move to mw

f0ssel · f0ssel · commit 1e9b79a78589 · 2024-07-24T16:34:18.000Z
diff --git a/coderd/httpmw/provisionerdaemon.go b/coderd/httpmw/provisionerdaemon.go
@@ -30,6 +30,7 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
+			org := OrganizationParam(r)
 
 			handleOptional := func(code int, response codersdk.Response) {
 				if opts.Optional {
@@ -102,6 +103,13 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu
 				return
 			}
 
+			if pk.OrganizationID != org.ID {
+				handleOptional(http.StatusUnauthorized, codersdk.Response{
+					Message: "provisioner daemon key invalid",
+				})
+				return
+			}
+
 			// The provisioner key does not indicate a specific provisioner daemon. So just
 			// store a boolean so the caller can check if the request is from an
 			// authenticated provisioner daemon.
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -284,6 +284,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 			r.Use(
 				api.provisionerDaemonsEnabledMW,
 				apiKeyMiddlewareOptional,
+				httpmw.ExtractOrganizationParam(api.Database),
 				httpmw.ExtractProvisionerDaemonAuthenticated(httpmw.ExtractProvisionerAuthConfig{
 					DB:              api.Database,
 					Optional:        true,
@@ -293,7 +294,6 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 				// Either a user auth or provisioner auth is required
 				// to move forward.
 				httpmw.RequireAPIKeyOrProvisionerDaemonAuth(),
-				httpmw.ExtractOrganizationParam(api.Database),
 			)
 			r.With(apiKeyMiddleware).Get("/", api.provisionerDaemons)
 			r.With(apiKeyMiddlewareOptional).Get("/serve", api.provisionerDaemonServe)
diff --git a/enterprise/coderd/provisionerdaemons.go b/enterprise/coderd/provisionerdaemons.go
@@ -108,13 +108,6 @@ func (p *provisionerDaemonAuth) authorize(r *http.Request, orgID uuid.UUID, tags
 		return nil, false
 	}
 
-	pk, ok := httpmw.ProvisionerKeyAuthOptional(r)
-	if ok {
-		if orgID != pk.OrganizationID {
-			return nil, false
-		}
-	}
-
 	// If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.
 	tags = provisionersdk.MutateTags(uuid.Nil, tags)
 	return tags, true
