feat: accept provisioner keys for provisioner auth

f0ssel · f0ssel · commit 27c18edb55c1 · 2024-07-22T18:42:26.000Z
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -158,34 +158,49 @@ func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {
 }
 
 var (
-	subjectProvisionerd = rbac.Subject{
-		FriendlyName: "Provisioner Daemon",
-		ID:           uuid.Nil.String(),
-		Roles: rbac.Roles([]rbac.Role{
-			{
-				Identifier:  rbac.RoleIdentifier{Name: "provisionerd"},
-				DisplayName: "Provisioner Daemon",
-				Site: rbac.Permissions(map[string][]policy.Action{
-					// TODO: Add ProvisionerJob resource type.
-					rbac.ResourceFile.Type:     {policy.ActionRead},
-					rbac.ResourceSystem.Type:   {policy.WildcardSymbol},
-					rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate},
-					// Unsure why provisionerd needs update and read personal
-					rbac.ResourceUser.Type:             {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
-					rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStop},
-					rbac.ResourceWorkspace.Type:        {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop},
-					rbac.ResourceApiKey.Type:           {policy.WildcardSymbol},
-					// When org scoped provisioner credentials are implemented,
-					// this can be reduced to read a specific org.
+	subjectProvisionerd = func(orgID uuid.UUID) rbac.Subject {
+		sitePermissions := map[string][]policy.Action{
+			// TODO: Add ProvisionerJob resource type.
+			rbac.ResourceFile.Type:     {policy.ActionRead},
+			rbac.ResourceSystem.Type:   {policy.WildcardSymbol},
+			rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate},
+			// Unsure why provisionerd needs update and read personal
+			rbac.ResourceUser.Type:             {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
+			rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStop},
+			rbac.ResourceWorkspace.Type:        {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop},
+			rbac.ResourceApiKey.Type:           {policy.WildcardSymbol},
+			// When org scoped provisioner credentials are implemented,
+			// this can be reduced to read a specific org.
+			rbac.ResourceOrganization.Type: {policy.ActionRead},
+			rbac.ResourceGroup.Type:        {policy.ActionRead},
+		}
+		orgPermissions := map[string][]rbac.Permission{}
+
+		if orgID != uuid.Nil {
+			// replace site wide org permissions with org scoped permissions
+			delete(sitePermissions, rbac.ResourceOrganization.Type)
+			orgPermissions = map[string][]rbac.Permission{
+				orgID.String(): rbac.Permissions(map[string][]policy.Action{
 					rbac.ResourceOrganization.Type: {policy.ActionRead},
-					rbac.ResourceGroup.Type:        {policy.ActionRead},
 				}),
-				Org:  map[string][]rbac.Permission{},
-				User: []rbac.Permission{},
-			},
-		}),
-		Scope: rbac.ScopeAll,
-	}.WithCachedASTValue()
+			}
+		}
+
+		return rbac.Subject{
+			FriendlyName: "Provisioner Daemon",
+			ID:           uuid.Nil.String(),
+			Roles: rbac.Roles([]rbac.Role{
+				{
+					Identifier:  rbac.RoleIdentifier{Name: "provisionerd"},
+					DisplayName: "Provisioner Daemon",
+					Site:        rbac.Permissions(sitePermissions),
+					Org:         orgPermissions,
+					User:        []rbac.Permission{},
+				},
+			}),
+			Scope: rbac.ScopeAll,
+		}.WithCachedASTValue()
+	}
 
 	subjectAutostart = rbac.Subject{
 		FriendlyName: "Autostart",
@@ -261,7 +276,13 @@ var (
 // AsProvisionerd returns a context with an actor that has permissions required
 // for provisionerd to function.
 func AsProvisionerd(ctx context.Context) context.Context {
-	return context.WithValue(ctx, authContextKey{}, subjectProvisionerd)
+	return context.WithValue(ctx, authContextKey{}, subjectProvisionerd(uuid.Nil))
+}
+
+// AsProvisionerd returns a context with an actor that has permissions required
+// for an org scoped provisionerd to function.
+func AsOrganizationProvisionerd(ctx context.Context, orgID uuid.UUID) context.Context {
+	return context.WithValue(ctx, authContextKey{}, subjectProvisionerd(orgID))
 }
 
 // AsAutostart returns a context with an actor that has permissions required
diff --git a/coderd/httpmw/csrf.go b/coderd/httpmw/csrf.go
@@ -93,6 +93,13 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
 				return true
 			}
 
+			if r.Header.Get(codersdk.ProvisionerDaemonKey) != "" {
+				// If present, the provisioner daemon also is providing an api key
+				// that will make them exempt from CSRF. But this is still useful
+				// for enumerating the external auths.
+				return true
+			}
+
 			// If the X-CSRF-TOKEN header is set, we can exempt the func if it's valid.
 			// This is the CSRF check.
 			sent := r.Header.Get("X-CSRF-TOKEN")
diff --git a/coderd/httpmw/provisionerdaemon.go b/coderd/httpmw/provisionerdaemon.go
@@ -8,6 +8,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/coderd/provisionerkey"
 	"github.com/coder/coder/v2/codersdk"
 )
 
@@ -19,11 +20,13 @@ func ProvisionerDaemonAuthenticated(r *http.Request) bool {
 }
 
 type ExtractProvisionerAuthConfig struct {
-	DB       database.Store
-	Optional bool
+	DB              database.Store
+	Optional        bool
+	PSK             string
+	MultiOrgEnabled bool
 }
 
-func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig, psk string) func(next http.Handler) http.Handler {
+func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
@@ -36,26 +39,50 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig, ps
 				httpapi.Write(ctx, w, code, response)
 			}
 
-			if psk == "" {
-				// No psk means external provisioner daemons are not allowed.
-				// So their auth is not valid.
-				handleOptional(http.StatusBadRequest, codersdk.Response{
-					Message: "External provisioner daemons not enabled",
-				})
+			if !opts.MultiOrgEnabled {
+				fallbackToPSK(ctx, opts.PSK, next, w, r, handleOptional)
 				return
 			}
 
-			token := r.Header.Get(codersdk.ProvisionerDaemonPSK)
-			if token == "" {
+			key := r.Header.Get(codersdk.ProvisionerDaemonKey)
+			if key == "" {
+				if opts.PSK == "" {
+					handleOptional(http.StatusUnauthorized, codersdk.Response{
+						Message: "provisioner daemon key required",
+					})
+					return
+				}
+
+				fallbackToPSK(ctx, opts.PSK, next, w, r, handleOptional)
+				return
+			}
+
+			id, keyValue, err := provisionerkey.Parse(key)
+			if err != nil {
 				handleOptional(http.StatusUnauthorized, codersdk.Response{
-					Message: "provisioner daemon auth token required",
+					Message: "provisioner daemon key invalid",
+				})
+				return
+			}
+
+			pk, err := opts.DB.GetProvisionerKeyByID(ctx, id)
+			if err != nil {
+				if httpapi.Is404Error(err) {
+					handleOptional(http.StatusUnauthorized, codersdk.Response{
+						Message: "provisioner daemon key invalid",
+					})
+					return
+				}
+
+				handleOptional(http.StatusInternalServerError, codersdk.Response{
+					Message: "get provisioner daemon key: " + err.Error(),
 				})
 				return
 			}
 
-			if subtle.ConstantTimeCompare([]byte(token), []byte(psk)) != 1 {
+			if subtle.ConstantTimeCompare(pk.HashedSecret, provisionerkey.HashSecret(keyValue)) != 1 {
 				handleOptional(http.StatusUnauthorized, codersdk.Response{
-					Message: "provisioner daemon auth token invalid",
+					Message: "provisioner daemon key invalid",
 				})
 				return
 			}
@@ -65,8 +92,33 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig, ps
 			// authenticated provisioner daemon.
 			ctx = context.WithValue(ctx, provisionerDaemonContextKey{}, true)
 			// nolint:gocritic // Authenticating as a provisioner daemon.
-			ctx = dbauthz.AsProvisionerd(ctx)
+			ctx = dbauthz.AsOrganizationProvisionerd(ctx, pk.OrganizationID)
 			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }
+
+func fallbackToPSK(ctx context.Context, psk string, next http.Handler, w http.ResponseWriter, r *http.Request, handleOptional func(code int, response codersdk.Response)) {
+	if psk == "" {
+		handleOptional(http.StatusUnauthorized, codersdk.Response{
+			Message: "External provisioner daemons not enabled",
+		})
+		return
+	}
+
+	token := r.Header.Get(codersdk.ProvisionerDaemonPSK)
+	if subtle.ConstantTimeCompare([]byte(token), []byte(psk)) != 1 {
+		handleOptional(http.StatusUnauthorized, codersdk.Response{
+			Message: "provisioner daemon psk invalid",
+		})
+		return
+	}
+
+	// The PSK does not indicate a specific provisioner daemon. So just
+	// store a boolean so the caller can check if the request is from an
+	// authenticated provisioner daemon.
+	ctx = context.WithValue(ctx, provisionerDaemonContextKey{}, true)
+	// nolint:gocritic // Authenticating as a provisioner daemon.
+	ctx = dbauthz.AsProvisionerd(ctx)
+	next.ServeHTTP(w, r.WithContext(ctx))
+}
diff --git a/coderd/provisionerkey/provisionerkey.go b/coderd/provisionerkey/provisionerkey.go
@@ -3,6 +3,7 @@ package provisionerkey
 import (
 	"crypto/sha256"
 	"fmt"
+	"strings"
 
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
@@ -18,14 +19,33 @@ func New(organizationID uuid.UUID, name string) (database.InsertProvisionerKeyPa
 	if err != nil {
 		return database.InsertProvisionerKeyParams{}, "", xerrors.Errorf("generate token: %w", err)
 	}
-	hashedSecret := sha256.Sum256([]byte(secret))
+	hashedSecret := HashSecret(secret)
 	token := fmt.Sprintf("%s:%s", id, secret)
 
 	return database.InsertProvisionerKeyParams{
 		ID:             id,
 		CreatedAt:      dbtime.Now(),
 		OrganizationID: organizationID,
 		Name:           name,
-		HashedSecret:   hashedSecret[:],
+		HashedSecret:   hashedSecret,
 	}, token, nil
 }
+
+func Parse(token string) (uuid.UUID, string, error) {
+	parts := strings.Split(token, ":")
+	if len(parts) != 2 {
+		return uuid.UUID{}, "", xerrors.Errorf("invalid token format")
+	}
+
+	id, err := uuid.Parse(parts[0])
+	if err != nil {
+		return uuid.UUID{}, "", xerrors.Errorf("parse id: %w", err)
+	}
+
+	return id, parts[1], nil
+}
+
+func HashSecret(secret string) []byte {
+	h := sha256.Sum256([]byte(secret))
+	return h[:]
+}
diff --git a/codersdk/client.go b/codersdk/client.go
@@ -79,6 +79,9 @@ const (
 	// ProvisionerDaemonPSK contains the authentication pre-shared key for an external provisioner daemon
 	ProvisionerDaemonPSK = "Coder-Provisioner-Daemon-PSK"
 
+	// ProvisionerDaemonKey contains the authentication key for an external provisioner daemon
+	ProvisionerDaemonKey = "Coder-Provisioner-Daemon-Key"
+
 	// BuildVersionHeader contains build information of Coder.
 	BuildVersionHeader = "X-Coder-Build-Version"
 
diff --git a/codersdk/provisionerdaemons.go b/codersdk/provisionerdaemons.go
@@ -189,6 +189,8 @@ type ServeProvisionerDaemonRequest struct {
 	Tags map[string]string `json:"tags"`
 	// PreSharedKey is an authentication key to use on the API instead of the normal session token from the client.
 	PreSharedKey string `json:"pre_shared_key"`
+	// ProvisionerKey is an authentication key to use on the API instead of the normal session token from the client.
+	ProvisionerKey string `json:"provisioner_key"`
 }
 
 // ServeProvisionerDaemon returns the gRPC service for a provisioner daemon
@@ -223,7 +225,12 @@ func (c *Client) ServeProvisionerDaemon(ctx context.Context, req ServeProvisione
 	headers := http.Header{}
 
 	headers.Set(BuildVersionHeader, buildinfo.Version())
-	if req.PreSharedKey == "" {
+	// nolint:gocritic // Need to support multiple exclusive auth flows.
+	if req.ProvisionerKey != "" {
+		headers.Set(ProvisionerDaemonKey, req.ProvisionerKey)
+	} else if req.PreSharedKey != "" {
+		headers.Set(ProvisionerDaemonPSK, req.PreSharedKey)
+	} else {
 		// use session token if we don't have a PSK.
 		jar, err := cookiejar.New(nil)
 		if err != nil {
@@ -234,8 +241,6 @@ func (c *Client) ServeProvisionerDaemon(ctx context.Context, req ServeProvisione
 			Value: c.SessionToken(),
 		}})
 		httpClient.Jar = jar
-	} else {
-		headers.Set(ProvisionerDaemonPSK, req.PreSharedKey)
 	}
 
 	conn, res, err := websocket.Dial(ctx, serverURL.String(), &websocket.DialOptions{
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -284,9 +284,11 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 				api.provisionerDaemonsEnabledMW,
 				apiKeyMiddlewareOptional,
 				httpmw.ExtractProvisionerDaemonAuthenticated(httpmw.ExtractProvisionerAuthConfig{
-					DB:       api.Database,
-					Optional: true,
-				}, api.ProvisionerDaemonPSK),
+					DB:              api.Database,
+					Optional:        true,
+					PSK:             api.ProvisionerDaemonPSK,
+					MultiOrgEnabled: api.AGPL.Experiments.Enabled(codersdk.ExperimentMultiOrganization),
+				}),
 				// Either a user auth or provisioner auth is required
 				// to move forward.
 				httpmw.RequireAPIKeyOrProvisionerDaemonAuth(),
diff --git a/enterprise/coderd/provisionerdaemons.go b/enterprise/coderd/provisionerdaemons.go
@@ -93,12 +93,13 @@ func (api *API) provisionerDaemons(rw http.ResponseWriter, r *http.Request) {
 
 type provisionerDaemonAuth struct {
 	psk        string
+	db         database.Store
 	authorizer rbac.Authorizer
 }
 
 // authorize returns mutated tags and true if the given HTTP request is authorized to access the provisioner daemon
 // protobuf API, and returns nil, false otherwise.
-func (p *provisionerDaemonAuth) authorize(r *http.Request, tags map[string]string) (map[string]string, bool) {
+func (p *provisionerDaemonAuth) authorize(r *http.Request, orgID uuid.UUID, tags map[string]string) (map[string]string, bool) {
 	ctx := r.Context()
 	apiKey, ok := httpmw.APIKeyOptional(r)
 	if ok {
@@ -115,14 +116,21 @@ func (p *provisionerDaemonAuth) authorize(r *http.Request, tags map[string]strin
 		}
 	}
 
-	// Check for PSK
+	// Check for provisioner key or PSK auth.
 	provAuth := httpmw.ProvisionerDaemonAuthenticated(r)
-	if provAuth {
-		// If using PSK auth, the daemon is, by definition, scoped to the organization.
-		tags = provisionersdk.MutateTags(uuid.Nil, tags)
-		return tags, true
+	if !provAuth {
+		return nil, false
 	}
-	return nil, false
+
+	// ensure provisioner daemon subject can read organization
+	_, err := p.db.GetOrganizationByID(ctx, orgID)
+	if err != nil {
+		return nil, false
+	}
+
+	// If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.
+	tags = provisionersdk.MutateTags(uuid.Nil, tags)
+	return tags, true
 }
 
 // Serves the provisioner daemon protobuf API over a WebSocket.
@@ -185,7 +193,7 @@ func (api *API) provisionerDaemonServe(rw http.ResponseWriter, r *http.Request)
 		api.Logger.Warn(ctx, "unnamed provisioner daemon")
 	}
 
-	tags, authorized := api.provisionerDaemonAuth.authorize(r, tags)
+	tags, authorized := api.provisionerDaemonAuth.authorize(r, organization.ID, tags)
 	if !authorized {
 		api.Logger.Warn(ctx, "unauthorized provisioner daemon serve request", slog.F("tags", tags))
 		httpapi.Write(ctx, rw, http.StatusForbidden,
@@ -223,7 +231,7 @@ func (api *API) provisionerDaemonServe(rw http.ResponseWriter, r *http.Request)
 	)
 
 	authCtx := ctx
-	if r.Header.Get(codersdk.ProvisionerDaemonPSK) != "" {
+	if r.Header.Get(codersdk.ProvisionerDaemonPSK) != "" || r.Header.Get(codersdk.ProvisionerDaemonKey) != "" {
 		//nolint:gocritic // PSK auth means no actor in request,
 		// so use system restricted.
 		authCtx = dbauthz.AsSystemRestricted(ctx)
