auth tunnels via updater

ethanndickson · ethanndickson · commit 2fb2908843e9 · 2024-10-04T05:41:51.000Z
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -1492,7 +1492,6 @@ func (api *API) workspaceAgentsExternalAuthListen(ctx context.Context, rw http.R
 func (api *API) tailnet(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	owner := httpmw.UserParam(r)
-	ownerRoles := httpmw.UserAuthorization(r)
 
 	// Check if the actor is allowed to access any workspace owned by the user.
 	if !api.Authorize(r, policy.ActionSSH, rbac.ResourceWorkspace.WithOwner(owner.ID.String())) {
@@ -1540,32 +1539,16 @@ func (api *API) tailnet(rw http.ResponseWriter, r *http.Request) {
 
 	go httpapi.Heartbeat(ctx, conn)
 	err = api.TailnetClientService.ServeUserClient(ctx, version, wsNetConn, tailnet.ServeUserClientOptions{
-		PeerID: peerID,
-		UserID: owner.ID,
-		AuthFn: authAgentFn(api.Database, api.Authorizer, &ownerRoles),
+		PeerID:          peerID,
+		UserID:          owner.ID,
+		UpdatesProvider: api.WorkspaceUpdatesProvider,
 	})
 	if err != nil && !xerrors.Is(err, io.EOF) && !xerrors.Is(err, context.Canceled) {
 		_ = conn.Close(websocket.StatusInternalError, err.Error())
 		return
 	}
 }
 
-// authAgentFn accepts a subject, and returns a closure that authorizes against
-// passed agent IDs.
-func authAgentFn(db database.Store, auth rbac.Authorizer, user *rbac.Subject) func(context.Context, uuid.UUID) error {
-	return func(ctx context.Context, agentID uuid.UUID) error {
-		ws, err := db.GetWorkspaceByAgentID(ctx, agentID)
-		if err != nil {
-			return xerrors.Errorf("get workspace by agent id: %w", err)
-		}
-		err = auth.Authorize(ctx, *user, policy.ActionSSH, ws.RBACObject())
-		if err != nil {
-			return xerrors.Errorf("workspace agent not found or you do not have permission: %w", sql.ErrNoRows)
-		}
-		return nil
-	}
-}
-
 // createExternalAuthResponse creates an ExternalAuthResponse based on the
 // provider type. This is to support legacy `/workspaceagents/me/gitauth`
 // which uses `Username` and `Password`.
diff --git a/coderd/workspaceupdates.go b/coderd/workspaceupdates.go
@@ -91,6 +91,24 @@ type updatesProvider struct {
 	cancelFn func()
 }
 
+func (u *updatesProvider) IsOwner(userID uuid.UUID, agentID uuid.UUID) error {
+	u.mu.RLock()
+	defer u.mu.RUnlock()
+
+	workspaces, exists := u.latest[userID]
+	if !exists {
+		return xerrors.Errorf("workspace agent not found or you do not have permission: %w", sql.ErrNoRows)
+	}
+	for _, workspace := range workspaces {
+		for _, agent := range workspace.Agents {
+			if agent.ID == agentID {
+				return nil
+			}
+		}
+	}
+	return xerrors.Errorf("workspace agent not found or you do not have permission: %w", sql.ErrNoRows)
+}
+
 var _ tailnet.WorkspaceUpdatesProvider = (*updatesProvider)(nil)
 
 func NewUpdatesProvider(ctx context.Context, db UpdateQuerier, ps pubsub.Pubsub) (tailnet.WorkspaceUpdatesProvider, error) {
diff --git a/enterprise/tailnet/connio.go b/enterprise/tailnet/connio.go
@@ -133,7 +133,7 @@ var errDisconnect = xerrors.New("graceful disconnect")
 
 func (c *connIO) handleRequest(req *proto.CoordinateRequest) error {
 	c.logger.Debug(c.peerCtx, "got request")
-	err := c.auth.Authorize(c.coordCtx, req)
+	err := c.auth.Authorize(req)
 	if err != nil {
 		c.logger.Warn(c.peerCtx, "unauthorized request", slog.Error(err))
 		return xerrors.Errorf("authorize request: %w", err)
diff --git a/tailnet/coordinator.go b/tailnet/coordinator.go
@@ -577,7 +577,7 @@ func (c *core) handleRequest(p *peer, req *proto.CoordinateRequest) error {
 		return ErrAlreadyRemoved
 	}
 
-	if err := pr.auth.Authorize(context.Background(), req); err != nil {
+	if err := pr.auth.Authorize(req); err != nil {
 		return xerrors.Errorf("authorize request: %w", err)
 	}
 
diff --git a/tailnet/service.go b/tailnet/service.go
@@ -43,6 +43,7 @@ type WorkspaceUpdatesProvider interface {
 	Subscribe(peerID uuid.UUID, userID uuid.UUID) (<-chan *proto.WorkspaceUpdate, error)
 	Unsubscribe(peerID uuid.UUID)
 	Stop()
+	IsOwner(userID uuid.UUID, agentID uuid.UUID) error
 }
 
 type ClientServiceOptions struct {
@@ -119,11 +120,9 @@ func (s *ClientService) ServeClient(ctx context.Context, version string, conn ne
 }
 
 type ServeUserClientOptions struct {
-	PeerID uuid.UUID
-	UserID uuid.UUID
-	// AuthFn authorizes the user to `ActionSSH` against the workspace given
-	// an agent ID.
-	AuthFn func(context.Context, uuid.UUID) error
+	PeerID          uuid.UUID
+	UserID          uuid.UUID
+	UpdatesProvider WorkspaceUpdatesProvider
 }
 
 func (s *ClientService) ServeUserClient(ctx context.Context, version string, conn net.Conn, opts ServeUserClientOptions) error {
@@ -136,7 +135,6 @@ func (s *ClientService) ServeUserClient(ctx context.Context, version string, con
 	case 2:
 		auth := ClientUserCoordinateeAuth{
 			UserID: opts.UserID,
-			AuthFn: opts.AuthFn,
 		}
 		streamID := StreamID{
 			Name: "client",
diff --git a/tailnet/service_test.go b/tailnet/service_test.go
@@ -74,7 +74,7 @@ func TestClientService_ServeClient_V2(t *testing.T) {
 	require.NotNil(t, call)
 	require.Equal(t, call.ID, clientID)
 	require.Equal(t, call.Name, "client")
-	require.NoError(t, call.Auth.Authorize(ctx, &proto.CoordinateRequest{
+	require.NoError(t, call.Auth.Authorize(&proto.CoordinateRequest{
 		AddTunnel: &proto.CoordinateRequest_Tunnel{Id: agentID[:]},
 	}))
 	req := testutil.RequireRecvCtx(ctx, t, call.Reqs)
diff --git a/tailnet/tunnel.go b/tailnet/tunnel.go
@@ -1,7 +1,6 @@
 package tailnet
 
 import (
-	"context"
 	"database/sql"
 	"net/netip"
 
@@ -14,13 +13,13 @@ import (
 var legacyWorkspaceAgentIP = netip.MustParseAddr("fd7a:115c:a1e0:49d6:b259:b7ac:b1b2:48f4")
 
 type CoordinateeAuth interface {
-	Authorize(ctx context.Context, req *proto.CoordinateRequest) error
+	Authorize(req *proto.CoordinateRequest) error
 }
 
 // SingleTailnetCoordinateeAuth allows all tunnels, since Coderd and wsproxy are allowed to initiate a tunnel to any agent
 type SingleTailnetCoordinateeAuth struct{}
 
-func (SingleTailnetCoordinateeAuth) Authorize(context.Context, *proto.CoordinateRequest) error {
+func (SingleTailnetCoordinateeAuth) Authorize(*proto.CoordinateRequest) error {
 	return nil
 }
 
@@ -29,7 +28,7 @@ type ClientCoordinateeAuth struct {
 	AgentID uuid.UUID
 }
 
-func (c ClientCoordinateeAuth) Authorize(_ context.Context, req *proto.CoordinateRequest) error {
+func (c ClientCoordinateeAuth) Authorize(req *proto.CoordinateRequest) error {
 	if tun := req.GetAddTunnel(); tun != nil {
 		uid, err := uuid.FromBytes(tun.Id)
 		if err != nil {
@@ -66,7 +65,7 @@ type AgentCoordinateeAuth struct {
 	ID uuid.UUID
 }
 
-func (a AgentCoordinateeAuth) Authorize(_ context.Context, req *proto.CoordinateRequest) error {
+func (a AgentCoordinateeAuth) Authorize(req *proto.CoordinateRequest) error {
 	if tun := req.GetAddTunnel(); tun != nil {
 		return xerrors.New("agents cannot open tunnels")
 	}
@@ -93,17 +92,17 @@ func (a AgentCoordinateeAuth) Authorize(_ context.Context, req *proto.Coordinate
 }
 
 type ClientUserCoordinateeAuth struct {
-	UserID uuid.UUID
-	AuthFn func(context.Context, uuid.UUID) error
+	UserID          uuid.UUID
+	UpdatesProvider WorkspaceUpdatesProvider
 }
 
-func (a ClientUserCoordinateeAuth) Authorize(ctx context.Context, req *proto.CoordinateRequest) error {
+func (a ClientUserCoordinateeAuth) Authorize(req *proto.CoordinateRequest) error {
 	if tun := req.GetAddTunnel(); tun != nil {
 		uid, err := uuid.FromBytes(tun.Id)
 		if err != nil {
 			return xerrors.Errorf("parse add tunnel id: %w", err)
 		}
-		err = a.AuthFn(ctx, uid)
+		err = a.UpdatesProvider.IsOwner(a.UserID, uid)
 		if err != nil {
 			return xerrors.Errorf("workspace agent not found or you do not have permission: %w", sql.ErrNoRows)
 		}

Original file line number	Diff line number	Diff line change
`@@ -577,7 +577,7 @@ func (c core) handleRequest(p peer, req *proto.CoordinateRequest) error {`
`577`	`577`	`return ErrAlreadyRemoved`
`578`	`578`	`}`
`579`	`579`
`580`		`- if err := pr.auth.Authorize(context.Background(), req); err != nil {`
	`580`	`+ if err := pr.auth.Authorize(req); err != nil {`
`581`	`581`	`return xerrors.Errorf("authorize request: %w", err)`
`582`	`582`	`}`
`583`	`583`