unconditionally set tag scope to org for psk auth

johnstcn · johnstcn · commit 34ef0a7bda76 · 2023-09-01T09:57:58.000+01:00
diff --git a/coderd/provisionerdserver/provisionertags.go b/coderd/provisionerdserver/provisionertags.go
@@ -24,9 +24,7 @@ func MutateTags(userID uuid.UUID, tags map[string]string) map[string]string {
 	}
 	switch tags[TagScope] {
 	case ScopeUser:
-		if userID != uuid.Nil {
-			tags[TagOwner] = userID.String()
-		}
+		tags[TagOwner] = userID.String()
 	case ScopeOrganization:
 	default:
 		tags[TagScope] = ScopeOrganization
diff --git a/enterprise/coderd/provisionerdaemons.go b/enterprise/coderd/provisionerdaemons.go
@@ -117,13 +117,8 @@ func (p *provisionerDaemonAuth) authorize(r *http.Request, tags map[string]strin
 	if p.psk != "" {
 		psk := r.Header.Get(codersdk.ProvisionerDaemonPSK)
 		if subtle.ConstantTimeCompare([]byte(p.psk), []byte(psk)) == 1 {
-			if len(tags) == 0 {
-				// Directly scope to organization if no tags are provided.
-				// MutateTags is only meant for scoping based on users.
-				tags = map[string]string{
-					provisionerdserver.TagScope: provisionerdserver.ScopeOrganization,
-				}
-			}
+			// If using PSK auth, the daemon is, by definition, scoped to the organization.
+			tags[provisionerdserver.TagScope] = provisionerdserver.ScopeOrganization
 			return tags, true
 		}
 	}
