forbid user and pk auth

f0ssel · f0ssel · commit 5d470f00b393 · 2024-07-24T17:48:37.000Z
diff --git a/enterprise/coderd/provisionerdaemons.go b/enterprise/coderd/provisionerdaemons.go
@@ -111,7 +111,7 @@ func (p *provisionerDaemonAuth) authorize(r *http.Request, orgID uuid.UUID, tags
 				return nil, xerrors.New("user unauthorized")
 			}
 
-			// If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.
+			// If using PSK auth, the daemon is, by definition, scoped to the organization.
 			tags = provisionersdk.MutateTags(uuid.Nil, tags)
 			return tags, nil
 		}
@@ -120,8 +120,7 @@ func (p *provisionerDaemonAuth) authorize(r *http.Request, orgID uuid.UUID, tags
 		return tags, nil
 	}
 
-	pk, ok := httpmw.ProvisionerKeyAuthOptional(r)
-	if ok {
+	if pkOK {
 		if pk.OrganizationID != orgID {
 			return nil, xerrors.New("provisioner key unauthorized")
 		}

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ func (p provisionerDaemonAuth) authorize(r http.Request, orgID uuid.UUID, tags`
`111`	`111`	`return nil, xerrors.New("user unauthorized")`
`112`	`112`	`}`
`113`	`113`
`114`		`- // If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.`
	`114`	`+ // If using PSK auth, the daemon is, by definition, scoped to the organization.`
`115`	`115`	`tags = provisionersdk.MutateTags(uuid.Nil, tags)`
`116`	`116`	`return tags, nil`
`117`	`117`	`}`
`@@ -120,8 +120,7 @@ func (p provisionerDaemonAuth) authorize(r http.Request, orgID uuid.UUID, tags`
`120`	`120`	`return tags, nil`
`121`	`121`	`}`
`122`	`122`
`123`		`- pk, ok := httpmw.ProvisionerKeyAuthOptional(r)`
`124`		`- if ok {`
	`123`	`+ if pkOK {`
`125`	`124`	`if pk.OrganizationID != orgID {`
`126`	`125`	`return nil, xerrors.New("provisioner key unauthorized")`
`127`	`126`	`}`