Skip to content

Commit 727abcd

Browse files
f0sself0ssel
committed
restrict route
1 parent 7b83b7e commit 727abcd

File tree

2 files changed

+29
-27
lines changed

2 files changed

+29
-27
lines changed

enterprise/coderd/provisionerdaemons.go

Lines changed: 29 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@ import (
1313
"github.com/hashicorp/yamux"
1414
"github.com/moby/moby/pkg/namesgenerator"
1515
"go.opentelemetry.io/otel/trace"
16+
"golang.org/x/exp/maps"
1617
"golang.org/x/xerrors"
1718
"nhooyr.io/websocket"
1819
"storj.io/drpc/drpcmux"
@@ -97,39 +98,43 @@ func (p *provisionerDaemonAuth) authorize(r *http.Request, orgID uuid.UUID, tags
9798
return nil, xerrors.New("Both API key and provisioner key authentication provided. Only one is allowed.")
9899
}
99100

100-
if apiKeyOK {
101-
tags = provisionersdk.MutateTags(apiKey.UserID, tags)
102-
if tags[provisionersdk.TagScope] == provisionersdk.ScopeUser {
103-
// Any authenticated user can create provisioner daemons scoped
104-
// for jobs that they own,
105-
return tags, nil
101+
// Provisioner Key Auth
102+
if pkOK {
103+
if pk.OrganizationID != orgID {
104+
return nil, xerrors.New("provisioner key unauthorized")
106105
}
107-
ua := httpmw.UserAuthorization(r)
108-
err := p.authorizer.Authorize(ctx, ua, policy.ActionCreate, rbac.ResourceProvisionerDaemon.InOrg(orgID))
109-
if err != nil {
110-
if !provAuth {
111-
return nil, xerrors.New("user unauthorized")
112-
}
113-
114-
// Allow fallback to PSK auth if the user is not allowed to create provisioner daemons.
115-
// This is to preserve backwards compatibility with existing user provisioner daemons.
116-
// If using PSK auth, the daemon is, by definition, scoped to the organization.
117-
tags = provisionersdk.MutateTags(uuid.Nil, tags)
118-
return tags, nil
106+
if tags != nil && !maps.Equal(tags, map[string]string{}) {
107+
return nil, xerrors.New("tags are not allowed when using a provisioner key")
119108
}
120109

121-
// User is allowed to create provisioner daemons
110+
// If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.
111+
// Use the provisioner key tags here.
112+
tags = provisionersdk.MutateTags(uuid.Nil, pk.Tags)
122113
return tags, nil
123114
}
124115

125-
if pkOK {
126-
if pk.OrganizationID != orgID {
127-
return nil, xerrors.New("provisioner key unauthorized")
116+
// User Auth
117+
tags = provisionersdk.MutateTags(apiKey.UserID, tags)
118+
if tags[provisionersdk.TagScope] == provisionersdk.ScopeUser {
119+
// Any authenticated user can create provisioner daemons scoped
120+
// for jobs that they own,
121+
return tags, nil
122+
}
123+
ua := httpmw.UserAuthorization(r)
124+
err := p.authorizer.Authorize(ctx, ua, policy.ActionCreate, rbac.ResourceProvisionerDaemon.InOrg(orgID))
125+
if err != nil {
126+
if !provAuth {
127+
return nil, xerrors.New("user unauthorized")
128128
}
129+
130+
// Allow fallback to PSK auth if the user is not allowed to create provisioner daemons.
131+
// This is to preserve backwards compatibility with existing user provisioner daemons.
132+
// If using PSK auth, the daemon is, by definition, scoped to the organization.
133+
tags = provisionersdk.MutateTags(uuid.Nil, tags)
134+
return tags, nil
129135
}
130136

131-
// If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.
132-
tags = provisionersdk.MutateTags(uuid.Nil, tags)
137+
// User is allowed to create provisioner daemons
133138
return tags, nil
134139
}
135140

enterprise/coderd/provisionerdaemons_test.go

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -703,9 +703,6 @@ func TestProvisionerDaemonServe(t *testing.T) {
703703
Provisioners: []codersdk.ProvisionerType{
704704
codersdk.ProvisionerTypeEcho,
705705
},
706-
Tags: map[string]string{
707-
provisionersdk.TagScope: provisionersdk.ScopeOrganization,
708-
},
709706
PreSharedKey: tc.requestPSK,
710707
ProvisionerKey: tc.requestProvisionerKey,
711708
})

0 commit comments

Comments
 (0)