restrict route

f0ssel · f0ssel · commit 727abcdc4070 · 2024-07-25T16:30:35.000Z
diff --git a/enterprise/coderd/provisionerdaemons.go b/enterprise/coderd/provisionerdaemons.go
@@ -13,6 +13,7 @@ import (
 	"github.com/hashicorp/yamux"
 	"github.com/moby/moby/pkg/namesgenerator"
 	"go.opentelemetry.io/otel/trace"
+	"golang.org/x/exp/maps"
 	"golang.org/x/xerrors"
 	"nhooyr.io/websocket"
 	"storj.io/drpc/drpcmux"
@@ -97,39 +98,43 @@ func (p *provisionerDaemonAuth) authorize(r *http.Request, orgID uuid.UUID, tags
 		return nil, xerrors.New("Both API key and provisioner key authentication provided. Only one is allowed.")
 	}
 
-	if apiKeyOK {
-		tags = provisionersdk.MutateTags(apiKey.UserID, tags)
-		if tags[provisionersdk.TagScope] == provisionersdk.ScopeUser {
-			// Any authenticated user can create provisioner daemons scoped
-			// for jobs that they own,
-			return tags, nil
+	// Provisioner Key Auth
+	if pkOK {
+		if pk.OrganizationID != orgID {
+			return nil, xerrors.New("provisioner key unauthorized")
 		}
-		ua := httpmw.UserAuthorization(r)
-		err := p.authorizer.Authorize(ctx, ua, policy.ActionCreate, rbac.ResourceProvisionerDaemon.InOrg(orgID))
-		if err != nil {
-			if !provAuth {
-				return nil, xerrors.New("user unauthorized")
-			}
-
-			// Allow fallback to PSK auth if the user is not allowed to create provisioner daemons.
-			// This is to preserve backwards compatibility with existing user provisioner daemons.
-			// If using PSK auth, the daemon is, by definition, scoped to the organization.
-			tags = provisionersdk.MutateTags(uuid.Nil, tags)
-			return tags, nil
+		if tags != nil && !maps.Equal(tags, map[string]string{}) {
+			return nil, xerrors.New("tags are not allowed when using a provisioner key")
 		}
 
-		// User is allowed to create provisioner daemons
+		// If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.
+		// Use the provisioner key tags here.
+		tags = provisionersdk.MutateTags(uuid.Nil, pk.Tags)
 		return tags, nil
 	}
 
-	if pkOK {
-		if pk.OrganizationID != orgID {
-			return nil, xerrors.New("provisioner key unauthorized")
+	// User Auth
+	tags = provisionersdk.MutateTags(apiKey.UserID, tags)
+	if tags[provisionersdk.TagScope] == provisionersdk.ScopeUser {
+		// Any authenticated user can create provisioner daemons scoped
+		// for jobs that they own,
+		return tags, nil
+	}
+	ua := httpmw.UserAuthorization(r)
+	err := p.authorizer.Authorize(ctx, ua, policy.ActionCreate, rbac.ResourceProvisionerDaemon.InOrg(orgID))
+	if err != nil {
+		if !provAuth {
+			return nil, xerrors.New("user unauthorized")
 		}
+
+		// Allow fallback to PSK auth if the user is not allowed to create provisioner daemons.
+		// This is to preserve backwards compatibility with existing user provisioner daemons.
+		// If using PSK auth, the daemon is, by definition, scoped to the organization.
+		tags = provisionersdk.MutateTags(uuid.Nil, tags)
+		return tags, nil
 	}
 
-	// If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.
-	tags = provisionersdk.MutateTags(uuid.Nil, tags)
+	// User is allowed to create provisioner daemons
 	return tags, nil
 }
 
diff --git a/enterprise/coderd/provisionerdaemons_test.go b/enterprise/coderd/provisionerdaemons_test.go
@@ -703,9 +703,6 @@ func TestProvisionerDaemonServe(t *testing.T) {
 					Provisioners: []codersdk.ProvisionerType{
 						codersdk.ProvisionerTypeEcho,
 					},
-					Tags: map[string]string{
-						provisionersdk.TagScope: provisionersdk.ScopeOrganization,
-					},
 					PreSharedKey:   tc.requestPSK,
 					ProvisionerKey: tc.requestProvisionerKey,
 				})
