
Commit 948c470

committed
limit on api side
1 parent 0d45d1a commit 948c470


3 files changed

+33
-6
lines changed


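--- a/coderd/httpmw/provisionerdaemon.go
+++ b/coderd/httpmw/provisionerdaemon.go
@@ -51,6 +51,7 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu
 return
 }
 
+psk := r.Header.Get(codersdk.ProvisionerDaemonPSK)
 key := r.Header.Get(codersdk.ProvisionerDaemonKey)
 if key == "" {
 if opts.PSK == "" {
@@ -63,6 +64,12 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu
 fallbackToPSK(ctx, opts.PSK, next, w, r, handleOptional)
 return
 }
+if psk != "" {
+handleOptional(http.StatusBadRequest, codersdk.Response{
+Message: "provisioner daemon key and psk provided, but only one is allowed",
+})
+return
+}
 
 id, keyValue, err := provisionerkey.Parse(key)
 if err != nil {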
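Review bot: The new `if psk != ""` branch passes `http.StatusBadRequest` to `handleOptional`, yet the `KeyAndPSK` case added in enterprise/coderd/provisionerdaemons_test.go expects `http.StatusUnauthorized`, so the 400 and its message are apparently not what a client sees on that route. `handleOptional` is defined outside this hunk; if it forwards to `next` when authentication is optional, this branch leaves the request unauthenticated instead of rejecting it, and the refusal then depends on the downstream handler. I would say so above the branch, e.g. `// Key and PSK are mutually exclusive; when auth is optional this falls through unauthenticated and the handler must reject.`, and add a test on a non-optional route that asserts the 400. The enclosing function starts and ends outside the hunk.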

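--- a/codersdk/provisionerdaemons.go
+++ b/codersdk/provisionerdaemons.go
@@ -226,9 +226,6 @@ func (c *Client) ServeProvisionerDaemon(ctx context.Context, req ServeProvisione
 
 headers.Set(BuildVersionHeader, buildinfo.Version())
 
-if req.ProvisionerKey != "" && req.PreSharedKey != "" {
-return nil, xerrors.Errorf("cannot provide both a provisioner key and a pre-shared key")
-}
 if req.ProvisionerKey != "" {
 headers.Set(ProvisionerDaemonKey, req.ProvisionerKey)
 }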

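--- a/enterprise/coderd/provisionerdaemons_test.go
+++ b/enterprise/coderd/provisionerdaemons_test.go
@@ -6,6 +6,7 @@ import (
 "fmt"
 "io"
 "net/http"
+"strings"
 "testing"
 
 "github.com/google/uuid"
@@ -614,28 +615,50 @@ func TestProvisionerDaemonServe(t *testing.T) {
 name: "WrongKey",
 multiOrgFeatureEnabled: true,
 multiOrgExperimentEnabled: true,
+insertParams: insertParams,
 requestProvisionerKey: "provisionersftw",
 errStatusCode: http.StatusUnauthorized,
 },
 {
-name: "IdOKKeyWrong",
+name: "IdOKKeyValueWrong",
 multiOrgFeatureEnabled: true,
 multiOrgExperimentEnabled: true,
+insertParams: insertParams,
 requestProvisionerKey: insertParams.ID.String() + ":" + "wrong",
 errStatusCode: http.StatusUnauthorized,
 },
 {
-name: "IdWrongKeyOK",
+name: "IdWrongKeyValueOK",
 multiOrgFeatureEnabled: true,
 multiOrgExperimentEnabled: true,
+insertParams: insertParams,
 requestProvisionerKey: uuid.NewString() + ":" + token,
 errStatusCode: http.StatusUnauthorized,
 },
 {
-name: "TokenOnly",
+name: "KeyValueOnly",
+multiOrgFeatureEnabled: true,
+multiOrgExperimentEnabled: true,
+insertParams: insertParams,
+requestProvisionerKey: strings.Split(token, ":")[1],
+errStatusCode: http.StatusUnauthorized,
+},
+{
+name: "KeyAndPSK",
 multiOrgFeatureEnabled: true,
 multiOrgExperimentEnabled: true,
+psk: "provisionersftw",
+insertParams: insertParams,
 requestProvisionerKey: token,
+requestPSK: "provisionersftw",
+errStatusCode: http.StatusUnauthorized,
+},
+{
+name: "None",
+multiOrgFeatureEnabled: true,
+multiOrgExperimentEnabled: true,
+psk: "provisionersftw",
+insertParams: insertParams,
 errStatusCode: http.StatusUnauthorized,
 },
 }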
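Review bot: In the `KeyValueOnly` case, `requestProvisionerKey: strings.Split(token, ":")[1]` indexes the split result without checking that `token` contains a `:`. `token` is built outside this hunk, so if its format ever changes the test panics while the table is constructed instead of failing with a readable message. Splitting once before the table, `_, keyValue, ok := strings.Cut(token, ":")` followed by `if !ok { t.Fatal("token has no key value part") }`, keeps the failure explicit. Separately, every rejecting case here asserts the same `http.StatusUnauthorized`, so the table cannot tell which rejection path fired; an expected-message check on `KeyAndPSK` would pin the new both-credentials rule.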
