
Commit c3a7d11

committed
httpmw: ExtractWorkspaceAgent: set auth context
1 parent 4956485 commit c3a7d11


1 file changed

+39
-1
lines changed


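--- a/coderd/httpmw/workspaceagent.go
+++ b/coderd/httpmw/workspaceagent.go
@@ -9,8 +9,10 @@ import (
 
 "github.com/google/uuid"
 
+"github.com/coder/coder/coderd/authzquery"
 "github.com/coder/coder/coderd/database"
 "github.com/coder/coder/coderd/httpapi"
+"github.com/coder/coder/coderd/rbac"
 "github.com/coder/coder/codersdk"
 )
 
@@ -30,6 +32,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
+systemCtx := authzquery.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
 tokenValue := apiTokenFromRequest(r)
 if tokenValue == "" {
 httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
@@ -45,7 +48,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 })
 return
 }
-agent, err := db.GetWorkspaceAgentByAuthToken(ctx, token)
+agent, err := db.GetWorkspaceAgentByAuthToken(systemCtx, token)
 if err != nil {
 if errors.Is(err, sql.ErrNoRows) {
 httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
@@ -62,7 +65,42 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 return
 }
 
+workspace, err := db.GetWorkspaceByAgentID(systemCtx, agent.ID)
+if err != nil {
+// TODO: details
+httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
+Message: "Workspace agent not authorized.",
+})
+return
+}
+
+user, err := db.GetUserByID(systemCtx, workspace.OwnerID)
+if err != nil {
+// TODO: details
+httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
+Message: "Workspace agent not authorized.",
+})
+return
+}
+
+roles, err := db.GetAuthorizationUserRoles(systemCtx, user.ID)
+if err != nil {
+// TODO: details
+httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
+Message: "Workspace agent not authorized.",
+})
+return
+}
+
+subject := rbac.Subject{
+ID: user.ID.String(),
+Roles: rbac.RoleNames(roles.Roles),
+Groups: roles.Groups,
+Scope: rbac.ScopeAll, // TODO: ScopeWorkspaceAgent
+}
+
 ctx = context.WithValue(ctx, workspaceAgentContextKey{}, agent)
+ctx = authzquery.WithAuthorizeContext(ctx, subject)
 next.ServeHTTP(rw, r.WithContext(ctx))
 })
 }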
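Review bot: The three new lookups in the last hunk (GetWorkspaceByAgentID, GetUserByID, GetAuthorizationUserRoles) collapse every error into a 401 "Workspace agent not authorized.", whereas the existing GetWorkspaceAgentByAuthToken branch just above splits sql.ErrNoRows from other failures; a transient database error here is reported to the agent as an auth failure and leaves the operator with no log or 500 to notice it. Each branch should mirror the existing pattern, returning 401 only on errors.Is(err, sql.ErrNoRows) and 500 with a Detail otherwise, which would also retire the three "// TODO: details" comments. Separately, the subject is built with the owner's full role set and `Scope: rbac.ScopeAll`, so an agent token now authorizes as broadly as the owner's own session; until the ScopeWorkspaceAgent TODO is done that is worth a comment on the Subject literal stating the interim assumption, e.g. `// TODO(scope): agent currently inherits the owner's full permissions; narrow to ScopeWorkspaceAgent.` I also cannot tell from this hunk whether GetUserByID excludes suspended or deleted owners; if it does not, the suspension check may need to be explicit here. The enclosing handler closure starts before the first hunk.
```go
workspace, err := db.GetWorkspaceByAgentID(systemCtx, agent.ID)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
Message: "Workspace agent not authorized.",
})
return
}
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
Message: "Internal error fetching workspace for agent.",
Detail: err.Error(),
})
return
}
// … unchanged: GetUserByID and GetAuthorizationUserRoles follow the same split …
```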
