@@ -83,41 +83,53 @@ type provisionerDaemonAuth struct {
8383 authorizer rbac.Authorizer
8484}
8585
86- // authorize returns mutated tags and true if the given HTTP request is authorized to access the provisioner daemon
87- // protobuf API, and returns nil, false otherwise.
88- func (p * provisionerDaemonAuth ) authorize (r * http.Request , orgID uuid.UUID , tags map [string ]string ) (map [string ]string , bool ) {
86+ // authorize returns mutated tags if the given HTTP request is authorized to access the provisioner daemon
87+ // protobuf API, and returns nil, err otherwise.
88+ func (p * provisionerDaemonAuth ) authorize (r * http.Request , orgID uuid.UUID , tags map [string ]string ) (map [string ]string , error ) {
8989 ctx := r .Context ()
90- apiKey , ok := httpmw .APIKeyOptional (r )
91- if ok {
90+ apiKey , apiKeyOK := httpmw .APIKeyOptional (r )
91+ pk , pkOK := httpmw .ProvisionerKeyAuthOptional (r )
92+ provAuth := httpmw .ProvisionerDaemonAuthenticated (r )
93+ if ! provAuth && ! apiKeyOK {
94+ return nil , xerrors .New ("no API key or provisioner key provided" )
95+ }
96+ if apiKeyOK && pkOK {
97+ return nil , xerrors .New ("Both API key and provisioner key authentication provided. Only one is allowed." )
98+ }
99+
100+ if apiKeyOK {
92101 tags = provisionersdk .MutateTags (apiKey .UserID , tags )
93102 if tags [provisionersdk .TagScope ] == provisionersdk .ScopeUser {
94103 // Any authenticated user can create provisioner daemons scoped
95104 // for jobs that they own,
96- return tags , true
105+ return tags , nil
97106 }
98107 ua := httpmw .UserAuthorization (r )
99- if err := p .authorizer .Authorize (ctx , ua , policy .ActionCreate , rbac .ResourceProvisionerDaemon .InOrg (orgID )); err == nil {
100- // User is allowed to create provisioner daemons
101- return tags , true
108+ err := p .authorizer .Authorize (ctx , ua , policy .ActionCreate , rbac .ResourceProvisionerDaemon .InOrg (orgID ))
109+ if err != nil {
110+ if ! provAuth {
111+ return nil , xerrors .New ("user unauthorized" )
112+ }
113+
114+ // If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.
115+ tags = provisionersdk .MutateTags (uuid .Nil , tags )
116+ return tags , nil
102117 }
103- }
104118
105- // Check for provisioner key or PSK auth.
106- provAuth := httpmw .ProvisionerDaemonAuthenticated (r )
107- if ! provAuth {
108- return nil , false
119+ // User is allowed to create provisioner daemons
120+ return tags , nil
109121 }
110122
111123 pk , ok := httpmw .ProvisionerKeyAuthOptional (r )
112124 if ok {
113125 if pk .OrganizationID != orgID {
114- return nil , false
126+ return nil , xerrors . New ( "provisioner key unauthorized" )
115127 }
116128 }
117129
118130 // If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.
119131 tags = provisionersdk .MutateTags (uuid .Nil , tags )
120- return tags , true
132+ return tags , nil
121133}
122134
123135// Serves the provisioner daemon protobuf API over a WebSocket.
@@ -180,12 +192,13 @@ func (api *API) provisionerDaemonServe(rw http.ResponseWriter, r *http.Request)
180192 api .Logger .Warn (ctx , "unnamed provisioner daemon" )
181193 }
182194
183- tags , authorized := api .provisionerDaemonAuth .authorize (r , organization .ID , tags )
184- if ! authorized {
185- api .Logger .Warn (ctx , "unauthorized provisioner daemon serve request" , slog .F ("tags" , tags ))
195+ tags , err := api .provisionerDaemonAuth .authorize (r , organization .ID , tags )
196+ if err != nil {
197+ api .Logger .Warn (ctx , "unauthorized provisioner daemon serve request" , slog .F ("tags" , tags ), slog . Error ( err ) )
186198 httpapi .Write (ctx , rw , http .StatusForbidden ,
187199 codersdk.Response {
188200 Message : fmt .Sprintf ("You aren't allowed to create provisioner daemons with scope %q" , tags [provisionersdk .TagScope ]),
201+ Detail : err .Error (),
189202 },
190203 )
191204 return
0 commit comments