revert rbac changes

f0ssel · f0ssel · commit c9376a083428 · 2024-07-24T16:19:39.000Z
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -158,49 +158,34 @@ func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {
 }
 
 var (
-	subjectProvisionerd = func(orgID uuid.UUID) rbac.Subject {
-		sitePermissions := map[string][]policy.Action{
-			// TODO: Add ProvisionerJob resource type.
-			rbac.ResourceFile.Type:     {policy.ActionRead},
-			rbac.ResourceSystem.Type:   {policy.WildcardSymbol},
-			rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate},
-			// Unsure why provisionerd needs update and read personal
-			rbac.ResourceUser.Type:             {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
-			rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStop},
-			rbac.ResourceWorkspace.Type:        {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop},
-			rbac.ResourceApiKey.Type:           {policy.WildcardSymbol},
-			// When org scoped provisioner credentials are implemented,
-			// this can be reduced to read a specific org.
-			rbac.ResourceOrganization.Type: {policy.ActionRead},
-			rbac.ResourceGroup.Type:        {policy.ActionRead},
-		}
-		orgPermissions := map[string][]rbac.Permission{}
-
-		if orgID != uuid.Nil {
-			// replace site wide org permissions with org scoped permissions
-			delete(sitePermissions, rbac.ResourceOrganization.Type)
-			orgPermissions = map[string][]rbac.Permission{
-				orgID.String(): rbac.Permissions(map[string][]policy.Action{
+	subjectProvisionerd = rbac.Subject{
+		FriendlyName: "Provisioner Daemon",
+		ID:           uuid.Nil.String(),
+		Roles: rbac.Roles([]rbac.Role{
+			{
+				Identifier:  rbac.RoleIdentifier{Name: "provisionerd"},
+				DisplayName: "Provisioner Daemon",
+				Site: rbac.Permissions(map[string][]policy.Action{
+					// TODO: Add ProvisionerJob resource type.
+					rbac.ResourceFile.Type:     {policy.ActionRead},
+					rbac.ResourceSystem.Type:   {policy.WildcardSymbol},
+					rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate},
+					// Unsure why provisionerd needs update and read personal
+					rbac.ResourceUser.Type:             {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
+					rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStop},
+					rbac.ResourceWorkspace.Type:        {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop},
+					rbac.ResourceApiKey.Type:           {policy.WildcardSymbol},
+					// When org scoped provisioner credentials are implemented,
+					// this can be reduced to read a specific org.
 					rbac.ResourceOrganization.Type: {policy.ActionRead},
+					rbac.ResourceGroup.Type:        {policy.ActionRead},
 				}),
-			}
-		}
-
-		return rbac.Subject{
-			FriendlyName: "Provisioner Daemon",
-			ID:           uuid.Nil.String(),
-			Roles: rbac.Roles([]rbac.Role{
-				{
-					Identifier:  rbac.RoleIdentifier{Name: "provisionerd"},
-					DisplayName: "Provisioner Daemon",
-					Site:        rbac.Permissions(sitePermissions),
-					Org:         orgPermissions,
-					User:        []rbac.Permission{},
-				},
-			}),
-			Scope: rbac.ScopeAll,
-		}.WithCachedASTValue()
-	}
+				Org:  map[string][]rbac.Permission{},
+				User: []rbac.Permission{},
+			},
+		}),
+		Scope: rbac.ScopeAll,
+	}.WithCachedASTValue()
 
 	subjectAutostart = rbac.Subject{
 		FriendlyName: "Autostart",
@@ -277,13 +262,7 @@ var (
 // AsProvisionerd returns a context with an actor that has permissions required
 // for provisionerd to function.
 func AsProvisionerd(ctx context.Context) context.Context {
-	return context.WithValue(ctx, authContextKey{}, subjectProvisionerd(uuid.Nil))
-}
-
-// AsProvisionerd returns a context with an actor that has permissions required
-// for an org scoped provisionerd to function.
-func AsOrganizationProvisionerd(ctx context.Context, orgID uuid.UUID) context.Context {
-	return context.WithValue(ctx, authContextKey{}, subjectProvisionerd(orgID))
+	return context.WithValue(ctx, authContextKey{}, subjectProvisionerd)
 }
 
 // AsAutostart returns a context with an actor that has permissions required
diff --git a/coderd/httpmw/provisionerdaemon.go b/coderd/httpmw/provisionerdaemon.go
@@ -95,24 +95,33 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu
 				return
 			}
 
-			if subtle.ConstantTimeCompare(pk.HashedSecret, provisionerkey.HashSecret(keyValue)) != 1 {
+			if provisionerkey.Compare(pk.HashedSecret, provisionerkey.HashSecret(keyValue)) {
 				handleOptional(http.StatusUnauthorized, codersdk.Response{
 					Message: "provisioner daemon key invalid",
 				})
 				return
 			}
 
-			// The PSK does not indicate a specific provisioner daemon. So just
+			// The provisioner key does not indicate a specific provisioner daemon. So just
 			// store a boolean so the caller can check if the request is from an
 			// authenticated provisioner daemon.
 			ctx = context.WithValue(ctx, provisionerDaemonContextKey{}, true)
+			// store key used to authenticate the request
+			ctx = context.WithValue(ctx, provisionerKeyAuthContextKey{}, pk)
 			// nolint:gocritic // Authenticating as a provisioner daemon.
-			ctx = dbauthz.AsOrganizationProvisionerd(ctx, pk.OrganizationID)
+			ctx = dbauthz.AsProvisionerd(ctx)
 			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }
 
+type provisionerKeyAuthContextKey struct{}
+
+func ProvisionerKeyAuthOptional(r *http.Request) (database.ProvisionerKey, bool) {
+	user, ok := r.Context().Value(provisionerKeyAuthContextKey{}).(database.ProvisionerKey)
+	return user, ok
+}
+
 func fallbackToPSK(ctx context.Context, psk string, next http.Handler, w http.ResponseWriter, r *http.Request, handleOptional func(code int, response codersdk.Response)) {
 	token := r.Header.Get(codersdk.ProvisionerDaemonPSK)
 	if subtle.ConstantTimeCompare([]byte(token), []byte(psk)) != 1 {
diff --git a/coderd/provisionerkey/provisionerkey.go b/coderd/provisionerkey/provisionerkey.go
@@ -2,6 +2,7 @@ package provisionerkey
 
 import (
 	"crypto/sha256"
+	"crypto/subtle"
 	"fmt"
 	"strings"
 
@@ -49,3 +50,7 @@ func HashSecret(secret string) []byte {
 	h := sha256.Sum256([]byte(secret))
 	return h[:]
 }
+
+func Compare(a []byte, b []byte) bool {
+	return subtle.ConstantTimeCompare(a, b) != 1
+}
diff --git a/enterprise/coderd/provisionerdaemons.go b/enterprise/coderd/provisionerdaemons.go
@@ -108,10 +108,11 @@ func (p *provisionerDaemonAuth) authorize(r *http.Request, orgID uuid.UUID, tags
 		return nil, false
 	}
 
-	// ensure provisioner daemon subject can read organization
-	_, err := p.db.GetOrganizationByID(ctx, orgID)
-	if err != nil {
-		return nil, false
+	pk, ok := httpmw.ProvisionerKeyAuthOptional(r)
+	if ok {
+		if orgID != pk.OrganizationID {
+			return nil, false
+		}
 	}
 
 	// If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.

Original file line number	Diff line number	Diff line change
`@@ -108,10 +108,11 @@ func (p provisionerDaemonAuth) authorize(r http.Request, orgID uuid.UUID, tags`
`108`	`108`	`return nil, false`
`109`	`109`	`}`
`110`	`110`
`111`		`- // ensure provisioner daemon subject can read organization`
`112`		`- _, err := p.db.GetOrganizationByID(ctx, orgID)`
`113`		`- if err != nil {`
`114`		`- return nil, false`
	`111`	`+ pk, ok := httpmw.ProvisionerKeyAuthOptional(r)`
	`112`	`+ if ok {`
	`113`	`+ if orgID != pk.OrganizationID {`
	`114`	`+ return nil, false`
	`115`	`+ }`
`115`	`116`	`}`
`116`	`117`
`117`	`118`	`// If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.`