
Commit e20fac4

committed
escalate privs where required for provisionerd
1 parent 6761671 commit e20fac4


2 files changed

+14
-1
lines changed


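--- a/coderd/provisionerdserver/provisionerdserver.go
+++ b/coderd/provisionerdserver/provisionerdserver.go
@@ -24,8 +24,10 @@ import (
 "cdr.dev/slog"
 
 "github.com/coder/coder/coderd/audit"
+"github.com/coder/coder/coderd/authzquery"
 "github.com/coder/coder/coderd/database"
 "github.com/coder/coder/coderd/parameter"
+"github.com/coder/coder/coderd/rbac"
 "github.com/coder/coder/coderd/telemetry"
 "github.com/coder/coder/codersdk"
 "github.com/coder/coder/provisioner"
@@ -56,6 +58,8 @@ type Server struct {
 
 // AcquireJob queries the database to lock a job.
 func (server *Server) AcquireJob(ctx context.Context, _ *proto.Empty) (*proto.AcquiredJob, error) {
+// TODO: make a provisionerd role
+ctx = authzquery.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
 // This prevents loads of provisioner daemons from consistently
 // querying the database when no jobs are available.
 //
@@ -299,6 +303,8 @@ func (server *Server) CommitQuota(ctx context.Context, request *proto.CommitQuot
 }
 
 func (server *Server) UpdateJob(ctx context.Context, request *proto.UpdateJobRequest) (*proto.UpdateJobResponse, error) {
+// TODO: make a provisionerd role
+ctx = authzquery.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
 parsedID, err := uuid.Parse(request.JobId)
 if err != nil {
 return nil, xerrors.Errorf("parse job id: %w", err)
@@ -470,6 +476,8 @@ func (server *Server) UpdateJob(ctx context.Context, request *proto.UpdateJobReq
 }
 
 func (server *Server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*proto.Empty, error) {
+// TODO: make a provisionerd role
+ctx = authzquery.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
 jobID, err := uuid.Parse(failJob.JobId)
 if err != nil {
 return nil, xerrors.Errorf("parse job id: %w", err)
@@ -595,6 +603,8 @@ func (server *Server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*p
 
 // CompleteJob is triggered by a provision daemon to mark a provisioner job as completed.
 func (server *Server) CompleteJob(ctx context.Context, completed *proto.CompletedJob) (*proto.Empty, error) {
+// TODO: make a provisionerd role
+ctx = authzquery.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
 jobID, err := uuid.Parse(completed.JobId)
 if err != nil {
 return nil, xerrors.Errorf("parse job id: %w", err)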
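Review bot: Reassigning `ctx` to a `rbac.RolesAdminSystem()` context on the first line of AcquireJob means every later call in the function, not only the job-lock query, runs with whatever that role grants, and the UpdateJob, FailJob and CompleteJob hunks repeat the same pattern. The TODO names the intended fix but not the consequence, so I would expand it to `// TODO: make a provisionerd role. Until then this request runs with system-level authorization for its entire duration; keep every call below this line to what provisionerd strictly needs.` in all four places. The daemon-supplied field (`request.JobId`, `failJob.JobId`, `completed.JobId`) is parsed only after the escalation, so it would be cheaper and tighter to validate the input first and escalate only the context handed to the database calls that need it. All four function bodies continue outside their hunks, so I cannot tell from here which calls actually require the elevated context.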

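--- a/coderd/workspaceresourceauth.go
+++ b/coderd/workspaceresourceauth.go
@@ -7,11 +7,13 @@ import (
 "fmt"
 "net/http"
 
+"github.com/coder/coder/coderd/authzquery"
 "github.com/coder/coder/coderd/awsidentity"
 "github.com/coder/coder/coderd/azureidentity"
 "github.com/coder/coder/coderd/database"
 "github.com/coder/coder/coderd/httpapi"
 "github.com/coder/coder/coderd/provisionerdserver"
+"github.com/coder/coder/coderd/rbac"
 "github.com/coder/coder/codersdk"
 
 "github.com/mitchellh/mapstructure"
@@ -124,7 +126,8 @@ func (api *API) postWorkspaceAuthGoogleInstanceIdentity(rw http.ResponseWriter,
 }
 
 func (api *API) handleAuthInstanceID(rw http.ResponseWriter, r *http.Request, instanceID string) {
-ctx := r.Context()
+// TODO: reduce the scope of this auth if possible.
+ctx := authzquery.WithAuthorizeSystemContext(r.Context(), rbac.RolesAdminSystem())
 agent, err := api.Database.GetWorkspaceAgentByInstanceID(ctx, instanceID)
 if errors.Is(err, sql.ErrNoRows) {
 httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{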
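Review bot: The replaced `ctx` in handleAuthInstanceID carries `rbac.RolesAdminSystem()` for the whole handler, although the only call visible in the hunk that needs it is the `GetWorkspaceAgentByInstanceID` lookup; the `httpapi.Write` response path and everything after it in the body (which continues outside the hunk) inherit the escalation as well. A narrower form keeps the request context and elevates only the lookup: `ctx := r.Context()` followed by `agent, err := api.Database.GetWorkspaceAgentByInstanceID(authzquery.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem()), instanceID)`. If later calls in the function also require the elevated context, the TODO should name them so the scope is reduced deliberately rather than left open-ended.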
