Skip to content

feat: implement provisioner auth middleware and proper org params #12330

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Mar 4, 2024
Merged

feat: implement provisioner auth middleware and proper org params #12330

Changes from 1 commit
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
913600f
feat: provisioner auth in mw to allow ExtractOrg
Emyrk Feb 27, 2024
df54d89
chore: handle default org handling for provisioner daemons
Emyrk Feb 27, 2024
3e982cb
Lint
Emyrk Feb 27, 2024
0cbd149
fix provisioner auth mw
Emyrk Feb 27, 2024
e543e57
Linting
Emyrk Feb 28, 2024
c6fef46
Move 403 -> 401
Emyrk Feb 28, 2024
9372502
Add unit tests
Emyrk Feb 28, 2024
c855447
update todo comment
Emyrk Feb 28, 2024
321a145
fixup previous authorize
Emyrk Feb 28, 2024
0656d80
use const for test
Emyrk Feb 28, 2024
03d6f74
Fix logger name, update comment
Emyrk Feb 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
fix provisioner auth mw
  • Loading branch information
@Emyrk
Emyrk committed Feb 27, 2024
commit 0cbd14927176d63975ff0d02d36764fd41c68368
19 changes: 10 additions & 9 deletions coderd/httpmw/provisionerdaemon.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ import (
type provisionerDaemonContextKey struct{}

func ProvisionerDaemonAuthenticated(r *http.Request) bool {
proxy, ok := r.Context().Value(workspaceProxyContextKey{}).(bool)
proxy, ok := r.Context().Value(provisionerDaemonContextKey{}).(bool)
return ok && proxy
}

Expand All @@ -29,33 +29,34 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig, ps
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
if psk == "" {

handleOptional := func(code int, response codersdk.Response) {
if opts.Optional {
next.ServeHTTP(w, r)
return
}
httpapi.Write(ctx, w, code, response)
}

if psk == "" {
// No psk means external provisioner daemons are not allowed.
// So their auth is not valid.
httpapi.Write(ctx, w, http.StatusBadRequest, codersdk.Response{
handleOptional(http.StatusBadRequest, codersdk.Response{
Message: "External provisioner daemons not enabled",
})
return
}

token := r.Header.Get(codersdk.ProvisionerDaemonPSK)
if token == "" {
if opts.Optional {
next.ServeHTTP(w, r)
return
}
httpapi.Write(ctx, w, http.StatusUnauthorized, codersdk.Response{
handleOptional(http.StatusUnauthorized, codersdk.Response{
Message: "provisioner daemon auth token required",
})
return
}

if subtle.ConstantTimeCompare([]byte(token), []byte(psk)) != 1 {
httpapi.Write(ctx, w, http.StatusUnauthorized, codersdk.Response{
handleOptional(http.StatusUnauthorized, codersdk.Response{
Message: "provisioner daemon auth token invalid",
})
return
Expand Down