
feat: accept provisioner keys for provisioner auth #13972


Merged
merged 10 commits into from
Jul 25, 2024


@f0ssel f0ssel commented Jul 22, 2024

What this changes:

  • Provisioner auth middleware now accepts a provisioner key via a header
    • API provides error if both the psk and provisioner key are specified
  • Provisioner rbac subject will now have org scoped permissions when authenticating with a provisioner key
    • Site org permissions are removed in this process
  • System restricted role now has provisioner key permissions

@f0ssel f0ssel mentioned this pull request Jul 22, 2024
17 tasks
@f0ssel f0ssel force-pushed the f0ssel/use-provisioner-key-auth branch from a53ffdb to e374c42 Compare July 23, 2024 15:03
@f0ssel f0ssel marked this pull request as ready for review July 23, 2024 16:36
@f0ssel f0ssel requested a review from Emyrk July 23, 2024 16:36
@f0ssel f0ssel force-pushed the f0ssel/use-provisioner-key-auth branch from 948c470 to 32ff000 Compare July 23, 2024 18:14
Comment on lines +229 to +234
if req.ProvisionerKey != "" {
headers.Set(ProvisionerDaemonKey, req.ProvisionerKey)
}
if req.PreSharedKey != "" {
headers.Set(ProvisionerDaemonPSK, req.PreSharedKey)
}
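Review bot: Lines 229 to 234 set the two headers in independent `if` blocks, so a request with both `ProvisionerKey` and `PreSharedKey` populated sends both credentials, and nothing at this site says that is deliberate. The description states that the API returns an error when both are specified, so add a short comment above these blocks saying the server rejects the combination; otherwise a later reader may "fix" it by silently preferring one credential.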
Member

Should these be mutually exclusive?

Contributor Author

I wanted it to fail at the API layer instead of silently taking one or the other. I could do a client error but thought it was cleaner to just have the server handle it.
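The server-side behaviour discussed in this thread (reject a request that carries both credentials instead of picking one) can be sketched as follows. This is an added Go example, not code from this pull request; the header names, `authProvisioner` and `lookupKey` are hypothetical, and the credential values are constructed.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
)

// Hypothetical header names; the project's real values are not shown on the page.
const (
	headerPSK = "X-Example-Provisioner-PSK"
	headerKey = "X-Example-Provisioner-Key"
)

var (
	errBoth = errors.New("provisioner key and PSK are mutually exclusive")
	errNone = errors.New("no provisioner credential supplied")
	errBad  = errors.New("invalid provisioner credential")
)

// authProvisioner returns the method used ("psk" or "key") and, for a key, its organization.
// lookupKey is an assumed callback mapping a provisioner key to its organization.
func authProvisioner(h http.Header, serverPSK string, lookupKey func(string) (string, bool)) (string, string, error) {
	psk, key := h.Get(headerPSK), h.Get(headerKey)
	switch {
	case psk != "" && key != "":
		// Fail closed rather than silently preferring one credential.
		return "", "", errBoth
	case key != "":
		org, ok := lookupKey(key)
		if !ok {
			return "", "", errBad
		}
		return "key", org, nil
	case psk != "":
		if serverPSK == "" || subtle.ConstantTimeCompare([]byte(psk), []byte(serverPSK)) != 1 {
			return "", "", errBad
		}
		return "psk", "", nil
	}
	return "", "", errNone
}

func main() {
	h := http.Header{}
	h.Set(headerPSK, "constructed-psk") // constructed sample values
	h.Set(headerKey, "constructed-key")
	fmt.Println(authProvisioner(h, "constructed-psk", func(string) (string, bool) { return "org-a", true }))
}
```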

@f0ssel f0ssel requested a review from Emyrk July 24, 2024 16:28
@f0ssel f0ssel merged commit ca83017 into main Jul 25, 2024
29 checks passed
@f0ssel f0ssel deleted the f0ssel/use-provisioner-key-auth branch July 25, 2024 14:22
@github-actions github-actions bot locked and limited conversation to collaborators Jul 25, 2024