Skip to content

feat: accept provisioner keys for provisioner auth #13972

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Jul 25, 2024
Merged

feat: accept provisioner keys for provisioner auth #13972

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
abe253d
feat: accept provisioner keys for provisioner auth
f0ssel Jul 22, 2024
6837b57
fix panic
f0ssel Jul 22, 2024
56a880d
tests
f0ssel Jul 23, 2024
32ff000
limit on api side
f0ssel Jul 23, 2024
c9376a0
revert rbac changes
f0ssel Jul 24, 2024
1e9b79a
move to mw
f0ssel Jul 24, 2024
1214b62
move back to authorize
f0ssel Jul 24, 2024
c7c00e7
fix authorization with pk given
f0ssel Jul 24, 2024
5d470f0
forbid user and pk auth
f0ssel Jul 24, 2024
1a45338
forbid user and pk auth
f0ssel Jul 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
move to mw
  • Loading branch information
@f0ssel
f0ssel committed Jul 24, 2024
commit 1e9b79a7858944c3a041e3ecd32a807c6f513180
8 changes: 8 additions & 0 deletions coderd/httpmw/provisionerdaemon.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
org := OrganizationParam(r)

handleOptional := func(code int, response codersdk.Response) {
if opts.Optional {
Expand Down Expand Up @@ -102,6 +103,13 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu
return
}

if pk.OrganizationID != org.ID {
handleOptional(http.StatusUnauthorized, codersdk.Response{
Message: "provisioner daemon key invalid",
})
return
}

// The provisioner key does not indicate a specific provisioner daemon. So just
// store a boolean so the caller can check if the request is from an
// authenticated provisioner daemon.
Expand Down
2 changes: 1 addition & 1 deletion enterprise/coderd/coderd.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -284,6 +284,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
r.Use(
api.provisionerDaemonsEnabledMW,
apiKeyMiddlewareOptional,
httpmw.ExtractOrganizationParam(api.Database),
httpmw.ExtractProvisionerDaemonAuthenticated(httpmw.ExtractProvisionerAuthConfig{
DB: api.Database,
Optional: true,
Expand All @@ -293,7 +294,6 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
// Either a user auth or provisioner auth is required
// to move forward.
httpmw.RequireAPIKeyOrProvisionerDaemonAuth(),
httpmw.ExtractOrganizationParam(api.Database),
)
r.With(apiKeyMiddleware).Get("/", api.provisionerDaemons)
r.With(apiKeyMiddlewareOptional).Get("/serve", api.provisionerDaemonServe)
Expand Down
7 changes: 0 additions & 7 deletions enterprise/coderd/provisionerdaemons.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,13 +108,6 @@ func (p *provisionerDaemonAuth) authorize(r *http.Request, orgID uuid.UUID, tags
return nil, false
}

pk, ok := httpmw.ProvisionerKeyAuthOptional(r)
if ok {
if orgID != pk.OrganizationID {
return nil, false
}
}

// If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.
tags = provisionersdk.MutateTags(uuid.Nil, tags)
return tags, true
Expand Down
Loading