Skip to content

fix(enterprise/cli): correctly set default tags for PSK auth #9436

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Sep 1, 2023
Merged

fix(enterprise/cli): correctly set default tags for PSK auth #9436

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
95b51ed
fix(provisionerd): correctly mutate default tags for PSK auth
johnstcn Aug 30, 2023
4fda818
address PR comments
johnstcn Aug 30, 2023
79717aa
ignore error log in test
johnstcn Aug 30, 2023
89030f2
do not log context.Canceled errors
johnstcn Aug 31, 2023
3e1a94b
address PR comment
johnstcn Aug 31, 2023
34ef0a7
unconditionally set tag scope to org for psk auth
johnstcn Sep 1, 2023
475311a
cli: add some informational logging statements around provisionerd tags
johnstcn Sep 1, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion coderd/provisionerdserver/provisionertags.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,9 @@ func MutateTags(userID uuid.UUID, tags map[string]string) map[string]string {
}
switch tags[TagScope] {
case ScopeUser:
tags[TagOwner] = userID.String()
if userID != uuid.Nil {
tags[TagOwner] = userID.String()
}
case ScopeOrganization:
default:
tags[TagScope] = ScopeOrganization
Expand Down
80 changes: 80 additions & 0 deletions coderd/provisionerdserver/provisionertags_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
package provisionerdserver_test

import (
"encoding/json"
"testing"

"github.com/google/uuid"
"github.com/stretchr/testify/require"

"github.com/coder/coder/v2/coderd/provisionerdserver"
)

func TestMutateTags(t *testing.T) {
t.Parallel()

testUserID := uuid.New()

for _, tt := range []struct {
name string
userID uuid.UUID
tags map[string]string
want map[string]string
}{
{
name: "nil tags",
userID: uuid.Nil,
tags: nil,
want: map[string]string{
provisionerdserver.TagScope: provisionerdserver.ScopeOrganization,
},
},
{
name: "empty tags",
userID: uuid.Nil,
tags: map[string]string{},
want: map[string]string{
provisionerdserver.TagScope: provisionerdserver.ScopeOrganization,
},
},
{
name: "user scope",
tags: map[string]string{provisionerdserver.TagScope: provisionerdserver.ScopeUser},
userID: testUserID,
want: map[string]string{
provisionerdserver.TagScope: provisionerdserver.ScopeUser,
provisionerdserver.TagOwner: testUserID.String(),
},
},
{
name: "organization scope",
tags: map[string]string{provisionerdserver.TagScope: provisionerdserver.ScopeOrganization},
userID: testUserID,
want: map[string]string{
provisionerdserver.TagScope: provisionerdserver.ScopeOrganization,
},
},
{
name: "invalid scope",
tags: map[string]string{provisionerdserver.TagScope: "360noscope"},
userID: testUserID,
want: map[string]string{
provisionerdserver.TagScope: provisionerdserver.ScopeOrganization,
},
},
} {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
// make a copy of the map because the function under test
// mutates the map
bytes, err := json.Marshal(tt.tags)
require.NoError(t, err)
var tags map[string]string
err = json.Unmarshal(bytes, &tags)
require.NoError(t, err)
got := provisionerdserver.MutateTags(tt.userID, tags)
require.Equal(t, tt.want, got)
})
}
}
3 changes: 3 additions & 0 deletions enterprise/cli/provisionerdaemons.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,9 @@ func (r *RootCmd) provisionerDaemonStart() *clibase.Cmd {
}()

logger := slog.Make(sloghuman.Sink(inv.Stderr))
if ok, _ := inv.ParsedFlags().GetBool("verbose"); ok {
logger = logger.Leveled(slog.LevelDebug)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

errCh := make(chan error, 1)
go func() {
defer cancel()
Expand Down
26 changes: 26 additions & 0 deletions enterprise/coderd/provisionerdaemons.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,13 @@ func (p *provisionerDaemonAuth) authorize(r *http.Request, tags map[string]strin
if p.psk != "" {
psk := r.Header.Get(codersdk.ProvisionerDaemonPSK)
if subtle.ConstantTimeCompare([]byte(p.psk), []byte(psk)) == 1 {
if len(tags) == 0 {
// Directly scope to organization if no tags are provided.
// MutateTags is only meant for scoping based on users.
tags = map[string]string{
provisionerdserver.TagScope: provisionerdserver.ScopeOrganization,
}
}
return tags, true
}
}
Expand Down Expand Up @@ -172,10 +179,12 @@ func (api *API) provisionerDaemonServe(rw http.ResponseWriter, r *http.Request)

tags, authorized := api.provisionerDaemonAuth.authorize(r, tags)
if !authorized {
api.Logger.Warn(ctx, "unauthorized provisioner daemon serve request", slog.F("tags", tags))
httpapi.Write(ctx, rw, http.StatusForbidden,
codersdk.Response{Message: "You aren't allowed to create provisioner daemons"})
return
}
api.Logger.Debug(ctx, "provisioner authorized", slog.F("tags", tags))

provisioners := make([]database.ProvisionerType, 0)
for p := range provisionersMap {
Expand All @@ -188,6 +197,11 @@ func (api *API) provisionerDaemonServe(rw http.ResponseWriter, r *http.Request)
}

name := namesgenerator.GetRandomName(1)
log := api.Logger.With(
slog.F("name", name),
slog.F("provisioners", provisioners),
slog.F("tags", tags),
)
daemon, err := api.Database.InsertProvisionerDaemon(ctx, database.InsertProvisionerDaemonParams{
ID: uuid.New(),
CreatedAt: database.Now(),
Expand All @@ -196,6 +210,9 @@ func (api *API) provisionerDaemonServe(rw http.ResponseWriter, r *http.Request)
Tags: tags,
})
if err != nil {
if !xerrors.Is(err, context.Canceled) {
log.Error(ctx, "write provisioner daemon", slog.Error(err))
}
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
Message: "Internal error writing provisioner daemon.",
Detail: err.Error(),
Expand All @@ -205,6 +222,9 @@ func (api *API) provisionerDaemonServe(rw http.ResponseWriter, r *http.Request)

rawTags, err := json.Marshal(daemon.Tags)
if err != nil {
if !xerrors.Is(err, context.Canceled) {
log.Error(ctx, "marshal provisioner tags", slog.Error(err))
}
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
Message: "Internal error marshaling daemon tags.",
Detail: err.Error(),
Expand All @@ -222,6 +242,9 @@ func (api *API) provisionerDaemonServe(rw http.ResponseWriter, r *http.Request)
CompressionMode: websocket.CompressionDisabled,
})
if err != nil {
if !xerrors.Is(err, context.Canceled) {
log.Error(ctx, "accept provisioner websocket conn", slog.Error(err))
}
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "Internal error accepting websocket connection.",
Detail: err.Error(),
Expand Down Expand Up @@ -267,6 +290,9 @@ func (api *API) provisionerDaemonServe(rw http.ResponseWriter, r *http.Request)
},
)
if err != nil {
if !xerrors.Is(err, context.Canceled) {
log.Error(ctx, "create provisioner daemon server", slog.Error(err))
}
_ = conn.Close(websocket.StatusInternalError, httpapi.WebsocketCloseSprintf("create provisioner daemon server: %s", err))
return
}
Expand Down