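authorize checks whether the given HTTP request is authorized to access the provisioner daemon protobuf API. On success it returns a provisiionerDaemonAuthResponse carrying the mutated tags (the branches shown also set the key ID and organization ID); otherwise it returns a zero-value response together with a non-nil error, rather than nil. In the code shown, a request that presents both an API key and a provisioner key is rejected, tags may not be supplied with a provisioner key, and PSK auth is accepted only for the default organization.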
(r *http.Request, org database.Organization, tags map[string]string)
| 65 | // authorize returns mutated tags if the given HTTP request is authorized to access the provisioner daemon |
| 66 | // protobuf API, and returns nil, err otherwise. |
| 67 | func (p *provisionerDaemonAuth) authorize(r *http.Request, org database.Organization, tags map[string]string) (provisiionerDaemonAuthResponse, error) { |
| 68 | ctx := r.Context() |
| 69 | apiKey, apiKeyOK := httpmw.APIKeyOptional(r) |
| 70 | pk, pkOK := httpmw.ProvisionerKeyAuthOptional(r) |
| 71 | provAuth := httpmw.ProvisionerDaemonAuthenticated(r) |
| 72 | if !provAuth && !apiKeyOK { |
| 73 | return provisiionerDaemonAuthResponse{}, xerrors.New("no API key or provisioner key provided") |
| 74 | } |
| 75 | if apiKeyOK && pkOK { |
| 76 | return provisiionerDaemonAuthResponse{}, xerrors.New("Both API key and provisioner key authentication provided. Only one is allowed.") |
| 77 | } |
| 78 | |
| 79 | // Provisioner Key Auth |
| 80 | if pkOK { |
| 81 | if tags != nil && !maps.Equal(tags, map[string]string{}) { |
| 82 | return provisiionerDaemonAuthResponse{}, xerrors.New("tags are not allowed when using a provisioner key") |
| 83 | } |
| 84 | |
| 85 | // If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization. |
| 86 | // Use the provisioner key tags here. |
| 87 | tags = provisionersdk.MutateTags(uuid.Nil, pk.Tags) |
| 88 | return provisiionerDaemonAuthResponse{ |
| 89 | keyID: pk.ID, |
| 90 | orgID: pk.OrganizationID, |
| 91 | tags: tags, |
| 92 | }, nil |
| 93 | } |
| 94 | |
| 95 | // PSK Auth |
| 96 | if provAuth { |
| 97 | if !org.IsDefault { |
| 98 | return provisiionerDaemonAuthResponse{}, xerrors.Errorf("PSK auth is only allowed for the default organization '%s'", org.Name) |
| 99 | } |
| 100 | |
| 101 | pskKey, err := uuid.Parse(codersdk.ProvisionerKeyIDPSK) |
| 102 | if err != nil { |
| 103 | return provisiionerDaemonAuthResponse{}, xerrors.Errorf("parse psk provisioner key id: %w", err) |
| 104 | } |
| 105 | |
| 106 | tags = provisionersdk.MutateTags(uuid.Nil, tags) |
| 107 | |
| 108 | return provisiionerDaemonAuthResponse{ |
| 109 | keyID: pskKey, |
| 110 | orgID: org.ID, |
| 111 | tags: tags, |
| 112 | }, nil |
| 113 | } |
| 114 | |
| 115 | // User Auth |
| 116 | if !apiKeyOK { |
| 117 | return provisiionerDaemonAuthResponse{}, xerrors.New("no API key provided") |
| 118 | } |
| 119 | |
| 120 | userKey, err := uuid.Parse(codersdk.ProvisionerKeyIDUserAuth) |
| 121 | if err != nil { |
| 122 | return provisiionerDaemonAuthResponse{}, xerrors.Errorf("parse user provisioner key id: %w", err) |
| 123 | } |
| 124 |
no test coverage detected