hub / github.com/coder/coder / authorize

Method authorize

enterprise/coderd/provisionerdaemons.go:67–146  ·  view source on GitHub ↗

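authorize checks whether the given HTTP request is authorized to access the provisioner daemon protobuf API. On success it returns a provisiionerDaemonAuthResponse carrying the key ID, organization ID and mutated tags; on failure it returns an empty response and a non-nil error. The listing shows three authentication paths tried in order: provisioner key, PSK (allowed only for the default organization), then user API key. A request that presents both an API key and a provisioner key is rejected, as is one that supplies tags together with a provisioner key. The listing stops at source line 123 of the 67–146 range, so the remainder of the user-auth path is not shown here.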

(r *http.Request, org database.Organization, tags map[string]string)


65// authorize returns mutated tags if the given HTTP request is authorized to access the provisioner daemon
66// protobuf API, and returns nil, err otherwise.
67func (p *provisionerDaemonAuth) authorize(r *http.Request, org database.Organization, tags map[string]string) (provisiionerDaemonAuthResponse, error) {
68 ctx := r.Context()
69 apiKey, apiKeyOK := httpmw.APIKeyOptional(r)
70 pk, pkOK := httpmw.ProvisionerKeyAuthOptional(r)
71 provAuth := httpmw.ProvisionerDaemonAuthenticated(r)
72 if !provAuth && !apiKeyOK {
73 return provisiionerDaemonAuthResponse{}, xerrors.New("no API key or provisioner key provided")
74 }
75 if apiKeyOK && pkOK {
76 return provisiionerDaemonAuthResponse{}, xerrors.New("Both API key and provisioner key authentication provided. Only one is allowed.")
77 }
78
79 // Provisioner Key Auth
80 if pkOK {
81 if tags != nil && !maps.Equal(tags, map[string]string{}) {
82 return provisiionerDaemonAuthResponse{}, xerrors.New("tags are not allowed when using a provisioner key")
83 }
84
85 // If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.
86 // Use the provisioner key tags here.
87 tags = provisionersdk.MutateTags(uuid.Nil, pk.Tags)
88 return provisiionerDaemonAuthResponse{
89 keyID: pk.ID,
90 orgID: pk.OrganizationID,
91 tags: tags,
92 }, nil
93 }
94
95 // PSK Auth
96 if provAuth {
97 if !org.IsDefault {
98 return provisiionerDaemonAuthResponse{}, xerrors.Errorf("PSK auth is only allowed for the default organization '%s'", org.Name)
99 }
100
101 pskKey, err := uuid.Parse(codersdk.ProvisionerKeyIDPSK)
102 if err != nil {
103 return provisiionerDaemonAuthResponse{}, xerrors.Errorf("parse psk provisioner key id: %w", err)
104 }
105
106 tags = provisionersdk.MutateTags(uuid.Nil, tags)
107
108 return provisiionerDaemonAuthResponse{
109 keyID: pskKey,
110 orgID: org.ID,
111 tags: tags,
112 }, nil
113 }
114
115 // User Auth
116 if !apiKeyOK {
117 return provisiionerDaemonAuthResponse{}, xerrors.New("no API key provided")
118 }
119
120 userKey, err := uuid.Parse(codersdk.ProvisionerKeyIDUserAuth)
121 if err != nil {
122 return provisiionerDaemonAuthResponse{}, xerrors.Errorf("parse user provisioner key id: %w", err)
123 }
124

Callers 1

Calls 12

APIKeyOptionalFunction · 0.92
MutateTagsFunction · 0.92
UserAuthorizationFunction · 0.92
InOrgMethod · 0.80
ContextMethod · 0.65
NewMethod · 0.65
ParseMethod · 0.65
AuthorizeMethod · 0.65
EqualMethod · 0.45
ErrorfMethod · 0.45

Tested by

no test coverage detected