NotificationsYou must be signed in to change notification settings
Fork914
Star10.1k

Commit13d9896

committed

auth tunnels via updater

1 parenta694bb3 commit13d9896Copy full SHA for 13d9896

File tree

7 files changed

+36

-38

lines changed

coderd
- workspaceagents.go
- workspaceupdates.go
enterprise/tailnet
- connio.go
tailnet

7 files changed

+36

-38

lines changed

`‎coderd/workspaceagents.go`

Lines changed: 3 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -1491,7 +1491,6 @@ func (api *API) workspaceAgentsExternalAuthListen(ctx context.Context, rw http.R`
`1491`	`1491`	`func (apiAPI)tailnet(rw http.ResponseWriter,rhttp.Request) {`
`1492`	`1492`	`ctx:=r.Context()`
`1493`	`1493`	`owner:=httpmw.UserParam(r)`
`1494`		`-ownerRoles:=httpmw.UserAuthorization(r)`
`1495`	`1494`
`1496`	`1495`	`// Check if the actor is allowed to access any workspace owned by the user.`
`1497`	`1496`	`if!api.Authorize(r,policy.ActionSSH,rbac.ResourceWorkspace.WithOwner(owner.ID.String())) {`
`@@ -1539,32 +1538,16 @@ func (api API) tailnet(rw http.ResponseWriter, r http.Request) {`
`1539`	`1538`
`1540`	`1539`	`gohttpapi.Heartbeat(ctx,conn)`
`1541`	`1540`	`err=api.TailnetClientService.ServeUserClient(ctx,version,wsNetConn, tailnet.ServeUserClientOptions{`
`1542`		`-PeerID:peerID,`
`1543`		`-UserID:owner.ID,`
`1544`		`-AuthFn:authAgentFn(api.Database,api.Authorizer,&ownerRoles),`
	`1541`	`+PeerID:peerID,`
	`1542`	`+UserID:owner.ID,`
	`1543`	`+UpdatesProvider:api.WorkspaceUpdatesProvider,`
`1545`	`1544`	`})`
`1546`	`1545`	`iferr!=nil&&!xerrors.Is(err,io.EOF)&&!xerrors.Is(err,context.Canceled) {`
`1547`	`1546`	`_=conn.Close(websocket.StatusInternalError,err.Error())`
`1548`	`1547`	`return`
`1549`	`1548`	`}`
`1550`	`1549`	`}`
`1551`	`1550`
`1552`		`-// authAgentFn accepts a subject, and returns a closure that authorizes against`
`1553`		`-// passed agent IDs.`
`1554`		`-funcauthAgentFn(db database.Store,auth rbac.Authorizer,user*rbac.Subject)func(context.Context, uuid.UUID)error {`
`1555`		`-returnfunc(ctx context.Context,agentID uuid.UUID)error {`
`1556`		`-ws,err:=db.GetWorkspaceByAgentID(ctx,agentID)`
`1557`		`-iferr!=nil {`
`1558`		`-returnxerrors.Errorf("get workspace by agent id: %w",err)`
`1559`		`-}`
`1560`		`-err=auth.Authorize(ctx,*user,policy.ActionSSH,ws.RBACObject())`
`1561`		`-iferr!=nil {`
`1562`		`-returnxerrors.Errorf("workspace agent not found or you do not have permission: %w",sql.ErrNoRows)`
`1563`		`-}`
`1564`		`-returnnil`
`1565`		`-}`
`1566`		`-}`
`1567`		`-`
`1568`	`1551`	`// createExternalAuthResponse creates an ExternalAuthResponse based on the`
`1569`	`1552`	// provider type. This is to support legacy `/workspaceagents/me/gitauth`
`1570`	`1553`	// which uses `Username` and `Password`.

`‎coderd/workspaceupdates.go`

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,24 @@ type updatesProvider struct {`
`91`	`91`	`cancelFnfunc()`
`92`	`92`	`}`
`93`	`93`
	`94`	`+func (u*updatesProvider)IsOwner(userID uuid.UUID,agentID uuid.UUID)error {`
	`95`	`+u.mu.RLock()`
	`96`	`+deferu.mu.RUnlock()`
	`97`	`+`
	`98`	`+workspaces,exists:=u.latest[userID]`
	`99`	`+if!exists {`
	`100`	`+returnxerrors.Errorf("workspace agent not found or you do not have permission: %w",sql.ErrNoRows)`
	`101`	`+}`
	`102`	`+for_,workspace:=rangeworkspaces {`
	`103`	`+for_,agent:=rangeworkspace.Agents {`
	`104`	`+ifagent.ID==agentID {`
	`105`	`+returnnil`
	`106`	`+}`
	`107`	`+}`
	`108`	`+}`
	`109`	`+returnxerrors.Errorf("workspace agent not found or you do not have permission: %w",sql.ErrNoRows)`
	`110`	`+}`
	`111`	`+`
`94`	`112`	`var_ tailnet.WorkspaceUpdatesProvider= (*updatesProvider)(nil)`
`95`	`113`
`96`	`114`	`funcNewUpdatesProvider(ctx context.Context,dbUpdateQuerier,ps pubsub.Pubsub) (tailnet.WorkspaceUpdatesProvider,error) {`

`‎enterprise/tailnet/connio.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -133,7 +133,7 @@ var errDisconnect = xerrors.New("graceful disconnect")`
`133`	`133`
`134`	`134`	`func (cconnIO)handleRequest(reqproto.CoordinateRequest)error {`
`135`	`135`	`c.logger.Debug(c.peerCtx,"got request")`
`136`		`-err:=c.auth.Authorize(c.coordCtx,req)`
	`136`	`+err:=c.auth.Authorize(req)`
`137`	`137`	`iferr!=nil {`
`138`	`138`	`c.logger.Warn(c.peerCtx,"unauthorized request",slog.Error(err))`
`139`	`139`	`returnxerrors.Errorf("authorize request: %w",err)`

`‎tailnet/coordinator.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -577,7 +577,7 @@ func (c core) handleRequest(p peer, req *proto.CoordinateRequest) error {`
`577`	`577`	`returnErrAlreadyRemoved`
`578`	`578`	`}`
`579`	`579`
`580`		`-iferr:=pr.auth.Authorize(context.Background(),req);err!=nil {`
	`580`	`+iferr:=pr.auth.Authorize(req);err!=nil {`
`581`	`581`	`returnxerrors.Errorf("authorize request: %w",err)`
`582`	`582`	`}`
`583`	`583`

`‎tailnet/service.go`

Lines changed: 4 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,7 @@ type WorkspaceUpdatesProvider interface {`
`43`	`43`	`Subscribe(peerID uuid.UUID,userID uuid.UUID) (<-chan*proto.WorkspaceUpdate,error)`
`44`	`44`	`Unsubscribe(peerID uuid.UUID)`
`45`	`45`	`Stop()`
	`46`	`+IsOwner(userID uuid.UUID,agentID uuid.UUID)error`
`46`	`47`	`}`
`47`	`48`
`48`	`49`	`typeClientServiceOptionsstruct {`
`@@ -119,11 +120,9 @@ func (s *ClientService) ServeClient(ctx context.Context, version string, conn ne`
`119`	`120`	`}`
`120`	`121`
`121`	`122`	`typeServeUserClientOptionsstruct {`
`122`		`-PeerID uuid.UUID`
`123`		`-UserID uuid.UUID`
`124`		-// AuthFn authorizes the user to `ActionSSH` against the workspace given
`125`		`-// an agent ID.`
`126`		`-AuthFnfunc(context.Context, uuid.UUID)error`
	`123`	`+PeerID uuid.UUID`
	`124`	`+UserID uuid.UUID`
	`125`	`+UpdatesProviderWorkspaceUpdatesProvider`
`127`	`126`	`}`
`128`	`127`
`129`	`128`	`func (s*ClientService)ServeUserClient(ctx context.Context,versionstring,conn net.Conn,optsServeUserClientOptions)error {`
`@@ -136,7 +135,6 @@ func (s *ClientService) ServeUserClient(ctx context.Context, version string, con`
`136`	`135`	`case2:`
`137`	`136`	`auth:=ClientUserCoordinateeAuth{`
`138`	`137`	`UserID:opts.UserID,`
`139`		`-AuthFn:opts.AuthFn,`
`140`	`138`	`}`
`141`	`139`	`streamID:=StreamID{`
`142`	`140`	`Name:"client",`

`‎tailnet/service_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ func TestClientService_ServeClient_V2(t *testing.T) {`
`74`	`74`	`require.NotNil(t,call)`
`75`	`75`	`require.Equal(t,call.ID,clientID)`
`76`	`76`	`require.Equal(t,call.Name,"client")`
`77`		`-require.NoError(t,call.Auth.Authorize(ctx,&proto.CoordinateRequest{`
	`77`	`+require.NoError(t,call.Auth.Authorize(&proto.CoordinateRequest{`
`78`	`78`	`AddTunnel:&proto.CoordinateRequest_Tunnel{Id:agentID[:]},`
`79`	`79`	`}))`
`80`	`80`	`req:=testutil.RequireRecvCtx(ctx,t,call.Reqs)`

`‎tailnet/tunnel.go`

Lines changed: 8 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`package tailnet`
`2`	`2`
`3`	`3`	`import (`
`4`		`-"context"`
`5`	`4`	`"database/sql"`
`6`	`5`	`"net/netip"`
`7`	`6`
`@@ -14,13 +13,13 @@ import (`
`14`	`13`	`varlegacyWorkspaceAgentIP=netip.MustParseAddr("fd7a:115c:a1e0:49d6:b259:b7ac:b1b2:48f4")`
`15`	`14`
`16`	`15`	`typeCoordinateeAuthinterface {`
`17`		`-Authorize(ctx context.Context,req*proto.CoordinateRequest)error`
	`16`	`+Authorize(req*proto.CoordinateRequest)error`
`18`	`17`	`}`
`19`	`18`
`20`	`19`	`// SingleTailnetCoordinateeAuth allows all tunnels, since Coderd and wsproxy are allowed to initiate a tunnel to any agent`
`21`	`20`	`typeSingleTailnetCoordinateeAuthstruct{}`
`22`	`21`
`23`		`-func (SingleTailnetCoordinateeAuth)Authorize(context.Context,*proto.CoordinateRequest)error {`
	`22`	`+func (SingleTailnetCoordinateeAuth)Authorize(*proto.CoordinateRequest)error {`
`24`	`23`	`returnnil`
`25`	`24`	`}`
`26`	`25`
`@@ -29,7 +28,7 @@ type ClientCoordinateeAuth struct {`
`29`	`28`	`AgentID uuid.UUID`
`30`	`29`	`}`
`31`	`30`
`32`		`-func (cClientCoordinateeAuth)Authorize(_ context.Context,req*proto.CoordinateRequest)error {`
	`31`	`+func (cClientCoordinateeAuth)Authorize(req*proto.CoordinateRequest)error {`
`33`	`32`	`iftun:=req.GetAddTunnel();tun!=nil {`
`34`	`33`	`uid,err:=uuid.FromBytes(tun.Id)`
`35`	`34`	`iferr!=nil {`
`@@ -66,7 +65,7 @@ type AgentCoordinateeAuth struct {`
`66`	`65`	`ID uuid.UUID`
`67`	`66`	`}`
`68`	`67`
`69`		`-func (aAgentCoordinateeAuth)Authorize(_ context.Context,req*proto.CoordinateRequest)error {`
	`68`	`+func (aAgentCoordinateeAuth)Authorize(req*proto.CoordinateRequest)error {`
`70`	`69`	`iftun:=req.GetAddTunnel();tun!=nil {`
`71`	`70`	`returnxerrors.New("agents cannot open tunnels")`
`72`	`71`	`}`
`@@ -93,17 +92,17 @@ func (a AgentCoordinateeAuth) Authorize(_ context.Context, req *proto.Coordinate`
`93`	`92`	`}`
`94`	`93`
`95`	`94`	`typeClientUserCoordinateeAuthstruct {`
`96`		`-UserID uuid.UUID`
`97`		`-AuthFnfunc(context.Context, uuid.UUID)error`
	`95`	`+UserIDuuid.UUID`
	`96`	`+UpdatesProviderWorkspaceUpdatesProvider`
`98`	`97`	`}`
`99`	`98`
`100`		`-func (aClientUserCoordinateeAuth)Authorize(ctx context.Context,req*proto.CoordinateRequest)error {`
	`99`	`+func (aClientUserCoordinateeAuth)Authorize(req*proto.CoordinateRequest)error {`
`101`	`100`	`iftun:=req.GetAddTunnel();tun!=nil {`
`102`	`101`	`uid,err:=uuid.FromBytes(tun.Id)`
`103`	`102`	`iferr!=nil {`
`104`	`103`	`returnxerrors.Errorf("parse add tunnel id: %w",err)`
`105`	`104`	`}`
`106`		`-err=a.AuthFn(ctx,uid)`
	`105`	`+err=a.UpdatesProvider.IsOwner(a.UserID,uid)`
`107`	`106`	`iferr!=nil {`
`108`	`107`	`returnxerrors.Errorf("workspace agent not found or you do not have permission: %w",sql.ErrNoRows)`
`109`	`108`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit13d9896

File tree

7 files changed

7 files changed

`‎coderd/workspaceagents.go`

`‎coderd/workspaceupdates.go`

`‎enterprise/tailnet/connio.go`

`‎tailnet/coordinator.go`

`‎tailnet/service.go`

`‎tailnet/service_test.go`

`‎tailnet/tunnel.go`

0 commit comments