NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commitbccde3f

committed

allow workspace update permissions to access agents

1 parent8cfe223 commitbccde3fCopy full SHA for bccde3f

File tree

5 files changed

+32

-21

lines changed

coderd

5 files changed

+32

-21

lines changed

`‎coderd/coderd.go`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -292,6 +292,7 @@ func New(options Options) API {`
`292`	`292`	`r.Use(`
`293`	`293`	`apiKeyMiddleware,`
`294`	`294`	`httpmw.ExtractWorkspaceAgentParam(options.Database),`
	`295`	`+httpmw.ExtractWorkspaceParam(options.Database),`
`295`	`296`	`)`
`296`	`297`	`r.Get("/",api.workspaceAgent)`
`297`	`298`	`r.Get("/dial",api.workspaceAgentDial)`

`‎coderd/coderd_test.go`

Lines changed: 13 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -153,10 +153,7 @@ func TestAuthorizeAllEndpoints(t *testing.T) {`
`153`	`153`	`"GET:/api/v2/workspaceagents/me/listen": {NoAuthorize:true},`
`154`	`154`	`"GET:/api/v2/workspaceagents/me/metadata": {NoAuthorize:true},`
`155`	`155`	`"GET:/api/v2/workspaceagents/me/turn": {NoAuthorize:true},`
`156`		`-"GET:/api/v2/workspaceagents/{workspaceagent}": {NoAuthorize:true},`
`157`		`-"GET:/api/v2/workspaceagents/{workspaceagent}/dial": {NoAuthorize:true},`
`158`	`156`	`"GET:/api/v2/workspaceagents/{workspaceagent}/iceservers": {NoAuthorize:true},`
`159`		`-"GET:/api/v2/workspaceagents/{workspaceagent}/pty": {NoAuthorize:true},`
`160`	`157`	`"GET:/api/v2/workspaceagents/{workspaceagent}/turn": {NoAuthorize:true},`
`161`	`158`
`162`	`159`	`// These endpoints have more assertions. This is good, add more endpoints to assert if you can!`
`@@ -210,6 +207,18 @@ func TestAuthorizeAllEndpoints(t *testing.T) {`
`210`	`207`	`AssertAction:rbac.ActionRead,`
`211`	`208`	`AssertObject:workspaceRBACObj,`
`212`	`209`	`},`
	`210`	`+"GET:/api/v2/workspaceagents/{workspaceagent}": {`
	`211`	`+AssertAction:rbac.ActionRead,`
	`212`	`+AssertObject:workspaceRBACObj,`
	`213`	`+},`
	`214`	`+"GET:/api/v2/workspaceagents/{workspaceagent}/dial": {`
	`215`	`+AssertAction:rbac.ActionUpdate,`
	`216`	`+AssertObject:workspaceRBACObj,`
	`217`	`+},`
	`218`	`+"GET:/api/v2/workspaceagents/{workspaceagent}/pty": {`
	`219`	`+AssertAction:rbac.ActionUpdate,`
	`220`	`+AssertObject:workspaceRBACObj,`
	`221`	`+},`
`213`	`222`	`"GET:/api/v2/workspaces/": {`
`214`	`223`	`StatusCode:http.StatusOK,`
`215`	`224`	`AssertAction:rbac.ActionRead,`
`@@ -378,6 +387,7 @@ func TestAuthorizeAllEndpoints(t *testing.T) {`
`378`	`387`	`route=strings.ReplaceAll(route,"{workspacebuild}",workspace.LatestBuild.ID.String())`
`379`	`388`	`route=strings.ReplaceAll(route,"{workspacename}",workspace.Name)`
`380`	`389`	`route=strings.ReplaceAll(route,"{workspacebuildname}",workspace.LatestBuild.Name)`
	`390`	`+route=strings.ReplaceAll(route,"{workspaceagent}",workspaceResources[0].Agents[0].ID.String())`
`381`	`391`	`route=strings.ReplaceAll(route,"{template}",template.ID.String())`
`382`	`392`	`route=strings.ReplaceAll(route,"{hash}",file.Hash)`
`383`	`393`	`route=strings.ReplaceAll(route,"{workspaceresource}",workspaceResources[0].ID.String())`

`‎coderd/httpmw/apikey.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -37,11 +37,11 @@ type userRolesKey struct{}`
`37`	`37`	`// AuthorizationUserRoles returns the roles used for authorization.`
`38`	`38`	`// Comes from the ExtractAPIKey handler.`
`39`	`39`	`funcAuthorizationUserRoles(r*http.Request) database.GetAuthorizationUserRolesRow {`
`40`		`-apiKey,ok:=r.Context().Value(userRolesKey{}).(database.GetAuthorizationUserRolesRow)`
	`40`	`+userRoles,ok:=r.Context().Value(userRolesKey{}).(database.GetAuthorizationUserRolesRow)`
`41`	`41`	`if!ok {`
`42`	`42`	`panic("developer error: user roles middleware not provided")`
`43`	`43`	`}`
`44`		`-returnapiKey`
	`44`	`+returnuserRoles`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`// OAuth2Configs is a collection of configurations for OAuth-based authentication.`

`‎coderd/httpmw/workspaceagentparam.go`

Lines changed: 3 additions & 16 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,8 @@ import (`
`6`	`6`	`"errors"`
`7`	`7`	`"net/http"`
`8`	`8`
	`9`	`+"github.com/go-chi/chi/v5"`
	`10`	`+`
`9`	`11`	`"github.com/coder/coder/coderd/database"`
`10`	`12`	`"github.com/coder/coder/coderd/httpapi"`
`11`	`13`	`)`
`@@ -74,24 +76,9 @@ func ExtractWorkspaceAgentParam(db database.Store) func(http.Handler) http.Handl`
`74`	`76`	`})`
`75`	`77`	`return`
`76`	`78`	`}`
`77`		`-workspace,err:=db.GetWorkspaceByID(r.Context(),build.WorkspaceID)`
`78`		`-iferr!=nil {`
`79`		`-httpapi.Write(rw,http.StatusInternalServerError, httpapi.Response{`
`80`		`-Message:"Internal error fetching workspace.",`
`81`		`-Detail:err.Error(),`
`82`		`-})`
`83`		`-return`
`84`		`-}`
`85`		`-`
`86`		`-apiKey:=APIKey(r)`
`87`		`-ifapiKey.UserID!=workspace.OwnerID {`
`88`		`-httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{`
`89`		`-Message:"Getting non-personal agents isn't supported.",`
`90`		`-})`
`91`		`-return`
`92`		`-}`
`93`	`79`
`94`	`80`	`ctx:=context.WithValue(r.Context(),workspaceAgentParamContextKey{},agent)`
	`81`	`+chi.RouteContext(ctx).URLParams.Add("workspace",build.WorkspaceID.String())`
`95`	`82`	`next.ServeHTTP(rw,r.WithContext(ctx))`
`96`	`83`	`})`
`97`	`84`	`}`

`‎coderd/workspaceagents.go`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ import (`
`21`	`21`	`"github.com/coder/coder/coderd/database"`
`22`	`22`	`"github.com/coder/coder/coderd/httpapi"`
`23`	`23`	`"github.com/coder/coder/coderd/httpmw"`
	`24`	`+"github.com/coder/coder/coderd/rbac"`
`24`	`25`	`"github.com/coder/coder/coderd/turnconn"`
`25`	`26`	`"github.com/coder/coder/codersdk"`
`26`	`27`	`"github.com/coder/coder/peer"`
`@@ -31,6 +32,10 @@ import (`
`31`	`32`
`32`	`33`	`func (apiAPI)workspaceAgent(rw http.ResponseWriter,rhttp.Request) {`
`33`	`34`	`workspaceAgent:=httpmw.WorkspaceAgentParam(r)`
	`35`	`+workspace:=httpmw.WorkspaceParam(r)`
	`36`	`+if!api.Authorize(rw,r,rbac.ActionRead,workspace) {`
	`37`	`+return`
	`38`	`+}`
`34`	`39`	`dbApps,err:=api.Database.GetWorkspaceAppsByAgentID(r.Context(),workspaceAgent.ID)`
`35`	`40`	`iferr!=nil&&!xerrors.Is(err,sql.ErrNoRows) {`
`36`	`41`	`httpapi.Write(rw,http.StatusInternalServerError, httpapi.Response{`
`@@ -58,6 +63,10 @@ func (api API) workspaceAgentDial(rw http.ResponseWriter, r http.Request) {`
`58`	`63`	`deferapi.websocketWaitGroup.Done()`
`59`	`64`
`60`	`65`	`workspaceAgent:=httpmw.WorkspaceAgentParam(r)`
	`66`	`+workspace:=httpmw.WorkspaceParam(r)`
	`67`	`+if!api.Authorize(rw,r,rbac.ActionUpdate,workspace) {`
	`68`	`+return`
	`69`	`+}`
`61`	`70`	`apiAgent,err:=convertWorkspaceAgent(workspaceAgent,nil,api.AgentConnectionUpdateFrequency)`
`62`	`71`	`iferr!=nil {`
`63`	`72`	`httpapi.Write(rw,http.StatusInternalServerError, httpapi.Response{`
`@@ -369,6 +378,10 @@ func (api API) workspaceAgentPTY(rw http.ResponseWriter, r http.Request) {`
`369`	`378`	`deferapi.websocketWaitGroup.Done()`
`370`	`379`
`371`	`380`	`workspaceAgent:=httpmw.WorkspaceAgentParam(r)`
	`381`	`+workspace:=httpmw.WorkspaceParam(r)`
	`382`	`+if!api.Authorize(rw,r,rbac.ActionUpdate,workspace) {`
	`383`	`+return`
	`384`	`+}`
`372`	`385`	`apiAgent,err:=convertWorkspaceAgent(workspaceAgent,nil,api.AgentConnectionUpdateFrequency)`
`373`	`386`	`iferr!=nil {`
`374`	`387`	`httpapi.Write(rw,http.StatusInternalServerError, httpapi.Response{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitbccde3f

File tree

5 files changed

5 files changed

`‎coderd/coderd.go`

`‎coderd/coderd_test.go`

`‎coderd/httpmw/apikey.go`

`‎coderd/httpmw/workspaceagentparam.go`

`‎coderd/workspaceagents.go`

0 commit comments