2022-03-07 17:40:54 +00:00
|
|
|
package httpmw
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"database/sql"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"net/http"
|
|
|
|
|
|
|
|
"github.com/google/uuid"
|
|
|
|
|
2023-08-18 18:55:43 +00:00
|
|
|
"github.com/coder/coder/v2/coderd/database"
|
|
|
|
"github.com/coder/coder/v2/coderd/database/dbauthz"
|
|
|
|
"github.com/coder/coder/v2/coderd/httpapi"
|
|
|
|
"github.com/coder/coder/v2/coderd/rbac"
|
|
|
|
"github.com/coder/coder/v2/codersdk"
|
2022-03-07 17:40:54 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
type workspaceAgentContextKey struct{}
|
|
|
|
|
2023-06-30 18:41:29 +00:00
|
|
|
func WorkspaceAgentOptional(r *http.Request) (database.WorkspaceAgent, bool) {
|
|
|
|
user, ok := r.Context().Value(workspaceAgentContextKey{}).(database.WorkspaceAgent)
|
|
|
|
return user, ok
|
|
|
|
}
|
|
|
|
|
2022-03-07 17:40:54 +00:00
|
|
|
// WorkspaceAgent returns the workspace agent from the ExtractAgent handler.
|
|
|
|
func WorkspaceAgent(r *http.Request) database.WorkspaceAgent {
|
2023-06-30 18:41:29 +00:00
|
|
|
user, ok := WorkspaceAgentOptional(r)
|
2022-03-07 17:40:54 +00:00
|
|
|
if !ok {
|
2023-06-30 18:41:29 +00:00
|
|
|
panic("developer error: agent middleware not provided or was made optional")
|
2022-03-07 17:40:54 +00:00
|
|
|
}
|
|
|
|
return user
|
|
|
|
}
|
|
|
|
|
2024-03-14 16:27:32 +00:00
|
|
|
type latestBuildContextKey struct{}
|
|
|
|
|
|
|
|
func latestBuildOptional(r *http.Request) (database.WorkspaceBuild, bool) {
|
|
|
|
wb, ok := r.Context().Value(latestBuildContextKey{}).(database.WorkspaceBuild)
|
|
|
|
return wb, ok
|
|
|
|
}
|
|
|
|
|
|
|
|
// LatestBuild returns the Latest Build from the ExtractLatestBuild handler.
|
|
|
|
func LatestBuild(r *http.Request) database.WorkspaceBuild {
|
|
|
|
wb, ok := latestBuildOptional(r)
|
|
|
|
if !ok {
|
|
|
|
panic("developer error: agent middleware not provided or was made optional")
|
|
|
|
}
|
|
|
|
return wb
|
|
|
|
}
|
|
|
|
|
|
|
|
type ExtractWorkspaceAgentAndLatestBuildConfig struct {
|
2023-06-30 18:41:29 +00:00
|
|
|
DB database.Store
|
|
|
|
// Optional indicates whether the middleware should be optional. If true, any
|
|
|
|
// requests without the a token or with an invalid token will be allowed to
|
|
|
|
// continue and no workspace agent will be set on the request context.
|
|
|
|
Optional bool
|
|
|
|
}
|
|
|
|
|
2024-03-14 16:27:32 +00:00
|
|
|
// ExtractWorkspaceAgentAndLatestBuild requires authentication using a valid agent token.
|
|
|
|
func ExtractWorkspaceAgentAndLatestBuild(opts ExtractWorkspaceAgentAndLatestBuildConfig) func(http.Handler) http.Handler {
|
2022-03-07 17:40:54 +00:00
|
|
|
return func(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
2022-09-21 22:07:00 +00:00
|
|
|
ctx := r.Context()
|
2023-06-30 18:41:29 +00:00
|
|
|
|
|
|
|
// optionalWrite wraps httpapi.Write but runs the next handler if the
|
|
|
|
// token is optional.
|
|
|
|
//
|
|
|
|
// It should be used when the token is not provided or is invalid, but not
|
|
|
|
// when there are other errors.
|
|
|
|
optionalWrite := func(code int, response codersdk.Response) {
|
|
|
|
if opts.Optional {
|
|
|
|
next.ServeHTTP(rw, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
httpapi.Write(ctx, rw, code, response)
|
|
|
|
}
|
|
|
|
|
2023-04-17 19:57:21 +00:00
|
|
|
tokenValue := APITokenFromRequest(r)
|
2022-12-14 18:24:22 +00:00
|
|
|
if tokenValue == "" {
|
2023-06-30 18:41:29 +00:00
|
|
|
optionalWrite(http.StatusUnauthorized, codersdk.Response{
|
2023-01-29 21:47:24 +00:00
|
|
|
Message: fmt.Sprintf("Cookie %q must be provided.", codersdk.SessionTokenCookie),
|
2022-03-07 17:40:54 +00:00
|
|
|
})
|
|
|
|
return
|
|
|
|
}
|
2022-12-14 18:24:22 +00:00
|
|
|
token, err := uuid.Parse(tokenValue)
|
2022-03-07 17:40:54 +00:00
|
|
|
if err != nil {
|
2023-06-30 18:41:29 +00:00
|
|
|
optionalWrite(http.StatusUnauthorized, codersdk.Response{
|
2022-12-14 18:24:22 +00:00
|
|
|
Message: "Workspace agent token invalid.",
|
|
|
|
Detail: fmt.Sprintf("An agent token must be a valid UUIDv4. (len %d)", len(tokenValue)),
|
2022-03-07 17:40:54 +00:00
|
|
|
})
|
|
|
|
return
|
|
|
|
}
|
2023-08-21 14:49:26 +00:00
|
|
|
|
2023-02-14 14:27:06 +00:00
|
|
|
//nolint:gocritic // System needs to be able to get workspace agents.
|
2024-03-14 16:27:32 +00:00
|
|
|
row, err := opts.DB.GetWorkspaceAgentAndLatestBuildByAuthToken(dbauthz.AsSystemRestricted(ctx), token)
|
2022-06-24 15:25:01 +00:00
|
|
|
if err != nil {
|
2022-03-07 17:40:54 +00:00
|
|
|
if errors.Is(err, sql.ErrNoRows) {
|
2023-06-30 18:41:29 +00:00
|
|
|
optionalWrite(http.StatusUnauthorized, codersdk.Response{
|
2022-12-14 18:24:22 +00:00
|
|
|
Message: "Workspace agent not authorized.",
|
|
|
|
Detail: "The agent cannot authenticate until the workspace provision job has been completed. If the job is no longer running, this agent is invalid.",
|
2022-03-07 17:40:54 +00:00
|
|
|
})
|
|
|
|
return
|
|
|
|
}
|
2022-06-24 15:25:01 +00:00
|
|
|
|
2022-09-21 22:07:00 +00:00
|
|
|
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
|
2023-08-21 14:49:26 +00:00
|
|
|
Message: "Internal error checking workspace agent authorization.",
|
2022-06-03 21:48:09 +00:00
|
|
|
Detail: err.Error(),
|
2022-03-07 17:40:54 +00:00
|
|
|
})
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2024-03-14 16:27:32 +00:00
|
|
|
//nolint:gocritic // System needs to be able to get owner roles.
|
|
|
|
roles, err := opts.DB.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx), row.Workspace.OwnerID)
|
|
|
|
if err != nil {
|
|
|
|
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
|
|
|
|
Message: "Internal error checking workspace agent authorization.",
|
|
|
|
Detail: err.Error(),
|
|
|
|
})
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-08-21 14:49:26 +00:00
|
|
|
subject := rbac.Subject{
|
2024-03-14 16:27:32 +00:00
|
|
|
ID: row.Workspace.OwnerID.String(),
|
|
|
|
Roles: rbac.RoleNames(roles.Roles),
|
|
|
|
Groups: roles.Groups,
|
2023-12-20 17:38:49 +00:00
|
|
|
Scope: rbac.WorkspaceAgentScope(rbac.WorkspaceAgentScopeParams{
|
2024-03-14 16:27:32 +00:00
|
|
|
WorkspaceID: row.Workspace.ID,
|
|
|
|
OwnerID: row.Workspace.OwnerID,
|
|
|
|
TemplateID: row.Workspace.TemplateID,
|
|
|
|
VersionID: row.WorkspaceBuild.TemplateVersionID,
|
2023-12-20 17:38:49 +00:00
|
|
|
}),
|
2023-08-21 14:49:26 +00:00
|
|
|
}.WithCachedASTValue()
|
2023-02-14 14:27:06 +00:00
|
|
|
|
2023-08-21 14:49:26 +00:00
|
|
|
ctx = context.WithValue(ctx, workspaceAgentContextKey{}, row.WorkspaceAgent)
|
2024-03-14 16:27:32 +00:00
|
|
|
ctx = context.WithValue(ctx, latestBuildContextKey{}, row.WorkspaceBuild)
|
2023-02-14 14:27:06 +00:00
|
|
|
// Also set the dbauthz actor for the request.
|
|
|
|
ctx = dbauthz.As(ctx, subject)
|
2022-03-07 17:40:54 +00:00
|
|
|
next.ServeHTTP(rw, r.WithContext(ctx))
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|