mirror of https://github.com/coder/coder.git
96 lines
3.2 KiB
Go
96 lines
3.2 KiB
Go
package httpmw
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"github.com/coder/coder/v2/coderd/httpapi"
|
|
"github.com/coder/coder/v2/codersdk"
|
|
)
|
|
|
|
// RequireAPIKeyOrWorkspaceProxyAuth is middleware that should be inserted after
|
|
// optional ExtractAPIKey and ExtractWorkspaceProxy middlewares to ensure one of
|
|
// the two authentication methods is provided.
|
|
//
|
|
// If both are provided, an error is returned to avoid misuse.
|
|
func RequireAPIKeyOrWorkspaceProxyAuth() func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
_, hasAPIKey := APIKeyOptional(r)
|
|
_, hasWorkspaceProxy := WorkspaceProxyOptional(r)
|
|
|
|
if hasAPIKey && hasWorkspaceProxy {
|
|
httpapi.Write(r.Context(), w, http.StatusBadRequest, codersdk.Response{
|
|
Message: "API key and external proxy authentication provided, but only one is allowed",
|
|
})
|
|
return
|
|
}
|
|
if !hasAPIKey && !hasWorkspaceProxy {
|
|
httpapi.Write(r.Context(), w, http.StatusUnauthorized, codersdk.Response{
|
|
Message: "API key or external proxy authentication required, but none provided",
|
|
})
|
|
return
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
// RequireAPIKeyOrWorkspaceAgent is middleware that should be inserted after
|
|
// optional ExtractAPIKey and ExtractWorkspaceAgent middlewares to ensure one of
|
|
// the two is provided.
|
|
//
|
|
// If both are provided an error is returned to avoid misuse.
|
|
func RequireAPIKeyOrWorkspaceAgent() func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
_, hasAPIKey := APIKeyOptional(r)
|
|
_, hasWorkspaceAgent := WorkspaceAgentOptional(r)
|
|
|
|
if hasAPIKey && hasWorkspaceAgent {
|
|
httpapi.Write(r.Context(), w, http.StatusBadRequest, codersdk.Response{
|
|
Message: "API key and workspace agent token provided, but only one is allowed",
|
|
})
|
|
return
|
|
}
|
|
if !hasAPIKey && !hasWorkspaceAgent {
|
|
httpapi.Write(r.Context(), w, http.StatusUnauthorized, codersdk.Response{
|
|
Message: "API key or workspace agent token required, but none provided",
|
|
})
|
|
return
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
// RequireAPIKeyOrProvisionerDaemonAuth is middleware that should be inserted
|
|
// after optional ExtractAPIKey and ExtractProvisionerDaemonAuthenticated
|
|
// middlewares to ensure one of the two authentication methods is provided.
|
|
//
|
|
// If both are provided, an error is returned to avoid misuse.
|
|
func RequireAPIKeyOrProvisionerDaemonAuth() func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
_, hasAPIKey := APIKeyOptional(r)
|
|
hasProvisionerDaemon := ProvisionerDaemonAuthenticated(r)
|
|
|
|
if hasAPIKey && hasProvisionerDaemon {
|
|
httpapi.Write(r.Context(), w, http.StatusBadRequest, codersdk.Response{
|
|
Message: "API key and external provisioner authentication provided, but only one is allowed",
|
|
})
|
|
return
|
|
}
|
|
if !hasAPIKey && !hasProvisionerDaemon {
|
|
httpapi.Write(r.Context(), w, http.StatusUnauthorized, codersdk.Response{
|
|
Message: "API key or external provisioner authentication required, but none provided",
|
|
})
|
|
return
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|