
Commit 948c470

committed
limit on api side
1 parent 0d45d1a commit 948c470


3 files changed

+33
-6
lines changed


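--- a/coderd/httpmw/provisionerdaemon.go
+++ b/coderd/httpmw/provisionerdaemon.go
@@ -51,6 +51,7 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu
 return
 }
 
+psk := r.Header.Get(codersdk.ProvisionerDaemonPSK)
 key := r.Header.Get(codersdk.ProvisionerDaemonKey)
 if key == "" {
 if opts.PSK == "" {
@@ -63,6 +64,12 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu
 fallbackToPSK(ctx, opts.PSK, next, w, r, handleOptional)
 return
 }
+if psk != "" {
+handleOptional(http.StatusBadRequest, codersdk.Response{
+Message: "provisioner daemon key and psk provided, but only one is allowed",
+})
+return
+}
 
 id, keyValue, err := provisionerkey.Parse(key)
 if err != nil {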
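Review bot: The `if psk != ""` rejection added after the PSK fallback branch carries no comment explaining why a request with both credentials is refused, and since this commit also deletes the matching check from codersdk/provisionerdaemons.go it is now the only place the rule is enforced. I would put above it `// Refuse requests that send both a provisioner key and a PSK so it is never ambiguous which credential authenticated the daemon; the SDK no longer checks this.` As a small style point, `psk` is read ahead of the `key == ""` branch but, as far as the hunks show, used only after it, so the `r.Header.Get(codersdk.ProvisionerDaemonPSK)` call could sit directly in front of the new `if`. ExtractProvisionerDaemonAuthenticated starts and ends outside the visible hunks.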

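--- a/codersdk/provisionerdaemons.go
+++ b/codersdk/provisionerdaemons.go
@@ -226,9 +226,6 @@ func (c *Client) ServeProvisionerDaemon(ctx context.Context, req ServeProvisione
 
 headers.Set(BuildVersionHeader, buildinfo.Version())
 
-if req.ProvisionerKey != "" && req.PreSharedKey != "" {
-return nil, xerrors.Errorf("cannot provide both a provisioner key and a pre-shared key")
-}
 if req.ProvisionerKey != "" {
 headers.Set(ProvisionerDaemonKey, req.ProvisionerKey)
 }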

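--- a/enterprise/coderd/provisionerdaemons_test.go
+++ b/enterprise/coderd/provisionerdaemons_test.go
@@ -6,6 +6,7 @@ import (
 "fmt"
 "io"
 "net/http"
+"strings"
 "testing"
 
 "github.com/google/uuid"
@@ -614,28 +615,50 @@ func TestProvisionerDaemonServe(t *testing.T) {
 name: "WrongKey",
 multiOrgFeatureEnabled: true,
 multiOrgExperimentEnabled: true,
+insertParams: insertParams,
 requestProvisionerKey: "provisionersftw",
 errStatusCode: http.StatusUnauthorized,
 },
 {
-name: "IdOKKeyWrong",
+name: "IdOKKeyValueWrong",
 multiOrgFeatureEnabled: true,
 multiOrgExperimentEnabled: true,
+insertParams: insertParams,
 requestProvisionerKey: insertParams.ID.String() + ":" + "wrong",
 errStatusCode: http.StatusUnauthorized,
 },
 {
-name: "IdWrongKeyOK",
+name: "IdWrongKeyValueOK",
 multiOrgFeatureEnabled: true,
 multiOrgExperimentEnabled: true,
+insertParams: insertParams,
 requestProvisionerKey: uuid.NewString() + ":" + token,
 errStatusCode: http.StatusUnauthorized,
 },
 {
-name: "TokenOnly",
+name: "KeyValueOnly",
+multiOrgFeatureEnabled: true,
+multiOrgExperimentEnabled: true,
+insertParams: insertParams,
+requestProvisionerKey: strings.Split(token, ":")[1],
+errStatusCode: http.StatusUnauthorized,
+},
+{
+name: "KeyAndPSK",
 multiOrgFeatureEnabled: true,
 multiOrgExperimentEnabled: true,
+psk: "provisionersftw",
+insertParams: insertParams,
 requestProvisionerKey: token,
+requestPSK: "provisionersftw",
+errStatusCode: http.StatusUnauthorized,
+},
+{
+name: "None",
+multiOrgFeatureEnabled: true,
+multiOrgExperimentEnabled: true,
+psk: "provisionersftw",
+insertParams: insertParams,
 errStatusCode: http.StatusUnauthorized,
 },
 }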
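Review bot: The KeyAndPSK case expects `errStatusCode: http.StatusUnauthorized`, while the middleware change to coderd/httpmw/provisionerdaemon.go in this same commit passes `http.StatusBadRequest` to `handleOptional` for a request that carries both a key and a PSK. How `handleOptional` treats that status is not visible here (its name suggests the code may be dropped when authentication is optional on the route), so the two may be consistent, but then this case does not show that the both-credentials rejection ran rather than some later 401. Asserting on the response message as well as the status would pin the case to the path it is named after. Separately, `strings.Split(token, ":")[1]` in KeyValueOnly panics with an index error if `token` ever lacks a colon; `_, keyValue, ok := strings.Cut(token, ":")` with `ok` checked before the table is built fails more readably. TestProvisionerDaemonServe starts and ends outside the hunk.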
