chore: enforce that provisioners can only acquire jobs in their own organization (#12600)

* chore: add org ID as optional param to AcquireJob * chore: plumb through organization id to provisioner daemons * add org id to provisioner domain key * enforce org id argument * dbgen provisioner jobs defaults to default org
2025-07-06 15:41:45 +00:00 · 2024-03-18 12:48:13 -05:00
parent 0e8ebb9b22
commit f0f9569d51
15 changed files with 204 additions and 126 deletions
--- a/coderd/database/dbmem/dbmem.go
+++ b/coderd/database/dbmem/dbmem.go
@ -803,6 +803,9 @@ func (q *FakeQuerier) AcquireProvisionerJob(_ context.Context, arg database.Acqu
 	defer q.mutex.Unlock()

 	for index, provisionerJob := range q.provisionerJobs {
+		if provisionerJob.OrganizationID != arg.OrganizationID {
+			continue
+		}
 		if provisionerJob.StartedAt.Valid {
 			continue
 		}
@ -7861,15 +7864,16 @@ func (q *FakeQuerier) UpsertProvisionerDaemon(_ context.Context, arg database.Up
 		}
 	}
 	d := database.ProvisionerDaemon{
-		ID:           uuid.New(),
-		CreatedAt:    arg.CreatedAt,
-		Name:         arg.Name,
-		Provisioners: arg.Provisioners,
-		Tags:         maps.Clone(arg.Tags),
-		ReplicaID:    uuid.NullUUID{},
-		LastSeenAt:   arg.LastSeenAt,
-		Version:      arg.Version,
-		APIVersion:   arg.APIVersion,
+		ID:             uuid.New(),
+		CreatedAt:      arg.CreatedAt,
+		Name:           arg.Name,
+		Provisioners:   arg.Provisioners,
+		Tags:           maps.Clone(arg.Tags),
+		ReplicaID:      uuid.NullUUID{},
+		LastSeenAt:     arg.LastSeenAt,
+		Version:        arg.Version,
+		APIVersion:     arg.APIVersion,
+		OrganizationID: arg.OrganizationID,
 	}
 	q.provisionerDaemons = append(q.provisionerDaemons, d)
 	return d, nil