synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-03 16:13:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: enforce that provisioners can only acquire jobs in their own organization (#12600)

Browse Source 
* chore: add org ID as optional param to AcquireJob
* chore: plumb through organization id to provisioner daemons
* add org id to provisioner domain key
* enforce org id argument
* dbgen provisioner jobs defaults to default org
This commit is contained in:
Steven Masley
2024-03-18 12:48:13 -05:00
committed by GitHub
parent 0e8ebb9b22
commit f0f9569d51
15 changed files with 204 additions and 126 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
coderd/database/queries.sql.go
View File

@ -3941,14 +3941,15 @@ WHERE
provisioner_jobs AS nested
WHERE
nested.started_at IS NULL
AND nested.organization_id = $3
-- Ensure the caller has the correct provisioner.
AND nested.provisioner = ANY($3 :: provisioner_type [ ])
AND nested.provisioner = ANY($4 :: provisioner_type [ ])
AND CASE
-- Special case for untagged provisioners: only match untagged jobs.
WHEN nested.tags :: jsonb = '{"scope": "organization", "owner": ""}' :: jsonb
THEN nested.tags :: jsonb = $4 :: jsonb
THEN nested.tags :: jsonb = $5 :: jsonb
-- Ensure the caller satisfies all job tags.
ELSE nested.tags :: jsonb <@ $4 :: jsonb
ELSE nested.tags :: jsonb <@ $5 :: jsonb
END
ORDER BY
nested.created_at
@ -3960,10 +3961,11 @@ WHERE
`
type AcquireProvisionerJobParams struct {
StartedAt sql.NullTime `db:"started_at" json:"started_at"`
WorkerID uuid.NullUUID `db:"worker_id" json:"worker_id"`
Types []ProvisionerType `db:"types" json:"types"`
Tags json.RawMessage `db:"tags" json:"tags"`
StartedAt sql.NullTime `db:"started_at" json:"started_at"`
WorkerID uuid.NullUUID `db:"worker_id" json:"worker_id"`
OrganizationID uuid.UUID `db:"organization_id" json:"organization_id"`
Types []ProvisionerType `db:"types" json:"types"`
Tags json.RawMessage `db:"tags" json:"tags"`
}
// Acquires the lock for a single job that isn't started, completed,
@ -3976,6 +3978,7 @@ func (q *sqlQuerier) AcquireProvisionerJob(ctx context.Context, arg AcquireProvi
row := q.db.QueryRowContext(ctx, acquireProvisionerJob,
arg.StartedAt,
arg.WorkerID,
arg.OrganizationID,
pq.Array(arg.Types),
arg.Tags,
)