package httpmw import ( "context" "database/sql" "errors" "fmt" "net/http" "github.com/google/uuid" "github.com/coder/coder/coderd/database" "github.com/coder/coder/coderd/database/dbauthz" "github.com/coder/coder/coderd/httpapi" "github.com/coder/coder/coderd/rbac" "github.com/coder/coder/codersdk" ) type workspaceAgentContextKey struct{} // WorkspaceAgent returns the workspace agent from the ExtractAgent handler. func WorkspaceAgent(r *http.Request) database.WorkspaceAgent { user, ok := r.Context().Value(workspaceAgentContextKey{}).(database.WorkspaceAgent) if !ok { panic("developer error: agent middleware not provided") } return user } // ExtractWorkspaceAgent requires authentication using a valid agent token. func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler { return func(next http.Handler) http.Handler { return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { ctx := r.Context() tokenValue := apiTokenFromRequest(r) if tokenValue == "" { httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{ Message: fmt.Sprintf("Cookie %q must be provided.", codersdk.SessionTokenCookie), }) return } token, err := uuid.Parse(tokenValue) if err != nil { httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{ Message: "Workspace agent token invalid.", Detail: fmt.Sprintf("An agent token must be a valid UUIDv4. (len %d)", len(tokenValue)), }) return } //nolint:gocritic // System needs to be able to get workspace agents. agent, err := db.GetWorkspaceAgentByAuthToken(dbauthz.AsSystemRestricted(ctx), token) if err != nil { if errors.Is(err, sql.ErrNoRows) { httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{ Message: "Workspace agent not authorized.", Detail: "The agent cannot authenticate until the workspace provision job has been completed. If the job is no longer running, this agent is invalid.", }) return } httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{ Message: "Internal error fetching workspace agent.", Detail: err.Error(), }) return } //nolint:gocritic // System needs to be able to get workspace agents. subject, err := getAgentSubject(dbauthz.AsSystemRestricted(ctx), db, agent) if err != nil { httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{ Message: "Internal error fetching workspace agent.", Detail: err.Error(), }) return } ctx = context.WithValue(ctx, workspaceAgentContextKey{}, agent) // Also set the dbauthz actor for the request. ctx = dbauthz.As(ctx, subject) next.ServeHTTP(rw, r.WithContext(ctx)) }) } } func getAgentSubject(ctx context.Context, db database.Store, agent database.WorkspaceAgent) (rbac.Subject, error) { // TODO: make a different query that gets the workspace owner and roles along with the agent. workspace, err := db.GetWorkspaceByAgentID(ctx, agent.ID) if err != nil { return rbac.Subject{}, err } user, err := db.GetUserByID(ctx, workspace.OwnerID) if err != nil { return rbac.Subject{}, err } roles, err := db.GetAuthorizationUserRoles(ctx, user.ID) if err != nil { return rbac.Subject{}, err } // A user that creates a workspace can use this agent auth token and // impersonate the workspace. So to prevent privilege escalation, the // subject inherits the roles of the user that owns the workspace. // We then add a workspace-agent scope to limit the permissions // to only what the workspace agent needs. return rbac.Subject{ ID: user.ID.String(), Roles: rbac.RoleNames(roles.Roles), Groups: roles.Groups, Scope: rbac.WorkspaceAgentScope(workspace.ID, user.ID), }, nil }