
Commit 27c6919

committed
fix(coderd): add stricter authorization for provisioners endpoint
References #16558
1 parent a845370 commit 27c6919


2 files changed

+15
-3
lines changed


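--- a/coderd/provisionerdaemons.go
+++ b/coderd/provisionerdaemons.go
@@ -9,6 +9,8 @@ import (
 "github.com/coder/coder/v2/coderd/httpapi"
 "github.com/coder/coder/v2/coderd/httpmw"
 "github.com/coder/coder/v2/coderd/provisionerdserver"
+"github.com/coder/coder/v2/coderd/rbac"
+"github.com/coder/coder/v2/coderd/rbac/policy"
 "github.com/coder/coder/v2/coderd/util/ptr"
 "github.com/coder/coder/v2/codersdk"
 )
@@ -31,6 +33,13 @@ func (api *API) provisionerDaemons(rw http.ResponseWriter, r *http.Request) {
 org = httpmw.OrganizationParam(r)
 )
 
+// This endpoint returns information about provisioner jobs.
+// For now, only owners and template admins can access provisioner jobs.
+if !api.Authorize(r, policy.ActionRead, rbac.ResourceProvisionerJobs.InOrg(org.ID)) {
+httpapi.ResourceNotFound(rw)
+return
+}
+
 qp := r.URL.Query()
 p := httpapi.NewQueryParamParser()
 limit := p.PositiveInt32(qp, 50, "limit")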
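Review bot: The new comment says this endpoint "returns information about provisioner jobs", but the handler is `provisionerDaemons` and the accompanying test inspects daemon fields such as `PreviousJob`, so a reader may suspect the wrong resource is being checked. Stating why the jobs resource gates a daemon listing would make the intent clear, e.g. `// Daemon listings expose each daemon's current and previous job, so reading them is gated on the provisioner-jobs resource in this organization.` It would also help to record next to `httpapi.ResourceNotFound(rw)` why a 404 is returned instead of a 403 — presumably so that unauthorized callers cannot learn whether the organization has daemons, which matches how other coderd handlers appear to respond on authorization failure. Placing the check before `r.URL.Query()` is parsed means no user-controlled parameters are processed for callers who are denied, which is the right order. The enclosing function continues beyond this hunk.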

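--- a/coderd/provisionerdaemons_test.go
+++ b/coderd/provisionerdaemons_test.go
@@ -241,11 +241,14 @@ func TestProvisionerDaemons(t *testing.T) {
 require.Nil(t, daemons[0].PreviousJob)
 })
 
-t.Run("MemberAllowed", func(t *testing.T) {
+// For now, this is not allowed even though the member has created a
+// workspace. Once member-level permissions for jobs are supported
+// by RBAC, this test should be updated.
+t.Run("MemberDenied", func(t *testing.T) {
 t.Parallel()
 ctx := testutil.Context(t, testutil.WaitMedium)
 daemons, err := memberClient.OrganizationProvisionerDaemons(ctx, owner.OrganizationID, nil)
-require.NoError(t, err)
-require.Len(t, daemons, 50)
+require.Error(t, err)
+require.Len(t, daemons, 0)
 })
 }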
