
Commit 9458070

committed
Fix connection RBAC
1 parent 2f899f2 commit 9458070

2 files changed

+12
-4
lines changed


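--- a/coderd/coderdtest/authtest.go
+++ b/coderd/coderdtest/authtest.go
@@ -167,6 +167,7 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
 // skipRoutes allows skipping routes from being checked.
 skipRoutes := map[string]string{
 "POST:/api/v2/users/logout": "Logging out deletes the API Key for other routes",
+"GET:/derp": "This requires a WebSocket upgrade!",
 }
 
 assertRoute := map[string]RouteCheck{
@@ -193,11 +194,8 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
 "GET:/api/v2/workspaceagents/me/listen": {NoAuthorize: true},
 "GET:/api/v2/workspaceagents/me/metadata": {NoAuthorize: true},
 "GET:/api/v2/workspaceagents/me/turn": {NoAuthorize: true},
-"GET:/api/v2/workspaceagents/me/derp": {NoAuthorize: true},
-"GET:/api/v2/workspaceagents/me/wireguardlisten": {NoAuthorize: true},
-"POST:/api/v2/workspaceagents/me/keys": {NoAuthorize: true},
+"GET:/api/v2/workspaceagents/me/coordinate": {NoAuthorize: true},
 "GET:/api/v2/workspaceagents/{workspaceagent}/iceservers": {NoAuthorize: true},
-"GET:/api/v2/workspaceagents/{workspaceagent}/derp": {NoAuthorize: true},
 
 // These endpoints have more assertions. This is good, add more endpoints to assert if you can!
 "GET:/api/v2/organizations/{organization}": {AssertObject: rbac.ResourceOrganization.InOrg(a.Admin.OrganizationID)},
@@ -270,6 +268,10 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
 AssertAction: rbac.ActionCreate,
 AssertObject: workspaceExecObj,
 },
+"GET:/api/v2/workspaceagents/{workspaceagent}/coordinate": {
+AssertAction: rbac.ActionCreate,
+AssertObject: workspaceExecObj,
+},
 "GET:/api/v2/workspaces/": {
 StatusCode: http.StatusOK,
 AssertAction: rbac.ActionRead,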
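Review bot: The skip reason added for `GET:/derp` in the first hunk explains why the generic sweep cannot exercise the route (it needs a WebSocket upgrade) but not what authorization the route is expected to enforce, so the entry reads as a coverage gap rather than a deliberate exception; the existing `users/logout` entry, by contrast, names the consequence for the check. Suggest extending the string along the lines of `"GET:/derp": "This requires a WebSocket upgrade! <state the route's intended auth expectation here>"` so a later reader knows the route was considered and not merely dropped. In the second hunk `me/coordinate` is `NoAuthorize: true`, which presumably reflects agent-token authentication rather than RBAC as with the neighbouring `me/` routes; if no comment above the hunk says so, a one-line note on that group would help. The third hunk's new `{workspaceagent}/coordinate` entry asserts `rbac.ActionCreate` on `workspaceExecObj`, which agrees with the handler check added in coderd/workspaceagents.go; AGPLRoutes begins and ends outside these hunks.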

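--- a/coderd/workspaceagents.go
+++ b/coderd/workspaceagents.go
@@ -513,6 +513,12 @@ func (api *API) workspaceAgentCoordinate(rw http.ResponseWriter, r *http.Request
 // After accept a PubSub starts listening for new connection node updates
 // which are written to the WebSocket.
 func (api *API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r *http.Request) {
+workspace := httpmw.WorkspaceParam(r)
+if !api.Authorize(r, rbac.ActionCreate, workspace.ExecutionRBAC()) {
+httpapi.ResourceNotFound(rw)
+return
+}
+
 api.websocketWaitMutex.Lock()
 api.websocketWaitGroup.Add(1)
 api.websocketWaitMutex.Unlock()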
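Review bot: The doc comment directly above `workspaceAgentClientCoordinate` (the two `// After accept ...` lines) still describes only the PubSub and WebSocket behaviour and says nothing about the authorization the new lines 516-520 add, so a reader of the comment alone will not learn that the route now requires create permission on the workspace's execution resource, or that a denied caller receives `httpapi.ResourceNotFound` rather than a 403 (presumably so the workspace's existence is not disclosed). Suggest adding `// The caller must be authorized for rbac.ActionCreate on the workspace's ExecutionRBAC(); otherwise the request is answered with ResourceNotFound.` above the signature. Placing the check before `websocketWaitGroup.Add(1)` is the right order: a denied request never touches the wait-group and cannot leave it unbalanced. The check depends on `httpmw.WorkspaceParam(r)`, which presumes the workspace middleware is mounted on this route; the route registration is not in this diff, so that should be confirmed. The function body continues past the end of the hunk.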
