[fga] prebuild access

Author: svenefftinge

components/server/src/workspace/gitpod-server-impl.ts

@@ -1197,12 +1197,16 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     public async isPrebuildDone(ctx: TraceContext, pwsId: string): Promise<boolean> {
         traceAPIParams(ctx, { pwsId });
 
+        const user = await this.checkUser("isPrebuildDone");
+
         const pws = await this.workspaceDb.trace(ctx).findPrebuildByID(pwsId);
-        if (!pws) {
+        if (!pws || !pws.projectId) {
             // there is no prebuild - that's as good one being done
             return true;
         }
 
+        await this.auth.checkPermissionOnProject(user.id, "read_prebuild", pws.projectId);
+
         return PrebuiltWorkspace.isDone(pws);
     }
 
@@ -1486,6 +1490,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const project = await this.projectsService.getProject(user.id, projectId);
         await this.guardProjectOperation(user, projectId, "get");
+        await this.auth.checkPermissionOnProject(user.id, "read_prebuild", projectId);
 
         const events = await this.projectsService.getPrebuildEvents(user.id, project.cloneUrl);
         return events;

components/server/src/workspace/workspace-service.ts

@@ -134,9 +134,14 @@ export class WorkspaceService {
 
     // Internal method for allowing for additional DBs to be passed in
     private async doGetWorkspace(userId: string, workspaceId: string, db: WorkspaceDB = this.db): Promise<Workspace> {
-        await this.auth.checkPermissionOnWorkspace(userId, "access", workspaceId);
-
         const workspace = await db.findById(workspaceId);
+
+        if (workspace?.type === "prebuild" && workspace.projectId) {
+            await this.auth.checkPermissionOnProject(userId, "read_prebuild", workspace.projectId);
+        } else {
+            await this.auth.checkPermissionOnWorkspace(userId, "access", workspaceId);
+        }
+
         // TODO(gpl) We might want to add || !!workspace.softDeleted here in the future, but we were unsure how that would affect existing clients
         // In order to reduce risk, we leave it for a future changeset.
         if (!workspace || workspace.deleted) {
@@ -678,9 +683,13 @@ export class WorkspaceService {
     ): Promise<HeadlessLogUrls> {
         const workspace = await this.db.findByInstanceId(instanceId);
         if (!workspace) {
-            throw new ApplicationError(ErrorCodes.NOT_FOUND, `Workspace for instanceId ${instanceId} not found`);
+            throw new ApplicationError(ErrorCodes.NOT_FOUND, `Prebuild for instanceId ${instanceId} not found`);
         }
-        await this.auth.checkPermissionOnWorkspace(userId, "access", workspace.id);
+        if (workspace.type !== "prebuild" || !workspace.projectId) {
+            throw new ApplicationError(ErrorCodes.CONFLICT, `Workspace is not a prebuild`);
+        }
+
+        await this.auth.checkPermissionOnProject(userId, "read_prebuild", workspace.projectId);
 
         const wsiPromise = this.db.findInstanceById(instanceId);
         await check(workspace);
@@ -703,8 +712,8 @@ export class WorkspaceService {
         workspaceId: string,
         client: Pick<GitpodClient, "onWorkspaceImageBuildLogs">,
     ): Promise<void> {
-        await this.auth.checkPermissionOnWorkspace(userId, "access", workspaceId);
-
+        // check access
+        await this.getWorkspace(userId, workspaceId);
         const logCtx: LogContext = { userId, workspaceId };
         let instance = await this.db.findCurrentInstance(workspaceId);
         if (!instance || instance.status.phase === "stopped") {