Allow to disable workspace sharing in team settings (#17042)

* server impl

* dashboard

* dashboard improve

* 1

* add permission check

* update error message

* improve mutation

* 💄

* * remote `deleted` field in respond
* dashboard use new data from server

* update db select

* address UI feedback

* disable query when no org loaded yet

* rename team to org

* allow to stop sharring always

* fix

* Fix

* Fix

* Fix

* Fix

---------

Co-authored-by: Anton Kosyakov <[email protected]>
Co-authored-by: Brad Harris <[email protected]>
Co-authored-by: Milan Pavlik <[email protected]>

Author: 4 people

components/dashboard/src/data/organizations/org-settings-query.ts

@@ -0,0 +1,32 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { OrganizationSettings } from "@gitpod/gitpod-protocol";
+import { useQuery } from "@tanstack/react-query";
+import { getGitpodService } from "../../service/service";
+import { useCurrentOrg } from "./orgs-query";
+
+export type OrgSettingsResult = OrganizationSettings;
+
+export const useOrgSettingsQuery = () => {
+    const org = useCurrentOrg().data;
+
+    return useQuery<OrgSettingsResult>({
+        queryKey: getOrgSettingsQueryKey(org?.id ?? ""),
+        staleTime: 1000 * 60 * 1, // 1 minute
+        queryFn: async () => {
+            if (!org) {
+                throw new Error("No org selected.");
+            }
+
+            const settings = await getGitpodService().server.getOrgSettings(org.id);
+            return settings || null;
+        },
+        enabled: !!org,
+    });
+};
+
+export const getOrgSettingsQueryKey = (teamId: string) => ["org-settings", { teamId }];

components/dashboard/src/data/organizations/update-org-settings-mutation.ts

@@ -0,0 +1,30 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { OrganizationSettings } from "@gitpod/gitpod-protocol";
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+import { getGitpodService } from "../../service/service";
+import { getOrgSettingsQueryKey, OrgSettingsResult } from "./org-settings-query";
+import { useCurrentOrg } from "./orgs-query";
+
+type UpdateOrganizationSettingsArgs = Pick<OrganizationSettings, "workspaceSharingDisabled">;
+
+export const useUpdateOrgSettingsMutation = () => {
+    const queryClient = useQueryClient();
+    const team = useCurrentOrg().data;
+    const teamId = team?.id || "";
+
+    return useMutation<OrganizationSettings, Error, UpdateOrganizationSettingsArgs>({
+        mutationFn: async ({ workspaceSharingDisabled }) => {
+            return await getGitpodService().server.updateOrgSettings(teamId, { workspaceSharingDisabled });
+        },
+        onSuccess: (newData, _) => {
+            const queryKey = getOrgSettingsQueryKey(teamId);
+            queryClient.setQueryData<OrgSettingsResult>(queryKey, newData);
+            queryClient.invalidateQueries({ queryKey });
+        },
+    });
+};

components/dashboard/src/teams/TeamSettings.tsx

@@ -4,12 +4,16 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
+import { OrganizationSettings } from "@gitpod/gitpod-protocol";
 import React, { useCallback, useState } from "react";
 import Alert from "../components/Alert";
 import { Button } from "../components/Button";
+import CheckBox from "../components/CheckBox";
 import ConfirmationModal from "../components/ConfirmationModal";
 import { TextInputField } from "../components/forms/TextInputField";
 import { Heading2, Subheading } from "../components/typography/headings";
+import { useUpdateOrgSettingsMutation } from "../data/organizations/update-org-settings-mutation";
+import { useOrgSettingsQuery } from "../data/organizations/org-settings-query";
 import { useCurrentOrg, useOrganizationsInvalidator } from "../data/organizations/orgs-query";
 import { useUpdateOrgMutation } from "../data/organizations/update-org-mutation";
 import { useOnBlurError } from "../hooks/use-onblur-error";
@@ -18,7 +22,7 @@ import { gitpodHostUrl } from "../service/service";
 import { useCurrentUser } from "../user-context";
 import { OrgSettingsPage } from "./OrgSettingsPage";
 
-export default function TeamSettings() {
+export default function TeamSettingsPage() {
     const user = useCurrentUser();
     const org = useCurrentOrg().data;
     const invalidateOrgs = useOrganizationsInvalidator();
@@ -28,6 +32,21 @@ export default function TeamSettings() {
     const [slug, setSlug] = useState(org?.slug || "");
     const [updated, setUpdated] = useState(false);
     const updateOrg = useUpdateOrgMutation();
+    const { data: settings, isLoading } = useOrgSettingsQuery();
+    const updateTeamSettings = useUpdateOrgSettingsMutation();
+
+    const handleUpdateTeamSettings = useCallback(
+        (newSettings: Partial<OrganizationSettings>) => {
+            if (!org?.id) {
+                throw new Error("no organization selected");
+            }
+            updateTeamSettings.mutate({
+                ...settings,
+                ...newSettings,
+            });
+        },
+        [updateTeamSettings, org?.id, settings],
+    );
 
     const close = () => setModal(false);
 
@@ -88,6 +107,12 @@ export default function TeamSettings() {
                         <span>{updateOrg.error.message || "unknown error"}</span>
                     </Alert>
                 )}
+                {updateTeamSettings.isError && (
+                    <Alert type="error" closable={true} className="mb-2 max-w-xl rounded-md">
+                        <span>Failed to update organization settings: </span>
+                        <span>{updateTeamSettings.error.message || "unknown error"}</span>
+                    </Alert>
+                )}
                 {updated && (
                     <Alert type="message" closable={true} className="mb-2 max-w-xl rounded-md">
                         Organization name has been updated.
@@ -119,6 +144,21 @@ export default function TeamSettings() {
                     >
                         Update Organization
                     </Button>
+
+                    <Heading2 className="pt-12">Collaboration & Sharing</Heading2>
+                    <CheckBox
+                        title={<span>Workspace Sharing</span>}
+                        desc={
+                            <span>
+                                Allow organization members to share running workspaces outside the organization.
+                            </span>
+                        }
+                        checked={!settings?.workspaceSharingDisabled}
+                        onChange={({ target }) =>
+                            handleUpdateTeamSettings({ workspaceSharingDisabled: !target.checked })
+                        }
+                        disabled={isLoading}
+                    />
                 </form>
 
                 <Heading2 className="pt-12">Delete Organization</Heading2>

components/gitpod-db/src/team-db.ts

@@ -4,7 +4,13 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
-import { Team, TeamMemberInfo, TeamMemberRole, TeamMembershipInvite } from "@gitpod/gitpod-protocol";
+import {
+    Team,
+    TeamMemberInfo,
+    TeamMemberRole,
+    TeamMembershipInvite,
+    OrganizationSettings,
+} from "@gitpod/gitpod-protocol";
 import { DBTeamMembership } from "./typeorm/entity/db-team-membership";
 
 export const TeamDB = Symbol("TeamDB");
@@ -32,4 +38,7 @@ export interface TeamDB {
     findGenericInviteByTeamId(teamId: string): Promise<TeamMembershipInvite | undefined>;
     resetGenericInvite(teamId: string): Promise<TeamMembershipInvite>;
     deleteTeam(teamId: string): Promise<void>;
+
+    findOrgSettings(teamId: string): Promise<OrganizationSettings | undefined>;
+    setOrgSettings(teamId: string, settings: Partial<OrganizationSettings>): Promise<void>;
 }

components/gitpod-db/src/typeorm/entity/db-team-settings.ts

@@ -0,0 +1,23 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { OrganizationSettings } from "@gitpod/gitpod-protocol";
+import { Entity, Column, PrimaryColumn } from "typeorm";
+import { TypeORM } from "../typeorm";
+
+@Entity()
+export class DBOrgSettings implements OrganizationSettings {
+    @PrimaryColumn(TypeORM.UUID_COLUMN_TYPE)
+    orgId: string;
+
+    @Column({
+        default: false,
+    })
+    workspaceSharingDisabled?: boolean;
+
+    @Column()
+    deleted: boolean;
+}

components/gitpod-db/src/typeorm/migration/1679909342076-AddOrganizationSettings.ts

@@ -0,0 +1,19 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class AddOrganizationSettings1679909342076 implements MigrationInterface {
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(
+            "CREATE TABLE IF NOT EXISTS d_b_org_settings (orgId char(36) NOT NULL,  workspaceSharingDisabled tinyint(4) NOT NULL DEFAULT '0', createdAt timestamp(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6), updatedAt timestamp(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6), deleted tinyint(4) NOT NULL DEFAULT '0', PRIMARY KEY (orgId)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;",
+        );
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query("DROP TABLE IF EXISTS d_b_org_settings;");
+    }
+}

components/gitpod-db/src/typeorm/team-db-impl.ts

@@ -4,7 +4,14 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
-import { Team, TeamMemberInfo, TeamMemberRole, TeamMembershipInvite, User } from "@gitpod/gitpod-protocol";
+import {
+    Team,
+    TeamMemberInfo,
+    TeamMemberRole,
+    TeamMembershipInvite,
+    OrganizationSettings,
+    User,
+} from "@gitpod/gitpod-protocol";
 import { inject, injectable } from "inversify";
 import { TypeORM } from "./typeorm";
 import { Repository } from "typeorm";
@@ -18,6 +25,7 @@ import { DBTeamMembershipInvite } from "./entity/db-team-membership-invite";
 import { ResponseError } from "vscode-jsonrpc";
 import { ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import slugify from "slugify";
+import { DBOrgSettings } from "./entity/db-team-settings";
 
 @injectable()
 export class TeamDBImpl implements TeamDB {
@@ -39,6 +47,10 @@ export class TeamDBImpl implements TeamDB {
         return (await this.getEntityManager()).getRepository<DBTeamMembershipInvite>(DBTeamMembershipInvite);
     }
 
+    protected async getOrgSettingsRepo(): Promise<Repository<DBOrgSettings>> {
+        return (await this.getEntityManager()).getRepository<DBOrgSettings>(DBOrgSettings);
+    }
+
     protected async getUserRepo(): Promise<Repository<DBUser>> {
         return (await this.getEntityManager()).getRepository<DBUser>(DBUser);
     }
@@ -221,6 +233,16 @@ export class TeamDBImpl implements TeamDB {
         if (team) {
             team.markedDeleted = true;
             await teamRepo.save(team);
+            await this.deleteOrgSettings(teamId);
+        }
+    }
+
+    private async deleteOrgSettings(orgId: string): Promise<void> {
+        const orgSettingsRepo = await this.getOrgSettingsRepo();
+        const orgSettings = await orgSettingsRepo.findOne({ where: { orgId, deleted: false } });
+        if (orgSettings) {
+            orgSettings.deleted = true;
+            orgSettingsRepo.save(orgSettings);
         }
     }
 
@@ -339,4 +361,23 @@ export class TeamDBImpl implements TeamDB {
         await inviteRepo.save(newInvite);
         return newInvite;
     }
+
+    public async findOrgSettings(orgId: string): Promise<OrganizationSettings | undefined> {
+        const repo = await this.getOrgSettingsRepo();
+        return repo.findOne({ where: { orgId, deleted: false }, select: ["orgId", "workspaceSharingDisabled"] });
+    }
+
+    public async setOrgSettings(orgId: string, settings: Partial<OrganizationSettings>): Promise<void> {
+        const repo = await this.getOrgSettingsRepo();
+        const team = await repo.findOne({ where: { orgId, deleted: false } });
+        if (!team) {
+            await repo.insert({
+                ...settings,
+                orgId,
+            });
+        } else {
+            team.workspaceSharingDisabled = settings.workspaceSharingDisabled;
+            repo.save(team);
+        }
+    }
 }

components/gitpod-protocol/src/gitpod-service.ts

@@ -41,6 +41,7 @@ import {
     StartPrebuildResult,
     PartialProject,
     PrebuildEvent,
+    OrganizationSettings,
 } from "./teams-projects-protocol";
 import { JsonRpcProxy, JsonRpcServer } from "./messaging/proxy-factory";
 import { Disposable, CancellationTokenSource } from "vscode-jsonrpc";
@@ -184,6 +185,8 @@ export interface GitpodServer extends JsonRpcServer<GitpodClient>, AdminServer,
     getGenericInvite(teamId: string): Promise<TeamMembershipInvite>;
     resetGenericInvite(inviteId: string): Promise<TeamMembershipInvite>;
     deleteTeam(teamId: string): Promise<void>;
+    getOrgSettings(orgId: string): Promise<OrganizationSettings>;
+    updateOrgSettings(teamId: string, settings: Partial<OrganizationSettings>): Promise<OrganizationSettings>;
     createOrgAuthProvider(params: GitpodServer.CreateOrgAuthProviderParams): Promise<AuthProviderEntry>;
     updateOrgAuthProvider(params: GitpodServer.UpdateOrgAuthProviderParams): Promise<AuthProviderEntry>;
     getOrgAuthProviders(params: GitpodServer.GetOrgAuthProviderParams): Promise<AuthProviderEntry[]>;

components/gitpod-protocol/src/teams-projects-protocol.ts

@@ -142,6 +142,10 @@ export interface Organization {
     deleted?: boolean;
 }
 
+export interface OrganizationSettings {
+    workspaceSharingDisabled?: boolean;
+}
+
 export type TeamMemberRole = OrgMemberRole;
 export type OrgMemberRole = "owner" | "member";
 

components/server/ee/src/workspace/gitpod-server-impl.ts

@@ -464,6 +464,16 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
         const workspace = await this.internalGetWorkspace(workspaceId, this.workspaceDb.trace(ctx));
         await this.guardAccess({ kind: "workspace", subject: workspace }, "update");
 
+        if (level != "owner" && workspace.organizationId) {
+            const settings = await this.teamDB.findOrgSettings(workspace.organizationId);
+            if (settings?.workspaceSharingDisabled) {
+                throw new ResponseError(
+                    ErrorCodes.PERMISSION_DENIED,
+                    "An Organization Owner has disabled workspace sharing for workspaces in this Organization. ",
+                );
+            }
+        }
+
         const instance = await this.workspaceDb.trace(ctx).findRunningInstance(workspaceId);
         if (instance) {
             await this.guardAccess({ kind: "workspaceInstance", subject: instance, workspace: workspace }, "update");

components/server/src/auth/rate-limiter.ts

@@ -113,6 +113,8 @@ const defaultFunctions: FunctionsConfig = {
     getGenericInvite: { group: "default", points: 1 },
     resetGenericInvite: { group: "default", points: 1 },
     deleteTeam: { group: "default", points: 1 },
+    getOrgSettings: { group: "default", points: 1 },
+    updateOrgSettings: { group: "default", points: 1 },
     getProviderRepositoriesForUser: { group: "default", points: 1 },
     createProject: { group: "default", points: 1 },
     getTeamProjects: { group: "default", points: 1 },

components/server/src/workspace/gitpod-server-impl.ts

@@ -159,7 +159,7 @@ import { InvalidGitpodYMLError } from "./config-provider";
 import { ProjectsService } from "../projects/projects-service";
 import { LocalMessageBroker } from "../messaging/local-message-broker";
 import { IDEOptions } from "@gitpod/gitpod-protocol/lib/ide-protocol";
-import { PartialProject } from "@gitpod/gitpod-protocol/lib/teams-projects-protocol";
+import { PartialProject, OrganizationSettings } from "@gitpod/gitpod-protocol/lib/teams-projects-protocol";
 import { ClientMetadata } from "../websocket/websocket-connection-manager";
 import { ConfigurationService } from "../config/configuration-service";
 import {
@@ -2486,6 +2486,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
             });
         });
 
+        // TODO: delete setting
         await this.teamDB.deleteTeam(teamId);
         await this.onTeamDeleted(teamId);
 
@@ -2498,6 +2499,27 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         });
     }
 
+    async getOrgSettings(ctx: TraceContextWithSpan, orgId: string): Promise<OrganizationSettings> {
+        const user = this.checkAndBlockUser("getOrgSettings");
+        traceAPIParams(ctx, { orgId, userId: user.id });
+        await this.guardTeamOperation(orgId, "get", "org_write");
+        const settings = await this.teamDB.findOrgSettings(orgId);
+        // TODO: make a default in protocol
+        return settings ?? { workspaceSharingDisabled: false };
+    }
+
+    async updateOrgSettings(
+        ctx: TraceContextWithSpan,
+        orgId: string,
+        settings: Partial<OrganizationSettings>,
+    ): Promise<OrganizationSettings> {
+        const user = this.checkAndBlockUser("updateOrgSettings");
+        traceAPIParams(ctx, { orgId, userId: user.id });
+        await this.guardTeamOperation(orgId, "update", "org_write");
+        await this.teamDB.setOrgSettings(orgId, settings);
+        return (await this.teamDB.findOrgSettings(orgId))!;
+    }
+
     public async getTeamProjects(ctx: TraceContext, teamId: string): Promise<Project[]> {
         traceAPIParams(ctx, { teamId });