WIP [server] add ScmService.getToken

Author: AlexTugarev

components/server/src/container-module.ts

@@ -86,7 +86,6 @@ import { IncrementalWorkspaceService } from "./prebuilds/incremental-workspace-s
 import { PrebuildManager } from "./prebuilds/prebuild-manager";
 import { PrebuildStatusMaintainer } from "./prebuilds/prebuilt-status-maintainer";
 import { ProjectsService } from "./projects/projects-service";
-import { ScmService } from "./projects/scm-service";
 import { RedisMutex } from "./redis/mutex";
 import { Server } from "./server";
 import { SessionHandler } from "./session-handler";
@@ -128,6 +127,7 @@ import { WorkspaceStartController } from "./workspace/workspace-start-controller
 import { WorkspaceStarter } from "./workspace/workspace-starter";
 import { DefaultWorkspaceImageValidator } from "./orgs/default-workspace-image-validator";
 import { ContextAwareAnalyticsWriter } from "./analytics";
+import { ScmService } from "./scm/scm-service";
 
 export const productionContainerModule = new ContainerModule(
     (bind, unbind, isBound, rebind, unbindAsync, onActivation, onDeactivation) => {

components/server/src/projects/projects-service.ts

@@ -28,8 +28,8 @@ import { ErrorCodes, ApplicationError } from "@gitpod/gitpod-protocol/lib/messag
 import { URL } from "url";
 import { Authorizer, SYSTEM_USER } from "../authorization/authorizer";
 import { TransactionalContext } from "@gitpod/gitpod-db/lib/typeorm/transactional-db-impl";
-import { ScmService } from "./scm-service";
 import { daysBefore, isDateSmaller } from "@gitpod/gitpod-protocol/lib/util/timeutil";
+import { ScmService } from "../scm/scm-service";
 
 const MAX_PROJECT_NAME_LENGTH = 100;
 

components/server/src/projects/scm-service.ts renamed to components/server/src/scm/scm-service.ts

@@ -4,15 +4,31 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
-import { Project, User } from "@gitpod/gitpod-protocol";
-import { RepoURL } from "../repohost";
 import { inject, injectable } from "inversify";
+import { Authorizer } from "../authorization/authorizer";
+import { Config } from "../config";
+import { TokenProvider } from "../user/token-provider";
+import { Project, Token, User } from "@gitpod/gitpod-protocol";
 import { HostContextProvider } from "../auth/host-context-provider";
+import { RepoURL } from "../repohost";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 
 @injectable()
 export class ScmService {
-    constructor(@inject(HostContextProvider) private readonly hostContextProvider: HostContextProvider) {}
+    constructor(
+        @inject(Config) protected readonly config: Config,
+        @inject(Authorizer) private readonly auth: Authorizer,
+        @inject(TokenProvider) private readonly tokenProvider: TokenProvider,
+        @inject(HostContextProvider) private readonly hostContextProvider: HostContextProvider,
+    ) {}
+
+    public async getToken(userId: string, query: { host: string }): Promise<Token> {
+        // FIXME(at) this doesn't sound right. "token" is pretty overloaded, thus `read_scm_tokens` would be correct
+        await this.auth.checkPermissionOnUser(userId, "read_tokens", userId);
+        const { host } = query;
+        const token = await this.tokenProvider.getTokenForHost(userId, host);
+        return token;
+    }
 
     async installWebhookForPrebuilds(project: Project, installer: User) {
         // Install the prebuilds webhook if possible

components/server/src/user/token-provider.ts

@@ -13,5 +13,5 @@ export interface TokenProvider {
      * @param user
      * @param host
      */
-    getTokenForHost(user: User, host: string): Promise<Token>;
+    getTokenForHost(user: User | string, host: string): Promise<Token>;
 }

components/server/src/user/token-service.ts

@@ -10,37 +10,43 @@ import { HostContextProvider } from "../auth/host-context-provider";
 import { UserDB } from "@gitpod/gitpod-db/lib";
 import { v4 as uuidv4 } from "uuid";
 import { TokenProvider } from "./token-provider";
+import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 
 @injectable()
 export class TokenService implements TokenProvider {
     static readonly GITPOD_AUTH_PROVIDER_ID = "Gitpod";
-    static readonly GITPOD_PORT_AUTH_TOKEN_EXPIRY_MILLIS = 30 * 60 * 1000;
 
     @inject(HostContextProvider) protected readonly hostContextProvider: HostContextProvider;
     @inject(UserDB) protected readonly userDB: UserDB;
 
     protected getTokenForHostCache = new Map<string, Promise<Token>>();
 
-    async getTokenForHost(user: User, host: string): Promise<Token> {
+    async getTokenForHost(user: User | string, host: string): Promise<Token> {
+        const userId = User.is(user) ? user.id : user;
         // (AT) when it comes to token renewal, the awaited http requests may
         // cause "parallel" calls to repeat the renewal, which will fail.
         // Caching for pending operations should solve this issue.
-        const key = `${host}-${user.id}`;
+        const key = `${host}-${userId}`;
         let promise = this.getTokenForHostCache.get(key);
         if (!promise) {
-            promise = this.doGetTokenForHost(user, host);
+            promise = this.doGetTokenForHost(userId, host);
             this.getTokenForHostCache.set(key, promise);
             promise = promise.finally(() => this.getTokenForHostCache.delete(key));
         }
         return promise;
     }
 
-    async doGetTokenForHost(user: User, host: string): Promise<Token> {
+    private async doGetTokenForHost(userId: string, host: string): Promise<Token> {
+        const user = await this.userDB.findUserById(userId);
+        if (!user) {
+            throw new ApplicationError(ErrorCodes.NOT_FOUND, `User (${userId}) not found.`);
+        }
         const identity = this.getIdentityForHost(user, host);
         let token = await this.userDB.findTokenForIdentity(identity);
         if (!token) {
-            throw new Error(
-                `No token found for user ${identity.authProviderId}/${identity.authId}/${identity.authName}!`,
+            throw new ApplicationError(
+                ErrorCodes.NOT_FOUND,
+                `SCM Token not found: (${userId}/${identity?.authId}/${identity?.authName}).`,
             );
         }
         const aboutToExpireTime = new Date();
@@ -84,16 +90,16 @@ export class TokenService implements TokenProvider {
         return await this.userDB.addToken(identity, token);
     }
 
-    protected getIdentityForHost(user: User, host: string): Identity {
+    private getIdentityForHost(user: User, host: string): Identity {
         const authProviderId = this.getAuthProviderId(host);
         const hostIdentity = authProviderId && User.getIdentity(user, authProviderId);
         if (!hostIdentity) {
-            throw new Error(`User ${user.name} has no identity for host: ${host}!`);
+            throw new ApplicationError(ErrorCodes.NOT_FOUND, `User (${user.id}) has no identity for host: ${host}.`);
         }
         return hostIdentity;
     }
 
-    protected getAuthProviderId(host: string): string | undefined {
+    private getAuthProviderId(host: string): string | undefined {
         const hostContext = this.hostContextProvider.get(host);
         if (!hostContext) {
             return undefined;

components/server/src/workspace/gitpod-server-impl.ts

@@ -108,7 +108,6 @@ import { Config } from "../config";
 import { NotFoundError, UnauthorizedError } from "../errors";
 import { RepoURL } from "../repohost/repo-url";
 import { AuthorizationService } from "../user/authorization-service";
-import { TokenProvider } from "../user/token-provider";
 import { UserAuthentication } from "../user/user-authentication";
 import { ContextParser } from "./context-parser-service";
 import { GitTokenScopeGuesser } from "./git-token-scope-guesser";
@@ -172,6 +171,7 @@ import {
 } from "./suggested-repos-sorter";
 import { SubjectId } from "../auth/subject-id";
 import { runWithSubjectId } from "../util/request-context";
+import { ScmService } from "../scm/scm-service";
 
 // shortcut
 export const traceWI = (ctx: TraceContext, wi: Omit<LogContext, "userId">) => TraceContext.setOWI(ctx, wi); // userId is already taken care of in WebsocketConnectionManager
@@ -203,7 +203,6 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         @inject(UserDB) private readonly userDB: UserDB,
         @inject(BlockedRepositoryDB) private readonly blockedRepostoryDB: BlockedRepositoryDB,
-        @inject(TokenProvider) private readonly tokenProvider: TokenProvider,
         @inject(UserAuthentication) private readonly userAuthentication: UserAuthentication,
         @inject(UserService) private readonly userService: UserService,
         @inject(IAnalyticsWriter) private readonly analytics: IAnalyticsWriter,
@@ -229,6 +228,8 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         @inject(Authorizer) private readonly auth: Authorizer,
 
+        @inject(ScmService) private readonly scmService: ScmService,
+
         @inject(BillingModes) private readonly billingModes: BillingModes,
         @inject(StripeService) private readonly stripeService: StripeService,
         @inject(UsageService) private readonly usageService: UsageService,
@@ -642,16 +643,13 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         traceAPIParams(ctx, { query });
 
         const user = await this.checkUser("getToken");
-        const logCtx = { userId: user.id, host: query.host };
-
         const { host } = query;
         try {
-            const token = await this.tokenProvider.getTokenForHost(user, host);
+            const token = await this.scmService.getToken(user.id, { host });
             await this.guardAccess({ kind: "token", subject: token, tokenOwnerID: user.id }, "get");
 
             return token;
         } catch (error) {
-            log.error(logCtx, "failed to find token: ", error);
             return undefined;
         }
     }