[server] feature flag all spicedb calls (#18428)

Author: svenefftinge

components/server/src/authorization/authorizer.spec.db.ts

@@ -99,6 +99,7 @@ describe("Authorizer", async () => {
         const p1 = v4();
         const p2 = v4();
         await authorizer.addOrganization(
+            "",
             orgId,
             [
                 { userId: u1, role: "member" },
@@ -115,7 +116,7 @@ describe("Authorizer", async () => {
         await expected(rel.project(p2).org.organization(orgId));
 
         // add org again with different members and projects
-        await authorizer.addOrganization(orgId, [{ userId: u2, role: "member" }], [p2]);
+        await authorizer.addOrganization("", orgId, [{ userId: u2, role: "member" }], [p2]);
         await expected(rel.organization(orgId).installation.installation);
         await notExpected(rel.organization(orgId).member.user(u1));
         await expected(rel.organization(orgId).member.user(u2));

components/server/src/authorization/authorizer.ts

@@ -19,6 +19,7 @@ import {
     rel,
 } from "./definitions";
 import { SpiceDBAuthorizer } from "./spicedb-authorizer";
+import { getExperimentsClientForBackend } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
 
 export function createInitializingAuthorizer(spiceDbAuthorizer: SpiceDBAuthorizer): Authorizer {
     const target = new Authorizer(spiceDbAuthorizer);
@@ -127,8 +128,10 @@ export class Authorizer {
     }
 
     // write operations below
-
-    public async removeAllRelationships(type: ResourceType, id: string) {
+    public async removeAllRelationships(userId: string, type: ResourceType, id: string) {
+        if (await this.isDisabled(userId)) {
+            return;
+        }
         await this.authorizer.deleteRelationships(
             v1.DeleteRelationshipsRequest.create({
                 relationshipFilter: {
@@ -156,7 +159,18 @@ export class Authorizer {
         }
     }
 
+    private async isDisabled(userId: string): Promise<boolean> {
+        return !(await getExperimentsClientForBackend().getValueAsync("centralizedPermissions", false, {
+            user: {
+                id: userId,
+            },
+        }));
+    }
+
     async addUser(userId: string, owningOrgId?: string) {
+        if (await this.isDisabled(userId)) {
+            return;
+        }
         const oldOrgs = await this.findAll(rel.user(userId).organization.organization(""));
         const updates = [set(rel.user(userId).self.user(userId))];
         updates.push(
@@ -184,10 +198,16 @@ export class Authorizer {
     }
 
     async removeUser(userId: string) {
-        await this.removeAllRelationships("user", userId);
+        if (await this.isDisabled(userId)) {
+            return;
+        }
+        await this.removeAllRelationships(userId, "user", userId);
     }
 
     async addOrganizationRole(orgID: string, userID: string, role: TeamMemberRole): Promise<void> {
+        if (await this.isDisabled(userID)) {
+            return;
+        }
         const updates = [set(rel.organization(orgID).member.user(userID))];
         if (role === "owner") {
             updates.push(set(rel.organization(orgID).owner.user(userID)));
@@ -198,48 +218,61 @@ export class Authorizer {
     }
 
     async removeOrganizationRole(orgID: string, userID: string, role: TeamMemberRole): Promise<void> {
+        if (await this.isDisabled(userID)) {
+            return;
+        }
         const updates = [remove(rel.organization(orgID).owner.user(userID))];
         if (role === "member") {
             updates.push(remove(rel.organization(orgID).member.user(userID)));
         }
         await this.authorizer.writeRelationships(...updates);
     }
 
-    async addProjectToOrg(orgID: string, projectID: string): Promise<void> {
+    async addProjectToOrg(userId: string, orgID: string, projectID: string): Promise<void> {
+        if (await this.isDisabled(userId)) {
+            return;
+        }
         await this.authorizer.writeRelationships(
             set(rel.project(projectID).org.organization(orgID)), //
         );
     }
 
-    async removeProjectFromOrg(orgID: string, projectID: string): Promise<void> {
+    async removeProjectFromOrg(userId: string, orgID: string, projectID: string): Promise<void> {
+        if (await this.isDisabled(userId)) {
+            return;
+        }
         await this.authorizer.writeRelationships(
             remove(rel.project(projectID).org.organization(orgID)), //
         );
     }
 
     async addOrganization(
+        userId: string,
         orgId: string,
         members: { userId: string; role: TeamMemberRole }[],
         projectIds: string[],
     ): Promise<void> {
+        if (await this.isDisabled(userId)) {
+            return;
+        }
         await this.addOrganizationMembers(orgId, members);
 
-        await this.addOrganizationProjects(orgId, projectIds);
+        await this.addOrganizationProjects(userId, orgId, projectIds);
 
         await this.authorizer.writeRelationships(
             set(rel.organization(orgId).installation.installation), //
         );
     }
 
-    private async addOrganizationProjects(orgID: string, projectIds: string[]): Promise<void> {
+    private async addOrganizationProjects(userId: string, orgID: string, projectIds: string[]): Promise<void> {
         const existing = await this.findAll(rel.project("").org.organization(orgID));
         const toBeRemoved = asSet(existing.map((r) => r.resource?.objectId));
         for (const projectId of projectIds) {
-            await this.addProjectToOrg(orgID, projectId);
+            await this.addProjectToOrg(userId, orgID, projectId);
             toBeRemoved.delete(projectId);
         }
         for (const projectId of toBeRemoved) {
-            await this.removeProjectFromOrg(orgID, projectId);
+            await this.removeProjectFromOrg(userId, orgID, projectId);
         }
     }
 
@@ -258,15 +291,21 @@ export class Authorizer {
         }
     }
 
-    async addInstallationAdminRole(userID: string) {
+    async addInstallationAdminRole(userId: string) {
+        if (await this.isDisabled(userId)) {
+            return;
+        }
         await this.authorizer.writeRelationships(
-            set(rel.installation.admin.user(userID)), //
+            set(rel.installation.admin.user(userId)), //
         );
     }
 
-    async removeInstallationAdminRole(userID: string) {
+    async removeInstallationAdminRole(userId: string) {
+        if (await this.isDisabled(userId)) {
+            return;
+        }
         await this.authorizer.writeRelationships(
-            remove(rel.installation.admin.user(userID)), //
+            remove(rel.installation.admin.user(userId)), //
         );
     }
 

components/server/src/authorization/relationship-updater.ts

@@ -74,7 +74,7 @@ export class RelationshipUpdater {
             // Add relationships
             await this.updateUser(user);
             for (const org of orgs) {
-                await this.updateOrganization(org);
+                await this.updateOrganization(user.id, org);
             }
             AdditionalUserData.set(user, {
                 fgaRelationshipsVersion: this.version,
@@ -136,10 +136,11 @@ export class RelationshipUpdater {
         }
     }
 
-    private async updateOrganization(org: Organization): Promise<void> {
+    private async updateOrganization(userId: string, org: Organization): Promise<void> {
         const members = await this.orgDB.findMembersByTeam(org.id);
         const projects = await this.projectDB.findProjects(org.id);
         await this.authorizer.addOrganization(
+            userId,
             org.id,
             members,
             projects.map((p) => p.id),

components/server/src/orgs/organization-service.ts

@@ -66,7 +66,7 @@ export class OrganizationService {
             result = await this.teamDB.transaction(async (db) => {
                 result = await db.createTeam(userId, name);
                 const members = await db.findMembersByTeam(result.id);
-                await this.auth.addOrganization(result.id, members, []);
+                await this.auth.addOrganization(userId, result.id, members, []);
                 return result;
             });
         } catch (err) {
@@ -110,7 +110,7 @@ export class OrganizationService {
 
                 await db.deleteTeam(orgId);
 
-                await this.auth.removeAllRelationships("organization", orgId);
+                await this.auth.removeAllRelationships(userId, "organization", orgId);
             });
             return this.analytics.track({
                 userId: userId,
@@ -121,6 +121,7 @@ export class OrganizationService {
             });
         } catch (err) {
             await this.auth.addOrganization(
+                userId,
                 orgId,
                 members,
                 projects.map((p) => p.id),

components/server/src/projects/projects-service.ts

@@ -239,10 +239,10 @@ export class ProjectsService {
             await this.projectDB.transaction(async (db) => {
                 await db.storeProject(project);
 
-                await this.auth.addProjectToOrg(teamId, project.id);
+                await this.auth.addProjectToOrg(installer.id, teamId, project.id);
             });
         } catch (err) {
-            await this.auth.removeProjectFromOrg(teamId, project.id);
+            await this.auth.removeProjectFromOrg(installer.id, teamId, project.id);
             throw err;
         }
         await this.onDidCreateProject(project, installer);
@@ -309,7 +309,7 @@ export class ProjectsService {
                 orgId = project.teamId;
                 await db.markDeleted(projectId);
 
-                await this.auth.removeProjectFromOrg(orgId, projectId);
+                await this.auth.removeProjectFromOrg(userId, orgId, projectId);
             });
             this.analytics.track({
                 userId,
@@ -320,7 +320,7 @@ export class ProjectsService {
             });
         } catch (err) {
             if (orgId) {
-                await this.auth.addProjectToOrg(orgId, projectId);
+                await this.auth.addProjectToOrg(userId, orgId, projectId);
             }
             throw err;
         }