[fga] check some admin functions (#18562)

Author: svenefftinge

components/gitpod-db/src/team-db.ts

@@ -21,7 +21,7 @@ export interface TeamDB extends TransactionalDB<TeamDB> {
         limit: number,
         orderBy: keyof Team,
         orderDir: "ASC" | "DESC",
-        searchTerm: string,
+        searchTerm?: string,
     ): Promise<{ total: number; rows: Team[] }>;
     findTeamById(teamId: string): Promise<Team | undefined>;
     findTeamByMembershipId(membershipId: string): Promise<Team | undefined>;

components/gitpod-db/src/typeorm/team-db-impl.ts

@@ -65,9 +65,13 @@ export class TeamDBImpl extends TransactionalDBImpl<TeamDB> implements TeamDB {
         searchTerm?: string,
     ): Promise<{ total: number; rows: Team[] }> {
         const teamRepo = await this.getTeamRepo();
-        const queryBuilder = teamRepo
-            .createQueryBuilder("team")
-            .where("LOWER(team.name) LIKE LOWER(:searchTerm)", { searchTerm: `%${searchTerm}%` })
+        let queryBuilder = teamRepo.createQueryBuilder("team");
+        if (searchTerm) {
+            queryBuilder = queryBuilder.where("LOWER(team.name) LIKE LOWER(:searchTerm)", {
+                searchTerm: `%${searchTerm}%`,
+            });
+        }
+        queryBuilder = queryBuilder
             .andWhere("deleted = 0")
             .andWhere("markedDeleted = 0")
             .skip(offset)

components/server/src/authorization/authorizer.ts

@@ -11,6 +11,8 @@ import { Project, TeamMemberRole } from "@gitpod/gitpod-protocol";
 import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import {
     AllResourceTypes,
+    InstallationID,
+    InstallationPermission,
     OrganizationPermission,
     Permission,
     ProjectPermission,
@@ -54,6 +56,31 @@ export const SYSTEM_USER = "SYSTEM_USER";
 export class Authorizer {
     constructor(private authorizer: SpiceDBAuthorizer) {}
 
+    async hasPermissionOnInstallation(userId: string, permission: InstallationPermission): Promise<boolean> {
+        if (userId === SYSTEM_USER) {
+            return true;
+        }
+
+        const req = v1.CheckPermissionRequest.create({
+            subject: subject("user", userId),
+            permission,
+            resource: object("installation", InstallationID),
+            consistency,
+        });
+
+        return this.authorizer.check(req, { userId });
+    }
+
+    async checkPermissionOnInstallation(userId: string, permission: InstallationPermission): Promise<void> {
+        if (await this.hasPermissionOnInstallation(userId, permission)) {
+            return;
+        }
+        throw new ApplicationError(
+            ErrorCodes.PERMISSION_DENIED,
+            `User ${userId} does not have permission '${permission}' on the installation.`,
+        );
+    }
+
     async hasPermissionOnOrganization(
         userId: string,
         permission: OrganizationPermission,

components/server/src/authorization/definitions.ts

@@ -8,7 +8,7 @@
 
 import { v1 } from "@authzed/authzed-node";
 
-const InstallationID = "1";
+export const InstallationID = "1";
 
 export type ResourceType =
     | UserResourceType
@@ -37,6 +37,7 @@ export type UserPermission =
     | "write_info"
     | "delete"
     | "make_admin"
+    | "admin_control"
     | "read_ssh"
     | "write_ssh"
     | "read_tokens"
@@ -48,7 +49,7 @@ export type InstallationResourceType = "installation";
 
 export type InstallationRelation = "member" | "admin";
 
-export type InstallationPermission = "create_organization";
+export type InstallationPermission = "create_organization" | "configure";
 
 export type OrganizationResourceType = "organization";
 

components/server/src/orgs/organization-service.spec.db.ts

@@ -202,4 +202,20 @@ describe("OrganizationService", async () => {
         expect(members.length).to.eq(1);
         expect(members.some((m) => m.userId === owner.id && m.role === "owner")).to.be.true;
     });
+
+    it("should listOrganizations", async () => {
+        const strangerOrg = await os.createOrganization(stranger.id, "stranger-org");
+        let orgs = await os.listOrganizations(owner.id, {});
+        expect(orgs.rows[0].id).to.eq(org.id);
+        expect(orgs.total).to.eq(1);
+
+        orgs = await os.listOrganizations(stranger.id, {});
+        expect(orgs.rows[0].id).to.eq(strangerOrg.id);
+        expect(orgs.total).to.eq(1);
+
+        orgs = await os.listOrganizations(admin.id, {});
+        expect(orgs.rows.some((org) => org.id === org.id)).to.be.true;
+        expect(orgs.rows.some((org) => org.id === strangerOrg.id)).to.be.true;
+        expect(orgs.total).to.eq(2);
+    });
 });

components/server/src/orgs/organization-service.ts

@@ -30,6 +30,37 @@ export class OrganizationService {
         @inject(IAnalyticsWriter) private readonly analytics: IAnalyticsWriter,
     ) {}
 
+    async listOrganizations(
+        userId: string,
+        req: {
+            offset?: number;
+            limit?: number;
+            orderBy?: keyof Organization;
+            orderDir?: "asc" | "desc";
+            searchTerm?: string;
+        },
+    ): Promise<{ total: number; rows: Organization[] }> {
+        const result = await this.teamDB.findTeams(
+            req.offset || 0,
+            req.limit || 50,
+            req.orderBy || "creationTime",
+            req.orderDir === "asc" ? "ASC" : "DESC",
+            req.searchTerm,
+        );
+
+        await Promise.all(
+            result.rows.map(async (org) => {
+                // if the user doesn't see the org, filter it out
+                if (!(await this.auth.hasPermissionOnOrganization(userId, "read_info", org.id))) {
+                    result.total--;
+                    result.rows = result.rows.filter((o) => o.id !== org.id);
+                }
+            }),
+        );
+
+        return result;
+    }
+
     async listOrganizationsByMember(userId: string, memberId: string): Promise<Organization[]> {
         //TODO check if user has access to member
         const orgs = await this.teamDB.findTeamsByUser(memberId);

components/server/src/user/user-authentication.ts

@@ -14,8 +14,8 @@ import { AuthUser } from "../auth/auth-provider";
 import { TokenService } from "./token-service";
 import { EmailAddressAlreadyTakenException, SelectAccountException } from "../auth/errors";
 import { SelectAccountPayload } from "@gitpod/gitpod-protocol/lib/auth";
-import { ErrorCodes, ApplicationError } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import { UserService } from "./user-service";
+import { Authorizer } from "../authorization/authorizer";
 
 export interface CreateUserParams {
     organizationId?: string;
@@ -37,14 +37,12 @@ export class UserAuthentication {
         @inject(UserDB) private readonly userDb: UserDB,
         @inject(UserService) private readonly userService: UserService,
         @inject(HostContextProvider) private readonly hostContextProvider: HostContextProvider,
+        @inject(Authorizer) private readonly authorizer: Authorizer,
     ) {}
 
     async blockUser(userId: string, targetUserId: string, block: boolean): Promise<User> {
+        await this.authorizer.checkPermissionOnUser(userId, "admin_control", targetUserId);
         const target = await this.userService.findUserById(userId, targetUserId);
-        if (!target) {
-            throw new ApplicationError(ErrorCodes.NOT_FOUND, "not found");
-        }
-
         target.blocked = !!block;
         return await this.userDb.storeUser(target);
     }

components/server/src/workspace/gitpod-server-impl.ts

@@ -2646,7 +2646,8 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     ): Promise<AdminGetListResult<BlockedRepository>> {
         traceAPIParams(ctx, { req: censor(req, "searchTerm") }); // searchTerm may contain PII
 
-        await this.guardAdminAccess("adminGetBlockedRepositories", { req }, Permission.ADMIN_USERS);
+        const admin = await this.guardAdminAccess("adminGetBlockedRepositories", { req }, Permission.ADMIN_USERS);
+        await this.auth.checkPermissionOnInstallation(admin.id, "configure");
 
         try {
             const res = await this.blockedRepostoryDB.findAllBlockedRepositories(
@@ -2669,15 +2670,21 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     ): Promise<BlockedRepository> {
         traceAPIParams(ctx, { urlRegexp, blockUser });
 
-        await this.guardAdminAccess("adminCreateBlockedRepository", { urlRegexp, blockUser }, Permission.ADMIN_USERS);
+        const admin = await this.guardAdminAccess(
+            "adminCreateBlockedRepository",
+            { urlRegexp, blockUser },
+            Permission.ADMIN_USERS,
+        );
+        await this.auth.checkPermissionOnInstallation(admin.id, "configure");
 
         return await this.blockedRepostoryDB.createBlockedRepository(urlRegexp, blockUser);
     }
 
     async adminDeleteBlockedRepository(ctx: TraceContext, id: number): Promise<void> {
         traceAPIParams(ctx, { id });
 
-        await this.guardAdminAccess("adminDeleteBlockedRepository", { id }, Permission.ADMIN_USERS);
+        const admin = await this.guardAdminAccess("adminDeleteBlockedRepository", { id }, Permission.ADMIN_USERS);
+        await this.auth.checkPermissionOnInstallation(admin.id, "configure");
 
         await this.blockedRepostoryDB.deleteBlockedRepository(id);
     }
@@ -2719,6 +2726,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
     async adminVerifyUser(ctx: TraceContext, userId: string): Promise<User> {
         const admin = await this.guardAdminAccess("adminVerifyUser", { id: userId }, Permission.ADMIN_USERS);
+        await this.auth.checkPermissionOnUser(admin.id, "admin_control", userId);
         const user = await this.userService.findUserById(admin.id, userId);
 
         this.verificationService.markVerified(user);
@@ -2759,6 +2767,8 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
             { req },
             Permission.ADMIN_USERS,
         );
+        await this.auth.checkPermissionOnUser(admin.id, "admin_control", req.id);
+
         const target = await this.userService.findUserById(admin.id, req.id);
 
         const featureSettings: UserFeatureSettings = target.featureFlags || {};
@@ -2890,15 +2900,8 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     }
 
     async adminGetTeams(ctx: TraceContext, req: AdminGetListRequest<Team>): Promise<AdminGetListResult<Team>> {
-        await this.guardAdminAccess("adminGetTeams", { req }, Permission.ADMIN_WORKSPACES);
-
-        return await this.teamDB.findTeams(
-            req.offset,
-            req.limit,
-            req.orderBy,
-            req.orderDir === "asc" ? "ASC" : "DESC",
-            req.searchTerm as string,
-        );
+        const admin = await this.guardAdminAccess("adminGetTeams", { req }, Permission.ADMIN_WORKSPACES);
+        return this.organizationService.listOrganizations(admin.id, req);
     }
 
     async adminGetTeamById(ctx: TraceContext, id: string): Promise<Team | undefined> {
@@ -3623,16 +3626,17 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     async adminGetBillingMode(ctx: TraceContextWithSpan, attributionId: string): Promise<BillingMode> {
         traceAPIParams(ctx, { attributionId });
 
-        const user = await this.checkAndBlockUser("adminGetBillingMode");
-        if (!this.authorizationService.hasPermission(user, Permission.ADMIN_USERS)) {
+        const admin = await this.checkAndBlockUser("adminGetBillingMode");
+        if (!this.authorizationService.hasPermission(admin, Permission.ADMIN_USERS)) {
             throw new ApplicationError(ErrorCodes.PERMISSION_DENIED, "not allowed");
         }
 
         const parsedAttributionId = AttributionId.parse(attributionId);
         if (!parsedAttributionId) {
             throw new ApplicationError(ErrorCodes.BAD_REQUEST, "Unable to parse attributionId");
         }
-        return this.billingModes.getBillingMode(user.id, parsedAttributionId.teamId);
+        await this.auth.checkPermissionOnOrganization(admin.id, "read_billing", attributionId);
+        return this.billingModes.getBillingMode(admin.id, parsedAttributionId.teamId);
     }
 
     async adminGetCostCenter(ctx: TraceContext, attributionId: string): Promise<CostCenterJSON | undefined> {
@@ -3700,6 +3704,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     async adminGetBlockedEmailDomains(ctx: TraceContextWithSpan): Promise<EmailDomainFilterEntry[]> {
         const user = await this.checkAndBlockUser("adminGetBlockedEmailDomains");
         await this.guardAdminAccess("adminGetBlockedEmailDomains", { id: user.id }, Permission.ADMIN_USERS);
+        await this.auth.checkPermissionOnInstallation(user.id, "configure");
         return await this.emailDomainFilterdb.getFilterEntries();
     }
 
@@ -3709,6 +3714,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     ): Promise<void> {
         const user = await this.checkAndBlockUser("adminSaveBlockedEmailDomain");
         await this.guardAdminAccess("adminSaveBlockedEmailDomain", { id: user.id }, Permission.ADMIN_USERS);
+        await this.auth.checkPermissionOnInstallation(user.id, "configure");
         await this.emailDomainFilterdb.storeFilterEntry(domainFilterentry);
     }
 }

components/spicedb/codegen/codegen.go

@@ -127,7 +127,7 @@ func GenerateDefinition(schema *compiler.CompiledSchema) string {
 
 		import { v1 } from "@authzed/authzed-node";
 
-		const InstallationID = "1";
+		export const InstallationID = "1";
 
 		` + resource + `;
 

components/spicedb/schema/schema.yaml

@@ -14,8 +14,12 @@ schema: |-
     permission read_info = self + organization->member + organization->owner + installation->admin
     permission write_info = self
     permission delete = self
+
     permission make_admin = installation->admin + organization->installation_admin
 
+    // administrate is for changes such as blocking or verifiying, i.e. things that only admins can do on user
+    permission admin_control = installation->admin + organization->installation_admin
+
     permission read_ssh = self
     permission write_ssh = self
 
@@ -36,6 +40,8 @@ schema: |-
     // orgs can only be created by installation-level users
     permission create_organization = member + admin
 
+    // any global runtime configurations, such as the list of blocked repositories
+    permission configure = admin
   }
 
   definition organization {