wip

Author: geropl

components/server/src/authorization/spicedb-authorizer.ts

@@ -11,15 +11,15 @@ import { TrustedValue } from "@gitpod/gitpod-protocol/lib/util/scrubbing";
 import { getExperimentsClientForBackend } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
 import { inject, injectable } from "inversify";
 import { observeSpicedbClientLatency, spicedbClientLatency } from "../prometheus-metrics";
-import { SpiceDBClient } from "./spicedb";
+import { SpiceDBClientProvider } from "./spicedb";
 // TODO(gpl) Change to "@grpc/grpc-js" once we can use 1.9.0 (or higher) everywhere
 import * as grpc from "@grpc/grpc-js_1_9_0";
 
 @injectable()
 export class SpiceDBAuthorizer {
     constructor(
-        @inject(SpiceDBClient)
-        private client: SpiceDBClient,
+        @inject(SpiceDBClientProvider)
+        private readonly clientProvider: SpiceDBClientProvider,
     ) {}
 
     async check(
@@ -28,7 +28,8 @@ export class SpiceDBAuthorizer {
             userId: string;
         },
     ): Promise<boolean> {
-        if (!this.client) {
+        const client = this.clientProvider.getClient();
+        if (!client) {
             return true;
         }
         const timing = startTimer();
@@ -45,7 +46,7 @@ export class SpiceDBAuthorizer {
         const timer = spicedbClientLatency.startTimer();
         let error: Error | undefined;
         try {
-            const response = await this.client.checkPermission(req, this.callOptions);
+            const response = await client.checkPermission(req, this.callOptions);
             const permitted = response.permissionship === v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION;
 
             return permitted;
@@ -62,15 +63,16 @@ export class SpiceDBAuthorizer {
     }
 
     async writeRelationships(...updates: v1.RelationshipUpdate[]): Promise<v1.WriteRelationshipsResponse | undefined> {
-        if (!this.client) {
+        const client = this.clientProvider.getClient();
+        if (!client) {
             return undefined;
         }
         const timing = startTimer();
 
         const timer = spicedbClientLatency.startTimer();
         let error: Error | undefined;
         try {
-            const response = await this.client.writeRelationships(
+            const response = await client.writeRelationships(
                 v1.WriteRelationshipsRequest.create({
                     updates,
                 }),
@@ -89,7 +91,7 @@ export class SpiceDBAuthorizer {
     }
 
     async deleteRelationships(req: v1.DeleteRelationshipsRequest): Promise<v1.ReadRelationshipsResponse[]> {
-        const client = this.client;
+        const client = this.clientProvider.getClient();
         if (!client) {
             return [];
         }
@@ -125,10 +127,11 @@ export class SpiceDBAuthorizer {
     }
 
     async readRelationships(req: v1.ReadRelationshipsRequest): Promise<v1.ReadRelationshipsResponse[]> {
-        if (!this.client) {
+        const client = this.clientProvider.getClient();
+        if (!client) {
             return [];
         }
-        return this.client.readRelationships(req, this.callOptions);
+        return client.readRelationships(req, this.callOptions);
     }
 
     /**
@@ -137,9 +140,9 @@ export class SpiceDBAuthorizer {
      * But the promisified client somehow does not have the same overloads. Thus we convince it here that options may be passed as 2nd argument.
      */
     private get callOptions(): grpc.Metadata {
-        return {
+        return (<grpc.CallOptions>{
             deadline: Date.now() + 5000,
-        } as any as grpc.Metadata;
+        }) as any as grpc.Metadata;
     }
 }
 function startTimer() {

components/server/src/authorization/spicedb.ts

@@ -5,13 +5,23 @@
  */
 
 import { v1 } from "@authzed/authzed-node";
-import { defaultGRPCOptions } from "@gitpod/gitpod-protocol/lib/util/grpc";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
+import * as grpc from "@grpc/grpc-js_1_9_0";
 
-export const SpiceDBClient = Symbol("SpiceDBClient");
-export type SpiceDBClient = v1.ZedPromiseClientInterface | undefined;
+export const SpiceDBClientProvider = Symbol("SpiceDBClientProvider");
 
-export function spicedbClientFromEnv(): SpiceDBClient {
+export interface SpiceDBClientConfig {
+    address: string;
+    token: string;
+}
+
+export type SpiceDBClient = v1.ZedPromiseClientInterface;
+type Client = v1.ZedClientInterface & grpc.Client;
+export interface SpiceDBClientProvider {
+    getClient(): SpiceDBClient | undefined;
+}
+
+export function spiceDBConfigFromEnv(): SpiceDBClientConfig | undefined {
     const token = process.env["SPICEDB_PRESHARED_KEY"];
     if (!token) {
         log.error("[spicedb] No preshared key configured.");
@@ -23,11 +33,50 @@ export function spicedbClientFromEnv(): SpiceDBClient {
         log.error("[spicedb] No service address configured.");
         return undefined;
     }
+    return {
+        address,
+        token,
+    };
+}
+
+function spicedbClientFromConfig(config: SpiceDBClientConfig | undefined): Client | undefined {
+    if (!config) {
+        log.error("[spicedb] No config based, so won't create a client.");
+        return undefined;
+    }
 
-    const clientOptions = {
-        ...defaultGRPCOptions,
+    const clientOptions: grpc.ClientOptions = {
+        "grpc.client_idle_timeout_ms": 60000,
+        "grpc.max_reconnect_backoff_ms": 5000, // default: 12000
     };
 
-    return v1.NewClient(token, address, v1.ClientSecurity.INSECURE_PLAINTEXT_CREDENTIALS, undefined, clientOptions)
-        .promises;
+    return v1.NewClient(
+        config.token,
+        config.address,
+        v1.ClientSecurity.INSECURE_PLAINTEXT_CREDENTIALS,
+        undefined,
+        clientOptions,
+    ) as Client;
+}
+
+export class CachingSpiceDBClientProvider implements SpiceDBClientProvider {
+    private client: Client | undefined;
+
+    constructor(private readonly clientConfig: SpiceDBClientConfig | undefined) {}
+
+    getClient(): SpiceDBClient | undefined {
+        let client = this.client;
+        if (!client) {
+            client = spicedbClientFromConfig(this.clientConfig);
+        } else if (client.getChannel().getConnectivityState(true) !== grpc.connectivityState.READY) {
+            client.close();
+
+            log.warn("[spicedb] Lost connection to SpiceDB - reconnecting...");
+
+            client = spicedbClientFromConfig(this.clientConfig);
+        }
+        this.client = client;
+
+        return client?.promises;
+    }
 }

components/server/src/container-module.ts

@@ -46,7 +46,7 @@ import { AuthJWT, SignInJWT } from "./auth/jwt";
 import { LoginCompletionHandler } from "./auth/login-completion-handler";
 import { VerificationService } from "./auth/verification-service";
 import { Authorizer, createInitializingAuthorizer } from "./authorization/authorizer";
-import { SpiceDBClient, spicedbClientFromEnv } from "./authorization/spicedb";
+import { CachingSpiceDBClientProvider, SpiceDBClientProvider, spiceDBConfigFromEnv } from "./authorization/spicedb";
 import { BillingModes } from "./billing/billing-mode";
 import { EntitlementService, EntitlementServiceImpl } from "./billing/entitlement-service";
 import { EntitlementServiceUBP } from "./billing/entitlement-service-ubp";
@@ -302,8 +302,11 @@ export const productionContainerModule = new ContainerModule(
         bind(IamSessionApp).toSelf().inSingletonScope();
 
         // Authorization & Perms
-        bind(SpiceDBClient)
-            .toDynamicValue(() => spicedbClientFromEnv())
+        bind(SpiceDBClientProvider)
+            .toDynamicValue((ctx) => {
+                const config = spiceDBConfigFromEnv();
+                return new CachingSpiceDBClientProvider(config);
+            })
             .inSingletonScope();
         bind(SpiceDBAuthorizer).toSelf().inSingletonScope();
         bind(Authorizer)

components/server/src/test/service-testing-container-module.ts

@@ -5,7 +5,6 @@
  */
 
 import * as grpc from "@grpc/grpc-js";
-import { v1 } from "@authzed/authzed-node";
 import { IAnalyticsWriter, NullAnalyticsWriter } from "@gitpod/gitpod-protocol/lib/analytics";
 import { IDEServiceClient, IDEServiceDefinition } from "@gitpod/ide-service-api/lib/ide.pb";
 import { UsageServiceDefinition } from "@gitpod/usage-api/lib/usage/v1/usage.pb";
@@ -14,7 +13,7 @@ import { v4 } from "uuid";
 import { AuthProviderParams } from "../auth/auth-provider";
 import { HostContextProvider, HostContextProviderFactory } from "../auth/host-context-provider";
 import { HostContextProviderImpl } from "../auth/host-context-provider-impl";
-import { SpiceDBClient } from "../authorization/spicedb";
+import { CachingSpiceDBClientProvider, SpiceDBClientProvider } from "../authorization/spicedb";
 import { Config } from "../config";
 import { StorageClient } from "../storage/storage-client";
 import { testContainer } from "@gitpod/gitpod-db/lib";
@@ -189,10 +188,13 @@ const mockApplyingContainerModule = new ContainerModule((bind, unbound, isbound,
         }))
         .inSingletonScope();
 
-    rebind(SpiceDBClient)
+    rebind(SpiceDBClientProvider)
         .toDynamicValue(() => {
-            const token = v4();
-            return v1.NewClient(token, "localhost:50051", v1.ClientSecurity.INSECURE_PLAINTEXT_CREDENTIALS).promises;
+            const config = {
+                token: v4(),
+                address: "localhost:50051",
+            };
+            return new CachingSpiceDBClientProvider(config);
         })
         .inSingletonScope();
 });