[fga] Introduce EnvVarService

Author: jeanp413

components/server/src/container-module.ts

@@ -130,6 +130,7 @@ import { UserService } from "./user/user-service";
 import { RelationshipUpdater } from "./authorization/relationship-updater";
 import { WorkspaceService } from "./workspace/workspace-service";
 import { SSHKeyService } from "./user/sshkey-service";
+import { EnvVarService } from "./user/env-var-service";
 
 export const productionContainerModule = new ContainerModule(
     (bind, unbind, isBound, rebind, unbindAsync, onActivation, onDeactivation) => {
@@ -145,6 +146,7 @@ export const productionContainerModule = new ContainerModule(
         bind(AuthorizationService).to(AuthorizationServiceImpl).inSingletonScope();
 
         bind(SSHKeyService).toSelf().inSingletonScope();
+        bind(EnvVarService).toSelf().inSingletonScope();
 
         bind(TokenService).toSelf().inSingletonScope();
         bind(TokenProvider).toService(TokenService);

components/server/src/user/env-var-service.spec.db.ts

@@ -0,0 +1,110 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { BUILTIN_INSTLLATION_ADMIN_USER_ID, TypeORM } from "@gitpod/gitpod-db/lib";
+import { Organization, User } from "@gitpod/gitpod-protocol";
+import { Experiments } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
+import * as chai from "chai";
+import { Container } from "inversify";
+import "mocha";
+import { createTestContainer } from "../test/service-testing-container-module";
+import { resetDB } from "@gitpod/gitpod-db/lib/test/reset-db";
+import { OrganizationService } from "../orgs/organization-service";
+import { UserService } from "./user-service";
+import { expectError } from "../test/expect-utils";
+import { ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
+import { EnvVarService } from "./env-var-service";
+
+const expect = chai.expect;
+
+describe("EnvVarService", async () => {
+    let container: Container;
+    let es: EnvVarService;
+
+    let member: User;
+    let stranger: User;
+    let org: Organization;
+
+    beforeEach(async () => {
+        container = createTestContainer();
+        Experiments.configureTestingClient({
+            centralizedPermissions: true,
+        });
+
+        const orgService = container.get<OrganizationService>(OrganizationService);
+        org = await orgService.createOrganization(BUILTIN_INSTLLATION_ADMIN_USER_ID, "myOrg");
+        const invite = await orgService.getOrCreateInvite(BUILTIN_INSTLLATION_ADMIN_USER_ID, org.id);
+
+        const userService = container.get<UserService>(UserService);
+        member = await userService.createUser({
+            organizationId: org.id,
+            identity: {
+                authId: "foo",
+                authName: "bar",
+                authProviderId: "github",
+                primaryEmail: "[email protected]",
+            },
+        });
+        await orgService.joinOrganization(member.id, invite.id);
+        stranger = await userService.createUser({
+            identity: {
+                authId: "foo2",
+                authName: "bar2",
+                authProviderId: "github",
+            },
+        });
+
+        es = container.get(EnvVarService);
+    });
+
+    afterEach(async () => {
+        // Clean-up database
+        await resetDB(container.get(TypeORM));
+    });
+
+    it("should add env variable", async () => {
+        const resp1 = await es.getAllEnvVars(member.id, member.id);
+        expect(resp1.length).to.equal(0);
+
+        await es.setEnvVar(member.id, member.id, { name: "var1", value: "foo", repositoryPattern: "*/*" });
+
+        const resp2 = await es.getAllEnvVars(member.id, member.id);
+        expect(resp2.length).to.equal(1);
+
+        await expectError(ErrorCodes.NOT_FOUND, es.getAllEnvVars(stranger.id, member.id));
+        await expectError(
+            ErrorCodes.NOT_FOUND,
+            es.setEnvVar(stranger.id, member.id, { name: "var2", value: "bar", repositoryPattern: "*/*" }),
+        );
+    });
+
+    it("should list all env vars", async () => {
+        await es.setEnvVar(member.id, member.id, { name: "var1", value: "foo", repositoryPattern: "*/*" });
+        await es.setEnvVar(member.id, member.id, { name: "var2", value: "bar", repositoryPattern: "*/*" });
+
+        const envVars = await es.getAllEnvVars(member.id, member.id);
+        expect(envVars.length).to.equal(2);
+        expect(envVars.some((e) => e.name === "var1" && e.value === "foo")).to.be.true;
+        expect(envVars.some((e) => e.name === "var2" && e.value === "bar")).to.be.true;
+
+        await expectError(ErrorCodes.NOT_FOUND, es.getAllEnvVars(stranger.id, member.id));
+    });
+
+    it("should delete env vars", async () => {
+        await es.setEnvVar(member.id, member.id, { name: "var1", value: "foo", repositoryPattern: "*/*" });
+        await es.setEnvVar(member.id, member.id, { name: "var2", value: "bar", repositoryPattern: "*/*" });
+
+        const envVars = await es.getAllEnvVars(member.id, member.id);
+        expect(envVars.length).to.equal(2);
+
+        await es.deleteEnvVar(member.id, member.id, envVars[0]);
+
+        const envVars2 = await es.getAllEnvVars(member.id, member.id);
+        expect(envVars2.length).to.equal(1);
+
+        await expectError(ErrorCodes.NOT_FOUND, es.deleteEnvVar(stranger.id, member.id, envVars2[0]));
+    });
+});

components/server/src/user/env-var-service.ts

@@ -0,0 +1,107 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { UserDB } from "@gitpod/gitpod-db/lib";
+import { UserEnvVar, UserEnvVarValue } from "@gitpod/gitpod-protocol";
+import { inject, injectable } from "inversify";
+import { Authorizer } from "../authorization/authorizer";
+import { IAnalyticsWriter } from "@gitpod/gitpod-protocol/lib/analytics";
+import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
+import { v4 as uuidv4 } from "uuid";
+import { Config } from "../config";
+
+@injectable()
+export class EnvVarService {
+    constructor(
+        @inject(Config) private readonly config: Config,
+        @inject(UserDB) private readonly userDB: UserDB,
+        @inject(Authorizer) private readonly auth: Authorizer,
+        @inject(IAnalyticsWriter) private readonly analytics: IAnalyticsWriter,
+    ) {}
+
+    async getAllEnvVars(requestorId: string, userId: string): Promise<UserEnvVarValue[]> {
+        await this.auth.checkPermissionOnUser(requestorId, "read_info", userId);
+        const result: UserEnvVarValue[] = [];
+        for (const value of await this.userDB.getEnvVars(userId)) {
+            result.push({
+                id: value.id,
+                name: value.name,
+                value: value.value,
+                repositoryPattern: value.repositoryPattern,
+            });
+        }
+        return result;
+    }
+
+    async setEnvVar(requestorId: string, userId: string, variable: UserEnvVarValue): Promise<void> {
+        await this.auth.checkPermissionOnUser(requestorId, "write_info", userId);
+        const validationError = UserEnvVar.validate(variable);
+        if (validationError) {
+            throw new ApplicationError(ErrorCodes.BAD_REQUEST, validationError);
+        }
+
+        variable.repositoryPattern = UserEnvVar.normalizeRepoPattern(variable.repositoryPattern);
+        const existingVars = (await this.userDB.getEnvVars(userId)).filter((v) => !v.deleted);
+
+        const existingVar = existingVars.find(
+            (v) => v.name == variable.name && v.repositoryPattern == variable.repositoryPattern,
+        );
+        if (!!existingVar) {
+            // overwrite existing variable rather than introduce a duplicate
+            variable.id = existingVar.id;
+        }
+
+        if (!variable.id) {
+            // this is a new variable - make sure the user does not have too many (don't DOS our database using gp env)
+            const varCount = existingVars.length;
+            if (varCount > this.config.maxEnvvarPerUserCount) {
+                throw new ApplicationError(
+                    ErrorCodes.PERMISSION_DENIED,
+                    `cannot have more than ${this.config.maxEnvvarPerUserCount} environment variables`,
+                );
+            }
+        }
+
+        const envvar: UserEnvVar = {
+            id: variable.id || uuidv4(),
+            name: variable.name,
+            repositoryPattern: variable.repositoryPattern,
+            value: variable.value,
+            userId,
+        };
+        this.analytics.track({ event: "envvar-set", userId });
+
+        await this.userDB.setEnvVar(envvar);
+    }
+
+    async deleteEnvVar(requestorId: string, userId: string, variable: UserEnvVarValue): Promise<void> {
+        await this.auth.checkPermissionOnUser(requestorId, "write_info", userId);
+        if (!variable.id && variable.name && variable.repositoryPattern) {
+            variable.repositoryPattern = UserEnvVar.normalizeRepoPattern(variable.repositoryPattern);
+            const existingVars = (await this.userDB.getEnvVars(userId)).filter((v) => !v.deleted);
+            const existingVar = existingVars.find(
+                (v) => v.name == variable.name && v.repositoryPattern == variable.repositoryPattern,
+            );
+            variable.id = existingVar?.id;
+        }
+
+        if (!variable.id) {
+            throw new ApplicationError(
+                ErrorCodes.NOT_FOUND,
+                `cannot delete '${variable.name}' in scope '${variable.repositoryPattern}'`,
+            );
+        }
+
+        const envvar: UserEnvVar = {
+            ...variable,
+            id: variable.id!,
+            userId,
+        };
+        this.analytics.track({ event: "envvar-deleted", userId });
+
+        await this.userDB.deleteEnvVar(envvar);
+    }
+}

components/server/src/workspace/gitpod-server-impl.ts

@@ -36,7 +36,6 @@ import {
     StartWorkspaceResult,
     Token,
     User,
-    UserEnvVar,
     UserEnvVarValue,
     UserInfo,
     WhitelistedRepository,
@@ -192,6 +191,7 @@ import { UsageService } from "../orgs/usage-service";
 import { UserService } from "../user/user-service";
 import { SSHKeyService } from "../user/sshkey-service";
 import { StartWorkspaceOptions, WorkspaceService } from "./workspace-service";
+import { EnvVarService } from "../user/env-var-service";
 
 // shortcut
 export const traceWI = (ctx: TraceContext, wi: Omit<LogContext, "userId">) => TraceContext.setOWI(ctx, wi); // userId is already taken care of in WebsocketConnectionManager
@@ -234,6 +234,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         @inject(IAnalyticsWriter) private readonly analytics: IAnalyticsWriter,
         @inject(AuthorizationService) private readonly authorizationService: AuthorizationService,
         @inject(SSHKeyService) private readonly sshKeyservice: SSHKeyService,
+        @inject(EnvVarService) private readonly envVarService: EnvVarService,
 
         @inject(TeamDB) private readonly teamDB: TeamDB,
         @inject(OrganizationService) private readonly organizationService: OrganizationService,
@@ -2278,104 +2279,23 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     // Get all environment variables (unfiltered)
     async getAllEnvVars(ctx: TraceContext): Promise<UserEnvVarValue[]> {
         const user = await this.checkUser("getAllEnvVars");
-        const result: UserEnvVarValue[] = [];
-        for (const value of await this.userDB.getEnvVars(user.id)) {
-            if (!(await this.resourceAccessGuard.canAccess({ kind: "envVar", subject: value }, "get"))) {
-                continue;
-            }
-            result.push({
-                id: value.id,
-                name: value.name,
-                value: value.value,
-                repositoryPattern: value.repositoryPattern,
-            });
-        }
-        return result;
+        return this.envVarService.getAllEnvVars(user.id, user.id);
     }
 
     async setEnvVar(ctx: TraceContext, variable: UserEnvVarValue): Promise<void> {
         traceAPIParams(ctx, { variable: censor(variable, "value") }); // filter content because of PII
 
         // Note: this operation is per-user only, hence needs no resource guard
         const user = await this.checkAndBlockUser("setEnvVar");
-        const userId = user.id;
-
-        // validate input
-        const validationError = UserEnvVar.validate(variable);
-        if (validationError) {
-            throw new ApplicationError(ErrorCodes.BAD_REQUEST, validationError);
-        }
-
-        variable.repositoryPattern = UserEnvVar.normalizeRepoPattern(variable.repositoryPattern);
-        const existingVars = (await this.userDB.getEnvVars(user.id)).filter((v) => !v.deleted);
-
-        const existingVar = existingVars.find(
-            (v) => v.name == variable.name && v.repositoryPattern == variable.repositoryPattern,
-        );
-        if (!!existingVar) {
-            // overwrite existing variable rather than introduce a duplicate
-            variable.id = existingVar.id;
-        }
-
-        if (!variable.id) {
-            // this is a new variable - make sure the user does not have too many (don't DOS our database using gp env)
-            const varCount = existingVars.length;
-            if (varCount > this.config.maxEnvvarPerUserCount) {
-                throw new ApplicationError(
-                    ErrorCodes.PERMISSION_DENIED,
-                    `cannot have more than ${this.config.maxEnvvarPerUserCount} environment variables`,
-                );
-            }
-        }
-
-        const envvar: UserEnvVar = {
-            id: variable.id || uuidv4(),
-            name: variable.name,
-            repositoryPattern: variable.repositoryPattern,
-            value: variable.value,
-            userId,
-        };
-        await this.guardAccess(
-            { kind: "envVar", subject: envvar },
-            typeof variable.id === "string" ? "update" : "create",
-        );
-        this.analytics.track({ event: "envvar-set", userId });
-
-        await this.userDB.setEnvVar(envvar);
+        return this.envVarService.setEnvVar(user.id, user.id, variable);
     }
 
     async deleteEnvVar(ctx: TraceContext, variable: UserEnvVarValue): Promise<void> {
         traceAPIParams(ctx, { variable: censor(variable, "value") });
 
         // Note: this operation is per-user only, hence needs no resource guard
         const user = await this.checkAndBlockUser("deleteEnvVar");
-        const userId = user.id;
-
-        if (!variable.id && variable.name && variable.repositoryPattern) {
-            variable.repositoryPattern = UserEnvVar.normalizeRepoPattern(variable.repositoryPattern);
-            const existingVars = (await this.userDB.getEnvVars(user.id)).filter((v) => !v.deleted);
-            const existingVar = existingVars.find(
-                (v) => v.name == variable.name && v.repositoryPattern == variable.repositoryPattern,
-            );
-            variable.id = existingVar?.id;
-        }
-
-        if (!variable.id) {
-            throw new ApplicationError(
-                ErrorCodes.NOT_FOUND,
-                `cannot delete '${variable.name}' in scope '${variable.repositoryPattern}'`,
-            );
-        }
-
-        const envvar: UserEnvVar = {
-            ...variable,
-            id: variable.id!,
-            userId,
-        };
-        await this.guardAccess({ kind: "envVar", subject: envvar }, "delete");
-        this.analytics.track({ event: "envvar-deleted", userId });
-
-        await this.userDB.deleteEnvVar(envvar);
+        return this.envVarService.deleteEnvVar(user.id, user.id, variable);
     }
 
     async hasSSHPublicKey(ctx: TraceContext): Promise<boolean> {