[server] Move some admin rpcs to non EE

easyCZ · easyCZ · commit 3eb4df75a8a8 · 2023-04-24T13:28:57.000Z
diff --git a/components/server/ee/src/workspace/gitpod-server-impl.ts b/components/server/ee/src/workspace/gitpod-server-impl.ts
@@ -12,16 +12,9 @@ import {
     AdminGetListRequest,
     User,
     Team,
-    TeamMemberInfo,
     AdminGetListResult,
     Permission,
     AdminBlockUserRequest,
-    AdminModifyRoleOrPermissionRequest,
-    RoleOrPermission,
-    AdminModifyPermanentWorkspaceFeatureFlagRequest,
-    UserFeatureSettings,
-    AdminGetWorkspacesRequest,
-    WorkspaceAndInstance,
     GetWorkspaceTimeoutResult,
     WorkspaceTimeoutDuration,
     SetWorkspaceTimeoutResult,
@@ -38,7 +31,6 @@ import {
     StartPrebuildResult,
     ClientHeaderFields,
     FindPrebuildsParams,
-    TeamMemberRole,
     WORKSPACE_TIMEOUT_DEFAULT_SHORT,
     PrebuildEvent,
     OpenPrebuildContext,
@@ -56,7 +48,6 @@ import { log, LogContext } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { LicenseValidationResult } from "@gitpod/gitpod-protocol/lib/license-protocol";
 import { PrebuildManager } from "../prebuilds/prebuild-manager";
 import { GuardedCostCenter, ResourceAccessGuard, ResourceAccessOp } from "../../../src/auth/resource-access";
-import { BlockedRepository } from "@gitpod/gitpod-protocol/lib/blocked-repositories-protocol";
 import { CostCenterJSON, ListUsageRequest, ListUsageResponse } from "@gitpod/gitpod-protocol/lib/usage";
 import {
     CostCenter,
diff --git a/components/server/src/workspace/gitpod-server-impl.ts b/components/server/src/workspace/gitpod-server-impl.ts
@@ -76,6 +76,7 @@ import {
     SSHPublicKeyValue,
     UserSSHPublicKeyValue,
     PrebuildEvent,
+    RoleOrPermission,
 } from "@gitpod/gitpod-protocol";
 import { BlockedRepository } from "@gitpod/gitpod-protocol/lib/blocked-repositories-protocol";
 import {
@@ -154,6 +155,7 @@ import {
     EnvVarWithValue,
     LinkedInProfile,
     ProjectEnvVar,
+    UserFeatureSettings,
     WorkspaceTimeoutSetting,
 } from "@gitpod/gitpod-protocol/lib/protocol";
 import { InstallationAdminSettings, TelemetryData } from "@gitpod/gitpod-protocol";
@@ -2891,19 +2893,46 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
     }
 
-    adminGetBlockedRepositories(
+    async adminGetBlockedRepositories(
         ctx: TraceContext,
         req: AdminGetListRequest<BlockedRepository>,
     ): Promise<AdminGetListResult<BlockedRepository>> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+        traceAPIParams(ctx, { req: censor(req, "searchTerm") }); // searchTerm may contain PII
+
+        await this.guardAdminAccess("adminGetBlockedRepositories", { req }, Permission.ADMIN_USERS);
+
+        try {
+            const res = await this.blockedRepostoryDB.findAllBlockedRepositories(
+                req.offset,
+                req.limit,
+                req.orderBy,
+                req.orderDir === "asc" ? "ASC" : "DESC",
+                req.searchTerm,
+            );
+            return res;
+        } catch (e) {
+            throw new ResponseError(ErrorCodes.INTERNAL_SERVER_ERROR, e.toString());
+        }
     }
 
-    adminCreateBlockedRepository(ctx: TraceContext, urlRegexp: string, blockUser: boolean): Promise<BlockedRepository> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+    async adminCreateBlockedRepository(
+        ctx: TraceContext,
+        urlRegexp: string,
+        blockUser: boolean,
+    ): Promise<BlockedRepository> {
+        traceAPIParams(ctx, { urlRegexp, blockUser });
+
+        await this.guardAdminAccess("adminCreateBlockedRepository", { urlRegexp, blockUser }, Permission.ADMIN_USERS);
+
+        return await this.blockedRepostoryDB.createBlockedRepository(urlRegexp, blockUser);
     }
 
-    adminDeleteBlockedRepository(ctx: TraceContext, id: number): Promise<void> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+    async adminDeleteBlockedRepository(ctx: TraceContext, id: number): Promise<void> {
+        traceAPIParams(ctx, { id });
+
+        await this.guardAdminAccess("adminDeleteBlockedRepository", { id }, Permission.ADMIN_USERS);
+
+        await this.blockedRepostoryDB.deleteBlockedRepository(id);
     }
 
     async adminGetUser(ctx: TraceContext, id: string): Promise<User> {
@@ -2914,34 +2943,120 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
     }
 
-    async adminDeleteUser(ctx: TraceContext, _id: string): Promise<void> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+    async adminDeleteUser(ctx: TraceContext, userId: string): Promise<void> {
+        traceAPIParams(ctx, { userId });
+
+        await this.guardAdminAccess("adminDeleteUser", { id: userId }, Permission.ADMIN_USERS);
+
+        try {
+            await this.userDeletionService.deleteUser(userId);
+        } catch (e) {
+            throw new ResponseError(ErrorCodes.INTERNAL_SERVER_ERROR, e.toString());
+        }
     }
 
-    async adminVerifyUser(ctx: TraceContext, _id: string): Promise<User> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+    async adminVerifyUser(ctx: TraceContext, userId: string): Promise<User> {
+        await this.guardAdminAccess("adminVerifyUser", { id: userId }, Permission.ADMIN_USERS);
+        try {
+            const user = await this.userDB.findUserById(userId);
+            if (!user) {
+                throw new ResponseError(ErrorCodes.NOT_FOUND, `No user with id ${userId} found.`);
+            }
+            this.verificationService.markVerified(user);
+            await this.userDB.updateUserPartial(user);
+            return user;
+        } catch (e) {
+            throw new ResponseError(ErrorCodes.INTERNAL_SERVER_ERROR, e.toString());
+        }
     }
 
     async adminModifyRoleOrPermission(ctx: TraceContext, req: AdminModifyRoleOrPermissionRequest): Promise<User> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+        traceAPIParams(ctx, { req });
+
+        await this.guardAdminAccess("adminModifyRoleOrPermission", { req }, Permission.ADMIN_USERS);
+
+        const target = await this.userDB.findUserById(req.id);
+        if (!target) {
+            throw new ResponseError(ErrorCodes.NOT_FOUND, "not found");
+        }
+
+        const rolesOrPermissions = new Set((target.rolesOrPermissions || []) as string[]);
+        req.rpp.forEach((e) => {
+            if (e.add) {
+                rolesOrPermissions.add(e.r as string);
+            } else {
+                rolesOrPermissions.delete(e.r as string);
+            }
+        });
+        target.rolesOrPermissions = Array.from(rolesOrPermissions.values()) as RoleOrPermission[];
+
+        await this.userDB.storeUser(target);
+        // For some reason, neither returning the result of `this.userDB.storeUser(target)` nor returning `target` work.
+        // The response never arrives the caller.
+        // Returning the following works at the cost of an additional DB query:
+        return this.censorUser((await this.userDB.findUserById(req.id))!);
     }
 
     async adminModifyPermanentWorkspaceFeatureFlag(
         ctx: TraceContext,
         req: AdminModifyPermanentWorkspaceFeatureFlagRequest,
     ): Promise<User> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+        traceAPIParams(ctx, { req });
+
+        await this.guardAdminAccess("adminModifyPermanentWorkspaceFeatureFlag", { req }, Permission.ADMIN_USERS);
+        const target = await this.userDB.findUserById(req.id);
+        if (!target) {
+            throw new ResponseError(ErrorCodes.NOT_FOUND, "not found");
+        }
+
+        const featureSettings: UserFeatureSettings = target.featureFlags || {};
+        const featureFlags = new Set(featureSettings.permanentWSFeatureFlags || []);
+
+        req.changes.forEach((e) => {
+            if (e.add) {
+                featureFlags.add(e.featureFlag);
+            } else {
+                featureFlags.delete(e.featureFlag);
+            }
+        });
+        featureSettings.permanentWSFeatureFlags = Array.from(featureFlags);
+        target.featureFlags = featureSettings;
+
+        await this.userDB.storeUser(target);
+        // For some reason, returning the result of `this.userDB.storeUser(target)` does not work. The response never arrives the caller.
+        // Returning `target` instead (which should be equivalent).
+        return this.censorUser(target);
     }
 
     async adminGetWorkspaces(
         ctx: TraceContext,
         req: AdminGetWorkspacesRequest,
     ): Promise<AdminGetListResult<WorkspaceAndInstance>> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+        traceAPIParams(ctx, { req });
+
+        await this.guardAdminAccess("adminGetWorkspaces", { req }, Permission.ADMIN_WORKSPACES);
+
+        return await this.workspaceDb
+            .trace(ctx)
+            .findAllWorkspaceAndInstances(
+                req.offset,
+                req.limit,
+                req.orderBy,
+                req.orderDir === "asc" ? "ASC" : "DESC",
+                req,
+            );
     }
 
-    async adminGetWorkspace(ctx: TraceContext, id: string): Promise<WorkspaceAndInstance> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+    async adminGetWorkspace(ctx: TraceContext, workspaceId: string): Promise<WorkspaceAndInstance> {
+        traceAPIParams(ctx, { workspaceId });
+
+        await this.guardAdminAccess("adminGetWorkspace", { id: workspaceId }, Permission.ADMIN_WORKSPACES);
+
+        const result = await this.workspaceDb.trace(ctx).findWorkspaceAndInstance(workspaceId);
+        if (!result) {
+            throw new ResponseError(ErrorCodes.NOT_FOUND, "not found");
+        }
+        return result;
     }
 
     async adminGetWorkspaceInstances(ctx: TraceContext, workspaceId: string): Promise<WorkspaceInstance[]> {
@@ -2952,27 +3067,74 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
     }
 
-    async adminRestoreSoftDeletedWorkspace(ctx: TraceContext, id: string): Promise<void> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+    async adminRestoreSoftDeletedWorkspace(ctx: TraceContext, workspaceId: string): Promise<void> {
+        traceAPIParams(ctx, { workspaceId });
+
+        await this.guardAdminAccess(
+            "adminRestoreSoftDeletedWorkspace",
+            { id: workspaceId },
+            Permission.ADMIN_WORKSPACES,
+        );
+
+        await this.workspaceDb.trace(ctx).transaction(async (db) => {
+            const ws = await db.findById(workspaceId);
+            if (!ws) {
+                throw new ResponseError(ErrorCodes.NOT_FOUND, `No workspace with id '${workspaceId}' found.`);
+            }
+            if (!ws.softDeleted) {
+                return;
+            }
+            if (!!ws.contentDeletedTime) {
+                throw new ResponseError(ErrorCodes.NOT_FOUND, "The workspace content was already garbage-collected.");
+            }
+            // @ts-ignore
+            ws.softDeleted = null;
+            ws.softDeletedTime = "";
+            ws.pinned = true;
+            await db.store(ws);
+        });
     }
 
     async adminGetProjectsBySearchTerm(
         ctx: TraceContext,
         req: AdminGetListRequest<Project>,
     ): Promise<AdminGetListResult<Project>> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+        await this.guardAdminAccess("adminGetProjectsBySearchTerm", { req }, Permission.ADMIN_PROJECTS);
+        return await this.projectDB.findProjectsBySearchTerm(
+            req.offset,
+            req.limit,
+            req.orderBy,
+            req.orderDir === "asc" ? "ASC" : "DESC",
+            req.searchTerm as string,
+        );
     }
 
     async adminGetProjectById(ctx: TraceContext, id: string): Promise<Project | undefined> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+        await this.guardAdminAccess("adminGetProjectById", { id }, Permission.ADMIN_PROJECTS);
+        return await this.projectDB.findProjectById(id);
     }
 
     async adminGetTeams(ctx: TraceContext, req: AdminGetListRequest<Team>): Promise<AdminGetListResult<Team>> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+        await this.guardAdminAccess("adminGetTeams", { req }, Permission.ADMIN_WORKSPACES);
+
+        return await this.teamDB.findTeams(
+            req.offset,
+            req.limit,
+            req.orderBy,
+            req.orderDir === "asc" ? "ASC" : "DESC",
+            req.searchTerm as string,
+        );
     }
 
     async adminGetTeamMembers(ctx: TraceContext, teamId: string): Promise<TeamMemberInfo[]> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+        await this.guardAdminAccess("adminGetTeamMembers", { teamId }, Permission.ADMIN_WORKSPACES);
+
+        const team = await this.teamDB.findTeamById(teamId);
+        if (!team) {
+            throw new ResponseError(ErrorCodes.NOT_FOUND, "Team not found");
+        }
+        const members = await this.teamDB.findMembersByTeam(team.id);
+        return members;
     }
 
     async adminSetTeamMemberRole(
@@ -2981,11 +3143,13 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         userId: string,
         role: TeamMemberRole,
     ): Promise<void> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+        await this.guardAdminAccess("adminSetTeamMemberRole", { teamId, userId, role }, Permission.ADMIN_WORKSPACES);
+        return this.teamDB.setTeamMemberRole(userId, teamId, role);
     }
 
     async adminGetTeamById(ctx: TraceContext, id: string): Promise<Team | undefined> {
-        throw new ResponseError(ErrorCodes.EE_FEATURE, `Admin support is implemented in Gitpod's Enterprise Edition`);
+        await this.guardAdminAccess("adminGetTeamById", { id }, Permission.ADMIN_WORKSPACES);
+        return await this.teamDB.findTeamById(id);
     }
 
     async adminFindPrebuilds(ctx: TraceContext, params: FindPrebuildsParams): Promise<PrebuildWithStatus[]> {
