[fga] Introduce GitpodTokenService

jeanp413 · jeanp413 · commit 64a360440095 · 2023-08-12T18:06:08.000Z
diff --git a/components/server/src/authorization/definitions.ts b/components/server/src/authorization/definitions.ts
@@ -32,7 +32,14 @@ export type UserResourceType = "user";
 
 export type UserRelation = "self" | "organization" | "installation";
 
-export type UserPermission = "read_info" | "write_info" | "make_admin" | "read_ssh" | "write_ssh";
+export type UserPermission =
+    | "read_info"
+    | "write_info"
+    | "make_admin"
+    | "read_ssh"
+    | "write_ssh"
+    | "read_tokens"
+    | "write_tokens";
 
 export type InstallationResourceType = "installation";
 
diff --git a/components/server/src/container-module.ts b/components/server/src/container-module.ts
@@ -130,6 +130,7 @@ import { UserService } from "./user/user-service";
 import { RelationshipUpdater } from "./authorization/relationship-updater";
 import { WorkspaceService } from "./workspace/workspace-service";
 import { SSHKeyService } from "./user/sshkey-service";
+import { GitpodTokenService } from "./user/gitpod-token-service";
 
 export const productionContainerModule = new ContainerModule(
     (bind, unbind, isBound, rebind, unbindAsync, onActivation, onDeactivation) => {
@@ -145,6 +146,7 @@ export const productionContainerModule = new ContainerModule(
         bind(AuthorizationService).to(AuthorizationServiceImpl).inSingletonScope();
 
         bind(SSHKeyService).toSelf().inSingletonScope();
+        bind(GitpodTokenService).toSelf().inSingletonScope();
 
         bind(TokenService).toSelf().inSingletonScope();
         bind(TokenProvider).toService(TokenService);
diff --git a/components/server/src/user/gitpod-token-service.spec.db.ts b/components/server/src/user/gitpod-token-service.spec.db.ts
@@ -0,0 +1,134 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { BUILTIN_INSTLLATION_ADMIN_USER_ID, TypeORM } from "@gitpod/gitpod-db/lib";
+import { GitpodTokenType, Organization, User } from "@gitpod/gitpod-protocol";
+import { Experiments } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
+import * as chai from "chai";
+import { Container } from "inversify";
+import "mocha";
+import { createTestContainer } from "../test/service-testing-container-module";
+import { resetDB } from "@gitpod/gitpod-db/lib/test/reset-db";
+import { OrganizationService } from "../orgs/organization-service";
+import { UserService } from "./user-service";
+import { expectError } from "../test/expect-utils";
+import { ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
+import { GitpodTokenService } from "./gitpod-token-service";
+
+const expect = chai.expect;
+
+describe("GitpodTokenService", async () => {
+    let container: Container;
+    let gs: GitpodTokenService;
+
+    let member: User;
+    let stranger: User;
+    let org: Organization;
+
+    beforeEach(async () => {
+        container = createTestContainer();
+        Experiments.configureTestingClient({
+            centralizedPermissions: true,
+        });
+
+        const orgService = container.get<OrganizationService>(OrganizationService);
+        org = await orgService.createOrganization(BUILTIN_INSTLLATION_ADMIN_USER_ID, "myOrg");
+        const invite = await orgService.getOrCreateInvite(BUILTIN_INSTLLATION_ADMIN_USER_ID, org.id);
+
+        const userService = container.get<UserService>(UserService);
+        member = await userService.createUser({
+            organizationId: org.id,
+            identity: {
+                authId: "foo",
+                authName: "bar",
+                authProviderId: "github",
+                primaryEmail: "yolo@yolo.com",
+            },
+        });
+        await orgService.joinOrganization(member.id, invite.id);
+        stranger = await userService.createUser({
+            identity: {
+                authId: "foo2",
+                authName: "bar2",
+                authProviderId: "github",
+            },
+        });
+
+        gs = container.get(GitpodTokenService);
+    });
+
+    afterEach(async () => {
+        // Clean-up database
+        await resetDB(container.get(TypeORM));
+    });
+
+    it("should generate a new gitpod token", async () => {
+        const resp1 = await gs.getGitpodTokens(member.id, member.id);
+        expect(resp1.length).to.equal(0);
+
+        await gs.generateNewGitpodToken(member.id, member.id, { name: "token1", type: GitpodTokenType.API_AUTH_TOKEN });
+
+        const resp2 = await gs.getGitpodTokens(member.id, member.id);
+        expect(resp2.length).to.equal(1);
+
+        await expectError(ErrorCodes.NOT_FOUND, gs.getGitpodTokens(stranger.id, member.id));
+        await expectError(
+            ErrorCodes.NOT_FOUND,
+            gs.generateNewGitpodToken(stranger.id, member.id, { name: "token2", type: GitpodTokenType.API_AUTH_TOKEN }),
+        );
+    });
+
+    it("should list gitpod tokens", async () => {
+        await gs.generateNewGitpodToken(member.id, member.id, { name: "token1", type: GitpodTokenType.API_AUTH_TOKEN });
+        await gs.generateNewGitpodToken(member.id, member.id, { name: "token2", type: GitpodTokenType.API_AUTH_TOKEN });
+
+        const tokens = await gs.getGitpodTokens(member.id, member.id);
+        expect(tokens.length).to.equal(2);
+        expect(tokens.some((t) => t.name === "token1")).to.be.true;
+        expect(tokens.some((t) => t.name === "token2")).to.be.true;
+
+        await expectError(ErrorCodes.NOT_FOUND, gs.getGitpodTokens(stranger.id, member.id));
+    });
+
+    it("should return gitpod token scopes", async () => {
+        await gs.generateNewGitpodToken(member.id, member.id, {
+            name: "token1",
+            type: GitpodTokenType.API_AUTH_TOKEN,
+            scopes: ["user:email", "read:user"],
+        });
+
+        const tokens = await gs.getGitpodTokens(member.id, member.id);
+        expect(tokens.length).to.equal(1);
+
+        const scopes = await gs.getGitpodTokenScopes(member.id, member.id, tokens[0].tokenHash);
+        expect(scopes.length).to.equal(2);
+        expect(scopes.some((s) => s === "user:email")).to.be.true;
+        expect(scopes.some((s) => s === "read:user")).to.be.true;
+
+        await expectError(ErrorCodes.NOT_FOUND, gs.getGitpodTokenScopes(stranger.id, member.id, tokens[0].tokenHash));
+    });
+
+    it("should delete gitpod tokens", async () => {
+        await gs.generateNewGitpodToken(member.id, member.id, {
+            name: "token1",
+            type: GitpodTokenType.API_AUTH_TOKEN,
+        });
+        await gs.generateNewGitpodToken(member.id, member.id, {
+            name: "token2",
+            type: GitpodTokenType.API_AUTH_TOKEN,
+        });
+
+        const tokens = await gs.getGitpodTokens(member.id, member.id);
+        expect(tokens.length).to.equal(2);
+
+        await gs.deleteGitpodToken(member.id, member.id, tokens[0].tokenHash);
+
+        const tokens2 = await gs.getGitpodTokens(member.id, member.id);
+        expect(tokens2.length).to.equal(1);
+
+        await expectError(ErrorCodes.NOT_FOUND, gs.deleteGitpodToken(stranger.id, member.id, tokens[1].tokenHash));
+    });
+});
diff --git a/components/server/src/user/gitpod-token-service.ts b/components/server/src/user/gitpod-token-service.ts
@@ -0,0 +1,71 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import * as crypto from "crypto";
+import { DBGitpodToken, UserDB } from "@gitpod/gitpod-db/lib";
+import { GitpodToken, GitpodTokenType } from "@gitpod/gitpod-protocol";
+import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
+import { inject, injectable } from "inversify";
+import { Authorizer } from "../authorization/authorizer";
+
+@injectable()
+export class GitpodTokenService {
+    constructor(
+        @inject(UserDB) private readonly userDB: UserDB,
+        @inject(Authorizer) private readonly auth: Authorizer,
+    ) {}
+
+    async getGitpodTokens(requestorId: string, userId: string): Promise<GitpodToken[]> {
+        await this.auth.checkPermissionOnUser(requestorId, "read_tokens", userId);
+        const res = (await this.userDB.findAllGitpodTokensOfUser(userId)).filter((v) => !v.deleted);
+        return res;
+    }
+
+    async generateNewGitpodToken(
+        requestorId: string,
+        userId: string,
+        options: { name?: string; type: GitpodTokenType; scopes?: string[] },
+    ): Promise<string> {
+        await this.auth.checkPermissionOnUser(requestorId, "write_tokens", userId);
+        const token = crypto.randomBytes(30).toString("hex");
+        const tokenHash = crypto.createHash("sha256").update(token, "utf8").digest("hex");
+        const dbToken: DBGitpodToken = {
+            tokenHash,
+            name: options.name,
+            type: options.type,
+            userId,
+            scopes: options.scopes || [],
+            created: new Date().toISOString(),
+        };
+        await this.userDB.storeGitpodToken(dbToken);
+        return token;
+    }
+
+    async getGitpodTokenScopes(requestorId: string, userId: string, tokenHash: string): Promise<string[]> {
+        await this.auth.checkPermissionOnUser(requestorId, "read_tokens", userId);
+        let token: GitpodToken | undefined;
+        try {
+            token = await this.userDB.findGitpodTokensOfUser(userId, tokenHash);
+        } catch (error) {
+            log.error({ userId }, "failed to resolve gitpod token: ", error);
+            return [];
+        }
+        if (!token || token.deleted) {
+            return [];
+        }
+        return token.scopes;
+    }
+
+    async deleteGitpodToken(requestorId: string, userId: string, tokenHash: string): Promise<void> {
+        await this.auth.checkPermissionOnUser(requestorId, "write_tokens", userId);
+        const existingTokens = await this.getGitpodTokens(requestorId, userId);
+        const tkn = existingTokens.find((token) => token.tokenHash === tokenHash);
+        if (!tkn) {
+            throw new Error(`User ${requestorId} tries to delete a token ${tokenHash} that does not exist.`);
+        }
+        await this.userDB.deleteGitpodToken(tokenHash);
+    }
+}
diff --git a/components/server/src/workspace/gitpod-server-impl.ts b/components/server/src/workspace/gitpod-server-impl.ts
@@ -10,7 +10,6 @@ import {
     WorkspaceDB,
     DBWithTracing,
     TracedWorkspaceDB,
-    DBGitpodToken,
     EmailDomainFilterDB,
     TeamDB,
     RedisPublisher,
@@ -112,7 +111,6 @@ import {
     StopWorkspacePolicy,
     TakeSnapshotRequest,
 } from "@gitpod/ws-manager/lib/core_pb";
-import * as crypto from "crypto";
 import { inject, injectable } from "inversify";
 import { URL } from "url";
 import { v4 as uuidv4, validate as uuidValidate } from "uuid";
@@ -194,6 +192,7 @@ import { UsageService } from "../orgs/usage-service";
 import { UserService } from "../user/user-service";
 import { WorkspaceService } from "./workspace-service";
 import { SSHKeyService } from "../user/sshkey-service";
+import { GitpodTokenService } from "../user/gitpod-token-service";
 
 // shortcut
 export const traceWI = (ctx: TraceContext, wi: Omit<LogContext, "userId">) => TraceContext.setOWI(ctx, wi); // userId is already taken care of in WebsocketConnectionManager
@@ -237,6 +236,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         @inject(IAnalyticsWriter) private readonly analytics: IAnalyticsWriter,
         @inject(AuthorizationService) private readonly authorizationService: AuthorizationService,
         @inject(SSHKeyService) private readonly sshKeyservice: SSHKeyService,
+        @inject(GitpodTokenService) private readonly gitpodTokenService: GitpodTokenService,
 
         @inject(TeamDB) private readonly teamDB: TeamDB,
         @inject(OrganizationService) private readonly organizationService: OrganizationService,
@@ -2958,9 +2958,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
     public async getGitpodTokens(ctx: TraceContext): Promise<GitpodToken[]> {
         const user = await this.checkAndBlockUser("getGitpodTokens");
-        const res = (await this.userDB.findAllGitpodTokensOfUser(user.id)).filter((v) => !v.deleted);
-        await Promise.all(res.map((tkn) => this.guardAccess({ kind: "gitpodToken", subject: tkn }, "get")));
-        return res;
+        return this.gitpodTokenService.getGitpodTokens(user.id, user.id);
     }
 
     public async generateNewGitpodToken(
@@ -2970,51 +2968,21 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         traceAPIParams(ctx, { options });
 
         const user = await this.checkAndBlockUser("generateNewGitpodToken");
-        const token = crypto.randomBytes(30).toString("hex");
-        const tokenHash = crypto.createHash("sha256").update(token, "utf8").digest("hex");
-        const dbToken: DBGitpodToken = {
-            tokenHash,
-            name: options.name,
-            type: options.type,
-            userId: user.id,
-            scopes: options.scopes || [],
-            created: new Date().toISOString(),
-        };
-        await this.guardAccess({ kind: "gitpodToken", subject: dbToken }, "create");
-
-        await this.userDB.storeGitpodToken(dbToken);
-        return token;
+        return this.gitpodTokenService.generateNewGitpodToken(user.id, user.id, options);
     }
 
     public async getGitpodTokenScopes(ctx: TraceContext, tokenHash: string): Promise<string[]> {
         traceAPIParams(ctx, {}); // do not trace tokenHash
 
         const user = await this.checkAndBlockUser("getGitpodTokenScopes");
-        let token: GitpodToken | undefined;
-        try {
-            token = await this.userDB.findGitpodTokensOfUser(user.id, tokenHash);
-        } catch (error) {
-            log.error({ userId: user.id }, "failed to resolve gitpod token: ", error);
-            return [];
-        }
-        if (!token || token.deleted) {
-            return [];
-        }
-        await this.guardAccess({ kind: "gitpodToken", subject: token }, "get");
-        return token.scopes;
+        return this.gitpodTokenService.getGitpodTokenScopes(user.id, user.id, tokenHash);
     }
 
     public async deleteGitpodToken(ctx: TraceContext, tokenHash: string): Promise<void> {
         traceAPIParams(ctx, {}); // do not trace tokenHash
 
         const user = await this.checkAndBlockUser("deleteGitpodToken");
-        const existingTokens = await this.getGitpodTokens(ctx); // all tokens for logged in user
-        const tkn = existingTokens.find((token) => token.tokenHash === tokenHash);
-        if (!tkn) {
-            throw new Error(`User ${user.id} tries to delete a token ${tokenHash} that does not exist.`);
-        }
-        await this.guardAccess({ kind: "gitpodToken", subject: tkn }, "delete");
-        return this.userDB.deleteGitpodToken(tokenHash);
+        return this.gitpodTokenService.deleteGitpodToken(user.id, user.id, tokenHash);
     }
 
     async guessGitTokenScopes(ctx: TraceContext, params: GuessGitTokenScopesParams): Promise<GuessedGitTokenScopes> {
diff --git a/components/spicedb/schema/schema.yaml b/components/spicedb/schema/schema.yaml
@@ -17,6 +17,9 @@ schema: |-
 
     permission read_ssh = self
     permission write_ssh = self
+
+    permission read_tokens = self
+    permission write_tokens = self
   }
 
   // There's only one global installation

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,9 @@ schema: \|-`
`17`	`17`
`18`	`18`	`permission read_ssh = self`
`19`	`19`	`permission write_ssh = self`
	`20`	`+`
	`21`	`+ permission read_tokens = self`
	`22`	`+ permission write_tokens = self`
`20`	`23`	`}`
`21`	`24`
`22`	`25`	`// There's only one global installation`