[db, protocol] Introduce DBOrgEnvVar

geropl · geropl · commit 665cacc87657 · 2025-01-21T13:19:31.000Z
diff --git a/components/gitpod-db/src/team-db.ts b/components/gitpod-db/src/team-db.ts
@@ -10,6 +10,8 @@ import {
     TeamMemberRole,
     TeamMembershipInvite,
     OrganizationSettings,
+    OrgEnvVar,
+    OrgEnvVarWithValue,
 } from "@gitpod/gitpod-protocol";
 import { DBTeamMembership } from "./typeorm/entity/db-team-membership";
 import { TransactionalDB } from "./typeorm/transactional-db-impl";
@@ -43,4 +45,12 @@ export interface TeamDB extends TransactionalDB<TeamDB> {
     setOrgSettings(teamId: string, settings: Partial<OrganizationSettings>): Promise<OrganizationSettings>;
 
     hasActiveSSO(organizationId: string): Promise<boolean>;
+
+    addOrgEnvironmentVariable(orgId: string, envVar: OrgEnvVarWithValue): Promise<OrgEnvVar>;
+    updateOrgEnvironmentVariable(orgId: string, envVar: Partial<OrgEnvVarWithValue>): Promise<OrgEnvVar | undefined>;
+    getOrgEnvironmentVariableById(id: string): Promise<OrgEnvVar | undefined>;
+    findOrgEnvironmentVariableByName(orgId: string, name: string): Promise<OrgEnvVar | undefined>;
+    getOrgEnvironmentVariables(orgId: string): Promise<OrgEnvVar[]>;
+    getOrgEnvironmentVariableValues(envVars: OrgEnvVar[]): Promise<OrgEnvVarWithValue[]>;
+    deleteOrgEnvironmentVariable(id: string): Promise<void>;
 }
diff --git a/components/gitpod-db/src/typeorm/entity/db-org-env-var.ts b/components/gitpod-db/src/typeorm/entity/db-org-env-var.ts
@@ -0,0 +1,42 @@
+/**
+ * Copyright (c) 2025 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { PrimaryColumn, Entity, Column } from "typeorm";
+import { TypeORM } from "../typeorm";
+import { OrgEnvVarWithValue } from "@gitpod/gitpod-protocol";
+import { Transformer } from "../transformer";
+import { getGlobalEncryptionService } from "@gitpod/gitpod-protocol/lib/encryption/encryption-service";
+
+@Entity()
+// on DB but not Typeorm: @Index("ind_lastModified", ["_lastModified"])   // DBSync
+export class DBOrgEnvVar implements OrgEnvVarWithValue {
+    @PrimaryColumn(TypeORM.UUID_COLUMN_TYPE)
+    id: string;
+
+    // `orgId` is part of the primary key for safety reasons: This way it's impossible that a user
+    // (maliciously or by accident) sends us an environment variable that has the same private key (`id`)
+    // as the environment variable from another project.
+    @PrimaryColumn(TypeORM.UUID_COLUMN_TYPE)
+    orgId: string;
+
+    @Column()
+    name: string;
+
+    @Column({
+        type: "simple-json",
+        transformer: Transformer.compose(
+            Transformer.SIMPLE_JSON([]),
+            Transformer.encrypted(getGlobalEncryptionService),
+        ),
+    })
+    value: string;
+
+    @Column({
+        type: "varchar",
+        length: 36,
+    })
+    creationTime: string;
+}
diff --git a/components/gitpod-db/src/typeorm/migration/1737449780009-OrgEnvVars.ts b/components/gitpod-db/src/typeorm/migration/1737449780009-OrgEnvVars.ts
@@ -0,0 +1,17 @@
+/**
+ * Copyright (c) 2025 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class OrgEnvVars1737449780009 implements MigrationInterface {
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(
+            "CREATE TABLE IF NOT EXISTS `d_b_org_env_var` (`id` char(36) NOT NULL, `orgId` char(36) NOT NULL, `name` varchar(255) NOT NULL, `value` text NOT NULL, `creationTime` varchar(36) NOT NULL, `_lastModified` timestamp(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6), PRIMARY KEY (`id`, `orgId`), KEY `ind_orgid` (orgId), KEY `ind_dbsync` (`_lastModified`)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;",
+        );
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {}
+}
diff --git a/components/gitpod-db/src/typeorm/project-db-impl.ts b/components/gitpod-db/src/typeorm/project-db-impl.ts
@@ -222,11 +222,11 @@ export class ProjectDBImpl extends TransactionalDBImpl<ProjectDB> implements Pro
         return envVars;
     }
 
-    public async getProjectEnvironmentVariableById(variableId: string): Promise<ProjectEnvVar | undefined> {
+    public async getProjectEnvironmentVariableById(id: string): Promise<ProjectEnvVar | undefined> {
         const envVarRepo = await this.getProjectEnvVarRepo();
-        const envVarWithValue = await envVarRepo.findOne({ id: variableId, deleted: false });
+        const envVarWithValue = await envVarRepo.findOne({ id, deleted: false });
         if (!envVarWithValue) {
-            return;
+            return undefined;
         }
         const envVar = toProjectEnvVar(envVarWithValue);
         return envVar;
diff --git a/components/gitpod-db/src/typeorm/team-db-impl.ts b/components/gitpod-db/src/typeorm/team-db-impl.ts
@@ -6,6 +6,8 @@
 
 import {
     OrganizationSettings,
+    OrgEnvVar,
+    OrgEnvVarWithValue,
     Team,
     TeamMemberInfo,
     TeamMemberRole,
@@ -25,21 +27,32 @@ import { DBOrgSettings } from "./entity/db-team-settings";
 import { DBUser } from "./entity/db-user";
 import { TransactionalDBImpl } from "./transactional-db-impl";
 import { TypeORM } from "./typeorm";
+import { EncryptionService } from "@gitpod/gitpod-protocol/lib/encryption/encryption-service";
+import { DBOrgEnvVar } from "./entity/db-org-env-var";
+import { filter } from "../utils";
 
 @injectable()
 export class TeamDBImpl extends TransactionalDBImpl<TeamDB> implements TeamDB {
-    constructor(@inject(TypeORM) typeorm: TypeORM, @optional() transactionalEM?: EntityManager) {
+    constructor(
+        @inject(TypeORM) typeorm: TypeORM,
+        @inject(EncryptionService) private readonly encryptionService: EncryptionService,
+        @optional() transactionalEM?: EntityManager,
+    ) {
         super(typeorm, transactionalEM);
     }
 
     protected createTransactionalDB(transactionalEM: EntityManager): TeamDB {
-        return new TeamDBImpl(this.typeorm, transactionalEM);
+        return new TeamDBImpl(this.typeorm, this.encryptionService, transactionalEM);
     }
 
     private async getTeamRepo(): Promise<Repository<DBTeam>> {
         return (await this.getEntityManager()).getRepository<DBTeam>(DBTeam);
     }
 
+    private async getOrgEnvVarRepo(): Promise<Repository<DBOrgEnvVar>> {
+        return (await this.getEntityManager()).getRepository<DBOrgEnvVar>(DBOrgEnvVar);
+    }
+
     private async getMembershipRepo(): Promise<Repository<DBTeamMembership>> {
         return (await this.getEntityManager()).getRepository<DBTeamMembership>(DBTeamMembership);
     }
@@ -408,4 +421,83 @@ export class TeamDBImpl extends TransactionalDBImpl<TeamDB> implements TeamDB {
         );
         return result.length === 1;
     }
+
+    public async addOrgEnvironmentVariable(orgId: string, envVar: OrgEnvVarWithValue): Promise<OrgEnvVar> {
+        const envVarRepo = await this.getOrgEnvVarRepo();
+        const insertedEnvVar = await envVarRepo.save({
+            id: uuidv4(),
+            orgId,
+            name: envVar.name,
+            value: envVar.value,
+            creationTime: new Date().toISOString(),
+        });
+        return toOrgEnvVar(insertedEnvVar);
+    }
+
+    public async updateOrgEnvironmentVariable(
+        orgId: string,
+        envVar: Partial<OrgEnvVarWithValue>,
+    ): Promise<OrgEnvVar | undefined> {
+        if (!envVar.id) {
+            throw new ApplicationError(ErrorCodes.NOT_FOUND, "An environment variable with this ID could not be found");
+        }
+
+        return await this.transaction(async (_, ctx) => {
+            const envVarRepo = ctx.entityManager.getRepository<DBOrgEnvVar>(DBOrgEnvVar);
+
+            await envVarRepo.update(
+                { id: envVar.id, orgId },
+                filter(envVar, (_, v) => v !== null && v !== undefined),
+            );
+
+            const found = await envVarRepo.findOne({ id: envVar.id, orgId });
+            if (!found) {
+                return;
+            }
+            return toOrgEnvVar(found);
+        });
+    }
+
+    public async getOrgEnvironmentVariableById(id: string): Promise<OrgEnvVar | undefined> {
+        const envVarRepo = await this.getOrgEnvVarRepo();
+        const envVarWithValue = await envVarRepo.findOne({ id });
+        if (!envVarWithValue) {
+            return undefined;
+        }
+        const envVar = toOrgEnvVar(envVarWithValue);
+        return envVar;
+    }
+
+    public async findOrgEnvironmentVariableByName(orgId: string, name: string): Promise<OrgEnvVar | undefined> {
+        const envVarRepo = await this.getOrgEnvVarRepo();
+        return envVarRepo.findOne({ orgId, name });
+    }
+
+    public async getOrgEnvironmentVariables(orgId: string): Promise<OrgEnvVar[]> {
+        const envVarRepo = await this.getOrgEnvVarRepo();
+        const envVarsWithValue = await envVarRepo.find({ orgId });
+        const envVars = envVarsWithValue.map(toOrgEnvVar);
+        return envVars;
+    }
+
+    public async getOrgEnvironmentVariableValues(envVars: OrgEnvVar[]): Promise<OrgEnvVarWithValue[]> {
+        const envVarRepo = await this.getOrgEnvVarRepo();
+        const envVarsWithValues = await envVarRepo.findByIds(envVars);
+        return envVarsWithValues;
+    }
+
+    public async deleteOrgEnvironmentVariable(id: string): Promise<void> {
+        const envVarRepo = await this.getOrgEnvVarRepo();
+        await envVarRepo.delete({ id });
+    }
+}
+
+/**
+ * @param envVarWithValue
+ * @returns DBOrgEnvVar shape turned into an OrgEnvVar by dropping the "value" property
+ */
+function toOrgEnvVar(envVarWithValue: DBOrgEnvVar): OrgEnvVar {
+    const envVar = { ...envVarWithValue };
+    delete (envVar as any)["value"];
+    return envVar;
 }
diff --git a/components/gitpod-protocol/src/protocol.ts b/components/gitpod-protocol/src/protocol.ts
@@ -233,7 +233,7 @@ export namespace NamedWorkspaceFeatureFlag {
     }
 }
 
-export type EnvVar = UserEnvVar | ProjectEnvVarWithValue | EnvVarWithValue;
+export type EnvVar = UserEnvVar | ProjectEnvVarWithValue | OrgEnvVarWithValue | EnvVarWithValue;
 
 export interface EnvVarWithValue {
     name: string;
@@ -242,6 +242,7 @@ export interface EnvVarWithValue {
 
 export interface ProjectEnvVarWithValue extends EnvVarWithValue {
     id?: string;
+    /** If a project-scoped env var is "censored", it is only visible in Prebuilds */
     censored: boolean;
 }
 
@@ -250,6 +251,15 @@ export interface ProjectEnvVar extends Omit<ProjectEnvVarWithValue, "value"> {
     projectId: string;
 }
 
+export interface OrgEnvVarWithValue extends EnvVarWithValue {
+    id?: string;
+}
+
+export interface OrgEnvVar extends Omit<OrgEnvVarWithValue, "value"> {
+    id: string;
+    orgId: string;
+}
+
 export interface UserEnvVarValue extends EnvVarWithValue {
     id?: string;
     repositoryPattern: string; // DEPRECATED: Use ProjectEnvVar instead of repositoryPattern - https://github.com/gitpod-com/gitpod/issues/5322

Original file line number	Diff line number	Diff line change
`@@ -222,11 +222,11 @@ export class ProjectDBImpl extends TransactionalDBImpl<ProjectDB> implements Pro`
`222`	`222`	`return envVars;`
`223`	`223`	`}`
`224`	`224`
`225`		`- public async getProjectEnvironmentVariableById(variableId: string): Promise<ProjectEnvVar \| undefined> {`
	`225`	`+ public async getProjectEnvironmentVariableById(id: string): Promise<ProjectEnvVar \| undefined> {`
`226`	`226`	`const envVarRepo = await this.getProjectEnvVarRepo();`
`227`		`- const envVarWithValue = await envVarRepo.findOne({ id: variableId, deleted: false });`
	`227`	`+ const envVarWithValue = await envVarRepo.findOne({ id, deleted: false });`
`228`	`228`	`if (!envVarWithValue) {`
`229`		`- return;`
	`229`	`+ return undefined;`
`230`	`230`	`}`
`231`	`231`	`const envVar = toProjectEnvVar(envVarWithValue);`
`232`	`232`	`return envVar;`