[fga] Support createWorkspace + getWorkspace

Author: geropl

components/server/src/authorization/authorizer.ts

@@ -16,6 +16,7 @@ import {
     Relation,
     ResourceType,
     UserPermission,
+    WorkspacePermission,
     rel,
 } from "./definitions";
 import { SpiceDBAuthorizer } from "./spicedb-authorizer";
@@ -101,11 +102,11 @@ export class Authorizer {
         );
     }
 
-    async hasPermissionOnUser(userId: string, permission: UserPermission, userResourceId: string): Promise<boolean> {
+    async hasPermissionOnUser(userId: string, permission: UserPermission, resourceUserId: string): Promise<boolean> {
         const req = v1.CheckPermissionRequest.create({
             subject: subject("user", userId),
             permission,
-            resource: object("user", userResourceId),
+            resource: object("user", resourceUserId),
             consistency,
         });
 
@@ -126,6 +127,35 @@ export class Authorizer {
         );
     }
 
+    async hasPermissionOnWorkspace(
+        userId: string,
+        permission: WorkspacePermission,
+        workspaceId: string,
+    ): Promise<boolean> {
+        const req = v1.CheckPermissionRequest.create({
+            subject: subject("user", userId),
+            permission,
+            resource: object("workspace", workspaceId),
+            consistency,
+        });
+
+        return this.authorizer.check(req, { userId });
+    }
+
+    async checkPermissionOnWorkspace(userId: string, permission: WorkspacePermission, workspaceId: string) {
+        if (await this.hasPermissionOnWorkspace(userId, permission, workspaceId)) {
+            return;
+        }
+        if ("read_info" === permission || !(await this.hasPermissionOnWorkspace(userId, "read_info", workspaceId))) {
+            throw new ApplicationError(ErrorCodes.NOT_FOUND, `Workspace ${workspaceId} not found.`);
+        }
+
+        throw new ApplicationError(
+            ErrorCodes.PERMISSION_DENIED,
+            `You do not have ${permission} on workspace ${workspaceId}`,
+        );
+    }
+
     // write operations below
 
     public async removeAllRelationships(type: ResourceType, id: string) {
@@ -158,7 +188,7 @@ export class Authorizer {
 
     async addUser(userId: string, owningOrgId?: string) {
         await this.authorizer.writeRelationships(
-            set(rel.user(userId).self.user(userId)), //
+            set(rel.user(userId).self.user(userId)),
             set(
                 owningOrgId
                     ? rel.user(userId).organization.organization(owningOrgId)
@@ -186,15 +216,11 @@ export class Authorizer {
     }
 
     async addProjectToOrg(orgID: string, projectID: string): Promise<void> {
-        await this.authorizer.writeRelationships(
-            set(rel.project(projectID).org.organization(orgID)), //
-        );
+        await this.authorizer.writeRelationships(set(rel.project(projectID).org.organization(orgID)));
     }
 
     async removeProjectFromOrg(orgID: string, projectID: string): Promise<void> {
-        await this.authorizer.writeRelationships(
-            remove(rel.project(projectID).org.organization(orgID)), //
-        );
+        await this.authorizer.writeRelationships(remove(rel.project(projectID).org.organization(orgID)));
     }
 
     async addOrganization(org: Organization, members: TeamMemberInfo[], projects: Project[]): Promise<void> {
@@ -206,35 +232,40 @@ export class Authorizer {
             await this.addProjectToOrg(org.id, project.id);
         }
 
-        await this.authorizer.writeRelationships(
-            set(rel.organization(org.id).installation.installation), //
-        );
+        await this.authorizer.writeRelationships(set(rel.organization(org.id).installation.installation));
     }
 
     async addInstallationMemberRole(userID: string) {
-        await this.authorizer.writeRelationships(
-            set(rel.installation.member.user(userID)), //
-        );
+        await this.authorizer.writeRelationships(set(rel.installation.member.user(userID)));
     }
 
     async removeInstallationMemberRole(userID: string) {
-        await this.authorizer.writeRelationships(
-            remove(rel.installation.member.user(userID)), //
-        );
+        await this.authorizer.writeRelationships(remove(rel.installation.member.user(userID)));
     }
 
     async addInstallationAdminRole(userID: string) {
-        await this.authorizer.writeRelationships(
-            set(rel.installation.admin.user(userID)), //
-        );
+        await this.authorizer.writeRelationships(set(rel.installation.admin.user(userID)));
     }
 
     async removeInstallationAdminRole(userID: string) {
+        await this.authorizer.writeRelationships(remove(rel.installation.admin.user(userID)));
+    }
+
+    async createWorkspaceInOrg(orgID: string, userID: string, workspaceID: string): Promise<void> {
         await this.authorizer.writeRelationships(
-            remove(rel.installation.admin.user(userID)), //
+            set(rel.workspace(workspaceID).org.organization(orgID)),
+            set(rel.workspace(workspaceID).owner.user(userID)),
         );
     }
 
+    async addWorkspaceToOrg(orgID: string, workspaceID: string): Promise<void> {
+        await this.authorizer.writeRelationships(set(rel.workspace(workspaceID).org.organization(orgID)));
+    }
+
+    async removeWorkspaceFromOrg(orgID: string, workspaceID: string): Promise<void> {
+        await this.authorizer.writeRelationships(remove(rel.workspace(workspaceID).org.organization(orgID)));
+    }
+
     public async find(relation: v1.Relationship): Promise<v1.Relationship | undefined> {
         const relationships = await this.authorizer.readRelationships({
             consistency: v1.Consistency.create({

components/server/src/authorization/definitions.ts

@@ -10,11 +10,23 @@ import { v1 } from "@authzed/authzed-node";
 
 const InstallationID = "1";
 
-export type ResourceType = UserResourceType | InstallationResourceType | OrganizationResourceType | ProjectResourceType;
+export type ResourceType =
+    | UserResourceType
+    | InstallationResourceType
+    | OrganizationResourceType
+    | ProjectResourceType
+    | WorkspaceResourceType;
 
-export type Relation = UserRelation | InstallationRelation | OrganizationRelation | ProjectRelation;
+export const AllResourceTypes: ResourceType[] = ["user", "installation", "organization", "project", "workspace"];
 
-export type Permission = UserPermission | InstallationPermission | OrganizationPermission | ProjectPermission;
+export type Relation = UserRelation | InstallationRelation | OrganizationRelation | ProjectRelation | WorkspaceRelation;
+
+export type Permission =
+    | UserPermission
+    | InstallationPermission
+    | OrganizationPermission
+    | ProjectPermission
+    | WorkspacePermission;
 
 export type UserResourceType = "user";
 
@@ -48,6 +60,7 @@ export type OrganizationPermission =
     | "write_git_provider"
     | "read_billing"
     | "write_billing"
+    | "create_workspace"
     | "write_billing_admin";
 
 export type ProjectResourceType = "project";
@@ -56,6 +69,12 @@ export type ProjectRelation = "org" | "editor" | "viewer";
 
 export type ProjectPermission = "read_info" | "write_info" | "delete";
 
+export type WorkspaceResourceType = "workspace";
+
+export type WorkspaceRelation = "org" | "owner";
+
+export type WorkspacePermission = "access" | "read_info";
+
 export const rel = {
     user(id: string) {
         const result: Partial<v1.Relationship> = {
@@ -327,4 +346,54 @@ export const rel = {
             },
         };
     },
+
+    workspace(id: string) {
+        const result: Partial<v1.Relationship> = {
+            resource: {
+                objectType: "workspace",
+                objectId: id,
+            },
+        };
+        return {
+            get org() {
+                const result2 = {
+                    ...result,
+                    relation: "org",
+                };
+                return {
+                    organization(objectId: string) {
+                        return {
+                            ...result2,
+                            subject: {
+                                object: {
+                                    objectType: "organization",
+                                    objectId: objectId,
+                                },
+                            },
+                        } as v1.Relationship;
+                    },
+                };
+            },
+
+            get owner() {
+                const result2 = {
+                    ...result,
+                    relation: "owner",
+                };
+                return {
+                    user(objectId: string) {
+                        return {
+                            ...result2,
+                            subject: {
+                                object: {
+                                    objectType: "user",
+                                    objectId: objectId,
+                                },
+                            },
+                        } as v1.Relationship;
+                    },
+                };
+            },
+        };
+    },
 };

components/server/src/container-module.ts

@@ -129,6 +129,7 @@ import { Redis } from "ioredis";
 import { RedisPublisher, newRedisClient } from "@gitpod/gitpod-db/lib";
 import { UserService } from "./user/user-service";
 import { RelationshipUpdater } from "./authorization/relationship-updater";
+import { WorkspaceService } from "./workspace/workspace-service";
 
 export const productionContainerModule = new ContainerModule(
     (bind, unbind, isBound, rebind, unbindAsync, onActivation, onDeactivation) => {
@@ -159,6 +160,7 @@ export const productionContainerModule = new ContainerModule(
         bind(ConfigurationService).toSelf().inSingletonScope();
 
         bind(SnapshotService).toSelf().inSingletonScope();
+        bind(WorkspaceService).toSelf().inSingletonScope();
         bind(WorkspaceFactory).toSelf().inSingletonScope();
         bind(WorkspaceDeletionService).toSelf().inSingletonScope();
         bind(WorkspaceStarter).toSelf().inSingletonScope();

components/server/src/prebuilds/prebuild-manager.ts

@@ -21,7 +21,6 @@ import {
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { TraceContext } from "@gitpod/gitpod-protocol/lib/util/tracing";
 import { getCommitInfo, HostContextProvider } from "../auth/host-context-provider";
-import { WorkspaceFactory } from "../workspace/workspace-factory";
 import { ConfigProvider } from "../workspace/config-provider";
 import { WorkspaceStarter } from "../workspace/workspace-starter";
 import { Config } from "../config";
@@ -38,6 +37,7 @@ import { ErrorCodes, ApplicationError } from "@gitpod/gitpod-protocol/lib/messag
 import { UserAuthentication } from "../user/user-authentication";
 import { EntitlementService, MayStartWorkspaceResult } from "../billing/entitlement-service";
 import { EnvVarService } from "../workspace/env-var-service";
+import { WorkspaceService } from "../workspace/workspace-service";
 
 export class WorkspaceRunningError extends Error {
     constructor(msg: string, public instance: WorkspaceInstance) {
@@ -56,7 +56,7 @@ export interface StartPrebuildParams {
 @injectable()
 export class PrebuildManager {
     @inject(TracedWorkspaceDB) protected readonly workspaceDB: DBWithTracing<WorkspaceDB>;
-    @inject(WorkspaceFactory) protected readonly workspaceFactory: WorkspaceFactory;
+    @inject(WorkspaceService) protected readonly workspaceService: WorkspaceService;
     @inject(WorkspaceStarter) protected readonly workspaceStarter: WorkspaceStarter;
     @inject(HostContextProvider) protected readonly hostContextProvider: HostContextProvider;
     @inject(ConfigProvider) protected readonly configProvider: ConfigProvider;
@@ -224,7 +224,7 @@ export class PrebuildManager {
                 }
             }
 
-            const workspace = await this.workspaceFactory.createForContext(
+            const workspace = await this.workspaceService.createWorkspace(
                 { span },
                 user,
                 project.teamId,