[fga] Skip old permission system if centralizedPermissions is enabled (#18519)

* [server] Disable old permission checks if centraliedPermissions is enabled

* review comments

Author: geropl

components/server/src/auth/resource-access.ts

@@ -22,6 +22,8 @@ import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { UnauthorizedError } from "../errors";
 import { RepoURL } from "../repohost";
 import { HostContextProvider } from "./host-context-provider";
+import { isFgaAuthorizerEnabled } from "../authorization/authorizer";
+import { reportGuardAccessCheck } from "../prometheus-metrics";
 
 declare let resourceInstance: GuardedResource;
 export type GuardedResourceKind = typeof resourceInstance.kind;
@@ -152,6 +154,26 @@ export class CompositeResourceAccessGuard implements ResourceAccessGuard {
     }
 }
 
+/**
+ * FGAResourceAccessGuard can disable the delegate if FGA is enabled.
+ */
+export class FGAResourceAccessGuard implements ResourceAccessGuard {
+    constructor(private readonly userId: string, private readonly delegate: ResourceAccessGuard) {}
+
+    async canAccess(resource: GuardedResource, operation: ResourceAccessOp): Promise<boolean> {
+        const authorizerEnabled = await isFgaAuthorizerEnabled(this.userId);
+        if (authorizerEnabled) {
+            // Authorizer takes over, so we should not check.
+            reportGuardAccessCheck("fga");
+            return true;
+        }
+        reportGuardAccessCheck("resource-access");
+
+        // FGA can't take over yet, so we delegate
+        return await this.delegate.canAccess(resource, operation);
+    }
+}
+
 export class TeamMemberResourceGuard implements ResourceAccessGuard {
     constructor(readonly userId: string) {}
 

components/server/src/authorization/authorizer.ts

@@ -213,11 +213,7 @@ export class Authorizer {
     }
 
     private async isDisabled(userId: string): Promise<boolean> {
-        return !(await getExperimentsClientForBackend().getValueAsync("centralizedPermissions", false, {
-            user: {
-                id: userId,
-            },
-        }));
+        return !(await isFgaAuthorizerEnabled(userId));
     }
 
     async addUser(userId: string, owningOrgId?: string) {
@@ -438,6 +434,15 @@ export class Authorizer {
     }
 }
 
+// TODO(gpl) remove after FGA rollout
+export async function isFgaAuthorizerEnabled(userId: string): Promise<boolean> {
+    return getExperimentsClientForBackend().getValueAsync("centralizedPermissions", false, {
+        user: {
+            id: userId,
+        },
+    });
+}
+
 function set(rs: v1.Relationship): v1.RelationshipUpdate {
     return v1.RelationshipUpdate.create({
         operation: v1.RelationshipUpdate_Operation.TOUCH,

components/server/src/prometheus-metrics.ts

@@ -21,7 +21,6 @@ export function registerServerMetrics(registry: prometheusClient.Registry) {
     registry.registerMetric(stripeClientRequestsCompletedDurationSeconds);
     registry.registerMetric(imageBuildsStartedTotal);
     registry.registerMetric(imageBuildsCompletedTotal);
-    registry.registerMetric(centralizedPermissionsValidationsTotal);
     registry.registerMetric(spicedbClientLatency);
     registry.registerMetric(dashboardErrorBoundary);
     registry.registerMetric(jwtCookieIssued);
@@ -229,16 +228,6 @@ export function increaseImageBuildsCompletedTotal(outcome: "succeeded" | "failed
     imageBuildsCompletedTotal.inc({ outcome });
 }
 
-const centralizedPermissionsValidationsTotal = new prometheusClient.Counter({
-    name: "gitpod_perms_centralized_validations_total",
-    help: "counter of centralized permission checks validations against existing system",
-    labelNames: ["operation", "matches_expectation"],
-});
-
-export function reportCentralizedPermsValidation(operation: string, matches: boolean) {
-    centralizedPermissionsValidationsTotal.inc({ operation, matches_expectation: String(matches) });
-}
-
 export const fgaRelationsUpdateClientLatency = new prometheusClient.Histogram({
     name: "gitpod_fga_relationship_update_seconds",
     help: "Histogram of completed relationship updates",
@@ -343,3 +332,14 @@ export const updateSubscribersRegistered = new prometheusClient.Gauge({
     help: "Gauge of subscribers registered",
     labelNames: ["type"],
 });
+
+export const guardAccessChecksTotal = new prometheusClient.Counter({
+    name: "gitpod_guard_access_checks_total",
+    help: "Counter for the number of guard access checks we do by type",
+    labelNames: ["type"],
+});
+
+export type GuardAccessCheckType = "fga" | "resource-access";
+export function reportGuardAccessCheck(type: GuardAccessCheckType) {
+    guardAccessChecksTotal.labels(type).inc();
+}

components/server/src/user/user-controller.ts

@@ -21,7 +21,12 @@ import { getRequestingClientInfo } from "../express-util";
 import { GitpodToken, GitpodTokenType, User } from "@gitpod/gitpod-protocol";
 import { HostContextProvider } from "../auth/host-context-provider";
 import { reportJWTCookieIssued } from "../prometheus-metrics";
-import { OwnerResourceGuard, ResourceAccessGuard, ScopedResourceGuard } from "../auth/resource-access";
+import {
+    FGAResourceAccessGuard,
+    OwnerResourceGuard,
+    ResourceAccessGuard,
+    ScopedResourceGuard,
+} from "../auth/resource-access";
 import { OneTimeSecretServer } from "../one-time-secret-server";
 import { ClientMetadata } from "../websocket/websocket-connection-manager";
 import * as fs from "fs/promises";
@@ -387,7 +392,8 @@ export class UserController {
                     return;
                 }
                 const sessionId = req.body.sessionId;
-                const server = this.createGitpodServer(user, new OwnerResourceGuard(user.id));
+                const resourceGuard = new FGAResourceAccessGuard(user.id, new OwnerResourceGuard(user.id));
+                const server = this.createGitpodServer(user, resourceGuard);
                 try {
                     await server.sendHeartBeat({}, { wasClosed: true, instanceId: instanceID });
                     /** no await */ server

components/server/src/websocket/websocket-connection-manager.ts

@@ -34,6 +34,7 @@ import {
     TeamMemberResourceGuard,
     WithResourceAccessGuard,
     RepositoryResourceGuard,
+    FGAResourceAccessGuard,
 } from "../auth/resource-access";
 import { clientIp, takeFirst } from "../express-util";
 import {
@@ -226,6 +227,7 @@ export class WebsocketConnectionManager implements ConnectionHandler {
                 new SharedWorkspaceAccessGuard(),
                 new RepositoryResourceGuard(user, this.hostContextProvider),
             ]);
+            resourceGuard = new FGAResourceAccessGuard(user.id, resourceGuard);
         } else {
             resourceGuard = { canAccess: async () => false };
         }