[server] relationship updates

Author: svenefftinge

components/gitpod-protocol/src/protocol.ts

@@ -268,7 +268,8 @@ export interface AdditionalUserData extends Partial<WorkspaceTimeoutSetting> {
     // additional user profile data
     profile?: ProfileDetails;
     shouldSeeMigrationMessage?: boolean;
-
+    // fgaRelationshipsVersion is the version of the spicedb relationships
+    fgaRelationshipsVersion?: number;
     // remembered workspace auto start options
     workspaceAutostartOptions?: WorkspaceAutostartOption[];
 }

components/gitpod-protocol/src/teams-projects-protocol.ts

@@ -142,6 +142,12 @@ export interface Organization {
     deleted?: boolean;
 }
 
+export namespace Organization {
+    export function is(data?: any): data is Organization {
+        return typeof data === "object" && ["id", "name"].every((p) => p in data);
+    }
+}
+
 export interface OrganizationSettings {
     workspaceSharingDisabled?: boolean;
 }

components/server/src/authorization/authorizer.ts

@@ -6,16 +6,20 @@
 
 import { v1 } from "@authzed/authzed-node";
 
-import { Organization, Project, TeamMemberInfo, TeamMemberRole } from "@gitpod/gitpod-protocol";
+import { Organization, Project, TeamMemberInfo, TeamMemberRole, User } from "@gitpod/gitpod-protocol";
 import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import {
     InstallationID,
+    InstallationRelation,
     OrganizationPermission,
+    OrganizationRelation,
     Permission,
     ProjectPermission,
+    ProjectRelation,
     Relation,
     ResourceType,
     UserPermission,
+    UserRelation,
 } from "./definitions";
 import { SpiceDBAuthorizer } from "./spicedb-authorizer";
 import { BUILTIN_INSTLLATION_ADMIN_USER_ID } from "@gitpod/gitpod-db/lib";
@@ -39,6 +43,24 @@ export function createInitializingAuthorizer(spiceDbAuthorizer: SpiceDBAuthorize
     });
 }
 
+export const installation = {
+    type: "installation",
+    id: InstallationID,
+};
+
+export type Resource = typeof installation | User | Organization | Project;
+export namespace Resource {
+    export function getType(res: Resource): ResourceType {
+        return (res as any).type === "installation"
+            ? "installation"
+            : User.is(res)
+            ? "user"
+            : Organization.is(res)
+            ? "organization"
+            : "project";
+    }
+}
+
 export class Authorizer {
     constructor(private authorizer: SpiceDBAuthorizer) {}
 
@@ -125,15 +147,24 @@ export class Authorizer {
 
     // write operations below
 
-    async addUser(userId: string) {
+    async addUser(userId: string, owningOrgId?: string) {
+        const updates = [
+            v1.RelationshipUpdate.create({
+                operation: v1.RelationshipUpdate_Operation.TOUCH,
+                relationship: relationship(objectRef("user", userId), "self", subject("user", userId)),
+            }),
+            v1.RelationshipUpdate.create({
+                operation: v1.RelationshipUpdate_Operation.TOUCH,
+                relationship: relationship(
+                    objectRef("user", userId),
+                    "container",
+                    owningOrgId ? subject("organization", owningOrgId) : subject("installation", InstallationID),
+                ),
+            }),
+        ];
         await this.authorizer.writeRelationships(
             v1.WriteRelationshipsRequest.create({
-                updates: [
-                    v1.RelationshipUpdate.create({
-                        operation: v1.RelationshipUpdate_Operation.TOUCH,
-                        relationship: relationship(objectRef("user", userId), "self", subject("user", userId)),
-                    }),
-                ],
+                updates,
             }),
         );
     }
@@ -375,6 +406,76 @@ export class Authorizer {
             }),
         ];
     }
+
+    public async readRelationships(
+        inst: typeof installation,
+        relation: InstallationRelation,
+        target: Resource,
+    ): Promise<Relationship[]>;
+    public async readRelationships(user: User, relation: UserRelation, target: Resource): Promise<Relationship[]>;
+    public async readRelationships(
+        org: Organization,
+        relation: OrganizationRelation,
+        target: Resource,
+    ): Promise<Relationship[]>;
+    public async readRelationships(
+        project: Project,
+        relation: ProjectRelation,
+        target: Resource,
+    ): Promise<Relationship[]>;
+    public async readRelationships(subject: Resource, relation?: Relation, object?: Resource): Promise<Relationship[]>;
+    public async readRelationships(subject: Resource, relation?: Relation, object?: Resource): Promise<Relationship[]> {
+        const relationShips = await this.authorizer.readRelationships({
+            consistency: v1.Consistency.create({
+                requirement: {
+                    oneofKind: "fullyConsistent",
+                    fullyConsistent: true,
+                },
+            }),
+            relationshipFilter: {
+                resourceType: Resource.getType(subject),
+                optionalResourceId: subject.id,
+                optionalRelation: relation || "",
+                optionalSubjectFilter: object && {
+                    subjectType: Resource.getType(object),
+                    optionalSubjectId: object?.id,
+                },
+            },
+        });
+        return relationShips
+            .map((rel) => {
+                const subject = rel.relationship?.subject?.object;
+                const object = rel.relationship?.resource;
+                const relation = rel.relationship?.relation;
+                if (!subject || !object || !relation) {
+                    throw new Error("Invalid relationship");
+                }
+                return new Relationship(
+                    object.objectType as ResourceType,
+                    object.objectId!,
+                    relation as Relation,
+                    subject.objectType as ResourceType,
+                    subject.objectId!,
+                );
+            })
+            .sort((a, b) => {
+                return a.toString().localeCompare(b.toString());
+            });
+    }
+}
+
+export class Relationship {
+    constructor(
+        public readonly subjectType: ResourceType,
+        public readonly subjectID: string,
+        public readonly relation: Relation,
+        public readonly objectType: ResourceType,
+        public readonly objectID: string,
+    ) {}
+
+    public toString(): string {
+        return `${this.subjectType}:${this.subjectID}#${this.relation}@${this.objectType}:${this.objectID}`;
+    }
 }
 
 function objectRef(type: ResourceType, id: string): v1.ObjectReference {

components/server/src/authorization/relationship-updater.spec.db.ts

@@ -0,0 +1,91 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { BUILTIN_INSTLLATION_ADMIN_USER_ID, TeamDB, TypeORM, UserDB } from "@gitpod/gitpod-db/lib";
+import { resetDB } from "@gitpod/gitpod-db/lib/test/reset-db";
+import { User } from "@gitpod/gitpod-protocol";
+import { Experiments } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
+import * as chai from "chai";
+import { Container } from "inversify";
+import "mocha";
+import { createTestContainer } from "../test/service-testing-container-module";
+import { Authorizer, Relationship, Resource, installation } from "./authorizer";
+import { Relation } from "./definitions";
+import { RelationshipUpdater } from "./relationship-updater";
+
+const expect = chai.expect;
+
+describe("RelationshipUpdater", async () => {
+    let container: Container;
+    let userDB: UserDB;
+    let orgDB: TeamDB;
+    let migrator: RelationshipUpdater;
+    let authorizer: Authorizer;
+
+    beforeEach(async () => {
+        container = createTestContainer();
+        Experiments.configureTestingClient({
+            centralizedPermissions: true,
+        });
+        BUILTIN_INSTLLATION_ADMIN_USER_ID;
+        userDB = container.get<UserDB>(UserDB);
+        orgDB = container.get<TeamDB>(TeamDB);
+        migrator = container.get<RelationshipUpdater>(RelationshipUpdater);
+        authorizer = container.get<Authorizer>(Authorizer);
+    });
+
+    afterEach(async () => {
+        // Clean-up database
+        await resetDB(container.get(TypeORM));
+    });
+
+    it("should update a simple user", async () => {
+        let user = await userDB.newUser();
+        user = await migrate(user);
+
+        await expectRs(user, "container", installation);
+        await expectRs(user, "self", user);
+        await expectRs(installation, "member", user);
+    });
+
+    it("should update a simple user organization owned", async () => {
+        let user = await userDB.newUser();
+        const org = await orgDB.createTeam(user.id, "MyOrg");
+        user.organizationId = org.id;
+        user = await userDB.storeUser(user);
+
+        user = await migrate(user);
+
+        await expectRs(user, "container", org);
+        await expectRs(user, "self", user);
+        await expectRs(org, "installation", installation);
+        await expectRs(org, "member", user);
+        await expectRs(org, "owner", user);
+    });
+
+    async function expectRs(res: Resource, relation: Relation, target: Resource): Promise<void> {
+        const expected = new Relationship(
+            Resource.getType(res),
+            res.id,
+            relation,
+            Resource.getType(target),
+            target.id,
+        ).toString();
+        const rs = await authorizer.readRelationships(res, relation, target);
+        const all = await authorizer.readRelationships(res, relation);
+        expect(
+            rs.length,
+            `Expected ${expected} but got ${JSON.stringify(rs)} (all rs of this kind ${JSON.stringify(all)})`,
+        ).to.equal(1);
+        expect(rs[0].toString()).to.equal(expected);
+    }
+
+    async function migrate(user: User): Promise<User> {
+        user = await migrator.migrate(user);
+        expect(user.additionalData?.fgaRelationshipsVersion).to.equal(migrator.version);
+        return user;
+    }
+});

components/server/src/authorization/relationship-updater.ts

@@ -0,0 +1,74 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { ProjectDB, TeamDB, UserDB } from "@gitpod/gitpod-db/lib";
+import { AdditionalUserData, Organization, User } from "@gitpod/gitpod-protocol";
+import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
+import { inject, injectable } from "inversify";
+import { RedisMutex } from "../redis/mutex";
+import { Authorizer } from "./authorizer";
+
+@injectable()
+export class RelationshipUpdater {
+    public readonly version = 1;
+
+    constructor(
+        @inject(RedisMutex) private readonly mutex: RedisMutex,
+        @inject(UserDB) private readonly userDB: UserDB,
+        @inject(TeamDB) private readonly orgDB: TeamDB,
+        @inject(ProjectDB) private readonly projectDB: ProjectDB,
+        @inject(Authorizer) private readonly authorizer: Authorizer,
+    ) {}
+
+    /**
+     * Updates all relationships for a user according to the current state of the database.
+     * @param user
+     * @returns
+     */
+    public async migrate(user: User): Promise<User> {
+        if (user?.additionalData?.fgaRelationshipsVersion === this.version) {
+            return user;
+        }
+        return this.mutex.using([`fga-migration-${user.id}`], 2000, async () => {
+            const now = new Date().getTime();
+            try {
+                log.info({ userId: user.id }, `Updating FGA relationships for user.`, {
+                    fromVersion: user?.additionalData?.fgaRelationshipsVersion,
+                    toVersion: this.version,
+                });
+                await this.updateUser(user);
+                const orgs = await this.orgDB.findTeamsByUser(user.id);
+                for (const org of orgs) {
+                    await this.updateOrganization(org);
+                }
+                return user;
+            } finally {
+                AdditionalUserData.set(user, {
+                    fgaRelationshipsVersion: this.version,
+                });
+                await this.userDB.updateUserPartial(user);
+                log.info({ userId: user.id }, `Finished updating relationships.`, {
+                    duration: now - new Date().getTime(),
+                });
+            }
+        });
+    }
+
+    private async updateUser(user: User): Promise<void> {
+        //TODO remove user first
+        await this.authorizer.addUser(user.id, user.organizationId);
+        if (!user.organizationId) {
+            await this.authorizer.addInstallationMemberRole(user.id);
+        }
+    }
+
+    private async updateOrganization(org: Organization): Promise<void> {
+        //TODO remove org first
+        const members = await this.orgDB.findMembersByTeam(org.id);
+        const projects = await this.projectDB.findProjects(org.id);
+        await this.authorizer.addOrganization(org, members, projects);
+    }
+}

components/server/src/authorization/spicedb-authorizer.ts

@@ -97,4 +97,11 @@ export class SpiceDBAuthorizer {
             observeSpicedbClientLatency("delete", error, timer());
         }
     }
+
+    async readRelationships(req: v1.ReadRelationshipsRequest): Promise<v1.ReadRelationshipsResponse[]> {
+        if (!this.client) {
+            return [];
+        }
+        return this.client.readRelationships(req);
+    }
 }

components/server/src/container-module.ts

@@ -128,6 +128,7 @@ import { RedisSubscriber } from "./messaging/redis-subscriber";
 import { Redis } from "ioredis";
 import { RedisPublisher, newRedisClient } from "@gitpod/gitpod-db/lib";
 import { UserService } from "./user/user-service";
+import { RelationshipUpdater as RelationshipUpdater } from "./authorization/relationship-updater";
 
 export const productionContainerModule = new ContainerModule(
     (bind, unbind, isBound, rebind, unbindAsync, onActivation, onDeactivation) => {
@@ -311,6 +312,7 @@ export const productionContainerModule = new ContainerModule(
                 return createInitializingAuthorizer(authorizer);
             })
             .inSingletonScope();
+        bind(RelationshipUpdater).toSelf().inSingletonScope();
 
         // grpc / Connect API
         bind(APIUserService).toSelf().inSingletonScope();

components/server/src/projects/projects-service.spec.db.ts

@@ -5,17 +5,17 @@
  */
 
 import { TypeORM, UserDB } from "@gitpod/gitpod-db/lib";
+import { resetDB } from "@gitpod/gitpod-db/lib/test/reset-db";
 import { Organization, User } from "@gitpod/gitpod-protocol";
 import { Experiments } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
+import { ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import * as chai from "chai";
 import { Container } from "inversify";
 import "mocha";
 import { OrganizationService } from "../orgs/organization-service";
+import { expectError } from "../test/expect-utils";
 import { createTestContainer } from "../test/service-testing-container-module";
 import { ProjectsService } from "./projects-service";
-import { ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
-import { resetDB } from "@gitpod/gitpod-db/lib/test/reset-db";
-import { expectError } from "../test/expect-utils";
 
 const expect = chai.expect;