[server] WorkspaceService.stopWorkspace

Author: geropl

components/server/src/authorization/definitions.ts

@@ -73,7 +73,7 @@ export type WorkspaceResourceType = "workspace";
 
 export type WorkspaceRelation = "org" | "owner";
 
-export type WorkspacePermission = "access" | "read_info";
+export type WorkspacePermission = "access" | "stop" | "read_info";
 
 export const rel = {
     user(id: string) {

components/server/src/prebuilds/prebuild-manager.ts

@@ -77,21 +77,18 @@ export class PrebuildManager {
             const results: Promise<any>[] = [];
             for (const prebuild of prebuilds) {
                 try {
-                    for (const instance of prebuild.instances) {
-                        log.info(
-                            { userId: user.id, instanceId: instance.id, workspaceId: instance.workspaceId },
-                            "Cancelling Prebuild workspace because a newer commit was pushed to the same branch.",
-                        );
-                        results.push(
-                            this.workspaceStarter.stopWorkspaceInstance(
-                                { span },
-                                instance.id,
-                                instance.region,
-                                "prebuild cancelled because a newer commit was pushed to the same branch",
-                                StopWorkspacePolicy.ABORT,
-                            ),
-                        );
-                    }
+                    log.info(
+                        { userId: user.id, workspaceId: prebuild.workspace.id },
+                        "Cancelling Prebuild workspace because a newer commit was pushed to the same branch.",
+                    );
+                    results.push(
+                        this.workspaceService.stopWorkspace(
+                            user.id,
+                            prebuild.workspace.id,
+                            "prebuild cancelled because a newer commit was pushed to the same branch",
+                            StopWorkspacePolicy.ABORT,
+                        ),
+                    );
                     prebuild.prebuild.state = "aborted";
                     prebuild.prebuild.error = "A newer commit was pushed to the same branch.";
                     results.push(this.workspaceDB.trace({ span }).storePrebuiltWorkspace(prebuild.prebuild));

components/server/src/workspace/gitpod-server-impl.ts

@@ -1015,7 +1015,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         }
 
         try {
-            await this.internalStopWorkspace(ctx, workspace, "stopped via API");
+            await this.internalStopWorkspace(ctx, user.id, workspace, "stopped via API");
         } catch (err) {
             log.error(logCtx, "stopWorkspace error: ", err);
             if (isClusterMaintenanceError(err)) {
@@ -1028,8 +1028,10 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         }
     }
 
+    // TODO(gpl) Remove this method once we introduced FGA
     private async internalStopWorkspace(
         ctx: TraceContext,
+        userId: string,
         workspace: Workspace,
         reason: string,
         policy?: StopWorkspacePolicy,
@@ -1059,7 +1061,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
             }
         }
 
-        await this.workspaceStarter.stopWorkspaceInstance(ctx, instance.id, instance.region, reason, policy);
+        await this.workspaceService.stopWorkspace(userId, workspace.id, reason, policy);
     }
 
     private async guardAdminAccess(method: string, params: any, requiredPermission: PermissionName): Promise<User> {
@@ -1112,7 +1114,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         await this.guardAccess({ kind: "workspace", subject: ws }, "delete");
 
         // for good measure, try and stop running instances
-        await this.internalStopWorkspace(ctx, ws, "deleted via API");
+        await this.internalStopWorkspace(ctx, user.id, ws, "deleted via API");
 
         // actually delete the workspace
         await this.workspaceDeletionService.softDeleteWorkspace(ctx, ws, "user");
@@ -3317,12 +3319,20 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
     async adminForceStopWorkspace(ctx: TraceContext, workspaceId: string): Promise<void> {
         traceAPIParams(ctx, { workspaceId });
+        const user = await this.checkAndBlockUser("adminForceStopWorkspace");
 
         await this.guardAdminAccess("adminForceStopWorkspace", { id: workspaceId }, Permission.ADMIN_WORKSPACES);
 
         const workspace = await this.workspaceDb.trace(ctx).findById(workspaceId);
         if (workspace) {
-            await this.internalStopWorkspace(ctx, workspace, "stopped by admin", StopWorkspacePolicy.IMMEDIATELY, true);
+            await this.internalStopWorkspace(
+                ctx,
+                user.id,
+                workspace,
+                "stopped by admin",
+                StopWorkspacePolicy.IMMEDIATELY,
+                true,
+            );
         }
     }
 

components/server/src/workspace/workspace-service.spec.db.ts

@@ -78,6 +78,16 @@ describe("WorkspaceService", async () => {
         await resetDB(container.get(TypeORM));
     });
 
+    it("should createWorkspace", async () => {
+        const svc = container.get(WorkspaceService);
+
+        // Owner can create a workspace in our org
+        await createTestWorkspace(svc, org, owner, project);
+
+        // Stranger can't create a workspace in our org
+        await expectError(ErrorCodes.NOT_FOUND, () => createTestWorkspace(svc, org, stranger, project));
+    });
+
     it("should getWorkspace", async () => {
         const svc = container.get(WorkspaceService);
         const ws = await createTestWorkspace(svc, org, owner, project);
@@ -87,6 +97,16 @@ describe("WorkspaceService", async () => {
 
         await expectError(ErrorCodes.NOT_FOUND, () => svc.getWorkspace(stranger.id, ws.id));
     });
+
+    it("should stopWorkspace", async () => {
+        const svc = container.get(WorkspaceService);
+        const ws = await createTestWorkspace(svc, org, owner, project);
+
+        await svc.stopWorkspace(owner.id, ws.id, "test stopping stopped workspace");
+        await expectError(ErrorCodes.NOT_FOUND, () =>
+            svc.stopWorkspace(stranger.id, ws.id, "test stranger stopping stopped workspace"),
+        );
+    });
 });
 
 async function createTestWorkspace(svc: WorkspaceService, org: Organization, owner: User, project: Project) {

components/server/src/workspace/workspace-service.ts

@@ -12,11 +12,14 @@ import { Authorizer } from "../authorization/authorizer";
 import { TraceContext } from "@gitpod/gitpod-protocol/lib/util/tracing";
 import { WorkspaceFactory } from "./workspace-factory";
 import { WorkspaceDeletionService } from "./workspace-deletion-service";
+import { StopWorkspacePolicy } from "@gitpod/ws-manager/lib";
+import { WorkspaceStarter } from "./workspace-starter";
 
 @injectable()
 export class WorkspaceService {
     constructor(
         @inject(WorkspaceFactory) private readonly factory: WorkspaceFactory,
+        @inject(WorkspaceStarter) private readonly workspaceStarter: WorkspaceStarter,
         @inject(WorkspaceDeletionService) private readonly workspaceDeletionService: WorkspaceDeletionService,
         @inject(WorkspaceDB) private readonly db: WorkspaceDB,
         @inject(Authorizer) private readonly auth: Authorizer,
@@ -56,10 +59,28 @@ export class WorkspaceService {
 
     async getWorkspace(userId: string, workspaceId: string): Promise<Workspace> {
         await this.auth.checkPermissionOnWorkspace(userId, "access", workspaceId);
+
         const workspace = await this.db.findById(workspaceId);
         if (!workspace) {
             throw new ApplicationError(ErrorCodes.NOT_FOUND, "Workspace not found.");
         }
         return workspace;
     }
+
+    async stopWorkspace(
+        userId: string,
+        workspaceId: string,
+        reason: string,
+        policy?: StopWorkspacePolicy,
+    ): Promise<void> {
+        await this.auth.checkPermissionOnWorkspace(userId, "stop", workspaceId);
+
+        const workspace = await this.getWorkspace(userId, workspaceId);
+        const instance = await this.db.findRunningInstance(workspace.id);
+        if (!instance) {
+            // there's no instance running - we're done
+            return;
+        }
+        await this.workspaceStarter.stopWorkspaceInstance({}, instance.id, instance.region, reason, policy);
+    }
 }

components/spicedb/schema/schema.yaml

@@ -92,6 +92,9 @@ schema: |-
     //+ (hasAccessToRepository && isPrebuild) + everyoneIfIsShared
     permission access = owner
 
+    // This is modelled after current behavior
+    permission stop = owner + org->installation_admin
+
     // Whether a user can read basic info/metadata of a workspace
     //+ (hasAccessToRepository && isPrebuild) + everyoneIfIsShared
     permission read_info = owner + org->member