spicedb: set grpc options

Author: geropl

components/server/package.json

@@ -34,7 +34,7 @@
     "/src"
   ],
   "dependencies": {
-    "@authzed/authzed-node": "^0.10.0",
+    "@authzed/authzed-node": "^0.12.1",
     "@bufbuild/connect": "^0.8.1",
     "@bufbuild/connect-express": "^0.8.1",
     "@gitbeaker/node": "^35.7.0",
@@ -66,6 +66,7 @@
     "express-http-proxy": "^1.0.7",
     "fs-extra": "^10.0.0",
     "google-protobuf": "^3.19.1",
+    "@grpc/grpc-js_1_9_0": "npm:@grpc/[email protected]",
     "inversify": "^6.0.1",
     "ioredis": "^5.3.2",
     "ioredis-mock": "^8.7.0",

components/server/src/authorization/authorizer.ts

@@ -474,6 +474,7 @@ export class Authorizer {
                     optionalSubjectId: relation.subject.object.objectId,
                 },
             },
+            optionalLimit: 0,
         });
         if (relationships.length === 0) {
             return undefined;
@@ -498,6 +499,7 @@ export class Authorizer {
                     optionalSubjectId: relation.subject.object.objectId,
                 },
             },
+            optionalLimit: 0,
         });
         return relationships.map((r) => r.relationship!);
     }

components/server/src/authorization/spicedb-authorizer.ts

@@ -12,6 +12,8 @@ import { getExperimentsClientForBackend } from "@gitpod/gitpod-protocol/lib/expe
 import { inject, injectable } from "inversify";
 import { observeSpicedbClientLatency, spicedbClientLatency } from "../prometheus-metrics";
 import { SpiceDBClient } from "./spicedb";
+// TODO(gpl) Change to "@grpc/grpc-js" once we can use 1.9.0 (or higher) everywhere
+import * as grpc from "@grpc/grpc-js_1_9_0";
 
 @injectable()
 export class SpiceDBAuthorizer {
@@ -43,7 +45,7 @@ export class SpiceDBAuthorizer {
         const timer = spicedbClientLatency.startTimer();
         let error: Error | undefined;
         try {
-            const response = await timeout(this.client.checkPermission(req), 5000);
+            const response = await this.client.checkPermission(req, this.callOptions);
             const permitted = response.permissionship === v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION;
 
             return permitted;
@@ -68,13 +70,11 @@ export class SpiceDBAuthorizer {
         const timer = spicedbClientLatency.startTimer();
         let error: Error | undefined;
         try {
-            const response = await timeout(
-                this.client.writeRelationships(
-                    v1.WriteRelationshipsRequest.create({
-                        updates,
-                    }),
-                ),
-                5000,
+            const response = await this.client.writeRelationships(
+                v1.WriteRelationshipsRequest.create({
+                    updates,
+                }),
+                this.callOptions,
             );
             log.info("[spicedb] Successfully wrote relationships.", { response, updates });
 
@@ -98,25 +98,20 @@ export class SpiceDBAuthorizer {
         const timer = spicedbClientLatency.startTimer();
         let error: Error | undefined;
         try {
-            return await timeout(
-                (async () => {
-                    const existing = await client.readRelationships(v1.ReadRelationshipsRequest.create(req));
-                    if (existing.length > 0) {
-                        const response = await client.deleteRelationships(req);
-                        const after = await client.readRelationships(v1.ReadRelationshipsRequest.create(req));
-                        if (after.length > 0) {
-                            log.error("[spicedb] Failed to delete relationships.", { existing, after, request: req });
-                        }
-                        log.info(`[spicedb] Successfully deleted ${existing.length} relationships.`, {
-                            response,
-                            request: req,
-                            existing,
-                        });
-                    }
-                    return existing;
-                })(),
-                5000,
-            );
+            const existing = await client.readRelationships(v1.ReadRelationshipsRequest.create(req), this.callOptions);
+            if (existing.length > 0) {
+                const response = await client.deleteRelationships(req, this.callOptions);
+                const after = await client.readRelationships(v1.ReadRelationshipsRequest.create(req), this.callOptions);
+                if (after.length > 0) {
+                    log.error("[spicedb] Failed to delete relationships.", { existing, after, request: req });
+                }
+                log.info(`[spicedb] Successfully deleted ${existing.length} relationships.`, {
+                    response,
+                    request: req,
+                    existing,
+                });
+            }
+            return existing;
         } catch (err) {
             error = err;
             // While in we're running two authorization systems in parallel, we do not hard fail on writes.
@@ -133,7 +128,18 @@ export class SpiceDBAuthorizer {
         if (!this.client) {
             return [];
         }
-        return this.client.readRelationships(req);
+        return this.client.readRelationships(req, this.callOptions);
+    }
+
+    /**
+     * permission_service.grpc-client.d.ts has all methods overloaded with this pattern:
+     *  - xyzRelationships(input: Request, metadata?: grpc.Metadata | grpc.CallOptions, options?: grpc.CallOptions): grpc.ClientReadableStream<ReadRelationshipsResponse>;
+     * But the promisified client somehow does not have the same overloads. Thus we convince it here that options may be passed as 2nd argument.
+     */
+    private get callOptions(): grpc.Metadata {
+        return {
+            deadline: Date.now() + 5000,
+        } as any as grpc.Metadata;
     }
 }
 function startTimer() {
@@ -146,20 +152,20 @@ function stopTimer(method: string, hrtime: [number, number]) {
     log.info(`[SPICEDB] ${method} (${ms} ms)`);
 }
 
-async function timeout<T>(code: Promise<T>, ms: number): Promise<T> {
-    return new Promise<T>((resolve, reject) => {
-        const timer = setTimeout(() => {
-            reject(new Error(`[spicedb] timed out after ${ms}ms`));
-        }, ms);
-        code.then(
-            (res) => {
-                clearTimeout(timer);
-                resolve(res);
-            },
-            (err) => {
-                clearTimeout(timer);
-                reject(err);
-            },
-        );
-    });
-}
+// async function timeout<T>(code: Promise<T>, ms: number): Promise<T> {
+//     return new Promise<T>((resolve, reject) => {
+//         const timer = setTimeout(() => {
+//             reject(new Error(`[spicedb] timed out after ${ms}ms`));
+//         }, ms);
+//         code.then(
+//             (res) => {
+//                 clearTimeout(timer);
+//                 resolve(res);
+//             },
+//             (err) => {
+//                 clearTimeout(timer);
+//                 reject(err);
+//             },
+//         );
+//     });
+// }

components/server/src/authorization/spicedb.ts

@@ -5,6 +5,7 @@
  */
 
 import { v1 } from "@authzed/authzed-node";
+import { defaultGRPCOptions } from "@gitpod/gitpod-protocol/lib/util/grpc";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 
 export const SpiceDBClient = Symbol("SpiceDBClient");
@@ -23,5 +24,10 @@ export function spicedbClientFromEnv(): SpiceDBClient {
         return undefined;
     }
 
-    return v1.NewClient(token, address, v1.ClientSecurity.INSECURE_PLAINTEXT_CREDENTIALS).promises;
+    const clientOptions = {
+        ...defaultGRPCOptions,
+    };
+
+    return v1.NewClient(token, address, v1.ClientSecurity.INSECURE_PLAINTEXT_CREDENTIALS, undefined, clientOptions)
+        .promises;
 }

yarn.lock

@@ -2,12 +2,12 @@
 # yarn lockfile v1
 
 
-"@authzed/authzed-node@^0.10.0":
-  version "0.10.0"
-  resolved "https://registry.yarnpkg.com/@authzed/authzed-node/-/authzed-node-0.10.0.tgz#623e4911fde221bb526e7f2e9ca335d9f3b9072d"
-  integrity sha512-TnAnatcU5dHvyGqrWoZzPNaO1opPpVU1y7P5LrJsV2j54y0xvx/OFhYtfeguMxHSz2kpbdCuIvIKJuB8WFbRRA==
+"@authzed/authzed-node@^0.12.1":
+  version "0.12.1"
+  resolved "https://registry.yarnpkg.com/@authzed/authzed-node/-/authzed-node-0.12.1.tgz#0c28395a64f9b1ecf33faf67259e32a9a3bce300"
+  integrity sha512-BVHLaPfiHQw1Vz+199m9i4xltT3YyFhqVHtkYPIQ28q8a7iJpnXmFRZIWuTMJcxJI01wtAxJYFuRJq3ktFe6qw==
   dependencies:
-    "@grpc/grpc-js" "^1.2.8"
+    "@grpc/grpc-js" "^1.8.3"
     "@protobuf-ts/runtime" "^2.8.1"
     "@protobuf-ts/runtime-rpc" "^2.8.1"
     google-protobuf "^3.15.3"
@@ -1419,14 +1419,6 @@
     "@grpc/proto-loader" "^0.7.0"
     "@types/node" ">=12.12.47"
 
-"@grpc/grpc-js@^1.2.8":
-  version "1.8.7"
-  resolved "https://registry.yarnpkg.com/@grpc/grpc-js/-/grpc-js-1.8.7.tgz#2154fc0134462ad45f4134e8b54682a25ed05956"
-  integrity sha512-dRAWjRFN1Zy9mzPNLkFFIWT8T6C9euwluzCHZUKuhC+Bk3MayNPcpgDRyG+sg+n2sitEUySKxUynirVpu9ItKw==
-  dependencies:
-    "@grpc/proto-loader" "^0.7.0"
-    "@types/node" ">=12.12.47"
-
 "@grpc/grpc-js@^1.6.1":
   version "1.7.0"
   resolved "https://registry.yarnpkg.com/@grpc/grpc-js/-/grpc-js-1.7.0.tgz#5a96bdbe51cce23faa38a4db6e43595a5c584849"
@@ -1435,6 +1427,14 @@
     "@grpc/proto-loader" "^0.7.0"
     "@types/node" ">=12.12.47"
 
+"@grpc/grpc-js@^1.8.3", "@grpc/grpc-js_1_9_0@npm:@grpc/[email protected]":
+  version "1.9.0"
+  resolved "https://registry.yarnpkg.com/@grpc/grpc-js/-/grpc-js-1.9.0.tgz#bdb599e339adabb16aa7243e70c311f75a572867"
+  integrity sha512-H8+iZh+kCE6VR/Krj6W28Y/ZlxoZ1fOzsNt77nrdE3knkbSelW1Uus192xOFCxHyeszLj8i4APQkSIXjAoOxXg==
+  dependencies:
+    "@grpc/proto-loader" "^0.7.0"
+    "@types/node" ">=12.12.47"
+
 "@grpc/proto-loader@^0.7.0":
   version "0.7.2"
   resolved "https://registry.yarnpkg.com/@grpc/proto-loader/-/proto-loader-0.7.2.tgz#fa63178853afe1473c50cff89fe572f7c8b20154"
@@ -3470,7 +3470,7 @@
     "@typescript-eslint/types" "4.33.0"
     eslint-visitor-keys "^2.0.0"
 
-"@useorbital/client-types@^1.5.0":
+"@useorbital/client-types@^1.6.0":
   version "1.6.0"
   resolved "https://registry.yarnpkg.com/@useorbital/client-types/-/client-types-1.6.0.tgz#5ae0828964cb50962395b142578ec4c2c39806e8"
   integrity sha512-Lf490y3x1v8jFgEULuLRt7TmN/kSZeQ0hYS4Y6AfHijB6oBp/B0o1MWNrF11KqKY6ghs1CIZi5RxVOXsnd/geQ==