This is a combination of 3 commits.

[server] Make gRPC accept PAT tokens

Author: geropl

components/server/src/api/server.ts

@@ -7,7 +7,6 @@
 import { MethodKind, ServiceType } from "@bufbuild/protobuf";
 import { Code, ConnectError, ConnectRouter, HandlerContext, ServiceImpl } from "@connectrpc/connect";
 import { expressConnectMiddleware } from "@connectrpc/connect-express";
-import { User } from "@gitpod/gitpod-protocol";
 import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import { PublicAPIConverter } from "@gitpod/gitpod-protocol/lib/public-api-converter";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
@@ -49,6 +48,7 @@ import { ConfigurationServiceAPI } from "./configuration-service-api";
 import { AuthProviderServiceAPI } from "./auth-provider-service-api";
 import { Unauthenticated } from "./unauthenticated";
 import { SubjectId } from "../auth/subject-id";
+import { BearerAuth } from "../auth/bearer-authenticator";
 
 decorate(injectable(), PublicAPIConverter);
 
@@ -71,6 +71,7 @@ export class API {
     @inject(Redis) private readonly redis: Redis;
     @inject(Config) private readonly config: Config;
     @inject(UserService) private readonly userService: UserService;
+    @inject(BearerAuth) private readonly bearerAuthenticator: BearerAuth;
 
     listenPrivate(): http.Server {
         const app = express();
@@ -220,20 +221,20 @@ export class API {
                     // actually call the RPC handler
                     const auth = async () => {
                         // Authenticate
-                        const userId = await self.verify(connectContext);
-                        const isAuthenticated = !!userId;
+                        const subjectId = await self.verify(connectContext);
+                        const isAuthenticated = !!subjectId;
                         const requiresAuthentication = !Unauthenticated.get(target, prop);
                         if (!isAuthenticated && requiresAuthentication) {
                             throw new ConnectError("unauthenticated", Code.Unauthenticated);
                         }
 
                         if (isAuthenticated) {
-                            await rateLimit(userId);
-                            await self.ensureFgaMigration(userId);
+                            await rateLimit(subjectId.toString());
+                            await self.ensureFgaMigration(subjectId);
                         }
                         // TODO(at) if unauthenticated, we still need to apply enforece a rate limit
 
-                        return userId ? SubjectId.fromUserId(userId) : undefined;
+                        return subjectId;
                     };
 
                     const apply = async <T>(): Promise<T> => {
@@ -293,30 +294,46 @@ export class API {
         };
     }
 
-    private async verify(context: HandlerContext): Promise<string | undefined> {
+    private async verify(context: HandlerContext): Promise<SubjectId | undefined> {
+        // 1. Try Bearer token first
+        try {
+            const subjectId = await this.bearerAuthenticator.tryAuthFromHeaders(context.requestHeader);
+            if (subjectId) {
+                return subjectId;
+            }
+            // fall-through to session JWT
+        } catch (err) {
+            log.warn("error authenticating subject by Bearer token", err);
+        }
+
+        // 2. Try for session JWT in the "cookie" header
         const cookieHeader = (context.requestHeader.get("cookie") || "") as string;
         try {
             const claims = await this.sessionHandler.verifyJWTCookie(cookieHeader);
             const userId = claims?.sub;
-            return userId;
-        } catch (error) {
-            log.warn("Failed to authenticate user with JWT Session", error);
+            return !!userId ? SubjectId.fromUserId(userId) : undefined;
+        } catch (err) {
+            log.warn("Failed to authenticate user with JWT Session", err);
             return undefined;
         }
     }
 
-    private async ensureFgaMigration(userId: string): Promise<User> {
-        const fgaChecksEnabled = await isFgaChecksEnabled(userId);
+    private async ensureFgaMigration(subjectId: SubjectId): Promise<void> {
+        const fgaChecksEnabled = await isFgaChecksEnabled(subjectId.userId());
         if (!fgaChecksEnabled) {
             throw new ConnectError("unauthorized", Code.PermissionDenied);
         }
-        try {
-            return await this.userService.findUserById(userId, userId);
-        } catch (e) {
-            if (e instanceof ApplicationError && e.code === ErrorCodes.NOT_FOUND) {
-                throw new ConnectError("unauthorized", Code.PermissionDenied);
+
+        if (subjectId.kind === "user") {
+            const userId = subjectId.userId()!;
+            try {
+                await this.userService.findUserById(userId, userId);
+            } catch (e) {
+                if (e instanceof ApplicationError && e.code === ErrorCodes.NOT_FOUND) {
+                    throw new ConnectError("unauthorized", Code.PermissionDenied);
+                }
+                throw e;
             }
-            throw e;
         }
     }
 

components/server/src/api/teams.spec.db.ts

@@ -27,6 +27,7 @@ import { Config } from "../config";
 import { OrganizationService } from "../orgs/organization-service";
 import { ProjectsService } from "../projects/projects-service";
 import { AuthProviderService } from "../auth/auth-provider-service";
+import { BearerAuth } from "../auth/bearer-authenticator";
 
 const expect = chai.expect;
 
@@ -45,6 +46,7 @@ export class APITeamsServiceSpec {
         this.container.bind(WorkspaceService).toConstantValue({} as WorkspaceService);
         this.container.bind(OrganizationService).toConstantValue({} as OrganizationService);
         this.container.bind(UserAuthentication).toConstantValue({} as UserAuthentication);
+        this.container.bind(BearerAuth).toConstantValue({} as BearerAuth);
         this.container.bind(SessionHandler).toConstantValue({} as SessionHandler);
         this.container.bind(Config).toConstantValue({} as Config);
         this.container.bind(Redis).toConstantValue({} as Redis);

components/server/src/auth/bearer-authenticator.ts

@@ -9,14 +9,19 @@ import { GitpodTokenType, User } from "@gitpod/gitpod-protocol";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import * as crypto from "crypto";
 import express from "express";
-import { IncomingHttpHeaders } from "http";
 import { inject, injectable } from "inversify";
 import { Config } from "../config";
-import { AllAccessFunctionGuard, ExplicitFunctionAccessGuard, WithFunctionAccessGuard } from "./function-access";
+import {
+    AllAccessFunctionGuard,
+    ExplicitFunctionAccessGuard,
+    FunctionAccessGuard,
+    WithFunctionAccessGuard,
+} from "./function-access";
 import { TokenResourceGuard, WithResourceAccessGuard } from "./resource-access";
 import { UserService } from "../user/user-service";
+import { SubjectId } from "./subject-id";
 
-export function getBearerToken(headers: IncomingHttpHeaders): string | undefined {
+export function getBearerToken(headers: { [key: string]: any }): string | undefined {
     const authorizationHeader = headers["authorization"];
     if (!authorizationHeader || !(typeof authorizationHeader === "string")) {
         return;
@@ -51,7 +56,7 @@ export class BearerAuth {
     get restHandler(): express.RequestHandler {
         return async (req, res, next) => {
             try {
-                await this.auth(req);
+                await this.authExpressRequest(req);
             } catch (e) {
                 if (isBearerAuthError(e)) {
                     // (AT) while investigating https://github.com/gitpod-io/gitpod/issues/8703 we
@@ -71,15 +76,15 @@ export class BearerAuth {
     get restHandlerOptionally(): express.RequestHandler {
         return async (req, res, next) => {
             try {
-                await this.auth(req);
+                await this.authExpressRequest(req);
             } catch (e) {
                 // don't error the request, we just have not bearer authentication token
             }
             return next();
         };
     }
 
-    async auth(req: express.Request): Promise<void> {
+    async authExpressRequest(req: express.Request): Promise<void> {
         const token = getBearerToken(req.headers);
         if (!token) {
             throw createBearerAuthError("missing Bearer token");
@@ -90,10 +95,8 @@ export class BearerAuth {
         const resourceGuard = new TokenResourceGuard(user.id, scopes);
         (req as WithResourceAccessGuard).resourceGuard = resourceGuard;
 
-        const functionScopes = scopes
-            .filter((s) => s.startsWith("function:"))
-            .map((s) => s.substring("function:".length));
-        if (functionScopes.length === 1 && functionScopes[0] === "*") {
+        const { isAllAccessFunctionGuard, functionScopes } = FunctionAccessGuard.extractFunctionScopes(scopes);
+        if (isAllAccessFunctionGuard) {
             (req as WithFunctionAccessGuard).functionGuard = new AllAccessFunctionGuard();
         } else {
             // We always install a function access guard. If the token has no scopes, it's not allowed to do anything.
@@ -103,6 +106,22 @@ export class BearerAuth {
         req.user = user;
     }
 
+    async tryAuthFromHeaders(headers: { [key: string]: any }): Promise<SubjectId | undefined> {
+        const token = getBearerToken(headers);
+        if (!token) {
+            return undefined;
+        }
+        const { user, scopes } = await this.userAndScopesFromToken(token);
+
+        // gpl: Once we move PAT to FGA-backed scopes, this special case will go away, and covered by a different SubjectIdKind.
+        const { isAllAccessFunctionGuard } = FunctionAccessGuard.extractFunctionScopes(scopes);
+        if (!isAllAccessFunctionGuard) {
+            return undefined;
+        }
+
+        return SubjectId.fromUserId(user.id);
+    }
+
     private async userAndScopesFromToken(token: string): Promise<{ user: User; scopes: string[] }> {
         // We handle two types of Bearer tokens:
         //  1. Personal Access Tokens which are prefixed with `gitpod_pat_`

components/server/src/auth/function-access.ts

@@ -10,6 +10,19 @@ export interface FunctionAccessGuard {
     canAccess(name: string): boolean;
 }
 
+export namespace FunctionAccessGuard {
+    export function extractFunctionScopes(scopes: string[]): {
+        functionScopes: string[];
+        isAllAccessFunctionGuard: boolean;
+    } {
+        const functionScopes = scopes
+            .filter((s) => s.startsWith("function:"))
+            .map((s) => s.substring("function:".length));
+        const isAllAccessFunctionGuard = functionScopes.length === 1 && functionScopes[0] === "*";
+        return { functionScopes, isAllAccessFunctionGuard };
+    }
+}
+
 export interface WithFunctionAccessGuard {
     functionGuard?: FunctionAccessGuard;
 }

components/server/src/authorization/authorizer.ts

@@ -503,11 +503,13 @@ export class Authorizer {
     }
 }
 
-export async function isFgaChecksEnabled(userId: string): Promise<boolean> {
+export async function isFgaChecksEnabled(userId: string | undefined): Promise<boolean> {
     return getExperimentsClientForBackend().getValueAsync("centralizedPermissions", false, {
-        user: {
-            id: userId,
-        },
+        user: userId
+            ? {
+                  id: userId,
+              }
+            : undefined,
     });
 }
 

components/server/src/server.ts

@@ -191,7 +191,7 @@ export class Server {
                     }
 
                     try {
-                        await this.bearerAuth.auth(info.req as express.Request);
+                        await this.bearerAuth.authExpressRequest(info.req as express.Request);
                         authenticatedUsingBearerToken = true;
                     } catch (e) {
                         if (isBearerAuthError(e)) {