gitpod-io
diff --git a/‎components/server/src/authorization/authorizer.ts
Lines changed: 51 additions & 21 deletions b/‎components/server/src/authorization/authorizer.ts
Lines changed: 51 additions & 21 deletions
diff --git a/‎components/server/src/authorization/definitions.ts
Lines changed: 72 additions & 3 deletions b/‎components/server/src/authorization/definitions.ts
Lines changed: 72 additions & 3 deletions
diff --git a/‎components/server/src/container-module.ts
Lines changed: 2 additions & 0 deletions b/‎components/server/src/container-module.ts
Lines changed: 2 additions & 0 deletions
diff --git a/‎components/server/src/jobs/workspace-gc.ts
Lines changed: 8 additions & 2 deletions b/‎components/server/src/jobs/workspace-gc.ts
Lines changed: 8 additions & 2 deletions
diff --git a/‎components/server/src/prebuilds/prebuild-manager.ts
Lines changed: 15 additions & 18 deletions b/‎components/server/src/prebuilds/prebuild-manager.ts
Lines changed: 15 additions & 18 deletions
diff --git a/‎components/server/src/test/expect-utils.ts
Lines changed: 4 additions & 3 deletions b/‎components/server/src/test/expect-utils.ts
Lines changed: 4 additions & 3 deletions
@@ -16,6 +16,7 @@ import {
     Relation,
     ResourceType,
     UserPermission,
+    WorkspacePermission,
     rel,
 } from "./definitions";
 import { SpiceDBAuthorizer } from "./spicedb-authorizer";
@@ -101,11 +102,11 @@ export class Authorizer {
         );
     }
 
-    async hasPermissionOnUser(userId: string, permission: UserPermission, userResourceId: string): Promise<boolean> {
+    async hasPermissionOnUser(userId: string, permission: UserPermission, resourceUserId: string): Promise<boolean> {
         const req = v1.CheckPermissionRequest.create({
             subject: subject("user", userId),
             permission,
-            resource: object("user", userResourceId),
+            resource: object("user", resourceUserId),
             consistency,
         });
 
@@ -126,6 +127,35 @@ export class Authorizer {
         );
     }
 
+    async hasPermissionOnWorkspace(
+        userId: string,
+        permission: WorkspacePermission,
+        workspaceId: string,
+    ): Promise<boolean> {
+        const req = v1.CheckPermissionRequest.create({
+            subject: subject("user", userId),
+            permission,
+            resource: object("workspace", workspaceId),
+            consistency,
+        });
+
+        return this.authorizer.check(req, { userId });
+    }
+
+    async checkPermissionOnWorkspace(userId: string, permission: WorkspacePermission, workspaceId: string) {
+        if (await this.hasPermissionOnWorkspace(userId, permission, workspaceId)) {
+            return;
+        }
+        if ("read_info" === permission || !(await this.hasPermissionOnWorkspace(userId, "read_info", workspaceId))) {
+            throw new ApplicationError(ErrorCodes.NOT_FOUND, `Workspace ${workspaceId} not found.`);
+        }
+
+        throw new ApplicationError(
+            ErrorCodes.PERMISSION_DENIED,
+            `You do not have ${permission} on workspace ${workspaceId}`,
+        );
+    }
+
     // write operations below
 
     public async removeAllRelationships(type: ResourceType, id: string) {
@@ -158,7 +188,7 @@ export class Authorizer {
 
     async addUser(userId: string, owningOrgId?: string) {
         await this.authorizer.writeRelationships(
-            set(rel.user(userId).self.user(userId)), //
+            set(rel.user(userId).self.user(userId)),
             set(
                 owningOrgId
                     ? rel.user(userId).organization.organization(owningOrgId)
@@ -186,15 +216,11 @@ export class Authorizer {
     }
 
     async addProjectToOrg(orgID: string, projectID: string): Promise<void> {
-        await this.authorizer.writeRelationships(
-            set(rel.project(projectID).org.organization(orgID)), //
-        );
+        await this.authorizer.writeRelationships(set(rel.project(projectID).org.organization(orgID)));
     }
 
     async removeProjectFromOrg(orgID: string, projectID: string): Promise<void> {
-        await this.authorizer.writeRelationships(
-            remove(rel.project(projectID).org.organization(orgID)), //
-        );
+        await this.authorizer.writeRelationships(remove(rel.project(projectID).org.organization(orgID)));
     }
 
     async addOrganization(org: Organization, members: TeamMemberInfo[], projects: Project[]): Promise<void> {
@@ -206,32 +232,36 @@ export class Authorizer {
             await this.addProjectToOrg(org.id, project.id);
         }
 
-        await this.authorizer.writeRelationships(
-            set(rel.organization(org.id).installation.installation), //
-        );
+        await this.authorizer.writeRelationships(set(rel.organization(org.id).installation.installation));
     }
 
     async addInstallationMemberRole(userID: string) {
-        await this.authorizer.writeRelationships(
-            set(rel.installation.member.user(userID)), //
-        );
+        await this.authorizer.writeRelationships(set(rel.installation.member.user(userID)));
     }
 
     async removeInstallationMemberRole(userID: string) {
-        await this.authorizer.writeRelationships(
-            remove(rel.installation.member.user(userID)), //
-        );
+        await this.authorizer.writeRelationships(remove(rel.installation.member.user(userID)));
     }
 
     async addInstallationAdminRole(userID: string) {
+        await this.authorizer.writeRelationships(set(rel.installation.admin.user(userID)));
+    }
+
+    async removeInstallationAdminRole(userID: string) {
+        await this.authorizer.writeRelationships(remove(rel.installation.admin.user(userID)));
+    }
+
+    async createWorkspaceInOrg(orgID: string, userID: string, workspaceID: string): Promise<void> {
         await this.authorizer.writeRelationships(
-            set(rel.installation.admin.user(userID)), //
+            set(rel.workspace(workspaceID).org.organization(orgID)),
+            set(rel.workspace(workspaceID).owner.user(userID)),
         );
     }
 
-    async removeInstallationAdminRole(userID: string) {
+    async deleteWorkspaceFromOrg(orgID: string, userID: string, workspaceID: string): Promise<void> {
         await this.authorizer.writeRelationships(
-            remove(rel.installation.admin.user(userID)), //
+            remove(rel.workspace(workspaceID).org.organization(orgID)),
+            remove(rel.workspace(workspaceID).owner.user(userID)),
         );
     }
 
 
@@ -10,11 +10,23 @@ import { v1 } from "@authzed/authzed-node";
 
 const InstallationID = "1";
 
-export type ResourceType = UserResourceType | InstallationResourceType | OrganizationResourceType | ProjectResourceType;
+export type ResourceType =
+    | UserResourceType
+    | InstallationResourceType
+    | OrganizationResourceType
+    | ProjectResourceType
+    | WorkspaceResourceType;
 
-export type Relation = UserRelation | InstallationRelation | OrganizationRelation | ProjectRelation;
+export const AllResourceTypes: ResourceType[] = ["user", "installation", "organization", "project", "workspace"];
 
-export type Permission = UserPermission | InstallationPermission | OrganizationPermission | ProjectPermission;
+export type Relation = UserRelation | InstallationRelation | OrganizationRelation | ProjectRelation | WorkspaceRelation;
+
+export type Permission =
+    | UserPermission
+    | InstallationPermission
+    | OrganizationPermission
+    | ProjectPermission
+    | WorkspacePermission;
 
 export type UserResourceType = "user";
 
@@ -48,6 +60,7 @@ export type OrganizationPermission =
     | "write_git_provider"
     | "read_billing"
     | "write_billing"
+    | "create_workspace"
     | "write_billing_admin";
 
 export type ProjectResourceType = "project";
@@ -56,6 +69,12 @@ export type ProjectRelation = "org" | "editor" | "viewer";
 
 export type ProjectPermission = "read_info" | "write_info" | "delete";
 
+export type WorkspaceResourceType = "workspace";
+
+export type WorkspaceRelation = "org" | "owner";
+
+export type WorkspacePermission = "access" | "stop" | "delete" | "read_info";
+
 export const rel = {
     user(id: string) {
         const result: Partial<v1.Relationship> = {
@@ -327,4 +346,54 @@ export const rel = {
             },
         };
     },
+
+    workspace(id: string) {
+        const result: Partial<v1.Relationship> = {
+            resource: {
+                objectType: "workspace",
+                objectId: id,
+            },
+        };
+        return {
+            get org() {
+                const result2 = {
+                    ...result,
+                    relation: "org",
+                };
+                return {
+                    organization(objectId: string) {
+                        return {
+                            ...result2,
+                            subject: {
+                                object: {
+                                    objectType: "organization",
+                                    objectId: objectId,
+                                },
+                            },
+                        } as v1.Relationship;
+                    },
+                };
+            },
+
+            get owner() {
+                const result2 = {
+                    ...result,
+                    relation: "owner",
+                };
+                return {
+                    user(objectId: string) {
+                        return {
+                            ...result2,
+                            subject: {
+                                object: {
+                                    objectType: "user",
+                                    objectId: objectId,
+                                },
+                            },
+                        } as v1.Relationship;
+                    },
+                };
+            },
+        };
+    },
 };
@@ -129,6 +129,7 @@ import { Redis } from "ioredis";
 import { RedisPublisher, newRedisClient } from "@gitpod/gitpod-db/lib";
 import { UserService } from "./user/user-service";
 import { RelationshipUpdater } from "./authorization/relationship-updater";
+import { WorkspaceService } from "./workspace/workspace-service";
 
 export const productionContainerModule = new ContainerModule(
     (bind, unbind, isBound, rebind, unbindAsync, onActivation, onDeactivation) => {
@@ -159,6 +160,7 @@ export const productionContainerModule = new ContainerModule(
         bind(ConfigurationService).toSelf().inSingletonScope();
 
         bind(SnapshotService).toSelf().inSingletonScope();
+        bind(WorkspaceService).toSelf().inSingletonScope();
         bind(WorkspaceFactory).toSelf().inSingletonScope();
         bind(WorkspaceDeletionService).toSelf().inSingletonScope();
         bind(WorkspaceStarter).toSelf().inSingletonScope();
 
@@ -12,6 +12,7 @@ import { TracedWorkspaceDB, DBWithTracing, WorkspaceDB } from "@gitpod/gitpod-db
 import { TraceContext } from "@gitpod/gitpod-protocol/lib/util/tracing";
 import { Config } from "../config";
 import { Job } from "./runner";
+import { WorkspaceService } from "../workspace/workspace-service";
 
 /**
  * The WorkspaceGarbageCollector has two tasks:
@@ -20,6 +21,7 @@ import { Job } from "./runner";
  */
 @injectable()
 export class WorkspaceGarbageCollector implements Job {
+    @inject(WorkspaceService) protected readonly workspaceService: WorkspaceService;
     @inject(WorkspaceDeletionService) protected readonly deletionService: WorkspaceDeletionService;
     @inject(TracedWorkspaceDB) protected readonly workspaceDB: DBWithTracing<WorkspaceDB>;
     @inject(Config) protected readonly config: Config;
@@ -70,7 +72,7 @@ export class WorkspaceGarbageCollector implements Job {
                 );
             const afterSelect = new Date();
             const deletes = await Promise.all(
-                workspaces.map((ws) => this.deletionService.softDeleteWorkspace({ span }, ws, "gc")),
+                workspaces.map((ws) => this.workspaceService.deleteWorkspace(ws.ownerId, ws.id, "gc")), // TODO(gpl) This should be a system user/service account instead of ws owner
             );
             const afterDelete = new Date();
 
@@ -125,7 +127,11 @@ export class WorkspaceGarbageCollector implements Job {
                     now,
                 );
             const deletes = await Promise.all(
-                workspaces.map((ws) => this.deletionService.hardDeleteWorkspace({ span }, ws.id)),
+                workspaces.map((ws) =>
+                    this.workspaceService
+                        .hardDeleteWorkspace(ws.ownerId, ws.id)
+                        .catch((err) => log.error("failed to hard-delete workspace", err)),
+                ), // TODO(gpl) This should be a system user/service account instead of ws owner
             );
 
             log.info(`workspace-gc: successfully purged ${deletes.length} workspaces`);
 
@@ -21,7 +21,6 @@ import {
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { TraceContext } from "@gitpod/gitpod-protocol/lib/util/tracing";
 import { getCommitInfo, HostContextProvider } from "../auth/host-context-provider";
-import { WorkspaceFactory } from "../workspace/workspace-factory";
 import { ConfigProvider } from "../workspace/config-provider";
 import { WorkspaceStarter } from "../workspace/workspace-starter";
 import { Config } from "../config";
@@ -38,6 +37,7 @@ import { ErrorCodes, ApplicationError } from "@gitpod/gitpod-protocol/lib/messag
 import { UserAuthentication } from "../user/user-authentication";
 import { EntitlementService, MayStartWorkspaceResult } from "../billing/entitlement-service";
 import { EnvVarService } from "../workspace/env-var-service";
+import { WorkspaceService } from "../workspace/workspace-service";
 
 export class WorkspaceRunningError extends Error {
     constructor(msg: string, public instance: WorkspaceInstance) {
@@ -56,7 +56,7 @@ export interface StartPrebuildParams {
 @injectable()
 export class PrebuildManager {
     @inject(TracedWorkspaceDB) protected readonly workspaceDB: DBWithTracing<WorkspaceDB>;
-    @inject(WorkspaceFactory) protected readonly workspaceFactory: WorkspaceFactory;
+    @inject(WorkspaceService) protected readonly workspaceService: WorkspaceService;
     @inject(WorkspaceStarter) protected readonly workspaceStarter: WorkspaceStarter;
     @inject(HostContextProvider) protected readonly hostContextProvider: HostContextProvider;
     @inject(ConfigProvider) protected readonly configProvider: ConfigProvider;
@@ -77,21 +77,18 @@ export class PrebuildManager {
             const results: Promise<any>[] = [];
             for (const prebuild of prebuilds) {
                 try {
-                    for (const instance of prebuild.instances) {
-                        log.info(
-                            { userId: user.id, instanceId: instance.id, workspaceId: instance.workspaceId },
-                            "Cancelling Prebuild workspace because a newer commit was pushed to the same branch.",
-                        );
-                        results.push(
-                            this.workspaceStarter.stopWorkspaceInstance(
-                                { span },
-                                instance.id,
-                                instance.region,
-                                "prebuild cancelled because a newer commit was pushed to the same branch",
-                                StopWorkspacePolicy.ABORT,
-                            ),
-                        );
-                    }
+                    log.info(
+                        { userId: user.id, workspaceId: prebuild.workspace.id },
+                        "Cancelling Prebuild workspace because a newer commit was pushed to the same branch.",
+                    );
+                    results.push(
+                        this.workspaceService.stopWorkspace(
+                            user.id,
+                            prebuild.workspace.id,
+                            "prebuild cancelled because a newer commit was pushed to the same branch",
+                            StopWorkspacePolicy.ABORT,
+                        ),
+                    );
                     prebuild.prebuild.state = "aborted";
                     prebuild.prebuild.error = "A newer commit was pushed to the same branch.";
                     results.push(this.workspaceDB.trace({ span }).storePrebuiltWorkspace(prebuild.prebuild));
@@ -224,7 +221,7 @@ export class PrebuildManager {
                 }
             }
 
-            const workspace = await this.workspaceFactory.createForContext(
+            const workspace = await this.workspaceService.createWorkspace(
                 { span },
                 user,
                 project.teamId,
 
@@ -7,14 +7,15 @@
 import { ApplicationError, ErrorCode } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import { expect } from "chai";
 
-export async function expectError(errorCode: ErrorCode, code: Promise<any> | (() => Promise<any>)) {
+export async function expectError(errorCode: ErrorCode, code: Promise<any> | (() => Promise<any>), message?: string) {
+    const msg = "expected error: " + errorCode + (message ? " - " + message : "");
     try {
         await (code instanceof Function ? code() : code);
-        expect.fail("expected error: " + errorCode);
+        expect.fail(msg);
     } catch (err) {
         if (!ApplicationError.hasErrorCode(err)) {
             throw err;
         }
-        expect(err && ApplicationError.hasErrorCode(err) && err.code).to.equal(errorCode);
+        expect(err && ApplicationError.hasErrorCode(err) && err.code, msg).to.equal(errorCode);
     }
 }
Original file line number	Diff line number	Diff line change
`@@ -7,14 +7,15 @@`
`7`	`7`	`import { ApplicationError, ErrorCode } from "@gitpod/gitpod-protocol/lib/messaging/error";`
`8`	`8`	`import { expect } from "chai";`
`9`	`9`
`10`		`-export async function expectError(errorCode: ErrorCode, code: Promise<any> \| (() => Promise<any>)) {`
	`10`	`+export async function expectError(errorCode: ErrorCode, code: Promise<any> \| (() => Promise<any>), message?: string) {`
	`11`	`+ const msg = "expected error: " + errorCode + (message ? " - " + message : "");`
`11`	`12`	`try {`
`12`	`13`	`await (code instanceof Function ? code() : code);`
`13`		`- expect.fail("expected error: " + errorCode);`
	`14`	`+ expect.fail(msg);`
`14`	`15`	`} catch (err) {`
`15`	`16`	`if (!ApplicationError.hasErrorCode(err)) {`
`16`	`17`	`throw err;`
`17`	`18`	`}`
`18`		`- expect(err && ApplicationError.hasErrorCode(err) && err.code).to.equal(errorCode);`
	`19`	`+ expect(err && ApplicationError.hasErrorCode(err) && err.code, msg).to.equal(errorCode);`
`19`	`20`	`}`
`20`	`21`	`}`