[fga] extract WorkspaceService.start (#18467)

* [server] WorkspaceService.startWorkspace

* [server] Start redis if not running

* [server] Move regionCode handling into WorkspaceService.startWorkspace

* [server] move "not-deleted" check into WorkspaceService.startWorkspace

* fix sshkey tests

---------

Co-authored-by: Gero Posmyk-Leinemann <[email protected]>

Author: akosyakov

components/server/package.json

@@ -19,13 +19,13 @@
     "test:leeway": "yarn build && yarn test",
     "test": "yarn test:unit && yarn test:db",
     "test:unit": "mocha --opts mocha.opts './**/*.spec.js' --exclude './node_modules/**'",
-    "test:db": "cleanup() { echo 'Cleanup started'; yarn stop-spicedb; }; trap cleanup EXIT; . $(leeway run components/gitpod-db:db-test-env) && yarn start-spicedb && mocha --opts mocha.opts './**/*.spec.db.js'  --exclude './node_modules/**'",
+    "test:db": "cleanup() { echo 'Cleanup started'; yarn stop-services; }; trap cleanup EXIT; . $(leeway run components/gitpod-db:db-test-env) && yarn start-services && mocha --opts mocha.opts './**/*.spec.db.js'  --exclude './node_modules/**'",
     "start-services": "yarn start-testdb && yarn start-redis && yarn start-spicedb",
     "stop-services": "yarn stop-redis && yarn stop-spicedb",
-    "start-testdb": "if netstat -tuln | grep ':23306 '; then echo 'Mysql is already running.'; else leeway run components/gitpod-db:init-testdb; fi",
+    "start-testdb": "leeway run components/gitpod-db:init-testdb",
     "start-spicedb": "leeway run components/spicedb:start-spicedb",
     "stop-spicedb": "leeway run components/spicedb:stop-spicedb",
-    "start-redis": "if netstat -tuln | grep ':6379 '; then echo 'Redis is already running.'; else docker run --rm --name test-redis -p 6379:6379 -d redis; fi",
+    "start-redis": "if redis-cli -h ${REDIS_HOST:-0.0.0.0} -e ping; then echo 'Redis is already running.'; else docker run --rm --name test-redis -p 6379:6379 -d redis; fi",
     "stop-redis": "docker stop test-redis || true",
     "telepresence": "telepresence --swap-deployment server --method inject-tcp --run yarn start-inspect"
   },

components/server/src/api/teams.spec.db.ts

@@ -13,7 +13,6 @@ import { createConnectTransport } from "@bufbuild/connect-node";
 import { Code, ConnectError, PromiseClient, createPromiseClient } from "@bufbuild/connect";
 import { AddressInfo } from "net";
 import { TeamsService as TeamsServiceDefinition } from "@gitpod/public-api/lib/gitpod/experimental/v1/teams_connectweb";
-import { WorkspaceStarter } from "../workspace/workspace-starter";
 import { UserAuthentication } from "../user/user-authentication";
 import { APITeamsService } from "./teams";
 import { v4 as uuidv4 } from "uuid";
@@ -24,6 +23,7 @@ import { Connection } from "typeorm";
 import { Timestamp } from "@bufbuild/protobuf";
 import { APIWorkspacesService } from "./workspaces";
 import { APIStatsService } from "./stats";
+import { WorkspaceService } from "../workspace/workspace-service";
 
 const expect = chai.expect;
 
@@ -43,7 +43,7 @@ export class APITeamsServiceSpec {
         this.container.bind(APIWorkspacesService).toSelf().inSingletonScope();
         this.container.bind(APIStatsService).toSelf().inSingletonScope();
 
-        this.container.bind(WorkspaceStarter).toConstantValue({} as WorkspaceStarter);
+        this.container.bind(WorkspaceService).toConstantValue({} as WorkspaceService);
         this.container.bind(UserAuthentication).toConstantValue({} as UserAuthentication);
 
         // Clean-up database

components/server/src/api/user.spec.ts

@@ -8,7 +8,6 @@ import { suite, test } from "@testdeck/mocha";
 import { APIUserService } from "./user";
 import { Container } from "inversify";
 import { testContainer } from "@gitpod/gitpod-db/lib";
-import { WorkspaceStarter } from "../workspace/workspace-starter";
 import { UserAuthentication } from "../user/user-authentication";
 import { BlockUserRequest, BlockUserResponse } from "@gitpod/public-api/lib/gitpod/experimental/v1/user_pb";
 import { User } from "@gitpod/gitpod-protocol";
@@ -18,24 +17,26 @@ import { TraceContext } from "@gitpod/gitpod-protocol/lib/util/tracing";
 import { v4 as uuidv4 } from "uuid";
 import { ConnectError, Code } from "@bufbuild/connect";
 import * as chai from "chai";
+import { WorkspaceService } from "../workspace/workspace-service";
 
 const expect = chai.expect;
 
 @suite()
 export class APIUserServiceSpec {
     private container: Container;
-    private workspaceStarterMock: WorkspaceStarter = {
+    private workspaceStarterMock: WorkspaceService = {
         stopRunningWorkspacesForUser: async (
             ctx: TraceContext,
-            userID: string,
+            userId: string,
+            userIdToStop: string,
             reason: string,
             policy?: StopWorkspacePolicy,
         ): Promise<Workspace[]> => {
             return [];
         },
-    } as WorkspaceStarter;
+    } as WorkspaceService;
     private userServiceMock: UserAuthentication = {
-        blockUser: async (targetUserId: string, block: boolean): Promise<User> => {
+        blockUser: async (userId: string, targetUserId: string, block: boolean): Promise<User> => {
             return {
                 id: targetUserId,
             } as User;
@@ -45,7 +46,7 @@ export class APIUserServiceSpec {
     async before() {
         this.container = testContainer.createChild();
 
-        this.container.bind(WorkspaceStarter).toConstantValue(this.workspaceStarterMock);
+        this.container.bind(WorkspaceService).toConstantValue(this.workspaceStarterMock);
         this.container.bind(UserAuthentication).toConstantValue(this.userServiceMock);
         this.container.bind(APIUserService).toSelf().inSingletonScope();
     }

components/server/src/api/user.ts

@@ -23,15 +23,16 @@ import {
     GetGitTokenResponse,
     BlockUserResponse,
 } from "@gitpod/public-api/lib/gitpod/experimental/v1/user_pb";
-import { WorkspaceStarter } from "../workspace/workspace-starter";
 import { UserAuthentication } from "../user/user-authentication";
+import { WorkspaceService } from "../workspace/workspace-service";
+import { SYSTEM_USER } from "../authorization/authorizer";
 import { validate } from "uuid";
-import { StopWorkspacePolicy } from "@gitpod/ws-manager/lib";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
+import { StopWorkspacePolicy } from "@gitpod/ws-manager/lib";
 
 @injectable()
 export class APIUserService implements ServiceImpl<typeof UserServiceInterface> {
-    @inject(WorkspaceStarter) protected readonly workspaceStarter: WorkspaceStarter;
+    @inject(WorkspaceService) protected readonly workspaceService: WorkspaceService;
     @inject(UserAuthentication) protected readonly userService: UserAuthentication;
 
     public async getAuthenticatedUser(req: GetAuthenticatedUserRequest): Promise<GetAuthenticatedUserResponse> {
@@ -73,14 +74,17 @@ export class APIUserService implements ServiceImpl<typeof UserServiceInterface>
 
         // TODO: Once connect-node supports middlewares, lift the tracing into the middleware.
         const trace = {};
-        await this.userService.blockUser(userId, true);
+        // TODO for now we use SYSTEM_USER, since it is only called by internal componenets like usage
+        // and not exposed publically, but there should be better way to get an authenticated user
+        await this.userService.blockUser(SYSTEM_USER, userId, true);
         log.info(`Blocked user ${userId}.`, {
             userId,
             reason,
         });
 
-        const stoppedWorkspaces = await this.workspaceStarter.stopRunningWorkspacesForUser(
+        const stoppedWorkspaces = await this.workspaceService.stopRunningWorkspacesForUser(
             trace,
+            SYSTEM_USER,
             userId,
             reason,
             StopWorkspacePolicy.IMMEDIATELY,

components/server/src/authorization/authorizer.ts

@@ -59,7 +59,7 @@ export class Authorizer {
         permission: OrganizationPermission,
         orgId: string,
     ): Promise<boolean> {
-        if (userId === "SYSTEM_USER") {
+        if (userId === SYSTEM_USER) {
             return true;
         }
 
@@ -89,7 +89,7 @@ export class Authorizer {
     }
 
     async hasPermissionOnProject(userId: string, permission: ProjectPermission, projectId: string): Promise<boolean> {
-        if (userId === "SYSTEM_USER") {
+        if (userId === SYSTEM_USER) {
             return true;
         }
 
@@ -119,7 +119,7 @@ export class Authorizer {
     }
 
     async hasPermissionOnUser(userId: string, permission: UserPermission, resourceUserId: string): Promise<boolean> {
-        if (userId === "SYSTEM_USER") {
+        if (userId === SYSTEM_USER) {
             return true;
         }
 
@@ -152,7 +152,7 @@ export class Authorizer {
         permission: WorkspacePermission,
         workspaceId: string,
     ): Promise<boolean> {
-        if (userId === "SYSTEM_USER") {
+        if (userId === SYSTEM_USER) {
             return true;
         }
 

components/server/src/authorization/definitions.ts

@@ -73,7 +73,7 @@ export type WorkspaceResourceType = "workspace";
 
 export type WorkspaceRelation = "org" | "owner";
 
-export type WorkspacePermission = "access" | "stop" | "delete" | "read_info";
+export type WorkspacePermission = "access" | "start" | "stop" | "delete" | "read_info";
 
 export const rel = {
     user(id: string) {

components/server/src/test/service-testing-container-module.ts

@@ -4,15 +4,15 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
+import * as grpc from "@grpc/grpc-js";
 import { v1 } from "@authzed/authzed-node";
 import { IAnalyticsWriter, NullAnalyticsWriter } from "@gitpod/gitpod-protocol/lib/analytics";
-import { IDEServiceDefinition } from "@gitpod/ide-service-api/lib/ide.pb";
+import { IDEServiceClient, IDEServiceDefinition } from "@gitpod/ide-service-api/lib/ide.pb";
 import { UsageServiceDefinition } from "@gitpod/usage-api/lib/usage/v1/usage.pb";
-import { WorkspaceManagerClientProvider } from "@gitpod/ws-manager/lib/client-provider";
 import { ContainerModule } from "inversify";
 import { v4 } from "uuid";
 import { AuthProviderParams } from "../auth/auth-provider";
-import { HostContextProviderFactory } from "../auth/host-context-provider";
+import { HostContextProvider, HostContextProviderFactory } from "../auth/host-context-provider";
 import { HostContextProviderImpl } from "../auth/host-context-provider-impl";
 import { SpiceDBClient } from "../authorization/spicedb";
 import { Config } from "../config";
@@ -21,7 +21,22 @@ import { testContainer } from "@gitpod/gitpod-db/lib";
 import { productionContainerModule } from "../container-module";
 import { createMock } from "./mocks/mock";
 import { UsageServiceClientMock } from "./mocks/usage-service-client-mock";
-import { env } from "process";
+import { env, nextTick } from "process";
+import { WorkspaceManagerClientProviderSource } from "@gitpod/ws-manager/lib/client-provider-source";
+import { WorkspaceClusterWoTLS } from "@gitpod/gitpod-protocol/lib/workspace-cluster";
+import { WorkspaceManagerClientProvider } from "@gitpod/ws-manager/lib/client-provider";
+import {
+    BuildInfo,
+    BuildResponse,
+    BuildStatus,
+    IImageBuilderClient,
+    LogInfo,
+    ResolveWorkspaceImageResponse,
+} from "@gitpod/image-builder/lib";
+import { IWorkspaceManagerClient, StartWorkspaceResponse } from "@gitpod/ws-manager/lib";
+import { TokenProvider } from "../user/token-provider";
+import { GitHubScope } from "../github/scopes";
+import { GitpodHostUrl } from "@gitpod/gitpod-protocol/lib/util/gitpod-host-url";
 
 /**
  * Expects a fully configured production container and
@@ -30,19 +45,141 @@ import { env } from "process";
  *  - replaces the analytics writer with a null analytics writer
  */
 const mockApplyingContainerModule = new ContainerModule((bind, unbound, isbound, rebind) => {
+    rebind(HostContextProvider).toConstantValue({
+        get: () => {
+            const authProviderId = "Public-GitHub";
+            return {
+                authProvider: {
+                    authProviderId,
+                },
+            };
+        },
+    });
+    rebind(TokenProvider).toConstantValue(<TokenProvider>{
+        getTokenForHost: async () => {
+            return {
+                value: "test",
+                scopes: [GitHubScope.EMAIL, GitHubScope.PUBLIC, GitHubScope.PRIVATE],
+            };
+        },
+    });
     rebind(UsageServiceDefinition.name).toConstantValue(createMock(new UsageServiceClientMock()));
     rebind(StorageClient).toConstantValue(createMock());
-    rebind(WorkspaceManagerClientProvider).toConstantValue(createMock());
-    rebind(IDEServiceDefinition.name).toConstantValue(createMock());
+    rebind(WorkspaceManagerClientProviderSource).toDynamicValue((): WorkspaceManagerClientProviderSource => {
+        const clusters: WorkspaceClusterWoTLS[] = [
+            {
+                name: "eu-central-1",
+                region: "europe",
+                url: "https://ws.gitpod.io",
+                state: "available",
+                maxScore: 100,
+                score: 100,
+                govern: true,
+            },
+        ];
+        return <WorkspaceManagerClientProviderSource>{
+            getAllWorkspaceClusters: async () => {
+                return clusters;
+            },
+            getWorkspaceCluster: async (name: string) => {
+                return clusters.find((c) => c.name === name);
+            },
+        };
+    });
+    rebind(WorkspaceManagerClientProvider)
+        .toSelf()
+        .onActivation((_, provider) => {
+            provider["createConnection"] = () => {
+                const channel = <Partial<grpc.Channel>>{
+                    getConnectivityState() {
+                        return grpc.connectivityState.READY;
+                    },
+                };
+                return Object.assign(
+                    <Partial<grpc.Client>>{
+                        getChannel() {
+                            return channel;
+                        },
+                    },
+                    <IImageBuilderClient & IWorkspaceManagerClient>{
+                        resolveWorkspaceImage(request, metadata, options, callback) {
+                            const response = new ResolveWorkspaceImageResponse();
+                            response.setStatus(BuildStatus.DONE_SUCCESS);
+                            callback(null, response);
+                        },
+                        build(request, metadata, options) {
+                            const listeners = new Map<string | symbol, Function>();
+                            nextTick(() => {
+                                const response = new BuildResponse();
+                                response.setStatus(BuildStatus.DONE_SUCCESS);
+                                response.setRef("my-test-build-ref");
+                                const buildInfo = new BuildInfo();
+                                const logInfo = new LogInfo();
+                                logInfo.setUrl("https://ws.gitpod.io/my-test-image-build/logs");
+                                buildInfo.setLogInfo(logInfo);
+                                response.setInfo(buildInfo);
+                                listeners.get("data")!(response);
+                                listeners.get("end")!();
+                            });
+                            return {
+                                on(event, callback) {
+                                    listeners.set(event, callback);
+                                },
+                            };
+                        },
+                        startWorkspace(request, metadata, options, callback) {
+                            const workspaceId = request.getServicePrefix();
+                            const response = new StartWorkspaceResponse();
+                            response.setUrl(`https://${workspaceId}.ws.gitpod.io`);
+                            callback(null, response);
+                        },
+                    },
+                ) as any;
+            };
+            return provider;
+        });
+    rebind(IDEServiceDefinition.name).toConstantValue(
+        createMock(<Partial<IDEServiceClient>>{
+            async resolveWorkspaceConfig() {
+                return {
+                    envvars: [],
+                    supervisorImage: "gitpod/supervisor:latest",
+                    webImage: "gitpod/code:latest",
+                    ideImageLayers: [],
+                    refererIde: "code",
+                    ideSettings: "",
+                    tasks: "",
+                };
+            },
+        }),
+    );
 
     rebind<Partial<Config>>(Config).toConstantValue({
+        hostUrl: new GitpodHostUrl("https://gitpod.io"),
         blockNewUsers: {
             enabled: false,
             passlist: [],
         },
         redis: {
             address: (env.REDIS_HOST || "127.0.0.1") + ":" + (env.REDIS_PORT || "6379"),
         },
+        workspaceDefaults: {
+            workspaceImage: "gitpod/workspace-full",
+            defaultFeatureFlags: [],
+            previewFeatureFlags: [],
+        },
+        workspaceClasses: [
+            {
+                category: "general",
+                description: "The default workspace class",
+                displayName: "Default",
+                id: "default",
+                isDefault: true,
+                powerups: 0,
+            },
+        ],
+        authProviderConfigs: [],
+        installationShortname: "gitpod",
     });
     rebind(IAnalyticsWriter).toConstantValue(NullAnalyticsWriter);
     rebind(HostContextProviderFactory)

components/server/src/user/sshkey-service.spec.db.ts

@@ -74,6 +74,7 @@ describe("SSHKeyService", async () => {
     afterEach(async () => {
         // Clean-up database
         await resetDB(container.get(TypeORM));
+        container.unbindAll();
     });
 
     it("should add ssh key", async () => {

components/server/src/user/user-authentication.ts

@@ -39,8 +39,8 @@ export class UserAuthentication {
         @inject(HostContextProvider) private readonly hostContextProvider: HostContextProvider,
     ) {}
 
-    async blockUser(targetUserId: string, block: boolean): Promise<User> {
-        const target = await this.userService.findUserById(targetUserId, targetUserId);
+    async blockUser(userId: string, targetUserId: string, block: boolean): Promise<User> {
+        const target = await this.userService.findUserById(userId, targetUserId);
         if (!target) {
             throw new ApplicationError(ErrorCodes.NOT_FOUND, "not found");
         }