[server] handle guessTokenScopes

Author: AlexTugarev

components/gitpod-protocol/src/protocol.ts

@@ -891,13 +891,6 @@ export interface GuessGitTokenScopesParams {
     host: string;
     repoUrl: string;
     gitCommand: string;
-    currentToken: GitToken;
-}
-
-export interface GitToken {
-    token: string;
-    user: string;
-    scopes: string[];
 }
 
 export interface GuessedGitTokenScopes {

components/server/src/api/scm-service-api.ts

@@ -43,7 +43,12 @@ export class ScmServiceAPI implements ServiceImpl<typeof ScmServiceInterface> {
         request: GuessTokenScopesRequest,
         context: HandlerContext,
     ): Promise<GuessTokenScopesResponse> {
-        throw new ConnectError("unimplemented", Code.Unimplemented);
+        const userId = ctxUserId();
+        const { scopes, message } = await this.scmService.guessTokenScopes(userId, request);
+        return new GuessTokenScopesResponse({
+            scopes,
+            message,
+        });
     }
 
     async searchRepositories(

components/server/src/auth/auth-provider-service.ts

@@ -86,44 +86,52 @@ export class AuthProviderService {
         return result.map(toPublic);
     }
 
+    async findAuthProviderDescription(user: User, host: string): Promise<AuthProviderInfo | undefined> {
+        const provider =
+            this.config.authProviderConfigs.find((p) => p.host.toLowerCase() === host?.toLowerCase()) ||
+            (await this.getAllAuthProviderParams()).find((p) => p.host.toLowerCase() === host?.toLowerCase());
+        return provider ? this.toInfo(provider) : undefined;
+    }
+
+    // explicitly copy to avoid bleeding sensitive details
+    private toInfo(ap: AuthProviderParams): AuthProviderInfo {
+        return {
+            authProviderId: ap.id,
+            authProviderType: ap.type,
+            ownerId: ap.ownerId,
+            organizationId: ap.organizationId,
+            verified: ap.verified,
+            host: ap.host,
+            icon: ap.icon,
+            hiddenOnDashboard: ap.hiddenOnDashboard,
+            disallowLogin: ap.disallowLogin,
+            description: ap.description,
+            scopes: getScopesOfProvider(ap),
+            requirements: getRequiredScopes(ap),
+        };
+    }
+
     async getAuthProviderDescriptions(user: User): Promise<AuthProviderInfo[]> {
         const { builtinAuthProvidersConfigured } = this.config;
 
         const authProviders = [...(await this.getAllAuthProviderParams()), ...this.config.authProviderConfigs];
 
-        // explicitly copy to avoid bleeding sensitive details
-        const toInfo = (ap: AuthProviderParams) =>
-            <AuthProviderInfo>{
-                authProviderId: ap.id,
-                authProviderType: ap.type,
-                ownerId: ap.ownerId,
-                organizationId: ap.organizationId,
-                verified: ap.verified,
-                host: ap.host,
-                icon: ap.icon,
-                hiddenOnDashboard: ap.hiddenOnDashboard,
-                disallowLogin: ap.disallowLogin,
-                description: ap.description,
-                scopes: getScopesOfProvider(ap),
-                requirements: getRequiredScopes(ap),
-            };
-
         const result: AuthProviderInfo[] = [];
         for (const p of authProviders) {
             const identity = user.identities.find((i) => i.authProviderId === p.id);
             if (identity) {
-                result.push(toInfo(p));
+                result.push(this.toInfo(p));
                 continue;
             }
             if (p.ownerId === user.id) {
-                result.push(toInfo(p));
+                result.push(this.toInfo(p));
                 continue;
             }
             if (builtinAuthProvidersConfigured && !this.isBuiltIn(p)) {
                 continue;
             }
             if (this.isNotHidden(p) && this.isVerified(p)) {
-                result.push(toInfo(p));
+                result.push(this.toInfo(p));
             }
         }
         return result;

components/server/src/scm/scm-service.ts

@@ -12,6 +12,10 @@ import { Project, Token, User } from "@gitpod/gitpod-protocol";
 import { HostContextProvider } from "../auth/host-context-provider";
 import { RepoURL } from "../repohost";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
+import { AuthProviderService } from "../auth/auth-provider-service";
+import { UserService } from "../user/user-service";
+import { GitTokenScopeGuesser } from "../workspace/git-token-scope-guesser";
+import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 
 @injectable()
 export class ScmService {
@@ -20,6 +24,9 @@ export class ScmService {
         @inject(Authorizer) private readonly auth: Authorizer,
         @inject(TokenProvider) private readonly tokenProvider: TokenProvider,
         @inject(HostContextProvider) private readonly hostContextProvider: HostContextProvider,
+        @inject(AuthProviderService) private readonly authProviderService: AuthProviderService,
+        @inject(UserService) private readonly userService: UserService,
+        @inject(GitTokenScopeGuesser) private readonly gitTokenScopeGuesser: GitTokenScopeGuesser,
     ) {}
 
     public async getToken(userId: string, query: { host: string }): Promise<Token> {
@@ -30,7 +37,7 @@ export class ScmService {
         return token;
     }
 
-    async installWebhookForPrebuilds(project: Project, installer: User) {
+    public async installWebhookForPrebuilds(project: Project, installer: User) {
         // Install the prebuilds webhook if possible
         const { teamId, cloneUrl } = project;
         const parsedUrl = RepoURL.parseRepoUrl(project.cloneUrl);
@@ -42,4 +49,29 @@ export class ScmService {
             await repositoryService.installAutomatedPrebuilds(installer, cloneUrl);
         }
     }
+
+    /**
+     * `guessTokenScopes` requires the same permissions as `getToken`.
+     */
+    public async guessTokenScopes(
+        userId: string,
+        params: { host: string; repoUrl: string; gitCommand: string },
+    ): Promise<{ scopes?: string[]; message?: string }> {
+        const { host, repoUrl, gitCommand } = params;
+
+        const user = await this.userService.findUserById(userId, userId);
+
+        const provider = await this.authProviderService.findAuthProviderDescription(user, host);
+        if (!provider) {
+            throw new ApplicationError(ErrorCodes.NOT_FOUND, `Auth provider not found.`);
+        }
+
+        const { value: currentToken } = await this.getToken(userId, { host });
+        return await this.gitTokenScopeGuesser.guessGitTokenScopes(provider, {
+            host,
+            repoUrl,
+            gitCommand,
+            currentToken,
+        });
+    }
 }

components/server/src/workspace/git-token-scope-guesser.ts

@@ -11,15 +11,12 @@ import { GitTokenValidator } from "./git-token-validator";
 
 @injectable()
 export class GitTokenScopeGuesser {
-    @inject(GitTokenValidator) tokenValidator: GitTokenValidator;
+    constructor(@inject(GitTokenValidator) private readonly tokenValidator: GitTokenValidator) {}
 
     async guessGitTokenScopes(
-        authProvider: AuthProviderInfo | undefined,
-        params: GuessGitTokenScopesParams,
+        authProvider: AuthProviderInfo,
+        params: GuessGitTokenScopesParams & { currentToken: string },
     ): Promise<GuessedGitTokenScopes> {
-        if (!authProvider) {
-            return { message: "Unknown host" };
-        }
         const { repoUrl, gitCommand, currentToken } = params;
 
         const parsedRepoUrl = repoUrl && RepoURL.parseRepoUrl(repoUrl);
@@ -36,7 +33,7 @@ export class GitTokenScopeGuesser {
                 owner,
                 repo,
                 repoKind,
-                token: currentToken.token,
+                token: currentToken,
             });
             const hasWriteAccess = validationResult && validationResult.writeAccessToRepo === true;
             if (hasWriteAccess) {

components/server/src/workspace/gitpod-server-impl.ts

@@ -110,7 +110,6 @@ import { RepoURL } from "../repohost/repo-url";
 import { AuthorizationService } from "../user/authorization-service";
 import { UserAuthentication } from "../user/user-authentication";
 import { ContextParser } from "./context-parser-service";
-import { GitTokenScopeGuesser } from "./git-token-scope-guesser";
 import { isClusterMaintenanceError } from "./workspace-starter";
 import { HeadlessLogUrls } from "@gitpod/gitpod-protocol/lib/headless-workspace-log";
 import { ConfigProvider, InvalidGitpodYMLError } from "./config-provider";
@@ -218,8 +217,6 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         @inject(AuthProviderService) private readonly authProviderService: AuthProviderService,
 
-        @inject(GitTokenScopeGuesser) private readonly gitTokenScopeGuesser: GitTokenScopeGuesser,
-
         @inject(ProjectsService) private readonly projectsService: ProjectsService,
 
         @inject(IDEService) private readonly ideService: IDEService,
@@ -2363,13 +2360,11 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     }
 
     async guessGitTokenScopes(ctx: TraceContext, params: GuessGitTokenScopesParams): Promise<GuessedGitTokenScopes> {
-        traceAPIParams(ctx, { params: censor(params, "currentToken") });
+        traceAPIParams(ctx, { params: censor(params as any, "currentToken") });
 
-        const authProviders = await this.getAuthProviders(ctx);
-        return this.gitTokenScopeGuesser.guessGitTokenScopes(
-            authProviders.find((p) => p.host == params.host),
-            params,
-        );
+        const user = await this.checkAndBlockUser("guessGitTokenScopes");
+
+        return await this.scmService.guessTokenScopes(user.id, { ...params });
     }
 
     async adminGetUser(ctx: TraceContext, userId: string): Promise<User> {