[server] setAdmin impr

Author: svenefftinge

components/server/src/authorization/authorizer.ts

@@ -337,7 +337,7 @@ export class Authorizer {
         );
     }
 
-    async removeAdminRole(userID: string) {
+    async removeInstallationAdminRole(userID: string) {
         await this.authorizer.writeRelationships(
             v1.WriteRelationshipsRequest.create({
                 updates: [

components/server/src/authorization/definitions.ts

@@ -15,7 +15,7 @@ export type UserResourceType = "user";
 
 export type UserRelation = "self" | "container";
 
-export type UserPermission = "read_info" | "write_info" | "suspend";
+export type UserPermission = "read_info" | "write_info" | "suspend" | "make_admin";
 
 export type InstallationResourceType = "installation";
 

components/server/src/orgs/usage-service.spec.db.ts

@@ -4,7 +4,7 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
-import { TypeORM, UserDB } from "@gitpod/gitpod-db/lib";
+import { BUILTIN_INSTLLATION_ADMIN_USER_ID, TypeORM } from "@gitpod/gitpod-db/lib";
 import { Organization, User } from "@gitpod/gitpod-protocol";
 import { AttributionId } from "@gitpod/gitpod-protocol/lib/attribution";
 import { Experiments } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
@@ -47,21 +47,42 @@ describe("UsageService", async () => {
             centralizedPermissions: true,
         });
         os = container.get(OrganizationService);
-        const userDB = container.get<UserDB>(UserDB);
-        owner = await userDB.newUser();
+        const userService = container.get<UserService>(UserService);
+        owner = await userService.createUser({
+            identity: {
+                authName: "github",
+                authProviderId: "github",
+                authId: "1234",
+            },
+        });
         org = await os.createOrganization(owner.id, "myorg");
         const invite = await os.getOrCreateInvite(owner.id, org.id);
 
-        member = await userDB.newUser();
+        member = await userService.createUser({
+            identity: {
+                authName: "github",
+                authProviderId: "github",
+                authId: "1234",
+            },
+        });
         await os.joinOrganization(member.id, invite.id);
 
-        stranger = await userDB.newUser();
+        stranger = await userService.createUser({
+            identity: {
+                authName: "github",
+                authProviderId: "github",
+                authId: "1234",
+            },
+        });
 
-        const userService = container.get<UserService>(UserService);
-        admin = await userDB.newUser();
-        admin.rolesOrPermissions = ["admin"];
-        await userDB.storeUser(admin);
-        await userService.setAdminRole(admin.id, admin.id, true);
+        admin = await userService.createUser({
+            identity: {
+                authName: "github",
+                authProviderId: "github",
+                authId: "1234",
+            },
+        });
+        await userService.setAdminRole(BUILTIN_INSTLLATION_ADMIN_USER_ID, admin.id, true);
 
         us = container.get<UsageService>(UsageService);
         await us.getCostCenter(owner.id, org.id);

components/server/src/user/user-service.ts

@@ -118,16 +118,8 @@ export class UserService {
     }
 
     async setAdminRole(userId: string, targetUserId: string, admin: boolean): Promise<User> {
-        //TODO check if user has permission on targetUser to change admin role using auth system
-        const user = await this.userDb.findUserById(userId);
-        if (!user?.rolesOrPermissions || !user?.rolesOrPermissions.includes("admin")) {
-            throw new ApplicationError(ErrorCodes.PERMISSION_DENIED, "permission denied");
-        }
-
-        const target = await this.userDb.findUserById(targetUserId);
-        if (!target) {
-            throw new ApplicationError(ErrorCodes.NOT_FOUND, "not found");
-        }
+        await this.authorizer.checkUserPermissionAndThrow(userId, "make_admin", targetUserId);
+        const target = await this.findUserById(userId, targetUserId);
         const rolesAndPermissions = target.rolesOrPermissions || [];
         const newRoles = [...rolesAndPermissions.filter((r) => r !== "admin")];
         if (admin) {
@@ -142,13 +134,13 @@ export class UserService {
                 if (admin) {
                     await this.authorizer.addInstallationAdminRole(target.id);
                 } else {
-                    await this.authorizer.removeAdminRole(target.id);
+                    await this.authorizer.removeInstallationAdminRole(target.id);
                 }
                 return updatedUser;
             });
         } catch (err) {
             if (admin) {
-                await this.authorizer.removeAdminRole(target.id);
+                await this.authorizer.removeInstallationAdminRole(target.id);
             } else {
                 await this.authorizer.addInstallationAdminRole(target.id);
             }

components/spicedb/schema/schema.yaml

@@ -11,6 +11,7 @@ schema: |-
     permission read_info = self + container->member + container->owner + container->admin
     permission write_info = self + container->owner + container->admin
     permission suspend = self + container->owner + container->admin
+    permission make_admin = container->admin
   }
 
   // There's only one global installation