💄

jeanp413 · jeanp413 · commit da74d6f1ac09 · 2023-08-15T16:44:34.000Z
diff --git a/components/server/src/user/gitpod-token-service.ts b/components/server/src/user/gitpod-token-service.ts
@@ -10,8 +10,6 @@ import { GitpodToken, GitpodTokenType } from "@gitpod/gitpod-protocol";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { inject, injectable } from "inversify";
 import { Authorizer } from "../authorization/authorizer";
-import { GuardedResource, ResourceAccessGuard, ResourceAccessOp } from "../auth/resource-access";
-import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 
 @injectable()
 export class GitpodTokenService {
@@ -23,21 +21,21 @@ export class GitpodTokenService {
     async getGitpodTokens(
         requestorId: string,
         userId: string,
-        resouceGuardAccess: ResourceAccessGuard,
+        oldPermissionCheck?: (token: GitpodToken) => Promise<void>, // @deprecated
     ): Promise<GitpodToken[]> {
         await this.auth.checkPermissionOnUser(requestorId, "read_tokens", userId);
         const res = (await this.userDB.findAllGitpodTokensOfUser(userId)).filter((v) => !v.deleted);
-        await Promise.all(
-            res.map((tkn) => this.guardAccess(resouceGuardAccess, { kind: "gitpodToken", subject: tkn }, "get")),
-        );
+        if (oldPermissionCheck) {
+            await Promise.all(res.map((tkn) => oldPermissionCheck(tkn)));
+        }
         return res;
     }
 
     async generateNewGitpodToken(
         requestorId: string,
         userId: string,
         options: { name?: string; type: GitpodTokenType; scopes?: string[] },
-        resouceGuardAccess: ResourceAccessGuard,
+        oldPermissionCheck?: (dbToken: DBGitpodToken) => Promise<void>, // @deprecated
     ): Promise<string> {
         await this.auth.checkPermissionOnUser(requestorId, "write_tokens", userId);
         const token = crypto.randomBytes(30).toString("hex");
@@ -50,7 +48,9 @@ export class GitpodTokenService {
             scopes: options.scopes || [],
             created: new Date().toISOString(),
         };
-        await this.guardAccess(resouceGuardAccess, { kind: "gitpodToken", subject: dbToken }, "create");
+        if (oldPermissionCheck) {
+            await oldPermissionCheck(dbToken);
+        }
         await this.userDB.storeGitpodToken(dbToken);
         return token;
     }
@@ -59,7 +59,7 @@ export class GitpodTokenService {
         requestorId: string,
         userId: string,
         tokenHash: string,
-        resouceGuardAccess: ResourceAccessGuard,
+        oldPermissionCheck?: (token: GitpodToken) => Promise<void>, // @deprecated
     ): Promise<string[]> {
         await this.auth.checkPermissionOnUser(requestorId, "read_tokens", userId);
         let token: GitpodToken | undefined;
@@ -72,39 +72,27 @@ export class GitpodTokenService {
         if (!token || token.deleted) {
             return [];
         }
-        await this.guardAccess(resouceGuardAccess, { kind: "gitpodToken", subject: token }, "get");
+        if (oldPermissionCheck) {
+            await oldPermissionCheck(token);
+        }
         return token.scopes;
     }
 
     async deleteGitpodToken(
         requestorId: string,
         userId: string,
         tokenHash: string,
-        resouceGuardAccess: ResourceAccessGuard,
+        oldPermissionCheck?: (token: GitpodToken) => Promise<void>, // @deprecated
     ): Promise<void> {
         await this.auth.checkPermissionOnUser(requestorId, "write_tokens", userId);
-        const existingTokens = await this.getGitpodTokens(requestorId, userId, resouceGuardAccess);
+        const existingTokens = await this.getGitpodTokens(requestorId, userId, oldPermissionCheck);
         const tkn = existingTokens.find((token) => token.tokenHash === tokenHash);
         if (!tkn) {
             throw new Error(`User ${requestorId} tries to delete a token ${tokenHash} that does not exist.`);
         }
-        await this.guardAccess(resouceGuardAccess, { kind: "gitpodToken", subject: tkn }, "delete");
-        await this.userDB.deleteGitpodToken(tokenHash);
-    }
-
-    /**
-     * @deprecated Will be removed in the near future
-     */
-    private async guardAccess(
-        resouceGuardAccess: ResourceAccessGuard,
-        resource: GuardedResource,
-        op: ResourceAccessOp,
-    ) {
-        if (!(await resouceGuardAccess.canAccess(resource, op))) {
-            throw new ApplicationError(
-                ErrorCodes.PERMISSION_DENIED,
-                `operation not permitted: missing ${op} permission on ${resource.kind}`,
-            );
+        if (oldPermissionCheck) {
+            await oldPermissionCheck(tkn);
         }
+        await this.userDB.deleteGitpodToken(tokenHash);
     }
 }
diff --git a/components/server/src/workspace/gitpod-server-impl.ts b/components/server/src/workspace/gitpod-server-impl.ts
@@ -13,6 +13,7 @@ import {
     EmailDomainFilterDB,
     TeamDB,
     RedisPublisher,
+    DBGitpodToken,
 } from "@gitpod/gitpod-db/lib";
 import { BlockedRepositoryDB } from "@gitpod/gitpod-db/lib/blocked-repository-db";
 import {
@@ -2892,7 +2893,9 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
     public async getGitpodTokens(ctx: TraceContext): Promise<GitpodToken[]> {
         const user = await this.checkAndBlockUser("getGitpodTokens");
-        return this.gitpodTokenService.getGitpodTokens(user.id, user.id, this.resourceAccessGuard);
+        return this.gitpodTokenService.getGitpodTokens(user.id, user.id, (token: GitpodToken) => {
+            return this.guardAccess({ kind: "gitpodToken", subject: token }, "get");
+        });
     }
 
     public async generateNewGitpodToken(
@@ -2902,21 +2905,27 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         traceAPIParams(ctx, { options });
 
         const user = await this.checkAndBlockUser("generateNewGitpodToken");
-        return this.gitpodTokenService.generateNewGitpodToken(user.id, user.id, options, this.resourceAccessGuard);
+        return this.gitpodTokenService.generateNewGitpodToken(user.id, user.id, options, (dbToken: DBGitpodToken) => {
+            return this.guardAccess({ kind: "gitpodToken", subject: dbToken }, "create");
+        });
     }
 
     public async getGitpodTokenScopes(ctx: TraceContext, tokenHash: string): Promise<string[]> {
         traceAPIParams(ctx, {}); // do not trace tokenHash
 
         const user = await this.checkAndBlockUser("getGitpodTokenScopes");
-        return this.gitpodTokenService.getGitpodTokenScopes(user.id, user.id, tokenHash, this.resourceAccessGuard);
+        return this.gitpodTokenService.getGitpodTokenScopes(user.id, user.id, tokenHash, (token: GitpodToken) => {
+            return this.guardAccess({ kind: "gitpodToken", subject: token }, "get");
+        });
     }
 
     public async deleteGitpodToken(ctx: TraceContext, tokenHash: string): Promise<void> {
         traceAPIParams(ctx, {}); // do not trace tokenHash
 
         const user = await this.checkAndBlockUser("deleteGitpodToken");
-        return this.gitpodTokenService.deleteGitpodToken(user.id, user.id, tokenHash, this.resourceAccessGuard);
+        return this.gitpodTokenService.deleteGitpodToken(user.id, user.id, tokenHash, (token: GitpodToken) => {
+            return this.guardAccess({ kind: "gitpodToken", subject: token }, "delete");
+        });
     }
 
     async guessGitTokenScopes(ctx: TraceContext, params: GuessGitTokenScopesParams): Promise<GuessedGitTokenScopes> {
