Address feedback

Author: jeanp413

components/server/src/user/gitpod-token-service.spec.db.ts

@@ -28,6 +28,12 @@ describe("GitpodTokenService", async () => {
     let stranger: User;
     let org: Organization;
 
+    const resourceAccessGuard = {
+        async canAccess() {
+            return true;
+        },
+    };
+
     beforeEach(async () => {
         container = createTestContainer();
         Experiments.configureTestingClient({
@@ -66,69 +72,110 @@ describe("GitpodTokenService", async () => {
     });
 
     it("should generate a new gitpod token", async () => {
-        const resp1 = await gs.getGitpodTokens(member.id, member.id);
+        const resp1 = await gs.getGitpodTokens(member.id, member.id, resourceAccessGuard);
         expect(resp1.length).to.equal(0);
 
-        await gs.generateNewGitpodToken(member.id, member.id, { name: "token1", type: GitpodTokenType.API_AUTH_TOKEN });
+        await gs.generateNewGitpodToken(
+            member.id,
+            member.id,
+            { name: "token1", type: GitpodTokenType.API_AUTH_TOKEN },
+            resourceAccessGuard,
+        );
 
-        const resp2 = await gs.getGitpodTokens(member.id, member.id);
+        const resp2 = await gs.getGitpodTokens(member.id, member.id, resourceAccessGuard);
         expect(resp2.length).to.equal(1);
 
-        await expectError(ErrorCodes.NOT_FOUND, gs.getGitpodTokens(stranger.id, member.id));
+        await expectError(ErrorCodes.NOT_FOUND, gs.getGitpodTokens(stranger.id, member.id, resourceAccessGuard));
         await expectError(
             ErrorCodes.NOT_FOUND,
-            gs.generateNewGitpodToken(stranger.id, member.id, { name: "token2", type: GitpodTokenType.API_AUTH_TOKEN }),
+            gs.generateNewGitpodToken(
+                stranger.id,
+                member.id,
+                { name: "token2", type: GitpodTokenType.API_AUTH_TOKEN },
+                resourceAccessGuard,
+            ),
         );
     });
 
     it("should list gitpod tokens", async () => {
-        await gs.generateNewGitpodToken(member.id, member.id, { name: "token1", type: GitpodTokenType.API_AUTH_TOKEN });
-        await gs.generateNewGitpodToken(member.id, member.id, { name: "token2", type: GitpodTokenType.API_AUTH_TOKEN });
+        await gs.generateNewGitpodToken(
+            member.id,
+            member.id,
+            { name: "token1", type: GitpodTokenType.API_AUTH_TOKEN },
+            resourceAccessGuard,
+        );
+        await gs.generateNewGitpodToken(
+            member.id,
+            member.id,
+            { name: "token2", type: GitpodTokenType.API_AUTH_TOKEN },
+            resourceAccessGuard,
+        );
 
-        const tokens = await gs.getGitpodTokens(member.id, member.id);
+        const tokens = await gs.getGitpodTokens(member.id, member.id, resourceAccessGuard);
         expect(tokens.length).to.equal(2);
         expect(tokens.some((t) => t.name === "token1")).to.be.true;
         expect(tokens.some((t) => t.name === "token2")).to.be.true;
 
-        await expectError(ErrorCodes.NOT_FOUND, gs.getGitpodTokens(stranger.id, member.id));
+        await expectError(ErrorCodes.NOT_FOUND, gs.getGitpodTokens(stranger.id, member.id, resourceAccessGuard));
     });
 
     it("should return gitpod token scopes", async () => {
-        await gs.generateNewGitpodToken(member.id, member.id, {
-            name: "token1",
-            type: GitpodTokenType.API_AUTH_TOKEN,
-            scopes: ["user:email", "read:user"],
-        });
+        await gs.generateNewGitpodToken(
+            member.id,
+            member.id,
+            {
+                name: "token1",
+                type: GitpodTokenType.API_AUTH_TOKEN,
+                scopes: ["user:email", "read:user"],
+            },
+            resourceAccessGuard,
+        );
 
-        const tokens = await gs.getGitpodTokens(member.id, member.id);
+        const tokens = await gs.getGitpodTokens(member.id, member.id, resourceAccessGuard);
         expect(tokens.length).to.equal(1);
 
-        const scopes = await gs.getGitpodTokenScopes(member.id, member.id, tokens[0].tokenHash);
+        const scopes = await gs.getGitpodTokenScopes(member.id, member.id, tokens[0].tokenHash, resourceAccessGuard);
         expect(scopes.length).to.equal(2);
         expect(scopes.some((s) => s === "user:email")).to.be.true;
         expect(scopes.some((s) => s === "read:user")).to.be.true;
 
-        await expectError(ErrorCodes.NOT_FOUND, gs.getGitpodTokenScopes(stranger.id, member.id, tokens[0].tokenHash));
+        await expectError(
+            ErrorCodes.NOT_FOUND,
+            gs.getGitpodTokenScopes(stranger.id, member.id, tokens[0].tokenHash, resourceAccessGuard),
+        );
     });
 
     it("should delete gitpod tokens", async () => {
-        await gs.generateNewGitpodToken(member.id, member.id, {
-            name: "token1",
-            type: GitpodTokenType.API_AUTH_TOKEN,
-        });
-        await gs.generateNewGitpodToken(member.id, member.id, {
-            name: "token2",
-            type: GitpodTokenType.API_AUTH_TOKEN,
-        });
+        await gs.generateNewGitpodToken(
+            member.id,
+            member.id,
+            {
+                name: "token1",
+                type: GitpodTokenType.API_AUTH_TOKEN,
+            },
+            resourceAccessGuard,
+        );
+        await gs.generateNewGitpodToken(
+            member.id,
+            member.id,
+            {
+                name: "token2",
+                type: GitpodTokenType.API_AUTH_TOKEN,
+            },
+            resourceAccessGuard,
+        );
 
-        const tokens = await gs.getGitpodTokens(member.id, member.id);
+        const tokens = await gs.getGitpodTokens(member.id, member.id, resourceAccessGuard);
         expect(tokens.length).to.equal(2);
 
-        await gs.deleteGitpodToken(member.id, member.id, tokens[0].tokenHash);
+        await gs.deleteGitpodToken(member.id, member.id, tokens[0].tokenHash, resourceAccessGuard);
 
-        const tokens2 = await gs.getGitpodTokens(member.id, member.id);
+        const tokens2 = await gs.getGitpodTokens(member.id, member.id, resourceAccessGuard);
         expect(tokens2.length).to.equal(1);
 
-        await expectError(ErrorCodes.NOT_FOUND, gs.deleteGitpodToken(stranger.id, member.id, tokens[1].tokenHash));
+        await expectError(
+            ErrorCodes.NOT_FOUND,
+            gs.deleteGitpodToken(stranger.id, member.id, tokens[1].tokenHash, resourceAccessGuard),
+        );
     });
 });

components/server/src/user/gitpod-token-service.ts

@@ -10,6 +10,8 @@ import { GitpodToken, GitpodTokenType } from "@gitpod/gitpod-protocol";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { inject, injectable } from "inversify";
 import { Authorizer } from "../authorization/authorizer";
+import { GuardedResource, ResourceAccessGuard, ResourceAccessOp } from "../auth/resource-access";
+import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 
 @injectable()
 export class GitpodTokenService {
@@ -18,16 +20,24 @@ export class GitpodTokenService {
         @inject(Authorizer) private readonly auth: Authorizer,
     ) {}
 
-    async getGitpodTokens(requestorId: string, userId: string): Promise<GitpodToken[]> {
+    async getGitpodTokens(
+        requestorId: string,
+        userId: string,
+        resouceGuardAccess: ResourceAccessGuard,
+    ): Promise<GitpodToken[]> {
         await this.auth.checkPermissionOnUser(requestorId, "read_tokens", userId);
         const res = (await this.userDB.findAllGitpodTokensOfUser(userId)).filter((v) => !v.deleted);
+        await Promise.all(
+            res.map((tkn) => this.guardAccess(resouceGuardAccess, { kind: "gitpodToken", subject: tkn }, "get")),
+        );
         return res;
     }
 
     async generateNewGitpodToken(
         requestorId: string,
         userId: string,
         options: { name?: string; type: GitpodTokenType; scopes?: string[] },
+        resouceGuardAccess: ResourceAccessGuard,
     ): Promise<string> {
         await this.auth.checkPermissionOnUser(requestorId, "write_tokens", userId);
         const token = crypto.randomBytes(30).toString("hex");
@@ -40,11 +50,17 @@ export class GitpodTokenService {
             scopes: options.scopes || [],
             created: new Date().toISOString(),
         };
+        await this.guardAccess(resouceGuardAccess, { kind: "gitpodToken", subject: dbToken }, "create");
         await this.userDB.storeGitpodToken(dbToken);
         return token;
     }
 
-    async getGitpodTokenScopes(requestorId: string, userId: string, tokenHash: string): Promise<string[]> {
+    async getGitpodTokenScopes(
+        requestorId: string,
+        userId: string,
+        tokenHash: string,
+        resouceGuardAccess: ResourceAccessGuard,
+    ): Promise<string[]> {
         await this.auth.checkPermissionOnUser(requestorId, "read_tokens", userId);
         let token: GitpodToken | undefined;
         try {
@@ -56,16 +72,36 @@ export class GitpodTokenService {
         if (!token || token.deleted) {
             return [];
         }
+        await this.guardAccess(resouceGuardAccess, { kind: "gitpodToken", subject: token }, "get");
         return token.scopes;
     }
 
-    async deleteGitpodToken(requestorId: string, userId: string, tokenHash: string): Promise<void> {
+    async deleteGitpodToken(
+        requestorId: string,
+        userId: string,
+        tokenHash: string,
+        resouceGuardAccess: ResourceAccessGuard,
+    ): Promise<void> {
         await this.auth.checkPermissionOnUser(requestorId, "write_tokens", userId);
-        const existingTokens = await this.getGitpodTokens(requestorId, userId);
+        const existingTokens = await this.getGitpodTokens(requestorId, userId, resouceGuardAccess);
         const tkn = existingTokens.find((token) => token.tokenHash === tokenHash);
         if (!tkn) {
             throw new Error(`User ${requestorId} tries to delete a token ${tokenHash} that does not exist.`);
         }
+        await this.guardAccess(resouceGuardAccess, { kind: "gitpodToken", subject: tkn }, "delete");
         await this.userDB.deleteGitpodToken(tokenHash);
     }
+
+    private async guardAccess(
+        resouceGuardAccess: ResourceAccessGuard,
+        resource: GuardedResource,
+        op: ResourceAccessOp,
+    ) {
+        if (!(await resouceGuardAccess.canAccess(resource, op))) {
+            throw new ApplicationError(
+                ErrorCodes.PERMISSION_DENIED,
+                `operation not permitted: missing ${op} permission on ${resource.kind}`,
+            );
+        }
+    }
 }

components/server/src/workspace/gitpod-server-impl.ts

@@ -2958,7 +2958,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
     public async getGitpodTokens(ctx: TraceContext): Promise<GitpodToken[]> {
         const user = await this.checkAndBlockUser("getGitpodTokens");
-        return this.gitpodTokenService.getGitpodTokens(user.id, user.id);
+        return this.gitpodTokenService.getGitpodTokens(user.id, user.id, this.resourceAccessGuard);
     }
 
     public async generateNewGitpodToken(
@@ -2968,21 +2968,21 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         traceAPIParams(ctx, { options });
 
         const user = await this.checkAndBlockUser("generateNewGitpodToken");
-        return this.gitpodTokenService.generateNewGitpodToken(user.id, user.id, options);
+        return this.gitpodTokenService.generateNewGitpodToken(user.id, user.id, options, this.resourceAccessGuard);
     }
 
     public async getGitpodTokenScopes(ctx: TraceContext, tokenHash: string): Promise<string[]> {
         traceAPIParams(ctx, {}); // do not trace tokenHash
 
         const user = await this.checkAndBlockUser("getGitpodTokenScopes");
-        return this.gitpodTokenService.getGitpodTokenScopes(user.id, user.id, tokenHash);
+        return this.gitpodTokenService.getGitpodTokenScopes(user.id, user.id, tokenHash, this.resourceAccessGuard);
     }
 
     public async deleteGitpodToken(ctx: TraceContext, tokenHash: string): Promise<void> {
         traceAPIParams(ctx, {}); // do not trace tokenHash
 
         const user = await this.checkAndBlockUser("deleteGitpodToken");
-        return this.gitpodTokenService.deleteGitpodToken(user.id, user.id, tokenHash);
+        return this.gitpodTokenService.deleteGitpodToken(user.id, user.id, tokenHash, this.resourceAccessGuard);
     }
 
     async guessGitTokenScopes(ctx: TraceContext, params: GuessGitTokenScopesParams): Promise<GuessedGitTokenScopes> {