[fga] prebuild access (#18560)

svenefftinge · web-flow · commit e234839ba842 · 2023-08-21T16:55:47.000+02:00
diff --git a/components/server/src/workspace/gitpod-server-impl.ts b/components/server/src/workspace/gitpod-server-impl.ts
@@ -530,7 +530,23 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
     private forwardInstanceUpdateToClient(ctx: TraceContext, instance: WorkspaceInstance) {
         // gpl: We decided against tracing updates here, because it create far too much noise (cmp. history)
-        this.client?.onInstanceUpdate(this.censorInstance(instance));
+        if (this.userID) {
+            this.workspaceService
+                .getWorkspace(this.userID, instance.workspaceId)
+                .then((ws) => {
+                    this.client?.onInstanceUpdate(this.censorInstance(instance));
+                })
+                .catch((err) => {
+                    if (
+                        ApplicationError.hasErrorCode(err) &&
+                        (err.code === ErrorCodes.NOT_FOUND || err.code === ErrorCodes.PERMISSION_DENIED)
+                    ) {
+                        // ignore
+                    } else {
+                        log.error("error forwarding instance update to client", err);
+                    }
+                });
+        }
     }
 
     setClient(ctx: TraceContext, client: GitpodApiClient | undefined): void {
@@ -1197,12 +1213,16 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     public async isPrebuildDone(ctx: TraceContext, pwsId: string): Promise<boolean> {
         traceAPIParams(ctx, { pwsId });
 
+        const user = await this.checkUser("isPrebuildDone");
+
         const pws = await this.workspaceDb.trace(ctx).findPrebuildByID(pwsId);
-        if (!pws) {
+        if (!pws || !pws.projectId) {
             // there is no prebuild - that's as good one being done
             return true;
         }
 
+        await this.auth.checkPermissionOnProject(user.id, "read_prebuild", pws.projectId);
+
         return PrebuiltWorkspace.isDone(pws);
     }
 
@@ -1486,6 +1506,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const project = await this.projectsService.getProject(user.id, projectId);
         await this.guardProjectOperation(user, projectId, "get");
+        await this.auth.checkPermissionOnProject(user.id, "read_prebuild", projectId);
 
         const events = await this.projectsService.getPrebuildEvents(user.id, project.cloneUrl);
         return events;
diff --git a/components/server/src/workspace/workspace-service.ts b/components/server/src/workspace/workspace-service.ts
@@ -134,9 +134,14 @@ export class WorkspaceService {
 
     // Internal method for allowing for additional DBs to be passed in
     private async doGetWorkspace(userId: string, workspaceId: string, db: WorkspaceDB = this.db): Promise<Workspace> {
-        await this.auth.checkPermissionOnWorkspace(userId, "access", workspaceId);
-
         const workspace = await db.findById(workspaceId);
+
+        if (workspace?.type === "prebuild" && workspace.projectId) {
+            await this.auth.checkPermissionOnProject(userId, "read_prebuild", workspace.projectId);
+        } else {
+            await this.auth.checkPermissionOnWorkspace(userId, "access", workspaceId);
+        }
+
         // TODO(gpl) We might want to add || !!workspace.softDeleted here in the future, but we were unsure how that would affect existing clients
         // In order to reduce risk, we leave it for a future changeset.
         if (!workspace || workspace.deleted) {
@@ -678,9 +683,13 @@ export class WorkspaceService {
     ): Promise<HeadlessLogUrls> {
         const workspace = await this.db.findByInstanceId(instanceId);
         if (!workspace) {
-            throw new ApplicationError(ErrorCodes.NOT_FOUND, `Workspace for instanceId ${instanceId} not found`);
+            throw new ApplicationError(ErrorCodes.NOT_FOUND, `Prebuild for instanceId ${instanceId} not found`);
         }
-        await this.auth.checkPermissionOnWorkspace(userId, "access", workspace.id);
+        if (workspace.type !== "prebuild" || !workspace.projectId) {
+            throw new ApplicationError(ErrorCodes.CONFLICT, `Workspace is not a prebuild`);
+        }
+
+        await this.auth.checkPermissionOnProject(userId, "read_prebuild", workspace.projectId);
 
         const wsiPromise = this.db.findInstanceById(instanceId);
         await check(workspace);
@@ -703,8 +712,8 @@ export class WorkspaceService {
         workspaceId: string,
         client: Pick<GitpodClient, "onWorkspaceImageBuildLogs">,
     ): Promise<void> {
-        await this.auth.checkPermissionOnWorkspace(userId, "access", workspaceId);
-
+        // check access
+        await this.getWorkspace(userId, workspaceId);
         const logCtx: LogContext = { userId, workspaceId };
         let instance = await this.db.findCurrentInstance(workspaceId);
         if (!instance || instance.status.phase === "stopped") {
