[server] extract tested usage-service (#18260)

* [server] extract tested usage-service

* Fix runner removal script

---------

Co-authored-by: Alejandro de Brito Fontes <[email protected]>

Author: svenefftinge

.github/workflows/remove_runner.yml

@@ -31,7 +31,7 @@ jobs:
 
           gcloud auth activate-service-account --key-file ${{ steps.auth.outputs.credentials_file_path }}
           if [ -z "$(gcloud compute instances list | grep "${{ inputs.runner-label }}")" ]; then
-            // vm is gone
+            # vm is gone
             exit 0
           fi
 

components/server/package.json

@@ -16,17 +16,17 @@
     "clean": "rimraf dist",
     "clean:node": "rimraf node_modules",
     "purge": "yarn clean && yarn clean:node && yarn run rimraf yarn.lock",
-    "test": ". $(leeway run components/gitpod-db:db-test-env) && yarn test:unit && yarn start-services && yarn test:db && yarn stop-services",
+    "test": "cleanup() { echo 'Cleanup started'; yarn stop-services; }; trap cleanup EXIT; . $(leeway run components/gitpod-db:db-test-env) && yarn test:unit && yarn start-services && yarn test:db",
     "test:unit": "TS_NODE_FILES=true mocha --opts mocha.opts './**/*.spec.ts' --exclude './node_modules/**'",
     "test:db": "TS_NODE_FILES=true mocha --opts mocha.opts './**/*.spec.db.ts' --exclude './node_modules/**'",
     "start-services": "yarn start-testdb && yarn start-redis && yarn start-spicedb",
     "stop-services": "yarn stop-testdb && yarn stop-redis && yarn stop-spicedb",
     "start-testdb": "leeway run components/gitpod-db:init-testdb",
     "stop-testdb": "docker stop test-mysql || true && docker rm test-mysql || true",
-    "start-spicedb": "if netstat -tuln | grep ':50051 '; then echo '`spicedb serve-testing` is already running.'; else spicedb serve-testing --load-configs components-spicedb--lib/schema/schema.yaml  & fi",
-    "stop-spicedb": "PID=$(lsof -t -i:50051); if [ -z \"$PID\" ]; then echo '`spicedb serve-testing` is not running'; else kill -INT $PID && echo 'Stopped `spicedb serve-testing`'; fi",
-    "start-redis": "if netstat -tuln | grep ':6379 '; then echo 'Redis is already running.'; else docker run --name test-redis -p 6379:6379 -d redis; fi",
-    "stop-redis": "docker stop test-redis || true && docker stop test-redis && docker rm test-redis",
+    "start-spicedb": "leeway run components/spicedb:start-spicedb",
+    "stop-spicedb": "leeway run components/spicedb:stop-spicedb",
+    "start-redis": "if netstat -tuln | grep ':6379 '; then echo 'Redis is already running.'; else docker run --rm --name test-redis -p 6379:6379 -d redis; fi",
+    "stop-redis": "docker stop test-redis || true",
     "telepresence": "telepresence --swap-deployment server --method inject-tcp --run yarn start-inspect"
   },
   "files": [

components/server/src/authorization/authorizer.ts

@@ -17,6 +17,7 @@ import {
 } from "./definitions";
 import { SpiceDBAuthorizer } from "./spicedb-authorizer";
 import { Organization, TeamMemberInfo, Project, TeamMemberRole } from "@gitpod/gitpod-protocol";
+import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 
 @injectable()
 export class Authorizer {
@@ -40,6 +41,21 @@ export class Authorizer {
         return this.authorizer.check(req, { orgID: orgId });
     }
 
+    async checkOrgPermissionAndThrow(userId: string, permission: OrganizationPermission, orgId: string) {
+        if (await this.hasPermissionOnOrganization(userId, permission, orgId)) {
+            return;
+        }
+        // check if the user has read permission
+        if ("read_info" === permission || !(await this.hasPermissionOnOrganization(userId, "read_info", orgId))) {
+            throw new ApplicationError(ErrorCodes.NOT_FOUND, `Organization ${orgId} not found.`);
+        }
+
+        throw new ApplicationError(
+            ErrorCodes.PERMISSION_DENIED,
+            `You do not have ${permission} on organization ${orgId}`,
+        );
+    }
+
     async hasPermissionOnProject(userId: string, permission: ProjectPermission, project: Project): Promise<boolean> {
         const req = v1.CheckPermissionRequest.create({
             subject: subject("user", userId),

components/server/src/authorization/definitions.ts

@@ -35,6 +35,7 @@ export type OrganizationPermission =
     | "read_git_provider"
     | "write_git_provider"
     | "read_billing"
-    | "write_billing";
+    | "write_billing"
+    | "write_billing_admin";
 export type ProjectPermission = "write_info" | "read_info" | "delete";
 export type Permission = OrganizationPermission;

components/server/src/authorization/spicedb-authorizer.ts

@@ -22,6 +22,14 @@ export class SpiceDBAuthorizer {
         private client: SpiceDBClient,
     ) {}
 
+    /**
+     * @deprecated only for testing
+     */
+    async logRelationships() {
+        //        const resources = await this.client?.readRelationships({});
+        //log.info(JSON.stringify(resources, undefined, 2));
+    }
+
     async check(
         req: v1.CheckPermissionRequest,
         experimentsFields?: {

components/server/src/billing/billing-mode.spec.db.ts

@@ -6,42 +6,31 @@
 
 import { inject, injectable } from "inversify";
 
-import { Team, User } from "@gitpod/gitpod-protocol";
+import { User } from "@gitpod/gitpod-protocol";
 import { Config } from "../config";
 import { BillingMode } from "@gitpod/gitpod-protocol/lib/billing-mode";
-import { TeamDB, UserDB } from "@gitpod/gitpod-db/lib";
-import { AttributionId } from "@gitpod/gitpod-protocol/lib/attribution";
 import { CostCenter_BillingStrategy } from "@gitpod/usage-api/lib/usage/v1/usage.pb";
 import { UsageService } from "../orgs/usage-service";
 
-export const BillingModes = Symbol("BillingModes");
-export interface BillingModes {
-    getBillingMode(attributionId: AttributionId, now: Date): Promise<BillingMode>;
-    getBillingModeForUser(user: User, now: Date): Promise<BillingMode>;
-    getBillingModeForTeam(team: Team, now: Date): Promise<BillingMode>;
-}
-
 /**
  * Decides on a per org (legcay: also per-user) basis which BillingMode to use: "none" or "usage-based"
  */
 @injectable()
-export class BillingModesImpl implements BillingModes {
-    @inject(Config) protected readonly config: Config;
-    @inject(UsageService) protected readonly usageService: UsageService;
-    @inject(TeamDB) protected readonly teamDB: TeamDB;
-    @inject(UserDB) protected readonly userDB: UserDB;
+export class BillingModes {
+    constructor(
+        @inject(Config) private readonly config: Config,
+        @inject(UsageService) private readonly usageService: UsageService,
+    ) {}
 
-    public async getBillingMode(attributionId: AttributionId, now: Date): Promise<BillingMode> {
-        switch (attributionId.kind) {
-            case "team":
-                const team = await this.teamDB.findTeamById(attributionId.teamId);
-                if (!team) {
-                    throw new Error(`Cannot find team with id '${attributionId.teamId}'!`);
-                }
-                return this.getBillingModeForTeam(team, now);
-            default:
-                throw new Error("Invalid attributionId.");
+    public async getBillingMode(userId: string, organizationId: string, now: Date): Promise<BillingMode> {
+        if (!this.config.enablePayment) {
+            // Payment is not enabled. E.g. Dedicated
+            return { mode: "none" };
         }
+
+        const { billingStrategy } = await this.usageService.getCostCenter(userId, organizationId);
+        const paid = billingStrategy === CostCenter_BillingStrategy.BILLING_STRATEGY_STRIPE;
+        return { mode: "usage-based", paid };
     }
 
     async getBillingModeForUser(user: User, now: Date): Promise<BillingMode> {
@@ -55,15 +44,4 @@ export class BillingModesImpl implements BillingModes {
             mode: "usage-based",
         };
     }
-
-    async getBillingModeForTeam(team: Team, _now: Date): Promise<BillingMode> {
-        if (!this.config.enablePayment) {
-            // Payment is not enabled. E.g. Dedicated
-            return { mode: "none" };
-        }
-
-        const billingStrategy = await this.usageService.getCurrentBillingStategy(AttributionId.create(team));
-        const paid = billingStrategy === CostCenter_BillingStrategy.BILLING_STRATEGY_STRIPE;
-        return { mode: "usage-based", paid };
-    }
 }

components/server/src/billing/billing-mode.ts

@@ -125,7 +125,7 @@ export class EntitlementServiceUBP implements EntitlementService {
         // Member of paid team?
         const teams = await this.teamDB.findTeamsByUser(user.id);
         const isTeamSubscribedPromises = teams.map(async (team: Team) => {
-            const billingStrategy = await this.usageService.getCurrentBillingStategy(AttributionId.create(team));
+            const { billingStrategy } = await this.usageService.getCostCenter(user.id, team.id);
             return billingStrategy === CostCenter_BillingStrategy.BILLING_STRATEGY_STRIPE;
         });
         // Return the first truthy promise, or false if all the promises were falsy.

components/server/src/billing/entitlement-service-ubp.ts

@@ -53,7 +53,7 @@ import { LoginCompletionHandler } from "./auth/login-completion-handler";
 import { VerificationService } from "./auth/verification-service";
 import { Authorizer } from "./authorization/authorizer";
 import { SpiceDBClient, spicedbClientFromEnv } from "./authorization/spicedb";
-import { BillingModes, BillingModesImpl } from "./billing/billing-mode";
+import { BillingModes } from "./billing/billing-mode";
 import { EntitlementService, EntitlementServiceImpl } from "./billing/entitlement-service";
 import { EntitlementServiceUBP } from "./billing/entitlement-service-ubp";
 import { BitbucketAppSupport } from "./bitbucket/bitbucket-app-support";
@@ -345,7 +345,7 @@ export const productionContainerModule = new ContainerModule(
         bind(EntitlementServiceUBP).toSelf().inSingletonScope();
         bind(EntitlementServiceImpl).toSelf().inSingletonScope();
         bind(EntitlementService).to(EntitlementServiceImpl).inSingletonScope();
-        bind(BillingModes).to(BillingModesImpl).inSingletonScope();
+        bind(BillingModes).toSelf().inSingletonScope();
 
         // Periodic jobs
         bind(WorkspaceGarbageCollector).toSelf().inSingletonScope();