[server] WorkspaceService.getWorkspace(s)

geropl · geropl · commit eaf66ba55ec1 · 2023-08-22T07:07:21.000Z
diff --git a/components/server/src/workspace/gitpod-server-impl.ts b/components/server/src/workspace/gitpod-server-impl.ts
@@ -846,26 +846,26 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const user = await this.checkUser("getWorkspace");
 
-        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
-        const latestInstancePromise = this.workspaceDb.trace(ctx).findCurrentInstance(workspaceId);
-        const teamMembers = await this.organizationService.listMembers(user.id, workspace.organizationId);
-        await this.guardAccess({ kind: "workspace", subject: workspace, teamMembers: teamMembers }, "get");
-        const latestInstance = await latestInstancePromise;
-        if (!!latestInstance) {
-            await this.guardAccess(
-                {
-                    kind: "workspaceInstance",
-                    subject: latestInstance,
-                    workspace,
-                    teamMembers,
-                },
-                "get",
-            );
-        }
+        const result = await this.workspaceService.getWorkspace(user.id, workspaceId, async (workspace, instance) => {
+            if (instance) {
+                const teamMembers = await this.organizationService.listMembers(user.id, workspace.organizationId);
+                await this.guardAccess(
+                    {
+                        kind: "workspaceInstance",
+                        subject: instance,
+                        workspace,
+                        teamMembers,
+                    },
+                    "get",
+                );
+            } else {
+                return this.guardAccess({ kind: "workspace", subject: workspace }, "get");
+            }
+        });
 
         return {
-            workspace,
-            latestInstance: this.censorInstance(latestInstance),
+            ...result,
+            latestInstance: this.censorInstance(result.latestInstance),
         };
     }
 
@@ -876,10 +876,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         const user = await this.checkAndBlockUser("getOwnerToken");
 
         //TODO this requests are only here to populate the resource guard check
-        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
-        if (!workspace) {
-            throw new Error("owner token not found");
-        }
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
         await this.guardAccess({ kind: "workspace", subject: workspace }, "get");
 
         const latestInstance = await this.workspaceService.getCurrentInstance(user.id, workspaceId);
@@ -895,7 +892,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         const user = await this.checkAndBlockUser("getIDECredentials");
 
         //TODO this requests are only here to populate the resource guard check
-        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
         await this.guardAccess({ kind: "workspace", subject: workspace }, "get");
 
         return await this.workspaceService.getIDECredentials(user.id, workspaceId);
@@ -912,7 +909,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         const user = await this.checkAndBlockUser("startWorkspace", undefined, { workspaceId });
 
         // (gpl) We keep this check here for backwards compatibility, it should be superfluous in the future
-        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
         await this.guardAccess({ kind: "workspace", subject: workspace }, "get");
 
         // (gpl) We keep this check here for backwards compatibility, it should be superfluous in the future
@@ -951,7 +948,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         const user = await this.checkUser("stopWorkspace", undefined, { workspaceId });
         const logCtx = { userId: user.id, workspaceId };
 
-        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
         if (workspace.type === "prebuild") {
             // If this is a team prebuild, any team member can stop it.
             const teamMembers = await this.organizationService.listMembers(user.id, workspace.organizationId);
@@ -1031,22 +1028,22 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const user = await this.checkAndBlockUser("updateWorkspaceUserPin");
 
-        const ws = await this.workspaceService.getWorkspace(user.id, workspaceId);
-        await this.guardAccess({ kind: "workspace", subject: ws }, "update");
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        await this.guardAccess({ kind: "workspace", subject: workspace }, "update");
 
         switch (action) {
             case "pin":
-                ws.pinned = true;
+                workspace.pinned = true;
                 break;
             case "unpin":
-                ws.pinned = false;
+                workspace.pinned = false;
                 break;
             case "toggle":
-                ws.pinned = !ws.pinned;
+                workspace.pinned = !workspace.pinned;
                 break;
         }
 
-        await this.workspaceService.setPinned(user.id, ws.id, ws.pinned);
+        await this.workspaceService.setPinned(user.id, workspace.id, workspace.pinned);
     }
 
     public async deleteWorkspace(ctx: TraceContext, workspaceId: string): Promise<void> {
@@ -1055,8 +1052,8 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const user = await this.checkAndBlockUser("deleteWorkspace");
 
-        const ws = await this.workspaceService.getWorkspace(user.id, workspaceId);
-        await this.guardAccess({ kind: "workspace", subject: ws }, "delete");
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        await this.guardAccess({ kind: "workspace", subject: workspace }, "delete");
 
         await this.workspaceService.deleteWorkspace(user.id, workspaceId, "user");
     }
@@ -1067,7 +1064,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const user = await this.checkAndBlockUser("setWorkspaceDescription");
 
-        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
         await this.guardAccess({ kind: "workspace", subject: workspace }, "update");
 
         await this.workspaceService.setDescription(user.id, workspaceId, description);
@@ -1081,22 +1078,13 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const user = await this.checkUser("getWorkspaces");
 
-        const res = await this.workspaceDb.trace(ctx).find({
-            limit: 20,
-            ...options,
-            userId: user.id,
-            includeHeadless: false,
+        return this.workspaceService.getWorkspaces(user.id, options, async (workspace, instance) => {
+            if (instance) {
+                return this.guardAccess({ kind: "workspaceInstance", subject: instance, workspace: workspace }, "get");
+            } else {
+                return this.guardAccess({ kind: "workspace", subject: workspace }, "get");
+            }
         });
-        await Promise.all(res.map((ws) => this.guardAccess({ kind: "workspace", subject: ws.workspace }, "get")));
-        await Promise.all(
-            res.map((ws) =>
-                this.guardAccess(
-                    { kind: "workspaceInstance", subject: ws.latestInstance, workspace: ws.workspace },
-                    "get",
-                ),
-            ),
-        );
-        return res;
     }
 
     public async isWorkspaceOwner(ctx: TraceContext, workspaceId: string): Promise<boolean> {
@@ -1105,7 +1093,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const user = await this.checkUser("isWorkspaceOwner", undefined, { workspaceId });
 
-        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
         await this.guardAccess({ kind: "workspace", subject: workspace }, "get");
         return user.id == workspace.ownerId;
     }
@@ -1128,7 +1116,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const user = await this.checkUser("getWorkspaceOwner");
 
-        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
         await this.guardAccess({ kind: "workspace", subject: workspace }, "get");
 
         try {
@@ -1149,7 +1137,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const user = await this.checkAndBlockUser("getWorkspaceUsers", undefined, { workspaceId });
 
-        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
         await this.guardAccess({ kind: "workspace", subject: workspace }, "get");
 
         // Note: there's no need to try and guard the users below, they're not complete users but just enough to
@@ -1800,7 +1788,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const user = await this.checkAndBlockUser("updateGitStatus");
 
-        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
         const instance = await this.workspaceService.getCurrentInstance(user.id, workspaceId);
         traceWI(ctx, { instanceId: instance.id });
         await this.guardAccess({ kind: "workspaceInstance", subject: instance, workspace }, "update");
@@ -1818,7 +1806,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const user = await this.checkAndBlockUser("openPort");
 
-        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
         const runningInstance = await this.workspaceDb.trace(ctx).findRunningInstance(workspaceId);
         if (!runningInstance) {
             log.debug({ userId: user.id, workspaceId }, "Cannot open port for workspace with no running instance", {
@@ -1894,7 +1882,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         user: User,
         workspaceId: string,
     ): Promise<{ workspace: Workspace; instance: WorkspaceInstance | undefined }> {
-        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
 
         const instance = await this.workspaceDb.trace(ctx).findRunningInstance(workspaceId);
         return { instance, workspace };
@@ -2017,7 +2005,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
     async getWorkspaceEnvVars(ctx: TraceContext, workspaceId: string): Promise<EnvVarWithValue[]> {
         const user = await this.checkUser("getWorkspaceEnvVars");
-        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        const { workspace } = await this.workspaceService.getWorkspace(user.id, workspaceId);
         await this.guardAccess({ kind: "workspace", subject: workspace }, "get");
         const envVars = await this.envVarService.resolveEnvVariables(
             workspace.ownerId,
diff --git a/components/server/src/workspace/workspace-service.spec.db.ts b/components/server/src/workspace/workspace-service.spec.db.ts
@@ -183,8 +183,8 @@ describe("WorkspaceService", async () => {
         const svc = container.get(WorkspaceService);
         const ws = await createTestWorkspace(svc, org, owner, project);
 
-        const foundWorkspace = await svc.getWorkspace(owner.id, ws.id);
-        expect(foundWorkspace?.id).to.equal(ws.id);
+        const { workspace: ownerWs } = await svc.getWorkspace(owner.id, ws.id);
+        expect(ownerWs.id).to.equal(ws.id);
 
         await expectError(ErrorCodes.PERMISSION_DENIED, svc.getWorkspace(member.id, ws.id));
         await expectError(ErrorCodes.NOT_FOUND, svc.getWorkspace(stranger.id, ws.id));
@@ -196,14 +196,45 @@ describe("WorkspaceService", async () => {
 
         await svc.controlAdmission(owner.id, ws.id, "everyone");
 
-        const foundWorkspace = await svc.getWorkspace(owner.id, ws.id);
-        expect(foundWorkspace?.id, "owner has access to shared workspace").to.equal(ws.id);
+        const { workspace: ownerWs } = await svc.getWorkspace(owner.id, ws.id);
+        expect(ownerWs.id, "owner has access to shared workspace").to.equal(ws.id);
 
-        const memberFoundWorkspace = await svc.getWorkspace(member.id, ws.id);
-        expect(memberFoundWorkspace?.id, "member has access to shared workspace").to.equal(ws.id);
+        const { workspace: memberWs } = await svc.getWorkspace(member.id, ws.id);
+        expect(memberWs.id, "member has access to shared workspace").to.equal(ws.id);
 
-        const strangerFoundWorkspace = await svc.getWorkspace(stranger.id, ws.id);
-        expect(strangerFoundWorkspace?.id, "stranger has access to shared workspace").to.equal(ws.id);
+        const { workspace: strangerWs } = await svc.getWorkspace(stranger.id, ws.id);
+        expect(strangerWs.id, "stranger has access to shared workspace").to.equal(ws.id);
+    });
+
+    it("should getWorkspaces", async () => {
+        const svc = container.get(WorkspaceService);
+        await createTestWorkspace(svc, org, owner, project);
+
+        const ownerResult = await svc.getWorkspaces(owner.id, {});
+        expect(ownerResult).to.have.lengthOf(1);
+
+        const memberResult = await svc.getWorkspaces(member.id, {});
+        expect(memberResult).to.have.lengthOf(0);
+
+        const strangerResult = await svc.getWorkspaces(stranger.id, {});
+        expect(strangerResult).to.have.lengthOf(0);
+    });
+
+    it("should getWorkspaces - shared", async () => {
+        const svc = container.get(WorkspaceService);
+        const ws = await createTestWorkspace(svc, org, owner, project);
+
+        await svc.controlAdmission(owner.id, ws.id, "everyone");
+
+        const ownerResult = await svc.getWorkspaces(owner.id, {});
+        expect(ownerResult, "owner").to.have.lengthOf(1);
+
+        // getWorkspaces is limited to the user's own workspaces atm
+        const memberResult = await svc.getWorkspaces(member.id, {});
+        expect(memberResult, "member").to.have.lengthOf(0);
+
+        const strangerResult = await svc.getWorkspaces(stranger.id, {});
+        expect(strangerResult, "stranger").to.have.lengthOf(0);
     });
 
     it("should getOwnerToken", async () => {
@@ -299,7 +330,7 @@ describe("WorkspaceService", async () => {
         //     svc.getWorkspace(owner.id, ws.id),
         //     "getWorkspace should return NOT_FOUND after deletion",
         // );
-        const ws2 = await svc.getWorkspace(owner.id, ws.id);
+        const { workspace: ws2 } = await svc.getWorkspace(owner.id, ws.id);
         expect(ws2.softDeleted, "workspace should be marked as 'softDeleted'").to.equal("user");
     });
 
@@ -353,7 +384,7 @@ describe("WorkspaceService", async () => {
 
         await expectError(ErrorCodes.NOT_FOUND, svc.setPinned(stranger.id, ws.id, true));
         await svc.setPinned(owner.id, ws.id, true);
-        const ws2 = await svc.getWorkspace(owner.id, ws.id);
+        const { workspace: ws2 } = await svc.getWorkspace(owner.id, ws.id);
         expect(ws2.pinned, "workspace should be pinned").to.equal(true);
     });
 
@@ -363,7 +394,7 @@ describe("WorkspaceService", async () => {
         const desc = "Some description";
 
         await svc.setDescription(owner.id, ws.id, desc);
-        const ws2 = await svc.getWorkspace(owner.id, ws.id);
+        const { workspace: ws2 } = await svc.getWorkspace(owner.id, ws.id);
         expect(ws2.description).to.equal(desc);
 
         await expectError(ErrorCodes.NOT_FOUND, svc.setDescription(stranger.id, ws.id, desc));
@@ -516,7 +547,7 @@ describe("WorkspaceService", async () => {
 
         // owner can share workspace
         await svc.controlAdmission(owner.id, ws.id, "everyone");
-        const wsActual = await svc.getWorkspace(owner.id, ws.id);
+        const { workspace: wsActual } = await svc.getWorkspace(owner.id, ws.id);
         expect(wsActual.shareable, "owner should be able to share by default").to.equal(true);
     });
 
@@ -540,7 +571,7 @@ describe("WorkspaceService", async () => {
             "invalid admission level should fail",
         );
 
-        const wsActual = await svc.getWorkspace(owner.id, ws.id);
+        const { workspace: wsActual } = await svc.getWorkspace(owner.id, ws.id);
         expect(!!wsActual.shareable, "shareable should still be false").to.equal(false);
     });
 
diff --git a/components/server/src/workspace/workspace-service.ts b/components/server/src/workspace/workspace-service.ts
