[fga] Introduce sshkeyservice (#18479)

* Introduce sshkeyservice

* Add read_ssh and write_ssh permissions

* add requestorId to sshkeyservice

---------

Co-authored-by: svenefftinge <[email protected]>

Author: jeanp413

components/server/src/authorization/definitions.ts

@@ -32,7 +32,7 @@ export type UserResourceType = "user";
 
 export type UserRelation = "self" | "organization" | "installation";
 
-export type UserPermission = "read_info" | "write_info" | "make_admin";
+export type UserPermission = "read_info" | "write_info" | "make_admin" | "read_ssh" | "write_ssh";
 
 export type InstallationResourceType = "installation";
 

components/server/src/container-module.ts

@@ -129,6 +129,7 @@ import { RedisPublisher, newRedisClient } from "@gitpod/gitpod-db/lib";
 import { UserService } from "./user/user-service";
 import { RelationshipUpdater } from "./authorization/relationship-updater";
 import { WorkspaceService } from "./workspace/workspace-service";
+import { SSHKeyService } from "./user/sshkey-service";
 
 export const productionContainerModule = new ContainerModule(
     (bind, unbind, isBound, rebind, unbindAsync, onActivation, onDeactivation) => {
@@ -143,6 +144,8 @@ export const productionContainerModule = new ContainerModule(
         bind(UserDeletionService).toSelf().inSingletonScope();
         bind(AuthorizationService).to(AuthorizationServiceImpl).inSingletonScope();
 
+        bind(SSHKeyService).toSelf().inSingletonScope();
+
         bind(TokenService).toSelf().inSingletonScope();
         bind(TokenProvider).toService(TokenService);
 

components/server/src/user/sshkey-service.spec.db.ts

@@ -0,0 +1,118 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { BUILTIN_INSTLLATION_ADMIN_USER_ID, TypeORM } from "@gitpod/gitpod-db/lib";
+import { Organization, SSHPublicKeyValue, User } from "@gitpod/gitpod-protocol";
+import { Experiments } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
+import * as chai from "chai";
+import { Container } from "inversify";
+import "mocha";
+import { createTestContainer } from "../test/service-testing-container-module";
+import { resetDB } from "@gitpod/gitpod-db/lib/test/reset-db";
+import { SSHKeyService } from "./sshkey-service";
+import { OrganizationService } from "../orgs/organization-service";
+import { UserService } from "./user-service";
+import { expectError } from "../test/expect-utils";
+import { ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
+
+const expect = chai.expect;
+
+describe("SSHKeyService", async () => {
+    let container: Container;
+    let ss: SSHKeyService;
+
+    let member: User;
+    let stranger: User;
+    let org: Organization;
+
+    const testSSHkeys: SSHPublicKeyValue[] = [
+        {
+            name: "foo",
+            key: "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+Mh3U/3We4VYtV1QmWUFIzFLTUeegl1Ao5/QGtCRGAZn8bxX9KlCrrWISIjSYAwCajIEGSPEZwPNMBoK8XD8Q= test@gitpod",
+        },
+        {
+            name: "bar",
+            key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0wmN/Cr3JXqmLW7u+g9pTh+wyqDHpSQEIQczXkVx9q bar@gitpod",
+        },
+    ];
+
+    beforeEach(async () => {
+        container = createTestContainer();
+        Experiments.configureTestingClient({
+            centralizedPermissions: true,
+        });
+
+        const orgService = container.get<OrganizationService>(OrganizationService);
+        org = await orgService.createOrganization(BUILTIN_INSTLLATION_ADMIN_USER_ID, "myOrg");
+        const invite = await orgService.getOrCreateInvite(BUILTIN_INSTLLATION_ADMIN_USER_ID, org.id);
+
+        const userService = container.get<UserService>(UserService);
+        member = await userService.createUser({
+            organizationId: org.id,
+            identity: {
+                authId: "foo",
+                authName: "bar",
+                authProviderId: "github",
+                primaryEmail: "[email protected]",
+            },
+        });
+        await orgService.joinOrganization(member.id, invite.id);
+        stranger = await userService.createUser({
+            identity: {
+                authId: "foo2",
+                authName: "bar2",
+                authProviderId: "github",
+            },
+        });
+
+        ss = container.get(SSHKeyService);
+    });
+
+    afterEach(async () => {
+        // Clean-up database
+        await resetDB(container.get(TypeORM));
+    });
+
+    it("should add ssh key", async () => {
+        const resp1 = await ss.hasSSHPublicKey(member.id, member.id);
+        expect(resp1).to.be.false;
+
+        await ss.addSSHPublicKey(member.id, member.id, testSSHkeys[0]);
+
+        const resp2 = await ss.hasSSHPublicKey(member.id, member.id);
+        expect(resp2).to.be.true;
+
+        await expectError(ErrorCodes.NOT_FOUND, ss.hasSSHPublicKey(stranger.id, member.id));
+        await expectError(ErrorCodes.NOT_FOUND, ss.addSSHPublicKey(stranger.id, member.id, testSSHkeys[0]));
+    });
+
+    it("should list ssh keys", async () => {
+        await ss.addSSHPublicKey(member.id, member.id, testSSHkeys[0]);
+        await ss.addSSHPublicKey(member.id, member.id, testSSHkeys[1]);
+
+        const keys = await ss.getSSHPublicKeys(member.id, member.id);
+        expect(keys.length).to.equal(2);
+        expect(testSSHkeys.some((k) => k.name === keys[0].name && k.key === keys[0].key)).to.be.true;
+        expect(testSSHkeys.some((k) => k.name === keys[1].name && k.key === keys[1].key)).to.be.true;
+
+        await expectError(ErrorCodes.NOT_FOUND, ss.getSSHPublicKeys(stranger.id, member.id));
+    });
+
+    it("should delete ssh keys", async () => {
+        await ss.addSSHPublicKey(member.id, member.id, testSSHkeys[0]);
+        await ss.addSSHPublicKey(member.id, member.id, testSSHkeys[1]);
+
+        const keys = await ss.getSSHPublicKeys(member.id, member.id);
+        expect(keys.length).to.equal(2);
+
+        await ss.deleteSSHPublicKey(member.id, member.id, keys[0].id);
+
+        const keys2 = await ss.getSSHPublicKeys(member.id, member.id);
+        expect(keys2.length).to.equal(1);
+
+        await expectError(ErrorCodes.NOT_FOUND, ss.deleteSSHPublicKey(stranger.id, member.id, keys[0].id));
+    });
+});

components/server/src/user/sshkey-service.ts

@@ -0,0 +1,88 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { UserDB, WorkspaceDB } from "@gitpod/gitpod-db/lib";
+import { SSHPublicKeyValue, UserSSHPublicKeyValue, WorkspaceInstance } from "@gitpod/gitpod-protocol";
+import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
+import { inject, injectable } from "inversify";
+import { UpdateSSHKeyRequest } from "@gitpod/ws-manager/lib";
+import { WorkspaceManagerClientProvider } from "@gitpod/ws-manager/lib/client-provider";
+import { Authorizer } from "../authorization/authorizer";
+
+@injectable()
+export class SSHKeyService {
+    constructor(
+        @inject(WorkspaceDB) private readonly workspaceDb: WorkspaceDB,
+        @inject(UserDB) private readonly userDB: UserDB,
+        @inject(WorkspaceManagerClientProvider)
+        private readonly workspaceManagerClientProvider: WorkspaceManagerClientProvider,
+        @inject(Authorizer) private readonly auth: Authorizer,
+    ) {}
+
+    async hasSSHPublicKey(requestorId: string, userId: string): Promise<boolean> {
+        await this.auth.checkPermissionOnUser(requestorId, "read_ssh", userId);
+        return this.userDB.hasSSHPublicKey(userId);
+    }
+
+    async getSSHPublicKeys(requestorId: string, userId: string): Promise<UserSSHPublicKeyValue[]> {
+        await this.auth.checkPermissionOnUser(requestorId, "read_ssh", userId);
+        const list = await this.userDB.getSSHPublicKeys(userId);
+        return list.map((e) => ({
+            id: e.id,
+            name: e.name,
+            key: e.key,
+            fingerprint: e.fingerprint,
+            creationTime: e.creationTime,
+            lastUsedTime: e.lastUsedTime,
+        }));
+    }
+
+    async addSSHPublicKey(
+        requestorId: string,
+        userId: string,
+        value: SSHPublicKeyValue,
+    ): Promise<UserSSHPublicKeyValue> {
+        await this.auth.checkPermissionOnUser(requestorId, "write_ssh", userId);
+        const data = await this.userDB.addSSHPublicKey(userId, value);
+        this.updateSSHKeysForRegularRunningInstances(userId).catch((err) => {
+            log.error("Failed to update ssh keys on running instances.", err);
+        });
+        return {
+            id: data.id,
+            name: data.name,
+            key: data.key,
+            fingerprint: data.fingerprint,
+            creationTime: data.creationTime,
+            lastUsedTime: data.lastUsedTime,
+        };
+    }
+
+    async deleteSSHPublicKey(requestorId: string, userId: string, id: string): Promise<void> {
+        await this.auth.checkPermissionOnUser(requestorId, "write_ssh", userId);
+        await this.userDB.deleteSSHPublicKey(userId, id);
+        this.updateSSHKeysForRegularRunningInstances(userId).catch((err) => {
+            log.error("Failed to update ssh keys on running instances.", err);
+        });
+    }
+
+    private async updateSSHKeysForRegularRunningInstances(userId: string) {
+        const updateSSHKeysOfInstance = async (instance: WorkspaceInstance, sshKeys: string[]) => {
+            try {
+                const req = new UpdateSSHKeyRequest();
+                req.setId(instance.id);
+                req.setKeysList(sshKeys);
+                const cli = await this.workspaceManagerClientProvider.get(instance.region);
+                await cli.updateSSHPublicKey({}, req);
+            } catch (err) {
+                const logCtx = { userId, instanceId: instance.id };
+                log.error(logCtx, "Could not update ssh public key for instance", err);
+            }
+        };
+        const sshKeys = (await this.userDB.getSSHPublicKeys(userId)).map((e) => e.key);
+        const instances = await this.workspaceDb.findRegularRunningInstances(userId);
+        return Promise.allSettled(instances.map((instance) => updateSSHKeysOfInstance(instance, sshKeys)));
+    }
+}

components/server/src/workspace/gitpod-server-impl.ts

@@ -111,7 +111,6 @@ import {
     PortProtocol as ProtoPortProtocol,
     StopWorkspacePolicy,
     TakeSnapshotRequest,
-    UpdateSSHKeyRequest,
 } from "@gitpod/ws-manager/lib/core_pb";
 import * as crypto from "crypto";
 import { inject, injectable } from "inversify";
@@ -194,6 +193,7 @@ import { RedisSubscriber } from "../messaging/redis-subscriber";
 import { UsageService } from "../orgs/usage-service";
 import { UserService } from "../user/user-service";
 import { WorkspaceService } from "./workspace-service";
+import { SSHKeyService } from "../user/sshkey-service";
 
 // shortcut
 export const traceWI = (ctx: TraceContext, wi: Omit<LogContext, "userId">) => TraceContext.setOWI(ctx, wi); // userId is already taken care of in WebsocketConnectionManager
@@ -236,6 +236,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         @inject(UserDeletionService) private readonly userDeletionService: UserDeletionService,
         @inject(IAnalyticsWriter) private readonly analytics: IAnalyticsWriter,
         @inject(AuthorizationService) private readonly authorizationService: AuthorizationService,
+        @inject(SSHKeyService) private readonly sshKeyservice: SSHKeyService,
 
         @inject(TeamDB) private readonly teamDB: TeamDB,
         @inject(OrganizationService) private readonly organizationService: OrganizationService,
@@ -2445,59 +2446,22 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
     async hasSSHPublicKey(ctx: TraceContext): Promise<boolean> {
         const user = await this.checkUser("hasSSHPublicKey");
-        return this.userDB.hasSSHPublicKey(user.id);
+        return this.sshKeyservice.hasSSHPublicKey(user.id, user.id);
     }
 
     async getSSHPublicKeys(ctx: TraceContext): Promise<UserSSHPublicKeyValue[]> {
         const user = await this.checkUser("getSSHPublicKeys");
-        const list = await this.userDB.getSSHPublicKeys(user.id);
-        return list.map((e) => ({
-            id: e.id,
-            name: e.name,
-            key: e.key,
-            fingerprint: e.fingerprint,
-            creationTime: e.creationTime,
-            lastUsedTime: e.lastUsedTime,
-        }));
+        return this.sshKeyservice.getSSHPublicKeys(user.id, user.id);
     }
 
     async addSSHPublicKey(ctx: TraceContext, value: SSHPublicKeyValue): Promise<UserSSHPublicKeyValue> {
         const user = await this.checkUser("addSSHPublicKey");
-        const data = await this.userDB.addSSHPublicKey(user.id, value);
-        this.updateSSHKeysForRegularRunningInstances(ctx, user.id).catch(console.error);
-        return {
-            id: data.id,
-            name: data.name,
-            key: data.key,
-            fingerprint: data.fingerprint,
-            creationTime: data.creationTime,
-            lastUsedTime: data.lastUsedTime,
-        };
+        return this.sshKeyservice.addSSHPublicKey(user.id, user.id, value);
     }
 
     async deleteSSHPublicKey(ctx: TraceContext, id: string): Promise<void> {
         const user = await this.checkUser("deleteSSHPublicKey");
-        await this.userDB.deleteSSHPublicKey(user.id, id);
-        this.updateSSHKeysForRegularRunningInstances(ctx, user.id).catch(console.error);
-        return;
-    }
-
-    private async updateSSHKeysForRegularRunningInstances(ctx: TraceContext, userId: string) {
-        const keys = (await this.userDB.getSSHPublicKeys(userId)).map((e) => e.key);
-        const instances = await this.workspaceDb.trace(ctx).findRegularRunningInstances(userId);
-        const updateKeyOfInstance = async (instance: WorkspaceInstance) => {
-            try {
-                const req = new UpdateSSHKeyRequest();
-                req.setId(instance.id);
-                req.setKeysList(keys);
-                const cli = await this.workspaceManagerClientProvider.get(instance.region);
-                await cli.updateSSHPublicKey(ctx, req);
-            } catch (err) {
-                const logCtx = { userId, instanceId: instance.id };
-                log.error(logCtx, "Could not update ssh public key for instance", err);
-            }
-        };
-        return Promise.allSettled(instances.map((e) => updateKeyOfInstance(e)));
+        return this.sshKeyservice.deleteSSHPublicKey(user.id, user.id, id);
     }
 
     async setProjectEnvironmentVariable(

components/spicedb/schema/schema.yaml

@@ -14,6 +14,9 @@ schema: |-
     permission read_info = self + organization->member + organization->owner + installation->admin
     permission write_info = self
     permission make_admin = installation->admin + organization->installation_admin
+
+    permission read_ssh = self
+    permission write_ssh = self
   }
 
   // There's only one global installation