Skip to content

[fga] prebuild access #18560

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 21, 2023
Merged

[fga] prebuild access #18560

merged 1 commit into from
Aug 21, 2023

Conversation

svenefftinge
Copy link
Contributor

@svenefftinge svenefftinge commented Aug 21, 2023
edited by github-actions bot
Loading

Description

Distinguishes access checks for workspaces between prebuilds and regular workspaces.

Summary generated by Copilot

🤖 Generated by Copilot at 0b49b53

This pull request enhances the security of prebuilds by enforcing Project-based access control for both reading prebuilds and accessing prebuild workspaces. It also simplifies some code in workspace-service.ts by reusing existing permission checks.

Related Issue(s)

Fixes EXP-490

How to test

Documentation

Preview status

Gitpod was successfully deployed to your preview environment.

Build Options

Build
  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer
  • analytics=segment
  • with-dedicated-emulation
  • workspace-feature-flags
    Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
    If enabled this will create the environment on GCE infra
  • with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
  • with-monitoring

/hold

@svenefftinge svenefftinge requested a review from a team as a code owner August 21, 2023 10:50
geropl
geropl reviewed Aug 21, 2023
View reviewed changes
geropl
geropl reviewed Aug 21, 2023
View reviewed changes
components/server/src/workspace/workspace-service.ts
await this.auth.checkPermissionOnWorkspace(userId, "access", workspaceId);

// check access
await this.getWorkspace(userId, workspaceId);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: it still works, but I wonder what the motivation for this change is? Feels a bit like hiding the check somewhat. 🤔

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, missed the indirection.

Can we maybe work around this pattern? E.g., by moving the "is prebuild" check in doGetWorkspace into Authorizer, and call it here as well? 🤔

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved sync: As it's only two call-sites, we go with this approach for now.

@roboquat roboquat added size/M and removed size/S labels Aug 21, 2023
geropl
geropl approved these changes Aug 21, 2023
View reviewed changes
Copy link
Member

@geropl geropl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM

@svenefftinge
Copy link
Contributor Author

/unhold

@roboquat roboquat merged commit e234839 into main Aug 21, 2023
@roboquat roboquat deleted the se/fga-prebuilds branch August 21, 2023 14:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geropl geropl geropl approved these changes

Assignees
No one assigned
Labels
size/M team: team-experience
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@svenefftinge @geropl @roboquat