
[gRPC] Enable PATs to be used for authorizing with the gRPC API #19081


Merged
merged 2 commits into from
Nov 20, 2023

Conversation

geropl
Member

@geropl geropl commented Nov 16, 2023

Description

Blocked by/based on: #19023

Adds the ability to call the gRPC API with a PAT token. This works because PATs at the moment only support two "scopes":

  • all functions
  • nothing

Only if "all functions" is allowed do we accept it for the gRPC API.

Summary generated by Copilot

🤖[deprecated] Generated by Copilot at a29e3ea

This pull request enhances the bearer token authentication and authorization logic for different kinds of subjects, such as users and tokens. It adds a new SubjectId class to represent subjects, a new extractFunctionScopes method to handle function scopes, and a new authExpressRequest method to authenticate express requests. It also renames and refactors some existing methods and functions for clarity and consistency. The affected files are server.ts, bearer-authenticator.ts, function-access.ts, and authorizer.ts.

Related Issue(s)

Fixes EXP-897

How to test

  • login
  • create a PAT token
  • open a workspace on this PR
  • dev/gpctl
  • export GPCTL_PUBLICAPI_TOKEN=<your pat>
  • go run main.go api ws ls <an org id> --address gpl-897-pat-api.preview.gitpod-dev.com ✔️
  • go run main.go api ws get <ws id> --address gpl-897-pat-api.preview.gitpod-dev.com ✔️

Documentation

Preview status

Gitpod was successfully deployed to your preview environment.

Build Options

Build
  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer
  • analytics=segment
  • with-dedicated-emulation
  • workspace-feature-flags
    Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
    If enabled this will create the environment on GCE infra
  • /werft preemptible
    Saves cost. Untick this only if you're really sure you need a non-preemptible machine.
  • with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
  • with-monitoring

/hold
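The scope rule from the description, as an added example that is not Gitpod's own code: the helper names (extractFunctionScopes, authorizeGrpcPat) and the "function:" scope prefix handling are assumptions modelled on the review snippet in this PR; a PAT is accepted for the gRPC API only when its function scopes reduce to exactly "*".

```typescript
// Added example, not code from the Gitpod repository. Models the PAT scope
// gate this PR describes; names and the scope string format are assumptions.

interface FunctionScopes {
  isAllAccessFunctionGuard: boolean;
  functionScopes: string[];
}

// Keep only "function:" scopes, strip the prefix, and flag the all-access case:
// exactly one function scope, and that scope is "*".
function extractFunctionScopes(scopes: string[]): FunctionScopes {
  const functionScopes = scopes
    .filter((s) => s.startsWith("function:"))
    .map((s) => s.substring("function:".length));
  const isAllAccessFunctionGuard =
    functionScopes.length === 1 && functionScopes[0] === "*";
  return { isAllAccessFunctionGuard, functionScopes };
}

// gRPC gate: accept the PAT only when it grants all functions. A token with no
// function scopes ("nothing") or a restricted list is rejected, which is the
// safe default until finer-grained scopes exist.
function authorizeGrpcPat(scopes: string[]): { ok: boolean; reason: string } {
  const { isAllAccessFunctionGuard, functionScopes } = extractFunctionScopes(scopes);
  if (isAllAccessFunctionGuard) {
    return { ok: true, reason: "all functions allowed" };
  }
  if (functionScopes.length === 0) {
    return { ok: false, reason: "token grants no functions" };
  }
  return { ok: false, reason: `restricted function scopes: ${functionScopes.join(",")}` };
}

// Constructed sample scopes for a quick stand-alone run.
console.log(authorizeGrpcPat(["function:*"]));
console.log(authorizeGrpcPat([]));
console.log(authorizeGrpcPat(["function:*", "function:getWorkspace"]));
```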

Base automatically changed from gpl/request-context to main November 16, 2023 12:54
@roboquat roboquat added size/XXL and removed size/L labels Nov 16, 2023
@geropl geropl marked this pull request as ready for review November 17, 2023 09:26
@geropl geropl requested a review from a team as a code owner November 17, 2023 09:26
Member

@akosyakov akosyakov left a comment


Code-wise looks good, I did not try it yet.

@geropl is going to change gpctl public-api-get-workspace to use gitpod/v1 so that we can verify against the internal CLI, I will test then.

@akosyakov
Member

I tested through a dummy service and it still works with cookie auth.

@mustard-mh
Contributor

mustard-mh commented Nov 17, 2023

UPDATE: tested it wrong, the CLI will not hit the PR's changes

✅ Access Check (with no access and full access)
image

✅ API call

➜  ~ gitpod ws list
ID REPOSITORY BRANCH STATUS 
➜  ~ gitpod ws list
ID                                  REPOSITORY                   BRANCH STATUS       
mustardmh-templatesvelt-lnwyoj49jcg mustard-mh/template-sveltejs        initializing 
➜  ~ gitpod ws stop mustardmh-templatesvelt-lnwyoj49jcg
Nov 17 17:52:05.551 [INFO ] waiting for workspace to stop...
Nov 17 17:52:06.387 [INFO ] workspace status: stopping
Nov 17 17:52:06.410 [INFO ] workspace stopped
➜  ~ 

✅ regenerate

➜  ~ gitpod whoami
Error: internal: jsonrpc2: connection is closed

cc @filiptronicek it's nice to use the CLI for testing 🎉. We need to check if we can have a proper error message if the token is invalidated.

@geropl
Member Author

geropl commented Nov 17, 2023

@mustard-mh I think I got it wrong: The CLI is still based on experimental/v1, which already supported PATs. I will move some of the gpctl api ws methods to your new v1 implementations from yesterday, then we can use that for testing. 🙏

@geropl geropl requested a review from a team as a code owner November 17, 2023 13:41
@geropl
Member Author

geropl commented Nov 17, 2023

@akosyakov @mustard-mh Works now, and can be tested using the steps in the description ☝️

.map((s) => s.substring("function:".length));
if (functionScopes.length === 1 && functionScopes[0] === "*") {
const { isAllAccessFunctionGuard, functionScopes } = FunctionAccessGuard.extractFunctionScopes(scopes);
if (isAllAccessFunctionGuard) {
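Review bot: the all-access decision now depends entirely on `FunctionAccessGuard.extractFunctionScopes`, which must reproduce the exact rule visible in the old inline code, `functionScopes.length === 1 && functionScopes[0] === "*"`, after stripping the `"function:"` prefix; a token carrying `"function:*"` alongside another function scope must still be treated as not all-access, so a unit test pinning that case and the empty-scope case would guard the gRPC PAT gate against a silent relaxation in the helper.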
Member


@geropl how can we test for a regression of this path manually? By using the Gitpod CLI with a PAT?

Member Author


Yes, exactly. Still works 😉

Member

@akosyakov akosyakov left a comment


I tested that it works from the dashboard with gRPC and JSON-RPC, and from the CLI against experimental and gitpod.

I left some comments.

@geropl
Member Author

geropl commented Nov 17, 2023

/unhold

@@ -6,7 +6,8 @@ package cmd

import (
"github.com/gitpod-io/gitpod/common-go/log"
v1 "github.com/gitpod-io/gitpod/components/public-api/go/experimental/v1"
v1 "github.com/gitpod-io/gitpod/components/public-api/go/v1"
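Review bot: keeping the alias `v1` while swapping the package from `.../experimental/v1` to `.../v1` hides the API migration at every call site in this file, and the hunk header `@@ -6,7 +6,8 @@` shows a net added line, so the full import block should be checked for a leftover `experimental/v1` import under a second name; a distinct alias for the new package would make which API each gpctl command talks to explicit, which matters here because the PR description notes that experimental/v1 already accepted PATs while the new gRPC path is what this change is meant to exercise.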
Member


@iQQBot could you approve it?

@easyCZ Would it be alright if ownership of the gpctl or public-api-* files were shared with the EXP team?

@roboquat roboquat merged commit c279fc4 into main Nov 20, 2023
@roboquat roboquat deleted the gpl/897-pat-api branch November 20, 2023 07:04