Merge branch 'main' into ft/focus-targets

filiptronicek · web-flow · commit 78ee74fde5f5 · 2023-06-22T12:48:56.000+02:00
diff --git a/components/server/src/authorization/perms.ts b/components/server/src/authorization/perms.ts
@@ -15,34 +15,6 @@ import {
 } from "../prometheus-metrics";
 import { SpiceDBClient } from "./spicedb";
 
-export type OrganizationOperation =
-    // A not yet implemented operation at this time. This exists such that we can be explicit about what
-    // we have not yet migrated to fine-grained-permissions.
-    | "not_implemented"
-
-    // Ability to perform write actions an Organization, and all sub-resources of the organization.
-    | "org_write"
-
-    // Ability to update Organization metadata - name, and other general info.
-    | "org_metadata_write"
-    // Ability to read Organization metadata - name, and other general info.
-    | "org_metadata_read"
-
-    // Ability to access information about team members.
-    | "org_members_read"
-    // Ability to add, or remove, team members.
-    | "org_members_write"
-
-    // Ability to read projects in an Organization.
-    | "org_project_read"
-    // Ability to create/update/delete projects in an Organization.
-    | "org_project_write"
-
-    // Ability to create/update/delete Organization Auth Providers.
-    | "org_authprovider_write"
-    // Ability to read Organization Auth Providers.
-    | "org_authprovider_read";
-
 export type CheckResult = {
     permitted: boolean;
     err?: Error;
diff --git a/components/server/src/workspace/gitpod-server-impl.ts b/components/server/src/workspace/gitpod-server-impl.ts
@@ -169,13 +169,7 @@ import {
     ConfigCatClientFactory,
     getExperimentsClientForBackend,
 } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
-import {
-    Authorizer,
-    CheckResult,
-    OrganizationOperation,
-    NotPermitted,
-    PermissionChecker,
-} from "../authorization/perms";
+import { Authorizer, CheckResult, NotPermitted, PermissionChecker } from "../authorization/perms";
 import {
     ReadOrganizationMembers,
     ReadOrganizationInfo,
@@ -210,6 +204,7 @@ import {
 import { ClientError } from "nice-grpc-common";
 import { BillingModes } from "../billing/billing-mode";
 import { goDurationToHumanReadable } from "@gitpod/gitpod-protocol/lib/util/timeutil";
+import { OrganizationPermission } from "../authorization/definitions";
 
 // shortcut
 export const traceWI = (ctx: TraceContext, wi: Omit<LogContext, "userId">) => TraceContext.setOWI(ctx, wi); // userId is already taken care of in WebsocketConnectionManager
@@ -2662,7 +2657,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     protected async guardTeamOperation(
         teamId: string,
         op: ResourceAccessOp,
-        fineGrainedOp: OrganizationOperation,
+        fineGrainedOp: OrganizationPermission | "not_implemented",
     ): Promise<{ team: Team; members: TeamMemberInfo[] }> {
         if (!uuidValidate(teamId)) {
             throw new ResponseError(ErrorCodes.BAD_REQUEST, "organization ID must be a valid UUID");
@@ -2693,7 +2688,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         };
 
         const checkWithCentralizedPerms = async (): Promise<CheckResult> => {
-            if (centralizedPermissionsEnabled) {
+            if (centralizedPermissionsEnabled && fineGrainedOp !== "not_implemented") {
                 log.info("[perms] Checking team operations.", {
                     org: teamId,
                     operations: fineGrainedOp,
@@ -2746,19 +2741,19 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
     protected async guardOrganizationOperationWithCentralizedPerms(
         orgId: string,
-        op: OrganizationOperation,
+        op: OrganizationPermission,
     ): Promise<CheckResult> {
         const user = await this.checkUser();
 
         switch (op) {
-            case "org_metadata_read":
+            case "read_info":
                 return await this.authorizer.check(ReadOrganizationInfo(user.id, orgId));
-            case "org_metadata_write":
+            case "write_info":
                 return await this.authorizer.check(WriteOrganizationInfo(user.id, orgId));
 
-            case "org_members_read":
+            case "read_members":
                 return await this.authorizer.check(ReadOrganizationMembers(user.id, orgId));
-            case "org_members_write":
+            case "write_members":
                 return await this.authorizer.check(WriteOrganizationMembers(user.id, orgId));
 
             default:
@@ -2777,15 +2772,15 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         await this.checkAndBlockUser("getTeam");
 
-        const { team } = await this.guardTeamOperation(teamId, "get", "org_members_read");
+        const { team } = await this.guardTeamOperation(teamId, "get", "read_info");
         return team;
     }
 
     public async updateTeam(ctx: TraceContext, teamId: string, team: Pick<Team, "name">): Promise<Team> {
         traceAPIParams(ctx, { teamId });
         await this.checkUser("updateTeam");
 
-        await this.guardTeamOperation(teamId, "update", "org_metadata_write");
+        await this.guardTeamOperation(teamId, "update", "write_info");
 
         const updatedTeam = await this.teamDB.updateTeam(teamId, team);
         return updatedTeam;
@@ -2795,7 +2790,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         traceAPIParams(ctx, { teamId });
 
         await this.checkUser("getTeamMembers");
-        const { members } = await this.guardTeamOperation(teamId, "get", "org_members_read");
+        const { members } = await this.guardTeamOperation(teamId, "get", "read_members");
 
         return members;
     }
@@ -2904,7 +2899,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         }
 
         await this.checkAndBlockUser("setTeamMemberRole");
-        await this.guardTeamOperation(teamId, "update", "org_members_write");
+        await this.guardTeamOperation(teamId, "update", "write_members");
 
         await this.teamDB.setTeamMemberRole(userId, teamId, role);
     }
@@ -2923,7 +2918,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         if (!currentUserLeavingTeam) {
             await this.guardTeamOperation(teamId, "update", "not_implemented");
         } else {
-            await this.guardTeamOperation(teamId, "get", "org_members_write");
+            await this.guardTeamOperation(teamId, "get", "write_members");
         }
 
         // Check for existing membership.
@@ -2957,7 +2952,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         traceAPIParams(ctx, { teamId });
 
         await this.checkUser("getGenericInvite");
-        await this.guardTeamOperation(teamId, "get", "org_members_write");
+        await this.guardTeamOperation(teamId, "get", "write_members");
 
         if (await this.teamDB.hasActiveSSO(teamId)) {
             throw new ResponseError(ErrorCodes.NOT_FOUND, "Invites are disabled for SSO-enabled organizations.");
@@ -2974,7 +2969,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         traceAPIParams(ctx, { teamId });
 
         await this.checkAndBlockUser("resetGenericInvite");
-        await this.guardTeamOperation(teamId, "update", "org_members_write");
+        await this.guardTeamOperation(teamId, "update", "write_members");
         if (await this.teamDB.hasActiveSSO(teamId)) {
             throw new ResponseError(ErrorCodes.NOT_FOUND, "Invites are disabled for SSO-enabled organizations.");
         }
@@ -3017,7 +3012,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         const user = await this.checkAndBlockUser("deleteTeam");
         traceAPIParams(ctx, { teamId, userId: user.id });
 
-        await this.guardTeamOperation(teamId, "delete", "org_write");
+        await this.guardTeamOperation(teamId, "delete", "not_implemented");
 
         const teamProjects = await this.projectsService.getTeamProjects(teamId);
         teamProjects.forEach((project) => {
@@ -3048,7 +3043,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     async getOrgSettings(ctx: TraceContextWithSpan, orgId: string): Promise<OrganizationSettings> {
         const user = await this.checkAndBlockUser("getOrgSettings");
         traceAPIParams(ctx, { orgId, userId: user.id });
-        await this.guardTeamOperation(orgId, "get", "org_write");
+        await this.guardTeamOperation(orgId, "get", "not_implemented");
         const settings = await this.teamDB.findOrgSettings(orgId);
         // TODO: make a default in protocol
         return settings ?? { workspaceSharingDisabled: false };
@@ -3061,7 +3056,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     ): Promise<OrganizationSettings> {
         const user = await this.checkAndBlockUser("updateOrgSettings");
         traceAPIParams(ctx, { orgId, userId: user.id });
-        await this.guardTeamOperation(orgId, "update", "org_write");
+        await this.guardTeamOperation(orgId, "update", "not_implemented");
         await this.teamDB.setOrgSettings(orgId, settings);
         return (await this.teamDB.findOrgSettings(orgId))!;
     }
@@ -3757,7 +3752,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         }
 
         // Ensure user can perform this operation on this organization
-        await this.guardTeamOperation(newProvider.organizationId, "update", "org_authprovider_write");
+        await this.guardTeamOperation(newProvider.organizationId, "update", "not_implemented");
 
         try {
             // on creating we're are checking for already existing runtime providers
@@ -3805,7 +3800,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         await this.guardWithFeatureFlag("orgGitAuthProviders", user, providerUpdate.organizationId);
 
-        await this.guardTeamOperation(providerUpdate.organizationId, "update", "org_authprovider_write");
+        await this.guardTeamOperation(providerUpdate.organizationId, "update", "not_implemented");
 
         try {
             const result = await this.authProviderService.updateOrgAuthProvider(providerUpdate);
@@ -3826,7 +3821,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         await this.guardWithFeatureFlag("orgGitAuthProviders", user, params.organizationId);
 
-        await this.guardTeamOperation(params.organizationId, "get", "org_authprovider_read");
+        await this.guardTeamOperation(params.organizationId, "get", "not_implemented");
 
         try {
             const result = await this.authProviderService.getAuthProvidersOfOrg(params.organizationId);
@@ -3857,7 +3852,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
             throw new ResponseError(ErrorCodes.NOT_FOUND, "Provider resource not found.");
         }
 
-        await this.guardTeamOperation(authProvider.organizationId || "", "update", "org_authprovider_write");
+        await this.guardTeamOperation(authProvider.organizationId || "", "update", "not_implemented");
 
         try {
             await this.authProviderService.deleteAuthProvider(authProvider);
