Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Align access level of Workspaces of type "prebuild" with Prebuilds #11138

Merged
merged 2 commits into from
Jul 5, 2022
Merged

Align access level of Workspaces of type "prebuild" with Prebuilds #11138

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0fe8d24
[server] Fix resource guard tests
geropl Jul 5, 2022
578b07b
[server] Align access level of Workspaces of type "prebuild" with Pre…
geropl Jul 5, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
73 changes: 66 additions & 7 deletions components/server/src/auth/resource-access.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,17 +18,21 @@ import {
GuardedWorkspace,
CompositeResourceAccessGuard,
OwnerResourceGuard,
ResourceAccessGuard,
GuardedResourceKind,
RepositoryResourceGuard,
SharedWorkspaceAccessGuard,
} from "./resource-access";
import { User, UserEnvVar, Workspace, WorkspaceType } from "@gitpod/gitpod-protocol/lib/protocol";
import { PrebuiltWorkspace, User, UserEnvVar, Workspace, WorkspaceType } from "@gitpod/gitpod-protocol/lib/protocol";
import { TeamMemberInfo, TeamMemberRole, WorkspaceInstance } from "@gitpod/gitpod-protocol";
import { HostContextProvider } from "./host-context-provider";

class MockedRepositoryResourceGuard implements ResourceAccessGuard {
constructor(protected response: boolean) {}
class MockedRepositoryResourceGuard extends RepositoryResourceGuard {
constructor(protected repositoryAccess: boolean) {
super({} as User, {} as HostContextProvider);
}

async canAccess(resource: GuardedResource, operation: ResourceAccessOp): Promise<boolean> {
return this.response;
protected async hasAccessToRepos(workspace: Workspace): Promise<boolean> {
return this.repositoryAccess;
}
}

Expand Down Expand Up @@ -588,6 +592,17 @@ class TestResourceAccess {
workspaceImage: "gitpod/workspace-full:latest",
};
};
const createPrebuild = (): PrebuiltWorkspace => {
return {
id: "pws-123",
buildWorkspaceId: workspaceId,
cloneURL: "https://github.com/gitpod-io/gitpod",
commit: "sha123123213",
creationTime: new Date(2000, 1, 2).toISOString(),
state: "available",
statusVersion: 1,
};
};

const tests: {
name: string;
Expand Down Expand Up @@ -767,6 +782,43 @@ class TestResourceAccess {
teamRole: "owner",
expectation: true,
},
// prebuild workspace with repo access
{
name: "prebuild workspace get owner",
resourceKind: "workspace",
workspaceType: "prebuild",
isOwner: true,
teamRole: undefined,
repositoryAccess: true,
expectation: true,
},
{
name: "prebuild workspace get other",
resourceKind: "workspace",
workspaceType: "prebuild",
isOwner: false,
teamRole: undefined,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is this case where the user is not the owner but also doesn't have a team?

Copy link
Member Author

@geropl geropl Jul 5, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They have read access to the repository (repositoryAccess, see one line 👇 ).

That's the qualifier based on which we share access to prebuilds, and thus should be the same for workspaces (at least for those of type prebuild). 👍

This fixes the UI issue we see currently.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aha, makes sense.

repositoryAccess: true,
expectation: true,
},
{
name: "prebuild workspace get team member",
resourceKind: "workspace",
workspaceType: "prebuild",
isOwner: false,
teamRole: "member",
repositoryAccess: true,
expectation: true,
},
{
name: "prebuild workspace get team owner (same as member)",
resourceKind: "workspace",
workspaceType: "prebuild",
isOwner: false,
teamRole: "owner",
repositoryAccess: true,
expectation: true,
},
// regular instance
{
name: "regular workspaceInstance get owner",
Expand Down Expand Up @@ -911,6 +963,7 @@ class TestResourceAccess {
const resourceGuard = new CompositeResourceAccessGuard([
new OwnerResourceGuard(user.id),
new TeamMemberResourceGuard(user.id),
new SharedWorkspaceAccessGuard(),
new MockedRepositoryResourceGuard(!!t.repositoryAccess),
]);
const teamMembers: TeamMemberInfo[] = [];
Expand All @@ -922,7 +975,7 @@ class TestResourceAccess {
});
}

const kind: GuardedResourceKind = "workspaceInstance";
const kind: GuardedResourceKind = t.resourceKind;
let resource: GuardedResource | undefined = undefined;
if (kind === "workspaceInstance") {
const instance = createInstance();
Expand All @@ -931,6 +984,12 @@ class TestResourceAccess {
resource = { kind, subject: workspace, teamMembers };
} else if (kind === "workspace") {
resource = { kind, subject: workspace, teamMembers };
} else if (kind === "prebuild") {
if (workspace.type !== "prebuild") {
throw new Error("invalid test data: PWS requires workspace to be of type prebuild!");
}
const prebuild = createPrebuild();
resource = { kind, subject: prebuild, workspace, teamMembers };
}
if (!resource) {
throw new Error("unhandled GuardedResourceKind" + kind);
Expand Down
26 changes: 16 additions & 10 deletions components/server/src/auth/resource-access.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,8 @@ export class TeamMemberResourceGuard implements ResourceAccessGuard {
return await this.hasAccessToWorkspace(resource.workspace, resource.teamMembers);
case "workspaceLog":
return await this.hasAccessToWorkspace(resource.subject, resource.teamMembers);
case "prebuild":
return !!resource.teamMembers?.some((m) => m.userId === this.userId);
}
return false;
}
Expand Down Expand Up @@ -217,17 +219,9 @@ export class OwnerResourceGuard implements ResourceAccessGuard {
return resource.members.some((m) => m.userId === this.userId && m.role === "owner");
}
case "workspaceLog":
// Owners may do everything, team members can "get"
return (
resource.subject.ownerId === this.userId ||
(operation === "get" && !!resource.teamMembers?.some((m) => m.userId === this.userId))
);
return resource.subject.ownerId === this.userId;
case "prebuild":
// Owners may do everything, team members can "get"
return (
resource.workspace.ownerId === this.userId ||
(operation === "get" && !!resource.teamMembers?.some((m) => m.userId === this.userId))
);
return resource.workspace.ownerId === this.userId;
}
}
}
Expand Down Expand Up @@ -490,6 +484,13 @@ export class RepositoryResourceGuard implements ResourceAccessGuard {
// Get Workspace from GuardedResource
let workspace: Workspace;
switch (resource.kind) {
case "workspace":
workspace = resource.subject;
if (workspace.type !== "prebuild") {
return false;
}
// We're only allowed to access prebuild workspaces with the repository guard
break;
case "workspaceLog":
workspace = resource.subject;
break;
Expand All @@ -498,12 +499,17 @@ export class RepositoryResourceGuard implements ResourceAccessGuard {
break;
case "prebuild":
workspace = resource.workspace;
break;
default:
// We do not handle resource kinds here!
return false;
}

// Check if user has at least read access to the repository
return this.hasAccessToRepos(workspace);
}

protected async hasAccessToRepos(workspace: Workspace): Promise<boolean> {
const repos: Repository[] = [];
if (CommitContext.is(workspace.context)) {
repos.push(workspace.context.repository);
Expand Down