gitpod-io
diff --git a/‎components/openfga/model.openfga
+20 b/‎components/openfga/model.openfga
+20
diff --git a/‎components/openfga/scripts.hack
+163 b/‎components/openfga/scripts.hack
+163
diff --git a/‎components/server/package.json
+1 b/‎components/server/package.json
+1
diff --git a/‎components/server/src/perms.ts
+142 b/‎components/server/src/perms.ts
+142
@@ -0,0 +1,20 @@
+model
+  schema 1.1
+
+type user
+type team
+  relations
+    define owner: [user]
+    define member: [user] or owner
+
+    define grant_owner: owner
+    define list_members: owner or member
+    define add_members: owner
+    define remove_members: owner
+    define delete_team: owner
+
+    define project_creator: owner or member
+
+type project
+  relations
+    define maintainer: [user,team#member]
@@ -0,0 +1,163 @@
+curl -X POST "openfga:8080/stores/01GP4CRKXESH1JE5E0SNHMZYG1/authorization-models" \
+  -H "content-type: application/json" \
+  -d '{
+  "type_definitions": [
+    {
+      "type": "user",
+      "relations": {}
+    },
+    {
+      "type": "team",
+      "relations": {
+        "owner": {
+          "this": {}
+        },
+        "member": {
+          "union": {
+            "child": [
+              {
+                "this": {}
+              },
+              {
+                "computedUserset": {
+                  "object": "",
+                  "relation": "owner"
+                }
+              }
+            ]
+          }
+        },
+        "grant_owner": {
+          "computedUserset": {
+            "object": "",
+            "relation": "owner"
+          }
+        },
+        "list_members": {
+          "union": {
+            "child": [
+              {
+                "computedUserset": {
+                  "object": "",
+                  "relation": "owner"
+                }
+              },
+              {
+                "computedUserset": {
+                  "object": "",
+                  "relation": "member"
+                }
+              }
+            ]
+          }
+        },
+        "add_members": {
+          "computedUserset": {
+            "object": "",
+            "relation": "owner"
+          }
+        },
+        "remove_members": {
+          "computedUserset": {
+            "object": "",
+            "relation": "owner"
+          }
+        },
+        "delete_team": {
+          "computedUserset": {
+            "object": "",
+            "relation": "owner"
+          }
+        },
+        "project_creator": {
+          "union": {
+            "child": [
+              {
+                "computedUserset": {
+                  "object": "",
+                  "relation": "owner"
+                }
+              },
+              {
+                "computedUserset": {
+                  "object": "",
+                  "relation": "member"
+                }
+              }
+            ]
+          }
+        }
+      },
+      "metadata": {
+        "relations": {
+          "owner": {
+            "directly_related_user_types": [
+              {
+                "type": "user"
+              }
+            ]
+          },
+          "member": {
+            "directly_related_user_types": [
+              {
+                "type": "user"
+              }
+            ]
+          },
+          "grant_owner": {
+            "directly_related_user_types": []
+          },
+          "list_members": {
+            "directly_related_user_types": []
+          },
+          "add_members": {
+            "directly_related_user_types": []
+          },
+          "remove_members": {
+            "directly_related_user_types": []
+          },
+          "delete_team": {
+            "directly_related_user_types": []
+          },
+          "project_creator": {
+            "directly_related_user_types": []
+          }
+        }
+      }
+    },
+    {
+      "type": "project",
+      "relations": {
+        "maintainer": {
+          "this": {}
+        }
+      },
+      "metadata": {
+        "relations": {
+          "maintainer": {
+            "directly_related_user_types": [
+              {
+                "type": "user"
+              },
+              {
+                "type": "team",
+                "relation": "member"
+              }
+            ]
+          }
+        }
+      }
+    }
+  ],
+  "schema_version": "1.1"
+}'
+
+curl -X POST "openfga:8080/stores/01GP4CRKXESH1JE5E0SNHMZYG1/check" \
+  -H "content-type: application/json" \
+  -d '{"tuple_key":{"user":"user:milan","relation":"maintainer","object":"project:project1"}}'
+
+# Response: {"allowed":true}
+b23f24d7-47f7-4366-a642-ce46b61b499e
+
+curl -X GET "localhost:8080/stores/01GP4CRKXESH1JE5E0SNHMZYG1/changes" \
+  -H "content-type: application/json"
@@ -43,6 +43,7 @@
     "@improbable-eng/grpc-web-node-http-transport": "^0.14.0",
     "@jmondi/oauth2-server": "^2.6.1",
     "@octokit/rest": "18.6.1",
+    "@openfga/sdk": "^0.2.0",
     "@probot/get-private-key": "^1.1.1",
     "@types/jaeger-client": "^3.18.3",
     "amqplib": "^0.8.0",
 
@@ -0,0 +1,142 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
+import { OpenFgaApi, TupleKey } from "@openfga/sdk";
+import { ResponseError } from "vscode-jsonrpc";
+
+export const OpenFGA = new OpenFgaApi({
+    apiScheme: "http", // Optional. Can be "http" or "https". Defaults to "https"
+    apiHost: "openfga:8080", // required, define without the scheme (e.g. api.openfga.example instead of https://api.openfga.example)
+    storeId: "01GP4CRKXESH1JE5E0SNHMZYG1",
+});
+
+function tup(user: string, relation: string, object: string): TupleKey {
+    return { user, relation, object };
+}
+
+function user(id: string): string {
+    return `user:${id}`;
+}
+
+function team(id: string): string {
+    return `team:${id}`;
+}
+
+function proj(id: string): string {
+    return `project:${id}`;
+}
+
+export async function isTeamOwner(userID: string, teamID: string): Promise<boolean> {
+    return (
+        (
+            await OpenFGA.check({
+                tuple_key: tup(user(userID), "owner", team(teamID)),
+            })
+        ).allowed || false
+    );
+}
+
+export async function isTeamMember(userID: string, teamID: string): Promise<boolean> {
+    return (
+        (
+            await OpenFGA.check({
+                tuple_key: tup(user(userID), "member", team(teamID)),
+            })
+        ).allowed || false
+    );
+}
+
+export async function grantTeamOwner(userID: string, teamID: string) {
+    const deletes: TupleKey[] = [];
+
+    const isMember = await isTeamMember(userID, teamID);
+    if (isMember) {
+        deletes.push(tup(user(userID), "member", team(teamID)));
+    }
+
+    return await OpenFGA.write({
+        writes: {
+            tuple_keys: [tup(user(userID), "owner", team(teamID))],
+        },
+        deletes: {
+            tuple_keys: deletes,
+        },
+    });
+}
+
+export async function grantTeamMember(userID: string, teamID: string) {
+    const deletes: TupleKey[] = [];
+
+    const isMember = await isTeamOwner(userID, teamID);
+    if (isMember) {
+        deletes.push(tup(user(userID), "owner", team(teamID)));
+    }
+    await OpenFGA.write({
+        writes: {
+            tuple_keys: [tup(user(userID), "member", team(teamID))],
+        },
+        deletes: {
+            tuple_keys: deletes,
+        },
+    });
+}
+
+export async function removeUserFromTeam(userID: string, teamID: string) {
+    return OpenFGA.write({
+        deletes: {
+            tuple_keys: [tup(user(userID), "owner", team(teamID)), tup(user(userID), "member", team(teamID))],
+        },
+    });
+}
+
+export async function canCreateProject(userID: string, teamID: string) {
+    const response = await OpenFGA.check({
+        tuple_key: tup(user(userID), "member", team(teamID)),
+    });
+
+    if (!response.allowed) {
+        throw newPermissionDenied(`user ${userID} is not allowed to create projects for team ${teamID}`);
+    }
+    return response.allowed || false;
+}
+
+export async function canDeleteProject(userID: string, projectID: string) {
+    const response = await OpenFGA.check({
+        tuple_key: tup(user(userID), "maintainer", proj(projectID)),
+    });
+
+    if (!response.allowed) {
+        throw newPermissionDenied(`user ${userID} is not allowed to delete project ${projectID}`);
+    }
+    return response.allowed || false;
+}
+
+export async function canAccessProject(userID: string, projectID: string): Promise<boolean> {
+    const response = await OpenFGA.check({
+        tuple_key: tup(user(userID), "maintainer", proj(projectID)),
+    });
+
+    return response.allowed || false;
+}
+
+export async function grantTeamProjectMaintainer(teamID: string, projectID: string) {
+    return OpenFGA.write({
+        writes: {
+            tuple_keys: [
+                {
+                    user: `team:${teamID}#member`,
+                    relation: "maintainer",
+                    object: proj(projectID),
+                },
+            ],
+        },
+    });
+}
+
+function newPermissionDenied(msg: string): ResponseError<string> {
+    return new ResponseError(ErrorCodes.PERMISSION_DENIED, msg);
+}