[public-api] add workspaceStatus stream rpc

Author: mustard-mh

components/public-api-server/pkg/apiv1/workspace.go

@@ -51,7 +51,7 @@ func (s *WorkspaceService) GetWorkspace(ctx context.Context, req *connect.Reques
 		return nil, proxy.ConvertError(err)
 	}
 
-	instance, err := convertWorkspaceInstance(workspace)
+	instance, err := convertWorkspaceInstance(workspace.LatestInstance, workspace.Workspace.Shareable)
 	if err != nil {
 		logger.WithError(err).Error("Failed to convert workspace instance.")
 		instance = &v1.WorkspaceInstance{}
@@ -77,6 +77,52 @@ func (s *WorkspaceService) GetWorkspace(ctx context.Context, req *connect.Reques
 	}), nil
 }
 
+func (s *WorkspaceService) StreamWorkspaceStatus(ctx context.Context, req *connect.Request[v1.StreamWorkspaceStatusRequest], stream *connect.ServerStream[v1.StreamWorkspaceStatusResponse]) error {
+	workspaceID, err := validateWorkspaceID(req.Msg.GetWorkspaceId())
+	if err != nil {
+		return err
+	}
+
+	logger := ctxlogrus.Extract(ctx).WithField("workspace_id", workspaceID)
+
+	conn, err := getConnection(ctx, s.connectionPool)
+	if err != nil {
+		return err
+	}
+
+	workspace, err := conn.GetWorkspace(ctx, workspaceID)
+	if err != nil {
+		logger.WithError(err).Error("Failed to get workspace.")
+		return proxy.ConvertError(err)
+	}
+
+	if workspace.LatestInstance == nil {
+		logger.WithError(err).Error("Failed to get latest instance.")
+		return connect.NewError(connect.CodeFailedPrecondition, fmt.Errorf("instance not found"))
+	}
+
+	ch, err := conn.InstanceUpdates(ctx, workspace.LatestInstance.ID)
+	if err != nil {
+		logger.WithError(err).Error("Failed to get workspace instance updates.")
+		return proxy.ConvertError(err)
+	}
+
+	for update := range ch {
+		instance, err := convertWorkspaceInstance(update, workspace.Workspace.Shareable)
+		if err != nil {
+			logger.WithError(err).Error("Failed to convert workspace instance.")
+			return proxy.ConvertError(err)
+		}
+		_ = stream.Send(&v1.StreamWorkspaceStatusResponse{
+			Result: &v1.WorkspaceStatus{
+				Instance: instance,
+			},
+		})
+	}
+
+	return nil
+}
+
 func (s *WorkspaceService) GetOwnerToken(ctx context.Context, req *connect.Request[v1.GetOwnerTokenRequest]) (*connect.Response[v1.GetOwnerTokenResponse], error) {
 	workspaceID, err := validateWorkspaceID(req.Msg.GetWorkspaceId())
 	if err != nil {
@@ -230,7 +276,7 @@ func getLimitFromPagination(pagination *v1.Pagination) (int, error) {
 
 // convertWorkspaceInfo convers a "protocol workspace" to a "public API workspace". Returns gRPC errors if things go wrong.
 func convertWorkspaceInfo(input *protocol.WorkspaceInfo) (*v1.Workspace, error) {
-	instance, err := convertWorkspaceInstance(input)
+	instance, err := convertWorkspaceInstance(input.LatestInstance, input.Workspace.Shareable)
 	if err != nil {
 		return nil, err
 	}
@@ -252,8 +298,7 @@ func convertWorkspaceInfo(input *protocol.WorkspaceInfo) (*v1.Workspace, error)
 	}, nil
 }
 
-func convertWorkspaceInstance(input *protocol.WorkspaceInfo) (*v1.WorkspaceInstance, error) {
-	wsi := input.LatestInstance
+func convertWorkspaceInstance(wsi *protocol.WorkspaceInstance, shareable bool) (*v1.WorkspaceInstance, error) {
 	if wsi == nil {
 		return nil, nil
 	}
@@ -292,7 +337,7 @@ func convertWorkspaceInstance(input *protocol.WorkspaceInfo) (*v1.WorkspaceInsta
 	}
 
 	var admissionLevel v1.AdmissionLevel
-	if input.Workspace.Shareable {
+	if shareable {
 		admissionLevel = v1.AdmissionLevel_ADMISSION_LEVEL_EVERYONE
 	} else {
 		admissionLevel = v1.AdmissionLevel_ADMISSION_LEVEL_OWNER_ONLY

components/public-api-server/pkg/apiv1/workspace_test.go

@@ -349,6 +349,120 @@ func TestWorkspaceService_ListWorkspaces(t *testing.T) {
 	}
 }
 
+func TestWorkspaceService_StreamWorkspaceStatus(t *testing.T) {
+	const (
+		workspaceID = "easycz-seer-xl8o1zacpyw"
+		instanceID  = "f2effcfd-3ddb-4187-b584-256e88a42442"
+		ownerToken  = "some-owner-token"
+	)
+
+	t.Run("not found when workspace does not exist", func(t *testing.T) {
+		serverMock, client := setupWorkspacesService(t)
+
+		serverMock.EXPECT().GetWorkspace(gomock.Any(), workspaceID).Return(nil, &jsonrpc2.Error{
+			Code:    404,
+			Message: "not found",
+		})
+
+		resp, _ := client.StreamWorkspaceStatus(context.Background(), connect.NewRequest(&v1.StreamWorkspaceStatusRequest{
+			WorkspaceId: workspaceID,
+		}))
+
+		resp.Receive()
+
+		require.Error(t, resp.Err())
+		require.Equal(t, connect.CodeNotFound, connect.CodeOf(resp.Err()))
+	})
+
+	t.Run("returns a workspace status", func(t *testing.T) {
+		serverMock, client := setupWorkspacesService(t)
+
+		serverMock.EXPECT().GetWorkspace(gomock.Any(), workspaceID).Return(&workspaceTestData[0].Protocol, nil)
+		serverMock.EXPECT().InstanceUpdates(gomock.Any(), instanceID).DoAndReturn(func(ctx context.Context, instanceID string) (<-chan *protocol.WorkspaceInstance, error) {
+			ch := make(chan *protocol.WorkspaceInstance)
+			go func() {
+				ch <- workspaceTestData[0].Protocol.LatestInstance
+			}()
+			go func() {
+				<-ctx.Done()
+				close(ch)
+			}()
+			return ch, nil
+		})
+
+		ctx, cancel := context.WithCancel(context.Background())
+		resp, err := client.StreamWorkspaceStatus(ctx, connect.NewRequest(&v1.StreamWorkspaceStatusRequest{
+			WorkspaceId: workspaceID,
+		}))
+
+		require.NoError(t, err)
+
+		resp.Receive()
+		cancel()
+
+		requireEqualProto(t, workspaceTestData[0].API.Status, resp.Msg().Result)
+	})
+}
+
+func TestClientServerStreamInterceptor(t *testing.T) {
+	testInterceptor := &TestInterceptor{
+		expectedToken: "auth-token",
+		t:             t,
+	}
+
+	ctrl := gomock.NewController(t)
+	t.Cleanup(ctrl.Finish)
+
+	serverMock := protocol.NewMockAPIInterface(ctrl)
+
+	svc := NewWorkspaceService(&FakeServerConnPool{
+		api: serverMock,
+	})
+
+	_, handler := v1connect.NewWorkspacesServiceHandler(svc, connect.WithInterceptors(auth.NewServerInterceptor(), testInterceptor))
+
+	srv := httptest.NewServer(handler)
+	t.Cleanup(srv.Close)
+
+	client := v1connect.NewWorkspacesServiceClient(http.DefaultClient, srv.URL, connect.WithInterceptors(
+		auth.NewClientInterceptor("auth-token"),
+		testInterceptor,
+	))
+
+	resp, _ := client.StreamWorkspaceStatus(context.Background(), connect.NewRequest(&v1.StreamWorkspaceStatusRequest{
+		WorkspaceId: "",
+	}))
+
+	resp.Close()
+}
+
+type TestInterceptor struct {
+	expectedToken string
+	t             *testing.T
+}
+
+func (ti *TestInterceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {
+	return func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {
+		return next(ctx, req)
+	}
+}
+
+func (ti *TestInterceptor) WrapStreamingClient(next connect.StreamingClientFunc) connect.StreamingClientFunc {
+	return func(ctx context.Context, spec connect.Spec) connect.StreamingClientConn {
+		token, _ := auth.TokenFromContext(ctx)
+		require.Equal(ti.t, ti.expectedToken, token.Value)
+		return next(ctx, spec)
+	}
+}
+
+func (ti *TestInterceptor) WrapStreamingHandler(next connect.StreamingHandlerFunc) connect.StreamingHandlerFunc {
+	return func(ctx context.Context, conn connect.StreamingHandlerConn) error {
+		token, _ := auth.TokenFromContext(ctx)
+		require.Equal(ti.t, ti.expectedToken, token.Value)
+		return next(ctx, conn)
+	}
+}
+
 type workspaceTestDataEntry struct {
 	Name     string
 	Protocol protocol.WorkspaceInfo

components/public-api-server/pkg/auth/middleware.go

@@ -11,25 +11,50 @@ import (
 	"github.com/bufbuild/connect-go"
 )
 
-// NewServerInterceptor creates a server-side interceptor which validates that an incoming request contains a Bearer Authorization header
-func NewServerInterceptor() connect.UnaryInterceptorFunc {
-	interceptor := func(next connect.UnaryFunc) connect.UnaryFunc {
-		return connect.UnaryFunc(func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {
+type AuthInterceptor struct {
+	accessToken string
+}
 
-			if req.Spec().IsClient {
-				return next(ctx, req)
-			}
+func (a *AuthInterceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {
+	return connect.UnaryFunc(func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {
+		if req.Spec().IsClient {
+			ctx = TokenToContext(ctx, NewAccessToken(a.accessToken))
+
+			req.Header().Add(authorizationHeaderKey, bearerPrefix+a.accessToken)
+			return next(ctx, req)
+		}
 
-			token, err := tokenFromRequest(ctx, req)
-			if err != nil {
-				return nil, err
-			}
+		token, err := tokenFromRequest(ctx, req)
+		if err != nil {
+			return nil, err
+		}
 
-			return next(TokenToContext(ctx, token), req)
-		})
+		return next(TokenToContext(ctx, token), req)
+	})
+}
+
+func (a *AuthInterceptor) WrapStreamingClient(next connect.StreamingClientFunc) connect.StreamingClientFunc {
+	return func(ctx context.Context, s connect.Spec) connect.StreamingClientConn {
+		ctx = TokenToContext(ctx, NewAccessToken(a.accessToken))
+		conn := next(ctx, s)
+		conn.RequestHeader().Add(authorizationHeaderKey, bearerPrefix+a.accessToken)
+		return conn
 	}
+}
 
-	return connect.UnaryInterceptorFunc(interceptor)
+func (a *AuthInterceptor) WrapStreamingHandler(next connect.StreamingHandlerFunc) connect.StreamingHandlerFunc {
+	return func(ctx context.Context, conn connect.StreamingHandlerConn) error {
+		token, err := tokenFromConn(ctx, conn)
+		if err != nil {
+			return err
+		}
+		return next(TokenToContext(ctx, token), conn)
+	}
+}
+
+// NewServerInterceptor creates a server-side interceptor which validates that an incoming request contains a Bearer Authorization header
+func NewServerInterceptor() connect.Interceptor {
+	return &AuthInterceptor{}
 }
 
 func tokenFromRequest(ctx context.Context, req connect.AnyRequest) (Token, error) {
@@ -48,21 +73,25 @@ func tokenFromRequest(ctx context.Context, req connect.AnyRequest) (Token, error
 	return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("No access token or cookie credentials available on request."))
 }
 
-// NewClientInterceptor creates a client-side interceptor which injects token as a Bearer Authorization header
-func NewClientInterceptor(accessToken string) connect.UnaryInterceptorFunc {
-	interceptor := func(next connect.UnaryFunc) connect.UnaryFunc {
-		return connect.UnaryFunc(func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {
-
-			if !req.Spec().IsClient {
-				return next(ctx, req)
-			}
+func tokenFromConn(ctx context.Context, conn connect.StreamingHandlerConn) (Token, error) {
+	headers := conn.RequestHeader()
 
-			ctx = TokenToContext(ctx, NewAccessToken(accessToken))
+	bearerToken, err := BearerTokenFromHeaders(headers)
+	if err == nil {
+		return NewAccessToken(bearerToken), nil
+	}
 
-			req.Header().Add(authorizationHeaderKey, bearerPrefix+accessToken)
-			return next(ctx, req)
-		})
+	cookie := conn.RequestHeader().Get("Cookie")
+	if cookie != "" {
+		return NewCookieToken(cookie), nil
 	}
 
-	return connect.UnaryInterceptorFunc(interceptor)
+	return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("No access token or cookie credentials available on request."))
+}
+
+// NewClientInterceptor creates a client-side interceptor which injects token as a Bearer Authorization header
+func NewClientInterceptor(accessToken string) connect.Interceptor {
+	return &AuthInterceptor{
+		accessToken: accessToken,
+	}
 }

components/public-api-server/pkg/auth/middleware_test.go

@@ -60,7 +60,8 @@ func TestNewServerInterceptor(t *testing.T) {
 				request.Header().Add(header.Key, header.Value)
 			}
 
-			resp, err := NewServerInterceptor()(handler)(ctx, request)
+			interceptor := NewServerInterceptor()
+			resp, err := interceptor.WrapUnary(handler)(ctx, request)
 
 			require.Equal(t, s.ExpectedError, err)
 			if err == nil {

components/public-api/gitpod/experimental/v1/workspaces.proto

@@ -16,6 +16,9 @@ service WorkspacesService {
     // GetWorkspace returns a single workspace.
     rpc GetWorkspace(GetWorkspaceRequest) returns (GetWorkspaceResponse) {}
 
+    // StreamWorkspaceStatus returns workspace status once it changed.
+    rpc StreamWorkspaceStatus(StreamWorkspaceStatusRequest) returns (stream StreamWorkspaceStatusResponse) {}
+
     // GetOwnerToken returns an owner token.
     rpc GetOwnerToken(GetOwnerTokenRequest) returns (GetOwnerTokenResponse) {}
 
@@ -53,6 +56,14 @@ message GetWorkspaceResponse {
     Workspace result = 1;
 }
 
+message StreamWorkspaceStatusRequest {
+    string workspace_id = 1;
+}
+
+message StreamWorkspaceStatusResponse {
+    WorkspaceStatus result = 1;
+}
+
 message GetOwnerTokenRequest {
     string workspace_id = 1;
 }