[server] Remove admin OTS create/use flow (#16761)

Author: easyCZ

components/server/src/config.ts

@@ -28,7 +28,6 @@ export type Config = Omit<
     | "stripeConfigFile"
     | "licenseFile"
     | "patSigningKeyFile"
-    | "adminLoginKeyFile"
 > & {
     hostUrl: GitpodHostUrl;
     workspaceDefaults: WorkspaceDefaults;
@@ -151,7 +150,6 @@ export interface ConfigSerialized {
 
     showSetupModal: boolean;
 
-    adminLoginKeyFile?: string;
     admin: {
         grantFirstUserAdminRole: boolean;
         credentialsPath: string;
@@ -331,15 +329,6 @@ export namespace ConfigFile {
             }
         }
 
-        let adminLoginKey: string | undefined = undefined;
-        if (config.adminLoginKeyFile) {
-            try {
-                adminLoginKey = fs.readFileSync(filePathTelepresenceAware(config.adminLoginKeyFile), "utf-8").trim();
-            } catch (error) {
-                log.error("Could not load admin login key", error);
-            }
-        }
-
         return {
             ...config,
             hostUrl,
@@ -359,7 +348,6 @@ export namespace ConfigFile {
             patSigningKey,
             admin: {
                 ...config.admin,
-                loginKey: adminLoginKey,
                 credentialsPath: config.admin.credentialsPath,
             },
         };

components/server/src/installation-admin/installation-admin-controller.ts

@@ -4,31 +4,16 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
-import * as crypto from "crypto";
 import { injectable, inject } from "inversify";
 import * as express from "express";
 import * as opentracing from "opentracing";
 import { InstallationAdminTelemetryDataProvider } from "./telemetry-data-provider";
-import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
-import { OneTimeSecretServer } from "../one-time-secret-server";
-import { TraceContext } from "@gitpod/gitpod-protocol/lib/util/tracing";
-import { BUILTIN_INSTLLATION_ADMIN_USER_ID, UserDB } from "@gitpod/gitpod-db/lib/user-db";
-import { Config } from "../config";
 
 @injectable()
 export class InstallationAdminController {
     @inject(InstallationAdminTelemetryDataProvider)
     protected readonly telemetryDataProvider: InstallationAdminTelemetryDataProvider;
 
-    @inject(OneTimeSecretServer)
-    protected readonly otsServer: OneTimeSecretServer;
-
-    @inject(Config)
-    protected readonly config: Config;
-
-    @inject(UserDB)
-    protected readonly userDb: UserDB;
-
     public create(): express.Application {
         const app = express();
 
@@ -43,46 +28,6 @@ export class InstallationAdminController {
             }
         });
 
-        const adminUserCreateLoginTokenRoute = "/admin-user/login-token/create";
-        app.post(adminUserCreateLoginTokenRoute, async (req: express.Request, res: express.Response) => {
-            const span = TraceContext.startSpan(adminUserCreateLoginTokenRoute);
-            const ctx = { span };
-
-            log.info(`${adminUserCreateLoginTokenRoute} received.`);
-            try {
-                // In case there is no/an empty key specified: Nobody should be able to call this so they are not able to guess values here
-                if (!this.config.admin.loginKey) {
-                    throw new Error("Cannot handle request");
-                }
-
-                // Unblock the admin-user: it's blocked initially!
-                const user = await this.userDb.findUserById(BUILTIN_INSTLLATION_ADMIN_USER_ID);
-                if (!user) {
-                    throw new Error("Cannot find builtin admin-user");
-                }
-                user.blocked = false;
-                await this.userDb.storeUser(user);
-
-                // Create a fresh token
-                // TODO(gpl): Would be nice if we could invalidate all other tokens here!
-                const secretHash = crypto
-                    .createHash("sha256")
-                    .update(BUILTIN_INSTLLATION_ADMIN_USER_ID + this.config.admin.loginKey)
-                    .digest("hex");
-                const oneDay = new Date();
-                oneDay.setDate(oneDay.getDate() + 1);
-                const ots = await this.otsServer.serveToken(ctx, secretHash, oneDay);
-
-                res.send(ots.token).status(200);
-                log.info(`${adminUserCreateLoginTokenRoute} done.`);
-            } catch (err) {
-                TraceContext.setError(ctx, err);
-                span.finish();
-                log.error(`${adminUserCreateLoginTokenRoute} error`, err);
-                res.sendStatus(500);
-            }
-        });
-
         return app;
     }
 }

components/server/src/user/user-controller.ts

@@ -190,38 +190,6 @@ export class UserController {
             }
         });
 
-        router.get(
-            "/login/ots/admin-user/:key",
-            loginUserWithOts(async (req: express.Request, res: express.Response, user: User, secret: string) => {
-                // In case there is no/an empty key specified: Nobody should be able to call this so they are not able to guess values here
-                if (!this.config.admin.loginKey) {
-                    throw new ResponseError(500, "No admin login key configured, cannot login as admin-user");
-                }
-
-                // Counterpart is here: https://github.com/gitpod-io/gitpod/blob/478a75e744a642d9b764de37cfae655bc8b29dd5/components/server/src/installation-admin/installation-admin-controller.ts#L38
-                const secretHash = crypto
-                    .createHash("sha256")
-                    .update(user.id + this.config.admin.loginKey)
-                    .digest("hex");
-                if (secretHash !== secret) {
-                    throw new ResponseError(401, "OTS secret not verified");
-                }
-
-                // Login this user (sets cookie as side-effect)
-                await new Promise<void>((resolve, reject) => {
-                    req.login(user, (err) => {
-                        if (err) {
-                            reject(err);
-                        } else {
-                            resolve();
-                        }
-                    });
-                });
-
-                // Simply redirect to the app for now
-                res.redirect("/orgs/new", 307);
-            }, BUILTIN_INSTLLATION_ADMIN_USER_ID),
-        );
         router.get(
             "/login/ots/:userId/:key",
             loginUserWithOts(async (req: express.Request, res: express.Response, user: User, secret: string) => {

install/installer/pkg/components/server/configmap.go

@@ -303,8 +303,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 			GrantFirstUserAdminRole: true, // existing default
 			CredentialsPath:         adminCredentialsPath,
 		},
-		AdminLoginKeyFile: AdminLoginKeyFile(ctx),
-		ShowSetupModal:    showSetupModal,
+		ShowSetupModal: showSetupModal,
 	}
 
 	fc, err := common.ToJSONString(scfg)
@@ -328,13 +327,6 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 	}, nil
 }
 
-func AdminLoginKeyFile(ctx *common.RenderContext) string {
-	if ctx.Config.AdminLoginSecret == nil {
-		return ""
-	}
-	return fmt.Sprintf("%s/%s", AdminSecretMountPath, AdminSecretLoginKeyName)
-}
-
 func getPersonalAccessTokenSigningKey(cfg *experimental.Config) (corev1.Volume, corev1.VolumeMount, string, bool) {
 	var volume corev1.Volume
 	var mount corev1.VolumeMount

install/installer/pkg/components/server/constants.go

@@ -25,9 +25,6 @@ const (
 	DebugNodePortName                      = "debugnode"
 	ServicePort                            = 3000
 	personalAccessTokenSigningKeyMountPath = "/secrets/personal-access-token-signing-key"
-	AdminSecretName                        = "server-admin-secret"
-	AdminSecretLoginKeyName                = "login-key"
-	AdminSecretMountPath                   = "/admin"
 
 	AdminCredentialsSecretName      = "admin-credentials"
 	AdminCredentialsSecretMountPath = "/credentials/admin"

install/installer/pkg/components/server/deployment.go

@@ -318,23 +318,6 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 		})
 	}
 
-	// admin secret
-	if ctx.Config.AdminLoginSecret != nil {
-		volumes = append(volumes, corev1.Volume{
-			Name: "admin-login-key",
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: ctx.Config.AdminLoginSecret.Name,
-				},
-			},
-		})
-		volumeMounts = append(volumeMounts, corev1.VolumeMount{
-			Name:      "admin-login-key",
-			MountPath: AdminSecretMountPath,
-			ReadOnly:  true,
-		})
-	}
-
 	adminCredentialsVolume, adminCredentialsMount, _ := getAdminCredentials()
 	volumes = append(volumes, adminCredentialsVolume)
 	volumeMounts = append(volumeMounts, adminCredentialsMount)