[server] Extend guardTeamResource with fine-grained ops

Author: easyCZ

components/server/src/authorization/perms.ts

@@ -0,0 +1,28 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+export type OrganizationOperation =
+    // Not yet implemented operation time. This exists such that we can be explicit about what
+    // we have not yet migrated to fine-grained-permissions.
+    | "not_implemented"
+
+    // Ability to perform read actions an Organization, and all sub-resources of the organization.
+    | "org_read"
+    // Ability to perform write actions an Organization, and all sub-resources of the organization.
+    | "org_write"
+
+    // Ability to read Team metadata - name, ID, but no members.
+    | "org_metadata_read"
+
+    // Ability to access information about team members.
+    | "org_members_read"
+    // Ability to add, or remove, team members.
+    | "org_members_write"
+
+    // Ability to read projects in an Organization.
+    | "org_project_read"
+    // Ability to create/update/delete projects in an Organization.
+    | "org_project_write";

components/server/src/workspace/gitpod-server-impl.ts

@@ -180,7 +180,11 @@ import * as grpc from "@grpc/grpc-js";
 import { CachingBlobServiceClientProvider } from "../util/content-service-sugar";
 import { CostCenterJSON } from "@gitpod/gitpod-protocol/lib/usage";
 import { createCookielessId, maskIp } from "../analytics";
-import { ConfigCatClientFactory } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
+import {
+    ConfigCatClientFactory,
+    getExperimentsClientForBackend,
+} from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
+import { OrganizationOperation } from "../authorization/perms";
 
 // shortcut
 export const traceWI = (ctx: TraceContext, wi: Omit<LogContext, "userId">) => TraceContext.setOWI(ctx, wi); // userId is already taken care of in WebsocketConnectionManager
@@ -2033,11 +2037,26 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     protected async guardTeamOperation(
         teamId: string,
         op: ResourceAccessOp,
+        fineGrainedOps: OrganizationOperation[],
     ): Promise<{ team: Team; members: TeamMemberInfo[] }> {
         if (!uuidValidate(teamId)) {
             throw new ResponseError(ErrorCodes.BAD_REQUEST, "organization ID must be a valid UUID");
         }
 
+        const user = this.checkUser();
+        const centralizedPermissionsEnabled = await getExperimentsClientForBackend().getValueAsync(
+            "centralizedPermissions",
+            false,
+            {
+                user: user,
+                teamId: teamId,
+            },
+        );
+
+        if (centralizedPermissionsEnabled) {
+            log.info("[perms] Checking team operations.", { org: teamId, operations: fineGrainedOps, user: user.id });
+        }
+
         const team = await this.teamDB.findTeamById(teamId);
         if (!team) {
             // We return Permission Denied because we don't want to leak the existence, or not of the Organization.
@@ -2060,15 +2079,15 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         this.checkAndBlockUser("getTeam");
 
-        const { team } = await this.guardTeamOperation(teamId, "get");
+        const { team } = await this.guardTeamOperation(teamId, "get", ["org_members_read"]);
         return team;
     }
 
     public async updateTeam(ctx: TraceContext, teamId: string, team: Pick<Team, "name">): Promise<Team> {
         traceAPIParams(ctx, { teamId });
         this.checkUser("updateTeam");
 
-        await this.guardTeamOperation(teamId, "update");
+        await this.guardTeamOperation(teamId, "update", ["org_write"]);
 
         const updatedTeam = await this.teamDB.updateTeam(teamId, team);
         return updatedTeam;
@@ -2077,7 +2096,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     public async getTeamMembers(ctx: TraceContext, teamId: string): Promise<TeamMemberInfo[]> {
         traceAPIParams(ctx, { teamId });
 
-        const { members } = await this.guardTeamOperation(teamId, "get");
+        const { members } = await this.guardTeamOperation(teamId, "get", ["org_members_read"]);
 
         return members;
     }
@@ -2148,7 +2167,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         }
 
         this.checkAndBlockUser("setTeamMemberRole");
-        await this.guardTeamOperation(teamId, "update");
+        await this.guardTeamOperation(teamId, "update", ["org_members_write"]);
 
         await this.teamDB.setTeamMemberRole(userId, teamId, role);
     }
@@ -2161,8 +2180,15 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         }
 
         const user = this.checkAndBlockUser("removeTeamMember");
-        // Users are free to leave any team themselves, but only owners can remove others from their teams.
-        await this.guardTeamOperation(teamId, user.id === userId ? "get" : "update");
+        // The user is leaving a team, if they are removing themselves from the team.
+        const userLeavingTeam = user.id === userId;
+
+        if (userLeavingTeam) {
+            await this.guardTeamOperation(teamId, "update", ["not_implemented"]);
+        } else {
+            await this.guardTeamOperation(teamId, "get", ["org_members_write"]);
+        }
+
         const membership = await this.teamDB.findTeamMembership(userId, teamId);
         if (!membership) {
             throw new Error(`Could not find membership for user '${userId}' in organization '${teamId}'`);
@@ -2183,7 +2209,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         traceAPIParams(ctx, { teamId });
 
         this.checkUser("getGenericInvite");
-        await this.guardTeamOperation(teamId, "get");
+        await this.guardTeamOperation(teamId, "get", ["org_members_write"]);
 
         const invite = await this.teamDB.findGenericInviteByTeamId(teamId);
         if (invite) {
@@ -2196,7 +2222,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         traceAPIParams(ctx, { teamId });
 
         this.checkAndBlockUser("resetGenericInvite");
-        await this.guardTeamOperation(teamId, "update");
+        await this.guardTeamOperation(teamId, "update", ["org_members_write"]);
         return this.teamDB.resetGenericInvite(teamId);
     }
 
@@ -2213,7 +2239,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
             }
         } else {
             // Anyone who can read a team's information (i.e. any team member) can manage team projects
-            await this.guardTeamOperation(project.teamId || "", "get");
+            await this.guardTeamOperation(project.teamId || "", "get", ["not_implemented"]);
         }
     }
 
@@ -2240,7 +2266,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
             }
         } else {
             // Anyone who can read a team's information (i.e. any team member) can create a new project.
-            await this.guardTeamOperation(params.teamId || "", "get");
+            await this.guardTeamOperation(params.teamId || "", "get", ["not_implemented"]);
         }
 
         return this.projectsService.createProject(params, user);
@@ -2265,7 +2291,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         const user = this.checkAndBlockUser("deleteTeam");
         traceAPIParams(ctx, { teamId, userId: user.id });
 
-        await this.guardTeamOperation(teamId, "delete");
+        await this.guardTeamOperation(teamId, "delete", ["org_write"]);
 
         const teamProjects = await this.projectsService.getTeamProjects(teamId);
         teamProjects.forEach((project) => {
@@ -2298,7 +2324,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         this.checkUser("getTeamProjects");
 
-        await this.guardTeamOperation(teamId, "get");
+        await this.guardTeamOperation(teamId, "get", ["not_implemented"]);
         return this.projectsService.getTeamProjects(teamId);
     }
 
@@ -2921,7 +2947,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         }
 
         // Ensure user can perform this operation on this organization
-        await this.guardTeamOperation(newProvider.organizationId, "create");
+        await this.guardTeamOperation(newProvider.organizationId, "create", ["org_write"]);
 
         try {
             // on creating we're are checking for already existing runtime providers
@@ -2969,7 +2995,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         await this.guardWithFeatureFlag("orgGitAuthProviders", providerUpdate.organizationId);
 
-        await this.guardTeamOperation(providerUpdate.organizationId, "update");
+        await this.guardTeamOperation(providerUpdate.organizationId, "update", ["org_write"]);
 
         try {
             const result = await this.authProviderService.updateOrgAuthProvider(providerUpdate);
@@ -2990,7 +3016,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         await this.guardWithFeatureFlag("orgGitAuthProviders", params.organizationId);
 
-        await this.guardTeamOperation(params.organizationId, "get");
+        await this.guardTeamOperation(params.organizationId, "get", ["org_read"]);
 
         try {
             const result = await this.authProviderService.getAuthProvidersOfOrg(params.organizationId);
@@ -3021,7 +3047,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
             throw new ResponseError(ErrorCodes.NOT_FOUND, "Provider resource not found.");
         }
 
-        await this.guardTeamOperation(authProvider.organizationId || "", "delete");
+        await this.guardTeamOperation(authProvider.organizationId || "", "delete", ["org_write"]);
 
         try {
             await this.authProviderService.deleteAuthProvider(authProvider);