dev 2

Author: geropl

components/gitpod-protocol/src/attribution.ts

@@ -0,0 +1,48 @@
+/**
+ * Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+export type AttributionId = UserAttributionId | TeamAttributionId;
+export type AttributionTarget = "user" | "team";
+
+export interface UserAttributionId {
+    kind: "user";
+    userId: string;
+}
+export interface TeamAttributionId {
+    kind: "team";
+    teamId: string;
+}
+
+export namespace AttributionId {
+    const SEPARATOR = ":";
+
+    export function parse(s: string): UserAttributionId | TeamAttributionId | undefined {
+        if (!s) {
+            return undefined;
+        }
+        const parts = s.split(":");
+        if (parts.length !== 2) {
+            return undefined;
+        }
+        switch (parts[0]) {
+            case "user":
+                return { kind: "user", userId: parts[1] };
+            case "team":
+                return { kind: "team", teamId: parts[1] };
+            default:
+                return undefined;
+        }
+    }
+
+    export function render(id: AttributionId): string {
+        switch (id.kind) {
+            case "user":
+                return `user${SEPARATOR}${id.userId}`;
+            case "team":
+                return `team${SEPARATOR}${id.teamId}`;
+        }
+    }
+}

components/server/ee/src/workspace/gitpod-server-impl.ts

@@ -2069,7 +2069,13 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
 
         // TODO(gpl) We need a GuardedCostCenter to authorize access to reports
         // const costCenter = await this.costCenterDB.findByAttributionId(attributionId);
-        // await this.guardAccess({ kind: "GuardedCostCenter", subject: costCenter }, "get");
+        Attribution;
+        const team = await this.teamDB.findTeamById(teamId);
+        if (!team) {
+            throw new ResponseError(ErrorCodes.NOT_FOUND, "Team not found");
+        }
+        const members = await this.teamDB.findMembersByTeam(team.id);
+        await this.guardAccess({ kind: "costCenter", /*subject: costCenter,*/ team, members }, "get");
 
         const usageClient = this.usageServiceClientProvider.getDefault();
         const response = await usageClient.getBilledUsage(ctx, attributionId);

components/server/src/auth/resource-access.spec.ts

@@ -23,7 +23,7 @@ import {
     SharedWorkspaceAccessGuard,
 } from "./resource-access";
 import { PrebuiltWorkspace, User, UserEnvVar, Workspace, WorkspaceType } from "@gitpod/gitpod-protocol/lib/protocol";
-import { TeamMemberInfo, TeamMemberRole, WorkspaceInstance } from "@gitpod/gitpod-protocol";
+import { Team, TeamMemberInfo, TeamMemberRole, WorkspaceInstance } from "@gitpod/gitpod-protocol";
 import { HostContextProvider } from "./host-context-provider";
 
 class MockedRepositoryResourceGuard extends RepositoryResourceGuard {
@@ -233,6 +233,108 @@ class TestResourceAccess {
         }
     }
 
+    @test public async costCenterResourceGuard() {
+        const createUser = (): User => {
+            return {
+                id: "123",
+                name: "testuser",
+                creationDate: new Date(2000, 1, 1).toISOString(),
+                identities: [
+                    {
+                        authId: "123",
+                        authName: "testuser",
+                        authProviderId: "github.com",
+                    },
+                ],
+            };
+        };
+
+        const tests: {
+            name: string;
+            teamRole: TeamMemberRole | undefined;
+            operation: ResourceAccessOp;
+            expectation: boolean;
+        }[] = [
+            {
+                name: "member - get",
+                teamRole: "member",
+                operation: "get",
+                expectation: false,
+            },
+            {
+                name: "member - update",
+                teamRole: "member",
+                operation: "update",
+                expectation: false,
+            },
+            {
+                name: "member - update",
+                teamRole: "member",
+                operation: "create",
+                expectation: false,
+            },
+            {
+                name: "member - delete",
+                teamRole: "member",
+                operation: "delete",
+                expectation: false,
+            },
+            {
+                name: "team owner - get",
+                teamRole: "owner",
+                operation: "get",
+                expectation: true,
+            },
+            {
+                name: "team owner - update",
+                teamRole: "owner",
+                operation: "update",
+                expectation: true,
+            },
+            {
+                name: "team owner - update",
+                teamRole: "owner",
+                operation: "create",
+                expectation: true,
+            },
+            {
+                name: "team owner - delete",
+                teamRole: "owner",
+                operation: "delete",
+                expectation: true,
+            },
+        ];
+
+        for (const t of tests) {
+            const user = createUser();
+            const team: Team = {
+                id: "team-123",
+                name: "test-team",
+                creationTime: user.creationDate,
+                slug: "test-team",
+            };
+            const resourceGuard = new CompositeResourceAccessGuard([
+                new OwnerResourceGuard(user.id),
+                new TeamMemberResourceGuard(user.id),
+                new SharedWorkspaceAccessGuard(),
+                new MockedRepositoryResourceGuard(true),
+            ]);
+            const teamMembers: TeamMemberInfo[] = [];
+            if (!!t.teamRole) {
+                teamMembers.push({
+                    userId: user.id,
+                    role: t.teamRole,
+                    memberSince: user.creationDate,
+                });
+            }
+            const actual = await resourceGuard.canAccess({ kind: "costCenter", team, members: teamMembers }, "get");
+            expect(actual).to.be.eq(
+                t.expectation,
+                `"${t.name}" expected canAccess(resource, "${t.operation}") === ${t.expectation}, but was ${actual}`,
+            );
+        }
+    }
+
     @test public async tokenResourceGuardCanAccess() {
         const workspaceResource: GuardedResource = {
             kind: "workspace",

components/server/src/auth/resource-access.ts

@@ -37,6 +37,7 @@ export type GuardedResource =
     | GuardedContentBlob
     | GuardEnvVar
     | GuardedTeam
+    | GuardedCostCenter
     | GuardedWorkspaceLog
     | GuardedPrebuild;
 
@@ -51,6 +52,7 @@ const ALL_GUARDED_RESOURCE_KINDS = new Set<GuardedResourceKind>([
     "contentBlob",
     "envVar",
     "team",
+    "costCenter",
     "workspaceLog",
 ]);
 export function isGuardedResourceKind(kind: any): kind is GuardedResourceKind {
@@ -104,6 +106,13 @@ export interface GuardedTeam {
     members: TeamMemberInfo[];
 }
 
+export interface GuardedCostCenter {
+    kind: "costCenter";
+    //subject: CostCenter;
+    team: Team;
+    members: TeamMemberInfo[];
+}
+
 export interface GuardedGitpodToken {
     kind: "gitpodToken";
     subject: GitpodToken;
@@ -165,6 +174,10 @@ export class TeamMemberResourceGuard implements ResourceAccessGuard {
                 return await this.hasAccessToWorkspace(resource.subject, resource.teamMembers);
             case "prebuild":
                 return !!resource.teamMembers?.some((m) => m.userId === this.userId);
+            case "costCenter":
+                // TODO(gpl) We should check whether we're looking at the right team for the right CostCenter here!
+                // Only team "owners" are allowed to do anything with CostCenters
+                return resource.members.filter((m) => m.role === "owner").some((m) => m.userId === this.userId);
         }
         return false;
     }
@@ -218,6 +231,9 @@ export class OwnerResourceGuard implements ResourceAccessGuard {
                         // Only owners can update or delete a team.
                         return resource.members.some((m) => m.userId === this.userId && m.role === "owner");
                 }
+            case "costCenter":
+                // CostCenter does not have a single "owner" but is owned by a team
+                return false;
             case "workspaceLog":
                 return resource.subject.ownerId === this.userId;
             case "prebuild":

components/server/src/user/user-service.ts

@@ -27,6 +27,7 @@ import { TermsProvider } from "../terms/terms-provider";
 import { TokenService } from "./token-service";
 import { EmailAddressAlreadyTakenException, SelectAccountException } from "../auth/errors";
 import { SelectAccountPayload } from "@gitpod/gitpod-protocol/lib/auth";
+import { AttributionId } from "@gitpod/gitpod-protocol/lib/attribution";
 
 export interface FindUserByIdentityStrResult {
     user: User;
@@ -226,7 +227,7 @@ export class UserService {
         if (this.config.enablePayment) {
             if (!user.additionalData?.usageAttributionId) {
                 // No explicit user attribution ID yet -- attribute all usage to the user by default (regardless of project/team).
-                return `user:${user.id}`;
+                return AttributionId.render({ kind: "user", userId: user.id });
             }
             // Return the user's explicit attribution ID.
             return user.additionalData.usageAttributionId;
@@ -235,15 +236,15 @@ export class UserService {
         // B. Project-based attribution
         if (!projectId) {
             // No project -- attribute to the user.
-            return `user:${user.id}`;
+            return AttributionId.render({ kind: "user", userId: user.id });
         }
         const project = await this.projectDb.findProjectById(projectId);
         if (!project?.teamId) {
             // The project doesn't exist, or it isn't owned by a team -- attribute to the user.
-            return `user:${user.id}`;
+            return AttributionId.render({ kind: "user", userId: user.id });
         }
         // Attribute workspace usage to the team that currently owns this project.
-        return `team:${project.teamId}`;
+        return AttributionId.render({ kind: "team", teamId: project.teamId });
     }
 
     /**