[server] Perform authorization checks for Orgs against spicedb

Author: easyCZ

components/server/ee/src/workspace/gitpod-server-impl.ts

@@ -1596,7 +1596,7 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
     // Team Subscriptions 2
     async getTeamSubscription(ctx: TraceContext, teamId: string): Promise<TeamSubscription2 | undefined> {
         this.checkUser("getTeamSubscription");
-        await this.guardTeamOperation(teamId, "get", ["not_implemented"]);
+        await this.guardTeamOperation(teamId, "get", "not_implemented");
         return this.teamSubscription2DB.findForTeam(teamId, new Date().toISOString());
     }
 
@@ -2098,7 +2098,7 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
 
         try {
             if (attrId.kind == "team") {
-                await this.guardTeamOperation(attrId.teamId, "get", ["not_implemented"]);
+                await this.guardTeamOperation(attrId.teamId, "get", "not_implemented");
             }
             const subscriptionId = await this.stripeService.findUncancelledSubscriptionByAttributionId(attributionId);
             return subscriptionId;
@@ -2119,7 +2119,7 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
         }
         let team: Team | undefined;
         if (attrId.kind === "team") {
-            team = (await this.guardTeamOperation(attrId.teamId, "update", ["not_implemented"])).team;
+            team = (await this.guardTeamOperation(attrId.teamId, "update", "not_implemented")).team;
             await this.ensureStripeApiIsAllowed({ team });
         } else {
             if (attrId.userId !== user.id) {
@@ -2141,7 +2141,7 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
         }
         let team: Team | undefined;
         if (attrId.kind === "team") {
-            team = (await this.guardTeamOperation(attrId.teamId, "update", ["not_implemented"])).team;
+            team = (await this.guardTeamOperation(attrId.teamId, "update", "not_implemented")).team;
             await this.ensureStripeApiIsAllowed({ team });
         } else {
             if (attrId.userId !== user.id) {
@@ -2211,7 +2211,7 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
         let team: Team | undefined;
         try {
             if (attrId.kind === "team") {
-                team = (await this.guardTeamOperation(attrId.teamId, "update", ["not_implemented"])).team;
+                team = (await this.guardTeamOperation(attrId.teamId, "update", "not_implemented")).team;
                 await this.ensureStripeApiIsAllowed({ team });
             } else {
                 await this.ensureStripeApiIsAllowed({ user });
@@ -2257,7 +2257,7 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
         if (attrId.kind === "user") {
             await this.ensureStripeApiIsAllowed({ user });
         } else if (attrId.kind === "team") {
-            const team = (await this.guardTeamOperation(attrId.teamId, "update", ["not_implemented"])).team;
+            const team = (await this.guardTeamOperation(attrId.teamId, "update", "not_implemented")).team;
             await this.ensureStripeApiIsAllowed({ team });
             returnUrl = this.config.hostUrl
                 .with(() => ({ pathname: `/org-billing`, search: `org=${team.id}` }))
@@ -2493,7 +2493,7 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
         traceAPIParams(ctx, { teamId });
 
         this.checkAndBlockUser("getBillingModeForTeam");
-        const { team } = await this.guardTeamOperation(teamId, "get", ["not_implemented"]);
+        const { team } = await this.guardTeamOperation(teamId, "get", "not_implemented");
 
         return this.billingModes.getBillingModeForTeam(team, new Date());
     }

components/server/src/authorization/checks.ts

@@ -0,0 +1,41 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { v1 } from "@authzed/authzed-node";
+import { ResourceType, SubjectType } from "./perms";
+
+const FULLY_CONSISTENT = v1.Consistency.create({
+    requirement: {
+        oneofKind: "fullyConsistent",
+        fullyConsistent: true,
+    },
+});
+
+type SubjectResourceCheckFn = (subjectID: string, resourceID: string) => v1.CheckPermissionRequest;
+
+function check(subjectT: SubjectType, op: string, resourceT: ResourceType): SubjectResourceCheckFn {
+    return (subjectID, resourceID) =>
+        v1.CheckPermissionRequest.create({
+            subject: v1.SubjectReference.create({
+                object: v1.ObjectReference.create({
+                    objectId: subjectID,
+                    objectType: subjectT,
+                }),
+            }),
+            permission: op,
+            resource: v1.ObjectReference.create({
+                objectId: resourceID,
+                objectType: resourceT,
+            }),
+            consistency: FULLY_CONSISTENT,
+        });
+}
+
+export const ReadOrganizationMetadata = check("user", "organization_metadata_read", "organization");
+export const WriteOrganizationMetadata = check("user", "organization_metadata_write", "organization");
+
+export const ReadOrganizationMembers = check("user", "organization_members_read", "organization");
+export const WriteOrganizationMembers = check("user", "organization_members_write", "organization");

components/server/src/authorization/perms.ts

@@ -4,6 +4,17 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
+import { v1 } from "@authzed/authzed-node";
+import { ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
+import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
+import { inject, injectable } from "inversify";
+import { ResponseError } from "vscode-ws-jsonrpc";
+import {
+    observespicedbClientLatency as observeSpicedbClientLatency,
+    spicedbClientLatency,
+} from "../prometheus-metrics";
+import { SpiceDBClient } from "./spicedb";
+
 export type OrganizationOperation =
     // A not yet implemented operation at this time. This exists such that we can be explicit about what
     // we have not yet migrated to fine-grained-permissions.
@@ -31,3 +42,66 @@ export type OrganizationOperation =
     | "org_authprovider_write"
     // Ability to read Organization Auth Providers.
     | "org_authprovider_read";
+
+export type ResourceType = "organization";
+
+export type SubjectType = "user";
+
+export type CheckResult = {
+    permitted: boolean;
+    err?: Error;
+    response?: v1.CheckPermissionResponse;
+};
+
+export const NotPermitted = { permitted: false };
+
+export const PermissionChecker = Symbol("PermissionChecker");
+
+export interface PermissionChecker {
+    check(req: v1.CheckPermissionRequest): Promise<CheckResult>;
+}
+
+@injectable()
+export class Authorizer implements PermissionChecker {
+    @inject(SpiceDBClient)
+    private client: SpiceDBClient;
+
+    async check(req: v1.CheckPermissionRequest): Promise<CheckResult> {
+        if (!this.client) {
+            return {
+                permitted: false,
+                err: new Error("Authorization client not available."),
+                response: v1.CheckPermissionResponse.create({}),
+            };
+        }
+
+        const timer = spicedbClientLatency.startTimer();
+        try {
+            const response = await this.client.checkPermission(req);
+            const permitted = response.permissionship === v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION;
+            const err = !permitted ? newUnathorizedError(req.resource!, req.permission, req.subject!) : undefined;
+
+            observeSpicedbClientLatency("check", req.permission, undefined, timer());
+
+            return { permitted, response, err };
+        } catch (err) {
+            log.error("[spicedb] Failed to perform authorization check.", err, { req });
+            observeSpicedbClientLatency("check", req.permission, err, timer());
+
+            throw err;
+        }
+    }
+}
+
+function newUnathorizedError(resource: v1.ObjectReference, relation: string, subject: v1.SubjectReference) {
+    return new ResponseError(
+        ErrorCodes.PERMISSION_DENIED,
+        `Subject (${objString(subject.object)}) is not permitted to perform ${relation} on resource ${objString(
+            resource,
+        )}.`,
+    );
+}
+
+function objString(obj?: v1.ObjectReference): string {
+    return `${obj?.objectType}:${obj?.objectId}`;
+}

components/server/src/container-module.ts

@@ -113,6 +113,7 @@ import { UbpResetOnCancel } from "@gitpod/gitpod-payment-endpoint/lib/chargebee/
 import { retryMiddleware } from "nice-grpc-client-middleware-retry";
 import { IamSessionApp } from "./iam/iam-session-app";
 import { spicedbClientFromEnv, SpiceDBClient } from "./authorization/spicedb";
+import { Authorizer, PermissionChecker } from "./authorization/perms";
 
 export const productionContainerModule = new ContainerModule((bind, unbind, isBound, rebind) => {
     bind(Config).toConstantValue(ConfigFile.fromFile());
@@ -313,4 +314,5 @@ export const productionContainerModule = new ContainerModule((bind, unbind, isBo
     bind(SpiceDBClient)
         .toDynamicValue(() => spicedbClientFromEnv())
         .inSingletonScope();
+    bind(PermissionChecker).to(Authorizer).inSingletonScope();
 });

components/server/src/prometheus-metrics.ts

@@ -22,6 +22,8 @@ export function registerServerMetrics(registry: prometheusClient.Registry) {
     registry.registerMetric(stripeClientRequestsCompletedDurationSeconds);
     registry.registerMetric(imageBuildsStartedTotal);
     registry.registerMetric(imageBuildsCompletedTotal);
+    registry.registerMetric(centralizedPermissionsValidationsTotal);
+    registry.registerMetric(spicedbClientLatency);
 }
 
 const loginCounter = new prometheusClient.Counter({
@@ -195,3 +197,31 @@ export const imageBuildsCompletedTotal = new prometheusClient.Counter({
 export function increaseImageBuildsCompletedTotal(outcome: "succeeded" | "failed") {
     imageBuildsCompletedTotal.inc({ outcome });
 }
+
+const centralizedPermissionsValidationsTotal = new prometheusClient.Counter({
+    name: "gitpod_perms_centralized_validations_total",
+    help: "counter of centralized permission checks validations against existing system",
+    labelNames: ["operation", "matches_expectation"],
+});
+
+export function reportCentralizedPermsValidation(operation: string, matches: boolean) {
+    centralizedPermissionsValidationsTotal.inc({ operation, matches_expectation: String(matches) });
+}
+
+export const spicedbClientLatency = new prometheusClient.Histogram({
+    name: "gitpod_spicedb_client_requests_completed_seconds",
+    help: "Histogram of completed spicedb client requests",
+    labelNames: ["operation", "permission", "outcome"],
+});
+
+export function observespicedbClientLatency(
+    operation: string,
+    permission: string,
+    outcome: Error | undefined,
+    durationInSeconds: number,
+) {
+    spicedbClientLatency.observe(
+        { operation, permission, outcome: outcome === undefined ? "success" : "error" },
+        durationInSeconds,
+    );
+}