From 926c66331d6c63eaa097d766bbaaad02730733d6 Mon Sep 17 00:00:00 2001 From: Gero Posmyk-Leinemann Date: Wed, 29 Jun 2022 07:31:46 +0000 Subject: [PATCH 1/2] [server] Introduce GuardedPrebuild and allow access akin to WorkspaceLog/Snapshots --- .../server/src/auth/resource-access.spec.ts | 70 +++++++++++++++++++ components/server/src/auth/resource-access.ts | 19 ++++- 2 files changed, 88 insertions(+), 1 deletion(-) diff --git a/components/server/src/auth/resource-access.spec.ts b/components/server/src/auth/resource-access.spec.ts index d65694526985a6..4cb20d6172085b 100644 --- a/components/server/src/auth/resource-access.spec.ts +++ b/components/server/src/auth/resource-access.spec.ts @@ -833,6 +833,76 @@ class TestResourceAccess { teamRole: "owner", expectation: true, }, + // prebuild + { + name: "prebuild get owner", + resourceKind: "prebuild", + workspaceType: "prebuild", + isOwner: true, + teamRole: undefined, + expectation: true, + }, + { + name: "prebuild get other", + resourceKind: "prebuild", + workspaceType: "prebuild", + isOwner: false, + teamRole: undefined, + expectation: false, + }, + { + name: "prebuild get team member", + resourceKind: "prebuild", + workspaceType: "prebuild", + isOwner: false, + teamRole: "member", + expectation: true, + }, + { + name: "prebuild get team owner (same as member)", + resourceKind: "prebuild", + workspaceType: "prebuild", + isOwner: false, + teamRole: "owner", + expectation: true, + }, + // prebuild with repo access + { + name: "prebuild get owner", + resourceKind: "prebuild", + workspaceType: "prebuild", + isOwner: true, + teamRole: undefined, + repositoryAccess: true, + expectation: true, + }, + { + name: "prebuild get other", + resourceKind: "prebuild", + workspaceType: "prebuild", + isOwner: false, + teamRole: undefined, + repositoryAccess: true, + expectation: true, + }, + { + name: "prebuild get team member", + resourceKind: "prebuild", + workspaceType: "prebuild", + isOwner: false, + teamRole: "member", + repositoryAccess: true, + expectation: true, + }, + { + name: "prebuild get team owner (same as member)", + resourceKind: "prebuild", + workspaceType: "prebuild", + isOwner: false, + teamRole: "owner", + repositoryAccess: true, + expectation: true, + }, ]; for (const t of tests) { diff --git a/components/server/src/auth/resource-access.ts b/components/server/src/auth/resource-access.ts index 0ff63ed717c87e..2929d8878d5ac4 100644 --- a/components/server/src/auth/resource-access.ts +++ b/components/server/src/auth/resource-access.ts @@ -7,6 +7,7 @@ import { CommitContext, GitpodToken, + PrebuiltWorkspace, Repository, Snapshot, Team, @@ -36,7 +37,8 @@ export type GuardedResource = | GuardedContentBlob | GuardEnvVar | GuardedTeam - | GuardedWorkspaceLog; + | GuardedWorkspaceLog + | GuardedPrebuild; const ALL_GUARDED_RESOURCE_KINDS = new Set([ "workspace", @@ -119,6 +121,13 @@ export interface GuardedWorkspaceLog { teamMembers?: TeamMemberInfo[]; } +export interface GuardedPrebuild { + kind: "prebuild"; + subject: PrebuiltWorkspace; + workspace: Workspace; + teamMembers?: TeamMemberInfo[]; +} + export type ResourceAccessOp = "create" | "update" | "get" | "delete"; export const ResourceAccessGuard = Symbol("ResourceAccessGuard"); @@ -209,6 +218,12 @@ export class OwnerResourceGuard implements ResourceAccessGuard { } case "workspaceLog": return resource.subject.ownerId === this.userId; + case "prebuild": + // Owners may do everything, team members can "get" + return ( + resource.workspace.ownerId === this.userId || + (operation === "get" && !!resource.teamMembers?.some((m) => m.userId === this.userId)) + ); } } } @@ -477,6 +492,8 @@ export class RepositoryResourceGuard implements ResourceAccessGuard { case "snapshot": workspace = resource.workspace; break; + case "prebuild": + workspace = resource.workspace; default: // We do not handle resource kinds here! return false; From 0a37cf9f329b23d168d11fda8c80af479840ae0f Mon Sep 17 00:00:00 2001 From: Gero Posmyk-Leinemann Date: Wed, 29 Jun 2022 07:36:01 +0000 Subject: [PATCH 2/2] [server] Align workspaceLog access semantics --- components/server/src/auth/resource-access.ts | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/components/server/src/auth/resource-access.ts b/components/server/src/auth/resource-access.ts index 2929d8878d5ac4..b24e48a9f1d01e 100644 --- a/components/server/src/auth/resource-access.ts +++ b/components/server/src/auth/resource-access.ts @@ -217,7 +217,11 @@ export class OwnerResourceGuard implements ResourceAccessGuard { return resource.members.some((m) => m.userId === this.userId && m.role === "owner"); } case "workspaceLog": - return resource.subject.ownerId === this.userId; + // Owners may do everything, team members can "get" + return ( + resource.subject.ownerId === this.userId || + (operation === "get" && !!resource.teamMembers?.some((m) => m.userId === this.userId)) + ); case "prebuild": // Owners may do everything, team members can "get" return (