[fga] added create_snapshot permission

gitpod-io · Aug 23, 2023 · 5805b65 · 5805b65
1 parent c85581c
commit 5805b65
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 6 deletions.
diff --git a/components/server/src/authorization/authorizer.ts b/components/server/src/authorization/authorizer.ts
@@ -364,6 +364,7 @@ export class Authorizer {
 
         await this.authorizer.writeRelationships(
             set(rel.organization(orgId).installation.installation), //
+            set(rel.organization(orgId).snapshoter.organization_member(orgId)), //TODO allow orgs to opt-out of snapshotting
         );
     }
 

diff --git a/components/server/src/authorization/definitions.ts b/components/server/src/authorization/definitions.ts
@@ -53,7 +53,7 @@ export type InstallationPermission = "create_organization" | "configure";
 
 export type OrganizationResourceType = "organization";
 
-export type OrganizationRelation = "installation" | "member" | "owner";
+export type OrganizationRelation = "installation" | "member" | "owner" | "snapshoter";
 
 export type OrganizationPermission =
     | "installation_admin"
@@ -92,7 +92,7 @@ export type WorkspaceResourceType = "workspace";
 
 export type WorkspaceRelation = "org" | "owner" | "shared";
 
-export type WorkspacePermission = "access" | "start" | "stop" | "delete" | "read_info";
+export type WorkspacePermission = "access" | "start" | "stop" | "delete" | "read_info" | "create_snapshot";
 
 export const rel = {
     user(id: string) {
@@ -282,6 +282,27 @@ export const rel = {
                     },
                 };
             },
+
+            get snapshoter() {
+                const result2 = {
+                    ...result,
+                    relation: "snapshoter",
+                };
+                return {
+                    organization_member(objectId: string) {
+                        return {
+                            ...result2,
+                            subject: {
+                                object: {
+                                    objectType: "organization",
+                                    objectId: objectId,
+                                },
+                                optionalRelation: "member",
+                            },
+                        } as v1.Relationship;
+                    },
+                };
+            },
         };
     },
 

diff --git a/components/server/src/workspace/gitpod-server-impl.ts b/components/server/src/workspace/gitpod-server-impl.ts
@@ -1923,6 +1923,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         const user = await this.checkAndBlockUser("takeSnapshot");
 
         const workspace = await this.guardSnaphotAccess(ctx, user.id, workspaceId);
+        await this.auth.checkPermissionOnWorkspace(user.id, "create_snapshot", workspaceId);
 
         const instance = await this.workspaceDb.trace(ctx).findRunningInstance(workspaceId);
         if (!instance) {
@@ -1990,11 +1991,12 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const user = await this.checkAndBlockUser("getSnapshots");
 
-        const workspace = await this.workspaceDb.trace(ctx).findById(workspaceId);
-        if (!workspace || workspace.ownerId !== user.id) {
+        // we use the workspacService which checks if the requesting user has access to the workspace. If that is the case they have access to snapshots as well.
+        // below is the old permission check which would also check if the user has access to the snapshot itself. This is not the case anymore.
+        const workspace = await this.workspaceService.getWorkspace(user.id, workspaceId);
+        if (workspace.ownerId !== user.id) {
             throw new ApplicationError(ErrorCodes.NOT_FOUND, `Workspace ${workspaceId} does not exist.`);
         }
-
         const snapshots = await this.workspaceDb.trace(ctx).findSnapshotsByWorkspaceId(workspaceId);
         await Promise.all(snapshots.map((s) => this.guardAccess({ kind: "snapshot", subject: s, workspace }, "get")));
 

diff --git a/components/spicedb/schema/schema.yaml b/components/spicedb/schema/schema.yaml
@@ -51,6 +51,9 @@ schema: |-
     relation member: user
     // Some users in an organization may additionally have the `owner` role
     relation owner: user
+    // users who can snapshot workspaces
+    relation snapshoter: organization#member
+
 
     // synthetic permission for installation->admin (because https://github.com/authzed/spicedb/issues/15)
     permission installation_admin = installation->admin
@@ -95,7 +98,6 @@ schema: |-
     //  * the project has granted access to all members in an organization
     //  * the project has granted access to _any_ user on this installation
     relation viewer: user | organization#member | user:*
-
     permission read_info = viewer + editor + org->owner + org->installation_admin
     permission write_info = editor + org->owner + org->installation_admin
     permission delete = editor + org->owner + org->installation_admin
@@ -127,6 +129,8 @@ schema: |-
     // Whether a user can read basic info/metadata of a workspace
     //+ (hasAccessToRepository && isPrebuild)
     permission read_info = owner + shared + org->member
+
+    permission create_snapshot = owner & org->snapshoter
   }
 # relationships to be used for assertions & validation
 relationships: |-