gitpod-io · roboquat · Feb 21, 2022 · Feb 17, 2022 · AlexTugarev · Feb 21, 2022
@@ -129,6 +129,9 @@ export default class CreateWorkspace extends React.Component<CreateWorkspaceProp
             }}>Authorize with {error.data.host}</button>
           </div>;
           break;
+        case ErrorCodes.PERMISSION_DENIED:
+          statusMessage = <p className="text-base text-gitpod-red w-96">Access is not allowed</p>;
+          break;
         case ErrorCodes.USER_BLOCKED:
           window.location.href = '/blocked';
           return;

@@ -815,15 +815,14 @@ export namespace WithSnapshot {
     }
 }
 
-export interface WithPrebuild {
-    snapshotBucketId: string;
+export interface WithPrebuild extends WithSnapshot {
     prebuildWorkspaceId: string;
     wasPrebuilt: true;
 }
 export namespace WithPrebuild {
     export function is(context: any): context is WithPrebuild {
         return context
-            && 'snapshotBucketId' in context
+            && WithSnapshot.is(context)
             && 'prebuildWorkspaceId' in context
             && 'wasPrebuilt' in context;
     }

@@ -8,7 +8,6 @@ import { injectable, interfaces } from "inversify";
 import { HostContainerMapping } from "../../../src/auth/host-container-mapping";
 import { gitlabContainerModuleEE } from "../gitlab/container-module";
 import { bitbucketContainerModuleEE } from "../bitbucket/container-module";
-import { gitHubContainerModuleEE } from "../github/container-module";
 
 @injectable()
 export class HostContainerMappingEE extends HostContainerMapping {
@@ -24,8 +23,6 @@ export class HostContainerMappingEE extends HostContainerMapping {
         // case "BitbucketServer":
             // FIXME
             // return (modules || []).concat([bitbucketContainerModuleEE]);
-        case "GitHub":
-            return (modules || []).concat([gitHubContainerModuleEE]);
         default:
             return modules;
         }

@@ -5,7 +5,7 @@
  */
 
 import { RepositoryService } from "../../../src/repohost/repo-service";
-import { CommitContext, User, WorkspaceContext } from "@gitpod/gitpod-protocol";
+import { User } from "@gitpod/gitpod-protocol";
 import { inject, injectable } from "inversify";
 import { GitLabApi, GitLab } from "../../../src/gitlab/api";
 import { AuthProviderParams } from "../../../src/auth/auth-provider";
@@ -66,25 +66,6 @@ export class GitlabService extends RepositoryService {
         log.info('Installed Webhook for ' + cloneUrl, { cloneUrl, userId: user.id });
     }
 
-    async canAccessHeadlessLogs(user: User, context: WorkspaceContext): Promise<boolean> {
-        if (!CommitContext.is(context)) {
-            return false;
-        }
-        const { owner, name: repoName } = context.repository;
-
-        try {
-            // If we can "see" a project we are allowed to access it's headless logs
-            const api = await this.api.create(user);
-            const response = await api.Projects.show(`${owner}/${repoName}`);
-            if (GitLab.ApiError.is(response)) {
-                return false;
-            }
-            return true;
-        } catch (err) {
-            return false;
-        }
-    }
-
     protected getHookUrl() {
         return this.config.hostUrl.with({
             pathname: GitLabApp.path

@@ -359,7 +359,7 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
         if (!workspace || workspace.ownerId !== userId) {
             throw new ResponseError(ErrorCodes.NOT_FOUND, `Workspace ${workspaceId} does not exist.`);
         }
-        await this.guardAccess({ kind: "snapshot", subject: undefined, workspaceOwnerID: workspace.ownerId, workspaceID: workspace.id }, "create");
+        await this.guardAccess({ kind: "snapshot", subject: undefined, workspace }, "create");
 
         return workspace;
     }
@@ -406,7 +406,7 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
         }
 
         const snapshots = await this.workspaceDb.trace(ctx).findSnapshotsByWorkspaceId(workspaceId);
-        await Promise.all(snapshots.map(s => this.guardAccess({ kind: "snapshot", subject: s, workspaceOwnerID: workspace.ownerId }, "get")));
+        await Promise.all(snapshots.map(s => this.guardAccess({ kind: "snapshot", subject: s, workspace }, "get")));
 
         return snapshots.map(s => s.id);
     }

@@ -178,7 +178,7 @@ import { UserEnvVar } from "@gitpod/gitpod-protocol/lib/protocol";
                     guard: new TokenResourceGuard(workspaceResource.subject.ownerId, [
                         "resource:" + ScopedResourceGuard.marshalResourceScope({ kind: "snapshot", subjectID: ScopedResourceGuard.SNAPSHOT_WORKSPACE_SUBJECT_ID_PREFIX + workspaceResource.subject.id, operations: ["create"] }),
                     ]),
-                    resource: { kind: "snapshot", subject: undefined, workspaceID: workspaceResource.subject.id, workspaceOwnerID: workspaceResource.subject.ownerId },
+                    resource: { kind: "snapshot", subject: undefined, workspace: workspaceResource.subject },
                     operation: "create",
                     expectation: true,
                 },
@@ -187,7 +187,7 @@ import { UserEnvVar } from "@gitpod/gitpod-protocol/lib/protocol";
                     guard: new TokenResourceGuard(workspaceResource.subject.ownerId, [
                         "resource:" + ScopedResourceGuard.marshalResourceScope({ kind: "snapshot", subjectID: workspaceResource.subject.id, operations: ["create"] }),
                     ]),
-                    resource: { kind: "snapshot", subject: undefined, workspaceID: workspaceResource.subject.id, workspaceOwnerID: workspaceResource.subject.ownerId },
+                    resource: { kind: "snapshot", subject: undefined, workspace: workspaceResource.subject },
                     operation: "create",
                     expectation: false,
                 },
@@ -196,10 +196,19 @@ import { UserEnvVar } from "@gitpod/gitpod-protocol/lib/protocol";
                     guard: new TokenResourceGuard(workspaceResource.subject.ownerId, [
                         "resource:" + ScopedResourceGuard.marshalResourceScope({ kind: "snapshot", subjectID: workspaceResource.subject.id, operations: ["create"] }),
                     ]),
-                    resource: { kind: "snapshot", subject: undefined, workspaceID: workspaceResource.subject.id, workspaceOwnerID: "other_owner" },
+                    resource: { kind: "snapshot", subject: undefined, workspace: { ...workspaceResource.subject, ownerId: "other_owner" } },
                     operation: "create",
                     expectation: false,
                 },
+                {
+                    name: "snaphshot get",
+                    guard: new TokenResourceGuard(workspaceResource.subject.ownerId, [
+                        "resource:" + ScopedResourceGuard.marshalResourceScope({ kind: "snapshot", subjectID: ScopedResourceGuard.SNAPSHOT_WORKSPACE_SUBJECT_ID_PREFIX + workspaceResource.subject.id, operations: ["get"] }),
+                    ]),
+                    resource: { kind: "snapshot", subject: undefined, workspace: workspaceResource.subject },
+                    operation: "get",
+                    expectation: true,
+                },
             ]
 
         await Promise.all(tests.map(async t => {

@@ -4,7 +4,8 @@
  * See License-AGPL.txt in the project root for license information.
  */
 
-import { ContextURL, GitpodToken, Snapshot, Team, TeamMemberInfo, Token, User, UserEnvVar, Workspace, WorkspaceInstance } from "@gitpod/gitpod-protocol";
+import { CommitContext, ContextURL, GitpodToken, Snapshot, Team, TeamMemberInfo, Token, User, UserEnvVar, Workspace, WorkspaceInstance } from "@gitpod/gitpod-protocol";
+import { UnauthorizedError } from "../errors";
 import { HostContextProvider } from "./host-context-provider";
 
 declare var resourceInstance: GuardedResource;
@@ -61,9 +62,8 @@ export interface GuardedUser {
 
 export interface GuardedSnapshot {
     kind: "snapshot";
-    subject: Snapshot | undefined;
-    workspaceOwnerID: string;
-    workspaceID?: string;
+    subject?: Snapshot;
+    workspace: Workspace;
 }
 
 export interface GuardedUserStorage {
@@ -177,7 +177,7 @@ export class OwnerResourceGuard implements ResourceAccessGuard {
             case "gitpodToken":
                 return resource.subject.user.id === this.userId;
             case "snapshot":
-                return resource.workspaceOwnerID === this.userId;
+                return resource.workspace.ownerId === this.userId;
             case "token":
                 return resource.tokenOwnerID === this.userId;
             case "user":
@@ -360,10 +360,7 @@ export namespace ScopedResourceGuard {
                 if (resource.subject) {
                     return resource.subject.id;
                 }
-                if (resource.workspaceID) {
-                    return SNAPSHOT_WORKSPACE_SUBJECT_ID_PREFIX + resource.workspaceID;
-                }
-                return undefined;
+                return SNAPSHOT_WORKSPACE_SUBJECT_ID_PREFIX + resource.workspace.id;
             case "token":
                 return resource.subject.value;
             case "user":
@@ -464,35 +461,43 @@ export namespace TokenResourceGuard {
 
 }
 
-export class WorkspaceLogAccessGuard implements ResourceAccessGuard {
+export class RepositoryResourceGuard implements ResourceAccessGuard {
     constructor(
         protected readonly user: User,
         protected readonly hostContextProvider: HostContextProvider) {}
 
     async canAccess(resource: GuardedResource, operation: ResourceAccessOp): Promise<boolean> {
-        if (resource.kind !== 'workspaceLog') {
+        if (resource.kind !== 'workspaceLog' && resource.kind !== 'snapshot') {
             return false;
         }
         // only get operations are supported
         if (operation !== 'get') {
             return false;
         }
 
-        // Check if user can access repositories headless logs
-        const ws = resource.subject;
-        const contextURL = ContextURL.getNormalizedURL(ws);
+        // Check if user has at least read access to the repository
+        const workspace = resource.kind === 'snapshot' ? resource.workspace : resource.subject;
+        const contextURL = ContextURL.getNormalizedURL(workspace);
         if (!contextURL) {
             throw new Error(`unable to parse ContextURL: ${contextURL}`);
         }
         const hostContext = this.hostContextProvider.get(contextURL.hostname);
         if (!hostContext) {
             throw new Error(`no HostContext found for hostname: ${contextURL.hostname}`);
         }
-
-        const svcs = hostContext.services;
-        if (!svcs) {
+        const { authProvider } = hostContext;
+        const identity = User.getIdentity(this.user, authProvider.authProviderId);
+        if (!identity) {
+            throw UnauthorizedError.create(contextURL.hostname, authProvider.info.requirements?.default || [], "missing-identity");
+        }
+        const { services } = hostContext;
+        if (!services) {
             throw new Error(`no services found in HostContext for hostname: ${contextURL.hostname}`);
         }
-        return svcs.repositoryService.canAccessHeadlessLogs(this.user, ws.context);
+        if (!CommitContext.is(workspace.context)) {
+            return false;
+        }
+        const { owner, name: repo } = workspace.context.repository;
+        return services.repositoryProvider.hasReadAccess(this.user, owner, repo);
     }
 }
@@ -11,10 +11,6 @@ import { RepositoryProvider } from '../repohost/repository-provider';
 @injectable()
 export class BitbucketServerRepositoryProvider implements RepositoryProvider {
 
-    getUserRepos(user: User): Promise<string[]> {
-        throw new Error("getUserRepos not implemented.");
-    }
-
     async getRepo(user: User, owner: string, name: string): Promise<Repository> {
         // const api = await this.apiFactory.create(user);
         // const repo = (await api.repositories.get({ workspace: owner, repo_slug: name })).data;
@@ -100,4 +96,15 @@ export class BitbucketServerRepositoryProvider implements RepositoryProvider {
         //     authorAvatarUrl: commit.author?.user?.links?.avatar?.href,
         // };
     }
+
+    async getUserRepos(user: User): Promise<string[]> {
+        // TODO(janx): Not implemented yet
+        return [];
+    }
+
+    async hasReadAccess(user: User, owner: string, repo: string): Promise<boolean> {
+        // TODO(janx): Not implemented yet
+        return false;
+    }
+
 }
@@ -103,4 +103,9 @@ export class BitbucketRepositoryProvider implements RepositoryProvider {
         // FIXME(janx): Not implemented yet
         return [];
     }
+
+    async hasReadAccess(user: User, owner: string, repo: string): Promise<boolean> {
+        // FIXME(janx): Not implemented yet
+        return false;
+    }
 }
@@ -128,4 +128,21 @@ export class GithubRepositoryProvider implements RepositoryProvider {
             }`);
         return (result.data.viewer?.repositoriesContributedTo?.edges || []).map((edge: any) => edge.node.url)
     }
+
+    async hasReadAccess(user: User, owner: string, repo: string): Promise<boolean> {
+        try {
+            // If you have no "viewerPermission" on a repository you may not read it
+            // Ref: https://docs.github.com/en/graphql/reference/enums#repositorypermission
+            const result: any = await this.githubQueryApi.runQuery(user, `
+                query {
+                    repository(name: "${repo}", owner: "${owner}") {
+                        viewerPermission
+                    }
+                }
+            `);
+            return result.data.repository !== null;
+        } catch (err) {
+            return false;
+        }
+    }
 }
@@ -99,4 +99,18 @@ export class GitlabRepositoryProvider implements RepositoryProvider {
         // FIXME(janx): Not implemented yet
         return [];
     }
+
+    async hasReadAccess(user: User, owner: string, repo: string): Promise<boolean> {
+        try {
+            // If we can "see" a project we are allowed to read it
+            const api = await this.gitlab.create(user);
+            const response = await api.Projects.show(`${owner}/${repo}`);
+            if (GitLab.ApiError.is(response)) {
+                return false;
+            }
+            return true;
+        } catch (err) {
+            return false;
+        }
+    }
 }
@@ -4,7 +4,7 @@
  * See License-AGPL.txt in the project root for license information.
  */
 
-import { User, WorkspaceContext } from "@gitpod/gitpod-protocol";
+import { User } from "@gitpod/gitpod-protocol";
 import { injectable } from "inversify";
 
 @injectable()
@@ -18,7 +18,4 @@ export class RepositoryService {
         throw new Error('unsupported');
     }
 
-    async canAccessHeadlessLogs(user: User, context: WorkspaceContext): Promise<boolean> {
-        return false;
-    }
 }
@@ -14,4 +14,5 @@ export interface RepositoryProvider {
     getBranches(user: User, owner: string, repo: string): Promise<Branch[]>;
     getCommitInfo(user: User, owner: string, repo: string, ref: string): Promise<CommitInfo | undefined>;
     getUserRepos(user: User): Promise<string[]>;
+    hasReadAccess(user: User, owner: string, repo: string): Promise<boolean>;
 }