gitpod-io
diff --git a/‎components/server/src/authorization/authorizer.spec.db.ts‎
Lines changed: 142 additions & 0 deletions b/‎components/server/src/authorization/authorizer.spec.db.ts‎
Lines changed: 142 additions & 0 deletions
diff --git a/‎components/server/src/authorization/authorizer.ts‎
Lines changed: 92 additions & 26 deletions b/‎components/server/src/authorization/authorizer.ts‎
Lines changed: 92 additions & 26 deletions
@@ -0,0 +1,142 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+import { v1 } from "@authzed/authzed-node";
+import { TypeORM } from "@gitpod/gitpod-db/lib";
+import { resetDB } from "@gitpod/gitpod-db/lib/test/reset-db";
+import { Experiments } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
+import * as chai from "chai";
+import { Container } from "inversify";
+import "mocha";
+import { createTestContainer } from "../test/service-testing-container-module";
+import { Authorizer } from "./authorizer";
+import { rel } from "./definitions";
+import { v4 } from "uuid";
+
+const expect = chai.expect;
+
+describe("Authorizer", async () => {
+    let container: Container;
+    let authorizer: Authorizer;
+
+    beforeEach(async () => {
+        container = createTestContainer();
+        Experiments.configureTestingClient({
+            centralizedPermissions: true,
+        });
+        authorizer = container.get<Authorizer>(Authorizer);
+    });
+
+    afterEach(async () => {
+        // Clean-up database
+        await resetDB(container.get(TypeORM));
+    });
+
+    it("should removeUser", async () => {
+        const userId = v4();
+        await authorizer.addUser(userId);
+        await expected(rel.user(userId).installation.installation);
+        await expected(rel.user(userId).self.user(userId));
+        await expected(rel.installation.member.user(userId));
+
+        await authorizer.removeUser(userId);
+        await notExpected(rel.user(userId).installation.installation);
+        await notExpected(rel.user(userId).self.user(userId));
+        await notExpected(rel.installation.member.user(userId));
+    });
+
+    it("should addUser", async () => {
+        const userId = v4();
+        await notExpected(rel.user(userId).installation.installation);
+        await notExpected(rel.user(userId).self.user(userId));
+        await notExpected(rel.installation.member.user(userId));
+
+        await authorizer.addUser(userId);
+
+        await expected(rel.user(userId).installation.installation);
+        await expected(rel.user(userId).self.user(userId));
+        await expected(rel.installation.member.user(userId));
+
+        // add user to org
+        const org1Id = v4();
+        await authorizer.addUser(userId, org1Id);
+
+        await notExpected(rel.user(userId).installation.installation);
+        await notExpected(rel.installation.member.user(userId));
+        await expected(rel.user(userId).self.user(userId));
+        await expected(rel.user(userId).organization.organization(org1Id));
+
+        // add user to another org
+        const org2Id = v4();
+        await authorizer.addUser(userId, org2Id);
+
+        await notExpected(rel.user(userId).installation.installation);
+        await notExpected(rel.installation.member.user(userId));
+        await notExpected(rel.user(userId).organization.organization(org1Id));
+        await expected(rel.user(userId).self.user(userId));
+        await expected(rel.user(userId).organization.organization(org2Id));
+
+        // back to installation
+        await authorizer.addUser(userId);
+
+        await notExpected(rel.user(userId).organization.organization(org1Id));
+        await notExpected(rel.user(userId).organization.organization(org2Id));
+
+        await expected(rel.user(userId).installation.installation);
+        await expected(rel.user(userId).self.user(userId));
+        await expected(rel.installation.member.user(userId));
+    });
+
+    it("should addOrganization", async () => {
+        const orgId = v4();
+        await notExpected(rel.organization(orgId).installation.installation);
+
+        // add org with members and projects
+        const u1 = v4();
+        const u2 = v4();
+        const p1 = v4();
+        const p2 = v4();
+        await authorizer.addOrganization(
+            orgId,
+            [
+                { userId: u1, role: "member" },
+                { userId: u2, role: "owner" },
+            ],
+            [p1, p2],
+        );
+
+        await expected(rel.organization(orgId).installation.installation);
+        await expected(rel.organization(orgId).member.user(u1));
+        await expected(rel.organization(orgId).member.user(u2));
+        await expected(rel.organization(orgId).owner.user(u2));
+        await expected(rel.project(p1).org.organization(orgId));
+        await expected(rel.project(p2).org.organization(orgId));
+
+        // add org again with different members and projects
+        await authorizer.addOrganization(orgId, [{ userId: u2, role: "member" }], [p2]);
+        await expected(rel.organization(orgId).installation.installation);
+        await notExpected(rel.organization(orgId).member.user(u1));
+        await expected(rel.organization(orgId).member.user(u2));
+        await notExpected(rel.organization(orgId).owner.user(u2));
+        await notExpected(rel.project(p1).org.organization(orgId));
+        await expected(rel.project(p2).org.organization(orgId));
+    });
+
+    async function expected(relation: v1.Relationship): Promise<void> {
+        const rs = await authorizer.find(relation);
+        const message = async () => {
+            const expected = JSON.stringify(relation);
+            relation.subject = undefined;
+            const result = await authorizer.find(relation);
+            return `Expected ${expected} to be present, but it was not. Found ${JSON.stringify(result)}`;
+        };
+        expect(rs, await message()).to.not.be.undefined;
+    }
+
+    async function notExpected(relation: v1.Relationship): Promise<void> {
+        const rs = await authorizer.find(relation);
+        expect(rs).to.be.undefined;
+    }
+});
@@ -7,7 +7,7 @@
 import { v1 } from "@authzed/authzed-node";
 
 import { BUILTIN_INSTLLATION_ADMIN_USER_ID } from "@gitpod/gitpod-db/lib";
-import { Organization, Project, TeamMemberInfo, TeamMemberRole } from "@gitpod/gitpod-protocol";
+import { TeamMemberRole } from "@gitpod/gitpod-protocol";
 import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import {
     OrganizationPermission,
@@ -157,14 +157,34 @@ export class Authorizer {
     }
 
     async addUser(userId: string, owningOrgId?: string) {
-        await this.authorizer.writeRelationships(
-            set(rel.user(userId).self.user(userId)), //
-            set(
-                owningOrgId
-                    ? rel.user(userId).organization.organization(owningOrgId)
-                    : rel.user(userId).installation.installation,
-            ),
+        const oldOrgs = await this.findAll(rel.user(userId).organization.organization(""));
+        const updates = [set(rel.user(userId).self.user(userId))];
+        updates.push(
+            ...oldOrgs
+                .map((r) => r.subject?.object?.objectId)
+                .filter((orgId) => !!orgId && orgId !== owningOrgId)
+                .map((orgId) => remove(rel.user(userId).organization.organization(orgId!))),
         );
+
+        if (owningOrgId) {
+            updates.push(
+                set(rel.user(userId).organization.organization(owningOrgId)), //
+                remove(rel.user(userId).installation.installation),
+                remove(rel.installation.member.user(userId)),
+                remove(rel.installation.admin.user(userId)),
+            );
+        } else {
+            updates.push(
+                set(rel.user(userId).installation.installation), //
+                set(rel.installation.member.user(userId)),
+            );
+        }
+
+        await this.authorizer.writeRelationships(...updates);
+    }
+
+    async removeUser(userId: string) {
+        await this.removeAllRelationships("user", userId);
     }
 
     async addOrganizationRole(orgID: string, userID: string, role: TeamMemberRole): Promise<void> {
@@ -197,30 +217,45 @@ export class Authorizer {
         );
     }
 
-    async addOrganization(org: Organization, members: TeamMemberInfo[], projects: Project[]): Promise<void> {
-        for (const member of members) {
-            await this.addOrganizationRole(org.id, member.userId, member.role);
-        }
+    async addOrganization(
+        orgId: string,
+        members: { userId: string; role: TeamMemberRole }[],
+        projectIds: string[],
+    ): Promise<void> {
+        await this.addOrganizationMembers(orgId, members);
 
-        for (const project of projects) {
-            await this.addProjectToOrg(org.id, project.id);
-        }
+        await this.addOrganizationProjects(orgId, projectIds);
 
         await this.authorizer.writeRelationships(
-            set(rel.organization(org.id).installation.installation), //
+            set(rel.organization(orgId).installation.installation), //
         );
     }
 
-    async addInstallationMemberRole(userID: string) {
-        await this.authorizer.writeRelationships(
-            set(rel.installation.member.user(userID)), //
-        );
+    private async addOrganizationProjects(orgID: string, projectIds: string[]): Promise<void> {
+        const existing = await this.findAll(rel.project("").org.organization(orgID));
+        const toBeRemoved = asSet(existing.map((r) => r.resource?.objectId));
+        for (const projectId of projectIds) {
+            await this.addProjectToOrg(orgID, projectId);
+            toBeRemoved.delete(projectId);
+        }
+        for (const projectId of toBeRemoved) {
+            await this.removeProjectFromOrg(orgID, projectId);
+        }
     }
 
-    async removeInstallationMemberRole(userID: string) {
-        await this.authorizer.writeRelationships(
-            remove(rel.installation.member.user(userID)), //
-        );
+    private async addOrganizationMembers(
+        orgID: string,
+        members: { userId: string; role: TeamMemberRole }[],
+    ): Promise<void> {
+        const existing = await this.findAll(rel.organization(orgID).member.user(""));
+        const toBeRemoved = asSet(existing.map((r) => r.subject?.object?.objectId));
+        for (const member of members) {
+            await this.addOrganizationRole(orgID, member.userId, member.role);
+            toBeRemoved.delete(member.userId);
+        }
+        for (const userId of toBeRemoved) {
+            await this.removeOrganizationRole(orgID, userId, "member");
+        }
     }
 
     async addInstallationAdminRole(userID: string) {
@@ -258,6 +293,27 @@ export class Authorizer {
         }
         return relationships[0].relationship;
     }
+
+    async findAll(relation: v1.Relationship): Promise<v1.Relationship[]> {
+        const relationships = await this.authorizer.readRelationships({
+            consistency: v1.Consistency.create({
+                requirement: {
+                    oneofKind: "fullyConsistent",
+                    fullyConsistent: true,
+                },
+            }),
+            relationshipFilter: {
+                resourceType: relation.resource?.objectType || "",
+                optionalResourceId: relation.resource?.objectId || "",
+                optionalRelation: relation.relation,
+                optionalSubjectFilter: relation.subject?.object && {
+                    subjectType: relation.subject.object.objectType,
+                    optionalSubjectId: relation.subject.object.objectId,
+                },
+            },
+        });
+        return relationships.map((r) => r.relationship!);
+    }
 }
 
 function set(rs: v1.Relationship): v1.RelationshipUpdate {
@@ -274,14 +330,14 @@ function remove(rs: v1.Relationship): v1.RelationshipUpdate {
     });
 }
 
-function object(type: ResourceType, id: string): v1.ObjectReference {
+function object(type: ResourceType, id?: string): v1.ObjectReference {
     return v1.ObjectReference.create({
         objectId: id,
         objectType: type,
     });
 }
 
-function subject(type: ResourceType, id: string, relation?: Relation | Permission): v1.SubjectReference {
+function subject(type: ResourceType, id?: string, relation?: Relation | Permission): v1.SubjectReference {
     return v1.SubjectReference.create({
         object: object(type, id),
         optionalRelation: relation,
@@ -294,3 +350,13 @@ const consistency = v1.Consistency.create({
         fullyConsistent: true,
     },
 });
+
+function asSet<T>(array: (T | undefined)[]): Set<T> {
+    const result = new Set<T>();
+    for (const r of array) {
+        if (r) {
+            result.add(r);
+        }
+    }
+    return result;
+}