Skip to content

Commit 46868ef

Browse files
geroplflaming-codes
geropl
authored and
flaming-codes
committed
[server] Introduce GuardedPrebuild and allow access akin to WorkspaceLog/Snapshots
1 parent 91ac42b commit 46868ef

File tree

2 files changed

+88
-1
lines changed

2 files changed

+88
-1
lines changed

components/server/src/auth/resource-access.spec.ts

Lines changed: 70 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -833,6 +833,76 @@ class TestResourceAccess {
833833
teamRole: "owner",
834834
expectation: true,
835835
},
836+
// prebuild
837+
{
838+
name: "prebuild get owner",
839+
resourceKind: "prebuild",
840+
workspaceType: "prebuild",
841+
isOwner: true,
842+
teamRole: undefined,
843+
expectation: true,
844+
},
845+
{
846+
name: "prebuild get other",
847+
resourceKind: "prebuild",
848+
workspaceType: "prebuild",
849+
isOwner: false,
850+
teamRole: undefined,
851+
expectation: false,
852+
},
853+
{
854+
name: "prebuild get team member",
855+
resourceKind: "prebuild",
856+
workspaceType: "prebuild",
857+
isOwner: false,
858+
teamRole: "member",
859+
expectation: true,
860+
},
861+
{
862+
name: "prebuild get team owner (same as member)",
863+
resourceKind: "prebuild",
864+
workspaceType: "prebuild",
865+
isOwner: false,
866+
teamRole: "owner",
867+
expectation: true,
868+
},
869+
// prebuild with repo access
870+
{
871+
name: "prebuild get owner",
872+
resourceKind: "prebuild",
873+
workspaceType: "prebuild",
874+
isOwner: true,
875+
teamRole: undefined,
876+
repositoryAccess: true,
877+
expectation: true,
878+
},
879+
{
880+
name: "prebuild get other",
881+
resourceKind: "prebuild",
882+
workspaceType: "prebuild",
883+
isOwner: false,
884+
teamRole: undefined,
885+
repositoryAccess: true,
886+
expectation: true,
887+
},
888+
{
889+
name: "prebuild get team member",
890+
resourceKind: "prebuild",
891+
workspaceType: "prebuild",
892+
isOwner: false,
893+
teamRole: "member",
894+
repositoryAccess: true,
895+
expectation: true,
896+
},
897+
{
898+
name: "prebuild get team owner (same as member)",
899+
resourceKind: "prebuild",
900+
workspaceType: "prebuild",
901+
isOwner: false,
902+
teamRole: "owner",
903+
repositoryAccess: true,
904+
expectation: true,
905+
},
836906
];
837907

838908
for (const t of tests) {

components/server/src/auth/resource-access.ts

Lines changed: 18 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@
77
import {
88
CommitContext,
99
GitpodToken,
10+
PrebuiltWorkspace,
1011
Repository,
1112
Snapshot,
1213
Team,
@@ -36,7 +37,8 @@ export type GuardedResource =
3637
| GuardedContentBlob
3738
| GuardEnvVar
3839
| GuardedTeam
39-
| GuardedWorkspaceLog;
40+
| GuardedWorkspaceLog
41+
| GuardedPrebuild;
4042

4143
const ALL_GUARDED_RESOURCE_KINDS = new Set<GuardedResourceKind>([
4244
"workspace",
@@ -119,6 +121,13 @@ export interface GuardedWorkspaceLog {
119121
teamMembers?: TeamMemberInfo[];
120122
}
121123

124+
export interface GuardedPrebuild {
125+
kind: "prebuild";
126+
subject: PrebuiltWorkspace;
127+
workspace: Workspace;
128+
teamMembers?: TeamMemberInfo[];
129+
}
130+
122131
export type ResourceAccessOp = "create" | "update" | "get" | "delete";
123132

124133
export const ResourceAccessGuard = Symbol("ResourceAccessGuard");
@@ -209,6 +218,12 @@ export class OwnerResourceGuard implements ResourceAccessGuard {
209218
}
210219
case "workspaceLog":
211220
return resource.subject.ownerId === this.userId;
221+
case "prebuild":
222+
// Owners may do everything, team members can "get"
223+
return (
224+
resource.workspace.ownerId === this.userId ||
225+
(operation === "get" && !!resource.teamMembers?.some((m) => m.userId === this.userId))
226+
);
212227
}
213228
}
214229
}
@@ -477,6 +492,8 @@ export class RepositoryResourceGuard implements ResourceAccessGuard {
477492
case "snapshot":
478493
workspace = resource.workspace;
479494
break;
495+
case "prebuild":
496+
workspace = resource.workspace;
480497
default:
481498
// We do not handle resource kinds here!
482499
return false;

0 commit comments

Comments
 (0)