[server] enable auth for snapshot creation (#3444)

JanKoehnlein · web-flow · commit 9da787cab721 · 2021-03-18T14:00:40.000+01:00
diff --git a/components/ide/code/leeway.Dockerfile b/components/ide/code/leeway.Dockerfile
@@ -28,7 +28,7 @@ RUN sudo apt-get update \
     && sudo apt-get clean -y \
     && rm -rf /var/lib/apt/lists/*
 
-ENV GP_CODE_COMMIT 07fe931b77d75daa0ba73f05e5e282c0f1dc1482
+ENV GP_CODE_COMMIT b16a98d1506fc5008773b4694d0553847d441674
 RUN mkdir gp-code \
     && cd gp-code \
     && git init \
diff --git a/components/server/ee/src/workspace/gitpod-server-impl.ts b/components/server/ee/src/workspace/gitpod-server-impl.ts
@@ -242,7 +242,7 @@ export class GitpodServerEEImpl<C extends GitpodClient, S extends GitpodServer>
             }
 
             await this.guardAccess({kind: "workspaceInstance", subject: instance, workspaceOwnerID: workspace.ownerId, workspaceIsShared: workspace.shareable || false}, "get");
-            await this.guardAccess({kind: "snapshot", subject: undefined, workspaceOwnerID: workspace.ownerId}, "create");
+            await this.guardAccess({kind: "snapshot", subject: undefined, workspaceOwnerID: workspace.ownerId, workspaceID: workspace.id }, "create");
 
             const client = await this.workspaceManagerClientProvider.get(instance.region);
             const request = new TakeSnapshotRequest();
diff --git a/components/server/src/auth/resource-access.spec.ts b/components/server/src/auth/resource-access.spec.ts
@@ -7,7 +7,7 @@
 import { suite, test } from "mocha-typescript";
 import * as chai from 'chai';
 const expect = chai.expect;
-import { TokenResourceGuard, ScopedResourceGuard, GuardedResource } from "./resource-access";
+import { TokenResourceGuard, ScopedResourceGuard, GuardedResource, ResourceAccessOp } from "./resource-access";
 
 @suite class TestResourceAccess {
 
@@ -62,6 +62,8 @@ import { TokenResourceGuard, ScopedResourceGuard, GuardedResource } from "./reso
         const tests: {
             name: string
             guard: TokenResourceGuard
+            resource?: GuardedResource,
+            operation?: ResourceAccessOp,
             expectation: boolean
         }[] = [
             {
@@ -100,11 +102,38 @@ import { TokenResourceGuard, ScopedResourceGuard, GuardedResource } from "./reso
                     "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "workspace", subjectID: "*", operations: ["get"]}),
                 ]), 
                 expectation: true,
-            }
+            },
+            {
+                name: "snaphshot create",
+                guard: new TokenResourceGuard(workspaceResource.subject.ownerId, [
+                    "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "snapshot", subjectID: ScopedResourceGuard.SNAPSHOT_WORKSPACE_SUBJECT_ID_PREFIX + workspaceResource.subject.id, operations: ["create"]}),
+                ]), 
+                resource: { kind: "snapshot", subject: undefined, workspaceID:  workspaceResource.subject.id, workspaceOwnerID: workspaceResource.subject.ownerId},
+                operation: "create",
+                expectation: true,
+            },
+            {
+                name: "snaphshot create missing prefix fails",
+                guard: new TokenResourceGuard(workspaceResource.subject.ownerId, [
+                    "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "snapshot", subjectID:  workspaceResource.subject.id, operations: ["create"]}),
+                ]), 
+                resource: { kind: "snapshot", subject: undefined, workspaceID:  workspaceResource.subject.id, workspaceOwnerID: workspaceResource.subject.ownerId},
+                operation: "create",
+                expectation: false,
+            },
+            {
+                name: "snaphshot create other user fails",
+                guard: new TokenResourceGuard(workspaceResource.subject.ownerId, [
+                    "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "snapshot", subjectID: workspaceResource.subject.id, operations: ["create"]}),
+                ]), 
+                resource: { kind: "snapshot", subject: undefined, workspaceID: workspaceResource.subject.id, workspaceOwnerID: "other_owner"},
+                operation: "create",
+                expectation: false,
+            },
         ]
 
         await Promise.all(tests.map(async t => {
-            const res = await t.guard.canAccess(workspaceResource, "get")
+            const res = await t.guard.canAccess(t.resource || workspaceResource, t.operation || "get")
             expect(res).to.be.eq(t.expectation, `"${t.name}" expected canAccess(...) === ${t.expectation}, but was ${res}`);
         }))
     }
diff --git a/components/server/src/auth/resource-access.ts b/components/server/src/auth/resource-access.ts
@@ -41,6 +41,7 @@ export interface GuardedSnapshot {
     kind: "snapshot";
     subject: Snapshot | undefined;
     workspaceOwnerID: string;
+    workspaceID?: string;
 }
 
 export interface GuardedUserStorage {
@@ -172,6 +173,9 @@ export class ScopedResourceGuard implements ResourceAccessGuard {
 }
 
 export namespace ScopedResourceGuard {
+
+    export const SNAPSHOT_WORKSPACE_SUBJECT_ID_PREFIX = 'ws-'
+
     export interface ResourceScope {
         kind: GuardedResourceKind;
         subjectID: string;
@@ -229,7 +233,13 @@ export namespace ScopedResourceGuard {
             case "gitpodToken":
                 return resource.subject.tokenHash;
             case "snapshot":
-                return resource.subject ? resource.subject.id : undefined;
+                if (resource.subject) {
+                    return resource.subject.id;
+                }
+                if (resource.workspaceID) {
+                    return SNAPSHOT_WORKSPACE_SUBJECT_ID_PREFIX + resource.workspaceID;
+                }
+                return undefined;
             case "token":
                 return resource.subject.value;
             case "user":
@@ -308,4 +318,4 @@ export namespace TokenResourceGuard {
         return true;
     }
 
-}
+}
diff --git a/components/server/src/workspace/workspace-starter.ts b/components/server/src/workspace/workspace-starter.ts
@@ -645,7 +645,7 @@ export class WorkspaceStarter {
 
             "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "workspace", subjectID: workspace.id, operations: ["get", "update"]}),
             "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "workspaceInstance", subjectID: instance.id, operations: ["get", "update", "delete"]}),
-            "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "snapshot", subjectID: "*", operations: ["create", "get"]}),
+            "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "snapshot", subjectID: ScopedResourceGuard.SNAPSHOT_WORKSPACE_SUBJECT_ID_PREFIX + workspace.id, operations: ["create"]}),
             "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "gitpodToken", subjectID: "*", operations: ["create"]}),
             "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "userStorage", subjectID: "*", operations: ["create", "get", "update"]}),
             "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "token", subjectID: "*", operations: ["get"]}),

Original file line number	Diff line number	Diff line change
`@@ -242,7 +242,7 @@ export class GitpodServerEEImpl<C extends GitpodClient, S extends GitpodServer>`
`242`	`242`	`}`
`243`	`243`
`244`	`244`	`await this.guardAccess({kind: "workspaceInstance", subject: instance, workspaceOwnerID: workspace.ownerId, workspaceIsShared: workspace.shareable \|\| false}, "get");`
`245`		`- await this.guardAccess({kind: "snapshot", subject: undefined, workspaceOwnerID: workspace.ownerId}, "create");`
	`245`	`+ await this.guardAccess({kind: "snapshot", subject: undefined, workspaceOwnerID: workspace.ownerId, workspaceID: workspace.id }, "create");`
`246`	`246`
`247`	`247`	`const client = await this.workspaceManagerClientProvider.get(instance.region);`
`248`	`248`	`const request = new TakeSnapshotRequest();`