[server, dashboard] Introduce "enable_multi_org" feature flag to allow admin-user to create organizations

Author: geropl

components/dashboard/src/data/featureflag-query.ts

@@ -21,6 +21,7 @@ const featureFlags = {
     repositoryFinderSearch: false,
     // dummy specified dataops feature, default false
     dataops: false,
+    enable_multi_org: false,
     showBrowserExtensionPromotion: false,
     enable_experimental_jbtb: false,
     enabled_configuration_prebuild_full_clone: false,

components/dashboard/src/menu/OrganizationSelector.tsx

@@ -12,9 +12,10 @@ import { useCurrentOrg, useOrganizations } from "../data/organizations/orgs-quer
 import { useLocation } from "react-router";
 import { useOrgBillingMode } from "../data/billing-mode/org-billing-mode-query";
 import { useIsOwner, useListOrganizationMembers, useHasRolePermission } from "../data/organizations/members-query";
-import { isOrganizationOwned } from "@gitpod/public-api-common/lib/user-utils";
+import { isAllowedToCreateOrganization } from "@gitpod/public-api-common/lib/user-utils";
 import { OrganizationRole } from "@gitpod/public-api/lib/gitpod/v1/organization_pb";
 import { useInstallationConfiguration } from "../data/installation/default-workspace-image-query";
+import { useFeatureFlag } from "../data/featureflag-query";
 
 export default function OrganizationSelector() {
     const user = useCurrentUser();
@@ -27,9 +28,10 @@ export default function OrganizationSelector() {
     const getOrgURL = useGetOrgURL();
     const { data: installationConfig } = useInstallationConfiguration();
     const isDedicated = !!installationConfig?.isDedicatedInstallation;
+    const isMultiOrgEnabled = useFeatureFlag("enable_multi_org");
 
     // we should have an API to ask for permissions, until then we duplicate the logic here
-    const canCreateOrgs = user && !isOrganizationOwned(user) && !isDedicated;
+    const canCreateOrgs = user && isAllowedToCreateOrganization(user, isDedicated, isMultiOrgEnabled);
 
     const userFullName = user?.name || "...";
 

components/public-api/typescript-common/src/user-utils.ts

@@ -73,3 +73,24 @@ export function getName(user: User | UserProtocol): string | undefined {
 export function isOrganizationOwned(user: User | UserProtocol) {
     return !!user.organizationId;
 }
+
+/**
+ * gitpod.io: Only installation-level users are allowed to create orgs (installation-level users on gitpod.io, and admin user on Dedicated)
+ * Dedicated: Only if multiOrg is enabled, installation-level users can create orgs
+ * @param user
+ * @param isDedicated
+ * @param isMultiOrgEnabled
+ * @returns
+ */
+export function isAllowedToCreateOrganization(
+    user: User | UserProtocol,
+    isDedicated: boolean,
+    isMultiOrgEnabled?: boolean,
+): boolean {
+    if (!isDedicated) {
+        // gitpod.io case
+        return !isOrganizationOwned(user);
+    }
+
+    return !isOrganizationOwned(user) && !!isMultiOrgEnabled;
+}

components/server/src/orgs/organization-service.ts

@@ -152,7 +152,7 @@ export class OrganizationService {
         if (!user) {
             throw new ApplicationError(ErrorCodes.NOT_AUTHENTICATED, `User not authenticated. Please login.`);
         }
-        const mayCreateOrganization = await this.userAuthentication.mayCreateOrJoinOrganization(user);
+        const mayCreateOrganization = await this.userAuthentication.mayCreateOrganization(user);
         if (!mayCreateOrganization) {
             throw new ApplicationError(
                 ErrorCodes.PERMISSION_DENIED,

components/server/src/user/user-authentication.ts

@@ -16,6 +16,8 @@ import { EmailAddressAlreadyTakenException, SelectAccountException } from "../au
 import { SelectAccountPayload } from "@gitpod/gitpod-protocol/lib/auth";
 import { UserService } from "./user-service";
 import { Authorizer } from "../authorization/authorizer";
+import { getExperimentsClientForBackend } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
+import { isOrganizationOwned, isAllowedToCreateOrganization } from "@gitpod/public-api-common/lib/user-utils";
 
 export interface CreateUserParams {
     organizationId?: string;
@@ -193,12 +195,26 @@ export class UserAuthentication {
     }
 
     /**
-     * Only installation-level users are allowed to create/join other orgs then the one they belong to
+     * Only installation-level users are allowed to join other orgs then the one they belong to
      * @param user
      * @returns
      */
-    async mayCreateOrJoinOrganization(user: User): Promise<boolean> {
-        return !user.organizationId;
+    async mayJoinOrganization(user: User): Promise<boolean> {
+        return !isOrganizationOwned(user);
+    }
+
+    /**
+     * gitpod.io: Only installation-level users are allowed to create orgs
+     * Dedicated: Only if multiOrg is enabled, installation-level users (=admin-user) can create orgs
+     * @param user
+     * @returns
+     */
+    async mayCreateOrganization(user: User): Promise<boolean> {
+        const isDedicated = this.config.isDedicatedInstallation;
+        const isMultiOrgEnabled = await getExperimentsClientForBackend().getValueAsync("enable_multi_org", false, {
+            gitpodHost: this.config.hostUrl.url.host,
+        });
+        return isAllowedToCreateOrganization(user, isDedicated, isMultiOrgEnabled);
     }
 
     async isBlocked(params: CheckIsBlockedParams): Promise<boolean> {

components/server/src/workspace/gitpod-server-impl.ts

@@ -1446,7 +1446,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const user = await this.checkAndBlockUser("joinTeam");
 
-        const mayCreateOrganization = await this.userAuthentication.mayCreateOrJoinOrganization(user);
+        const mayCreateOrganization = await this.userAuthentication.mayJoinOrganization(user);
         if (!mayCreateOrganization) {
             throw new ApplicationError(
                 ErrorCodes.PERMISSION_DENIED,