papi: basic authorizer

Author: geropl

components/public-api-server/go.mod

@@ -4,6 +4,7 @@ go 1.21
 
 require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20220708163326-82d177caec6e
+	github.com/authzed/authzed-go v0.10.0
 	github.com/bufbuild/connect-go v1.10.0
 	github.com/coreos/go-oidc/v3 v3.5.0
 	github.com/gitpod-io/gitpod/common-go v0.0.0-00010101000000-000000000000
@@ -17,18 +18,18 @@ require (
 	github.com/google/go-cmp v0.5.9
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/handlers v1.5.1
-	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
+	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/prometheus/client_golang v1.16.0
 	github.com/redis/go-redis/v9 v9.0.2
 	github.com/relvacode/iso8601 v1.1.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/sourcegraph/jsonrpc2 v0.0.0-20200429184054-15c2290dcb37
 	github.com/spf13/cobra v1.4.0
-	github.com/stretchr/testify v1.8.3
+	github.com/stretchr/testify v1.8.4
 	github.com/stripe/stripe-go/v72 v72.122.0
 	github.com/zitadel/oidc v1.13.0
-	golang.org/x/oauth2 v0.6.0
+	golang.org/x/oauth2 v0.8.0
 	google.golang.org/grpc v1.55.0
 	google.golang.org/protobuf v1.31.0
 	gopkg.in/square/go-jose.v2 v2.6.0
@@ -38,16 +39,21 @@ require (
 require (
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.0.1 // indirect
 	github.com/gitpod-io/gitpod/components/scrubber v0.0.0-00010101000000-000000000000 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 // indirect
+	github.com/jzelinskie/stringz v0.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/yuin/gopher-lua v0.0.0-20220504180219-658193537a64 // indirect
 	go.opentelemetry.io/otel v1.16.0 // indirect
 	go.opentelemetry.io/otel/metric v1.16.0 // indirect
 	go.opentelemetry.io/otel/trace v1.16.0 // indirect
 	golang.org/x/crypto v0.0.0-20220214200702-86341886e292 // indirect
 	golang.org/x/sync v0.2.0 // indirect
+	google.golang.org/genproto v0.0.0-20230526015343-6ee61e4f9d5f // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230526161137-0005af68ea54 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230526161137-0005af68ea54 // indirect
 	gorm.io/driver/mysql v1.4.4 // indirect
 	gorm.io/plugin/opentelemetry v0.1.3 // indirect

components/public-api-server/go.sum

@@ -0,0 +1,71 @@
+// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package auth
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
+	authzed "github.com/authzed/authzed-go/v1"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	papi_config "github.com/gitpod-io/gitpod/components/public-api/go/config"
+	"github.com/gitpod-io/gitpod/public-api-server/pkg/util"
+)
+
+type SpiceDbAuthorizer struct {
+	client *authzed.Client
+}
+
+func NewSpiceDbAuthorizer(cfg *papi_config.SpiceDbAuthorizerConfig) (*SpiceDbAuthorizer, error) {
+	client, err := authzed.NewClient(
+		cfg.Address,
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to setup create SpiceDbAuthorizer: %w", err)
+	}
+	return &SpiceDbAuthorizer{
+		client,
+	}, nil
+}
+
+func (a *SpiceDbAuthorizer) CheckPermissionOnOrganization(ctx context.Context, subjectId string, permission string, organizationId string) (bool, error) {
+	resp, err := a.client.CheckPermission(ctx, &v1.CheckPermissionRequest{
+		Subject:     subject(subjectId),
+		Permission:  permission,
+		Resource:    object("organization", organizationId),
+		Consistency: consistency(),
+	})
+	if err != nil {
+		return false, util.NewApplicationError(http.StatusForbidden, "Error while calling CheckPermission: %w", err)
+	}
+	return resp.Permissionship == v1.CheckPermissionResponse_PERMISSIONSHIP_HAS_PERMISSION, nil
+}
+
+func subject(subjectId string) *v1.SubjectReference {
+	return &v1.SubjectReference{
+		Object: &v1.ObjectReference{
+			ObjectType: "user",
+			ObjectId:   subjectId,
+		},
+	}
+}
+
+func object(objectType, objectId string) *v1.ObjectReference {
+	return &v1.ObjectReference{
+		ObjectType: objectType,
+		ObjectId:   objectId,
+	}
+}
+
+func consistency() *v1.Consistency {
+	return &v1.Consistency{
+		Requirement: &v1.Consistency_FullyConsistent{FullyConsistent: true},
+	}
+}

components/public-api-server/pkg/auth/authorizer.go

@@ -0,0 +1,50 @@
+// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package util
+
+import (
+	"errors"
+	"fmt"
+)
+
+type ApplicationError interface {
+	error
+
+	// StatusCode returns the HTTP error code
+	StatusCode() int
+
+	Unwrap() error
+}
+
+func NewApplicationError(code int, msg string, err error) ApplicationError {
+	return &applicationError{Code: code, Msg: fmt.Sprintf(msg+": %v", err)}
+}
+
+type applicationError struct {
+	Msg   string `json:"message"`
+	Code  int    `json:"code"`
+	inner error  `json:"-"`
+}
+
+func (e *applicationError) StatusCode() int {
+	return e.Code
+}
+func (e *applicationError) Error() string {
+	return e.Msg
+}
+func (e *applicationError) Unwrap() error {
+	return e.inner
+}
+
+var _ ApplicationError = &applicationError{}
+
+func MapErrToHttpStatusCode(err error) int {
+	var appErr ApplicationError
+	if errors.As(err, &appErr) {
+		return appErr.StatusCode()
+	}
+
+	return 500
+}