impl

Author: filiptronicek

components/dashboard/src/service/json-rpc-organization-client.ts

@@ -41,7 +41,7 @@ import {
 import { getGitpodService } from "./service";
 import { converter } from "./public-api";
 import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
-import { OrgMemberRole } from "@gitpod/gitpod-protocol";
+import { OrgMemberRole, RoleRestrictions } from "@gitpod/gitpod-protocol";
 
 export class JsonRpcOrganizationClient implements PromiseClient<typeof OrganizationService> {
     async createOrganization(
@@ -251,13 +251,32 @@ export class JsonRpcOrganizationClient implements PromiseClient<typeof Organizat
                 "updateRestrictedEditorNames is required to be true to update restrictedEditorNames",
             );
         }
+        const roleRestrictions: RoleRestrictions = {};
+        if (request.updateRoleRestrictions) {
+            for (const roleRestriction of request?.roleRestrictions ?? []) {
+                if (!roleRestriction.role) {
+                    throw new ApplicationError(ErrorCodes.BAD_REQUEST, "role is required");
+                }
+                const role = converter.fromOrgMemberRole(roleRestriction.role);
+                const permissions = roleRestriction?.permissions?.map((p) => converter.fromOrganizationPermission(p));
+
+                roleRestrictions[role] = permissions;
+            }
+        } else if (request.roleRestrictions && Object.keys(request.roleRestrictions).length > 0) {
+            throw new ApplicationError(
+                ErrorCodes.BAD_REQUEST,
+                "updateRoleRestrictions is required to be true to update roleRestrictions",
+            );
+        }
+
         await getGitpodService().server.updateOrgSettings(request.organizationId, {
             ...update,
             defaultRole: request.defaultRole as OrgMemberRole,
             timeoutSettings: {
                 inactivity: converter.toDurationString(request.timeoutSettings?.inactivity),
                 denyUserTimeouts: request.timeoutSettings?.denyUserTimeouts,
             },
+            roleRestrictions,
         });
         return new UpdateOrganizationSettingsResponse();
     }

components/gitpod-protocol/src/teams-projects-protocol.ts

@@ -231,6 +231,8 @@ export interface OrganizationSettings {
 
     // the default organization-wide timeout settings for workspaces
     timeoutSettings?: TimeoutSettings;
+
+    roleRestrictions?: RoleRestrictions;
 }
 
 export type TimeoutSettings = {
@@ -241,12 +243,17 @@ export type TimeoutSettings = {
     denyUserTimeouts?: boolean;
 };
 
+export const VALID_ORG_MEMBER_ROLES = ["owner", "member", "collaborator"] as const;
+
 export type TeamMemberRole = OrgMemberRole;
-export type OrgMemberRole = "owner" | "member" | "collaborator";
+export type OrgMemberRole = typeof VALID_ORG_MEMBER_ROLES[number];
+
+export type OrgMemberPermission = "start_arbitrary_repositories";
+export type RoleRestrictions = Partial<Record<OrgMemberRole, OrgMemberPermission[]>>;
 
 export namespace TeamMemberRole {
-    export function isValid(role: any): role is TeamMemberRole {
-        return role === "owner" || role === "member" || role === "collaborator";
+    export function isValid(role: unknown): role is TeamMemberRole {
+        return VALID_ORG_MEMBER_ROLES.includes(role as TeamMemberRole);
     }
 }
 

components/public-api/typescript-common/src/public-api-converter.ts

@@ -43,14 +43,15 @@ import {
 import { AuditLog as AuditLogProtocol } from "@gitpod/gitpod-protocol/lib/audit-log";
 import {
     OrgMemberInfo,
-    OrgMemberRole,
     OrganizationSettings as OrganizationSettingsProtocol,
     PartialProject,
     PrebuildSettings as PrebuildSettingsProtocol,
     PrebuildWithStatus,
     Project,
     ProjectSettings,
     Organization as ProtocolOrganization,
+    OrgMemberPermission,
+    OrgMemberRole,
 } from "@gitpod/gitpod-protocol/lib/teams-projects-protocol";
 import type { DeepPartial } from "@gitpod/gitpod-protocol/lib/util/deep-partial";
 import { parseGoDurationToMs } from "@gitpod/gitpod-protocol/lib/util/timeutil";
@@ -108,6 +109,7 @@ import {
 import {
     Organization,
     OrganizationMember,
+    OrganizationPermission,
     OrganizationRole,
     OrganizationSettings,
 } from "@gitpod/public-api/lib/gitpod/v1/organization_pb";
@@ -1394,6 +1396,15 @@ export class PublicAPIConverter {
         });
     }
 
+    fromOrganizationPermission = (permission: OrganizationPermission): OrgMemberPermission => {
+        switch (permission) {
+            case OrganizationPermission.START_ARBITRARY_REPOS:
+                return "start_arbitrary_repositories";
+            default:
+                throw new Error(`unknown org member permission ${permission}`);
+        }
+    }
+
     toSuggestedRepository(r: SuggestedRepositoryProtocol): SuggestedRepository {
         return new SuggestedRepository({
             url: r.url,

components/server/src/api/organization-service-api.ts

@@ -293,6 +293,23 @@ export class OrganizationServiceAPI implements ServiceImpl<typeof OrganizationSe
             update.timeoutSettings.inactivity = this.apiConverter.toDurationString(req.timeoutSettings.inactivity);
         }
 
+        if (req.roleRestrictions.length > 0) {
+            if (!req.updateRoleRestrictions) {
+                throw new ApplicationError(
+                    ErrorCodes.BAD_REQUEST,
+                    "updateRoleRestrictions is required to be true when updating roleRestrictions",
+                );
+            }
+
+            update.roleRestrictions = update.roleRestrictions ?? {};
+            for (const roleRestriction of req.roleRestrictions) {
+                const role = this.apiConverter.fromOrgMemberRole(roleRestriction.role);
+                const permissions = roleRestriction.permissions.map((p) =>
+                    this.apiConverter.fromOrganizationPermission(p),
+                );
+                update.roleRestrictions[role] = permissions;
+            }
+        }
         if (Object.keys(update).length === 0) {
             throw new ApplicationError(ErrorCodes.BAD_REQUEST, "nothing to update");
         }

components/server/src/orgs/organization-service.ts

@@ -7,12 +7,12 @@
 import { BUILTIN_INSTLLATION_ADMIN_USER_ID, TeamDB, UserDB } from "@gitpod/gitpod-db/lib";
 import {
     OrgMemberInfo,
-    OrgMemberRole,
     Organization,
     OrganizationSettings,
     TeamMemberRole,
     TeamMembershipInvite,
     WorkspaceTimeoutDuration,
+    OrgMemberRole,
 } from "@gitpod/gitpod-protocol";
 import { IAnalyticsWriter } from "@gitpod/gitpod-protocol/lib/analytics";
 import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";