codegen: generate SYSTEM_USER

geropl · geropl · commit a8bf7d06c0e8 · 2023-10-10T16:08:09.000Z
diff --git a/components/server/src/api/user.ts b/components/server/src/api/user.ts
@@ -25,10 +25,10 @@ import {
 } from "@gitpod/public-api/lib/gitpod/experimental/v1/user_pb";
 import { UserAuthentication } from "../user/user-authentication";
 import { WorkspaceService } from "../workspace/workspace-service";
-import { SYSTEM_USER } from "../authorization/authorizer";
 import { validate } from "uuid";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { StopWorkspacePolicy } from "@gitpod/ws-manager/lib";
+import { SYSTEM_USER } from "../authorization/definitions";
 
 @injectable()
 export class APIUserService implements ServiceImpl<typeof UserServiceInterface> {
diff --git a/components/server/src/authorization/authorizer.ts b/components/server/src/authorization/authorizer.ts
@@ -18,6 +18,7 @@ import {
     ProjectPermission,
     Relation,
     ResourceType,
+    SYSTEM_USER,
     UserPermission,
     WorkspacePermission,
     rel,
@@ -48,12 +49,6 @@ export function createInitializingAuthorizer(spiceDbAuthorizer: SpiceDBAuthorize
     });
 }
 
-/**
- * We need to call our internal API with system permissions in some cases.
- * As we don't have other ways to represent that (e.g. ServiceAccounts), we use this magic constant to designated it.
- */
-export const SYSTEM_USER = "SYSTEM_USER";
-
 export class Authorizer {
     constructor(private authorizer: SpiceDBAuthorizer) {}
 
diff --git a/components/server/src/authorization/caching-spicedb-authorizer.spec.db.ts b/components/server/src/authorization/caching-spicedb-authorizer.spec.db.ts
@@ -11,14 +11,15 @@ import * as chai from "chai";
 import { Container } from "inversify";
 import "mocha";
 import { createTestContainer } from "../test/service-testing-container-module";
-import { Authorizer, SYSTEM_USER } from "./authorizer";
+import { Authorizer } from "./authorizer";
 import { OrganizationService } from "../orgs/organization-service";
 import { WorkspaceService } from "../workspace/workspace-service";
 import { UserService } from "../user/user-service";
 import { ZedTokenCache } from "./caching-spicedb-authorizer";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { ConfigProvider } from "../workspace/config-provider";
 import { runWithContext } from "../util/log-context";
+import { SYSTEM_USER } from "./definitions";
 
 const expect = chai.expect;
 
diff --git a/components/server/src/authorization/definitions.ts b/components/server/src/authorization/definitions.ts
@@ -10,6 +10,12 @@ import { v1 } from "@authzed/authzed-node";
 
 export const InstallationID = "1";
 
+/**
+ * We need to call our internal API with system permissions in some cases.
+ * As we don't have other ways to represent that (e.g. ServiceAccounts), we use this magic constant to designated it.
+ */
+export const SYSTEM_USER = "SYSTEM_USER";
+
 export type ResourceType =
     | UserResourceType
     | InstallationResourceType
diff --git a/components/server/src/iam/iam-session-app.ts b/components/server/src/iam/iam-session-app.ts
@@ -17,7 +17,7 @@ import { ApplicationError } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import { OrganizationService } from "../orgs/organization-service";
 import { UserService } from "../user/user-service";
 import { BUILTIN_INSTLLATION_ADMIN_USER_ID, TeamDB, UserDB } from "@gitpod/gitpod-db/lib";
-import { SYSTEM_USER } from "../authorization/authorizer";
+import { SYSTEM_USER } from "../authorization/definitions";
 
 @injectable()
 export class IamSessionApp {
diff --git a/components/server/src/jobs/workspace-gc.ts b/components/server/src/jobs/workspace-gc.ts
@@ -18,8 +18,8 @@ import { TraceContext } from "@gitpod/gitpod-protocol/lib/util/tracing";
 import { Config } from "../config";
 import { Job } from "./runner";
 import { WorkspaceService } from "../workspace/workspace-service";
-import { SYSTEM_USER } from "../authorization/authorizer";
 import { StorageClient } from "../storage/storage-client";
+import { SYSTEM_USER } from "../authorization/definitions";
 
 /**
  * The WorkspaceGarbageCollector has two tasks:
diff --git a/components/server/src/prebuilds/github-app.ts b/components/server/src/prebuilds/github-app.ts
@@ -41,7 +41,7 @@ import { RepoURL } from "../repohost";
 import { ApplicationError, ErrorCode } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import { UserService } from "../user/user-service";
 import { ProjectsService } from "../projects/projects-service";
-import { SYSTEM_USER } from "../authorization/authorizer";
+import { SYSTEM_USER } from "../authorization/definitions";
 
 /**
  * GitHub app urls:
diff --git a/components/server/src/prebuilds/github-enterprise-app.ts b/components/server/src/prebuilds/github-enterprise-app.ts
@@ -22,7 +22,7 @@ import { RepoURL } from "../repohost";
 import { UserService } from "../user/user-service";
 import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import { ProjectsService } from "../projects/projects-service";
-import { SYSTEM_USER } from "../authorization/authorizer";
+import { SYSTEM_USER } from "../authorization/definitions";
 
 @injectable()
 export class GitHubEnterpriseApp {
diff --git a/components/server/src/projects/projects-service.ts b/components/server/src/projects/projects-service.ts
@@ -27,10 +27,11 @@ import {
 import { IAnalyticsWriter } from "@gitpod/gitpod-protocol/lib/analytics";
 import { ErrorCodes, ApplicationError } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import { URL } from "url";
-import { Authorizer, SYSTEM_USER } from "../authorization/authorizer";
+import { Authorizer } from "../authorization/authorizer";
 import { TransactionalContext } from "@gitpod/gitpod-db/lib/typeorm/transactional-db-impl";
 import { ScmService } from "./scm-service";
 import { daysBefore, isDateSmaller } from "@gitpod/gitpod-protocol/lib/util/timeutil";
+import { SYSTEM_USER } from "../authorization/definitions";
 
 @injectable()
 export class ProjectsService {
diff --git a/components/server/src/workspace/gitpod-server-impl.ts b/components/server/src/workspace/gitpod-server-impl.ts
@@ -160,7 +160,7 @@ import {
 } from "@gitpod/usage-api/lib/usage/v1/billing.pb";
 import { ClientError } from "nice-grpc-common";
 import { BillingModes } from "../billing/billing-mode";
-import { Authorizer, SYSTEM_USER, isFgaChecksEnabled } from "../authorization/authorizer";
+import { Authorizer, isFgaChecksEnabled } from "../authorization/authorizer";
 import { OrganizationService } from "../orgs/organization-service";
 import { RedisSubscriber } from "../messaging/redis-subscriber";
 import { UsageService } from "../orgs/usage-service";
@@ -178,7 +178,7 @@ import {
     suggestionFromUserRepo,
 } from "./suggested-repos-sorter";
 import { TrustedValue } from "@gitpod/gitpod-protocol/lib/util/scrubbing";
-import { rel } from "../authorization/definitions";
+import { rel, SYSTEM_USER } from "../authorization/definitions";
 
 // shortcut
 export const traceWI = (ctx: TraceContext, wi: Omit<LogContext, "userId">) => TraceContext.setOWI(ctx, wi); // userId is already taken care of in WebsocketConnectionManager
diff --git a/components/server/src/workspace/workspace-starter.ts b/components/server/src/workspace/workspace-starter.ts
@@ -126,7 +126,7 @@ import { TokenProvider } from "../user/token-provider";
 import { UserAuthentication } from "../user/user-authentication";
 import { ImageSourceProvider } from "./image-source-provider";
 import { WorkspaceClassesConfig } from "./workspace-classes";
-import { SYSTEM_USER } from "../authorization/authorizer";
+import { SYSTEM_USER } from "../authorization/definitions";
 import { EnvVarService, ResolvedEnvVars } from "../user/env-var-service";
 import { RedlockAbortSignal } from "redlock";
 import { getExperimentsClientForBackend } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
diff --git a/components/spicedb/codegen/codegen-ts.go b/components/spicedb/codegen/codegen-ts.go
@@ -97,6 +97,12 @@ func generateTypeScriptDefinitions(schema *compiler.CompiledSchema) string {
 
 		export const InstallationID = "1";
 
+		/**
+		* We need to call our internal API with system permissions in some cases.
+		* As we don't have other ways to represent that (e.g. ServiceAccounts), we use this magic constant to designated it.
+		*/
+		export const SYSTEM_USER = "SYSTEM_USER";
+
 		` + resource + `;
 
 		` + resourceTypes + `
