WIP UI

Author: filiptronicek

components/dashboard/src/admin/TeamDetail.tsx

@@ -6,7 +6,7 @@
 
 import dayjs from "dayjs";
 import { useEffect, useState } from "react";
-import { Team, TeamMemberInfo, TeamMemberRole } from "@gitpod/gitpod-protocol";
+import { Team, TeamMemberInfo, TeamMemberRole, VALID_ORG_MEMBER_ROLES } from "@gitpod/gitpod-protocol";
 import { getGitpodService } from "../service/service";
 import { Item, ItemField, ItemsList } from "../components/ItemsList";
 import DropDown from "../components/DropDown";
@@ -205,20 +205,10 @@ export default function TeamDetail(props: { team: Team }) {
                                     <DropDown
                                         customClasses="w-32"
                                         activeEntry={m.role}
-                                        entries={[
-                                            {
-                                                title: "owner",
-                                                onClick: () => setTeamMemberRole(m.userId, "owner"),
-                                            },
-                                            {
-                                                title: "member",
-                                                onClick: () => setTeamMemberRole(m.userId, "member"),
-                                            },
-                                            {
-                                                title: "collaborator",
-                                                onClick: () => setTeamMemberRole(m.userId, "collaborator"),
-                                            },
-                                        ]}
+                                        entries={VALID_ORG_MEMBER_ROLES.map((role) => ({
+                                            title: role,
+                                            onClick: () => setTeamMemberRole(m.userId, role),
+                                        }))}
                                     />
                                 </span>
                             </ItemField>

components/dashboard/src/components/OrgMemberPermissionsOptions.tsx

@@ -0,0 +1,157 @@
+/**
+ * Copyright (c) 2024 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { useState } from "react";
+import { LoadingButton } from "@podkit/buttons/LoadingButton";
+import { Button } from "@podkit/buttons/Button";
+import { SwitchInputField } from "@podkit/switch/Switch";
+import { cn } from "@podkit/lib/cn";
+import { CpuIcon } from "lucide-react";
+import { UseMutationResult } from "@tanstack/react-query";
+import { AllowedWorkspaceClass } from "../data/workspaces/workspace-classes-query";
+import { useToast } from "./toasts/Toasts";
+import Modal, { ModalBaseFooter, ModalBody, ModalHeader } from "./Modal";
+import { LoadingState } from "@podkit/loading/LoadingState";
+import { VALID_ORG_MEMBER_ROLES } from "@gitpod/gitpod-protocol";
+import { OrganizationPermission, RoleRestrictionEntry } from "@gitpod/public-api/lib/gitpod/v1/organization_pb";
+import { PlainMessage } from "@bufbuild/protobuf";
+import { PublicAPIConverter } from "@gitpod/public-api-common/lib/public-api-converter";
+
+interface WorkspaceClassesOptionsProps {
+    roleRestrictions: RoleRestrictionEntry[];
+    defaultClass?: string;
+    className?: string;
+    emptyState?: React.ReactNode;
+}
+
+export const OrgMemberPermissionRestrictionsOptions = ({
+    roleRestrictions,
+    emptyState,
+    className,
+}: WorkspaceClassesOptionsProps) => {
+    const rolesRestrictingArbitraryRepositories = roleRestrictions.filter((entry) =>
+        entry.permissions.includes(OrganizationPermission.START_ARBITRARY_REPOS),
+    );
+    if (rolesRestrictingArbitraryRepositories.length === 0) {
+        return <>{emptyState}</>;
+    }
+
+    return (
+        <div className={cn("space-y-2", className)}>
+            {rolesRestrictingArbitraryRepositories.map((entry) => (
+                <div className="flex gap-2 items-center">
+                    <CpuIcon size={20} />
+                    <div>
+                        <span className="font-medium text-pk-content-primary capitalize">{entry.role}</span>
+                    </div>
+                </div>
+            ))}
+        </div>
+    );
+};
+
+export type OrganizationRoleRestrictionModalProps = {
+    isLoading: boolean;
+    defaultClass?: string;
+    roleRestrictions: RoleRestrictionEntry[];
+    showSetDefaultButton: boolean;
+    showSwitchTitle: boolean;
+
+    allowedClasses: AllowedWorkspaceClass[];
+    updateMutation: UseMutationResult<void, Error, { roleRestrictions: PlainMessage<RoleRestrictionEntry>[] }>;
+
+    onClose: () => void;
+};
+
+const converter = new PublicAPIConverter();
+
+export const OrganizationRoleRestrictionModal = ({
+    onClose,
+    updateMutation,
+    showSetDefaultButton,
+    showSwitchTitle,
+    ...props
+}: OrganizationRoleRestrictionModalProps) => {
+    const [restrictedRoles, setRestrictedClasses] = useState(
+        props.roleRestrictions
+            .filter((entry) => entry.permissions.includes(OrganizationPermission.START_ARBITRARY_REPOS))
+            .map((entry) => converter.fromOrgMemberRole(entry.role)),
+    );
+
+    const { toast } = useToast();
+
+    const handleUpdate = async () => {
+        updateMutation.mutate(
+            {
+                roleRestrictions: restrictedRoles.map((role) => {
+                    return {
+                        role: converter.toOrgMemberRole(role),
+                        permissions: [OrganizationPermission.START_ARBITRARY_REPOS],
+                    };
+                }),
+            },
+            {
+                onSuccess: () => {
+                    toast({ message: "Role restrictions updated" });
+                    onClose();
+                },
+            },
+        );
+    };
+
+    return (
+        <Modal visible onClose={onClose} onSubmit={handleUpdate}>
+            <ModalHeader>Restricted organization roles from opening non-imported repositories</ModalHeader>
+            <ModalBody>
+                {props.isLoading ? (
+                    <LoadingState />
+                ) : (
+                    VALID_ORG_MEMBER_ROLES.map((role) => (
+                        <OrganizationRoleRestrictionSwitch
+                            role={role}
+                            checked={!restrictedRoles.includes(role)}
+                            onCheckedChange={(checked) => {
+                                console.log(role, { checked });
+                                if (!checked) {
+                                    setRestrictedClasses((prev) => [...prev, role]);
+                                } else {
+                                    setRestrictedClasses((prev) => prev.filter((r) => r !== role));
+                                }
+                            }}
+                        />
+                    ))
+                )}
+            </ModalBody>
+            <ModalBaseFooter className="justify-between">
+                <div className="flex gap-2">
+                    <Button variant="secondary" onClick={onClose}>
+                        Cancel
+                    </Button>
+                    <LoadingButton disabled={props.isLoading} type="submit" loading={updateMutation.isLoading}>
+                        Save
+                    </LoadingButton>
+                </div>
+            </ModalBaseFooter>
+        </Modal>
+    );
+};
+
+interface OrganizationRoleRestrictionSwitchProps {
+    role: string;
+    checked: boolean;
+    onCheckedChange: (checked: boolean) => void;
+}
+const OrganizationRoleRestrictionSwitch = ({
+    role,
+    checked,
+    onCheckedChange,
+}: OrganizationRoleRestrictionSwitchProps) => {
+    return (
+        <div className={cn("flex w-full capitalize justify-between items-center mt-2")}>
+            <SwitchInputField key={role} id={role} label={role} checked={checked} onCheckedChange={onCheckedChange} />
+        </div>
+    );
+};

components/dashboard/src/data/organizations/update-org-settings-mutation.ts

@@ -23,6 +23,7 @@ type UpdateOrganizationSettingsArgs = Partial<
         | "restrictedEditorNames"
         | "defaultRole"
         | "timeoutSettings"
+        | "roleRestrictions"
     >
 >;
 
@@ -41,6 +42,7 @@ export const useUpdateOrgSettingsMutation = () => {
             restrictedEditorNames,
             defaultRole,
             timeoutSettings,
+            roleRestrictions,
         }) => {
             const settings = await organizationClient.updateOrganizationSettings({
                 organizationId: teamId,
@@ -53,6 +55,8 @@ export const useUpdateOrgSettingsMutation = () => {
                 updateRestrictedEditorNames: !!restrictedEditorNames,
                 defaultRole,
                 timeoutSettings,
+                roleRestrictions,
+                updateRoleRestrictions: !!roleRestrictions,
             });
             return settings.settings!;
         },

components/dashboard/src/teams/TeamPolicies.tsx

@@ -38,6 +38,11 @@ import { Link } from "react-router-dom";
 import { InputField } from "../components/forms/InputField";
 import { TextInput } from "../components/forms/TextInputField";
 import { LoadingButton } from "@podkit/buttons/LoadingButton";
+import {
+    OrganizationRoleRestrictionModal,
+    OrganizationRoleRestrictionModalProps,
+    OrgMemberPermissionRestrictionsOptions,
+} from "../components/OrgMemberPermissionsOptions";
 
 export default function TeamPoliciesPage() {
     useDocumentTitle("Organization Settings - Policies");
@@ -219,6 +224,12 @@ export default function TeamPoliciesPage() {
                         settings={settings}
                         handleUpdateTeamSettings={handleUpdateTeamSettings}
                     />
+
+                    <RolePermissionsRestrictions
+                        settings={settings}
+                        isOwner={isOwner}
+                        handleUpdateTeamSettings={handleUpdateTeamSettings}
+                    />
                 </div>
             </OrgSettingsPage>
         </>
@@ -314,6 +325,60 @@ const OrgWorkspaceClassesOptions = ({
     );
 };
 
+type RolePermissionsRestrictionsProps = {
+    settings: OrganizationSettings | undefined;
+    isOwner: boolean;
+    handleUpdateTeamSettings: (
+        newSettings: Partial<PlainMessage<OrganizationSettings>>,
+        options?: { throwMutateError?: boolean },
+    ) => Promise<void>;
+};
+
+const RolePermissionsRestrictions = ({
+    settings,
+    isOwner,
+    handleUpdateTeamSettings,
+}: RolePermissionsRestrictionsProps) => {
+    const [showModal, setShowModal] = useState(false);
+
+    const updateMutation: OrganizationRoleRestrictionModalProps["updateMutation"] = useMutation({
+        mutationFn: async ({ roleRestrictions }) => {
+            await handleUpdateTeamSettings({ roleRestrictions }, { throwMutateError: true });
+        },
+    });
+
+    return (
+        <ConfigurationSettingsField>
+            <Heading3>Role permissions restrictions</Heading3>
+            <Subheading>
+                Limit the permissions of certain roles in your organization. Requires{" "}
+                <span className="font-medium">Owner</span> permissions to change.
+            </Subheading>
+
+            <OrgMemberPermissionRestrictionsOptions roleRestrictions={settings?.roleRestrictions ?? []} />
+
+            {isOwner && (
+                <Button className="mt-6" onClick={() => setShowModal(true)}>
+                    Manage Permissions
+                </Button>
+            )}
+
+            {showModal && (
+                <OrganizationRoleRestrictionModal
+                    isLoading={false}
+                    defaultClass={""}
+                    roleRestrictions={settings?.roleRestrictions ?? []}
+                    showSetDefaultButton={false}
+                    showSwitchTitle={false}
+                    allowedClasses={[]}
+                    updateMutation={updateMutation}
+                    onClose={() => setShowModal(false)}
+                />
+            )}
+        </ConfigurationSettingsField>
+    );
+};
+
 interface EditorOptionsProps {
     settings: OrganizationSettings | undefined;
     isOwner: boolean;

components/server/src/workspace/workspace-starter.ts

@@ -19,6 +19,7 @@ import {
     DBWithTracing,
     ProjectDB,
     RedisPublisher,
+    TeamDB,
     TracedUserDB,
     TracedWorkspaceDB,
     UserDB,
@@ -228,6 +229,7 @@ export class WorkspaceStarter {
         @inject(IAnalyticsWriter) private readonly analytics: IAnalyticsWriter,
         @inject(OneTimeSecretServer) private readonly otsServer: OneTimeSecretServer,
         @inject(ProjectDB) private readonly projectDB: ProjectDB,
+        @inject(TeamDB) private readonly orgDB: TeamDB,
         @inject(BlockedRepositoryDB) private readonly blockedRepositoryDB: BlockedRepositoryDB,
         @inject(EntitlementService) private readonly entitlementService: EntitlementService,
         @inject(RedisMutex) private readonly redisMutex: RedisMutex,
@@ -257,6 +259,7 @@ export class WorkspaceStarter {
 
         let instanceId: string | undefined = undefined;
         try {
+            await this.checkStartPermission(user, workspace, project);
             await this.checkBlockedRepository(user, workspace);
 
             // Some workspaces do not have an image source.
@@ -543,6 +546,35 @@ export class WorkspaceStarter {
         }
     }
 
+    private async checkStartPermission(user: User, workspace: Workspace, project?: Project) {
+        // explicit project
+        if (project) {
+            return;
+        }
+
+        const { organizationId, contextURL } = workspace;
+
+        const membership = await this.orgDB.findTeamMembership(user.id, organizationId);
+        if (!membership) {
+            return;
+        }
+
+        // check if user's role is restricted from starting arbitrary repositories
+        const organizationSettings = await this.orgService.getSettings(user.id, organizationId);
+        if (!organizationSettings?.roleRestrictions?.[membership.role]?.includes("start_arbitrary_repositories")) {
+            return;
+        }
+
+        // implicit project (existing on the same clone URL)
+        const projects = await this.projectService.findProjectsByCloneUrl(user.id, contextURL, organizationId);
+        if (projects.length === 0) {
+            throw new ApplicationError(
+                ErrorCodes.PRECONDITION_FAILED,
+                "You don't have permission to start this workspace.",
+            );
+        }
+    }
+
     // Note: this function does not expect to be awaited for by its caller. This means that it takes care of error handling itself.
     private async actuallyStartWorkspace(
         ctx: TraceContext,