Skip to content

Non-project repository starting restrictions #20234

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 12 commits into from
Sep 27, 2024
Merged

Non-project repository starting restrictions #20234

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
c0a3f64
add proto
filiptronicek Sep 22, 2024
171daca
codegen
filiptronicek Sep 22, 2024
6c439d1
impl
filiptronicek Sep 22, 2024
b8cdd34
WIP UI
filiptronicek Sep 22, 2024
c29f55b
make it work
filiptronicek Sep 22, 2024
e4cdfa3
Make it work
filiptronicek Sep 23, 2024
597b5a2
Merge branch 'main' into ft/org-restrict-arbitrary-starts
filiptronicek Sep 25, 2024
31b31c4
Empty state
filiptronicek Sep 26, 2024
d6d9c27
Update copies (thx Fernando!)
filiptronicek Sep 26, 2024
1d90a62
Fix tip flexbox
filiptronicek Sep 26, 2024
c30919a
fix newline for role restriction empty state
filiptronicek Sep 27, 2024
8e9b7b3
When arbitrary repos are restricted, don't suggest them
filiptronicek Sep 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 5 additions & 15 deletions components/dashboard/src/admin/TeamDetail.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@

import dayjs from "dayjs";
import { useEffect, useState } from "react";
import { Team, TeamMemberInfo, TeamMemberRole } from "@gitpod/gitpod-protocol";
import { Team, TeamMemberInfo, TeamMemberRole, VALID_ORG_MEMBER_ROLES } from "@gitpod/gitpod-protocol";
import { getGitpodService } from "../service/service";
import { Item, ItemField, ItemsList } from "../components/ItemsList";
import DropDown from "../components/DropDown";
Expand Down Expand Up @@ -205,20 +205,10 @@ export default function TeamDetail(props: { team: Team }) {
<DropDown
customClasses="w-32"
activeEntry={m.role}
entries={[
{
title: "owner",
onClick: () => setTeamMemberRole(m.userId, "owner"),
},
{
title: "member",
onClick: () => setTeamMemberRole(m.userId, "member"),
},
{
title: "collaborator",
onClick: () => setTeamMemberRole(m.userId, "collaborator"),
},
]}
entries={VALID_ORG_MEMBER_ROLES.map((role) => ({
title: role,
onClick: () => setTeamMemberRole(m.userId, role),
}))}
/>
</span>
</ItemField>
Expand Down
160 changes: 160 additions & 0 deletions components/dashboard/src/components/OrgMemberPermissionsOptions.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,160 @@
/**
* Copyright (c) 2024 Gitpod GmbH. All rights reserved.
* Licensed under the GNU Affero General Public License (AGPL).
* See License.AGPL.txt in the project root for license information.
*/

import { useState } from "react";
import { LoadingButton } from "@podkit/buttons/LoadingButton";
import { Button } from "@podkit/buttons/Button";
import { SwitchInputField } from "@podkit/switch/Switch";
import { cn } from "@podkit/lib/cn";
import { UserIcon } from "lucide-react";
import { UseMutationResult } from "@tanstack/react-query";
import { AllowedWorkspaceClass } from "../data/workspaces/workspace-classes-query";
import { useToast } from "./toasts/Toasts";
import Modal, { ModalBaseFooter, ModalBody, ModalHeader } from "./Modal";
import { LoadingState } from "@podkit/loading/LoadingState";
import { VALID_ORG_MEMBER_ROLES } from "@gitpod/gitpod-protocol";
import { OrganizationPermission, RoleRestrictionEntry } from "@gitpod/public-api/lib/gitpod/v1/organization_pb";
import { PlainMessage } from "@bufbuild/protobuf";
import { PublicAPIConverter } from "@gitpod/public-api-common/lib/public-api-converter";

const converter = new PublicAPIConverter();

interface WorkspaceClassesOptionsProps {
roleRestrictions: RoleRestrictionEntry[];
defaultClass?: string;
className?: string;
}

export const OrgMemberPermissionRestrictionsOptions = ({
roleRestrictions,
className,
}: WorkspaceClassesOptionsProps) => {
const rolesRestrictingArbitraryRepositories = roleRestrictions.filter((entry) =>
entry.permissions.includes(OrganizationPermission.START_ARBITRARY_REPOS),
);
const rolesAllowedToOpenArbitraryRepositories = VALID_ORG_MEMBER_ROLES.filter(
(role) =>
!rolesRestrictingArbitraryRepositories.some((entry) => entry.role === converter.toOrgMemberRole(role)),
);

if (rolesAllowedToOpenArbitraryRepositories.length === 0) {
return <div>Nobody in the organization can open repositories that are not imported</div>;
}

return (
<div className={cn("space-y-2", className)}>
{rolesAllowedToOpenArbitraryRepositories.map((entry) => (
<div className="flex gap-2 items-center">
<UserIcon size={20} />
<div>
<span className="font-medium text-pk-content-primary capitalize">{entry}</span>
</div>
</div>
))}
</div>
);
};

export type OrganizationRoleRestrictionModalProps = {
isLoading: boolean;
defaultClass?: string;
roleRestrictions: RoleRestrictionEntry[];
showSetDefaultButton: boolean;
showSwitchTitle: boolean;

allowedClasses: AllowedWorkspaceClass[];
updateMutation: UseMutationResult<void, Error, { roleRestrictions: PlainMessage<RoleRestrictionEntry>[] }>;

onClose: () => void;
};

export const OrganizationRoleRestrictionModal = ({
onClose,
updateMutation,
showSetDefaultButton,
showSwitchTitle,
...props
}: OrganizationRoleRestrictionModalProps) => {
const [restrictedRoles, setRestrictedClasses] = useState(
props.roleRestrictions
.filter((entry) => entry.permissions.includes(OrganizationPermission.START_ARBITRARY_REPOS))
.map((entry) => converter.fromOrgMemberRole(entry.role)),
);

const { toast } = useToast();

const handleUpdate = async () => {
updateMutation.mutate(
{
roleRestrictions: restrictedRoles.map((role) => {
return {
role: converter.toOrgMemberRole(role),
permissions: [OrganizationPermission.START_ARBITRARY_REPOS],
};
}),
},
{
onSuccess: () => {
toast({ message: "Role restrictions updated" });
onClose();
},
},
);
};

return (
<Modal visible onClose={onClose} onSubmit={handleUpdate}>
<ModalHeader>Allow roles to start workspaces from non-imported repos</ModalHeader>
<ModalBody>
{props.isLoading ? (
<LoadingState />
) : (
VALID_ORG_MEMBER_ROLES.map((role) => (
<OrganizationRoleRestrictionSwitch
role={role}
checked={!restrictedRoles.includes(role)}
onCheckedChange={(checked) => {
console.log(role, { checked });
if (!checked) {
setRestrictedClasses((prev) => [...prev, role]);
} else {
setRestrictedClasses((prev) => prev.filter((r) => r !== role));
}
}}
/>
))
)}
</ModalBody>
<ModalBaseFooter className="justify-between">
<div className="flex gap-2">
<Button variant="secondary" onClick={onClose}>
Cancel
</Button>
<LoadingButton disabled={props.isLoading} type="submit" loading={updateMutation.isLoading}>
Save
</LoadingButton>
</div>
</ModalBaseFooter>
</Modal>
);
};

interface OrganizationRoleRestrictionSwitchProps {
role: string;
checked: boolean;
onCheckedChange: (checked: boolean) => void;
}
const OrganizationRoleRestrictionSwitch = ({
role,
checked,
onCheckedChange,
}: OrganizationRoleRestrictionSwitchProps) => {
return (
<div className={cn("flex w-full capitalize justify-between items-center mt-2")}>
<SwitchInputField key={role} id={role} label={role} checked={checked} onCheckedChange={onCheckedChange} />
</div>
);
};
2 changes: 1 addition & 1 deletion components/dashboard/src/data/organizations/members-query.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ export function useIsOwner(): boolean {
return role === OrganizationRole.OWNER;
}

function useMemberRole(): OrganizationRole {
export function useMemberRole(): OrganizationRole {
const user = useCurrentUser();
const members = useListOrganizationMembers();
return useMemo(
Expand Down
4 changes: 4 additions & 0 deletions components/dashboard/src/data/organizations/update-org-settings-mutation.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ type UpdateOrganizationSettingsArgs = Partial<
| "restrictedEditorNames"
| "defaultRole"
| "timeoutSettings"
| "roleRestrictions"
>
>;

Expand All @@ -41,6 +42,7 @@ export const useUpdateOrgSettingsMutation = () => {
restrictedEditorNames,
defaultRole,
timeoutSettings,
roleRestrictions,
}) => {
const settings = await organizationClient.updateOrganizationSettings({
organizationId: teamId,
Expand All @@ -53,6 +55,8 @@ export const useUpdateOrgSettingsMutation = () => {
updateRestrictedEditorNames: !!restrictedEditorNames,
defaultRole,
timeoutSettings,
roleRestrictions,
updateRoleRestrictions: !!roleRestrictions,
});
return settings.settings!;
},
Expand Down
21 changes: 20 additions & 1 deletion components/dashboard/src/service/json-rpc-organization-client.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ import {
import { getGitpodService } from "./service";
import { converter } from "./public-api";
import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
import { OrgMemberRole } from "@gitpod/gitpod-protocol";
import { OrgMemberRole, RoleRestrictions } from "@gitpod/gitpod-protocol";

export class JsonRpcOrganizationClient implements PromiseClient<typeof OrganizationService> {
async createOrganization(
Expand Down Expand Up @@ -251,13 +251,32 @@ export class JsonRpcOrganizationClient implements PromiseClient<typeof Organizat
"updateRestrictedEditorNames is required to be true to update restrictedEditorNames",
);
}
const roleRestrictions: RoleRestrictions = {};
if (request.updateRoleRestrictions) {
for (const roleRestriction of request?.roleRestrictions ?? []) {
if (!roleRestriction.role) {
throw new ApplicationError(ErrorCodes.BAD_REQUEST, "role is required");
}
const role = converter.fromOrgMemberRole(roleRestriction.role);
const permissions = roleRestriction?.permissions?.map((p) => converter.fromOrganizationPermission(p));

roleRestrictions[role] = permissions;
}
} else if (request.roleRestrictions && Object.keys(request.roleRestrictions).length > 0) {
throw new ApplicationError(
ErrorCodes.BAD_REQUEST,
"updateRoleRestrictions is required to be true to update roleRestrictions",
);
}

await getGitpodService().server.updateOrgSettings(request.organizationId, {
...update,
defaultRole: request.defaultRole as OrgMemberRole,
timeoutSettings: {
inactivity: converter.toDurationString(request.timeoutSettings?.inactivity),
denyUserTimeouts: request.timeoutSettings?.denyUserTimeouts,
},
roleRestrictions,
});
return new UpdateOrganizationSettingsResponse();
}
Expand Down
77 changes: 77 additions & 0 deletions components/dashboard/src/teams/TeamPolicies.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,12 @@ import { Link } from "react-router-dom";
import { InputField } from "../components/forms/InputField";
import { TextInput } from "../components/forms/TextInputField";
import { LoadingButton } from "@podkit/buttons/LoadingButton";
import {
OrganizationRoleRestrictionModal,
OrganizationRoleRestrictionModalProps,
OrgMemberPermissionRestrictionsOptions,
} from "../components/OrgMemberPermissionsOptions";
import { LightbulbIcon } from "lucide-react";

export default function TeamPoliciesPage() {
useDocumentTitle("Organization Settings - Policies");
Expand Down Expand Up @@ -219,6 +225,12 @@ export default function TeamPoliciesPage() {
settings={settings}
handleUpdateTeamSettings={handleUpdateTeamSettings}
/>

<RolePermissionsRestrictions
settings={settings}
isOwner={isOwner}
handleUpdateTeamSettings={handleUpdateTeamSettings}
/>
</div>
</OrgSettingsPage>
</>
Expand Down Expand Up @@ -314,6 +326,71 @@ const OrgWorkspaceClassesOptions = ({
);
};

type RolePermissionsRestrictionsProps = {
settings: OrganizationSettings | undefined;
isOwner: boolean;
handleUpdateTeamSettings: (
newSettings: Partial<PlainMessage<OrganizationSettings>>,
options?: { throwMutateError?: boolean },
) => Promise<void>;
};

const RolePermissionsRestrictions = ({
settings,
isOwner,
handleUpdateTeamSettings,
}: RolePermissionsRestrictionsProps) => {
const [showModal, setShowModal] = useState(false);

const updateMutation: OrganizationRoleRestrictionModalProps["updateMutation"] = useMutation({
mutationFn: async ({ roleRestrictions }) => {
await handleUpdateTeamSettings({ roleRestrictions }, { throwMutateError: true });
},
});

return (
<ConfigurationSettingsField>
<Heading3>Roles allowed to start workspaces from non-imported repos</Heading3>
<Subheading className="mb-2">
Restrict specific roles from initiating workspaces using non-imported repositories. This setting
requires <span className="font-medium">Owner</span> permissions to modify.
<br />
<span className="flex flex-row items-center gap-1 my-2">
<LightbulbIcon size={20} />{" "}
<span>
Tip: Imported repositories are those listed under{" "}
<Link to={"/repositories"} className="gp-link">
Repository settings
</Link>
.
</span>
</span>
</Subheading>

<OrgMemberPermissionRestrictionsOptions roleRestrictions={settings?.roleRestrictions ?? []} />

{isOwner && (
<Button className="mt-6" onClick={() => setShowModal(true)}>
Manage Permissions
</Button>
)}

{showModal && (
<OrganizationRoleRestrictionModal
isLoading={false}
defaultClass={""}
roleRestrictions={settings?.roleRestrictions ?? []}
showSetDefaultButton={false}
showSwitchTitle={false}
allowedClasses={[]}
updateMutation={updateMutation}
onClose={() => setShowModal(false)}
/>
)}
</ConfigurationSettingsField>
);
};

interface EditorOptionsProps {
settings: OrganizationSettings | undefined;
isOwner: boolean;
Expand Down
Loading
Loading