feat(mps-sync-plugin): detect when the user doesn't have permission to access a repository

Author: slisson

authorization/src/main/kotlin/org/modelix/authorization/ModelixJWTUtil.kt

@@ -328,6 +328,9 @@ class ModelixJWTUtil {
         fun claim(name: String, value: String) {
             builder.claim(name, value)
         }
+        fun claim(name: String, value: Long) {
+            builder.claim(name, value)
+        }
     }
 
     private inner class PemFileJWKSet<C : SecurityContext>(pemFile: File) : FileJWKSet<C>(pemFile) {

model-client/src/jvmMain/kotlin/org/modelix/model/oauth/ModelixAuthClient.kt

@@ -162,6 +162,18 @@ actual class ModelixAuthClient {
                                 val realm = wwwAuthenticate.parameter("realm")
                                 val description = wwwAuthenticate.parameter("error_description")
                             }
+                            if (currentAuthConfig.tokenUrl == null) {
+                                LOG.warn { "No token URL configured" }
+                                return@refreshTokens null
+                            }
+                            if (currentAuthConfig.authorizationUrl == null) {
+                                LOG.warn { "No authorization URL configured" }
+                                return@refreshTokens null
+                            }
+                            if (currentAuthConfig.clientId == null) {
+                                LOG.warn { "No client ID configured" }
+                                return@refreshTokens null
+                            }
                             val tokens = refreshTokensOrReauthorize(currentAuthConfig)
                             checkNotNull(tokens) { "No tokens received" }
 

mps-sync-plugin3/build.gradle.kts

@@ -39,6 +39,7 @@ dependencies {
     implementation(libs.kotlin.logging, excludeMPSLibraries)
     implementation(libs.kotlin.html, excludeMPSLibraries)
     implementation(libs.kotlin.datetime, excludeMPSLibraries)
+    implementation(libs.ktor.client.core, excludeMPSLibraries)
 
     compileOnly(
         fileTree(mpsHomeDir).matching {
@@ -51,6 +52,8 @@ dependencies {
     testImplementation(libs.kotlin.coroutines.test)
     testImplementation(libs.logback.classic)
     testImplementation(kotlin("test"))
+    testImplementation(project(":authorization"), excludeMPSLibraries)
+    testImplementation(project(":model-server"), excludeMPSLibraries)
 }
 
 tasks {

mps-sync-plugin3/src/main/kotlin/org/modelix/mps/sync3/BindingWorker.kt

@@ -2,6 +2,8 @@ package org.modelix.mps.sync3
 
 import com.intellij.openapi.application.ApplicationManager
 import com.intellij.openapi.application.ModalityState
+import io.ktor.client.plugins.ResponseException
+import io.ktor.http.HttpStatusCode
 import io.ktor.utils.io.CancellationException
 import jetbrains.mps.project.MPSProject
 import kotlinx.coroutines.CoroutineScope
@@ -62,6 +64,7 @@ class BindingWorker(
     private var invalidatingListener: MyInvalidatingListener? = null
     private var activeSynchronizer: ModelSynchronizer? = null
     private var previousSyncStack: List<IReadableNode> = emptyList()
+    private var status: IBinding.Status = IBinding.Status.Disabled
 
     private val repository: SRepository get() = mpsProject.repository
     private suspend fun client() = serverConnection.getClient()
@@ -72,6 +75,7 @@ class BindingWorker(
 
     fun activate() {
         if (activated.getAndSet(true)) return
+        status = IBinding.Status.Initializing
         syncJob = coroutinesScope.launch {
             try {
                 syncJob()
@@ -84,14 +88,16 @@ class BindingWorker(
 
     fun deactivate() {
         if (!activated.getAndSet(false)) return
-
+        status = IBinding.Status.Disabled
         syncJob?.cancel()
         syncJob = null
         syncToServerTask = null
         invalidatingListener?.stop()
         invalidatingListener = null
     }
 
+    fun getStatus(): IBinding.Status = status
+
     private fun ModelSynchronizer.synchronizeAndStoreInstance() {
         try {
             activeSynchronizer = this
@@ -153,6 +159,22 @@ class BindingWorker(
         }
     }
 
+    private suspend fun <R : IVersion?> runSync(body: suspend (IVersion?) -> R) = lastSyncedVersion.updateValue {
+        try {
+            status = IBinding.Status.Syncing(::getSyncProgress)
+            body(it).also {
+                status = IBinding.Status.Synced(it?.getContentHash() ?: "null")
+            }
+        } catch (ex: Throwable) {
+            status = if (ex is ResponseException && ex.response.status == HttpStatusCode.Forbidden) {
+                IBinding.Status.NoPermission(runCatching { client().getUserId() }.getOrNull())
+            } else {
+                IBinding.Status.Error(ex.message)
+            }
+            throw ex
+        }
+    }
+
     private suspend fun CoroutineScope.syncJob() {
         // initial sync
         while (isActive()) {
@@ -189,7 +211,7 @@ class BindingWorker(
     }
 
     private suspend fun initialSync() {
-        lastSyncedVersion.updateValue { oldVersion ->
+        runSync { oldVersion ->
             LOG.debug { "Running initial synchronization" }
 
             val baseVersion = oldVersion
@@ -230,15 +252,15 @@ class BindingWorker(
     }
 
     suspend fun syncToMPS(incremental: Boolean): IVersion {
-        return lastSyncedVersion.updateValue { oldVersion ->
+        return runSync { oldVersion ->
             client().pull(branchRef, oldVersion).also { newVersion ->
                 doSyncToMPS(oldVersion, newVersion, incremental)
             }
         }
     }
 
     suspend fun syncToServer(incremental: Boolean): IVersion? {
-        return lastSyncedVersion.updateValue { oldVersion ->
+        return runSync { oldVersion ->
             if (oldVersion == null) {
                 // have to wait for initial sync
                 oldVersion

mps-sync-plugin3/src/main/kotlin/org/modelix/mps/sync3/IModelSyncService.kt

@@ -99,4 +99,34 @@ interface IBinding : Closeable {
     fun getCurrentVersion(): IVersion?
 
     fun getSyncProgress(): String?
+    fun getStatus(): Status
+
+    sealed class Status {
+        object Disabled : Status()
+
+        /**
+         * Binding is enabled, but the initial synchronization hasn't started yet.
+         */
+        object Initializing : Status()
+
+        /**
+         * The last synchronization was successful.
+         */
+        data class Synced(val versionHash: String) : Status()
+
+        /**
+         * Synchronization is running.
+         */
+        data class Syncing(val progress: () -> String?) : Status()
+
+        /**
+         * The last synchronization failed.
+         */
+        data class Error(val message: String?) : Status()
+
+        /**
+         * The last synchronization failed because of a mission permission.
+         */
+        data class NoPermission(val user: String?) : Status()
+    }
 }

mps-sync-plugin3/src/main/kotlin/org/modelix/mps/sync3/ModelSyncService.kt

@@ -382,6 +382,10 @@ class ModelSyncService(val project: Project) :
             return workers[id]?.getSyncProgress()
         }
 
+        override fun getStatus(): IBinding.Status {
+            return workers[id]?.getStatus() ?: IBinding.Status.Disabled
+        }
+
         private fun getService(): ModelSyncService = this@ModelSyncService
 
         override fun equals(other: Any?): Boolean {

mps-sync-plugin3/src/main/kotlin/org/modelix/mps/sync3/ui/ModelSyncStatusWidget.kt

@@ -26,6 +26,7 @@ import kotlinx.html.td
 import kotlinx.html.tr
 import org.modelix.model.lazy.CLVersion
 import org.modelix.mps.api.ModelixMpsApi
+import org.modelix.mps.sync3.IBinding
 import org.modelix.mps.sync3.IModelSyncService
 import org.modelix.mps.sync3.IServerConnection
 import java.awt.Desktop
@@ -257,9 +258,14 @@ class ModelSyncStatusWidget(val project: Project) : CustomStatusBarWidget, Statu
                             return "Click to log in"
                         }
                     }
-                    result = binding.getSyncProgress()?.let { "Synchronizing: $it" }
-                        ?: binding.getCurrentVersion()?.getContentHash()?.let { "Synchronized: ${it.take(5)}" }
-                        ?: result
+                    result = when (val status = binding.getStatus()) {
+                        IBinding.Status.Disabled -> "Disabled"
+                        IBinding.Status.Initializing -> "Initializing"
+                        is IBinding.Status.Synced -> "Synchronized: ${status.versionHash.take(5)}"
+                        is IBinding.Status.Syncing -> "Synchronizing: ${status.progress()}"
+                        is IBinding.Status.Error -> "Synchronization failed: ${status.message}"
+                        is IBinding.Status.NoPermission -> "${status.user} has no permission on ${binding.getBranchRef().repositoryId}"
+                    }
                 }
             }
         }

mps-sync-plugin3/src/test/kotlin/org/modelix/mps/sync3/ProjectSyncTest.kt

@@ -1,16 +1,20 @@
 package org.modelix.mps.sync3
 
 import com.intellij.configurationStore.saveSettings
+import io.ktor.client.plugins.ResponseException
 import jetbrains.mps.smodel.SNodeUtil
 import jetbrains.mps.smodel.adapter.ids.SConceptId
 import jetbrains.mps.smodel.adapter.ids.SContainmentLinkId
 import jetbrains.mps.smodel.adapter.structure.concept.SConceptAdapterById
 import jetbrains.mps.smodel.adapter.structure.link.SContainmentLinkAdapterById
+import kotlinx.coroutines.delay
 import org.jetbrains.mps.openapi.model.SNode
 import org.jetbrains.mps.openapi.persistence.PersistenceFacade
 import org.junit.Assert
+import org.modelix.authorization.ModelixJWTUtil
 import org.modelix.datastructures.model.ModelChangeEvent
 import org.modelix.datastructures.model.MutationParameters
+import org.modelix.datastructures.model.PropertyChangedEvent
 import org.modelix.model.IVersion
 import org.modelix.model.api.BuiltinLanguages
 import org.modelix.model.api.INodeReference
@@ -30,7 +34,9 @@ import org.modelix.model.mpsadapters.MPSProjectReference
 import org.modelix.model.mpsadapters.MPSProperty
 import org.modelix.model.mpsadapters.toModelix
 import org.modelix.model.mutable.asModelSingleThreaded
+import org.modelix.model.oauth.IAuthConfig
 import org.modelix.model.operations.IOperation
+import org.modelix.model.server.ModelServerPermissionSchema
 import org.modelix.mps.multiplatform.model.MPSIdGenerator
 import org.modelix.streams.getBlocking
 import java.nio.file.Path
@@ -39,6 +45,7 @@ import kotlin.io.path.readText
 import kotlin.io.path.writeText
 import kotlin.test.assertFailsWith
 import kotlin.test.assertNotEquals
+import kotlin.time.Duration.Companion.seconds
 
 class ProjectSyncTest : MPSTestBase() {
 
@@ -259,7 +266,7 @@ class ProjectSyncTest : MPSTestBase() {
             it.getStreamExecutor().query { it.getChanges(version1.getModelTree(), false).toList() }
         }
         assertEquals(1, changes.size)
-        val change = changes.single() as org.modelix.datastructures.model.PropertyChangedEvent<INodeReference>
+        val change = changes.single() as PropertyChangedEvent<INodeReference>
         assertEquals(MPSProperty(nameProperty).getUID(), change.role.getUID())
         assertEquals("MyClass", version1.getModelTree().getProperty(change.nodeId, change.role).getBlocking(version1.getModelTree()))
         assertEquals("Changed", version2.getModelTree().getProperty(change.nodeId, change.role).getBlocking(version1.getModelTree()))
@@ -486,6 +493,92 @@ class ProjectSyncTest : MPSTestBase() {
         assertEquals(expectedSnapshot, project.captureSnapshot())
     }
 
+    fun `test missing permission on initial sync is detected`(): Unit = runWithModelServer(hmacKey = "abc") { port ->
+        val branchRef = RepositoryId("sync-test").getBranchReference("branchA")
+        AppLevelModelSyncService.getInstance().getOrCreateConnection(
+            ModelServerConnectionProperties(
+                url = "http://localhost:$port",
+                repositoryId = branchRef.repositoryId,
+            ),
+        ).setAuthorizationConfig(
+            IAuthConfig.fromTokenProvider {
+                ModelixJWTUtil().also { it.setHmac512Key("abc") }
+                    .createAccessToken("[email protected]", listOf())
+            },
+        )
+
+        openTestProject("initial")
+        val binding = IModelSyncService.getInstance(mpsProject)
+            .addServer("http://localhost:$port")
+            .bind(branchRef, null)
+        assertFailsWith<ResponseException> {
+            binding.flush()
+        }
+
+        assertEquals(IBinding.Status.NoPermission(user = "[email protected]"), binding.getStatus())
+    }
+
+    fun `test missing permission after initial sync is detected`(): Unit = runWithModelServer(hmacKey = "abc") { port ->
+        fun now() = kotlinx.datetime.Instant.fromEpochMilliseconds(System.currentTimeMillis())
+        val leeway = 60.seconds
+        var grantPermission = true
+        var tokenExpiration = now()
+        val branchRef = RepositoryId("sync-test").getBranchReference("branchA")
+
+        fun initConnection(repositoryId: RepositoryId?) {
+            AppLevelModelSyncService.getInstance().getOrCreateConnection(
+                ModelServerConnectionProperties(
+                    url = "http://localhost:$port",
+                    repositoryId = repositoryId,
+                ),
+            ).setAuthorizationConfig(
+                IAuthConfig.fromTokenProvider {
+                    val permissions = listOfNotNull(
+                        ModelServerPermissionSchema.repository(branchRef.repositoryId).write.fullId.takeIf { grantPermission },
+                    )
+                    ModelixJWTUtil()
+                        .also { it.setHmac512Key("abc") }
+                        .createAccessToken("[email protected]", permissions) {
+                            tokenExpiration = now() + 10.seconds
+                            it.claim("exp", (tokenExpiration - leeway).epochSeconds)
+                        }
+                        .also { println("Generated token: $it") }
+                },
+            )
+        }
+        initConnection(null)
+        initConnection(branchRef.repositoryId)
+
+        openTestProject("initial")
+        val binding = IModelSyncService.getInstance(mpsProject)
+            .addServer("http://localhost:$port")
+            .bind(branchRef, null)
+        binding.flush()
+        println("Initial sync done")
+        grantPermission = false
+
+        delay(tokenExpiration - now())
+
+        val nameProperty = SNodeUtil.property_INamedConcept_name
+        command {
+            val node = mpsProject.projectModules
+                .first { it.moduleName == "NewSolution" }
+                .models
+                .flatMap { it.rootNodes }
+                .first { it.getProperty(nameProperty) == "MyClass" }
+            println("will change property")
+            node.setProperty(nameProperty, "Changed")
+            println("property changed")
+        }
+
+        println(AppLevelModelSyncService.getInstance().getConnections().map { it.properties })
+        assertFailsWith<ResponseException> {
+            binding.flush()
+        }
+
+        assertEquals(IBinding.Status.NoPermission(user = "[email protected]"), binding.getStatus())
+    }
+
     fun `test loading enabled persisted binding`(): Unit = runPersistedBindingTest(true)
     fun `test loading disabled persisted binding`(): Unit = runPersistedBindingTest(false)
 

mps-sync-plugin3/src/test/kotlin/org/modelix/mps/sync3/TestWithModelServer.kt

@@ -8,14 +8,20 @@ import kotlin.time.Duration.Companion.minutes
 import kotlin.time.ExperimentalTime
 import kotlin.time.toJavaDuration
 
-fun runWithModelServer(body: suspend (port: Int) -> Unit) = runBlocking {
+fun runWithModelServer(hmacKey: String? = null, body: suspend (port: Int) -> Unit) = runBlocking {
     @OptIn(ExperimentalTime::class)
     withTimeout(5.minutes) {
         val modelServer: GenericContainer<*> = GenericContainer(System.getProperty("modelix.model.server.image"))
             .withExposedPorts(28101)
             .withCommand("-inmemory")
             .withEnv("MODELIX_VALIDATE_VERSIONS", "true")
 //            .withEnv("MODELIX_REJECT_EXISTING_OBJECT", "true")
+            .also {
+                if (hmacKey != null) {
+                    it.withEnv("MODELIX_PERMISSION_CHECKS_ENABLED", "true")
+                    it.withEnv("MODELIX_JWT_SIGNATURE_HMAC512_KEY", hmacKey)
+                }
+            }
             .waitingFor(Wait.forListeningPort().withStartupTimeout(3.minutes.toJavaDuration()))
             .withLogConsumer {
                 println(it.utf8StringWithoutLineEnding)