[gitlab] scopes refinement

Signed-off-by: Alex Tugarev <alex@gitpod.io>

Author: AlexTugarev

components/dashboard/src/components/access-control/access-control.tsx

@@ -87,7 +87,7 @@ export class AccessControl extends React.Component<AccessControlProps, AccessCon
             }
         }
     }
-    
+
     protected async redirectToLogin() {
         window.location.href = new GitpodHostUrl(window.location.toString()).with({
             pathname: '/login/',
@@ -127,7 +127,7 @@ export class AccessControl extends React.Component<AccessControlProps, AccessCon
                     return undefined;
                 }
                 const scopes = authProvider.scopes || [];
-                const updatedScopes = updatedScopesString.split(',').filter(s => !!s && scopes.some(scope => scope === s));
+                const updatedScopes = updatedScopesString.split(',').filter(s => !!s && scopes.all.some(scope => scope === s));
                 if (updatedScopes.length > 0 && hosts.some(h => h === updatedHost)) {
                     return { updatedHost, updatedScopes };
                 }
@@ -154,7 +154,7 @@ export class AccessControl extends React.Component<AccessControlProps, AccessCon
                 const authProvider = authProviders.find(p => p.host === host)!;
                 let newScopes = new Set<string>(value.split(','));
                 let oldScopes = new Set<string>(scopes.get(host) || []);
-                const merged = new Set<string>((authProvider.scopes || []).filter(scope => oldScopes.has(scope) || newScopes.has(scope)));
+                const merged = new Set<string>((authProvider.scopes.all || []).filter(scope => oldScopes.has(scope) || newScopes.has(scope)));
                 scopes.set(host, merged);
             }
         });
@@ -289,12 +289,11 @@ export class AccessControl extends React.Component<AccessControlProps, AccessCon
         this.setState({ newScopes });
     }
 
-    protected renderScopeTooltip(scope: string) {
-        const text = this.getTooltipForScope(scope);
-        if (!text) {
+    protected renderScopeTooltip(description: string | undefined) {
+        if (!description) {
             return undefined;
         }
-        return (<Tooltip title={text} placement="right" interactive style={{ maxWidth: 200, padding: '12px' }}>
+        return (<Tooltip title={description} placement="right" interactive style={{ maxWidth: 200, padding: '12px' }}>
             <span>
                 <InfoIcon fontSize="small" color="disabled" style={{ verticalAlign: 'middle' }} />
             </span>
@@ -355,9 +354,9 @@ export class AccessControl extends React.Component<AccessControlProps, AccessCon
 
             <Grid item style={{ flexGrow: 2 }}>
                 <CardContent style={{ display: 'block', float: 'left', textAlign: 'left', paddingBottom: '8px' }}>
-                    {(provider.scopes || []).map((scope, index) => {
-                        const disabled = provider.requirements && provider.requirements.default.includes(scope);
-                        const defaultChecked = newScopes.has(scope) || (provider.requirements && provider.requirements.default.includes(scope));
+                    {(provider.scopes.all || []).map((scope, index) => {
+                        const disabled = provider.scopes.default.includes(scope);
+                        const defaultChecked = newScopes.has(scope) || (provider.scopes.default.includes(scope));
                         const color = newScopes.has(scope) && !oldScopes.has(scope) ? 'secondary' : 'primary';
                         return (<p key={host + "-scope-" + index} style={{ display: 'table', marginTop: 0 }}>
                             <label style={{ display: 'flex', alignItems: 'center' }}>
@@ -368,7 +367,7 @@ export class AccessControl extends React.Component<AccessControlProps, AccessCon
                                     defaultChecked={defaultChecked}
                                 />
                                 {this.getLabelForScope(scope)}
-                                {this.renderScopeTooltip(scope)}
+                                {this.renderScopeTooltip(provider.scopes.descriptions[scope])}
                             </label>
                         </p>);
                     })}
@@ -391,7 +390,7 @@ export class AccessControl extends React.Component<AccessControlProps, AccessCon
                             this.renderUpdateButton(dirty, () => this.updateToken(provider.host, Array.from(newScopes)), 'Update') :
                             this.renderUpdateButton(true, () => this.updateToken(provider.host,
                                 // for authorization we set the required (if any) plus the new scopes
-                                [...(provider.requirements && provider.requirements.default || []), ...Array.from(newScopes)]), 'Connect'))
+                                [...(provider.scopes.default || []), ...Array.from(newScopes)]), 'Connect'))
                     }
                 </CardActions>
             </Grid>
@@ -414,11 +413,13 @@ export class AccessControl extends React.Component<AccessControlProps, AccessCon
             case "read:org": return "read organizations";
             case "workflow": return "update workflows";
             // GitLab
-            case "read_user": return "read user";
-            case "api": return "allow api calls";
-            case "read_repository": return "repository access";
+            case "read_user": return "read user info";
+            case "api": return "full API access";
+            case "read_api": return "read API access";
+            case "read_repository": return "read repositories";
+            case "write_repository": return "write repository";
             // Bitbucket
-            case "account": return "read account";
+            case "account": return "read account info";
             case "repository": return "read repositories";
             case "repository:write": return "write repositories";
             case "pullrequest": return "read pull requests";
@@ -428,28 +429,6 @@ export class AccessControl extends React.Component<AccessControlProps, AccessCon
         }
     }
 
-    protected getTooltipForScope(scope: string): string | undefined {
-        switch (scope) {
-            case "user:email": return "Read-only access to your email addresses";
-            case "public_repo": return "Write access to code in public repositories and organizations";
-            case "repo": return "Read/write access to code in private repositories and organizations";
-            case "read:org": return "Read-only access to organizations (used to suggest organizations when forking a repository)";
-            case "workflow": return "Allow updating GitHub Actions workflow files";
-            // GitLab
-            case "read_user": return "Read-only access to your email addresses";
-            case "api": return "Allow making API calls (used to set up a webhook when enabling prebuilds for a repository)";
-            case "read_repository": return "Read/write access to your repositories";
-            // Bitbucket
-            case "account": return "Read-only access to your account information";
-            case "repository": return "Read-only access to your repositories (note: Bitbucket doesn't support revoking scopes)";
-            case "repository:write": return "Read/write access to your repositories (note: Bitbucket doesn't support revoking scopes)";
-            case "pullrequest": return "Read access to pull requests and ability to collaborate via comments, tasks, and approvals (note: Bitbucket doesn't support revoking scopes)";
-            case "pullrequest:write": return "Allow creating, merging and declining pull requests (note: Bitbucket doesn't support revoking scopes)";
-            case "webhook": return "Allow installing webhooks (used when enabling prebuilds for a repository, note: Bitbucket doesn't support revoking scopes)";
-            default: return undefined;
-        }
-    }
-
     protected updateToken(provider: string, scopes: string[]) {
         if (scopes.length === 0) {
             return;

components/gitpod-protocol/src/protocol.ts

@@ -1025,12 +1025,13 @@ export interface AuthProviderInfo {
     readonly description?: string;
 
     readonly settingsUrl?: string;
-    readonly scopes?: string[];
-    readonly requirements?: {
-        readonly default: string[];
-        readonly publicRepo: string[];
-        readonly privateRepo: string[];
-    }
+    readonly scopes: AuthProviderScopes;
+}
+
+export interface AuthProviderScopes {
+    readonly default: string[];
+    readonly all: string[];
+    readonly descriptions: { [key: string]: string };
 }
 
 export interface AuthProviderEntry {

components/server/src/auth/authenticator.ts

@@ -201,8 +201,8 @@ export class Authenticator {
         await AuthFlow.attach(req.session, { host, returnTo, overrideScopes: override });
         let wantedScopes = scopes.split(',');
         if (wantedScopes.length === 0) {
-            if (authProvider.info.requirements) {
-                wantedScopes = authProvider.info.requirements.default;
+            if (authProvider.info.scopes) {
+                wantedScopes = authProvider.info.scopes.default;
             }
         }
         // compute merged scopes
@@ -211,8 +211,8 @@ export class Authenticator {
             wantedScopes = this.mergeScopes(currentScopes, wantedScopes);
             // in case user signed in with another identity, we need to ensure the merged scopes contain
             // all default needed to for proper authentication
-            if (currentScopes.length === 0 && authProvider.info.requirements) {
-                wantedScopes = this.mergeScopes(authProvider.info.requirements.default, wantedScopes);
+            if (currentScopes.length === 0 && authProvider.info.scopes) {
+                wantedScopes = this.mergeScopes(authProvider.info.scopes.default, wantedScopes);
             }
         }
         // authorize Gitpod

components/server/src/auth/generic-auth-provider.ts

@@ -80,7 +80,7 @@ export class GenericAuthProvider implements AuthProvider {
     }
 
     protected defaultInfo(): AuthProviderInfo {
-        const scopes = this.oauthScopes;
+        const { oauthScopes } = this;
         const { id, type, icon, host, ownerId, verified, hiddenOnDashboard, disallowLogin, description, loginContextMatcher } = this.config;
         return {
             authProviderId: id,
@@ -93,13 +93,12 @@ export class GenericAuthProvider implements AuthProvider {
             loginContextMatcher,
             disallowLogin,
             description,
-            scopes,
+            scopes: {
+                all: oauthScopes,
+                default: oauthScopes,
+                descriptions: {}
+            },
             settingsUrl: this.oauthConfig.settingsUrl,
-            requirements: {
-                default: scopes,
-                publicRepo: scopes,
-                privateRepo: scopes
-            }
         }
     }
 
@@ -119,7 +118,7 @@ export class GenericAuthProvider implements AuthProvider {
     protected get oauthConfig() {
         return this.config.oauth!;
     }
-    protected get oauthScopes() {
+    protected get oauthScopes(): string[] {
         if (!this.oauthConfig.scope) {
             return [];
         }

components/server/src/bitbucket/bitbucket-auth-provider.ts

@@ -19,12 +19,7 @@ export class BitbucketAuthProvider extends GenericAuthProvider {
     get info(): AuthProviderInfo {
         return {
             ...this.defaultInfo(),
-            scopes: BitbucketOAuthScopes.ALL,
-            requirements: {
-                default: BitbucketOAuthScopes.Requirements.DEFAULT,
-                publicRepo: BitbucketOAuthScopes.Requirements.DEFAULT,
-                privateRepo: BitbucketOAuthScopes.Requirements.DEFAULT,
-            },
+            scopes: BitbucketOAuthScopes.definitions,
         }
     }
 
@@ -39,7 +34,7 @@ export class BitbucketAuthProvider extends GenericAuthProvider {
             authorizationUrl: oauth.authorizationUrl || `https://${this.config.host}/site/oauth2/authorize`,
             tokenUrl: oauth.tokenUrl || `https://${this.config.host}/site/oauth2/access_token`,
             settingsUrl: oauth.settingsUrl || `https://${this.config.host}/account/settings/app-authorizations/`,
-            scope: BitbucketOAuthScopes.ALL.join(scopeSeparator),
+            scope: BitbucketOAuthScopes.definitions.default.join(scopeSeparator),
             scopeSeparator
         };
     }
@@ -49,7 +44,7 @@ export class BitbucketAuthProvider extends GenericAuthProvider {
     }
 
     authorize(req: express.Request, res: express.Response, next: express.NextFunction, scope?: string[]): void {
-        super.authorize(req, res, next, scope ? scope : BitbucketOAuthScopes.Requirements.DEFAULT);
+        super.authorize(req, res, next, scope ? scope : BitbucketOAuthScopes.definitions.default);
     }
 
     protected get baseURL() {
@@ -105,7 +100,7 @@ export class BitbucketAuthProvider extends GenericAuthProvider {
             set.add('pullrequest');
         }
         for (const item of set.values()) {
-            if (!(BitbucketOAuthScopes.Requirements.DEFAULT.includes(item))) {
+            if (!(BitbucketOAuthScopes.definitions.default.includes(item))) {
                 set.delete(item);
             }
         }

components/server/src/bitbucket/bitbucket-oauth-scopes.ts

@@ -4,6 +4,8 @@
  * See License-AGPL.txt in the project root for license information.
  */
 
+import { AuthProviderScopes } from "@gitpod/gitpod-protocol";
+
 // https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html
 
 export namespace BitbucketOAuthScopes {
@@ -20,12 +22,16 @@ export namespace BitbucketOAuthScopes {
     /** Create, list web hooks */
     export const WEBHOOK = "webhook"
 
-    export const ALL = [ACCOUNT_READ, REPOSITORY_READ, REPOSITORY_WRITE, PULL_REQUEST_READ, PULL_REQUEST_WRITE, WEBHOOK];
-
-    export const Requirements = {
-        /**
-         * Minimal required permission.
-         */
-        DEFAULT: ALL
-    }
+    export const definitions: AuthProviderScopes = {
+        default: [ACCOUNT_READ, REPOSITORY_READ, REPOSITORY_WRITE, PULL_REQUEST_READ, PULL_REQUEST_WRITE, WEBHOOK],
+        all: [ACCOUNT_READ, REPOSITORY_READ, REPOSITORY_WRITE, PULL_REQUEST_READ, PULL_REQUEST_WRITE, WEBHOOK],
+        descriptions: {
+            ACCOUNT_READ: "Grants read-only access to your account information.",
+            REPOSITORY_READ: "Read-only access to your repositories (note: Bitbucket doesn't support revoking scopes)",
+            REPOSITORY_WRITE: "Grants read/write access to your repositories (note: Bitbucket doesn't support revoking scopes)",
+            PULL_REQUEST_READ: "Grants read-only access to pull requests and ability to collaborate via comments, tasks, and approvals (note: Bitbucket doesn't support revoking scopes)",
+            PULL_REQUEST_WRITE: "Allows creating, merging and declining pull requests (note: Bitbucket doesn't support revoking scopes)",
+            WEBHOOK: "Allows installing webhooks (used when enabling prebuilds for a repository, note: Bitbucket doesn't support revoking scopes)",
+        }
+    };
 }

components/server/src/bitbucket/bitbucket-token-handler.ts

@@ -36,7 +36,7 @@ export class BitbucketTokenHelper {
             // no token
         }
         if (requiredScopes.length === 0) {
-            requiredScopes = BitbucketOAuthScopes.Requirements.DEFAULT
+            requiredScopes = BitbucketOAuthScopes.definitions.default
         }
         throw UnauthorizedError.create(host, requiredScopes, "missing-identity");
     }

components/server/src/dev/authenticator-dev.ts

@@ -35,6 +35,7 @@ class DummyAuthProvider implements AuthProvider {
             host: "github.com",
             icon: this.config.icon,
             description: this.config.description,
+            scopes: ({} as any)
         }
     }
     readonly host = "github.com";

components/server/src/github/api.ts

@@ -124,7 +124,7 @@ export class GitHubRestApi {
         if (typeof userOrToken === 'string') {
             token = userOrToken;
         } else {
-            const githubToken = await this.tokenHelper.getTokenWithScopes(userOrToken, GitHubScope.Requirements.DEFAULT);
+            const githubToken = await this.tokenHelper.getTokenWithScopes(userOrToken, GitHubScope.definitions.default);
             token = githubToken.value;
         }
         const api = new GitHub(this.getGitHubOptions(token));

components/server/src/github/github-auth-provider.ts

@@ -21,12 +21,7 @@ export class GitHubAuthProvider extends GenericAuthProvider {
     get info(): AuthProviderInfo {
         return {
             ...this.defaultInfo(),
-            scopes: GitHubScope.All,
-            requirements: {
-                default: GitHubScope.Requirements.DEFAULT,
-                publicRepo: GitHubScope.Requirements.PUBLIC_REPO,
-                privateRepo: GitHubScope.Requirements.PRIVATE_REPO,
-            },
+            scopes: GitHubScope.definitions,
         }
     }
 
@@ -41,13 +36,13 @@ export class GitHubAuthProvider extends GenericAuthProvider {
             ...oauth!,
             authorizationUrl: oauth.authorizationUrl || defaultUrls.authorizationUrl,
             tokenUrl: oauth.tokenUrl || defaultUrls.tokenUrl,
-            scope: GitHubScope.All.join(scopeSeparator),
+            scope: GitHubScope.definitions.default.join(scopeSeparator),
             scopeSeparator
         };
     }
 
     authorize(req: express.Request, res: express.Response, next: express.NextFunction, scope?: string[]): void {
-        super.authorize(req, res, next, scope ? scope : GitHubScope.Requirements.DEFAULT);
+        super.authorize(req, res, next, scope ? scope : GitHubScope.definitions.default);
     }
 
     /**

components/server/src/github/github-context-parser.ts

@@ -57,9 +57,8 @@ export class GithubContextParser extends AbstractContextParser implements IConte
                     // most likely the token needs to be updated after revoking by user.
                     throw UnauthorizedError.create(this.config.host, scopes, "http-unauthorized");
                 }
-                // todo@alex: this is very unlikely. is coercing it into a valid case helpful?
-                // here, GH API responded with a 401 code, and we are missing a token. OTOH, a missing token would not lead to a request.
-                throw UnauthorizedError.create(this.config.host, GitHubScope.Requirements.PUBLIC_REPO, "missing-identity");
+                // this isn't expected to be reached, as a missing token is supposed to be handled already.
+                throw UnauthorizedError.create(this.config.host, GitHubScope.definitions.default, "missing-identity");
             }
             throw error;
         } finally {

components/server/src/github/github-token-helper.ts

@@ -35,7 +35,7 @@ export class GitHubTokenHelper {
             // no token
         }
         if (requiredScopes.length === 0) {
-            requiredScopes = GitHubScope.Requirements.DEFAULT
+            requiredScopes = GitHubScope.definitions.default
         }
         throw UnauthorizedError.create(host, requiredScopes, "missing-identity");
     }

components/server/src/github/scopes.ts

@@ -4,6 +4,7 @@
  * See License-AGPL.txt in the project root for license information.
  */
 
+import { AuthProviderScopes } from "@gitpod/gitpod-protocol";
 
 export namespace GitHubScope {
     export const EMAIL = "user:email";
@@ -12,15 +13,15 @@ export namespace GitHubScope {
     export const ORGS = "read:org";
     export const WORKFLOW = "workflow";
 
-    export const All = [EMAIL, PUBLIC, PRIVATE, ORGS, WORKFLOW];
-    export const Requirements = {
-        /**
-         * Minimal required permission.
-         * GitHub's API is not restricted any further.
-         */
-        DEFAULT: [EMAIL],
-
-        PUBLIC_REPO: [PUBLIC],
-        PRIVATE_REPO: [PRIVATE],
-    }
+    export const definitions: AuthProviderScopes = {
+        default: [EMAIL],
+        all: [EMAIL, PUBLIC, PRIVATE, ORGS, WORKFLOW],
+        descriptions: {
+            EMAIL: "Grants read-only access to the authenticated user's profile.",
+            PUBLIC: "Grants read-write access to public repositories using Git-over-HTTP.",
+            PRIVATE: "Grants read-write access to private repositories using Git-over-HTTP.",
+            ORGS: "Grants read-only access to organization membership.",
+            WORKFLOW: "Grants the ability to add and update GitHub Actions workflow files.",
+        }
+    };
 }

components/server/src/gitlab/api.ts

@@ -27,7 +27,7 @@ export class GitLabApi {
         if (typeof userOrToken === 'string') {
             oauthToken = userOrToken;
         } else {
-            const gitlabToken = await this.tokenHelper.getTokenWithScopes(userOrToken, GitLabScope.Requirements.DEFAULT);
+            const gitlabToken = await this.tokenHelper.getTokenWithScopes(userOrToken, GitLabScope.definitions.default);
             oauthToken = gitlabToken.value;
         }
         return GitLab.create({