[pat] Validate and enforce scopes for PATs

easyCZ · roboquat · commit 7ef62ba4a289 · 2022-11-24T06:22:53.000-03:00
diff --git a/components/gitpod-db/go/dbtest/personal_access_token.go b/components/gitpod-db/go/dbtest/personal_access_token.go
@@ -26,7 +26,7 @@ func NewPersonalAccessToken(t *testing.T, record db.PersonalAccessToken) db.Pers
 		UserID:         uuid.New(),
 		Hash:           "some-secure-hash",
 		Name:           "some-name",
-		Scopes:         []string{"read", "write"},
+		Scopes:         []string{"resource:default", "function:*"},
 		ExpirationTime: now.Add(5 * time.Hour),
 		CreatedAt:      now,
 		LastModified:   now,
diff --git a/components/public-api-server/pkg/apiv1/tokens.go b/components/public-api-server/pkg/apiv1/tokens.go
@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"regexp"
+	"sort"
 	"strings"
 
 	connect "github.com/bufbuild/connect-go"
@@ -20,6 +21,7 @@ import (
 	protocol "github.com/gitpod-io/gitpod/gitpod-protocol"
 	"github.com/gitpod-io/gitpod/public-api-server/pkg/auth"
 	"github.com/gitpod-io/gitpod/public-api-server/pkg/proxy"
+	"github.com/google/go-cmp/cmp"
 	"github.com/google/uuid"
 	"google.golang.org/protobuf/types/known/timestamppb"
 	"gorm.io/gorm"
@@ -56,9 +58,10 @@ func (s *TokensService) CreatePersonalAccessToken(ctx context.Context, req *conn
 		return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("Received invalid Expiration Time, it is a required parameter."))
 	}
 
-	// TODO: Parse and validate scopes before storing
-	// Until we do that, we store empty scopes.
-	var scopes []string
+	scopes, err := validateScopes(tokenReq.GetScopes())
+	if err != nil {
+		return nil, err
+	}
 
 	conn, err := getConnection(ctx, s.connectionPool)
 	if err != nil {
@@ -347,3 +350,27 @@ func validatePersonalAccessTokenName(name string) (string, error) {
 
 	return trimmed, nil
 }
+
+const (
+	allFunctionsScope    = "function:*"
+	defaultResourceScope = "resource:default"
+)
+
+func validateScopes(scopes []string) ([]string, error) {
+	// Currently we do not have support for fine grained permissions, and therefore do not support fine-grained scopes.
+	// Therefore, for now we operate in one of the following modes:
+	// * Token has no scopes - represented as the empty list of scopes
+	// * Token explicitly has access to everything the user has access to, represented as ["function:*", "resource:default"]
+	if len(scopes) == 0 {
+		return nil, nil
+	}
+
+	sort.Strings(scopes)
+	allScopesSorted := []string{allFunctionsScope, defaultResourceScope}
+
+	if cmp.Equal(scopes, allScopesSorted) {
+		return scopes, nil
+	}
+
+	return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("Tokens can currently only have no scopes (empty), or all scopes represented as [%s, %s]", allFunctionsScope, defaultResourceScope))
+}
diff --git a/components/public-api-server/pkg/apiv1/tokens_test.go b/components/public-api-server/pkg/apiv1/tokens_test.go
@@ -67,7 +67,7 @@ func TestTokensService_CreatePersonalAccessTokenWithoutFeatureFlag(t *testing.T)
 	})
 
 	t.Run("invalid argument when name is not specified", func(t *testing.T) {
-		_, _, client := setupTokensService(t, withTokenFeatureDisabled)
+		_, _, client := setupTokensService(t, withTokenFeatureEnabled)
 
 		_, err := client.CreatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.CreatePersonalAccessTokenRequest{
 			Token: &v1.PersonalAccessToken{},
@@ -91,7 +91,7 @@ func TestTokensService_CreatePersonalAccessTokenWithoutFeatureFlag(t *testing.T)
 	})
 
 	t.Run("invalid argument when expiration time is unspecified", func(t *testing.T) {
-		_, _, client := setupTokensService(t, withTokenFeatureDisabled)
+		_, _, client := setupTokensService(t, withTokenFeatureEnabled)
 
 		_, err := client.CreatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.CreatePersonalAccessTokenRequest{
 			Token: &v1.PersonalAccessToken{
@@ -102,7 +102,7 @@ func TestTokensService_CreatePersonalAccessTokenWithoutFeatureFlag(t *testing.T)
 	})
 
 	t.Run("invalid argument when expiration time is invalid", func(t *testing.T) {
-		_, _, client := setupTokensService(t, withTokenFeatureDisabled)
+		_, _, client := setupTokensService(t, withTokenFeatureEnabled)
 
 		_, err := client.CreatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.CreatePersonalAccessTokenRequest{
 			Token: &v1.PersonalAccessToken{
@@ -115,6 +115,19 @@ func TestTokensService_CreatePersonalAccessTokenWithoutFeatureFlag(t *testing.T)
 		require.Equal(t, connect.CodeInvalidArgument, connect.CodeOf(err))
 	})
 
+	t.Run("invalid argument when disallowed scopes used", func(t *testing.T) {
+		_, _, client := setupTokensService(t, withTokenFeatureEnabled)
+
+		_, err := client.CreatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.CreatePersonalAccessTokenRequest{
+			Token: &v1.PersonalAccessToken{
+				Name:           "my-token",
+				ExpirationTime: timestamppb.Now(),
+				Scopes:         []string{"random:scope"},
+			},
+		}))
+		require.Equal(t, connect.CodeInvalidArgument, connect.CodeOf(err))
+	})
+
 	t.Run("crates personal access token", func(t *testing.T) {
 		serverMock, dbConn, client := setupTokensService(t, withTokenFeatureEnabled)
 
@@ -149,6 +162,53 @@ func TestTokensService_CreatePersonalAccessTokenWithoutFeatureFlag(t *testing.T)
 		require.NoError(t, err)
 		require.Equal(t, user.ID, storedInDB.UserID.String())
 	})
+
+	t.Run("crates personal access token with no scopes when none provided", func(t *testing.T) {
+		serverMock, dbConn, client := setupTokensService(t, withTokenFeatureEnabled)
+
+		serverMock.EXPECT().GetLoggedInUser(gomock.Any()).Return(user, nil)
+
+		token := &v1.PersonalAccessToken{
+			Name:           "my-token",
+			ExpirationTime: timestamppb.Now(),
+		}
+
+		response, err := client.CreatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.CreatePersonalAccessTokenRequest{
+			Token: token,
+		}))
+		require.NoError(t, err)
+
+		created := response.Msg.GetToken()
+		t.Cleanup(func() {
+			require.NoError(t, dbConn.Where("id = ?", created.GetId()).Delete(&db.PersonalAccessToken{}).Error)
+		})
+
+		require.Len(t, created.GetScopes(), 0, "must have no scopes, none were provided in the request")
+	})
+
+	t.Run("crates personal access token with full access when correct scopes provided", func(t *testing.T) {
+		serverMock, dbConn, client := setupTokensService(t, withTokenFeatureEnabled)
+
+		serverMock.EXPECT().GetLoggedInUser(gomock.Any()).Return(user, nil)
+
+		token := &v1.PersonalAccessToken{
+			Name:           "my-token",
+			ExpirationTime: timestamppb.Now(),
+			Scopes:         []string{"resource:default", "function:*"},
+		}
+
+		response, err := client.CreatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.CreatePersonalAccessTokenRequest{
+			Token: token,
+		}))
+		require.NoError(t, err)
+
+		created := response.Msg.GetToken()
+		t.Cleanup(func() {
+			require.NoError(t, dbConn.Where("id = ?", created.GetId()).Delete(&db.PersonalAccessToken{}).Error)
+		})
+
+		require.Equal(t, []string{allFunctionsScope, defaultResourceScope}, created.GetScopes())
+	})
 }
 
 func TestTokensService_GetPersonalAccessToken(t *testing.T) {
@@ -617,6 +677,62 @@ func TestTokensService_Workflow(t *testing.T) {
 	require.NoError(t, err)
 }
 
+func TestValidateScopes(t *testing.T) {
+	for _, s := range []struct {
+		Name            string
+		RequestedScopes []string
+		Error           bool
+	}{
+		{
+			Name:            "no scopes are permitted",
+			RequestedScopes: nil,
+		},
+		{
+			Name:            "empty scopes are permitted",
+			RequestedScopes: []string{},
+		},
+		{
+			Name:            "all scopes are permitted",
+			RequestedScopes: []string{"function:*", "resource:default"},
+		},
+		{
+			Name:            "all scopes (unsorted) are permitted",
+			RequestedScopes: []string{"resource:default", "function:*"},
+		},
+		{
+			Name:            "only all function scope is not permitted",
+			RequestedScopes: []string{"function:*"},
+			Error:           true,
+		},
+		{
+			Name:            "only all default resource scope is not permitted",
+			RequestedScopes: []string{"resource:default"},
+			Error:           true,
+		},
+		{
+			Name:            "unknown scope is rejected",
+			RequestedScopes: []string{"unknown"},
+			Error:           true,
+		},
+		{
+			Name:            "unknown scope, with all scopes, is rejected",
+			RequestedScopes: []string{"unknown", "function:*", "resource:default"},
+			Error:           true,
+		},
+	} {
+		t.Run(s.Name, func(t *testing.T) {
+			_, err := validateScopes(s.RequestedScopes)
+
+			if s.Error {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+
+	}
+}
+
 func setupTokensService(t *testing.T, expClient experiments.Client) (*protocol.MockAPIInterface, *gorm.DB, v1connect.TokensServiceClient) {
 	t.Helper()
 
