From 51a6c4bc77ef2b56178dedad3e4a8835b8be93e7 Mon Sep 17 00:00:00 2001
From: svenefftinge <sven@gitpod.io>
Date: Wed, 20 Sep 2023 09:19:44 +0000
Subject: [PATCH] [fga] add more logging to track down sharing issue

---
 .../server/src/authorization/spicedb-authorizer.ts   | 12 ++++++++----
 components/server/src/workspace/workspace-service.ts |  2 +-
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/components/server/src/authorization/spicedb-authorizer.ts b/components/server/src/authorization/spicedb-authorizer.ts
index 5affd1bc6d5585..584c03f048f90c 100644
--- a/components/server/src/authorization/spicedb-authorizer.ts
+++ b/components/server/src/authorization/spicedb-authorizer.ts
@@ -56,9 +56,6 @@ export class SpiceDBAuthorizer {
         },
     ): Promise<boolean> {
         const featureEnabled = await isFgaChecksEnabled(experimentsFields.userId);
-        if (!featureEnabled) {
-            return true;
-        }
         const timer = spicedbClientLatency.startTimer();
         let error: Error | undefined;
         try {
@@ -66,6 +63,13 @@ export class SpiceDBAuthorizer {
                 this.client.checkPermission(req, this.callOptions),
             );
             const permitted = response.permissionship === v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION;
+            if (!permitted && !featureEnabled) {
+                log.info("[spicedb] Permission denied.", {
+                    response: new TrustedValue(response),
+                    request: new TrustedValue(req),
+                });
+                return true;
+            }
 
             return permitted;
         } catch (err) {
@@ -73,7 +77,7 @@ export class SpiceDBAuthorizer {
             log.error("[spicedb] Failed to perform authorization check.", err, {
                 request: new TrustedValue(req),
             });
-            return false;
+            return !featureEnabled;
         } finally {
             observeSpicedbClientLatency("check", error, timer());
         }
diff --git a/components/server/src/workspace/workspace-service.ts b/components/server/src/workspace/workspace-service.ts
index 60aec37a3a109d..5879e812fcaee0 100644
--- a/components/server/src/workspace/workspace-service.ts
+++ b/components/server/src/workspace/workspace-service.ts
@@ -890,7 +890,7 @@ export class WorkspaceService {
             const client = await this.clientProvider.get(instance.region);
             await client.controlAdmission({}, req);
         }
-
+        log.info({ userId, workspaceId }, "Admission level changed", { level });
         await this.db.transaction(async (db) => {
             const shareable = level === "everyone";
             await db.updatePartial(workspaceId, { shareable });