SubjectId: Address mismatch (I) (#19144)

* [workspace] Use runWithRequestContext in reconcileWorkspaceStart * [probot] Run prebuild webhook with correct subjectId * [prebuods] Mopre SubjectId changes...
gitpod-io · Nov 28, 2023 · 5fc4561 · 5fc4561
1 parent dfb3dc2
commit 5fc4561
Show file tree

Hide file tree

Showing 7 changed files with 280 additions and 248 deletions.
diff --git a/components/server/src/prebuilds/bitbucket-app.ts b/components/server/src/prebuilds/bitbucket-app.ts
@@ -19,6 +19,9 @@ import { UserService } from "../user/user-service";
 import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import { URL } from "url";
 import { ProjectsService } from "../projects/projects-service";
+import { SubjectId } from "../auth/subject-id";
+import { runWithSubjectId } from "../util/request-context";
+import { SYSTEM_USER, SYSTEM_USER_ID } from "../authorization/authorizer";
 
 @injectable()
 export class BitbucketApp {
@@ -120,7 +123,9 @@ export class BitbucketApp {
         const span = TraceContext.startSpan("Bitbucket.handlePushHook", ctx);
         try {
             const cloneURL = data.gitCloneUrl;
-            const projects = await this.projectService.findProjectsByCloneUrl(user.id, cloneURL);
+            const projects = await runWithSubjectId(SYSTEM_USER, () =>
+                this.projectService.findProjectsByCloneUrl(SYSTEM_USER_ID, cloneURL),
+            );
             for (const project of projects) {
                 try {
                     const projectOwner = await this.findProjectOwner(project, user);
@@ -151,34 +156,36 @@ export class BitbucketApp {
                         continue;
                     }
 
-                    log.info("Starting prebuild.", { contextURL });
-                    const { host, owner, repo } = RepoURL.parseRepoUrl(data.repoUrl)!;
-                    const hostCtx = this.hostCtxProvider.get(host);
-                    let commitInfo: CommitInfo | undefined;
-                    if (hostCtx?.services?.repositoryProvider) {
-                        commitInfo = await hostCtx.services.repositoryProvider.getCommitInfo(
-                            user,
-                            owner,
-                            repo,
-                            data.commitHash,
+                    await runWithSubjectId(SubjectId.fromUserId(projectOwner.id), async () => {
+                        log.info("Starting prebuild.", { contextURL });
+                        const { host, owner, repo } = RepoURL.parseRepoUrl(data.repoUrl)!;
+                        const hostCtx = this.hostCtxProvider.get(host);
+                        let commitInfo: CommitInfo | undefined;
+                        if (hostCtx?.services?.repositoryProvider) {
+                            commitInfo = await hostCtx.services.repositoryProvider.getCommitInfo(
+                                user,
+                                owner,
+                                repo,
+                                data.commitHash,
+                            );
+                        }
+                        const ws = await this.prebuildManager.startPrebuild(
+                            { span },
+                            {
+                                user: projectOwner,
+                                project,
+                                context,
+                                commitInfo,
+                            },
                         );
-                    }
-                    const ws = await this.prebuildManager.startPrebuild(
-                        { span },
-                        {
-                            user: projectOwner,
-                            project,
-                            context,
-                            commitInfo,
-                        },
-                    );
-                    if (!ws.done) {
-                        await this.webhookEvents.updateEvent(event.id, {
-                            prebuildStatus: "prebuild_triggered",
-                            status: "processed",
-                            prebuildId: ws.prebuildId,
-                        });
-                    }
+                        if (!ws.done) {
+                            await this.webhookEvents.updateEvent(event.id, {
+                                prebuildStatus: "prebuild_triggered",
+                                status: "processed",
+                                prebuildId: ws.prebuildId,
+                            });
+                        }
+                    });
                 } catch (error) {
                     log.error("Error processing Bitbucket Server webhook event", error);
                 }
@@ -218,7 +225,9 @@ export class BitbucketApp {
             const hostContext = this.hostCtxProvider.get(new URL(project.cloneUrl).host);
             const authProviderId = hostContext?.authProvider.authProviderId;
             for (const teamMember of teamMembers) {
-                const user = await this.userService.findUserById(teamMember.userId, teamMember.userId);
+                const user = await runWithSubjectId(SubjectId.fromUserId(teamMember.userId), () =>
+                    this.userService.findUserById(teamMember.userId, teamMember.userId),
+                );
                 if (user && user.identities.some((i) => i.authProviderId === authProviderId)) {
                     return user;
                 }

diff --git a/components/server/src/prebuilds/bitbucket-server-app.ts b/components/server/src/prebuilds/bitbucket-server-app.ts
@@ -19,6 +19,9 @@ import { UserService } from "../user/user-service";
 import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import { URL } from "url";
 import { ProjectsService } from "../projects/projects-service";
+import { SubjectId } from "../auth/subject-id";
+import { runWithSubjectId } from "../util/request-context";
+import { SYSTEM_USER, SYSTEM_USER_ID } from "../authorization/authorizer";
 
 @injectable()
 export class BitbucketServerApp {
@@ -117,7 +120,9 @@ export class BitbucketServerApp {
         const span = TraceContext.startSpan("Bitbucket.handlePushHook", ctx);
         try {
             const cloneURL = this.getCloneUrl(payload);
-            const projects = await this.projectService.findProjectsByCloneUrl(user.id, cloneURL);
+            const projects = await runWithSubjectId(SYSTEM_USER, () =>
+                this.projectService.findProjectsByCloneUrl(SYSTEM_USER_ID, cloneURL),
+            );
             for (const project of projects) {
                 try {
                     const projectOwner = await this.findProjectOwner(project, user);
@@ -155,23 +160,25 @@ export class BitbucketServerApp {
 
                     log.debug("Bitbucket Server push event: Starting prebuild.", { contextUrl });
 
-                    const commitInfo = await this.getCommitInfo(user, cloneURL, commit);
-                    const ws = await this.prebuildManager.startPrebuild(
-                        { span },
-                        {
-                            user: projectOwner,
-                            project: project,
-                            context,
-                            commitInfo,
-                        },
-                    );
-                    if (!ws.done) {
-                        await this.webhookEvents.updateEvent(event.id, {
-                            prebuildStatus: "prebuild_triggered",
-                            status: "processed",
-                            prebuildId: ws.prebuildId,
-                        });
-                    }
+                    await runWithSubjectId(SubjectId.fromUserId(projectOwner.id), async () => {
+                        const commitInfo = await this.getCommitInfo(user, cloneURL, commit);
+                        const ws = await this.prebuildManager.startPrebuild(
+                            { span },
+                            {
+                                user: projectOwner,
+                                project: project,
+                                context,
+                                commitInfo,
+                            },
+                        );
+                        if (!ws.done) {
+                            await this.webhookEvents.updateEvent(event.id, {
+                                prebuildStatus: "prebuild_triggered",
+                                status: "processed",
+                                prebuildId: ws.prebuildId,
+                            });
+                        }
+                    });
                 } catch (error) {
                     log.error("Error processing Bitbucket Server webhook event", error);
                 }
@@ -214,7 +221,9 @@ export class BitbucketServerApp {
             const hostContext = this.hostCtxProvider.get(new URL(project.cloneUrl).host);
             const authProviderId = hostContext?.authProvider.authProviderId;
             for (const teamMember of teamMembers) {
-                const user = await this.userService.findUserById(webhookInstaller.id, teamMember.userId);
+                const user = await runWithSubjectId(SubjectId.fromUserId(webhookInstaller.id), () =>
+                    this.userService.findUserById(webhookInstaller.id, teamMember.userId),
+                );
                 if (user && user.identities.some((i) => i.authProviderId === authProviderId)) {
                     return user;
                 }