[server] move FGA calls into AuthProviderService

[AlexTugarev]

Description

This change set was extracted out of #19008.

What happens here is a refactoring of the json-rpc api and implementation in order to make it, i.e. the AuthProviderService, reusable to implement the public-api interfaces.

Summary generated by Copilot

🤖 Generated by Copilot at 1010fde

This pull request refactors the auth provider API and the GitpodServer interface to improve the security, clarity, and modularity of the auth provider operations. It introduces new methods for managing auth providers at the user and org level, and applies rate limiting and authorization checks to them. It also updates the UserDeletionService class to use the new method for deleting the user's own auth providers.

Related Issue(s)

Fixes #

How to test

• verify managing scopes works as usual, i.e. you can update your git token in user settings
• verify creating of new git integrations works as usual, on user-level as well as on Org-level
• verify no credentials are sent over the websocket channel (as we're touching mapping of shapes in this PR)

Documentation

Preview status

Gitpod was successfully deployed to your preview environment.

• 🏷️ Name - at-server-e1c45418cc
• 🔗 URL - at-server-e1c45418cc.preview.gitpod-dev.com/workspaces.
• 📚 Documentation - See our internal documentation for information on how to interact with your preview environment.
• 📦 Version - at-server-authprovider-service-gha.19431
• 🗒️ Logs - GCP Logs Explorer

Build Options

Build

• /werft with-werft
  Run the build with werft instead of GHA
• leeway-no-cache
• /werft no-test
  Run Leeway with --dont-test

Publish

• /werft publish-to-npm
• /werft publish-to-jb-marketplace

Installer

• analytics=segment
• with-dedicated-emulation
• workspace-feature-flags
  Add desired feature flags to the end of the line above, space separated

Preview Environment / Integration Tests

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-gce-vm
  If enabled this will create the environment on GCE infra
• with-integration-tests=all
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
• with-monitoring

/hold

[AlexTugarev]

DI issue to be solved:

Circular dependency found: 
Server --> Authenticator --> Symbol(HostContextProvider) --> AuthProviderService --> Symbol(HostContextProvider)

✅

[akosyakov]

@AlexTugarev is good to review? asking because it is still in draft

[akosyakov]

@mustard-mh it would be good if you review code and test as well

[mustard-mh]

Code LGTM, tested with BBS 🎉

✅ It can create/delete org SCM, and able to connect and create ws

✅ After delete org SCM, connected one in user setting deleted too

✅ User level SCM create/delete/connect and workspace create also works

[AlexTugarev]

We've been testing with Anton and one situation was unclear which deserves to be covered in a test case. getAuthProviders should return providers owned by Orgs where the subject is a regular member of. There is a test case for owners, but not for members. Also this is to be checked with Dogfood cell to provide a consistent behavior.

[AlexTugarev]

@akosyakov, the behavior we've seen during testing is consistent with previous decisions. I've added test cases to cover the very in b54761f

[akosyakov]

@AlexTugarev good, do you need any other support or good to land?

[AlexTugarev]

/unhold