/**
* Copyright (c) 2020 Gitpod GmbH. All rights reserved.
* Licensed under the GNU Affero General Public License (AGPL).
* See License.AGPL.txt in the project root for license information.
*/
/**
 * Registry of every permission name known to this module.
 *
 * Only the keys carry meaning; every value is `undefined`. Keeping the names as
 * keys of a runtime object lets a single list serve two purposes: the
 * `PermissionName` union is derived from it at compile time, and
 * `Object.keys(Permissions)` enumerates the same names at runtime.
 *
 * NOTE(review): the object is exported unfrozen. A key added to it at runtime
 * would be returned by `Object.keys` and would therefore pass any name check
 * built on that list. Consider `Object.freeze` if no caller relies on mutation.
 */
export const Permissions = {
    developer: undefined,
    "registry-access": undefined,
    "admin-permissions": undefined,
    "admin-users": undefined,
    "admin-workspace-content": undefined,
    "admin-workspaces": undefined,
    "admin-projects": undefined,
    "new-workspace-cluster": undefined,
};

/** Union of the string literals that are keys of `Permissions`. */
export type PermissionName = keyof typeof Permissions;

/**
 * Registry of role names, built the same way as `Permissions` (keys only).
 *
 * A name listed here is part of the `RoleName` type, but it only resolves at
 * runtime when a matching role object is exported from the `Role` namespace.
 * In this file `devops` has no such object.
 */
export const Roles = {
    devops: undefined,
    viewer: undefined,
    admin: undefined,
};

/** Union of the string literals that are keys of `Roles`. */
export type RoleName = keyof typeof Roles;

/** Either a role name or a single permission name. */
export type RoleOrPermission = RoleName | PermissionName;
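export namespace RoleName {
    /**
     * Runtime type guard for role names.
     *
     * A value is accepted only if it is a string equal to the `name` of one of
     * the roles returned by `Role.all()`. The check is made against defined
     * role objects, not against the keys of `Roles`, so a name that belongs to
     * the `RoleName` type but has no role object is rejected. As a result
     * `RolesOrPermissions.toPermissionSet` skips such a name and it grants
     * nothing.
     *
     * The parameter is typed `unknown` rather than `any` so the body is
     * type-checked and must narrow the value before comparing it.
     *
     * @param o value of unknown origin to test
     * @returns `true` when `o` is the name of a defined role
     */
    export const is = (o: unknown): o is RoleName => {
        if (typeof o !== "string") {
            return false;
        }
        return Role.all().some((r) => r.name === o);
    };
}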
28
29
/** A named bundle of permissions. */
export interface Role {
    /** Identifier of the role; one of the keys of `Roles`. */
    name: RoleName;

    /** Permissions this role contributes when it is expanded into a permission set. */
    permissions: PermissionName[];
}
33
34
export namespace RolesOrPermissions {
    /**
     * Flattens a mixed list of role names and permission names into the set of
     * permissions it grants.
     *
     * An entry that is a permission name is added as-is. An entry that names a
     * defined role contributes every permission of that role. An entry that is
     * neither is skipped without an error, so an unrecognized value never adds
     * a permission.
     *
     * @param rolesOrPermissions list to flatten; `undefined` is treated as empty
     * @returns a new set holding the effective permissions (empty if nothing matched)
     */
    export function toPermissionSet(rolesOrPermissions: RoleOrPermission[] | undefined): Set<PermissionName> {
        const granted = new Set<PermissionName>();

        for (const entry of rolesOrPermissions || []) {
            // Permission names are checked before role names, as in the original ordering.
            if (Permission.is(entry)) {
                granted.add(entry);
                continue;
            }
            if (RoleName.is(entry)) {
                for (const permission of Role.getByName(entry).permissions) {
                    granted.add(permission);
                }
            }
            // Anything else falls through here and grants nothing.
        }

        return granted;
    }
}
49
50
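export namespace Permission {
    /** The permission to develop on this running Gitpod installation */
    export const DEVELOPER: PermissionName = "developer";

    /** The permission for registry access (start workspaces referencing gitpod-internal Docker images) */
    export const REGISTRY_ACCESS: PermissionName = "registry-access";

    /** The permission for administration and deletion of user data */
    export const ADMIN_PERMISSIONS: PermissionName = "admin-permissions";

    /** The permission for accessing user data */
    export const ADMIN_USERS: PermissionName = "admin-users";

    /** The permission for accessing workspace content */
    export const ADMIN_WORKSPACE_CONTENT: PermissionName = "admin-workspace-content";

    /** The permission for accessing workspace data */
    export const ADMIN_WORKSPACES: PermissionName = "admin-workspaces";

    /** The permission for accessing all projects data */
    export const ADMIN_PROJECTS: PermissionName = "admin-projects";

    // NOTE(review): "new-workspace-cluster" is a key of `Permissions` but has no
    // named constant in this namespace. `is` and `all` still recognize it.

    /**
     * Runtime type guard for permission names.
     *
     * A value is accepted only if it is a string that exactly equals one of the
     * names returned by `all()`. Because `all()` is built from `Object.keys`,
     * only the registry's own keys match; inherited property names such as
     * "constructor" or "toString" do not.
     *
     * The parameter is typed `unknown` rather than `any` so the body is
     * type-checked and must narrow the value before comparing it.
     *
     * @param o value of unknown origin to test
     * @returns `true` when `o` is a known permission name
     */
    export const is = (o: unknown): o is PermissionName => {
        if (typeof o !== "string") {
            return false;
        }
        return Permission.all().some((p) => p === o);
    };

    /**
     * Lists every permission name, i.e. the own enumerable keys of `Permissions`.
     *
     * @returns a fresh array on each call
     */
    export const all = (): PermissionName[] => {
        return Object.keys(Permissions) as PermissionName[];
    };
}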
80
81
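export namespace Role {
    /** A role for people that are allowed to view Gitpod internals */
    export const VIEWER: Role = {
        name: "viewer",
        permissions: [Permission.REGISTRY_ACCESS],
    };

    /**
     * Administrative role: grants access to user, workspace and project data.
     * It does not include `admin-permissions` or `admin-workspace-content`.
     */
    export const ADMIN: Role = {
        name: "admin",
        permissions: [Permission.ADMIN_USERS, Permission.ADMIN_WORKSPACES, Permission.ADMIN_PROJECTS],
    };

    /**
     * Looks up a defined role by its name.
     *
     * @param name role name to resolve
     * @returns the role object whose `name` equals `name`
     * @throws Error when no role exported from this namespace has that name
     *         (a member of the `RoleName` type can still lack a role object)
     */
    export const getByName = (name: RoleName): Role => {
        const result = Role.all().find((r) => r.name === name);
        if (!result) {
            throw new Error("Unknown RoleName: " + name);
        }
        return result;
    };

    /**
     * Lists every role defined in this namespace.
     *
     * Roles are discovered by reflection: each enumerable export of the
     * namespace whose value is a non-null object counts as a role, and function
     * exports such as `getByName` and `all` are filtered out. Any object-valued
     * export added here therefore becomes resolvable by name and expandable
     * into permissions, so review new exports with that in mind.
     *
     * `null` is excluded explicitly because `typeof null === "object"`; without
     * the check a null export would be returned as a role and the `r.name`
     * lookups in callers would throw.
     *
     * @returns a fresh array of the role objects
     */
    export const all = (): Role[] => {
        // The namespace object is indexed reflectively, which its static type does not allow.
        // eslint-disable-next-line @typescript-eslint/no-explicit-any
        const exported = Role as any;
        return Object.keys(Role)
            .map((k) => exported[k])
            .filter((v) => typeof v === "object" && v !== null);
    };
}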
107
108