/** * Copyright (c) 2020 Gitpod GmbH. All rights reserved. * Licensed under the GNU Affero General Public License (AGPL). * See License-AGPL.txt in the project root for license information. */ // see below for explanation export const Permissions = { monitor: undefined, enforcement: undefined, "privileged-ws": undefined, "registry-access": undefined, "admin-users": undefined, "admin-workspaces": undefined, "admin-projects": undefined, "admin-api": undefined, "ide-settings": undefined, "new-workspace-cluster": undefined, }; export type PermissionName = keyof typeof Permissions; export const Roles = { devops: undefined, viewer: undefined, admin: undefined }; export type RoleName = keyof typeof Roles; export type RoleOrPermission = RoleName | PermissionName; export namespace RoleName { export const is = (o: any): o is RoleName => { return typeof o === "string" && Role.all().some((r) => r.name === o); }; } export interface Role { name: RoleName; permissions: PermissionName[]; } export namespace RolesOrPermissions { export function toPermissionSet(rolesOrPermissions: RoleOrPermission[] | undefined): Set { rolesOrPermissions = rolesOrPermissions || []; const permissions = new Set(); for (const rop of rolesOrPermissions) { if (Permission.is(rop)) { permissions.add(rop); } else if (RoleName.is(rop)) { Role.getByName(rop).permissions.forEach((p) => permissions.add(p)); } } return permissions; } } export namespace Permission { /** The permission to monitor the (live) state of a Gitpod installation */ export const MONITOR: PermissionName = "monitor"; /** The permission for actions like block user, stop workspace, etc. */ export const ENFORCEMENT: PermissionName = "enforcement"; /** The permission for registry access (start workspaces referencing gitpod-internal Docker images) */ export const REGISTRY_ACCESS: PermissionName = "registry-access"; /** The permission for accessing all user data */ export const ADMIN_USERS: PermissionName = "admin-users"; /** The permission for accessing all workspace data */ export const ADMIN_WORKSPACES: PermissionName = "admin-workspaces"; /** The permission for accessing all projects data */ export const ADMIN_PROJECTS: PermissionName = "admin-projects"; /** The permission to access the admin API */ export const ADMIN_API: PermissionName = "admin-api"; /** The permission to access the IDE settings */ export const IDE_SETTINGS: PermissionName = "ide-settings"; export const is = (o: any): o is PermissionName => { return typeof o === "string" && Permission.all().some((p) => p === o); }; export const all = (): PermissionName[] => { return Object.keys(Permissions) as PermissionName[]; }; } export namespace Role { /** The default role for all Gitpod developers */ export const DEVOPS: Role = { name: "devops", permissions: [Permission.MONITOR, Permission.ENFORCEMENT, Permission.REGISTRY_ACCESS, Permission.IDE_SETTINGS], }; /** A role for people that are allowed to view Gitpod internals */ export const VIEWER: Role = { name: "viewer", permissions: [Permission.MONITOR, Permission.REGISTRY_ACCESS], }; export const ADMIN: Role = { name: "admin", permissions: [ Permission.ADMIN_USERS, Permission.ADMIN_WORKSPACES, Permission.ADMIN_PROJECTS, Permission.ADMIN_API, Permission.ENFORCEMENT, ], }; export const getByName = (name: RoleName): Role => { const result = Role.all().find((r) => r.name === name); if (!result) { throw Error("Unknown RoleName: " + name); } return result; }; export const all = (): Role[] => { return Object.keys(Role) .map((k) => (Role as any)[k]) .filter((k) => typeof k === "object"); }; }