[server] Read blocked repositories from database #11036
Conversation
Add the new BlockedRepository entity and its interface and implementation.
This was auto-generated by running: `docker run --rm --name some-mysql -e MYSQL_ROOT_PASSWORD=test -e MYSQL_DATABASE=gitpod -e MYSQL_USER=gitpod -e MYSQL_PASSWORD=test -p 3306:3306 -d mysql:5.7` `yarn typeorm migration:generate -n New` from the `gitpod-db` directory. And then removing everything but the new table. We should document a better way of doing this.
| // TODO: not sure if we need this? | ||
| // TODO: should have a default value of false? | ||
| // This column triggers the db-sync deletion mechanism. It's not intended for public consumption. | ||
| @Column() | ||
| deleted: boolean; |
There was a problem hiding this comment.
As the comment suggests, I'm not sure if we need this field on the new table.
There was a problem hiding this comment.
boolean is mapped tinyint, which defaults to '0'. That's why we do not have explicit defaults throughout the code base. 👍
TODO: not sure if we need this?
If we want to be able to remove this entry from the DB cross-region then yes, we should have it. 👍
There was a problem hiding this comment.
@andrew-farries For this DB table to be synced we also need an entry in tables.ts. Happy to chat about how that needs to look like.
There was a problem hiding this comment.
I've added an entry to tables.ts in c4aebe3
|
To be able to land this, we also need to udpate all the runbooks and point to how to establish a DB connection so that on-call engineers can block dynamically. To make this less one-shot-change, can we first merge the config and the DB results when checking to enable gradual migration away? This would give us time to stage the change and communicate it. |
My plan (as described in #11030) was to allow the two mechanisms (reading from db and from config) to exist in parallel until we add the API and UI to interact with blocked repositories in the db. At that point we copy the blocked repos from config into the db. Until that point the blocked repository db table remains empty. This PR isn't intended to replace the mechanism we currently use to block repos, just be a step towards that. So we don't need to update any runbooks etc. |
|
Nice, sorry didn't click through into the parent issue. |
components/gitpod-protocol/src/blocked-repositories-protocol.ts
Outdated
Show resolved
Hide resolved
Answered by code review.
components/gitpod-db/src/typeorm/entity/db-blocked-repository.ts
Outdated
Show resolved
Hide resolved
|
Testing... |
There was a problem hiding this comment.
Awesome, looking forward to have this! 🚀
/hold We should remove this unused DB field.
|
/werft run with-clean-slate-deployment=true 👍 started the job as gitpod-build-af-admin-block-users.36 |
|
/unhold |
roboquat
added
deployed: webapp
Description
Add a
d_b_blocked_repositorytable to the application database and use it at workspace startup to check whether a workspace should be blocked. Also checks if the user should be blocked for attempting to start such a workspace and blocks the user as necessary.Related Issue(s)
Part of #11030
How to test
Get a kube context for the preview environment for this branch:
Port forward to the database (username and password is in the
serverenvironment):Using
mysqlclient ormycli(needsbrew install myclifirst) add an entry to thed_b_blocked_repositorytable.Attempt to start a workspace from a github repository under your user.
Observe that the workspace fails to start.
Try to open another workspace and see that you are now blocked.
Unblock yourself by updating your entry in the
d_b_userstable:Experiment by inserting/deleting other combinations of
urlRegexpandblockUserin thed_b_blocked_repositorytable.Release Notes
Werft options