[papi] add api to allow organization owner to create a temporary token

[mustard-mh]

Description

• Need to rebase after Add admin role to builtin admin back #19337 is merged

Related Issue(s)

Fixes EXP-1084, EXP-1085

How to test

Without OIDC, test script mentioned below should failed. Since there's no organization owned users even you have Feature Flag enabled.

• Try test with test script

  gitpod/test/tests/smoke-test/papi_create_temp_token_test.go

  Lines 22 to 33 in 9c645b1

  	export TEST_CREATE_TMP_TOKEN=true
  	export GITPOD_HOST=hw-token-exp-1084.preview.gitpod-dev.com
  	# cookie should format like: <cookie_name>=<cookie_value>
  	export USER_TOKEN=<correct_cookie>
  	export MEMBER_USER_TOKEN=<member_cookie>
  	export MEMBER_USER_ID=<member_id>
  	export CURRENT_USER_ID=<admin_id>
  	export TARGET_USER_ID=<target_user_id>
  	go test -run "^TestCreateTemporaryAccessToken" github.com/gitpod-io/gitpod/test/tests/smoke-test -v -count=1

Create an OIDC preview env youself

• Open this PR with Gitpod, create another branch based on current one
• Exec command

export GITPOD_WITH_DEDICATED_EMU=true
leeway run dev:preview

• Follow internal Notion page to get SSO info
• Exec command

previewctl admin credentials create
kubectl rollout restart deploy/server

# access link print via previewctl

• Setup our SSO

Documentation

Preview status

gitpod:summary

Build Options

Build

• /werft with-werft
  Run the build with werft instead of GHA
• leeway-no-cache
• /werft no-test
  Run Leeway with --dont-test

Publish

• /werft publish-to-npm
• /werft publish-to-jb-marketplace

Installer

• analytics=segment
• with-dedicated-emulation
• workspace-feature-flags
  Add desired feature flags to the end of the line above, space separated

Preview Environment / Integration Tests

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-gce-vm
  If enabled this will create the environment on GCE infra
• /werft preemptible
  Saves cost. Untick this only if you're really sure you need a non-preemtible machine.
• with-integration-tests=all
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
• with-monitoring

/hold

[svenefftinge]

why do we need to add this role back? It looks like FGA doesn't care given this code in authorizer.ts:

export function createInitializingAuthorizer(spiceDbAuthorizer: SpiceDBAuthorizer): Authorizer {
    const target = new Authorizer(spiceDbAuthorizer);
    const initialized = (async () => {
        await target.addInstallationAdminRole(BUILTIN_INSTLLATION_ADMIN_USER_ID);
        await target.addUser(BUILTIN_INSTLLATION_ADMIN_USER_ID);
    })().catch((err) => log.error("Failed to initialize authorizer", err));
    return new Proxy(target, {
        get(target, propKey, receiver) {
            const originalMethod = target[propKey as keyof typeof target];

            if (typeof originalMethod === "function") {
                return async function (...args: any[]) {
                    await initialized;
                    return (originalMethod as any).apply(target, args);
                };
            } else {
                return originalMethod;
            }
        },
    });
}

[mustard-mh]

installation#admin will be removed by regular job because it doesn't have role: admin in database

[svenefftinge]

Ah, ok that gets executed when ever we bump the version. 👍

[mustard-mh]

Feedback addressed, smoke tests pass after deployment