support getting other orgs on dotcom from the GraphQL API (#63941)

sqs · web-flow · commit d33b87cb643f · 2024-07-19T15:49:09.000-07:00
Previously, the GraphQL API on dotcom only let org members query for an
org (through `organization(name: ...)` or otherwise). This made sense as
a strict security safeguard in a world where an org had only private
resources, not public resources.

However, with search contexts, saved searches, and now the new prompt
library, we want orgs on dotcom to be able to create things that (if we
or they intentionally make them public) all users can see, and can see
the association with the org owner. That requires all users to be able
to query for the org and see its name.

We continue to enforce the secrecy of much org data: members (only org
members can list the other members of the org), settings (only org
members can view this).

**But the name, displayName, and existence of an org will now be
considered public.**

## Test plan

In dotcom mode, view an organization.
diff --git a/cmd/frontend/graphqlbackend/org.go b/cmd/frontend/graphqlbackend/org.go
@@ -2,7 +2,6 @@ package graphqlbackend
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/graph-gophers/graphql-go"
 	"github.com/graph-gophers/graphql-go/relay"
@@ -28,50 +27,14 @@ func (r *schemaResolver) Organization(ctx context.Context, args struct{ Name str
 	if err != nil {
 		return nil, err
 	}
-	// 🚨 SECURITY: Only org members can get org details on Cloud
-	if dotcom.SourcegraphDotComMode() {
-		hasAccess := func() error {
-			if auth.CheckOrgAccess(ctx, r.db, org.ID) == nil {
-				return nil
-			}
-
-			if a := sgactor.FromContext(ctx); a.IsAuthenticated() {
-				_, err = r.db.OrgInvitations().GetPending(ctx, org.ID, a.UID)
-				if err == nil {
-					return nil
-				}
-			}
-
-			// NOTE: We want to present a unified error to unauthorized users to prevent
-			// them from differentiating service states by different error messages.
-			return &database.OrgNotFoundError{Message: fmt.Sprintf("name %s", args.Name)}
-		}
-		if err := hasAccess(); err != nil {
-			// site admin can access org ID
-			if auth.CheckCurrentUserIsSiteAdmin(ctx, r.db) == nil {
-				if featureflag.FromContext(ctx).GetBoolOr("auditlog-expansion", false) {
-
-					// Log action for site admin vieweing an organization's details in dotcom
-					if err := r.db.SecurityEventLogs().LogSecurityEvent(ctx, database.SecurityEventNameDotComOrgViewed, "", uint32(actor.FromContext(ctx).UID), "", "BACKEND", args); err != nil {
-						r.logger.Warn("Error logging security event", log.Error(err))
-
-					}
-				}
-				onlyOrgID := &types.Org{ID: org.ID}
-				return &OrgResolver{db: r.db, org: onlyOrgID}, nil
-			}
-			return nil, err
-		}
-	}
 
 	if featureflag.FromContext(ctx).GetBoolOr("auditlog-expansion", false) {
-
 		// Log action for siteadmin viewing an organization's details
 		if err := r.db.SecurityEventLogs().LogSecurityEvent(ctx, database.SecurityEventNameOrgViewed, "", uint32(actor.FromContext(ctx).UID), "", "BACKEND", args); err != nil {
 			r.logger.Warn("Error logging security event", log.Error(err))
-
 		}
 	}
+
 	return &OrgResolver{db: r.db, org: org}, nil
 }
 
@@ -93,28 +56,6 @@ func OrgByID(ctx context.Context, db database.DB, id graphql.ID) (*OrgResolver,
 }
 
 func OrgByIDInt32(ctx context.Context, db database.DB, orgID int32) (*OrgResolver, error) {
-	return orgByIDInt32WithForcedAccess(ctx, db, orgID, false)
-}
-
-func orgByIDInt32WithForcedAccess(ctx context.Context, db database.DB, orgID int32, forceAccess bool) (*OrgResolver, error) {
-	// 🚨 SECURITY: Only org members can get org details on Cloud
-	//              And all invited users by email
-	if !forceAccess && dotcom.SourcegraphDotComMode() {
-		err := auth.CheckOrgAccess(ctx, db, orgID)
-		if err != nil {
-			hasAccess := false
-			// allow invited user to view org details
-			if a := sgactor.FromContext(ctx); a.IsAuthenticated() {
-				_, err := db.OrgInvitations().GetPending(ctx, orgID, a.UID)
-				if err == nil {
-					hasAccess = true
-				}
-			}
-			if !hasAccess {
-				return nil, &database.OrgNotFoundError{Message: fmt.Sprintf("id %d", orgID)}
-			}
-		}
-	}
 	org, err := db.Orgs().GetByID(ctx, orgID)
 	if err != nil {
 		return nil, err
diff --git a/cmd/frontend/graphqlbackend/org_invitation.go b/cmd/frontend/graphqlbackend/org_invitation.go
@@ -48,7 +48,7 @@ func UnmarshalOrgInvitationID(id graphql.ID) (orgInvitationID int64, err error)
 }
 
 func (r *organizationInvitationResolver) Organization(ctx context.Context) (*OrgResolver, error) {
-	return orgByIDInt32WithForcedAccess(ctx, r.db, r.v.OrgID, r.v.RecipientEmail != "")
+	return OrgByIDInt32(ctx, r.db, r.v.OrgID)
 }
 
 func (r *organizationInvitationResolver) Sender(ctx context.Context) (*UserResolver, error) {
diff --git a/cmd/frontend/graphqlbackend/org_test.go b/cmd/frontend/graphqlbackend/org_test.go
@@ -43,7 +43,7 @@ func TestOrganization(t *testing.T) {
 	db.UsersFunc.SetDefaultReturn(users)
 	db.OrgMembersFunc.SetDefaultReturn(orgMembers)
 
-	t.Run("anyone can access by default", func(t *testing.T) {
+	t.Run("can access organizations", func(t *testing.T) {
 		RunTests(t, []*Test{
 			{
 				Schema: mustParseGraphQLSchema(t, db),
@@ -64,160 +64,6 @@ func TestOrganization(t *testing.T) {
 			},
 		})
 	})
-
-	t.Run("users not invited or not a member cannot access on Sourcegraph.com", func(t *testing.T) {
-		dotcom.MockSourcegraphDotComMode(t, true)
-
-		RunTests(t, []*Test{
-			{
-				Schema: mustParseGraphQLSchema(t, db),
-				Query: `
-				{
-					organization(name: "acme") {
-						name
-					}
-				}
-			`,
-				ExpectedResult: `
-				{
-					"organization": null
-				}
-				`,
-				ExpectedErrors: []*gqlerrors.QueryError{
-					{
-						Message: "org not found: name acme",
-						Path:    []any{"organization"},
-					},
-				},
-			},
-		})
-	})
-
-	t.Run("org members can access on Sourcegraph.com", func(t *testing.T) {
-		dotcom.MockSourcegraphDotComMode(t, true)
-
-		ctx := actor.WithActor(context.Background(), &actor.Actor{UID: 1})
-
-		users := dbmocks.NewMockUserStore()
-		users.GetByCurrentAuthUserFunc.SetDefaultReturn(&types.User{ID: 1, SiteAdmin: false}, nil)
-
-		orgMembers := dbmocks.NewMockOrgMemberStore()
-		orgMembers.GetByOrgIDAndUserIDFunc.SetDefaultReturn(&types.OrgMembership{OrgID: 1, UserID: 1}, nil)
-
-		db := dbmocks.NewMockDBFrom(db)
-		db.UsersFunc.SetDefaultReturn(users)
-		db.OrgMembersFunc.SetDefaultReturn(orgMembers)
-
-		RunTests(t, []*Test{
-			{
-				Schema:  mustParseGraphQLSchema(t, db),
-				Context: ctx,
-				Query: `
-				{
-					organization(name: "acme") {
-						name
-					}
-				}
-			`,
-				ExpectedResult: `
-				{
-					"organization": {
-						"name": "acme"
-					}
-				}
-				`,
-			},
-		})
-	})
-
-	t.Run("invited users can access on Sourcegraph.com", func(t *testing.T) {
-		dotcom.MockSourcegraphDotComMode(t, true)
-
-		ctx := actor.WithActor(context.Background(), &actor.Actor{UID: 1})
-
-		users := dbmocks.NewMockUserStore()
-		users.GetByCurrentAuthUserFunc.SetDefaultReturn(&types.User{ID: 1, SiteAdmin: false}, nil)
-
-		orgMembers := dbmocks.NewMockOrgMemberStore()
-		orgMembers.GetByOrgIDAndUserIDFunc.SetDefaultReturn(nil, &database.ErrOrgMemberNotFound{})
-
-		orgInvites := dbmocks.NewMockOrgInvitationStore()
-		orgInvites.GetPendingFunc.SetDefaultReturn(nil, nil)
-
-		db := dbmocks.NewMockDBFrom(db)
-		db.OrgsFunc.SetDefaultReturn(orgs)
-		db.UsersFunc.SetDefaultReturn(users)
-		db.OrgMembersFunc.SetDefaultReturn(orgMembers)
-		db.OrgInvitationsFunc.SetDefaultReturn(orgInvites)
-
-		RunTests(t, []*Test{
-			{
-				Schema:  mustParseGraphQLSchema(t, db),
-				Context: ctx,
-				Query: `
-				{
-					organization(name: "acme") {
-						name
-					}
-				}
-			`,
-				ExpectedResult: `
-				{
-					"organization": {
-						"name": "acme"
-					}
-				}
-				`,
-			},
-		})
-	})
-
-	t.Run("invited users can access org by ID on Sourcegraph.com", func(t *testing.T) {
-		dotcom.MockSourcegraphDotComMode(t, true)
-
-		ctx := actor.WithActor(context.Background(), &actor.Actor{UID: 1})
-
-		users := dbmocks.NewMockUserStore()
-		users.GetByCurrentAuthUserFunc.SetDefaultReturn(&types.User{ID: 1, SiteAdmin: false}, nil)
-
-		orgMembers := dbmocks.NewMockOrgMemberStore()
-		orgMembers.GetByOrgIDAndUserIDFunc.SetDefaultReturn(nil, &database.ErrOrgMemberNotFound{})
-
-		orgInvites := dbmocks.NewMockOrgInvitationStore()
-		orgInvites.GetPendingFunc.SetDefaultReturn(nil, nil)
-
-		db := dbmocks.NewMockDBFrom(db)
-		db.OrgsFunc.SetDefaultReturn(orgs)
-		db.UsersFunc.SetDefaultReturn(users)
-		db.OrgMembersFunc.SetDefaultReturn(orgMembers)
-		db.OrgInvitationsFunc.SetDefaultReturn(orgInvites)
-
-		RunTests(t, []*Test{
-			{
-				Schema:  mustParseGraphQLSchema(t, db),
-				Context: ctx,
-				Query: `
-				{
-					node(id: "T3JnOjE=") {
-						__typename
-						id
-						... on Org {
-						  name
-						}
-					}
-				}
-				`,
-				ExpectedResult: `
-				{
-					"node": {
-						"__typename":"Org",
-						"id":"T3JnOjE=", "name":"acme"
-					}
-				}
-				`,
-			},
-		})
-	})
 }
 
 func TestOrganizationMembers(t *testing.T) {
@@ -327,8 +173,8 @@ func TestOrganizationMembers(t *testing.T) {
 				`,
 					ExpectedErrors: []*gqlerrors.QueryError{
 						{
-							Message: "org not found: name acme",
-							Path:    []any{"organization"},
+							Message: "current user is not an org member",
+							Path:    []any{"organization", "members"},
 						},
 					},
 				},
diff --git a/internal/database/security_event_logs.go b/internal/database/security_event_logs.go
@@ -93,7 +93,6 @@ const (
 	SecurityEventNameOrgCreated        SecurityEventName = "OrganizationCreated"
 	SecurityEventNameOrgUpdated        SecurityEventName = "OrganizationUpdated"
 	SecurityEventNameOrgSettingsViewed SecurityEventName = "OrganizationSettingsViewed"
-	SecurityEventNameDotComOrgViewed   SecurityEventName = "DotComOrganizationViewed"
 
 	SecurityEventNameOutboundReqViewed SecurityEventName = "OutboundRequestViewed"
 

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ func UnmarshalOrgInvitationID(id graphql.ID) (orgInvitationID int64, err error)`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`func (r organizationInvitationResolver) Organization(ctx context.Context) (OrgResolver, error) {`
`51`		`- return orgByIDInt32WithForcedAccess(ctx, r.db, r.v.OrgID, r.v.RecipientEmail != "")`
	`51`	`+ return OrgByIDInt32(ctx, r.db, r.v.OrgID)`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`func (r organizationInvitationResolver) Sender(ctx context.Context) (UserResolver, error) {`