Support variable scopes (#17)

Author: jeanp413

src/authentication.ts

@@ -5,6 +5,7 @@
 
 import * as vscode from 'vscode';
 import { v4 as uuid } from 'uuid';
+import fetch from 'node-fetch';
 import Keychain from './common/keychain';
 import GitpodServer from './gitpodServer';
 import Log from './common/logger';
@@ -30,6 +31,8 @@ export default class GitpodAuthenticationProvider extends Disposable implements
 	private _gitpodServer: GitpodServer;
 	private _keychain: Keychain;
 
+	private _serviceUrl: string;
+
 	private _sessionsPromise: Promise<vscode.AuthenticationSession[]>;
 
 	constructor(private readonly context: vscode.ExtensionContext, logger: Log, telemetry: TelemetryReporter) {
@@ -39,17 +42,19 @@ export default class GitpodAuthenticationProvider extends Disposable implements
 		this._telemetry = telemetry;
 
 		const gitpodHost = vscode.workspace.getConfiguration('gitpod').get<string>('host')!;
-		const serviceUrl = new URL(gitpodHost);
-		this._gitpodServer = new GitpodServer(serviceUrl.toString(), this._logger);
-		this._keychain = new Keychain(this.context, `gitpod.auth.${serviceUrl.hostname}`, this._logger);
+		const gitpodHostUrl = new URL(gitpodHost);
+		this._serviceUrl = gitpodHostUrl.toString().replace(/\/$/, '');
+		this._gitpodServer = new GitpodServer(this._serviceUrl, this._logger);
+		this._keychain = new Keychain(this.context, `gitpod.auth.${gitpodHostUrl.hostname}`, this._logger);
 		this._logger.info(`Started authentication provider for ${gitpodHost}`);
 		this._register(vscode.workspace.onDidChangeConfiguration(e => {
 			if (e.affectsConfiguration('gitpod.host')) {
 				const gitpodHost = vscode.workspace.getConfiguration('gitpod').get<string>('host')!;
-				const serviceUrl = new URL(gitpodHost);
+				const gitpodHostUrl = new URL(gitpodHost);
+				this._serviceUrl = gitpodHostUrl.toString().replace(/\/$/, '');
 				this._gitpodServer.dispose();
-				this._gitpodServer = new GitpodServer(serviceUrl.toString(), this._logger);
-				this._keychain = new Keychain(this.context, `gitpod.auth.${serviceUrl.hostname}`, this._logger);
+				this._gitpodServer = new GitpodServer(this._serviceUrl, this._logger);
+				this._keychain = new Keychain(this.context, `gitpod.auth.${gitpodHostUrl.hostname}`, this._logger);
 				this._logger.info(`Started authentication provider for ${gitpodHost}`);
 
 				this.checkForUpdates();
@@ -70,16 +75,40 @@ export default class GitpodAuthenticationProvider extends Disposable implements
 	async getSessions(scopes?: string[]): Promise<vscode.AuthenticationSession[]> {
 		// For the Gitpod scope list, order doesn't matter so we immediately sort the scopes
 		const sortedScopes = scopes?.sort() || [];
-		this._logger.info(`Getting sessions for ${sortedScopes.length ? sortedScopes.join(',') : 'all scopes'}...`);
+		const validScopes = await this.fetchValidScopes();
+		const sortedFilteredScopes = sortedScopes.filter(s => !validScopes || validScopes.includes(s));
+		this._logger.info(`Getting sessions for ${sortedScopes.length ? sortedScopes.join(',') : 'all scopes'}${sortedScopes.length !== sortedFilteredScopes.length ? `, but valid scopes are ${sortedFilteredScopes.join(',')}` : ''}...`);
+		if (sortedScopes.length !== sortedFilteredScopes.length) {
+			this._logger.warn(`But valid scopes are ${sortedFilteredScopes.join(',')}, returning session with only valid scopes...`);
+		}
 		const sessions = await this._sessionsPromise;
-		const finalSessions = sortedScopes.length
-			? sessions.filter(session => arrayEquals([...session.scopes].sort(), sortedScopes))
+		const finalSessions = sortedFilteredScopes.length
+			? sessions.filter(session => arrayEquals([...session.scopes].sort(), sortedFilteredScopes))
 			: sessions;
 
-		this._logger.info(`Got ${finalSessions.length} sessions for ${sortedScopes?.join(',') ?? 'all scopes'}...`);
+		this._logger.info(`Got ${finalSessions.length} sessions for ${sortedFilteredScopes?.join(',') ?? 'all scopes'}...`);
 		return finalSessions;
 	}
 
+	private _validScopes: string[] | undefined;
+	private async fetchValidScopes(): Promise<string[] | undefined> {
+		if (this._validScopes) {
+			return this._validScopes;
+		}
+
+		const endpoint = `${this._serviceUrl}/api/oauth/inspect?client=${vscode.env.uriScheme}-gitpod`;
+		try {
+			const resp = await fetch(endpoint, { timeout: 1500 });
+			if (resp.ok) {
+				this._validScopes = await resp.json();
+				return this._validScopes;
+			}
+		} catch (e) {
+			this._logger.error(`Error fetching endpoint ${endpoint}`, e);
+		}
+		return undefined;
+	}
+
 	private async checkForUpdates() {
 		const previousSessions = await this._sessionsPromise;
 		this._sessionsPromise = this.readSessions();
@@ -187,18 +216,23 @@ export default class GitpodAuthenticationProvider extends Disposable implements
 		try {
 			// For the Gitpod scope list, order doesn't matter so we immediately sort the scopes
 			const sortedScopes = scopes.sort();
+			const validScopes = await this.fetchValidScopes();
+			const sortedFilteredScopes = sortedScopes.filter(s => !validScopes || validScopes.includes(s));
+			if (sortedScopes.length !== sortedFilteredScopes.length) {
+				this._logger.warn(`Creating session with only valid scopes ${sortedFilteredScopes.join(',')}, original scopes were ${sortedScopes.join(',')}`);
+			}
 
 			this._telemetry.sendRawTelemetryEvent('gitpod_desktop_auth', {
 				kind: 'login',
-				scopes: JSON.stringify(sortedScopes),
+				scopes: JSON.stringify(sortedFilteredScopes),
 			});
 
-			const scopeString = sortedScopes.join(' ');
+			const scopeString = sortedFilteredScopes.join(' ');
 			const token = await this._gitpodServer.login(scopeString);
-			const session = await this.tokenToSession(token, sortedScopes);
+			const session = await this.tokenToSession(token, sortedFilteredScopes);
 
 			const sessions = await this._sessionsPromise;
-			const sessionIndex = sessions.findIndex(s => s.id === session.id || arrayEquals([...s.scopes].sort(), sortedScopes));
+			const sessionIndex = sessions.findIndex(s => s.id === session.id || arrayEquals([...s.scopes].sort(), sortedFilteredScopes));
 			if (sessionIndex > -1) {
 				sessions.splice(sessionIndex, 1, session);
 			} else {

src/featureSupport.ts

@@ -2,6 +2,7 @@
  *  Copyright (c) Gitpod. All rights reserved.
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
+import * as vscode from 'vscode';
 import * as semver from 'semver';
 import fetch from 'node-fetch';
 import Log from './common/logger';
@@ -50,9 +51,9 @@ async function getOrFetchVersionInfo(serviceUrl: string, logger: Log) {
         return cacheGitpodVersion;
     }
 
+    const versionEndPoint = `${serviceUrl}/api/version`;
     let gitpodRawVersion: string | undefined;
     try {
-        const versionEndPoint = `${serviceUrl}/api/version`;
         gitpodRawVersion = await retry(async () => {
             const resp = await fetch(versionEndPoint, { timeout: 1500 });
             if (!resp.ok) {
@@ -61,11 +62,11 @@ async function getOrFetchVersionInfo(serviceUrl: string, logger: Log) {
             return resp.text();
         }, 1000, 3);
     } catch (e) {
-        logger.error(`Error while fetching ${serviceUrl}`, e);
+        logger.error(`Error while fetching ${versionEndPoint}`, e);
     }
 
     if (!gitpodRawVersion) {
-        logger.info(`Failed to fetch version from ${serviceUrl}, some feature will be disabled`);
+        logger.info(`Failed to fetch version from ${versionEndPoint}, some feature will be disabled`);
         return {
             host: serviceUrl,
             version: GitpodVersion.Min,
@@ -98,3 +99,22 @@ export function isFeatureSupported(gitpodVersion: GitpodVersion, feature: Featur
             return semver.gte(gitpodVersion.version, '2022.7.0'); // Don't use leading zeros
     }
 }
+
+export async function isOauthInspectSupported(gitpodHost: string,) {
+    const serviceUrl = new URL(gitpodHost).toString().replace(/\/$/, '');
+    const endpoint = `${serviceUrl}/api/oauth/inspect?client=${vscode.env.uriScheme}-gitpod`;
+    try {
+        const resp = await fetch(endpoint, { timeout: 1500 });
+        if (resp.ok) {
+            return true;
+        }
+    } catch {
+    }
+
+    return false;
+}
+
+export enum ScopeFeature {
+    SSHPublicKeys = 'function:getSSHPublicKeys',
+    LocalHeartbeat = 'function:sendHeartBeat'
+}

src/remoteConnector.ts

@@ -25,7 +25,7 @@ import TelemetryReporter from './telemetryReporter';
 import { addHostToHostFile, checkNewHostInHostkeys } from './ssh/hostfile';
 import { DEFAULT_IDENTITY_FILES } from './ssh/identityFiles';
 import { HeartbeatManager } from './heartbeat';
-import { getGitpodVersion, GitpodVersion, isFeatureSupported } from './featureSupport';
+import { getGitpodVersion, GitpodVersion, isFeatureSupported, isOauthInspectSupported, ScopeFeature } from './featureSupport';
 import SSHConfiguration from './ssh/sshConfig';
 import { isWindows } from './common/platform';
 import { untildify } from './common/files';
@@ -523,14 +523,13 @@ export default class RemoteConnector extends Disposable {
 		return preferredIdentityKeys;
 	}
 
-	private async getWorkspaceSSHDestination(accessToken: string, { workspaceId, gitpodHost }: SSHConnectionParams): Promise<{ destination: string; password?: string }> {
+	private async getWorkspaceSSHDestination(session: vscode.AuthenticationSession, { workspaceId, gitpodHost }: SSHConnectionParams): Promise<{ destination: string; password?: string }> {
 		const serviceUrl = new URL(gitpodHost);
-		const gitpodVersion = await getGitpodVersion(gitpodHost, this.logger);
-
-		const [workspaceInfo, ownerToken, registeredSSHKeys] = await withServerApi(accessToken, serviceUrl.toString(), service => Promise.all([
+		const sshKeysSupported = session.scopes.includes(ScopeFeature.SSHPublicKeys);
+		const [workspaceInfo, ownerToken, registeredSSHKeys] = await withServerApi(session.accessToken, serviceUrl.toString(), service => Promise.all([
 			service.server.getWorkspace(workspaceId),
 			service.server.getOwnerToken(workspaceId),
-			isFeatureSupported(gitpodVersion, 'SSHPublicKeys') ? service.server.getSSHPublicKeys() : undefined
+			sshKeysSupported ? service.server.getSSHPublicKeys() : undefined
 		]), this.logger);
 
 		if (workspaceInfo.latestInstance?.status?.phase !== 'running') {
@@ -612,7 +611,8 @@ export default class RemoteConnector extends Disposable {
 			if (identityKeys.length) {
 				sshDestInfo.user = `${workspaceId}#${ownerToken}`;
 			}
-			this.logger.warn(`Registered SSH public keys not supported in ${gitpodHost}, using version ${gitpodVersion.version}`);
+			const gitpodVersion = await getGitpodVersion(gitpodHost, this.logger);
+			this.logger.warn(`Registered SSH public keys not supported in ${gitpodHost}, using version ${gitpodVersion.raw}`);
 		}
 
 		return {
@@ -699,11 +699,11 @@ export default class RemoteConnector extends Disposable {
 		return true;
 	}
 
-	private async showSSHPasswordModal(password: string, sshParams: SSHConnectionParams) {
+	private async showSSHPasswordModal(password: string, session: vscode.AuthenticationSession,sshParams: SSHConnectionParams) {
 		const maskedPassword = '•'.repeat(password.length - 3) + password.substring(password.length - 3);
 
+		const sshKeysSupported = session.scopes.includes(ScopeFeature.SSHPublicKeys);
 		const gitpodVersion = await getGitpodVersion(sshParams.gitpodHost, this.logger);
-		const sshKeysSupported = isFeatureSupported(gitpodVersion, 'SSHPublicKeys');
 
 		const copy: vscode.MessageItem = { title: 'Copy' };
 		const configureSSH: vscode.MessageItem = { title: 'Configure SSH' };
@@ -752,10 +752,10 @@ export default class RemoteConnector extends Disposable {
 
 		const gitpodVersion = await getGitpodVersion(gitpodHost, this.logger);
 		const sessionScopes = ['function:getWorkspace', 'function:getOwnerToken', 'function:getLoggedInUser', 'resource:default'];
-		if (isFeatureSupported(gitpodVersion, 'SSHPublicKeys') /* && isFeatureSupported('', 'sendHeartBeat') */) {
+		if (await isOauthInspectSupported(gitpodHost) || isFeatureSupported(gitpodVersion, 'SSHPublicKeys') /* && isFeatureSupported('', 'sendHeartBeat') */) {
 			sessionScopes.push('function:getSSHPublicKeys', 'function:sendHeartBeat');
 		} else {
-			this.logger.warn(`function:getSSHPublicKeys and function:sendHeartBeat session scopes not supported in ${gitpodHost}, using version ${gitpodVersion.version}`);
+			this.logger.warn(`function:getSSHPublicKeys and function:sendHeartBeat session scopes not supported in ${gitpodHost}, using version ${gitpodVersion.raw}`);
 		}
 
 		return vscode.authentication.getSession(
@@ -797,11 +797,11 @@ export default class RemoteConnector extends Disposable {
 			try {
 				this.telemetry.sendRawTelemetryEvent('vscode_desktop_ssh', { kind: 'gateway', status: 'connecting', ...params, gitpodVersion: gitpodVersion.raw, userOverride, openSSHVersion });
 
-				const { destination, password } = await this.getWorkspaceSSHDestination(session.accessToken, params);
+				const { destination, password } = await this.getWorkspaceSSHDestination(session, params);
 				sshDestination = destination;
 
 				if (password) {
-					await this.showSSHPasswordModal(password, params);
+					await this.showSSHPasswordModal(password, session, params);
 				}
 
 				this.telemetry.sendRawTelemetryEvent('vscode_desktop_ssh', { kind: 'gateway', status: 'connected', ...params, gitpodVersion: gitpodVersion.raw, auth: password ? 'password' : 'key', userOverride, openSSHVersion });
@@ -1039,11 +1039,12 @@ export default class RemoteConnector extends Disposable {
 
 		await this.context.globalState.update(`${RemoteConnector.SSH_DEST_KEY}${sshDestStr}`, { ...connectionInfo, isFirstConnection: false });
 
+		const heartbeatSupported = session.scopes.includes(ScopeFeature.LocalHeartbeat);
 		const gitpodVersion = await getGitpodVersion(connectionInfo.gitpodHost, this.logger);
-		if (isFeatureSupported(gitpodVersion, 'localHeartbeat')) {
+		if (heartbeatSupported) {
 			this.startHeartBeat(session.accessToken, connectionInfo, gitpodVersion);
 		} else {
-			this.logger.warn(`Local heatbeat not supported in ${connectionInfo.gitpodHost}, using version ${gitpodVersion.version}`);
+			this.logger.warn(`Local heartbeat not supported in ${connectionInfo.gitpodHost}, using version ${gitpodVersion.raw}`);
 		}
 
 		const syncExtensions = vscode.workspace.getConfiguration('gitpod').get<boolean>('remote.syncExtensions')!;