Check if target gitpodHost is matching hostSession one in getWorkspaceAuthInfo (#76)

Author: mustard-mh

src/local-ssh/ipc/extensionServiceServer.ts

@@ -75,6 +75,10 @@ class ExtensionServiceImpl implements ExtensionServiceImplementation {
 
     async getWorkspaceAuthInfo(request: GetWorkspaceAuthInfoRequest, _context: CallContext): Promise<GetWorkspaceAuthInfoResponse> {
         try {
+            if (new URL(this.hostService.gitpodHost).host !== new URL(request.gitpodHost).host) {
+                this.logService.error(`gitpod host mismatch, actual: ${this.hostService.gitpodHost} target: ${request.gitpodHost}`);
+                throw new ServerError(Status.FAILED_PRECONDITION, 'gitpod host mismatch');
+            }
             const accessToken = this.sessionService.getGitpodToken();
             if (!accessToken) {
                 throw new ServerError(Status.INTERNAL, 'no access token found');
@@ -113,6 +117,9 @@ class ExtensionServiceImpl implements ExtensionServiceImplementation {
             };
         } catch (e) {
             this.logService.error(e, 'failed to get workspace auth info');
+            if (e instanceof ServerError) {
+                throw e;
+            }
             throw new ServerError(Status.UNAVAILABLE, e.toString());
         }
     }

src/local-ssh/proxy.ts

@@ -7,7 +7,7 @@ import { SshClient } from '@microsoft/dev-tunnels-ssh-tcp';
 import { NodeStream, SshClientCredentials, SshClientSession, SshDisconnectReason, SshServerSession, SshSessionConfiguration, Stream, WebSocketStream } from '@microsoft/dev-tunnels-ssh';
 import { importKey, importKeyBytes } from '@microsoft/dev-tunnels-ssh-keys';
 import { ExtensionServiceDefinition, GetWorkspaceAuthInfoResponse } from '../proto/typescript/ipc/v1/ipc';
-import { Client, createChannel, createClient } from 'nice-grpc';
+import { Client, ClientError, Status, createChannel, createClient } from 'nice-grpc';
 import { retry } from '../common/async';
 import { WebSocket } from 'ws';
 import * as stream from 'stream';
@@ -41,7 +41,7 @@ function getClientOptions(): ClientOptions {
     };
 }
 
-type FailedToProxyCode = 'SSH.AuthenticationFailed' | 'TUNNEL.AuthenticateSSHKeyFailed' | 'NoRunningInstance' | 'FailedToGetAuthInfo';
+type FailedToProxyCode = 'SSH.AuthenticationFailed' | 'TUNNEL.AuthenticateSSHKeyFailed' | 'NoRunningInstance' | 'FailedToGetAuthInfo' | 'GitpodHostMismatch' | 'NoAccessTokenFound';
 
 // IgnoredFailedCodes contains the failreCode that don't need to send error report
 const IgnoredFailedCodes: FailedToProxyCode[] = ['NoRunningInstance'];
@@ -139,11 +139,11 @@ class WebSocketSSHProxy {
                     pipePromise = session.pipe(pipeSession);
                     return {};
                 }).catch(async err => {
-                    let sendErrorReport = true
+                    let sendErrorReport = true;
                     if (err instanceof FailedToProxyError) {
                         this.flow.failureCode = err.failureCode;
                         if (IgnoredFailedCodes.includes(err.failureCode)) {
-                            sendErrorReport = false
+                            sendErrorReport = false;
                         }
                     }
                     await Promise.allSettled([
@@ -236,6 +236,13 @@ class WebSocketSSHProxy {
     async retryGetWorkspaceInfo(username: string) {
         return retry(async () => {
             return this.extensionIpc.getWorkspaceAuthInfo({ workspaceId: username, gitpodHost: this.options.host }).catch(e => {
+                if (e instanceof ClientError) {
+                    if (e.code === Status.FAILED_PRECONDITION && e.message.includes('gitpod host mismatch')) {
+                        throw new FailedToProxyError('GitpodHostMismatch', e);
+                    } else if (e.code === Status.INTERNAL && e.message.includes('no access token found')) {
+                        throw new FailedToProxyError('NoAccessTokenFound', e);
+                    }
+                }
                 throw new FailedToProxyError('FailedToGetAuthInfo', e);
             });
         }, 200, 50);