[gp] Allow update of existing user-scoped env vars (#20193)

geropl · web-flow · commit d3eccd0169a3 · 2024-09-11T02:57:56.000-04:00
* [gp, protocol, server] Remove references to long-deprecated "getEnvVars" API method

* [gp, server] Allow users to update user-scopes env vars
diff --git a/components/gitpod-cli/cmd/env.go b/components/gitpod-cli/cmd/env.go
@@ -27,6 +27,14 @@ import (
 
 var exportEnvs = false
 var unsetEnvs = false
+var scope = string(envScopeRepo)
+
+type envScope string
+
+var (
+	envScopeRepo envScope = "repo"
+	envScopeUser envScope = "user"
+)
 
 // envCmd represents the env command
 var envCmd = &cobra.Command{
@@ -67,7 +75,8 @@ delete environment variables with a repository pattern of */foo, foo/* or */*.
 			if unsetEnvs {
 				err = deleteEnvs(ctx, args)
 			} else {
-				err = setEnvs(ctx, args)
+				scopeUser := scope == string(envScopeUser)
+				err = setEnvs(ctx, scopeUser, args)
 			}
 		} else {
 			err = getEnvs(ctx)
@@ -80,14 +89,14 @@ type connectToServerResult struct {
 	repositoryPattern string
 	wsInfo            *supervisorapi.WorkspaceInfoResponse
 	client            *serverapi.APIoverJSONRPC
-
-	useDeprecatedGetEnvVar bool
 }
 
 type connectToServerOptions struct {
 	supervisorClient *supervisor.SupervisorClient
 	wsInfo           *api.WorkspaceInfoResponse
 	log              *log.Entry
+
+	setEnvScopeUser bool
 }
 
 func connectToServer(ctx context.Context, options *connectToServerOptions) (*connectToServerResult, error) {
@@ -123,31 +132,23 @@ func connectToServer(ctx context.Context, options *connectToServerOptions) (*con
 	}
 	repositoryPattern := wsinfo.Repository.Owner + "/" + wsinfo.Repository.Name
 
-	var useDeprecatedGetEnvVar bool
+	operations := "create/get/update/delete"
+	if options != nil && options.setEnvScopeUser {
+		// Updating user env vars requires a different token with a special scope
+		repositoryPattern = "*/*"
+		operations = "update"
+	}
+
 	clientToken, err := supervisorClient.Token.GetToken(ctx, &supervisorapi.GetTokenRequest{
 		Host: wsinfo.GitpodApi.Host,
 		Kind: "gitpod",
 		Scope: []string{
 			"function:getWorkspaceEnvVars",
 			"function:setEnvVar",
 			"function:deleteEnvVar",
-			"resource:envVar::" + repositoryPattern + "::create/get/update/delete",
+			"resource:envVar::" + repositoryPattern + "::" + operations,
 		},
 	})
-	if err != nil {
-		// TODO remove then GetWorkspaceEnvVars is deployed
-		clientToken, err = supervisorClient.Token.GetToken(ctx, &supervisorapi.GetTokenRequest{
-			Host: wsinfo.GitpodApi.Host,
-			Kind: "gitpod",
-			Scope: []string{
-				"function:getEnvVars", // TODO remove then getWorkspaceEnvVars is deployed
-				"function:setEnvVar",
-				"function:deleteEnvVar",
-				"resource:envVar::" + repositoryPattern + "::create/get/update/delete",
-			},
-		})
-		useDeprecatedGetEnvVar = true
-	}
 	if err != nil {
 		return nil, xerrors.Errorf("failed getting token from supervisor: %w", err)
 	}
@@ -165,7 +166,7 @@ func connectToServer(ctx context.Context, options *connectToServerOptions) (*con
 	if err != nil {
 		return nil, xerrors.Errorf("failed connecting to server: %w", err)
 	}
-	return &connectToServerResult{repositoryPattern, wsinfo, client, useDeprecatedGetEnvVar}, nil
+	return &connectToServerResult{repositoryPattern, wsinfo, client}, nil
 }
 
 func getWorkspaceEnvs(ctx context.Context, options *connectToServerOptions) ([]*serverapi.EnvVar, error) {
@@ -175,10 +176,7 @@ func getWorkspaceEnvs(ctx context.Context, options *connectToServerOptions) ([]*
 	}
 	defer result.client.Close()
 
-	if !result.useDeprecatedGetEnvVar {
-		return result.client.GetWorkspaceEnvVars(ctx, result.wsInfo.WorkspaceId)
-	}
-	return result.client.GetEnvVars(ctx)
+	return result.client.GetWorkspaceEnvVars(ctx, result.wsInfo.WorkspaceId)
 }
 
 func getEnvs(ctx context.Context) error {
@@ -194,8 +192,11 @@ func getEnvs(ctx context.Context) error {
 	return nil
 }
 
-func setEnvs(ctx context.Context, args []string) error {
-	result, err := connectToServer(ctx, nil)
+func setEnvs(ctx context.Context, scopeUser bool, args []string) error {
+	options := connectToServerOptions{
+		setEnvScopeUser: scopeUser,
+	}
+	result, err := connectToServer(ctx, &options)
 	if err != nil {
 		return err
 	}
@@ -291,4 +292,5 @@ func init() {
 
 	envCmd.Flags().BoolVarP(&exportEnvs, "export", "e", false, "produce a script that can be eval'ed in Bash")
 	envCmd.Flags().BoolVarP(&unsetEnvs, "unset", "u", false, "deletes/unsets persisted environment variables")
+	envCmd.Flags().StringVarP(&scope, "scope", "s", "repo", "deletes/unsets persisted environment variables")
 }
diff --git a/components/gitpod-cli/cmd/validate.go b/components/gitpod-cli/cmd/validate.go
@@ -238,7 +238,7 @@ func runRebuild(ctx context.Context, supervisorClient *supervisor.SupervisorClie
 	serverLog := logrus.NewEntry(logrus.New())
 	serverLog.Logger.SetLevel(logLevel)
 	setLoggerFormatter(serverLog.Logger)
-	workspaceEnvs, err := getWorkspaceEnvs(ctx, &connectToServerOptions{supervisorClient, wsInfo, serverLog})
+	workspaceEnvs, err := getWorkspaceEnvs(ctx, &connectToServerOptions{supervisorClient, wsInfo, serverLog, false})
 	if err != nil {
 		return err
 	}
diff --git a/components/gitpod-protocol/go/gitpod-service.go b/components/gitpod-protocol/go/gitpod-service.go
@@ -61,7 +61,6 @@ type APIInterface interface {
 	ClosePort(ctx context.Context, workspaceID string, port float32) (err error)
 	UpdateGitStatus(ctx context.Context, workspaceID string, status *WorkspaceInstanceRepoStatus) (err error)
 	GetWorkspaceEnvVars(ctx context.Context, workspaceID string) (res []*EnvVar, err error)
-	GetEnvVars(ctx context.Context) (res []*EnvVar, err error)
 	SetEnvVar(ctx context.Context, variable *UserEnvVarValue) (err error)
 	DeleteEnvVar(ctx context.Context, variable *UserEnvVarValue) (err error)
 	HasSSHPublicKey(ctx context.Context) (res bool, err error)
@@ -179,8 +178,6 @@ const (
 	FunctionOpenPort FunctionName = "openPort"
 	// FunctionClosePort is the name of the closePort function
 	FunctionClosePort FunctionName = "closePort"
-	// FunctionGetEnvVars is the name of the getEnvVars function
-	FunctionGetEnvVars FunctionName = "getEnvVars"
 	// FunctionSetEnvVar is the name of the setEnvVar function
 	FunctionSetEnvVar FunctionName = "setEnvVar"
 	// FunctionDeleteEnvVar is the name of the deleteEnvVar function
@@ -1088,24 +1085,6 @@ func (gp *APIoverJSONRPC) GetWorkspaceEnvVars(ctx context.Context, workspaceID s
 	return
 }
 
-// GetEnvVars calls getEnvVars on the server
-func (gp *APIoverJSONRPC) GetEnvVars(ctx context.Context) (res []*EnvVar, err error) {
-	if gp == nil {
-		err = errNotConnected
-		return
-	}
-	var _params []interface{}
-
-	var result []*EnvVar
-	err = gp.C.Call(ctx, "getEnvVars", _params, &result)
-	if err != nil {
-		return
-	}
-	res = result
-
-	return
-}
-
 // SetEnvVar calls setEnvVar on the server
 func (gp *APIoverJSONRPC) SetEnvVar(ctx context.Context, variable *UserEnvVarValue) (err error) {
 	if gp == nil {
diff --git a/components/gitpod-protocol/go/mock.go b/components/gitpod-protocol/go/mock.go
diff --git a/components/server/src/workspace/workspace-starter.ts b/components/server/src/workspace/workspace-starter.ts
@@ -1616,7 +1616,6 @@ export class WorkspaceStarter {
             "function:guessGitTokenScopes",
             "function:updateGitStatus",
             "function:getWorkspaceEnvVars",
-            "function:getEnvVars", // TODO remove this after new gitpod-cli is deployed
             "function:setEnvVar",
             "function:deleteEnvVar",
             "function:getTeams",
@@ -1666,6 +1665,8 @@ export class WorkspaceStarter {
                     operations: ["create", "get"],
                 }),
         ];
+        // By intention, we only limit the token passed down to the workspace to the env vars scoped to that workspace.
+        // This is meant to maintain the "workspace as a unit of isolation" principle on the API level.
         if (CommitContext.is(workspace.context)) {
             const subjectID = workspace.context.repository.owner + "/" + workspace.context.repository.name;
             scopes.push(
@@ -1677,6 +1678,15 @@ export class WorkspaceStarter {
                     }),
             );
         }
+        // The only exception is "updates", which we allow to be made to all env vars (that exist).
+        scopes.push(
+            "resource:" +
+                ScopedResourceGuard.marshalResourceScope({
+                    kind: "envVar",
+                    subjectID: "*/*",
+                    operations: ["update"],
+                }),
+        );
         return scopes;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -238,7 +238,7 @@ func runRebuild(ctx context.Context, supervisorClient *supervisor.SupervisorClie`
`238`	`238`	`serverLog := logrus.NewEntry(logrus.New())`
`239`	`239`	`serverLog.Logger.SetLevel(logLevel)`
`240`	`240`	`setLoggerFormatter(serverLog.Logger)`
`241`		`- workspaceEnvs, err := getWorkspaceEnvs(ctx, &connectToServerOptions{supervisorClient, wsInfo, serverLog})`
	`241`	`+ workspaceEnvs, err := getWorkspaceEnvs(ctx, &connectToServerOptions{supervisorClient, wsInfo, serverLog, false})`
`242`	`242`	`if err != nil {`
`243`	`243`	`return err`
`244`	`244`	`}`