Merge branch 'main' into merogge/notification

Author: meganrogge

.vscode/settings.json

@@ -36,6 +36,7 @@
 	"files.readonlyInclude": {
 		"**/node_modules/**": true,
 		"**/yarn.lock": true,
+		"**/Cargo.lock": true,
 		"src/vs/workbench/workbench.web.main.css": true,
 		"src/vs/workbench/workbench.desktop.main.css": true,
 		"src/vs/workbench/workbench.desktop.main.nls.js": true,

cli/src/commands/args.rs

@@ -548,6 +548,7 @@ pub enum OutputFormat {
 #[derive(Args, Clone, Debug, Default)]
 pub struct ExistingTunnelArgs {
 	/// Name you'd like to assign preexisting tunnel to use to connect the tunnel
+	/// Old option, new code sohuld just use `--name`.
 	#[clap(long, hide = true)]
 	pub tunnel_name: Option<String>,
 

cli/src/commands/tunnels.rs

@@ -59,20 +59,31 @@ impl From<AuthProvider> for crate::auth::AuthProvider {
 	}
 }
 
-impl From<ExistingTunnelArgs> for Option<dev_tunnels::ExistingTunnel> {
-	fn from(d: ExistingTunnelArgs) -> Option<dev_tunnels::ExistingTunnel> {
-		if let (Some(tunnel_id), Some(tunnel_name), Some(cluster), Some(host_token)) =
-			(d.tunnel_id, d.tunnel_name, d.cluster, d.host_token)
-		{
+fn fulfill_existing_tunnel_args(
+	d: ExistingTunnelArgs,
+	name_arg: &Option<String>,
+) -> Option<dev_tunnels::ExistingTunnel> {
+	let tunnel_name = d.tunnel_name.or_else(|| name_arg.clone());
+
+	match (d.tunnel_id, d.cluster, d.host_token) {
+		(Some(tunnel_id), None, Some(host_token)) => {
+			let i = tunnel_id.find('.')?;
 			Some(dev_tunnels::ExistingTunnel {
-				tunnel_id,
+				tunnel_id: tunnel_id[..i].to_string(),
+				cluster: tunnel_id[i + 1..].to_string(),
 				tunnel_name,
 				host_token,
-				cluster,
 			})
-		} else {
-			None
 		}
+
+		(Some(tunnel_id), Some(cluster), Some(host_token)) => Some(dev_tunnels::ExistingTunnel {
+			tunnel_id,
+			tunnel_name,
+			host_token,
+			cluster,
+		}),
+
+		_ => None,
 	}
 }
 
@@ -412,8 +423,10 @@ async fn serve_with_csa(
 	let auth = Auth::new(&paths, log.clone());
 	let mut dt = dev_tunnels::DevTunnels::new(&log, auth, &paths);
 	loop {
-		let tunnel = if let Some(d) = gateway_args.tunnel.clone().into() {
-			dt.start_existing_tunnel(d).await
+		let tunnel = if let Some(t) =
+			fulfill_existing_tunnel_args(gateway_args.tunnel.clone(), &gateway_args.name)
+		{
+			dt.start_existing_tunnel(t).await
 		} else {
 			dt.start_new_launcher_tunnel(gateway_args.name.as_deref(), gateway_args.random_name)
 				.await

cli/src/tunnels/dev_tunnels.rs

@@ -229,7 +229,7 @@ lazy_static! {
 #[derive(Clone, Debug)]
 pub struct ExistingTunnel {
 	/// Name you'd like to assign preexisting tunnel to use to connect to the VS Code Server
-	pub tunnel_name: String,
+	pub tunnel_name: Option<String>,
 
 	/// Token to authenticate and use preexisting tunnel
 	pub host_token: String,
@@ -393,7 +393,12 @@ impl DevTunnels {
 		};
 
 		tunnel = self
-			.sync_tunnel_tags(&persisted.name, tunnel, &HOST_TUNNEL_REQUEST_OPTIONS)
+			.sync_tunnel_tags(
+				&self.client,
+				&persisted.name,
+				tunnel,
+				&HOST_TUNNEL_REQUEST_OPTIONS,
+			)
 			.await?;
 
 		let locator = TunnelLocator::try_from(&tunnel).unwrap();
@@ -532,6 +537,7 @@ impl DevTunnels {
 	/// other version tags.
 	async fn sync_tunnel_tags(
 		&self,
+		client: &TunnelManagementClient,
 		name: &str,
 		tunnel: Tunnel,
 		options: &TunnelRequestOptions,
@@ -558,7 +564,7 @@ impl DevTunnels {
 		let result = spanf!(
 			self.log,
 			self.log.span("dev-tunnel.protocol-tag-update"),
-			self.client.update_tunnel(&tunnel_update, options)
+			client.update_tunnel(&tunnel_update, options)
 		);
 
 		result.map_err(|e| wrap(e, "tunnel tag update failed").into())
@@ -639,6 +645,12 @@ impl DevTunnels {
 		Ok(())
 	}
 
+	fn get_placeholder_name() -> String {
+		let mut n = clean_hostname_for_tunnel(&gethostname::gethostname().to_string_lossy());
+		n.make_ascii_lowercase();
+		n
+	}
+
 	async fn get_name_for_tunnel(
 		&mut self,
 		preferred_name: Option<&str>,
@@ -670,10 +682,7 @@ impl DevTunnels {
 			use_random_name = true;
 		}
 
-		let mut placeholder_name =
-			clean_hostname_for_tunnel(&gethostname::gethostname().to_string_lossy());
-		placeholder_name.make_ascii_lowercase();
-
+		let mut placeholder_name = Self::get_placeholder_name();
 		if !is_name_free(&placeholder_name) {
 			for i in 2.. {
 				let fixed_name = format!("{}{}", placeholder_name, i);
@@ -715,7 +724,10 @@ impl DevTunnels {
 		tunnel: ExistingTunnel,
 	) -> Result<ActiveTunnel, AnyError> {
 		let tunnel_details = PersistedTunnel {
-			name: tunnel.tunnel_name,
+			name: match tunnel.tunnel_name {
+				Some(n) => n,
+				None => Self::get_placeholder_name(),
+			},
 			id: tunnel.tunnel_id,
 			cluster: tunnel.cluster,
 		};
@@ -725,10 +737,23 @@ impl DevTunnels {
 			tunnel.host_token.clone(),
 		));
 
+		let client = mgmt.into();
+		self.sync_tunnel_tags(
+			&client,
+			&tunnel_details.name,
+			Tunnel {
+				cluster_id: Some(tunnel_details.cluster.clone()),
+				tunnel_id: Some(tunnel_details.id.clone()),
+				..Default::default()
+			},
+			&HOST_TUNNEL_REQUEST_OPTIONS,
+		)
+		.await?;
+
 		self.start_tunnel(
 			tunnel_details.locator(),
 			&tunnel_details,
-			mgmt.into(),
+			client,
 			StaticAccessTokenProvider::new(tunnel.host_token),
 		)
 		.await

extensions/github-authentication/extension-browser.webpack.config.js

@@ -21,7 +21,8 @@ module.exports = withBrowserDefaults({
 			'uuid': path.resolve(__dirname, 'node_modules/uuid/dist/esm-browser/index.js'),
 			'./node/authServer': path.resolve(__dirname, 'src/browser/authServer'),
 			'./node/crypto': path.resolve(__dirname, 'src/browser/crypto'),
-			'./node/fetch': path.resolve(__dirname, 'src/browser/fetch')
+			'./node/fetch': path.resolve(__dirname, 'src/browser/fetch'),
+			'./node/buffer': path.resolve(__dirname, 'src/browser/buffer'),
 		}
 	}
 });

src/vscode-dts/vscode.proposed.quickPickItemIcon.d.ts renamed to extensions/github-authentication/src/browser/buffer.ts

@@ -3,15 +3,6 @@
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
-declare module 'vscode' {
-	/**
-	 * Represents an item that can be selected from
-	 * a list of items.
-	 */
-	export interface QuickPickItem {
-		/**
-		 * The icon path or {@link ThemeIcon} for the QuickPickItem.
-		 */
-		iconPath?: Uri | { light: Uri; dark: Uri } | ThemeIcon;
-	}
+export function base64Encode(text: string): string {
+	return btoa(text);
 }

extensions/github-authentication/src/common/logger.ts

@@ -26,4 +26,7 @@ export class Log {
 		this.output.error(message);
 	}
 
+	public warn(message: string): void {
+		this.output.warn(message);
+	}
 }

extensions/github-authentication/src/flows.ts

@@ -201,7 +201,8 @@ const allFlows: IFlow[] = [
 			supportsGitHubEnterpriseServer: false,
 			supportsHostedGitHubEnterprise: true,
 			supportsRemoteExtensionHost: true,
-			supportsWebWorkerExtensionHost: true,
+			// Web worker can't open a port to listen for the redirect
+			supportsWebWorkerExtensionHost: false,
 			// exchanging a code for a token requires a client secret
 			supportsNoClientSecret: false,
 			supportsSupportedClients: true,

extensions/github-authentication/src/github.ts

@@ -363,6 +363,7 @@ export class GitHubAuthenticationProvider implements vscode.AuthenticationProvid
 				sessions.splice(sessionIndex, 1);
 
 				await this.storeSessions(sessions);
+				await this._githubServer.logout(session);
 
 				this._sessionChangeEmitter.fire({ added: [], removed: [session], changed: [] });
 			} else {

extensions/github-authentication/src/githubServer.ts

@@ -12,6 +12,8 @@ import { crypto } from './node/crypto';
 import { fetching } from './node/fetch';
 import { ExtensionHost, GitHubTarget, getFlows } from './flows';
 import { NETWORK_ERROR, USER_CANCELLATION_ERROR } from './common/errors';
+import { Config } from './config';
+import { base64Encode } from './node/buffer';
 
 // This is the error message that we throw if the login was cancelled for any reason. Extensions
 // calling `getSession` can handle this error to know that the user cancelled the login.
@@ -22,6 +24,7 @@ const REDIRECT_URL_INSIDERS = 'https://insiders.vscode.dev/redirect';
 
 export interface IGitHubServer {
 	login(scopes: string): Promise<string>;
+	logout(session: vscode.AuthenticationSession): Promise<void>;
 	getUserInfo(token: string): Promise<{ id: string; accountName: string }>;
 	sendAdditionalTelemetryInfo(session: vscode.AuthenticationSession): Promise<void>;
 	friendlyName: string;
@@ -78,9 +81,14 @@ export class GitHubServer implements IGitHubServer {
 	}
 
 	// TODO@joaomoreno TODO@TylerLeonhardt
+	private _isNoCorsEnvironment: boolean | undefined;
 	private async isNoCorsEnvironment(): Promise<boolean> {
+		if (this._isNoCorsEnvironment !== undefined) {
+			return this._isNoCorsEnvironment;
+		}
 		const uri = await vscode.env.asExternalUri(vscode.Uri.parse(`${vscode.env.uriScheme}://vscode.github-authentication/dummy`));
-		return (uri.scheme === 'https' && /^((insiders\.)?vscode|github)\./.test(uri.authority)) || (uri.scheme === 'http' && /^localhost/.test(uri.authority));
+		this._isNoCorsEnvironment = (uri.scheme === 'https' && /^((insiders\.)?vscode|github)\./.test(uri.authority)) || (uri.scheme === 'http' && /^localhost/.test(uri.authority));
+		return this._isNoCorsEnvironment;
 	}
 
 	public async login(scopes: string): Promise<string> {
@@ -144,6 +152,58 @@ export class GitHubServer implements IGitHubServer {
 		throw new Error(userCancelled ? CANCELLATION_ERROR : 'No auth flow succeeded.');
 	}
 
+	public async logout(session: vscode.AuthenticationSession): Promise<void> {
+		this._logger.trace(`Deleting session (${session.id}) from server...`);
+
+		if (!Config.gitHubClientSecret) {
+			this._logger.warn('No client secret configured for GitHub authentication. The token has been deleted with best effort on this system, but we are unable to delete the token on server without the client secret.');
+			return;
+		}
+
+		// Only attempt to delete OAuth tokens. They are always prefixed with `gho_`.
+		// https://docs.github.com/en/rest/apps/oauth-applications#about-oauth-apps-and-oauth-authorizations-of-github-apps
+		if (!session.accessToken.startsWith('gho_')) {
+			this._logger.warn('The token being deleted is not an OAuth token. It has been deleted locally, but we cannot delete it on server.');
+			return;
+		}
+
+		if (!isSupportedTarget(this._type, this._ghesUri)) {
+			this._logger.trace('GitHub.com and GitHub hosted GitHub Enterprise are the only options that support deleting tokens on the server. Skipping.');
+			return;
+		}
+
+		const authHeader = 'Basic ' + base64Encode(`${Config.gitHubClientId}:${Config.gitHubClientSecret}`);
+		const uri = this.getServerUri(`/applications/${Config.gitHubClientId}/token`);
+
+		try {
+			// Defined here: https://docs.github.com/en/rest/apps/oauth-applications?apiVersion=2022-11-28#delete-an-app-token
+			const result = await fetching(uri.toString(true), {
+				method: 'DELETE',
+				headers: {
+					Accept: 'application/vnd.github+json',
+					Authorization: authHeader,
+					'X-GitHub-Api-Version': '2022-11-28',
+					'User-Agent': `${vscode.env.appName} (${vscode.env.appHost})`
+				},
+				body: JSON.stringify({ access_token: session.accessToken }),
+			});
+
+			if (result.status === 204) {
+				this._logger.trace(`Successfully deleted token from session (${session.id}) from server.`);
+				return;
+			}
+
+			try {
+				const body = await result.text();
+				throw new Error(body);
+			} catch (e) {
+				throw new Error(`${result.status} ${result.statusText}`);
+			}
+		} catch (e) {
+			this._logger.warn('Failed to delete token from server.' + e.message ?? e);
+		}
+	}
+
 	private getServerUri(path: string = '') {
 		const apiUri = this.baseUri;
 		// github.com and Hosted GitHub Enterprise instances