Implement basic authentification

msujew · msujew · commit cc6782dd4324 · 2021-09-06T13:12:38.000+02:00
diff --git a/src/vs/server/browser/workbench/login.html b/src/vs/server/browser/workbench/login.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html lang="en">
+	<head>
+		<meta charset="utf-8" />
+		<title>vscode-web-server login</title>
+	</head>
+	<body>
+		<form action="/" method="post">
+			<input style="display: none;" type="text" autocomplete="username" />
+			<div class="field">
+				<input required autofocus type="password" placeholder="Enter password..." name="password" autocomplete="current-password" />
+				<input value="Login" type="submit" />
+			</div>
+		</form>
+	</body>
+</html>
diff --git a/src/vs/server/node/args.ts b/src/vs/server/node/args.ts
@@ -0,0 +1,24 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Gitpod. All rights reserved.
+ *--------------------------------------------------------------------------------------------*/
+
+import * as path from 'path';
+import * as os from 'os';
+import { URI } from 'vs/base/common/uri';
+import { NativeParsedArgs } from 'vs/platform/environment/common/argv';
+import { OptionDescriptions, OPTIONS, parseArgs } from 'vs/platform/environment/node/argv';
+import product from 'vs/platform/product/common/product';
+
+export interface ServerParsedArgs extends NativeParsedArgs {
+	port?: string
+	password?: string
+}
+const SERVER_OPTIONS: OptionDescriptions<Required<ServerParsedArgs>> = {
+	...OPTIONS,
+	port: { type: 'string' },
+	password: { type: 'string' }
+};
+
+export const devMode = !!process.env['VSCODE_DEV'];
+export const args = parseArgs(process.argv, SERVER_OPTIONS);
+args['user-data-dir'] = URI.file(path.join(os.homedir(), product.dataFolderName)).fsPath;
diff --git a/src/vs/server/node/auth-http.ts b/src/vs/server/node/auth-http.ts
@@ -0,0 +1,59 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Gitpod. All rights reserved.
+ *--------------------------------------------------------------------------------------------*/
+
+import * as path from 'path';
+import * as http from 'http';
+import { ILogService } from 'vs/platform/log/common/log';
+import { parse } from 'querystring';
+import { args } from 'vs/server/node/args';
+import { authenticated, generateAndSetPassword, handlePasswordValidation } from 'vs/server/node/auth';
+import { APP_ROOT, serveFile } from 'vs/server/node/server.main';
+
+const LOGIN = path.join(APP_ROOT, 'out', 'vs', 'server', 'browser', 'workbench', 'login.html');
+
+export async function handleVerification(req: http.IncomingMessage, res: http.ServerResponse | undefined, logService: ILogService): Promise<boolean> {
+	if (args.password === undefined) {
+		await generateAndSetPassword(logService);
+	}
+	const auth = await authenticated(args, req);
+	if (!auth && res) {
+		const password = (await collectRequestData(req)).password;
+		if (password !== undefined) {
+			const { valid, hashed } = await handlePasswordValidation({
+				reqPassword: password,
+				argsPassword: args.password,
+			});
+
+			if (valid) {
+				res.setHeader('Set-Cookie', `key=${hashed}; HttpOnly`);
+				return true;
+			} else {
+				serveFile(logService, req, res, LOGIN);
+			}
+		} else {
+			serveFile(logService, req, res, LOGIN);
+		}
+		return false;
+	}
+	return auth;
+}
+
+function collectRequestData(request: http.IncomingMessage): Promise<Record<string, string>> {
+	return new Promise(resolve => {
+		const FORM_URLENCODED = 'application/x-www-form-urlencoded';
+		if (request.headers['content-type'] === FORM_URLENCODED) {
+			let body = '';
+			request.on('data', chunk => {
+				body += chunk.toString();
+			});
+			request.on('end', () => {
+				const item = parse(body) as Record<string, string>;
+				resolve(item);
+			});
+		}
+		else {
+			resolve({});
+		}
+	});
+}
diff --git a/src/vs/server/node/auth.ts b/src/vs/server/node/auth.ts
@@ -0,0 +1,94 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Gitpod. All rights reserved.
+ *--------------------------------------------------------------------------------------------*/
+
+import * as http from 'http';
+import * as crypto from 'crypto';
+import { args, ServerParsedArgs } from 'vs/server/node/args';
+import { ILogService } from 'vs/platform/log/common/log';
+
+export function sanitizeString(str: string): string {
+	return typeof str === 'string' && str.trim().length > 0 ? str.trim() : '';
+}
+
+export function parseCookies(request: http.IncomingMessage): Record<string, string> {
+	const cookies: Record<string, string> = {};
+	const rc = request.headers.cookie;
+
+	if (rc) {
+		rc.split(';').forEach(cookie => {
+			let parts = cookie.split('=');
+			if (parts.length > 0) {
+				const name = parts.shift()!.trim();
+				let value = decodeURI(parts.join('='));
+				cookies[name] = value;
+			}
+		});
+	}
+
+	return cookies;
+}
+
+export async function authenticated(args: ServerParsedArgs, req: http.IncomingMessage): Promise<boolean> {
+	if (!args.password) {
+		return true;
+	}
+	const cookies = parseCookies(req);
+	return isHashMatch(args.password || '', sanitizeString(cookies.key));
+};
+
+interface PasswordValidation {
+	valid: boolean
+	hashed: string
+}
+
+interface HandlePasswordValidationArgs {
+	reqPassword: string | undefined
+	argsPassword: string | undefined
+}
+
+function safeCompare(a: string, b: string): boolean {
+	return a.length === b.length && crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+}
+
+export async function generateAndSetPassword(logService: ILogService, length = 24): Promise<void> {
+	if (args.password || !length) {
+		return;
+	}
+	const password = await generatePassword(length);
+	args.password = password;
+	logService.info(`Automatically generated password\r\n        ${password}`);
+}
+
+export async function generatePassword(length = 24): Promise<string> {
+	const buffer = Buffer.alloc(Math.ceil(length / 2));
+	await new Promise(resolve => {
+		crypto.randomFill(buffer, (_, buf) => resolve(buf));
+	});
+	return buffer.toString('hex').substring(0, length);
+}
+
+export function hash(str: string): string {
+	return crypto.createHash('sha256').update(str).digest('hex');
+}
+
+export function isHashMatch(password: string, hashPassword: string): boolean {
+	const hashed = hash(password);
+	return safeCompare(hashed, hashPassword);
+}
+
+export async function handlePasswordValidation({ argsPassword: passwordFromArgs, reqPassword: passwordFromRequestBody }: HandlePasswordValidationArgs): Promise<PasswordValidation> {
+	if (passwordFromRequestBody) {
+		const valid = passwordFromArgs ? safeCompare(passwordFromRequestBody, passwordFromArgs) : false;
+		const hashed = hash(passwordFromRequestBody);
+		return {
+			valid,
+			hashed
+		};
+	}
+
+	return {
+		valid: false,
+		hashed: ''
+	}
+}
diff --git a/src/vs/server/node/server.main.ts b/src/vs/server/node/server.main.ts
@@ -7,7 +7,6 @@ import * as crypto from 'crypto';
 import * as fs from 'fs';
 import * as http from 'http';
 import * as net from 'net';
-import * as os from 'os';
 import * as path from 'path';
 import * as url from 'url';
 import { RunOnceScheduler } from 'vs/base/common/async';
@@ -33,9 +32,7 @@ import { ConfigurationService } from 'vs/platform/configuration/common/configura
 import { ExtensionHostDebugBroadcastChannel } from 'vs/platform/debug/common/extensionHostDebugIpc';
 import { IDownloadService } from 'vs/platform/download/common/download';
 import { DownloadService } from 'vs/platform/download/common/downloadService';
-import { NativeParsedArgs } from 'vs/platform/environment/common/argv';
 import { IEnvironmentService, INativeEnvironmentService } from 'vs/platform/environment/common/environment';
-import { OptionDescriptions, OPTIONS, parseArgs } from 'vs/platform/environment/node/argv';
 import { NativeEnvironmentService } from 'vs/platform/environment/node/environmentService';
 import { ExtensionGalleryService } from 'vs/platform/extensionManagement/common/extensionGalleryService';
 import { IExtensionGalleryService, IExtensionManagementService } from 'vs/platform/extensionManagement/common/extensionManagement';
@@ -62,6 +59,7 @@ import { RequestChannel } from 'vs/platform/request/common/requestIpc';
 import { RequestService } from 'vs/platform/request/node/requestService';
 import { ITelemetryService } from 'vs/platform/telemetry/common/telemetry';
 import { NullTelemetryService } from 'vs/platform/telemetry/common/telemetryUtils';
+import { args } from 'vs/server/node/args';
 import { IFileChangeDto } from 'vs/workbench/api/common/extHost.protocol';
 import { IExtHostReadyMessage, IExtHostSocketMessage } from 'vs/workbench/services/extensions/common/extensionHostProtocol';
 import { Logger } from 'vs/workbench/services/extensions/common/extensionPoints';
@@ -73,7 +71,7 @@ import { RemoteExtensionLogFileName } from 'vs/workbench/services/remote/common/
 export type IRawURITransformerFactory = (remoteAuthority: string) => IRawURITransformer;
 export const IRawURITransformerFactory = createDecorator<IRawURITransformerFactory>('rawURITransformerFactory');
 
-const APP_ROOT = path.join(__dirname, '..', '..', '..', '..');
+export const APP_ROOT = path.join(__dirname, '..', '..', '..', '..');
 const uriTransformerPath = path.join(APP_ROOT, 'out/serverUriTransformer');
 const rawURITransformerFactory: IRawURITransformerFactory = <any>require.__$__nodeRequire(uriTransformerPath);
 
@@ -226,14 +224,6 @@ async function handleRoot(req: http.IncomingMessage, resp: http.ServerResponse,
 	return resp.end(entryPointContent);
 }
 
-interface ServerParsedArgs extends NativeParsedArgs {
-	port?: string
-}
-const SERVER_OPTIONS: OptionDescriptions<Required<ServerParsedArgs>> = {
-	...OPTIONS,
-	port: { type: 'string' }
-};
-
 export interface IStartServerResult {
 	installingInitialExtensions?: Promise<void>
 }
@@ -249,17 +239,16 @@ export interface IServerOptions {
 	configureExtensionHostForkOptions?(opts: cp.ForkOptions, accessor: ServicesAccessor, channelServer: IPCServer<RemoteAgentConnectionContext>): void;
 	configureExtensionHostProcess?(extensionHost: cp.ChildProcess, accessor: ServicesAccessor, channelServer: IPCServer<RemoteAgentConnectionContext>): IDisposable;
 
+	verifyRequest?(req: http.IncomingMessage, res: http.ServerResponse | undefined, accessor: ServicesAccessor): Promise<boolean>;
 	handleRequest?(pathname: string | null, req: http.IncomingMessage, res: http.ServerResponse, accessor: ServicesAccessor, channelServer: IPCServer<RemoteAgentConnectionContext>): Promise<boolean>;
 }
 
 export async function main(options: IServerOptions): Promise<void> {
 	const devMode = !!process.env['VSCODE_DEV'];
 	const connectionToken = generateUuid();
 
-	const parsedArgs = parseArgs(process.argv, SERVER_OPTIONS);
-	parsedArgs['user-data-dir'] = URI.file(path.join(os.homedir(), product.dataFolderName)).fsPath;
 	const productService = { _serviceBrand: undefined, ...product };
-	const environmentService = new NativeEnvironmentService(parsedArgs, productService);
+	const environmentService = new NativeEnvironmentService(args, productService);
 
 	// see src/vs/code/electron-main/main.ts#142
 	const bufferLogService = new BufferLogService();
@@ -593,10 +582,12 @@ export async function main(options: IServerOptions): Promise<void> {
 				const parsedUrl = url.parse(req.url, true);
 				const pathname = parsedUrl.pathname;
 
+				if (options.verifyRequest && !await instantiationService.invokeFunction(accessor => options.verifyRequest!(req, res, accessor))) {
+					return;
+				}
 				if (options.handleRequest && await instantiationService.invokeFunction(accessor => options.handleRequest!(pathname, req, res, accessor, channelServer))) {
 					return;
 				}
-
 				//#region headless
 				if (pathname === '/vscode-remote-resource') {
 					const filePath = parsedUrl.query['path'];
@@ -643,12 +634,16 @@ export async function main(options: IServerOptions): Promise<void> {
 			}
 		});
 		server.on('error', e => logService.error(e));
-		server.on('upgrade', (req: http.IncomingMessage, socket: net.Socket) => {
+		server.on('upgrade', async (req: http.IncomingMessage, socket: net.Socket) => {
 			if (req.headers['upgrade'] !== 'websocket' || !req.url) {
 				logService.error(`failed to upgrade for header "${req.headers['upgrade']}" and url: "${req.url}".`);
 				socket.end('HTTP/1.1 400 Bad Request');
 				return;
 			}
+			if (options.verifyRequest && !await instantiationService.invokeFunction(accessor => options.verifyRequest!(req, undefined, accessor))) {
+				socket.end('HTTP/1.1 401 Unauthorized');
+				return;
+			}
 			const { query } = url.parse(req.url, true);
 			// /?reconnectionToken=c0e3a8af-6838-44fb-851b-675401030831&reconnection=false&skipWebSocketFrames=false
 			const reconnection = 'reconnection' in query && query['reconnection'] === 'true';
@@ -758,7 +753,7 @@ export async function main(options: IServerOptions): Promise<void> {
 							logService.info(`[${token}] Management connection is connected.`);
 						} else {
 							if (!client.management) {
-								logService.error(`[${token}] Failed to reconnect: management connection is not running.`);
+								logService.error(`[${token}] Failed to reconnect: management connection is not running.`);
 								protocol.sendControl(VSBuffer.fromString(JSON.stringify({ type: 'error', reason: 'Management connection is not running.' } as ErrorMessage)));
 								safeDisposeProtocolAndSocket(protocol);
 								return;
@@ -848,17 +843,17 @@ export async function main(options: IServerOptions): Promise<void> {
 									socket.end();
 									extensionHost.kill();
 									client.extensionHost = undefined;
-									logService.info(`[${token}] Extension host is disconnected.`);
+									logService.info(`[${token}] Extension host is disconnected.`);
 								}
 
 								extensionHost.on('error', err => {
 									dispose();
-									logService.error(`[${token}] Extension host failed with: `, err);
+									logService.error(`[${token}] Extension host failed with: `, err);
 								});
 								extensionHost.on('exit', (code: number, signal: string) => {
 									dispose();
 									if (code !== 0 && signal !== 'SIGTERM') {
-										logService.error(`[${token}] Extension host exited with code: ${code} and signal: ${signal}.`);
+										logService.error(`[${token}] Extension host exited with code: ${code} and signal: ${signal}.`);
 									}
 								});
 
@@ -873,7 +868,7 @@ export async function main(options: IServerOptions): Promise<void> {
 											permessageDeflate,
 											inflateBytes
 										} as IExtHostSocketMessage, socket);
-										logService.info(`[${token}] Extension host is connected.`);
+										logService.info(`[${token}] Extension host is connected.`);
 									}
 								};
 								extensionHost.on('message', readyListener);
@@ -882,13 +877,13 @@ export async function main(options: IServerOptions): Promise<void> {
 									toDispose = instantiationService.invokeFunction(accessor => options.configureExtensionHostProcess!(extensionHost, accessor, channelServer));
 								}
 								client.extensionHost = extensionHost;
-								logService.info(`[${token}] Extension host is started.`);
+								logService.info(`[${token}] Extension host is started.`);
 							} catch (e) {
-								logService.error(`[${token}] Failed to start the extension host process: `, e);
+								logService.error(`[${token}] Failed to start the extension host process: `, e);
 							}
 						} else {
 							if (!client.extensionHost) {
-								logService.error(`[${token}] Failed to reconnect: extension host is not running.`);
+								logService.error(`[${token}] Failed to reconnect: extension host is not running.`);
 								protocol.sendControl(VSBuffer.fromString(JSON.stringify({ type: 'error', reason: 'Extension host is not running.' } as ErrorMessage)));
 								safeDisposeProtocolAndSocket(protocol);
 								return;
@@ -908,7 +903,7 @@ export async function main(options: IServerOptions): Promise<void> {
 								permessageDeflate,
 								inflateBytes
 							} as IExtHostSocketMessage, socket);
-							logService.info(`[${token}] Extension host is reconnected.`);
+							logService.info(`[${token}] Extension host is reconnected.`);
 						}
 					} else {
 						logService.error(`[${token}] Unexpected connection type:`, msg.desiredConnectionType);
@@ -921,8 +916,8 @@ export async function main(options: IServerOptions): Promise<void> {
 			});
 		});
 		let port = 3000;
-		if (parsedArgs.port) {
-			port = Number(parsedArgs.port);
+		if (args.port) {
+			port = Number(args.port);
 		} else if (typeof options.port === 'number') {
 			port = options.port;
 		}
diff --git a/src/vs/server/node/server.ts b/src/vs/server/node/server.ts
@@ -2,11 +2,18 @@
  *  Copyright (c) Gitpod. All rights reserved.
  *--------------------------------------------------------------------------------------------*/
 
+import { ILogService } from 'vs/platform/log/common/log';
+import { handleVerification } from 'vs/server/node/auth-http';
 import { registerRemoteTerminal } from 'vs/server/node/remote-terminal';
 import { main } from 'vs/server/node/server.main';
 
 main({
 	start: (services, channelServer) => {
 		registerRemoteTerminal(services, channelServer);
+	},
+	verifyRequest: (req, res, accessor): Promise<boolean> => {
+		const logService = accessor.get(ILogService);
+		return handleVerification(req, res, logService);
 	}
 });
+
