gitpod-io
diff --git a/‎package.json
Lines changed: 1 addition & 0 deletions b/‎package.json
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/vs/server/node/args.ts
Lines changed: 22 additions & 0 deletions b/‎src/vs/server/node/args.ts
Lines changed: 22 additions & 0 deletions
diff --git a/‎src/vs/server/node/auth.ts
Lines changed: 226 additions & 0 deletions b/‎src/vs/server/node/auth.ts
Lines changed: 226 additions & 0 deletions
diff --git a/‎src/vs/server/node/http.ts
Lines changed: 88 additions & 0 deletions b/‎src/vs/server/node/http.ts
Lines changed: 88 additions & 0 deletions
@@ -62,6 +62,7 @@
     "argon2": "^0.28.2",
     "applicationinsights": "1.0.8",
     "chokidar": "3.5.1",
+    "express": "^4.17.1",
     "graceful-fs": "4.2.6",
     "http-proxy-agent": "^2.1.0",
     "https-proxy-agent": "^2.2.3",
 
@@ -0,0 +1,22 @@
+import * as path from 'path';
+import * as os from 'os';
+import { URI } from 'vs/base/common/uri';
+import { NativeParsedArgs } from 'vs/platform/environment/common/argv';
+import { OptionDescriptions, OPTIONS, parseArgs } from 'vs/platform/environment/node/argv';
+import product from 'vs/platform/product/common/product';
+
+export interface ServerParsedArgs extends NativeParsedArgs {
+	port?: string
+	password?: string
+	hashedPassword?: string
+}
+const SERVER_OPTIONS: OptionDescriptions<Required<ServerParsedArgs>> = {
+	...OPTIONS,
+	port: { type: 'string' },
+	password: { type: 'string' },
+	hashedPassword: { type: 'string' }
+};
+
+export const devMode = !!process.env['VSCODE_DEV'];
+export const args = parseArgs(process.argv, SERVER_OPTIONS);
+args['user-data-dir'] = URI.file(path.join(os.homedir(), product.dataFolderName)).fsPath;
@@ -0,0 +1,226 @@
+import * as http from 'http';
+import * as crypto from 'crypto';
+import * as argon2 from 'argon2';
+import { ServerParsedArgs } from 'vs/server/node/args';
+import { serveError } from 'vs/server/node/http';
+
+/** Ensures that the input is sanitized by checking
+ * - it's a string
+ * - greater than 0 characters
+ * - trims whitespace
+ */
+export function sanitizeString(str: string): string {
+	// Very basic sanitization of string
+	// Credit: https://stackoverflow.com/a/46719000/3015595
+	return typeof str === 'string' && str.trim().length > 0 ? str.trim() : '';
+}
+
+export const ensureAuthenticated = async (args: ServerParsedArgs, req: http.IncomingMessage, res: http.ServerResponse): Promise<boolean> => {
+	const isAuthenticated = await authenticated(args, req);
+	if (!isAuthenticated) {
+		serveError(req, res, 401, 'Unauthorized');
+	}
+	return isAuthenticated;
+};
+
+/**
+ * Return true if authenticated via cookies.
+ */
+export const authenticated = async (args: ServerParsedArgs, req: http.IncomingMessage): Promise<boolean> => {
+	if (!args.password && !args.hashedPassword) {
+		return true;
+	}
+	const passwordMethod = getPasswordMethod(args.hashedPassword);
+	const cookies = parseCookies(req);
+	const isCookieValidArgs: IsCookieValidArgs = {
+		passwordMethod,
+		cookieKey: sanitizeString(cookies.key),
+		passwordFromArgs: args.password || '',
+		hashedPasswordFromArgs: args.hashedPassword,
+	};
+
+	return await isCookieValid(isCookieValidArgs);
+};
+
+function parseCookies(request: http.IncomingMessage): Record<string, string> {
+	const cookies: Record<string, string> = {},
+		rc = request.headers.cookie;
+
+	// eslint-disable-next-line code-no-unused-expressions
+	rc && rc.split(';').forEach(cookie => {
+		let parts = cookie.split('=');
+		if (parts.length > 0) {
+			const name = parts.shift()!.trim();
+			let value = decodeURI(parts.join('='));
+			value = value.substring(1, value.length - 1);
+			cookies[name] = value;
+		}
+	});
+
+	return cookies;
+}
+
+export type PasswordMethod = 'ARGON2' | 'PLAIN_TEXT';
+
+/**
+ * Used to determine the password method.
+ *
+ * There are three options for the return value:
+ * 1. "SHA256" -> the legacy hashing algorithm
+ * 2. "ARGON2" -> the newest hashing algorithm
+ * 3. "PLAIN_TEXT" -> regular ol' password with no hashing
+ *
+ * @returns "ARGON2" | "PLAIN_TEXT"
+ */
+export function getPasswordMethod(hashedPassword: string | undefined): PasswordMethod {
+	if (!hashedPassword) {
+		return 'PLAIN_TEXT';
+	}
+	return 'ARGON2';
+}
+
+type PasswordValidation = {
+	isPasswordValid: boolean
+	hashedPassword: string
+};
+
+type HandlePasswordValidationArgs = {
+	/** The PasswordMethod */
+	passwordMethod: PasswordMethod
+	/** The password provided by the user */
+	passwordFromRequestBody: string
+	/** The password set in PASSWORD or config */
+	passwordFromArgs: string | undefined
+	/** The hashed-password set in HASHED_PASSWORD or config */
+	hashedPasswordFromArgs: string | undefined
+};
+
+function safeCompare(a: string, b: string): boolean {
+	if (b.length > a.length) {
+		a = a.padEnd(b.length);
+	}
+	if (a.length > b.length) {
+		b = b.padEnd(a.length);
+	}
+	return crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+}
+
+export const generatePassword = async (length = 24): Promise<string> => {
+	const buffer = Buffer.alloc(Math.ceil(length / 2));
+	await new Promise(resolve => {
+		crypto.randomFill(buffer, (_, buf) => resolve(buf));
+	});
+	return buffer.toString('hex').substring(0, length);
+};
+
+/**
+ * Used to hash the password.
+ */
+export const hash = async (password: string): Promise<string> => {
+	try {
+		return await argon2.hash(password);
+	} catch (error) {
+		console.error(error);
+		return '';
+	}
+};
+
+/**
+ * Used to verify if the password matches the hash
+ */
+export const isHashMatch = async (password: string, hash: string) => {
+	if (password === '' || hash === '' || !hash.startsWith('$')) {
+		return false;
+	}
+	try {
+		return await argon2.verify(hash, password);
+	} catch (error) {
+		throw new Error(error);
+	}
+};
+
+/**
+ * Used to hash the password using the sha256
+ * algorithm. We only use this to for checking
+ * the hashed-password set in the config.
+ *
+ * Kept for legacy reasons.
+ */
+export const hashLegacy = (str: string): string => {
+	return crypto.createHash('sha256').update(str).digest('hex');
+};
+
+/**
+ * Used to check if the password matches the hash using
+ * the hashLegacy function
+ */
+export const isHashLegacyMatch = (password: string, hashPassword: string) => {
+	const hashedWithLegacy = hashLegacy(password);
+	return safeCompare(hashedWithLegacy, hashPassword);
+};
+
+/**
+ * Checks if a password is valid and also returns the hash
+ * using the PasswordMethod
+ */
+export async function handlePasswordValidation({
+	passwordMethod,
+	passwordFromArgs,
+	passwordFromRequestBody,
+	hashedPasswordFromArgs,
+}: HandlePasswordValidationArgs): Promise<PasswordValidation> {
+	const passwordValidation: PasswordValidation = {
+		isPasswordValid: false,
+		hashedPassword: '',
+	};
+
+	switch (passwordMethod) {
+		case 'PLAIN_TEXT': {
+			const isValid = passwordFromArgs ? safeCompare(passwordFromRequestBody, passwordFromArgs) : false;
+			passwordValidation.isPasswordValid = isValid;
+
+			const hashedPassword = await hash(passwordFromRequestBody);
+			passwordValidation.hashedPassword = hashedPassword;
+			break;
+		}
+		case 'ARGON2': {
+			const isValid = await isHashMatch(passwordFromRequestBody, hashedPasswordFromArgs || '');
+			passwordValidation.isPasswordValid = isValid;
+
+			passwordValidation.hashedPassword = hashedPasswordFromArgs || '';
+			break;
+		}
+		default:
+			break;
+	}
+
+	return passwordValidation;
+}
+
+export type IsCookieValidArgs = {
+	passwordMethod: PasswordMethod
+	cookieKey: string
+	hashedPasswordFromArgs: string | undefined
+	passwordFromArgs: string | undefined
+};
+
+/** Checks if a req.cookies.key is valid using the PasswordMethod */
+export async function isCookieValid({
+	passwordFromArgs = '',
+	cookieKey,
+	hashedPasswordFromArgs = '',
+	passwordMethod,
+}: IsCookieValidArgs): Promise<boolean> {
+	let isValid = false;
+	switch (passwordMethod) {
+		case 'PLAIN_TEXT':
+			isValid = await isHashMatch(passwordFromArgs, cookieKey);
+			break;
+		case 'ARGON2':
+			isValid = safeCompare(cookieKey, hashedPasswordFromArgs);
+			break;
+		default:
+			break;
+	}
+	return isValid;
+}
@@ -0,0 +1,88 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import * as http from 'http';
+import { ILogService } from 'vs/platform/log/common/log';
+import { parse } from 'querystring';
+
+// TODO is it enough?
+const textMimeType = new Map([
+	['.html', 'text/html'],
+	['.js', 'text/javascript'],
+	['.json', 'application/json'],
+	['.css', 'text/css'],
+	['.svg', 'image/svg+xml']
+]);
+
+// TODO is it enough?
+const mapExtToMediaMimes = new Map([
+	['.bmp', 'image/bmp'],
+	['.gif', 'image/gif'],
+	['.ico', 'image/x-icon'],
+	['.jpe', 'image/jpg'],
+	['.jpeg', 'image/jpg'],
+	['.jpg', 'image/jpg'],
+	['.png', 'image/png'],
+	['.tga', 'image/x-tga'],
+	['.tif', 'image/tiff'],
+	['.tiff', 'image/tiff'],
+	['.woff', 'application/font-woff']
+]);
+
+export function getMediaMime(forPath: string): string | undefined {
+	const ext = path.extname(forPath);
+	return mapExtToMediaMimes.get(ext.toLowerCase());
+}
+
+export function collectRequestData(request: http.IncomingMessage): Promise<Record<string, string>> {
+	return new Promise(resolve => {
+		const FORM_URLENCODED = 'application/x-www-form-urlencoded';
+		if (request.headers['content-type'] === FORM_URLENCODED) {
+			let body = '';
+			request.on('data', chunk => {
+				body += chunk.toString();
+			});
+			request.on('end', () => {
+				const item = parse(body) as Record<string, string>;
+				resolve(item);
+			});
+		}
+		else {
+			resolve({});
+		}
+	});
+}
+
+export async function serveFile(logService: ILogService, req: http.IncomingMessage, res: http.ServerResponse, filePath: string, responseHeaders: http.OutgoingHttpHeaders = {}) {
+	try {
+
+		// Sanity checks
+		filePath = path.normalize(filePath); // ensure no "." and ".."
+
+		const stat = await fs.promises.stat(filePath);
+
+		// Check if file modified since
+		const etag = `W/"${[stat.ino, stat.size, stat.mtime.getTime()].join('-')}"`; // weak validator (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag)
+		if (req.headers['if-none-match'] === etag) {
+			res.writeHead(304);
+			return res.end();
+		}
+
+		// Headers
+		responseHeaders['Content-Type'] = textMimeType.get(path.extname(filePath)) || getMediaMime(filePath) || 'text/plain';
+		responseHeaders['Etag'] = etag;
+
+		res.writeHead(200, responseHeaders);
+
+		// Data
+		fs.createReadStream(filePath).pipe(res);
+	} catch (error) {
+		logService.error(error.toString());
+		res.writeHead(404, { 'Content-Type': 'text/plain' });
+		return res.end('Not found');
+	}
+}
+
+export function serveError(req: http.IncomingMessage, res: http.ServerResponse, errorCode: number, errorMessage: string): void {
+	res.writeHead(errorCode, { 'Content-Type': 'text/plain' });
+	res.end(errorMessage);
+}