[code] fix #4529: serve each webview from own origin

akosyakov · akosyakov · commit ed076d77a847 · 2021-07-16T14:08:25.000+05:00
decoupled from workpace origin (also extension host origin)
diff --git a/chart/templates/ws-manager-configmap.yaml b/chart/templates/ws-manager-configmap.yaml
@@ -61,6 +61,7 @@ data:
             },
             "heartbeatInterval": "30s",
             "hostURL": "https://{{ $.Values.hostname }}",
+            "workspaceClusterHost": "ws{{- if $gp.installation.shortname -}}-{{ $.Values.installation.shortname }}{{- end -}}.{{ $.Values.hostname }}",
             "initProbe": {
                 "timeout": "1s"
             },
diff --git a/components/ide/code/leeway.Dockerfile b/components/ide/code/leeway.Dockerfile
@@ -42,7 +42,7 @@ RUN curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh |
     && npm install -g yarn node-gyp
 ENV PATH $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
 
-ENV GP_CODE_COMMIT a17670ba5af14e0faf3a6927983468d28fda235b
+ENV GP_CODE_COMMIT 6cf68cedd9ab62af8e426a364d97ed206bbe0a02
 RUN mkdir gp-code \
     && cd gp-code \
     && git init \
diff --git a/components/proxy/conf/Caddyfile b/components/proxy/conf/Caddyfile
@@ -236,6 +236,7 @@ https://*.*.{$GITPOD_DOMAIN} {
 		}
 	}
 
+	# remove (webview-|browser-|extensions-) after Theia removed and new VS Code is used by all workspaces
 	@workspace_port header_regexp host Host ^(webview-|browser-|extensions-)?(?P<workspacePort>[0-9]{2,5})-(?P<workspaceID>[a-z0-9][0-9a-z\-]+).ws(?P<location>-[a-z0-9]+)?.{$GITPOD_DOMAIN}
 	handle @workspace_port {
 		reverse_proxy https://ws-proxy.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:9090 {
@@ -248,6 +249,7 @@ https://*.*.{$GITPOD_DOMAIN} {
 		}
 	}
 
+	# remove (webview-|browser-|extensions-) after Theia removed and new VS Code is used by all workspaces
 	@workspace 	header_regexp host Host ^(webview-|browser-|extensions-)?(?P<workspaceID>[a-z0-9][0-9a-z\-]+).ws(?P<location>-[a-z0-9]+)?.{$GITPOD_DOMAIN}
 	handle @workspace {
 		reverse_proxy https://ws-proxy.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:9090 {
@@ -259,6 +261,17 @@ https://*.*.{$GITPOD_DOMAIN} {
 		}
 	}
 
+	# foreign content origin should be decoupled from the workspace (port) origin but the workspace (port) prefix should be the path root for routing
+	@foreign_content header_regexp host Host ^(.*)(foreign).ws(-[a-z0-9]+)?.{$GITPOD_DOMAIN}
+	handle @foreign_content {
+		reverse_proxy https://ws-proxy.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:9090 {
+			import workspace_transport
+			import upstream_headers
+
+			header_up X-WSProxy-Host       {http.request.host}
+		}
+	}
+
 	respond "Not found" 404
 }
 
diff --git a/components/supervisor-api/go/info.pb.go b/components/supervisor-api/go/info.pb.go
diff --git a/components/supervisor-api/info.proto b/components/supervisor-api/info.proto
@@ -65,4 +65,7 @@ message WorkspaceInfoResponse {
     }
     // repository is a repository from which this workspace was created
     Repository repository = 10;
+
+    // workspace_cluster_host provides the cluster host under which this workspace is served, e.g. ws-eu11.gitpod.io
+    string workspace_cluster_host = 11;
 }
diff --git a/components/supervisor/pkg/supervisor/config.go b/components/supervisor/pkg/supervisor/config.go
@@ -205,6 +205,9 @@ type WorkspaceConfig struct {
 
 	// WorkspaceContext is a context for this workspace
 	WorkspaceContext string `env:"GITPOD_WORKSPACE_CONTEXT"`
+
+	// WorkspaceClusterHost is a host under which this workspace is served, e.g. ws-eu11.gitpod.io
+	WorkspaceClusterHost string `env:"GITPOD_WORKSPACE_CLUSTER_HOST"`
 }
 
 // WorkspaceGitpodToken is a list of tokens that should be added to supervisor's token service
diff --git a/components/supervisor/pkg/supervisor/services.go b/components/supervisor/pkg/supervisor/services.go
@@ -585,11 +585,12 @@ func (is *InfoService) RegisterREST(mux *runtime.ServeMux, grpcEndpoint string)
 // WorkspaceInfo provides information about the workspace
 func (is *InfoService) WorkspaceInfo(context.Context, *api.WorkspaceInfoRequest) (*api.WorkspaceInfoResponse, error) {
 	resp := &api.WorkspaceInfoResponse{
-		CheckoutLocation:    is.cfg.RepoRoot,
-		InstanceId:          is.cfg.WorkspaceInstanceID,
-		WorkspaceId:         is.cfg.WorkspaceID,
-		GitpodHost:          is.cfg.GitpodHost,
-		WorkspaceContextUrl: is.cfg.WorkspaceContextURL,
+		CheckoutLocation:     is.cfg.RepoRoot,
+		InstanceId:           is.cfg.WorkspaceInstanceID,
+		WorkspaceId:          is.cfg.WorkspaceID,
+		GitpodHost:           is.cfg.GitpodHost,
+		WorkspaceContextUrl:  is.cfg.WorkspaceContextURL,
+		WorkspaceClusterHost: is.cfg.WorkspaceClusterHost,
 	}
 
 	commit, err := is.cfg.getCommit()
diff --git a/components/ws-manager/pkg/manager/config.go b/components/ws-manager/pkg/manager/config.go
@@ -79,6 +79,8 @@ type Configuration struct {
 	WorkspaceDaemon WorkspaceDaemonConfiguration `json:"wsdaemon"`
 	// RegistryFacadeHost is the host (possibly including port) on which the registry facade resolves
 	RegistryFacadeHost string `json:"registryFacadeHost"`
+	// Cluster host under which workspaces are served, e.g. ws-eu11.gitpod.io
+	WorkspaceClusterHost string `json:"workspaceClusterHost"`
 }
 
 // AllContainerConfiguration contains the configuration for all container in a workspace pod
diff --git a/components/ws-manager/pkg/manager/create.go b/components/ws-manager/pkg/manager/create.go
@@ -512,7 +512,9 @@ func (m *Manager) createWorkspaceEnvironment(startContext *startWorkspaceContext
 	result = append(result, corev1.EnvVar{Name: "THEIA_WORKSPACE_ROOT", Value: getWorkspaceRelativePath(spec.WorkspaceLocation)})
 	result = append(result, corev1.EnvVar{Name: "GITPOD_HOST", Value: m.Config.GitpodHostURL})
 	result = append(result, corev1.EnvVar{Name: "GITPOD_WORKSPACE_URL", Value: startContext.WorkspaceURL})
+	result = append(result, corev1.EnvVar{Name: "GITPOD_WORKSPACE_CLUSTER_HOST", Value: m.Config.WorkspaceClusterHost})
 	result = append(result, corev1.EnvVar{Name: "THEIA_SUPERVISOR_ENDPOINT", Value: fmt.Sprintf(":%d", startContext.SupervisorPort)})
+	// TODO(ak) remove THEIA_WEBVIEW_EXTERNAL_ENDPOINT and THEIA_MINI_BROWSER_HOST_PATTERN when Theia is removed
 	result = append(result, corev1.EnvVar{Name: "THEIA_WEBVIEW_EXTERNAL_ENDPOINT", Value: "webview-{{hostname}}"})
 	result = append(result, corev1.EnvVar{Name: "THEIA_MINI_BROWSER_HOST_PATTERN", Value: "browser-{{hostname}}"})
 
diff --git a/components/ws-proxy/pkg/proxy/pass.go b/components/ws-proxy/pkg/proxy/pass.go
@@ -13,6 +13,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/gorilla/mux"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/xerrors"
 
@@ -187,3 +188,22 @@ func withXFrameOptionsFilter() proxyPassOpt {
 		})
 	}
 }
+
+type workspaceTransport struct {
+	transport http.RoundTripper
+}
+
+func (t *workspaceTransport) RoundTrip(req *http.Request) (resp *http.Response, err error) {
+	vars := mux.Vars(req)
+	if vars[foreignPathIdentifier] != "" {
+		req = req.Clone(req.Context())
+		req.URL.Path = vars[foreignPathIdentifier]
+	}
+	return t.transport.RoundTrip(req)
+}
+
+func withWorkspaceTransport() proxyPassOpt {
+	return func(h *proxyPassConfig) {
+		h.Transport = &workspaceTransport{h.Transport}
+	}
+}
diff --git a/components/ws-proxy/pkg/proxy/routes.go b/components/ws-proxy/pkg/proxy/routes.go
@@ -104,7 +104,8 @@ func installWorkspaceRoutes(r *mux.Router, config *RouteHandlerConfig, ip Worksp
 	routes.HandleDirectSupervisorRoute(r.PathPrefix("/_supervisor"), true)
 
 	routes.HandleDirectIDERoute(r.MatcherFunc(func(req *http.Request, m *mux.RouteMatch) bool {
-		return m.Vars != nil && m.Vars[foreignOriginPrefix] != ""
+		// this handles all foreign (none-IDE) content
+		return m.Vars != nil && m.Vars[foreignOriginIdentifier] != ""
 	}))
 
 	routes.HandleRoot(r.NewRoute())
@@ -132,7 +133,7 @@ func (ir *ideRoutes) HandleDirectIDERoute(route *mux.Route) {
 	r.Use(ir.Config.WorkspaceAuthHandler)
 	r.Use(ir.workspaceMustExistHandler)
 
-	r.NewRoute().HandlerFunc(proxyPass(ir.Config, workspacePodResolver))
+	r.NewRoute().HandlerFunc(proxyPass(ir.Config, workspacePodResolver, withWorkspaceTransport()))
 }
 
 func (ir *ideRoutes) HandleDirectSupervisorRoute(route *mux.Route, authenticated bool) {
@@ -323,6 +324,7 @@ func installWorkspacePortRoutes(r *mux.Router, config *RouteHandlerConfig) error
 				workspacePodPortResolver,
 				withHTTPErrorHandler(showPortNotFoundPage),
 				withXFrameOptionsFilter(),
+				withWorkspaceTransport(),
 			)(rw, r)
 		},
 	)
diff --git a/components/ws-proxy/pkg/proxy/routes_test.go b/components/ws-proxy/pkg/proxy/routes_test.go
@@ -580,6 +580,26 @@ func TestRoutes(t *testing.T) {
 				Body:   "blobserve hit: /blobserve/gitpod-io/supervisor:latest/main.js\nreadOnly: true\n",
 			},
 		},
+		{
+			Desc: "extensions route GET",
+			Request: modifyRequest(httptest.NewRequest("GET", "https://extensions-foreign.test-domain.com/"+workspaces[0].WorkspaceID+"/extensions.js", nil),
+				addHostHeader,
+				addHeader("Origin", config.GitpodInstallation.HostName),
+				addOwnerToken(workspaces[0].InstanceID, workspaces[0].Auth.OwnerToken),
+			),
+			Expectation: Expectation{
+				Status: http.StatusOK,
+				Header: http.Header{
+					"Access-Control-Allow-Credentials": {"true"},
+					"Access-Control-Allow-Origin":      {"test-domain.com"},
+					"Access-Control-Expose-Headers":    {"Authorization"},
+					"Content-Length":                   {"30"},
+					"Content-Type":                     {"text/plain; charset=utf-8"},
+					"Vary":                             {"Accept-Encoding"},
+				},
+				Body: "workspace hit: /extensions.js\n",
+			},
+		},
 	}
 
 	log.Init("ws-proxy-test", "", false, true)
diff --git a/components/ws-proxy/pkg/proxy/workspacerouter.go b/components/ws-proxy/pkg/proxy/workspacerouter.go
diff --git a/components/ws-proxy/pkg/proxy/workspacerouter_test.go b/components/ws-proxy/pkg/proxy/workspacerouter_test.go

Original file line number	Diff line number	Diff line change
`@@ -236,6 +236,7 @@ https://..{$GITPOD_DOMAIN} {`
`236`	`236`	`}`
`237`	`237`	`}`
`238`	`238`
	`239`	`+ # remove (webview-\|browser-\|extensions-) after Theia removed and new VS Code is used by all workspaces`
`239`	`240`	`@workspace_port header_regexp host Host ^(webview-\|browser-\|extensions-)?(?P<workspacePort>[0-9]{2,5})-(?P<workspaceID>[a-z0-9][0-9a-z\-]+).ws(?P<location>-[a-z0-9]+)?.{$GITPOD_DOMAIN}`
`240`	`241`	`handle @workspace_port {`
`241`	`242`	`reverse_proxy https://ws-proxy.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:9090 {`
`@@ -248,6 +249,7 @@ https://..{$GITPOD_DOMAIN} {`
`248`	`249`	`}`
`249`	`250`	`}`
`250`	`251`
	`252`	`+ # remove (webview-\|browser-\|extensions-) after Theia removed and new VS Code is used by all workspaces`
`251`	`253`	`@workspace header_regexp host Host ^(webview-\|browser-\|extensions-)?(?P<workspaceID>[a-z0-9][0-9a-z\-]+).ws(?P<location>-[a-z0-9]+)?.{$GITPOD_DOMAIN}`
`252`	`254`	`handle @workspace {`
`253`	`255`	`reverse_proxy https://ws-proxy.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:9090 {`
`@@ -259,6 +261,17 @@ https://..{$GITPOD_DOMAIN} {`
`259`	`261`	`}`
`260`	`262`	`}`
`261`	`263`
	`264`	`+ # foreign content origin should be decoupled from the workspace (port) origin but the workspace (port) prefix should be the path root for routing`
	`265`	`+ @foreign_content header_regexp host Host ^(.*)(foreign).ws(-[a-z0-9]+)?.{$GITPOD_DOMAIN}`
	`266`	`+ handle @foreign_content {`
	`267`	`+ reverse_proxy https://ws-proxy.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:9090 {`
	`268`	`+ import workspace_transport`
	`269`	`+ import upstream_headers`
	`270`	`+`
	`271`	`+ header_up X-WSProxy-Host {http.request.host}`
	`272`	`+ }`
	`273`	`+ }`
	`274`	`+`
`262`	`275`	`respond "Not found" 404`
`263`	`276`	`}`
`264`	`277`
Original file line number	Diff line number	Diff line change
`@@ -65,4 +65,7 @@ message WorkspaceInfoResponse {`
`65`	`65`	`}`
`66`	`66`	`// repository is a repository from which this workspace was created`
`67`	`67`	`Repository repository = 10;`
	`68`	`+`
	`69`	`+ // workspace_cluster_host provides the cluster host under which this workspace is served, e.g. ws-eu11.gitpod.io`
	`70`	`+ string workspace_cluster_host = 11;`
`68`	`71`	`}`
Original file line number	Diff line number	Diff line change
`@@ -205,6 +205,9 @@ type WorkspaceConfig struct {`
`205`	`205`
`206`	`206`	`// WorkspaceContext is a context for this workspace`
`207`	`207`	WorkspaceContext string `env:"GITPOD_WORKSPACE_CONTEXT"`
	`208`	`+`
	`209`	`+ // WorkspaceClusterHost is a host under which this workspace is served, e.g. ws-eu11.gitpod.io`
	`210`	+ WorkspaceClusterHost string `env:"GITPOD_WORKSPACE_CLUSTER_HOST"`
`208`	`211`	`}`
`209`	`212`
`210`	`213`	`// WorkspaceGitpodToken is a list of tokens that should be added to supervisor's token service`
Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,8 @@ type Configuration struct {`
`79`	`79`	WorkspaceDaemon WorkspaceDaemonConfiguration `json:"wsdaemon"`
`80`	`80`	`// RegistryFacadeHost is the host (possibly including port) on which the registry facade resolves`
`81`	`81`	RegistryFacadeHost string `json:"registryFacadeHost"`
	`82`	`+ // Cluster host under which workspaces are served, e.g. ws-eu11.gitpod.io`
	`83`	+ WorkspaceClusterHost string `json:"workspaceClusterHost"`
`82`	`84`	`}`
`83`	`85`
`84`	`86`	`// AllContainerConfiguration contains the configuration for all container in a workspace pod`