[server] enable auth for snapshot creation

[JanKoehnlein]

The problem is that for snapshot creation, we don't have a snapshot yet, and as such have to provide the workspaceID instead for the create token. This creates an ambiguity between

snapshot:<snapshot ID>:create
snapshot:<workspace ID>:create

which has to be resolved. This solution uses a prefix if the subjectID is a workspaceID.

I refrained from creating a SnapshotCreateResourceGuard wire that up using a CompositeResourceGuard as the latter only ORs the composite guards. As such the TokenResourceGuard would still accept a SnapshotResource whose snapshotID equals the workspaceID for which the permission has been granted. So our hope that we could solve this with a local additive change was wrong. Alternatively, we could either add a VetoCompositeResourceGuard or put the entire filtering and matching logic into TokenResourceGuard. Both appeared far more invasive to me than the prefix approach.

[JanKoehnlein]

How to test this

• create a dev-staging environment from this PR using werft
• log in and set feature preview to true
• create an EE license for the dev environment and register it (see https://www.notion.so/gitpod/How-we-develop-e8ce7e562478458a9223eb9b797415b2#509d98bc73134b18b8ebea08f7d213f7)
• open an arbitrary GitHub repo and chose Gitpod: Share Workspace Snapshot from the main menu.
• wait for once the snapshot is ready copy the URL (requires allowing copy/paste to the dev-staging environment in your browser)
• open a new tab with the snapshot URL

[csweichel]

Works as expected :)
Love the resource guard change - it's much simpler than what we originally discussed.

Only the message is quite verbose and somewhat hard to parse.
I'd propose something like this:

before	after

[csweichel]

Personally I still find the URL in there to be too much noise :/

[JanKoehnlein]

Personally I still find the URL in there to be too much noise :/

Yes, it is noisy. The problem is that the "Copy URL to Clipboard" will silently fail when clipboard access is not granted in the browser, and VS Code seems to block all other ways to present the URL in the dialog. And it's a bit better if the base URL is just https://gitpod.io.

For the time being, we could add an outputChannel and print the URL there, such that users can copy it themselves. In the long run, we should go for another UI that also allows browsing all snapshots of that workspace. Still we have to solve the copy/paste problem.

[akosyakov]

I think we can go with it for now and then replace it with proper webview which will fix the clipboard issue as well. @svenefftinge would it be fine?

[svenefftinge]

Is using a link as Chris proposed not possible within the notification? I would find that more UX-friendly, as it is easier on the eye and easier to copy.

[akosyakov]

@JanKoehnlein I read through the code and it seems that links are supported with markdown syntax: https://github.com/microsoft/vscode/blob/a699ffaee62010c4634d301da2bbdb7646b8d1da/src/vs/base/common/linkedText.ts#L26-L28

i.e. [label](url)

[JanKoehnlein]

I tried markdown links in a VS Code message dialog yesterday, but it didn't work. Tried again today, and now it works. Must have slightly messed up the syntax. So now it's a link. Sorry for the noise (in all regards)

[akosyakov]

LGTM