Merge branch 'main' into vscode-1.56

Author: Akash Satheesan

.github/workflows/ci.yaml

@@ -406,3 +406,61 @@ jobs:
         with:
           name: release-images
           path: ./release-images
+
+  trivy-scan-image:
+    runs-on: ubuntu-20.04
+    needs: docker-amd64
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Download release images
+        uses: actions/download-artifact@v2
+        with:
+          name: release-images
+          path: ./release-images
+
+      - name: Run Trivy vulnerability scanner in image mode
+        # Commit SHA for v0.0.14
+        uses: aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54
+        with:
+          input: "./release-images/code-server-amd64-*.tar"
+          scan-type: "image"
+          ignore-unfixed: true
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-image-results.sarif"
+          severity: "HIGH,CRITICAL"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: "trivy-image-results.sarif"
+
+  # We have to use two trivy jobs
+  # because GitHub only allows
+  # codeql/upload-sarif action per job
+  trivy-scan-repo:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        # Commit SHA for v0.0.14
+        uses: aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54
+        with:
+          scan-type: "fs"
+          scan-ref: "."
+          ignore-unfixed: true
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-repo-results.sarif"
+          severity: "HIGH,CRITICAL"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: "trivy-repo-results.sarif"

docs/MAINTAINING.md

@@ -5,7 +5,9 @@
 - [Maintaining](#maintaining)
   - [Workflow](#workflow)
     - [Milestones](#milestones)
+    - [Triage](#triage)
     - [Project Boards](#project-boards)
+  - [Versioning](#versioning)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
@@ -36,10 +38,28 @@ Here are the milestones we use and how we use them:
 
 With this flow, any un-assigned issues are essentially in triage state and once triaged are either "Backlog" or "Backlog Candidates". They will eventually move to "On Deck" (or be closed). Lastly, they will end up on a version milestone where they will be worked on.
 
+### Triage
+
+We use the following process for triaging GitHub issues:
+
+1. a submitter creates an issue
+1. add appropriate labels
+   1. if we need to look into it further, add "needs-investigation"
+1. add to milestone
+   1. if it should be fixed soon, add to version milestone or "On Deck"
+   1. if not urgent, add to "Backlog"
+   1. otherwise, add to "Backlog Candidate" if it should be considered
+
 ### Project Boards
 
 We use project boards for projects or goals that span multiple milestones.
 
 Think of this as a place to put miscellaneous things (like testing, clean up stuff, etc). As a maintainer, random todos may come up here and there. This gives you a place to add notes temporarily before opening a new issue. Given that our release milestones function off of issues, we believe tasks should have dedicated issues.
 
 It also gives us a way to separate the issue triage from bigger-picture, long-term work.
+
+## Versioning
+
+`<major.minor.patch>`
+
+The code-server project follows traditional [semantic versioning](ttps://semver.org/), with the objective of minimizing major changes that break backward compatibility. We increment the patch level for all releases, except when the upstream Visual Studio Code project increments its minor version or we change the plugin API in a backward-compatible manner. In those cases, we increment the minor version rather than the patch level.

lib/vscode/.eslintignore

@@ -19,3 +19,4 @@
 # These are code-server code symlinks.
 src/vs/base/node/proxy_agent.ts
 src/vs/ipc.d.ts
+src/vs/server/common/util.ts

lib/vscode/src/vs/server/browser/client.ts

@@ -1,8 +1,10 @@
 import * as path from 'vs/base/common/path';
-import { URI } from 'vs/base/common/uri';
 import { Options } from 'vs/ipc';
 import { localize } from 'vs/nls';
+import { MenuId, MenuRegistry } from 'vs/platform/actions/common/actions';
+import { CommandsRegistry } from 'vs/platform/commands/common/commands';
 import { Extensions, IConfigurationRegistry } from 'vs/platform/configuration/common/configurationRegistry';
+import { ContextKeyExpr, IContextKeyService } from 'vs/platform/contextkey/common/contextkey';
 import { registerSingleton } from 'vs/platform/instantiation/common/extensions';
 import { ServiceCollection } from 'vs/platform/instantiation/common/serviceCollection';
 import { ILogService } from 'vs/platform/log/common/log';
@@ -11,10 +13,18 @@ import { Registry } from 'vs/platform/registry/common/platform';
 import { IStorageService, StorageScope, StorageTarget } from 'vs/platform/storage/common/storage';
 import { ITelemetryService } from 'vs/platform/telemetry/common/telemetry';
 import { TelemetryChannelClient } from 'vs/server/common/telemetry';
+import { getOptions } from 'vs/server/common/util';
 import 'vs/workbench/contrib/localizations/browser/localizations.contribution';
 import 'vs/workbench/services/localizations/browser/localizationsService';
 import { IRemoteAgentService } from 'vs/workbench/services/remote/common/remoteAgentService';
 
+/**
+ * All client-side customization to VS Code should live in this file when
+ * possible.
+ */
+
+const options = getOptions<Options>();
+
 class TelemetryService extends TelemetryChannelClient {
 	public constructor(
 		@IRemoteAgentService remoteAgentService: IRemoteAgentService,
@@ -23,26 +33,6 @@ class TelemetryService extends TelemetryChannelClient {
 	}
 }
 
-/**
- * Remove extra slashes in a URL.
- */
-export const normalize = (url: string, keepTrailing = false): string => {
-	return url.replace(/\/\/+/g, '/').replace(/\/+$/, keepTrailing ? '/' : '');
-};
-
-/**
- * Get options embedded in the HTML.
- */
-export const getOptions = <T extends Options>(): T => {
-	try {
-		return JSON.parse(document.getElementById('coder-options')!.getAttribute('data-settings')!);
-	} catch (error) {
-		return {} as T;
-	}
-};
-
-const options = getOptions();
-
 const TELEMETRY_SECTION_ID = 'telemetry';
 Registry.as<IConfigurationRegistry>(Extensions.Configuration).registerConfiguration({
 	'id': TELEMETRY_SECTION_ID,
@@ -173,38 +163,36 @@ export const initialize = async (services: ServiceCollection): Promise<void> =>
 	if (theme) {
 		localStorage.setItem('colorThemeData', theme);
 	}
-};
 
-export interface Query {
-	[key: string]: string | undefined;
-}
-
-/**
- * Split a string up to the delimiter. If the delimiter doesn't exist the first
- * item will have all the text and the second item will be an empty string.
- */
-export const split = (str: string, delimiter: string): [string, string] => {
-	const index = str.indexOf(delimiter);
-	return index !== -1 ? [str.substring(0, index).trim(), str.substring(index + 1)] : [str, ''];
-};
+	// Use to show or hide logout commands and menu options.
+	const contextKeyService = (services.get(IContextKeyService) as IContextKeyService);
+	contextKeyService.createKey('code-server.authed', options.authed);
+
+	// Add a logout command.
+	const logoutEndpoint = path.join(options.base, '/logout') + `?base=${options.base}`;
+	const LOGOUT_COMMAND_ID = 'code-server.logout';
+	CommandsRegistry.registerCommand(
+		LOGOUT_COMMAND_ID,
+		() => {
+			window.location.href = logoutEndpoint;
+		},
+	);
+
+	// Add logout to command palette.
+	MenuRegistry.appendMenuItem(MenuId.CommandPalette, {
+		command: {
+			id: LOGOUT_COMMAND_ID,
+			title: localize('logout', "Log out")
+		},
+		when: ContextKeyExpr.has('code-server.authed')
+	});
 
-/**
- * Return the URL modified with the specified query variables. It's pretty
- * stupid so it probably doesn't cover any edge cases. Undefined values will
- * unset existing values. Doesn't allow duplicates.
- */
-export const withQuery = (url: string, replace: Query): string => {
-	const uri = URI.parse(url);
-	const query = { ...replace };
-	uri.query.split('&').forEach((kv) => {
-		const [key, value] = split(kv, '=');
-		if (!(key in query)) {
-			query[key] = value;
-		}
+	// Add logout to the (web-only) home menu.
+	MenuRegistry.appendMenuItem(MenuId.MenubarHomeMenu, {
+		command: {
+			id: LOGOUT_COMMAND_ID,
+			title: localize('logout', "Log out")
+		},
+		when: ContextKeyExpr.has('code-server.authed')
 	});
-	return uri.with({
-		query: Object.keys(query)
-			.filter((k) => typeof query[k] !== 'undefined')
-			.map((k) => `${k}=${query[k]}`).join('&'),
-	}).toString(true);
 };

lib/vscode/src/vs/server/common/cookie.ts

@@ -0,0 +1 @@
+../../../../../../src/common/util.ts

lib/vscode/src/vs/server/common/util.ts

@@ -9,7 +9,7 @@ import { registerThemingParticipant, IThemeService } from 'vs/platform/theme/com
 import { MenuBarVisibility, getTitleBarStyle, IWindowOpenable, getMenuBarVisibility } from 'vs/platform/windows/common/windows';
 import { IContextKeyService } from 'vs/platform/contextkey/common/contextkey';
 import { IAction, Action, SubmenuAction, Separator } from 'vs/base/common/actions';
-import { addDisposableListener, Dimension, EventType, getCookieValue } from 'vs/base/browser/dom';
+import { addDisposableListener, Dimension, EventType } from 'vs/base/browser/dom';
 import { IKeybindingService } from 'vs/platform/keybinding/common/keybinding';
 import { isMacintosh, isWeb, isIOS, isNative } from 'vs/base/common/platform';
 import { IConfigurationService, IConfigurationChangeEvent } from 'vs/platform/configuration/common/configuration';
@@ -38,8 +38,6 @@ import { KeyCode } from 'vs/base/common/keyCodes';
 import { KeybindingWeight } from 'vs/platform/keybinding/common/keybindingsRegistry';
 import { IsWebContext } from 'vs/platform/contextkey/common/contextkeys';
 import { ICommandService } from 'vs/platform/commands/common/commands';
-import { ILogService } from 'vs/platform/log/common/log';
-import { Cookie } from 'vs/server/common/cookie';
 
 export type IOpenRecentAction = IAction & { uri: URI, remoteAuthority?: string };
 
@@ -303,7 +301,6 @@ export class CustomMenubarControl extends MenubarControl {
 	private readonly _onVisibilityChange: Emitter<boolean>;
 	private readonly _onFocusStateChange: Emitter<boolean>;
 
-	// NOTE@coder: add logService (used in logout)
 	constructor(
 		@IMenuService menuService: IMenuService,
 		@IWorkspacesService workspacesService: IWorkspacesService,
@@ -320,8 +317,7 @@ export class CustomMenubarControl extends MenubarControl {
 		@IThemeService private readonly themeService: IThemeService,
 		@IWorkbenchLayoutService private readonly layoutService: IWorkbenchLayoutService,
 		@IHostService hostService: IHostService,
-		@ICommandService commandService: ICommandService,
-		@ILogService private readonly logService: ILogService
+		@ICommandService commandService: ICommandService
 	) {
 		super(menuService, workspacesService, contextKeyService, keybindingService, configurationService, labelService, updateService, storageService, notificationService, preferencesService, environmentService, accessibilityService, hostService, commandService);
 
@@ -723,28 +719,6 @@ export class CustomMenubarControl extends MenubarControl {
 			webNavigationActions.pop();
 		}
 
-		webNavigationActions.push(new Action('logout', localize('logout', "Log out"), undefined, true,
-		async (_event?: any) => {
-			const COOKIE_KEY = Cookie.Key;
-			const loginCookie = getCookieValue(COOKIE_KEY);
-
-			this.logService.info('Logging out of code-server');
-
-			if(loginCookie) {
-				this.logService.info(`Removing cookie under ${COOKIE_KEY}`);
-
-				if (document && document.cookie) {
-					// We delete the cookie by setting the expiration to a date/time in the past
-					document.cookie = COOKIE_KEY +'=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;';
-					window.location.href = '/login';
-				} else {
-					this.logService.warn('Could not delete cookie because document and/or document.cookie is undefined');
-				}
-			} else {
-				this.logService.warn('Could not log out because we could not find cookie');
-			}
-		}));
-
 		return webNavigationActions;
 	}
 

lib/vscode/src/vs/workbench/browser/parts/titlebar/menubarControl.ts

@@ -55,7 +55,7 @@
     "@types/wtfnode": "^0.7.0",
     "@typescript-eslint/eslint-plugin": "^4.7.0",
     "@typescript-eslint/parser": "^4.7.0",
-    "audit-ci": "^3.1.1",
+    "audit-ci": "^4.0.0",
     "codecov": "^3.8.1",
     "doctoc": "^2.0.0",
     "eslint": "^7.7.0",

package.json

@@ -1,3 +1,4 @@
+import { logger } from "@coder/logger"
 import { getOptions, normalize, logError } from "../common/util"
 
 import "./pages/error.css"
@@ -6,19 +7,21 @@ import "./pages/login.css"
 
 export async function registerServiceWorker(): Promise<void> {
   const options = getOptions()
+  logger.level = options.logLevel
+
   const path = normalize(`${options.csStaticBase}/dist/serviceWorker.js`)
   try {
     await navigator.serviceWorker.register(path, {
       scope: options.base + "/",
     })
-    console.log("[Service Worker] registered")
+    logger.info(`[Service Worker] registered`)
   } catch (error) {
-    logError(`[Service Worker] registration`, error)
+    logError(logger, `[Service Worker] registration`, error)
   }
 }
 
 if (typeof navigator !== "undefined" && "serviceWorker" in navigator) {
   registerServiceWorker()
 } else {
-  console.error(`[Service Worker] navigator is undefined`)
+  logger.error(`[Service Worker] navigator is undefined`)
 }

src/browser/register.ts

@@ -1,5 +1,13 @@
-import { logger, field } from "@coder/logger"
+/*
+ * This file exists in two locations:
+ * - src/common/util.ts
+ * - lib/vscode/src/vs/server/common/util.ts
+ * The second is a symlink to the first.
+ */
 
+/**
+ * Base options included on every page.
+ */
 export interface Options {
   base: string
   csStaticBase: string
@@ -69,6 +77,9 @@ export const getOptions = <T extends Options>(): T => {
     options = {} as T
   }
 
+  // You can also pass options in stringified form to the options query
+  // variable. Options provided here will override the ones in the options
+  // element.
   const params = new URLSearchParams(location.search)
   const queryOpts = params.get("options")
   if (queryOpts) {
@@ -78,13 +89,9 @@ export const getOptions = <T extends Options>(): T => {
     }
   }
 
-  logger.level = options.logLevel
-
   options.base = resolveBase(options.base)
   options.csStaticBase = resolveBase(options.csStaticBase)
 
-  logger.debug("got options", field("options", options))
-
   return options
 }
 
@@ -113,7 +120,8 @@ export const getFirstString = (value: string | string[] | object | undefined): s
   return typeof value === "string" ? value : undefined
 }
 
-export function logError(prefix: string, err: any): void {
+// TODO: Might make sense to add Error handling to the logger itself.
+export function logError(logger: { error: (msg: string) => void }, prefix: string, err: Error | string): void {
   if (err instanceof Error) {
     logger.error(`${prefix}: ${err.message} ${err.stack}`)
   } else {