[supervisor-frontend] implement encryption for code

Author: mustard-mh

components/gitpod-protocol/src/typings/globals.ts

@@ -11,5 +11,9 @@ interface Window {
         loggedUserID?: string;
 
         openDesktopIDE(url: string): void;
+
+        encrypt(content: string): string;
+        decrypt(content: string): string;
+        isEncryptedData(content: string): boolean;
     };
 }

components/supervisor/frontend/src/ide/ide-metrics-service-client.ts

@@ -36,10 +36,10 @@ export class IDEMetricsServiceClient {
     static serviceClient: FrontendDashboardServiceClient;
 
     static get instanceId(): string {
-        return this.serviceClient.latestStatus?.instanceId ?? "";
+        return this.serviceClient.latestInfo?.instanceId ?? "";
     }
     static get userId(): string {
-        return this.serviceClient.latestStatus?.loggedUserId ?? "";
+        return this.serviceClient.latestInfo?.loggedUserId ?? "";
     }
 
     static async addCounter(

components/supervisor/frontend/src/index.ts

@@ -68,13 +68,16 @@ LoadingFrame.load().then(async (loading) => {
     const frontendDashboardServiceClient = loading.frontendDashboardServiceClient;
     await frontendDashboardServiceClient.initialize();
 
-    if (frontendDashboardServiceClient.latestStatus.workspaceType !== "regular") {
+    if (frontendDashboardServiceClient.latestInfo.workspaceType !== "regular") {
         return;
     }
 
-    document.title = frontendDashboardServiceClient.latestStatus.workspaceDescription ?? "gitpod";
-    window.gitpod.loggedUserID = frontendDashboardServiceClient.latestStatus.loggedUserId;
+    document.title = frontendDashboardServiceClient.latestInfo.workspaceDescription ?? "gitpod";
+    window.gitpod.loggedUserID = frontendDashboardServiceClient.latestInfo.loggedUserId;
     window.gitpod.openDesktopIDE = frontendDashboardServiceClient.openDesktopIDE.bind(frontendDashboardServiceClient);
+    window.gitpod.decrypt = frontendDashboardServiceClient.decrypt.bind(frontendDashboardServiceClient);
+    window.gitpod.encrypt = frontendDashboardServiceClient.encrypt.bind(frontendDashboardServiceClient);
+    window.gitpod.isEncryptedData = frontendDashboardServiceClient.isEncryptedData.bind(frontendDashboardServiceClient);
 
     (async () => {
         const supervisorServiceClient = SupervisorServiceClient.get();
@@ -113,7 +116,7 @@ LoadingFrame.load().then(async (loading) => {
         let desktopRedirected = false;
         let currentInstanceId = "";
         const nextFrame = () => {
-            const { instanceId, ideUrl, statusPhase } = frontendDashboardServiceClient.latestStatus ?? {};
+            const { instanceId, ideUrl, statusPhase } = frontendDashboardServiceClient.latestInfo ?? {};
 
             if (instanceId) {
                 // refresh web page when instanceId changed
@@ -209,7 +212,7 @@ LoadingFrame.load().then(async (loading) => {
         updateCurrentFrame();
         updateLoadingState();
         trackIDEStatusRenderedEvent();
-        frontendDashboardServiceClient.onStatusUpdate(() => updateCurrentFrame());
+        frontendDashboardServiceClient.onInfoUpdate(() => updateCurrentFrame());
         ideService.onDidChange(() => {
             updateLoadingState();
             updateCurrentFrame();
@@ -228,25 +231,25 @@ LoadingFrame.load().then(async (loading) => {
         //#region heart-beat
         heartBeat.track(window);
         const updateHeartBeat = () => {
-            if (frontendDashboardServiceClient.latestStatus?.statusPhase === "running") {
+            if (frontendDashboardServiceClient.latestInfo?.statusPhase === "running") {
                 heartBeat.schedule(frontendDashboardServiceClient);
             } else {
                 heartBeat.cancel();
             }
         };
         updateHeartBeat();
-        frontendDashboardServiceClient.onStatusUpdate(() => updateHeartBeat());
+        frontendDashboardServiceClient.onInfoUpdate(() => updateHeartBeat());
         //#endregion
     })();
 
     (async () => {
         //#region ide lifecycle
         function isWorkspaceInstancePhase(phase: WorkspaceInstancePhase): boolean {
-            return frontendDashboardServiceClient.latestStatus?.statusPhase === phase;
+            return frontendDashboardServiceClient.latestInfo?.statusPhase === phase;
         }
         if (!isWorkspaceInstancePhase("running")) {
             await new Promise<void>((resolve) => {
-                frontendDashboardServiceClient.onStatusUpdate((status) => {
+                frontendDashboardServiceClient.onInfoUpdate((status) => {
                     if (status.statusPhase === "running") {
                         resolve();
                     }
@@ -264,7 +267,7 @@ LoadingFrame.load().then(async (loading) => {
         }
         toStop.pushAll([
             IDEWebSocket.connectWorkspace(),
-            frontendDashboardServiceClient.onStatusUpdate((status) => {
+            frontendDashboardServiceClient.onInfoUpdate((status) => {
                 if (status.statusPhase === "stopping" || status.statusPhase === "stopped") {
                     toStop.dispose();
                 }

components/supervisor/frontend/src/shared/frontend-dashboard-service.ts

@@ -4,16 +4,18 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
+import * as crypto from "crypto";
 import { IDEFrontendDashboardService } from "@gitpod/gitpod-protocol/lib/frontend-dashboard-service";
 import { RemoteTrackMessage } from "@gitpod/gitpod-protocol/lib/analytics";
 import { Emitter } from "@gitpod/gitpod-protocol/lib/util/event";
 import { workspaceUrl, serverUrl } from "./urls";
 
 export class FrontendDashboardServiceClient implements IDEFrontendDashboardService.IClient {
-    public latestStatus!: IDEFrontendDashboardService.Status;
+    public latestInfo!: IDEFrontendDashboardService.Info;
+    private credentialsToken?: Uint8Array;
 
-    private readonly onDidChangeEmitter = new Emitter<IDEFrontendDashboardService.Status>();
-    readonly onStatusUpdate = this.onDidChangeEmitter.event;
+    private readonly onDidChangeEmitter = new Emitter<IDEFrontendDashboardService.Info>();
+    readonly onInfoUpdate = this.onDidChangeEmitter.event;
 
     private readonly onOpenBrowserIDEEmitter = new Emitter<void>();
     readonly onOpenBrowserIDE = this.onOpenBrowserIDEEmitter.event;
@@ -28,11 +30,16 @@ export class FrontendDashboardServiceClient implements IDEFrontendDashboardServi
             if (event.origin !== serverUrl.url.origin) {
                 return;
             }
-            if (IDEFrontendDashboardService.isStatusUpdateEventData(event.data)) {
+            if (IDEFrontendDashboardService.isInfoUpdateEventData(event.data)) {
                 this.version = event.data.version;
-                this.latestStatus = event.data.status;
+                this.latestInfo = event.data.info;
+                if (event.data.info.credentialsToken?.length > 0) {
+                    this.credentialsToken = Uint8Array.from(atob(event.data.info.credentialsToken), (c) =>
+                        c.charCodeAt(0),
+                    );
+                }
                 this.resolveInit();
-                this.onDidChangeEmitter.fire(this.latestStatus);
+                this.onDidChangeEmitter.fire(this.latestInfo);
             }
             if (IDEFrontendDashboardService.isRelocateEventData(event.data)) {
                 window.location.href = event.data.url;
@@ -46,6 +53,50 @@ export class FrontendDashboardServiceClient implements IDEFrontendDashboardServi
         return this.initPromise;
     }
 
+    decrypt(str: string): string {
+        if (!this.credentialsToken) {
+            throw new Error("no credentials token available");
+        }
+        const obj = JSON.parse(str);
+        if (!isSerializedEncryptedData(obj)) {
+            throw new Error("incorrect encrypted data");
+        }
+        const data = {
+            ...obj,
+            iv: Buffer.from(obj.iv, "base64"),
+            tag: Buffer.from(obj.tag, "base64"),
+        };
+        const decipher = crypto.createDecipheriv("aes-256-gcm", this.credentialsToken, data.iv);
+        decipher.setAuthTag(data.tag);
+        const decrypted = decipher.update(data.encrypted, "hex", "utf8");
+        return decrypted + decipher.final("utf8");
+    }
+
+    encrypt(content: string): string {
+        if (!this.credentialsToken) {
+            throw new Error("no credentials token available");
+        }
+        const iv = crypto.randomBytes(12);
+        const cipher = crypto.createCipheriv("aes-256-gcm", this.credentialsToken, iv);
+        let encrypted = cipher.update(content, "utf8", "hex");
+        encrypted += cipher.final("hex");
+        const tag = cipher.getAuthTag();
+        return JSON.stringify({
+            iv: iv.toString("base64"),
+            tag: tag.toString("base64"),
+            encrypted,
+        });
+    }
+
+    isEncryptedData(content: string): boolean {
+        try {
+            const obj = JSON.parse(content);
+            return isSerializedEncryptedData(obj);
+        } catch (e) {
+            return false;
+        }
+    }
+
     trackEvent(msg: RemoteTrackMessage): void {
         const debugWorkspace = workspaceUrl.debugWorkspace;
         msg.properties = { ...msg.properties, debugWorkspace };
@@ -78,3 +129,13 @@ export class FrontendDashboardServiceClient implements IDEFrontendDashboardServi
         );
     }
 }
+
+function isSerializedEncryptedData(obj: any): obj is { iv: string; encrypted: string; tag: string } {
+    return (
+        obj != null &&
+        typeof obj === "object" &&
+        typeof obj.iv === "string" &&
+        typeof obj.encrypted === "string" &&
+        typeof obj.tag === "string"
+    );
+}

components/supervisor/frontend/webpack.config.js

@@ -55,7 +55,7 @@ module.exports = {
         fs: "empty",
         child_process: "empty",
         net: "empty",
-        crypto: "empty",
+        crypto: true,
         tls: "empty",
     },
     devtool: "source-map",