[db][server][dashboard] Allow censoring Project environment variables out of Workspaces

Author: jankeromnes

components/dashboard/src/projects/ProjectVariables.tsx

@@ -7,6 +7,8 @@
 import { Project, ProjectEnvVar } from "@gitpod/gitpod-protocol";
 import { useContext, useEffect, useState } from "react";
 import AlertBox from "../components/AlertBox";
+import CheckBox from "../components/CheckBox";
+import InfoBox from "../components/InfoBox";
 import { Item, ItemField, ItemFieldContextMenu, ItemsList } from "../components/ItemsList";
 import Modal from "../components/Modal";
 import { getGitpodService } from "../service/service";
@@ -54,15 +56,17 @@ export default function () {
             </div>
             : <>
                 <ItemsList>
-                    <Item header={true} className="grid grid-cols-3 items-center">
+                    <Item header={true} className="grid grid-cols-4 items-center">
                         <ItemField>Name</ItemField>
                         <ItemField>Value</ItemField>
+                        <ItemField>Visible in Workspaces?</ItemField>
                         <ItemField></ItemField>
                     </Item>
                     {envVars.map(variable => {
-                        return <Item className="grid grid-cols-3 items-center">
+                        return <Item className="grid grid-cols-4 items-center">
                             <ItemField>{variable.name}</ItemField>
                             <ItemField>****</ItemField>
+                            <ItemField>{variable.censored ? 'Hidden' : 'Visible'}</ItemField>
                             <ItemField className="flex justify-end">
                                 <ItemFieldContextMenu menuEntries={[
                                     {
@@ -83,14 +87,15 @@ export default function () {
 function AddVariableModal(props: { project?: Project, onClose: () => void }) {
     const [ name, setName ] = useState<string>("");
     const [ value, setValue ] = useState<string>("");
+    const [ censored, setCensored ] = useState<boolean>(true);
     const [ error, setError ] = useState<Error | undefined>();
 
     const addVariable = async () => {
         if (!props.project) {
             return;
         }
         try {
-            await getGitpodService().server.setProjectEnvironmentVariable(props.project.id, name, value);
+            await getGitpodService().server.setProjectEnvironmentVariable(props.project.id, name, value, censored);
             props.onClose();
         } catch (err) {
             setError(err);
@@ -104,18 +109,24 @@ function AddVariableModal(props: { project?: Project, onClose: () => void }) {
             {error && <div className="bg-gitpod-kumquat-light rounded-md p-3 text-gitpod-red text-sm mb-2">
                 {error}
             </div>}
-            <div className="mt-4">
+            <div className="mt-8">
                 <h4>Name</h4>
                 <input autoFocus className="w-full" type="text" name="name" value={name} onChange={e => setName(e.target.value)} />
             </div>
             <div className="mt-4">
                 <h4>Value</h4>
                 <input className="w-full" type="text" name="value" value={value} onChange={e => setValue(e.target.value)} />
             </div>
+            <div className="mt-4">
+                <CheckBox title="Hide in Workspaces" desc="Project variables are visible during prebuilds. Choose whether this variable should be visible in workspaces as well." checked={censored} onChange={() => setCensored(!censored)} />
+            </div>
+            {!censored && <div className="mt-4">
+                <InfoBox>This value will be directly visible to anyone who can open your repository in Gitpod.</InfoBox>
+            </div>}
         </div>
         <div className="flex justify-end mt-6">
             <button className="secondary" onClick={props.onClose}>Cancel</button>
-            <button className="ml-2" onClick={addVariable} >Add Variable</button>
+            <button className="ml-2" onClick={addVariable}>Add Variable</button>
         </div>
     </Modal>;
 }

components/gitpod-db/src/project-db.ts

@@ -16,7 +16,7 @@ export interface ProjectDB {
     storeProject(project: Project): Promise<Project>;
     updateProject(partialProject: PartialProject): Promise<void>;
     markDeleted(projectId: string): Promise<void>;
-    setProjectEnvironmentVariable(projectId: string, name: string, value: string): Promise<void>;
+    setProjectEnvironmentVariable(projectId: string, name: string, value: string, censored: boolean): Promise<void>;
     getProjectEnvironmentVariables(projectId: string): Promise<ProjectEnvVar[]>;
     getProjectEnvironmentVariableById(variableId: string): Promise<ProjectEnvVar | undefined>;
     deleteProjectEnvironmentVariable(variableId: string): Promise<void>;

components/gitpod-db/src/typeorm/entity/db-project-env-vars.ts

@@ -34,6 +34,9 @@ export class DBProjectEnvVar implements ProjectEnvVarWithValue {
     })
     value: string;
 
+    @Column()
+    censored: boolean;
+
     @Column("varchar")
     creationTime: string;
 

components/gitpod-db/src/typeorm/migration/1639735838107-ProjectEnvVars.ts

@@ -9,7 +9,7 @@ import { MigrationInterface, QueryRunner } from "typeorm";
 export class ProjectEnvVars1639735838107 implements MigrationInterface {
 
     public async up(queryRunner: QueryRunner): Promise<void> {
-        await queryRunner.query("CREATE TABLE IF NOT EXISTS `d_b_project_env_var` (`id` char(36) NOT NULL, `projectId` char(36) NOT NULL, `name` varchar(255) NOT NULL, `value` text NOT NULL, `creationTime` varchar(255) NOT NULL, `deleted` tinyint(4) NOT NULL DEFAULT '0', `_lastModified` timestamp(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6), PRIMARY KEY (`id`, `projectId`), KEY `ind_projectid` (projectId), KEY `ind_dbsync` (`_lastModified`)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;");
+        await queryRunner.query("CREATE TABLE IF NOT EXISTS `d_b_project_env_var` (`id` char(36) NOT NULL, `projectId` char(36) NOT NULL, `name` varchar(255) NOT NULL, `value` text NOT NULL, `censored` tinyint(4) NOT NULL, `creationTime` varchar(255) NOT NULL, `deleted` tinyint(4) NOT NULL DEFAULT '0', `_lastModified` timestamp(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6), PRIMARY KEY (`id`, `projectId`), KEY `ind_projectid` (projectId), KEY `ind_dbsync` (`_lastModified`)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;");
     }
 
     public async down(queryRunner: QueryRunner): Promise<void> {

components/gitpod-db/src/typeorm/project-db-impl.ts

@@ -108,18 +108,19 @@ export class ProjectDBImpl implements ProjectDB {
         }
     }
 
-    public async setProjectEnvironmentVariable(projectId: string, name: string, value: string): Promise<void>{
+    public async setProjectEnvironmentVariable(projectId: string, name: string, value: string, censored: boolean): Promise<void>{
         const envVarRepo = await this.getProjectEnvVarRepo();
         const envVarWithValue = await envVarRepo.findOne({ projectId, name, deleted: false });
         if (envVarWithValue) {
-            await envVarRepo.update({ id: envVarWithValue.id, projectId: envVarWithValue.projectId }, { value });
+            await envVarRepo.update({ id: envVarWithValue.id, projectId: envVarWithValue.projectId }, { value, censored });
             return;
         }
         await envVarRepo.save({
             id: uuidv4(),
             projectId,
             name,
             value,
+            censored,
             creationTime: new Date().toISOString(),
             deleted: false,
         });

components/gitpod-protocol/src/gitpod-service.ts

@@ -141,7 +141,7 @@ export interface GitpodServer extends JsonRpcServer<GitpodClient>, AdminServer,
     guessRepositoryConfiguration(cloneUrl: string): Promise<string | undefined>;
     setProjectConfiguration(projectId: string, configString: string): Promise<void>;
     updateProjectPartial(partialProject: PartialProject): Promise<void>;
-    setProjectEnvironmentVariable(projectId: string, name: string, value: string): Promise<void>;
+    setProjectEnvironmentVariable(projectId: string, name: string, value: string, censored: boolean): Promise<void>;
     getProjectEnvironmentVariables(projectId: string): Promise<ProjectEnvVar[]>;
     deleteProjectEnvironmentVariable(variableId: string): Promise<void>;
 

components/gitpod-protocol/src/protocol.ts

@@ -162,6 +162,7 @@ export interface EnvVarWithValue {
 export interface ProjectEnvVarWithValue extends EnvVarWithValue {
     id: string;
     projectId: string;
+    censored: boolean;
 }
 
 export type ProjectEnvVar = Omit<ProjectEnvVarWithValue, 'value'>;

components/server/src/projects/projects-service.ts

@@ -181,8 +181,8 @@ export class ProjectsService {
         return this.projectDB.updateProject(partialProject);
     }
 
-    async setProjectEnvironmentVariable(projectId: string, name: string, value: string): Promise<void> {
-        return this.projectDB.setProjectEnvironmentVariable(projectId, name, value);
+    async setProjectEnvironmentVariable(projectId: string, name: string, value: string, censored: boolean): Promise<void> {
+        return this.projectDB.setProjectEnvironmentVariable(projectId, name, value, censored);
     }
 
     async getProjectEnvironmentVariables(projectId: string): Promise<ProjectEnvVar[]> {

components/server/src/workspace/gitpod-server-impl.ts

@@ -484,15 +484,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
             throw new ResponseError(ErrorCodes.PERMISSION_DENIED, "Cannot (re-)start a deleted workspace.");
         }
         const userEnvVars = this.userDB.getEnvVars(user.id);
-        let projectEnvVarsPromise: Promise<ProjectEnvVar[]> = Promise.resolve([]);
-        if (workspace.projectId) {
-            try {
-                await this.guardProjectOperation(user, workspace.projectId, "get");
-                projectEnvVarsPromise = this.projectsService.getProjectEnvironmentVariables(workspace.projectId);
-            } catch (error) {
-                log.debug({ userId: user.id }, "User doesn't have access to the Project, thus not loading Project environment variables:", error);
-            }
-        }
+        let projectEnvVarsPromise = this.internalGetPublicProjectEnvVars(workspace.projectId);
 
         await mayStartPromise;
 
@@ -850,15 +842,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
                 throw err;
             }
 
-            let projectEnvVarsPromise: Promise<ProjectEnvVar[]> = Promise.resolve([]);
-            if (workspace.projectId) {
-                try {
-                    await this.guardProjectOperation(user, workspace.projectId, "get");
-                    projectEnvVarsPromise = this.projectsService.getProjectEnvironmentVariables(workspace.projectId);
-                } catch (error) {
-                    log.warn(logContext, "User doesn't have access to the Project, thus not loading Project environment variables:", error);
-                }
-            }
+            let projectEnvVarsPromise = this.internalGetPublicProjectEnvVars(workspace.projectId);
 
             logContext.workspaceId = workspace.id;
             traceWI(ctx, { workspaceId: workspace.id });
@@ -1374,11 +1358,11 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         await this.userDB.deleteEnvVar(envvar);
     }
 
-    async setProjectEnvironmentVariable(ctx: TraceContext, projectId: string, name: string, value: string): Promise<void> {
+    async setProjectEnvironmentVariable(ctx: TraceContext, projectId: string, name: string, value: string, censored: boolean): Promise<void> {
         traceAPIParams(ctx, { projectId, name }); // value may contain secrets
         const user = this.checkAndBlockUser("setProjectEnvironmentVariable");
         await this.guardProjectOperation(user, projectId, "update");
-        return this.projectsService.setProjectEnvironmentVariable(projectId, name, value);
+        return this.projectsService.setProjectEnvironmentVariable(projectId, name, value, censored);
     }
 
     async getProjectEnvironmentVariables(ctx: TraceContext, projectId: string): Promise<ProjectEnvVar[]> {
@@ -1399,6 +1383,18 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         return this.projectsService.deleteProjectEnvironmentVariable(envVar.id);
     }
 
+    protected async internalGetPublicProjectEnvVars(projectId?: string): Promise<ProjectEnvVar[]> {
+        if (!projectId) {
+            return [];
+        }
+        const projectEnvVars = await this.projectsService.getProjectEnvironmentVariables(projectId);
+        // Instead of using an access guard for Project environment variables, we let Project owners decide whether
+        // a variable should be:
+        //   - exposed in all workspaces (even for non-Project members when the repository is public), or
+        //   - censored from all workspaces (even for Project members)
+        return projectEnvVars.filter(variable => !variable.censored);
+    }
+
     protected async guardTeamOperation(teamId: string | undefined, op: ResourceAccessOp): Promise<void> {
         const team = await this.teamDB.findTeamById(teamId || "");
         if (!team) {