Implement Project-level environment variables (WIP)

Author: jankeromnes

components/dashboard/src/App.tsx

@@ -21,7 +21,6 @@ import { trackButtonOrAnchor, trackPathChange, trackLocation } from './Analytics
 import { User } from '@gitpod/gitpod-protocol';
 import * as GitpodCookie from '@gitpod/gitpod-protocol/lib/util/gitpod-cookie';
 import { Experiment } from './experiments';
-import ProjectSettings from './projects/ProjectSettings';
 
 const Setup = React.lazy(() => import(/* webpackPrefetch: true */ './Setup'));
 const Workspaces = React.lazy(() => import(/* webpackPrefetch: true */ './workspaces/Workspaces'));
@@ -42,6 +41,8 @@ const NewProject = React.lazy(() => import(/* webpackPrefetch: true */ './projec
 const ConfigureProject = React.lazy(() => import(/* webpackPrefetch: true */ './projects/ConfigureProject'));
 const Projects = React.lazy(() => import(/* webpackPrefetch: true */ './projects/Projects'));
 const Project = React.lazy(() => import(/* webpackPrefetch: true */ './projects/Project'));
+const ProjectSettings = React.lazy(() => import(/* webpackPrefetch: true */ './projects/ProjectSettings'));
+const ProjectVariables = React.lazy(() => import(/* webpackPrefetch: true */ './projects/ProjectVariables'));
 const Prebuilds = React.lazy(() => import(/* webpackPrefetch: true */ './projects/Prebuilds'));
 const Prebuild = React.lazy(() => import(/* webpackPrefetch: true */ './projects/Prebuild'));
 const InstallGitHubApp = React.lazy(() => import(/* webpackPrefetch: true */ './projects/InstallGitHubApp'));
@@ -305,6 +306,9 @@ function App() {
                         if (resourceOrPrebuild === "configure") {
                             return <ConfigureProject />;
                         }
+                        if (resourceOrPrebuild === "variables") {
+                            return <ProjectVariables />;
+                        }
                         if (resourceOrPrebuild === "workspaces") {
                             return <Workspaces />;
                         }
@@ -338,11 +342,14 @@ function App() {
                             if (maybeProject === "settings") {
                                 return <TeamSettings />;
                             }
+                            if (resourceOrPrebuild === "settings") {
+                                return <ProjectSettings />;
+                            }
                             if (resourceOrPrebuild === "configure") {
                                 return <ConfigureProject />;
                             }
-                            if (resourceOrPrebuild === "settings") {
-                                return <ProjectSettings />;
+                            if (resourceOrPrebuild === "variables") {
+                                return <ProjectVariables />;
                             }
                             if (resourceOrPrebuild === "workspaces") {
                                 return <Workspaces />;

components/dashboard/src/Menu.tsx

@@ -47,7 +47,7 @@ export default function Menu() {
     })();
     const prebuildId = (() => {
         const resource = projectSlug && match?.params?.segment3;
-        if (resource !== "workspaces" && resource !== "prebuilds" && resource !== "settings" && resource !== "configure") {
+        if (resource !== "workspaces" && resource !== "prebuilds" && resource !== "settings" && resource !== "configure" && resource !== "variables") {
             return resource;
         }
     })();

components/dashboard/src/projects/ProjectSettings.tsx

@@ -25,6 +25,10 @@ export function getProjectSettingsMenu(project?: Project, team?: Team) {
             title: 'Configuration',
             link: [`/${teamOrUserSlug}/${project?.slug || project?.name}/configure`],
         },
+        {
+            title: 'Variables',
+            link: [`/${teamOrUserSlug}/${project?.slug || project?.name}/variables`],
+        },
     ];
 }
 

components/dashboard/src/projects/ProjectVariables.tsx

@@ -0,0 +1,42 @@
+/**
+ * Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { ProjectEnvVar } from "@gitpod/gitpod-protocol";
+import { useContext, useEffect, useState } from "react";
+import { getGitpodService } from "../service/service";
+import { ProjectContext } from "./project-context";
+import { ProjectSettingsPage } from "./ProjectSettings";
+
+export default function () {
+    const { project } = useContext(ProjectContext);
+    const [ envVars, setEnvVars ] = useState<ProjectEnvVar[]>([]);
+
+    const updateEnvVars = async (projectId: string) => {
+        const vars = await getGitpodService().server.getProjectEnvironmentVariables(projectId);
+        setEnvVars(vars);
+    }
+
+    useEffect(() => {
+        if (!project) {
+            return;
+        }
+        updateEnvVars(project.id);
+    }, [project]);
+
+    const setEnvVar = async (name: string, value: string) => {
+        if (!project) {
+            return;
+        }
+        await getGitpodService().server.setProjectEnvironmentVariable(project.id, name, value);
+        await updateEnvVars(project.id);
+    }
+
+    return <ProjectSettingsPage project={project}>
+        <h3>Project Variables</h3>
+        <ul>{envVars.map(e => <li>{e.name}</li>)}</ul>
+        <button onClick={() => setEnvVar('TEST', 'VALUE')}>Create</button>
+    </ProjectSettingsPage>;
+}

components/gitpod-db/src/project-db.ts

@@ -4,7 +4,7 @@
  * See License.enterprise.txt in the project root folder.
  */
 
-import { PartialProject, Project } from "@gitpod/gitpod-protocol";
+import { PartialProject, Project, ProjectEnvVar } from "@gitpod/gitpod-protocol";
 
 export const ProjectDB = Symbol('ProjectDB');
 export interface ProjectDB {
@@ -16,4 +16,7 @@ export interface ProjectDB {
     storeProject(project: Project): Promise<Project>;
     updateProject(partialProject: PartialProject): Promise<void>;
     markDeleted(projectId: string): Promise<void>;
+    setProjectEnvironmentVariable(projectId: string, name: string, value: string): Promise<void>;
+    getProjectEnvironmentVariables(projectId: string): Promise<ProjectEnvVar[]>;
+    deleteProjectEnvironmentVariable(projectId: string, name: string): Promise<void>;
 }

components/gitpod-db/src/tables.ts

@@ -47,7 +47,7 @@ export class GitpodSessionTableDescriptionProvider implements TableDescriptionPr
 /**
  * BEWARE
  *
- * When updating this list, make sure you update the deleted-entry-gc in gitpod-db
+ * When updating this list, make sure you update the deleted-entry-gc.ts in gitpod-db
  * as well, if you're adding a table that needs some of its entries deleted.
  */
 @injectable()
@@ -250,6 +250,18 @@ export class GitpodTableDescriptionProvider implements TableDescriptionProvider
             deletionColumn: 'deleted',
             timeColumn: '_lastModified',
         },
+        {
+            name: 'd_b_project_env_var',
+            primaryKeys: ['id', 'projectId'],
+            deletionColumn: 'deleted',
+            timeColumn: '_lastModified',
+        },
+        /**
+         * BEWARE
+         *
+         * When updating this list, make sure you update the deleted-entry-gc.ts in gitpod-db
+         * as well, if you're adding a table that needs some of its entries deleted.
+         */
     ]
 
     public getSortedTables(): TableDescription[] {

components/gitpod-db/src/typeorm/deleted-entry-gc.ts

@@ -58,6 +58,7 @@ const tables: TableWithDeletion[] = [
     { deletionColumn: "deleted", name: "d_b_project" },
     { deletionColumn: "deleted", name: "d_b_prebuild_info" },
     { deletionColumn: "deleted", name: "d_b_oss_allow_list" },
+    { deletionColumn: "deleted", name: "d_b_project_env_var" },
 ];
 
 interface TableWithDeletion {

components/gitpod-db/src/typeorm/entity/db-project-env-vars.ts

@@ -0,0 +1,46 @@
+/**
+ * Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { PrimaryColumn, Entity, Column } from "typeorm";
+import { TypeORM } from "../typeorm";
+import { ProjectEnvVarWithValue } from "@gitpod/gitpod-protocol";
+import { Transformer } from "../transformer";
+import { encryptionService } from "../user-db-impl";
+
+@Entity()
+// on DB but not Typeorm: @Index("ind_lastModified", ["_lastModified"])   // DBSync
+export class DBProjectEnvVar implements ProjectEnvVarWithValue {
+    @PrimaryColumn(TypeORM.UUID_COLUMN_TYPE)
+    id: string;
+
+    // projectId must be part of the primary key as otherwise malicious users could overwrite
+    // the value of arbitrary user env vars because we use TypeORM.save. If the projectId were
+    // not part of the primary key, this save call would overwrite env vars with arbitrary IDs,
+    // allowing an attacker to steal other users environment variables.
+    // But projectId is part of the primary key and we ensure that users can only overwrite/set variables
+    // that belong to them.
+    @PrimaryColumn(TypeORM.UUID_COLUMN_TYPE)
+    projectId: string;
+
+    @Column()
+    name: string;
+
+    @Column({
+        type: "simple-json",
+        transformer: Transformer.compose(
+            Transformer.SIMPLE_JSON([]),
+            Transformer.encrypted(() => encryptionService)
+        )
+    })
+    value: string;
+
+    @Column("varchar")
+    creationTime: string;
+
+    // This column triggers the db-sync deletion mechanism. It's not intended for public consumption.
+    @Column()
+    deleted: boolean;
+}

components/gitpod-db/src/typeorm/migration/1639735838107-ProjectEnvVars.ts

@@ -0,0 +1,18 @@
+/**
+ * Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class ProjectEnvVars1639735838107 implements MigrationInterface {
+
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query("CREATE TABLE IF NOT EXISTS `d_b_project_env_var` (`id` char(36) NOT NULL, `projectId` char(36) NOT NULL, `name` varchar(255) NOT NULL, `value` text NOT NULL, `creationTime` varchar(255) NOT NULL, `deleted` tinyint(4) NOT NULL DEFAULT '0', `_lastModified` timestamp(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6), PRIMARY KEY (`id`, `projectId`), KEY `ind_projectid` (projectId), KEY `ind_dbsync` (`_lastModified`)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;");
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+    }
+
+}

components/gitpod-db/src/typeorm/project-db-impl.ts

@@ -7,22 +7,31 @@
 import { inject, injectable } from "inversify";
 import { TypeORM } from "./typeorm";
 import { Repository } from "typeorm";
+import { v4 as uuidv4 } from 'uuid';
+import { PartialProject, Project, ProjectEnvVar } from "@gitpod/gitpod-protocol";
+import { EncryptionService } from "@gitpod/gitpod-protocol/lib/encryption/encryption-service";
+import { censor } from '@gitpod/gitpod-protocol/lib/util/censor';
 import { ProjectDB } from "../project-db";
 import { DBProject } from "./entity/db-project";
-import { PartialProject, Project } from "@gitpod/gitpod-protocol";
+import { DBProjectEnvVar } from "./entity/db-project-env-vars";
 
 @injectable()
 export class ProjectDBImpl implements ProjectDB {
     @inject(TypeORM) typeORM: TypeORM;
+    @inject(EncryptionService) protected readonly encryptionService: EncryptionService;
 
     protected async getEntityManager() {
         return (await this.typeORM.getConnection()).manager;
     }
 
-    async getRepo(): Promise<Repository<DBProject>> {
+    protected async getRepo(): Promise<Repository<DBProject>> {
         return (await this.getEntityManager()).getRepository<DBProject>(DBProject);
     }
 
+    protected async getProjectEnvVarRepo(): Promise<Repository<DBProjectEnvVar>> {
+        return (await this.getEntityManager()).getRepository<DBProjectEnvVar>(DBProjectEnvVar);
+    }
+
     public async findProjectById(projectId: string): Promise<Project | undefined> {
         const repo = await this.getRepo();
         return repo.findOne({ id: projectId, markedDeleted: false });
@@ -77,4 +86,39 @@ export class ProjectDBImpl implements ProjectDB {
             await repo.save(project);
         }
     }
+
+    public async setProjectEnvironmentVariable(projectId: string, name: string, value: string): Promise<void>{
+        const envVarRepo = await this.getProjectEnvVarRepo();
+        let envVar = await envVarRepo.findOne({ projectId, name, deleted: false });
+        if (envVar) {
+            envVar.value = value;
+        } else {
+            envVar = {
+                id: uuidv4(),
+                projectId,
+                name,
+                value,
+                creationTime: new Date().toISOString(),
+                deleted: false,
+            };
+        }
+        await envVarRepo.save(envVar);
+    }
+
+    public async getProjectEnvironmentVariables(projectId: string): Promise<ProjectEnvVar[]> {
+        const envVarRepo = await this.getProjectEnvVarRepo();
+        const envVarsWithValue = await envVarRepo.find({ projectId, deleted: false });
+        const envVars = envVarsWithValue.map(v => (censor(v, 'value') as any as ProjectEnvVar));
+        return envVars;
+    }
+
+    public async deleteProjectEnvironmentVariable(projectId: string, name: string): Promise<void> {
+        const envVarRepo = await this.getProjectEnvVarRepo();
+        const envVar = await envVarRepo.findOne({ projectId, name, deleted: false });
+        if (!envVar) {
+            throw new Error('A environment variable with this name could not be found for this project');
+        }
+        envVar.deleted = true;
+        envVarRepo.update(envVar.id, envVar);
+    }
 }

components/gitpod-protocol/src/gitpod-service.ts

@@ -9,7 +9,7 @@ import {
     WhitelistedRepository, WorkspaceImageBuild, AuthProviderInfo, Branding, CreateWorkspaceMode,
     Token, UserEnvVarValue, ResolvePluginsParams, PreparePluginUploadParams, Terms,
     ResolvedPlugins, Configuration, InstallPluginsParams, UninstallPluginParams, UserInfo, GitpodTokenType,
-    GitpodToken, AuthProviderEntry, GuessGitTokenScopesParams, GuessedGitTokenScopes
+    GitpodToken, AuthProviderEntry, GuessGitTokenScopesParams, GuessedGitTokenScopes, ProjectEnvVar
 } from './protocol';
 import {
     Team, TeamMemberInfo,
@@ -142,6 +142,9 @@ export interface GitpodServer extends JsonRpcServer<GitpodClient>, AdminServer,
     guessRepositoryConfiguration(cloneUrl: string): Promise<string | undefined>;
     setProjectConfiguration(projectId: string, configString: string): Promise<void>;
     updateProjectPartial(partialProject: PartialProject): Promise<void>;
+    setProjectEnvironmentVariable(projectId: string, name: string, value: string): Promise<void>;
+    getProjectEnvironmentVariables(projectId: string): Promise<ProjectEnvVar[]>;
+    deleteProjectEnvironmentVariable(projectId: string, name: string): Promise<void>;
 
     // content service
     getContentBlobUploadUrl(name: string): Promise<string>

components/gitpod-protocol/src/protocol.ts

@@ -151,10 +151,19 @@ export interface UserFeatureSettings {
 export const WorkspaceFeatureFlags = { "full_workspace_backup": undefined, "fixed_resources": undefined };
 export type NamedWorkspaceFeatureFlag = keyof (typeof WorkspaceFeatureFlags);
 
+export interface ProjectEnvVarWithValue {
+    id: string;
+    projectId: string;
+    name: string;
+    value: string;
+}
+
+export type ProjectEnvVar = Omit<Project, 'value'>;
+
 export interface UserEnvVarValue {
     id?: string;
     name: string;
-    repositoryPattern: string;
+    repositoryPattern: string; // DEPRECATED: Use ProjectEnvVar instead - https://github.com/gitpod-com/gitpod/issues/5322
     value: string;
 }
 export interface UserEnvVar extends UserEnvVarValue {
@@ -163,6 +172,7 @@ export interface UserEnvVar extends UserEnvVarValue {
     deleted?: boolean;
 }
 
+// DEPRECATED: Use ProjectEnvVar instead - https://github.com/gitpod-com/gitpod/issues/5322
 export namespace UserEnvVar {
 
     export function normalizeRepoPattern(pattern: string) {

components/server/src/auth/rate-limiter.ts

@@ -80,6 +80,9 @@ function getConfig(config: RateLimiterConfig): RateLimiterConfig {
         "getAllEnvVars": { group: "default", points: 1 },
         "setEnvVar": { group: "default", points: 1 },
         "deleteEnvVar": { group: "default", points: 1 },
+        "setProjectEnvironmentVariable": { group: "default", points: 1 },
+        "getProjectEnvironmentVariables": { group: "default", points: 1 },
+        "deleteProjectEnvironmentVariable": { group: "default", points: 1 },
         "getTeams": { group: "default", points: 1 },
         "getTeamMembers": { group: "default", points: 1 },
         "createTeam": { group: "default", points: 1 },

components/server/src/projects/projects-service.ts

@@ -6,7 +6,7 @@
 
 import { inject, injectable } from "inversify";
 import { DBWithTracing, ProjectDB, TeamDB, TracedWorkspaceDB, UserDB, WorkspaceDB } from "@gitpod/gitpod-db/lib";
-import { Branch, CommitContext, PrebuildWithStatus, CreateProjectParams, FindPrebuildsParams, Project, User, WorkspaceConfig } from "@gitpod/gitpod-protocol";
+import { Branch, CommitContext, PrebuildWithStatus, CreateProjectParams, FindPrebuildsParams, Project, User, WorkspaceConfig, ProjectEnvVar } from "@gitpod/gitpod-protocol";
 import { TraceContext } from "@gitpod/gitpod-protocol/lib/util/tracing";
 import { HostContextProvider } from "../auth/host-context-provider";
 import { FileProvider, RepoURL } from "../repohost";
@@ -230,4 +230,16 @@ export class ProjectsService {
         return this.projectDB.updateProject(partialProject);
     }
 
+    async setProjectEnvironmentVariable(projectId: string, name: string, value: string): Promise<void> {
+        return this.projectDB.setProjectEnvironmentVariable(projectId, name, value);
+    }
+
+    async getProjectEnvironmentVariables(projectId: string): Promise<ProjectEnvVar[]> {
+        return this.projectDB.getProjectEnvironmentVariables(projectId);
+    }
+
+    async deleteProjectEnvironmentVariable(projectId: string, name: string): Promise<void> {
+        return this.projectDB.deleteProjectEnvironmentVariable(projectId, name);
+    }
+
 }