Works quite similarly to vscode.dev. The client has a key stored in
secret storage. The server has a key stored server-side, and issues
an http-only cookie to the client. The client can ask the server to
combine its key and the http-only cookie key to a key component, which
it combines with its local key to encrypt and decrypt data.
This logic kicks in if the web server bits see a `vscode-secret-key-path`
cookie set when it loads.
Fixes#191501
It turns out this was a difference in inflate/deflate implementations
between the extension/SDK and the CLI. The SDK uses Node's zlib bindings,
while by default Rust's flate2 library uses a rust port of [miniz][1].
The 'logic' in the CLI was good, but miniz does not appear to flush
decompressed data as nicely on SYNC'd boundaries as zlib does, which
caused data to 'stall'. Telling the flate2 crate to use the native
bindings fixed this.
This could also be the cause of the flakiness occasionally seen on idle
tunnel connections!
[1]: https://github.com/richgel999/miniz
Closes https://github.com/microsoft/vscode/issues/168492
This implements @aeschli's 'server server' concept in a new
`code serve-web` command.
Command line args are similar to the standalone web server. The first
time a user hits that page, the latest version of the VS Code web server
will be downloaded and run. Thanks to Martin's previous PRs, all
resources the page requests are prefixed with `/<quality-<commit>`.
The latest release version is cached, but when the page is loaded again
and there's a new release, a the new server version will be downloaded
and started up.
Behind the scenes the servers all listen on named pipes/sockets and the
CLI acts as a proxy server to those sockets. Servers without connections
for an hour will be shut down automatically.
- Remove the `prepare` script entirely
- Variables are now populated from the product.json during build. Most
variables are mapped automatically, with some special handling in a
few cases. `build.rs` is now much more self-contained.
- Look for the `product.overrides.json` for vscode developers instead of
looking for a peer `vscode-distro` folder
Fixes#178691
* forwarding: add built-in tunnel forwarding extension
- Support public/private ports, which accounts for most of the work in
the CLI. Previously ports were only privat.
- Make the extension built-in. Ported from the remote-containers
extension with some tweaks for privacy and durability.
- This also removes the opt-in flag, by not reimplementing it 😛
Fixes https://github.com/microsoft/vscode/issues/189677
Fixes https://github.com/microsoft/vscode/issues/189678
* fixup! comments
---------
Co-authored-by: Raymond Zhao <7199958+rzhao271@users.noreply.github.com>
This reuses a lot of the logic we use for the normal VS Code Server
tunnel to do port forwarding. It does use a _different_ tunnel than what
Remote Tunnels would otherwise use for the control server. The reason
for this is that ports exist on a tunnel instance, and if we reused the
same tunnel then a client would expect all CLI hosts to serve all
tunnels, where the port forwarding instance would not provide the VS
Code server. It also reuses the singleton logic so all ports on a
machine are handled by a single CLI instance for the same reason: we
can't have different instances hosting subsets of
ports on a single tunnel.
Currently all ports are under the default privacy: support for
public/private tunnels is either later today or next iteration.
Previously we only tried to recycle a tunnel once, so if the tunnel
limit changed and was reduced by >1 we'd fail even though we should
have actually just recycled multiple tunnels.
Also, only trigger recycling if the specific tunnel limit is hit.
* cli: allow exec server to listen on a port and require token authentication
For remote ssh on Windows where pipe forwarding doesn't work
* fix linux build
- Apply the name/tunnel-name from the CLI to automatically
(do a normal tag sync). Previously the CLI could host tunnels that
were unusable unless the consumer did the tag setup, which they
should not.
- Allow "tunnel ID" to be specified in the new `<id>.<cluster>` format
that devtunnels has adopted.
- When turning on remote tunnel access, a quickpick is now shown asking
users whether it should be installed as a service or just run in
the session.
- Picking the service install will install the tunnel as a service on
the machine, and start it.
- Turning off remote tunnel access will uninstall the service only if
we were the ones to install it.
- This involved some refactoring to add extra state to the RemoteTunnelService.
There's now a "mode" that includes the previous "session" and reflects
the desired end state.
- I also did a cleanup with a `StreamSplitter` to ensure output of the
CLI gets read line-by-line. This was depended upon by the remote tunnel
service code, but it's not actually guaranteed.
- Changes in the CLI: allow setting the tunnel name while installing the
service, and make both service un/installation and renames idempotent.
Closes https://github.com/microsoft/vscode/issues/184663
Adds a 5s timeout to keychain access on Linux. We had an issue about this a long time ago, but I never repro'd it until today and can't find the original...
If this timeout is hit, it'll fall back to the file-based keychain.
* cli: ensure ordering of rpc server messages
Sending lots of messages to a stream would block them around the async
tokio mutex, which is "fair" so doesn't preserve ordering. Instead, use
the write_loop approach I introduced to the server_multiplexer for the
same reason some time ago.
* fix clippy
* signing: implement signing service on the web
* wip
* cli: implement stdio service
This is used to implement the exec server for WSL. Guarded behind a signed handshake.
* update distro
* rm debug
* address pr comments
* cli: store cli in user data dir, separate per quality
Fixes#181017
On first run, the `~/.vscode-cli` will be migrated inside the user data dir of the currently running quality.
* use create_dir_all instead
* clippy fixes
