feat: Add ability to manage extensions installation using a ConfigMap

Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>
Assisted-by: Cursor AI

Author: RomanNikitenko

code/src/vs/server/node/che/serverServices.ts

@@ -0,0 +1,38 @@
+/**********************************************************************
+ * Copyright (c) 2025 Red Hat, Inc.
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ ***********************************************************************/
+/* eslint-disable header/header */
+
+import * as fs from 'fs';
+import { URI } from '../../../base/common/uri.js';
+import { DisposableStore } from '../../../base/common/lifecycle.js';
+import { FileService } from '../../../platform/files/common/fileService.js';
+import { LogService } from '../../../platform/log/common/logService.js';
+import { FilePolicyService } from '../../../platform/policy/common/filePolicyService.js';
+import { IPolicyService, NullPolicyService } from '../../../platform/policy/common/policy.js';
+import { ServerEnvironmentService } from '../serverEnvironmentService.js';
+
+const POLICY_FILE_PATH = '/checode-config/policy.json';
+
+export function getPolicyFile(): URI | undefined {
+	if (fs.existsSync(POLICY_FILE_PATH)) {
+		return URI.file(POLICY_FILE_PATH);
+	}
+	return undefined;
+}
+
+export function getPolicyService(environmentService: ServerEnvironmentService, fileService: FileService, logService: LogService, disposables: DisposableStore): IPolicyService {
+	if (environmentService.policyFile) {
+		logService.info(`Using policy file: ${environmentService.policyFile.fsPath}`);
+		return disposables.add(new FilePolicyService(environmentService.policyFile, fileService, logService));
+	} else {
+		logService.info('Policy file not found');
+		return new NullPolicyService();
+	}
+}

code/src/vs/server/node/serverEnvironmentService.ts

@@ -13,6 +13,7 @@ import { memoize } from '../../base/common/decorators.js';
 import { URI } from '../../base/common/uri.js';
 import { joinPath } from '../../base/common/resources.js';
 import { join } from '../../base/common/path.js';
+import { getPolicyFile } from './che/serverServices.js';
 
 export const serverOptions: OptionDescriptions<Required<ServerParsedArgs>> = {
 
@@ -240,4 +241,8 @@ export class ServerEnvironmentService extends NativeEnvironmentService implement
 	@memoize
 	get mcpResource(): URI { return joinPath(URI.file(join(this.userDataPath, 'User')), 'mcp.json'); }
 	override get args(): ServerParsedArgs { return super.args as ServerParsedArgs; }
+	@memoize
+	override get policyFile(): URI | undefined {
+		return getPolicyFile() || super.policyFile;
+	}
 }

code/src/vs/server/node/serverServices.ts

@@ -65,7 +65,7 @@ import { IExtensionsScannerService } from '../../platform/extensionManagement/co
 import { ExtensionsScannerService } from './extensionsScannerService.js';
 import { IExtensionsProfileScannerService } from '../../platform/extensionManagement/common/extensionsProfileScannerService.js';
 import { IUserDataProfilesService } from '../../platform/userDataProfile/common/userDataProfile.js';
-import { NullPolicyService } from '../../platform/policy/common/policy.js';
+import { PolicyChannel } from '../../platform/policy/common/policyIpc.js';
 import { OneDataSystemAppender } from '../../platform/telemetry/node/1dsAppender.js';
 import { LoggerService } from '../../platform/log/node/loggerService.js';
 import { ServerUserDataProfilesService } from '../../platform/userDataProfile/node/userDataProfile.js';
@@ -93,6 +93,7 @@ import { McpManagementChannel } from '../../platform/mcp/common/mcpManagementIpc
 import { AllowedMcpServersService } from '../../platform/mcp/common/allowedMcpServersService.js';
 import { IMcpGalleryManifestService } from '../../platform/mcp/common/mcpGalleryManifest.js';
 import { McpGalleryManifestIPCService } from '../../platform/mcp/common/mcpGalleryManifestServiceIpc.js';
+import { getPolicyService } from './che/serverServices.js';
 
 const eventPrefix = 'monacoworkbench';
 
@@ -139,7 +140,8 @@ export async function setupServerServices(connectionToken: ServerConnectionToken
 	services.set(IUriIdentityService, uriIdentityService);
 
 	// Configuration
-	const configurationService = new ConfigurationService(environmentService.machineSettingsResource, fileService, new NullPolicyService(), logService);
+	const policyService = getPolicyService(environmentService, fileService, logService, disposables);
+	const configurationService = new ConfigurationService(environmentService.machineSettingsResource, fileService, policyService, logService);
 	services.set(IConfigurationService, configurationService);
 
 	// User Data Profiles
@@ -257,6 +259,7 @@ export async function setupServerServices(connectionToken: ServerConnectionToken
 		socketServer.registerChannel('extensions', channel);
 
 		socketServer.registerChannel('mcpManagement', new McpManagementChannel(mcpManagementService, (ctx: RemoteAgentConnectionContext) => getUriTransformer(ctx.remoteAuthority)));
+		socketServer.registerChannel('policy', new PolicyChannel(policyService));
 
 		// clean up extensions folder
 		remoteExtensionsScanner.whenExtensionsReady().then(() => extensionManagementService.cleanUp());

code/src/vs/workbench/browser/che/web.ts

@@ -0,0 +1,43 @@
+/**********************************************************************
+ * Copyright (c) 2025 Red Hat, Inc.
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ ***********************************************************************/
+/* eslint-disable header/header */
+
+import { ILogService } from '../../../platform/log/common/log.js';
+import { IPolicyService, NullPolicyService } from '../../../platform/policy/common/policy.js';
+import { PolicyChannelClient } from '../../../platform/policy/common/policyIpc.js';
+import { IRemoteAgentService } from '../../services/remote/common/remoteAgentService.js';
+
+// Get policy service from remote agent if available, otherwise use NullPolicyService
+export function getPolicyService(remoteAgentService: IRemoteAgentService, logService: ILogService, remoteAuthority?: string): IPolicyService {
+
+    let policyService: IPolicyService;
+    if (remoteAuthority) {
+        try {
+            const connection = remoteAgentService.getConnection();
+            if (connection) {
+                const policyChannel = connection.getChannel('policy');
+                // PolicyChannelClient needs initial policiesData - start with empty object, policies will be loaded when definitions are registered
+                policyService = new PolicyChannelClient({}, policyChannel);
+                logService.info('Policy channel client was created successfully');
+            } else {
+                logService.warn('Failed to get remote aget connection, using NullPolicyService');
+                policyService = new NullPolicyService();
+            }
+        } catch (error) {
+            console.log('/// web main /// connection - ERROR ');
+            logService.warn('Failed to create policy channel client, using NullPolicyService', error);
+            policyService = new NullPolicyService();
+        }
+    } else {
+        logService.warn('Failed to create policy channel client(no remote authority), using NullPolicyService');
+        policyService = new NullPolicyService();
+    }
+    return policyService;
+}

code/src/vs/workbench/browser/web.main.ts

@@ -68,7 +68,6 @@ import { IProgressService } from '../../platform/progress/common/progress.js';
 import { DelayedLogChannel } from '../services/output/common/delayedLogChannel.js';
 import { dirname, joinPath } from '../../base/common/resources.js';
 import { IUserDataProfile, IUserDataProfilesService } from '../../platform/userDataProfile/common/userDataProfile.js';
-import { NullPolicyService } from '../../platform/policy/common/policy.js';
 import { IRemoteExplorerService } from '../services/remote/common/remoteExplorerService.js';
 import { DisposableTunnel, TunnelProtocol } from '../../platform/tunnel/common/tunnel.js';
 import { ILabelService } from '../../platform/label/common/label.js';
@@ -95,6 +94,7 @@ import { ISecretStorageService } from '../../platform/secrets/common/secrets.js'
 import { TunnelSource } from '../services/remote/common/tunnelModel.js';
 import { mainWindow } from '../../base/browser/window.js';
 import { INotificationService, Severity } from '../../platform/notification/common/notification.js';
+import { getPolicyService } from './che/web.js';
 
 export class BrowserMain extends Disposable {
 
@@ -567,7 +567,7 @@ export class BrowserMain extends Disposable {
 		}
 
 		const configurationCache = new ConfigurationCache([Schemas.file, Schemas.vscodeUserData, Schemas.tmp] /* Cache all non native resources */, environmentService, fileService);
-		const workspaceService = new WorkspaceService({ remoteAuthority: this.configuration.remoteAuthority, configurationCache }, environmentService, userDataProfileService, userDataProfilesService, fileService, remoteAgentService, uriIdentityService, logService, new NullPolicyService());
+		const workspaceService = new WorkspaceService({ remoteAuthority: this.configuration.remoteAuthority, configurationCache }, environmentService, userDataProfileService, userDataProfilesService, fileService, remoteAgentService, uriIdentityService, logService, getPolicyService(remoteAgentService,logService, this.configuration.remoteAuthority));
 
 		try {
 			await workspaceService.initialize(workspace);

code/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts

@@ -2406,6 +2406,12 @@ export class ExtensionsWorkbenchService extends Disposable implements IExtension
 		}
 
 		if (extension.gallery) {
+			// Check if extension is allowed first (before checking platform compatibility or signing)
+			const allowedResult = this.allowedExtensionsService.isAllowed({ id: extension.gallery.identifier.id, publisherDisplayName: extension.gallery.publisherDisplayName });
+			if (allowedResult !== true) {
+				return new MarkdownString(nls.localize('extension not allowed to install', "This extension cannot be installed because it is not in the allowed list."));
+			}
+
 			if (!extension.gallery.isSigned && shouldRequireRepositorySignatureFor(extension.private, await this.extensionGalleryManifestService.getExtensionGalleryManifest())) {
 				return new MarkdownString().appendText(nls.localize('not signed', "This extension is not signed."));
 			}