Add functionality

Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>

Author: RomanNikitenko

code/ALLOWED_EXTENSIONS_POLICY.md

@@ -0,0 +1,107 @@
+# Allowed Extensions Policy
+
+Che-Code supports reading an allowed extensions policy from a file on the filesystem where the server is started. This allows administrators to control which extensions can be installed and used.
+
+## Usage
+
+Start the server with the `--allowed-extensions-policy-file` argument:
+
+```bash
+./code-server --allowed-extensions-policy-file /path/to/policy.json
+```
+
+The path can be either absolute or relative to the current working directory where the server is started.
+
+## Policy File Format
+
+The policy file must be a valid JSON file containing a policy object with the `AllowedExtensions` key. The value should match the format of the `extensions.allowed` configuration setting.
+
+### Example: Allow All Extensions
+
+```json
+{
+	"AllowedExtensions": {
+		"*": true
+	}
+}
+```
+
+### Example: Allow Specific Extensions
+
+```json
+{
+	"AllowedExtensions": {
+		"ms-python.python": true,
+		"ms-vscode.vscode-typescript-next": true,
+		"redhat.java": true
+	}
+}
+```
+
+### Example: Allow Only Stable Versions
+
+```json
+{
+	"AllowedExtensions": {
+		"ms-python.python": "stable",
+		"ms-vscode.vscode-typescript-next": true
+	}
+}
+```
+
+### Example: Allow Specific Versions
+
+```json
+{
+	"AllowedExtensions": {
+		"ms-python.python": ["1.2.3", "linux-x64@1.2.4"],
+		"ms-vscode.vscode-typescript-next": true
+	}
+}
+```
+
+### Example: Allow All Extensions from a Publisher
+
+```json
+{
+	"AllowedExtensions": {
+		"ms-python": true,
+		"ms-vscode": true
+	}
+}
+```
+
+### Example: Deny All Extensions
+
+```json
+{
+	"AllowedExtensions": {
+		"*": false
+	}
+}
+```
+
+## Policy File Location
+
+The policy file should be placed in a location accessible to the server process. Common locations:
+
+- `/etc/che-code/policy.json` (system-wide)
+- `/opt/che-code/policy.json` (installation directory)
+- `./policy.json` (current working directory)
+
+## How It Works
+
+1. When the server starts, it reads the policy file specified by `--allowed-extensions-policy-file`
+2. The policy file is parsed and the `AllowedExtensions` policy is extracted
+3. The policy is applied to the `extensions.allowed` configuration setting
+4. The `AllowedExtensionsService` enforces the policy when extensions are installed or used
+5. If the policy file changes, the server will automatically reload the policy (with a 500ms delay)
+
+## Notes
+
+- The policy file must be valid JSON
+- If the file doesn't exist or cannot be read, the server will log an error but continue to start
+- The policy takes precedence over user settings
+- The policy file is watched for changes and will be reloaded automatically
+
+

code/src/vs/platform/extensionManagement/common/extensionManagement.ts

@@ -575,6 +575,10 @@ export type InstallOptions = {
 	productVersion?: IProductVersion;
 	keepExisting?: boolean;
 	downloadExtensionsLocally?: boolean;
+	/**
+	 * Indicates that this extension is from DEFAULT_EXTENSIONS and should bypass policy checks
+	 */
+	isDefault?: boolean;
 	/**
 	 * Context passed through to InstallExtensionResult
 	 */
@@ -709,6 +713,7 @@ export async function computeSize(location: URI, fileService: IFileService): Pro
 export const ExtensionsLocalizedLabel = localize2('extensions', "Extensions");
 export const PreferencesLocalizedLabel = localize2('preferences', 'Preferences');
 export const AllowedExtensionsConfigKey = 'extensions.allowed';
+export const BlockNonGalleryExtensionsConfigKey = 'extensions.blockNonGalleryExtensions';
 export const VerifyExtensionSignatureConfigKey = 'extensions.verifySignature';
 
 Registry.as<IConfigurationRegistry>(Extensions.Configuration)
@@ -781,6 +786,17 @@ Registry.as<IConfigurationRegistry>(Extensions.Configuration)
 						],
 					}
 				}
+			},
+			[BlockNonGalleryExtensionsConfigKey]: {
+				type: 'boolean',
+				markdownDescription: localize('extensions.blockNonGalleryExtensions', "When enabled and the allowed extensions policy is configured, blocks installation of non-gallery extensions (VSIX files and resource extensions). Only extensions from the gallery can be installed."),
+				default: false,
+				scope: ConfigurationScope.APPLICATION,
+				policy: {
+					name: 'BlockNonGalleryExtensions',
+					minimumVersion: '1.96',
+					description: localize('extensions.blockNonGalleryExtensions.policy', "When enabled and the allowed extensions policy is configured, blocks installation of non-gallery extensions (VSIX files and resource extensions). Only extensions from the gallery can be installed."),
+				},
 			}
 		}
 	});

code/src/vs/platform/extensionManagement/node/extensionManagementService.ts

@@ -34,6 +34,8 @@ import {
 	ExtensionSignatureVerificationCode,
 	computeSize,
 	IAllowedExtensionsService,
+	AllowedExtensionsConfigKey,
+	BlockNonGalleryExtensionsConfigKey,
 	VerifyExtensionSignatureConfigKey,
 	shouldRequireRepositorySignatureFor,
 } from '../common/extensionManagement.js';
@@ -144,7 +146,12 @@ export class ExtensionManagementService extends AbstractExtensionManagementServi
 	}
 
 	async install(vsix: URI, options: InstallOptions = {}): Promise<ILocalExtension> {
+		this.logService.info('========================= INSTALL === node.ExtensionManagementService ', vsix);
+
 		this.logService.trace('ExtensionManagementService#install', vsix.toString());
+		this.logService.info('+++++ ExtensionManagementService#install = ILC ', vsix.path);
+
+		const isDefaultExtension = options.isDefault === true;
 
 		const { location, cleanup } = await this.downloadVsix(vsix);
 
@@ -155,9 +162,30 @@ export class ExtensionManagementService extends AbstractExtensionManagementServi
 				throw new Error(nls.localize('incompatible', "Unable to install extension '{0}' as it is not compatible with VS Code '{1}'.", extensionId, this.productService.version));
 			}
 
-			const allowedToInstall = this.allowedExtensionsService.isAllowed({ id: extensionId, version: manifest.version, publisherDisplayName: undefined });
-			if (allowedToInstall !== true) {
-				throw new Error(nls.localize('notAllowed', "This extension cannot be installed because {0}", allowedToInstall.value));
+			// Block VSIX installations if the policy is configured and blockNonGalleryExtensions is enabled
+			// Skip this check for default extensions (from DEFAULT_EXTENSIONS)
+			if (!isDefaultExtension) {
+				const blockNonGallery = this.configurationService.getValue<boolean>(BlockNonGalleryExtensionsConfigKey);
+				this.logService.info('+++++ ExtensionManagementService +++ blockNonGallery ', blockNonGallery);
+				const hasPolicy = this.configurationService.inspect(AllowedExtensionsConfigKey).policy !== undefined;
+				if (hasPolicy && blockNonGallery) {
+					this.logService.info('+++++ ExtensionManagementService +++ hasPolicy ', hasPolicy);
+					throw new Error(nls.localize('vsix not allowed', "VSIX files cannot be installed because only extensions from the gallery are allowed. Please install this extension from the Extensions marketplace."));
+				} else {
+					this.logService.info('+++++ ExtensionManagementService +++ NOT hasPolicy ', hasPolicy);
+				}
+			} else {
+				this.logService.info('!!!!!!!! ExtensionManagementService#install - skipping blockNonGallery check for default extension');
+			}
+
+			// Skip allowedExtensionsService check for default extensions (from DEFAULT_EXTENSIONS)
+			if (!isDefaultExtension) {
+				const allowedToInstall = this.allowedExtensionsService.isAllowed({ id: extensionId, version: manifest.version, publisherDisplayName: undefined });
+				if (allowedToInstall !== true) {
+					throw new Error(nls.localize('notAllowed', "This extension cannot be installed because {0}", allowedToInstall.value));
+				}
+			} else {
+				this.logService.info('!!!!!!!! ExtensionManagementService#install - skipping allowedExtensionsService check for default extension');
 			}
 
 			const results = await this.installExtensions([{ manifest, extension: location, options }]);