Declare limited support for untrusted workspaces by only supporting Pylance (microsoft/vscode-python#17998)

* Untrusted workspaces

* Reactivate extension when trust is granted to a workspace

* If Jedi is selected as language server, do not activate it

* Only send telemetry which is applicable for untrusted workspaces

Author: Kartik Raj

extensions/positron-python/news/1 Enhancements/18031.md

@@ -0,0 +1 @@
+Declare limited support for untrusted workspaces by only supporting Pylance.

extensions/positron-python/package.json

@@ -8,7 +8,8 @@
     },
     "capabilities": {
         "untrustedWorkspaces": {
-            "supported": false
+            "supported": "limited",
+            "description": "Only Partial IntelliSense with Pylance is supported. Cannot execute Python with untrusted files."
         },
         "virtualWorkspaces": {
             "supported": "limited",

extensions/positron-python/package.nls.json

@@ -171,6 +171,7 @@
     "LanguageService.lsFailedToStart": "We encountered an issue starting the language server. Reverting to Jedi language engine. Check the Python output panel for details.",
     "LanguageService.lsFailedToDownload": "We encountered an issue downloading the language server. Reverting to Jedi language engine. Check the Python output panel for details.",
     "LanguageService.lsFailedToExtract": "We encountered an issue extracting the language server. Reverting to Jedi language engine. Check the Python output panel for details.",
+    "LanguageService.untrustedWorkspaceMessage": "Only Pylance is supported in untrusted workspaces, setting language server to None.",
     "LanguageService.downloadFailedOutputMessage": "Language server download failed",
     "LanguageService.extractionFailedOutputMessage": "Language server extraction failed",
     "LanguageService.extractionCompletedOutputMessage": "Language server download complete",

extensions/positron-python/src/client/activation/activationManager.ts

@@ -40,6 +40,14 @@ export class ExtensionActivationManager implements IExtensionActivationManager {
         @inject(IExperimentService) private readonly experiments: IExperimentService,
         @inject(IInterpreterPathService) private readonly interpreterPathService: IInterpreterPathService,
     ) {
+        if (!this.workspaceService.isTrusted) {
+            this.activationServices = this.activationServices.filter(
+                (service) => service.supportedWorkspaceTypes.untrustedWorkspace,
+            );
+            this.singleActivationServices = this.singleActivationServices.filter(
+                (service) => service.supportedWorkspaceTypes.untrustedWorkspace,
+            );
+        }
         if (this.workspaceService.isVirtualWorkspace) {
             this.activationServices = this.activationServices.filter(
                 (service) => service.supportedWorkspaceTypes.virtualWorkspace,
@@ -80,13 +88,14 @@ export class ExtensionActivationManager implements IExtensionActivationManager {
         }
         this.activatedWorkspaces.add(key);
 
-        if (this.experiments.inExperimentSync(DeprecatePythonPath.experiment)) {
-            await this.interpreterPathService.copyOldInterpreterStorageValuesToNew(resource);
+        if (this.workspaceService.isTrusted) {
+            // Do not interact with interpreters in a untrusted workspace.
+            if (this.experiments.inExperimentSync(DeprecatePythonPath.experiment)) {
+                await this.interpreterPathService.copyOldInterpreterStorageValuesToNew(resource);
+            }
+            await this.autoSelection.autoSelectInterpreter(resource);
         }
-
         await sendActivationTelemetry(this.fileSystem, this.workspaceService, resource);
-
-        await this.autoSelection.autoSelectInterpreter(resource);
         await Promise.all(this.activationServices.map((item) => item.activate(resource)));
         await this.appDiagnostics.performPreStartupHealthCheck(resource);
     }

extensions/positron-python/src/client/activation/activationService.ts

@@ -57,7 +57,7 @@ export class LanguageServerExtensionActivationService
 
     private readonly output: OutputChannel;
 
-    private readonly interpreterService: IInterpreterService;
+    private readonly interpreterService?: IInterpreterService;
 
     private readonly languageServerChangeHandler: LanguageServerChangeHandler;
 
@@ -69,14 +69,16 @@ export class LanguageServerExtensionActivationService
     ) {
         this.workspaceService = this.serviceContainer.get<IWorkspaceService>(IWorkspaceService);
         this.configurationService = this.serviceContainer.get<IConfigurationService>(IConfigurationService);
-        this.interpreterService = this.serviceContainer.get<IInterpreterService>(IInterpreterService);
         this.output = this.serviceContainer.get<OutputChannel>(IOutputChannel, STANDARD_OUTPUT_CHANNEL);
 
         const disposables = serviceContainer.get<IDisposableRegistry>(IDisposableRegistry);
         disposables.push(this);
         disposables.push(this.workspaceService.onDidChangeConfiguration(this.onDidChangeConfiguration.bind(this)));
         disposables.push(this.workspaceService.onDidChangeWorkspaceFolders(this.onWorkspaceFoldersChanged, this));
-        disposables.push(this.interpreterService.onDidChangeInterpreter(this.onDidChangeInterpreter.bind(this)));
+        if (this.workspaceService.isTrusted) {
+            this.interpreterService = this.serviceContainer.get<IInterpreterService>(IInterpreterService);
+            disposables.push(this.interpreterService.onDidChangeInterpreter(this.onDidChangeInterpreter.bind(this)));
+        }
 
         this.languageServerChangeHandler = new LanguageServerChangeHandler(
             this.getCurrentLanguageServerType(),
@@ -93,7 +95,7 @@ export class LanguageServerExtensionActivationService
         const stopWatch = new StopWatch();
         // Get a new server and dispose of the old one (might be the same one)
         this.resource = resource;
-        const interpreter = await this.interpreterService.getActiveInterpreter(resource);
+        const interpreter = await this.interpreterService?.getActiveInterpreter(resource);
         const key = await this.getKey(resource, interpreter);
 
         // If we have an old server with a different key, then deactivate it as the
@@ -235,6 +237,14 @@ export class LanguageServerExtensionActivationService
             }
         }
 
+        if (
+            !this.workspaceService.isTrusted &&
+            serverType !== LanguageServerType.Node &&
+            serverType !== LanguageServerType.None
+        ) {
+            this.output.appendLine(LanguageService.untrustedWorkspaceMessage());
+            serverType = LanguageServerType.None;
+        }
         this.sendTelemetryForChosenLanguageServer(serverType).ignoreErrors();
         await this.logStartup(serverType);
         let server = this.serviceContainer.get<ILanguageServerActivator>(ILanguageServerActivator, serverType);
@@ -305,7 +315,7 @@ export class LanguageServerExtensionActivationService
             resource,
             workspacePathNameForGlobalWorkspaces,
         );
-        interpreter = interpreter || (await this.interpreterService.getActiveInterpreter(resource));
+        interpreter = interpreter || (await this.interpreterService?.getActiveInterpreter(resource));
         const interperterPortion = interpreter ? `${interpreter.path}-${interpreter.envName}` : '';
         return `${resourcePortion}-${interperterPortion}`;
     }

extensions/positron-python/src/client/activation/node/analysisOptions.ts

@@ -18,6 +18,7 @@ export class NodeLanguageServerAnalysisOptions extends LanguageServerAnalysisOpt
     protected async getInitializationOptions() {
         return {
             experimentationSupport: true,
+            trustedWorkspaceSupport: true,
         };
     }
 }

extensions/positron-python/src/client/activation/node/languageServerProxy.ts

@@ -23,6 +23,7 @@ import { FileBasedCancellationStrategy } from '../common/cancellationUtils';
 import { ProgressReporting } from '../progress';
 import { ILanguageClientFactory, ILanguageServerFolderService, ILanguageServerProxy } from '../types';
 import { traceDecoratorError, traceDecoratorVerbose, traceError } from '../../logging';
+import { IWorkspaceService } from '../../common/application/types';
 
 namespace InExperiment {
     export const Method = 'python/inExperiment';
@@ -64,6 +65,7 @@ export class NodeLanguageServerProxy implements ILanguageServerProxy {
         @inject(IExperimentService) private readonly experimentService: IExperimentService,
         @inject(IInterpreterPathService) private readonly interpreterPathService: IInterpreterPathService,
         @inject(IEnvironmentVariablesProvider) private readonly environmentService: IEnvironmentVariablesProvider,
+        @inject(IWorkspaceService) private readonly workspace: IWorkspaceService,
     ) {
         this.startupCompleted = createDeferred<void>();
     }
@@ -127,6 +129,14 @@ export class NodeLanguageServerProxy implements ILanguageServerProxy {
                 }
             });
 
+            this.disposables.push(
+                this.workspace.onDidGrantWorkspaceTrust(() => {
+                    this.languageClient!.onReady().then(() => {
+                        this.languageClient!.sendNotification('python/workspaceTrusted', { isTrusted: true });
+                    });
+                }),
+            );
+
             this.disposables.push(this.languageClient.start());
             await this.serverReady();
 
@@ -224,5 +234,13 @@ export class NodeLanguageServerProxy implements ILanguageServerProxy {
                 return { value };
             },
         );
+
+        this.disposables.push(
+            this.languageClient!.onRequest('python/isTrustedWorkspace', async () => {
+                return {
+                    isTrusted: this.workspace.isTrusted,
+                };
+            }),
+        );
     }
 }

extensions/positron-python/src/client/application/diagnostics/applicationDiagnostics.ts

@@ -5,6 +5,7 @@
 
 import { inject, injectable, named } from 'inversify';
 import { DiagnosticSeverity } from 'vscode';
+import { IWorkspaceService } from '../../common/application/types';
 import { isTestExecution, STANDARD_OUTPUT_CHANNEL } from '../../common/constants';
 import { IOutputChannel, Resource } from '../../common/types';
 import { IServiceContainer } from '../../ioc/types';
@@ -26,7 +27,11 @@ export class ApplicationDiagnostics implements IApplicationDiagnostics {
         if (isTestExecution()) {
             return;
         }
-        const services = this.serviceContainer.getAll<IDiagnosticsService>(IDiagnosticsService);
+        let services = this.serviceContainer.getAll<IDiagnosticsService>(IDiagnosticsService);
+        const workspaceService = this.serviceContainer.get<IWorkspaceService>(IWorkspaceService);
+        if (!workspaceService.isTrusted) {
+            services = services.filter((item) => item.runInUntrustedWorkspace);
+        }
         // Perform these validation checks in the foreground.
         await this.runDiagnostics(
             services.filter((item) => !item.runInBackground),

extensions/positron-python/src/client/application/diagnostics/base.ts

@@ -35,6 +35,7 @@ export abstract class BaseDiagnosticsService implements IDiagnosticsService, IDi
         @unmanaged() protected serviceContainer: IServiceContainer,
         @unmanaged() disposableRegistry: IDisposableRegistry,
         @unmanaged() public readonly runInBackground: boolean = false,
+        @unmanaged() public readonly runInUntrustedWorkspace: boolean = false,
     ) {
         this.filterService = serviceContainer.get<IDiagnosticFilterService>(IDiagnosticFilterService);
         disposableRegistry.push(this);

extensions/positron-python/src/client/application/diagnostics/checks/envPathVariable.ts

@@ -43,7 +43,13 @@ export class EnvironmentPathVariableDiagnosticsService extends BaseDiagnosticsSe
         @inject(IServiceContainer) serviceContainer: IServiceContainer,
         @inject(IDisposableRegistry) disposableRegistry: IDisposableRegistry,
     ) {
-        super([DiagnosticCodes.InvalidEnvironmentPathVariableDiagnostic], serviceContainer, disposableRegistry, true);
+        super(
+            [DiagnosticCodes.InvalidEnvironmentPathVariableDiagnostic],
+            serviceContainer,
+            disposableRegistry,
+            true,
+            true,
+        );
         this.platform = this.serviceContainer.get<IPlatformService>(IPlatformService);
         this.messageService = serviceContainer.get<IDiagnosticHandlerService<MessageCommandPrompt>>(
             IDiagnosticHandlerService,