feat(workspace): implement workspace trust dialog and management

[eneufeld]

What it does

Adds workspace trust functionality:

• Trust dialog on folder open (respecting startupPrompt preference)
• Trusted folders list preference for global trust decisions
• Per-workspace trust storage for 'once' mode
• Restricted Mode banner when workspace is untrusted
• "Manage Workspace Trust" command to toggle trust state
• onDidChangeWorkspaceTrust event for plugins

Plugin API:

• Add onDidChangeWorkspaceTrust: Event to workspace namespace
• Update workspace.ts and workspace-main.ts for RPC event flow

Preferences added:

• security.workspace.trust.trustedFolders (string array)

Closes #16653

How to test

Open a new workspace after enabling workspace trust checks.
See a dialog pop up. Test that trusted workspaces don't show dialog anymore. Untrusted workspaces show a message.

Follow-ups

Breaking changes

• This PR introduces breaking changes and requires careful review. If yes, the breaking changes section in the changelog has been updated.

Attribution

Review checklist

• As an author, I have thoroughly tested my changes and carefully followed the review guidelines
• User-facing text is internationalized using the nls service (for details, please see the Internationalization/Localization section in the Coding Guidelines)

Reminder for reviewers

• As a reviewer, I agree to behave in accordance with the review guidelines

[ndoschek]

Hi @eneufeld, thanks for this improvement!

Unfortunately it does not work as expected for me. If I trust new folders, the decision is not saved, i.e., I cannot see it in the settings and hence I get prompted on each reload.
If I add the path manually via the settings UI it works, however only after a manual reload, it seems the manual settings change does not trigger the update listener.

Could you have a look if it behaves the same on your machine?

Besides that, I added a few minor comments inline, would be great if you could have a look. TIA!

[ndoschek]

Thanks for the update Eugen!
It works much better now, but I still found a few cases which are not working correctly, yet.

1. After hitting Yes, I trust the authors in the dialog, I still get the restricted mode popup which is incocrrect, as the trusted path has been saved to the settings alrleady.
   Also the additional notification from before keeps showing after I trust the workspace. Not sure if we should keep this at all? wdyt? In either case we should clear this popup if we trusted the workspace.

2. If i cancel the trust dialog, the restriced mode popup shows as expected. But then the "Manage Workspace Trust" does not work if I try to select trust, this does not update the settings accordingly.

3. The dialog does not show for an empty window if the setting is disabled:

Overall it looks good to me, it also works fine with the remaining settings 👍
Would be great if you could have another look, TIA!

[eneufeld]

@ndoschek about The dialog does not show for an empty window if the setting is disabled:
So my understanding is:
emptyWindow: true → empty window trusted
emptyWindow: false → empty window in restricted mode

If we have an empty window we don't have a workspace that we can trust or not trust.
I fixed the issue of the dialog not showing on folder switch though.

[ndoschek]

Hi @eneufeld, thank you for the updates!

About the emptyWindow setting: Ah that totally makes sense, thanks!
However unfortunately I always get the restricted popup independent of the setting (and it also does not listen to the setting change), could you have another look there please?

And unfortunately, point 1. from my previous comment is still not resolved for me:

• After hitting Yes, I trust the authors in the dialog, I still get the restricted mode popup which is incorrect, as the trusted path has been saved to the settings correctly.
• About the additional popup, I am not sure if we should keep that, if i cancel the new dialog for example and then hit yes in the popup nothing happens. I would suggest to remove the additional popup and integrate the info in the new dialog, WDYT?

And as mentioned above, the restricted popup does not listen to any settings change, either for the emptyWindow above. Also in this case: dismiss the dialog, restricted popup appears, executing the command and trust the workspace => the trust setting was updated for this folder, but the restricted popup is still showing and has to be dismissed manually. I think we should clear the restricted popup when the settings change.

Would be great if you could have another look.
Thanks for you patience with this, but if we can get these things fixed we should be good to get this merged, thanks!

[ndoschek]

Thanks @eneufeld this is a great improvement, and I think we are very close now.
I added a few comments inline, but nothing major.

Besides that one of my previous comments is still unresolved.
The notification we are now still getting is the one shown below, I would still be in favour of removing it, wdyt?
Also, the actions do not work properly, e.g. if I dismiss the main dialog and then click on yes in this notification the workspace is not trusted.

Besides that, as discussed offline, I will work on the theme update soon and then we can also make use of the different styles for status bar items (there is a prominent styling for status bar items, which we should the pick for this item).
But I can take care of that in a follow up.

[ndoschek]

Suggested change

	description: currentTrust ? nls.localize('theia/workspace/currentTrustState', '(current)') : undefined
	const currentSuffix = `(${nls.localizeByDefault('current')})`,
	...
	description: currentTrust ? currentSuffix : undefined

And also for the item below

[ndoschek]

The test file creates emitters but doesn't dispose of them after tests complete. While this may not cause issues in isolated tests, it's good practice to clean up.

[ndoschek]

Suggested change

	command: 'workspace:manageTrust'
	command: MANAGE_WORKSPACE_TRUST.id

[ndoschek]

Could we use URI's built-in normalization?

Suggested change

	return trustedFolders.some(folder => {
	// Strip trailing slash from folder string before creating URI
	const normalizedFolder = folder.endsWith('/') ? folder.slice(0, -1) : folder;
	const folderUri = new URI(normalizedFolder);
	return workspaceUri.isEqual(folderUri, caseSensitive);
	});
	return trustedFolders.some(folder => {
	try {
	const folderUri = new URI(folder).normalizePath();
	return workspaceUri.normalizePath().isEqual(folderUri, caseSensitive);
	} catch {
	return false; // Invalid URI in preferences
	}
	});

[ndoschek]

This subscription should be ideally stored in a disposable collection, as we never dispose it., probably also for the other subscriptions above.