Check Workspace Owner when launching non-ephemeral Sessions

eclipse-theia · Aug 6, 2024 · c1c71da · c1c71da
1 parent 4f84c4c
commit c1c71da
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/...or/src/main/java/org/eclipse/theia/cloud/operator/handler/session/LazySessionHandler.java b/...or/src/main/java/org/eclipse/theia/cloud/operator/handler/session/LazySessionHandler.java
@@ -348,6 +348,15 @@ protected Optional<String> getStorageName(Session session, String correlationId)
             return Optional.empty();
 
         }
+        if (!session.getSpec().getUser().equals(workspace.get().getSpec().getUser())) {
+            // the workspace is owned by a different user. do not mount and go ephemeral
+            // should get prevented by service, but we need to be sure to not expose data
+            LOGGER.error(formatLogMessage(correlationId,
+                    "Workspace is owned by " + workspace.get().getSpec().getUser() + ", but requesting user is "
+                            + session.getSpec().getUser()));
+            return Optional.empty();
+        }
+
         String storageName = WorkspaceUtil.getStorageName(workspace.get());
         if (!client.persistentVolumeClaimsClient().has(storageName)) {
             LOGGER.info(formatLogMessage(correlationId,