From 397ab13d6e215e3902d8609175a4333f1c6825aa Mon Sep 17 00:00:00 2001
From: Marcus Robinson <marrobi@microsoft.com>
Date: Mon, 16 Dec 2024 12:07:25 +0000
Subject: [PATCH] Enable VS Code Extension Gallery to be proxied via Sonatype
 Nexus RM (#4188)

---
 CHANGELOG.md                                  |  1 +
 docs/tre-templates/shared-services/nexus.md   | 71 +++++++++++++++++++
 .../sonatype-nexus-vm/porter.yaml             |  2 +-
 .../scripts/configure_nexus_repos.sh          | 10 +++
 .../vscode_extensions_proxy_conf.json         | 32 +++++++++
 .../sonatype-nexus-vm/terraform/locals.tf     |  2 +-
 6 files changed, 116 insertions(+), 2 deletions(-)
 create mode 100644 templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/vscode_extensions_proxy_conf.json

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a529ffcbd9..4094db546c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ ENHANCEMENTS:
 * Move Github PR bot commands into main documentation ([#4167](https://github.com/microsoft/AzureTRE/pull/4167))
 * Block Authentication with keys to CosmosDB SQL account ([#4175](https://github.com/microsoft/AzureTRE/pull/4175))
 * Add support for customer-managed keys encryption in base workspace ([#4161](https://github.com/microsoft/AzureTRE/pull/4161))
+* Add ability to download VSCode Extensions ([[#4187](https://github.com/microsoft/AzureTRE/issues/4187)])
 * Update Windows VM Images ([#4198](https://github.com/microsoft/AzureTRE/pull/4198))
 
 BUG FIXES:
diff --git a/docs/tre-templates/shared-services/nexus.md b/docs/tre-templates/shared-services/nexus.md
index 3717f986e8..51c134ebe4 100644
--- a/docs/tre-templates/shared-services/nexus.md
+++ b/docs/tre-templates/shared-services/nexus.md
@@ -93,6 +93,7 @@ Nexus Shared Service requires access to resources outside of the Azure TRE VNET.
 | Microsoft Keys | raw | [https://packages.microsoft.com/keys/] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-keys` | Provide access to Microsoft keys |
 | Microsoft Yum | yum | [https://packages.microsoft.com/yumrepos] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-yum` | Provide access to Microsoft Yum packages |
 | Microsoft Download | raw | [https://download.microsoft.com/download] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-download` | Provide access to Microsoft Downloads |
+| VS Code Extensions | raw | [https://marketplace.visualstudio.com/_apis/public/gallery/publishers/] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/vscode-extensions/` | Provide access to VS Code extensions |
 
 ### Migrate from an existing V1 Nexus service (hosted on App Service)
 
@@ -130,3 +131,73 @@ sudo docker pull {NEXUS_URL}:8083/hello-world
 the default port out of the box is 8083
 
 Nexus will also need "Anonymous Access" set to "Enable". This can be done by logging into the Nexus Portal with the Admin user and following the prompts.
+
+## Using the VS Code Extensions
+
+To fetch and install VS Code extensions, use the following commands:
+
+```bash
+curl -o {publisher}-{extension}-{version}.vsix https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/vscode-extensions/{publisher}/vsextensions/{extension}/{version}/vspackage
+
+code --install-extension {publisher}-{extension}-{version}.vsix
+```
+
+The extensions which are  available to users can be restricted by configuring content selectors using the package `path` via the SonatypeNexus RM web interface.
+
+If extensions want to be intalled in bulk, a script such as the following can be used:
+
+```bash
+#!/bin/bash
+
+# Function to display usage
+usage() {
+    echo "Usage: $0 -t TRE_ID -l LOCATION [--install]"
+    exit 1
+}
+
+# Parse command line arguments
+INSTALL=false
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        -t|--tre-id) TRE_ID="$2"; shift ;;
+        -l|--location) LOCATION="$2"; shift ;;
+        --install) INSTALL=true ;;
+        *) usage ;;
+    esac
+    shift
+done
+
+# Check if TRE_ID and LOCATION are provided
+if [ -z "$TRE_ID" ] || [ -z "$LOCATION" ]; then
+    usage
+fi
+
+# Define the list of extensions
+extensions=(
+    "ms-python.debugpy@2024.14.0"
+    "ms-python.python@2024.22.0"
+    "ms-python.vscode-pylance@2024.12.1"
+    "ms-toolsai.datawrangler@1.14.0"
+    "ms-toolsai.jupyter@2024.10.0"
+    "ms-toolsai.jupyter-keymap@1.1.2"
+    "ms-toolsai.jupyter-renderers@1.0.21"
+    "ms-toolsai.vscode-jupyter-cell-tags@0.1.9"
+    "ms-toolsai.vscode-jupyter-slideshow@0.1.6"
+)
+
+# Define the base URL
+base_url="https://nexus-${TRE_ID}.${LOCATION}.cloudapp.azure.com/repository/vscode-extensions"
+
+# Loop through each extension and download it
+for ext in "${extensions[@]}"; do
+    IFS='@' read -r publisher_extension version <<< "$ext"
+    IFS='.' read -r publisher extension <<< "$publisher_extension"
+    vsix_file="${publisher}-${extension}-${version}.vsix"
+    curl -o "$vsix_file" "${base_url}/${publisher}/vsextensions/${extension}/${version}/vspackage"
+    
+    # Install the extension if --install flag is set
+    if [ "$INSTALL" = true ]; then
+        code --install-extension "$vsix_file"
+    fi
+done
+```
diff --git a/templates/shared_services/sonatype-nexus-vm/porter.yaml b/templates/shared_services/sonatype-nexus-vm/porter.yaml
index 534b8684ff..2ffb3e5ea4 100644
--- a/templates/shared_services/sonatype-nexus-vm/porter.yaml
+++ b/templates/shared_services/sonatype-nexus-vm/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-sonatype-nexus
-version: 3.1.1
+version: 3.2.1
 description: "A Sonatype Nexus shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_repos.sh b/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_repos.sh
index 3487f1413c..8e6a8456de 100644
--- a/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_repos.sh
+++ b/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_repos.sh
@@ -59,3 +59,13 @@ status_code=$(curl -iu admin:"$1" -XPUT \
   -d @"$(dirname "${BASH_SOURCE[0]}")"/nexus_realms_config.json \
   -k -s -w "%{http_code}" -o /dev/null)
 echo "Response received from Nexus: $status_code"
+
+# Add a new section to handle the VS Code extensions configuration
+echo 'Configuring VS Code extensions proxy...'
+status_code=$(curl -iu admin:"$1" -XPOST \
+  'http://localhost/service/rest/v1/repositories/raw/proxy' \
+  -H 'accept: application/json' \
+  -H 'Content-Type: application/json' \
+  -d @"$(dirname "${BASH_SOURCE[0]}")"/nexus_repos_config/vscode_extensions_proxy_conf.json \
+  -k -s -w "%{http_code}" -o /dev/null)
+echo "Response received from Nexus: $status_code"
diff --git a/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/vscode_extensions_proxy_conf.json b/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/vscode_extensions_proxy_conf.json
new file mode 100644
index 0000000000..745b0a25aa
--- /dev/null
+++ b/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/vscode_extensions_proxy_conf.json
@@ -0,0 +1,32 @@
+{
+  "name": "vscode-extensions",
+  "online": true,
+  "storage": {
+    "blobStoreName": "default",
+    "strictContentTypeValidation": true,
+    "write_policy": "ALLOW"
+  },
+  "proxy": {
+    "remoteUrl": "https://marketplace.visualstudio.com/_apis/public/gallery/publishers/",
+    "contentMaxAge": 1440,
+    "metadataMaxAge": 1440
+  },
+  "negativeCache": {
+    "enabled": true,
+    "timeToLive": 1440
+  },
+  "httpClient": {
+    "blocked": false,
+    "autoBlock": false,
+    "connection": {
+      "retries": 0,
+      "userAgentSuffix": "string",
+      "timeout": 60,
+      "enableCircularRedirects": false,
+      "enableCookies": false,
+      "useTrustStore": false
+    }
+  },
+  "baseType": "raw",
+  "repoType": "proxy"
+}
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf b/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf
index 67cae90039..85bb6d34f6 100644
--- a/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf
+++ b/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf
@@ -1,7 +1,7 @@
 locals {
   core_vnet                       = "vnet-${var.tre_id}"
   core_resource_group_name        = "rg-${var.tre_id}"
-  nexus_allowed_fqdns             = "pypi.org,*.pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org,download1.rstudio.org,*.snapcraftcontent.com,download.microsoft.com"
+  nexus_allowed_fqdns             = "pypi.org,*.pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org,download1.rstudio.org,*.snapcraftcontent.com,download.microsoft.com,marketplace.visualstudio.com"
   nexus_allowed_fqdns_list        = distinct(compact(split(",", replace(local.nexus_allowed_fqdns, " ", ""))))
   workspace_vm_allowed_fqdns      = "r3.o.lencr.org,x1.c.lencr.org"
   workspace_vm_allowed_fqdns_list = distinct(compact(split(",", replace(local.workspace_vm_allowed_fqdns, " ", ""))))