User Approval Flow for Package Installation

[eleanorjboyd]

Since this extension handles package installs, it should also correct communicate to the user about package installs and get user consent. The flow around package installs, user approval, when to allow background installs etc should be discussed and a plan outlined.

Security:

This is an important part of the user trust boundary as we should only have extensions install packages that have user consent. There could be different categories, trusted extensions that are allowed to install packages and untrusted extensions that need user consent to install.

Scenarios:

• extension wants to install a package, it is not a pre-approved extension to install packages
• extension wants to install a package, it is a pre-approved extension to install packages
• user wants to reduce notifications and select to have packages installed in the background for a given extension
• user wants to add, revoke, or edit which extensions can install / remove packages in a given workspace
• user wants to add, revoke, or edit which extensions can install / remove packages at a user or more global level
• user wants to accept installing a package without consenting to approve this extension going forward

Questions:

• How do we make sure users are in control of the package installs while not making the experience too noisy?
• Are there any extensions (like ones published by microsoft) that do not need to be prompted for the user to accept maybe only notified?
• Do we still notify users on package install even if the installer is a pre-approved extension? Do users want to be notified every time?

[luabud]

I'm wondering if it'd make sense to have a setting which maps extensions with "approval" status? and by default, no extension is approved until a notification is displayed to the user asking for consent.
Then in hits notification they would have a choice to approve package(s) installation just this time, always approve package(s) installation for that extension, decline package(s) installation.

I don't think we should pre-approve any extension, even if it's from Microsoft. I don't think this would be too noisy, since I don't expect package installation to be something that common on a session, especially coming from different providers/extensions 🤔

[DonJayamanne]

I don't think we should pre-approve any extension, even if it's from Microsoft

Agreed, in Jupyter extension we do the same
Data wrangler and synapse extensions execute code against a Jupyter kernel via the Jupyter extension API, here we have no special treatment for msft vs external extensions, same with Jupyter powertoys extension, which is managed by us as well,

[eleanorjboyd]

hard to see sorry but began thinking of the flow, you can use mermaid.live to play around with it yourself

flowchart TD
    A["Install a Package"]

    C1["End: No changes needed"]
    A --> B{"Does the user have a config file?"}
    B -- "No" --> D1{"Create a new config file?"}
    B -- "Yes" --> E1{"Append to existing config?"}
    D1 -- "No" --> C1

    subgraph "Create New Config"
        D1 -- "Yes" --> D2["Prompt user for config type"] --> D3["Create config based on selection"] 
        
    end

    subgraph "Append to Existing Config"
        
        E1 -- "Yes" --> E2["Append settings"]
        E1 -- "User has >1 config file" --> E3["Prompt user to select config"] --> E2
    end
    E1 -- "No" --> C1
    D3 --> C1
    E2 --> C1

flowchart TD
 subgraph subGraph0["User-Initiated Installation"]
        UI2["UI: User installs via extension manager"]
        UI3["AI Agent: User selects install after prompt"]
        UI6["User accepted extension installation"]
  end
 subgraph subGraph1["Background Installation"]
        BG1["AI Agent: Attempts to install via tool"]
        BG2["Extension: Attempts auto-install"]
        BG3["Notebook: JIT install attempt"]
  end
 subgraph subGraph2["Trust Flow"]
        T1{"Is the extension approved?"}
        T3{"Is pkg already installed?"}
        T4["Show notification"]
        T5@{ label: "Prompt: Approve, Trust, or Don't Install?" }
        T6["Update settings.json (Trust Extension)"]
  end
    UI2 --> A["Install Package"]
    UI3 --> A
    UI6 --> A
    BG1 --> A2["Trust Flow"]
    BG2 --> A2
    BG3 --> A2
    A2 --> T1
    T1 -- Yes --> A
    T1 -- No --> T3
    T3 -- yes --> T4
    T3 -- No --> T5
    T5 -- Don't Install --> T4
    T5 -- Approve This Install --> A
    T5 -- Trust This Extension --> T6
    T6 --> A

    T5@{ shape: diamond}

[karthiknadig]

Pylance Quickfix would probably use extension API so it would run into the same flow. For terminal CLI cases, I think, we can't control the flow.

[eleanorjboyd]

If the user selects a quick fix then it would be a user-initiated install instead of a background one right? So Ill add two different types of extension API flows, ones that are user-initiated and ones that are background.

good point about terminal CLI- forgot about that aspect

[cwebster-99]

Thanks for prepping this! I also wanted to mention @StellaHuang95 is looking into package install flows in the upcoming iteration from Pylance's perspective, so I would love to discuss ways in which this flow could be aided with info from Pylance since these will be complementary.

[eleanorjboyd]

flowchart TD
 subgraph subGraph0["User-Initiated Installation"]
        UI2["UI: User installs via extension manager"]
        UI3["AI Agent: User selects install after prompt"]
        UI6["User accepted extension installation"]
  end
 subgraph subGraph1["Background Installation"]
        BG1["AI Agent: Attempts to install via tool"]
        BG2["Extension: Attempts auto-install"]
        BG3["Notebook: JIT install attempt"]
  end
 subgraph subGraph2["AllowInstalls Flow"]
        T1{"Is the extension approved?"}
        T3{"Is pkg already installed?"}
        T4["Show notification"]
        T5@{ label: "Quickpick: Approve Once, Approve ext always, or Don't Install?" }
        T6["Update settings.json (Trust Extension)"]
  end
    UI2 --> A["Install Package"]
    UI3 --> A
    UI6 --> A
    BG1 --> A2["AllowInstalls Flow"]
    BG2 --> A2
    BG3 --> A2
    A2 --> T1
    T1 -- Yes --> A
    T1 -- No --> T3
    T3 -- yes --> T4
    T3 -- No --> T5
    T5 -- Don't Install --> T4
    T5 -- Approve This Install --> A
    T5 -- Trust This Extension --> T6
    T6 --> A

flowchart TD
    A["Install a Package"]

    C1["End of action"]
    A --> B{"Does the user have a config file? MVP only support requirements.txt"}
    B -- "No" --> D1{"Create a new config file?"}
    B -- "Yes" --> E1{"Append to existing config?"}
    D1 -- "No" --> C1

    subgraph "Create New Config"
        D1 -- "Yes" -->  D3["Create config based on selection"] 
        
    end

    subgraph "Append to Existing Config"
        
        E1 -- "Yes" --> E2["edit requirements.txt at root?"]
    end
    E1 -- "No" --> C1
    D3 --> C1
    E2 --> C1