Merge pull request #1890 from codefori/secure_password

Change secrets API

Author: worksofliam

src/api/Storage.ts

@@ -5,14 +5,22 @@ const LAST_PROFILE_KEY = `currentProfile`;
 const SOURCE_LIST_KEY = `sourceList`;
 const DEPLOYMENT_KEY = `deployment`;
 const DEBUG_KEY = `debug`;
-const SERVER_SETTINGS_CACHE_KEY = (name : string) => `serverSettingsCache_${name}`;
+const SERVER_SETTINGS_CACHE_KEY = (name: string) => `serverSettingsCache_${name}`;
 const PREVIOUS_SEARCH_TERMS_KEY = `prevSearchTerms`;
 const RECENTLY_OPENED_FILES_KEY = `recentlyOpenedFiles`;
+const AUTHORISED_EXTENSIONS_KEY = `authorisedExtensions`
 
 export type PathContent = Record<string, string[]>;
 export type DeploymentPath = Record<string, string>;
 export type DebugCommands = Record<string, string>;
 
+type AuthorisedExtension = {
+  id: string
+  displayName: string
+  since: number
+  lastAccess: number
+}
+
 abstract class Storage {
   protected readonly globalState;
 
@@ -180,7 +188,7 @@ export class ConnectionStorage extends Storage {
     return this.set(DEBUG_KEY, existingCommands);
   }
 
-  getWorkspaceDeployPath(workspaceFolder : vscode.WorkspaceFolder){
+  getWorkspaceDeployPath(workspaceFolder: vscode.WorkspaceFolder) {
     const deployDirs = this.get<DeploymentPath>(DEPLOYMENT_KEY) || {};
     return deployDirs[workspaceFolder.uri.fsPath].toLowerCase();
   }
@@ -196,4 +204,38 @@ export class ConnectionStorage extends Storage {
   async clearRecentlyOpenedFiles() {
     await this.set(RECENTLY_OPENED_FILES_KEY, undefined);
   }
+
+  async grantExtensionAuthorisation(extension: vscode.Extension<any>) {
+    const extensions = this.getAuthorisedExtensions();
+    if (!this.getExtensionAuthorisation(extension)) {
+      extensions.push({
+        id: extension.id,
+        displayName: extension.packageJSON.displayName,
+        since: new Date().getTime(),
+        lastAccess: new Date().getTime()
+      });
+      await this.set(AUTHORISED_EXTENSIONS_KEY, extensions);
+    }
+  }
+
+  getExtensionAuthorisation(extension: vscode.Extension<any>) {
+    const authorisedExtension = this.getAuthorisedExtensions().find(authorisedExtension => authorisedExtension.id === extension.id);
+    if (authorisedExtension) {
+      authorisedExtension.lastAccess = new Date().getTime();
+    }
+    return authorisedExtension;
+  }
+
+  getAuthorisedExtensions(): AuthorisedExtension[] {
+    return this.get<AuthorisedExtension[]>(AUTHORISED_EXTENSIONS_KEY) || [];
+  }
+
+  revokeAllExtensionAuthorisations() {
+    this.revokeExtensionAuthorisation(...this.getAuthorisedExtensions());
+  }
+
+  revokeExtensionAuthorisation(...extensions: AuthorisedExtension[]) {
+    const newExtensions = this.getAuthorisedExtensions().filter(ext => !extensions.includes(ext));
+    return this.set(AUTHORISED_EXTENSIONS_KEY, newExtensions);
+  }
 }

src/instantiate.ts

@@ -8,17 +8,19 @@ import Instance from "./api/Instance";
 import { Search } from "./api/Search";
 import { Terminal } from './api/Terminal';
 import { refreshDiagnosticsFromServer } from './api/errors/diagnostics';
+import { setupGitEventHandler } from './api/local/git';
 import { QSysFS, getUriFromPath, parseFSOptions } from "./filesystems/qsys/QSysFs";
 import { initGetNewLibl } from "./languages/clle/getnewlibl";
 import { SEUColorProvider } from "./languages/general/SEUColorProvider";
 import { Action, BrowserItem, DeploymentMethod, MemberItem, OpenEditableOptions, WithPath } from "./typings";
 import { SearchView } from "./views/searchView";
 import { ActionsUI } from './webviews/actions';
 import { VariablesUI } from "./webviews/variables";
-import { setupGitEventHandler } from './api/local/git';
 
 export let instance: Instance;
 
+const passwordAttempts: { [extensionId: string]: number } = {}
+
 const CLEAR_RECENT = `$(trash) Clear recently opened`;
 const CLEAR_CACHED = `$(trash) Clear cached`;
 
@@ -618,14 +620,82 @@ export async function loadAllofExtension(context: vscode.ExtensionContext) {
       }
     }),
 
-    vscode.commands.registerCommand(`code-for-ibmi.secret`, async (key: string, newValue: string) => {
-      const connectionKey = `${instance.getConnection()!.currentConnectionName}_${key}`;
-      if (newValue) {
-        await context.secrets.store(connectionKey, newValue);
-        return newValue;
-      }
+    vscode.commands.registerCommand(`code-for-ibmi.getPassword`, async (extensionId: string, reason?: string) => {
+      if (extensionId) {
+        const extension = vscode.extensions.getExtension(extensionId);
+        const isValid = (extension && extension.isActive);
+        if (isValid) {
+          const connection = instance.getConnection();
+          const storage = instance.getStorage();
+          if (connection && storage) {
+            const displayName = extension.packageJSON.displayName || extensionId;
+
+            // Some logic to stop spam from extensions.
+            passwordAttempts[extensionId] = passwordAttempts[extensionId] || 0;
+            if (passwordAttempts[extensionId] > 1) {
+              throw new Error(`Password request denied for extension ${displayName}.`);
+            }
+
+            const connectionKey = `${instance.getConnection()!.currentConnectionName}_password`;
+            const storedPassword = await context.secrets.get(connectionKey);
 
-      return await context.secrets.get(connectionKey);
+            if (storedPassword) {
+              let isAuthed = storage.getExtensionAuthorisation(extension) !== undefined;
+
+              if (!isAuthed) {
+                const detail = `The ${displayName} extension is requesting access to your password for this connection. ${reason ? `\n\nReason: ${reason}` : `The extension did not provide a reason for password access.`}`;
+                let done = false;
+                let modal = true;
+
+                while (!done) {
+                  const options: string[] = [`Allow`];
+
+                  if (modal) {
+                    options.push(`View on Marketplace`);
+                  } else {
+                    options.push(`Deny`);
+                  }
+
+                  const result = await vscode.window.showWarningMessage(
+                    modal ? `Password Request` : detail,
+                    {
+                      modal,
+                      detail,
+                    },
+                    ...options
+                  );
+
+                  switch (result) {
+                    case `Allow`:
+                      await storage.grantExtensionAuthorisation(extension);
+                      isAuthed = true;
+                      done = true;
+                      break;
+
+                    case `View on Marketplace`:
+                      vscode.commands.executeCommand('extension.open', extensionId);
+                      modal = false;
+                      break;
+
+                    default:
+                      done = true;
+                      break;
+                  }
+                }
+              }
+
+              if (isAuthed) {
+                return storedPassword;
+              } else {
+                passwordAttempts[extensionId]++;
+              }
+            }
+
+          } else {
+            throw new Error(`Not connected to an IBM i.`);
+          }
+        }
+      }
     }),
 
     vscode.commands.registerCommand("code-for-ibmi.browse", (item: WithPath | MemberItem) => {
@@ -660,7 +730,7 @@ export async function loadAllofExtension(context: vscode.ExtensionContext) {
   }
 
   // Register git events based on workspace folders
-	if (vscode.workspace.workspaceFolders) {
+  if (vscode.workspace.workspaceFolders) {
     setupGitEventHandler(context);
   }
 

src/testing/index.ts

@@ -7,6 +7,7 @@ import { ContentSuite } from "./content";
 import { DeployToolsSuite } from "./deployTools";
 import { FilterSuite } from "./filter";
 import { ILEErrorSuite } from "./ileErrors";
+import { StorageSuite } from "./storage";
 import { TestSuitesTreeProvider } from "./testCasesTree";
 import { ToolsSuite } from "./tools";
 
@@ -17,7 +18,8 @@ const suites: TestSuite[] = [
   DeployToolsSuite,
   ToolsSuite,
   ILEErrorSuite,
-  FilterSuite
+  FilterSuite,
+  StorageSuite
 ]
 
 export type TestSuite = {

src/testing/storage.ts

@@ -0,0 +1,42 @@
+import assert from "assert";
+import vscode from "vscode";
+import { TestSuite } from ".";
+import { instance } from "../instantiate";
+
+export const StorageSuite: TestSuite = {
+  name: `Extension storage tests`,
+  tests: [
+    {
+      name: "Authorized extensions", test: async () => {
+        const storage = instance.getStorage();
+        if(storage){ 
+          const extension = vscode.extensions.getExtension("halcyontechltd.code-for-ibmi")!;          
+          try{
+            let auth = storage.getExtensionAuthorisation(extension);
+            assert.strictEqual(undefined, auth, "Extension is already authorized");
+            storage.grantExtensionAuthorisation(extension);
+            
+            auth = storage.getExtensionAuthorisation(extension);
+            assert.ok(auth, "Authorisation not found");
+            assert.strictEqual(new Date(auth.since).toDateString(), new Date().toDateString(), "Access date must be today");
+
+            const lastAccess = auth.lastAccess;
+            await new Promise(r => setTimeout(r, 100)); //Wait a bit
+            auth = storage.getExtensionAuthorisation(extension);
+            assert.ok(auth, "Authorisation not found");
+            assert.notStrictEqual(lastAccess, auth.lastAccess, "Last access did not change")
+          }
+          finally{
+            const auth = storage.getExtensionAuthorisation(extension);
+            if(auth){
+              storage.revokeExtensionAuthorisation(auth);
+            }
+          }
+        }
+        else{
+          throw Error("Cannot run test: no storage")
+        }
+      }
+    }
+  ]
+}