make authentication optional

Author: Strum355

src/caStatusBarProvider.ts

@@ -51,12 +51,12 @@ class CAStatusBarProvider implements Disposable {
    * Shows authentication required status in the status bar.
    */
   public showAuthRequired(): void {
-    this.statusBarItem.text = `$(shield) RHDA: Sign In Required`;
+    this.statusBarItem.text = `$(account) RHDA: Not Signed In`;
     this.statusBarItem.command = {
       title: 'Authenticate with RHDA',
       command: 'rhda.authenticate',
     };
-    this.statusBarItem.tooltip = 'RHDA features are disabled. Click to authenticate and enable dependency analysis.';
+    this.statusBarItem.tooltip = 'Click to sign in for enhanced RHDA features (optional)';
     this.statusBarItem.show();
   }
 

src/extension.ts

@@ -11,7 +11,7 @@ import { StatusMessages, PromptText } from './constants';
 import { caStatusBarProvider } from './caStatusBarProvider';
 import { CANotification, CANotificationData } from './caNotification';
 import { DepOutputChannel } from './depOutputChannel';
-import { record, startUp, TelemetryActions } from './redhatTelemetry';
+import { initTelemetry, record, TelemetryActions } from './redhatTelemetry';
 import { applySettingNameMappings, buildLogErrorMessage, buildNotificationErrorMessage } from './utils';
 import { clearCodeActionsMap, getDiagnosticsCodeActions } from './codeActionHandler';
 import { AnalysisMatcher } from './fileHandler';
@@ -21,265 +21,16 @@ import { LLMAnalysisReportPanel } from './llmAnalysisReportPanel';
 // eslint-disable-next-line @typescript-eslint/no-require-imports
 import CliTable3 = require('cli-table3');
 import { Language, Parser, Query } from 'web-tree-sitter';
-import * as client from 'openid-client';
+import { getValidAccessToken, performOIDCAuthorizationFlow } from './oidcAuthentication';
 
 export let outputChannelDep: DepOutputChannel;
 
 export const notifications = new EventEmitter();
 
-// OIDC flow state storage
-interface OIDCFlowState {
-  codeVerifier: string;
-  state?: string;
-  nonce: string;
-}
-
-/**
- * Performs OIDC Authorization Code Flow with VSCode URL handler
- */
-async function performOIDCAuthorizationFlow(context: vscode.ExtensionContext): Promise<void> {
-  try {
-    const clientId = 'vscode-extension';
 
-    let config: client.Configuration | undefined;
-    const realmUrl = 'http://localhost:8090/realms/trustify';
 
-    try {
-      config = await client.discovery(
-        new URL(realmUrl),
-        clientId,
-        undefined,
-        undefined,
-        {
-          execute: [client.allowInsecureRequests],
-        }
-      );
-      outputChannelDep.info(`✓ Discovery successful for: ${realmUrl}`);
-    } catch (error) {
-      outputChannelDep.info(`✗ Discovery failed for ${realmUrl}: ${error}`);
-    }
-
-    if (!config) {
-      throw new Error(`Could not discover OIDC configuration from ${realmUrl}`);
-    }
-
-    outputChannelDep.info(`Using issuer: ${realmUrl}`);
-    outputChannelDep.info(`Authorization endpoint: ${config.serverMetadata().authorization_endpoint}`);
-
-    const redirectUri = `vscode://redhat.fabric8-analytics/auth-callback`;
-
-    // Generate PKCE parameters
-    const codeVerifier = client.randomPKCECodeVerifier();
-    const codeChallenge = await client.calculatePKCECodeChallenge(codeVerifier);
-    const nonce = client.randomNonce();
-
-    let state: string | undefined;
-    const parameters: Record<string, string> = {
-      // eslint-disable-next-line @typescript-eslint/naming-convention
-      redirect_uri: redirectUri,
-      scope: 'openid profile email',
-      // eslint-disable-next-line @typescript-eslint/naming-convention
-      code_challenge: codeChallenge,
-      // eslint-disable-next-line @typescript-eslint/naming-convention
-      code_challenge_method: 'S256',
-      nonce: nonce,
-    };
-
-    // Use state if PKCE is not supported
-    if (!config.serverMetadata().supportsPKCE()) {
-      state = client.randomState();
-      parameters.state = state;
-    }
-
-    // Store flow state for callback verification
-    const flowState: OIDCFlowState = {
-      codeVerifier,
-      state,
-      nonce,
-    };
-    await context.globalState.update('oidc-flow-state', flowState);
-
-    // Register URL handler for the callback
-    const disposable = vscode.window.registerUriHandler({
-      handleUri: async (uri: vscode.Uri) => {
-        try {
-          await handleOIDCCallback(context, config, uri, flowState);
-        } catch (error) {
-          outputChannelDep.error(`OIDC callback error: ${error}`);
-          vscode.window.showErrorMessage(`RHDA authentication failed: ${(error as Error).message}`);
-        } finally {
-          disposable.dispose();
-          await context.globalState.update('oidc-flow-state', undefined);
-        }
-      },
-    });
-
-    // Build authorization URL and redirect user
-    outputChannelDep.info(`Building authorization URL with parameters: ${JSON.stringify(parameters)}`);
-    const authUrl = client.buildAuthorizationUrl(config, parameters);
-    outputChannelDep.info(`Complete authorization URL: ${authUrl.href}`);
-
-    // Open authorization URL in browser
-    await vscode.env.openExternal(vscode.Uri.parse(authUrl.href));
-
-    vscode.window.showInformationMessage('Please complete RHDA authentication in your browser.');
-  } catch (error) {
-    outputChannelDep.error(`OIDC flow initialization error: ${error}`);
-    vscode.window.showErrorMessage(`RHDA authentication initialization failed: ${(error as Error).message}`);
-  }
-}
-
-/**
- * Handles the OIDC callback from VSCode URL handler
- */
-async function handleOIDCCallback(context: vscode.ExtensionContext, config: client.Configuration, callbackUri: vscode.Uri, flowState: OIDCFlowState): Promise<void> {
-  try {
-    const url = new URL(callbackUri.toString());
-    // Handle double-encoded query parameters from VSCode
-    const searchParams = new URLSearchParams(url.searchParams.keys().next().value!);
-
-    // Reconstruct a properly formatted callback URL with parsed parameters
-    // VSCode's URL handler double-encodes parameters, so we need to fix this
-    const redirectUri = `vscode://redhat.fabric8-analytics/auth-callback`;
-
-    // Create a simple URL with just the base and our clean parameters
-    const cleanCallbackUrl = new URL(`${redirectUri}?${searchParams.toString()}`);
-    outputChannelDep.info(`Clean callback URL: ${cleanCallbackUrl.toString()}`);
-
-    // First try the standard approach
-    const tokens = await client.authorizationCodeGrant(
-      config,
-      cleanCallbackUrl,
-      {
-        pkceCodeVerifier: flowState.codeVerifier,
-        expectedState: flowState.state,
-        expectedNonce: flowState.nonce,
-      }
-    );
-
-    outputChannelDep.info('Successfully obtained tokens from OIDC authorization server');
-
-    // Store tokens securely
-    if (tokens.access_token) {
-      await context.secrets.store('oidc-access-token', tokens.access_token);
-    }
-    if (tokens.refresh_token) {
-      await context.secrets.store('oidc-refresh-token', tokens.refresh_token);
-    }
-    if (tokens.id_token) {
-      await context.secrets.store('oidc-id-token', tokens.id_token);
-    }
-
-    // Store token expiration time
-    if (tokens.expires_in) {
-      const expirationTime = Date.now() + tokens.expires_in * 1000;
-      await context.globalState.update('oidc-token-expiration', expirationTime);
-    }
-
-    vscode.window.showInformationMessage('RHDA authentication successful!');
-
-    // Record successful authentication telemetry
-    record(context, TelemetryActions.vulnerabilityReportDone, {
-      action: 'oidc-authentication-success',
-    });
-
-    // Enable all extension features now that authentication is complete
-    outputChannelDep.info('🎯 Authentication complete - enabling extension features');
-    caStatusBarProvider.showAuthenticated();
-    await enableExtensionFeatures(context);
-  } catch (error) {
-    outputChannelDep.error(`Token exchange failed: ${error}`);
-    throw new Error(`Failed to complete authentication: ${(error as Error).message}`);
-  }
-}
-
-/**
- * Retrieves a valid access token, refreshing if necessary
- */
-export async function getValidAccessToken(context: vscode.ExtensionContext): Promise<string | null> {
-  try {
-    const accessToken = await context.secrets.get('oidc-access-token');
-    const expirationTime = context.globalState.get<number>('oidc-token-expiration');
-
-    if (!accessToken) {
-      // No token means user hasn't authenticated yet
-      return null;
-    }
-
-    // Check if token is expired (with 5 minute buffer)
-    if (expirationTime && Date.now() > expirationTime - 300000) {
-      const refreshToken = await context.secrets.get('oidc-refresh-token');
-      if (refreshToken) {
-        return await refreshAccessToken(context, refreshToken);
-      }
-      return null;
-    }
-
-    return accessToken;
-  } catch (error) {
-    outputChannelDep.error(`Failed to get access token: ${error}`);
-    return null;
-  }
-}
-
-/**
- * Refreshes the access token using the refresh token
- */
-async function refreshAccessToken(context: vscode.ExtensionContext, refreshToken: string): Promise<string | null> {
-  try {
-    const config = await client.discovery(
-      new URL('http://localhost:8090/realms/trustify'),
-      'trustify-realm',
-      undefined,
-      undefined,
-      {
-        execute: [client.allowInsecureRequests],
-      }
-    );
-
-    const tokens = await client.refreshTokenGrant(config, refreshToken);
-
-    // Update stored tokens
-    if (tokens.access_token) {
-      await context.secrets.store('oidc-access-token', tokens.access_token);
-    }
-    if (tokens.refresh_token) {
-      await context.secrets.store('oidc-refresh-token', tokens.refresh_token);
-    }
-
-    // Update token expiration time
-    if (tokens.expires_in) {
-      const expirationTime = Date.now() + tokens.expires_in * 1000;
-      await context.globalState.update('oidc-token-expiration', expirationTime);
-    }
-
-    outputChannelDep.info('Successfully refreshed access token');
-    return tokens.access_token || null;
-  } catch (error) {
-    outputChannelDep.error(`Token refresh failed: ${error}`);
-    // Clear invalid tokens
-    await context.secrets.delete('oidc-access-token');
-    await context.secrets.delete('oidc-refresh-token');
-    await context.secrets.delete('oidc-id-token');
-    await context.globalState.update('oidc-token-expiration', undefined);
-
-    // Update status bar to show session expired
-    caStatusBarProvider.showSessionExpired();
-    return null;
-  }
-}
-
-/**
- * Activates the extension upon launch.
- * @param context - The extension context.
- */
-/**
- * Enables all extension features after successful authentication
- */
 async function enableExtensionFeatures(context: vscode.ExtensionContext): Promise<void> {
-  outputChannelDep.info('Authentication successful - enabling all RHDA features');
-
-  startUp(context);
+  outputChannelDep.info('Initializing RHDA analysis features');
 
   context.subscriptions.push(vscode.languages.registerCodeActionsProvider('*', new class implements vscode.CodeActionProvider {
     provideCodeActions(document: vscode.TextDocument, range: vscode.Range | vscode.Selection, ctx: vscode.CodeActionContext): vscode.ProviderResult<vscode.CodeAction[]> {
@@ -592,9 +343,6 @@ async function enableExtensionFeatures(context: vscode.ExtensionContext): Promis
   vscode.workspace.onDidChangeConfiguration(() => {
     globalConfig.loadData();
   });
-
-  outputChannelDep.info('All RHDA extension features are now active and ready to use');
-  vscode.window.showInformationMessage('RHDA: All features enabled. Ready for dependency analysis!');
 }
 
 /**
@@ -606,6 +354,8 @@ export async function activate(context: vscode.ExtensionContext) {
 
   globalConfig.linkToSecretStorage(context);
 
+  initTelemetry(context);
+
   // Register authentication command (always available)
   const authenticateCommand = vscode.commands.registerCommand('rhda.authenticate', async () => {
     const existingToken = await getValidAccessToken(context);
@@ -626,29 +376,31 @@ export async function activate(context: vscode.ExtensionContext) {
   });
   context.subscriptions.push(authenticateCommand);
 
-  // Check if user is already authenticated
+  // Check if user is already authenticated (optional)
   const existingToken = await getValidAccessToken(context);
   if (existingToken) {
-    outputChannelDep.info('User already authenticated, enabling all features');
+    outputChannelDep.info('User authenticated');
     caStatusBarProvider.showAuthenticated();
-    await enableExtensionFeatures(context);
   } else {
-    outputChannelDep.info('User not authenticated - extension features disabled until authentication');
+    outputChannelDep.info('User not authenticated (authentication is optional)');
     caStatusBarProvider.showAuthRequired();
-    // Must use showErrorMessage, otherwise the notification will automatically disappear after ~15s 
-    // See more: https://github.com/microsoft/azuredatastudio/issues/22567
-    vscode.window.showErrorMessage('RHDA: Authentication required. Extension features are disabled until you complete the login process.', 'Authenticate Now').then(selection => {
-      if (selection === 'Authenticate Now') {
-        // Start OIDC flow when user clicks the button
+
+    // Show optional authentication prompt
+    vscode.window.showInformationMessage(
+      'RHDA: You can optionally authenticate for enhanced features.',
+      'Authenticate',
+      'Skip'
+    ).then(selection => {
+      if (selection === 'Authenticate') {
         performOIDCAuthorizationFlow(context).catch(error => {
           outputChannelDep.error(`Authentication failed: ${buildLogErrorMessage(error)}`);
           vscode.window.showErrorMessage(`RHDA: Authentication failed. ${buildNotificationErrorMessage(error as Error)}`);
         });
       }
     });
-
-    outputChannelDep.info('Extension started in restricted mode. Authentication required for full functionality.');
   }
+
+  await enableExtensionFeatures(context);
 }
 
 /**