First move off of keytar (microsoft#185077)

* First move off of keytar

Since keytar is now deprecated, we need a solution going forward. That solution is the electron safeStorage API.

This PR:
* Uses the Electron safeStorage API for encryption
* Since we have encrypted strings we then store them in the StorageService (at the application & machine level)

This PR also refactors things quite a bit... a diagram of the change is going to be in the PR.

It gives embedders the ability to override the behavior of the secret storage similar to the existing Credential Provider embedder API... only with a better API surface since we no longer need to conform to keytar's shape.

More will come after this PR such as:
* Converting all CredentialService usages to SecretStorageService usages

After a while:

* Removing MainThreadKeytar
* Removing all the old code marked in this PR

* Use InMemoryStorageService

* use pausable emitter

Author: TylerLeonhardt

src/vs/code/electron-main/app.ts

@@ -37,7 +37,7 @@ import { IDiagnosticsService } from 'vs/platform/diagnostics/common/diagnostics'
 import { DiagnosticsMainService, IDiagnosticsMainService } from 'vs/platform/diagnostics/electron-main/diagnosticsMainService';
 import { DialogMainService, IDialogMainService } from 'vs/platform/dialogs/electron-main/dialogMainService';
 import { IEncryptionMainService } from 'vs/platform/encryption/common/encryptionService';
-import { EncryptionMainService } from 'vs/platform/encryption/node/encryptionMainService';
+import { EncryptionMainService } from 'vs/platform/encryption/electron-main/encryptionMainService';
 import { NativeParsedArgs } from 'vs/platform/environment/common/argv';
 import { IEnvironmentMainService } from 'vs/platform/environment/electron-main/environmentMainService';
 import { isLaunchedFromCli } from 'vs/platform/environment/node/argvHelper';

src/vs/platform/encryption/common/encryptionService.ts

@@ -5,9 +5,11 @@
 
 import { createDecorator } from 'vs/platform/instantiation/common/instantiation';
 
-export const IEncryptionMainService = createDecorator<IEncryptionMainService>('encryptionMainService');
+export const IEncryptionService = createDecorator<IEncryptionService>('encryptionService');
+export interface IEncryptionService extends ICommonEncryptionService { }
 
-export interface IEncryptionMainService extends ICommonEncryptionService { }
+export const IEncryptionMainService = createDecorator<IEncryptionMainService>('encryptionMainService');
+export interface IEncryptionMainService extends IEncryptionService { }
 
 export interface ICommonEncryptionService {
 
@@ -16,4 +18,6 @@ export interface ICommonEncryptionService {
 	encrypt(value: string): Promise<string>;
 
 	decrypt(value: string): Promise<string>;
+
+	isEncryptionAvailable(): Promise<boolean>;
 }

src/vs/platform/encryption/electron-main/encryptionMainService.ts

@@ -0,0 +1,60 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import { safeStorage } from 'electron';
+import { IEncryptionMainService } from 'vs/platform/encryption/common/encryptionService';
+import { ILogService } from 'vs/platform/log/common/log';
+
+export class EncryptionMainService implements IEncryptionMainService {
+	_serviceBrand: undefined;
+
+	constructor(
+		private readonly machineId: string,
+		@ILogService private readonly logService: ILogService
+	) { }
+
+	async encrypt(value: string): Promise<string> {
+		return JSON.stringify(safeStorage.encryptString(value));
+	}
+
+	async decrypt(value: string): Promise<string> {
+		let parsedValue: { data: string };
+		try {
+			parsedValue = JSON.parse(value);
+			if (!parsedValue.data) {
+				this.logService.trace('[EncryptionMainService] Unable to parse encrypted value. Attempting old decryption.');
+				return this.oldDecrypt(value);
+			}
+		} catch (e) {
+			this.logService.trace('[EncryptionMainService] Unable to parse encrypted value. Attempting old decryption.', e);
+			return this.oldDecrypt(value);
+		}
+		const bufferToDecrypt = Buffer.from(parsedValue.data);
+
+		this.logService.trace('[EncryptionMainService] Decrypting value.');
+		return safeStorage.decryptString(bufferToDecrypt);
+	}
+
+	isEncryptionAvailable(): Promise<boolean> {
+		return Promise.resolve(safeStorage.isEncryptionAvailable());
+	}
+
+	// TODO: Remove this after a few releases
+	private async oldDecrypt(value: string): Promise<string> {
+		let encryption: { decrypt(salt: string, value: string): Promise<string> };
+		try {
+			encryption = await new Promise((resolve, reject) => require(['vscode-encrypt'], resolve, reject));
+		} catch (e) {
+			return value;
+		}
+
+		try {
+			return encryption.decrypt(this.machineId, value);
+		} catch (e) {
+			this.logService.error(e);
+			return value;
+		}
+	}
+}

src/vs/platform/encryption/node/encryptionMainService.ts

@@ -52,4 +52,13 @@ export class EncryptionMainService implements ICommonEncryptionService {
 			return value;
 		}
 	}
+
+	async isEncryptionAvailable(): Promise<boolean> {
+		try {
+			await this.encryption();
+			return true;
+		} catch (e) {
+			return false;
+		}
+	}
 }

src/vs/platform/secrets/common/secrets.ts

@@ -0,0 +1,123 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import { SequencerByKey } from 'vs/base/common/async';
+import { IEncryptionService } from 'vs/platform/encryption/common/encryptionService';
+import { createDecorator } from 'vs/platform/instantiation/common/instantiation';
+import { IStorageService, InMemoryStorageService, StorageScope, StorageTarget } from 'vs/platform/storage/common/storage';
+import { Event, PauseableEmitter } from 'vs/base/common/event';
+import { ILogService } from 'vs/platform/log/common/log';
+
+export const ISecretStorageService = createDecorator<ISecretStorageService>('secretStorageService');
+
+export interface ISecretStorageProvider {
+	get(key: string): Promise<string | undefined>;
+	set(key: string, value: string): Promise<void>;
+	delete(key: string): Promise<void>;
+}
+
+export interface ISecretStorageService extends ISecretStorageProvider {
+	readonly _serviceBrand: undefined;
+	onDidChangeSecret: Event<string>;
+}
+
+export class SecretStorageService implements ISecretStorageService {
+	declare readonly _serviceBrand: undefined;
+
+	private _storagePrefix = 'secret://';
+
+	private readonly _onDidChangeSecret = new PauseableEmitter<string>();
+	onDidChangeSecret: Event<string> = this._onDidChangeSecret.event;
+
+	private readonly _sequencer = new SequencerByKey<string>();
+	private initialized = this.init();
+
+	constructor(
+		@IStorageService private _storageService: IStorageService,
+		@IEncryptionService private _encryptionService: IEncryptionService,
+		@ILogService private readonly _logService: ILogService,
+	) {
+		this._storageService.onDidChangeValue(e => this.onDidChangeValue(e.key));
+	}
+
+	private onDidChangeValue(key: string): void {
+		if (!key.startsWith(this._storagePrefix)) {
+			return;
+		}
+
+		if (this._onDidChangeSecret.isPaused) {
+			this._logService.trace(`[SecretStorageService] Skipping change event for secret: ${key} because it is paused`);
+			return;
+		}
+
+		const secretKey = key.slice(this._storagePrefix.length);
+
+		this._logService.trace(`[SecretStorageService] Notifying change in value for secret: ${secretKey}`);
+		this._onDidChangeSecret.fire(secretKey);
+	}
+
+	get(key: string): Promise<string | undefined> {
+		return this._sequencer.queue(key, async () => {
+			await this.initialized;
+
+			const fullKey = this.getKey(key);
+			const encrypted = this._storageService.get(fullKey, StorageScope.APPLICATION);
+			if (!encrypted) {
+				return undefined;
+			}
+
+			try {
+				return await this._encryptionService.decrypt(encrypted);
+			} catch (e) {
+				this._logService.error(e);
+				this.delete(key);
+				return undefined;
+			}
+		});
+	}
+
+	set(key: string, value: string): Promise<void> {
+		return this._sequencer.queue(key, async () => {
+			await this.initialized;
+
+			const encrypted = await this._encryptionService.encrypt(value);
+			const fullKey = this.getKey(key);
+			try {
+				this._onDidChangeSecret.pause();
+				this._storageService.store(fullKey, encrypted, StorageScope.APPLICATION, StorageTarget.MACHINE);
+			} finally {
+				this._onDidChangeSecret.resume();
+			}
+		});
+	}
+
+	delete(key: string): Promise<void> {
+		return this._sequencer.queue(key, async () => {
+			await this.initialized;
+
+			const fullKey = this.getKey(key);
+			try {
+				this._onDidChangeSecret.pause();
+				this._storageService.remove(fullKey, StorageScope.APPLICATION);
+			} finally {
+				this._onDidChangeSecret.resume();
+			}
+		});
+	}
+
+	private async init(): Promise<void> {
+		if (await this._encryptionService.isEncryptionAvailable()) {
+			return;
+		}
+
+		this._logService.trace('[SecretStorageService] Encryption is not available, falling back to in-memory storage');
+
+		this._storageService = new InMemoryStorageService();
+	}
+
+	private getKey(key: string): string {
+		return `${this._storagePrefix}${key}`;
+	}
+}

src/vs/server/node/serverServices.ts

@@ -20,8 +20,6 @@ import { CredentialsWebMainService } from 'vs/platform/credentials/node/credenti
 import { ExtensionHostDebugBroadcastChannel } from 'vs/platform/debug/common/extensionHostDebugIpc';
 import { IDownloadService } from 'vs/platform/download/common/download';
 import { DownloadServiceChannelClient } from 'vs/platform/download/common/downloadIpc';
-import { IEncryptionMainService } from 'vs/platform/encryption/common/encryptionService';
-import { EncryptionMainService } from 'vs/platform/encryption/node/encryptionMainService';
 import { IEnvironmentService, INativeEnvironmentService } from 'vs/platform/environment/common/environment';
 import { ExtensionGalleryServiceWithNoStorageService } from 'vs/platform/extensionManagement/common/extensionGalleryService';
 import { IExtensionGalleryService } from 'vs/platform/extensionManagement/common/extensionManagement';
@@ -202,8 +200,6 @@ export async function setupServerServices(connectionToken: ServerConnectionToken
 	const ptyService = instantiationService.createInstance(PtyHostService, ptyHostStarter);
 	services.set(IPtyService, ptyService);
 
-	services.set(IEncryptionMainService, new SyncDescriptor(EncryptionMainService, [machineId]));
-
 	services.set(ICredentialsMainService, new SyncDescriptor(CredentialsWebMainService));
 
 	instantiationService.invokeFunction(accessor => {
@@ -230,9 +226,6 @@ export async function setupServerServices(connectionToken: ServerConnectionToken
 		const channel = new ExtensionManagementChannel(extensionManagementService, (ctx: RemoteAgentConnectionContext) => getUriTransformer(ctx.remoteAuthority));
 		socketServer.registerChannel('extensions', channel);
 
-		const encryptionChannel = ProxyChannel.fromService<RemoteAgentConnectionContext>(accessor.get(IEncryptionMainService));
-		socketServer.registerChannel('encryption', encryptionChannel);
-
 		const credentialsChannel = ProxyChannel.fromService<RemoteAgentConnectionContext>(accessor.get(ICredentialsMainService));
 		socketServer.registerChannel('credentials', credentialsChannel);