Improve error messages to users where encryption fails/isn't available (microsoft#186037)

Author: TylerLeonhardt

src/vs/platform/encryption/common/encryptionService.ts

@@ -6,7 +6,10 @@
 import { createDecorator } from 'vs/platform/instantiation/common/instantiation';
 
 export const IEncryptionService = createDecorator<IEncryptionService>('encryptionService');
-export interface IEncryptionService extends ICommonEncryptionService { }
+export interface IEncryptionService extends ICommonEncryptionService {
+	setUsePlainTextEncryption(): Promise<void>;
+	getKeyStorageProvider(): Promise<KnownStorageProvider>;
+}
 
 export const IEncryptionMainService = createDecorator<IEncryptionMainService>('encryptionMainService');
 export interface IEncryptionMainService extends IEncryptionService { }
@@ -21,3 +24,34 @@ export interface ICommonEncryptionService {
 
 	isEncryptionAvailable(): Promise<boolean>;
 }
+
+export const enum KnownStorageProvider {
+	unknown = 'unknown',
+	basicText = 'basic_text',
+
+	// Linux
+	gnomeAny = 'gnome_any',
+	gnomeLibsecret = 'gnome_libsecret',
+	gnomeKeyring = 'gnome_keyring',
+	kwallet = 'kwallet',
+	kwallet5 = 'kwallet5',
+	kwallet6 = 'kwallet6',
+
+	// Windows
+	dplib = 'dpapi',
+
+	// macOS
+	keychainAccess = 'keychain_access',
+}
+
+export function isKwallet(backend: string): boolean {
+	return backend === KnownStorageProvider.kwallet
+		|| backend === KnownStorageProvider.kwallet5
+		|| backend === KnownStorageProvider.kwallet6;
+}
+
+export function isGnome(backend: string): boolean {
+	return backend === KnownStorageProvider.gnomeAny
+		|| backend === KnownStorageProvider.gnomeLibsecret
+		|| backend === KnownStorageProvider.gnomeKeyring;
+}

src/vs/platform/encryption/electron-main/encryptionMainService.ts

@@ -3,10 +3,20 @@
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
-import { safeStorage } from 'electron';
-import { IEncryptionMainService } from 'vs/platform/encryption/common/encryptionService';
+import { safeStorage as safeStorageElectron } from 'electron';
+import { isMacintosh, isWindows } from 'vs/base/common/platform';
+import { KnownStorageProvider, IEncryptionMainService } from 'vs/platform/encryption/common/encryptionService';
 import { ILogService } from 'vs/platform/log/common/log';
 
+// These APIs are currently only supported in our custom build of electron so
+// we need to guard against them not being available.
+interface ISafeStorageAdditionalAPIs {
+	setUsePlainTextEncryption(usePlainText: boolean): void;
+	getSelectedStorageBackend(): string;
+}
+
+const safeStorage: typeof import('electron').safeStorage & Partial<ISafeStorageAdditionalAPIs> = safeStorageElectron;
+
 export class EncryptionMainService implements IEncryptionMainService {
 	_serviceBrand: undefined;
 
@@ -41,6 +51,40 @@ export class EncryptionMainService implements IEncryptionMainService {
 		return Promise.resolve(safeStorage.isEncryptionAvailable());
 	}
 
+	getKeyStorageProvider(): Promise<KnownStorageProvider> {
+		if (isWindows) {
+			return Promise.resolve(KnownStorageProvider.dplib);
+		}
+		if (isMacintosh) {
+			return Promise.resolve(KnownStorageProvider.keychainAccess);
+		}
+		if (safeStorage.getSelectedStorageBackend) {
+			try {
+				const result = safeStorage.getSelectedStorageBackend() as KnownStorageProvider;
+				return Promise.resolve(result);
+			} catch (e) {
+				this.logService.error(e);
+			}
+		}
+		return Promise.resolve(KnownStorageProvider.unknown);
+	}
+
+	async setUsePlainTextEncryption(): Promise<void> {
+		if (isWindows) {
+			throw new Error('Setting plain text encryption is not supported on Windows.');
+		}
+
+		if (isMacintosh) {
+			throw new Error('Setting plain text encryption is not supported on macOS.');
+		}
+
+		if (!safeStorage.setUsePlainTextEncryption) {
+			throw new Error('Setting plain text encryption is not supported.');
+		}
+
+		safeStorage.setUsePlainTextEncryption(true);
+	}
+
 	// TODO: Remove this after a few releases
 	private async oldDecrypt(value: string): Promise<string> {
 		let encryption: { decrypt(salt: string, value: string): Promise<string> };

src/vs/platform/secrets/common/secrets.ts

@@ -5,15 +5,10 @@
 
 import { SequencerByKey } from 'vs/base/common/async';
 import { IEncryptionService } from 'vs/platform/encryption/common/encryptionService';
-import { IInstantiationService, createDecorator } from 'vs/platform/instantiation/common/instantiation';
+import { createDecorator } from 'vs/platform/instantiation/common/instantiation';
 import { IStorageService, InMemoryStorageService, StorageScope, StorageTarget } from 'vs/platform/storage/common/storage';
 import { Event, PauseableEmitter } from 'vs/base/common/event';
 import { ILogService } from 'vs/platform/log/common/log';
-import { isNative } from 'vs/base/common/platform';
-import { INotificationService, Severity } from 'vs/platform/notification/common/notification';
-import { localize } from 'vs/nls';
-import { IOpenerService } from 'vs/platform/opener/common/opener';
-import { once } from 'vs/base/common/functional';
 
 export const ISecretStorageService = createDecorator<ISecretStorageService>('secretStorageService');
 
@@ -29,25 +24,23 @@ export interface ISecretStorageService extends ISecretStorageProvider {
 	onDidChangeSecret: Event<string>;
 }
 
-export class SecretStorageService implements ISecretStorageService {
+export abstract class BaseSecretStorageService implements ISecretStorageService {
 	declare readonly _serviceBrand: undefined;
 
 	private _storagePrefix = 'secret://';
 
 	private readonly _onDidChangeSecret = new PauseableEmitter<string>();
 	onDidChangeSecret: Event<string> = this._onDidChangeSecret.event;
 
-	private readonly _sequencer = new SequencerByKey<string>();
-	private initialized = this.init();
+	protected readonly _sequencer = new SequencerByKey<string>();
+	protected initialized = this.init();
 
 	private _type: 'in-memory' | 'persisted' | 'unknown' = 'unknown';
 
 	constructor(
 		@IStorageService private _storageService: IStorageService,
-		@IEncryptionService private _encryptionService: IEncryptionService,
-		@IInstantiationService private readonly _instantiationService: IInstantiationService,
-		@INotificationService private readonly _notificationService: INotificationService,
-		@ILogService private readonly _logService: ILogService
+		@IEncryptionService protected _encryptionService: IEncryptionService,
+		@ILogService protected readonly _logService: ILogService
 	) {
 		this._storageService.onDidChangeValue(e => this.onDidChangeValue(e.key));
 	}
@@ -77,13 +70,18 @@ export class SecretStorageService implements ISecretStorageService {
 			await this.initialized;
 
 			const fullKey = this.getKey(key);
+			this._logService.trace('[secrets] getting secret for key:', fullKey);
 			const encrypted = this._storageService.get(fullKey, StorageScope.APPLICATION);
 			if (!encrypted) {
+				this._logService.trace('[secrets] no secret found for key:', fullKey);
 				return undefined;
 			}
 
 			try {
-				return await this._encryptionService.decrypt(encrypted);
+				this._logService.trace('[secrets] decrypting gotten secret for key:', fullKey);
+				const result = await this._encryptionService.decrypt(encrypted);
+				this._logService.trace('[secrets] decrypted secret for key:', fullKey);
+				return result;
 			} catch (e) {
 				this._logService.error(e);
 				this.delete(key);
@@ -96,18 +94,23 @@ export class SecretStorageService implements ISecretStorageService {
 		return this._sequencer.queue(key, async () => {
 			await this.initialized;
 
-			if (isNative && this.type !== 'persisted') {
-				this.notifyNativeUserOnce();
+			this._logService.trace('[secrets] encrypting secret for key:', key);
+			let encrypted;
+			try {
+				encrypted = await this._encryptionService.encrypt(value);
+			} catch (e) {
+				this._logService.error(e);
+				throw e;
 			}
-
-			const encrypted = await this._encryptionService.encrypt(value);
 			const fullKey = this.getKey(key);
 			try {
 				this._onDidChangeSecret.pause();
+				this._logService.trace('[secrets] storing encrypted secret for key:', fullKey);
 				this._storageService.store(fullKey, encrypted, StorageScope.APPLICATION, StorageTarget.MACHINE);
 			} finally {
 				this._onDidChangeSecret.resume();
 			}
+			this._logService.trace('[secrets] stored encrypted secret for key:', fullKey);
 		});
 	}
 
@@ -118,10 +121,12 @@ export class SecretStorageService implements ISecretStorageService {
 			const fullKey = this.getKey(key);
 			try {
 				this._onDidChangeSecret.pause();
+				this._logService.trace('[secrets] deleting secret for key:', fullKey);
 				this._storageService.remove(fullKey, StorageScope.APPLICATION);
 			} finally {
 				this._onDidChangeSecret.resume();
 			}
+			this._logService.trace('[secrets] deleted secret for key:', fullKey);
 		});
 	}
 
@@ -140,20 +145,4 @@ export class SecretStorageService implements ISecretStorageService {
 	private getKey(key: string): string {
 		return `${this._storagePrefix}${key}`;
 	}
-
-	private notifyNativeUserOnce = once(() => this.notifyNativeUser());
-	private notifyNativeUser(): void {
-		this._notificationService.prompt(
-			Severity.Warning,
-			localize('notEncrypted', 'Secrets are not being stored on disk because encryption is not available in this environment.'),
-			[{
-				label: localize('openTroubleshooting', "Open Troubleshooting"),
-				run: () => this._instantiationService.invokeFunction(accessor => {
-					const openerService = accessor.get(IOpenerService);
-					// Open troubleshooting docs page
-					return openerService.open('https://go.microsoft.com/fwlink/?linkid=2239490');
-				})
-			}]
-		);
-	}
 }

src/vs/platform/secrets/electron-sandbox/secretStorageService.ts

@@ -0,0 +1,82 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import { once } from 'vs/base/common/functional';
+import { isLinux } from 'vs/base/common/platform';
+import Severity from 'vs/base/common/severity';
+import { localize } from 'vs/nls';
+import { IEncryptionService, KnownStorageProvider, isGnome, isKwallet } from 'vs/platform/encryption/common/encryptionService';
+import { IInstantiationService } from 'vs/platform/instantiation/common/instantiation';
+import { ILogService } from 'vs/platform/log/common/log';
+import { INativeHostService } from 'vs/platform/native/common/native';
+import { INotificationService, IPromptChoice } from 'vs/platform/notification/common/notification';
+import { IOpenerService } from 'vs/platform/opener/common/opener';
+import { BaseSecretStorageService } from 'vs/platform/secrets/common/secrets';
+import { IStorageService } from 'vs/platform/storage/common/storage';
+
+export class NativeSecretStorageService extends BaseSecretStorageService {
+
+	constructor(
+		@INotificationService private readonly _notificationService: INotificationService,
+		@IInstantiationService private readonly _instantiationService: IInstantiationService,
+		@IStorageService storageService: IStorageService,
+		@IEncryptionService encryptionService: IEncryptionService,
+		@INativeHostService private readonly _nativeHostService: INativeHostService,
+		@ILogService logService: ILogService
+	) {
+		super(storageService, encryptionService, logService);
+	}
+
+	override set(key: string, value: string): Promise<void> {
+		this._sequencer.queue(key, async () => {
+			await this.initialized;
+
+			if (this.type !== 'persisted') {
+				this._logService.trace('[NativeSecretStorageService] Notifying user that secrets are not being stored on disk.');
+				await this.notifyOfNoEncryptionOnce();
+			}
+
+		});
+
+		return this._sequencer.queue(key, () => super.set(key, value));
+	}
+
+	private notifyOfNoEncryptionOnce = once(() => this.notifyOfNoEncryption());
+	private async notifyOfNoEncryption(): Promise<void> {
+		const buttons: IPromptChoice[] = [];
+		const troubleshootingButton: IPromptChoice = {
+			label: localize('troubleshootingButton', "Open troubleshooting guide"),
+			run: () => this._instantiationService.invokeFunction(accessor => accessor.get(IOpenerService).open('https://go.microsoft.com/fwlink/?linkid=2239490')),
+			keepOpen: true
+		};
+		buttons.push(troubleshootingButton);
+
+		let errorMessage = localize('encryptionNotAvailableJustTroubleshootingGuide', "Secrets are not being stored on disk because encryption is not available in this environment.");
+
+		if (!isLinux) {
+			this._notificationService.prompt(Severity.Error, errorMessage, buttons);
+			return;
+		}
+
+		const provider = await this._encryptionService.getKeyStorageProvider();
+		if (isGnome(provider)) {
+			errorMessage = localize('isGnome', "You're running in a GNOME environment but encryption is not available. Ensure you have gnome-keyring or another libsecret compatible implementation installed and running.");
+		} else if (isKwallet(provider)) {
+			errorMessage = localize('isKwallet', "You're running in a KDE environment but encryption is not available. Ensure you have kwallet running.");
+		} else if (provider === KnownStorageProvider.basicText) {
+			errorMessage += ' ' + localize('usePlainTextExtraSentence', "Open the troubleshooting guide or you can use plain text obfuscation instead.");
+			const usePlainTextButton: IPromptChoice = {
+				label: localize('usePlainText', "Use plain text (restart required)"),
+				run: async () => {
+					this._encryptionService.setUsePlainTextEncryption();
+					await this._nativeHostService.relaunch();
+				}
+			};
+			buttons.unshift(usePlainTextButton);
+		}
+
+		this._notificationService.prompt(Severity.Error, errorMessage, buttons);
+	}
+}

src/vs/workbench/services/encryption/browser/encryptionService.ts

@@ -3,7 +3,7 @@
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
-import { IEncryptionService } from 'vs/platform/encryption/common/encryptionService';
+import { IEncryptionService, KnownStorageProvider } from 'vs/platform/encryption/common/encryptionService';
 import { InstantiationType, registerSingleton } from 'vs/platform/instantiation/common/extensions';
 
 export class EncryptionService implements IEncryptionService {
@@ -21,6 +21,14 @@ export class EncryptionService implements IEncryptionService {
 	isEncryptionAvailable(): Promise<boolean> {
 		return Promise.resolve(false);
 	}
+
+	getKeyStorageProvider(): Promise<KnownStorageProvider> {
+		return Promise.resolve(KnownStorageProvider.basicText);
+	}
+
+	setUsePlainTextEncryption(): Promise<void> {
+		return Promise.resolve(undefined);
+	}
 }
 
 registerSingleton(IEncryptionService, EncryptionService, InstantiationType.Delayed);

src/vs/workbench/services/secrets/browser/secretStorageService.ts

@@ -8,11 +8,11 @@ import { InstantiationType, registerSingleton } from 'vs/platform/instantiation/
 import { IInstantiationService } from 'vs/platform/instantiation/common/instantiation';
 import { ILogService } from 'vs/platform/log/common/log';
 import { INotificationService } from 'vs/platform/notification/common/notification';
-import { ISecretStorageProvider, ISecretStorageService, SecretStorageService } from 'vs/platform/secrets/common/secrets';
+import { ISecretStorageProvider, ISecretStorageService, BaseSecretStorageService } from 'vs/platform/secrets/common/secrets';
 import { IStorageService } from 'vs/platform/storage/common/storage';
 import { IBrowserWorkbenchEnvironmentService } from 'vs/workbench/services/environment/browser/environmentService';
 
-export class BrowserSecretStorageService extends SecretStorageService {
+export class BrowserSecretStorageService extends BaseSecretStorageService {
 
 	private readonly _secretStorageProvider: ISecretStorageProvider | undefined;
 
@@ -24,7 +24,7 @@ export class BrowserSecretStorageService extends SecretStorageService {
 		@INotificationService notificationService: INotificationService,
 		@ILogService logService: ILogService
 	) {
-		super(storageService, encryptionService, instantiationService, notificationService, logService);
+		super(storageService, encryptionService, logService);
 
 		if (environmentService.options?.secretStorageProvider) {
 			this._secretStorageProvider = environmentService.options.secretStorageProvider;

src/vs/workbench/workbench.desktop.main.ts

@@ -90,13 +90,14 @@ import 'vs/workbench/services/extensions/electron-sandbox/nativeExtensionService
 import 'vs/platform/userDataProfile/electron-sandbox/userDataProfileStorageService';
 
 import { InstantiationType, registerSingleton } from 'vs/platform/instantiation/common/extensions';
-import { ISecretStorageService, SecretStorageService } from 'vs/platform/secrets/common/secrets';
+import { ISecretStorageService } from 'vs/platform/secrets/common/secrets';
+import { NativeSecretStorageService } from 'vs/platform/secrets/electron-sandbox/secretStorageService';
 import { IUserDataInitializationService, UserDataInitializationService } from 'vs/workbench/services/userData/browser/userDataInit';
 import { IExtensionsProfileScannerService } from 'vs/platform/extensionManagement/common/extensionsProfileScannerService';
 import { ExtensionsProfileScannerService } from 'vs/platform/extensionManagement/electron-sandbox/extensionsProfileScannerService';
 import { SyncDescriptor } from 'vs/platform/instantiation/common/descriptors';
 
-registerSingleton(ISecretStorageService, SecretStorageService, InstantiationType.Delayed);
+registerSingleton(ISecretStorageService, NativeSecretStorageService, InstantiationType.Delayed);
 registerSingleton(IUserDataInitializationService, new SyncDescriptor(UserDataInitializationService, [[]], true));
 registerSingleton(IExtensionsProfileScannerService, ExtensionsProfileScannerService, InstantiationType.Delayed);