feat: reworked credential management (#473)

Store passwords in the system keychain.

Signed-off-by: Gordon Smith <GordonJSmith@gmail.com>

Author: GordonSmith

.vscode/launch.json

@@ -17,6 +17,8 @@
             "runtimeExecutable": "${execPath}",
             "args": [
                 "--disable-extensions",
+                "--enable-extension",
+                "GordonSmith.observable-js",
                 "--extensionDevelopmentPath=${workspaceRoot}",
                 "${workspaceRoot}/ecl-sample"
             ],

README.md

@@ -159,7 +159,28 @@ _Version 2.x introduces a new streamlined submission process. The "old" Run/Debu
 
 ## ECL
 
-\n+## AI / Chat Integration
+## Secure Credential Storage
+
+**Important:** As of version 2.33.0, the extension now uses VS Code's secure storage for HPCC Platform credentials instead of storing passwords in plaintext in your launch configuration files.
+
+### What This Means for You
+
+- **Your passwords are now encrypted** using your operating system's native credential manager (Windows Credential Manager, macOS Keychain, or Linux Secret Service)
+- **No more plaintext passwords** in workspace files that could accidentally be committed to version control
+- **Automatic migration**: Existing passwords are automatically moved to secure storage on first use
+- **Stay logged in** across VS Code sessions without re-entering credentials
+
+### What You Need to Do
+
+**Nothing!** The migration happens automatically. When you connect to an HPCC Platform:
+
+1. If a password exists in your launch configuration, it will be securely stored and removed from the file
+2. For new connections, you'll be prompted for credentials which will be securely saved
+3. Your credentials persist across VS Code restarts
+
+You can safely remove any `"password"` fields from your `launch.json` files if you prefer.
+
+## AI / Chat Integration
 
 The extension contributes experimental Language Model (AI) tools and a chat participant:
 
@@ -343,9 +364,6 @@ The following Visual Studio Code settings are available for the ECL extension. T
   // Save file prior to submission
   "ecl.saveOnSubmit": false
 
-  // Ping interval (secs, -1 to disable)
-  "ecl.pingInterval": 5
-
   // Preferred version of ECL Watch (default v9).
   "ecl.preferredECLWatch": v9 | v5
 ```

ecl-sample/.vscode/launch.json

@@ -15,8 +15,20 @@
             "rejectUnauthorized": true,
             "resultLimit": 100,
             "timeoutSecs": 60,
-            "user": "vscode_user",
-            "password": ""
+            "user": "gordon"
+        },
+        {
+            "name": "localhost2",
+            "type": "ecl",
+            "request": "launch",
+            "protocol": "http",
+            "serverAddress": "localhost",
+            "port": 8010,
+            "targetCluster": "thor",
+            "rejectUnauthorized": true,
+            "resultLimit": 100,
+            "timeoutSecs": 60,
+            "user": "gordon2"
         },
         {
             "name": "play",
@@ -29,8 +41,7 @@
             "rejectUnauthorized": false,
             "resultLimit": 100,
             "timeoutSecs": 60,
-            "user": "vscode_user",
-            "password": ""
+            "user": "vscode_user"
         },
         {
             "name": "localhost (https)",

package.json

@@ -134,6 +134,13 @@
   "engines": {
     "vscode": "^1.105.0"
   },
+  "releaseNotes": [
+    {
+      "previousVersion": "2.32.0",
+      "message": "Credential storage has been upgraded to use VS Code's secure storage. Your existing credentials have been automatically migrated.",
+      "learnMoreUrl": "README.md#secure-credential-storage"
+    }
+  ],
   "galleryBanner": {
     "color": "#CFB69A",
     "theme": "light"
@@ -147,8 +154,7 @@
     "workspaceContains:*.ecllib",
     "workspaceContains:*.mod",
     "workspaceContains:*.eclnb",
-    "workspaceContains:*.kel",
-    "workspaceContains:*.dashy"
+    "workspaceContains:*.kel"
   ],
   "contributes": {
     "languageModelTools": [
@@ -428,6 +434,12 @@
         "title": "%Copy as ECL ID%",
         "description": "%Copy path as Qualified ECL ID%"
       },
+      {
+        "command": "ecl.clearStoredPasswords",
+        "category": "ECL",
+        "title": "%Clear All Passwords%",
+        "description": "%Clear all stored HPCC Platform passwords from secure storage%"
+      },
       {
         "command": "hpccPlatform.copyWUID",
         "category": "ECL",
@@ -625,6 +637,20 @@
           "dark": "resources/dark/server-process.svg"
         }
       },
+      {
+        "command": "hpccPlatform.login",
+        "category": "ECL",
+        "title": "%Login%",
+        "description": "%Login to HPCC Platform%",
+        "icon": "$(sign-in)"
+      },
+      {
+        "command": "hpccPlatform.logout",
+        "category": "ECL",
+        "title": "%Logout and Clear Credentials%",
+        "description": "%Logout from HPCC Platform and remove stored credentials%",
+        "icon": "$(sign-out)"
+      },
       {
         "command": "hpccPlatform.switchTargetCluster",
         "category": "ECL",
@@ -1046,6 +1072,16 @@
           "when": "view == hpccPlatform",
           "group": "navigation@60"
         },
+        {
+          "command": "hpccPlatform.login",
+          "when": "view == hpccPlatform && !ecl.connected",
+          "group": "navigation@65"
+        },
+        {
+          "command": "hpccPlatform.logout",
+          "when": "view == hpccPlatform && ecl.connected",
+          "group": "navigation@65"
+        },
         {
           "command": "hpccResources.bundles.homepage",
           "when": "view == hpccResources.bundles",
@@ -1478,12 +1514,6 @@
           "default": false,
           "description": "%Force global 'proxySupport' to 'fallback'%"
         },
-        "ecl.pingInterval": {
-          "type": "number",
-          "scope": "resource",
-          "default": 5,
-          "description": "%Ping interval (secs, -1 to disable)%"
-        },
         "dashy.libraryLocation": {
           "type": "string",
           "scope": "resource",
@@ -1671,11 +1701,6 @@
                 "type": "string",
                 "description": "%User ID%",
                 "default": ""
-              },
-              "password": {
-                "type": "string",
-                "description": "%User password%",
-                "default": ""
               }
             }
           }
@@ -1694,8 +1719,7 @@
             "rejectUnauthorized": true,
             "resultLimit": 100,
             "timeoutSecs": 60,
-            "user": "vscode_user",
-            "password": ""
+            "user": "vscode_user"
           }
         ],
         "configurationSnippets": [
@@ -1715,8 +1739,7 @@
               "rejectUnauthorized": true,
               "resultLimit": 100,
               "timeoutSecs": 60,
-              "user": "vscode_user",
-              "password": ""
+              "user": "vscode_user"
             }
           },
           {
@@ -1735,8 +1758,7 @@
               "rejectUnauthorized": false,
               "resultLimit": 100,
               "timeoutSecs": 60,
-              "user": "vscode_user",
-              "password": ""
+              "user": "vscode_user"
             }
           }
         ]

package.nls.json

@@ -22,6 +22,7 @@
     "Build flags, to be passed to the eclcc compiler": "Build flags, to be passed to the eclcc compiler",
     "Bundles": "Bundles",
     "Bundles Homepage": "Bundles Homepage",
+    "Cancel": "Cancel",
     "Cannot search: HPCC Platform not connected": "Cannot search: HPCC Platform not connected",
     "Check ECL Syntax": "Check ECL Syntax",
     "Checking ECL syntax": "Checking ECL syntax",
@@ -30,6 +31,11 @@
     "Check syntax with KEL grammar (fast)": "Check syntax with KEL grammar (fast)",
     "Check the syntax of ECL code?": "Check the syntax of ECL code?",
     "Clear all previously reported ECL Syntax Check results": "Clear all previously reported ECL Syntax Check results",
+    "Clear All Passwords": "Clear All Passwords",
+    "Clear all stored HPCC Platform passwords from secure storage": "Clear all stored HPCC Platform passwords from secure storage",
+    "All stored passwords have been cleared.": "All stored passwords have been cleared.",
+    "Failed to clear stored passwords: ": "Failed to clear stored passwords: ",
+    "This will clear all stored HPCC Platform passwords. You will need to re-enter your credentials on the next connection. Are you sure?": "This will clear all stored HPCC Platform passwords. You will need to re-enter your credentials on the next connection. Are you sure?",
     "Client Tools": "Client Tools",
     "Client Tools Homepage": "Client Tools Homepage",
     "Compile": "Compile",
@@ -40,17 +46,20 @@
     "Copy as ECL ID": "Copy as ECL ID",
     "Copy path as Qualified ECL ID": "Copy path as Qualified ECL ID",
     "Copy WUID": "Copy WUID",
+    "Credential storage has been upgraded to use VS Code's secure storage. Your existing credentials have been automatically migrated.": "Credential storage has been upgraded to use VS Code's secure storage. Your existing credentials have been automatically migrated.",
     "Dashy library location (bundled, latest, localPath)": "Dashy library location (bundled, latest, localPath)",
     "Dashy Library Path (libraryLocation === \"localPath\")": "Dashy Library Path (libraryLocation === \"localPath\")",
     "Database Name": "Database Name",
     "Debug level logging (requires restart)": "Debug level logging (requires restart)",
     "Default launch configuration": "Default launch configuration",
+    "Dismiss": "Dismiss",
     "Default timeout (secs)": "Default timeout (secs)",
     "Delete Workunit": "Delete Workunit",
     "Digitally sign ECL file": "Digitally sign ECL file",
     "Down": "Down",
     "eclcc syntax check arguments": "eclcc syntax check arguments",
     "ECL Client Tools Terminal": "ECL Client Tools Terminal",
+    "ECL Extension Updated": "ECL Extension Updated",
     "ECL Notebook": "ECL Notebook",
     "ECL syntax is invalid.": "ECL syntax is invalid.",
     "ECL syntax is valid.": "ECL syntax is valid.",
@@ -80,6 +89,16 @@
     "Language Reference Lookup": "Language Reference Lookup",
     "Language Reference Website": "Language Reference Website",
     "Launch ECL Watch": "Launch ECL Watch",
+    "Login": "Login",
+    "Login to HPCC Platform": "Login to HPCC Platform",
+    "Login failed": "Login failed",
+    "Logout and Clear Credentials": "Logout and Clear Credentials",
+    "Logout from HPCC Platform and remove stored credentials": "Logout from HPCC Platform and remove stored credentials",
+    "Logout failed": "Logout failed",
+    "Learn More": "Learn More",
+    "No HPCC Platform connection available": "No HPCC Platform connection available",
+    "Successfully logged in to HPCC Platform": "Successfully logged in to HPCC Platform",
+    "Successfully logged out from HPCC Platform": "Successfully logged out from HPCC Platform",
     "List recent HPCC workunits": "List recent HPCC workunits",
     "List Workunits Tool": "List Workunits Tool",
     "Max result limit for workunit results": "Max result limit for workunit results",

src/__tests__/versionNotification.test.ts

@@ -0,0 +1,74 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import * as vscode from "vscode";
+
+// Mock the localize function
+vi.mock("../util/localize", () => ({
+    default: (key: string) => key
+}));
+
+describe("versionNotification", () => {
+    let mockContext: any;
+    let mockGlobalState: Map<string, any>;
+
+    beforeEach(() => {
+        mockGlobalState = new Map();
+        mockContext = {
+            extension: {
+                packageJSON: {
+                    version: "2.33.0"
+                }
+            },
+            extensionUri: vscode.Uri.file("/mock/path"),
+            globalState: {
+                get: vi.fn((key: string) => mockGlobalState.get(key)),
+                update: vi.fn((key: string, value: any) => {
+                    mockGlobalState.set(key, value);
+                    return Promise.resolve();
+                })
+            }
+        };
+    });
+
+    it("should store the current version on first activation", async () => {
+        const { checkForUpgrade } = await import("../util/versionNotification");
+
+        await checkForUpgrade(mockContext);
+
+        expect(mockContext.globalState.update).toHaveBeenCalledWith(
+            "ecl.lastVersion",
+            "2.33.0"
+        );
+    });
+
+    it("should detect version upgrade", async () => {
+        mockGlobalState.set("ecl.lastVersion", "2.32.0");
+
+        const showInformationMessageSpy = vi.spyOn(vscode.window, "showInformationMessage")
+            .mockResolvedValue(undefined as any);
+
+        const { checkForUpgrade } = await import("../util/versionNotification");
+
+        await checkForUpgrade(mockContext);
+
+        expect(showInformationMessageSpy).toHaveBeenCalled();
+        const call = showInformationMessageSpy.mock.calls[0];
+        expect(call[0]).toContain("2.33.0");
+
+        showInformationMessageSpy.mockRestore();
+    });
+
+    it("should not show notification when version hasn't changed", async () => {
+        mockGlobalState.set("ecl.lastVersion", "2.33.0");
+
+        const showInformationMessageSpy = vi.spyOn(vscode.window, "showInformationMessage")
+            .mockResolvedValue(undefined as any);
+
+        const { checkForUpgrade } = await import("../util/versionNotification");
+
+        await checkForUpgrade(mockContext);
+
+        expect(showInformationMessageSpy).not.toHaveBeenCalled();
+
+        showInformationMessageSpy.mockRestore();
+    });
+});

src/debugger/launchRequestArguments.ts

@@ -4,13 +4,6 @@ import { locateAllClientTools as commsLocateAllClientTools } from "@hpcc-js/comm
 export type LaunchProtocol = "http" | "https";
 export type LaunchMode = "submit" | "submitNoArchive" | "compile" | "publish" | "debug";
 
-export enum LaunchConfigState {
-    Unknown,
-    Unreachable,
-    Credentials,
-    Ok
-}
-
 // This interface should always match the schema found in `package.json`.
 export interface LaunchRequestArguments extends DebugProtocol.LaunchRequestArguments {
     //  Implicit

src/ecl/command.ts

@@ -12,6 +12,7 @@ import localize from "../util/localize";
 import { createDirectory, exists, writeFile } from "../util/fs";
 import { ECLR_EN_US, matchTopics, SLR_EN_US } from "./docs";
 import { SaveData } from "./saveData";
+import { credentialManager } from "../util/credentialManager";
 
 const IMPORT_MARKER = "//Import:";
 const SKIP = localize("Skip");
@@ -45,6 +46,7 @@ export class ECLCommands {
         ctx.subscriptions.push(vscode.commands.registerCommand("ecl.verify", this.verify, this));
         ctx.subscriptions.push(vscode.commands.registerCommand("ecl.importModFile", this.importModFile, this));
         ctx.subscriptions.push(vscode.commands.registerCommand("ecl.copyAsEclID", this.copyAsEclID, this));
+        ctx.subscriptions.push(vscode.commands.registerCommand("ecl.clearStoredPasswords", this.clearStoredPasswords, this));
     }
 
     static attach(ctx: vscode.ExtensionContext): ECLCommands {
@@ -331,4 +333,22 @@ export class ECLCommands {
             vscode.env.clipboard.writeText(ids.join(os.EOL));
         }
     }
+
+    async clearStoredPasswords() {
+        const confirm = await vscode.window.showWarningMessage(
+            localize("This will clear all stored HPCC Platform passwords. You will need to re-enter your credentials on the next connection. Are you sure?"),
+            { modal: true },
+            localize("Clear All Passwords"),
+            localize("Cancel")
+        );
+
+        if (confirm === localize("Clear All Passwords")) {
+            try {
+                await credentialManager.deleteAllCredentials();
+                vscode.window.showInformationMessage(localize("All stored passwords have been cleared."));
+            } catch (error: any) {
+                vscode.window.showErrorMessage(localize("Failed to clear stored passwords: ") + error.message);
+            }
+        }
+    }
 }