Begin password migration command

gjsjohnmurray · gjsjohnmurray · commit 209126778f08 · 2022-07-01T11:16:29.000+01:00
diff --git a/package.json b/package.json
@@ -71,6 +71,7 @@
     "onCommand:intersystems-community.servermanager.addServer",
     "onCommand:intersystems-community.servermanager.storePassword",
     "onCommand:intersystems-community.servermanager.clearPassword",
+    "onCommand:intersystems-community.servermanager.migratePasswords",
     "onCommand:intersystems-community.servermanager.importServers",
     "onCommand:intersystems-community.servermanager-credentials.testLogin",
     "onCommand:intersystems-community.servermanager-credentials.testScopedLogin",
@@ -323,6 +324,11 @@
         "category": "InterSystems Server Manager",
         "title": "Clear Password from Keychain"
       },
+      {
+        "command": "intersystems-community.servermanager.migratePasswords",
+        "category": "InterSystems Server Manager",
+        "title": "Migrate Legacy Passwords"
+      },
       {
         "command": "intersystems-community.servermanager.importServers",
         "category": "InterSystems Server Manager",
@@ -479,6 +485,18 @@
           "command": "intersystems-community.servermanager.importServers",
           "when": "isWindows"
         },
+        {
+          "command": "intersystems-community.servermanager.migratePasswords",
+          "when": "config.intersystemsServerManager.authentication.provider == intersystems-server-credentials"
+        },
+        {
+          "command": "intersystems-community.servermanager.storePassword",
+          "when": "false"
+        },
+        {
+          "command": "intersystems-community.servermanager.clearPassword",
+          "when": "false"
+        },
         {
           "command": "intersystems-community.servermanager.addToStarred",
           "when": "false"
diff --git a/src/commands/managePasswords.ts b/src/commands/managePasswords.ts
@@ -1,6 +1,7 @@
 import * as vscode from "vscode";
 import { getServerNames } from "../api/getServerNames";
 import { credentialCache } from "../api/getServerSpec";
+import { ServerManagerAuthenticationProvider } from "../authenticationProvider";
 import { extensionId } from "../extension";
 import { Keychain } from "../keychain";
 import { ServerTreeItem } from "../ui/serverManagerView";
@@ -60,6 +61,57 @@ export async function clearPassword(treeItem?: ServerTreeItem): Promise<string>
     return reply;
 }
 
+export async function migratePasswords(secretStorage: vscode.SecretStorage): Promise<void> {
+    const credentials = await Keychain.findCredentials();
+    console.log(credentials);
+    if (credentials.length === 0) {
+        vscode.window.showInformationMessage('No legacy passwords found');
+    } else {
+
+        // Collect only those for which server definition exists with a username
+        // and no credentials yet stored in our SecretStorage
+        const migratableCredentials = (await Promise.all(
+            credentials.map(async (item) => {
+                const serverName = item.account;
+                const username: string | undefined = vscode.workspace.getConfiguration("intersystems.servers." + serverName).get("username");
+                if (!username) {
+                  return undefined;
+                }
+                if (username === "" || username === "UnknownUser") {
+                  return undefined;
+                }
+                const sessionId = ServerManagerAuthenticationProvider.sessionId(serverName, username);
+                const credentialKey = ServerManagerAuthenticationProvider.credentialKey(sessionId);
+                return (await secretStorage.get(credentialKey) ? {...item, username} : undefined);
+            })
+            ))
+            .filter((item) => item);
+        if (migratableCredentials.length === 0) {
+            vscode.window.showInformationMessage('No legacy passwords found for servers whose definitions specify a username');
+        } else {
+            const disqualified = credentials.length - migratableCredentials.length;
+            const detail = disqualified > 0 ? `${disqualified} other ${disqualified > 1 ? "passwords" : "password"} ignored because associated server is no longer defined, or has no username set, or already has a password in the new keystore.` : "";
+            const message = `Migrate ${migratableCredentials.length} legacy stored ${migratableCredentials.length > 1 ? "passwords" : "password"}?`;
+            switch (await vscode.window.showInformationMessage(message, {modal: true, detail}, "Yes", "No")) {
+                case undefined:
+                    return;
+
+                case "Yes":
+                    vscode.window.showInformationMessage('TODO migration');
+                    break;
+
+                default:
+                    break;
+            }
+        }
+        const detail = "Do this to tidy up your keystore once you have migrated passwords and will not be reverting to an earlier Server Manager.";
+        if (await vscode.window.showInformationMessage(`Delete all legacy stored passwords?`, {modal: true, detail}, "Yes", "No") === "Yes") {
+            vscode.window.showInformationMessage('TODO deletion');
+        }
+}
+    return;
+}
+
 async function commonPickServer(options?: vscode.QuickPickOptions): Promise<string | undefined> {
     // Deliberately uses its own API to illustrate how other extensions would
     const serverManagerExtension = vscode.extensions.getExtension(extensionId);
diff --git a/src/extension.ts b/src/extension.ts
@@ -9,7 +9,7 @@ import { getServerSummary } from "./api/getServerSummary";
 import { pickServer } from "./api/pickServer";
 import { AUTHENTICATION_PROVIDER, ServerManagerAuthenticationProvider } from "./authenticationProvider";
 import { importFromRegistry } from "./commands/importFromRegistry";
-import { clearPassword, storePassword } from "./commands/managePasswords";
+import { clearPassword, migratePasswords, storePassword } from "./commands/managePasswords";
 import { cookieJar } from "./makeRESTRequest";
 import { NamespaceTreeItem, ProjectTreeItem, ServerManagerView, ServerTreeItem, SMTreeItem } from "./ui/serverManagerView";
 
@@ -269,6 +269,11 @@ export function activate(context: vscode.ExtensionContext) {
             });
         }),
     );
+    context.subscriptions.push(
+        vscode.commands.registerCommand(`${extensionId}.migratePasswords`, async () => {
+            await migratePasswords(context.secrets);
+        }),
+    );
     context.subscriptions.push(
         vscode.commands.registerCommand(`${extensionId}.setIconRed`, (server?: ServerTreeItem) => {
             if (server?.name) {
diff --git a/src/keychain.ts b/src/keychain.ts
@@ -18,11 +18,16 @@ export interface IKeytar {
     getPassword: typeof keytarType["getPassword"];
     setPassword: typeof keytarType["setPassword"];
     deletePassword: typeof keytarType["deletePassword"];
+    findCredentials: typeof keytarType["findCredentials"];
+}
+
+function serviceId(): string {
+  return `${vscode.env.uriScheme}-${extensionId}:password`;
 }
 
 export class Keychain {
+
     private keytar: IKeytar;
-    private serviceId: string;
     private accountId: string;
 
     constructor(connectionName: string) {
@@ -32,13 +37,12 @@ export class Keychain {
         }
 
         this.keytar = keytar;
-        this.serviceId = `${vscode.env.uriScheme}-${extensionId}:password`;
         this.accountId = connectionName;
     }
 
     public async setPassword(password: string): Promise<void> {
         try {
-            return await this.keytar.setPassword(this.serviceId, this.accountId, password);
+            return await this.keytar.setPassword(serviceId(), this.accountId, password);
         } catch (e) {
             // Ignore
             await vscode.window.showErrorMessage(
@@ -50,7 +54,7 @@ export class Keychain {
 
     public async getPassword(): Promise<string | null | undefined> {
         try {
-            return await this.keytar.getPassword(this.serviceId, this.accountId);
+            return await this.keytar.getPassword(serviceId(), this.accountId);
         } catch (e) {
             // Ignore
             logger.error(`Getting password failed: ${e}`);
@@ -60,11 +64,27 @@ export class Keychain {
 
     public async deletePassword(): Promise<boolean | undefined> {
         try {
-            return await this.keytar.deletePassword(this.serviceId, this.accountId);
+            return await this.keytar.deletePassword(serviceId(), this.accountId);
         } catch (e) {
             // Ignore
             logger.error(`Deleting password failed: ${e}`);
             return Promise.resolve(undefined);
         }
     }
+
+    public static async findCredentials(): Promise<{account: string; password: string}[]> {
+      console.log(serviceId());
+      const keytar = getKeytar();
+      try {
+        if (!keytar) {
+            throw new Error("System keychain unavailable");
+        }
+        return await keytar.findCredentials(serviceId());
+      } catch (e) {
+          // Ignore
+          logger.error(`Finding credentials failed: ${e}`);
+          return Promise.resolve([]);
+      }
+
+    }
 }
