Isolate secrets from others extensions

package.json

@@ -57,6 +57,7 @@
     },
     "dependencies": {
         "@jupyterlab/application": "^4.0.0",
+        "@jupyterlab/coreutils": "^6.0.0",
         "@jupyterlab/statedb": "^4.0.0",
         "@lumino/algorithm": "^2.0.0",
         "@lumino/coreutils": "^2.1.2"

src/index.ts

@@ -3,20 +3,20 @@ import {
   JupyterFrontEndPlugin
 } from '@jupyterlab/application';
 import { SecretsManager } from './manager';
-import { ISecretsConnector, ISecretsManager } from './token';
+import { ISecretsManager } from './token';
 import { InMemoryConnector } from './connectors';
 
 /**
  * A basic secret connector extension, that should be disabled to provide a new
  * connector.
  */
-const inMemoryConnector: JupyterFrontEndPlugin<ISecretsConnector> = {
+const inMemoryConnector: JupyterFrontEndPlugin<void> = {
   id: 'jupyter-secrets-manager:connector',
   description: 'A JupyterLab extension to manage secrets.',
   autoStart: true,
-  provides: ISecretsConnector,
-  activate: (app: JupyterFrontEnd): ISecretsConnector => {
-    return new InMemoryConnector();
+  requires: [ISecretsManager],
+  activate: (app: JupyterFrontEnd, manager: ISecretsManager): void => {
+    manager.setConnector(new InMemoryConnector());
   }
 };
 
@@ -28,16 +28,13 @@ const manager: JupyterFrontEndPlugin<ISecretsManager> = {
   description: 'A JupyterLab extension to manage secrets.',
   autoStart: true,
   provides: ISecretsManager,
-  requires: [ISecretsConnector],
-  activate: (
-    app: JupyterFrontEnd,
-    connector: ISecretsConnector
-  ): ISecretsManager => {
+  activate: (app: JupyterFrontEnd): ISecretsManager => {
     console.log('JupyterLab extension jupyter-secrets-manager is activated!');
-    return new SecretsManager({ connector });
+    return new SecretsManager();
   }
 };
 
 export * from './connectors';
+export * from './manager';
 export * from './token';
 export default [inMemoryConnector, manager];

src/manager.ts

@@ -1,3 +1,5 @@
+import { JupyterFrontEndPlugin } from '@jupyterlab/application';
+import { PageConfig } from '@jupyterlab/coreutils';
 import { PromiseDelegate } from '@lumino/coreutils';
 
 import {
@@ -8,64 +10,79 @@ import {
 } from './token';
 
 /**
- * The secrets manager namespace.
- */
-export namespace SecretsManager {
-  /**
-   * Secrets manager constructor's options.
-   */
-  export interface IOptions {
-    connector: ISecretsConnector;
-  }
-}
-
-/**
- * The default secrets manager implementation.
+ * The default secrets manager.
  */
 export class SecretsManager implements ISecretsManager {
   /**
    * the secrets manager constructor.
    */
-  constructor(options: SecretsManager.IOptions) {
-    this._connector = options.connector;
+  constructor() {
     this._ready = new PromiseDelegate<void>();
     this._ready.resolve();
   }
 
+  /**
+   * Set the connector to use with the manager.
+   *
+   * NOTE:
+   * If several extensions try to set the connector, the manager will be locked.
+   * This is to prevent malicious extensions to get passwords when they are saved.
+   */
+  setConnector(value: ISecretsConnector): void {
+    Private.setConnector(value);
+  }
+
   get ready(): Promise<void> {
     return this._ready.promise;
   }
 
   /**
    * Get a secret given its namespace and ID.
    */
-  async get(namespace: string, id: string): Promise<ISecret | undefined> {
-    return this._get(Private.buildSecretId(namespace, id));
+  async get(
+    token: symbol,
+    namespace: string,
+    id: string
+  ): Promise<ISecret | undefined> {
+    this._check(token, namespace);
+    return this._get(Private.buildConnectorId(namespace, id));
   }
 
   /**
    * Set a secret given its namespace and ID.
    */
-  async set(namespace: string, id: string, secret: ISecret): Promise<any> {
-    return this._set(Private.buildSecretId(namespace, id), secret);
+  async set(
+    token: symbol,
+    namespace: string,
+    id: string,
+    secret: ISecret
+  ): Promise<any> {
+    this._check(token, namespace);
+    return this._set(Private.buildConnectorId(namespace, id), secret);
   }
 
   /**
    * List the secrets for a namespace as a ISecretsList.
    */
-  async list(namespace: string): Promise<ISecretsList | undefined> {
-    if (!this._connector.list) {
+  async list(
+    token: symbol,
+    namespace: string
+  ): Promise<ISecretsList | undefined> {
+    this._check(token, namespace);
+    const connector = Private.getConnector();
+    if (!connector?.list) {
       return;
     }
     await this._ready.promise;
-    return await this._connector.list(namespace);
+    return connector.list(namespace);
   }
 
   /**
    * Remove a secret given its namespace and ID.
    */
-  async remove(namespace: string, id: string): Promise<void> {
-    return this._remove(Private.buildSecretId(namespace, id));
+  async remove(token: symbol, namespace: string, id: string): Promise<void> {
+    this._check(token, namespace);
+    return this._remove(Private.buildConnectorId(namespace, id));
   }
 
   /**
@@ -74,17 +91,19 @@ export class SecretsManager implements ISecretsManager {
    * is programmatically filled.
    */
   async attach(
+    token: symbol,
     namespace: string,
     id: string,
     input: HTMLInputElement,
     callback?: (value: string) => void
   ): Promise<void> {
-    const attachedId = Private.buildSecretId(namespace, id);
+    this._check(token, namespace);
+    const attachedId = Private.buildConnectorId(namespace, id);
     const attachedInput = this._attachedInputs.get(attachedId);
 
     // Detach the previous input.
     if (attachedInput) {
-      this.detach(namespace, id);
+      this.detach(token, namespace, id);
     }
     this._attachedInputs.set(attachedId, input);
 
@@ -108,14 +127,16 @@ export class SecretsManager implements ISecretsManager {
   /**
    * Detach the input previously attached with its namespace and ID.
    */
-  detach(namespace: string, id: string): void {
-    this._detach(Private.buildSecretId(namespace, id));
+  detach(token: symbol, namespace: string, id: string): void {
+    this._check(token, namespace);
+    this._detach(Private.buildConnectorId(namespace, id));
   }
 
   /**
    * Detach all attached input for a namespace.
    */
-  async detachAll(namespace: string): Promise<void> {
+  async detachAll(token: symbol, namespace: string): Promise<void> {
+    this._check(token, namespace);
     for (const id of this._attachedInputs.keys()) {
       if (id.startsWith(`${namespace}:`)) {
         this._detach(id);
@@ -127,31 +148,34 @@ export class SecretsManager implements ISecretsManager {
    * Actually fetch the secret from the connector.
    */
   private async _get(id: string): Promise<ISecret | undefined> {
-    if (!this._connector.fetch) {
+    const connector = Private.getConnector();
+    if (!connector?.fetch) {
       return;
     }
     await this._ready.promise;
-    return this._connector.fetch(id);
+    return connector.fetch(id);
   }
 
   /**
    * Actually save the secret using the connector.
    */
   private async _set(id: string, secret: ISecret): Promise<any> {
-    if (!this._connector.save) {
+    const connector = Private.getConnector();
+    if (!connector?.save) {
       return;
     }
-    return this._connector.save(id, secret);
+    return connector.save(id, secret);
   }
 
   /**
    * Actually remove the secrets using the connector.
    */
   async _remove(id: string): Promise<void> {
-    if (!this._connector.remove) {
+    const connector = Private.getConnector();
+    if (!connector?.remove) {
       return;
     }
-    this._connector.remove(id);
+    return connector.remove(id);
   }
 
   private _onInput = async (e: Event): Promise<void> => {
@@ -184,16 +208,122 @@ export class SecretsManager implements ISecretsManager {
     this._attachedInputs.delete(attachedId);
   }
 
-  private _connector: ISecretsConnector;
+  private _check(token: symbol, namespace: string): void {
+    if (Private.isLocked() || Private.namespace.get(token) !== namespace) {
+      throw new Error(
+        `The secrets namespace ${namespace} is not available with the provided token`
+      );
+    }
+  }
+
   private _attachedInputs = new Map<string, HTMLInputElement>();
   private _ready: PromiseDelegate<void>;
 }
 
+/**
+ * The secrets manager namespace.
+ */
+export namespace SecretsManager {
+  /**
+   * A function that protects the secrets namespace of the signed plugin from
+   * other plugins.
+   *
+   * @param id - the secrets namespace, which must match the plugin ID to prevent an
+   * extension to use an other extension namespace.
+   * @param factory - a plugin factory, taking a symbol as argument and returning a
+   * plugin.
+   * @returns - the plugin to activate.
+   */
+  export function sign<T>(
+    id: string,
+    factory: ISecretsManager.PluginFactory<T>
+  ): JupyterFrontEndPlugin<T> {
+    const { lock, isLocked, namespace: plugins, symbols } = Private;
+    const { isDisabled } = PageConfig.Extension;
+    if (isLocked()) {
+      throw new Error('Secrets manager is locked, check errors.');
+    }
+    if (isDisabled('jupyter-secrets-manager:manager')) {
+      lock('Secret registry is disabled.');
+    }
+    if (isDisabled(id)) {
+      lock(`Sign error: plugin ${id} is disabled.`);
+    }
+    if (symbols.has(id)) {
+      lock(`Sign error: another plugin signed as "${id}".`);
+    }
+    const token = Symbol(id);
+    const plugin = factory(token);
+    if (id !== plugin.id) {
+      lock(`Sign error: plugin ID mismatch "${plugin.id}"≠"${id}".`);
+    }
+    plugins.set(token, id);
+    symbols.set(id, token);
+    return plugin;
+  }
+}
+
 namespace Private {
+  /**
+   * Internal 'locked' status.
+   */
+  let locked: boolean = false;
+
+  /**
+   * The namespace associated to a symbol.
+   */
+  export const namespace = new Map<symbol, string>();
+
+  /**
+   * The symbol associated to a namespace.
+   */
+  export const symbols = new Map<string, symbol>();
+
+  /**
+   * Lock the manager.
+   *
+   * @param message - the error message to throw.
+   */
+  export function lock(message: string) {
+    locked = true;
+    throw new Error(message);
+  }
+
+  /**
+   * Check if the manager is locked.
+   *
+   * @returns - whether the manager is locked or not.
+   */
+  export function isLocked(): boolean {
+    return locked;
+  }
+
+  /**
+   * Connector used by the manager.
+   */
+  let connector: ISecretsConnector | null = null;
+
+  /**
+   * Set the connector.
+   */
+  export function setConnector(value: ISecretsConnector) {
+    if (connector !== null) {
+      lock('A secrets manager connector already exists.');
+    }
+    connector = value;
+  }
+
+  /**
+   * Get the connector.
+   */
+  export function getConnector(): ISecretsConnector | null {
+    return connector;
+  }
+
   /**
    * Build the secret id from the namespace and id.
    */
-  export function buildSecretId(namespace: string, id: string): string {
+  export function buildConnectorId(namespace: string, id: string): string {
     return `${namespace}:${id}`;
   }
 }