fix: save auth state between pd sessions in secure storage (#88)

Signed-off-by: Denis Golovin <[email protected]>

Author: dgolovin

package.json

@@ -29,7 +29,7 @@
     "test": "vitest run --coverage"
   },
   "dependencies": {
-    "@podman-desktop/api": "^1.6.4",
+    "@podman-desktop/api": "0.0.202403201348-23ebd88",
     "@redhat-developer/rhcra-client": "^0.0.1",
     "@redhat-developer/rhsm-client": "^0.0.4  ",
     "@types/node": "^18.15.11",

src/authentication-service.spec.ts

@@ -16,15 +16,37 @@
  * SPDX-License-Identifier: Apache-2.0
  ***********************************************************************/
 
-import { afterEach, expect, beforeEach, test, vi, vitest } from 'vitest';
-import { convertToSession } from './authentication-service';
+import { beforeEach, expect, test, vi } from 'vitest';
+import { RedHatAuthenticationService, convertToSession } from './authentication-service';
+import { AuthenticationProvider, ExtensionContext, authentication } from '@podman-desktop/api';
+import { TokenSet, Issuer, BaseClient } from 'openid-client';
+import { getAuthConfig } from './configuration';
 
 vi.mock('@podman-desktop/api', async () => {
   return {
-    EventEmitter: function() {}
+    EventEmitter: vi.fn().mockImplementation(() => {
+      return {
+        fire: vi.fn(),
+      };
+    }),
+    registry: {
+      suggestRegistry: vi.fn(),
+    },
+    authentication: {
+      registerAuthenticationProvider: vi.fn(),
+      onDidChangeSessions: vi.fn(),
+      getSession: vi.fn(),
+    },
+    commands: {
+      registerCommand: vi.fn(),
+    },
   };
 });
 
+beforeEach(() => {
+  vi.restoreAllMocks();
+});
+
 test('An authentication token is converted to a session', () => {
   const token = {
     account: {
@@ -39,10 +61,69 @@ test('An authentication token is converted to a session', () => {
     expiresAt: Date.now() + 777777777,
     expiresIn: 777777,
   };
-  const session = convertToSession(token)
+  const session = convertToSession(token);
   expect(session.id).equals(token.sessionId);
   expect(session.accessToken).equals(token.accessToken);
   expect(session.idToken).equals(token.idToken);
-  expect(session.account).equals(token.account);;
+  expect(session.account).equals(token.account);
   expect(session.scopes).contain('openid');
-});
+});
+
+test('Authentication service loads tokens form secret storage during initialization', async () => {
+  vi.spyOn(Issuer, 'discover').mockImplementation(async (url: string) => {
+    return {
+      Client: vi.fn().mockImplementation(() => {
+        return {
+          refresh: vi.fn().mockImplementation((refreshToken: string): TokenSet => {
+            return {
+              claims: vi.fn().mockImplementation(() => {
+                return {
+                  sub: 'subscriptionId',
+                  preferred_username: 'username',
+                };
+              }),
+              expired: vi.fn().mockImplementation(() => false),
+              expires_in: 15 * 60, // in seconds
+              id_token: 'id_token_string',
+              access_token: 'access_token_string',
+              refresh_token: 'refresh_token_string',
+              session_state: 'session_state_string',
+            };
+          }),
+          authorizationUrl: vi.fn().mockImplementation(() => {}),
+          callback: vi.fn(),
+          callbackParams: vi.fn(),
+        };
+      }),
+    } as unknown as Issuer<BaseClient>;
+  });
+
+  let provider: AuthenticationProvider;
+  vi.mocked(authentication.registerAuthenticationProvider).mockImplementation((_id, _label, ssoProvider) => {
+    provider = ssoProvider;
+    return {
+      dispose: vi.fn(),
+    };
+  });
+  const extensionContext: ExtensionContext = {
+    secrets: {
+      get: vi.fn().mockImplementation(() => {
+        return JSON.stringify([
+          {
+            refreshToken: 'refreshTokenString',
+            scope: 'openid scope1 scope3 scope4',
+            id: 'uniqueId1',
+          },
+        ]);
+      }),
+      store: vi.fn(),
+      delete: vi.fn(),
+      onDidChange: vi.fn(),
+    },
+    subscriptions: [],
+  } as unknown as ExtensionContext;
+  const service = await RedHatAuthenticationService.build(extensionContext, getAuthConfig());
+  await service.initialize();
+  expect(extensionContext.secrets.get).toHaveBeenCalledOnce();
+  expect((await service.getSessions(['scope1', 'scope3', 'scope4'])).length).toBe(0);
+});

src/authentication-service.ts

@@ -19,12 +19,11 @@
  *  IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
  *  WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  *--------------------------------------------------------------------------------------------*/
-import { AuthenticationSession, window, EventEmitter, AuthenticationProviderAuthenticationSessionsChangeEvent, env, Uri } from '@podman-desktop/api';
+import { AuthenticationSession, window, EventEmitter, AuthenticationProviderAuthenticationSessionsChangeEvent, env, Uri, ExtensionContext, Disposable } from '@podman-desktop/api';
 import { ServerResponse } from 'node:http';
 import { Client, generators, Issuer, TokenSet } from 'openid-client';
 import { createServer, startServer } from './authentication-server';
 import { AuthConfig } from './configuration';
-import { Keychain } from './keychain';
 import Logger from './logger';
 
 interface IToken {
@@ -92,11 +91,11 @@ export class RedHatAuthenticationService {
   private _tokens: IToken[] = [];
   private _refreshTimeouts: Map<string, NodeJS.Timeout> = new Map<string, NodeJS.Timeout>();
   //private _uriHandler: UriEventHandler;
+  private _disposables: Disposable[] = [];
   private client: Client;
-  private keychain: Keychain;
   private config: AuthConfig;
 
-  constructor(issuer: Issuer<Client>, config: AuthConfig) {
+  constructor(issuer: Issuer<Client>, private context: ExtensionContext, config: AuthConfig) {
     //this._uriHandler = new UriEventHandler();
     //this._disposables.push(vscode.window.registerUriHandler(this._uriHandler));
     this.config = config;
@@ -105,19 +104,18 @@ export class RedHatAuthenticationService {
       response_types: ['code'],
       token_endpoint_auth_method: 'none',
     });
-    this.keychain = new Keychain(config.serviceId);
   }
 
-  public static async build(config: AuthConfig): Promise<RedHatAuthenticationService> {
+  public static async build(context: ExtensionContext, config: AuthConfig): Promise<RedHatAuthenticationService> {
     Logger.info(`Configuring ${config.serviceId} {auth: ${config.authUrl}, api: ${config.apiUrl}}`);
     const issuer = await Issuer.discover(config.authUrl);
 
-    const provider = new RedHatAuthenticationService(issuer, config);
+    const provider = new RedHatAuthenticationService(issuer, context, config);
     return provider;
   }
 
   public async initialize(): Promise<void> {
-    const storedData = await this.keychain.getToken();
+    const storedData = await this.context.secrets.get(this.config.serviceId);
     if (storedData) {
       try {
         const sessions = this.parseStoredData(storedData);
@@ -159,6 +157,10 @@ export class RedHatAuthenticationService {
         Logger.info('Failed to initialize stored data');
         await this.clearSessions();
       }
+
+      this._disposables.push(this.context.secrets.onDidChange(() => {
+        this.checkForUpdates();
+      }));
     }
   }
 
@@ -167,7 +169,7 @@ export class RedHatAuthenticationService {
   }
 
   private async storeTokenData(): Promise<void> {
-    const serializedData: IStoredSession[] = this._tokens.map(token => {
+    const storedSessions: IStoredSession[] = this._tokens.map(token => {
       return {
         id: token.sessionId,
         refreshToken: token.refreshToken,
@@ -176,13 +178,13 @@ export class RedHatAuthenticationService {
       };
     });
 
-    await this.keychain.setToken(JSON.stringify(serializedData));
+    await this.context.secrets.store(this.config.serviceId, JSON.stringify(storedSessions));
   }
 
   private async checkForUpdates(): Promise<void> {
     const added: RedHatAuthenticationSession[] = [];
     let removed: RedHatAuthenticationSession[] = [];
-    const storedData = await this.keychain.getToken();
+    const storedData = await this.context.secrets.get(this.config.serviceId);
     if (storedData) {
       try {
         const sessions = this.parseStoredData(storedData);
@@ -394,6 +396,11 @@ export class RedHatAuthenticationService {
     response.end();
   }
 
+	public dispose(): void {
+		this._disposables.forEach(disposable => disposable.dispose());
+		this._disposables = [];
+	}
+
   private async setToken(token: IToken, scope: string): Promise<void> {
     const existingTokenIndex = this._tokens.findIndex(t => t.sessionId === token.sessionId);
     if (existingTokenIndex > -1) {
@@ -546,7 +553,7 @@ export class RedHatAuthenticationService {
       session = convertToSession(token);
     }
     if (this._tokens.length === 0) {
-      await this.keychain.deleteToken();
+      await this.context.secrets.delete(this.config.serviceId);
     } else {
       this.storeTokenData();
     }
@@ -556,7 +563,7 @@ export class RedHatAuthenticationService {
   public async clearSessions() {
     Logger.info('Logging out of all sessions');
     this._tokens = [];
-    await this.keychain.deleteToken();
+    await this.context.secrets.delete(this.config.serviceId);
 
     this._refreshTimeouts.forEach(timeout => {
       clearTimeout(timeout);

src/configuration.ts

@@ -41,24 +41,18 @@ const CLIENT_ID = process.env.CLIENT_ID ? process.env.CLIENT_ID : 'podman-deskto
 console.log('REDHAT_AUTH_URL: ' + REDHAT_AUTH_URL);
 console.log('KAS_API_URL: ' + KAS_API_URL);
 console.log('CLIENT_ID: ' + KAS_API_URL);
-export async function getAuthConfig(): Promise<AuthConfig> {
+
+export function getAuthConfig(): AuthConfig {
   return {
     serviceId: 'redhat-account-auth',
     authUrl: REDHAT_AUTH_URL,
     apiUrl: KAS_API_URL,
     clientId: CLIENT_ID,
-    serverConfig: await getServerConfig(SSO_REDHAT),
+    serverConfig: getServerConfig(SSO_REDHAT),
   };
 }
 
-export async function getServerConfig(type: AuthType): Promise<ServerConfig> {
-  // if (process.env['CHE_WORKSPACE_ID']) {
-  //     return getCheServerConfig(type);
-  // }
-  return getLocalServerConfig(type);
-}
-
-async function getLocalServerConfig(type: AuthType): Promise<ServerConfig> {
+export function getServerConfig(type: AuthType): ServerConfig {
   return {
     callbackPath: `${type}-callback`,
     externalUrl: 'http://localhost',

src/extension.ts

@@ -29,24 +29,11 @@ import { restartPodmanMachine, runRpmInstallSubscriptionManager, runSubscription
 import { SubscriptionManagerClient } from '@redhat-developer/rhsm-client';
 import { isLinux } from './util';
 
-let loginService: RedHatAuthenticationService;
+let authenticationServicePromise: Promise<RedHatAuthenticationService>;
 let currentSession: extensionApi.AuthenticationSession | undefined;
 
 async function getAuthenticationService() {
-  if (!loginService) {
-    const config = await getAuthConfig();
-    loginService = await RedHatAuthenticationService.build(config);
-  }
-  return loginService;
-}
-
-let authService: RedHatAuthenticationService;
-
-async function getAuthService() {
-  if (!authService) {
-    authService = await getAuthenticationService();
-  }
-  return authService;
+  return authenticationServicePromise;
 }
 
 // function to encode file data to base64 encoded string
@@ -209,15 +196,22 @@ async function removeSession(sessionId: string): Promise<void> {
   runSubscriptionManagerUnregister()
     .catch(console.error); // ignore error in case vm subscription activation failed on login
   removeRegistry(); // never fails, even if registry does not exist
-  const service = await getAuthService();
+  const service = await getAuthenticationService();
   const session = await service.removeSession(sessionId);
   onDidChangeSessions.fire({ removed: [session!] });
 }
 
-export async function activate(extensionContext: extensionApi.ExtensionContext): Promise<void> {
+export async function activate(context: extensionApi.ExtensionContext): Promise<void> {
   console.log('starting redhat-authentication extension');
-
-  extensionContext.subscriptions.push(extensionApi.registry.suggestRegistry({
+  if (!authenticationServicePromise) {
+    authenticationServicePromise = RedHatAuthenticationService.build(context, getAuthConfig())
+      .then(service => {
+        context.subscriptions.push(service);
+        service.initialize();
+        return service;
+    });
+  }
+  context.subscriptions.push(extensionApi.registry.suggestRegistry({
     name: 'Red Hat Container Registry',
     icon: fileToBase64(path.resolve(__dirname,'..', 'icon.png')),
     url: 'registry.redhat.io',
@@ -228,13 +222,13 @@ export async function activate(extensionContext: extensionApi.ExtensionContext):
     'Red Hat SSO', {
       onDidChangeSessions: onDidChangeSessions.event,
       createSession: async function (scopes: string[]): Promise<extensionApi.AuthenticationSession> {
-        const service = await getAuthService();
+        const service = await getAuthenticationService();
         const session = await service.createSession(scopes.sort().join(' '));
         onDidChangeSessions.fire({ added: [session] });
         return session;
       },
       getSessions: async function (scopes: string[]): Promise<extensionApi.AuthenticationSession[]> {
-        const service = await getAuthService();
+        const service = await getAuthenticationService();
         return service.getSessions(scopes);
       },
       removeSession,
@@ -259,7 +253,7 @@ export async function activate(extensionContext: extensionApi.ExtensionContext):
 
   await signIntoRedHatDeveloperAccount(false);
 
-  extensionContext.subscriptions.push(providerDisposable);
+  context.subscriptions.push(providerDisposable);
 
   const SignInCommand = extensionApi.commands.registerCommand('redhat.authentication.signin', async () => {
 
@@ -309,7 +303,8 @@ export async function activate(extensionContext: extensionApi.ExtensionContext):
   });
 
   const SignOutCommand = extensionApi.commands.registerCommand('redhat.authentication.signout', async () => {
-    loginService.removeSession(currentSession!.id);
+    const service = await getAuthenticationService();
+    service.removeSession(currentSession!.id);
     onDidChangeSessions.fire({ added: [], removed: [currentSession!], changed: [] });
     currentSession = undefined;
   });
@@ -320,7 +315,7 @@ export async function activate(extensionContext: extensionApi.ExtensionContext):
     );
   });
 
-  extensionContext.subscriptions.push(SignInCommand, SignOutCommand, SignUpCommand, onDidChangeSessionDisposable);
+  context.subscriptions.push(SignInCommand, SignOutCommand, SignUpCommand, onDidChangeSessionDisposable);
 }
 
 export function deactivate(): void {