Uploaded image for project: 'Tools (JBoss Tools)'
  1. Tools (JBoss Tools)
  2. JBIDE-22756

Connection: various weirdness in token/password implementations

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Unresolved
    • Icon: Major Major
    • 4.30.x
    • 4.4.1.AM2
    • openshift

      The lifecycle of the token is rather weird and needs a consistent logic:
      When connecting via wizard the token is set in the connection wizard:

      ConnectionWizardPageModel#connect
      ...
      try {
      	IConnection connection = createConnection(connectionFactory, connectionAuthenticationProvider);
      ...
      
      ConnectionWizardPageModel#createConnection
      ...
      		if (authProvider != null) {
      			authProvider.update(connection); // sets the token
      		}
      ...
      
      BearTokenAuthenticationProvider#update
      ...
      			connection.setAuthScheme(IAuthorizationContext.AUTHSCHEME_OAUTH);
      connection.setToken(tokenObservable.getValue());
      connection.setRememberToken(rememberTokenObservable.getValue());
      ...
      
      Connection#connect
      if(authorize()) {
      ...
      
      Connection#authorized
      ...
      if (context.isAuthorized()) {
      	String username = context.getUser().getName();
      	String token = context.getToken();
      	updateAuthorized(username, token);
      } else {
      ...
      

      The token is then fetched from client and set to the connection

      Connection#updateAuthorized
      setToken(token);
      ...
      

      and the password is cleared

      Unable to find source-code formatter for language: connectoin#savepasswordortoken. Available languages are: actionscript, ada, applescript, bash, c, c#, c++, cpp, css, erlang, go, groovy, haskell, html, java, javascript, js, json, lua, none, nyan, objc, perl, php, python, r, rainbow, ruby, scala, sh, sql, swift, visualbasic, xml, yaml
      		} else if (IAuthorizationContext.AUTHSCHEME_OAUTH.equals(getAuthScheme())){
      			boolean success = saveOrClear(SECURE_STORAGE_TOKEN_KEY, this.token, isRememberToken());
      			if(success) { 
      				//Avoid second secure storage prompt.
      				//Token is stored, password should be cleared.
      				clearPassword();
      

      I suspect the aim here is to clear existing password in secure storage if the user is switching password->token based auth (and vice versa)
      The opposite is then not fully congruent. The token is only cleared in secure storage, not in Connection instance var

      Connection#savePasswordOrToken
      		if (IAuthorizationContext.AUTHSCHEME_BASIC.equals(getAuthScheme())) {
      			boolean success = saveOrClear(SECURE_STORAGE_PASSWORD_KEY, this.password, isRememberPassword());
      			if (success) {
      				//Avoid second secure storage prompt.
      				// Password is stored, token should be cleared.
      				clearToken();
      			}
      {code:Connection#clearToken}
      		// dont clear the token instance var: JBIDE-22594
      		setRememberToken(false);
      		saveOrClear(SECURE_STORAGE_TOKEN_KEY, null, false);
      

      I suspect that we should only clear in secure storage, not in the Connection instance as we see in JBIDE-22594 (for the opposite case where we dont clear the token in the Connection instance). But then one has to keep in mind that all auth is token based. Even if you auth via password initially, the auth is then switched to token based once the authorization succeeded and we got a token:

      Connection#updateAuthorized
      		setToken(token);
      		if (IAuthorizationContext.AUTHSCHEME_OAUTH.equalsIgnoreCase(getAuthScheme())) {
      			setUsername(username);
      		}
      		// force auth strategy to token if authorized
      		TokenAuthorizationStrategy tokenStrategy = new TokenAuthorizationStrategy(token, username);
      		client.setAuthorizationStrategy(tokenStrategy);
      

      Another issue is that the connection and the auth schemeare both stored in different classes. The connection is stored via

      ConnectionPersistency#persist
      preferences.saveConnections(connections.keySet().toArray(new String[] {}));
      ...
      

      while the auth scheme is stored in Connection#saveAuthSchemePreference:

      Connection#connect
      saveAuthSchemePreference();
      

              Unassigned Unassigned
              adietish@redhat.com André Dietisheim
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: