Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Private Key Auth #159

Merged
merged 56 commits into from
Nov 6, 2024
Merged

feat: Private Key Auth #159

merged 56 commits into from
Nov 6, 2024

Conversation

bmingles
Copy link
Collaborator

@bmingles bmingles commented Oct 23, 2024

  • DHE server context right-click context menu actions

    • Generate DHE keypair - will generate keypair, upload to server, and store in secret storage locally
    • Connect to server as another user (only visible if server is disconnected
  • Login via keypair - If a keypair has been generated, clicking on a DHE server node will allow picking username / pwd or key login

  • Discard connection action - shows up as trashcan on connected server node. Will discard DHE connection + any worker connections

  • Secret storage

    • Store generated keypair
    • Remember last login user / operateas for the server
    • Deephaven: Clear Secrets - command palette option to remove private keys + remembering user / operateas user info

Note: there are some debugging tools for visualizing the secret storage. In command palette:
> Developer: Toggle Developer Tools
> Developer: Log Storage Database Contents

Copy link

github-actions bot commented Oct 23, 2024

End-to-end Test Summary

Tests 📝Passed ✅Failed ❌Skipped ⏭️Pending ⏳Other ❓Flaky 🍂Duration ⏱️
660000004:49:50
A ctrf plugin

Detailed Test Results

NameStatusmsFlaky 🍂
should default to the correct settingspassed ✅1932
should return custom settings: Empty configspassed ✅265
should return custom settings: Populated configspassed ✅109
should be able to load VSCodepassed ✅1127
should only be visible when a supported file type is active: test.groovypassed ✅2599
should only be visible when a supported file type is active: test.pypassed ✅1000
A ctrf plugin

Failed Test Summary

No failed tests ✨

Flaky Test Summary

No flaky tests detected. ✨

@bmingles bmingles marked this pull request as ready for review October 31, 2024 20:35
@bmingles bmingles requested a review from mofojed October 31, 2024 22:03
@bmingles
Copy link
Collaborator Author

The code should be ready for review. I do plan to update the DH npm package versions to non-alpha ones once https://github.com/deephaven-ent/iris/pull/2386 has merged and npm packages have been published, but there shouldn't be any api changes from that.

const username = await vscode.window.showInputBox({
placeHolder: 'Username',
prompt: 'Enter your Deephaven username',
const credentials = await runUserLoginWorkflow({
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing that's weird about this is that if we're already authenticated, it requests our username/password again. We should at least fill in the lastLogin here so we don't need to type in the user name again.
Ideally we'd use the same username, and just ask for the password again (like how other apps require re-authentication when performing security operations). It's somewhat odd having to enter the username again.

That being said, after using it - why do we have the user explicitly ask to generate a keypair? Is there any reason they'd want to create multiple key pairs? We're essentially generating this key pair so the user doesn't need to re-enter their password every time, correct? In which case, I'd expect the flow to be more like Login -> enter username/password, with an option to "Remember Me", rather than having an action "Generate DHE Keypair". Thoughts?

Copy link
Collaborator Author

@bmingles bmingles Nov 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Users could in theory create different keys for different usernames, so we would at least need to have a way for them to create a key for a different user. This could be facilitated by requiring logout and then login as the other user (related to your other comment of why we need to prompt user/password if there exists a key)

The remember me option is interesting depending on how much we want to expose to the user about the method of how things are stored. As-is, the user has to have some understanding they are opting for key pair encryption vs hiding that nuance. It does seem simpler that way but seems like something we'd want to run by Charles since it differs from current key pair usage.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming Charles is ok with hiding the private / key pair behind a "remember me" feature, I guess we could change the workflow to something like:

  1. Prompt for username (remember last used)
  2. If private key exists for selected user, use it. If not, prompt for password
  3. Somewhere along the way present option to "remember me" and generate keys if not exists, or delete them if they do and user opts out

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, if we didn't want to make such a change on this PR, I could at least default the keygen username to remember the last username. That was just an oversight on my part

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I fixed it to remember the username

src/services/SecretService.ts Outdated Show resolved Hide resolved
@@ -13,6 +14,9 @@ export class ByURLAsyncCache<TValue>
this._promiseMap = new URLMap<Promise<TValue>>();
}

private readonly _onDidInvalidate = new vscode.EventEmitter<URL>();
readonly onDidInvalidate = this._onDidInvalidate.event;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a little confused why you're adding this event/listener when it isn't being used anywhere (that I can see). Seems to be a pattern you do on a few services (e.g. DhService.onDidDisconnect). Any reason why?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had added this and then ended up swapping the instance using it for a SerializedKeyMap where I added the onDidChange. I just left it since it seemed something less to implement later if needed. I'm fine to remove it if you'd prefer though.


export type SeparatorPickItem = {
label: string;
kind: vscode.QuickPickItemKind.Separator;
};

export type AuthenticationMethodPickItem =
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why bother prompting the user if they already have a key? Why not just login automatically?

Copy link
Collaborator Author

@bmingles bmingles Nov 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use case would be to be able to login as a different user that doesn't have a private key.

@bmingles bmingles requested a review from mofojed November 1, 2024 15:59
@bmingles bmingles merged commit 9d60405 into main Nov 6, 2024
3 checks passed
@bmingles bmingles deleted the 32-private-key branch November 6, 2024 14:25
@bmingles bmingles linked an issue Nov 14, 2024 that may be closed by this pull request
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Private key based auth
2 participants