SLI-378 Prefer PasswordSafe to PasswordUtil

.cirrus/Dockerfile

@@ -5,7 +5,10 @@ FROM ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j${JDK_VERSIO
 USER root
 
 ENV NODE_VERSION=18
+
+# dbus-x11 is for SonarLint token secure storage (required by the IDE)
 RUN apt-get update && apt-get install -y metacity xvfb xauth ffmpeg \
+    dbus-x11 \
     nodejs=${NODE_VERSION}.* \
     build-essential \
     gettext-base \

src/main/java/org/sonarlint/intellij/SonarLintIntelliJClient.kt

@@ -56,8 +56,8 @@ import org.sonarlint.intellij.analysis.AnalysisSubmitter
 import org.sonarlint.intellij.common.ui.ReadActionUtils.Companion.computeReadActionSafely
 import org.sonarlint.intellij.common.util.SonarLintUtils
 import org.sonarlint.intellij.common.util.SonarLintUtils.getService
-import org.sonarlint.intellij.config.Settings.getGlobalSettings
 import org.sonarlint.intellij.config.Settings.getSettingsFor
+import org.sonarlint.intellij.config.global.ServerConnectionService
 import org.sonarlint.intellij.config.global.wizard.ServerConnectionCreator
 import org.sonarlint.intellij.core.BackendService
 import org.sonarlint.intellij.core.ProjectBindingManager
@@ -334,7 +334,7 @@ object SonarLintIntelliJClient : SonarLintClient {
         return CompletableFuture.supplyAsync {
             val connectionId = params.connectionId
             val projectKey = params.projectKey
-            val connection = getGlobalSettings().getServerConnectionByName(connectionId)
+            val connection = ServerConnectionService.getInstance().getServerConnectionByName(connectionId)
                 .orElseThrow { IllegalStateException("Unable to find connection '$connectionId'") }
             val message = "Cannot automatically find a project bound to:\n" +
                 "  • Project: $projectKey\n" +
@@ -390,11 +390,12 @@ object SonarLintIntelliJClient : SonarLintClient {
     }
 
     override fun getCredentials(params: GetCredentialsParams): CompletableFuture<GetCredentialsResponse> {
-        return getGlobalSettings().getServerConnectionByName(params.connectionId)
-            .map { connection -> connection.token?.let { CompletableFuture.completedFuture(GetCredentialsResponse(TokenDto(it))) }
-                ?: connection.login?.let { CompletableFuture.completedFuture(GetCredentialsResponse(UsernamePasswordDto(it, connection.password))) }
-                ?: CompletableFuture.failedFuture(IllegalArgumentException("Invalid credentials for connection: " + params.connectionId))
-            }.orElse(CompletableFuture.failedFuture(IllegalArgumentException("Unknown connection: " + params.connectionId)))
+        val connectionId = params.connectionId
+        return ServerConnectionService.getInstance().getServerConnectionByName(connectionId)
+                .map { connection -> connection.credentials.token?.let { CompletableFuture.completedFuture(GetCredentialsResponse(TokenDto(it))) }
+                        ?: connection.credentials.login?.let { CompletableFuture.completedFuture(GetCredentialsResponse(UsernamePasswordDto(it, connection.credentials.password))) }
+                        ?: CompletableFuture.failedFuture(IllegalArgumentException("Invalid credentials for connection: $connectionId"))}
+                .orElseGet { CompletableFuture.failedFuture(IllegalArgumentException("Connection '$connectionId' not found")) }
     }
 
     override fun getProxyPasswordAuthentication(params: GetProxyPasswordAuthenticationParams): CompletableFuture<GetProxyPasswordAuthenticationResponse> {

src/main/java/org/sonarlint/intellij/actions/OpenIssueInBrowserAction.kt

@@ -45,7 +45,7 @@ class OpenIssueInBrowserAction : AbstractSonarAction(
   override fun updatePresentation(e: AnActionEvent, project: Project) {
     val serverConnection = serverConnection(project) ?: return
     e.presentation.text = "Open in " + serverConnection.productName
-    e.presentation.icon = serverConnection.productIcon
+    e.presentation.icon = serverConnection.product.icon
   }
 
   override fun actionPerformed(e: AnActionEvent) {

src/main/java/org/sonarlint/intellij/actions/OpenSecurityHotspotInBrowserAction.kt

@@ -48,7 +48,7 @@ class OpenSecurityHotspotInBrowserAction : AbstractSonarAction(
     val serverConnection = serverConnection(project) ?: return
     e.presentation.text = "Open in " + serverConnection.productName
     e.presentation.description = "Open Security Hotspot in browser interface of " + serverConnection.productName
-    e.presentation.icon = serverConnection.productIcon
+    e.presentation.icon = serverConnection.product.icon
   }
 
   override fun actionPerformed(e: AnActionEvent) {

src/main/java/org/sonarlint/intellij/config/global/ServerConnection.kt

@@ -0,0 +1,60 @@
+/*
+ * SonarLint for IntelliJ IDEA
+ * Copyright (C) 2015-2023 SonarSource
+ * [email protected]
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02
+ */
+package org.sonarlint.intellij.config.global
+
+import org.sonarlint.intellij.common.util.SonarLintUtils
+import org.sonarlint.intellij.common.util.SonarLintUtils.SONARCLOUD_URL
+import org.sonarlint.intellij.core.BackendService
+import org.sonarlint.intellij.core.SonarProduct
+import org.sonarlint.intellij.core.server.ServerLinks
+import org.sonarlint.intellij.core.server.SonarCloudLinks
+import org.sonarlint.intellij.core.server.SonarQubeLinks
+import org.sonarsource.sonarlint.core.serverapi.EndpointParams
+import org.sonarsource.sonarlint.core.serverapi.ServerApi
+
+
+sealed class ServerConnection {
+    abstract val name: String
+    abstract val notificationsDisabled: Boolean
+    abstract val hostUrl: String
+    abstract val credentials: ServerConnectionCredentials
+    abstract val product: SonarProduct
+    abstract val links: ServerLinks
+    abstract val endpointParams: EndpointParams
+    fun api() = ServerApi(endpointParams, SonarLintUtils.getService(BackendService::class.java).getHttpClient(name))
+    override fun toString() = name
+    val isSonarCloud get() = product == SonarProduct.SONARCLOUD
+    val isSonarQube get() = product == SonarProduct.SONARQUBE
+    val productName get() = product.productName
+}
+
+data class SonarQubeConnection(override val name: String, override val hostUrl: String, override val credentials: ServerConnectionCredentials, override val notificationsDisabled: Boolean) : ServerConnection() {
+    override val product = SonarProduct.SONARQUBE
+    override val links = SonarQubeLinks(hostUrl)
+    override val endpointParams = EndpointParams(hostUrl, false, null)
+}
+
+data class SonarCloudConnection(override val name: String, val token: String, val organizationKey: String, override val notificationsDisabled: Boolean) : ServerConnection() {
+    override val credentials = ServerConnectionCredentials(null, null, token)
+    override val product = SonarProduct.SONARCLOUD
+    override val links = SonarCloudLinks
+    override val hostUrl: String = SONARCLOUD_URL
+    override val endpointParams = EndpointParams(hostUrl, true, organizationKey)
+}

src/main/java/org/sonarlint/intellij/config/global/ServerConnectionCredentials.kt

@@ -0,0 +1,22 @@
+/*
+ * SonarLint for IntelliJ IDEA
+ * Copyright (C) 2015-2023 SonarSource
+ * [email protected]
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02
+ */
+package org.sonarlint.intellij.config.global
+
+data class ServerConnectionCredentials(val login: String?, val password: String?, val token: String?)

src/main/java/org/sonarlint/intellij/config/global/ServerConnectionMgmtPanel.java

@@ -32,7 +32,6 @@
 import com.intellij.ui.ToolbarDecorator;
 import com.intellij.ui.components.JBLabel;
 import com.intellij.ui.components.JBList;
-import org.sonarlint.intellij.SonarLintIcons;
 import java.awt.BorderLayout;
 import java.awt.event.MouseAdapter;
 import java.awt.event.MouseEvent;
@@ -105,15 +104,11 @@ public void mouseClicked(MouseEvent evt) {
 
     connectionList.setCellRenderer(new ColoredListCellRenderer<>() {
       @Override
-      protected void customizeCellRenderer(JList list, ServerConnection server, int index, boolean selected, boolean hasFocus) {
-        if (server.isSonarCloud()) {
-          setIcon(SonarLintIcons.ICON_SONARCLOUD_16);
-        } else {
-          setIcon(SonarLintIcons.ICON_SONARQUBE_16);
-        }
-        append(server.getName(), SimpleTextAttributes.REGULAR_ATTRIBUTES);
-        if (!server.isSonarCloud()) {
-          append("    (" + server.getHostUrl() + ")", SimpleTextAttributes.GRAYED_ATTRIBUTES, false);
+      protected void customizeCellRenderer(JList list, ServerConnection connection, int index, boolean selected, boolean hasFocus) {
+        setIcon(connection.getProduct().getIcon());
+        append(connection.getName(), SimpleTextAttributes.REGULAR_ATTRIBUTES);
+        if (connection.isSonarQube()) {
+          append("    (" + connection.getHostUrl() + ")", SimpleTextAttributes.GRAYED_ATTRIBUTES, false);
         }
       }
     });
@@ -144,14 +139,12 @@ public JComponent getComponent() {
 
   @Override
   public boolean isModified(SonarLintGlobalSettings settings) {
-    return !connections.equals(settings.getServerConnections());
+    return !connections.equals(ServerConnectionService.getInstance().getConnections());
   }
 
   @Override
   public void save(SonarLintGlobalSettings newSettings) {
-    var newConnections = new ArrayList<>(connections);
-    newSettings.setServerConnections(newConnections);
-
+    ServerConnectionService.getInstance().setServerConnections(newSettings, connections);
     // remove them even if a server with the same name was later added
     unbindRemovedServers();
   }
@@ -162,8 +155,9 @@ public void load(SonarLintGlobalSettings settings) {
     deletedServerIds.clear();
 
     var listModel = new CollectionListModel<ServerConnection>(new ArrayList<>());
-    listModel.add(settings.getServerConnections());
-    connections.addAll(settings.getServerConnections());
+    var serverConnections = ServerConnectionService.getInstance().getConnections();
+    listModel.add(serverConnections);
+    connections.addAll(serverConnections);
     connectionList.setModel(listModel);
 
     if (!connections.isEmpty()) {
@@ -213,15 +207,15 @@ public void run(AnActionButton anActionButton) {
   private class RemoveServerAction implements AnActionButtonRunnable {
     @Override
     public void run(AnActionButton anActionButton) {
-      var server = getSelectedConnection();
+      var connection = getSelectedConnection();
       var selectedIndex = connectionList.getSelectedIndex();
 
-      if (server == null) {
+      if (connection == null) {
         return;
       }
 
       var openProjects = ProjectManager.getInstance().getOpenProjects();
-      var projectsUsingNames = getOpenProjectNames(openProjects, server);
+      var projectsUsingNames = getOpenProjectNames(openProjects, connection);
 
       if (!projectsUsingNames.isEmpty()) {
         var projects = String.join("<br>", projectsUsingNames);
@@ -236,8 +230,8 @@ public void run(AnActionButton anActionButton) {
 
       var model = (CollectionListModel<ServerConnection>) connectionList.getModel();
       // it's not removed from serverIds and editorList
-      model.remove(server);
-      connections.remove(server);
+      model.remove(connection);
+      connections.remove(connection);
       connectionChangeListener.changed(connections);
 
       if (model.getSize() > 0) {

src/main/java/org/sonarlint/intellij/config/global/ServerConnectionService.kt

@@ -0,0 +1,159 @@
+/*
+ * SonarLint for IntelliJ IDEA
+ * Copyright (C) 2015-2023 SonarSource
+ * [email protected]
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02
+ */
+package org.sonarlint.intellij.config.global
+
+import com.intellij.credentialStore.CredentialAttributes
+import com.intellij.credentialStore.Credentials
+import com.intellij.credentialStore.generateServiceName
+import com.intellij.ide.passwordSafe.PasswordSafe
+import com.intellij.openapi.application.ApplicationManager
+import com.intellij.openapi.components.Service
+import java.util.Optional
+import kotlinx.collections.immutable.toImmutableList
+import org.sonarlint.intellij.common.util.SonarLintUtils.getService
+import org.sonarlint.intellij.config.Settings.getGlobalSettings
+import org.sonarlint.intellij.messages.ServerConnectionsListener
+import org.sonarlint.intellij.util.GlobalLogOutput
+
+@Service(Service.Level.APP)
+class ServerConnectionService {
+
+    init {
+        loadAndMigrateServerConnections()
+    }
+
+    private fun loadAndMigrateServerConnections() {
+        getGlobalSettings().serverConnections.forEach { migrate(it) }
+    }
+
+    private fun migrate(connection: ServerConnectionSettings) {
+        saveCredentials(connection.name, ServerConnectionCredentials(connection.login, connection.password, connection.token))
+        connection.clearCredentials()
+    }
+
+    fun getConnections(): List<ServerConnection> = getGlobalSettings().serverConnections.filter { isValid(it) }.mapNotNull { connection ->
+        val credentials = loadCredentials(connection.name) ?: return@mapNotNull null
+        if (connection.isSonarCloud) {
+            val token = credentials.token ?: run {
+                GlobalLogOutput.get().logError("Token not found in secure storage for connection $connection", null)
+                return@mapNotNull null
+            }
+            SonarCloudConnection(connection.name, token, connection.organizationKey!!, connection.isDisableNotifications)
+        } else SonarQubeConnection(connection.name, connection.hostUrl, credentials, connection.isDisableNotifications)
+    }
+
+    private fun isValid(connectionSettings: ServerConnectionSettings): Boolean {
+        val valid = connectionSettings.name != null && if (connectionSettings.isSonarCloud) connectionSettings.organizationKey != null
+        else connectionSettings.hostUrl != null
+        if (!valid) {
+            GlobalLogOutput.get().logError("The connection $connectionSettings is not valid", null)
+        }
+        return valid
+    }
+
+    fun getServerConnectionByName(name: String): Optional<ServerConnection> {
+        return Optional.ofNullable(getConnections().firstOrNull { name == it.name })
+    }
+
+    fun connectionExists(connectionName: String): Boolean {
+        return getConnections().any { it.name == connectionName }
+    }
+
+    fun getServerNames(): Set<String> {
+        return getConnections().map { it.name }.toSet()
+    }
+
+    fun addServerConnection(connection: ServerConnection) {
+        setServerConnections(getConnections() + connection)
+    }
+
+    fun replaceConnection(name: String, replacementConnection: ServerConnection) {
+        val serverConnections = getConnections().toMutableList()
+        serverConnections[serverConnections.indexOfFirst { it.name == name }] = replacementConnection
+        setServerConnections(serverConnections.toImmutableList())
+    }
+
+    private fun setServerConnections(connections: List<ServerConnection>) {
+        setServerConnections(getGlobalSettings(), connections)
+    }
+
+    fun setServerConnections(settings: SonarLintGlobalSettings, connections: List<ServerConnection>) {
+        val previousConnections = getConnections()
+        settings.serverConnections = connections.map {
+            var builder = ServerConnectionSettings.newBuilder().setName(it.name).setHostUrl(it.hostUrl).setDisableNotifications(it.notificationsDisabled)
+            if (it is SonarCloudConnection) {
+                builder = builder.setOrganizationKey(it.organizationKey)
+            }
+            builder.build()
+        }.toList()
+        connections.forEach { saveCredentials(it.name, it.credentials) }
+        notifyConnectionsChange(connections)
+        notifyCredentialsChange(previousConnections, connections)
+        val removedConnectionNames = previousConnections.map { it.name }.filter { name -> !connections.map { it.name }.contains(name) }
+        removedConnectionNames.forEach { forgetCredentials(it) }
+    }
+
+    private fun notifyConnectionsChange(connections: List<ServerConnection>) {
+        ApplicationManager.getApplication().messageBus.syncPublisher(ServerConnectionsListener.TOPIC).afterChange(connections)
+    }
+
+    private fun notifyCredentialsChange(previousConnections: List<ServerConnection>, newConnections: List<ServerConnection>) {
+        val changedConnections = newConnections.filter { connection ->
+            val previousConnection = previousConnections.find { it.name == connection.name }
+            previousConnection?.let { connection.credentials != it.credentials } == true
+        }
+        if (changedConnections.isNotEmpty()) {
+            ApplicationManager.getApplication().messageBus.syncPublisher(ServerConnectionsListener.TOPIC).credentialsChanged(changedConnections)
+        }
+    }
+
+    private fun loadCredentials(connectionId: String): ServerConnectionCredentials? {
+        val token = PasswordSafe.instance.getPassword(tokenCredentials(connectionId))
+        if (token != null) {
+            return ServerConnectionCredentials(null, null, token)
+        }
+        val loginPassword = PasswordSafe.instance[loginPasswordCredentials(connectionId)]
+        if (loginPassword != null) {
+            return ServerConnectionCredentials(loginPassword.userName, loginPassword.password.toString(), null)
+        }
+        GlobalLogOutput.get().logError("Unable to retrieve credentials from secure storage for connection '$connectionId'", null)
+        return null
+    }
+
+    private fun saveCredentials(connectionId: String, credentials: ServerConnectionCredentials) {
+        if (credentials.token != null) {
+            PasswordSafe.instance.setPassword(tokenCredentials(connectionId), credentials.token)
+        } else if (credentials.login != null && credentials.password != null) {
+            PasswordSafe.instance[loginPasswordCredentials(connectionId)] = Credentials(credentials.login, credentials.password)
+        }
+        // else probably already migrated
+    }
+
+    private fun forgetCredentials(connectionId: String) {
+        PasswordSafe.instance[tokenCredentials(connectionId)] = null
+    }
+
+    companion object {
+        @JvmStatic
+        fun getInstance(): ServerConnectionService = getService(ServerConnectionService::class.java)
+        private fun tokenCredentials(connectionId: String) = CredentialAttributes(generateServiceName("SonarLint connections", "$connectionId.token"))
+        private fun loginPasswordCredentials(connectionId: String) = CredentialAttributes(generateServiceName("SonarLint connections", "$connectionId.loginPassword"))
+    }
+}