Unexpected behaviour when retrieving username/password from zowe config with autoStore: true

[juleskreutzer]

Hello,

We're working on a custom extension that uses the CLI and imperative packages. We recently reworked our authentication handler to make it more robust and minimize the amount of times a user has to sign in.

In general, the flow for authentication and creating a Session is as follows:

• Extension is activated, authHandler instance is created (signleton pattern)
• Upon request to APIML, we check if the authHandler has a filled Session object
  • If session is undefined, retrieve the token from zowe.config.json
    • If token is undefined, retrieve username and password from zowe.config.json, stored securely
      • If username and/or password is undefined, prompt user for input and create session
    • If the token is defined, check if is hasn't expired yet
      • If the token is expired, try to get the username and password from zowe.config.json or prompt the user and create new session
  • If the session is defined, check if token is still valid
    • Renew token if it is expired, either with username/password or prompt user

If we try to create a new session and the username/password are not stored in the zowe.config.json, the below part of code is being executed to create a new token:

import { ProfileInfo, IProfAttrs, Session } from '@zowe/imperative';
import * as zowe from '@zowe/cli';

...
private async doLogin(username: string, password: string) {
   ...

   // Load base profile
   const profile = this.profileInfo.getDefaultProfile('base');
   if (profile === undefined || profile === null) {
      throw new ProfileLoadingError(`Retrieved base profile is undefined`, MessageLocation.CORE);
   }

   const profileToUpdate = { profileName: profile.profName, profileType: profile.profType };

   const updSession = new zowe.imperative.Session({
      hostname: MAINFRAME_HOSTNAME,
      port: MAINFRAME_PORT,
      user: username, // --> Input has been validated before
      password: password, // --> Input has been validated before
      rejectUnauthorized: MAINFRAME_REJECT_UNAUTHORIZED, // false
      tokenType: MAINFRAME_TOKEN_TYPE, // apimlAuthenticationToken
      type: zowe.imperative.SessConstants.AUTH_TYPE_TOKEN
   });

   // Generate new token
   const token = await zowe.Login.apimlLogin(updSession);

   await this.profileInfo.updateProperty({
      ...profileToUpdate,
      property: 'tokenType',
      value: updSession.ISession.tokenType!
   });

   await this.profileInfo.updateProperty({
      ...profileToUpdate,
      property: 'tokenValue',
      value: token,
      setSecure: this.profileInfo.isSecured()
   });

   // Reload profile info
   await this._loadProfileInfo();
}

// Perhaps this needs to be reworked because we store our zowe profiles in `%USERPROFILE%/.zowe`
public async _loadProfileInfo() {
   if (vscode.workspace.workspaceFolders !== undefined && vscode.workspace.workspaceFolders.length > 0) {
      const workspaceRoot: string = vscode.workspace.workspaceFolders[0].uri.fsPath;
      await this.profileInfo.readProfilesFromDisk({
         homeDir: path.join(os.homedir(), '.zowe'),
         projectDir: getFullPath(workspaceRoot)
     });
   } else {
      await this.profileInfo.readProfilesFromDisk({
         homeDir: path.join(os.homedir(), '.zowe'),
         projectDir: false
      });
   }

   const profiles = await this.profileInfo.getAllProfiles();
   if (profiles.length === 0) {
      throw new ProfileLoadingError('Unable to load profiles from disk', MessageLocation.CORE);
   }
}

When we make a call to APIML, for example retrieving a source file, and the session object is not defined, the following code will be executed to retrieved the needed values from zowe.config.json and try to create a new session.

private async createSession(): Promise<void> {
   try {
      const zosmfProfAttr = this.profileInfo.getDefaultProfile('zosmf');
        
      if (zosmfProfAttr === null) {
         throw new ProfileLoadingError('Unable to load default ZOSMF profile', MessageLocation.CORE);
      }

      let zosmfMergedArgs = this.profileInfo.mergeArgsForProfile(zosmfProfAttr, { getSecureVals: true});

      // Validate if we have a filled and valid tokenValue in the profile
      const tokenValueProfAttr = zosmfMergedArgs.knownArgs.find(v => v.argName === 'tokenValue');

      if (!tokenValueProfAttr) {
         // No TokenValue available in profile
         // Check if we have username and password and login
         const usernameProfAttr = zosmfMergedArgs.knownArgs.find(v => v.argName === 'user');
         const passwordProfAttr = zosmfMergedArgs.knownArgs.find(v => v.argName === 'password');       
         
         if (!usernameProfAttr || !passwordProfAttr) {
            // Do the login via the regular login command
           await vscode.commands.executeCommand('daf.commands.authhandler.update-credentials');

           // After login, reload the zosmfMergedArgs so that we have the new tokenValue
           zosmfMergedArgs = this.profileInfo.mergeArgsForProfile(zosmfProfAttr, { getSecureVals: true});
        } else {
           // Login
           if ((typeof usernameProfAttr.argValue !== 'string' || usernameProfAttr.argValue === '') || (typeof passwordProfAttr.argValue !== 'string' || passwordProfAttr.argValue === '')) {
              // Do the login via the regular login command since we're missing either the username or the password
              await vscode.commands.executeCommand('daf.commands.authhandler.update-credentials');
           } else {
              await this.doLogin(usernameProfAttr.argValue, passwordProfAttr.argValue);
           }
           // After login, reload the zosmfMergedArgs so that we have the new tokenValue
           zosmfMergedArgs = this.profileInfo.mergeArgsForProfile(zosmfProfAttr!, { getSecureVals: true });
         }
      } else {
         // We have a token in the profile
         // Verify if the token is still valid...
         if (typeof tokenValueProfAttr.argValue !== 'string') {
            throw new ProfileLoadingError(`Expected token to be of type 'string', but received '${typeof tokenValueProfAttr.argValue}' instead`, MessageLocation.CORE);
         }

         let decodedToken = JSON.parse(Buffer.from(tokenValueProfAttr.argValue.split('.')[1], 'base64').toString());
         if (decodedToken === null || decodedToken === undefined || decodedToken === '') {
            throw new ProfileLoadingError(`Unable to decoded token`, MessageLocation.CORE);
         }

         if(!decodedToken.hasOwnProperty('exp')) {
            throw new ProfileLoadingError(`Unable to retrieve expiration from token`, MessageLocation.CORE);
         }

         // Check if token is valid and ask user to login again if not
         const currentEpoch = Math.floor(+new Date() / 1000);
         if (decodedToken.exp <= currentEpoch) {
            // token has expired, login again
            // Check if we have a username and password
            const usernameProfAttr = zosmfMergedArgs.knownArgs.find(v => v.argName === 'user');
            const passwordProfAttr = zosmfMergedArgs.knownArgs.find(v => v.argName === 'password');   
    
        if (!usernameProfAttr || !passwordProfAttr) {
           // Do the login via the regular login command
           await vscode.commands.executeCommand('daf.commands.authhandler.update-credentials');

           // After login, reload the zosmfMergedArgs so that we have the new tokenValue
           zosmfMergedArgs = this.profileInfo.mergeArgsForProfile(zosmfProfAttr, { getSecureVals: true});
        } else {
           // Login
           if ((typeof usernameProfAttr.argValue !== 'string' || usernameProfAttr.argValue === '') || (typeof passwordProfAttr.argValue !== 'string' || passwordProfAttr.argValue === '')) {
              // Do the login via the regular login command since we're missing either the username or the password
              await vscode.commands.executeCommand('daf.commands.authhandler.update-credentials');
           } else {
              await this.doLogin(usernameProfAttr.argValue, passwordProfAttr.argValue);
           }
                        
           // After login, reload the zosmfMergedArgs so that we have the new tokenValue
           zosmfMergedArgs = this.profileInfo.mergeArgsForProfile(zosmfProfAttr!, { getSecureVals: true });
       
         }
      }
   }
   this.session = ProfileInfo.createSession(zosmfMergedArgs.knownArgs);
   } catch (err) {
            this.logger.logError(err, MessageSeverity.ERROR);
   }
}

As you can see in the createSession method's code above, we try to retrieve the username and password from the zowe.config.json file when no token is defined.

In the zowe.config.json file that we use within the company, we have the autoStore set to true:

{
    "$schema": "./zowe.schema.json",
    "profiles": {
        "DAF-mainframe": {
            "type": "zosmf",
            "properties": {
                "basePath": "ibmzosmf/api/v1"
            },
            "secure": [
                "user",
                "password"
            ]
        },

   ...

        "DAF-base": {
            "type": "base",
            "properties": {
                "host": "xxxx",
                "port": 1234,
                "rejectUnauthorized": true,
                "account": "xxxx",
                "characterSet": "697",
                "codePage": "1047",
                "tokenType": "apimlAuthenticationToken"
            },
            "secure": [
                "tokenValue"
            ]
        }
    },
    "defaults": {
        "zosmf": "DAF-mainframe",
        "tso": "DAF-tso3",
        "base": "DAF-base"
    },
    "autoStore": true
}

---

So far, we tested our reworked code with 3 users. For 2 of them, it works as expected: When the token is expired, the username and password are retrieved from the zowe.config.json and a login to the APIML can be performed. The token is returned and stored and the users are able to continue using our extension.

For one user however, it always fails when retrieving the username and password from the zowe.config.json file. When adding logging statements in the code and analyzing the log, I can see that both the username and password are undefined:

[2023/08/01 14:12:42.951] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: Retrieved default z/OSMF profile
[2023/08/01 14:12:42.952] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: tokenValueProfAttr is defined
[2023/08/01 14:12:42.953] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: validating token argValue
[2023/08/01 14:12:42.953] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: Valid token type, decoding...
[2023/08/01 14:12:42.953] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: Token decoded:
[2023/08/01 14:12:42.954] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: [object Object]
[2023/08/01 14:12:42.954] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: Token has a value and has property 'exp'
[2023/08/01 14:12:42.955] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: Checking if token is valid:
[2023/08/01 14:12:42.955] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: Token expiry epoch: '1690570564'
[2023/08/01 14:12:42.955] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: Current epoch: '1690891962
[2023/08/01 14:12:42.956] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: Token expired: 'true'
[2023/08/01 14:12:42.956] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: Retrieving usernameProfAttr and passwordProfAttr
[2023/08/01 14:12:42.956] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: Either username or password is undefined
[2023/08/01 14:12:42.957] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: Username: undefined
[2023/08/01 14:12:42.957] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: Password: undefined
[2023/08/01 14:12:42.957] [DEBUG] [extensionHostProcess.js:99] [Extension Core]: Executing 'daf.commands.authhandler.update-credentials

I would expect that for this user, the extension would also be able to find the username and password in the zowe.config.json. I've made sure that he's using the same config file as that I am. There are also no other config files in the current workspace folder (%APPDATA%/Roaming/code4z) of VSCode and any parent folder, except the %USERPROFILE%/.zowe folder.

At this point I'm stuck in finding the actual cause for this issue and I'm actually looking for some guidance in how to debug this. Any suggestions (and also improvents for the code above) are welcome!

[zFernand0]

Hey @juleskreutzer,
A few things to note.
Please keep in mind that having secure: ["user", "password"] in your DAF-mainframe profile may prevent all use of the tokenValue stored in the DAF-base, given that basic authentication (user:password) takes precedence over tokens when the ISession object is constructed by Imperative.

The indentation was a bit confusing towards the end of the file (starting with if (!usernameProfAttr || !passwordProfAttr) {), but I do like the clever way in which you verify that a token is expired without having to submit a request. 👍🏽

One more thing, I'm assuming that daf.commands.authhandler.update-credentials performs the prompting of credentials before the doLogin method gets called.

I do have a few questions to help me understand a bit better what could be causing the issue:

• Is the update-credentials responsible for triggering an autoStore of the credentials provided (resulting in user:password being saved in DAF-mainframe) ?
• Is it possible that the secure properties in DAF-mainframe were not stored in the vault at the time of the operation? (example below)

  {
    "%APPDATA%/Roaming/code4z/zowe.config.json": {
      "profiles.DAF-mainframe.properties.user": undefined, // not in the vault
      "profiles.DAF-mainframe.properties.password": undefined, // not in the vault
      "profiles.DAF-base.properties.tokenValue": "long-base64-encoded-token-value"
    }
  }

[juleskreutzer]

Hi @zFernand0

Thanks for your reply.
With regards to basic authentication taking precedence, I'm not completely sure that we use the Imperative as intented. Most of the times we "just" initialize classes provided by the Imperative. If it is related, the only time we load an imperative config is when we're importing a zowe.config.json. The code how we do this is available here: CLI discussion 1589

However, I did just do a test. I made sure that no token was available in my profile (called to logout method of our extension which will remove the tokenValue property from DAF-base). After that, I did a signin. I got a JWT token.
After closing VSCode and opening it again, doing a simple action like retrieving a source and checking the log output reveals that the same JWT token is being used.
It actually makes sense, since the ProfileInfo.createSession(args: IProfArgAttrs[]) will allow an argName: tokenValue

[2023/08/08 07:55:12.946] [DEBUG] [authHandler.js:93] [Extension Core]: Retrieved default z/OSMF profile
[2023/08/08 07:55:12.949] [DEBUG] [authHandler.js:139] [Extension Core]: tokenValueProfAttr is defined
[2023/08/08 07:55:12.950] [DEBUG] [authHandler.js:142] [Extension Core]: validating token argValue
[2023/08/08 07:55:12.951] [DEBUG] [authHandler.js:146] [Extension Core]: Valid token type, decoding...
[2023/08/08 07:55:12.951] [DEBUG] [authHandler.js:148] [Extension Core]: Token decoded:
[2023/08/08 07:55:12.952] [DEBUG] [authHandler.js:149] [Extension Core]: [object Object]
[2023/08/08 07:55:12.952] [DEBUG] [authHandler.js:156] [Extension Core]: Token has a value and has property 'exp'
[2023/08/08 07:55:12.953] [DEBUG] [authHandler.js:159] [Extension Core]: Checking if token is valid:
[2023/08/08 07:55:12.954] [DEBUG] [authHandler.js:160] [Extension Core]: Token expiry epoch: '1691502820'
[2023/08/08 07:55:12.954] [DEBUG] [authHandler.js:161] [Extension Core]: Current epoch: '1691474112
[2023/08/08 07:55:12.955] [DEBUG] [authHandler.js:162] [Extension Core]: Token expired: 'false'
[2023/08/08 07:55:12.956] [DEBUG] [authHandler.js:203] [Extension Core]: Creating session...
[2023/08/08 07:55:12.958] [DEBUG] [authHandler.js:205] [Extension Core]: Session created!

Regarding the daf.commands.authhandler.update-credentials, your assumtions are correct. The command binding will prompt the user for username/password and does validation before calling the doLogin() method

Regarding your last 2 questions, I assumed that autoStore would take care of automatically storing the variables. I think this is the issue, since we do explicitly store the tokenValue, but not the username and password.
For the 2 people it did work with, we have probably manually stored the username and password via CLI, because we see the following output when running the command zowe config list:

DAF-mainframe:
    type:       zosmf
    properties:
      basePath: ibmzosmf/api/v1
      user:     (secure value)
      password: (secure value)
    secure:
      - user
      - password

The user for whom it fails doesn't have the properties user and password when executing the same command.

---

I think next steps for us would be to explicitly store the user and password values. We'll test this and get back to you ;)

[juleskreutzer]

To get back on this, we now explicitly store the user and password properties in the zosmf profile and this works as expected. I analyzed the log of a colleague this morning and see that when the token is expired, the user and password are retrieved from the zosmf profile and used to create a new session/login to APIML.

For clarity, the doLogin method has been extended with the following code:

// Load z/OSMF profile
const zosmfProfile = this.profileInfo.getDefaultProfile('zosmf');
if (zosmfProfile === undefined || zosmfProfile === null) {
   throw new ProfileLoadingError(`Retrieved z/OSMF profile is undefined`, MessageLocation.CORE);
}

// Store username
await this.profileInfo.updateProperty({
   ...zosmfProfileToUpdate,
   property: 'user',
   value: username,
   setSecure: this.profileInfo.isSecured()
});

// Store password
await this.profileInfo.updateProperty({
   ...zosmfProfileToUpdate,
   property: 'password',
   value: password,
   setSecure: this.profileInfo.isSecured()
});

[zFernand0]

Thanks for providing more details on how the doLogin was extended.