Support not needing a password on a jupyter connection (microsoft#12456)

* Support not needing a password on a jupyter connection * Fix unit tests

Author: rchiodo

src/client/datascience/jupyter/jupyterPasswordConnect.ts

@@ -13,25 +13,18 @@ import { Telemetry } from './../constants';
 
 @injectable()
 export class JupyterPasswordConnect implements IJupyterPasswordConnect {
+ private savedConnectInfo = new Map<string, Promise<IJupyterPasswordConnectInfo | undefined>>();
+
  constructor(@inject(IApplicationShell) private appShell: IApplicationShell) {}
 
  @captureTelemetry(Telemetry.GetPasswordAttempt)
- public async getPasswordConnectionInfo(
+ public getPasswordConnectionInfo(
  url: string,
  allowUnauthorized: boolean,
  fetchFunction?: (url: nodeFetch.RequestInfo, init?: nodeFetch.RequestInit) => Promise<nodeFetch.Response>
  ): Promise<IJupyterPasswordConnectInfo | undefined> {
- // For testing allow for our fetch function to be overridden
- if (!fetchFunction) {
- fetchFunction = nodeFetch.default;
- }
-
- let xsrfCookie: string | undefined;
- let sessionCookieName: string | undefined;
- let sessionCookieValue: string | undefined;
-
  if (!url || url.length < 1) {
- return undefined;
+ return Promise.resolve(undefined);
  }
 
  // Add on a trailing slash to our URL if it's not there already
@@ -40,31 +33,60 @@ export class JupyterPasswordConnect implements IJupyterPasswordConnect {
  newUrl = `${newUrl}/`;
  }
 
- // Get password first
- let userPassword = await this.getUserPassword();
-
- if (userPassword) {
- // First get the xsrf cookie by hitting the initial login page
- xsrfCookie = await this.getXSRFToken(url, allowUnauthorized, fetchFunction);
-
- // Then get the session cookie by hitting that same page with the xsrftoken and the password
- if (xsrfCookie) {
- const sessionResult = await this.getSessionCookie(
- url,
- allowUnauthorized,
- xsrfCookie,
- userPassword,
- fetchFunction
- );
- sessionCookieName = sessionResult.sessionCookieName;
- sessionCookieValue = sessionResult.sessionCookieValue;
+ // See if we already have this data. Don't need to ask for a password more than once. (This can happen in remote when listing kernels)
+ let result = this.savedConnectInfo.get(newUrl);
+ if (!result) {
+ result = this.getNonCachedPasswordConnectionInfo(newUrl, allowUnauthorized, fetchFunction);
+ this.savedConnectInfo.set(newUrl, result);
+ }
+
+ return result;
+ }
+
+ private async getNonCachedPasswordConnectionInfo(
+ url: string,
+ allowUnauthorized: boolean,
+ fetchFunction?: (url: nodeFetch.RequestInfo, init?: nodeFetch.RequestInit) => Promise<nodeFetch.Response>
+ ) {
+ // For testing allow for our fetch function to be overridden
+ if (!fetchFunction) {
+ fetchFunction = nodeFetch.default;
+ }
+
+ let xsrfCookie: string | undefined;
+ let sessionCookieName: string | undefined;
+ let sessionCookieValue: string | undefined;
+
+ // First determine if we need a password. A request for the base URL with /tree? should return a 302 if we do.
+ if (await this.needPassword(url, allowUnauthorized, fetchFunction)) {
+ // Get password first
+ let userPassword = await this.getUserPassword();
+
+ if (userPassword) {
+ xsrfCookie = await this.getXSRFToken(url, allowUnauthorized, fetchFunction);
+
+ // Then get the session cookie by hitting that same page with the xsrftoken and the password
+ if (xsrfCookie) {
+ const sessionResult = await this.getSessionCookie(
+ url,
+ allowUnauthorized,
+ xsrfCookie,
+ userPassword,
+ fetchFunction
+ );
+ sessionCookieName = sessionResult.sessionCookieName;
+ sessionCookieValue = sessionResult.sessionCookieValue;
+ }
+ } else {
+ // If userPassword is undefined or '' then the user didn't pick a password. In this case return back that we should just try to connect
+ // like a standard connection. Might be the case where there is no token and no password
+ return { emptyPassword: true, xsrfCookie: '', sessionCookieName: '', sessionCookieValue: '' };
  }
+ userPassword = undefined;
  } else {
- // If userPassword is undefined or '' then the user didn't pick a password. In this case return back that we should just try to connect
- // like a standard connection. Might be the case where there is no token and no password
+ // If no password needed, act like empty password and no cookie
  return { emptyPassword: true, xsrfCookie: '', sessionCookieName: '', sessionCookieValue: '' };
  }
- userPassword = undefined;
 
  // If we found everything return it all back if not, undefined as partial is useless
  if (xsrfCookie && sessionCookieName && sessionCookieValue) {
@@ -125,6 +147,24 @@ export class JupyterPasswordConnect implements IJupyterPasswordConnect {
  return xsrfCookie;
  }
 
+ private async needPassword(
+ url: string,
+ allowUnauthorized: boolean,
+ fetchFunction: (url: nodeFetch.RequestInfo, init?: nodeFetch.RequestInit) => Promise<nodeFetch.Response>
+ ): Promise<boolean> {
+ // A jupyter server will redirect if you ask for the tree when a login is required
+ const response = await fetchFunction(
+ `${url}tree?`,
+ this.addAllowUnauthorized(url, allowUnauthorized, {
+ method: 'get',
+ redirect: 'manual',
+ headers: { Connection: 'keep-alive' }
+ })
+ );
+
+ return response.status !== 200;
+ }
+
  // Jupyter uses a session cookie to validate so by hitting the login page with the password we can get that cookie and use it ourselves
  // This workflow can be seen by running fiddler and hitting the login page with a browser
  // First you need a get at the login page to get the xsrf token, then you send back that token along with the password in a post

src/test/datascience/jupyterPasswordConnect.unit.test.ts

@@ -24,53 +24,57 @@ suite('JupyterPasswordConnect', () => {
  jupyterPasswordConnect = new JupyterPasswordConnect(appShell.object);
  });
 
- test('getPasswordConnectionInfo', async () => {
+ function createMockSetup(secure: boolean, ok: boolean) {
  // Set up our fake node fetch
  const fetchMock: typemoq.IMock<typeof nodeFetch.default> = typemoq.Mock.ofInstance(nodeFetch.default);
 
+ //tslint:disable-next-line:no-http-string
+ const rootUrl = secure ? 'https://TESTNAME:8888/' : 'http://TESTNAME:8888/';
+
  // Mock our first call to get xsrf cookie
  const mockXsrfResponse = typemoq.Mock.ofType(nodeFetch.Response);
  const mockXsrfHeaders = typemoq.Mock.ofType(nodeFetch.Headers);
- mockXsrfHeaders
- .setup((mh) => mh.get('set-cookie'))
- .returns(() => `_xsrf=${xsrfValue}`)
- .verifiable(typemoq.Times.once());
- mockXsrfResponse
- .setup((mr) => mr.ok)
- .returns(() => true)
- .verifiable(typemoq.Times.once());
- mockXsrfResponse
- .setup((mr) => mr.headers)
- .returns(() => mockXsrfHeaders.object)
- .verifiable(typemoq.Times.once());
+ mockXsrfHeaders.setup((mh) => mh.get('set-cookie')).returns(() => `_xsrf=${xsrfValue}`);
+ mockXsrfResponse.setup((mr) => mr.ok).returns(() => ok);
+ mockXsrfResponse.setup((mr) => mr.status).returns(() => 302);
+ mockXsrfResponse.setup((mr) => mr.headers).returns(() => mockXsrfHeaders.object);
 
+ fetchMock
+ .setup((fm) =>
+ fm(
+ `${rootUrl}login?`,
+ typemoq.It.isObjectWith({
+ method: 'get',
+ headers: { Connection: 'keep-alive' }
+ })
+ )
+ )
+ .returns(() => Promise.resolve(mockXsrfResponse.object));
  fetchMock
  .setup((fm) =>
  //tslint:disable-next-line:no-http-string
- fm('http://TESTNAME:8888/login?', {
- method: 'get',
- redirect: 'manual',
- headers: { Connection: 'keep-alive' }
- })
+ fm(
+ `${rootUrl}tree?`,
+ typemoq.It.isObjectWith({
+ method: 'get',
+ headers: { Connection: 'keep-alive' }
+ })
+ )
  )
- .returns(() => Promise.resolve(mockXsrfResponse.object))
- .verifiable(typemoq.Times.once());
+ .returns(() => Promise.resolve(mockXsrfResponse.object));
+
+ return { fetchMock, mockXsrfHeaders, mockXsrfResponse };
+ }
+
+ test('getPasswordConnectionInfo', async () => {
+ const { fetchMock, mockXsrfHeaders, mockXsrfResponse } = createMockSetup(false, true);
 
  // Mock our second call to get session cookie
  const mockSessionResponse = typemoq.Mock.ofType(nodeFetch.Response);
  const mockSessionHeaders = typemoq.Mock.ofType(nodeFetch.Headers);
- mockSessionHeaders
- .setup((mh) => mh.get('set-cookie'))
- .returns(() => `${sessionName}=${sessionValue}`)
- .verifiable(typemoq.Times.once());
- mockSessionResponse
- .setup((mr) => mr.status)
- .returns(() => 302)
- .verifiable(typemoq.Times.once());
- mockSessionResponse
- .setup((mr) => mr.headers)
- .returns(() => mockSessionHeaders.object)
- .verifiable(typemoq.Times.once());
+ mockSessionHeaders.setup((mh) => mh.get('set-cookie')).returns(() => `${sessionName}=${sessionValue}`);
+ mockSessionResponse.setup((mr) => mr.status).returns(() => 302);
+ mockSessionResponse.setup((mr) => mr.headers).returns(() => mockSessionHeaders.object);
 
  // typemoq doesn't love this comparison, so generalize it a bit
  fetchMock
@@ -88,8 +92,7 @@ suite('JupyterPasswordConnect', () => {
  })
  )
  )
- .returns(() => Promise.resolve(mockSessionResponse.object))
- .verifiable(typemoq.Times.once());
+ .returns(() => Promise.resolve(mockSessionResponse.object));
 
  const result = await jupyterPasswordConnect.getPasswordConnectionInfo(
  //tslint:disable-next-line:no-http-string
@@ -113,38 +116,7 @@ suite('JupyterPasswordConnect', () => {
  });
 
  test('getPasswordConnectionInfo allowUnauthorized', async () => {
- // Set up our fake node fetch
- const fetchMock: typemoq.IMock<typeof nodeFetch.default> = typemoq.Mock.ofInstance(nodeFetch.default);
-
- // Mock our first call to get xsrf cookie
- const mockXsrfResponse = typemoq.Mock.ofType(nodeFetch.Response);
- const mockXsrfHeaders = typemoq.Mock.ofType(nodeFetch.Headers);
- mockXsrfHeaders
- .setup((mh) => mh.get('set-cookie'))
- .returns(() => `_xsrf=${xsrfValue}`)
- .verifiable(typemoq.Times.once());
- mockXsrfResponse
- .setup((mr) => mr.ok)
- .returns(() => true)
- .verifiable(typemoq.Times.once());
- mockXsrfResponse
- .setup((mr) => mr.headers)
- .returns(() => mockXsrfHeaders.object)
- .verifiable(typemoq.Times.once());
-
- //tslint:disable-next-line:no-http-string
- fetchMock
- .setup((fm) =>
- fm(
- 'https://TESTNAME:8888/login?',
- typemoq.It.isObjectWith({
- method: 'get',
- headers: { Connection: 'keep-alive' }
- })
- )
- )
- .returns(() => Promise.resolve(mockXsrfResponse.object))
- .verifiable(typemoq.Times.once());
+ const { fetchMock, mockXsrfHeaders, mockXsrfResponse } = createMockSetup(true, true);
 
  // Mock our second call to get session cookie
  const mockSessionResponse = typemoq.Mock.ofType(nodeFetch.Response);
@@ -153,14 +125,8 @@ suite('JupyterPasswordConnect', () => {
  .setup((mh) => mh.get('set-cookie'))
  .returns(() => `${sessionName}=${sessionValue}`)
  .verifiable(typemoq.Times.once());
- mockSessionResponse
- .setup((mr) => mr.status)
- .returns(() => 302)
- .verifiable(typemoq.Times.once());
- mockSessionResponse
- .setup((mr) => mr.headers)
- .returns(() => mockSessionHeaders.object)
- .verifiable(typemoq.Times.once());
+ mockSessionResponse.setup((mr) => mr.status).returns(() => 302);
+ mockSessionResponse.setup((mr) => mr.headers).returns(() => mockSessionHeaders.object);
 
  // typemoq doesn't love this comparison, so generalize it a bit
  //tslint:disable-next-line:no-http-string
@@ -178,8 +144,7 @@ suite('JupyterPasswordConnect', () => {
  })
  )
  )
- .returns(() => Promise.resolve(mockSessionResponse.object))
- .verifiable(typemoq.Times.once());
+ .returns(() => Promise.resolve(mockSessionResponse.object));
 
  //tslint:disable-next-line:no-http-string
  const result = await jupyterPasswordConnect.getPasswordConnectionInfo(
@@ -203,37 +168,7 @@ suite('JupyterPasswordConnect', () => {
  });
 
  test('getPasswordConnectionInfo failure', async () => {
- // Set up our fake node fetch
- const fetchMock: typemoq.IMock<typeof nodeFetch.default> = typemoq.Mock.ofInstance(nodeFetch.default);
-
- // Mock our first call to get xsrf cookie
- const mockXsrfResponse = typemoq.Mock.ofType(nodeFetch.Response);
- const mockXsrfHeaders = typemoq.Mock.ofType(nodeFetch.Headers);
- mockXsrfHeaders
- .setup((mh) => mh.get('set-cookie'))
- .returns(() => `_xsrf=${xsrfValue}`)
- .verifiable(typemoq.Times.never());
- // Status set to not ok and header fetch should not be hit
- mockXsrfResponse
- .setup((mr) => mr.ok)
- .returns(() => false)
- .verifiable(typemoq.Times.once());
- mockXsrfResponse
- .setup((mr) => mr.headers)
- .returns(() => mockXsrfHeaders.object)
- .verifiable(typemoq.Times.never());
-
- fetchMock
- .setup((fm) =>
- //tslint:disable-next-line:no-http-string
- fm('http://TESTNAME:8888/login?', {
- method: 'get',
- redirect: 'manual',
- headers: { Connection: 'keep-alive' }
- })
- )
- .returns(() => Promise.resolve(mockXsrfResponse.object))
- .verifiable(typemoq.Times.once());
+ const { fetchMock, mockXsrfHeaders, mockXsrfResponse } = createMockSetup(false, false);
 
  const result = await jupyterPasswordConnect.getPasswordConnectionInfo(
  //tslint:disable-next-line:no-http-string