Conversation

@georgii-borovinskikh-sonarsource
Contributor

Part of

@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod bot commented Dec 24, 2025

SLVS-2796

@sonarqubecloud

SonarQube reviewer guide

Important

We are currently testing different models for AI Summary.
Please give us your feedback by filling in this form.

Model A:

Summary: Implement DPAPI credential storage with a new storage mechanism and refactor credential handling.

Review Focus:

  • New DPAPI credential encryption/decryption implementation (security-critical)
  • Aggregating loader pattern properly routing between Default and DPAPI storage types
  • Migration path and backward compatibility for existing credentials
  • Proper disposal and secure handling of SecureString instances

Start review at: src/ConnectedMode/Persistence/DpapiCurrentUserCredentialsLoader.cs. This is the core new security implementation that encrypts/persists credentials using Windows DPAPI and must be thoroughly validated for secure data handling.

Model B:

Summary: Implement DPAPI-based credential storage with user-selectable storage backends, adding support for encrypted token credentials as an alternative to the default credential store.

Review Focus:

  • The credential storage refactoring introduces a plugin architecture with multiple implementations (DefaultBindingCredentialsLoader, DpapiCurrentUserCredentialsLoader). Verify that the AggregatingSolutionBindingCredentialsLoader correctly routes operations to the selected implementation.
  • DPAPI implementation handles sensitive data (encryption/decryption of tokens). Ensure proper SecureString usage and memory cleanup.
  • Settings persistence and UI integration for the new CredentialStoreType enum—verify the default value handling and migration path.
  • Dependency injection changes are extensive; confirm all MEF exports/imports align correctly, especially in ServerConnectionsRepository and SolutionBindingRepository.

Start review at: src/ConnectedMode/Persistence/AggregatingSolutionBindingCredentialsLoader.cs. This is the central orchestrator that determines which credential loader implementation to use based on user settings, making it critical to understand the overall flow before reviewing individual implementations.

Quality Gate passed

Issues
0 New issues
1 Accepted issue
0 Dependency risks

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud
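The two reviewer summaries above both flag the same security-critical points: DPAPI protection scoped to the current Windows user, and making sure the token never lingers in managed memory as plain text while it is moved between a SecureString and the DPAPI call. The following is an added example of that pattern, not code from this pull request or from the SonarLint project; the class name `TokenProtector`, the entropy string and the sample token are assumptions chosen for illustration.

```csharp
// Added example (not the PR's code): DPAPI current-user protection of a token held in a
// SecureString. Names (TokenProtector, the entropy value, the sample token) are hypothetical.
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

public static class TokenProtector
{
    // Optional entropy ties the blob to this application. DPAPI CurrentUser scope already
    // restricts decryption to the same Windows account; the entropy additionally requires the
    // caller to know this value, so another program running as the same user cannot simply
    // call Unprotect on a blob it finds on disk.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // Encrypt a SecureString token with DPAPI, scoped to the current Windows user.
    public static byte[] Protect(SecureString token)
    {
        if (token == null) throw new ArgumentNullException(nameof(token));

        IntPtr bstr = IntPtr.Zero;
        byte[] plaintext = null;
        try
        {
            // SecureStringToBSTR gives us the decrypted UTF-16 characters in unmanaged memory.
            bstr = Marshal.SecureStringToBSTR(token);
            int byteLen = token.Length * 2;
            plaintext = new byte[byteLen];
            Marshal.Copy(bstr, plaintext, 0, byteLen);
            return ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.CurrentUser);
        }
        finally
        {
            // Wipe both copies of the plaintext as soon as DPAPI has consumed them.
            if (plaintext != null) Array.Clear(plaintext, 0, plaintext.Length);
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
        }
    }

    // Decrypt a DPAPI blob back into a read-only SecureString. Returns null when the blob was
    // produced by a different user, with different entropy, or has been tampered with.
    public static SecureString Unprotect(byte[] blob)
    {
        if (blob == null) throw new ArgumentNullException(nameof(blob));

        byte[] plaintext = null;
        try
        {
            plaintext = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            var result = new SecureString();
            for (int i = 0; i + 1 < plaintext.Length; i += 2)
            {
                // Rebuild each UTF-16 code unit (little-endian) straight into the SecureString,
                // never materialising the whole token as a managed string.
                result.AppendChar((char)(plaintext[i] | (plaintext[i + 1] << 8)));
            }
            result.MakeReadOnly();
            return result;
        }
        catch (CryptographicException)
        {
            return null;
        }
        finally
        {
            if (plaintext != null) Array.Clear(plaintext, 0, plaintext.Length);
        }
    }

    public static void Main()
    {
        // Constructed sample token; a real caller would receive it from the login UI.
        using (var token = new SecureString())
        {
            foreach (char c in "sqp_example_token") token.AppendChar(c);
            token.MakeReadOnly();

            byte[] blob = Protect(token);
            Console.WriteLine($"DPAPI blob: {blob.Length} bytes");

            using (SecureString roundTrip = Unprotect(blob))
            {
                Console.WriteLine(roundTrip != null && roundTrip.Length == token.Length
                    ? "round trip ok"
                    : "unprotect failed");
            }

            // Flip one byte: DPAPI's integrity check rejects the modified blob.
            blob[blob.Length - 1] ^= 0x01;
            Console.WriteLine(Unprotect(blob) == null ? "tampered blob rejected" : "unexpected success");
        }
    }
}
```

Two points worth checking in a review of code like this: `Marshal.ZeroFreeBSTR` (rather than `FreeBSTR`) is what actually zeroes the unmanaged copy, and every path that touches the plaintext byte array must clear it in a `finally`, including the failure path of `Unprotect`. DPAPI with `DataProtectionScope.CurrentUser` protects against other accounts and against reading the file offline, not against code already running as the same user; the optional entropy raises that bar only as far as the entropy itself stays out of reach.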