Reinstate token precedence over password in AbstractRestClient

[gejohnston]

What It Does

Modified this description to reflect changes made in response to reviews.

The AbstractRestClient class was originally released with logic that chose a token over user and password. Other commonly used Zowe SDK APIs enforce the order back to PASSWORD_OVER_TOKEN. Consumers which directly extended AbstractRestClient came to rely on the unintended order of TOKEN_OVER_PASSWORD. Later changes in this class to adhere to the Zowe policy of PASSWORD_OVER_TOKEN inadvertently broke such extenders. Until a means is provided for consumers (and/or end-users) to customize their credential order of precedence, we now revert the behavior of AbstractRestClient of back to TOKEN_OVER_PASSWORD.

A new array named authTypeOrder was added to ISession. It contains the order of precedence for authentication types. It can provide a building block for a future, customizable order of precedence. For now, that array is hard-coded in the AbstractRestClient constructor. Logic in another function within AbstractRestClient uses the order of that array to determine the type of authentication to use.

Related issue: Breaking Change in User/Password/Token Order of Precedence

How to Test

Zowe CLI and ZE cannot be used to test the TOKEN_OVER_PASSWORD option. Too many up-stream safeguards ensure that using a token is not even a possibility when user and password are present. We would have to write a specialized test app that confirms that a token can be given precedence over password. Even then we would only confirm that our test app works. I think that everyone is better served if the consuming team confirms that the modifications address their needs.

Therefore, this pull request has been opened as a draft. I propose that we take the following actions:

• The Zowe CLI/ZE team reviews the logic to confirm that it seems correct.
• We create a CLI package containing this update.
• We post the package on Box.
• We notify the affected team about the availability of this "test-fix".
• Upon confirmation, we complete our normal test and publication process of Zowe CLI.

Review Checklist
I certify that I have:

• tested my changes
• added/updated automated tests
• updated the changelog
• followed the contribution guidelines

Additional Comments

[codecov]

Codecov Report

Attention: Patch coverage is 98.33333% with 1 lines in your changes are missing coverage. Please review.

Project coverage is 91.12%. Comparing base (be499e0) to head (bb9b314).

Files	Patch %	Lines
...perative/src/rest/src/client/AbstractRestClient.ts	98.33%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2119      +/-   ##
==========================================
+ Coverage   91.05%   91.12%   +0.06%     
==========================================
  Files         636      636              
  Lines       19004    19035      +31     
  Branches     3997     4009      +12     
==========================================
+ Hits        17305    17346      +41     
+ Misses       1698     1688      -10     
  Partials        1        1              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[dkelosky]

without much thought, I "assumed" this option would have been implemented here: https://github.com/zowe/zowe-cli/blob/master/packages/imperative/src/rest/src/session/doc/ISession.ts

do you think this is simply an alternative place to add this new option?

[gejohnston]

AbstractRestClient is only called from one file (RestClient). Thus, the correction can be made in 2 existing files (and 1 new file). No other zowe code should see any potential change or capabilities. It would just correct something that was broken.

ISession is used in over a dozen other Zowe files. I am a little concerned about how widely visible this change would become.

We have had requests to officially change the credential order of precedence. To do that properly, we may have to introduce the ability to control the order of password, token, certificate, and Personal-Access-Token, (and maybe something else?) Further, we may have to define a way for end-users to set the precedence differently for different sessions. We have not thought through these requirements well enough to start down any particular implementation path.

I suppose that by making a new ISession property optional, it would not break other functions. Further, if RestClient ALWAYS sets that property, and AbstractRestClient is the only class to read that property, it could just as effectively revert the breaking change and limit the change to only the broken class.

Your comment has made me think about making an ISession property more complex so that it might accommodate more than just password and token. A more complex property might provide the means to control the order of more credential types in the future, even though we would only implement password and token now.

I will try out some of my thoughts and update this pull request if they pan out.

[gejohnston]

Update: The only way to make this alternative non-breaking is for the AbstractRestClient constructor to Always set the Session property to prefer "token". Otherwise a direct caller of AbstractRestClient would have to set the new ISession property before calling AbstractRestClient.constructor. The RestClient already overrides this AbstractRestClient behavior to prefer password, so this should be ok.

[gejohnston]

Hi @dkelosky - I made revisions as described above. Please re-review.

[dkelosky]

Hey @gejohnston, thanks for considering this approach. It feels a little more natural to me. Hopefully others feel the same 😃

[traeok]

Thanks for separating the logic for authentication methods into different functions, this is easier to read and keeps code complexity at a minimum.

I noticed some tests are failing in AbstractRestClient, but the solution itself looks good to me! This implementation should also take things a step forward to allow for custom authentication precedence in the future.

[t1m0thyj]

LGTM, thanks @gejohnston!

AFAICT this should fix the potential breaking change that was reported, and I like the way it sets us up for supporting user-defined auth type order in the future.

When we're ready to build a CLI TGZ for others to test, we should be able to use the npm run package script to bundle the Imperative package changes in this PR 😋

[zFernand0]

LGTM! 😋
left a small comment/question but nothing that should stop this PR from being merged 😋

[traeok]

LGTM, thanks @gejohnston!

[sonarcloud]

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
97.7% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[github-actions]

Release succeeded for the master branch. 🎉

The following packages have been published:

• npm: @zowe/imperative@5.23.1
• npm: @zowe/cli-test-utils@7.24.1
• npm: @zowe/core-for-zowe-sdk@7.24.1
• npm: @zowe/zos-uss-for-zowe-sdk@7.24.1
• npm: @zowe/provisioning-for-zowe-sdk@7.24.1
• npm: @zowe/zos-console-for-zowe-sdk@7.24.1
• npm: @zowe/zos-files-for-zowe-sdk@7.24.1
• npm: @zowe/zos-logs-for-zowe-sdk@7.24.1
• npm: @zowe/zosmf-for-zowe-sdk@7.24.1
• npm: @zowe/zos-workflows-for-zowe-sdk@7.24.1
• npm: @zowe/zos-jobs-for-zowe-sdk@7.24.1
• npm: @zowe/zos-tso-for-zowe-sdk@7.24.1
• npm: @zowe/cli@7.24.1

_{Powered by Octorelease 🚀}