On linux and mac, where does ADS store credentials?

[gbritton1]

On linux and mac, where does ADS store credentials?

[kburtram]

The credentials are stored in a platform-dependent manner to take advantage of capabilities in each platform. For Windows we use the Win32 API CredWrite/GetCredential as implemented at https://github.com/microsoft/sqltoolsservice/blob/main/src/Microsoft.SqlTools.Credentials/Credentials/Win32/Win32Credential.cs.

For macOS, we use the Keychain API on that OS. For example, SecKeychainAddGenericPassword/SecKeychainFindGenericPassword. I'm not on my mac to look-up exact entry names, but I think the entries have short names like 'M' and have some field saying the application that created them. There's an issue https://github.com/microsoft/sqltoolsservice/issues/1283 to investigate why we use these short names (I didn't write the code so don't have that detail). The implementation is at https://github.com/microsoft/sqltoolsservice/blob/main/src/Microsoft.SqlTools.Credentials/Credentials/OSX/OSXCredentialStore.cs.

For Linux the story is a little more complicated. When we create SQL Tools Service and added password management there want a standard password encryption API on all various distros and we didn't install keytar as part of ADS. So the original implementation was copied from Azure CLI, which was to store password in file in the users directory and rely on OS system privileges to protect access. This is how ADS worked until a release or two ago when we moved to the native secret service in vscode, which takes a dependency on keytar. In current ADS releases passwords are now stored in keytar. Here is the older filesystem logic https://github.com/microsoft/sqltoolsservice/blob/main/src/Microsoft.SqlTools.Credentials/Credentials/Linux/LinuxCredentialStore.cs and the native vscode support for keytar we now use the getPassword/setPassword methods in https://github.com/microsoft/azuredatastudio/blob/main/src/vs/platform/native/electron-main/nativeHostMainService.ts.

@abist can you double-check what I wrote for accuracy and add any additional details? Such as where to find the credentials specifically in macOS Keychain and Linux keytar?

[abist]

Thanks @kburtram for explaining it in detail! That's correct. To be a little more specific, we use the secret storage here - https://github.com/microsoft/vscode/blob/ad5ef7ea85b8a622f73b96394507d98809e68861/src/vscode-dts/vscode.d.ts#L6626 , which internally uses the native keytar module.

[mkorsukov]

Database credentials (without password) can be found in user settings:

~/.config/azuredatastudio/User/settings.json