Implemented a token scrambler to make the low level GitHub token not directly accessible.

Author: halirutan

resources/de/halirutan/mathematica/errorreporting/ScrambledToken.bin

@@ -32,6 +32,7 @@
 
 import javax.annotation.Nullable;
 import java.io.IOException;
+import java.net.URL;
 import java.util.*;
 import java.util.Map.Entry;
 
@@ -40,7 +41,7 @@
  */
 class AnonymousFeedback {
 
-  private final static String gitAccessToken = "097a2a4e4a94ff65a73508083da690d4565fd038";
+  private final static String tokenFile = "de/halirutan/mathematica/errorreporting/ScrambledToken.bin";
   private final static String gitRepoUser = "Mathematica-IntelliJ-Plugin";
   private final static String gitRepo = "Auto-generated-issues-for-the-Mathematica-Plugin";
 
@@ -61,6 +62,11 @@ static SubmittedReportInfo sendFeedback(LinkedHashMap<String, String> environmen
 
     final SubmittedReportInfo result;
     try {
+      final URL resource = AnonymousFeedback.class.getClassLoader().getResource(tokenFile);
+      if (resource == null) {
+        throw new IOException("Could not decrypt access token");
+      }
+      final String gitAccessToken = GitHubAccessTokenScrambler.decrypt(resource.getFile());
       GitHubClient client = new GitHubClient();
       client.setOAuth2Token(gitAccessToken);
       RepositoryId repoID = new RepositoryId(gitRepoUser, gitRepo);
@@ -85,7 +91,7 @@ static SubmittedReportInfo sendFeedback(LinkedHashMap<String, String> environmen
       final String message = ErrorReportBundle.message(isNewIssue ? "git.issue.text" : "git.issue.duplicate.text", htmlUrl, id);
       result = new SubmittedReportInfo(htmlUrl, message, isNewIssue ? SubmissionStatus.NEW_ISSUE : SubmissionStatus.DUPLICATE);
       return result;
-    } catch (IOException e) {
+    } catch (Exception e) {
       return new SubmittedReportInfo(null, ErrorReportBundle.message("report.error.connection.failure"), SubmissionStatus.FAILED);
     }
   }

src/de/halirutan/mathematica/errorreporting/AnonymousFeedback.java

@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2017 Patrick Scheibe
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package de.halirutan.mathematica.errorreporting;
+
+import org.apache.commons.codec.binary.Base64;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.io.*;
+
+/**
+ * Provides functionality to encode and decode secret tokens to make them not directly readable. Let me be clear:
+ * THIS IS THE OPPOSITE OF SECURITY!
+ * @author patrick (20.06.17).
+ */
+public class GitHubAccessTokenScrambler {
+
+  private static final String myInitVector = "RandomInitVector";
+  private static final  String myKey = "GitHubErrorToken";
+
+  public static void main(String[] args) {
+    if (args.length != 2) {
+      return;
+    }
+    String horse = args[0];
+    String outputFile = args[1];
+    try {
+      final String e = encrypt(horse);
+      final ObjectOutputStream o = new ObjectOutputStream(new FileOutputStream(outputFile));
+      o.writeObject(e);
+      o.close();
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+  }
+
+   private static String encrypt(String value) {
+        try {
+            IvParameterSpec iv = new IvParameterSpec(myInitVector.getBytes("UTF-8"));
+            SecretKeySpec keySpec = new SecretKeySpec(myKey.getBytes("UTF-8"), "AES");
+
+            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
+            cipher.init(Cipher.ENCRYPT_MODE, keySpec, iv);
+
+            byte[] encrypted = cipher.doFinal(value.getBytes());
+            return Base64.encodeBase64String(encrypted);
+        } catch (Exception ex) {
+            ex.printStackTrace();
+        }
+        return null;
+    }
+
+  static String decrypt(String file) throws Exception {
+    String in;
+      final ObjectInputStream o = new ObjectInputStream(new FileInputStream(file));
+      in = (String) o.readObject();
+      IvParameterSpec iv = new IvParameterSpec(myInitVector.getBytes("UTF-8"));
+      SecretKeySpec keySpec = new SecretKeySpec(myKey.getBytes("UTF-8"), "AES");
+
+      Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
+      cipher.init(Cipher.DECRYPT_MODE, keySpec, iv);
+
+      byte[] original = cipher.doFinal(Base64.decodeBase64(in));
+      return new String(original);
+  }
+}

src/de/halirutan/mathematica/errorreporting/GitHubAccessTokenScrambler.java

@@ -27,7 +27,7 @@
  * </p>
  * <ul>
  *   <li>@see <a href="https://android.googlesource.com/platform/tools/adt/idea/+/master/android/src/com/android/tools/idea/diagnostics/error/ErrorReporter.java">the android implementation</a></li>
- *   <li>@see <a href="http://devnet.jetbrains.com/message/5526206>a post on jetbrains</a></li>
+ *   <li>@see <a href="http://devnet.jetbrains.com/message/5526206">a post on jetbrains</a></li>
  * </ul>
  * <p>
  * Furthermore, an earlier implementation of Jon Akhtar (https://github.com/sylvanaar) gave me the idea of finding duplicates,
@@ -50,5 +50,14 @@
  *   which is run as background task {@link de.halirutan.mathematica.errorreporting.AnonymousFeedbackTask}.
  *   The main class that is also registered in the plugin.xml and starts the whole procedure is {@link de.halirutan.mathematica.errorreporting.GitHubErrorReporter}.
  * </p>
+ * <p>
+ *   You might consider using a subset of this functionality by not using the duplicate finding and commenting feature.
+ *   The advantage of this is, that you should be able to implement this without having a real fake user in the background
+ *   that reports for you. Creating issues can be done by anyone, commenting and labeling not. For commenting on an existing issue,
+ *   you need a higher level of access to GitHub and your requests need to be backed by a user/password or token. The problem
+ *   here is clearly that you need to give the plugin access to this token. No matter how you secure it, if the code is
+ *   open access it is not hard to decipher your token. Therefore, always use tokens with the lowest possible access level
+ *   (in this case, access to public repositories only) if you need to.
+ * </p>
  */
 package de.halirutan.mathematica.errorreporting;