Limit the sso scopes to the service requesting it (#3528)

manodnyab · web-flow · commit 06d1216a7d8b · 2023-04-27T11:49:09.000-07:00
* Limit scopes to service calling it

* new changes

* feedback changes

* try logout

* fedback changes 2

* removed customizerId

* feedback changes

* variable name change

* fixed tests

* modified tests

* detekt

* fixed indent

* added changelog
diff --git a/.changes/next-release/feature-67a861d4-e076-4ce8-8853-1debbb564995.json b/.changes/next-release/feature-67a861d4-e076-4ce8-8853-1debbb564995.json
@@ -0,0 +1,4 @@
+{
+  "type" : "feature",
+  "description" : "Using the least permissive set of scopes for features during BuilderID/SSO login. Using the same connection for multiple features will request additional scopes to be used."
+}
diff --git a/jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/ToolkitAddConnectionDialog.kt b/jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/ToolkitAddConnectionDialog.kt
@@ -27,6 +27,7 @@ import com.intellij.ui.dsl.builder.columns
 import com.intellij.ui.dsl.builder.panel
 import com.intellij.ui.dsl.builder.selected
 import com.intellij.ui.dsl.builder.toNullableProperty
+import com.intellij.util.containers.nullize
 import software.amazon.awssdk.services.ssooidc.model.InvalidGrantException
 import software.amazon.awssdk.services.ssooidc.model.InvalidRequestException
 import software.amazon.awssdk.services.ssooidc.model.SsoOidcException
@@ -36,8 +37,6 @@ import software.aws.toolkits.core.utils.getLogger
 import software.aws.toolkits.core.utils.info
 import software.aws.toolkits.core.utils.warn
 import software.aws.toolkits.jetbrains.ToolkitPlaces
-import software.aws.toolkits.jetbrains.core.credentials.sono.ALL_SONO_SCOPES
-import software.aws.toolkits.jetbrains.core.credentials.sono.ALL_SSO_SCOPES
 import software.aws.toolkits.jetbrains.core.credentials.sono.SONO_URL
 import software.aws.toolkits.jetbrains.core.help.HelpIds
 import software.aws.toolkits.jetbrains.core.region.AwsRegionProvider
@@ -52,6 +51,7 @@ data class ConnectionDialogCustomizer(
     val header: String? = null,
     val helpId: HelpIds? = null,
     val replaceIamComment: String? = null,
+    val scopes: List<String>? = null,
     val startUrl: String? = null,
     val region: String? = null,
     val errorMsg: String? = null
@@ -148,11 +148,7 @@ open class ToolkitAddConnectionDialog(
                     error("User should not perform Identity Center login with AWS Builder ID url")
                 }
 
-                val scopes = if (loginType == LoginOptions.AWS_BUILDER_ID) {
-                    ALL_SONO_SCOPES
-                } else {
-                    ALL_SSO_SCOPES
-                }
+                val scopes = customizer?.scopes?.nullize() ?: listOf("sso:account:access")
 
                 LOG.info {
                     """
diff --git a/jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/ToolkitAuthManager.kt b/jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/ToolkitAuthManager.kt
@@ -103,15 +103,17 @@ interface ToolkitConnectionManager : Disposable {
 /**
  * Individual service should subscribe [ToolkitConnectionManagerListener.TOPIC] to fire their service activation / UX update
  */
-fun loginSso(project: Project?, startUrl: String, region: String = DEFAULT_SSO_REGION, scopes: List<String> = ALL_SONO_SCOPES): BearerTokenProvider {
+
+fun loginSso(project: Project?, startUrl: String, region: String = DEFAULT_SSO_REGION, requestedScopes: List<String> = ALL_SONO_SCOPES): BearerTokenProvider {
     val connectionId = ToolkitBearerTokenProvider.ssoIdentifier(startUrl, region)
-    val manager = ToolkitAuthManager.getInstance()
 
+    val manager = ToolkitAuthManager.getInstance()
+    val allScopes = requestedScopes.toMutableList()
     return manager.getConnection(connectionId)?.let { connection ->
         val logger = getLogger<ToolkitAuthManager>()
         // requested Builder ID, but one already exists
         // TBD: do we do this for regular SSO too?
-        if (connection.isSono() && connection is BearerSsoConnection && scopes.all { it in connection.scopes }) {
+        if (connection.isSono() && connection is BearerSsoConnection && requestedScopes.all { it in connection.scopes }) {
             val signOut = computeOnEdt {
                 MessageDialogBuilder.yesNo(
                     message("toolkit.login.aws_builder_id.already_connected.title"),
@@ -133,13 +135,17 @@ fun loginSso(project: Project?, startUrl: String, region: String = DEFAULT_SSO_R
         }
 
         // There is an existing connection we can use
-        if (connection is BearerSsoConnection && !scopes.all { it in connection.scopes }) {
+        if (connection is BearerSsoConnection && !requestedScopes.all { it in connection.scopes }) {
+            allScopes.addAll(connection.scopes)
+
             logger.info {
-                "Forcing reauth on ${connection.id} since requested scopes ($scopes) are not a complete subset of current scopes (${connection.scopes})"
+                """
+                    Forcing reauth on ${connection.id} since requested scopes ($requestedScopes)
+                    are not a complete subset of current scopes (${connection.scopes})
+                """.trimIndent()
             }
-
+            logoutFromSsoConnection(project, connection as AwsBearerTokenConnection)
             // can't reuse since requested scopes are not in current connection. forcing reauth
-            manager.deleteConnection(connection)
             return@let null
         }
 
@@ -155,7 +161,7 @@ fun loginSso(project: Project?, startUrl: String, region: String = DEFAULT_SSO_R
             ManagedSsoProfile(
                 region,
                 startUrl,
-                scopes
+                allScopes.toSet().toList()
             )
         )
 
diff --git a/jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/sono/SonoConstants.kt b/jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/sono/SonoConstants.kt
@@ -18,7 +18,6 @@ internal val CODECATALYST_SCOPES = listOf(
 
 // limit of 10
 // at least one scope must be provided
-internal val ALL_SSO_SCOPES = CODEWHISPERER_SCOPES
 val ALL_SONO_SCOPES = CODEWHISPERER_SCOPES + CODECATALYST_SCOPES
 
 fun ToolkitConnection?.isSono() = if (this == null) {
diff --git a/jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/sono/SonoCredentialManager.kt b/jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/sono/SonoCredentialManager.kt
@@ -68,8 +68,8 @@ class SonoCredentialManager {
     fun getProviderAndPromptAuth(): BearerTokenProvider {
         val provider = provider()
         return when (provider?.state()) {
-            null -> runUnderProgressIfNeeded(project, message("credentials.sono.login.pending"), true) {
-                loginSso(project, SONO_URL, scopes = ALL_SONO_SCOPES)
+            null -> runUnderProgressIfNeeded(null, message("credentials.sono.login.pending"), true) {
+                loginSso(project, SONO_URL, requestedScopes = CODECATALYST_SCOPES)
             }
 
             else -> reauthProviderIfNeeded(project, provider)
diff --git a/jetbrains-core/src/software/aws/toolkits/jetbrains/services/codewhisperer/credentials/CodeWhispererLoginDialog.kt b/jetbrains-core/src/software/aws/toolkits/jetbrains/services/codewhisperer/credentials/CodeWhispererLoginDialog.kt
@@ -6,6 +6,7 @@ package software.aws.toolkits.jetbrains.services.codewhisperer.credentials
 import com.intellij.openapi.project.Project
 import software.aws.toolkits.jetbrains.core.credentials.ConnectionDialogCustomizer
 import software.aws.toolkits.jetbrains.core.credentials.ToolkitAddConnectionDialog
+import software.aws.toolkits.jetbrains.core.credentials.sono.CODEWHISPERER_SCOPES
 import software.aws.toolkits.jetbrains.core.help.HelpIds
 import software.aws.toolkits.resources.message
 
@@ -16,6 +17,7 @@ class CodeWhispererLoginDialog(project: Project) : ToolkitAddConnectionDialog(
         title = message("codewhisperer.credential.login.dialog.title"),
         header = message("codewhisperer.credential.login.dialog.prompt"),
         helpId = HelpIds.CODEWHISPERER_LOGIN_DIALOG,
-        replaceIamComment = message("codewhisperer.credential.login.dialog.iam.description")
+        replaceIamComment = message("codewhisperer.credential.login.dialog.iam.description"),
+        scopes = CODEWHISPERER_SCOPES
     )
 )
diff --git a/jetbrains-core/src/software/aws/toolkits/jetbrains/services/codewhisperer/util/CodeWhispererUtil.kt b/jetbrains-core/src/software/aws/toolkits/jetbrains/services/codewhisperer/util/CodeWhispererUtil.kt
@@ -164,7 +164,7 @@ object CodeWhispererUtil {
         if (connection !is BearerSsoConnection) return
         ApplicationManager.getApplication().executeOnPooledThread {
             getConnectionStartUrl(connection)?.let { startUrl ->
-                loginSso(project, startUrl, scopes = connection.scopes)
+                loginSso(project, startUrl, requestedScopes = connection.scopes)
             }
         }
     }
diff --git a/jetbrains-core/tst/software/aws/toolkits/jetbrains/core/credentials/DefaultToolkitAuthManagerTest.kt b/jetbrains-core/tst/software/aws/toolkits/jetbrains/core/credentials/DefaultToolkitAuthManagerTest.kt
@@ -18,6 +18,7 @@ import org.mockito.kotlin.argumentCaptor
 import org.mockito.kotlin.doNothing
 import org.mockito.kotlin.eq
 import org.mockito.kotlin.mock
+import org.mockito.kotlin.times
 import org.mockito.kotlin.verify
 import org.mockito.kotlin.verifyNoMoreInteractions
 import org.mockito.kotlin.whenever
@@ -160,7 +161,7 @@ class DefaultToolkitAuthManagerTest {
                 )
             )
 
-            loginSso(projectRule.project, "foo", scopes = emptyList())
+            loginSso(projectRule.project, "foo", requestedScopes = emptyList())
 
             val tokenProvider = it.constructed()[0]
             verify(tokenProvider).state()
@@ -188,7 +189,7 @@ class DefaultToolkitAuthManagerTest {
                 )
             )
 
-            loginSso(projectRule.project, "foo", scopes = emptyList())
+            loginSso(projectRule.project, "foo", requestedScopes = emptyList())
 
             val tokenProvider = it.constructed()[0]
             verify(tokenProvider).resolveToken()
@@ -214,7 +215,7 @@ class DefaultToolkitAuthManagerTest {
                 )
             )
 
-            loginSso(projectRule.project, "foo", scopes = emptyList())
+            loginSso(projectRule.project, "foo", requestedScopes = emptyList())
 
             val tokenProvider = it.constructed()[0]
             verify(tokenProvider).reauthenticate()
@@ -240,7 +241,7 @@ class DefaultToolkitAuthManagerTest {
                 )
             )
 
-            loginSso(projectRule.project, "foo", scopes = listOf("existing1"))
+            loginSso(projectRule.project, "foo", requestedScopes = listOf("existing1"))
 
             val tokenProvider = it.constructed()[0]
             verify(tokenProvider).state()
@@ -268,17 +269,18 @@ class DefaultToolkitAuthManagerTest {
             )
 
             val newScopes = listOf("existing1", "new1")
-            loginSso(projectRule.project, "foo", scopes = newScopes)
+            loginSso(projectRule.project, "foo", requestedScopes = newScopes)
 
             val captor = argumentCaptor<ManagedBearerSsoConnection>()
-            verify(connectionManager).switchConnection(captor.capture())
-            assertThat(captor.allValues.size).isEqualTo(1)
-            assertThat(captor.firstValue).satisfies { connection ->
-                assertThat(connection.scopes).usingRecursiveComparison().isEqualTo(newScopes)
+
+            verify(connectionManager, times(2)).switchConnection(captor.capture())
+
+            assertThat(captor.secondValue).satisfies { connection ->
+                assertThat(connection.scopes.toSet()).isEqualTo(setOf("existing1", "existing2", "existing3", "new1"))
             }
             assertThat(sut.listConnections()).singleElement().isInstanceOfSatisfying<BearerSsoConnection>() { connection ->
                 assertThat(connection).usingRecursiveComparison().isNotEqualTo(existingConnection)
-                assertThat(connection.scopes).usingRecursiveComparison().isEqualTo(newScopes)
+                assertThat(connection.scopes.toSet()).isEqualTo(setOf("existing1", "existing2", "existing3", "new1"))
             }
         }
     }
@@ -296,7 +298,7 @@ class DefaultToolkitAuthManagerTest {
             // before
             assertThat(sut.listConnections()).hasSize(0)
 
-            loginSso(projectRule.project, "foo", scopes = listOf("scope1", "scope2"))
+            loginSso(projectRule.project, "foo", requestedScopes = listOf("scope1", "scope2"))
 
             // after
             assertThat(sut.listConnections()).hasSize(1)
diff --git a/resources/resources/software/aws/toolkits/resources/MessagesBundle.properties b/resources/resources/software/aws/toolkits/resources/MessagesBundle.properties
@@ -454,7 +454,7 @@ codewhisperer.credential.login.dialog.title=CodeWhisperer: Add Connection to AWS
 codewhisperer.credential.login.exception.general=Ran into unknown error: {0}
 codewhisperer.credential.login.exception.general.oidc=Fail to fetch credential
 codewhisperer.credential.login.exception.invalid_grant=Access denied
-codewhisperer.credential.login.exception.invalid_input=Invalid start url
+codewhisperer.credential.login.exception.invalid_input=Invalid start url or scopes
 codewhisperer.credential.login.exception.io=Unable to access SSO disk cache: {0}
 codewhisperer.credential.login.prompt.sono.message=Sign in with AWS Builder ID
 codewhisperer.credential.login.prompt.sono.title=AWS Builder ID login

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +{
 +  "type" : "feature",
 +  "description" : "Using the least permissive set of scopes for features during BuilderID/SSO login. Using the same connection for multiple features will request additional scopes to be used."
 +}
Original file line number	Diff line number	Diff line change
`@@ -164,7 +164,7 @@ object CodeWhispererUtil {`
`164`	`164`	`if (connection !is BearerSsoConnection) return`
`165`	`165`	`ApplicationManager.getApplication().executeOnPooledThread {`
`166`	`166`	`getConnectionStartUrl(connection)?.let { startUrl ->`
`167`		`- loginSso(project, startUrl, scopes = connection.scopes)`
	`167`	`+ loginSso(project, startUrl, requestedScopes = connection.scopes)`
`168`	`168`	`}`
`169`	`169`	`}`
`170`	`170`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ import org.mockito.kotlin.argumentCaptor`
`18`	`18`	`import org.mockito.kotlin.doNothing`
`19`	`19`	`import org.mockito.kotlin.eq`
`20`	`20`	`import org.mockito.kotlin.mock`
	`21`	`+import org.mockito.kotlin.times`
`21`	`22`	`import org.mockito.kotlin.verify`
`22`	`23`	`import org.mockito.kotlin.verifyNoMoreInteractions`
`23`	`24`	`import org.mockito.kotlin.whenever`
`@@ -160,7 +161,7 @@ class DefaultToolkitAuthManagerTest {`
`160`	`161`	`)`
`161`	`162`	`)`
`162`	`163`
`163`		`- loginSso(projectRule.project, "foo", scopes = emptyList())`
	`164`	`+ loginSso(projectRule.project, "foo", requestedScopes = emptyList())`
`164`	`165`
`165`	`166`	`val tokenProvider = it.constructed()[0]`
`166`	`167`	`verify(tokenProvider).state()`
`@@ -188,7 +189,7 @@ class DefaultToolkitAuthManagerTest {`
`188`	`189`	`)`
`189`	`190`	`)`
`190`	`191`
`191`		`- loginSso(projectRule.project, "foo", scopes = emptyList())`
	`192`	`+ loginSso(projectRule.project, "foo", requestedScopes = emptyList())`
`192`	`193`
`193`	`194`	`val tokenProvider = it.constructed()[0]`
`194`	`195`	`verify(tokenProvider).resolveToken()`
`@@ -214,7 +215,7 @@ class DefaultToolkitAuthManagerTest {`
`214`	`215`	`)`
`215`	`216`	`)`
`216`	`217`
`217`		`- loginSso(projectRule.project, "foo", scopes = emptyList())`
	`218`	`+ loginSso(projectRule.project, "foo", requestedScopes = emptyList())`
`218`	`219`
`219`	`220`	`val tokenProvider = it.constructed()[0]`
`220`	`221`	`verify(tokenProvider).reauthenticate()`
`@@ -240,7 +241,7 @@ class DefaultToolkitAuthManagerTest {`
`240`	`241`	`)`
`241`	`242`	`)`
`242`	`243`
`243`		`- loginSso(projectRule.project, "foo", scopes = listOf("existing1"))`
	`244`	`+ loginSso(projectRule.project, "foo", requestedScopes = listOf("existing1"))`
`244`	`245`
`245`	`246`	`val tokenProvider = it.constructed()[0]`
`246`	`247`	`verify(tokenProvider).state()`
`@@ -268,17 +269,18 @@ class DefaultToolkitAuthManagerTest {`
`268`	`269`	`)`
`269`	`270`
`270`	`271`	`val newScopes = listOf("existing1", "new1")`
`271`		`- loginSso(projectRule.project, "foo", scopes = newScopes)`
	`272`	`+ loginSso(projectRule.project, "foo", requestedScopes = newScopes)`
`272`	`273`
`273`	`274`	`val captor = argumentCaptor<ManagedBearerSsoConnection>()`
`274`		`- verify(connectionManager).switchConnection(captor.capture())`
`275`		`- assertThat(captor.allValues.size).isEqualTo(1)`
`276`		`- assertThat(captor.firstValue).satisfies { connection ->`
`277`		`- assertThat(connection.scopes).usingRecursiveComparison().isEqualTo(newScopes)`
	`275`	`+`
	`276`	`+ verify(connectionManager, times(2)).switchConnection(captor.capture())`
	`277`	`+`
	`278`	`+ assertThat(captor.secondValue).satisfies { connection ->`
	`279`	`+ assertThat(connection.scopes.toSet()).isEqualTo(setOf("existing1", "existing2", "existing3", "new1"))`
`278`	`280`	`}`
`279`	`281`	`assertThat(sut.listConnections()).singleElement().isInstanceOfSatisfying<BearerSsoConnection>() { connection ->`
`280`	`282`	`assertThat(connection).usingRecursiveComparison().isNotEqualTo(existingConnection)`
`281`		`- assertThat(connection.scopes).usingRecursiveComparison().isEqualTo(newScopes)`
	`283`	`+ assertThat(connection.scopes.toSet()).isEqualTo(setOf("existing1", "existing2", "existing3", "new1"))`
`282`	`284`	`}`
`283`	`285`	`}`
`284`	`286`	`}`
`@@ -296,7 +298,7 @@ class DefaultToolkitAuthManagerTest {`
`296`	`298`	`// before`
`297`	`299`	`assertThat(sut.listConnections()).hasSize(0)`
`298`	`300`
`299`		`- loginSso(projectRule.project, "foo", scopes = listOf("scope1", "scope2"))`
	`301`	`+ loginSso(projectRule.project, "foo", requestedScopes = listOf("scope1", "scope2"))`
`300`	`302`
`301`	`303`	`// after`
`302`	`304`	`assertThat(sut.listConnections()).hasSize(1)`