Backport SSO scope changes to public (#3321)

Author: rli

gradle/libs.versions.toml

@@ -1,7 +1,7 @@
 [versions]
 apacheCommons = "2.8.0"
 assertJ = "3.20.2" # Upgrading leads to SAM errors: https://youtrack.jetbrains.com/issue/KT-17765
-awsSdk = "2.17.219"
+awsSdk = "2.17.289"
 commonmark = "0.17.1"
 detekt = "1.21.0"
 intellijGradle = "1.9.0"

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/profiles/ProfileCredentialProviderFactory.kt

@@ -25,6 +25,8 @@ import software.aws.toolkits.core.credentials.CredentialType
 import software.aws.toolkits.core.credentials.CredentialsChangeEvent
 import software.aws.toolkits.core.credentials.CredentialsChangeListener
 import software.aws.toolkits.core.region.AwsRegion
+import software.aws.toolkits.core.utils.getLogger
+import software.aws.toolkits.core.utils.warn
 import software.aws.toolkits.jetbrains.core.credentials.MfaRequiredInteractiveCredentials
 import software.aws.toolkits.jetbrains.core.credentials.SsoRequiredInteractiveCredentials
 import software.aws.toolkits.jetbrains.core.credentials.ToolkitCredentialProcessProvider
@@ -143,6 +145,8 @@ class ProfileCredentialProviderFactory(private val ssoCache: SsoCache = diskCach
             ": $it"
         } ?: ""
 
+        LOG.warn(e) { loadingFailureMessage }
+
         if (AwsSettings.getInstance().profilesNotification != ProfilesNotification.Never) {
             notifyError(
                 title = message("credentials.profile.refresh_ok_title"),
@@ -298,6 +302,10 @@ class ProfileCredentialProviderFactory(private val ssoCache: SsoCache = diskCach
 
     private fun Profile.requiresSso(profiles: Map<String, Profile>) = this.traverseCredentialChain(profiles)
         .any { it.propertyExists(ProfileProperty.SSO_START_URL) }
+
+    companion object {
+        private val LOG = getLogger<ProfileCredentialProviderFactory>()
+    }
 }
 
 private fun Profile.toCredentialType(): CredentialType? = when {

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/profiles/ProfileReader.kt

@@ -14,7 +14,7 @@ data class Profiles(val validProfiles: Map<String, Profile>, val invalidProfiles
  * Reads the AWS shared credentials files and produces what profiles are valid and if not why it is not
  */
 fun validateAndGetProfiles(): Profiles {
-    val allProfiles: Map<String, Profile> = ProfileFile.defaultProfileFile().profiles()
+    val allProfiles: Map<String, Profile> = ProfileFile.defaultProfileFile().profiles().orEmpty()
 
     val validProfiles = mutableMapOf<String, Profile>()
     val invalidProfiles = mutableMapOf<String, Exception>()

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/sso/AccessToken.kt

@@ -3,6 +3,7 @@
 
 package software.aws.toolkits.jetbrains.core.credentials.sso
 
+import com.fasterxml.jackson.annotation.JsonInclude
 import software.amazon.awssdk.services.sso.SsoClient
 import software.amazon.awssdk.services.ssooidc.SsoOidcClient
 import java.time.Instant
@@ -14,5 +15,7 @@ data class AccessToken(
     val startUrl: String,
     val region: String,
     val accessToken: String,
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    val refreshToken: String? = null,
     val expiresAt: Instant
 )

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/sso/DiskCache.kt

@@ -24,10 +24,10 @@ import java.nio.file.Paths
 import java.nio.file.attribute.PosixFilePermission
 import java.security.MessageDigest
 import java.time.Clock
+import java.time.Duration
 import java.time.Instant
 import java.time.ZoneOffset
 import java.time.format.DateTimeFormatter.ISO_INSTANT
-import java.time.temporal.ChronoUnit
 import java.util.TimeZone
 
 /**
@@ -78,11 +78,11 @@ class DiskCache(
         val inputStream = cacheFile.inputStreamIfExists() ?: return null
 
         return tryOrNull {
-            val clientRegistration = objectMapper.readValue<AccessToken>(inputStream)
+            val accessToken = objectMapper.readValue<AccessToken>(inputStream)
             // Use same expiration logic as client registration even though RFC/SEP does not specify it.
             // This prevents a cache entry being returned as valid and then expired when we go to use it.
-            if (clientRegistration.expiresAt.isNotExpired()) {
-                clientRegistration
+            if (!accessToken.isDefinitelyExpired()) {
+                accessToken
             } else {
                 null
             }
@@ -113,7 +113,9 @@ class DiskCache(
     }
 
     // If the item is going to expire in the next 15 mins, we must treat it as already expired
-    private fun Instant.isNotExpired(): Boolean = this.isAfter(Instant.now(clock).plus(15, ChronoUnit.MINUTES))
+    private fun Instant.isNotExpired(): Boolean = this.isAfter(Instant.now(clock).plus(EXPIRATION_THRESHOLD))
+
+    private fun AccessToken.isDefinitelyExpired(): Boolean = refreshToken == null && !expiresAt.isNotExpired()
 
     private class CliCompatibleInstantDeserializer : StdDeserializer<Instant>(Instant::class.java) {
         override fun deserialize(parser: JsonParser, context: DeserializationContext): Instant {
@@ -129,4 +131,8 @@ class DiskCache(
             return ISO_INSTANT.parse(sanitized) { Instant.from(it) }
         }
     }
+
+    companion object {
+        val EXPIRATION_THRESHOLD = Duration.ofMinutes(15)
+    }
 }

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/sso/SsoAccessTokenProvider.kt

@@ -6,7 +6,9 @@ package software.aws.toolkits.jetbrains.core.credentials.sso
 import com.intellij.openapi.progress.ProgressManager
 import software.amazon.awssdk.services.ssooidc.SsoOidcClient
 import software.amazon.awssdk.services.ssooidc.model.AuthorizationPendingException
+import software.amazon.awssdk.services.ssooidc.model.CreateTokenResponse
 import software.amazon.awssdk.services.ssooidc.model.InvalidClientException
+import software.amazon.awssdk.services.ssooidc.model.InvalidRequestException
 import software.amazon.awssdk.services.ssooidc.model.SlowDownException
 import software.aws.toolkits.jetbrains.utils.assertIsNonDispatchThread
 import software.aws.toolkits.jetbrains.utils.sleepWithCancellation
@@ -23,6 +25,7 @@ class SsoAccessTokenProvider(
     private val onPendingToken: SsoLoginCallback,
     private val cache: SsoCache,
     private val client: SsoOidcClient,
+    private val scopes: List<String> = emptyList(),
     private val clock: Clock = Clock.systemUTC()
 ) {
     fun accessToken(): AccessToken {
@@ -47,6 +50,7 @@ class SsoAccessTokenProvider(
         // Based on botocore: https://github.com/boto/botocore/blob/5dc8ee27415dc97cfff75b5bcfa66d410424e665/botocore/utils.py#L1753
         val registerResponse = client.registerClient {
             it.clientType(CLIENT_REGISTRATION_TYPE)
+            it.scopes(scopes)
             it.clientName("aws-toolkit-jetbrains-${Instant.now(clock)}")
         }
 
@@ -99,20 +103,13 @@ class SsoAccessTokenProvider(
                 val tokenResponse = client.createToken {
                     it.clientId(registration.clientId)
                     it.clientSecret(registration.clientSecret)
-                    it.grantType(GRANT_TYPE)
+                    it.grantType(DEVICE_GRANT_TYPE)
                     it.deviceCode(authorization.deviceCode)
                 }
 
-                val expirationTime = Instant.now(clock).plusSeconds(tokenResponse.expiresIn().toLong())
-
                 onPendingToken.tokenRetrieved()
 
-                return AccessToken(
-                    ssoUrl,
-                    ssoRegion,
-                    tokenResponse.accessToken(),
-                    expirationTime
-                )
+                return tokenResponse.toAccessToken()
             } catch (e: SlowDownException) {
                 backOffTime = backOffTime.plusSeconds(SLOW_DOWN_DELAY_SECS)
             } catch (e: AuthorizationPendingException) {
@@ -126,13 +123,46 @@ class SsoAccessTokenProvider(
         }
     }
 
+    fun refreshToken(currentToken: AccessToken): AccessToken {
+        if (currentToken.refreshToken == null) {
+            throw InvalidRequestException.builder().build()
+        }
+
+        val registration = cache.loadClientRegistration(ssoRegion) ?: throw InvalidClientException.builder().build()
+
+        val newToken = client.createToken {
+            it.clientId(registration.clientId)
+            it.clientSecret(registration.clientSecret)
+            it.grantType(REFRESH_GRANT_TYPE)
+            it.refreshToken(currentToken.refreshToken)
+        }
+
+        val token = newToken.toAccessToken()
+        cache.saveAccessToken(ssoUrl, token)
+
+        return token
+    }
+
     fun invalidate() {
         cache.invalidateAccessToken(ssoUrl)
     }
 
+    private fun CreateTokenResponse.toAccessToken(): AccessToken {
+        val expirationTime = Instant.now(clock).plusSeconds(expiresIn().toLong())
+
+        return AccessToken(
+            startUrl = ssoUrl,
+            region = ssoRegion,
+            accessToken = accessToken(),
+            refreshToken = refreshToken(),
+            expiresAt = expirationTime
+        )
+    }
+
     private companion object {
         const val CLIENT_REGISTRATION_TYPE = "public"
-        const val GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
+        const val DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
+        const val REFRESH_GRANT_TYPE = "refresh_token"
 
         // Default number of seconds to poll for token, https://tools.ietf.org/html/draft-ietf-oauth-device-flow-15#section-3.5
         const val DEFAULT_INTERVAL_SECS = 5L

jetbrains-core/tst/software/aws/toolkits/jetbrains/core/credentials/ToolkitCredentialProcessProviderTest.kt

@@ -116,14 +116,15 @@ class ToolkitCredentialProcessProviderTest {
     }
 
     @Test
-    fun `expiry in the past means command is re-run`() {
+    fun `expiry in the past means command is not re-run`() {
+        // Java SDK prefers threads to block when this happens https://github.com/aws/aws-sdk-java-v2/commit/5151e4049382bdb5ea6b487e6f150314b579181d
         val sut = createSut("echo")
         stubParser(CredentialProcessOutput("foo", "bar", null, Instant.now().minus(Duration.ofHours(1))))
 
         sut.resolveCredentials()
         sut.resolveCredentials()
 
-        verify(parser, times(2)).parse(any())
+        verify(parser).parse(any())
     }
 
     @Test