Sign in with Idc for CodeCatalyst (#4126)

* Support sign in to CodeCatalyst via Identity Center (#4059)

* Support SSO sign in for CodeCatalyst in IDEA

* Support SSO sign in for CodeCatalyst in the Gateway

* Fix codecatalyst scope

* Add new GW authentication dialog

* Fix merge conflicts

* Small refactor of GW auth dialog

* Refactor auth dialog panel building to dedupe code

* Empty-Commit

* Fix broken unit tests

* Fix tests, lint errors, small fixes

* Fix lint errors

* Addressed PR feedback

* Fix lint errors

* Add support for opening CodeCatalyst dev env using Idc (#4079)

* Support SSO sign in for CodeCatalyst in IDEA

* Support SSO sign in for CodeCatalyst in the Gateway

* Fix codecatalyst scope

* Add new GW authentication dialog

* Fix merge conflicts

* Small refactor of GW auth dialog

* Refactor auth dialog panel building to dedupe code

* Empty-Commit

* Fix broken unit tests

* Fix tests, lint errors, small fixes

* Fix lint errors

* Support starting a dev env via Idc from an external url

* Addressed PR feedback

* Addressed PR feedback

* Fix lint errors

* Include conn parameters in workspace list

* Addressed PR feedback

* Fix getting started panel

* Avoid throwing error when canceling auth dialog in GW (#4111)

Co-authored-by: manodnyab <[email protected]>

* Fix sign out message in GW (#4097)

* Fix sign out message in GW

* Remove unused message bundle entry

---------

Co-authored-by: manodnyab <[email protected]>

* Fix Auth Setup Dialog For CodeCatalyst (#4102)

* Fix getting started panel for CodeCatalyst

* Fix getting started panel button label, supported auth table

* Remove notice banner in setup auth dialog for CodeCatalyst (#4103)

* Remove notice in setup auth dialog for CodeCatalyst

* add support for idc in gs page

* Fix duplicate + invalid SSO session found when connected to remote dev env (#4107)

* Add IDC as connection type for CC metrics (#4123)

* add entrypoint for metrics

* added changelog

* detekt

* Fix switching between accounts in CodeCatalyst (#4122)

* Fix switching between accounts in CodeCatalyst

* fixed tests

* extra line

* feedback changes

* feedback 2

* detekt

---------

Co-authored-by: aws-toolkit-automation <[email protected]>
Co-authored-by: juanbenj <[email protected]>
Co-authored-by: Richard Li <[email protected]>

Author: 4 people

.changes/next-release/feature-2ea8d8de-522b-4b9b-8f46-dbcc1a77cfb6.json

@@ -0,0 +1,4 @@
+{
+  "type" : "feature",
+  "description" : "Add support for IAM Identity Center connections for CodeCatalyst"
+}

core/src/software/aws/toolkits/core/credentials/ToolkitCredentialsProvider.kt

@@ -137,7 +137,7 @@ class ToolkitBearerTokenProvider(val delegate: ToolkitBearerTokenProviderDelegat
             message("iam_identity_center.service_name", extractOrgID(startUrl))
         }
 
-        fun diskSessionIdentifier(profileName: String) = "diskSessionProfile;$profileName"
+        fun diskSessionIdentifier(profileName: String) = "sso-session:$profileName"
         fun diskSessionDisplayName(profileName: String) = "IAM Identity Center Session ($profileName)"
     }
 }

jetbrains-core/resources/META-INF/plugin.xml

@@ -784,7 +784,7 @@
         <action class="software.aws.toolkits.jetbrains.settings.ShowSettingsAction" id="aws.settings.show" icon="AllIcons.General.Settings"/>
 
         <group id="aws.toolkit.sono.id.actions">
-            <action class="software.aws.toolkits.jetbrains.core.credentials.sono.SonoLogoutAction" id="aws.toolkit.sono.id.logout"/>
+            <action class="software.aws.toolkits.jetbrains.core.credentials.sono.SonoLogoutAction" id="aws.toolkit.caws.logout"/>
             <action class="software.aws.toolkits.jetbrains.services.caws.actions.OpenCawsProfileAction" id="aws.toolkit.caws.profile"/>
             <action class="software.aws.toolkits.jetbrains.ui.feedback.SubmitFeedbackInGateway" id="aws.toolkit.submit.caws.dev.env.feedback"/>
         </group>

jetbrains-core/resources/META-INF/services/caws.xml

@@ -5,16 +5,12 @@
     <depends optional="true" config-file="services/caws-ext-git.xml">Git4Idea</depends>
 
     <extensions defaultExtensionNs="com.intellij">
-        <projectService serviceImplementation="software.aws.toolkits.jetbrains.core.credentials.sono.SonoCredentialManager"/>
-        <applicationService serviceImplementation="software.aws.toolkits.jetbrains.core.credentials.sono.SonoCredentialManager"/>
+        <projectService serviceImplementation="software.aws.toolkits.jetbrains.core.credentials.sono.CodeCatalystCredentialManager"/>
+        <applicationService serviceImplementation="software.aws.toolkits.jetbrains.core.credentials.sono.CodeCatalystCredentialManager"/>
         <applicationService serviceImplementation="software.aws.toolkits.jetbrains.settings.CawsSpaceTracker"/>
         <projectService serviceImplementation="software.aws.toolkits.jetbrains.services.caws.projectstate.CawsProjectSettings"/>
     </extensions>
 
-    <extensions defaultExtensionNs="aws.toolkit">
-        <startupAuthFactory implementation="software.aws.toolkits.jetbrains.core.credentials.sono.SonoDiskProfileAuthFactory"/>
-    </extensions>
-
     <actions>
         <group id="aws.caws.devtools.actions.loggedin">
             <action class="software.aws.toolkits.jetbrains.core.explorer.devToolsTab.nodes.actions.CopyCawsRepositoryUrl" id="aws.caws.devtools.actions.copyCloneUrl"/>

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/DefaultToolkitAuthManager.kt

@@ -81,21 +81,21 @@ class DefaultToolkitAuthManager : ToolkitAuthManager, PersistentStateComponent<T
 
     override fun listConnections(): List<ToolkitConnection> = connections.toList() + transientConnections
 
-    override fun tryCreateTransientSsoConnection(profile: AuthProfile, callback: (BearerSsoConnection) -> Unit): BearerSsoConnection {
-        val connection = (connectionFromProfile(profile) as BearerSsoConnection).also {
+    override fun tryCreateTransientSsoConnection(profile: AuthProfile, callback: (AwsBearerTokenConnection) -> Unit): AwsBearerTokenConnection {
+        val connection = (connectionFromProfile(profile) as AwsBearerTokenConnection).also {
             callback(it)
             transientConnections.add(it)
         }
 
         return connection
     }
 
-    override fun getOrCreateSsoConnection(profile: UserConfigSsoSessionProfile): BearerSsoConnection {
-        (transientConnections.firstOrNull { it.id == profile.id } as? BearerSsoConnection)?.let {
+    override fun getOrCreateSsoConnection(profile: UserConfigSsoSessionProfile): AwsBearerTokenConnection {
+        (transientConnections.firstOrNull { it.id == profile.id } as? AwsBearerTokenConnection)?.let {
             return it
         }
 
-        val connection = connectionFromProfile(profile) as BearerSsoConnection
+        val connection = connectionFromProfile(profile) as AwsBearerTokenConnection
         transientConnections.add(connection)
 
         return connection
@@ -130,11 +130,15 @@ class DefaultToolkitAuthManager : ToolkitAuthManager, PersistentStateComponent<T
     }
 
     private fun deleteConnection(predicate: (ToolkitConnection) -> Boolean) {
+        val deleted = mutableListOf<ToolkitConnection>()
         connections.removeAll { connection ->
             predicate(connection).also {
-                if (it && connection is Disposable) {
-                    disposeAndNotify(connection)
-                }
+                deleted.add(connection)
+            }
+        }
+        for (connection in deleted) {
+            if (connection is Disposable) {
+                disposeAndNotify(connection)
             }
         }
     }
@@ -222,7 +226,8 @@ class DefaultToolkitAuthManager : ToolkitAuthManager, PersistentStateComponent<T
         is DetectedDiskSsoSessionProfile -> DetectedDiskSsoSessionConnection(
             sessionProfileName = profile.profileName,
             startUrl = profile.startUrl,
-            region = profile.ssoRegion
+            region = profile.ssoRegion,
+            scopes = profile.scopes
         )
     }
 

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/DefaultToolkitConnectionManager.kt

@@ -124,7 +124,6 @@ class DefaultToolkitConnectionManager : ToolkitConnectionManager, PersistentStat
                 if (featuresToPin.isNotEmpty()) {
                     application.executeOnPooledThread {
                         pinningManager.pinFeatures(oldConnection, newConnection, featuresToPin)
-                        application.messageBus.syncPublisher(ToolkitConnectionManagerListener.TOPIC).activeConnectionChanged(newConnection)
                     }
                 }
             }

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/ToolkitAuthManager.kt

@@ -4,7 +4,6 @@
 package software.aws.toolkits.jetbrains.core.credentials
 
 import com.intellij.openapi.Disposable
-import com.intellij.openapi.application.ApplicationManager
 import com.intellij.openapi.components.service
 import com.intellij.openapi.extensions.ExtensionPointName
 import com.intellij.openapi.project.Project
@@ -24,6 +23,7 @@ import software.aws.toolkits.jetbrains.core.credentials.sono.isSono
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenAuthState
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenProvider
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenProviderListener
+import software.aws.toolkits.jetbrains.core.gettingstarted.deleteSsoConnectionCW
 import software.aws.toolkits.jetbrains.utils.computeOnEdt
 import software.aws.toolkits.jetbrains.utils.runUnderProgressIfNeeded
 import software.aws.toolkits.resources.message
@@ -42,14 +42,11 @@ interface AwsCredentialConnection : ToolkitConnection {
 interface AwsBearerTokenConnection : ToolkitConnection {
     val startUrl: String
     val region: String
+    val scopes: List<String>
 
     override fun getConnectionSettings(): TokenConnectionSettings
 }
 
-interface BearerSsoConnection : AwsBearerTokenConnection {
-    val scopes: List<String>
-}
-
 sealed interface AuthProfile
 
 data class ManagedSsoProfile(
@@ -71,7 +68,8 @@ data class UserConfigSsoSessionProfile(
 data class DetectedDiskSsoSessionProfile(
     var profileName: String = "",
     var startUrl: String = "",
-    var ssoRegion: String = ""
+    var ssoRegion: String = "",
+    var scopes: List<String> = emptyList()
 ) : AuthProfile
 
 /**
@@ -92,10 +90,10 @@ interface ToolkitAuthManager {
 
     /**
      * Creates a connection that is not visible to the rest of the toolkit unless authentication succeeds
-     * @return [BearerSsoConnection] on success
+     * @return [AwsBearerTokenConnection] on success
      */
-    fun tryCreateTransientSsoConnection(profile: AuthProfile, callback: (BearerSsoConnection) -> Unit): BearerSsoConnection
-    fun getOrCreateSsoConnection(profile: UserConfigSsoSessionProfile): BearerSsoConnection
+    fun tryCreateTransientSsoConnection(profile: AuthProfile, callback: (AwsBearerTokenConnection) -> Unit): AwsBearerTokenConnection
+    fun getOrCreateSsoConnection(profile: UserConfigSsoSessionProfile): AwsBearerTokenConnection
 
     fun deleteConnection(connection: ToolkitConnection)
     fun deleteConnection(connectionId: String)
@@ -134,7 +132,7 @@ fun loginSso(project: Project?, startUrl: String, region: String, requestedScope
         val logger = getLogger<ToolkitAuthManager>()
         // requested Builder ID, but one already exists
         // TBD: do we do this for regular SSO too?
-        if (connection.isSono() && connection is BearerSsoConnection && requestedScopes.all { it in connection.scopes }) {
+        if (connection.isSono() && connection is AwsBearerTokenConnection && requestedScopes.all { it in connection.scopes }) {
             val signOut = computeOnEdt {
                 MessageDialogBuilder.yesNo(
                     message("toolkit.login.aws_builder_id.already_connected.title"),
@@ -150,13 +148,13 @@ fun loginSso(project: Project?, startUrl: String, region: String, requestedScope
                     "Forcing reauth on ${connection.id} since user requested Builder ID while already connected to Builder ID"
                 }
 
-                logoutFromSsoConnection(project, connection as AwsBearerTokenConnection)
+                logoutFromSsoConnection(project, connection)
                 return@let null
             }
         }
 
         // There is an existing connection we can use
-        if (connection is BearerSsoConnection && !requestedScopes.all { it in connection.scopes }) {
+        if (connection is AwsBearerTokenConnection && !requestedScopes.all { it in connection.scopes }) {
             allScopes.addAll(connection.scopes)
 
             logger.info {
@@ -165,7 +163,7 @@ fun loginSso(project: Project?, startUrl: String, region: String, requestedScope
                     are not a complete subset of current scopes (${connection.scopes})
                 """.trimIndent()
             }
-            logoutFromSsoConnection(project, connection as AwsBearerTokenConnection)
+            logoutFromSsoConnection(project, connection)
             // can't reuse since requested scopes are not in current connection. forcing reauth
             return@let null
         }
@@ -204,11 +202,14 @@ internal fun reauthConnection(project: Project?, connection: ToolkitConnection):
     return provider
 }
 
+@Suppress("UnusedParameter")
 fun logoutFromSsoConnection(project: Project?, connection: AwsBearerTokenConnection, callback: () -> Unit = {}) {
     try {
-        ApplicationManager.getApplication().messageBus.syncPublisher(BearerTokenProviderListener.TOPIC).invalidate(connection.id)
         ToolkitAuthManager.getInstance().deleteConnection(connection.id)
-        project?.let { ToolkitConnectionManager.getInstance(it).switchConnection(null) }
+        if (connection is ProfileSsoManagedBearerSsoConnection) {
+            // TODO: Connection handling in GettingStartedAuthUtils needs to be refactored
+            deleteSsoConnectionCW(connection)
+        }
     } finally {
         callback()
     }
@@ -238,19 +239,12 @@ fun AwsBearerTokenConnection.lazyIsUnauthedBearerConnection(): Boolean {
 
 fun reauthConnectionIfNeeded(project: Project?, connection: ToolkitConnection): BearerTokenProvider {
     val tokenProvider = (connection.getConnectionSettings() as TokenConnectionSettings).tokenProvider.delegate as BearerTokenProvider
-
-    return reauthProviderIfNeeded(project, tokenProvider, connection.isSono())
+    return reauthProviderIfNeeded(project, tokenProvider)
 }
 
-fun reauthProviderIfNeeded(project: Project?, tokenProvider: BearerTokenProvider, isBuilderId: Boolean): BearerTokenProvider {
-    maybeReauthProviderIfNeeded(project, tokenProvider, isBuilderId) {
-        val title = if (isBuilderId) {
-            message("credentials.sono.login.pending")
-        } else {
-            message("credentials.sso.login.pending")
-        }
-
-        runUnderProgressIfNeeded(project, title, true) {
+fun reauthProviderIfNeeded(project: Project?, tokenProvider: BearerTokenProvider): BearerTokenProvider {
+    maybeReauthProviderIfNeeded(project, tokenProvider) {
+        runUnderProgressIfNeeded(project, message("credentials.pending.title"), true) {
             tokenProvider.reauthenticate()
         }
     }
@@ -262,7 +256,6 @@ fun reauthProviderIfNeeded(project: Project?, tokenProvider: BearerTokenProvider
 fun maybeReauthProviderIfNeeded(
     project: Project?,
     tokenProvider: BearerTokenProvider,
-    isBuilderId: Boolean,
     onReauthRequired: (SsoOidcException?) -> Any
 ): Boolean {
     val state = tokenProvider.state()
@@ -275,13 +268,7 @@ fun maybeReauthProviderIfNeeded(
 
         BearerTokenAuthState.NEEDS_REFRESH -> {
             try {
-                val title = if (isBuilderId) {
-                    message("credentials.sono.login.refreshing")
-                } else {
-                    message("credentials.sso.login.refreshing")
-                }
-
-                return runUnderProgressIfNeeded(project, title, true) {
+                return runUnderProgressIfNeeded(project, message("credentials.refreshing"), true) {
                     tokenProvider.resolveToken()
                     BearerTokenProviderListener.notifyCredUpdate(tokenProvider.id)
                     return@runUnderProgressIfNeeded false

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/ToolkitConnectionImpls.kt

@@ -56,7 +56,7 @@ sealed class ManagedBearerSsoConnection(
     cache: DiskCache = diskCache,
     override val id: String,
     override val label: String
-) : BearerSsoConnection, Disposable {
+) : AwsBearerTokenConnection, Disposable {
 
     private val provider =
         tokenConnection(
@@ -81,6 +81,7 @@ class DetectedDiskSsoSessionConnection(
     val sessionProfileName: String,
     override val startUrl: String,
     override val region: String,
+    override val scopes: List<String>,
     displayNameOverride: String? = null
 ) : AwsBearerTokenConnection, Disposable {
     override val id = ToolkitBearerTokenProvider.diskSessionIdentifier(sessionProfileName)

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/metadataservice/ContainerCredentialProviderFactory.kt

@@ -16,11 +16,11 @@ import software.aws.toolkits.core.credentials.CredentialsChangeListener
 import software.aws.toolkits.core.region.AwsRegion
 import software.aws.toolkits.core.utils.debug
 import software.aws.toolkits.core.utils.getLogger
-import software.aws.toolkits.jetbrains.services.caws.CawsConstants
+import software.aws.toolkits.jetbrains.utils.isCodeCatalystDevEnv
 
 class ContainerCredentialProviderFactory : CredentialProviderFactory {
     init {
-        if (System.getenv(CawsConstants.CAWS_ENV_ID_VAR) != null) {
+        if (isCodeCatalystDevEnv()) {
             throw ExtensionNotApplicableException.INSTANCE
         }
     }

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/metadataservice/InstanceRoleCredentialProviderFactory.kt

@@ -18,11 +18,11 @@ import software.aws.toolkits.core.region.AwsRegion
 import software.aws.toolkits.core.utils.debug
 import software.aws.toolkits.core.utils.getLogger
 import software.aws.toolkits.core.utils.warn
-import software.aws.toolkits.jetbrains.services.caws.CawsConstants
+import software.aws.toolkits.jetbrains.utils.isCodeCatalystDevEnv
 
 class InstanceRoleCredentialProviderFactory : CredentialProviderFactory {
     init {
-        if (System.getenv(CawsConstants.CAWS_ENV_ID_VAR) != null) {
+        if (isCodeCatalystDevEnv()) {
             throw ExtensionNotApplicableException.INSTANCE
         }
     }