fix codewhisperer auth (#3961)

Author: Will-ShaoHua

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/ToolkitConnectionImpls.kt

@@ -7,6 +7,7 @@ import com.intellij.openapi.Disposable
 import com.intellij.openapi.util.Disposer
 import software.aws.toolkits.core.TokenConnectionSettings
 import software.aws.toolkits.core.credentials.ToolkitBearerTokenProvider
+import software.aws.toolkits.jetbrains.core.credentials.sso.DiskCache
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenProvider
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.InteractiveBearerTokenProvider
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.ProfileSdkTokenProviderWrapper
@@ -16,6 +17,7 @@ class ManagedBearerSsoConnection(
     val startUrl: String,
     val region: String,
     override val scopes: List<String>,
+    cache: DiskCache = diskCache
 ) : BearerSsoConnection, Disposable {
     override val id: String = ToolkitBearerTokenProvider.ssoIdentifier(startUrl, region)
     override val label: String = ToolkitBearerTokenProvider.ssoDisplayName(startUrl)
@@ -25,7 +27,8 @@ class ManagedBearerSsoConnection(
             InteractiveBearerTokenProvider(
                 startUrl,
                 region,
-                scopes
+                scopes,
+                cache
             ),
             region
         )

jetbrains-core/src/software/aws/toolkits/jetbrains/services/codewhisperer/explorer/CodeWhispererExplorerActionManager.kt

@@ -13,14 +13,16 @@ import com.intellij.util.xmlb.annotations.Property
 import org.jetbrains.annotations.ApiStatus.ScheduledForRemoval
 import software.aws.toolkits.core.utils.getLogger
 import software.aws.toolkits.core.utils.warn
+import software.aws.toolkits.jetbrains.core.credentials.AwsBearerTokenConnection
 import software.aws.toolkits.jetbrains.core.credentials.ToolkitConnectionManager
 import software.aws.toolkits.jetbrains.core.credentials.pinning.CodeWhispererConnection
 import software.aws.toolkits.jetbrains.core.credentials.sono.isSono
+import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenAuthState
+import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenProvider
 import software.aws.toolkits.jetbrains.core.explorer.refreshDevToolTree
 import software.aws.toolkits.jetbrains.services.codewhisperer.credentials.CodeWhispererLoginType
 import software.aws.toolkits.jetbrains.services.codewhisperer.util.CodeWhispererConstants
 import software.aws.toolkits.jetbrains.services.codewhisperer.util.CodeWhispererUtil.getConnectionStartUrl
-import software.aws.toolkits.jetbrains.services.codewhisperer.util.CodeWhispererUtil.isRefreshTokenExpired
 import software.aws.toolkits.telemetry.AwsTelemetry
 import java.time.LocalDateTime
 
@@ -119,21 +121,25 @@ class CodeWhispererExplorerActionManager : PersistentStateComponent<CodeWhispere
         return actionState.token
     }
 
-    fun checkActiveCodeWhispererConnectionType(project: Project) = when {
-        actionState.token != null -> CodeWhispererLoginType.Accountless
-        isRefreshTokenExpired(project) -> CodeWhispererLoginType.Expired
-        else -> {
-            val conn = ToolkitConnectionManager.getInstance(project).activeConnectionForFeature(CodeWhispererConnection.getInstance())
-            if (conn != null) {
-                if (conn.isSono()) {
-                    CodeWhispererLoginType.Sono
-                } else {
-                    CodeWhispererLoginType.SSO
+    fun checkActiveCodeWhispererConnectionType(project: Project): CodeWhispererLoginType {
+        val conn = ToolkitConnectionManager.getInstance(project).activeConnectionForFeature(CodeWhispererConnection.getInstance()) as? AwsBearerTokenConnection
+        return conn?.let {
+            val provider = (it.getConnectionSettings().tokenProvider.delegate as? BearerTokenProvider) ?: return@let CodeWhispererLoginType.Logout
+
+            when (provider.state()) {
+                BearerTokenAuthState.AUTHORIZED -> {
+                    if (it.isSono()) {
+                        CodeWhispererLoginType.Sono
+                    } else {
+                        CodeWhispererLoginType.SSO
+                    }
                 }
-            } else {
-                CodeWhispererLoginType.Logout
+
+                BearerTokenAuthState.NEEDS_REFRESH -> CodeWhispererLoginType.Expired
+
+                BearerTokenAuthState.NOT_AUTHENTICATED -> CodeWhispererLoginType.Logout
             }
-        }
+        } ?: CodeWhispererLoginType.Logout
     }
 
     fun nullifyAccountlessCredentialIfNeeded() {
@@ -202,6 +208,11 @@ fun isCodeWhispererEnabled(project: Project) = with(CodeWhispererExplorerActionM
     checkActiveCodeWhispererConnectionType(project) != CodeWhispererLoginType.Logout
 }
 
+/**
+ * Note: please use this util with extra caution, it will return "false" for a "logout" scenario,
+ *  the reasoning is we need handling specifically for a "Expired" condition thus excluding logout from here
+ *  If callers rather need a predicate "isInvalidConnection", please use the combination of the two (!isCodeWhispererEnabled() || isCodeWhispererExpired())
+ */
 fun isCodeWhispererExpired(project: Project) = with(CodeWhispererExplorerActionManager.getInstance()) {
     checkActiveCodeWhispererConnectionType(project) == CodeWhispererLoginType.Expired
 }

jetbrains-core/src/software/aws/toolkits/jetbrains/services/codewhisperer/util/CodeWhispererUtil.kt

@@ -21,7 +21,6 @@ import software.aws.toolkits.jetbrains.core.credentials.loginSso
 import software.aws.toolkits.jetbrains.core.credentials.maybeReauthProviderIfNeeded
 import software.aws.toolkits.jetbrains.core.credentials.pinning.CodeWhispererConnection
 import software.aws.toolkits.jetbrains.core.credentials.sono.isSono
-import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenAuthState
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenProvider
 import software.aws.toolkits.jetbrains.core.explorer.refreshDevToolTree
 import software.aws.toolkits.jetbrains.services.codewhisperer.actions.CodeWhispererLoginLearnMoreAction
@@ -196,18 +195,6 @@ object CodeWhispererUtil {
         listOf(CodeWhispererSsoLearnMoreAction(), ConnectWithAwsToContinueActionError(), DoNotShowAgainActionError())
     )
 
-    fun isAccessTokenExpired(project: Project): Boolean {
-        val tokenProvider = tokenProvider(project) ?: return false
-        val state = tokenProvider.state()
-        return state == BearerTokenAuthState.NEEDS_REFRESH
-    }
-
-    fun isRefreshTokenExpired(project: Project): Boolean {
-        val tokenProvider = tokenProvider(project) ?: return false
-        val state = tokenProvider.state()
-        return state == BearerTokenAuthState.NOT_AUTHENTICATED
-    }
-
     // This will be called only when there's a CW connection, but it has expired(either accessToken or refreshToken)
     // 1. If connection is expired, try to refresh
     // 2. If not able to refresh, requesting re-login by showing a notification

jetbrains-core/tst/software/aws/toolkits/jetbrains/services/codewhisperer/CodeWhispererExplorerActionManagerTest.kt

@@ -3,16 +3,15 @@
 
 package software.aws.toolkits.jetbrains.services.codewhisperer
 
-import com.intellij.openapi.application.ApplicationManager
 import com.intellij.openapi.project.Project
-import com.intellij.testFramework.ApplicationRule
 import com.intellij.testFramework.DisposableRule
 import com.intellij.testFramework.ProjectRule
 import com.intellij.testFramework.replaceService
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.Before
 import org.junit.Rule
 import org.junit.Test
+import org.junit.rules.TemporaryFolder
 import org.mockito.kotlin.any
 import org.mockito.kotlin.mock
 import org.mockito.kotlin.spy
@@ -23,16 +22,31 @@ import software.aws.toolkits.jetbrains.core.MockClientManagerRule
 import software.aws.toolkits.jetbrains.core.credentials.ManagedBearerSsoConnection
 import software.aws.toolkits.jetbrains.core.credentials.MockToolkitAuthManagerRule
 import software.aws.toolkits.jetbrains.core.credentials.ToolkitConnectionManager
+import software.aws.toolkits.jetbrains.core.credentials.pinning.CodeWhispererConnection
+import software.aws.toolkits.jetbrains.core.credentials.pinning.ConnectionPinningManager
+import software.aws.toolkits.jetbrains.core.credentials.sono.CODEWHISPERER_SCOPES
 import software.aws.toolkits.jetbrains.core.credentials.sono.SONO_URL
+import software.aws.toolkits.jetbrains.core.credentials.sso.AccessToken
+import software.aws.toolkits.jetbrains.core.credentials.sso.AccessTokenCacheKey
+import software.aws.toolkits.jetbrains.core.credentials.sso.DiskCache
+import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenAuthState
+import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.InteractiveBearerTokenProvider
 import software.aws.toolkits.jetbrains.services.codewhisperer.credentials.CodeWhispererLoginType
-import software.aws.toolkits.jetbrains.services.codewhisperer.explorer.CodeWhispererExploreActionState
 import software.aws.toolkits.jetbrains.services.codewhisperer.explorer.CodeWhispererExplorerActionManager
 import software.aws.toolkits.jetbrains.services.codewhisperer.explorer.isCodeWhispererEnabled
+import software.aws.toolkits.jetbrains.services.codewhisperer.explorer.isCodeWhispererExpired
+import java.nio.file.Files
+import java.nio.file.Path
+import java.nio.file.Paths
+import java.time.Clock
+import java.time.Instant
+import java.time.ZoneOffset
+import java.time.temporal.ChronoUnit
 
 class CodeWhispererExplorerActionManagerTest {
     @JvmField
     @Rule
-    val applicationRule = ApplicationRule()
+    val tempFolder = TemporaryFolder()
 
     @JvmField
     @Rule
@@ -50,17 +64,24 @@ class CodeWhispererExplorerActionManagerTest {
     @Rule
     val mockClientManager = MockClientManagerRule()
 
+    private val now = Instant.now()
+    private val clock = Clock.fixed(now, ZoneOffset.UTC)
+
     private lateinit var mockManager: CodeWhispererExplorerActionManager
     private lateinit var project: Project
-    private lateinit var connectionManager: ToolkitConnectionManager
+    private lateinit var cacheRoot: Path
+    private lateinit var cacheLocation: Path
+    private lateinit var testDiskCache: DiskCache
 
     @Before
     fun setup() {
+        cacheRoot = tempFolder.root.toPath().toAbsolutePath()
+        cacheLocation = Paths.get(cacheRoot.toString(), "fakehome", ".aws", "sso", "cache")
+        Files.createDirectories(cacheLocation)
+        testDiskCache = DiskCache(cacheLocation, clock)
+
         mockClientManager.create<SsoOidcClient>()
         project = projectRule.project
-        connectionManager = mock()
-
-        project.replaceService(ToolkitConnectionManager::class.java, connectionManager, disposableRule.disposable)
     }
 
     /**
@@ -69,49 +90,14 @@ class CodeWhispererExplorerActionManagerTest {
     @Test
     fun `when there is no connection, should return logout`() {
         mockManager = spy()
-        whenever(connectionManager.activeConnectionForFeature(any())).thenReturn(null)
+        val mockConnectionManager = mock<ToolkitConnectionManager>()
+        whenever(mockConnectionManager.activeConnectionForFeature(any())).thenReturn(null)
+        project.replaceService(ToolkitConnectionManager::class.java, mockConnectionManager, disposableRule.disposable)
 
         val actual = mockManager.checkActiveCodeWhispererConnectionType(project)
         assertThat(actual).isEqualTo(CodeWhispererLoginType.Logout)
-    }
-
-    @Test
-    fun `when ToS accepted and there is an accountless token, should return accountless`() {
-        mockManager = spy()
-        mockManager.loadState(
-            // set up accountless token
-            CodeWhispererExploreActionState().apply {
-                this.token = "foo"
-            }
-        )
-
-        val actual = mockManager.checkActiveCodeWhispererConnectionType(project)
-        assertThat(actual).isEqualTo(CodeWhispererLoginType.Accountless)
-    }
-
-    @Test
-    fun `when ToS accepted, no accountless token and there is an AWS Builder ID connection, should return Sono`() {
-        assertLoginType(SONO_URL, CodeWhispererLoginType.Sono)
-    }
-
-    @Test
-    fun `when ToS accepted, no accountless token and there is an SSO connection, should return SSO`() {
-        assertLoginType(aString(), CodeWhispererLoginType.SSO)
-    }
-
-    @Test
-    fun `test nullifyAccountlessCredentialIfNeeded`() {
-        mockManager = CodeWhispererExplorerActionManager()
-        mockManager.loadState(CodeWhispererExploreActionState().apply { this.token = "foo" })
-
-        assertThat(mockManager.state.token)
-            .isNotNull
-            .isEqualTo("foo")
-
-        mockManager.nullifyAccountlessCredentialIfNeeded()
-
-        assertThat(mockManager.state.token)
-            .isNull()
+        assertThat(isCodeWhispererEnabled(project)).isFalse
+        assertThat(isCodeWhispererExpired(project)).isFalse
     }
 
     /**
@@ -120,31 +106,113 @@ class CodeWhispererExplorerActionManagerTest {
      * - should return true if loginType == Accountless || Sono || SSO
      */
     @Test
-    fun `test isCodeWhispererEnabled`() {
-        mockManager = mock()
-        ApplicationManager.getApplication().replaceService(CodeWhispererExplorerActionManager::class.java, mockManager, disposableRule.disposable)
-
-        whenever(mockManager.checkActiveCodeWhispererConnectionType(project)).thenReturn(CodeWhispererLoginType.Logout)
-        assertThat(isCodeWhispererEnabled(project)).isFalse
-
-        whenever(mockManager.checkActiveCodeWhispererConnectionType(project)).thenReturn(CodeWhispererLoginType.Accountless)
-        assertThat(isCodeWhispererEnabled(project)).isTrue
+    fun `test connection state`() {
+        assertConnectionState(
+            startUrl = SONO_URL,
+            refreshToken = aString(),
+            expirationTime = now.plus(1, ChronoUnit.DAYS),
+            expectedState = BearerTokenAuthState.AUTHORIZED,
+            expectedLoginType = CodeWhispererLoginType.Sono,
+            expectedIsCwEnabled = true,
+            expectedIsCwExpired = false
+        )
+        assertThat(ConnectionPinningManager.getInstance().isFeaturePinned(CodeWhispererConnection.getInstance())).isFalse
+
+        assertConnectionState(
+            startUrl = SONO_URL,
+            refreshToken = aString(),
+            expirationTime = now.minus(1, ChronoUnit.DAYS),
+            expectedState = BearerTokenAuthState.NEEDS_REFRESH,
+            expectedLoginType = CodeWhispererLoginType.Expired,
+            expectedIsCwEnabled = true,
+            expectedIsCwExpired = true
+        )
+        assertThat(ConnectionPinningManager.getInstance().isFeaturePinned(CodeWhispererConnection.getInstance())).isFalse
+
+        assertConnectionState(
+            startUrl = SONO_URL,
+            refreshToken = null,
+            expirationTime = now.minus(1, ChronoUnit.DAYS),
+            expectedState = BearerTokenAuthState.NOT_AUTHENTICATED,
+            expectedLoginType = CodeWhispererLoginType.Logout,
+            expectedIsCwEnabled = false,
+            expectedIsCwExpired = false
+        )
+        assertThat(ConnectionPinningManager.getInstance().isFeaturePinned(CodeWhispererConnection.getInstance())).isFalse
+
+        assertConnectionState(
+            startUrl = aString(),
+            refreshToken = aString(),
+            expirationTime = now.plus(1, ChronoUnit.DAYS),
+            expectedState = BearerTokenAuthState.AUTHORIZED,
+            expectedLoginType = CodeWhispererLoginType.SSO,
+            expectedIsCwEnabled = true,
+            expectedIsCwExpired = false
+        )
+        assertThat(ConnectionPinningManager.getInstance().isFeaturePinned(CodeWhispererConnection.getInstance())).isFalse
+
+        assertConnectionState(
+            startUrl = aString(),
+            refreshToken = aString(),
+            expirationTime = now.minus(1, ChronoUnit.DAYS),
+            expectedState = BearerTokenAuthState.NEEDS_REFRESH,
+            expectedLoginType = CodeWhispererLoginType.Expired,
+            expectedIsCwEnabled = true,
+            expectedIsCwExpired = true
+        )
+        assertThat(ConnectionPinningManager.getInstance().isFeaturePinned(CodeWhispererConnection.getInstance())).isFalse
+
+        assertConnectionState(
+            startUrl = aString(),
+            refreshToken = null,
+            expirationTime = now.minus(1, ChronoUnit.DAYS),
+            expectedState = BearerTokenAuthState.NOT_AUTHENTICATED,
+            expectedLoginType = CodeWhispererLoginType.Logout,
+            expectedIsCwEnabled = false,
+            expectedIsCwExpired = false
+        )
+        assertThat(ConnectionPinningManager.getInstance().isFeaturePinned(CodeWhispererConnection.getInstance())).isFalse
+    }
 
-        whenever(mockManager.checkActiveCodeWhispererConnectionType(project)).thenReturn(CodeWhispererLoginType.Sono)
-        assertThat(isCodeWhispererEnabled(project)).isTrue
+    private fun assertConnectionState(
+        startUrl: String,
+        refreshToken: String?,
+        expirationTime: Instant,
+        expectedState: BearerTokenAuthState,
+        expectedLoginType: CodeWhispererLoginType,
+        expectedIsCwEnabled: Boolean,
+        expectedIsCwExpired: Boolean
+    ) {
+        testDiskCache.saveAccessToken(
+            AccessTokenCacheKey(
+                connectionId = "us-east-1",
+                startUrl = startUrl,
+                scopes = CODEWHISPERER_SCOPES
+            ),
+            AccessToken(
+                startUrl = startUrl,
+                region = "us-east-1",
+                accessToken = aString(),
+                refreshToken = refreshToken,
+                expiresAt = expirationTime
+            )
+        )
 
-        whenever(mockManager.checkActiveCodeWhispererConnectionType(project)).thenReturn(CodeWhispererLoginType.SSO)
-        assertThat(isCodeWhispererEnabled(project)).isTrue
-    }
+        val myConnection = ManagedBearerSsoConnection(
+            startUrl,
+            "us-east-1",
+            CODEWHISPERER_SCOPES,
+            testDiskCache
+        )
 
-    private fun assertLoginType(startUrl: String, expectedType: CodeWhispererLoginType) {
-        mockManager = spy()
-        val conn: ManagedBearerSsoConnection = mock()
-        whenever(connectionManager.activeConnectionForFeature(any())).thenReturn(conn)
-        whenever(conn.startUrl).thenReturn(startUrl)
-        whenever(conn.getConnectionSettings()).thenReturn(null)
+        ToolkitConnectionManager.getInstance(project).switchConnection(myConnection)
+        val activeCwConn = ToolkitConnectionManager.getInstance(project).activeConnectionForFeature(CodeWhispererConnection.getInstance())
+        val myTokenProvider = myConnection.getConnectionSettings().tokenProvider.delegate as InteractiveBearerTokenProvider
 
-        val actual = mockManager.checkActiveCodeWhispererConnectionType(project)
-        assertThat(actual).isEqualTo(expectedType)
+        assertThat(activeCwConn).isEqualTo(myConnection)
+        assertThat(myTokenProvider.state()).isEqualTo(expectedState)
+        assertThat(CodeWhispererExplorerActionManager.getInstance().checkActiveCodeWhispererConnectionType(project)).isEqualTo(expectedLoginType)
+        assertThat(isCodeWhispererEnabled(project)).isEqualTo(expectedIsCwEnabled)
+        assertThat(isCodeWhispererExpired(project)).isEqualTo(expectedIsCwExpired)
     }
 }