Move legacy SSO profile users to scoped SSO (#4484)

Author: rli

plugins/amazonq/chat/jetbrains-community/tst/software/aws/toolkits/jetbrains/services/amazonq/clients/AmazonQStreamingClientTest.kt

@@ -65,7 +65,7 @@ class AmazonQStreamingClientTest : AmazonQTestBase() {
         connectionManager = mock {
             on {
                 activeConnectionForFeature(any())
-            } doReturn authManagerRule.createConnection(ManagedSsoProfile("us-east-1", aString(), emptyList())) as AwsBearerTokenConnection
+            } doReturn authManagerRule.createConnection(ManagedSsoProfile("us-east-1", aString(), listOf("scopes"))) as AwsBearerTokenConnection
         }
 
         projectRule.project.replaceService(ToolkitConnectionManager::class.java, connectionManager, disposableRule.disposable)

plugins/amazonq/chat/jetbrains-community/tst/software/aws/toolkits/jetbrains/services/amazonqFeatureDev/clients/FeatureDevClientTest.kt

@@ -100,7 +100,7 @@ class FeatureDevClientTest : FeatureDevTestBase() {
         connectionManager = mock {
             on {
                 activeConnectionForFeature(any())
-            } doReturn authManagerRule.createConnection(ManagedSsoProfile("us-east-1", aString(), emptyList())) as AwsBearerTokenConnection
+            } doReturn authManagerRule.createConnection(ManagedSsoProfile("us-east-1", aString(), listOf("scopes"))) as AwsBearerTokenConnection
         }
         projectRule.project.replaceService(ToolkitConnectionManager::class.java, connectionManager, disposableRule.disposable)
 

plugins/amazonq/codetransform/jetbrains-community/tst/software/aws/toolkits/jetbrains/services/codemodernizer/CodeWhispererCodeModernizerGumbyClientTest.kt

@@ -99,7 +99,7 @@ class CodeWhispererCodeModernizerGumbyClientTest : CodeWhispererCodeModernizerTe
         connectionManager = mock {
             on {
                 activeConnectionForFeature(any())
-            } doReturn authManagerRule.createConnection(ManagedSsoProfile("us-east-1", aString(), emptyList())) as AwsBearerTokenConnection
+            } doReturn authManagerRule.createConnection(ManagedSsoProfile("us-east-1", aString(), listOf("scopes"))) as AwsBearerTokenConnection
         }
         projectRule.project.replaceService(ToolkitConnectionManager::class.java, connectionManager, disposableRule.disposable)
 

plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/SsoRequiredInteractiveCredentials.kt

@@ -4,17 +4,31 @@
 package software.aws.toolkits.jetbrains.core.credentials
 
 import com.intellij.openapi.actionSystem.AnAction
+import software.aws.toolkits.jetbrains.core.credentials.sono.IDENTITY_CENTER_ROLE_ACCESS_SCOPE
+import software.aws.toolkits.jetbrains.core.credentials.sso.LazyAccessTokenProvider
 import software.aws.toolkits.jetbrains.core.credentials.sso.SsoCache
 import software.aws.toolkits.resources.message
 
 interface SsoRequiredInteractiveCredentials : InteractiveCredential {
     val ssoCache: SsoCache
     val ssoUrl: String
+    val ssoRegion: String
 
     override val userActionDisplayMessage: String get() = message("credentials.sso.display", displayName)
     override val userActionShortDisplayMessage: String get() = message("credentials.sso.display.short")
 
     override val userAction: AnAction get() = RefreshConnectionAction(message("credentials.sso.action"))
 
-    override fun userActionRequired(): Boolean = ssoCache.loadAccessToken(ssoUrl) == null
+    private val lazyTokenProvider: LazyAccessTokenProvider
+        get() = LazyAccessTokenProvider(
+            ssoCache,
+            ssoUrl,
+            ssoRegion,
+            listOf(IDENTITY_CENTER_ROLE_ACCESS_SCOPE)
+        )
+
+    // assumes single scope if we're going through this interface
+    override fun userActionRequired(): Boolean = lazyTokenProvider.resolveToken() == null
+
+    fun invalidateCurrentToken() = lazyTokenProvider.invalidate()
 }

plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/profiles/ProfileCredentialProviderFactory.kt

@@ -22,6 +22,7 @@ import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider
 import software.amazon.awssdk.auth.credentials.SystemPropertyCredentialsProvider
 import software.amazon.awssdk.profiles.Profile
 import software.amazon.awssdk.profiles.ProfileProperty
+import software.amazon.awssdk.services.sso.model.UnauthorizedException
 import software.amazon.awssdk.services.ssooidc.model.SsoOidcException
 import software.aws.toolkits.core.credentials.CredentialIdentifier
 import software.aws.toolkits.core.credentials.CredentialIdentifierBase
@@ -80,9 +81,30 @@ private class ProfileCredentialsIdentifierLegacySso(
     defaultRegionId: String?,
     override val ssoCache: SsoCache,
     override val ssoUrl: String,
+    override val ssoRegion: String,
     credentialType: CredentialType?
 ) : ProfileCredentialsIdentifier(profileName, defaultRegionId, credentialType),
-    SsoRequiredInteractiveCredentials
+    SsoRequiredInteractiveCredentials,
+    PostValidateInteractiveCredential {
+    // react to failure to use the local credential set
+    override fun handleValidationException(e: Exception) = ifReAuthNeeded(e) {
+        ConnectionState.RequiresUserAction(
+            object : InteractiveCredential, CredentialIdentifier by this {
+                override val userActionDisplayMessage = message("credentials.sso.display", displayName)
+                override val userActionShortDisplayMessage = message("credentials.sso.display.short")
+                override val userAction = object : AnAction(message("credentials.sso.action")), DumbAware {
+                    override fun actionPerformed(e: AnActionEvent) {
+                        invalidateCurrentToken()
+
+                        RefreshConnectionAction().actionPerformed(e)
+                    }
+                }
+
+                override fun userActionRequired() = true
+            }
+        )
+    }
+}
 
 class ProfileCredentialsIdentifierSso @TestOnly constructor(
     profileName: String,
@@ -92,10 +114,9 @@ class ProfileCredentialsIdentifierSso @TestOnly constructor(
 ) : ProfileCredentialsIdentifier(profileName, defaultRegionId, credentialType), PostValidateInteractiveCredential, SsoSessionBackedCredentialIdentifier {
     override val sessionIdentifier = "$SSO_SESSION_SECTION_NAME:$ssoSessionName"
 
-    override fun handleValidationException(e: Exception): ConnectionState.RequiresUserAction? {
-        // in the new SSO flow, we must attempt validation before knowing if user action is truly required
-        if (findUpException<SsoOidcException>(e) || findUpException<IllegalStateException>(e) || findUpException<NoTokenInitializedException>(e)) {
-            return ConnectionState.RequiresUserAction(
+    override fun handleValidationException(e: Exception): ConnectionState.RequiresUserAction? =
+        ifReAuthNeeded(e) {
+            ConnectionState.RequiresUserAction(
                 object : InteractiveCredential, CredentialIdentifier by this {
                     override val userActionDisplayMessage = message("credentials.sso.display", displayName)
                     override val userActionShortDisplayMessage = message("credentials.sso.display.short")
@@ -121,23 +142,33 @@ class ProfileCredentialsIdentifierSso @TestOnly constructor(
                 }
             )
         }
+}
 
-        return null
+// in the new SSO flow, we must attempt validation before knowing if user action is truly required
+private fun ifReAuthNeeded(e: Exception, action: () -> ConnectionState.RequiresUserAction?): ConnectionState.RequiresUserAction? {
+    if (findUpException<SsoOidcException>(e) ||
+        findUpException<IllegalStateException>(e) ||
+        findUpException<NoTokenInitializedException>(e) ||
+        findUpException<UnauthorizedException>(e)
+    ) {
+        return action()
     }
 
-    // true exception could be further up the chain
-    private inline fun<reified T : Throwable> findUpException(e: Throwable?): Boolean {
-        // inline fun can't use recursion
-        var throwable = e
-        while (throwable != null) {
-            if (throwable is T) {
-                return true
-            }
-            throwable = throwable.cause
-        }
+    return null
+}
 
-        return false
+// true exception could be further up the chain
+private inline fun<reified T : Throwable> findUpException(e: Throwable?): Boolean {
+    // inline fun can't use recursion
+    var throwable = e
+    while (throwable != null) {
+        if (throwable is T) {
+            return true
+        }
+        throwable = throwable.cause
     }
+
+    return false
 }
 
 private class NeverShowAgain : DumbAwareAction(message("settings.never_show_again")) {
@@ -410,6 +441,7 @@ class ProfileCredentialProviderFactory(private val ssoCache: SsoCache = diskCach
                 defaultRegion,
                 ssoCache,
                 this.traverseCredentialChain(profiles).map { it.property(ProfileProperty.SSO_START_URL) }.first { it.isPresent }.get(),
+                this.traverseCredentialChain(profiles).map { it.property(ProfileProperty.SSO_REGION) }.first { it.isPresent }.get(),
                 requestedProfileType
             )
             this.requiresSso() -> ProfileCredentialsIdentifierSso(

plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/profiles/ProfileLegacySsoProvider.kt

@@ -13,6 +13,7 @@ import software.amazon.awssdk.services.sso.SsoClient
 import software.amazon.awssdk.services.ssooidc.SsoOidcClient
 import software.amazon.awssdk.utils.SdkAutoCloseable
 import software.aws.toolkits.jetbrains.core.AwsClientManager
+import software.aws.toolkits.jetbrains.core.credentials.sono.IDENTITY_CENTER_ROLE_ACCESS_SCOPE
 import software.aws.toolkits.jetbrains.core.credentials.sso.SsoAccessTokenProvider
 import software.aws.toolkits.jetbrains.core.credentials.sso.SsoCache
 import software.aws.toolkits.jetbrains.core.credentials.sso.SsoCredentialProvider
@@ -35,6 +36,7 @@ class ProfileLegacySsoProvider(ssoCache: SsoCache, profile: Profile) : AwsCreden
             ssoCache,
             ssoOidcClient,
             isAlwaysShowDeviceCode = true,
+            scopes = listOf(IDENTITY_CENTER_ROLE_ACCESS_SCOPE),
         )
 
         credentialsProvider = SsoCredentialProvider(

plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/sso/ClientRegistration.kt

@@ -54,19 +54,21 @@ data class PKCEClientRegistration(
     override fun toString(): String = redactedString(this)
 }
 
-sealed interface ClientRegistrationCacheKey
+sealed interface ClientRegistrationCacheKey {
+    val region: String
+}
 
 // only applicable in scoped registration path
 // based on internal development branch @da780a4,L2574-2586
 data class DeviceAuthorizationClientRegistrationCacheKey(
     val startUrl: String,
     val scopes: List<String>,
-    val region: String,
+    override val region: String,
 ) : ClientRegistrationCacheKey
 
 data class PKCEClientRegistrationCacheKey(
     val issuerUrl: String,
-    val region: String,
+    override val region: String,
     val scopes: List<String>,
     // assume clientType, grantTypes, redirectUris are static, but throw them in just in case
     val clientType: String,

plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/sso/DiskCache.kt

@@ -93,20 +93,6 @@ class DiskCache(
             )
         }
 
-    override fun loadClientRegistration(ssoRegion: String): ClientRegistration? {
-        LOG.debug { "loadClientRegistration for $ssoRegion" }
-        val inputStream = clientRegistrationCache(ssoRegion).tryInputStreamIfExists() ?: return null
-        return loadClientRegistration(inputStream)
-    }
-
-    override fun saveClientRegistration(ssoRegion: String, registration: ClientRegistration) {
-        LOG.debug { "saveClientRegistration for $ssoRegion" }
-        val registrationCache = clientRegistrationCache(ssoRegion)
-        writeKey(registrationCache) {
-            objectMapper.writeValue(it, registration)
-        }
-    }
-
     override fun invalidateClientRegistration(ssoRegion: String) {
         LOG.debug { "invalidateClientRegistration for $ssoRegion" }
         clientRegistrationCache(ssoRegion).tryDeleteIfExists()
@@ -133,22 +119,6 @@ class DiskCache(
         clientRegistrationCache(cacheKey).tryDeleteIfExists()
     }
 
-    override fun loadAccessToken(ssoUrl: String): AccessToken? {
-        LOG.debug { "loadAccessToken for $ssoUrl" }
-        val cacheFile = accessTokenCache(ssoUrl)
-        val inputStream = cacheFile.tryInputStreamIfExists() ?: return null
-
-        return loadAccessToken(inputStream)
-    }
-
-    override fun saveAccessToken(ssoUrl: String, accessToken: AccessToken) {
-        LOG.debug { "saveAccessToken for $ssoUrl" }
-        val accessTokenCache = accessTokenCache(ssoUrl)
-        writeKey(accessTokenCache) {
-            objectMapper.writeValue(it, accessToken)
-        }
-    }
-
     override fun invalidateAccessToken(ssoUrl: String) {
         LOG.debug { "invalidateAccessToken for $ssoUrl" }
         accessTokenCache(ssoUrl).tryDeleteIfExists()