Prompt user when attempting to sign-in to multiple Builder IDs (#3519)

Author: rli

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/ToolkitAuthManager.kt

@@ -7,6 +7,7 @@ import com.intellij.openapi.application.ApplicationManager
 import com.intellij.openapi.components.service
 import com.intellij.openapi.extensions.ExtensionPointName
 import com.intellij.openapi.project.Project
+import com.intellij.openapi.ui.MessageDialogBuilder
 import software.amazon.awssdk.services.ssooidc.model.SsoOidcException
 import software.aws.toolkits.core.ClientConnectionSettings
 import software.aws.toolkits.core.ConnectionSettings
@@ -16,10 +17,12 @@ import software.aws.toolkits.core.utils.getLogger
 import software.aws.toolkits.core.utils.info
 import software.aws.toolkits.jetbrains.core.credentials.pinning.FeatureWithPinnedConnection
 import software.aws.toolkits.jetbrains.core.credentials.sono.ALL_SONO_SCOPES
+import software.aws.toolkits.jetbrains.core.credentials.sono.isSono
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenAuthState
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenProvider
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenProviderListener
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.DEFAULT_SSO_REGION
+import software.aws.toolkits.jetbrains.utils.computeOnEdt
 import software.aws.toolkits.jetbrains.utils.runUnderProgressIfNeeded
 import software.aws.toolkits.resources.message
 
@@ -101,23 +104,44 @@ fun loginSso(project: Project?, startUrl: String, scopes: List<String> = ALL_SON
     val manager = ToolkitAuthManager.getInstance()
 
     return manager.getConnection(connectionId)?.let { connection ->
+        val logger = getLogger<ToolkitAuthManager>()
+        // requested Builder ID, but one already exists
+        // TBD: do we do this for regular SSO too?
+        if (connection.isSono()) {
+            val signOut = computeOnEdt {
+                MessageDialogBuilder.yesNo(
+                    message("toolkit.login.aws_builder_id.already_connected.title"),
+                    message("toolkit.login.aws_builder_id.already_connected.message")
+                )
+                    .yesText(message("toolkit.login.aws_builder_id.already_connected.reconnect"))
+                    .noText(message("toolkit.login.aws_builder_id.already_connected.cancel"))
+                    .ask(project)
+            }
+
+            if (signOut) {
+                logger.info {
+                    "Forcing reauth on ${connection.id} since user requested Builder ID while already connected to Builder ID"
+                }
+
+                logoutFromSsoConnection(project, connection as AwsBearerTokenConnection)
+                return@let null
+            }
+        }
+
         // There is an existing connection we can use
         if (connection is BearerSsoConnection && !scopes.all { it in connection.scopes }) {
-            getLogger<ToolkitAuthManager>().info {
+            logger.info {
                 "Forcing reauth on ${connection.id} since requested scopes ($scopes) are not a complete subset of current scopes (${connection.scopes})"
             }
+
             // can't reuse since requested scopes are not in current connection. forcing reauth
             manager.deleteConnection(connection)
             return@let null
         }
 
         // For the case when the existing connection is in invalid state, we need to re-auth
         if (connection is AwsBearerTokenConnection) {
-            val tokenProvider = reauthProviderIfNeeded(connection)
-
-            ToolkitConnectionManager.getInstance(project).switchConnection(connection)
-
-            return tokenProvider
+            reauthConnection(project, connection)
         }
 
         null
@@ -132,18 +156,22 @@ fun loginSso(project: Project?, startUrl: String, scopes: List<String> = ALL_SON
         )
 
         try {
-            val provider = reauthProviderIfNeeded(connection)
-
-            ToolkitConnectionManager.getInstance(project).switchConnection(connection)
-
-            provider
+            reauthConnection(project, connection)
         } catch (e: Exception) {
             manager.deleteConnection(connection)
             throw e
         }
     }
 }
 
+private fun reauthConnection(project: Project?, connection: ToolkitConnection): BearerTokenProvider {
+    val provider = reauthProviderIfNeeded(connection)
+
+    ToolkitConnectionManager.getInstance(project).switchConnection(connection)
+
+    return provider
+}
+
 fun logoutFromSsoConnection(project: Project?, connection: AwsBearerTokenConnection, callback: () -> Unit = {}) {
     try {
         ApplicationManager.getApplication().messageBus.syncPublisher(BearerTokenProviderListener.TOPIC).invalidate(connection.id)

resources/resources/software/aws/toolkits/resources/MessagesBundle.properties

@@ -1390,6 +1390,10 @@ sqs.subscribe.sns.validation.empty_topic=Topic must be specified.
 sqs.toolwindow=SQS
 sqs.url.parse_error=Error parsing SQS queue URL
 tags.title=Tags
+toolkit.login.aws_builder_id.already_connected.cancel=Use existing AWS Builder ID
+toolkit.login.aws_builder_id.already_connected.message=You already signed in with an AWS Builder ID.\nSign out to add another?
+toolkit.login.aws_builder_id.already_connected.reconnect=Sign out
+toolkit.login.aws_builder_id.already_connected.title=Sign out of current AWS Builder ID?
 toolkit.login.dialog.aws_builder_id.comment=AWS Builder ID is a new personal profile for builders. <a href='https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/codewhisperer.html'>Learn More</a>
 toolkit.login.dialog.aws_builder_id.title=Use a personal email to sign up and sign in with AWS Builder ID
 toolkit.login.dialog.connect_button=Connect