tst/lint

Author: rli

plugins/amazonq/shared/jetbrains-community/src/software/aws/toolkits/jetbrains/services/amazonq/lsp/auth/DefaultAuthCredentialsService.kt

@@ -165,7 +165,6 @@ class DefaultAuthCredentialsService(
     private fun updateTokenFromConnection(connection: ToolkitConnection): CompletableFuture<ResponseMessage> =
         updateTokenCredentials(connection, true)
 
-
     private fun createUpdateCredentialsPayload(connection: ToolkitConnection, encrypted: Boolean): UpdateCredentialsPayload {
         val token = (connection.getConnectionSettings() as? TokenConnectionSettings)
             ?.tokenProvider

plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/sso/SsoAccessTokenProvider.kt

@@ -194,7 +194,7 @@ class SsoAccessTokenProvider(
 
     @Deprecated("Device authorization grant flow is deprecated")
     private fun registerDAGClient(): ClientRegistration {
-        loadDagClientRegistration(SourceOfLoadRegistration.REGISTER_CLIENT.toString())?.let {
+        loadDagClientRegistration(SourceOfLoadRegistration.REGISTER_CLIENT)?.let {
             return it
         }
 
@@ -235,7 +235,7 @@ class SsoAccessTokenProvider(
     }
 
     private fun registerPkceClient(): PKCEClientRegistration {
-        loadPkceClientRegistration(SourceOfLoadRegistration.REGISTER_CLIENT.toString())?.let {
+        loadPkceClientRegistration(SourceOfLoadRegistration.REGISTER_CLIENT)?.let {
             return it
         }
 
@@ -431,8 +431,8 @@ class SsoAccessTokenProvider(
         stageName = RefreshCredentialStage.LOAD_REGISTRATION
         val registration = try {
             when (currentToken) {
-                is DeviceAuthorizationGrantToken -> loadDagClientRegistration(SourceOfLoadRegistration.REFRESH_TOKEN.toString())
-                is PKCEAuthorizationGrantToken -> loadPkceClientRegistration(SourceOfLoadRegistration.REFRESH_TOKEN.toString())
+                is DeviceAuthorizationGrantToken -> loadDagClientRegistration(SourceOfLoadRegistration.REFRESH_TOKEN)
+                is PKCEAuthorizationGrantToken -> loadPkceClientRegistration(SourceOfLoadRegistration.REFRESH_TOKEN)
             }
         } catch (e: Exception) {
             val message = e.message ?: "$stageName: ${e::class.java.name}"
@@ -519,13 +519,13 @@ class SsoAccessTokenProvider(
         SAVE_TOKEN,
     }
 
-    private fun loadDagClientRegistration(source: String): ClientRegistration? =
-        cache.loadClientRegistration(dagClientRegistrationCacheKey, source)?.let {
+    private fun loadDagClientRegistration(source: SourceOfLoadRegistration): ClientRegistration? =
+        cache.loadClientRegistration(dagClientRegistrationCacheKey, source.toString())?.let {
             return it
         }
 
-    private fun loadPkceClientRegistration(source: String): PKCEClientRegistration? =
-        cache.loadClientRegistration(pkceClientRegistrationCacheKey, source)?.let {
+    private fun loadPkceClientRegistration(source: SourceOfLoadRegistration): PKCEClientRegistration? =
+        cache.loadClientRegistration(pkceClientRegistrationCacheKey, source.toString())?.let {
             return it as PKCEClientRegistration
         }
 

plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/sso/bearer/BearerTokenProvider.kt

@@ -37,8 +37,8 @@ import software.aws.toolkits.jetbrains.core.credentials.sso.DiskCache
 import software.aws.toolkits.jetbrains.core.credentials.sso.PendingAuthorization
 import software.aws.toolkits.jetbrains.core.credentials.sso.SsoAccessTokenProvider
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenProviderListener.Companion.TOPIC
+import java.time.Clock
 import java.time.Duration
-import java.time.Instant
 import java.util.concurrent.atomic.AtomicBoolean
 import java.util.concurrent.atomic.AtomicReference
 import java.util.function.Supplier
@@ -75,11 +75,11 @@ interface BearerTokenProvider : SdkTokenProvider, SdkAutoCloseable, ToolkitBeare
     }
 
     companion object {
-        internal fun tokenExpired(accessToken: AccessToken) = Instant.now().isAfter(accessToken.expiresAt)
+        private fun tokenExpired(accessToken: AccessToken, clock: Clock) = clock.instant().isAfter(accessToken.expiresAt)
 
-        internal fun state(accessToken: AccessToken?) = when {
+        internal fun state(accessToken: AccessToken?, clock: Clock = Clock.systemUTC()) = when {
             accessToken == null -> BearerTokenAuthState.NOT_AUTHENTICATED
-            tokenExpired(accessToken) -> {
+            tokenExpired(accessToken, clock) -> {
                 if (accessToken.refreshToken != null) {
                     BearerTokenAuthState.NEEDS_REFRESH
                 } else {
@@ -98,6 +98,7 @@ class InteractiveBearerTokenProvider(
     val scopes: List<String>,
     override val id: String,
     cache: DiskCache = diskCache,
+    private val clock: Clock = Clock.systemUTC(),
 ) : BearerTokenProvider, BearerTokenLogoutSupport, Disposable {
     override val displayName = ToolkitBearerTokenProvider.ssoDisplayName(startUrl)
 
@@ -146,7 +147,7 @@ class InteractiveBearerTokenProvider(
         SupplierWithInitialValue(initialValue, accessTokenProvider).let {
             SupplierHolder(
                 it,
-                CachedSupplier.builder(it).prefetchStrategy(NonBlocking("AWS SSO bearer token refresher")).build()
+                CachedSupplier.builder(it).clock(clock).prefetchStrategy(NonBlocking("AWS SSO bearer token refresher")).build()
             )
         }
 
@@ -163,8 +164,14 @@ class InteractiveBearerTokenProvider(
             val token = if (hasCalledAtLeastOnce.getAndSet(true)) {
                 refresh()
             } else {
-                initialValue ?: throw NoTokenInitializedException("Token refresh started before session initialized")
+                // on initial call, refresh if needed
+                if (initialValue != null && initialValue.expiresAt.minus(DEFAULT_PREFETCH_DURATION) < clock.instant()) {
+                    refresh()
+                } else {
+                    initialValue ?: throw NoTokenInitializedException("Token provider initialized with no token")
+                }
             }
+
             return RefreshResult.builder(token)
                 .staleTime(token.expiresAt.minus(DEFAULT_STALE_DURATION))
                 .prefetchTime(token.expiresAt.minus(DEFAULT_PREFETCH_DURATION))
@@ -187,6 +194,8 @@ class InteractiveBearerTokenProvider(
         }
     }
 
+    override fun state() = BearerTokenProvider.state(currentToken(), clock)
+
     // how we expect consumers to obtain a token
     override fun resolveToken() = supplier.cachedSupplier.get()
 
@@ -209,6 +218,7 @@ class InteractiveBearerTokenProvider(
 
     override fun invalidate() {
         accessTokenProvider.invalidate()
+        supplier.cachedSupplier.close()
         supplier = supplier()
         BearerTokenProviderListener.notifyCredUpdate(id)
     }
@@ -217,6 +227,7 @@ class InteractiveBearerTokenProvider(
         // we probably don't need to invalidate this, but we might as well since we need to login again anyways
         invalidate()
         accessTokenProvider.accessToken().also {
+            supplier.cachedSupplier.close()
             supplier = supplier(it)
             BearerTokenProviderListener.notifyCredUpdate(id)
         }

plugins/core/jetbrains-community/tst/software/aws/toolkits/jetbrains/core/credentials/sso/bearer/InteractiveBearerTokenProviderTest.kt

@@ -13,11 +13,10 @@ import org.junit.Before
 import org.junit.Rule
 import org.junit.Test
 import org.junit.jupiter.api.assertThrows
-import org.mockito.Mockito
 import org.mockito.kotlin.any
 import org.mockito.kotlin.argThat
-import org.mockito.kotlin.eq
 import org.mockito.kotlin.mock
+import org.mockito.kotlin.reset
 import org.mockito.kotlin.spy
 import org.mockito.kotlin.times
 import org.mockito.kotlin.verify
@@ -49,6 +48,7 @@ import software.aws.toolkits.jetbrains.core.credentials.sso.DeviceAuthorizationG
 import software.aws.toolkits.jetbrains.core.credentials.sso.DeviceGrantAccessTokenCacheKey
 import software.aws.toolkits.jetbrains.core.credentials.sso.DiskCache
 import software.aws.toolkits.jetbrains.core.credentials.sso.PKCEAccessTokenCacheKey
+import java.time.Clock
 import java.time.Instant
 import java.time.temporal.ChronoUnit
 
@@ -158,7 +158,7 @@ class InteractiveBearerTokenProviderTest {
     }
 
     @Test
-    fun `resolveToken does't refresh if token was retrieved recently`() {
+    fun `resolveToken doesn't refresh if token was retrieved recently`() {
         stubClientRegistration()
         whenever(diskCache.loadAccessToken(any<DeviceGrantAccessTokenCacheKey>())).thenReturn(
             DeviceAuthorizationGrantToken(
@@ -173,11 +173,56 @@ class InteractiveBearerTokenProviderTest {
         sut.resolveToken()
     }
 
+    @Test
+    fun `resolveToken attempts to refresh token on first invoke if expired`() {
+        stubClientRegistration()
+        stubAccessToken()
+        whenever(diskCache.loadAccessToken(any<DeviceGrantAccessTokenCacheKey>())).thenReturn(
+            DeviceAuthorizationGrantToken(
+                startUrl = startUrl,
+                region = region,
+                accessToken = "accessToken",
+                refreshToken = "refreshToken",
+                expiresAt = Instant.now()
+            )
+        )
+        val sut = buildSut()
+        sut.resolveToken()
+
+        verify(oidcClient).createToken(any<CreateTokenRequest>())
+    }
+
+    @Test
+    fun `resolveToken refreshes on subsequent invokes if expired`() {
+        val mockClock = mock<Clock>()
+        whenever(mockClock.instant()).thenReturn(Instant.now())
+        stubClientRegistration()
+        stubAccessToken()
+        whenever(diskCache.loadAccessToken(any<DeviceGrantAccessTokenCacheKey>())).thenReturn(
+            DeviceAuthorizationGrantToken(
+                startUrl = startUrl,
+                region = region,
+                accessToken = "accessToken",
+                refreshToken = "refreshToken",
+                expiresAt = Instant.now().plus(1, ChronoUnit.HOURS)
+            )
+        )
+        val sut = buildSut(mockClock)
+        // current token should be valid
+        assertThat(sut.resolveToken().accessToken).isEqualTo("accessToken")
+        verify(oidcClient, times(0)).createToken(any<CreateTokenRequest>())
+
+        // then if we advance the clock it should refresh
+        whenever(mockClock.instant()).thenReturn(Instant.now().plus(100, ChronoUnit.DAYS))
+        assertThat(sut.resolveToken().accessToken).isEqualTo("access1")
+        verify(oidcClient, times(1)).createToken(any<CreateTokenRequest>())
+    }
+
     @Test
     fun `resolveToken throws if reauthentication is needed`() {
         stubClientRegistration()
         stubAccessToken()
-        Mockito.reset(oidcClient)
+        reset(oidcClient)
         whenever(oidcClient.createToken(any<CreateTokenRequest>())).thenThrow(AccessDeniedException.create("denied", null))
 
         val sut = buildSut()
@@ -206,7 +251,8 @@ class InteractiveBearerTokenProviderTest {
         sut.invalidate()
 
         // initial load
-        verify(diskCache).loadAccessToken(any<DeviceGrantAccessTokenCacheKey>())
+        // invalidate attempts to reload token from disk
+        verify(diskCache, times(2)).loadAccessToken(any<DeviceGrantAccessTokenCacheKey>())
         verify(diskCache).invalidateClientRegistration(region)
         verify(diskCache).invalidateAccessToken(startUrl)
 
@@ -230,22 +276,22 @@ class InteractiveBearerTokenProviderTest {
         stubAccessToken()
         val sut = buildSut()
 
-        assertThat(sut.currentToken()?.accessToken).isEqualTo("accessToken")
+        assertThat(sut.resolveToken().accessToken).isEqualTo("access1")
 
         // and now instead of trying to stub out the entire OIDC device flow, abuse the fact that we short-circuit and read from disk if available
-        Mockito.reset(diskCache)
+        reset(diskCache)
         whenever(diskCache.loadAccessToken(any<DeviceGrantAccessTokenCacheKey>())).thenReturn(
             DeviceAuthorizationGrantToken(
                 startUrl = startUrl,
                 region = region,
-                accessToken = "access1",
-                refreshToken = "refresh1",
+                accessToken = "access1234",
+                refreshToken = "refresh1234",
                 expiresAt = Instant.MAX
             )
         )
         sut.reauthenticate()
 
-        assertThat(sut.currentToken()?.accessToken).isEqualTo("access1")
+        assertThat(sut.resolveToken().accessToken).isEqualTo("access1234")
     }
 
     @Test
@@ -263,16 +309,17 @@ class InteractiveBearerTokenProviderTest {
         verify(mockListener, times(2)).onProviderChange(sut.id)
     }
 
-    private fun buildSut() = InteractiveBearerTokenProvider(
+    private fun buildSut(clock: Clock = Clock.systemUTC()) = InteractiveBearerTokenProvider(
         startUrl = startUrl,
         region = region,
         scopes = scopes,
         cache = diskCache,
-        id = "test"
+        id = "test",
+        clock = clock,
     )
 
     private fun stubClientRegistration() {
-        whenever(diskCache.loadClientRegistration(any<DeviceAuthorizationClientRegistrationCacheKey>(), eq("testSource"))).thenReturn(
+        whenever(diskCache.loadClientRegistration(any<DeviceAuthorizationClientRegistrationCacheKey>(), any())).thenReturn(
             DeviceAuthorizationClientRegistration(
                 "",
                 "",
@@ -288,7 +335,7 @@ class InteractiveBearerTokenProviderTest {
                 region = region,
                 accessToken = "accessToken",
                 refreshToken = "refreshToken",
-                expiresAt = Instant.MIN
+                expiresAt = Instant.now().minus(100, ChronoUnit.DAYS),
             )
         )
         whenever(oidcClient.createToken(any<CreateTokenRequest>())).thenReturn(