Support testing using Builder ID credentials (#3586)

Author: rli

core/src/software/aws/toolkits/core/utils/SensitiveField.kt

@@ -0,0 +1,43 @@
+// Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package software.aws.toolkits.core.utils
+
+import kotlin.reflect.full.hasAnnotation
+import kotlin.reflect.full.memberProperties
+
+@Target(AnnotationTarget.PROPERTY)
+annotation class SensitiveField
+
+fun redactedString(o: Any): String {
+    val clazz = o::class
+    if (!clazz.isData) {
+        error("Only supports redacting data classes")
+    }
+
+    return buildString {
+        append(clazz.simpleName)
+        append("(")
+
+        val properties = o::class.memberProperties
+        properties.forEachIndexed { i, prop ->
+            append(prop.name)
+            append("=")
+            if (prop.hasAnnotation<SensitiveField>()) {
+                if (prop.getter.call(o) == null) {
+                    append("null")
+                } else {
+                    append("<redacted>")
+                }
+            } else {
+                append(prop.getter.call(o))
+            }
+
+            if (i != properties.size - 1) {
+                append(", ")
+            }
+        }
+
+        append(")")
+    }
+}

jetbrains-core/it/software/aws/toolkits/jetbrains/core/credentials/sso/bearer/InteractiveBearerTokenProviderIntegrationTest.kt

@@ -0,0 +1,79 @@
+// Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package software.aws.toolkits.jetbrains.core.credentials.sso.bearer
+
+import com.intellij.openapi.util.Disposer
+import com.intellij.testFramework.ApplicationExtension
+import org.assertj.core.api.Assertions.assertThat
+import org.assertj.core.api.Assumptions.assumeThat
+import org.junit.jupiter.api.MethodOrderer
+import org.junit.jupiter.api.Order
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.TestMethodOrder
+import org.junit.jupiter.api.extension.ExtendWith
+import org.junit.jupiter.api.io.TempDir
+import software.aws.toolkits.jetbrains.core.credentials.sono.SONO_REGION
+import software.aws.toolkits.jetbrains.core.credentials.sono.SONO_URL
+import software.aws.toolkits.jetbrains.core.credentials.sso.AccessTokenCacheKey
+import software.aws.toolkits.jetbrains.core.credentials.sso.DiskCache
+import software.aws.toolkits.jetbrains.utils.extensions.SsoLogin
+import software.aws.toolkits.jetbrains.utils.extensions.SsoLoginExtension
+import java.nio.file.Path
+import java.time.Instant
+
+@TestMethodOrder(MethodOrderer.OrderAnnotation::class)
+@ExtendWith(ApplicationExtension::class, SsoLoginExtension::class)
+@SsoLogin("codecatalyst-test-account")
+class InteractiveBearerTokenProviderIntegrationTest {
+    companion object {
+        @JvmStatic
+        @TempDir
+        private lateinit var diskCachePath: Path
+
+        private val testScopes = listOf("sso:account:access")
+        private val diskCache by lazy { DiskCache(cacheDir = diskCachePath) }
+        private val cacheKey = AccessTokenCacheKey(SONO_REGION, SONO_URL, testScopes)
+    }
+
+    @Test
+    @Order(1)
+    fun `test Builder ID login`() {
+        val initialToken = diskCache.loadAccessToken(cacheKey)
+        assertThat(initialToken).isNull()
+
+        val sut = InteractiveBearerTokenProvider(
+            startUrl = SONO_URL,
+            region = SONO_REGION,
+            scopes = testScopes,
+            cache = diskCache
+        )
+
+        sut.reauthenticate()
+        assertThat(sut.resolveToken()).isNotNull()
+
+        Disposer.dispose(sut)
+    }
+
+    @Test
+    @Order(2)
+    fun `test token refresh`() {
+        val initialToken = diskCache.loadAccessToken(cacheKey)
+        assumeThat(initialToken).isNotNull
+
+        diskCache.saveAccessToken(cacheKey, initialToken!!.copy(accessToken = "invalid", expiresAt = Instant.EPOCH))
+        val sut = InteractiveBearerTokenProvider(
+            startUrl = SONO_URL,
+            region = SONO_REGION,
+            scopes = testScopes,
+            cache = diskCache
+        )
+
+        assertThat(sut.resolveToken()).satisfies {
+            assertThat(it).isNotNull()
+            assertThat(it).isNotEqualTo(initialToken)
+        }
+
+        Disposer.dispose(sut)
+    }
+}

jetbrains-core/resources/META-INF/plugin.xml

@@ -198,6 +198,9 @@ with what features/services are supported.
         <applicationService serviceInterface="software.aws.toolkits.jetbrains.settings.AwsSettings"
                             serviceImplementation="software.aws.toolkits.jetbrains.settings.DefaultAwsSettings"
                             testServiceImplementation="software.aws.toolkits.jetbrains.settings.MockAwsSettings" />
+        <applicationService serviceInterface="software.aws.toolkits.jetbrains.core.credentials.sso.SsoLoginCallbackProvider"
+                            serviceImplementation="software.aws.toolkits.jetbrains.core.credentials.sso.DefaultSsoLoginCallbackProvider"
+                            testServiceImplementation="software.aws.toolkits.jetbrains.core.credentials.sso.MockSsoLoginCallbackProvider" />
 
         <applicationService serviceImplementation="software.aws.toolkits.jetbrains.settings.EcsExecCommandSettings"/>
         <applicationService serviceImplementation="software.aws.toolkits.jetbrains.settings.SamDisplayDevModeWarningSettings"/>

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/SsoSupport.kt

@@ -3,53 +3,16 @@
 
 package software.aws.toolkits.jetbrains.core.credentials
 
-import com.intellij.ide.BrowserUtil
 import com.intellij.openapi.actionSystem.AnAction
-import com.intellij.openapi.progress.ProcessCanceledException
-import com.intellij.openapi.project.ProjectManager
-import software.aws.toolkits.jetbrains.core.credentials.sso.Authorization
 import software.aws.toolkits.jetbrains.core.credentials.sso.DiskCache
 import software.aws.toolkits.jetbrains.core.credentials.sso.SsoCache
-import software.aws.toolkits.jetbrains.core.credentials.sso.SsoLoginCallback
-import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.CopyUserCodeForLoginDialog
-import software.aws.toolkits.jetbrains.utils.computeOnEdt
-import software.aws.toolkits.jetbrains.utils.notifyError
 import software.aws.toolkits.resources.message
-import software.aws.toolkits.telemetry.AwsTelemetry
-import software.aws.toolkits.telemetry.CredentialType
-import software.aws.toolkits.telemetry.Result
 
 /**
  * Shared disk cache for SSO for the IDE
  */
 val diskCache by lazy { DiskCache() }
 
-object SsoPrompt : SsoLoginCallback {
-    override fun tokenPending(authorization: Authorization) {
-        computeOnEdt {
-            val result = CopyUserCodeForLoginDialog(
-                ProjectManager.getInstance().defaultProject,
-                authorization.userCode,
-                message("credentials.sso.login.title"),
-                CredentialType.SsoProfile
-            ).showAndGet()
-            if (result) {
-                AwsTelemetry.loginWithBrowser(project = null, Result.Succeeded, CredentialType.SsoProfile)
-                BrowserUtil.browse(authorization.verificationUri)
-            } else {
-                AwsTelemetry.loginWithBrowser(project = null, Result.Cancelled, CredentialType.SsoProfile)
-                throw ProcessCanceledException(IllegalStateException(message("credentials.sso.login.cancelled")))
-            }
-        }
-    }
-
-    override fun tokenRetrieved() {}
-
-    override fun tokenRetrievalFailure(e: Exception) {
-        e.notifyError(message("credentials.sso.login.failed"))
-    }
-}
-
 interface SsoRequiredInteractiveCredentials : InteractiveCredential {
     val ssoCache: SsoCache
     val ssoUrl: String

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/ToolkitConnectionImpls.kt

@@ -7,8 +7,6 @@ import com.intellij.openapi.Disposable
 import com.intellij.openapi.util.Disposer
 import software.aws.toolkits.core.TokenConnectionSettings
 import software.aws.toolkits.core.credentials.ToolkitBearerTokenProvider
-import software.aws.toolkits.jetbrains.core.credentials.sso.SsoLoginCallback
-import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenPrompt
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenProvider
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.InteractiveBearerTokenProvider
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.ProfileSdkTokenProviderWrapper
@@ -18,7 +16,6 @@ class ManagedBearerSsoConnection(
     val startUrl: String,
     val region: String,
     override val scopes: List<String>,
-    private val prompt: SsoLoginCallback = BearerTokenPrompt
 ) : BearerSsoConnection, Disposable {
     override val id: String = ToolkitBearerTokenProvider.ssoIdentifier(startUrl, region)
     override val label: String = ToolkitBearerTokenProvider.ssoDisplayName(startUrl)
@@ -28,7 +25,6 @@ class ManagedBearerSsoConnection(
             InteractiveBearerTokenProvider(
                 startUrl,
                 region,
-                prompt,
                 scopes
             ),
             region

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/profiles/ProfileSsoProvider.kt

@@ -13,7 +13,6 @@ import software.amazon.awssdk.services.sso.SsoClient
 import software.amazon.awssdk.services.ssooidc.SsoOidcClient
 import software.amazon.awssdk.utils.SdkAutoCloseable
 import software.aws.toolkits.jetbrains.core.AwsClientManager
-import software.aws.toolkits.jetbrains.core.credentials.SsoPrompt
 import software.aws.toolkits.jetbrains.core.credentials.diskCache
 import software.aws.toolkits.jetbrains.core.credentials.sso.SsoAccessTokenProvider
 import software.aws.toolkits.jetbrains.core.credentials.sso.SsoCredentialProvider
@@ -33,7 +32,6 @@ class ProfileSsoProvider(profile: Profile) : AwsCredentialsProvider, SdkAutoClos
         val ssoAccessTokenProvider = SsoAccessTokenProvider(
             profile.requiredProperty(ProfileProperty.SSO_START_URL),
             ssoRegion,
-            SsoPrompt,
             diskCache,
             ssoOidcClient
         )

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/sono/SonoConstants.kt

@@ -6,7 +6,7 @@ package software.aws.toolkits.jetbrains.core.credentials.sono
 import software.aws.toolkits.jetbrains.core.credentials.ManagedBearerSsoConnection
 import software.aws.toolkits.jetbrains.core.credentials.ToolkitConnection
 
-internal const val SONO_REGION = "us-east-1"
+const val SONO_REGION = "us-east-1"
 const val SONO_URL = "https://view.awsapps.com/start"
 internal val CODEWHISPERER_SCOPES = listOf(
     "codewhisperer:completions",

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/sso/AccessToken.kt

@@ -7,6 +7,8 @@ import com.fasterxml.jackson.annotation.JsonInclude
 import software.amazon.awssdk.auth.token.credentials.SdkToken
 import software.amazon.awssdk.services.sso.SsoClient
 import software.amazon.awssdk.services.ssooidc.SsoOidcClient
+import software.aws.toolkits.core.utils.SensitiveField
+import software.aws.toolkits.core.utils.redactedString
 import java.time.Instant
 import java.util.Optional
 
@@ -16,7 +18,9 @@ import java.util.Optional
 data class AccessToken(
     val startUrl: String,
     val region: String,
+    @SensitiveField
     val accessToken: String,
+    @SensitiveField
     @JsonInclude(JsonInclude.Include.NON_NULL)
     val refreshToken: String? = null,
     val expiresAt: Instant,
@@ -25,6 +29,8 @@ data class AccessToken(
     override fun token() = accessToken
 
     override fun expirationTime() = Optional.of(expiresAt)
+
+    override fun toString() = redactedString(this)
 }
 
 // diverging from SDK/CLI impl here since they do: sha1sum(sessionName ?: startUrl)

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/sso/Authorization.kt

@@ -4,17 +4,22 @@
 package software.aws.toolkits.jetbrains.core.credentials.sso
 
 import software.amazon.awssdk.services.ssooidc.SsoOidcClient
+import software.aws.toolkits.core.utils.SensitiveField
+import software.aws.toolkits.core.utils.redactedString
 import java.time.Instant
 
 /**
  * Returned by [SsoOidcClient.startDeviceAuthorization] that contains the required data to construct the user visible SSO login flow.
  */
 data class Authorization(
+    @SensitiveField
     val deviceCode: String,
     val userCode: String,
     val verificationUri: String,
     val verificationUriComplete: String,
     val expiresAt: Instant,
     val pollInterval: Long,
     val createdAt: Instant
-)
+) {
+    override fun toString(): String = redactedString(this)
+}