Expand Up @@ -22,9 +22,12 @@
import com.intellij.openapi.util.Disposer
import com.intellij.openapi.util.Key
import com.intellij.openapi.util.SystemInfo
import com.intellij.util.EnvironmentUtil
import com.intellij.util.io.DigestUtil
import com.intellij.util.io.await
import com.intellij.util.net.HttpConfigurable
import com.intellij.util.net.JdkProxyProvider
import com.intellij.util.net.ssl.CertificateManager
import kotlinx.coroutines.CoroutineScope
import kotlinx.coroutines.Deferred
import kotlinx.coroutines.Job
Expand Down Expand Up @@ -77,6 +80,7 @@
import software.aws.toolkits.jetbrains.services.amazonq.lsp.util.WorkspaceFolderUtil.createWorkspaceFolders
import software.aws.toolkits.jetbrains.services.amazonq.lsp.workspace.WorkspaceServiceHandler
import software.aws.toolkits.jetbrains.services.amazonq.profile.QDefaultServiceConfig
import software.aws.toolkits.jetbrains.services.amazonq.profile.QEndpoints
import software.aws.toolkits.jetbrains.services.cwc.controller.chat.telemetry.getStartUrl
import software.aws.toolkits.jetbrains.services.telemetry.ClientMetadata
import software.aws.toolkits.jetbrains.settings.LspSettings
Expand Down Expand Up @@ -369,21 +373,60 @@
// will cause slow service init, but maybe fine for now. will not block UI since fetch/extract will be under background progress
val artifact = runBlocking { service<ArtifactManager>().fetchArtifact(project) }.toAbsolutePath()

// more network calls
// make assumption that all requests will resolve to the same CA
// also terrible assumption that default endpoint is reachable
val qUri = URI(QDefaultServiceConfig.ENDPOINT)
val extraCaCerts = try {
val rtsTrustChain = TrustChainUtil.getTrustChain(qUri)

Files.createTempFile("q-extra-ca", ".pem").apply {
writeText(
TrustChainUtil.certsToPem(rtsTrustChain)
)
// make some network calls for troubleshooting
listOf(*QEndpoints.listRegionEndpoints().map { it.endpoint }.toTypedArray(), QDefaultServiceConfig.ENDPOINT).forEach { endpoint ->
try {
val qUri = URI(endpoint)
val rtsTrustChain = TrustChainUtil.getTrustChain(qUri)
val trustRoot = rtsTrustChain.last()

// ATS is cross-signed against starfield certs: https://www.amazontrust.com/repository/
if (listOf("Amazon Root CA", "Starfield Technologies").any { trustRoot.subjectX500Principal.name.contains(it) }) {
LOG.info { "Trust chain for $endpoint ends with public-like CA with sha256 fingerprint: ${DigestUtil.sha256Hex(trustRoot.encoded)}" }

} else {
LOG.info {

"""
|Trust chain for $endpoint transits private CA:
|${buildString {
rtsTrustChain.forEach { cert ->
append("Issuer: ${cert.issuerX500Principal}, ")
append("Subject: ${cert.subjectX500Principal}, ")
append("Fingerprint: ${DigestUtil.sha256Hex(cert.encoded)}\n\t")
}
}}
""".trimMargin("|")

}
LOG.debug { "Full trust chain info for $endpoint: $rtsTrustChain" }

}
} catch (e: Exception) {
LOG.info { "${e.message}: Could not resolve trust chain for $endpoint" }

}
} catch (e: Exception) {
LOG.info(e) { "Could not resolve trust chain for $qUri, skipping NODE_EXTRA_CA_CERTS" }
}


val userEnvNodeCaCerts = EnvironmentUtil.getValue("NODE_EXTRA_CA_CERTS")

// if user has NODE_EXTRA_CA_CERTS in their environment, assume they know what they're doing
val extraCaCerts = if (!userEnvNodeCaCerts.isNullOrEmpty()) {
LOG.info { "Skipping injection of IDE trust store, user already defines NODE_EXTRA_CA_CERTS: $userEnvNodeCaCerts" }


null
} else {
try {

// otherwise include everything the IDE knows about
val allAcceptedIssuers = CertificateManager.getInstance().trustManager.acceptedIssuers
val customIssuers = CertificateManager.getInstance().customTrustManager.acceptedIssuers
LOG.info {
"Injecting ${allAcceptedIssuers.size} IDE trusted certificates (${customIssuers.size} from IDE custom manager) into NODE_EXTRA_CA_CERTS"

}

Files.createTempFile("q-extra-ca", ".pem").apply {
writeText(
TrustChainUtil.certsToPem(allAcceptedIssuers.toList())

)
}.toAbsolutePath().toString()
} catch (e: Exception) {
LOG.warn(e) { "Could not inject IDE trust store into NODE_EXTRA_CA_CERTS" }


null

}
}

val node = if (SystemInfo.isWindows) "node.exe" else "node"
Expand All @@ -396,8 +439,13 @@
"--set-credentials-encryption-key",
).withEnvironment(
buildMap {
extraCaCerts?.let { put("NODE_EXTRA_CA_CERTS", it.toAbsolutePath().toString()) }
extraCaCerts?.let {
LOG.info { "Starting Flare with NODE_EXTRA_CA_CERTS: $it" }
put("NODE_EXTRA_CA_CERTS", it)

}

// assume default endpoint will pick correct proxy if needed
val qUri = URI(QDefaultServiceConfig.ENDPOINT)

val proxy = JdkProxyProvider.getInstance().proxySelector.select(qUri)
// log if only socks proxy available
.firstOrNull { it.type() == Proxy.Type.HTTP }
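Review bot: In the per-endpoint diagnostic loop of the `@@ -369,21 +373,60 @@` hunk, `val trustRoot = rtsTrustChain.last()` throws on an empty chain and the new `catch (e: Exception)` then logs only `e.message`, dropping the throwable that the replaced `LOG.info(e) { ... }` still recorded; prefer `val trustRoot = rtsTrustChain.lastOrNull() ?: return@forEach` together with `LOG.info(e) { "Could not resolve trust chain for $endpoint" }` so a failed handshake stays diagnosable. The `Files.createTempFile("q-extra-ca", ".pem")` path handed to NODE_EXTRA_CA_CERTS is never removed, so every language-server start leaves another PEM copy of the whole IDE trust store in the temp directory; registering its deletion (the already imported `Disposer`, or `toFile().deleteOnExit()`) would keep that bounded, though which lifecycle owner fits is outside this hunk. The substring match on `"Amazon Root CA"`/`"Starfield Technologies"` only shapes a log line, not a trust decision, and a comment such as `// diagnostic only: no trust decision is made here` would keep a later reader from hardening it into one. As a style point, `listOf(*QEndpoints.listRegionEndpoints().map { it.endpoint }.toTypedArray(), QDefaultServiceConfig.ENDPOINT)` reads more simply as `QEndpoints.listRegionEndpoints().map { it.endpoint } + QDefaultServiceConfig.ENDPOINT`. The enclosing function begins and ends outside the hunks shown here.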