feat(auth): use minimal scopes for CC and CW (#3264)

## Problem
The Toolkit requests permissions for CodeWhisperer and CodeCatalyst even if the user doesn't want to use both

## Solution
Request the minimum permissions required to use a feature

Author: JadenSimon

.changes/next-release/Feature-af0f8609-79f1-40fc-8425-60223bb783d7.json

@@ -0,0 +1,4 @@
+{
+	"type": "Feature",
+	"description": "feat(auth): IAM Identity Center connections now request the least permissive set of scopes for features. Using the same connection for multiple features will request additional scopes to be used."
+}

src/codecatalyst/auth.ts

@@ -14,6 +14,7 @@ import {
     codecatalystScopes,
     hasScopes,
     createBuilderIdConnection,
+    ssoAccountAccessScopes,
 } from '../credentials/auth'
 import { getSecondaryAuth } from '../credentials/secondaryAuth'
 import { getLogger } from '../shared/logger'
@@ -36,9 +37,13 @@ export class CodeCatalystAuthStorage {
     }
 }
 
+const defaultScopes = [...ssoAccountAccessScopes, ...codecatalystScopes]
 export const isValidCodeCatalystConnection = (conn: Connection): conn is SsoConnection =>
     isBuilderIdConnection(conn) && hasScopes(conn, codecatalystScopes)
 
+export const isUpgradeableConnection = (conn: Connection): conn is SsoConnection =>
+    isBuilderIdConnection(conn) && !isValidCodeCatalystConnection(conn)
+
 export class CodeCatalystAuthenticationProvider {
     public readonly onDidChangeActiveConnection = this.secondaryAuth.onDidChangeActiveConnection
 
@@ -105,13 +110,12 @@ export class CodeCatalystAuthenticationProvider {
         }
 
         const conn = (await this.auth.listConnections()).find(isBuilderIdConnection)
-        const isNewUser = conn === undefined
         const continueItem: vscode.MessageItem = { title: localizedText.continueText }
         const cancelItem: vscode.MessageItem = { title: localizedText.cancel, isCloseAffordance: true }
 
-        if (isNewUser || !isValidCodeCatalystConnection(conn)) {
+        if (conn === undefined) {
             // TODO: change to `satisfies` on TS 4.9
-            telemetry.record({ codecatalyst_connectionFlow: isNewUser ? 'Create' : 'Upgrade' } as ConnectionFlowEvent)
+            telemetry.record({ codecatalyst_connectionFlow: 'Create' } as ConnectionFlowEvent)
 
             const message = `The ${
                 getIdeProperties().company
@@ -122,15 +126,22 @@ export class CodeCatalystAuthenticationProvider {
                 throw new ToolkitError('Not connected to CodeCatalyst', { code: 'NoConnection', cancelled: true })
             }
 
-            const newConn = await createBuilderIdConnection(this.auth)
+            const newConn = await createBuilderIdConnection(this.auth, defaultScopes)
             if (this.auth.activeConnection?.id !== newConn.id) {
                 await this.secondaryAuth.useNewConnection(newConn)
             }
 
             return newConn
         }
 
-        if (this.auth.activeConnection?.id !== conn.id) {
+        const upgrade = async () => {
+            // TODO: change to `satisfies` on TS 4.9
+            telemetry.record({ codecatalyst_connectionFlow: 'Upgrade' } as ConnectionFlowEvent)
+
+            return this.secondaryAuth.addScopes(conn, defaultScopes)
+        }
+
+        if (isBuilderIdConnection(conn) && this.auth.activeConnection?.id !== conn.id) {
             // TODO: change to `satisfies` on TS 4.9
             telemetry.record({ codecatalyst_connectionFlow: 'Switch' } as ConnectionFlowEvent)
 
@@ -144,11 +155,19 @@ export class CodeCatalystAuthenticationProvider {
                 throw new ToolkitError('Not connected to CodeCatalyst', { code: 'NoConnection', cancelled: true })
             }
 
+            if (isUpgradeableConnection(conn)) {
+                await upgrade()
+            }
+
             await this.secondaryAuth.useNewConnection(conn)
 
             return conn
         }
 
+        if (isUpgradeableConnection(conn)) {
+            return upgrade()
+        }
+
         throw new ToolkitError('Not connected to CodeCatalyst', { code: 'NoConnectionBadState' })
     }
 

src/codecatalyst/explorer.ts

@@ -5,7 +5,7 @@
 
 import * as vscode from 'vscode'
 import { RootNode } from '../awsexplorer/localExplorer'
-import { Connection, createBuilderIdConnection, isBuilderIdConnection } from '../credentials/auth'
+import { Connection, isBuilderIdConnection } from '../credentials/auth'
 import { DevEnvironment } from '../shared/clients/codecatalystClient'
 import { isCloud9 } from '../shared/extensionUtilities'
 import { addColor, getIcon } from '../shared/icons'
@@ -19,10 +19,7 @@ import { getLogger } from '../shared/logger'
 
 const getStartedCommand = Commands.register(
     'aws.codecatalyst.getStarted',
-    async (authProvider: CodeCatalystAuthenticationProvider) => {
-        const conn = await createBuilderIdConnection(authProvider.auth)
-        await authProvider.secondaryAuth.useNewConnection(conn)
-    }
+    (authProvider: CodeCatalystAuthenticationProvider) => authProvider.promptNotConnected()
 )
 
 const learnMoreCommand = Commands.register('aws.learnMore', async (docsUrl: vscode.Uri) => {
@@ -126,6 +123,8 @@ export class CodeCatalystRootNode implements RootNode {
     }
 
     public async getTreeItem() {
+        await this.authProvider.restore()
+
         this.devenv = (await getThisDevEnv(this.authProvider))?.unwrapOrElse(err => {
             getLogger().warn('codecatalyst: failed to get current Dev Enviroment: %s', err)
             return undefined

src/codewhisperer/util/authUtil.ts

@@ -15,6 +15,7 @@ import {
     createSsoProfile,
     isSsoConnection,
     hasScopes,
+    ssoAccountAccessScopes,
     isIamConnection,
 } from '../../credentials/auth'
 import { Connection, SsoConnection } from '../../credentials/auth'
@@ -26,7 +27,8 @@ import { isCloud9 } from '../../shared/extensionUtilities'
 import { TelemetryHelper } from './telemetryHelper'
 import { PromptSettings } from '../../shared/settings'
 
-export const awsBuilderIdSsoProfile = createBuilderIdProfile()
+const defaultScopes = [...ssoAccountAccessScopes, ...codewhispererScopes]
+export const awsBuilderIdSsoProfile = createBuilderIdProfile(defaultScopes)
 
 export const isValidCodeWhispererConnection = (conn: Connection): conn is Connection => {
     if (isCloud9('classic')) {
@@ -48,7 +50,7 @@ export class AuthUtil {
     private readonly clearAccessToken = once(() =>
         globals.context.globalState.update(CodeWhispererConstants.accessToken, undefined)
     )
-    private readonly secondaryAuth = getSecondaryAuth(
+    public readonly secondaryAuth = getSecondaryAuth(
         this.auth,
         'codewhisperer',
         'CodeWhisperer',
@@ -80,8 +82,6 @@ export class AuthUtil {
                 vscode.commands.executeCommand('aws.codeWhisperer.updateReferenceLog'),
             ])
         })
-
-        Commands.register('aws.codeWhisperer.removeConnection', () => this.secondaryAuth.removeConnection())
     }
 
     // current active cwspr connection
@@ -115,7 +115,7 @@ export class AuthUtil {
             return existingConn
         }
 
-        return this.rescopeConnection(existingConn)
+        return this.secondaryAuth.addScopes(existingConn, defaultScopes)
     }
 
     public async connectToEnterpriseSso(startUrl: string, region: string) {
@@ -125,17 +125,24 @@ export class AuthUtil {
         )
 
         if (!existingConn) {
-            const conn = await this.auth.createConnection(createSsoProfile(startUrl, region))
+            const conn = await this.auth.createConnection(createSsoProfile(startUrl, region, defaultScopes))
             return this.secondaryAuth.useNewConnection(conn)
         } else if (isValidCodeWhispererConnection(existingConn)) {
             return this.secondaryAuth.useNewConnection(existingConn)
         } else if (isSsoConnection(existingConn)) {
-            return this.rescopeConnection(existingConn)
+            return this.secondaryAuth.addScopes(existingConn, defaultScopes)
         }
     }
 
     public static get instance() {
-        return (this.#instance ??= new this())
+        if (this.#instance !== undefined) {
+            return this.#instance
+        }
+
+        const self = (this.#instance = new this())
+        Commands.register('aws.codeWhisperer.removeConnection', () => self.secondaryAuth.removeConnection())
+
+        return self
     }
 
     public async getBearerToken(): Promise<string> {
@@ -227,23 +234,7 @@ export class AuthUtil {
         this.showReauthenticatePrompt(isAutoTrigger)
     }
 
-    public async rescopeConnection(existingConn: SsoConnection) {
-        const upgradedConn = await this.auth.createConnection(createSsoProfile(existingConn.startUrl))
-        await this.auth.deleteConnection(existingConn)
-
-        if (this.auth.activeConnection?.id === (existingConn as SsoConnection).id) {
-            await this.auth.useConnection(upgradedConn)
-        } else {
-            await this.secondaryAuth.useNewConnection(upgradedConn)
-        }
-
-        return upgradedConn
-    }
-
     public hasAccessToken() {
         return !!globals.context.globalState.get(CodeWhispererConstants.accessToken)
     }
 }
-
-export const isUpgradeableConnection = (conn?: Connection): conn is SsoConnection =>
-    !!conn && !isValidCodeWhispererConnection(conn) && isSsoConnection(conn)

src/codewhisperer/util/getStartUrl.ts

@@ -9,11 +9,11 @@ import { isValidResponse } from '../../shared/wizards/wizard'
 import { AuthUtil } from './authUtil'
 import { CancellationError } from '../../shared/utilities/timeoutUtils'
 import { ToolkitError } from '../../shared/errors'
-import { createStartUrlPrompter, showRegionPrompter } from '../../credentials/auth'
+import { codewhispererScopes, createStartUrlPrompter, showRegionPrompter } from '../../credentials/auth'
 import { telemetry } from '../../shared/telemetry/telemetry'
 
 export const getStartUrl = async () => {
-    const inputBox = await createStartUrlPrompter('IAM Identity Center', false)
+    const inputBox = await createStartUrlPrompter('IAM Identity Center', codewhispererScopes)
     const userInput = await inputBox.prompt()
     if (!isValidResponse(userInput)) {
         telemetry.ui_click.emit({ elementId: 'connection_optionescapecancel' })