feat(codecatalyst): IdC connection logic #3986

Problem:
Amazon CodeCatalyst currently supports Builder ID connections. The
CodeCatalyst team is working to enable IAM Identity Center connections
for CodeCatalyst, including enabling IDC connections using AWS Toolkit
for Visual Studio Code.

Solution:
- Additions and changes within `CodeCatalystAuthenticationProvider` and surrounding modules to enable IDC connections.
  - The changes account for switching connections.
  - The changes account for extending scopes on existing connections.
- Minimal UI additions to CodeCatalyst connection form to support IDC connection flow (may be revised in subsequent revision)
- URI handler changes to support explicit IDC startUrl/region.
- `tryAutoConnect` changes to support IDC profiles.

Note that no changes were necessary for core authN/connection logic
(e.g. secondaryAuth, and connection modules). Similarly, no UI changes
were necessary for these existing connection flows.

**The following testing has been performed:**

- Manual testing of the connection with various permutations / combinations of Builder ID vs IDC connections for CodeCatalyst and CodeWhisperer.
- Manual testing a CodeCatalyst IDC connection successfully authenticates and works against CodeCatalyst APIs.
- Manual testing that a CodeCatalyst Dev Environment can be connected to from the Toolkit using an IDC conneciton.
- End-to-end manual testing with a CodeCatalyst Dev Environment.
- Backfilled some unit tests for `CodeCatalystAuthenticationProvider`.

Co-authored-by: C Tidd <[email protected]>
Author: C Tidd <[email protected]>
commit 1eb8b94

Author: C Tidd

src/auth/auth.ts

@@ -24,6 +24,11 @@ import { CredentialsProviderManager } from './providers/credentialsProviderManag
 import { asString, CredentialsId, CredentialsProvider, fromString } from './providers/credentials'
 import { once } from '../shared/utilities/functionUtils'
 import { CredentialsSettings } from './credentials/utils'
+import {
+    extractDataFromSection,
+    getSectionOrThrow,
+    loadSharedCredentialsSections,
+} from './credentials/sharedCredentials'
 import { getCodeCatalystDevEnvId } from '../shared/vscode/env'
 import { partition } from '../shared/utilities/mementos'
 import { SsoCredentialsProvider } from './providers/ssoCredentialsProvider'
@@ -47,8 +52,9 @@ import {
     StoredProfile,
     codecatalystScopes,
     createBuilderIdProfile,
+    createSsoProfile,
     hasScopes,
-    isBuilderIdConnection,
+    isValidCodeCatalystConnection,
     loadIamProfilesIntoStore,
     loadLinkedProfilesIntoStore,
     ssoAccountAccessScopes,
@@ -521,9 +527,11 @@ export class Auth implements AuthService, ConnectionManager {
     }
 
     // XXX: always read from the same location in a dev environment
-    private getSsoSessionName = once(() => {
+    // This detection is fuzzy if an sso-session section exists for any other reason.
+    private detectSsoSessionNameForCodeCatalyst = once((): string => {
         try {
             const configFile = getConfigFilename()
+            // `require('fs')` is workaround for web mode:
             const contents: string = require('fs').readFileSync(configFile, 'utf-8')
             const identifier = contents.match(/\[sso\-session (.*)\]/)?.[1]
             if (!identifier) {
@@ -532,21 +540,40 @@ export class Auth implements AuthService, ConnectionManager {
 
             return identifier
         } catch (err) {
-            const defaultName = 'codecatalyst'
-            getLogger().warn(`auth: unable to get an sso session name, defaulting to "${defaultName}": %s`, err)
-
-            return defaultName
+            const identifier = 'codecatalyst'
+            getLogger().warn(`auth: unable to get an sso session name, defaulting to "${identifier}": %s`, err)
+            return identifier
         }
     })
 
+    private createCodeCatalystDevEnvProfile = async (): Promise<[id: string, profile: SsoProfile]> => {
+        const identifier = this.detectSsoSessionNameForCodeCatalyst()
+
+        const { sections } = await loadSharedCredentialsSections()
+        const { sso_region: region, sso_start_url: startUrl } = extractDataFromSection(
+            getSectionOrThrow(sections, identifier, 'sso-session')
+        )
+
+        if ([region, startUrl].some(prop => typeof prop !== 'string')) {
+            throw new ToolkitError('sso-session data missing in ~/.aws/config', { code: 'NoSsoSession' })
+        }
+
+        return startUrl === builderIdStartUrl
+            ? [identifier, createBuilderIdProfile(codecatalystScopes)]
+            : [identifier, createSsoProfile(region, startUrl, codecatalystScopes)]
+    }
+
     private getTokenProvider(id: Connection['id'], profile: StoredProfile<SsoProfile>) {
-        // XXX: Use the token created by dev environments if and only if the profile is strictly for CodeCatalyst
+        // XXX: Use the token created by Dev Environments if and only if the profile is strictly
+        // for CodeCatalyst, as indicated by its set of scopes. A consequence of these semantics is
+        // that any profile will be coerced to use this token if that profile exclusively contains
+        // CodeCatalyst scopes. Similarly, if additional scopes are added to a profile, the profile
+        // no longer matches this condition.
         const shouldUseSoftwareStatement =
             getCodeCatalystDevEnvId() !== undefined &&
-            profile.startUrl === builderIdStartUrl &&
             profile.scopes?.every(scope => codecatalystScopes.includes(scope))
 
-        const tokenIdentifier = shouldUseSoftwareStatement ? this.getSsoSessionName() : id
+        const tokenIdentifier = shouldUseSoftwareStatement ? this.detectSsoSessionNameForCodeCatalyst() : id
 
         return this.createTokenProvider(
             {
@@ -702,15 +729,28 @@ export class Auth implements AuthService, ConnectionManager {
             })
         )
 
-        // Use the environment token if available
-        // This token only has CC permissions currently!
+        // When opening a Dev Environment, use the environment token if no other CodeCatalyst
+        // credential is in use. This token only has CC permissions currently!
         if (getCodeCatalystDevEnvId() !== undefined) {
-            const connections = (await this.listConnections()).filter(isBuilderIdConnection)
-
-            if (connections.length === 0) {
-                const key = uuid.v4()
-                await this.store.addProfile(key, createBuilderIdProfile(codecatalystScopes))
-                await this.store.setCurrentProfileId(key)
+            const connections = await this.listConnections()
+            const shouldInsertDevEnvCredential = !connections.some(isValidCodeCatalystConnection)
+
+            if (shouldInsertDevEnvCredential) {
+                // Insert a profile based on the `~/.aws/config` sso-session:
+                try {
+                    // After creating a CodeCatalyst Dev Environment profile based on sso-session,
+                    // we discard the actual key, and we insert the profile with an arbitrary key.
+                    // The cache key for any strictly-CodeCatalyst profile is overriden to the
+                    // sso-session identifier on read. If the coerce-on-read semantics ever become
+                    // an issue, it should be possible to use the actual key here However, this
+                    // would require deleting existing profiles to avoid inserting duplicates.
+                    const [_dangerousDiscardActualKey, devEnvProfile] = await this.createCodeCatalystDevEnvProfile()
+                    const key = uuid.v4()
+                    await this.store.addProfile(key, devEnvProfile)
+                    await this.store.setCurrentProfileId(key)
+                } catch (err) {
+                    getLogger().warn(`auth: failed to insert dev env profile: %s`, err)
+                }
             }
         }
 

src/auth/connection.ts

@@ -52,7 +52,7 @@ export const isIdcSsoConnection = (conn?: Connection): conn is SsoConnection =>
 export const isBuilderIdConnection = (conn?: Connection): conn is SsoConnection => isSsoConnection(conn, 'builderId')
 
 export const isValidCodeCatalystConnection = (conn: Connection): conn is SsoConnection =>
-    isBuilderIdConnection(conn) && hasScopes(conn, codecatalystScopes)
+    isSsoConnection(conn) && hasScopes(conn, codecatalystScopes)
 
 export function hasScopes(target: SsoConnection | SsoProfile, scopes: string[]): boolean {
     return scopes?.every(s => target.scopes?.includes(s))

src/auth/sso/cache.ts

@@ -105,25 +105,28 @@ export function getTokenCache(directory = getCacheDir()): KeyedCache<SsoAccess>
     }
 
     const logger = (message: string) => getLogger().debug(`SSO token cache: ${message}`)
-    const cache = createDiskCache<StoredToken, string>((ssoUrl: string) => getTokenCacheFile(directory, ssoUrl), logger)
+    const cache = createDiskCache<StoredToken, string>((key: string) => getTokenCacheFile(directory, key), logger)
 
     return mapCache(cache, read, write)
 }
 
-function getTokenCacheFile(ssoCacheDir: string, ssoUrl: string): string {
-    const encoded = encodeURI(ssoUrl)
+function getTokenCacheFile(ssoCacheDir: string, key: string): string {
+    const encoded = encodeURI(key)
     // Per the spec: 'SSO Login Token Flow' the access token must be
     // cached as the SHA1 hash of the bytes of the UTF-8 encoded
-    // startUrl value with ".json" appended to the end.
+    // startUrl value with ".json" appended to the end. However, the
+    // cache key used by the Toolkit is an alternative arbitrary key
+    // in most scenarios. This alternative cache key still conforms
+    // to the same ${sha1(key)}.json cache location semantics.
 
     const shasum = crypto.createHash('sha1')
     // Suppress warning because:
     //   1. SHA1 is prescribed by the AWS SSO spec
-    //   2. the hashed startUrl value is not a secret
+    //   2. the hashed startUrl or other key value is not a secret
     shasum.update(encoded) // lgtm[js/weak-cryptographic-algorithm]
-    const hashedUrl = shasum.digest('hex') // lgtm[js/weak-cryptographic-algorithm]
+    const hashedKey = shasum.digest('hex') // lgtm[js/weak-cryptographic-algorithm]
 
-    return path.join(ssoCacheDir, `${hashedUrl}.json`)
+    return path.join(ssoCacheDir, `${hashedKey}.json`)
 }
 
 function getRegistrationCacheFile(ssoCacheDir: string, key: RegistrationKey): string {

src/auth/ui/vue/authForms/manageIdentityCenter.vue

@@ -360,6 +360,45 @@ export class CodeWhispererIdentityCenterState extends BaseIdentityCenterState {
     }
 }
 
+export class CodeCatalystIdentityCenterState extends BaseIdentityCenterState {
+    override get id(): AuthFormId {
+        return 'identityCenterCodeCatalyst'
+    }
+
+    override get name(): string {
+        return 'CodeCatalyst'
+    }
+
+    override get uiClickOpenId(): AuthUiClick {
+        return 'auth_openCodeCatalyst'
+    }
+
+    override get uiClickSignout(): AuthUiClick {
+        return 'auth_codecatalyst_signoutIdentityCenter'
+    }
+
+    override get featureType(): FeatureId {
+        return 'codecatalyst'
+    }
+
+    protected override async _startIdentityCenterSetup(): Promise<AuthError | undefined> {
+        const data = await this.getSubmittableDataOrThrow()
+        return client.startCodeCatalystIdentityCenterSetup(data.startUrl, data.region)
+    }
+
+    override async isAuthConnected(): Promise<boolean> {
+        return client.isCodeCatalystIdentityCenterConnected()
+    }
+
+    override async showView(): Promise<void> {
+        client.showCodeCatalystNode()
+    }
+
+    override signout(): Promise<void> {
+        return client.signoutCodeCatalystIdentityCenter()
+    }
+}
+
 /**
  * In the context of the Explorer, an Identity Center connection
  * is not required to be active. This is due to us only needing

src/auth/ui/vue/authForms/shared.vue

@@ -1,7 +1,11 @@
 <script lang="ts">
 import { CodeCatalystBuilderIdState, CodeWhispererBuilderIdState } from './manageBuilderId.vue'
 import { CredentialsState } from './manageCredentials.vue'
-import { CodeWhispererIdentityCenterState, ExplorerIdentityCenterState } from './manageIdentityCenter.vue'
+import {
+    CodeCatalystIdentityCenterState,
+    CodeWhispererIdentityCenterState,
+    ExplorerIdentityCenterState,
+} from './manageIdentityCenter.vue'
 import { AuthFormId } from './types'
 
 /**
@@ -12,6 +16,7 @@ const authFormsState = {
     builderIdCodeWhisperer: CodeWhispererBuilderIdState.instance,
     builderIdCodeCatalyst: CodeCatalystBuilderIdState.instance,
     identityCenterCodeWhisperer: new CodeWhispererIdentityCenterState(),
+    identityCenterCodeCatalyst: new CodeCatalystIdentityCenterState(),
     identityCenterExplorer: new ExplorerIdentityCenterState(),
 } as const
 

src/auth/ui/vue/authForms/types.ts

@@ -8,6 +8,7 @@ export type AuthFormId =
     | 'builderIdCodeWhisperer'
     | 'builderIdCodeCatalyst'
     | 'identityCenterCodeWhisperer'
+    | 'identityCenterCodeCatalyst'
     | 'identityCenterExplorer'
     | 'aggregateExplorer'
 
@@ -19,6 +20,7 @@ export const AuthFormDisplayName: Record<AuthFormId, string> = {
     credentials: 'IAM Credentials',
     builderIdCodeCatalyst: 'CodeCatalyst with AWS Builder ID',
     builderIdCodeWhisperer: 'CodeWhisperer with AWS Builder ID',
+    identityCenterCodeCatalyst: 'CodeCatalyst with IAM Identity Center',
     identityCenterCodeWhisperer: 'CodeWhisperer with IAM Identity Center',
     identityCenterExplorer: 'AWS Explorer with IAM Identity Center',
     aggregateExplorer: '',

src/auth/ui/vue/serviceItemContent/codeCatalystContent.vue

@@ -32,34 +32,62 @@
                     @auth-connection-updated="onAuthConnectionUpdated"
                 ></BuilderIdForm>
             </div>
+
+            <div>
+                <div v-on:click="toggleIdentityCenterShown" style="cursor: pointer; display: flex; flex-direction: row">
+                    <div style="font-weight: bold; font-size: medium" :class="identityCenterCollapsibleClass"></div>
+                    <div>
+                        <div style="font-weight: bold; font-size: 14px">Sign in with IAM Identity Center.</div>
+                    </div>
+                </div>
+            </div>
+
+            <IdentityCenterForm
+                :state="identityCenterState"
+                :allow-existing-start-url="true"
+                @auth-connection-updated="onAuthConnectionUpdated"
+                v-show="isIdentityCenterShown"
+            ></IdentityCenterForm>
         </div>
     </div>
 </template>
 
 <script lang="ts">
 import { defineComponent } from 'vue'
 import BuilderIdForm, { CodeCatalystBuilderIdState } from '../authForms/manageBuilderId.vue'
+import IdentityCenterForm, { CodeCatalystIdentityCenterState } from '../authForms/manageIdentityCenter.vue'
 import BaseServiceItemContent from './baseServiceItemContent.vue'
 import authFormsState, { AuthForm, FeatureStatus } from '../authForms/shared.vue'
 import { AuthFormId } from '../authForms/types'
 import { ConnectionUpdateArgs } from '../authForms/baseAuth.vue'
+import { WebviewClientFactory } from '../../../../webviews/client'
+import { AuthWebview } from '../show'
+
+const client = WebviewClientFactory.create<AuthWebview>()
 
 export default defineComponent({
     name: 'CodeCatalystContent',
-    components: { BuilderIdForm },
+    components: { BuilderIdForm, IdentityCenterForm },
     extends: BaseServiceItemContent,
     data() {
         return {
             isLoaded: {
                 builderIdCodeCatalyst: false,
             } as Record<AuthFormId, boolean>,
             isAllAuthsLoaded: false,
+            isIdentityCenterShown: false,
         }
     },
     computed: {
         builderIdState(): CodeCatalystBuilderIdState {
             return authFormsState.builderIdCodeCatalyst
         },
+        identityCenterState(): CodeCatalystIdentityCenterState {
+            return authFormsState.identityCenterCodeCatalyst
+        },
+        identityCenterCollapsibleClass() {
+            return this.isIdentityCenterShown ? 'icon icon-vscode-chevron-down' : 'icon icon-vscode-chevron-right'
+        },
     },
     methods: {
         updateIsAllAuthsLoaded() {
@@ -71,12 +99,18 @@ export default defineComponent({
             this.updateIsAllAuthsLoaded()
             this.emitAuthConnectionUpdated('codecatalyst', args)
         },
+        toggleIdentityCenterShown() {
+            this.isIdentityCenterShown = !this.isIdentityCenterShown
+            if (this.isIdentityCenterShown) {
+                client.emitUiClick('auth_codecatalyst_expandIAMIdentityCenter')
+            }
+        },
     },
 })
 
 export class CodeCatalystContentState extends FeatureStatus {
     override getAuthForms(): AuthForm[] {
-        return [authFormsState.builderIdCodeCatalyst]
+        return [authFormsState.builderIdCodeCatalyst, authFormsState.identityCenterCodeCatalyst]
     }
 }
 </script>