aws field in debug config is passed to SAM as environment vars (#1145)

bryceitoc9 · web-flow · commit 162857540c2b · 2020-06-10T16:48:51.000-07:00
The `aws` field in our `direct-invoke` launch configs now pass AWS credentials and regions to the SAM debug session. This includes passing active session tokens. These credentials and region info will be available to the debugged app, allowing the use of AWS SDK calls.
diff --git a/package.nls.json b/package.nls.json
@@ -68,8 +68,8 @@
     "AWS.configuration.description.awssam.debug.runtime": "The Lambda Function's runtime",
     "AWS.configuration.description.awssam.debug.timeout": "The amount of time (in seconds) that Lambda allows a function to run before stopping it.",
     "AWS.configuration.description.awssam.debug.aws": "AWS connection details",
-    "AWS.configuration.description.awssam.debug.credentials": "The AWS credential id to use during the invocation.",
-    "AWS.configuration.description.awssam.debug.region": "The AWS region to use during the invocation.",
+    "AWS.configuration.description.awssam.debug.credentials": "The AWS credential type and ID to use during the invocation. Example: credential profile \"default\" would be entered as `profile:default`.",
+    "AWS.configuration.description.awssam.debug.region": "AWS region to use during the invocation.",
     "AWS.configuration.description.awssam.debug.event": "The payload to pass to the lambda invocation.\n Must specify one of 'json' or 'path'.",
     "AWS.configuration.description.awssam.debug.event.json": "A JSON document to use as the event payload",
     "AWS.configuration.description.awssam.debug.event.path": "The path to a file to use as the event payload",
diff --git a/src/credentials/credentialsStore.ts b/src/credentials/credentialsStore.ts
@@ -4,8 +4,10 @@
  */
 
 import * as AWS from 'aws-sdk'
+import { getLogger } from '../shared/logger/logger'
 import { CredentialsProvider } from './providers/credentialsProvider'
 import { asString, CredentialsProviderId } from './providers/credentialsProviderId'
+import { CredentialsProviderManager } from './providers/credentialsProviderManager'
 
 export interface CachedCredentials {
     credentials: AWS.Credentials
@@ -31,20 +33,21 @@ export class CredentialsStore {
 
     /**
      * If credentials are not stored, the credentialsProvider is used to produce credentials (which are then stored).
+     * If the credentials exist but are outdated, the credentials will be invalidated and updated.
+     * Either way, the credentials tied to the credentialsProviderId will then be returned.
      */
-    public async getOrCreateCredentials(
+    public async upsertCredentials(
         credentialsProviderId: CredentialsProviderId,
         credentialsProvider: CredentialsProvider
     ): Promise<CachedCredentials> {
         let credentials = await this.getCredentials(credentialsProviderId)
 
         if (!credentials) {
-            credentials = {
-                credentials: await credentialsProvider.getCredentials(),
-                credentialsHashCode: credentialsProvider.getHashCode(),
-            }
-
-            this.credentialsCache[asString(credentialsProviderId)] = credentials
+            credentials = await this.setCredentials(credentialsProviderId, credentialsProvider)
+        } else if (credentialsProvider.getHashCode() !== credentials.credentialsHashCode) {
+            getLogger().verbose(`Using updated credentials: ${asString(credentialsProviderId)}`)
+            this.invalidateCredentials(credentialsProviderId)
+            credentials = await this.setCredentials(credentialsProviderId, credentialsProvider)
         }
 
         return credentials
@@ -57,4 +60,32 @@ export class CredentialsStore {
         // tslint:disable-next-line:no-dynamic-delete
         delete this.credentialsCache[asString(credentialsProviderId)]
     }
+
+    private async setCredentials(
+        credentialsProviderId: CredentialsProviderId,
+        credentialsProvider: CredentialsProvider
+    ): Promise<CachedCredentials> {
+        const credentials = {
+            credentials: await credentialsProvider.getCredentials(),
+            credentialsHashCode: credentialsProvider.getHashCode(),
+        }
+
+        this.credentialsCache[asString(credentialsProviderId)] = credentials
+
+        return credentials
+    }
+}
+
+export async function getCredentialsFromStore(
+    credentialsProviderId: CredentialsProviderId,
+    credentialsStore: CredentialsStore
+): Promise<AWS.Credentials> {
+    const provider = await CredentialsProviderManager.getInstance().getCredentialsProvider(credentialsProviderId)
+    if (!provider) {
+        credentialsStore.invalidateCredentials(credentialsProviderId)
+        throw new Error(`Could not find Credentials Provider for ${asString(credentialsProviderId)}`)
+    }
+
+    const cachedCredentials = await credentialsStore.upsertCredentials(credentialsProviderId, provider)
+    return cachedCredentials.credentials
 }
diff --git a/src/credentials/credentialsUtilities.ts b/src/credentials/credentialsUtilities.ts
@@ -3,7 +3,13 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
+import * as nls from 'vscode-nls'
+const localize = nls.loadMessageBundle()
+
+import * as vscode from 'vscode'
 import { Credentials } from 'aws-sdk'
+import { credentialHelpUrl } from '../shared/constants'
+import { CredentialsProviderId, asString } from './providers/credentialsProviderId'
 
 export function asEnvironmentVariables(credentials: Credentials): NodeJS.ProcessEnv {
     const environmentVariables: NodeJS.ProcessEnv = {}
@@ -17,3 +23,26 @@ export function asEnvironmentVariables(credentials: Credentials): NodeJS.Process
 
     return environmentVariables
 }
+
+export function notifyUserInvalidCredentials(credentialProviderId: CredentialsProviderId): void {
+    const getHelp = localize('AWS.message.credentials.invalid.help', 'Get Help...')
+    const viewLogs = localize('AWS.message.credentials.invalid.logs', 'View Logs...')
+
+    vscode.window
+        .showErrorMessage(
+            localize(
+                'AWS.message.credentials.invalid',
+                'Invalid Credentials {0}, see logs for more information.',
+                asString(credentialProviderId)
+            ),
+            getHelp,
+            viewLogs
+        )
+        .then((selection: string | undefined) => {
+            if (selection === getHelp) {
+                vscode.env.openExternal(vscode.Uri.parse(credentialHelpUrl))
+            } else if (selection === viewLogs) {
+                vscode.commands.executeCommand('aws.viewLogs')
+            }
+        })
+}
diff --git a/src/credentials/loginManager.ts b/src/credentials/loginManager.ts
@@ -3,25 +3,19 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import * as nls from 'vscode-nls'
-const localize = nls.loadMessageBundle()
-
-import * as vscode from 'vscode'
 import { AwsContext } from '../shared/awsContext'
-import { credentialHelpUrl } from '../shared/constants'
 import { getAccountId } from '../shared/credentials/accountId'
 import { getLogger } from '../shared/logger'
 import { recordAwsSetCredentials, Result } from '../shared/telemetry/telemetry'
 import { CredentialsStore } from './credentialsStore'
-import { CredentialsProvider } from './providers/credentialsProvider'
+import { notifyUserInvalidCredentials } from './credentialsUtilities'
 import { asString, CredentialsProviderId } from './providers/credentialsProviderId'
 import { CredentialsProviderManager } from './providers/credentialsProviderManager'
 
 export class LoginManager {
     private readonly defaultCredentialsRegion = 'us-east-1'
-    private readonly credentialsStore: CredentialsStore = new CredentialsStore()
 
-    public constructor(private readonly awsContext: AwsContext) {}
+    public constructor(private readonly awsContext: AwsContext, private readonly store: CredentialsStore) {}
 
     /**
      * Establishes a Credentials for the Toolkit to use. Essentially the Toolkit becomes "logged in".
@@ -37,9 +31,8 @@ export class LoginManager {
                 throw new Error(`Could not find Credentials Provider for ${asString(credentialsProviderId)}`)
             }
 
-            await this.updateCredentialsStore(credentialsProviderId, provider)
+            const storedCredentials = await this.store.upsertCredentials(credentialsProviderId, provider)
 
-            const storedCredentials = await this.credentialsStore.getCredentials(credentialsProviderId)
             if (!storedCredentials) {
                 throw new Error(`No credentials found for id ${asString(credentialsProviderId)}`)
             }
@@ -64,11 +57,11 @@ export class LoginManager {
                 )}. Toolkit will now disconnect from AWS. %O`,
                 err as Error
             )
-            this.credentialsStore.invalidateCredentials(credentialsProviderId)
+            this.store.invalidateCredentials(credentialsProviderId)
 
             await this.logout()
 
-            this.notifyUserInvalidCredentials(credentialsProviderId)
+            notifyUserInvalidCredentials(credentialsProviderId)
         } finally {
             recordAwsSetCredentials({ result: loginResult })
         }
@@ -80,45 +73,4 @@ export class LoginManager {
     public async logout(): Promise<void> {
         await this.awsContext.setCredentials(undefined)
     }
-
-    /**
-     * Updates the CredentialsStore if the credentials are considered different
-     */
-    private async updateCredentialsStore(
-        credentialsProviderId: CredentialsProviderId,
-        provider: CredentialsProvider
-    ): Promise<void> {
-        const storedCredentials = await this.credentialsStore.getCredentials(credentialsProviderId)
-        if (provider.getHashCode() !== storedCredentials?.credentialsHashCode) {
-            getLogger().verbose(
-                `Credentials for ${asString(credentialsProviderId)} have changed, using updated credentials.`
-            )
-            this.credentialsStore.invalidateCredentials(credentialsProviderId)
-        }
-
-        await this.credentialsStore.getOrCreateCredentials(credentialsProviderId, provider)
-    }
-
-    private notifyUserInvalidCredentials(credentialProviderId: CredentialsProviderId) {
-        const getHelp = localize('AWS.message.credentials.invalid.help', 'Get Help...')
-        const viewLogs = localize('AWS.message.credentials.invalid.logs', 'View Logs...')
-
-        vscode.window
-            .showErrorMessage(
-                localize(
-                    'AWS.message.credentials.invalid',
-                    'Invalid Credentials {0}, see logs for more information.',
-                    asString(credentialProviderId)
-                ),
-                getHelp,
-                viewLogs
-            )
-            .then((selection: string | undefined) => {
-                if (selection === getHelp) {
-                    vscode.env.openExternal(vscode.Uri.parse(credentialHelpUrl))
-                } else if (selection === viewLogs) {
-                    vscode.commands.executeCommand('aws.viewLogs')
-                }
-            })
-    }
 }
diff --git a/src/extension.ts b/src/extension.ts
@@ -55,6 +55,7 @@ import { ExtensionDisposableFiles } from './shared/utilities/disposableFiles'
 import { getChannelLogger } from './shared/utilities/vsCodeUtils'
 import { ExtContext } from './shared/extensions'
 import { activate as activateStepFunctions } from './stepFunctions/activation'
+import { CredentialsStore } from './credentials/credentialsStore'
 
 let localize: nls.LocalizeFunc
 
@@ -78,7 +79,8 @@ export async function activate(context: vscode.ExtensionContext) {
         const awsContext = new DefaultAwsContext(context)
         const awsContextTrees = new AwsContextTreeCollection()
         const regionProvider = new DefaultRegionProvider(endpointsProvider)
-        const loginManager = new LoginManager(awsContext)
+        const credentialsStore = new CredentialsStore()
+        const loginManager = new LoginManager(awsContext, credentialsStore)
 
         const toolkitEnvDetails = getToolkitEnvironmentDetails()
         getLogger().info(toolkitEnvDetails)
@@ -114,6 +116,7 @@ export async function activate(context: vscode.ExtensionContext) {
             outputChannel: toolkitOutputChannel,
             telemetryService: ext.telemetry,
             chanLogger: getChannelLogger(toolkitOutputChannel),
+            credentialsStore,
         }
 
         context.subscriptions.push(
diff --git a/src/shared/extensions.ts b/src/shared/extensions.ts
@@ -9,6 +9,7 @@ import { RegionProvider } from './regions/regionProvider'
 import { SettingsConfiguration } from './settingsConfiguration'
 import { TelemetryService } from './telemetry/telemetryService'
 import { ChannelLogger } from './utilities/vsCodeUtils'
+import { CredentialsStore } from '../credentials/credentialsStore'
 
 export const VSCODE_EXTENSION_ID = {
     awstoolkit: 'amazonwebservices.aws-toolkit-vscode',
@@ -27,4 +28,5 @@ export interface ExtContext {
     outputChannel: vscode.OutputChannel
     telemetryService: TelemetryService
     chanLogger: ChannelLogger
+    credentialsStore: CredentialsStore
 }
diff --git a/src/shared/sam/cli/samCliLocalInvoke.ts b/src/shared/sam/cli/samCliLocalInvoke.ts
@@ -47,7 +47,7 @@ export class DefaultSamLocalInvokeCommand implements SamLocalInvokeCommand {
         ]
     ) {}
 
-    public async invoke({ options = {}, ...params }: SamLocalInvokeCommandArgs): Promise<void> {
+    public async invoke({ options, ...params }: SamLocalInvokeCommandArgs): Promise<void> {
         this.channelLogger.info(
             'AWS.running.command',
             'Running command: {0}',
@@ -155,6 +155,10 @@ export interface SamCliLocalInvokeInvocationArguments {
      * Location of the file containing the environment variables to invoke the Lambda Function against.
      */
     environmentVariablePath: string
+    /**
+     * Environment variables set when invoking the SAM process (NOT passed to the Lambda).
+     */
+    environmentVariables?: NodeJS.ProcessEnv
     /**
      * When specified, starts the Lambda function container in debug mode and exposes this port on the local host.
      */
@@ -212,6 +216,9 @@ export class SamCliLocalInvokeInvocation {
         invokeArgs.push(...(this.args.extraArgs ?? []))
 
         await this.args.invoker.invoke({
+            options: {
+                env: this.args.environmentVariables,
+            },
             command: 'sam',
             args: invokeArgs,
             isDebug: !!this.args.debugPort,
diff --git a/src/shared/sam/debugger/awsSamDebugger.ts b/src/shared/sam/debugger/awsSamDebugger.ts
@@ -39,6 +39,10 @@ import {
 } from './awsSamDebugConfigurationValidator'
 import { makeConfig } from '../localLambdaRunner'
 import { SamLocalInvokeCommand } from '../cli/samCliLocalInvoke'
+import { getCredentialsFromStore } from '../../../credentials/credentialsStore'
+import { fromString } from '../../../credentials/providers/credentialsProviderId'
+import { notifyUserInvalidCredentials } from '../../../credentials/credentialsUtilities'
+import { Credentials } from 'aws-sdk/lib/credentials'
 
 const localize = nls.loadMessageBundle()
 
@@ -111,6 +115,11 @@ export interface SamLaunchRequestArgs extends AwsSamDebuggerConfiguration {
     debuggerPath?: string
     debugPort?: number
 
+    /**
+     * Credentials to add as env vars if available
+     */
+    awsCredentials?: Credentials
+
     //
     //  Invocation properties (for "execute" phase, after "config" phase).
     //  Non-serializable...
@@ -311,6 +320,19 @@ export class SamDebugConfigProvider implements vscode.DebugConfigurationProvider
             // XXX: don't know what URI to choose...
             vscode.Uri.parse(templateInvoke.samTemplatePath!!)
 
+        let awsCredentials: Credentials | undefined
+
+        if (config.aws?.credentials) {
+            const credentialsProviderId = fromString(config.aws.credentials)
+            try {
+                awsCredentials = await getCredentialsFromStore(credentialsProviderId, this.ctx.credentialsStore)
+            } catch (err) {
+                getLogger().error(err as Error)
+                notifyUserInvalidCredentials(credentialsProviderId)
+                return undefined
+            }
+        }
+
         let launchConfig: SamLaunchRequestArgs = {
             ...config,
             request: 'attach',
@@ -330,6 +352,7 @@ export class SamDebugConfigProvider implements vscode.DebugConfigurationProvider
                 timeoutSec: lambdaTimout,
                 environmentVariables: { ...config.lambda?.environmentVariables },
             },
+            awsCredentials: awsCredentials,
         }
 
         //
diff --git a/src/shared/sam/debugger/typescriptSamDebug.ts b/src/shared/sam/debugger/typescriptSamDebug.ts
@@ -62,7 +62,7 @@ export async function makeTypescriptConfig(config: SamLaunchRequestArgs): Promis
     // Always generate a temporary template.yaml, don't use workspace one directly.
     config.samTemplatePath = await makeInputTemplate(config)
 
-    //  Make a python launch-config from the generic config.
+    //  Make a node launch-config from the generic config.
     const nodejsLaunchConfig: NodejsDebugConfiguration = {
         ...config, // Compose.
         type: 'node',
diff --git a/src/shared/sam/localLambdaRunner.ts b/src/shared/sam/localLambdaRunner.ts
@@ -26,6 +26,7 @@ import { DefaultValidatingSamCliProcessInvoker } from './cli/defaultValidatingSa
 import { SamCliBuildInvocation, SamCliBuildInvocationArguments } from './cli/samCliBuild'
 import { SamCliLocalInvokeInvocation, SamCliLocalInvokeInvocationArguments } from './cli/samCliLocalInvoke'
 import { SamLaunchRequestArgs } from './debugger/awsSamDebugger'
+import { asEnvironmentVariables } from '../../credentials/credentialsUtilities'
 
 export interface LambdaLocalInvokeParams {
     /** URI of the current editor document. */
@@ -136,13 +137,17 @@ export async function invokeLambdaFunction(
 
     ctx.chanLogger.info('AWS.output.building.sam.application', 'Building SAM Application...')
     const samBuildOutputFolder = path.join(config.baseBuildDir!, 'output')
+    const envVars = {
+        ...(config.awsCredentials ? asEnvironmentVariables(config.awsCredentials) : {}),
+        ...(config.aws?.region ? { AWS_DEFAULT_REGION: config.aws.region } : {}),
+    }
     const samCliArgs: SamCliBuildInvocationArguments = {
         buildDir: samBuildOutputFolder,
         baseDir: config.codeRoot,
         templatePath: config.samTemplatePath!,
         invoker: processInvoker,
         manifestPath: config.manifestPath,
-        environmentVariables: {},
+        environmentVariables: envVars,
         useContainer: config.sam?.containerBuild || false,
         extraArgs: config.sam?.buildArguments,
     }
@@ -174,6 +179,7 @@ export async function invokeLambdaFunction(
         templatePath: config.samTemplatePath,
         eventPath: config.eventPayloadFile,
         environmentVariablePath: config.envFile,
+        environmentVariables: envVars,
         invoker: config.samLocalInvokeCommand!,
         dockerNetwork: config.sam?.dockerNetwork,
         debugPort: !config.noDebug ? config.debugPort?.toString() : undefined,
diff --git a/src/test/fakeExtensionContext.ts b/src/test/fakeExtensionContext.ts
diff --git a/src/test/shared/credentials/credentialsStore.test.ts b/src/test/shared/credentials/credentialsStore.test.ts
diff --git a/src/test/shared/credentials/loginManager.test.ts b/src/test/shared/credentials/loginManager.test.ts
diff --git a/src/test/shared/sam/debugger/samDebugConfigProvider.test.ts b/src/test/shared/sam/debugger/samDebugConfigProvider.test.ts
