fix(auth): more improvements (#2986)

## Problem
* `invalidate` doesn't drop the cached registration
* Users can switch to invalid static credentials
* Outdated references to "SSO"

## Solution
* Use LoginManager to validate profiles
* Update `invalidate`
* Change usages of "SSO" to relevant IAM Identity Center terminology

Author: JadenSimon

src/credentials/auth.ts

@@ -434,7 +434,7 @@ export class Auth implements AuthService, ConnectionManager {
 
             return provider.invalidate()
         } else if (profile.type === 'iam') {
-            globals.credentialsStore.invalidateCredentials(fromString(id))
+            globals.loginManager.store.invalidateCredentials(fromString(id))
         }
     }
 
@@ -518,7 +518,8 @@ export class Auth implements AuthService, ConnectionManager {
         profile: StoredProfile<SsoProfile>
     ): SsoConnection & StatefulConnection {
         const provider = this.getTokenProvider(id, profile)
-        const label = `SSO (${profile.startUrl})`
+        const truncatedUrl = profile.startUrl.match(/https?:\/\/(.*)\.awsapps\.com\/start/)?.[1] ?? profile.startUrl
+        const label = `IAM Identity Center (${truncatedUrl})`
 
         return {
             id,
@@ -547,14 +548,15 @@ export class Auth implements AuthService, ConnectionManager {
 
     private async createCachedCredentials(provider: CredentialsProvider) {
         const providerId = provider.getCredentialsId()
-        globals.credentialsStore.invalidateCredentials(providerId)
-        const { credentials } = await globals.credentialsStore.upsertCredentials(providerId, provider)
+        globals.loginManager.store.invalidateCredentials(providerId)
+        const { credentials } = await globals.loginManager.store.upsertCredentials(providerId, provider)
+        await globals.loginManager.validateCredentials(credentials, provider.getDefaultRegion())
 
         return credentials
     }
 
     private async getCachedCredentials(provider: CredentialsProvider) {
-        const creds = await globals.credentialsStore.getCredentials(provider.getCredentialsId())
+        const creds = await globals.loginManager.store.getCredentials(provider.getCredentialsId())
         if (creds !== undefined && creds.credentialsHashCode === provider.getHashCode()) {
             return creds.credentials
         }
@@ -784,7 +786,7 @@ export async function createStartUrlPrompter(title: string) {
 
     return createInputBox({
         title: `${title}: Enter Start URL`,
-        placeholder: "Enter start URL for your organization's SSO",
+        placeholder: "Enter start URL for your organization's AWS access portal",
         buttons: createCommonButtons(),
         validateInput: validateSsoUrl,
     })
@@ -807,7 +809,7 @@ const addConnection = Commands.register('aws.auth.addConnection', async () => {
         case 'iam':
             return await globals.awsContextCommands.onCommandCreateCredentialsProfile()
         case 'sso': {
-            const startUrlPrompter = await createStartUrlPrompter('SSO Connection')
+            const startUrlPrompter = await createStartUrlPrompter('IAM Identity Center')
             const startUrl = await startUrlPrompter.prompt()
             if (!isValidResponse(startUrl)) {
                 throw new CancellationError('user')

src/credentials/loginManager.ts

@@ -42,7 +42,7 @@ export class LoginManager {
 
     public constructor(
         private readonly awsContext: AwsContext,
-        private readonly store: CredentialsStore,
+        public readonly store: CredentialsStore,
         public readonly recordAwsValidateCredentialsFn = telemetry.aws_validateCredentials.emit.bind(
             telemetry.aws_validateCredentials
         )
@@ -69,13 +69,7 @@ export class LoginManager {
                 throw new Error(`No credentials found for id ${asString(args.providerId)}`)
             }
 
-            const credentialsRegion = provider.getDefaultRegion() ?? this.defaultCredentialsRegion
-            const stsClient = new DefaultStsClient(credentialsRegion, credentials)
-            const accountId = (await stsClient.getCallerIdentity()).Account
-            if (!accountId) {
-                throw new Error('Could not determine Account Id for credentials')
-            }
-
+            const accountId = await this.validateCredentials(credentials, provider.getDefaultRegion())
             this.awsContext.credentialsShim = createCredentialsShim(this.store, args.providerId, credentials)
             await this.awsContext.setCredentials({
                 credentials,
@@ -115,6 +109,16 @@ export class LoginManager {
         }
     }
 
+    public async validateCredentials(credentials: Credentials, region = this.defaultCredentialsRegion) {
+        const stsClient = new DefaultStsClient(region, credentials)
+        const accountId = (await stsClient.getCallerIdentity()).Account
+        if (!accountId) {
+            throw new Error('Could not determine Account Id for credentials')
+        }
+
+        return accountId
+    }
+
     /**
      * Removes Credentials from the Toolkit. Essentially the Toolkit becomes "logged out".
      *

src/credentials/sso/ssoAccessTokenProvider.ts

@@ -62,7 +62,10 @@ export class SsoAccessTokenProvider {
     ) {}
 
     public async invalidate(): Promise<void> {
-        await this.cache.token.clear(this.tokenCacheKey)
+        await Promise.all([
+            this.cache.token.clear(this.tokenCacheKey),
+            this.cache.registration.clear(this.registrationCacheKey),
+        ])
     }
 
     public async getToken(): Promise<SsoToken | undefined> {

src/extension.ts

@@ -112,7 +112,7 @@ export async function activate(context: vscode.ExtensionContext) {
 
         await initializeAwsCredentialsStatusBarItem(awsContext, context)
         globals.regionProvider = regionProvider
-        globals.credentialsStore = credentialsStore
+        globals.loginManager = loginManager
         globals.awsContextCommands = new AwsContextCommands(regionProvider, Auth.instance)
         globals.sdkClientBuilder = new DefaultAWSClientBuilder(awsContext)
         globals.schemaService = new SchemaService(context)

src/shared/extensionGlobals.ts

@@ -4,7 +4,7 @@
  */
 
 import { ExtensionContext, OutputChannel, Uri } from 'vscode'
-import { CredentialsStore } from '../credentials/credentialsStore'
+import { LoginManager } from '../credentials/loginManager'
 import { AwsResourceManager } from '../dynamicResources/awsResourceManager'
 import { AWSClientBuilder } from './awsClientBuilder'
 import { AwsContext } from './awsContext'
@@ -60,7 +60,7 @@ interface ToolkitGlobals {
     readonly window: Window
     // TODO: make the rest of these readonly (or delete them)
     outputChannel: OutputChannel
-    credentialsStore: CredentialsStore
+    loginManager: LoginManager
     awsContextCommands: AwsContextCommands
     awsContext: AwsContext
     regionProvider: RegionProvider

src/test/credentials/sso/ssoAccessTokenProvider.test.ts

@@ -78,6 +78,18 @@ describe('SsoAccessTokenProvider', function () {
         await tryRemoveFolder(tempDir)
     })
 
+    describe('invalidate', function () {
+        it('removes cached tokens and registrations', async function () {
+            const validToken = createToken(HOUR_IN_MS)
+            await cache.token.save(startUrl, { region, startUrl, token: validToken })
+            await cache.registration.save({ region }, createRegistration(HOUR_IN_MS))
+            await sut.invalidate()
+
+            assert.strictEqual(await cache.token.load(startUrl), undefined)
+            assert.strictEqual(await cache.registration.load({ region }), undefined)
+        })
+    })
+
     describe('getToken', function () {
         it('returns a cached token', async function () {
             const validToken = createToken(HOUR_IN_MS)