refactor: Credentials Validation (#3424)

This refactors the methods of credentials validation
to instead have a single function that decides which
validation method we want to use based off the key.

Signed-off-by: Nikolas Komonen <[email protected]>

Author: nkomonen-amazon

src/credentials/auth.ts

@@ -46,8 +46,8 @@ import { AsyncCollection, toCollection } from '../shared/utilities/asyncCollecti
 import { join, toStream } from '../shared/utilities/collectionUtils'
 import { getConfigFilename } from './sharedCredentialsFile'
 import { saveProfileToCredentials } from './sharedCredentials'
-import { SectionName, StaticCredentialsProfileData } from './types'
-import { validateCredentialsProfile } from './sharedCredentialsValidation'
+import { SectionName, StaticCredentialsProfileKeys } from './types'
+import { throwOnInvalidCredentials } from './sharedCredentialsValidation'
 
 export const ssoScope = 'sso:account:access'
 export const codecatalystScopes = ['codecatalyst:read_write']
@@ -1204,10 +1204,10 @@ const addConnection = Commands.register('aws.auth.addConnection', async () => {
 
 export async function tryAddCredentials(
     profileName: SectionName,
-    profileData: StaticCredentialsProfileData,
+    profileData: StaticCredentialsProfileKeys,
     tryConnect = true
 ): Promise<boolean> {
-    await validateCredentialsProfile(profileName, profileData)
+    await throwOnInvalidCredentials(profileName, profileData)
     await saveProfileToCredentials(profileName, profileData)
     if (tryConnect) {
         const auth = Auth.instance

src/credentials/sharedCredentials.ts

@@ -8,7 +8,7 @@ import { SystemUtilities } from '../shared/systemUtilities'
 import { ToolkitError } from '../shared/errors'
 import { assertHasProps } from '../shared/utilities/tsUtils'
 import { getConfigFilename, getCredentialsFilename } from './sharedCredentialsFile'
-import { SectionName, StaticCredentialsProfileData } from './types'
+import { SectionName, StaticCredentialsProfileKeys } from './types'
 import { UserCredentialsUtils } from '../shared/credentials/userCredentialsUtils'
 
 export async function updateAwsSdkLoadConfigEnvVar(): Promise<void> {
@@ -241,7 +241,7 @@ async function loadCredentialsFile(credentialsUri?: vscode.Uri): Promise<ReturnT
  */
 export async function saveProfileToCredentials(
     profileName: SectionName,
-    profileData: StaticCredentialsProfileData
+    profileData: StaticCredentialsProfileKeys
 ): Promise<void> {
     if (await profileExists(profileName)) {
         throw new ToolkitError(`Cannot save profile "${profileName}" because it already exists.`, {

src/credentials/sharedCredentialsValidation.ts

@@ -6,89 +6,127 @@
  */
 
 import { localize } from 'vscode-nls'
-import { SectionName, SharedCredentialsKeys, StaticCredentialsProfileData } from './types'
+import { CredentialsData, CredentialsKey, SectionName, SharedCredentialsKeys } from './types'
 import { ToolkitError } from '../shared/errors'
 import { profileExists } from './sharedCredentials'
+import { getLogger } from '../shared/logger'
+
+/** credentials keys and their associated error message, if they exists */
+type CredentialsErrors = CredentialsData
 
 /**
- * The format validators for shared credentials keys.
+ * A function that validates a credential value
  *
- * A format validator validates the format of the data,
- * but not the validity of the content.
+ * @returns An error message string if there is an error, otherwise undefined.
  */
-export const CredentialsKeyFormatValidators = {
-    [SharedCredentialsKeys.AWS_ACCESS_KEY_ID]: getAccessKeyIdFormatError,
-    [SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]: getSecretAccessKeyFormatError,
-} as const
+type GetCredentialError = (key: CredentialsKey, value: string | undefined) => string | undefined
 
 /**
- * Holds the error for each key of static credentials data,
- * if it exists. This allows the user to get all the errors
- * at once.
+ * Validates all credentials values from the given input
+ *
+ * @returns Returns the same shape as the input, but the value of each
+ * key is an error message if the original value is invalid,
+ * otherwise undefined.
+ *
+ * If there are no errors at all, undefined is returned
  */
-export type StaticCredentialsErrorResult = {
-    [k in keyof StaticCredentialsProfileData]: string | undefined
+export function getCredentialsErrors(
+    data: CredentialsData,
+    validateFunc: GetCredentialError = getCredentialError
+): CredentialsErrors | undefined {
+    const errors: CredentialsData = {}
+    Object.entries(data).forEach(([key, value]) => {
+        if (!isCredentialsKey(key)) {
+            return
+        }
+        errors[key] = validateFunc(key, value)
+    })
+    if (Object.keys(errors).length === 0) {
+        return
+    }
+    return errors
 }
 
-export function getStaticCredentialsDataErrors(
-    data: StaticCredentialsProfileData
-): StaticCredentialsErrorResult | undefined {
-    const accessKeyIdError = CredentialsKeyFormatValidators[SharedCredentialsKeys.AWS_ACCESS_KEY_ID](
-        data[SharedCredentialsKeys.AWS_ACCESS_KEY_ID]
-    )
-    const secretAccessKeyError = CredentialsKeyFormatValidators[SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY](
-        data[SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]
-    )
-
-    if (accessKeyIdError === undefined && secretAccessKeyError === undefined) {
-        return undefined
+export const getCredentialError: GetCredentialError = (key: CredentialsKey, value: string | undefined) => {
+    const emptyError = getCredentialEmptyError(key, value)
+    if (emptyError) {
+        return emptyError
     }
 
-    return {
-        [SharedCredentialsKeys.AWS_ACCESS_KEY_ID]: accessKeyIdError,
-        [SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]: secretAccessKeyError,
+    // If value is allowed to be empty, no need to validate anything further
+    if (!value) {
+        return
     }
-}
 
-const accessKeyPattern = /[\w]{16,128}/
+    return getCredentialFormatError(key, value)
+}
 
-function getAccessKeyIdFormatError(awsAccessKeyId: string | undefined): string | undefined {
-    if (awsAccessKeyId === undefined) {
-        return undefined
+/**
+ * Validates the format of a credential value.
+ *
+ * This function assumes there is a value to evaluate, if not
+ * it returns no error.
+ */
+export const getCredentialFormatError: GetCredentialError = (key, value) => {
+    if (!value) {
+        /** Empty values should be validated in {@link getCredentialEmptyError} */
+        getLogger().debug('getCredentialFormatError() called with empty value for key "%s"', key)
+        return
     }
 
-    if (awsAccessKeyId === '') {
-        return localize('AWS.credentials.error.emptyAccessKey', 'Access key must not be empty')
-    }
-    if (!accessKeyPattern.test(awsAccessKeyId)) {
-        return localize(
-            'AWS.credentials.error.emptyAccessKey',
-            'Access key must be alphanumeric and between 16 and 128 characters'
-        )
+    switch (key) {
+        case SharedCredentialsKeys.AWS_ACCESS_KEY_ID: {
+            const accessKeyPattern = /[\w]{16,128}/
+            if (!accessKeyPattern.test(value)) {
+                return localize(
+                    'AWS.credentials.error.invalidAccessKeyFormat',
+                    'Access key must be alphanumeric and between 16 and 128 characters'
+                )
+            }
+            return
+        }
+        case SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY:
+            return
+        default:
+            throw new ToolkitError(`Unsupported key in getCredentialFormatError(): "${key}"`)
     }
 }
 
-function getSecretAccessKeyFormatError(awsSecretAccessKey: string | undefined): string | undefined {
-    if (awsSecretAccessKey === undefined) {
-        return undefined
-    }
-
-    if (awsSecretAccessKey === '') {
-        return localize('AWS.credentials.error.emptySecretKey', 'Secret key must not be empty')
+export const getCredentialEmptyError: GetCredentialError = (key: CredentialsKey, value: string | undefined) => {
+    switch (key) {
+        case SharedCredentialsKeys.AWS_ACCESS_KEY_ID:
+        case SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY:
+            if (value) {
+                return undefined
+            }
+            return 'Cannot be empty.'
+        default:
+            throw new ToolkitError(`Unsupported key in getCredentialEmptyError(): "${key}"`)
     }
 }
 
 /** To be used as a sanity check to validate all core parts of a credentials profile */
-export async function validateCredentialsProfile(profileName: SectionName, profileData: StaticCredentialsProfileData) {
-    if (await profileExists(profileName)) {
-        throw new ToolkitError(`Credentials profile "${profileName}" already exists`)
-    }
+export async function throwOnInvalidCredentials(profileName: SectionName, data: CredentialsData) {
+    await validateProfileName(profileName)
 
-    const credentialsDataErrors = getStaticCredentialsDataErrors(profileData)
+    const credentialsDataErrors = getCredentialsErrors(data)
     if (credentialsDataErrors !== undefined) {
         throw new ToolkitError(`Errors in credentials data: ${credentialsDataErrors}`, {
             code: 'InvalidCredentialsData',
             details: credentialsDataErrors,
         })
     }
 }
+
+async function validateProfileName(profileName: SectionName) {
+    if (await profileExists(profileName)) {
+        throw new ToolkitError(`Credentials profile "${profileName}" already exists`)
+    }
+}
+
+// All shared credentials keys
+const sharedCredentialsKeysSet = new Set(Object.values(SharedCredentialsKeys))
+
+export function isCredentialsKey(key: string): key is CredentialsKey {
+    return sharedCredentialsKeysSet.has(key as CredentialsKey)
+}

src/credentials/types.ts

@@ -24,15 +24,18 @@ export const SharedCredentialsKeys = {
     SSO_REGISTRATION_SCOPES: 'sso_registration_scopes',
 } as const
 
+/** An object that has only credentials data */
+export type CredentialsData = Partial<Record<CredentialsKey, string>>
+
+export type CredentialsKey = (typeof SharedCredentialsKeys)[keyof typeof SharedCredentialsKeys]
+
 /**
  * The required keys for a static credentials profile
  *
  * https://docs.aws.amazon.com/sdkref/latest/guide/feature-static-credentials.html
  */
-export interface StaticCredentialsProfileData {
-    [SharedCredentialsKeys.AWS_ACCESS_KEY_ID]: string
-    [SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]: string
-}
+export type StaticCredentialsProfileKeysOptional = Pick<CredentialsData, 'aws_access_key_id' | 'aws_secret_access_key'>
+export type StaticCredentialsProfileKeys = Required<StaticCredentialsProfileKeysOptional>
 
 /**
  * The name of a section in a credentials/config file

src/credentials/wizards/templates.ts

@@ -11,14 +11,14 @@ import { getIdeProperties } from '../../shared/extensionUtilities'
 import { ProfileTemplateProvider } from './createProfile'
 import { createCommonButtons } from '../../shared/ui/buttons'
 import { credentialHelpUrl } from '../../shared/constants'
-import { SharedCredentialsKeys, StaticCredentialsProfileData } from '../types'
-import { CredentialsKeyFormatValidators } from '../sharedCredentialsValidation'
+import { SharedCredentialsKeys, StaticCredentialsProfileKeys } from '../types'
+import { getCredentialError } from '../sharedCredentialsValidation'
 
 function getTitle(profileName: string): string {
     return localize('AWS.title.createCredentialProfile', 'Creating new profile "{0}"', profileName)
 }
 
-export const staticCredentialsTemplate: ProfileTemplateProvider<StaticCredentialsProfileData> = {
+export const staticCredentialsTemplate: ProfileTemplateProvider<StaticCredentialsProfileKeys> = {
     label: 'Static Credentials',
     description: 'Use this for credentials that never expire',
     prompts: {
@@ -33,7 +33,7 @@ export const staticCredentialsTemplate: ProfileTemplateProvider<StaticCredential
                     'Input the {0} Access Key',
                     getIdeProperties().company
                 ),
-                validateInput: CredentialsKeyFormatValidators.aws_access_key_id,
+                validateInput: value => getCredentialError(SharedCredentialsKeys.AWS_ACCESS_KEY_ID, value),
             }),
         [SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]: name =>
             createInputBox({
@@ -46,7 +46,7 @@ export const staticCredentialsTemplate: ProfileTemplateProvider<StaticCredential
                     'Input the {0} Secret Key',
                     getIdeProperties().company
                 ),
-                validateInput: CredentialsKeyFormatValidators.aws_secret_access_key,
+                validateInput: value => getCredentialError(SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY, value),
                 password: true,
             }),
     },