feat(core): Update all references to use new auth class using flare identity server for Amazon Q

Author: opieter-aws

packages/amazonq/src/app/amazonqScan/app.ts

@@ -19,6 +19,7 @@ import { Messenger } from './chat/controller/messenger/messenger'
 import { UIMessageListener } from './chat/views/actions/uiMessageListener'
 import { debounce } from 'lodash'
 import { Commands, placeholder } from 'aws-core-vscode/shared'
+import { auth2 } from 'aws-core-vscode/auth'
 
 export function init(appContext: AmazonQAppInitContext) {
     const scanChatControllerEventEmitters: ScanChatControllerEventEmitters = {
@@ -52,7 +53,7 @@ export function init(appContext: AmazonQAppInitContext) {
     appContext.registerWebViewToAppMessagePublisher(new MessagePublisher<any>(scanChatUIInputEventEmitter), 'review')
 
     const debouncedEvent = debounce(async () => {
-        const authenticated = (await AuthUtil.instance.getChatAuthState()).amazonQ === 'connected'
+        const authenticated = AuthUtil.instance.getAuthState() === 'connected'
         let authenticatingSessionID = ''
 
         if (authenticated) {
@@ -67,7 +68,7 @@ export function init(appContext: AmazonQAppInitContext) {
         messenger.sendAuthenticationUpdate(authenticated, [authenticatingSessionID])
     }, 500)
 
-    AuthUtil.instance.secondaryAuth.onDidChangeActiveConnection(() => {
+    AuthUtil.instance.onDidChangeConnectionState((e: auth2.AuthStateEvent) => {
         return debouncedEvent()
     })
     AuthUtil.instance.regionProfileManager.onDidChangeRegionProfile(() => {

packages/amazonq/src/app/amazonqScan/chat/controller/controller.ts

@@ -104,7 +104,7 @@ export class ScanController {
             telemetry.amazonq_feedback.emit({
                 featureId: 'amazonQReview',
                 amazonqConversationId: this.sessionStorage.getSession().scanUuid,
-                credentialStartUrl: AuthUtil.instance.startUrl,
+                credentialStartUrl: AuthUtil.instance.connection?.startUrl,
                 interactionType: data.vote,
             })
         })
@@ -122,8 +122,8 @@ export class ScanController {
         try {
             getLogger().debug(`Q - Review: Session created with id: ${session.tabID}`)
 
-            const authState = await AuthUtil.instance.getChatAuthState()
-            if (authState.amazonQ !== 'connected') {
+            const authState = AuthUtil.instance.getAuthState()
+            if (authState !== 'connected') {
                 void this.messenger.sendAuthNeededExceptionMessage(authState, tabID)
                 session.isAuthenticating = true
                 return
@@ -161,8 +161,8 @@ export class ScanController {
                 return
             }
             // check that the session is authenticated
-            const authState = await AuthUtil.instance.getChatAuthState()
-            if (authState.amazonQ !== 'connected') {
+            const authState = AuthUtil.instance.getAuthState()
+            if (authState !== 'connected') {
                 void this.messenger.sendAuthNeededExceptionMessage(authState, message.tabID)
                 session.isAuthenticating = true
                 return

packages/amazonq/src/app/amazonqScan/chat/controller/messenger/messenger.ts

@@ -10,7 +10,6 @@
 
 import { AuthFollowUpType, AuthMessageDataMap } from 'aws-core-vscode/amazonq'
 import {
-    FeatureAuthState,
     SecurityScanError,
     CodeWhispererConstants,
     SecurityScanStep,
@@ -34,6 +33,7 @@ import {
 import { i18n } from 'aws-core-vscode/shared'
 import { ScanAction, scanProgressMessage } from '../../../models/constants'
 import path from 'path'
+import { auth2 } from 'aws-core-vscode/auth'
 
 export type UnrecoverableErrorType = 'no-project-found' | 'no-open-file-found' | 'invalid-file-type'
 
@@ -78,19 +78,15 @@ export class Messenger {
         this.dispatcher.sendUpdatePromptProgress(new UpdatePromptProgressMessage(tabID, progressField))
     }
 
-    public async sendAuthNeededExceptionMessage(credentialState: FeatureAuthState, tabID: string) {
+    public async sendAuthNeededExceptionMessage(credentialState: auth2.AuthState, tabID: string) {
         let authType: AuthFollowUpType = 'full-auth'
         let message = AuthMessageDataMap[authType].message
 
-        switch (credentialState.amazonQ) {
-            case 'disconnected':
+        switch (credentialState) {
+            case 'notConnected':
                 authType = 'full-auth'
                 message = AuthMessageDataMap[authType].message
                 break
-            case 'unsupported':
-                authType = 'use-supported-auth'
-                message = AuthMessageDataMap[authType].message
-                break
             case 'expired':
                 authType = 're-auth'
                 message = AuthMessageDataMap[authType].message

packages/amazonq/src/inlineChat/provider/inlineChatProvider.ts

@@ -123,10 +123,8 @@ export class InlineChatProvider {
 
         const tabID = triggerEvent.tabID
 
-        const credentialsState = await AuthUtil.instance.getChatAuthState()
-        if (
-            !(credentialsState.codewhispererChat === 'connected' && credentialsState.codewhispererCore === 'connected')
-        ) {
+        const credentialsState = AuthUtil.instance.getAuthState()
+        if (credentialsState !== 'connected') {
             const { message } = extractAuthFollowUp(credentialsState)
             this.errorEmitter.fire()
             throw new ToolkitError(message)

packages/amazonq/src/lsp/chat/messages.ts

@@ -117,7 +117,7 @@ export function registerMessageListeners(
 
                 if (fullAuthTypes.includes(authType)) {
                     try {
-                        await AuthUtil.instance.secondaryAuth.deleteConnection()
+                        await AuthUtil.instance.logout()
                     } catch (e) {
                         languageClient.error(
                             `[VSCode Client] Failed to authenticate after AUTH_FOLLOW_UP_CLICKED: ${(e as Error).message}`

packages/amazonq/test/e2e/amazonq/utils/setup.ts

@@ -5,9 +5,9 @@
 import { AuthUtil } from 'aws-core-vscode/codewhisperer'
 
 export async function loginToIdC() {
-    const authState = await AuthUtil.instance.getChatAuthState()
+    const authState = AuthUtil.instance.getAuthState()
     if (process.env['AWS_TOOLKIT_AUTOMATION'] === 'local') {
-        if (authState.amazonQ !== 'connected') {
+        if (authState !== 'connected') {
             throw new Error('You will need to login manually before running tests.')
         }
         return
@@ -22,5 +22,5 @@ export async function loginToIdC() {
         )
     }
 
-    await AuthUtil.instance.connectToEnterpriseSso(startUrl, region)
+    await AuthUtil.instance.login(startUrl, region)
 }

packages/amazonq/test/unit/codewhisperer/region/regionProfileManager.test.ts

@@ -7,41 +7,36 @@ import * as sinon from 'sinon'
 import assert, { fail } from 'assert'
 import { AuthUtil, RegionProfile, RegionProfileManager, defaultServiceConfig } from 'aws-core-vscode/codewhisperer'
 import { globals } from 'aws-core-vscode/shared'
-import { createTestAuth } from 'aws-core-vscode/test'
-import { SsoConnection } from 'aws-core-vscode/auth'
+import { builderIdStartUrl } from 'aws-core-vscode/auth'
 
 const enterpriseSsoStartUrl = 'https://enterprise.awsapps.com/start'
+const region = 'us-east-1'
 
 describe('RegionProfileManager', function () {
-    let sut: RegionProfileManager
-    let auth: ReturnType<typeof createTestAuth>
-    let authUtil: AuthUtil
+    let regionProfileManager: RegionProfileManager
 
     const profileFoo: RegionProfile = {
         name: 'foo',
-        region: 'us-east-1',
+        region,
         arn: 'foo arn',
         description: 'foo description',
     }
 
     async function setupConnection(type: 'builderId' | 'idc') {
         if (type === 'builderId') {
-            await authUtil.connectToAwsBuilderId()
-            const conn = authUtil.conn
-            assert.strictEqual(conn?.type, 'sso')
-            assert.strictEqual(conn.label, 'AWS Builder ID')
+            await AuthUtil.instance.login(builderIdStartUrl, region)
+            assert.ok(AuthUtil.instance.isSsoSession())
+            assert.ok(AuthUtil.instance.isBuilderIdConnection())
         } else if (type === 'idc') {
-            await authUtil.connectToEnterpriseSso(enterpriseSsoStartUrl, 'us-east-1')
-            const conn = authUtil.conn
-            assert.strictEqual(conn?.type, 'sso')
-            assert.strictEqual(conn.label, 'IAM Identity Center (enterprise)')
+            await AuthUtil.instance.login(enterpriseSsoStartUrl, region)
+            assert.ok(AuthUtil.instance.isSsoSession())
+            assert.ok(AuthUtil.instance.isIdcConnection())
         }
     }
 
     beforeEach(function () {
-        auth = createTestAuth(globals.globalState)
-        authUtil = new AuthUtil(auth)
-        sut = new RegionProfileManager(() => authUtil.conn)
+        regionProfileManager = new RegionProfileManager(AuthUtil.instance)
+        // const authUtilStub = sinon.stub(AuthUtil.instance, 'isIdcConnection').returns(isSso)
     })
 
     afterEach(function () {
@@ -65,9 +60,9 @@ describe('RegionProfileManager', function () {
             const mockClient = {
                 listAvailableProfiles: listProfilesStub,
             }
-            const createClientStub = sinon.stub(sut, 'createQClient').resolves(mockClient)
+            const createClientStub = sinon.stub(regionProfileManager, 'createQClient').resolves(mockClient)
 
-            const r = await sut.listRegionProfile()
+            const r = await regionProfileManager.listRegionProfiles()
 
             assert.strictEqual(r.length, 2)
             assert.deepStrictEqual(r, [
@@ -93,41 +88,40 @@ describe('RegionProfileManager', function () {
     describe('switch and get profile', function () {
         it('should switch if connection is IdC', async function () {
             await setupConnection('idc')
-            await sut.switchRegionProfile(profileFoo, 'user')
-            assert.deepStrictEqual(sut.activeRegionProfile, profileFoo)
+            await regionProfileManager.switchRegionProfile(profileFoo, 'user')
+            assert.deepStrictEqual(regionProfileManager.activeRegionProfile, profileFoo)
         })
 
         it('should do nothing and return undefined if connection is builder id', async function () {
             await setupConnection('builderId')
-            await sut.switchRegionProfile(profileFoo, 'user')
-            assert.deepStrictEqual(sut.activeRegionProfile, undefined)
+            await regionProfileManager.switchRegionProfile(profileFoo, 'user')
+            assert.deepStrictEqual(regionProfileManager.activeRegionProfile, undefined)
         })
     })
 
     describe(`client config`, function () {
         it(`no valid credential should throw`, async function () {
-            assert.ok(authUtil.conn === undefined)
+            assert.ok(!AuthUtil.instance.isConnected())
 
             assert.throws(() => {
-                sut.clientConfig
+                regionProfileManager.clientConfig
             }, /trying to get client configuration without credential/)
         })
 
         it(`builder id should always use default profile IAD`, async function () {
             await setupConnection('builderId')
-            await sut.switchRegionProfile(profileFoo, 'user')
-            assert.deepStrictEqual(sut.activeRegionProfile, undefined)
-            const conn = authUtil.conn
-            if (!conn) {
+            await regionProfileManager.switchRegionProfile(profileFoo, 'user')
+            assert.deepStrictEqual(regionProfileManager.activeRegionProfile, undefined)
+            if (!AuthUtil.instance.isConnected()) {
                 fail('connection should not be undefined')
             }
 
-            assert.deepStrictEqual(sut.clientConfig, defaultServiceConfig)
+            assert.deepStrictEqual(regionProfileManager.clientConfig, defaultServiceConfig)
         })
 
         it(`idc should return correct endpoint corresponding to profile region`, async function () {
             await setupConnection('idc')
-            await sut.switchRegionProfile(
+            await regionProfileManager.switchRegionProfile(
                 {
                     name: 'foo',
                     region: 'eu-central-1',
@@ -136,16 +130,16 @@ describe('RegionProfileManager', function () {
                 },
                 'user'
             )
-            assert.ok(sut.activeRegionProfile)
-            assert.deepStrictEqual(sut.clientConfig, {
+            assert.ok(regionProfileManager.activeRegionProfile)
+            assert.deepStrictEqual(regionProfileManager.clientConfig, {
                 region: 'eu-central-1',
                 endpoint: 'https://q.eu-central-1.amazonaws.com/',
             })
         })
 
         it(`idc should throw if corresponding endpoint is not defined`, async function () {
             await setupConnection('idc')
-            await sut.switchRegionProfile(
+            await regionProfileManager.switchRegionProfile(
                 {
                     name: 'foo',
                     region: 'unknown region',
@@ -156,74 +150,71 @@ describe('RegionProfileManager', function () {
             )
 
             assert.throws(() => {
-                sut.clientConfig
+                regionProfileManager.clientConfig
             }, /Q client configuration error, endpoint not found for region*/)
         })
     })
 
     describe('persistence', function () {
         it('persistSelectedRegionProfile', async function () {
             await setupConnection('idc')
-            await sut.switchRegionProfile(profileFoo, 'user')
-            assert.deepStrictEqual(sut.activeRegionProfile, profileFoo)
-            const conn = authUtil.conn
-            if (!conn) {
+            await regionProfileManager.switchRegionProfile(profileFoo, 'user')
+            assert.deepStrictEqual(regionProfileManager.activeRegionProfile, profileFoo)
+            if (!AuthUtil.instance.isConnected()) {
                 fail('connection should not be undefined')
             }
 
-            await sut.persistSelectRegionProfile()
+            await regionProfileManager.persistSelectRegionProfile()
 
             const state = globals.globalState.tryGet<{ [label: string]: RegionProfile }>(
                 'aws.amazonq.regionProfiles',
                 Object,
                 {}
             )
 
-            assert.strictEqual(state[conn.id], profileFoo)
+            assert.strictEqual(state[AuthUtil.instance.profileName], profileFoo)
         })
 
         it(`restoreRegionProfile`, async function () {
-            sinon.stub(sut, 'listRegionProfile').resolves([profileFoo])
+            sinon.stub(regionProfileManager, 'listRegionProfiles').resolves([profileFoo])
             await setupConnection('idc')
-            const conn = authUtil.conn
-            if (!conn) {
+            if (!AuthUtil.instance.isConnected()) {
                 fail('connection should not be undefined')
             }
 
             const state = {} as any
-            state[conn.id] = profileFoo
+            state[AuthUtil.instance.profileName] = profileFoo
 
             await globals.globalState.update('aws.amazonq.regionProfiles', state)
 
-            await sut.restoreRegionProfile(conn)
+            await regionProfileManager.restoreRegionProfile()
 
-            assert.strictEqual(sut.activeRegionProfile, profileFoo)
+            assert.strictEqual(regionProfileManager.activeRegionProfile, profileFoo)
         })
     })
 
     describe('invalidate', function () {
         it('should reset activeProfile and global state', async function () {
             // setup
             await setupConnection('idc')
-            await sut.switchRegionProfile(profileFoo, 'user')
-            assert.deepStrictEqual(sut.activeRegionProfile, profileFoo)
-            const conn = authUtil.conn
-            if (!conn) {
+            await regionProfileManager.switchRegionProfile(profileFoo, 'user')
+            assert.deepStrictEqual(regionProfileManager.activeRegionProfile, profileFoo)
+            if (!AuthUtil.instance.isConnected()) {
                 fail('connection should not be undefined')
             }
-            await sut.persistSelectRegionProfile()
+            await regionProfileManager.persistSelectRegionProfile()
             const state = globals.globalState.tryGet<{ [label: string]: RegionProfile }>(
                 'aws.amazonq.regionProfiles',
                 Object,
                 {}
             )
-            assert.strictEqual(state[conn.id], profileFoo)
+            assert.strictEqual(state[AuthUtil.instance.profileName], profileFoo)
 
             // subject to test
-            await sut.invalidateProfile(profileFoo.arn)
+            await regionProfileManager.invalidateProfile(profileFoo.arn)
 
             // assertion
-            assert.strictEqual(sut.activeRegionProfile, undefined)
+            assert.strictEqual(regionProfileManager.activeRegionProfile, undefined)
             const actualGlobalState = globals.globalState.tryGet<{ [label: string]: RegionProfile }>(
                 'aws.amazonq.regionProfiles',
                 Object,
@@ -236,11 +227,10 @@ describe('RegionProfileManager', function () {
     describe('createQClient', function () {
         it(`should configure the endpoint and region correspondingly`, async function () {
             await setupConnection('idc')
-            await sut.switchRegionProfile(profileFoo, 'user')
-            assert.deepStrictEqual(sut.activeRegionProfile, profileFoo)
-            const conn = authUtil.conn as SsoConnection
+            await regionProfileManager.switchRegionProfile(profileFoo, 'user')
+            assert.deepStrictEqual(regionProfileManager.activeRegionProfile, profileFoo)
 
-            const client = await sut.createQClient('eu-central-1', 'https://amazon.com/', conn)
+            const client = await regionProfileManager.createQClient('eu-central-1', 'https://amazon.com/')
 
             assert.deepStrictEqual(client.config.region, 'eu-central-1')
             assert.deepStrictEqual(client.endpoint.href, 'https://amazon.com/')

packages/amazonq/test/unit/codewhisperer/service/codewhisperer.test.ts

@@ -136,7 +136,7 @@ describe('codewhisperer', async function () {
                 }),
         } as Request<SendTelemetryEventResponse, AWSError>)
 
-        const authUtilStub = sinon.stub(AuthUtil.instance, 'isValidEnterpriseSsoInUse').returns(isSso)
+        const authUtilStub = sinon.stub(AuthUtil.instance, 'isIdcConnection').returns(isSso)
         await globals.telemetry.setTelemetryEnabled(isTelemetryEnabled)
         await codeWhispererClient.sendTelemetryEvent({ telemetryEvent: payload })
         const expectedOptOutPreference = isTelemetryEnabled ? 'OPTIN' : 'OPTOUT'