Add session token input to login flow

Author: liramon1

packages/amazonq/test/e2e/amazonq/utils/setup.ts

@@ -22,5 +22,5 @@ export async function loginToIdC() {
         )
     }
 
-    await AuthUtil.instance.login(startUrl, region, 'sso')
+    await AuthUtil.instance.login_sso(startUrl, region)
 }

packages/amazonq/test/unit/codewhisperer/region/regionProfileManager.test.ts

@@ -26,11 +26,11 @@ describe('RegionProfileManager', async function () {
 
     async function setupConnection(type: 'builderId' | 'idc') {
         if (type === 'builderId') {
-            await AuthUtil.instance.login(constants.builderIdStartUrl, region, 'sso')
+            await AuthUtil.instance.login_sso(constants.builderIdStartUrl, region)
             assert.ok(AuthUtil.instance.isSsoSession())
             assert.ok(AuthUtil.instance.isBuilderIdConnection())
         } else if (type === 'idc') {
-            await AuthUtil.instance.login(enterpriseSsoStartUrl, region, 'sso')
+            await AuthUtil.instance.login_sso(enterpriseSsoStartUrl, region)
             assert.ok(AuthUtil.instance.isSsoSession())
             assert.ok(AuthUtil.instance.isIdcConnection())
         }

packages/amazonq/test/unit/codewhisperer/util/showSsoPrompt.test.ts

@@ -28,7 +28,7 @@ describe('showConnectionPrompt', function () {
     })
 
     it('can select connect to AwsBuilderId', async function () {
-        sinon.stub(AuthUtil.instance, 'login').resolves()
+        sinon.stub(AuthUtil.instance, 'login_sso').resolves()
 
         getTestWindow().onDidShowQuickPick(async (picker) => {
             await picker.untilReady()
@@ -44,7 +44,7 @@ describe('showConnectionPrompt', function () {
 
     it('connectToAwsBuilderId calls AuthUtil login with builderIdStartUrl', async function () {
         sinon.stub(vscode.commands, 'executeCommand')
-        const loginStub = sinon.stub(AuthUtil.instance, 'login').resolves()
+        const loginStub = sinon.stub(AuthUtil.instance, 'login_sso').resolves()
 
         await awsIdSignIn()
 

packages/core/src/auth/auth2.ts

@@ -174,7 +174,7 @@ export class LanguageClientAuth {
         } satisfies UpdateProfileParams)
     }
 
-    updateIamProfile(profileName: string, accessKey: string, secretKey: string): Promise<UpdateProfileResult> {
+    updateIamProfile(profileName: string, accessKey: string, secretKey: string, sessionToken?: string): Promise<UpdateProfileResult> {
         // Add credentials and delete SSO settings from profile
         return this.client.sendRequest(updateProfileRequestType.method, {
             profile: {
@@ -185,6 +185,7 @@ export class LanguageClientAuth {
                     sso_session: '',
                     aws_access_key_id: accessKey,
                     aws_secret_access_key: secretKey,
+                    aws_session_token: sessionToken,
                 },
             },
             ssoSession: {
@@ -497,7 +498,7 @@ export class IamLogin extends BaseLogin {
         // )
     }
 
-    async login(opts: { accessKey: string; secretKey: string }) {
+    async login(opts: { accessKey: string; secretKey: string, sessionToken?: string }) {
         await this.updateProfile(opts)
         return this._getIamCredential(true)
     }
@@ -519,8 +520,8 @@ export class IamLogin extends BaseLogin {
         // TODO: DeleteProfile api in Identity Service (this doesn't exist yet)
     }
 
-    async updateProfile(opts: { accessKey: string; secretKey: string }) {
-        await this.lspAuth.updateIamProfile(this.profileName, opts.accessKey, opts.secretKey)
+    async updateProfile(opts: { accessKey: string; secretKey: string, sessionToken?: string }) {
+        await this.lspAuth.updateIamProfile(this.profileName, opts.accessKey, opts.secretKey, opts.sessionToken)
         this._data = {
             accessKey: opts.accessKey,
             secretKey: opts.secretKey,

packages/core/src/codewhisperer/ui/codeWhispererNodes.ts

@@ -271,7 +271,7 @@ export function createSignIn(): DataQuickPickItem<'signIn'> {
     if (isWeb()) {
         // TODO: nkomonen, call a Command instead
         onClick = () => {
-            void AuthUtil.instance.login(builderIdStartUrl, builderIdRegion, 'sso')
+            void AuthUtil.instance.login_sso(builderIdStartUrl, builderIdRegion)
         }
     }
 

packages/core/src/codewhisperer/util/authUtil.ts

@@ -160,25 +160,26 @@ export class AuthUtil implements IAuthProvider {
         }
     }
 
-    // Log into the desired session type using the authentication parameters
-    async login(accessKey: string, secretKey: string, loginType: 'iam'): Promise<GetIamCredentialResult | undefined>
-    async login(startUrl: string, region: string, loginType: 'sso'): Promise<GetSsoTokenResult | undefined>
-    async login(
-        first: string,
-        second: string,
-        loginType: 'iam' | 'sso'
-    ): Promise<GetSsoTokenResult | GetIamCredentialResult | undefined> {
-        let response: GetSsoTokenResult | GetIamCredentialResult | undefined
-
-        // Start session if the current session type does not match the desired type
-        if (loginType === 'sso' && !this.isSsoSession()) {
+    // Log in using SSO
+    async login_sso(startUrl: string, region: string): Promise<GetSsoTokenResult | undefined> {
+        let response: GetSsoTokenResult | undefined
+        // Create SSO login session
+        if (!this.isSsoSession()) {
             this.session = new SsoLogin(this.profileName, this.lspAuth, this.eventEmitter)
-            response = await this.session.login({ startUrl: first, region: second, scopes: amazonQScopes })
-        } else if (loginType === 'iam' && !this.isIamSession()) {
-            this.session = new IamLogin(this.profileName, this.lspAuth, this.eventEmitter)
-            response = await this.session.login({ accessKey: first, secretKey: second })
         }
+        response = await (this.session as SsoLogin).login({ startUrl: startUrl, region: region, scopes: amazonQScopes })
+        await showAmazonQWalkthroughOnce()
+        return response
+    }
 
+    // Log in using IAM or STS credentials
+    async login_iam(accessKey: string, secretKey: string, sessionToken?: string): Promise<GetIamCredentialResult | undefined> {
+        let response: GetIamCredentialResult | undefined
+        // Create IAM login session
+        if (!this.isIamSession()) {
+            this.session = new IamLogin(this.profileName, this.lspAuth, this.eventEmitter)
+        }
+        response = await (this.session as IamLogin).login({ accessKey: accessKey, secretKey: secretKey, sessionToken: sessionToken })
         await showAmazonQWalkthroughOnce()
         return response
     }

packages/core/src/codewhisperer/util/getStartUrl.ts

@@ -29,7 +29,7 @@ export const getStartUrl = async () => {
 
 export async function connectToEnterpriseSso(startUrl: string, region: Region['id']) {
     try {
-        await AuthUtil.instance.login(startUrl, region, 'sso')
+        await AuthUtil.instance.login_sso(startUrl, region)
     } catch (e) {
         throw ToolkitError.chain(e, CodeWhispererConstants.failedToConnectIamIdentityCenter, {
             code: 'FailedToConnect',

packages/core/src/codewhisperer/util/showSsoPrompt.ts

@@ -47,7 +47,7 @@ export const showCodeWhispererConnectionPrompt = async () => {
 export async function awsIdSignIn() {
     getLogger().info('selected AWS ID sign in')
     try {
-        await AuthUtil.instance.login(builderIdStartUrl, builderIdRegion, 'sso')
+        await AuthUtil.instance.login_sso(builderIdStartUrl, builderIdRegion)
     } catch (e) {
         throw ToolkitError.chain(e, failedToConnectAwsBuilderId, { code: 'FailedToConnect' })
     }

packages/core/src/login/webview/vue/amazonq/backend_amazonq.ts

@@ -196,7 +196,8 @@ export class AmazonQLoginWebview extends CommonAuthWebview {
     async startIamCredentialSetup(
         profileName: string,
         accessKey: string,
-        secretKey: string
+        secretKey: string,
+        sessionToken?: string
     ): Promise<AuthError | undefined> {
         getLogger().debug(`called startIamCredentialSetup()`)
         // Defining separate auth function to emit telemetry before returning from this method
@@ -205,7 +206,7 @@ export class AmazonQLoginWebview extends CommonAuthWebview {
         })
         const runAuth = async (): Promise<AuthError | undefined> => {
             try {
-                await AuthUtil.instance.login(accessKey, secretKey, 'iam')
+                await AuthUtil.instance.login_iam(accessKey, secretKey, sessionToken)
             } catch (e) {
                 getLogger().error('Failed submitting credentials %O', e)
                 return { id: this.id, text: e as string }

packages/core/src/login/webview/vue/backend.ts

@@ -174,7 +174,8 @@ export abstract class CommonAuthWebview extends VueWebview {
     abstract startIamCredentialSetup(
         profileName: string,
         accessKey: string,
-        secretKey: string
+        secretKey: string,
+        sessionToken?: string,
     ): Promise<AuthError | undefined>
 
     async showResourceExplorer(): Promise<void> {