fix(amazonq): validate YAML file more strictly (#8136)

## Problem

When users provide a YAML config file, we were not validating the
contents of it very strictly.


## Solution

Improve validation logic to be more strict so that invalid YAML files
are rejected client-side with a relevant error message.

---

- Treat all work as PUBLIC. Private `feature/x` branches will not be
squash-merged at release time.
- Your code changes must meet the guidelines in
[CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines).
- License: I confirm that my contribution is made under the terms of the
Apache 2.0 license.

---------

Co-authored-by: David Hasani <[email protected]>

Author: dhasani23

packages/core/src/amazonqGumby/chat/controller/controller.ts

@@ -580,11 +580,11 @@ export class GumbyController {
             return
         }
         const fileContents = await fs.readFileText(fileUri[0].fsPath)
-        const missingKey = await validateCustomVersionsFile(fileContents)
+        const errorMessage = validateCustomVersionsFile(fileContents)
 
-        if (missingKey) {
+        if (errorMessage) {
             this.messenger.sendMessage(
-                CodeWhispererConstants.invalidCustomVersionsFileMessage(missingKey),
+                CodeWhispererConstants.invalidCustomVersionsFileMessage(errorMessage),
                 message.tabID,
                 'ai-prompt'
             )

packages/core/src/codewhisperer/models/constants.ts

@@ -588,8 +588,8 @@ export const invalidMetadataFileUnsupportedSourceDB =
 export const invalidMetadataFileUnsupportedTargetDB =
     'I can only convert SQL for migrations to Aurora PostgreSQL or Amazon RDS for PostgreSQL target databases. The provided .sct file indicates another target database for this migration.'
 
-export const invalidCustomVersionsFileMessage = (missingKey: string) =>
-    `The dependency upgrade file provided is missing required field \`${missingKey}\`. Check that it is configured properly and try again. For an example of the required dependency upgrade file format, see the [documentation](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/code-transformation.html#dependency-upgrade-file).`
+export const invalidCustomVersionsFileMessage = (errorMessage: string) =>
+    `The dependency upgrade file provided is malformed: ${errorMessage}. Check that it is configured properly and try again. For an example of the required dependency upgrade file format, see the [documentation](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/code-transformation.html#dependency-upgrade-file).`
 
 export const invalidMetadataFileErrorParsing =
     "It looks like the .sct file you provided isn't valid. Make sure that you've uploaded the .zip file you retrieved from your schema conversion in AWS DMS."

packages/core/src/codewhisperer/service/transformByQ/transformFileHandler.ts

@@ -6,6 +6,7 @@
 import * as vscode from 'vscode'
 import * as path from 'path'
 import * as os from 'os'
+import * as YAML from 'js-yaml'
 import xml2js = require('xml2js')
 import * as CodeWhispererConstants from '../../models/constants'
 import { existsSync, readFileSync, writeFileSync } from 'fs' // eslint-disable-line no-restricted-imports
@@ -119,15 +120,52 @@ export async function parseBuildFile() {
     return undefined
 }
 
-// return the first missing key in the custom versions file, or undefined if all required keys are present
-export async function validateCustomVersionsFile(fileContents: string) {
+// return an error message, or undefined if YAML file is valid
+export function validateCustomVersionsFile(fileContents: string) {
     const requiredKeys = ['dependencyManagement', 'identifier', 'targetVersion', 'originType']
     for (const key of requiredKeys) {
         if (!fileContents.includes(key)) {
             getLogger().info(`CodeTransformation: .YAML file is missing required key: ${key}`)
-            return key
+            return `Missing required key: \`${key}\``
         }
     }
+    try {
+        const yaml = YAML.load(fileContents) as any
+        const dependencies = yaml?.dependencyManagement?.dependencies || []
+        const plugins = yaml?.dependencyManagement?.plugins || []
+        const dependenciesAndPlugins = dependencies.concat(plugins)
+
+        if (dependenciesAndPlugins.length === 0) {
+            getLogger().info('CodeTransformation: .YAML file must contain at least dependencies or plugins')
+            return `YAML file must contain at least \`dependencies\` or \`plugins\` under \`dependencyManagement\``
+        }
+        for (const item of dependenciesAndPlugins) {
+            const errorMessage = validateItem(item)
+            if (errorMessage) {
+                return errorMessage
+            }
+        }
+        return undefined
+    } catch (err: any) {
+        getLogger().info(`CodeTransformation: Invalid YAML format: ${err.message}`)
+        return `Invalid YAML format: ${err.message}`
+    }
+}
+
+// return an error message, or undefined if item is valid
+function validateItem(item: any, validOriginTypes: string[] = ['FIRST_PARTY', 'THIRD_PARTY']) {
+    if (!/^[^\s:]+:[^\s:]+$/.test(item.identifier)) {
+        getLogger().info(`CodeTransformation: Invalid identifier format: ${item.identifier}`)
+        return `Invalid identifier format: \`${item.identifier}\`. Must be in format \`groupId:artifactId\` without spaces`
+    }
+    if (!validOriginTypes.includes(item.originType)) {
+        getLogger().info(`CodeTransformation: Invalid originType: ${item.originType}`)
+        return `Invalid originType: \`${item.originType}\`. Must be either \`FIRST_PARTY\` or \`THIRD_PARTY\``
+    }
+    if (!item.targetVersion?.trim()) {
+        getLogger().info(`CodeTransformation: Missing targetVersion in: ${item.identifier}`)
+        return `Missing \`targetVersion\` in: \`${item.identifier}\``
+    }
     return undefined
 }
 

packages/core/src/test/codewhisperer/commands/transformByQ.test.ts

@@ -67,7 +67,8 @@ dependencyManagement:
   plugins:
     - identifier: "com.example:plugin"
       targetVersion: "1.2.0"
-      versionProperty: "plugin.version"  # Optional`
+      versionProperty: "plugin.version"  # Optional
+      originType: "FIRST_PARTY" # or "THIRD_PARTY"`
 
     const validSctFile = `<?xml version="1.0" encoding="UTF-8"?>
     <tree>
@@ -570,15 +571,39 @@ dependencyManagement:
         assert.strictEqual(expectedWarning, warningMessage)
     })
 
-    it(`WHEN validateCustomVersionsFile on fully valid .yaml file THEN passes validation`, async function () {
-        const missingKey = await validateCustomVersionsFile(validCustomVersionsFile)
-        assert.strictEqual(missingKey, undefined)
+    it(`WHEN validateCustomVersionsFile on fully valid .yaml file THEN passes validation`, function () {
+        const errorMessage = validateCustomVersionsFile(validCustomVersionsFile)
+        assert.strictEqual(errorMessage, undefined)
     })
 
-    it(`WHEN validateCustomVersionsFile on invalid .yaml file THEN fails validation`, async function () {
+    it(`WHEN validateCustomVersionsFile on .yaml file with missing key THEN fails validation`, function () {
         const invalidFile = validCustomVersionsFile.replace('dependencyManagement', 'invalidKey')
-        const missingKey = await validateCustomVersionsFile(invalidFile)
-        assert.strictEqual(missingKey, 'dependencyManagement')
+        const errorMessage = validateCustomVersionsFile(invalidFile)
+        assert.strictEqual(errorMessage, `Missing required key: \`dependencyManagement\``)
+    })
+
+    it(`WHEN validateCustomVersionsFile on .yaml file with invalid identifier format THEN fails validation`, function () {
+        const invalidFile = validCustomVersionsFile.replace('com.example:library1', 'com.example-library1')
+        const errorMessage = validateCustomVersionsFile(invalidFile)
+        assert.strictEqual(
+            errorMessage,
+            `Invalid identifier format: \`com.example-library1\`. Must be in format \`groupId:artifactId\` without spaces`
+        )
+    })
+
+    it(`WHEN validateCustomVersionsFile on .yaml file with invalid originType THEN fails validation`, function () {
+        const invalidFile = validCustomVersionsFile.replace('FIRST_PARTY', 'INVALID_TYPE')
+        const errorMessage = validateCustomVersionsFile(invalidFile)
+        assert.strictEqual(
+            errorMessage,
+            `Invalid originType: \`INVALID_TYPE\`. Must be either \`FIRST_PARTY\` or \`THIRD_PARTY\``
+        )
+    })
+
+    it(`WHEN validateCustomVersionsFile on .yaml file with missing targetVersion THEN fails validation`, function () {
+        const invalidFile = validCustomVersionsFile.replace('targetVersion: "2.1.0"', '')
+        const errorMessage = validateCustomVersionsFile(invalidFile)
+        assert.strictEqual(errorMessage, `Missing \`targetVersion\` in: \`com.example:library1\``)
     })
 
     it(`WHEN validateMetadataFile on fully valid .sct file THEN passes validation`, async function () {