authWebview: Can connect with credentials (#3448)

Ability to enter credentials from auth webview

- Validation of inputs
    - No duplicate profile name
    - Checks credentials can be authenticated before submission
- Connects to credentials upon submission


Signed-off-by: Nikolas Komonen <[email protected]>

Author: nkomonen-amazon

resources/css/base.css

@@ -55,13 +55,15 @@ body.vscode-light input[type='checkbox']:checked {
 
 /* Text/number input box */
 input[type='text'],
+input[type='password'],
 input[type='number'] {
     color: var(--vscode-settings-textInputForeground);
     background: var(--vscode-settings-textInputBackground);
     border: 1px solid var(--vscode-settings-textInputBorder);
     padding: 4px 4px;
 }
 input[type='text'][data-invalid='true'],
+input[type='password'][data-invalid='true'],
 input[type='number'][data-invalid='true'] {
     border: 1px solid var(--vscode-inputValidation-errorBorder);
     border-bottom: 0;

src/credentials/auth.ts

@@ -18,14 +18,14 @@ import { Commands } from '../shared/vscode/commands2'
 import { createQuickPick, DataQuickPickItem, showQuickPick } from '../shared/ui/pickerPrompter'
 import { isValidResponse } from '../shared/wizards/wizard'
 import { CancellationError, Timeout } from '../shared/utilities/timeoutUtils'
-import { errorCode, formatError, ToolkitError, UnknownError } from '../shared/errors'
+import { errorCode, formatError, isAwsError, ToolkitError, UnknownError } from '../shared/errors'
 import { getCache } from './sso/cache'
 import { createFactoryFunction, isNonNullable, Mutable } from '../shared/utilities/tsUtils'
 import { builderIdStartUrl, SsoToken } from './sso/model'
 import { SsoClient } from './sso/clients'
 import { getLogger } from '../shared/logger'
 import { CredentialsProviderManager } from './providers/credentialsProviderManager'
-import { asString, CredentialsProvider, fromString } from './providers/credentials'
+import { asString, CredentialsId, CredentialsProvider, fromString } from './providers/credentials'
 import { once } from '../shared/utilities/functionUtils'
 import { getResourceFromTreeNode } from '../shared/treeview/utils'
 import { Instance } from '../shared/utilities/typeConstructors'
@@ -46,8 +46,9 @@ import { AsyncCollection, toCollection } from '../shared/utilities/asyncCollecti
 import { join, toStream } from '../shared/utilities/collectionUtils'
 import { getConfigFilename } from './sharedCredentialsFile'
 import { saveProfileToCredentials } from './sharedCredentials'
-import { SectionName, StaticCredentialsProfileKeys } from './types'
+import { SectionName, SharedCredentialsKeys, StaticProfile, StaticProfileKeyErrorMessage } from './types'
 import { throwOnInvalidCredentials } from './sharedCredentialsValidation'
+import { TempCredentialProvider } from './providers/tempCredentialsProvider'
 
 export const ssoScope = 'sso:account:access'
 export const codecatalystScopes = ['codecatalyst:read_write']
@@ -586,6 +587,54 @@ export class Auth implements AuthService, ConnectionManager {
         return this.#validationErrors.get(connection.id)
     }
 
+    /**
+     * Authenticates the given data and returns error info if it fails.
+     *
+     * @returns undefined if authentication succeeds, otherwise object with error info
+     */
+    public async authenticateData(data: StaticProfile): Promise<StaticProfileKeyErrorMessage | undefined> {
+        const tempId = await this.addTempCredential(data)
+        const tempIdString = asString(tempId)
+        try {
+            await this.reauthenticate({ id: tempIdString })
+        } catch (e) {
+            if (isAwsError(e)) {
+                if (e.code === 'InvalidClientTokenId') {
+                    return { key: SharedCredentialsKeys.AWS_ACCESS_KEY_ID, error: 'Invalid access key' }
+                } else if (e.code === 'SignatureDoesNotMatch') {
+                    return { key: SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY, error: 'Invalid secret key' }
+                }
+            }
+            throw e
+        } finally {
+            await this.removeTempCredential(tempId)
+        }
+        return undefined
+    }
+
+    private async addTempCredential(data: StaticProfile): Promise<CredentialsId> {
+        const tempProvider = new TempCredentialProvider(data)
+        this.iamProfileProvider.addProvider(tempProvider)
+        await this.thrownOnConn(tempProvider.getCredentialsId(), 'not-exists')
+        return tempProvider.getCredentialsId()
+    }
+    private async removeTempCredential(id: CredentialsId) {
+        this.iamProfileProvider.removeProvider(id)
+        await this.thrownOnConn(id, 'exists')
+    }
+
+    private async thrownOnConn(id: CredentialsId, throwOn: 'exists' | 'not-exists') {
+        const idAsString = asString(id)
+        const conns = await this.listConnections() // triggers loading of profile in to store
+        const connExists = conns.some(conn => conn.id === idAsString)
+
+        if (throwOn === 'exists' && connExists) {
+            throw new ToolkitError(`Conn should not exist: ${idAsString}`)
+        } else if (throwOn === 'not-exists' && !connExists) {
+            throw new ToolkitError(`Conn should exist: ${idAsString}`)
+        }
+    }
+
     /**
      * Attempts to remove all auth state related to the connection.
      *
@@ -1204,16 +1253,33 @@ const addConnection = Commands.register({ id: 'aws.auth.addConnection', telemetr
 
 export async function tryAddCredentials(
     profileName: SectionName,
-    profileData: StaticCredentialsProfileKeys,
+    profileData: StaticProfile,
     tryConnect = true
 ): Promise<boolean> {
+    const auth = Auth.instance
+
+    // sanity checks
     await throwOnInvalidCredentials(profileName, profileData)
+    const authenticationError = await auth.authenticateData(profileData)
+    if (authenticationError) {
+        throw new ToolkitError(`Found error with '${authenticationError.key}':'${authenticationError.error}' `, {
+            code: 'InvalidCredentials',
+        })
+    }
+
     await saveProfileToCredentials(profileName, profileData)
+
     if (tryConnect) {
-        const auth = Auth.instance
-        const conn = await auth.getConnection({ id: profileName })
+        const id = asString({
+            credentialSource: 'profile',
+            credentialTypeId: profileName,
+        })
+        const conn = await auth.getConnection({ id })
+
         if (conn === undefined) {
-            throw new ToolkitError('Failed to get connection from profile', { code: 'MissingConnection' })
+            throw new ToolkitError(`Failed to get connection from profile: ${profileName}`, {
+                code: 'MissingConnection',
+            })
         }
 
         await auth.useConnection(conn)

src/credentials/providers/credentials.ts

@@ -67,11 +67,12 @@ export function isEqual(idA: CredentialsId, idB: CredentialsId): boolean {
  * - "sso" refers to all SSO-based profiles. Currently, any profile with a start URL will
  *   be treated as SSO _by the Toolkit_. Incomplete profiles may be rejected by the SDKs, so
  *   valid SSO profiles may not necessarily be considered valid among all tools.
- *
+ * - "temp" refers to credentials that are used temporarily within the code.
+ *   This can be for something like testing raw credentials data
  * Compare the similar concept `telemetry.CredentialSourceId`.
  */
-export type CredentialsProviderType = typeof credentialsProviderType[number]
-export const credentialsProviderType = ['profile', 'ec2', 'ecs', 'env', 'sso'] as const
+export type CredentialsProviderType = (typeof credentialsProviderType)[number]
+export const credentialsProviderType = ['profile', 'ec2', 'ecs', 'env', 'sso', 'temp'] as const
 
 /**
  * Lossy map of CredentialsProviderType to telemetry.CredentialSourceId

src/credentials/providers/tempCredentialsProvider.ts

@@ -0,0 +1,72 @@
+/*!
+ * Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { Credentials } from '@aws-sdk/types'
+import { CredentialType } from '../../shared/telemetry/telemetry.gen'
+import { getStringHash } from '../../shared/utilities/textUtilities'
+import { CredentialsId, CredentialsProvider, CredentialsProviderType } from './credentials'
+import { StaticProfile } from '../types'
+import { Auth } from '../auth'
+
+/**
+ * HACK: A credentials provider for a temporary use case.
+ *
+ * This provides the bare minimum way to use credentials
+ * in the rest of the system.
+ *
+ * It is currently only used in {@link Auth} and is hidden
+ * within the class.
+ */
+export class TempCredentialProvider implements CredentialsProvider {
+    private credentials: StaticProfile
+    constructor(data: StaticProfile) {
+        this.credentials = {
+            aws_access_key_id: data.aws_access_key_id,
+            aws_secret_access_key: data.aws_secret_access_key,
+        }
+    }
+
+    public async isAvailable(): Promise<boolean> {
+        return true
+    }
+
+    public getCredentialsId(): CredentialsId {
+        return {
+            credentialSource: this.getProviderType(),
+            credentialTypeId: this.getHashCode(),
+        }
+    }
+
+    public static getProviderType(): CredentialsProviderType {
+        return 'temp'
+    }
+
+    public getProviderType(): CredentialsProviderType {
+        return TempCredentialProvider.getProviderType()
+    }
+
+    public getTelemetryType(): CredentialType {
+        return 'other'
+    }
+
+    public getHashCode(): string {
+        return getStringHash(JSON.stringify(this.credentials))
+    }
+
+    public getDefaultRegion(): string | undefined {
+        return undefined
+    }
+
+    public async canAutoConnect(): Promise<boolean> {
+        return false
+    }
+
+    public async getCredentials(): Promise<Credentials> {
+        return {
+            accessKeyId: this.credentials.aws_access_key_id,
+            secretAccessKey: this.credentials.aws_secret_access_key,
+        }
+    }
+}

src/credentials/sharedCredentials.ts

@@ -8,7 +8,7 @@ import { SystemUtilities } from '../shared/systemUtilities'
 import { ToolkitError } from '../shared/errors'
 import { assertHasProps } from '../shared/utilities/tsUtils'
 import { getConfigFilename, getCredentialsFilename } from './sharedCredentialsFile'
-import { SectionName, StaticCredentialsProfileKeys } from './types'
+import { SectionName, StaticProfile } from './types'
 import { UserCredentialsUtils } from '../shared/credentials/userCredentialsUtils'
 
 export async function updateAwsSdkLoadConfigEnvVar(): Promise<void> {
@@ -124,9 +124,9 @@ function validateSection(section: BaseSection): asserts section is Section {
  */
 export async function loadSharedCredentialsProfiles(): Promise<Record<SectionName, Profile>> {
     const profiles = {} as Record<SectionName, Profile>
-    for (const [k, v] of (await loadSharedCredentialsSections()).sections.entries()) {
-        if (v.type === 'profile') {
-            profiles[k] = extractDataFromSection(v)
+    for (const section of (await loadSharedCredentialsSections()).sections.values()) {
+        if (section.type === 'profile') {
+            profiles[section.name] = extractDataFromSection(section)
         }
     }
     return profiles
@@ -239,10 +239,7 @@ async function loadCredentialsFile(credentialsUri?: vscode.Uri): Promise<ReturnT
 /**
  * Saves the given profile data to the credentials file.
  */
-export async function saveProfileToCredentials(
-    profileName: SectionName,
-    profileData: StaticCredentialsProfileKeys
-): Promise<void> {
+export async function saveProfileToCredentials(profileName: SectionName, profileData: StaticProfile): Promise<void> {
     if (await profileExists(profileName)) {
         throw new ToolkitError(`Cannot save profile "${profileName}" because it already exists.`, {
             code: 'ProfileAlreadyExists',

src/credentials/sharedCredentialsValidation.ts

@@ -5,7 +5,8 @@
  * This module focuses on the validation of shared credentials properties
  */
 
-import { localize } from 'vscode-nls'
+import * as nls from 'vscode-nls'
+const localize = nls.loadMessageBundle()
 import { CredentialsData, CredentialsKey, SectionName, SharedCredentialsKeys } from './types'
 import { ToolkitError } from '../shared/errors'
 import { profileExists } from './sharedCredentials'
@@ -41,7 +42,9 @@ export function getCredentialsErrors(
         }
         errors[key] = validateFunc(key, value)
     })
-    if (Object.keys(errors).length === 0) {
+
+    const hasErrors = Object.values(errors).some(v => v)
+    if (!hasErrors) {
         return
     }
     return errors

src/credentials/types.ts

@@ -34,8 +34,11 @@ export type CredentialsKey = (typeof SharedCredentialsKeys)[keyof typeof SharedC
  *
  * https://docs.aws.amazon.com/sdkref/latest/guide/feature-static-credentials.html
  */
-export type StaticCredentialsProfileKeysOptional = Pick<CredentialsData, 'aws_access_key_id' | 'aws_secret_access_key'>
-export type StaticCredentialsProfileKeys = Required<StaticCredentialsProfileKeysOptional>
+export type StaticProfileOptional = Pick<CredentialsData, 'aws_access_key_id' | 'aws_secret_access_key'>
+export type StaticProfile = Required<StaticProfileOptional>
+export type StaticProfileKey = keyof StaticProfile
+/** An error for a specific static profile key */
+export type StaticProfileKeyErrorMessage = { key: StaticProfileKey; error: string }
 
 /**
  * The name of a section in a credentials/config file

src/credentials/vue/ServiceItemContent.vue

@@ -0,0 +1,11 @@
+# Auth Forms
+
+These are the components which the user will interact with and enter the necessary
+auth data.
+
+## General Design
+
+Each auth form component utilizes an underlying state class which keeps
+track of the data. The state class can then be used elsewhere to retrieve
+the latest information about that auth method, these class instances can
+be found in [shared.vue](./shared.vue).

src/credentials/vue/authForms/README.md

@@ -0,0 +1,31 @@
+<script lang="ts">
+import { defineComponent } from 'vue'
+
+export default defineComponent({
+    emits: ['auth-connection-updated'],
+    methods: {
+        emitAuthConnectionUpdated(id: AuthFormId) {
+            this.$emit('auth-connection-updated', id)
+        },
+    },
+})
+
+export interface AuthStatus {
+    /**
+     * Returns true if the auth is successfully connected.
+     */
+    isAuthConnected(): Promise<boolean>
+}
+
+export class UnimplementedAuthStatus implements AuthStatus {
+    isAuthConnected(): Promise<boolean> {
+        return Promise.resolve(false)
+    }
+}
+
+export const authForms = {
+    CREDENTIALS: 'CREDENTIALS',
+} as const
+
+export type AuthFormId = (typeof authForms)[keyof typeof authForms]
+</script>