fix(codecatalyst): split session auth issues (#5199)

Fixes:
- Adds 'source' to telemetry for logout prompt
- If in dev env, fall back to MDE credentials if logged out (due to sharing connection with Q)
- Bug where signing in to Amazon Q in dev env will add coca scopes (and otherwise share the underlying MDE credentials)
  - Amazon Q was also importing the MDE creds under the hood, so it was being detected as an existant connection. This means any login method will use that instead of creating a new connection.

Author: hayemaxi

packages/core/src/auth/auth.ts

@@ -53,11 +53,11 @@ import {
     createBuilderIdProfile,
     createSsoProfile,
     hasScopes,
-    isValidCodeCatalystConnection,
     loadIamProfilesIntoStore,
     loadLinkedProfilesIntoStore,
     scopesSsoAccountAccess,
     AwsConnection,
+    scopesCodeWhispererCore,
 } from './connection'
 import { isSageMaker, isCloud9, isAmazonQ } from '../shared/extensionUtilities'
 import { telemetry } from '../shared/telemetry/telemetry'
@@ -528,8 +528,8 @@ export class Auth implements AuthService, ConnectionManager {
                 })
             }
 
-            // XXX: never drop tokens in a dev environment
-            if (getCodeCatalystDevEnvId() === undefined) {
+            // XXX: never drop tokens in a dev environment, unless you are Amazon Q!
+            if (getCodeCatalystDevEnvId() === undefined || isAmazonQ()) {
                 await provider.invalidate()
             }
         } else if (profile.type === 'iam') {
@@ -882,9 +882,11 @@ export class Auth implements AuthService, ConnectionManager {
 
         // When opening a Dev Environment, use the environment token if no other CodeCatalyst
         // credential is in use. This token only has CC permissions currently!
-        if (getCodeCatalystDevEnvId() !== undefined) {
+        if (!isAmazonQ() && getCodeCatalystDevEnvId() !== undefined) {
             const connections = await this.listConnections()
-            const shouldInsertDevEnvCredential = !connections.some(isValidCodeCatalystConnection)
+            const shouldInsertDevEnvCredential = !connections.some(
+                c => c.type === 'sso' && hasScopes(c, scopesCodeCatalyst) && !hasScopes(c, scopesCodeWhispererCore)
+            )
 
             if (shouldInsertDevEnvCredential) {
                 // Insert a profile based on the `~/.aws/config` sso-session:
@@ -1067,6 +1069,7 @@ export class SessionSeparationPrompt {
                 )
                 .then(async resp => {
                     await telemetry.toolkit_invokeAction.run(async () => {
+                        telemetry.record({ source: 'sessionSeparationNotification' })
                         if (resp === 'Sign In') {
                             telemetry.record({ action: 'signIn' })
                             await vscode.commands.executeCommand(cmd)

packages/core/src/codewhisperer/activation.ts

@@ -70,6 +70,7 @@ import { securityScanLanguageContext } from './util/securityScanLanguageContext'
 import { registerWebviewErrorHandler } from '../webviews/server'
 import { logAndShowWebviewError } from '../shared/utilities/logAndShowUtils'
 import { openSettings } from '../shared/settings'
+import { getCodeCatalystDevEnvId } from '../shared/vscode/env'
 
 let localize: nls.LocalizeFunc
 
@@ -291,6 +292,16 @@ export async function activate(context: ExtContext): Promise<void> {
 
     await auth.restore()
 
+    // Amazon Q may have code catalyst only credentials stored because it used to import the credentials stored on disk in the environment.
+    if (getCodeCatalystDevEnvId() !== undefined) {
+        for (const conn of await auth.auth.listConnections()) {
+            if (conn.id !== auth.conn?.id) {
+                getLogger().debug('forgetting extra amazon q connection in CoCa dev env: %O', conn)
+                await auth.auth.forgetConnection(conn)
+            }
+        }
+    }
+
     if (auth.isConnectionExpired()) {
         auth.showReauthenticatePrompt().catch(e => {
             getLogger().error('showReauthenticatePrompt failed: %s', (e as Error).message)