fix: sync with IAM PR changes

Author: yuxianrz

packages/amazonq/test/unit/codewhisperer/util/authUtil.test.ts

@@ -427,18 +427,18 @@ describe('AuthUtil', async function () {
                 login: sinon.stub().resolves(mockResponse),
                 loginType: 'iam',
             }
-            
+
             sinon.stub(auth2, 'IamLogin').returns(mockIamLogin as any)
 
             const response = await auth.loginIam('accessKey', 'secretKey', 'sessionToken')
 
             assert.ok(mockIamLogin.login.calledOnce)
-            assert.ok(mockIamLogin.login.calledWith({
-                accessKey: 'accessKey',
-                secretKey: 'secretKey',
-                sessionToken: 'sessionToken',
-                roleArn: undefined,
-            }))
+            assert.ok(
+                mockIamLogin.login.calledWith({
+                    accessKey: 'accessKey',
+                    secretKey: 'secretKey',
+                })
+            )
             assert.strictEqual(response, mockResponse)
         })
 
@@ -462,7 +462,7 @@ describe('AuthUtil', async function () {
 
             sinon.stub(auth2, 'IamLogin').returns(mockIamLogin as any)
 
-            const response = await auth.login_iam('accessKey', 'secretKey', 'sessionToken', 'arn:aws:iam::123456789012:role/TestRole')
+            const response = await auth.loginIam('accessKey', 'secretKey', 'sessionToken', 'arn:aws:iam::123456789012:role/TestRole')
 
             assert.ok(mockIamLogin.login.calledOnce)
             assert.ok(mockIamLogin.login.calledWith({
@@ -568,23 +568,5 @@ describe('AuthUtil', async function () {
             assert.ok(mockLspAuth.updateIamCredential.called)
             assert.strictEqual(mockLspAuth.updateIamCredential.firstCall.args[0].data, 'fake-data')
         })
-
-        it('cleans up IAM credential when connection expires', async function () {
-            const mockSession = { loginType: 'iam' }
-            ;(auth as any).session = mockSession
-
-            await (auth as any).stateChangeHandler({ state: 'expired' })
-
-            assert.ok(mockLspAuth.deleteIamCredential.called)
-        })
-
-        it('deletes IAM credential when disconnected', async function () {
-            const mockSession = { loginType: 'iam' }
-            ;(auth as any).session = mockSession
-
-            await (auth as any).stateChangeHandler({ state: 'notConnected' })
-
-            assert.ok(mockLspAuth.deleteIamCredential.called)
-        })
     })
 })

packages/core/src/codewhisperer/util/authUtil.ts

@@ -109,11 +109,11 @@ export class AuthUtil implements IAuthProvider {
     }
 
     isSsoSession(): boolean {
-        return this.session?.loginType === LoginTypes.SSO || this.session instanceof SsoLogin
+        return this.session instanceof SsoLogin
     }
 
     isIamSession(): boolean {
-        return this.session?.loginType === LoginTypes.IAM || this.session instanceof IamLogin
+        return this.session instanceof IamLogin
     }
 
     /**
@@ -176,11 +176,7 @@ export class AuthUtil implements IAuthProvider {
     }
 
     // Log in using IAM or STS credentials
-    async loginIam(
-        accessKey: string,
-        secretKey: string,
-        sessionToken?: string
-    ): Promise<GetIamCredentialResult | undefined> {
+    async loginIam(accessKey: string, secretKey: string, sessionToken?: string, roleArn?: string): Promise<GetIamCredentialResult | undefined> {
         let response: GetIamCredentialResult | undefined
         // Create IAM login session
         if (!this.isIamSession()) {

packages/core/src/login/webview/vue/amazonq/backend_amazonq.ts

@@ -206,7 +206,7 @@ export class AmazonQLoginWebview extends CommonAuthWebview {
         await globals.globalState.update('recentRoleArn', { roleArn: roleArn })
         const runAuth = async (): Promise<AuthError | undefined> => {
             try {
-                await AuthUtil.instance.loginIam(accessKey, secretKey)
+                await AuthUtil.instance.loginIam(accessKey, secretKey, sessionToken, roleArn)
             } catch (e) {
                 getLogger().error('Failed submitting credentials %O', e)
                 const message = e instanceof Error ? e.message : e as string

packages/core/src/test/credentials/auth2.test.ts

@@ -182,6 +182,79 @@ describe('LanguageClientAuth', () => {
         })
     })
 
+    describe('updateIamCredential', () => {
+        it('sends request', async () => {
+            const updateParams: UpdateCredentialsParams = {
+                data: 'credential-data',
+                encrypted: true,
+            }
+
+            await auth.updateIamCredential(updateParams)
+
+            sinon.assert.calledOnce(client.sendRequest)
+            sinon.assert.calledWith(client.sendRequest, iamCredentialsUpdateRequestType.method, updateParams)
+        })
+    })
+
+    describe('deleteIamCredential', () => {
+        it('sends notification', async () => {
+            auth.deleteIamCredential()
+
+            sinon.assert.calledOnce(client.sendNotification)
+            sinon.assert.calledWith(client.sendNotification, iamCredentialsDeleteNotificationType.method)
+        })
+    })
+
+    describe('getIamCredential', () => {
+        it('sends correct request parameters', async () => {
+            await auth.getIamCredential(profileName, true)
+
+            sinon.assert.calledOnce(client.sendRequest)
+            sinon.assert.calledWith(
+                client.sendRequest,
+                sinon.match.any,
+                sinon.match({
+                    profileName: profileName,
+                    options: {
+                        callStsOnInvalidIamCredential: true,
+                    },
+                })
+            )
+        })
+    })
+
+    describe('invalidateStsCredential', () => {
+        it('sends request', async () => {
+            client.sendRequest.resolves({ success: true })
+            const result = await auth.invalidateStsCredential(profileName)
+
+            sinon.assert.calledOnce(client.sendRequest)
+            sinon.assert.calledWith(client.sendRequest, invalidateStsCredentialRequestType.method, { profileName: profileName })
+            sinon.assert.match(result, { success: true })
+        })
+    })
+
+    describe('registerStsCredentialChangedHandler', () => {
+        it('registers the handler correctly', () => {
+            const handler = sinon.spy()
+
+            auth.registerStsCredentialChangedHandler(handler)
+
+            sinon.assert.calledOnce(client.onNotification)
+            sinon.assert.calledWith(client.onNotification, stsCredentialChangedRequestType.method, sinon.match.func)
+
+            const credentialChangedParams: StsCredentialChangedParams = {
+                kind: StsCredentialChangedKind.Refreshed,
+                stsCredentialId: 'test-credential-id',
+            }
+            const registeredHandler = client.onNotification.firstCall.args[1]
+            registeredHandler(credentialChangedParams)
+
+            sinon.assert.calledOnce(handler)
+            sinon.assert.calledWith(handler, credentialChangedParams)
+        })
+    })
+
     describe('invalidateSsoToken', () => {
         it('sends request', async () => {
             client.sendRequest.resolves({ success: true })
@@ -551,3 +624,193 @@ describe('SsoLogin', () => {
         })
     })
 })
+
+describe('IamLogin', () => {
+    let lspAuth: sinon.SinonStubbedInstance<LanguageClientAuth>
+    let iamLogin: IamLogin
+    let eventEmitter: vscode.EventEmitter<any>
+    let fireEventSpy: sinon.SinonSpy
+
+    const loginOpts = {
+        accessKey: 'test-access-key',
+        secretKey: 'test-secret-key',
+        sessionToken: 'test-session-token',
+    }
+
+    const mockGetIamCredentialResponse: GetIamCredentialResult = {
+        id: 'test-credential-id',
+        credentials: {
+            accessKeyId: 'encrypted-access-key',
+            secretAccessKey: 'encrypted-secret-key',
+            sessionToken: 'encrypted-session-token',
+        },
+        updateCredentialsParams: {
+            data: 'credential-data',
+        },
+    }
+
+    beforeEach(() => {
+        lspAuth = sinon.createStubInstance(LanguageClientAuth)
+        eventEmitter = new vscode.EventEmitter()
+        fireEventSpy = sinon.spy(eventEmitter, 'fire')
+        iamLogin = new IamLogin(profileName, lspAuth as any, eventEmitter)
+        ;(iamLogin as any).eventEmitter = eventEmitter
+        ;(iamLogin as any).connectionState = 'notConnected'
+    })
+
+    afterEach(() => {
+        sinon.restore()
+        eventEmitter.dispose()
+    })
+
+    describe('login', () => {
+        it('updates profile and returns IAM credential', async () => {
+            lspAuth.updateIamProfile.resolves()
+            lspAuth.getIamCredential.resolves(mockGetIamCredentialResponse)
+
+            const response = await iamLogin.login(loginOpts)
+
+            sinon.assert.calledOnce(lspAuth.updateIamProfile)
+            sinon.assert.calledWith(lspAuth.updateIamProfile, profileName, loginOpts.accessKey, loginOpts.secretKey)
+            sinon.assert.calledOnce(lspAuth.getIamCredential)
+            sinon.assert.match(iamLogin.getConnectionState(), 'connected')
+            sinon.assert.match(response.id, 'test-credential-id')
+        })
+    })
+
+    describe('reauthenticate', () => {
+        it('throws when not connected', async () => {
+            ;(iamLogin as any).connectionState = 'notConnected'
+            try {
+                await iamLogin.reauthenticate()
+                sinon.assert.fail('Should have thrown an error')
+            } catch (err) {
+                sinon.assert.match((err as Error).message, 'Cannot reauthenticate when not connected.')
+            }
+        })
+
+        it('returns new IAM credential when connected', async () => {
+            ;(iamLogin as any).connectionState = 'connected'
+            lspAuth.getIamCredential.resolves(mockGetIamCredentialResponse)
+
+            const response = await iamLogin.reauthenticate()
+
+            sinon.assert.calledOnce(lspAuth.getIamCredential)
+            sinon.assert.match(iamLogin.getConnectionState(), 'connected')
+            sinon.assert.match(response.id, 'test-credential-id')
+        })
+    })
+
+    describe('logout', () => {
+        it('invalidates credential and updates state', async () => {
+            ;(iamLogin as any).iamCredentialId = 'test-credential-id'
+            lspAuth.invalidateStsCredential.resolves({ success: true })
+            lspAuth.updateIamProfile.resolves()
+
+            await iamLogin.logout()
+
+            sinon.assert.calledOnce(lspAuth.invalidateStsCredential)
+            sinon.assert.calledWith(lspAuth.invalidateStsCredential, 'test-credential-id')
+            sinon.assert.match(iamLogin.getConnectionState(), 'notConnected')
+            sinon.assert.match(iamLogin.data, undefined)
+        })
+    })
+
+    describe('restore', () => {
+        it('restores connection state', async () => {
+            lspAuth.getIamCredential.resolves(mockGetIamCredentialResponse)
+
+            await iamLogin.restore()
+
+            sinon.assert.calledOnce(lspAuth.getIamCredential)
+            sinon.assert.calledWith(lspAuth.getIamCredential, profileName, false)
+            sinon.assert.match(iamLogin.getConnectionState(), 'connected')
+        })
+    })
+
+    describe('_getIamCredential', () => {
+        const testErrorHandling = async (errorCode: string, expectedState: string) => {
+            const error = new Error('Credential error')
+            ;(error as any).data = { awsErrorCode: errorCode }
+            lspAuth.getIamCredential.rejects(error)
+
+            try {
+                await (iamLogin as any)._getIamCredential(false)
+                sinon.assert.fail('Should have thrown an error')
+            } catch (err) {
+                sinon.assert.match(err, error)
+            }
+
+            sinon.assert.match(iamLogin.getConnectionState(), expectedState)
+        }
+
+        const notConnectedErrors = [
+            AwsErrorCodes.E_CANCELLED,
+            AwsErrorCodes.E_INVALID_PROFILE,
+            AwsErrorCodes.E_PROFILE_NOT_FOUND,
+            AwsErrorCodes.E_CANNOT_CREATE_STS_CREDENTIAL,
+            AwsErrorCodes.E_INVALID_STS_CREDENTIAL,
+        ]
+
+        for (const errorCode of notConnectedErrors) {
+            it(`handles ${errorCode} error`, async () => {
+                await testErrorHandling(errorCode, 'notConnected')
+            })
+        }
+
+        it('returns correct response and updates state', async () => {
+            lspAuth.getIamCredential.resolves(mockGetIamCredentialResponse)
+
+            const response = await (iamLogin as any)._getIamCredential(true)
+
+            sinon.assert.calledWith(lspAuth.getIamCredential, profileName, true)
+            sinon.assert.match(response, mockGetIamCredentialResponse)
+            sinon.assert.match(iamLogin.getConnectionState(), 'connected')
+            // Note: iamCredentialId is commented out in the implementation
+            // sinon.assert.match((iamLogin as any).iamCredentialId, 'test-credential-id')
+        })
+    })
+
+    describe('stsCredentialChangedHandler', () => {
+        beforeEach(() => {
+            ;(iamLogin as any).iamCredentialId = 'test-credential-id'
+            ;(iamLogin as any).connectionState = 'connected'
+        })
+
+        it('updates state when credential expires', () => {
+            ;(iamLogin as any).stsCredentialChangedHandler({
+                kind: StsCredentialChangedKind.Expired,
+                stsCredentialId: 'test-credential-id',
+            })
+
+            sinon.assert.match(iamLogin.getConnectionState(), 'expired')
+            sinon.assert.calledOnce(fireEventSpy)
+            sinon.assert.calledWith(fireEventSpy, {
+                id: profileName,
+                state: 'expired',
+            })
+        })
+
+        it('emits refresh event when credential is refreshed', () => {
+            ;(iamLogin as any).stsCredentialChangedHandler({
+                kind: StsCredentialChangedKind.Refreshed,
+                stsCredentialId: 'test-credential-id',
+            })
+
+            sinon.assert.calledOnce(fireEventSpy)
+            sinon.assert.calledWith(fireEventSpy, {
+                id: profileName,
+                state: 'refreshed',
+            })
+        })
+
+        it('does not emit event for different credential ID', () => {
+            ;(iamLogin as any).stsCredentialChangedHandler({
+                kind: StsCredentialChangedKind.Refreshed,
+                stsCredentialId: 'different-credential-id',
+            })
+
+            sinon.assert.notCalled(fireEventSpy)
+        })
+    })
+})