auth refactoring (#3375)

Doing some refactoring of the auth related code.

Includes naming changes, extracting logic in to its own function, centralizing code.

See commit messages for specific info on each change.

Signed-off-by: Nikolas Komonen <[email protected]>

Author: nkomonen-amazon

src/credentials/auth.ts

@@ -36,7 +36,6 @@ import { telemetry } from '../shared/telemetry/telemetry'
 import { createCommonButtons, createExitButton, createHelpButton, createRefreshButton } from '../shared/ui/buttons'
 import { getIdeProperties, isCloud9 } from '../shared/extensionUtilities'
 import { getCodeCatalystDevEnvId } from '../shared/vscode/env'
-import { getConfigFilename } from './sharedCredentials'
 import { authHelpUrl } from '../shared/constants'
 import { getDependentAuths } from './secondaryAuth'
 import { DevSettings } from '../shared/settings'
@@ -45,6 +44,7 @@ import { createRegionPrompter } from '../shared/ui/common/region'
 import { SsoCredentialsProvider } from './providers/ssoCredentialsProvider'
 import { AsyncCollection, toCollection } from '../shared/utilities/asyncCollection'
 import { join, toStream } from '../shared/utilities/collectionUtils'
+import { getConfigFilename } from './sharedCredentialsFile'
 
 export const ssoScope = 'sso:account:access'
 export const codecatalystScopes = ['codecatalyst:read_write']

src/credentials/providers/sharedCredentialsProvider.ts

@@ -5,15 +5,11 @@
 
 import * as fs from 'fs-extra'
 import { getLogger, Logger } from '../../shared/logger'
-import {
-    getConfigFilename,
-    getCredentialsFilename,
-    loadSharedCredentialsSections,
-    updateAwsSdkLoadConfigEnvVar,
-} from '../sharedCredentials'
+import { loadSharedCredentialsSections, updateAwsSdkLoadConfigEnvVar } from '../sharedCredentials'
 import { CredentialsProviderType } from './credentials'
 import { BaseCredentialsProviderFactory } from './credentialsProviderFactory'
 import { SharedCredentialsProvider } from './sharedCredentialsProvider'
+import { getCredentialsFilename, getConfigFilename } from '../sharedCredentialsFile'
 
 export class SharedCredentialsProviderFactory extends BaseCredentialsProviderFactory<SharedCredentialsProvider> {
     private readonly logger: Logger = getLogger()

src/credentials/providers/sharedCredentialsProviderFactory.ts

@@ -4,23 +4,10 @@
  */
 
 import * as vscode from 'vscode'
-import { join } from 'path'
-import { EnvironmentVariables } from '../shared/environmentVariables'
 import { SystemUtilities } from '../shared/systemUtilities'
 import { ToolkitError } from '../shared/errors'
 import { assertHasProps } from '../shared/utilities/tsUtils'
-
-export function getCredentialsFilename(): string {
-    const env = process.env as EnvironmentVariables
-
-    return env.AWS_SHARED_CREDENTIALS_FILE || join(SystemUtilities.getHomeDirectory(), '.aws', 'credentials')
-}
-
-export function getConfigFilename(): string {
-    const env = process.env as EnvironmentVariables
-
-    return env.AWS_CONFIG_FILE || join(SystemUtilities.getHomeDirectory(), '.aws', 'config')
-}
+import { getConfigFilename, getCredentialsFilename } from './sharedCredentialsFile'
 
 export async function updateAwsSdkLoadConfigEnvVar(): Promise<void> {
     const configFileExists = await SystemUtilities.fileExists(getConfigFilename())
@@ -35,7 +22,7 @@ interface AssignmentNode {
 
 export interface BaseSection {
     readonly type: string
-    readonly name: string
+    readonly name: SectionName
     readonly source: vscode.Uri
     readonly startLines: number[]
     readonly assignments: AssignmentNode[]
@@ -75,7 +62,7 @@ export class ParseError extends Error {
 export const isProfileSection = (section: Section): section is ProfileSection => section.type === 'profile'
 export const isSsoSessionSection = (section: Section): section is SsoSessionSection => section.type === 'sso-session'
 
-export function extractData(section: BaseSection): Record<string, string> {
+export function extractDataFromSection(section: BaseSection): Record<string, string> {
     const data: Record<string, string> = {}
     for (const assignment of section.assignments) {
         data[assignment.key] = assignment.value
@@ -86,7 +73,7 @@ export function extractData(section: BaseSection): Record<string, string> {
 
 export function getRequiredFields<T extends string>(section: Section, ...keys: T[]): { [P in T]: string } {
     try {
-        const data = extractData(section)
+        const data = extractDataFromSection(section)
         assertHasProps(data, ...keys)
 
         return data
@@ -99,7 +86,7 @@ export function getRequiredFields<T extends string>(section: Section, ...keys: T
 
 export function getSectionOrThrow<T extends Section['type'] = Section['type']>(
     sections: Section[],
-    name: string,
+    name: SectionName,
     type: T
 ): Section & { type: T } {
     const section = sections.find(s => s.name === name && s.type === type) as (Section & { type: T }) | undefined
@@ -111,13 +98,13 @@ export function getSectionOrThrow<T extends Section['type'] = Section['type']>(
     return section
 }
 
-export function getSectionDataOrThrow(sections: Section[], name: string, type: Section['type']) {
+export function getSectionDataOrThrow(sections: Section[], name: SectionName, type: Section['type']) {
     const section = getSectionOrThrow(sections, name, type)
     if (section.type !== type) {
         throw ParseError.fromSection(section, `Expected section to be type "${type}", got: ${section.type}`)
     }
 
-    return extractData(section)
+    return extractDataFromSection(section)
 }
 
 const sectionTypes = ['profile', 'sso-session'] as const
@@ -130,6 +117,19 @@ function validateSection(section: BaseSection): asserts section is Section {
     }
 }
 
+/**
+ * Loads existing merged (credentials + config) profiles from the filesystem
+ */
+export async function loadSharedCredentialsProfiles(): Promise<Record<SectionName, Profile>> {
+    const profiles = {} as Record<SectionName, Profile>
+    for (const [k, v] of (await loadSharedCredentialsSections()).sections.entries()) {
+        if (v.type === 'profile') {
+            profiles[k] = extractDataFromSection(v)
+        }
+    }
+    return profiles
+}
+
 export async function loadSharedCredentialsSections(): Promise<ParseResult> {
     // These should eventually be changed to use `parse` to allow for credentials from other file systems
     const data = await loadSharedConfigFiles({
@@ -234,6 +234,13 @@ async function loadCredentialsFile(credentialsUri?: vscode.Uri): Promise<ReturnT
     return parseIni(await SystemUtilities.readFile(credentialsUri), credentialsUri)
 }
 
+/**
+ * The name of a section in a credentials/config file
+ *
+ * The is the value of `{A}` in `[ {A} ]` or `[ {B} {A} ]`.
+ */
+export type SectionName = string
+
 export interface Profile {
     [key: string]: string | undefined
 }

src/credentials/sharedCredentials.ts

@@ -0,0 +1,22 @@
+/*!
+ * Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * This module focuses on the i/o of the credentials/config files
+ */
+
+import { join } from 'path'
+import { EnvironmentVariables } from '../shared/environmentVariables'
+import { SystemUtilities } from '../shared/systemUtilities'
+
+export function getCredentialsFilename(): string {
+    const env = process.env as EnvironmentVariables
+
+    return env.AWS_SHARED_CREDENTIALS_FILE || join(SystemUtilities.getHomeDirectory(), '.aws', 'credentials')
+}
+
+export function getConfigFilename(): string {
+    const env = process.env as EnvironmentVariables
+
+    return env.AWS_CONFIG_FILE || join(SystemUtilities.getHomeDirectory(), '.aws', 'config')
+}

src/credentials/sharedCredentialsFile.ts

@@ -0,0 +1,35 @@
+/*!
+ * Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/**
+ * All keys that are shared between a credentials or config file
+ */
+export const SharedCredentialsKeys = {
+    AWS_ACCESS_KEY_ID: 'aws_access_key_id',
+    AWS_SECRET_ACCESS_KEY: 'aws_secret_access_key',
+    AWS_SESSION_TOKEN: 'aws_session_token',
+    CREDENTIAL_PROCESS: 'credential_process',
+    CREDENTIAL_SOURCE: 'credential_source',
+    REGION: 'region',
+    ROLE_ARN: 'role_arn',
+    SOURCE_PROFILE: 'source_profile',
+    MFA_SERIAL: 'mfa_serial',
+    SSO_START_URL: 'sso_start_url',
+    SSO_REGION: 'sso_region',
+    SSO_ACCOUNT_ID: 'sso_account_id',
+    SSO_ROLE_NAME: 'sso_role_name',
+    SSO_SESSION: 'sso_session',
+    SSO_REGISTRATION_SCOPES: 'sso_registration_scopes',
+} as const
+
+/**
+ * The required keys for a static credentials profile
+ *
+ * https://docs.aws.amazon.com/sdkref/latest/guide/feature-static-credentials.html
+ */
+export interface StaticCredentialsProfileData {
+    [SharedCredentialsKeys.AWS_ACCESS_KEY_ID]: string
+    [SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]: string
+}

src/credentials/types.ts

@@ -11,11 +11,11 @@ import { StepEstimator, Wizard, WIZARD_BACK } from '../../shared/wizards/wizard'
 import { Prompter, PromptResult } from '../../shared/ui/prompter'
 import { createInputBox } from '../../shared/ui/inputPrompter'
 import { DefaultStsClient } from '../../shared/clients/stsClient'
-import { ProfileKey } from './templates'
 import { createCommonButtons } from '../../shared/ui/buttons'
 import { credentialHelpUrl } from '../../shared/constants'
 import { showLoginFailedMessage } from '../credentialsUtilities'
 import { ParsedIniData, Profile } from '../sharedCredentials'
+import { SharedCredentialsKeys } from '../types'
 
 function createProfileNamePrompter(profiles: ParsedIniData) {
     return createInputBox({
@@ -82,8 +82,8 @@ class ProfileChecker<T extends Profile> extends Prompter<string> {
         try {
             const region = this.profile['region'] ?? 'us-east-1' // De-dupe this pattern
             const stsClient = new DefaultStsClient(region, {
-                accessKeyId: this.profile[ProfileKey.AccessKeyId]!,
-                secretAccessKey: this.profile[ProfileKey.SecretKey]!,
+                accessKeyId: this.profile[SharedCredentialsKeys.AWS_ACCESS_KEY_ID]!,
+                secretAccessKey: this.profile[SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]!,
             })
 
             return (await stsClient.getCallerIdentity()).Account

src/credentials/wizards/createProfile.ts

@@ -11,30 +11,19 @@ import { getIdeProperties } from '../../shared/extensionUtilities'
 import { ProfileTemplateProvider } from './createProfile'
 import { createCommonButtons } from '../../shared/ui/buttons'
 import { credentialHelpUrl } from '../../shared/constants'
-
-// TODO: use this everywhere else
-export enum ProfileKey {
-    AccessKeyId = 'aws_access_key_id',
-    SecretKey = 'aws_secret_access_key',
-    Process = 'credential_process',
-}
+import { SharedCredentialsKeys, StaticCredentialsProfileData } from '../types'
 
 function getTitle(profileName: string): string {
     return localize('AWS.title.createCredentialProfile', 'Creating new profile "{0}"', profileName)
 }
 
-interface StaticProfile {
-    [ProfileKey.AccessKeyId]: string
-    [ProfileKey.SecretKey]: string
-}
-
 const accessKeyPattern = /[\w]{16,128}/
 
-export const staticCredentialsTemplate: ProfileTemplateProvider<StaticProfile> = {
+export const staticCredentialsTemplate: ProfileTemplateProvider<StaticCredentialsProfileData> = {
     label: 'Static Credentials',
     description: 'Use this for credentials that never expire',
     prompts: {
-        [ProfileKey.AccessKeyId]: name =>
+        [SharedCredentialsKeys.AWS_ACCESS_KEY_ID]: name =>
             createInputBox({
                 title: getTitle(name),
                 buttons: createCommonButtons(credentialHelpUrl),
@@ -57,7 +46,7 @@ export const staticCredentialsTemplate: ProfileTemplateProvider<StaticProfile> =
                     }
                 },
             }),
-        [ProfileKey.SecretKey]: name =>
+        [SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]: name =>
             createInputBox({
                 title: getTitle(name),
                 buttons: createCommonButtons(credentialHelpUrl),
@@ -79,14 +68,14 @@ export const staticCredentialsTemplate: ProfileTemplateProvider<StaticProfile> =
 }
 
 interface CredentialsProcessProfile {
-    [ProfileKey.Process]: string
+    [SharedCredentialsKeys.CREDENTIAL_PROCESS]: string
 }
 
 export const processCredentialsTemplate: ProfileTemplateProvider<CredentialsProcessProfile> = {
     label: 'External Process',
     description: 'Creates a new profile that fetches credentials from a process',
     prompts: {
-        [ProfileKey.Process]: name =>
+        [SharedCredentialsKeys.CREDENTIAL_PROCESS]: name =>
             createInputBox({
                 title: getTitle(name),
                 prompt: 'Enter a command to run',

src/credentials/wizards/templates.ts

@@ -17,12 +17,13 @@ import { credentialHelpUrl } from './constants'
 import { PromptSettings } from './settings'
 import { isNonNullable } from './utilities/tsUtils'
 import { CreateProfileWizard } from '../credentials/wizards/createProfile'
-import { ProfileKey, staticCredentialsTemplate } from '../credentials/wizards/templates'
+import { staticCredentialsTemplate } from '../credentials/wizards/templates'
 import { SharedCredentialsProvider } from '../credentials/providers/sharedCredentialsProvider'
 import { Auth } from '../credentials/auth'
 import { CancellationError } from './utilities/timeoutUtils'
 import { ToolkitError } from './errors'
-import { extractData, loadSharedCredentialsSections, Profile } from '../credentials/sharedCredentials'
+import { loadSharedCredentialsProfiles } from '../credentials/sharedCredentials'
+import { SharedCredentialsKeys } from '../credentials/types'
 
 /**
  * @deprecated
@@ -115,23 +116,17 @@ export class AwsContextCommands {
      * @returns The profile name, or undefined if user cancelled
      */
     public async promptAndCreateNewCredentialsFile(): Promise<string | undefined> {
-        const profiles = {} as Record<string, Profile>
-        for (const [k, v] of (await loadSharedCredentialsSections()).sections.entries()) {
-            if (v.type === 'profile') {
-                profiles[k] = extractData(v)
-            }
-        }
-
-        const wizard = new CreateProfileWizard(profiles, staticCredentialsTemplate)
+        const existingProfiles = await loadSharedCredentialsProfiles()
+        const wizard = new CreateProfileWizard(existingProfiles, staticCredentialsTemplate)
         const resp = await wizard.run()
         if (!resp) {
             return
         }
 
         await UserCredentialsUtils.generateCredentialsFile({
             profileName: resp.name,
-            accessKey: resp.profile[ProfileKey.AccessKeyId]!,
-            secretKey: resp.profile[ProfileKey.SecretKey]!,
+            accessKey: resp.profile[SharedCredentialsKeys.AWS_ACCESS_KEY_ID]!,
+            secretKey: resp.profile[SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]!,
         })
 
         const sharedProviderId: CredentialsId = {

src/shared/awsContextCommands.ts

@@ -6,10 +6,10 @@
 import * as path from 'path'
 import * as vscode from 'vscode'
 import { mkdirp, writeFile } from 'fs-extra'
-import { getConfigFilename, getCredentialsFilename } from '../../credentials/sharedCredentials'
 import { fileExists } from '../filesystemUtilities'
 import { SystemUtilities } from '../systemUtilities'
 import { isNonNullable } from '../utilities/tsUtils'
+import { getConfigFilename, getCredentialsFilename } from '../../credentials/sharedCredentialsFile'
 
 const header = `
 # AWS credentials file used by AWS CLI, SDKs, and tools.