authWebview: Auth refactoring + new funcs (#3409)

- Refactors some existing auth code
- Adds a new sharedCredentialsValidation class which centralizes validation of shared credentials data
     - Previous validation functionality was moved in to this file
- Added function to be able to save credentials data (aws access key, secret key) at once to the credentials file.

Signed-off-by: Nikolas Komonen <[email protected]>

Author: nkomonen-amazon

src/credentials/auth.ts

@@ -45,6 +45,9 @@ import { SsoCredentialsProvider } from './providers/ssoCredentialsProvider'
 import { AsyncCollection, toCollection } from '../shared/utilities/asyncCollection'
 import { join, toStream } from '../shared/utilities/collectionUtils'
 import { getConfigFilename } from './sharedCredentialsFile'
+import { saveProfileToCredentials } from './sharedCredentials'
+import { SectionName, StaticCredentialsProfileData } from './types'
+import { validateCredentialsProfile } from './sharedCredentialsValidation'
 
 export const ssoScope = 'sso:account:access'
 export const codecatalystScopes = ['codecatalyst:read_write']
@@ -1199,6 +1202,25 @@ const addConnection = Commands.register('aws.auth.addConnection', async () => {
     }
 })
 
+export async function tryAddCredentials(
+    profileName: SectionName,
+    profileData: StaticCredentialsProfileData,
+    tryConnect = true
+): Promise<boolean> {
+    await validateCredentialsProfile(profileName, profileData)
+    await saveProfileToCredentials(profileName, profileData)
+    if (tryConnect) {
+        const auth = Auth.instance
+        const conn = await auth.getConnection({ id: profileName })
+        if (conn === undefined) {
+            throw new ToolkitError('Failed to get connection from profile', { code: 'MissingConnection' })
+        }
+
+        await auth.useConnection(conn)
+    }
+    return true
+}
+
 const getConnectionIcon = (conn: Connection) =>
     conn.type === 'sso' ? getIcon('vscode-account') : getIcon('vscode-key')
 

src/credentials/providers/sharedCredentialsProvider.ts

@@ -28,12 +28,11 @@ import {
     getSectionOrThrow,
     isProfileSection,
     Profile,
-    SectionName,
     Section,
 } from '../sharedCredentials'
 import { hasScopes, SsoProfile } from '../auth'
 import { builderIdStartUrl } from '../sso/model'
-import { SharedCredentialsKeys } from '../types'
+import { SectionName, SharedCredentialsKeys } from '../types'
 
 const credentialSources = {
     ECS_CONTAINER: 'EcsContainer',

src/credentials/sharedCredentials.ts

@@ -8,6 +8,8 @@ import { SystemUtilities } from '../shared/systemUtilities'
 import { ToolkitError } from '../shared/errors'
 import { assertHasProps } from '../shared/utilities/tsUtils'
 import { getConfigFilename, getCredentialsFilename } from './sharedCredentialsFile'
+import { SectionName, StaticCredentialsProfileData } from './types'
+import { UserCredentialsUtils } from '../shared/credentials/userCredentialsUtils'
 
 export async function updateAwsSdkLoadConfigEnvVar(): Promise<void> {
     const configFileExists = await SystemUtilities.fileExists(getConfigFilename())
@@ -235,11 +237,32 @@ async function loadCredentialsFile(credentialsUri?: vscode.Uri): Promise<ReturnT
 }
 
 /**
- * The name of a section in a credentials/config file
- *
- * The is the value of `{A}` in `[ {A} ]` or `[ {B} {A} ]`.
+ * Saves the given profile data to the credentials file.
  */
-export type SectionName = string
+export async function saveProfileToCredentials(
+    profileName: SectionName,
+    profileData: StaticCredentialsProfileData
+): Promise<void> {
+    if (await profileExists(profileName)) {
+        throw new ToolkitError(`Cannot save profile "${profileName}" because it already exists.`, {
+            code: 'ProfileAlreadyExists',
+        })
+    }
+
+    return UserCredentialsUtils.generateCredentialsFile({
+        profileName,
+        accessKey: profileData.aws_access_key_id,
+        secretKey: profileData.aws_secret_access_key,
+    })
+}
+
+/**
+ * Checks if a profile exists in a shared credentials file.
+ */
+export async function profileExists(profileName: SectionName): Promise<boolean> {
+    const existingProfiles = await loadSharedCredentialsProfiles()
+    return Object.keys(existingProfiles).includes(profileName)
+}
 
 export interface Profile {
     [key: string]: string | undefined

src/credentials/sharedCredentialsValidation.ts

@@ -0,0 +1,94 @@
+/*!
+ * Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * This module focuses on the validation of shared credentials properties
+ */
+
+import { localize } from 'vscode-nls'
+import { SectionName, SharedCredentialsKeys, StaticCredentialsProfileData } from './types'
+import { ToolkitError } from '../shared/errors'
+import { profileExists } from './sharedCredentials'
+
+/**
+ * The format validators for shared credentials keys.
+ *
+ * A format validator validates the format of the data,
+ * but not the validity of the content.
+ */
+export const CredentialsKeyFormatValidators = {
+    [SharedCredentialsKeys.AWS_ACCESS_KEY_ID]: getAccessKeyIdFormatError,
+    [SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]: getSecretAccessKeyFormatError,
+} as const
+
+/**
+ * Holds the error for each key of static credentials data,
+ * if it exists. This allows the user to get all the errors
+ * at once.
+ */
+export type StaticCredentialsErrorResult = {
+    [k in keyof StaticCredentialsProfileData]: string | undefined
+}
+
+export function getStaticCredentialsDataErrors(
+    data: StaticCredentialsProfileData
+): StaticCredentialsErrorResult | undefined {
+    const accessKeyIdError = CredentialsKeyFormatValidators[SharedCredentialsKeys.AWS_ACCESS_KEY_ID](
+        data[SharedCredentialsKeys.AWS_ACCESS_KEY_ID]
+    )
+    const secretAccessKeyError = CredentialsKeyFormatValidators[SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY](
+        data[SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]
+    )
+
+    if (accessKeyIdError === undefined && secretAccessKeyError === undefined) {
+        return undefined
+    }
+
+    return {
+        [SharedCredentialsKeys.AWS_ACCESS_KEY_ID]: accessKeyIdError,
+        [SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]: secretAccessKeyError,
+    }
+}
+
+const accessKeyPattern = /[\w]{16,128}/
+
+function getAccessKeyIdFormatError(awsAccessKeyId: string | undefined): string | undefined {
+    if (awsAccessKeyId === undefined) {
+        return undefined
+    }
+
+    if (awsAccessKeyId === '') {
+        return localize('AWS.credentials.error.emptyAccessKey', 'Access key must not be empty')
+    }
+    if (!accessKeyPattern.test(awsAccessKeyId)) {
+        return localize(
+            'AWS.credentials.error.emptyAccessKey',
+            'Access key must be alphanumeric and between 16 and 128 characters'
+        )
+    }
+}
+
+function getSecretAccessKeyFormatError(awsSecretAccessKey: string | undefined): string | undefined {
+    if (awsSecretAccessKey === undefined) {
+        return undefined
+    }
+
+    if (awsSecretAccessKey === '') {
+        return localize('AWS.credentials.error.emptySecretKey', 'Secret key must not be empty')
+    }
+}
+
+/** To be used as a sanity check to validate all core parts of a credentials profile */
+export async function validateCredentialsProfile(profileName: SectionName, profileData: StaticCredentialsProfileData) {
+    if (await profileExists(profileName)) {
+        throw new ToolkitError(`Credentials profile "${profileName}" already exists`)
+    }
+
+    const credentialsDataErrors = getStaticCredentialsDataErrors(profileData)
+    if (credentialsDataErrors !== undefined) {
+        throw new ToolkitError(`Errors in credentials data: ${credentialsDataErrors}`, {
+            code: 'InvalidCredentialsData',
+            details: credentialsDataErrors,
+        })
+    }
+}

src/credentials/types.ts

@@ -33,3 +33,10 @@ export interface StaticCredentialsProfileData {
     [SharedCredentialsKeys.AWS_ACCESS_KEY_ID]: string
     [SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]: string
 }
+
+/**
+ * The name of a section in a credentials/config file
+ *
+ * The is the value of `{A}` in `[ {A} ]` or `[ {B} {A} ]`.
+ */
+export type SectionName = string

src/credentials/wizards/templates.ts

@@ -12,13 +12,12 @@ import { ProfileTemplateProvider } from './createProfile'
 import { createCommonButtons } from '../../shared/ui/buttons'
 import { credentialHelpUrl } from '../../shared/constants'
 import { SharedCredentialsKeys, StaticCredentialsProfileData } from '../types'
+import { CredentialsKeyFormatValidators } from '../sharedCredentialsValidation'
 
 function getTitle(profileName: string): string {
     return localize('AWS.title.createCredentialProfile', 'Creating new profile "{0}"', profileName)
 }
 
-const accessKeyPattern = /[\w]{16,128}/
-
 export const staticCredentialsTemplate: ProfileTemplateProvider<StaticCredentialsProfileData> = {
     label: 'Static Credentials',
     description: 'Use this for credentials that never expire',
@@ -34,17 +33,7 @@ export const staticCredentialsTemplate: ProfileTemplateProvider<StaticCredential
                     'Input the {0} Access Key',
                     getIdeProperties().company
                 ),
-                validateInput: accessKey => {
-                    if (accessKey === '') {
-                        return localize('AWS.credentials.error.emptyAccessKey', 'Access key must not be empty')
-                    }
-                    if (!accessKeyPattern.test(accessKey)) {
-                        return localize(
-                            'AWS.credentials.error.emptyAccessKey',
-                            'Access key must be alphanumeric and between 16 and 128 characters'
-                        )
-                    }
-                },
+                validateInput: CredentialsKeyFormatValidators.aws_access_key_id,
             }),
         [SharedCredentialsKeys.AWS_SECRET_ACCESS_KEY]: name =>
             createInputBox({
@@ -57,11 +46,7 @@ export const staticCredentialsTemplate: ProfileTemplateProvider<StaticCredential
                     'Input the {0} Secret Key',
                     getIdeProperties().company
                 ),
-                validateInput: secretKey => {
-                    if (secretKey === '') {
-                        return localize('AWS.credentials.error.emptySecretKey', 'Secret key must not be empty')
-                    }
-                },
+                validateInput: CredentialsKeyFormatValidators.aws_secret_access_key,
                 password: true,
             }),
     },