fix(auth): static credentials without an expiration are not coherent with the source #3407

Problem:
It's possible to load temporary credentials without an explicit expiration time. Cloud9 writes credentials in this way. 
Without an expiration time, we assume they are good forever even when the underlying source changes.

Solution:
Fetch a new provider on every call. CredentialsProviderManager calls fs.stat every time which might have performance
implications. This really only affects CW on C9, need to test to see if it's noticeable.

Author: JadenSimon

.changes/next-release/Bug Fix-51780426-c0f2-464c-9f56-602a019b6625.json

@@ -0,0 +1,4 @@
+{
+	"type": "Bug Fix",
+	"description": "auth: changes to the AWS shared configuration files are not always respected when fetching credentials"
+}

src/credentials/auth.ts

@@ -296,14 +296,14 @@ async function loadIamProfilesIntoStore(store: ProfileStore, manager: Credential
             continue
         }
 
-        if (providers[id] === undefined) {
-            await store.deleteProfile(id)
-        } else if (profile.subtype === 'linked') {
+        if (profile.subtype === 'linked') {
             const source = store.getProfile(profile.ssoSession)
             if (source === undefined || source.type !== 'sso') {
                 await store.deleteProfile(id)
                 manager.removeProvider(fromString(id))
             }
+        } else if (providers[id] === undefined) {
+            await store.deleteProfile(id)
         }
     }
 
@@ -430,7 +430,7 @@ export class Auth implements AuthService, ConnectionManager {
             const provider = await this.getCredentialsProvider(id, profile)
             await this.authenticate(id, () => this.createCachedCredentials(provider))
 
-            return this.getIamConnection(id, provider)
+            return this.getIamConnection(id, profile)
         }
     }
 
@@ -444,9 +444,7 @@ export class Auth implements AuthService, ConnectionManager {
 
         const validated = await this.validateConnection(id, profile)
         const conn =
-            validated.type === 'sso'
-                ? this.getSsoConnection(id, validated)
-                : this.getIamConnection(id, await this.getCredentialsProvider(id, validated))
+            validated.type === 'sso' ? this.getSsoConnection(id, validated) : this.getIamConnection(id, validated)
 
         this.#activeConnection = conn
         this.#onDidChangeActiveConnection.fire(conn)
@@ -685,7 +683,7 @@ export class Auth implements AuthService, ConnectionManager {
         if (profile.type === 'sso') {
             return this.getSsoConnection(id, profile)
         } else {
-            return this.getIamConnection(id, await this.getCredentialsProvider(id, profile))
+            return this.getIamConnection(id, profile)
         }
     }
 
@@ -699,6 +697,10 @@ export class Auth implements AuthService, ConnectionManager {
             return provider
         }
 
+        return this.getSsoLinkedCredentialsProvider(id, profile)
+    }
+
+    private getSsoLinkedCredentialsProvider(id: Connection['id'], profile: LinkedIamProfile) {
         const sourceProfile = this.store.getProfile(profile.ssoSession)
         if (sourceProfile === undefined) {
             throw new Error(`Source profile for "${id}" no longer exists`)
@@ -760,16 +762,17 @@ export class Auth implements AuthService, ConnectionManager {
         )
     }
 
-    private getIamConnection(id: Connection['id'], provider: CredentialsProvider): IamConnection & StatefulConnection {
-        const profile = this.store.getProfileOrThrow(id)
-
+    private getIamConnection(
+        id: Connection['id'],
+        profile: StoredProfile<IamProfile>
+    ): IamConnection & StatefulConnection {
         return {
             id,
             type: 'iam',
             state: profile.metadata.connectionState,
             label:
                 profile.metadata.label ?? (profile.type === 'iam' && profile.subtype === 'linked' ? profile.name : id),
-            getCredentials: () => this.getCredentials(id, provider),
+            getCredentials: async () => this.getCredentials(id, await this.getCredentialsProvider(id, profile)),
         }
     }
 

src/test/credentials/auth.test.ts

@@ -20,6 +20,11 @@ import { captureEventOnce } from '../testUtil'
 import { createBuilderIdProfile, createSsoProfile, createTestAuth } from './testUtil'
 import { toCollection } from '../../shared/utilities/asyncCollection'
 import globals from '../../shared/extensionGlobals'
+import { SystemUtilities } from '../../shared/systemUtilities'
+import { makeTemporaryToolkitFolder } from '../../shared/filesystemUtilities'
+import { SharedCredentialsProviderFactory } from '../../credentials/providers/sharedCredentialsProviderFactory'
+import { UserCredentialsUtils } from '../../shared/credentials/userCredentialsUtils'
+import { getCredentialsFilename } from '../../credentials/sharedCredentialsFile'
 
 const ssoProfile = createSsoProfile()
 const scopedSsoProfile = createSsoProfile({ scopes: ['foo'] })
@@ -360,6 +365,50 @@ describe('Auth', function () {
         })
     })
 
+    describe('Shared ini files', function () {
+        let tmpDir: string
+
+        beforeEach(async function () {
+            tmpDir = await makeTemporaryToolkitFolder()
+            sinon.stub(SystemUtilities, 'getHomeDirectory').returns(tmpDir)
+            sinon.stub(globals.loginManager, 'validateCredentials').resolves('123')
+            auth.credentialsManager.addProviderFactory(new SharedCredentialsProviderFactory())
+        })
+
+        afterEach(async function () {
+            sinon.restore()
+            await SystemUtilities.delete(tmpDir, { recursive: true })
+        })
+
+        it('does not cache if the credentials file changes', async function () {
+            const initialCreds = {
+                profileName: 'default',
+                accessKey: 'x',
+                secretKey: 'x',
+            }
+
+            await UserCredentialsUtils.generateCredentialsFile(initialCreds)
+
+            const conn = await auth.getConnection({ id: 'profile:default' })
+            assert.ok(conn?.type === 'iam', 'Expected an IAM connection')
+            assert.deepStrictEqual(await conn.getCredentials(), {
+                accessKeyId: initialCreds.accessKey,
+                secretAccessKey: initialCreds.secretKey,
+                sessionToken: undefined,
+            })
+
+            await SystemUtilities.delete(getCredentialsFilename())
+
+            const newCreds = { ...initialCreds, accessKey: 'y', secretKey: 'y' }
+            await UserCredentialsUtils.generateCredentialsFile(newCreds)
+            assert.deepStrictEqual(await conn.getCredentials(), {
+                accessKeyId: newCreds.accessKey,
+                secretAccessKey: newCreds.secretKey,
+                sessionToken: undefined,
+            })
+        })
+    })
+
     describe('AuthNode', function () {
         it('shows a message to create a connection if no connections exist', async function () {
             const node = new AuthNode(auth)

src/test/credentials/provider/sharedCredentialsProvider.test.ts

@@ -3,7 +3,6 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import * as vscode from 'vscode'
 import * as assert from 'assert'
 import * as FakeTimers from '@sinonjs/fake-timers'
 import * as sinon from 'sinon'
@@ -12,20 +11,13 @@ import { stripUndefined } from '../../../shared/utilities/collectionUtils'
 import * as process from '@aws-sdk/credential-provider-process'
 import { ParsedIniData } from '@aws-sdk/shared-ini-file-loader'
 import { installFakeClock } from '../../testUtil'
-import { parseIni, mergeAndValidateSections } from '../../../credentials/sharedCredentials'
 import { SsoClient } from '../../../credentials/sso/clients'
 import { stub } from '../../utilities/stubber'
 import { SsoAccessTokenProvider } from '../../../credentials/sso/ssoAccessTokenProvider'
+import { createTestSections } from '../testUtil'
 
 const missingPropertiesFragment = 'missing properties'
 
-async function createTestSections(ini: string) {
-    const doc = await vscode.workspace.openTextDocument({ content: ini })
-    const sections = parseIni(doc.getText(), doc.uri)
-
-    return mergeAndValidateSections(sections).sections
-}
-
 describe('SharedCredentialsProvider', async function () {
     let clock: FakeTimers.InstalledClock
     let sandbox: sinon.SinonSandbox

src/test/credentials/testUtil.ts

@@ -4,6 +4,7 @@
  */
 
 import * as assert from 'assert'
+import * as vscode from 'vscode'
 import { Auth, Connection, ProfileStore, SsoConnection, SsoProfile } from '../../credentials/auth'
 import { CredentialsProviderManager } from '../../credentials/providers/credentialsProviderManager'
 import { SsoClient } from '../../credentials/sso/clients'
@@ -14,6 +15,8 @@ import { captureEvent, EventCapturer } from '../testUtil'
 import { stub } from '../utilities/stubber'
 import globals from '../../shared/extensionGlobals'
 import { fromString } from '../../credentials/providers/credentials'
+import { mergeAndValidateSections, parseIni } from '../../credentials/sharedCredentials'
+import { SharedCredentialsProvider } from '../../credentials/providers/sharedCredentialsProvider'
 
 export function createSsoProfile(props?: Partial<Omit<SsoProfile, 'type'>>): SsoProfile {
     return {
@@ -28,6 +31,17 @@ export function createBuilderIdProfile(props?: Partial<Omit<SsoProfile, 'type' |
     return createSsoProfile({ startUrl: builderIdStartUrl, ...props })
 }
 
+export async function createTestSections(ini: string) {
+    const doc = await vscode.workspace.openTextDocument({ content: ini })
+    const sections = parseIni(doc.getText(), doc.uri)
+
+    return mergeAndValidateSections(sections).sections
+}
+
+export async function createSharedCredentialsProvider(name: string, ini: string) {
+    return new SharedCredentialsProvider(name, await createTestSections(ini))
+}
+
 function createTestTokenProvider() {
     let token: SsoToken | undefined
     let counter = 0