merge in master

Author: Hweinstock

.changes/1.83.0.json

@@ -0,0 +1,10 @@
+{
+	"date": "2023-08-03",
+	"version": "1.83.0",
+	"entries": [
+		{
+			"type": "Feature",
+			"description": "IAM Identity Center (SSO): log a warning if SSO user is not linked to an account"
+		}
+	]
+}

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.83.0 2023-08-03
+
+- **Feature** IAM Identity Center (SSO): log a warning if SSO user is not linked to an account
+
 ## 1.82.0 2023-07-26
 
 - **Bug Fix** CodeWhisperer: issue with fetching enhanced file context

CONTRIBUTING.md

@@ -379,6 +379,18 @@ Note therefore:
 2. `HEAD` implies that the URL depends on the current _default branch_ (i.e.
    `master`). Changes to other branches won't affect the marketplace page.
 
+## Using new vscode APIs
+
+The minimum required vscode version specified in [package.json](https://github.com/aws/aws-toolkit-vscode/blob/07119655109bb06105a3f53bbcd86b812b32cdbe/package.json#L16)
+is decided by the version of vscode running in Cloud9 and other vscode-compatible targets.
+
+But you can still use the latest vscode APIs, by checking the current running vscode version. For example, to use a vscode 1.64 API:
+
+1. Check the vscode version: `semver.gte(vscode.version, '1.64.0')`
+2. Disable the feature if is too old. That could mean just skipping the code entirely, or showing a different UI.
+
+Full example: https://github.com/aws/aws-toolkit-vscode/blob/7cb97a2ef0a765862d21842693967070b0dcdd49/src/shared/credentials/defaultCredentialSelectionDataProvider.ts#L54-L76
+
 ## Importing icons from other open source repos
 
 If you are contribuing visual assets from other open source repos, the source repo must have a compatible license (such as MIT), and we need to document the source of the images. Follow these steps:

package-lock.json

@@ -2,7 +2,7 @@
     "name": "aws-toolkit-vscode",
     "displayName": "AWS Toolkit",
     "description": "Including support for CodeWhisperer, CodeCatalyst, Lambda, S3, CloudWatch Logs, and many other services",
-    "version": "1.83.0-SNAPSHOT",
+    "version": "1.84.0-SNAPSHOT",
     "extensionKind": [
         "workspace"
     ],
@@ -1120,6 +1120,18 @@
                     "command": "aws.ec2.openTerminal",
                     "when": "aws.isDevMode"
                 },
+                {
+                    "command": "aws.ec2.startInstance",
+                    "when": "aws.isDevMode"
+                },
+                {
+                    "command": "aws.ec2.stopInstance",
+                    "whem": "aws.isDevMode"
+                },
+                {
+                    "command": "aws.ec2.rebootInstance",
+                    "whem": "aws.isDevMode"
+                },
                 {
                     "command": "aws.dev.openMenu",
                     "when": "aws.isDevMode || isCloud9"
@@ -1324,6 +1336,21 @@
                     "group": "inline@1",
                     "when": "viewItem == awsEc2Node"
                 },
+                {
+                    "command": "aws.ec2.startInstance",
+                    "group": "0@1",
+                    "when": "viewItem == awsEc2Node"
+                },
+                {
+                    "command": "aws.ec2.stopInstance",
+                    "group": "0@1",
+                    "when": "viewItem == awsEc2Node"
+                },
+                {
+                    "command": "aws.ec2.rebootInstance",
+                    "group": "0@1",
+                    "when": "viewItem == awsEc2Node"
+                },
                 {
                     "command": "aws.ecr.createRepository",
                     "when": "view == aws.explorer && viewItem == awsEcrNode",
@@ -2091,6 +2118,36 @@
                     }
                 }
             },
+            {
+                "command": "aws.ec2.startInstance",
+                "title": "%AWS.command.ec2.startInstance%",
+                "category": "%AWS.title%",
+                "cloud9": {
+                    "cn": {
+                        "category": "%AWS.title.cn%"
+                    }
+                }
+            },
+            {
+                "command": "aws.ec2.stopInstance",
+                "title": "%AWS.command.ec2.stopInstance%",
+                "category": "%AWS.title%",
+                "cloud9": {
+                    "cn": {
+                        "category": "%AWS.title.cn%"
+                    }
+                }
+            },
+            {
+                "command": "aws.ec2.rebootInstance",
+                "title": "%AWS.command.ec2.rebootInstance%",
+                "category": "%AWS.title%",
+                "cloud9": {
+                    "cn": {
+                        "category": "%AWS.title.cn%"
+                    }
+                }
+            },
             {
                 "command": "aws.ec2.copyInstanceId",
                 "title": "%AWS.command.ec2.copyInstanceId%",

package.json

@@ -110,6 +110,9 @@
     "AWS.command.cdk.help": "View CDK Documentation",
     "AWS.command.ec2.openTerminal": "Open terminal to EC2 instance...",
     "AWS.command.ec2.openRemoteConnection": "Connect to EC2 instance in New Window...",
+    "AWS.command.ec2.startInstance": "Start EC2 Instance",
+    "AWS.command.ec2.stopInstance": "Stop EC2 Instance",
+    "AWS.command.ec2.rebootInstance": "Reboot EC2 Instance",
     "AWS.command.ec2.copyInstanceId": "Copy Instance Id",
     "AWS.command.ecr.copyTagUri": "Copy Tag URI",
     "AWS.command.ecr.copyRepositoryUri": "Copy Repository URI",

package.nls.json

@@ -212,7 +212,7 @@ export class Auth implements AuthService, ConnectionManager {
     }
 
     /**
-     * This method will gather all AWS accounts/roles that are associated with SSO connections.
+     * Gathers all AWS accounts/roles associated with SSO ("IAM Identity Center", "IdC") connections.
      *
      * Use {@link Auth.listConnections} when you do not want to make extra API calls to the SSO service.
      */
@@ -232,20 +232,22 @@ export class Auth implements AuthService, ConnectionManager {
             const linked = this.store
                 .listProfiles()
                 .filter(isLinkable)
-                .map(([id, profile]) =>
-                    toCollection(() =>
+                .map(([id, profile]) => {
+                    const startUrl = this.truncateStartUrl(profile.startUrl)
+                    return toCollection(() =>
                         loadLinkedProfilesIntoStore(
                             this.store,
                             id,
-                            this.createSsoClient(profile.ssoRegion, this.getTokenProvider(id, profile))
+                            this.createSsoClient(profile.ssoRegion, this.getTokenProvider(id, profile)),
+                            startUrl
                         )
                     )
                         .catch(err => {
                             getLogger().warn(`auth: failed to load linked profiles from "${id}": %s`, err)
                         })
                         .filter(isNonNullable)
                         .map(entry => this.getConnectionFromStoreEntry(entry))
-                )
+                })
 
             yield* linked.reduce(join, stream)
         }
@@ -748,8 +750,12 @@ export class Auth implements AuthService, ConnectionManager {
         return (this.#instance ??= new Auth(new ProfileStore(memento)))
     }
 
+    private truncateStartUrl(startUrl: string) {
+        return startUrl.match(/https?:\/\/(.*)\.awsapps\.com\/start/)?.[1] ?? startUrl
+    }
+
     private getSsoProfileLabel(profile: SsoProfile) {
-        const truncatedUrl = profile.startUrl.match(/https?:\/\/(.*)\.awsapps\.com\/start/)?.[1] ?? profile.startUrl
+        const truncatedUrl = this.truncateStartUrl(profile.startUrl)
 
         return profile.startUrl === builderIdStartUrl
             ? localizedText.builderId()

src/auth/auth.ts

@@ -9,6 +9,7 @@ import { builderIdStartUrl, SsoToken } from './sso/model'
 import { SsoClient } from './sso/clients'
 import { CredentialsProviderManager } from './providers/credentialsProviderManager'
 import { fromString } from './providers/credentials'
+import { getLogger } from '../shared/logger/logger'
 
 export const ssoScope = 'sso:account:access'
 export const codecatalystScopes = ['codecatalyst:read_write']
@@ -247,18 +248,27 @@ export async function loadIamProfilesIntoStore(store: ProfileStore, manager: Cre
     }
 }
 
+/**
+ * Fetches profiles from the given SSO ("IAM Identity Center", "IdC") connection.
+ */
 export async function* loadLinkedProfilesIntoStore(
     store: ProfileStore,
     source: SsoConnection['id'],
-    client: SsoClient
+    client: SsoClient,
+    profileLabel: string
 ) {
+    const accounts = new Set<string>()
+    const found = new Set<Connection['id']>()
+
     const stream = client
         .listAccounts()
         .flatten()
-        .map(resp => client.listAccountRoles({ accountId: resp.accountId }).flatten())
+        .map(resp => {
+            accounts.add(resp.accountId)
+            return client.listAccountRoles({ accountId: resp.accountId }).flatten()
+        })
         .flatten()
 
-    const found = new Set<Connection['id']>()
     for await (const info of stream) {
         const name = `${info.roleName}-${info.accountId}`
         const id = `sso:${source}#${name}`
@@ -280,6 +290,20 @@ export async function* loadLinkedProfilesIntoStore(
         yield [id, profile] as const
     }
 
+    if (accounts.size === 0) {
+        // Possible causes:
+        // - SSO org has no "Permission sets"
+        // - user is not an "Assigned user" in any account in the SSO org
+        // - user is an "Assigned user" but no "Permission sets"
+        getLogger().warn('auth: SSO org (%s) returned no accounts', profileLabel)
+    } else if (found.size === 0) {
+        getLogger().warn(
+            'auth: SSO org (%s) returned no IAM credentials for account: %s',
+            profileLabel,
+            Array.from(accounts).join()
+        )
+    }
+
     // Clean-up stale references in case the user no longer has access
     for (const [id, profile] of store.listProfiles()) {
         if (profile.type === 'iam' && profile.subtype === 'linked' && profile.ssoSession === source && !found.has(id)) {

src/auth/connection.ts

@@ -12,7 +12,6 @@ import { hasProps, selectFrom } from '../../shared/utilities/tsUtils'
 import { SsoToken, ClientRegistration } from './model'
 import { SystemUtilities } from '../../shared/systemUtilities'
 import { DevSettings } from '../../shared/settings'
-import { statSync, Stats, readdirSync, unlinkSync } from 'fs'
 
 interface RegistrationKey {
     readonly region: string
@@ -34,46 +33,13 @@ export interface SsoCache {
 const defaultCacheDir = path.join(SystemUtilities.getHomeDirectory(), '.aws', 'sso', 'cache')
 export const getCacheDir = () => DevSettings.instance.get('ssoCacheDirectory', defaultCacheDir)
 
-export function getCache(directory = getCacheDir(), statFunc = getFileStats): SsoCache {
-    try {
-        deleteOldFiles(directory, statFunc)
-    } catch (e) {
-        getLogger().warn('auth: error deleting old files in sso cache: %s', e)
-    }
-
+export function getCache(directory = getCacheDir()): SsoCache {
     return {
         token: getTokenCache(directory),
         registration: getRegistrationCache(directory),
     }
 }
 
-function deleteOldFiles(directory: string, statFunc: typeof getFileStats) {
-    if (!isDirSafeToDeleteFrom(directory)) {
-        getLogger().warn(`Skipped deleting files in directory: ${path.resolve(directory)}`)
-        return
-    }
-
-    const fileNames = readdirSync(directory)
-    fileNames.forEach(fileName => {
-        const filePath = path.join(directory, fileName)
-        if (path.extname(filePath) === '.json' && isOldFile(filePath, statFunc)) {
-            unlinkSync(filePath)
-            getLogger().warn(`auth: removed old cache file: ${filePath}`)
-        }
-    })
-}
-
-export function isDirSafeToDeleteFrom(dirPath: string): boolean {
-    const resolvedPath = path.resolve(dirPath)
-    const isRoot = resolvedPath === path.resolve('/')
-    const isCwd = resolvedPath === path.resolve('.')
-    const isAbsolute = path.isAbsolute(dirPath)
-    const pathDepth = resolvedPath.split(path.sep).length
-
-    const isSafe = !isRoot && !isCwd && isAbsolute && pathDepth >= 5
-    return isSafe
-}
-
 export function getRegistrationCache(directory = getCacheDir()): KeyedCache<ClientRegistration, RegistrationKey> {
     // Compatability for older Toolkit versions (format on disk is unchanged)
     type StoredRegistration = Omit<ClientRegistration, 'expiresAt'> & { readonly expiresAt: string }
@@ -144,30 +110,7 @@ export function getTokenCache(directory = getCacheDir()): KeyedCache<SsoAccess>
     return mapCache(cache, read, write)
 }
 
-function getFileStats(file: string): Stats {
-    return statSync(file)
-}
-
-const firstValidDate = new Date(2023, 3, 14) // April 14, 2023
-
-/**
- * @returns true if file is older than the first valid date
- */
-function isOldFile(file: string, statFunc: typeof getFileStats): boolean {
-    try {
-        const statResult = statFunc(file)
-        // Depending on the Windows filesystem, birthtime may be 0, so we fall back to ctime (last time metadata was changed)
-        // https://nodejs.org/api/fs.html#stat-time-values
-        return statResult.birthtimeMs !== 0
-            ? statResult.birthtimeMs < firstValidDate.getTime()
-            : statResult.ctime < firstValidDate
-    } catch (err) {
-        getLogger().debug(`SSO cache file age not be verified: ${file}: ${err}`)
-        return false // Assume it is no old since we cannot validate
-    }
-}
-
-export function getTokenCacheFile(ssoCacheDir: string, ssoUrl: string): string {
+function getTokenCacheFile(ssoCacheDir: string, ssoUrl: string): string {
     const encoded = encodeURI(ssoUrl)
     // Per the spec: 'SSO Login Token Flow' the access token must be
     // cached as the SHA1 hash of the bytes of the UTF-8 encoded
@@ -183,7 +126,7 @@ export function getTokenCacheFile(ssoCacheDir: string, ssoUrl: string): string {
     return path.join(ssoCacheDir, `${hashedUrl}.json`)
 }
 
-export function getRegistrationCacheFile(ssoCacheDir: string, key: RegistrationKey): string {
+function getRegistrationCacheFile(ssoCacheDir: string, key: RegistrationKey): string {
     const hashScopes = (scopes: string[]) => {
         const shasum = crypto.createHash('sha256')
         scopes.forEach(s => shasum.update(s))

src/auth/sso/cache.ts

@@ -12,15 +12,14 @@ import { copyToClipboard } from '../../shared/utilities/messages'
 
 export async function copyLogResource(uri?: vscode.Uri): Promise<void> {
     try {
-
         if (!uri) {
             // No URI = used command palette as entrypoint, attempt to get URI from active editor
             // should work correctly under any normal circumstances since the action only appears in command palette when the editor is a CloudWatch Logs editor
             uri = vscode.window.activeTextEditor?.document.uri
             if (!uri) {
-                throw new Error("no active text editor, or undefined URI")
+                throw new Error('no active text editor, or undefined URI')
             }
-        } 
+        }
         const parsedUri = parseCloudWatchLogsUri(uri)
         const resourceName = isLogStreamUri(uri) ? parsedUri.logGroupInfo.streamName : parsedUri.logGroupInfo.groupName