feat(auth): improve messaging for file system permissions issues (#3358)

## Problem
Several users have reported problems related to permissions. This is probably because we use the user's home directory rather than a directory provided by VSC.

## Solution
Show more info regarding permissions issues when they occur

Author: JadenSimon

.changes/next-release/Feature-e72f5dc7-cedf-4aa5-ad60-28328ffaa0b3.json

@@ -0,0 +1,4 @@
+{
+	"type": "Feature",
+	"description": "Improved error messages for file system permissions issues"
+}

buildspec/linuxTests.yml

@@ -2,7 +2,6 @@ version: 0.2
 
 env:
     variables:
-        AWS_TOOLKIT_TEST_USER_DIR: '/tmp/'
         AWS_TOOLKIT_TEST_NO_COLOR: '1'
 
 phases:
@@ -32,9 +31,9 @@ phases:
 
     build:
         commands:
-            - npm run testCompile
-            - npm run lint
-            - xvfb-run npm test --silent
+            - mkdir -p /home/codebuild-user
+            - chown -R codebuild-user:codebuild-user /tmp /home/codebuild-user .
+            - su codebuild-user -c "xvfb-run npm test --silent"
             - VCS_COMMIT_ID="${CODEBUILD_RESOLVED_SOURCE_VERSION}"
             - CI_BUILD_URL=$(echo $CODEBUILD_BUILD_URL | sed 's/#/%23/g') # Encode `#` in the URL because otherwise the url is clipped in the Codecov.io site
             - CI_BUILD_ID="${CODEBUILD_BUILD_ID}"

src/codecatalyst/tools.ts

@@ -253,8 +253,9 @@ async function verifySSHHost({
 
         const sshConfigPath = getSshConfigPath()
         try {
-            await fs.mkdirp(path.dirname(sshConfigPath))
-            await fs.appendFile(sshConfigPath, section)
+            await fs.ensureDir(path.dirname(path.dirname(sshConfigPath)), { mode: 0o755 })
+            await fs.mkdir(path.dirname(sshConfigPath), 0o700)
+            await fs.appendFile(sshConfigPath, section, { mode: 0o600 })
         } catch (e) {
             const message = localize(
                 'AWS.codecatalyst.error.writeFail',

src/credentials/activation.ts

@@ -5,7 +5,6 @@
 
 import * as vscode from 'vscode'
 import { AwsContext } from '../shared/awsContext'
-import { Settings } from '../shared/settings'
 import { Auth } from './auth'
 import { LoginManager } from './loginManager'
 import { fromString } from './providers/credentials'
@@ -15,7 +14,6 @@ import { registerCommandsWithVSCode } from '../shared/vscode/commands2'
 export async function initialize(
     extensionContext: vscode.ExtensionContext,
     awsContext: AwsContext,
-    settings: Settings,
     loginManager: LoginManager
 ): Promise<void> {
     Auth.instance.onDidChangeActiveConnection(conn => {

src/credentials/sso/cache.ts

@@ -4,13 +4,14 @@
  */
 
 import * as crypto from 'crypto'
-import { homedir } from 'os'
-import { join } from 'path'
+import * as path from 'path'
 import { getLogger } from '../../shared/logger/logger'
 import { createDiskCache, KeyedCache, mapCache } from '../../shared/utilities/cacheUtils'
 import { stripUndefined } from '../../shared/utilities/collectionUtils'
 import { hasProps, selectFrom } from '../../shared/utilities/tsUtils'
 import { SsoToken, ClientRegistration } from './model'
+import { SystemUtilities } from '../../shared/systemUtilities'
+import { DevSettings } from '../../shared/settings'
 
 interface RegistrationKey {
     readonly region: string
@@ -29,16 +30,17 @@ export interface SsoCache {
     readonly registration: KeyedCache<ClientRegistration, RegistrationKey>
 }
 
-const cacheDir = join(homedir(), '.aws', 'sso', 'cache')
+const defaultCacheDir = path.join(SystemUtilities.getHomeDirectory(), '.aws', 'sso', 'cache')
+export const getCacheDir = () => DevSettings.instance.get('ssoCacheDirectory', defaultCacheDir)
 
-export function getCache(directory = cacheDir): SsoCache {
+export function getCache(directory = getCacheDir()): SsoCache {
     return {
         token: getTokenCache(directory),
         registration: getRegistrationCache(directory),
     }
 }
 
-export function getRegistrationCache(directory = cacheDir): KeyedCache<ClientRegistration, RegistrationKey> {
+export function getRegistrationCache(directory = getCacheDir()): KeyedCache<ClientRegistration, RegistrationKey> {
     const hashScopes = (scopes: string[]) => {
         const shasum = crypto.createHash('sha256')
         scopes.forEach(s => shasum.update(s))
@@ -47,7 +49,7 @@ export function getRegistrationCache(directory = cacheDir): KeyedCache<ClientReg
 
     const getTarget = (key: RegistrationKey) => {
         const suffix = `${key.region}${key.scopes && key.scopes.length > 0 ? `-${hashScopes(key.scopes)}` : ''}`
-        return join(directory, `aws-toolkit-vscode-client-id-${suffix}.json`)
+        return path.join(directory, `aws-toolkit-vscode-client-id-${suffix}.json`)
     }
 
     // Compatability for older Toolkit versions (format on disk is unchanged)
@@ -61,7 +63,7 @@ export function getRegistrationCache(directory = cacheDir): KeyedCache<ClientReg
     return mapCache(cache, read, write)
 }
 
-export function getTokenCache(directory = cacheDir): KeyedCache<SsoAccess> {
+export function getTokenCache(directory = getCacheDir()): KeyedCache<SsoAccess> {
     // Older specs do not store the registration
     type MaybeRegistration = Partial<Omit<ClientRegistration, 'expiresAt'> & { readonly registrationExpiresAt: string }>
 
@@ -123,7 +125,7 @@ export function getTokenCache(directory = cacheDir): KeyedCache<SsoAccess> {
         shasum.update(encoded) // lgtm[js/weak-cryptographic-algorithm]
         const hashedUrl = shasum.digest('hex') // lgtm[js/weak-cryptographic-algorithm]
 
-        return join(directory, `${hashedUrl}.json`)
+        return path.join(directory, `${hashedUrl}.json`)
     }
 
     const logger = (message: string) => getLogger().debug(`SSO token cache: ${message}`)

src/dev/beta.ts

@@ -87,7 +87,7 @@ async function checkBetaUrl(vsixUrl: string): Promise<void> {
         try {
             await promptInstallToolkit(betaPath, latestBetaInfo.version, vsixUrl)
         } finally {
-            await SystemUtilities.remove(tmpFolder)
+            await SystemUtilities.delete(tmpFolder, { recursive: true })
         }
     } else {
         await updateBetaToolkitData(vsixUrl, {

src/extension.ts

@@ -124,7 +124,7 @@ export async function activate(context: vscode.ExtensionContext) {
         const settings = Settings.instance
         const experiments = Experiments.instance
 
-        await initializeCredentials(context, awsContext, settings, loginManager)
+        await initializeCredentials(context, awsContext, loginManager)
         await activateTelemetry(context, awsContext, settings)
 
         experiments.onDidChange(({ key }) => {

src/integrationTest/globalSetup.test.ts

@@ -26,6 +26,11 @@ export async function mochaGlobalSetup(this: Mocha.Runner) {
     this.on('hook', hook => setRunnableTimeout(hook, maxTestDuration))
     this.on('test', test => setRunnableTimeout(test, maxTestDuration))
 
+    // Mocha won't show the full error chain
+    this.on('fail', (test, err) => {
+        getLogger().error(`test "${test.title}" failed: %s`, err)
+    })
+
     // Set up a listener for proxying login requests
     patchWindow()
 

src/shared/errors.ts

@@ -3,13 +3,15 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { Uri } from 'vscode'
+import * as vscode from 'vscode'
 import { AWSError } from 'aws-sdk'
 import { ServiceException } from '@aws-sdk/smithy-client'
 import { isThrottlingError, isTransientError } from '@aws-sdk/service-error-classification'
 import { Result } from './telemetry/telemetry'
 import { CancellationError } from './utilities/timeoutUtils'
-import { isNonNullable } from './utilities/tsUtils'
+import { hasKey, isNonNullable } from './utilities/tsUtils'
+import type * as fs from 'fs'
+import type * as os from 'os'
 
 export const errorCode = {
     invalidConnection: 'InvalidConnection',
@@ -81,7 +83,7 @@ export interface ErrorInformation {
      *
      * TODO: implement this
      */
-    readonly documentationUri?: Uri
+    readonly documentationUri?: vscode.Uri
 }
 
 /**
@@ -397,3 +399,90 @@ export function getRequestId(error: unknown): string | undefined {
         return error.$metadata.requestId
     }
 }
+
+export function isFileNotFoundError(err: unknown): boolean {
+    if (err instanceof vscode.FileSystemError) {
+        return err.code === vscode.FileSystemError.FileNotFound().code
+    } else if (isNonNullable(err) && typeof err === 'object' && hasKey(err, 'code')) {
+        return err.code === 'ENOENT'
+    }
+
+    return false
+}
+
+export function isNoPermissionsError(err: unknown): boolean {
+    if (err instanceof vscode.FileSystemError) {
+        return (
+            err.code === vscode.FileSystemError.NoPermissions().code ||
+            // The code _should_ be `NoPermissions`, maybe this is a bug?
+            (err.code === 'Unknown' && err.message.includes('EACCES: permission denied'))
+        )
+    } else if (isNonNullable(err) && typeof err === 'object' && hasKey(err, 'code')) {
+        return err.code === 'EACCES'
+    }
+
+    return false
+}
+
+const modeToString = (mode: number) =>
+    Array.from('rwxrwxrwx')
+        .map((c, i, a) => ((mode >> (a.length - (i + 1))) & 1 ? c : '-'))
+        .join('')
+
+function getEffectivePerms(uid: number, gid: number, stats: fs.Stats) {
+    const mode = stats.mode
+    const isOwner = uid === stats.uid
+    const isGroup = gid === stats.gid && !isOwner
+
+    // Many unix systems support multiple groups but we only know the primary
+    // The user can still have group permissions despite not having the same `gid`
+    // These situations are ambiguous, so the effective permissions are the
+    // intersection of the two bitfields
+    if (!isOwner && !isGroup) {
+        return {
+            isAmbiguous: true,
+            effective: mode & 0o007 & ((mode & 0o070) >> 3),
+        }
+    }
+
+    const ownerMask = isOwner ? 0o700 : 0
+    const groupMask = isGroup ? 0o070 : 0
+
+    return {
+        isAmbiguous: false,
+        effective: ((mode & groupMask) >> 3) | ((mode & ownerMask) >> 6),
+    }
+}
+
+// The wildcard (`*`) symbol is non-standard. It's used to represent "don't cares" and takes
+// on the actual flag once known.
+export type PermissionsTriplet = `${'r' | '-' | '*'}${'w' | '-' | '*'}${'x' | '-' | '*'}`
+export class PermissionsError extends ToolkitError {
+    public readonly actual: string // This is a resolved triplet, _not_ the full bits
+
+    public constructor(
+        public readonly uri: vscode.Uri,
+        public readonly stats: fs.Stats,
+        public readonly userInfo: os.UserInfo<string>,
+        public readonly expected: PermissionsTriplet
+    ) {
+        const mode = `${stats.isDirectory() ? 'd' : '-'}${modeToString(stats.mode)}`
+        const owner = stats.uid === userInfo.uid ? userInfo.username : stats.uid
+        const { effective, isAmbiguous } = getEffectivePerms(userInfo.uid, userInfo.gid, stats)
+        const actual = modeToString(effective).slice(-3)
+        const resolvedExpected = Array.from(expected)
+            .map((c, i) => (c === '*' ? actual[i] : c))
+            .join('')
+        const actualText = !isAmbiguous ? actual : `${mode.slice(-6, -3)} & ${mode.slice(-3)} (ambiguous)`
+
+        super(`${uri.fsPath} has incorrect permissions. Expected ${resolvedExpected}, found ${actualText}.`, {
+            code: 'InvalidPermissions',
+            details: {
+                isOwner: stats.uid === -1 ? 'unknown' : userInfo.uid == stats.uid,
+                mode: `${mode}${stats.uid === -1 ? '' : ` ${owner}`}${stats.gid === -1 ? '' : ` ${stats.gid}`}`,
+            },
+        })
+
+        this.actual = actual
+    }
+}

src/shared/settings.ts

@@ -588,6 +588,7 @@ const devSettings = {
     renderDebugDetails: Boolean,
     endpoints: Record(String, String),
     cawsStage: String,
+    ssoCacheDirectory: String,
 }
 type ResolvedDevSettings = FromDescriptor<typeof devSettings>
 type AwsDevSetting = keyof ResolvedDevSettings