auth: Helper methods to check if connection exists (#3747)

* auth: funcs to indicate if the connection exists

Signed-off-by: Nikolas Komonen <[email protected]>

* codewhisperer: method that indicates if valid connection exists

For the add connection telemetry we want to know if a CW auth'
connection already exists, not necessarily the currently active
one.

This adds 2 methods that return true if the valid CW connection
exists and is known by the toolkit.

Signed-off-by: Nikolas Komonen <[email protected]>

* refactor: create isSsoConnection() alternatives

A sso connection contains different types of sso connections,
such as Builder ID or AWS Identity Center (Base).

This commit creates functions to enable a user to check
with specificity of if a connection is of a specific type
of sso connection.

Additionally, it updates existing uses to the appropriate
implementation.

Signed-off-by: Nikolas Komonen <[email protected]>

* codecatalyst: function if toolkit is aware of valid builder id

Signed-off-by: Nikolas Komonen <[email protected]>

* refactor: fix circular dep issue

Moves isValidCodeCatalystConnection() to the
auth/connections.ts module and it fixes the circular dep

Signed-off-by: Nikolas Komonen <[email protected]>

* refactor: rename 'base' sso to 'idc' sso

This naming is easier to understand even though
the term Identity Center (idc) is purely a brand
name and subject to change in the future.

Signed-off-by: nkomonen <[email protected]>

---------

Signed-off-by: Nikolas Komonen <[email protected]>
Signed-off-by: nkomonen <[email protected]>

Author: nkomonen-amazon

src/auth/connection.ts

@@ -23,10 +23,36 @@ export const ssoAccountAccessScopes = ['sso:account:access']
 export const codewhispererScopes = ['codewhisperer:completions', 'codewhisperer:analysis']
 export const defaultSsoRegion = 'us-east-1'
 
+type SsoType =
+    | 'any' // any type of sso
+    | 'idc' // AWS Identity Center
+    | 'builderId'
+
 export const isIamConnection = (conn?: Connection): conn is IamConnection => conn?.type === 'iam'
-export const isSsoConnection = (conn?: Connection): conn is SsoConnection => conn?.type === 'sso'
-export const isBuilderIdConnection = (conn?: Connection): conn is SsoConnection =>
-    isSsoConnection(conn) && conn.startUrl === builderIdStartUrl
+export const isSsoConnection = (conn?: Connection, type: SsoType = 'any'): conn is SsoConnection => {
+    if (conn?.type !== 'sso') {
+        return false
+    }
+    // At this point the conn is an SSO conn, but now we must determine the specific type
+    switch (type) {
+        case 'idc':
+            // An Identity Center SSO connection is the Base/Root and doesn't
+            // have any unique identifiers, so we must eliminate the other SSO
+            // types to determine if this is Identity Center.
+            // This condition should grow as more SsoType's get added.
+            return !isBuilderIdConnection(conn)
+        case 'builderId':
+            return conn.startUrl === builderIdStartUrl
+        case 'any':
+            return true
+    }
+}
+export const isAnySsoConnection = (conn?: Connection): conn is SsoConnection => isSsoConnection(conn, 'any')
+export const isIdcSsoConnection = (conn?: Connection): conn is SsoConnection => isSsoConnection(conn, 'idc')
+export const isBuilderIdConnection = (conn?: Connection): conn is SsoConnection => isSsoConnection(conn, 'builderId')
+
+export const isValidCodeCatalystConnection = (conn: Connection): conn is SsoConnection =>
+    isBuilderIdConnection(conn) && hasScopes(conn, codecatalystScopes)
 
 export function hasScopes(target: SsoConnection | SsoProfile, scopes: string[]): boolean {
     return scopes?.every(s => target.scopes?.includes(s))

src/auth/sso/validation.ts

@@ -5,7 +5,7 @@
 import * as vscode from 'vscode'
 import { UnknownError } from '../../shared/errors'
 import { AuthType } from '../auth'
-import { isSsoConnection, SsoConnection, hasScopes } from '../connection'
+import { SsoConnection, hasScopes, isAnySsoConnection } from '../connection'
 
 export function validateSsoUrl(auth: AuthType, url: string, requiredScopes?: string[]) {
     const urlFormatError = validateSsoUrlFormat(url)
@@ -28,7 +28,7 @@ export async function validateIsNewSsoUrlAsync(
     requiredScopes?: string[]
 ): Promise<string | undefined> {
     return auth.listConnections().then(conns => {
-        return validateIsNewSsoUrl(url, requiredScopes, conns.filter(isSsoConnection))
+        return validateIsNewSsoUrl(url, requiredScopes, conns.filter(isAnySsoConnection))
     })
 }
 

src/auth/utils.ts

@@ -32,18 +32,23 @@ import { SectionName, StaticProfile } from './credentials/types'
 import { throwOnInvalidCredentials } from './credentials/validation'
 import {
     Connection,
+    SsoConnection,
     createBuilderIdProfile,
     createSsoProfile,
     defaultSsoRegion,
+    isAnySsoConnection,
+    isIdcSsoConnection,
     isBuilderIdConnection,
-    isSsoConnection,
+    isIamConnection,
+    isValidCodeCatalystConnection,
 } from './connection'
 import { Commands } from '../shared/vscode/commands2'
 import { Auth } from './auth'
 import { validateIsNewSsoUrl, validateSsoUrlFormat } from './sso/validation'
 import { openUrl } from '../shared/utilities/vsCodeUtils'
 import { AuthSource } from './ui/vue/show'
 import { getLogger } from '../shared/logger'
+import { isValidCodeWhispererConnection } from '../codewhisperer/util/authUtil'
 
 // TODO: Look to do some refactoring to handle circular dependency later and move this to ./commands.ts
 export const showConnectionsPageCommand = 'aws.auth.manageConnections'
@@ -144,7 +149,7 @@ export const createIamItem = () =>
     } as DataQuickPickItem<'iam'>)
 
 export async function createStartUrlPrompter(title: string, requiredScopes?: string[]) {
-    const existingConnections = (await Auth.instance.listConnections()).filter(isSsoConnection)
+    const existingConnections = (await Auth.instance.listConnections()).filter(isAnySsoConnection)
 
     function validateSsoUrl(url: string) {
         const urlFormatError = validateSsoUrlFormat(url)
@@ -558,6 +563,81 @@ export class AuthNode implements TreeNode<Auth> {
     }
 }
 
+export async function hasIamCredentials(
+    allConnections = () => Auth.instance.listAndTraverseConnections().promise()
+): Promise<boolean> {
+    return (await allConnections()).some(isIamConnection)
+}
+
+export type SsoKind = 'any' | 'codewhisperer'
+
+/**
+ * Returns true if an Identity Center SSO connection exists.
+ *
+ * @param kind A specific kind of Identity Center SSO connection that must exist.
+ * @param allConnections func to get all connections that exist
+ */
+export async function hasSso(
+    kind: SsoKind = 'any',
+    allConnections = () => Auth.instance.listConnections()
+): Promise<boolean> {
+    return (await findSsoConnections(kind, allConnections)).length > 0
+}
+
+async function findSsoConnections(
+    kind: SsoKind = 'any',
+    allConnections = () => Auth.instance.listConnections()
+): Promise<SsoConnection[]> {
+    let predicate: (c?: Connection) => boolean
+    switch (kind) {
+        case 'codewhisperer':
+            predicate = (conn?: Connection) => {
+                return isIdcSsoConnection(conn) && isValidCodeWhispererConnection(conn)
+            }
+            break
+        case 'any':
+            predicate = isIdcSsoConnection
+    }
+    return (await allConnections()).filter(predicate).filter(isIdcSsoConnection)
+}
+
+export type BuilderIdKind = 'any' | 'codewhisperer' | 'codecatalyst'
+
+/**
+ * Returns true if a Builder ID connection exists.
+ *
+ * @param kind A Builder ID connection that has the scopes of this kind.
+ * @param allConnections func to get all connections that exist
+ */
+export async function hasBuilderId(
+    kind: BuilderIdKind = 'any',
+    allConnections = () => Auth.instance.listConnections()
+): Promise<boolean> {
+    return (await findBuilderIdConnections(kind, allConnections)).length > 0
+}
+
+async function findBuilderIdConnections(
+    kind: BuilderIdKind = 'any',
+    allConnections = () => Auth.instance.listConnections()
+): Promise<SsoConnection[]> {
+    let predicate: (c?: Connection) => boolean
+    switch (kind) {
+        case 'codewhisperer':
+            predicate = (conn?: Connection) => {
+                return isBuilderIdConnection(conn) && isValidCodeWhispererConnection(conn)
+            }
+            break
+        case 'codecatalyst':
+            predicate = (conn?: Connection) => {
+                return isBuilderIdConnection(conn) && isValidCodeCatalystConnection(conn)
+            }
+            break
+        case 'any':
+            predicate = isBuilderIdConnection
+    }
+    return (await allConnections()).filter(predicate).filter(isAnySsoConnection)
+}
+
 /**
  * Class to get info about the user + use of this extension
  *

src/codecatalyst/auth.ts

@@ -15,9 +15,9 @@ import {
     ssoAccountAccessScopes,
     codecatalystScopes,
     SsoConnection,
-    hasScopes,
     Connection,
     isBuilderIdConnection,
+    isValidCodeCatalystConnection,
 } from '../auth/connection'
 import { createBuilderIdConnection } from '../auth/utils'
 
@@ -39,8 +39,6 @@ export class CodeCatalystAuthStorage {
 export const onboardingUrl = vscode.Uri.parse('https://codecatalyst.aws/onboarding/view')
 
 const defaultScopes = [...ssoAccountAccessScopes, ...codecatalystScopes]
-export const isValidCodeCatalystConnection = (conn: Connection): conn is SsoConnection =>
-    isBuilderIdConnection(conn) && hasScopes(conn, codecatalystScopes)
 
 export const isUpgradeableConnection = (conn: Connection): conn is SsoConnection =>
     isBuilderIdConnection(conn) && !isValidCodeCatalystConnection(conn)

src/codewhisperer/util/authUtil.ts

@@ -27,7 +27,7 @@ import { getLogger } from '../../shared/logger'
 export const defaultCwScopes = [...ssoAccountAccessScopes, ...codewhispererScopes]
 export const awsBuilderIdSsoProfile = createBuilderIdProfile(defaultCwScopes)
 
-export const isValidCodeWhispererConnection = (conn: Connection): conn is Connection => {
+export const isValidCodeWhispererConnection = (conn?: Connection): conn is Connection => {
     if (isCloud9('classic')) {
         return isIamConnection(conn)
     }

src/test/codewhisperer/util/authUtil.test.ts

@@ -9,7 +9,7 @@ import { getTestWindow } from '../../shared/vscode/window'
 import { SeverityLevel } from '../../shared/vscode/message'
 import { createBuilderIdProfile, createSsoProfile, createTestAuth } from '../../credentials/testUtil'
 import { captureEventOnce } from '../../testUtil'
-import { codewhispererScopes, isSsoConnection } from '../../../auth/connection'
+import { codewhispererScopes, isAnySsoConnection, isBuilderIdConnection } from '../../../auth/connection'
 
 const enterpriseSsoStartUrl = 'https://enterprise.awsapps.com/start'
 
@@ -111,9 +111,9 @@ describe('AuthUtil', async function () {
         await authUtil.connectToAwsBuilderId()
         assert.ok(authUtil.isConnected())
 
-        const ssoConnectionIds = new Set(auth.activeConnectionEvents.emits.filter(isSsoConnection).map(c => c.id))
+        const ssoConnectionIds = new Set(auth.activeConnectionEvents.emits.filter(isAnySsoConnection).map(c => c.id))
         assert.strictEqual(ssoConnectionIds.size, 1, 'Expected exactly 1 unique SSO connection id')
-        assert.strictEqual((await auth.listConnections()).filter(isSsoConnection).length, 1)
+        assert.strictEqual((await auth.listConnections()).filter(isAnySsoConnection).length, 1)
     })
 
     it('automatically upgrades connections if they do not have the required scopes', async function () {
@@ -124,11 +124,11 @@ describe('AuthUtil', async function () {
         await authUtil.connectToAwsBuilderId()
         assert.ok(authUtil.isConnected())
         assert.ok(authUtil.isConnectionValid())
-        assert.ok(isSsoConnection(authUtil.conn))
+        assert.ok(isBuilderIdConnection(authUtil.conn))
         assert.strictEqual(authUtil.conn?.id, upgradeableConn.id)
         assert.strictEqual(authUtil.conn.startUrl, upgradeableConn.startUrl)
         assert.strictEqual(authUtil.conn.ssoRegion, upgradeableConn.ssoRegion)
-        assert.strictEqual((await auth.listConnections()).filter(isSsoConnection).length, 1)
+        assert.strictEqual((await auth.listConnections()).filter(isAnySsoConnection).length, 1)
     })
 
     it('test reformatStartUrl should remove trailing slash and hash', function () {

src/test/credentials/testUtil.ts

@@ -17,7 +17,20 @@ import globals from '../../shared/extensionGlobals'
 import { fromString } from '../../auth/providers/credentials'
 import { mergeAndValidateSections, parseIni } from '../../auth/credentials/sharedCredentials'
 import { SharedCredentialsProvider } from '../../auth/providers/sharedCredentialsProvider'
-import { Connection, ProfileStore, SsoConnection, SsoProfile } from '../../auth/connection'
+import { Connection, IamConnection, ProfileStore, SsoConnection, SsoProfile } from '../../auth/connection'
+import * as sinon from 'sinon'
+
+/** Mock Connection objects for test usage */
+export const ssoConnection: SsoConnection = {
+    type: 'sso',
+    id: '0',
+    label: 'sso',
+    ssoRegion: 'us-east-1',
+    startUrl: 'https://nkomonen.awsapps.com/start',
+    getToken: sinon.stub(),
+}
+export const builderIdConnection: SsoConnection = { ...ssoConnection, startUrl: builderIdStartUrl, label: 'builderId' }
+export const iamConnection: IamConnection = { type: 'iam', id: '0', label: 'iam', getCredentials: sinon.stub() }
 
 export function createSsoProfile(props?: Partial<Omit<SsoProfile, 'type'>>): SsoProfile {
     return {

src/test/credentials/utils.test.ts

@@ -5,7 +5,9 @@
 import * as vscode from 'vscode'
 import assert from 'assert'
 import { FakeExtensionContext } from '../fakeExtensionContext'
-import { ExtensionUse } from '../../auth/utils'
+import { BuilderIdKind, ExtensionUse, SsoKind, hasBuilderId, hasIamCredentials, hasSso } from '../../auth/utils'
+import { Connection, SsoConnection, codecatalystScopes, codewhispererScopes } from '../../auth/connection'
+import { builderIdConnection, iamConnection, ssoConnection } from './testUtil'
 
 describe('ExtensionUse.isFirstUse()', function () {
     let fakeState: vscode.Memento
@@ -62,3 +64,104 @@ describe('ExtensionUse.isFirstUse()', function () {
         return new ExtensionUse()
     }
 })
+
+type SsoTestCase = { kind: SsoKind; connections: Connection[]; expected: boolean }
+type BuilderIdTestCase = { kind: BuilderIdKind; connections: Connection[]; expected: boolean }
+
+describe('connection exists funcs', function () {
+    const cwIdcConnection: SsoConnection = { ...ssoConnection, scopes: codewhispererScopes, label: 'codeWhispererSso' }
+    const cwBuilderIdConnection: SsoConnection = {
+        ...builderIdConnection,
+        scopes: codewhispererScopes,
+        label: 'codeWhispererBuilderId',
+    }
+    const ccBuilderIdConnection: SsoConnection = {
+        ...builderIdConnection,
+        scopes: codecatalystScopes,
+        label: 'codeCatalystBuilderId',
+    }
+    const ssoConnections: Connection[] = [
+        ssoConnection,
+        builderIdConnection,
+        cwIdcConnection,
+        cwBuilderIdConnection,
+        ccBuilderIdConnection,
+    ]
+    const allConnections = [iamConnection, ...ssoConnections]
+
+    describe('ssoExists()', function () {
+        const anyCases: SsoTestCase[] = [
+            { connections: [ssoConnection], expected: true },
+            { connections: allConnections, expected: true },
+            { connections: [], expected: false },
+            { connections: [iamConnection], expected: false },
+        ].map(c => {
+            return { ...c, kind: 'any' }
+        })
+        const cwIdcCases: SsoTestCase[] = [
+            { connections: [cwIdcConnection], expected: true },
+            { connections: allConnections, expected: true },
+            { connections: [], expected: false },
+            { connections: allConnections.filter(c => c !== cwIdcConnection), expected: false },
+        ].map(c => {
+            return { ...c, kind: 'codewhisperer' }
+        })
+        const allCases = [...anyCases, ...cwIdcCases]
+
+        allCases.forEach(args => {
+            it(`ssoExists() returns '${args.expected}' when kind '${args.kind}' given [${args.connections
+                .map(c => c.label)
+                .join(', ')}]`, async function () {
+                assert.strictEqual(await hasSso(args.kind, async () => args.connections), args.expected)
+            })
+        })
+    })
+
+    describe('builderIdExists()', function () {
+        const cwBuilderIdCases: BuilderIdTestCase[] = [
+            { connections: [cwBuilderIdConnection], expected: true },
+            { connections: allConnections, expected: true },
+            { connections: [], expected: false },
+            { connections: allConnections.filter(c => c !== cwBuilderIdConnection), expected: false },
+        ].map(c => {
+            return { ...c, kind: 'codewhisperer' }
+        })
+
+        const ccBuilderIdCases: BuilderIdTestCase[] = [
+            {connections: [ccBuilderIdConnection], expected: true},
+            {connections: allConnections, expected: true},
+            {connections: [], expected: false},
+            {connections: allConnections.filter(c => c !== ccBuilderIdConnection), expected: false},
+        ].map(c => { return {...c, kind: 'codecatalyst'}})
+
+        const allCases = [...cwBuilderIdCases, ...ccBuilderIdCases]
+
+        allCases.forEach(args => {
+            it(`builderIdExists() returns '${args.expected}' when kind '${args.kind}' given [${args.connections
+                .map(c => c.label)
+                .join(', ')}]`, async function () {
+                assert.strictEqual(await hasBuilderId(args.kind, async () => args.connections), args.expected)
+            })
+        })
+    })
+
+    describe('credentialExists()', function () {
+        const cases: [Connection[], boolean][] = [
+            [[iamConnection], true],
+            [allConnections, true],
+            [[], false],
+            [allConnections.filter(c => c !== iamConnection), false],
+        ]
+
+        cases.forEach(args => {
+            it(`credentialExists() returns '${args[1]}' given [${args[0]
+                .map(c => c.label)
+                .join(', ')}]`, async function () {
+                const connections = args[0]
+                const expected = args[1]
+    
+                assert.strictEqual(await hasIamCredentials(async () => connections), expected)
+            })
+        })
+    })
+})

src/testE2E/codecatalyst/client.test.ts

@@ -14,7 +14,7 @@ import {
 } from '../../shared/clients/codecatalystClient'
 import { getThisDevEnv, prepareDevEnvConnection } from '../../codecatalyst/model'
 import { Auth } from '../../auth/auth'
-import { CodeCatalystAuthenticationProvider, isValidCodeCatalystConnection } from '../../codecatalyst/auth'
+import { CodeCatalystAuthenticationProvider } from '../../codecatalyst/auth'
 import { CodeCatalystCommands, DevEnvironmentSettings } from '../../codecatalyst/commands'
 import globals from '../../shared/extensionGlobals'
 import { CodeCatalystCreateWebview, SourceResponse } from '../../codecatalyst/vue/create/backend'
@@ -30,7 +30,12 @@ import { toStream } from '../../shared/utilities/collectionUtils'
 import { toCollection } from '../../shared/utilities/asyncCollection'
 import { getLogger } from '../../shared/logger'
 import { isAwsError } from '../../shared/errors'
-import { codecatalystScopes, createBuilderIdProfile, SsoConnection } from '../../auth/connection'
+import {
+    codecatalystScopes,
+    createBuilderIdProfile,
+    isValidCodeCatalystConnection,
+    SsoConnection,
+} from '../../auth/connection'
 
 let spaceName: CodeCatalystOrg['name']
 let projectName: CodeCatalystProject['name']