fix(auth): invalid sso tokens being loaded

Problem:

At a certain point in time sso tokens were became invalid.
We stored those tokens in cache and eventually they will
throw errors to the user when the are attempted to be
refreshed.

Solution:

When the cache is being setup delete any invalid files.
Invalid files are files that were created before
a certain date.

Signed-off-by: Nikolas Komonen <[email protected]>

Author: nkomonen-amazon

src/credentials/sso/cache.ts

@@ -12,6 +12,7 @@ import { hasProps, selectFrom } from '../../shared/utilities/tsUtils'
 import { SsoToken, ClientRegistration } from './model'
 import { SystemUtilities } from '../../shared/systemUtilities'
 import { DevSettings } from '../../shared/settings'
+import { statSync, Stats, readdirSync, unlinkSync } from 'fs'
 
 interface RegistrationKey {
     readonly region: string
@@ -33,13 +34,46 @@ export interface SsoCache {
 const defaultCacheDir = path.join(SystemUtilities.getHomeDirectory(), '.aws', 'sso', 'cache')
 export const getCacheDir = () => DevSettings.instance.get('ssoCacheDirectory', defaultCacheDir)
 
-export function getCache(directory = getCacheDir()): SsoCache {
+export function getCache(directory = getCacheDir(), statFunc = getFileStats): SsoCache {
+    try {
+        deleteOldFiles(directory, statFunc)
+    } catch (e) {
+        getLogger().warn('auth: error deleting old files in sso cache: %s', e)
+    }
+
     return {
         token: getTokenCache(directory),
         registration: getRegistrationCache(directory),
     }
 }
 
+function deleteOldFiles(directory: string, statFunc: typeof getFileStats) {
+    if (!isDirSafeToDeleteFrom(directory)) {
+        getLogger().warn(`Skipped deleting files in directory: ${path.resolve(directory)}`)
+        return
+    }
+
+    const fileNames = readdirSync(directory)
+    fileNames.forEach(fileName => {
+        const filePath = path.join(directory, fileName)
+        if (path.extname(filePath) === '.json' && isOldFile(filePath, statFunc)) {
+            unlinkSync(filePath)
+            getLogger().warn(`auth: removed old cache file: ${filePath}`)
+        }
+    })
+}
+
+export function isDirSafeToDeleteFrom(dirPath: string): boolean {
+    const resolvedPath = path.resolve(dirPath)
+    const isRoot = resolvedPath === path.resolve('/')
+    const isCwd = resolvedPath === path.resolve('.')
+    const isAbsolute = path.isAbsolute(dirPath)
+    const pathDepth = resolvedPath.split(path.sep).length
+
+    const isSafe = !isRoot && !isCwd && isAbsolute && pathDepth >= 5
+    return isSafe
+}
+
 export function getRegistrationCache(directory = getCacheDir()): KeyedCache<ClientRegistration, RegistrationKey> {
     // Compatability for older Toolkit versions (format on disk is unchanged)
     type StoredRegistration = Omit<ClientRegistration, 'expiresAt'> & { readonly expiresAt: string }
@@ -110,7 +144,30 @@ export function getTokenCache(directory = getCacheDir()): KeyedCache<SsoAccess>
     return mapCache(cache, read, write)
 }
 
-function getTokenCacheFile(ssoCacheDir: string, ssoUrl: string) {
+function getFileStats(file: string): Stats {
+    return statSync(file)
+}
+
+const firstValidDate = new Date(2023, 3, 14) // April 14, 2023
+
+/**
+ * @returns true if file is older than the first valid date
+ */
+function isOldFile(file: string, statFunc: typeof getFileStats): boolean {
+    try {
+        const statResult = statFunc(file)
+        // Depending on the Windows filesystem, birthtime may be 0, so we fall back to ctime (last time metadata was changed)
+        // https://nodejs.org/api/fs.html#stat-time-values
+        return statResult.birthtimeMs !== 0
+            ? statResult.birthtimeMs < firstValidDate.getTime()
+            : statResult.ctime < firstValidDate
+    } catch (err) {
+        getLogger().debug(`SSO cache file age not be verified: ${file}: ${err}`)
+        return false // Assume it is no old since we cannot validate
+    }
+}
+
+export function getTokenCacheFile(ssoCacheDir: string, ssoUrl: string): string {
     const encoded = encodeURI(ssoUrl)
     // Per the spec: 'SSO Login Token Flow' the access token must be
     // cached as the SHA1 hash of the bytes of the UTF-8 encoded
@@ -126,7 +183,7 @@ function getTokenCacheFile(ssoCacheDir: string, ssoUrl: string) {
     return path.join(ssoCacheDir, `${hashedUrl}.json`)
 }
 
-const getRegistrationCacheFile = (ssoCacheDir: string, key: RegistrationKey) => {
+export function getRegistrationCacheFile(ssoCacheDir: string, key: RegistrationKey): string {
     const hashScopes = (scopes: string[]) => {
         const shasum = crypto.createHash('sha256')
         scopes.forEach(s => shasum.update(s))

src/test/credentials/sso/ssoAccessTokenProvider.test.ts

@@ -8,7 +8,12 @@ import * as FakeTimers from '@sinonjs/fake-timers'
 import * as sinon from 'sinon'
 import { SsoAccessTokenProvider } from '../../../credentials/sso/ssoAccessTokenProvider'
 import { installFakeClock } from '../../testUtil'
-import { getCache } from '../../../credentials/sso/cache'
+import {
+    getCache,
+    getTokenCacheFile,
+    isDirSafeToDeleteFrom,
+    getRegistrationCacheFile,
+} from '../../../credentials/sso/cache'
 
 import { instance, mock, when, anything, reset } from '../../utilities/mockito'
 import { makeTemporaryToolkitFolder, tryRemoveFolder } from '../../../shared/filesystemUtilities'
@@ -25,6 +30,8 @@ import { getOpenExternalStub } from '../../globalSetup.test'
 import { getTestWindow } from '../../shared/vscode/window'
 import { SeverityLevel } from '../../shared/vscode/message'
 import { ToolkitError } from '../../../shared/errors'
+import * as fs from 'fs'
+import * as path from 'path'
 
 const hourInMs = 3600000
 
@@ -66,6 +73,13 @@ describe('SsoAccessTokenProvider', function () {
         }
     }
 
+    async function makeTemporaryTokenCacheFolder() {
+        const root = await makeTemporaryToolkitFolder()
+        const cacheDir = path.join(root, '.aws', 'sso', 'cache')
+        fs.mkdirSync(cacheDir, { recursive: true })
+        return cacheDir
+    }
+
     before(function () {
         clock = installFakeClock()
     })
@@ -75,7 +89,7 @@ describe('SsoAccessTokenProvider', function () {
     })
 
     beforeEach(async function () {
-        tempDir = await makeTemporaryToolkitFolder()
+        tempDir = await makeTemporaryTokenCacheFolder()
         cache = getCache(tempDir)
         sut = new SsoAccessTokenProvider({ region, startUrl }, cache, instance(oidcClient))
     })
@@ -115,6 +129,74 @@ describe('SsoAccessTokenProvider', function () {
             assert.strictEqual(await cache.token.load(startUrl), undefined)
         })
 
+        describe('does not return old tokens', function () {
+            // A file is old when the creation time is under a certain date
+            const oldTime: Date = new Date(2023, 3, 10) // April 10, 2023
+            const nonOldTime: Date = new Date(2023, 3, 15) // April 15, 2023
+
+            function oldBirthtime(file: fs.PathLike): fs.Stats {
+                return { birthtimeMs: oldTime.getTime(), birthtime: oldTime } as fs.Stats
+            }
+
+            /** Windows edge case where birthtime does not exist, instead check ctime */
+            function noBirthtimeOldCTime(file: fs.PathLike): fs.Stats {
+                return { birthtimeMs: 0, ctime: oldTime } as fs.Stats
+            }
+
+            const oldStatsFuncs = [oldBirthtime, noBirthtimeOldCTime]
+
+            oldStatsFuncs.forEach(invalidStatsFunc => {
+                it(`deletes old invalid tokens when ${invalidStatsFunc.name} then returns undefined`, async function () {
+                    await cache.token.save(startUrl, { region, startUrl, token: createToken(hourInMs) })
+                    const tokenCacheFile = getTokenCacheFile(tempDir, startUrl)
+                    assert.strictEqual(fs.existsSync(tokenCacheFile), true)
+
+                    // Set the func which returns Stats that are always 'invalid'
+                    cache = getCache(tempDir, invalidStatsFunc)
+
+                    assert.strictEqual(await cache.token.load(startUrl), undefined)
+                    assert.strictEqual(fs.existsSync(tokenCacheFile), false)
+                })
+
+                it(`deletes old invalid registrations when ${invalidStatsFunc.name} then returns undefined`, async function () {
+                    const registrationKey = { region }
+                    await cache.registration.save(registrationKey, createRegistration(hourInMs))
+                    const registrationCacheFile = getRegistrationCacheFile(tempDir, registrationKey)
+                    assert.strictEqual(fs.existsSync(registrationCacheFile), true)
+
+                    // Set the func which returns Stats that are always 'invalid'
+                    cache = getCache(tempDir, invalidStatsFunc)
+                    assert.strictEqual(await cache.token.load(startUrl), undefined)
+                    assert.strictEqual(fs.existsSync(registrationCacheFile), false)
+                })
+            })
+
+            function nonOldBirthtime(file: fs.PathLike): fs.Stats {
+                return { birthtimeMs: nonOldTime.getTime() } as fs.Stats
+            }
+
+            it(`returns token from non-old file`, async function () {
+                const token = createToken(hourInMs)
+                await cache.token.save(startUrl, { region, startUrl, token })
+                const tokenCacheFile = getTokenCacheFile(tempDir, startUrl)
+                assert.strictEqual(fs.existsSync(tokenCacheFile), true)
+
+                cache = getCache(tempDir, nonOldBirthtime)
+
+                assert.deepStrictEqual((await cache.token.load(startUrl))!.token, token)
+                assert.strictEqual(fs.existsSync(tokenCacheFile), true)
+            })
+
+            it('isDirSafeToDeleteFrom()', function () {
+                assert.ok(!isDirSafeToDeleteFrom('.'))
+                assert.ok(!isDirSafeToDeleteFrom('/'))
+                assert.ok(!isDirSafeToDeleteFrom('not/an/absolute/path'))
+                assert.ok(!isDirSafeToDeleteFrom('/a/b/c')) // Too shallow
+
+                assert.ok(isDirSafeToDeleteFrom('/a/b/c/d'))
+            })
+        })
+
         it('returns `undefined` for expired tokens that cannot be refreshed', async function () {
             const expiredToken = createToken(-hourInMs)
             await cache.token.save(startUrl, { region, startUrl, token: expiredToken })

src/test/techdebt.test.ts

@@ -42,4 +42,12 @@ describe('tech debt', function () {
             'with node16+, we can use crypto.randomUUID and remove the "uuid" dependency'
         )
     })
+
+    it('temporary code removed', function () {
+        // Reason: https://sim.amazon.com/issues/IDE-10559
+        // At this point in time most users who would have run in to this error
+        // will have already had their old files deleted.
+        const august2023 = new Date(2023, 7, 1)
+        assert.ok(Date.now() < august2023.getTime(), 'remove `deleteOldFiles()` in `cache.ts`')
+    })
 })