Merge #3362 nkomonen-amazon/removeOldSsoCacheSimpler

Author: justinmk3

src/credentials/sso/cache.ts

@@ -12,6 +12,7 @@ import { hasProps, selectFrom } from '../../shared/utilities/tsUtils'
 import { SsoToken, ClientRegistration } from './model'
 import { SystemUtilities } from '../../shared/systemUtilities'
 import { DevSettings } from '../../shared/settings'
+import { statSync, Stats, readdirSync, unlinkSync } from 'fs'
 
 interface RegistrationKey {
     readonly region: string
@@ -33,32 +34,57 @@ export interface SsoCache {
 const defaultCacheDir = path.join(SystemUtilities.getHomeDirectory(), '.aws', 'sso', 'cache')
 export const getCacheDir = () => DevSettings.instance.get('ssoCacheDirectory', defaultCacheDir)
 
-export function getCache(directory = getCacheDir()): SsoCache {
+export function getCache(directory = getCacheDir(), statFunc = getFileStats): SsoCache {
+    try {
+        deleteOldFiles(directory, statFunc)
+    } catch (e) {
+        getLogger().warn('auth: error deleting old files in sso cache: %s', e)
+    }
+
     return {
         token: getTokenCache(directory),
         registration: getRegistrationCache(directory),
     }
 }
 
-export function getRegistrationCache(directory = getCacheDir()): KeyedCache<ClientRegistration, RegistrationKey> {
-    const hashScopes = (scopes: string[]) => {
-        const shasum = crypto.createHash('sha256')
-        scopes.forEach(s => shasum.update(s))
-        return shasum.digest('hex')
+function deleteOldFiles(directory: string, statFunc: typeof getFileStats) {
+    if (!isDirSafeToDeleteFrom(directory)) {
+        getLogger().warn(`Skipped deleting files in directory: ${path.resolve(directory)}`)
+        return
     }
 
-    const getTarget = (key: RegistrationKey) => {
-        const suffix = `${key.region}${key.scopes && key.scopes.length > 0 ? `-${hashScopes(key.scopes)}` : ''}`
-        return path.join(directory, `aws-toolkit-vscode-client-id-${suffix}.json`)
-    }
+    const fileNames = readdirSync(directory)
+    fileNames.forEach(fileName => {
+        const filePath = path.join(directory, fileName)
+        if (path.extname(filePath) === '.json' && isOldFile(filePath, statFunc)) {
+            unlinkSync(filePath)
+            getLogger().warn(`auth: removed old cache file: ${filePath}`)
+        }
+    })
+}
+
+export function isDirSafeToDeleteFrom(dirPath: string): boolean {
+    const resolvedPath = path.resolve(dirPath)
+    const isRoot = resolvedPath === path.resolve('/')
+    const isCwd = resolvedPath === path.resolve('.')
+    const isAbsolute = path.isAbsolute(dirPath)
+    const pathDepth = resolvedPath.split(path.sep).length
+
+    const isSafe = !isRoot && !isCwd && isAbsolute && pathDepth >= 5
+    return isSafe
+}
 
+export function getRegistrationCache(directory = getCacheDir()): KeyedCache<ClientRegistration, RegistrationKey> {
     // Compatability for older Toolkit versions (format on disk is unchanged)
     type StoredRegistration = Omit<ClientRegistration, 'expiresAt'> & { readonly expiresAt: string }
     const read = (data: StoredRegistration) => ({ ...data, expiresAt: new Date(data.expiresAt) })
     const write = (data: ClientRegistration) => ({ ...data, expiresAt: data.expiresAt.toISOString() })
 
     const logger = (message: string) => getLogger().debug(`SSO registration cache: ${message}`)
-    const cache: KeyedCache<StoredRegistration, RegistrationKey> = createDiskCache(getTarget, logger)
+    const cache: KeyedCache<StoredRegistration, RegistrationKey> = createDiskCache(
+        (registrationKey: RegistrationKey) => getRegistrationCacheFile(directory, registrationKey),
+        logger
+    )
 
     return mapCache(cache, read, write)
 }
@@ -112,24 +138,58 @@ export function getTokenCache(directory = getCacheDir()): KeyedCache<SsoAccess>
         }
     }
 
-    const getTarget = (ssoUrl: string) => {
-        const encoded = encodeURI(ssoUrl)
-        // Per the spec: 'SSO Login Token Flow' the access token must be
-        // cached as the SHA1 hash of the bytes of the UTF-8 encoded
-        // startUrl value with ".json" appended to the end.
+    const logger = (message: string) => getLogger().debug(`SSO token cache: ${message}`)
+    const cache = createDiskCache<StoredToken, string>((ssoUrl: string) => getTokenCacheFile(directory, ssoUrl), logger)
 
-        const shasum = crypto.createHash('sha1')
-        // Suppress warning because:
-        //   1. SHA1 is prescribed by the AWS SSO spec
-        //   2. the hashed startUrl value is not a secret
-        shasum.update(encoded) // lgtm[js/weak-cryptographic-algorithm]
-        const hashedUrl = shasum.digest('hex') // lgtm[js/weak-cryptographic-algorithm]
+    return mapCache(cache, read, write)
+}
 
-        return path.join(directory, `${hashedUrl}.json`)
+function getFileStats(file: string): Stats {
+    return statSync(file)
+}
+
+const firstValidDate = new Date(2023, 3, 14) // April 14, 2023
+
+/**
+ * @returns true if file is older than the first valid date
+ */
+function isOldFile(file: string, statFunc: typeof getFileStats): boolean {
+    try {
+        const statResult = statFunc(file)
+        // Depending on the Windows filesystem, birthtime may be 0, so we fall back to ctime (last time metadata was changed)
+        // https://nodejs.org/api/fs.html#stat-time-values
+        return statResult.birthtimeMs !== 0
+            ? statResult.birthtimeMs < firstValidDate.getTime()
+            : statResult.ctime < firstValidDate
+    } catch (err) {
+        getLogger().debug(`SSO cache file age not be verified: ${file}: ${err}`)
+        return false // Assume it is no old since we cannot validate
     }
+}
 
-    const logger = (message: string) => getLogger().debug(`SSO token cache: ${message}`)
-    const cache = createDiskCache<StoredToken, string>(getTarget, logger)
+export function getTokenCacheFile(ssoCacheDir: string, ssoUrl: string): string {
+    const encoded = encodeURI(ssoUrl)
+    // Per the spec: 'SSO Login Token Flow' the access token must be
+    // cached as the SHA1 hash of the bytes of the UTF-8 encoded
+    // startUrl value with ".json" appended to the end.
 
-    return mapCache(cache, read, write)
+    const shasum = crypto.createHash('sha1')
+    // Suppress warning because:
+    //   1. SHA1 is prescribed by the AWS SSO spec
+    //   2. the hashed startUrl value is not a secret
+    shasum.update(encoded) // lgtm[js/weak-cryptographic-algorithm]
+    const hashedUrl = shasum.digest('hex') // lgtm[js/weak-cryptographic-algorithm]
+
+    return path.join(ssoCacheDir, `${hashedUrl}.json`)
+}
+
+export function getRegistrationCacheFile(ssoCacheDir: string, key: RegistrationKey): string {
+    const hashScopes = (scopes: string[]) => {
+        const shasum = crypto.createHash('sha256')
+        scopes.forEach(s => shasum.update(s))
+        return shasum.digest('hex')
+    }
+
+    const suffix = `${key.region}${key.scopes && key.scopes.length > 0 ? `-${hashScopes(key.scopes)}` : ''}`
+    return path.join(ssoCacheDir, `aws-toolkit-vscode-client-id-${suffix}.json`)
 }

src/test/credentials/sso/ssoAccessTokenProvider.test.ts

@@ -8,7 +8,12 @@ import * as FakeTimers from '@sinonjs/fake-timers'
 import * as sinon from 'sinon'
 import { SsoAccessTokenProvider } from '../../../credentials/sso/ssoAccessTokenProvider'
 import { installFakeClock } from '../../testUtil'
-import { getCache } from '../../../credentials/sso/cache'
+import {
+    getCache,
+    getTokenCacheFile,
+    isDirSafeToDeleteFrom,
+    getRegistrationCacheFile,
+} from '../../../credentials/sso/cache'
 
 import { instance, mock, when, anything, reset } from '../../utilities/mockito'
 import { makeTemporaryToolkitFolder, tryRemoveFolder } from '../../../shared/filesystemUtilities'
@@ -25,6 +30,8 @@ import { getOpenExternalStub } from '../../globalSetup.test'
 import { getTestWindow } from '../../shared/vscode/window'
 import { SeverityLevel } from '../../shared/vscode/message'
 import { ToolkitError } from '../../../shared/errors'
+import * as fs from 'fs'
+import * as path from 'path'
 
 const hourInMs = 3600000
 
@@ -66,6 +73,13 @@ describe('SsoAccessTokenProvider', function () {
         }
     }
 
+    async function makeTemporaryTokenCacheFolder() {
+        const root = await makeTemporaryToolkitFolder()
+        const cacheDir = path.join(root, '.aws', 'sso', 'cache')
+        fs.mkdirSync(cacheDir, { recursive: true })
+        return cacheDir
+    }
+
     before(function () {
         clock = installFakeClock()
     })
@@ -75,7 +89,7 @@ describe('SsoAccessTokenProvider', function () {
     })
 
     beforeEach(async function () {
-        tempDir = await makeTemporaryToolkitFolder()
+        tempDir = await makeTemporaryTokenCacheFolder()
         cache = getCache(tempDir)
         sut = new SsoAccessTokenProvider({ region, startUrl }, cache, instance(oidcClient))
     })
@@ -115,6 +129,74 @@ describe('SsoAccessTokenProvider', function () {
             assert.strictEqual(await cache.token.load(startUrl), undefined)
         })
 
+        describe('does not return old tokens', function () {
+            // A file is old when the creation time is under a certain date
+            const oldTime: Date = new Date(2023, 3, 10) // April 10, 2023
+            const nonOldTime: Date = new Date(2023, 3, 15) // April 15, 2023
+
+            function oldBirthtime(file: fs.PathLike): fs.Stats {
+                return { birthtimeMs: oldTime.getTime(), birthtime: oldTime } as fs.Stats
+            }
+
+            /** Windows edge case where birthtime does not exist, instead check ctime */
+            function noBirthtimeOldCTime(file: fs.PathLike): fs.Stats {
+                return { birthtimeMs: 0, ctime: oldTime } as fs.Stats
+            }
+
+            const oldStatsFuncs = [oldBirthtime, noBirthtimeOldCTime]
+
+            oldStatsFuncs.forEach(invalidStatsFunc => {
+                it(`deletes old invalid tokens when ${invalidStatsFunc.name} then returns undefined`, async function () {
+                    await cache.token.save(startUrl, { region, startUrl, token: createToken(hourInMs) })
+                    const tokenCacheFile = getTokenCacheFile(tempDir, startUrl)
+                    assert.strictEqual(fs.existsSync(tokenCacheFile), true)
+
+                    // Set the func which returns Stats that are always 'invalid'
+                    cache = getCache(tempDir, invalidStatsFunc)
+
+                    assert.strictEqual(await cache.token.load(startUrl), undefined)
+                    assert.strictEqual(fs.existsSync(tokenCacheFile), false)
+                })
+
+                it(`deletes old invalid registrations when ${invalidStatsFunc.name} then returns undefined`, async function () {
+                    const registrationKey = { region }
+                    await cache.registration.save(registrationKey, createRegistration(hourInMs))
+                    const registrationCacheFile = getRegistrationCacheFile(tempDir, registrationKey)
+                    assert.strictEqual(fs.existsSync(registrationCacheFile), true)
+
+                    // Set the func which returns Stats that are always 'invalid'
+                    cache = getCache(tempDir, invalidStatsFunc)
+                    assert.strictEqual(await cache.token.load(startUrl), undefined)
+                    assert.strictEqual(fs.existsSync(registrationCacheFile), false)
+                })
+            })
+
+            function nonOldBirthtime(file: fs.PathLike): fs.Stats {
+                return { birthtimeMs: nonOldTime.getTime() } as fs.Stats
+            }
+
+            it(`returns token from non-old file`, async function () {
+                const token = createToken(hourInMs)
+                await cache.token.save(startUrl, { region, startUrl, token })
+                const tokenCacheFile = getTokenCacheFile(tempDir, startUrl)
+                assert.strictEqual(fs.existsSync(tokenCacheFile), true)
+
+                cache = getCache(tempDir, nonOldBirthtime)
+
+                assert.deepStrictEqual((await cache.token.load(startUrl))!.token, token)
+                assert.strictEqual(fs.existsSync(tokenCacheFile), true)
+            })
+
+            it('isDirSafeToDeleteFrom()', function () {
+                assert.ok(!isDirSafeToDeleteFrom('.'))
+                assert.ok(!isDirSafeToDeleteFrom('/'))
+                assert.ok(!isDirSafeToDeleteFrom('not/an/absolute/path'))
+                assert.ok(!isDirSafeToDeleteFrom('/a/b/c')) // Too shallow
+
+                assert.ok(isDirSafeToDeleteFrom('/a/b/c/d'))
+            })
+        })
+
         it('returns `undefined` for expired tokens that cannot be refreshed', async function () {
             const expiredToken = createToken(-hourInMs)
             await cache.token.save(startUrl, { region, startUrl, token: expiredToken })

src/test/techdebt.test.ts

@@ -42,4 +42,12 @@ describe('tech debt', function () {
             'with node16+, we can use crypto.randomUUID and remove the "uuid" dependency'
         )
     })
+
+    it('temporary code removed', function () {
+        // Reason: https://sim.amazon.com/issues/IDE-10559
+        // At this point in time most users who would have run in to this error
+        // will have already had their old files deleted.
+        const august2023 = new Date(2023, 7, 1)
+        assert.ok(Date.now() < august2023.getTime(), 'remove `deleteOldFiles()` in `cache.ts`')
+    })
 })