Merge master into feature/web

Author: aws-toolkit-automation

src/auth/auth.ts

@@ -24,6 +24,11 @@ import { CredentialsProviderManager } from './providers/credentialsProviderManag
 import { asString, CredentialsId, CredentialsProvider, fromString } from './providers/credentials'
 import { once } from '../shared/utilities/functionUtils'
 import { CredentialsSettings } from './credentials/utils'
+import {
+    extractDataFromSection,
+    getSectionOrThrow,
+    loadSharedCredentialsSections,
+} from './credentials/sharedCredentials'
 import { getCodeCatalystDevEnvId } from '../shared/vscode/env'
 import { partition } from '../shared/utilities/mementos'
 import { SsoCredentialsProvider } from './providers/ssoCredentialsProvider'
@@ -47,8 +52,9 @@ import {
     StoredProfile,
     codecatalystScopes,
     createBuilderIdProfile,
+    createSsoProfile,
     hasScopes,
-    isBuilderIdConnection,
+    isValidCodeCatalystConnection,
     loadIamProfilesIntoStore,
     loadLinkedProfilesIntoStore,
     ssoAccountAccessScopes,
@@ -521,9 +527,11 @@ export class Auth implements AuthService, ConnectionManager {
     }
 
     // XXX: always read from the same location in a dev environment
-    private getSsoSessionName = once(() => {
+    // This detection is fuzzy if an sso-session section exists for any other reason.
+    private detectSsoSessionNameForCodeCatalyst = once((): string => {
         try {
             const configFile = getConfigFilename()
+            // `require('fs')` is workaround for web mode:
             const contents: string = require('fs').readFileSync(configFile, 'utf-8')
             const identifier = contents.match(/\[sso\-session (.*)\]/)?.[1]
             if (!identifier) {
@@ -532,21 +540,40 @@ export class Auth implements AuthService, ConnectionManager {
 
             return identifier
         } catch (err) {
-            const defaultName = 'codecatalyst'
-            getLogger().warn(`auth: unable to get an sso session name, defaulting to "${defaultName}": %s`, err)
-
-            return defaultName
+            const identifier = 'codecatalyst'
+            getLogger().warn(`auth: unable to get an sso session name, defaulting to "${identifier}": %s`, err)
+            return identifier
         }
     })
 
+    private createCodeCatalystDevEnvProfile = async (): Promise<[id: string, profile: SsoProfile]> => {
+        const identifier = this.detectSsoSessionNameForCodeCatalyst()
+
+        const { sections } = await loadSharedCredentialsSections()
+        const { sso_region: region, sso_start_url: startUrl } = extractDataFromSection(
+            getSectionOrThrow(sections, identifier, 'sso-session')
+        )
+
+        if ([region, startUrl].some(prop => typeof prop !== 'string')) {
+            throw new ToolkitError('sso-session data missing in ~/.aws/config', { code: 'NoSsoSession' })
+        }
+
+        return startUrl === builderIdStartUrl
+            ? [identifier, createBuilderIdProfile(codecatalystScopes)]
+            : [identifier, createSsoProfile(region, startUrl, codecatalystScopes)]
+    }
+
     private getTokenProvider(id: Connection['id'], profile: StoredProfile<SsoProfile>) {
-        // XXX: Use the token created by dev environments if and only if the profile is strictly for CodeCatalyst
+        // XXX: Use the token created by Dev Environments if and only if the profile is strictly
+        // for CodeCatalyst, as indicated by its set of scopes. A consequence of these semantics is
+        // that any profile will be coerced to use this token if that profile exclusively contains
+        // CodeCatalyst scopes. Similarly, if additional scopes are added to a profile, the profile
+        // no longer matches this condition.
         const shouldUseSoftwareStatement =
             getCodeCatalystDevEnvId() !== undefined &&
-            profile.startUrl === builderIdStartUrl &&
             profile.scopes?.every(scope => codecatalystScopes.includes(scope))
 
-        const tokenIdentifier = shouldUseSoftwareStatement ? this.getSsoSessionName() : id
+        const tokenIdentifier = shouldUseSoftwareStatement ? this.detectSsoSessionNameForCodeCatalyst() : id
 
         return this.createTokenProvider(
             {
@@ -702,15 +729,28 @@ export class Auth implements AuthService, ConnectionManager {
             })
         )
 
-        // Use the environment token if available
-        // This token only has CC permissions currently!
+        // When opening a Dev Environment, use the environment token if no other CodeCatalyst
+        // credential is in use. This token only has CC permissions currently!
         if (getCodeCatalystDevEnvId() !== undefined) {
-            const connections = (await this.listConnections()).filter(isBuilderIdConnection)
-
-            if (connections.length === 0) {
-                const key = uuid.v4()
-                await this.store.addProfile(key, createBuilderIdProfile(codecatalystScopes))
-                await this.store.setCurrentProfileId(key)
+            const connections = await this.listConnections()
+            const shouldInsertDevEnvCredential = !connections.some(isValidCodeCatalystConnection)
+
+            if (shouldInsertDevEnvCredential) {
+                // Insert a profile based on the `~/.aws/config` sso-session:
+                try {
+                    // After creating a CodeCatalyst Dev Environment profile based on sso-session,
+                    // we discard the actual key, and we insert the profile with an arbitrary key.
+                    // The cache key for any strictly-CodeCatalyst profile is overriden to the
+                    // sso-session identifier on read. If the coerce-on-read semantics ever become
+                    // an issue, it should be possible to use the actual key here However, this
+                    // would require deleting existing profiles to avoid inserting duplicates.
+                    const [_dangerousDiscardActualKey, devEnvProfile] = await this.createCodeCatalystDevEnvProfile()
+                    const key = uuid.v4()
+                    await this.store.addProfile(key, devEnvProfile)
+                    await this.store.setCurrentProfileId(key)
+                } catch (err) {
+                    getLogger().warn(`auth: failed to insert dev env profile: %s`, err)
+                }
             }
         }
 

src/auth/connection.ts

@@ -52,7 +52,7 @@ export const isIdcSsoConnection = (conn?: Connection): conn is SsoConnection =>
 export const isBuilderIdConnection = (conn?: Connection): conn is SsoConnection => isSsoConnection(conn, 'builderId')
 
 export const isValidCodeCatalystConnection = (conn: Connection): conn is SsoConnection =>
-    isBuilderIdConnection(conn) && hasScopes(conn, codecatalystScopes)
+    isSsoConnection(conn) && hasScopes(conn, codecatalystScopes)
 
 export function hasScopes(target: SsoConnection | SsoProfile, scopes: string[]): boolean {
     return scopes?.every(s => target.scopes?.includes(s))

src/auth/sso/cache.ts

@@ -105,25 +105,28 @@ export function getTokenCache(directory = getCacheDir()): KeyedCache<SsoAccess>
     }
 
     const logger = (message: string) => getLogger().debug(`SSO token cache: ${message}`)
-    const cache = createDiskCache<StoredToken, string>((ssoUrl: string) => getTokenCacheFile(directory, ssoUrl), logger)
+    const cache = createDiskCache<StoredToken, string>((key: string) => getTokenCacheFile(directory, key), logger)
 
     return mapCache(cache, read, write)
 }
 
-function getTokenCacheFile(ssoCacheDir: string, ssoUrl: string): string {
-    const encoded = encodeURI(ssoUrl)
+function getTokenCacheFile(ssoCacheDir: string, key: string): string {
+    const encoded = encodeURI(key)
     // Per the spec: 'SSO Login Token Flow' the access token must be
     // cached as the SHA1 hash of the bytes of the UTF-8 encoded
-    // startUrl value with ".json" appended to the end.
+    // startUrl value with ".json" appended to the end. However, the
+    // cache key used by the Toolkit is an alternative arbitrary key
+    // in most scenarios. This alternative cache key still conforms
+    // to the same ${sha1(key)}.json cache location semantics.
 
     const shasum = crypto.createHash('sha1')
     // Suppress warning because:
     //   1. SHA1 is prescribed by the AWS SSO spec
-    //   2. the hashed startUrl value is not a secret
+    //   2. the hashed startUrl or other key value is not a secret
     shasum.update(encoded) // lgtm[js/weak-cryptographic-algorithm]
-    const hashedUrl = shasum.digest('hex') // lgtm[js/weak-cryptographic-algorithm]
+    const hashedKey = shasum.digest('hex') // lgtm[js/weak-cryptographic-algorithm]
 
-    return path.join(ssoCacheDir, `${hashedUrl}.json`)
+    return path.join(ssoCacheDir, `${hashedKey}.json`)
 }
 
 function getRegistrationCacheFile(ssoCacheDir: string, key: RegistrationKey): string {

src/auth/ui/vue/authForms/manageIdentityCenter.vue

@@ -360,6 +360,45 @@ export class CodeWhispererIdentityCenterState extends BaseIdentityCenterState {
     }
 }
 
+export class CodeCatalystIdentityCenterState extends BaseIdentityCenterState {
+    override get id(): AuthFormId {
+        return 'identityCenterCodeCatalyst'
+    }
+
+    override get name(): string {
+        return 'CodeCatalyst'
+    }
+
+    override get uiClickOpenId(): AuthUiClick {
+        return 'auth_openCodeCatalyst'
+    }
+
+    override get uiClickSignout(): AuthUiClick {
+        return 'auth_codecatalyst_signoutIdentityCenter'
+    }
+
+    override get featureType(): FeatureId {
+        return 'codecatalyst'
+    }
+
+    protected override async _startIdentityCenterSetup(): Promise<AuthError | undefined> {
+        const data = await this.getSubmittableDataOrThrow()
+        return client.startCodeCatalystIdentityCenterSetup(data.startUrl, data.region)
+    }
+
+    override async isAuthConnected(): Promise<boolean> {
+        return client.isCodeCatalystIdentityCenterConnected()
+    }
+
+    override async showView(): Promise<void> {
+        client.showCodeCatalystNode()
+    }
+
+    override signout(): Promise<void> {
+        return client.signoutCodeCatalystIdentityCenter()
+    }
+}
+
 /**
  * In the context of the Explorer, an Identity Center connection
  * is not required to be active. This is due to us only needing

src/auth/ui/vue/authForms/shared.vue

@@ -1,7 +1,11 @@
 <script lang="ts">
 import { CodeCatalystBuilderIdState, CodeWhispererBuilderIdState } from './manageBuilderId.vue'
 import { CredentialsState } from './manageCredentials.vue'
-import { CodeWhispererIdentityCenterState, ExplorerIdentityCenterState } from './manageIdentityCenter.vue'
+import {
+    CodeCatalystIdentityCenterState,
+    CodeWhispererIdentityCenterState,
+    ExplorerIdentityCenterState,
+} from './manageIdentityCenter.vue'
 import { AuthFormId } from './types'
 
 /**
@@ -12,6 +16,7 @@ const authFormsState = {
     builderIdCodeWhisperer: CodeWhispererBuilderIdState.instance,
     builderIdCodeCatalyst: CodeCatalystBuilderIdState.instance,
     identityCenterCodeWhisperer: new CodeWhispererIdentityCenterState(),
+    identityCenterCodeCatalyst: new CodeCatalystIdentityCenterState(),
     identityCenterExplorer: new ExplorerIdentityCenterState(),
 } as const
 

src/auth/ui/vue/authForms/types.ts

@@ -8,6 +8,7 @@ export type AuthFormId =
     | 'builderIdCodeWhisperer'
     | 'builderIdCodeCatalyst'
     | 'identityCenterCodeWhisperer'
+    | 'identityCenterCodeCatalyst'
     | 'identityCenterExplorer'
     | 'aggregateExplorer'
 
@@ -19,6 +20,7 @@ export const AuthFormDisplayName: Record<AuthFormId, string> = {
     credentials: 'IAM Credentials',
     builderIdCodeCatalyst: 'CodeCatalyst with AWS Builder ID',
     builderIdCodeWhisperer: 'CodeWhisperer with AWS Builder ID',
+    identityCenterCodeCatalyst: 'CodeCatalyst with IAM Identity Center',
     identityCenterCodeWhisperer: 'CodeWhisperer with IAM Identity Center',
     identityCenterExplorer: 'AWS Explorer with IAM Identity Center',
     aggregateExplorer: '',

src/auth/ui/vue/serviceItemContent/codeCatalystContent.vue

@@ -32,34 +32,62 @@
                     @auth-connection-updated="onAuthConnectionUpdated"
                 ></BuilderIdForm>
             </div>
+
+            <div>
+                <div v-on:click="toggleIdentityCenterShown" style="cursor: pointer; display: flex; flex-direction: row">
+                    <div style="font-weight: bold; font-size: medium" :class="identityCenterCollapsibleClass"></div>
+                    <div>
+                        <div style="font-weight: bold; font-size: 14px">Sign in with IAM Identity Center.</div>
+                    </div>
+                </div>
+            </div>
+
+            <IdentityCenterForm
+                :state="identityCenterState"
+                :allow-existing-start-url="true"
+                @auth-connection-updated="onAuthConnectionUpdated"
+                v-show="isIdentityCenterShown"
+            ></IdentityCenterForm>
         </div>
     </div>
 </template>
 
 <script lang="ts">
 import { defineComponent } from 'vue'
 import BuilderIdForm, { CodeCatalystBuilderIdState } from '../authForms/manageBuilderId.vue'
+import IdentityCenterForm, { CodeCatalystIdentityCenterState } from '../authForms/manageIdentityCenter.vue'
 import BaseServiceItemContent from './baseServiceItemContent.vue'
 import authFormsState, { AuthForm, FeatureStatus } from '../authForms/shared.vue'
 import { AuthFormId } from '../authForms/types'
 import { ConnectionUpdateArgs } from '../authForms/baseAuth.vue'
+import { WebviewClientFactory } from '../../../../webviews/client'
+import { AuthWebview } from '../show'
+
+const client = WebviewClientFactory.create<AuthWebview>()
 
 export default defineComponent({
     name: 'CodeCatalystContent',
-    components: { BuilderIdForm },
+    components: { BuilderIdForm, IdentityCenterForm },
     extends: BaseServiceItemContent,
     data() {
         return {
             isLoaded: {
                 builderIdCodeCatalyst: false,
             } as Record<AuthFormId, boolean>,
             isAllAuthsLoaded: false,
+            isIdentityCenterShown: false,
         }
     },
     computed: {
         builderIdState(): CodeCatalystBuilderIdState {
             return authFormsState.builderIdCodeCatalyst
         },
+        identityCenterState(): CodeCatalystIdentityCenterState {
+            return authFormsState.identityCenterCodeCatalyst
+        },
+        identityCenterCollapsibleClass() {
+            return this.isIdentityCenterShown ? 'icon icon-vscode-chevron-down' : 'icon icon-vscode-chevron-right'
+        },
     },
     methods: {
         updateIsAllAuthsLoaded() {
@@ -71,12 +99,18 @@ export default defineComponent({
             this.updateIsAllAuthsLoaded()
             this.emitAuthConnectionUpdated('codecatalyst', args)
         },
+        toggleIdentityCenterShown() {
+            this.isIdentityCenterShown = !this.isIdentityCenterShown
+            if (this.isIdentityCenterShown) {
+                client.emitUiClick('auth_codecatalyst_expandIAMIdentityCenter')
+            }
+        },
     },
 })
 
 export class CodeCatalystContentState extends FeatureStatus {
     override getAuthForms(): AuthForm[] {
-        return [authFormsState.builderIdCodeCatalyst]
+        return [authFormsState.builderIdCodeCatalyst, authFormsState.identityCenterCodeCatalyst]
     }
 }
 </script>