fix(codecatalyst): avoid PAT in git clone URL

Problem:
The private token (PAT) is part of the git clone URL in .git/config

Solution:
Use vscode-git extension CredentialProvider API, which stores the token
in the OS keychain. Remove clone support on Cloud9.

Author: JadenSimon

package.json

@@ -1281,7 +1281,7 @@
                 },
                 {
                     "command": "aws.codecatalyst.cloneRepo",
-                    "when": "view == aws.codecatalyst",
+                    "when": "view == aws.codecatalyst && !isCloud9",
                     "group": "1_codeCatalyst@1"
                 },
                 {
@@ -1998,7 +1998,8 @@
             {
                 "command": "aws.codecatalyst.cloneRepo",
                 "title": "%AWS.command.codecatalyst.cloneRepo%",
-                "category": "AWS"
+                "category": "AWS",
+                "enablement": "!isCloud9"
             },
             {
                 "command": "aws.codecatalyst.createDevEnv",

src/codecatalyst/activation.ts

@@ -20,6 +20,7 @@ import { dontShow } from '../shared/localizedText'
 import { isCloud9 } from '../shared/extensionUtilities'
 import { watchBetaVSIX } from './beta'
 import { Commands } from '../shared/vscode/commands2'
+import { getCodeCatalystConfig } from '../shared/clients/codecatalystClient'
 
 const localize = nls.loadMessageBundle()
 
@@ -36,11 +37,21 @@ export async function activate(ctx: ExtContext): Promise<void> {
         ...Object.values(CodeCatalystCommands.declared).map(c => c.register(commands))
     )
 
-    GitExtension.instance.registerRemoteSourceProvider(remoteSourceProvider).then(disposable => {
-        ctx.extensionContext.subscriptions.push(disposable)
-    })
-
     if (!isCloud9()) {
+        GitExtension.instance.registerRemoteSourceProvider(remoteSourceProvider).then(disposable => {
+            ctx.extensionContext.subscriptions.push(disposable)
+        })
+
+        GitExtension.instance
+            .registerCredentialsProvider({
+                getCredentials(uri: vscode.Uri) {
+                    if (uri.authority.endsWith(getCodeCatalystConfig().gitHostname)) {
+                        return commands.withClient(client => authProvider.getCredentialsForGit(client))
+                    }
+                },
+            })
+            .then(disposable => ctx.extensionContext.subscriptions.push(disposable))
+
         watchRestartingDevEnvs(ctx, authProvider)
         watchBetaVSIX()
     }

src/codecatalyst/auth.ts

@@ -8,19 +8,20 @@ import { ConnectedCodeCatalystClient } from '../shared/clients/codecatalystClien
 import { isCloud9 } from '../shared/extensionUtilities'
 import { Auth, isBuilderIdConnection, Connection, SsoConnection, codecatalystScopes } from '../credentials/auth'
 import { getSecondaryAuth } from '../credentials/secondaryAuth'
+import { getLogger } from '../shared/logger'
 
 // Secrets stored on the macOS keychain appear as individual entries for each key
 // This is fine so long as the user has only a few accounts. Otherwise this should
 // store secrets as a map.
 export class CodeCatalystAuthStorage {
     public constructor(private readonly secrets: vscode.SecretStorage) {}
 
-    public async getPat(id: string): Promise<string | undefined> {
-        return this.secrets.get(`codecatalyst.pat.${id}`)
+    public async getPat(username: string): Promise<string | undefined> {
+        return this.secrets.get(`codecatalyst.pat.${username}`)
     }
 
-    public async storePat(id: string, pat: string): Promise<void> {
-        await this.secrets.store(`codecatalyst.pat.${id}`, pat)
+    public async storePat(username: string, pat: string): Promise<void> {
+        await this.secrets.store(`codecatalyst.pat.${username}`, pat)
     }
 }
 
@@ -46,19 +47,34 @@ export class CodeCatalystAuthenticationProvider {
     }
 
     // Get rid of this? Not sure where to put PAT code.
-    public async getPat(client: ConnectedCodeCatalystClient): Promise<string> {
-        const stored = await this.storage.getPat(client.identity.id)
+    public async getPat(client: ConnectedCodeCatalystClient, username = client.identity.name): Promise<string> {
+        const stored = await this.storage.getPat(username)
 
         if (stored) {
             return stored
         }
 
         const resp = await client.createAccessToken({ name: 'aws-toolkits-vscode-token' })
-        await this.storage.storePat(client.identity.id, resp.secret)
+        await this.storage.storePat(username, resp.secret)
 
         return resp.secret
     }
 
+    public async getCredentialsForGit(client: ConnectedCodeCatalystClient) {
+        getLogger().verbose(`codecatalyst (git): attempting to provide credentials`)
+
+        const username = client.identity.name
+
+        try {
+            return {
+                username,
+                password: await this.getPat(client, username),
+            }
+        } catch (err) {
+            getLogger().verbose(`codecatalyst (git): failed to get credentials for user "${username}": %s`, err)
+        }
+    }
+
     public async removeSavedConnection() {
         await this.secondaryAuth.removeConnection()
     }

src/codecatalyst/commands.ts

@@ -18,7 +18,7 @@ import {
     ConnectedCodeCatalystClient,
     CodeCatalystResource,
 } from '../shared/clients/codecatalystClient'
-import { createClientFactory, DevEnvironmentId, getConnectedDevEnv, getRepoCloneUrl, openDevEnv } from './model'
+import { createClientFactory, DevEnvironmentId, getConnectedDevEnv, openDevEnv } from './model'
 import { showConfigureDevEnv } from './vue/configure/backend'
 import { showCreateDevEnv } from './vue/create/backend'
 import { CancellationError } from '../shared/utilities/timeoutUtils'
@@ -35,12 +35,6 @@ export async function listCommands(): Promise<void> {
 
 /** "Clone CodeCatalyst Repository" command. */
 export async function cloneCodeCatalystRepo(client: ConnectedCodeCatalystClient, url?: vscode.Uri): Promise<void> {
-    async function getPat() {
-        // FIXME: make it easier to go from auth -> client so we don't need to do this
-        const auth = CodeCatalystAuthenticationProvider.fromContext(globals.context)
-        return auth.getPat(client)
-    }
-
     let resource: { name: string; project: string; org: string }
     if (!url) {
         const r = await selectCodeCatalystResource(client, 'repo')
@@ -56,16 +50,11 @@ export async function cloneCodeCatalystRepo(client: ConnectedCodeCatalystClient,
         resource = { name: repo, project, org }
     }
 
-    const uri = await getRepoCloneUrl(
-        client,
-        {
-            spaceName: resource.org,
-            projectName: resource.project,
-            sourceRepositoryName: resource.name,
-        },
-        client.identity.name,
-        await getPat()
-    )
+    const uri = await client.getRepoCloneUrl({
+        spaceName: resource.org,
+        projectName: resource.project,
+        sourceRepositoryName: resource.name,
+    })
     await vscode.commands.executeCommand('git.clone', uri)
 }
 

src/codecatalyst/explorer.ts

@@ -5,7 +5,7 @@
 
 import * as vscode from 'vscode'
 import { RootNode } from '../awsexplorer/localExplorer'
-import { createBuilderIdConnection, isBuilderIdConnection } from '../credentials/auth'
+import { Connection, createBuilderIdConnection, isBuilderIdConnection } from '../credentials/auth'
 import { DevEnvironment } from '../shared/clients/codecatalystClient'
 import { UnknownError } from '../shared/errors'
 import { isCloud9 } from '../shared/extensionUtilities'
@@ -30,6 +30,14 @@ const learnMoreCommand = Commands.register('aws.learnMore', async (docsUrl: vsco
     return vscode.env.openExternal(docsUrl)
 })
 
+// Only used in rare cases on C9
+const reauth = Commands.register(
+    '_aws.codecatalyst.reauthenticate',
+    async (conn: Connection, authProvider: CodeCatalystAuthenticationProvider) => {
+        await authProvider.auth.reauthenticate(conn)
+    }
+)
+
 function getLocalCommands(auth: CodeCatalystAuthenticationProvider) {
     const docsUrl = isCloud9() ? codecatalyst.docs.cloud9.overview : codecatalyst.docs.vscode.overview
     if (!isBuilderIdConnection(auth.activeConnection)) {
@@ -45,19 +53,20 @@ function getLocalCommands(auth: CodeCatalystAuthenticationProvider) {
         ]
     }
 
-    const cmds = [
-        CodeCatalystCommands.declared.cloneRepo.build().asTreeNode({
-            label: 'Clone Repository',
-            iconPath: getIcon('vscode-symbol-namespace'),
-        }),
-    ]
-
     if (isCloud9()) {
-        return cmds
+        const item = reauth.build(auth.activeConnection, auth).asTreeNode({
+            label: 'Failed to get the current Dev Environment. Click to try again.',
+            iconPath: getIcon(`vscode-error`),
+        })
+
+        return [item]
     }
 
     return [
-        ...cmds,
+        CodeCatalystCommands.declared.cloneRepo.build().asTreeNode({
+            label: 'Clone Repository',
+            iconPath: getIcon('vscode-symbol-namespace'),
+        }),
         CodeCatalystCommands.declared.openDevEnv.build().asTreeNode({
             label: 'Open Dev Environment',
             iconPath: getIcon('vscode-vm-connect'),

src/codecatalyst/model.ts

@@ -27,7 +27,6 @@ import { ensureDependencies, HOST_NAME_PREFIX } from './tools'
 import { isCodeCatalystVSCode } from './utils'
 import { Timeout } from '../shared/utilities/timeoutUtils'
 import { Commands } from '../shared/vscode/commands2'
-import * as codecatalyst from '../../types/clientcodecatalyst'
 
 export type DevEnvironmentId = Pick<DevEnvironment, 'id' | 'org' | 'project'>
 
@@ -300,36 +299,6 @@ export async function getDevfileLocation(client: DevEnvClient, root?: vscode.Uri
     return vscode.Uri.joinPath(rootDirectory, devfileLocation)
 }
 
-function toCodeCatalystGitUri(username: string, token: string, cloneUrl: string): string {
-    // "https://[email protected].…" => "git.gamma.…"
-    let url = cloneUrl.replace(/https:\/\/[^@\/]+@/, '')
-    if (url === cloneUrl) {
-        // URL didn't change, so it's missing the "user@" part.
-        // "https://git.gamma.…" => "git.gamma.…"
-        url = cloneUrl.replace('https://', '')
-    }
-    return `https://${username}:${token}@${url}`
-}
-
-/**
- * Gets a URL including username and password (PAT) that can be used by git to clone the given CodeCatalyst repo.
- *
- * Example: "https://user:[email protected].…"
- *
- * @param args
- * @returns Clone URL (example: "https://user:[email protected].…")
- */
-export async function getRepoCloneUrl(
-    client: ConnectedCodeCatalystClient,
-    args: codecatalyst.GetSourceRepositoryCloneUrlsRequest,
-    user: string,
-    password: string
-): Promise<string> {
-    const url = await client.getRepoCloneUrl(args)
-    const cloneurl = toCodeCatalystGitUri(user, password, url)
-    return cloneurl
-}
-
 /**
  * Given a collection of CodeCatalyst repos, try to find a corresponding devenv, if any
  */

src/codecatalyst/repos/remoteSourceProvider.ts

@@ -10,7 +10,6 @@ import * as vscode from 'vscode'
 import { RemoteSource, RemoteSourceProvider } from '../../../types/git'
 import { CodeCatalystAuthenticationProvider } from '../auth'
 import { createRepoLabel } from '../wizards/selectResource'
-import { getRepoCloneUrl } from '../model'
 import { CodeCatalystCommands } from '../commands'
 import { CodeCatalystRepo } from '../../shared/clients/codecatalystClient'
 import { getIcon, Icon } from '../../shared/icons'
@@ -57,17 +56,11 @@ export class CodeCatalystRemoteSourceProvider implements RemoteSourceProvider {
         return this.commands.withClient(async client => {
             const intoRemote = async (repo: CodeCatalystRepo): Promise<RemoteSource> => {
                 const resource = { name: repo.name, project: repo.project.name, org: repo.org.name }
-                const pat = await this.authProvider.getPat(client)
-                const url = await getRepoCloneUrl(
-                    client,
-                    {
-                        spaceName: resource.org,
-                        projectName: resource.project,
-                        sourceRepositoryName: resource.name,
-                    },
-                    client.identity.name,
-                    pat
-                )
+                const url = await client.getRepoCloneUrl({
+                    spaceName: resource.org,
+                    projectName: resource.project,
+                    sourceRepositoryName: resource.name,
+                })
 
                 return {
                     name: createRepoLabel(repo),

src/shared/clients/codecatalystClient.ts

@@ -516,7 +516,9 @@ class CodeCatalystClientInternal {
      */
     public async getRepoCloneUrl(args: codecatalyst.GetSourceRepositoryCloneUrlsRequest): Promise<string> {
         const r = await this.call(this.sdkClient.getSourceRepositoryCloneUrls(args), false)
-        return r.https
+
+        // The git extension skips over credential providers if the username is included in the authority
+        return `https://${r.https.replace(/.*@/, '')}`
     }
 
     public async createDevEnvironment(args: codecatalyst.CreateDevEnvironmentRequest): Promise<DevEnvironment> {

src/shared/extensions/git.ts

@@ -390,4 +390,14 @@ export class GitExtension {
 
         return api.registerRemoteSourceProvider(provider)
     }
+
+    public async registerCredentialsProvider(provider: GitTypes.CredentialsProvider): Promise<vscode.Disposable> {
+        const api = await this.validateApi('git: extension disabled, unable to register credentials provider')
+
+        if (!api) {
+            return { dispose: () => {} }
+        }
+
+        return api.registerCredentialsProvider(provider)
+    }
 }