fix(auth): improve IdC connection lifespan #3501

JadenSimon · web-flow · commit ecd0eeab61a2 · 2023-05-26T13:15:34.000-07:00
Problem:
Networking issues cause connections to appear invalidated because we can't refresh the access token.
But the refresh token may still be valid.

Solution:
Assume that the connection is still valid if we see a networking issue.
Callers will receive an exception when attempting to fetch a token without an internet connection.
diff --git a/.changes/next-release/Bug Fix-2679f992-963a-454e-b2a4-1f8a61e9c5ed.json b/.changes/next-release/Bug Fix-2679f992-963a-454e-b2a4-1f8a61e9c5ed.json
@@ -0,0 +1,4 @@
+{
+	"type": "Bug Fix",
+	"description": "auth: IAM Identity Center connections expire sooner than expected"
+}
diff --git a/src/credentials/auth.ts b/src/credentials/auth.ts
@@ -18,7 +18,7 @@ import { Commands } from '../shared/vscode/commands2'
 import { createQuickPick, DataQuickPickItem, showQuickPick } from '../shared/ui/pickerPrompter'
 import { isValidResponse } from '../shared/wizards/wizard'
 import { CancellationError, Timeout } from '../shared/utilities/timeoutUtils'
-import { errorCode, formatError, isAwsError, ToolkitError, UnknownError } from '../shared/errors'
+import { errorCode, formatError, isAwsError, isNetworkError, ToolkitError, UnknownError } from '../shared/errors'
 import { getCache } from './sso/cache'
 import { createFactoryFunction, isNonNullable, Mutable } from '../shared/utilities/tsUtils'
 import { builderIdStartUrl, SsoToken } from './sso/model'
@@ -877,6 +877,13 @@ export class Auth implements AuthService, ConnectionManager {
     private readonly getToken = keyedDebounce(this._getToken.bind(this))
     private async _getToken(id: Connection['id'], provider: SsoAccessTokenProvider): Promise<SsoToken> {
         const token = await provider.getToken().catch(err => {
+            // Bubble-up networking issues so we don't treat the session as invalid
+            if (isNetworkError(err)) {
+                throw new ToolkitError('Failed to refresh connection due to networking issues', {
+                    cause: err,
+                })
+            }
+
             this.#validationErrors.set(id, err)
         })
 
diff --git a/src/credentials/sso/ssoAccessTokenProvider.ts b/src/credentials/sso/ssoAccessTokenProvider.ts
@@ -15,7 +15,14 @@ import { hasProps, hasStringProps, RequiredProps, selectFrom } from '../../share
 import { CancellationError, sleep } from '../../shared/utilities/timeoutUtils'
 import { OidcClient } from './clients'
 import { loadOr } from '../../shared/utilities/cacheUtils'
-import { getRequestId, getTelemetryReason, getTelemetryResult, isClientFault, ToolkitError } from '../../shared/errors'
+import {
+    getRequestId,
+    getTelemetryReason,
+    getTelemetryResult,
+    isClientFault,
+    isNetworkError,
+    ToolkitError,
+} from '../../shared/errors'
 import { getLogger } from '../../shared/logger'
 import { AwsRefreshCredentials, telemetry } from '../../shared/telemetry/telemetry'
 import { getIdeProperties, isCloud9 } from '../../shared/extensionUtilities'
@@ -123,17 +130,19 @@ export class SsoAccessTokenProvider {
 
             return refreshed
         } catch (err) {
-            telemetry.aws_refreshCredentials.emit({
-                result: getTelemetryResult(err),
-                reason: getTelemetryReason(err),
-                requestId: getRequestId(err),
-                sessionDuration: getSessionDuration(this.tokenCacheKey),
-                credentialType: 'bearerToken',
-                credentialSourceId: this.profile.startUrl === builderIdStartUrl ? 'awsId' : 'iamIdentityCenter',
-            } as AwsRefreshCredentials)
-
-            if (err instanceof SSOOIDCServiceException && isClientFault(err)) {
-                await this.cache.token.clear(this.tokenCacheKey)
+            if (!isNetworkError(err)) {
+                telemetry.aws_refreshCredentials.emit({
+                    result: getTelemetryResult(err),
+                    reason: getTelemetryReason(err),
+                    requestId: getRequestId(err),
+                    sessionDuration: getSessionDuration(this.tokenCacheKey),
+                    credentialType: 'bearerToken',
+                    credentialSourceId: this.profile.startUrl === builderIdStartUrl ? 'awsId' : 'iamIdentityCenter',
+                } as AwsRefreshCredentials)
+
+                if (err instanceof SSOOIDCServiceException && isClientFault(err)) {
+                    await this.cache.token.clear(this.tokenCacheKey)
+                }
             }
 
             throw err
diff --git a/src/shared/errors.ts b/src/shared/errors.ts
@@ -9,7 +9,7 @@ import { ServiceException } from '@aws-sdk/smithy-client'
 import { isThrottlingError, isTransientError } from '@aws-sdk/service-error-classification'
 import { Result } from './telemetry/telemetry'
 import { CancellationError } from './utilities/timeoutUtils'
-import { hasKey, isNonNullable } from './utilities/tsUtils'
+import { isNonNullable } from './utilities/tsUtils'
 import type * as fs from 'fs'
 import type * as os from 'os'
 
@@ -371,7 +371,7 @@ export function isAwsError(error: unknown): error is AWSError {
     return error instanceof Error && hasCode(error) && hasTime(error)
 }
 
-function hasCode(error: Error): error is typeof error & { code: string } {
+function hasCode<T>(error: T): error is T & { code: string } {
     return typeof (error as { code?: unknown }).code === 'string'
 }
 
@@ -403,7 +403,7 @@ export function getRequestId(error: unknown): string | undefined {
 export function isFileNotFoundError(err: unknown): boolean {
     if (err instanceof vscode.FileSystemError) {
         return err.code === vscode.FileSystemError.FileNotFound().code
-    } else if (isNonNullable(err) && typeof err === 'object' && hasKey(err, 'code')) {
+    } else if (hasCode(err)) {
         return err.code === 'ENOENT'
     }
 
@@ -417,7 +417,7 @@ export function isNoPermissionsError(err: unknown): boolean {
             // The code _should_ be `NoPermissions`, maybe this is a bug?
             (err.code === 'Unknown' && err.message.includes('EACCES: permission denied'))
         )
-    } else if (isNonNullable(err) && typeof err === 'object' && hasKey(err, 'code')) {
+    } else if (hasCode(err)) {
         return err.code === 'EACCES'
     }
 
@@ -494,3 +494,11 @@ export class PermissionsError extends ToolkitError {
         this.actual = actual
     }
 }
+
+export function isNetworkError(err?: unknown) {
+    if (!hasCode(err)) {
+        return false
+    }
+
+    return ['ENOTFOUND', 'EAI_AGAIN', 'ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT'].includes(err.code)
+}
diff --git a/src/test/credentials/auth.test.ts b/src/test/credentials/auth.test.ts
@@ -236,6 +236,16 @@ describe('Auth', function () {
             assert.ok(err2 instanceof ToolkitError)
             assert.strictEqual(err2.cause, err1)
         })
+
+        it('bubbles up networking issues instead of invalidating the connection', async function () {
+            const expected = new ToolkitError('test', { code: 'ETIMEDOUT' })
+            const conn = await auth.createConnection(ssoProfile)
+            auth.getTestTokenProvider(conn)?.getToken.rejects(expected)
+            const actual = await conn.getToken().catch(e => e)
+            assert.ok(actual instanceof ToolkitError)
+            assert.strictEqual(actual.cause, expected)
+            assert.strictEqual(auth.getConnectionState(conn), 'valid')
+        })
     })
 
     describe('Linked Connections', function () {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +{
 +	"type": "Bug Fix",
 +	"description": "auth: IAM Identity Center connections expire sooner than expected"
 +}
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ import { ServiceException } from '@aws-sdk/smithy-client'`
`9`	`9`	`import { isThrottlingError, isTransientError } from '@aws-sdk/service-error-classification'`
`10`	`10`	`import { Result } from './telemetry/telemetry'`
`11`	`11`	`import { CancellationError } from './utilities/timeoutUtils'`
`12`		`-import { hasKey, isNonNullable } from './utilities/tsUtils'`
	`12`	`+import { isNonNullable } from './utilities/tsUtils'`
`13`	`13`	`import type * as fs from 'fs'`
`14`	`14`	`import type * as os from 'os'`
`15`	`15`
`@@ -371,7 +371,7 @@ export function isAwsError(error: unknown): error is AWSError {`
`371`	`371`	`return error instanceof Error && hasCode(error) && hasTime(error)`
`372`	`372`	`}`
`373`	`373`
`374`		`-function hasCode(error: Error): error is typeof error & { code: string } {`
	`374`	`+function hasCode<T>(error: T): error is T & { code: string } {`
`375`	`375`	`return typeof (error as { code?: unknown }).code === 'string'`
`376`	`376`	`}`
`377`	`377`
`@@ -403,7 +403,7 @@ export function getRequestId(error: unknown): string \| undefined {`
`403`	`403`	`export function isFileNotFoundError(err: unknown): boolean {`
`404`	`404`	`if (err instanceof vscode.FileSystemError) {`
`405`	`405`	`return err.code === vscode.FileSystemError.FileNotFound().code`
`406`		`- } else if (isNonNullable(err) && typeof err === 'object' && hasKey(err, 'code')) {`
	`406`	`+ } else if (hasCode(err)) {`
`407`	`407`	`return err.code === 'ENOENT'`
`408`	`408`	`}`
`409`	`409`
`@@ -417,7 +417,7 @@ export function isNoPermissionsError(err: unknown): boolean {`
`417`	`417`	// The code _should_ be `NoPermissions`, maybe this is a bug?
`418`	`418`	`(err.code === 'Unknown' && err.message.includes('EACCES: permission denied'))`
`419`	`419`	`)`
`420`		`- } else if (isNonNullable(err) && typeof err === 'object' && hasKey(err, 'code')) {`
	`420`	`+ } else if (hasCode(err)) {`
`421`	`421`	`return err.code === 'EACCES'`
`422`	`422`	`}`
`423`	`423`
`@@ -494,3 +494,11 @@ export class PermissionsError extends ToolkitError {`
`494`	`494`	`this.actual = actual`
`495`	`495`	`}`
`496`	`496`	`}`
	`497`	`+`
	`498`	`+export function isNetworkError(err?: unknown) {`
	`499`	`+ if (!hasCode(err)) {`
	`500`	`+ return false`
	`501`	`+ }`
	`502`	`+`
	`503`	`+ return ['ENOTFOUND', 'EAI_AGAIN', 'ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT'].includes(err.code)`
	`504`	`+}`