auth: emit user scopes in auth_userState (#5019)

Author: hayemaxi

packages/amazonq/src/auth/util.ts

@@ -5,7 +5,7 @@
 
 import { AuthUtil } from 'aws-core-vscode/codewhisperer'
 import { AuthStatus } from 'aws-core-vscode/telemetry'
-import { AwsConnection, Connection, AuthUtils } from 'aws-core-vscode/auth'
+import { AwsConnection, Connection, SsoConnection, AuthUtils } from 'aws-core-vscode/auth'
 import { activateExtension, getLogger } from 'aws-core-vscode/shared'
 import { VSCODE_EXTENSION_ID } from 'aws-core-vscode/utils'
 
@@ -15,6 +15,7 @@ export async function getAuthStatus() {
     const authState = (await AuthUtil.instance.getChatAuthState()).codewhispererChat
     let authEnabledConnections = AuthUtils.getAuthFormIdsFromConnection(AuthUtil.instance.conn)
     let authStatus: AuthStatus = authState === 'connected' || authState === 'expired' ? authState : 'notConnected'
+    let authScopes: string[] = (AuthUtil.instance.conn as SsoConnection)?.scopes ?? []
 
     // If the Q extension does not have its own connection, it will fallback and check
     // if the Toolkit extension can provide a connection that works with Q
@@ -33,10 +34,11 @@ export async function getAuthStatus() {
             // Though TS won't say it, AwsConnection sufficiently overlaps with Connection for the purposes
             // of `getAuthFormIdsFromConnection`
             authEnabledConnections = AuthUtils.getAuthFormIdsFromConnection(autoConnectConn as unknown as Connection)
+            authScopes = autoConnectConn.scopes ?? []
         }
     }
 
-    return { authStatus, authEnabledConnections: authEnabledConnections.join(',') }
+    return { authStatus, authEnabledConnections: authEnabledConnections.join(','), authScopes: authScopes.join(',') }
 }
 
 /**

packages/amazonq/src/extensionShared.ts

@@ -156,10 +156,11 @@ export async function activateShared(context: vscode.ExtensionContext, isWeb: bo
             telemetry.record({ source: ExtStartUpSources.reload })
         }
 
-        const { authStatus, authEnabledConnections } = await getAuthStatus()
+        const { authStatus, authEnabledConnections, authScopes } = await getAuthStatus()
         telemetry.record({
             authStatus,
             authEnabledConnections,
+            authScopes,
         })
     })
 }

packages/core/src/auth/index.ts

@@ -10,7 +10,7 @@
  */
 export { initialize as initializeAuth } from './activation'
 export { initializeAwsCredentialsStatusBarItem } from './ui/statusBarItem'
-export { Connection, AwsConnection } from './connection'
+export { Connection, AwsConnection, SsoConnection } from './connection'
 export { Auth } from './auth'
 export { CredentialsStore } from './credentials/store'
 export { LoginManager } from './deprecated/loginManager'

packages/core/src/extensionShared.ts

@@ -46,6 +46,7 @@ import { ExtStartUpSources } from './shared/telemetry/util'
 import { ExtensionUse, getAuthFormIdsFromConnection } from './auth/utils'
 import { Auth } from './auth'
 import { AuthFormId } from './auth/ui/vue/authForms/types'
+import { isSsoConnection } from './auth/connection'
 
 // In web mode everything must be in a single file, so things like the endpoints file will not be available.
 // The following imports the endpoints file, which causes webpack to bundle it in the final output file
@@ -256,6 +257,7 @@ export async function emitUserState() {
 
         let authStatus: AuthStatus = 'notConnected'
         const enabledConnections: Set<AuthFormId> = new Set()
+        const enabledScopes: Set<string> = new Set()
         if (Auth.instance.hasConnections) {
             authStatus = 'expired'
             ;(await Auth.instance.listConnections()).forEach(conn => {
@@ -265,11 +267,15 @@ export async function emitUserState() {
                 }
 
                 getAuthFormIdsFromConnection(conn).forEach(id => enabledConnections.add(id))
+                if (isSsoConnection(conn)) {
+                    conn.scopes?.forEach(s => enabledScopes.add(s))
+                }
             })
         }
         telemetry.record({
             authStatus,
             authEnabledConnections: [...enabledConnections].join(','),
+            authScopes: [...enabledScopes].join(','),
         })
     })
 }

packages/core/src/shared/telemetry/vscodeTelemetry.json

@@ -323,6 +323,11 @@
             "type": "string",
             "description": "Comma-delimited list of enabled auths."
         },
+        {
+            "name": "authScopes",
+            "type": "string",
+            "description": "Comma-delimited list of scopes that user has."
+        },
         {
             "name": "region",
             "type": "string",
@@ -1116,6 +1121,10 @@
                     "type": "authStatus",
                     "required": true
                 },
+                {
+                    "type": "authScopes",
+                    "required": false
+                },
                 {
                     "type": "authEnabledConnections",
                     "required": true
@@ -1217,6 +1226,10 @@
                     "type": "authEnabledFeatures",
                     "required": false
                 },
+                {
+                    "type": "authScopes",
+                    "required": false
+                },
                 {
                     "type": "reason",
                     "required": false