test(ec2): add security related unit tests

packages/core/src/codewhisperer/commands/basicCommands.ts

@@ -41,8 +41,9 @@ import { ToolkitError, getTelemetryReason, getTelemetryReasonDesc } from '../../
 import { isRemoteWorkspace } from '../../shared/vscode/env'
 import { isBuilderIdConnection } from '../../auth/connection'
 import globals from '../../shared/extensionGlobals'
-import { getVscodeCliPath, tryRun } from '../../shared/utilities/pathFind'
+import { getVscodeCliPath } from '../../shared/utilities/pathFind'
 import { setContext } from '../../shared/vscode/setContext'
+import { tryRun } from '../../shared/utilities/pathFind'
 
 const MessageTimeOut = 5_000
 

packages/core/src/shared/remoteSession.ts

@@ -30,7 +30,7 @@ export interface MissingTool {
     readonly reason?: string
 }
 
-const minimumSsmActions = [
+export const minimumSsmActions = [
     'ssmmessages:CreateControlChannel',
     'ssmmessages:CreateDataChannel',
     'ssmmessages:OpenControlChannel',

packages/core/src/shared/utilities/pathFind.ts

@@ -6,44 +6,17 @@
 import * as vscode from 'vscode'
 import * as path from 'path'
 import fs from '../../shared/fs/fs'
-import { ChildProcess, ChildProcessOptions } from './processUtils'
 import { GitExtension } from '../extensions/git'
 import { Settings } from '../settings'
-import { getLogger } from '../logger/logger'
+import { ChildProcess, ChildProcessOptions } from './processUtils'
+import { getLogger } from '..'
 
 /** Full path to VSCode CLI. */
 let vscPath: string
 let sshPath: string
 let gitPath: string
 let bashPath: string
 
-/**
- * Tries to execute a program at path `p` with the given args and
- * optionally checks the output for `expected`.
- *
- * @param p path to a program to execute
- * @param args program args
- * @param doLog log failures
- * @param expected output must contain this string
- */
-export async function tryRun(
-    p: string,
-    args: string[],
-    logging: 'yes' | 'no' | 'noresult' = 'yes',
-    expected?: string,
-    opt?: ChildProcessOptions
-): Promise<boolean> {
-    const proc = new ChildProcess(p, args, { logging: 'no' })
-    const r = await proc.run(opt)
-    const ok = r.exitCode === 0 && (expected === undefined || r.stdout.includes(expected))
-    if (logging === 'noresult') {
-        getLogger().info('tryRun: %s: %s', ok ? 'ok' : 'failed', proc)
-    } else if (logging !== 'no') {
-        getLogger().info('tryRun: %s: %s %O', ok ? 'ok' : 'failed', proc, proc.result())
-    }
-    return ok
-}
-
 /**
  * Gets the fullpath to `code` (VSCode CLI), or falls back to "code" (not
  * absolute) if it works.
@@ -115,8 +88,8 @@ export async function findTypescriptCompiler(): Promise<string | undefined> {
  * Gets the configured `ssh` path, or falls back to "ssh" (not absolute),
  * or tries common locations, or returns undefined.
  */
-export async function findSshPath(): Promise<string | undefined> {
-    if (sshPath !== undefined) {
+export async function findSshPath(useCache: boolean = true): Promise<string | undefined> {
+    if (useCache && sshPath !== undefined) {
         return sshPath
     }
 
@@ -133,7 +106,7 @@ export async function findSshPath(): Promise<string | undefined> {
             continue
         }
         if (await tryRun(p, ['-G', 'x'], 'noresult' /* "ssh -G" prints quasi-sensitive info. */)) {
-            sshPath = p
+            sshPath = useCache ? p : sshPath
             return p
         }
     }
@@ -180,3 +153,30 @@ export async function findBashPath(): Promise<string | undefined> {
         }
     }
 }
+
+/**
+ * Tries to execute a program at path `p` with the given args and
+ * optionally checks the output for `expected`.
+ *
+ * @param p path to a program to execute
+ * @param args program args
+ * @param doLog log failures
+ * @param expected output must contain this string
+ */
+export async function tryRun(
+    p: string,
+    args: string[],
+    logging: 'yes' | 'no' | 'noresult' = 'yes',
+    expected?: string,
+    opt?: ChildProcessOptions
+): Promise<boolean> {
+    const proc = new ChildProcess(p, args, { logging: 'no' })
+    const r = await proc.run(opt)
+    const ok = r.exitCode === 0 && (expected === undefined || r.stdout.includes(expected))
+    if (logging === 'noresult') {
+        getLogger().info('tryRun: %s: %s', ok ? 'ok' : 'failed', proc)
+    } else if (logging !== 'no') {
+        getLogger().info('tryRun: %s: %s %O', ok ? 'ok' : 'failed', proc, proc.result())
+    }
+    return ok
+}

packages/core/src/test/shared/remoteSession.test.ts

@@ -0,0 +1,32 @@
+/*!
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import assert from 'assert'
+import { minimumSsmActions, promptToAddInlinePolicy } from '../../shared/remoteSession'
+import { IamClient } from '../../shared/clients/iamClient'
+import { getTestWindow } from './vscode/window'
+import { cancel } from '../../shared'
+
+describe('minimumSsmActions', function () {
+    it('should contain minimal actions needed for ssm connection', function () {
+        assert.deepStrictEqual(minimumSsmActions, [
+            'ssmmessages:CreateControlChannel',
+            'ssmmessages:CreateDataChannel',
+            'ssmmessages:OpenControlChannel',
+            'ssmmessages:OpenDataChannel',
+            'ssm:DescribeAssociation',
+            'ssm:ListAssociations',
+            'ssm:UpdateInstanceInformation',
+        ])
+    })
+
+    it('prompts the user for confirmation before adding policies and allow cancels', async function () {
+        getTestWindow().onDidShowMessage((message) => {
+            assert.ok(message.message.includes('add'), 'should prompt to add policies')
+            getTestWindow().getFirstMessage().selectItem(cancel)
+        })
+        const added = await promptToAddInlinePolicy({} as IamClient, 'roleArnTest')
+        assert.ok(!added, 'should not add policies by default')
+    })
+})

packages/core/src/test/shared/utilities/pathFind.test.ts

@@ -7,16 +7,15 @@ import assert from 'assert'
 import * as vscode from 'vscode'
 import * as os from 'os'
 import * as path from 'path'
-
 import * as testutil from '../../testUtil'
-import { findTypescriptCompiler, getVscodeCliPath } from '../../../shared/utilities/pathFind'
 import { fs } from '../../../shared'
+import { findSshPath, findTypescriptCompiler, getVscodeCliPath } from '../../../shared/utilities/pathFind'
+import { isWin } from '../../../shared/vscode/env'
 
 describe('pathFind', function () {
     it('findTypescriptCompiler()', async function () {
-        const iswin = process.platform === 'win32'
         const workspace = vscode.workspace.workspaceFolders![0]
-        const tscNodemodules = path.join(workspace.uri.fsPath, `foo/bar/node_modules/.bin/tsc${iswin ? '.cmd' : ''}`)
+        const tscNodemodules = path.join(workspace.uri.fsPath, `foo/bar/node_modules/.bin/tsc${isWin() ? '.cmd' : ''}`)
         await fs.delete(tscNodemodules, { force: true })
 
         // The test workspace normally doesn't have node_modules so this will
@@ -42,4 +41,50 @@ describe('pathFind', function () {
         const regex = /bin[\\\/](code|code-insiders)$/
         assert.ok(regex.test(vscPath), `expected regex ${regex} to match: "${vscPath}"`)
     })
+
+    describe('findSshPath', function () {
+        it('first tries ssh in $PATH', async function () {
+            const workspace = await testutil.createTestWorkspaceFolder()
+            const fakeSshPath = path.join(workspace.uri.fsPath, `ssh${isWin() ? '.cmd' : ''}`)
+
+            await testutil.withEnvPath(workspace.uri.fsPath, async () => {
+                const firstResult = await findSshPath(false)
+
+                await testutil.createExecutableFile(fakeSshPath, 'echo "this is ssh"')
+
+                const secondResult = await findSshPath(false)
+
+                assert.notStrictEqual(firstResult, secondResult)
+                assert.strictEqual(secondResult, 'ssh')
+            })
+        })
+
+        it('only returns executable ssh path', async function () {
+            const workspace = await testutil.createTestWorkspaceFolder()
+            const fakeSshPath = path.join(workspace.uri.fsPath, `ssh${isWin() ? '.cmd' : ''}`)
+            await fs.writeFile(fakeSshPath, 'this is not executable')
+
+            await testutil.withEnvPath(workspace.uri.fsPath, async () => {
+                const firstResult = await findSshPath(false)
+                assert.notStrictEqual(firstResult, 'ssh')
+            })
+        })
+
+        it('caches result from previous runs', async function () {
+            const workspace = await testutil.createTestWorkspaceFolder()
+            const fakeSshPath = path.join(workspace.uri.fsPath, `ssh${isWin() ? '.cmd' : ''}`)
+            await testutil.createExecutableFile(fakeSshPath, 'echo "this is ssh"')
+
+            await testutil.withEnvPath(workspace.uri.fsPath, async () => {
+                const firstResult = await findSshPath(true)
+
+                await fs.delete(fakeSshPath)
+
+                const secondResult = await findSshPath(true)
+
+                assert.strictEqual(firstResult, secondResult)
+                assert.strictEqual(secondResult, 'ssh')
+            })
+        })
+    })
 })

packages/core/src/test/shared/utilities/testUtil.test.ts

@@ -0,0 +1,28 @@
+/*!
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import assert from 'assert'
+import { createTestWorkspaceFolder, readEnvPath, withEnvPath } from '../../testUtil'
+
+describe('withEnvPath', function () {
+    it('resets path when error in task', async function () {
+        const originalPath = readEnvPath()
+        const tempFolder = await createTestWorkspaceFolder()
+        try {
+            await withEnvPath(tempFolder.uri.fsPath, async () => {
+                throw new Error()
+            })
+        } catch {}
+        assert.strictEqual(readEnvPath(), originalPath)
+    })
+
+    it('changes $PATH temporarily', async function () {
+        const originalPath = readEnvPath()
+        const tempFolder = await createTestWorkspaceFolder()
+        await withEnvPath(tempFolder.uri.fsPath, async () => {
+            assert.strictEqual(readEnvPath(), tempFolder.uri.fsPath)
+        })
+        assert.strictEqual(readEnvPath(), originalPath)
+    })
+})

packages/core/src/test/testUtil.ts

@@ -614,3 +614,25 @@ export function tryRegister(command: DeclaredCommand<() => Promise<any>>) {
 export function getFetchStubWithResponse(response: Partial<Response>) {
     return stub(request, 'fetch').returns({ response: new Promise((res, _) => res(response)) } as any)
 }
+
+export function setEnvPath(newPath: string): void {
+    process.env.PATH = newPath
+}
+
+export function readEnvPath(): string {
+    return process.env.PATH || ''
+}
+/**
+ * Overwrite the $PATH environment variable for the span of the provided task, then reset it.
+ * @param newPath temporary $PATH value
+ * @param task work to be done with $PATH set.
+ */
+export async function withEnvPath(newPath: string, task: () => Promise<void>): Promise<void | never> {
+    const originalPath = readEnvPath()
+    setEnvPath(newPath)
+    try {
+        await task()
+    } finally {
+        setEnvPath(originalPath)
+    }
+}