fix(amazonq): fix iam credential update logic to use custom comparator and added buffer time in cred validation #8070
Conversation
…r and added buffer time in cred validation
|
⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done |
|
|
✅ I finished the code review, and didn't find any security or code quality issues. |
|
/retryBuilds |
packages/amazonq/src/lsp/auth.ts
Outdated
| } | ||
|
|
||
| public updateIamCredentials = onceChanged(this._updateIamCredentials.bind(this)) | ||
| private areCredentialsEqual(creds1: any, creds2: any): boolean { |
There was a problem hiding this comment.
Ack, let me check if it can be moved to auth related util
There was a problem hiding this comment.
fixed in new commit
packages/amazonq/src/lsp/auth.ts
Outdated
|
|
||
| public updateIamCredentials = onceChanged(this._updateIamCredentials.bind(this)) | ||
| private areCredentialsEqual(creds1: any, creds2: any): boolean { | ||
| if (!creds1 && !creds2) return true |
There was a problem hiding this comment.
Shouldn't this be false? We want this method to return true only if the creds are not empty and contain the same values right?
There was a problem hiding this comment.
No, refactored logic however when credentials object is empty, we don't want updateIAM call to be invoked right?
- the wrapper controls when to invoke update iam call alone and doesn't force creating a new credential object
packages/core/src/auth/auth.ts
Outdated
| if (creds !== undefined && creds.credentialsHashCode === provider.getHashCode()) { | ||
| return creds.credentials | ||
| } | ||
| return undefined |
There was a problem hiding this comment.
By default the method returns undefined, added explicit statement, can this be nit?
| import { getLogger } from '../../shared/logger/logger' | ||
| import { asString, CredentialsProvider, CredentialsId } from '../providers/credentials' | ||
| import { CredentialsProviderManager } from '../providers/credentialsProviderManager' | ||
| // import { get } from 'lodash' |
There was a problem hiding this comment.
addressed with new commit
| return expiration !== undefined ? expiration >= new globals.clock.Date() : true | ||
| const now = new globals.clock.Date() | ||
| const bufferedNow = new globals.clock.Date(now.getTime() + expirationBufferMs) | ||
| const isValid = expiration !== undefined ? expiration >= bufferedNow : true |
There was a problem hiding this comment.
Why are we adding 60 seconds? Not sure I follow the buffer logic. Can you explain this via inline code comments?
There was a problem hiding this comment.
- Adding buffer time as a defensive programming practice here to refresh/rotate credentials before they actually expire
- SSO Token expiration logic also follows similar pattern
There was a problem hiding this comment.
Already added inline comment
|
/retryBuilds |
|
⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done |
|
✅ I finished the code review, and didn't find any security or code quality issues. |
5 participants
Problem
Solution
secretAccessKey, sessionToken) instead of string comparison
npm run package && npm run testsucceededfeature/xbranches will not be squash-merged at release time.