fix: incorporate PR feedback

Author: liramon1

server/aws-lsp-identity/src/iam/iamProvider.ts

@@ -0,0 +1,29 @@
+import { AwsErrorCodes, IamCredentials, Profile, ProfileKind } from '@aws/language-server-runtimes/server-interface'
+import { AwsError, Observability } from '@aws/lsp-core'
+import { ProfileStore } from '../language-server/profiles/profileService'
+
+export class IamProvider {
+    constructor(
+        private readonly observability: Observability, // In case we need telemetry and logging in the future
+        private readonly profileStore: ProfileStore // Will be used when assuming role with source_profile
+    ) {}
+
+    async getCredential(profile: Profile, callStsOnInvalidIamCredential: boolean): Promise<IamCredentials> {
+        let credentials: IamCredentials
+        // Get the credentials directly from the profile
+        if (profile.kinds.includes(ProfileKind.IamCredentialsProfile)) {
+            credentials = {
+                accessKeyId: profile.settings!.aws_access_key_id!,
+                secretAccessKey: profile.settings!.aws_secret_access_key!,
+                sessionToken: profile.settings!.aws_session_token!,
+            }
+        } else {
+            throw new AwsError(
+                'Credentials could not be found for provided profile kind',
+                AwsErrorCodes.E_INVALID_PROFILE
+            )
+        }
+
+        return credentials
+    }
+}

server/aws-lsp-identity/src/iam/utils.ts

@@ -0,0 +1,38 @@
+import { IAMClient, SimulatePrincipalPolicyCommand, SimulatePrincipalPolicyCommandOutput } from '@aws-sdk/client-iam'
+import { GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts'
+import {
+    AwsErrorCodes,
+    GetMfaCodeParams,
+    GetMfaCodeResult,
+    IamCredentials,
+} from '@aws/language-server-runtimes/server-interface'
+import { AwsError } from '@aws/lsp-core'
+
+// Simulate permissions on the identity associated with the credentials
+export async function simulatePermissions(
+    credentials: IamCredentials,
+    permissions: string[],
+    region?: string
+): Promise<SimulatePrincipalPolicyCommandOutput> {
+    // Convert the credentials into an identity
+    const stsClient = new STSClient({ region: region || 'us-east-1', credentials: credentials })
+    const identity = await stsClient.send(new GetCallerIdentityCommand({}))
+    if (!identity.Arn) {
+        throw new AwsError('Caller identity ARN not found.', AwsErrorCodes.E_INVALID_PROFILE)
+    }
+
+    // Simulate permissions on the identity
+    const iamClient = new IAMClient({ region: region || 'us-east-1', credentials: credentials })
+    return await iamClient.send(
+        new SimulatePrincipalPolicyCommand({
+            PolicySourceArn: identity.Arn,
+            ActionNames: permissions,
+        })
+    )
+}
+
+export type SendGetMfaCode = (params: GetMfaCodeParams) => Promise<GetMfaCodeResult>
+
+export type IamHandlers = {
+    sendGetMfaCode: SendGetMfaCode
+}

server/aws-lsp-identity/src/language-server/identityServer.ts

@@ -19,6 +19,8 @@ import { SsoTokenAutoRefresher } from './ssoTokenAutoRefresher'
 import { AwsError, ServerBase } from '@aws/lsp-core'
 import { Features } from '@aws/language-server-runtimes/server-interface/server'
 import { ShowUrl, ShowMessageRequest, ShowProgress } from '../sso/utils'
+import { SendGetMfaCode } from '../iam/utils'
+import { IamProvider } from '../iam/iamProvider'
 
 export class IdentityServer extends ServerBase {
     constructor(features: Features) {
@@ -39,6 +41,7 @@ export class IdentityServer extends ServerBase {
         const showMessageRequest: ShowMessageRequest = (params: ShowMessageRequestParams) =>
             this.features.lsp.window.showMessageRequest(params)
         const showProgress: ShowProgress = this.features.lsp.sendProgress
+        const sendGetMfaCode: SendGetMfaCode = this.features.identityManagement.sendGetMfaCode
 
         // Initialize dependencies
         const profileStore = new SharedConfigProfileStore(this.observability)
@@ -51,11 +54,14 @@ export class IdentityServer extends ServerBase {
 
         const autoRefresher = new SsoTokenAutoRefresher(ssoCache, this.observability)
 
+        const iamProvider = new IamProvider(this.observability, profileStore)
+
         const identityService = new IdentityService(
             profileStore,
             ssoCache,
             autoRefresher,
-            { showUrl, showMessageRequest, showProgress },
+            iamProvider,
+            { showUrl, showMessageRequest, showProgress, sendGetMfaCode },
             this.getClientName(params),
             this.observability
         )

server/aws-lsp-identity/src/language-server/identityService.test.ts

@@ -16,6 +16,7 @@ import { Logging, Telemetry } from '@aws/language-server-runtimes/server-interfa
 import { Observability } from '@aws/lsp-core'
 import { STSClient } from '@aws-sdk/client-sts'
 import { IAMClient } from '@aws-sdk/client-iam'
+import { IamProvider } from '../iam/iamProvider'
 
 // eslint-disable-next-line
 use(require('chai-as-promised'))
@@ -25,6 +26,7 @@ let sut: IdentityService
 let profileStore: StubbedInstance<ProfileStore>
 let ssoCache: StubbedInstance<SsoCache>
 let autoRefresher: StubbedInstance<SsoTokenAutoRefresher>
+let iamProvider: StubbedInstance<IamProvider>
 let observability: StubbedInstance<Observability>
 let authFlowFn: SinonSpy
 
@@ -113,6 +115,14 @@ describe('IdentityService', () => {
             unwatch: undefined,
         }) as StubbedInstance<SsoTokenAutoRefresher>
 
+        iamProvider = stubInterface<IamProvider>({
+            getCredential: Promise.resolve({
+                accessKeyId: 'my-access-key',
+                secretAccessKey: 'my-secret-key',
+                sessionToken: 'my-session-token',
+            }),
+        })
+
         authFlowFn = spy(() =>
             Promise.resolve({
                 accessToken: 'my-access-token',
@@ -128,10 +138,12 @@ describe('IdentityService', () => {
             profileStore,
             ssoCache,
             autoRefresher,
+            iamProvider,
             {
                 showUrl: _ => {},
                 showMessageRequest: _ => Promise.resolve({ title: 'client-response' }),
                 showProgress: _ => Promise.resolve(),
+                sendGetMfaCode: () => Promise.resolve({ code: 'mfa-code' }),
             },
             'My Client',
             observability,
@@ -317,19 +329,12 @@ describe('IdentityService', () => {
     })
 
     describe('getIamCredential', () => {
-        it('Can login with access key and secret key.', async () => {
-            const actual = await sut.getIamCredential({ profileName: 'my-iam-profile' }, CancellationToken.None)
-
-            expect(actual.credentials.accessKeyId).to.equal('my-access-key')
-            expect(actual.credentials.secretAccessKey).to.equal('my-secret-key')
-        })
-
         it('Can login with access key, secret key, and session token.', async () => {
             const actual = await sut.getIamCredential({ profileName: 'my-sts-profile' }, CancellationToken.None)
 
-            expect(actual.credentials.accessKeyId).to.equal('my-access-key')
-            expect(actual.credentials.secretAccessKey).to.equal('my-secret-key')
-            expect(actual.credentials.sessionToken).to.equal('my-session-token')
+            expect(actual.credential.credentials.accessKeyId).to.equal('my-access-key')
+            expect(actual.credential.credentials.secretAccessKey).to.equal('my-secret-key')
+            expect(actual.credential.credentials.sessionToken).to.equal('my-session-token')
         })
     })
 

server/aws-lsp-identity/src/language-server/identityService.ts

@@ -9,14 +9,12 @@ import {
     getIamCredentialOptionsDefaults,
     GetSsoTokenParams,
     GetSsoTokenResult,
-    IamCredentials,
     IamIdentityCenterSsoTokenSource,
     InvalidateSsoTokenParams,
     InvalidateSsoTokenResult,
     MetricEvent,
     SsoSession,
     SsoTokenSourceKind,
-    ProfileKind,
 } from '@aws/language-server-runtimes/server-interface'
 
 import { normalizeSettingList, ProfileStore } from './profiles/profileService'
@@ -28,45 +26,31 @@ import {
     throwOnInvalidSsoSession,
     throwOnInvalidSsoSessionName,
     SsoFlowParams,
+    SsoHandlers,
 } from '../sso/utils'
+import { IamHandlers, simulatePermissions } from '../iam/utils'
 import { AwsError, Observability } from '@aws/lsp-core'
-import { GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts'
 import { __ServiceException } from '@aws-sdk/client-sso-oidc/dist-types/models/SSOOIDCServiceException'
 import { deviceCodeFlow } from '../sso/deviceCode/deviceCodeFlow'
 import { SSOToken } from '@smithy/shared-ini-file-loader'
-import { IAMClient, SimulatePrincipalPolicyCommand, SimulatePrincipalPolicyCommandOutput } from '@aws-sdk/client-iam'
+import { IamProvider } from '../iam/iamProvider'
 
 type SsoTokenSource = IamIdentityCenterSsoTokenSource | AwsBuilderIdSsoTokenSource
 type AuthFlows = Record<AuthorizationFlowKind, (params: SsoFlowParams) => Promise<SSOToken>>
+type Handlers = SsoHandlers & IamHandlers
 
 const flows: AuthFlows = {
     [AuthorizationFlowKind.DeviceCode]: deviceCodeFlow,
     [AuthorizationFlowKind.Pkce]: authorizationCodePkceFlow,
 }
-const qPermissions = [
-    'q:StartConversation',
-    'q:SendMessage',
-    'q:GetConversation',
-    'q:ListConversations',
-    'q:UpdateConversation',
-    'q:DeleteConversation',
-    'q:PassRequest',
-    'q:StartTroubleshootingAnalysis',
-    'q:StartTroubleshootingResolutionExplanation',
-    'q:GetTroubleshootingResults',
-    'q:UpdateTroubleshootingCommandResult',
-    'q:GetIdentityMetaData',
-    'q:GenerateCodeFromCommands',
-    'q:UsePlugin',
-    'codewhisperer:GenerateRecommendations',
-]
 
 export class IdentityService {
     constructor(
         private readonly profileStore: ProfileStore,
         private readonly ssoCache: SsoCache,
         private readonly autoRefresher: SsoTokenAutoRefresher,
-        private readonly handlers: SsoFlowParams['handlers'],
+        private readonly iamProvider: IamProvider,
+        private readonly handlers: Handlers,
         private readonly clientName: string,
         private readonly observability: Observability,
         private readonly authFlows: AuthFlows = flows
@@ -119,7 +103,7 @@ export class IdentityService {
                     clientName: this.clientName,
                     clientRegistration,
                     ssoSession,
-                    handlers: this.handlers,
+                    handlers: this.handlers as Pick<Handlers, keyof SsoHandlers>,
                     token,
                     observability: this.observability,
                 }
@@ -173,9 +157,7 @@ export class IdentityService {
             const options = { ...getIamCredentialOptionsDefaults, ...params.options }
 
             token.onCancellationRequested(_ => {
-                if (options.callStsOnInvalidIamCredential) {
-                    emitMetric('Cancelled', null)
-                }
+                emitMetric('Cancelled', null)
             })
 
             // Get the profile with provided name
@@ -186,33 +168,20 @@ export class IdentityService {
                 throw new AwsError('Profile not found.', AwsErrorCodes.E_PROFILE_NOT_FOUND)
             }
 
-            let credentials: IamCredentials
-            // Get the credentials directly from the profile
-            if (profile.kinds.includes(ProfileKind.IamCredentialsProfile)) {
-                credentials = {
-                    accessKeyId: profile.settings!.aws_access_key_id!,
-                    secretAccessKey: profile.settings!.aws_secret_access_key!,
-                    sessionToken: profile.settings!.aws_session_token!,
-                }
-            } else {
-                throw new AwsError('Credentials could not be found for profile', AwsErrorCodes.E_INVALID_PROFILE)
-            }
+            const credentials = await this.iamProvider.getCredential(profile, options.callStsOnInvalidIamCredential)
 
             // Validate permissions
-            if (options.validatePermissions) {
-                const response = await this.simulatePermissions(credentials, qPermissions, profile.settings?.region)
+            if (options.permissionSet.length > 0) {
+                const response = await simulatePermissions(credentials, options.permissionSet, profile.settings?.region)
                 if (!response?.EvaluationResults?.every(result => result.EvalDecision === 'allowed')) {
-                    throw new AwsError(
-                        `User or assumed role has insufficient permissions.`,
-                        AwsErrorCodes.E_INVALID_PROFILE
-                    )
+                    throw new AwsError(`Credentials have insufficient permissions.`, AwsErrorCodes.E_INVALID_PROFILE)
                 }
             }
 
             emitMetric('Succeeded')
+
             return {
-                id: profile.name,
-                credentials: credentials,
+                credential: { id: params.profileName, credentials: credentials },
                 updateCredentialsParams: { data: credentials, encrypted: false },
             }
         } catch (e) {
@@ -332,27 +301,4 @@ export class IdentityService {
 
         return ssoSession
     }
-
-    // Simulate permissions on the identity associated with the credentials
-    private async simulatePermissions(
-        credentials: IamCredentials,
-        permissions: string[],
-        region?: string
-    ): Promise<SimulatePrincipalPolicyCommandOutput> {
-        // Convert the credentials into an identity
-        const stsClient = new STSClient({ region: region || 'us-east-1', credentials: credentials })
-        const identity = await stsClient.send(new GetCallerIdentityCommand({}))
-        if (!identity.Arn) {
-            throw new AwsError('Caller identity ARN not found.', AwsErrorCodes.E_INVALID_PROFILE)
-        }
-
-        // Simulate permissions on the identity
-        const iamClient = new IAMClient({ region: region || 'us-east-1', credentials: credentials })
-        return await iamClient.send(
-            new SimulatePrincipalPolicyCommand({
-                PolicySourceArn: identity.Arn,
-                ActionNames: permissions,
-            })
-        )
-    }
 }

server/aws-lsp-identity/src/language-server/profiles/sharedConfigProfileStore.test.ts

@@ -99,7 +99,9 @@ describe('SharedConfigProfileStore', async () => {
                 {
                     kinds: [ProfileKind.Unknown],
                     name: 'subsettings',
-                    settings: {},
+                    settings: {
+                        region: undefined,
+                    },
                 },
                 {
                     kinds: [ProfileKind.SsoTokenProfile],
@@ -190,7 +192,9 @@ describe('SharedConfigProfileStore', async () => {
                     {
                         kinds: [ProfileKind.Unknown],
                         name: 'subsettings',
-                        settings: {},
+                        settings: {
+                            region: undefined,
+                        },
                     },
                     {
                         kinds: [ProfileKind.SsoTokenProfile],
@@ -286,7 +290,9 @@ describe('SharedConfigProfileStore', async () => {
                     {
                         kinds: [ProfileKind.Unknown],
                         name: 'subsettings',
-                        settings: {},
+                        settings: {
+                            region: undefined,
+                        },
                     },
                     {
                         kinds: ['SsoTokenProfile'],
@@ -434,7 +440,9 @@ describe('SharedConfigProfileStore', async () => {
                 {
                     kinds: [ProfileKind.Unknown],
                     name: 'subsettings',
-                    settings: {},
+                    settings: {
+                        region: undefined,
+                    },
                 },
             ],
             ssoSessions: [

server/aws-lsp-identity/src/language-server/profiles/sharedConfigProfileStore.ts

@@ -67,6 +67,8 @@ export class SharedConfigProfileStore implements ProfileStore {
                     // If the profile does not match any profile type, mark it as an unknown profile
                     if (profile.kinds.length === 0) {
                         profile.kinds.push(ProfileKind.Unknown)
+                        // Dummy field to avoid deleting profile when loading and saving 0 changes to the profile
+                        profile.settings!['region'] = settings['region']
                     }
                     result.profiles.push(profile)
                     break