Credentials Management

[awschristou]

Description

This change introduces a more managed approach to implementing Credentials Providers for the toolkit. The goal is to make it easier to onboard support for new credentials types moving forward. This design is very similar to the approach taken in the AWS Toolkit for JetBrains.

The design document is in #889

Integrating this new system brought about some functional changes and bug fixes.

New Behavior:

• added logging for Shared Credentials profiles detection and validation
• credentials are now shown by "credential provider id" instead of profile name (example: profile:default)
• whenever users run the "Connect to AWS" command, the Toolkit's list of available credentials providers is refreshed (eg: pulling the latest updates from the shared credentials files)
• Credentials are cached and re-used for the duration of a toolkit session. When logging in, if a Shared Credentials Profile has been modified since it was cached, the updated version of the profile will be used instead of the cached version now.
• updated the "Invalid Credentials" notification, and added a button guiding users to the logs
  

Out of scope:

• a follow-up PR will normalize all credentials related code locations
• a follow-up PR will normalize all user facing text and all code names related to credential vs profile. "profile" terminology will be removed except where explicitly referencing profiles. Previously, the codebase wrongly used these terms rather interchangeably.

Testing

• additional tests were added to the codebase
• with logging on verbose level:
  • bring up the 'connect to aws' credentials list successive times. See that the logs show that the shared credentials files are only loaded once
  • bring up the 'connect to aws' credentials, then modify the shared credentials files. Bring up the credentials list again. See that the logs show that the shared credentials files were loaded twice
  • set up profiles that make a cyclical reference, and that refer to a nonexistent profile. Bring up the 'connect to aws' credentials list, and see that these profiles are not in the list (and that their validation issues are logged)
  • log in with profile X. Edit the credentials file to alter profile X. log in again with profile X in the same toolkit session. See that the logs show the profile was re-loaded and the new version of X was used to make a connection.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (master@4a0e321). Click here to learn what that means.
The diff coverage is 81.25%.

@@            Coverage Diff            @@
##             master     #888   +/-   ##
=========================================
  Coverage          ?   57.32%           
=========================================
  Files             ?      163           
  Lines             ?     5819           
  Branches          ?      784           
=========================================
  Hits              ?     3336           
  Misses            ?     2483           
  Partials          ?        0

Impacted Files	Coverage Δ
src/credentials/activation.ts	0% <0%> (ø)
src/shared/defaultAwsContextCommands.ts	0% <0%> (ø)
src/lambda/wizards/samInitWizard.ts	39.72% <0%> (ø)
...redentials/providers/credentialsProviderManager.ts	100% <100%> (ø)
src/credentials/providers/credentialsProviderId.ts	100% <100%> (ø)
...ials/providers/sharedCredentialsProviderFactory.ts	92.85% <100%> (ø)
...redentials/providers/credentialsProviderFactory.ts	100% <100%> (ø)
src/shared/utilities/textUtilities.ts	83.33% <100%> (ø)
src/credentials/credentialsStore.ts	100% <100%> (ø)
...dentials/defaultCredentialSelectionDataProvider.ts	38.96% <100%> (ø)
... and 2 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4a0e321...ab3807e. Read the comment docs.

[bryceitoc9]

Only through half of the PR right now but did want to provide some feedback before EOD

[bryceitoc9]

Nit: I feel like we can preemptively make these generic (AWS.getHelp, AWS.viewLogs or something). Also, capitalize "Logs"

[awschristou]

I'm going to leave these strings as credentials concerns for now, but a separate pass over all of the text to look for general-purpose opportunities is a good idea.

Capitalizing Logs

[bryceitoc9]

I get that this will make it more seamless for a user but I don't care to have this lying around if it's solely for that purpose. I'd say just invalidate the existing credentials and have the user log back in...it's fast enough that it shouldn't be an issue. At most, give them a one-version grace period and mark this for deletion in the next release afterwards.

[awschristou]

This can be removed after a few versions. It makes for a better experience than seeing an "invalid credentials" notification, or a phantom log-out. It's low cost, the comment explains what is going on, and git history will tell us (if necessary) when this was added.

[bryceitoc9]

Nit: change the name to getOrCreateCredentials; put the actions first.

[awschristou]

Good catch

[awschristou]

Unfortunately, this was added in a separate PR, so the rename belongs in a separate PR.

[awschristou]

The cache has been updated to treat Credentials + Hash as one object, so I added the rename as well.

[bryceitoc9]

Nit: the toolkit wasn't connected to AWS in the first place.

[bryceitoc9]

I feel like you can just roll the filter statement from the getMissingProperties call into here and remove the statement.

[awschristou]

I don't follow.

[bryceitoc9]

Remove the getMissingProperties function and just call the array filter here.

[awschristou]

That felt more repetitive (see line 78). I figured there's more likelihood of adding similar checks in the future for other (future) property pairings.

[bryceitoc9]

Remove the getMissingProperties function and just call the array filter here.

[bryceitoc9]

= configFileExists.toString() ?

[bryceitoc9]

Do we need to explicitly set this value?

[awschristou]

Unfortunately, we want this envvar to reflect reality as close to when we're using shared credentials as possible. Otherwise you can get into states where errors are raised due to missing files, or where profile data is ignored in newly created files.

[bryceitoc9]

Can we just use a library?

[awschristou]

Prefer not to use a library -- we're pushing credentials profile data through this

[bryceitoc9]

Perhaps test a profile with a colon in the name.

[bryceitoc9]

Pull this out into the generic test utils.

[awschristou]

It makes sense to do that when there is a test that has a need for this to be shared

[bryceitoc9]

I'm shocked that we don't have a single utils dir and (I don't think) any tests that check substrings. This stays.

[kiiadi]

is this something that should be attached to the credential itself rather than a top-level on awsContext

[awschristou]

awsContext contains an AwsContextCredentials object, which then backs these calls. Would it make more sense to have a single getter for that object instead of getters for each property?

[kiiadi]

nit: I really don't like the "create a mutable variable, apply a conditional and maybe re-assign it's value cos it's convenient" pattern - I know it's tightly scoped but I really like to avoid mutability where possible. It's a smell.

I think you're better off changing this to something like :

const previousCredentialsId = toolkitSettings.readSetting<string>(profileSettingKey, '')

if (previousCredentialsId) {
    // Migrate from older Toolkits - If the last providerId isn't in the new CredentialProviderId format,
    // treat it like a Shared Crdentials Provider.
    const loginCredential = previousCredentialsId.indexOf(CREDENTIALS_PROVIDER_ID_SEPARATOR) === -1 ? 
        previousCredentialsId = makeCredentialsProviderId({
            credentialType: SharedCredentialsProviderFactory.CREDENTIAL_TYPE,
            credentialTypeId: previousCredentialsId
        }) : previousCredentialsId

    await loginManager.login(loginCredential)
} else {
    await loginManager.logout()
}

[awschristou]

I completely agree. Prefer immutable where possible. Will change

[kiiadi]

what is this for?

[awschristou]

It is a hash of the contents that were used to produce the credentials.
Its purpose is to detect when things like Shared Credentials Profiles change during a toolkit session.

[kiiadi]

Are these bubbled to the user? Should they be localized?

[bryceitoc9]

They're only surfaced to the user in the form of logs. Might be a good idea to surface the error to the user through the interface, but we definitely don't want to localize the logs.

[awschristou]

They are only logged (not placed in a notification). The current approach has been to only localize contents that are sent to the UI, and not logged materials.

[awschristou]

Take a look at the revamped notification in the PR description. The intent was to steer people to the logs if they were interested, without having to route specific details about the error into the UI.

[kiiadi]

Is an array / list really the right data-structure here? We seem to be doing lookup-style operations mostly that point to a dictionary / map being a better choice.

[awschristou]

The top access is a mix of "list all providers" and "get provider x" (the doc is currently open in #889 ). Collection still seems reasonable to me -- the lookups don't seem like they would have a heavy performance.

[kiiadi]

This "splitting by :" logic seems to have leaked into a bunch of places. A "CredentialProvider" has a type and identifier which together form a 'compound-style' key that we can use to store them - but couldn't that concern be localized into a credential ID object itself?

[awschristou]

I think it is only explicit in the tests, for readability. Anywhere in the toolkit code goes through the make/decode methods.

I initially stopped short of creating a credential provider id object. Since the intent was to support additional data in the future (using the separator), its probably saving future pain to make and pass around an object now instead of a string.

I'll give this a go.

[bryceitoc9]

Why not just use a template literal?

[awschristou]

Personal preference on this one, I find this more legible than ${credentialsProviderId.credentialType}${CREDENTIALS_PROVIDER_ID_SEPARATOR}${credentialsProviderId.credentialTypeId}