aws · awschristou · Jan 13, 2020 · Jan 4, 2020 · Jan 4, 2020 · Jan 6, 2020
@@ -0,0 +1,4 @@
+{
+    "type": "Feature",
+    "description": "When credentials are invalid, more information is logged. A button has been added to the notification that opens the logs."
+}
@@ -0,0 +1,4 @@
+{
+    "type": "Feature",
+    "description": "When changes are made to Shared Credentials files, the changes will be picked up the next time that credentials are selected for connecting to AWS. This also fixes an issue that required users to close and re-open VS Code before Credentials changes were used by the Toolkit."
+}
@@ -0,0 +1,4 @@
+{
+    "type": "Feature",
+    "description": "Credentials were previously shown by their Shared Credentials profile names. They are now displayed in a \"type:name\" format, to better indicate the type of Credentials being used, and to support additional Credentials types in the future. Shared Credentials are shown with the type \"profile\"."
+}
@@ -87,8 +87,9 @@
     "AWS.log.invalidLevel": "Invalid log level: {0}",
     "AWS.message.loading": "Loading...",
     "AWS.message.credentials.error": "There was an issue trying to use credentials profile {0}: {1}",
-    "AWS.message.credentials.invalidProfile": "Credentials profile {0} is invalid",
-    "AWS.message.credentials.invalidProfile.help": "Get Help...",
+    "AWS.message.credentials.invalid": "Invalid Credentials {0}, see logs for more information.",
+    "AWS.message.credentials.invalid.help": "Get Help...",
+    "AWS.message.credentials.invalid.logs": "View logs",
     "AWS.message.enterProfileName": "Enter the name of the credential profile to use",
     "AWS.message.info.cloudFormation.delete": "Deleted CloudFormation Stack {0}",
     "AWS.message.error.cloudFormation.delete": "An error occurred while deleting CloudFormation Stack {0}. Please check the stack events on the AWS Console",

@@ -9,7 +9,6 @@ const localize = nls.loadMessageBundle()
 import * as vscode from 'vscode'
 import { AwsContext } from '../shared/awsContext'
 import { extensionSettingsPrefix } from '../shared/constants'
-import { DefaultCredentialsFileReaderWriter } from '../shared/credentials/defaultCredentialsFileReaderWriter'
 import { AwsExplorer } from './awsExplorer'
 
 /**
@@ -51,9 +50,7 @@ export async function checkExplorerForDefaultRegion(
     awsContext: AwsContext,
     awsExplorer: AwsExplorer
 ): Promise<void> {
-    const credentialReaderWriter = new DefaultCredentialsFileReaderWriter()
-
-    const profileRegion = await credentialReaderWriter.getDefaultRegion(profileName)
+    const profileRegion = awsContext.getCredentialDefaultRegion()
     if (!profileRegion) {
         return
     }

@@ -9,6 +9,8 @@ import { profileSettingKey } from '../shared/constants'
 import { CredentialsProfileMru } from '../shared/credentials/credentialsProfileMru'
 import { SettingsConfiguration } from '../shared/settingsConfiguration'
 import { LoginManager } from './loginManager'
+import { CREDENTIALS_PROVIDER_ID_SEPARATOR, makeCredentialsProviderId } from './providers/credentialsProviderId'
+import { SharedCredentialsProviderFactory } from './providers/sharedCredentialsProviderFactory'
 
 export interface CredentialsInitializeParameters {
     extensionContext: vscode.ExtensionContext
@@ -29,8 +31,17 @@ export async function loginWithMostRecentCredentials(
     toolkitSettings: SettingsConfiguration,
     loginManager: LoginManager
 ): Promise<void> {
-    const previousCredentialsId = toolkitSettings.readSetting(profileSettingKey, '')
+    let previousCredentialsId = toolkitSettings.readSetting<string>(profileSettingKey, '')
     if (previousCredentialsId) {
+        // Migrate from older Toolkits - If the last providerId isn't in the new CredentialProviderId format,
+        // treat it like a Shared Crdentials Provider.
+        if (previousCredentialsId.indexOf(CREDENTIALS_PROVIDER_ID_SEPARATOR) === -1) {
+            previousCredentialsId = makeCredentialsProviderId({
+                credentialType: SharedCredentialsProviderFactory.CREDENTIAL_TYPE,
+                credentialTypeId: previousCredentialsId
+            })
+        }
+
         await loginManager.login(previousCredentialsId)
     } else {
         await loginManager.logout()

@@ -6,27 +6,13 @@
 import * as nls from 'vscode-nls'
 const localize = nls.loadMessageBundle()
 
-import * as AWS from 'aws-sdk'
 import * as vscode from 'vscode'
 
 const ERROR_MESSAGE_USER_CANCELLED = localize(
     'AWS.error.mfa.userCancelled',
     'User cancelled entering authentication code'
 )
 
-export async function createCredentials(profileName: string): Promise<AWS.Credentials> {
-    const provider = new AWS.CredentialProviderChain([
-        () => new AWS.ProcessCredentials({ profile: profileName }),
-        () =>
-            new AWS.SharedIniFileCredentials({
-                profile: profileName,
-                tokenCodeFn: async (mfaSerial, callback) => await getMfaTokenFromUser(mfaSerial, profileName, callback)
-            })
-    ])
-
-    return provider.resolvePromise()
-}
-
 /**
  * @description Prompts user for MFA token
  *

@@ -5,11 +5,16 @@
 
 import * as AWS from 'aws-sdk'
 
+interface CredentialsData {
+    credentials: AWS.Credentials
+    credentialsHashCode: number
+}
+
 /**
  * Simple cache for credentials
  */
 export class CredentialsStore {
-    private readonly credentialsCache: { [key: string]: AWS.Credentials }
+    private readonly credentialsCache: { [key: string]: CredentialsData }
 
     public constructor() {
         this.credentialsCache = {}
@@ -19,26 +24,33 @@ export class CredentialsStore {
      * Returns undefined if credentials are not stored for given ID
      */
     public async getCredentials(credentialsId: string): Promise<AWS.Credentials | undefined> {
-        return this.credentialsCache[credentialsId]
+        return this.credentialsCache[credentialsId]?.credentials
     }
 
     /**
      * If credentials are not stored, the provided create function is called. Created credentials are then stored.
      */
     public async getCredentialsOrCreate(
         credentialsId: string,
-        createCredentialsFn: (credentialsId: string) => Promise<AWS.Credentials>
+        createCredentialsFn: (credentialsId: string) => Promise<CredentialsData>
     ): Promise<AWS.Credentials> {
-        let credentials = await this.getCredentials(credentialsId)
+        const credentials = await this.getCredentials(credentialsId)
 
         if (credentials) {
             return credentials
         }
 
-        credentials = await createCredentialsFn(credentialsId)
-        this.credentialsCache[credentialsId] = credentials
+        const newCredentials = await createCredentialsFn(credentialsId)
+        this.credentialsCache[credentialsId] = newCredentials
+
+        return newCredentials.credentials
+    }
 
-        return credentials
+    /**
+     * Returns undefined if credentials are not stored for given ID
+     */
+    public getCredentialsHashCode(credentialsId: string): number | undefined {
+        return this.credentialsCache[credentialsId]?.credentialsHashCode
     }
 
     /**

@@ -1,14 +1,19 @@
 /*!
- * Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
  */
 
+import * as nls from 'vscode-nls'
+const localize = nls.loadMessageBundle()
+
+import * as vscode from 'vscode'
 import { AwsContext } from '../shared/awsContext'
+import { credentialHelpUrl } from '../shared/constants'
 import { getAccountId } from '../shared/credentials/accountId'
-import { UserCredentialsUtils } from '../shared/credentials/userCredentialsUtils'
 import { getLogger } from '../shared/logger'
-import { createCredentials } from './credentialsCreator'
 import { CredentialsStore } from './credentialsStore'
+import { CredentialsProvider } from './providers/credentialsProvider'
+import { getCredentialsProviderManagerInstance } from './providers/credentialsProviderManager'
 
 export class LoginManager {
     private readonly credentialsStore: CredentialsStore = new CredentialsStore()
@@ -21,31 +26,40 @@ export class LoginManager {
      */
     public async login(credentialsId: string): Promise<void> {
         try {
-            const credentials = await this.credentialsStore.getCredentialsOrCreate(credentialsId, createCredentials)
+            const provider = await getCredentialsProviderManagerInstance().getCredentialsProvider(credentialsId)
+            if (!provider) {
+                throw new Error(`Could not find Credentials Provider for ${credentialsId}`)
+            }
+
+            await this.updateCredentialsStore(credentialsId, provider)
+
+            const credentials = await this.credentialsStore.getCredentials(credentialsId)
             if (!credentials) {
                 throw new Error(`No credentials found for id ${credentialsId}`)
             }
 
             // TODO : Get a region relevant to the partition for these credentials -- https://github.com/aws/aws-toolkit-vscode/issues/188
             const accountId = await getAccountId(credentials, 'us-east-1')
-
             if (!accountId) {
                 throw new Error('Could not determine Account Id for credentials')
             }
 
             await this.awsContext.setCredentials({
                 credentials: credentials,
                 credentialsId: credentialsId,
-                accountId: accountId
+                accountId: accountId,
+                defaultRegion: provider.getDefaultRegion()
             })
         } catch (err) {
-            getLogger().error('Error logging in', err as Error)
+            getLogger().error(
+                `Error trying to connect to AWS with Credentials Provider ${credentialsId}. Toolkit will now disconnect from AWS.`,
+                err as Error
+            )
             this.credentialsStore.invalidateCredentials(credentialsId)
 
             await this.logout()
 
-            // tslint:disable-next-line: no-floating-promises
-            UserCredentialsUtils.notifyUserCredentialsAreBad(credentialsId)
+            this.notifyUserInvalidCredentials(credentialsId)
         }
     }
 
@@ -55,4 +69,45 @@ export class LoginManager {
     public async logout(): Promise<void> {
         await this.awsContext.setCredentials(undefined)
     }
+
+    /**
+     * Updates the CredentialsStore if the credentials are considered different
+     */
+    private async updateCredentialsStore(credentialsId: string, provider: CredentialsProvider): Promise<void> {
+        const currentHash = this.credentialsStore.getCredentialsHashCode(credentialsId)
+        if (provider.getHashCode() !== currentHash) {
+            getLogger().verbose(`Credentials for ${credentialsId} have changed, using updated credentials.`)
+            this.credentialsStore.invalidateCredentials(credentialsId)
+        }
+
+        await this.credentialsStore.getCredentialsOrCreate(credentialsId, async () => {
+            return {
+                credentials: await provider.getCredentials(),
+                credentialsHashCode: provider.getHashCode()
+            }
+        })
+    }
+
+    private notifyUserInvalidCredentials(credentialProviderId: string) {
+        const getHelp = localize('AWS.message.credentials.invalid.help', 'Get Help...')
+        const viewLogs = localize('AWS.message.credentials.invalid.logs', 'View logs')
+
+        vscode.window
+            .showErrorMessage(
+                localize(
+                    'AWS.message.credentials.invalid',
+                    'Invalid Credentials {0}, see logs for more information.',
+                    credentialProviderId
+                ),
+                getHelp,
+                viewLogs
+            )
+            .then((selection: string | undefined) => {
+                if (selection === getHelp) {
+                    vscode.env.openExternal(vscode.Uri.parse(credentialHelpUrl))
+                } else if (selection === viewLogs) {
+                    vscode.commands.executeCommand('aws.viewLogs')
+                }
+            })
+    }
 }
@@ -0,0 +1,11 @@
+/*!
+ * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+export interface CredentialsProvider {
+    getCredentialsProviderId(): string
+    getDefaultRegion(): string | undefined
+    getHashCode(): number
+    getCredentials(): Promise<AWS.Credentials>
+}
@@ -0,0 +1,50 @@
+/*!
+ * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { CredentialsProvider } from './credentialsProvider'
+
+/**
+ * Responsible for producing CredentialsProvider objects for a Credential Type
+ */
+export interface CredentialsProviderFactory {
+    getCredentialType(): string
+    listProviders(): CredentialsProvider[]
+    getProvider(credentialsProviderId: string): CredentialsProvider | undefined
+    refresh(): Promise<void>
+}
+
+export abstract class BaseCredentialsProviderFactory<T extends CredentialsProvider>
+    implements CredentialsProviderFactory {
+    protected providers: T[] = []
+    public abstract getCredentialType(): string
+
+    public listProviders(): T[] {
+        return [...this.providers]
+    }
+
+    public getProvider(credentialsProviderId: string): CredentialsProvider | undefined {
+        for (const provider of this.providers) {
+            if (provider.getCredentialsProviderId() === credentialsProviderId) {
+                return provider
+            }
+        }
+
+        return undefined
+    }
+
+    public abstract async refresh(): Promise<void>
+
+    protected addProvider(provider: T) {
+        this.providers.push(provider)
+    }
+
+    protected removeProvider(provider: T) {
+        this.providers = this.providers.filter(x => x !== provider)
+    }
+
+    protected resetProviders() {
+        this.providers = []
+    }
+}
@@ -0,0 +1,30 @@
+/*!
+ * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+export const CREDENTIALS_PROVIDER_ID_SEPARATOR = ':'
+
+export interface CredentialsProviderIdComponents {
+    credentialType: string
+    credentialTypeId: string
+}
+
+export function makeCredentialsProviderIdComponents(credentialsProviderId: string): CredentialsProviderIdComponents {
+    const chunks = credentialsProviderId.split(CREDENTIALS_PROVIDER_ID_SEPARATOR)
+
+    if (chunks.length !== 2) {
+        throw new Error(`Unexpected credentialsProviderId format: ${credentialsProviderId}`)
+    }
+
+    return {
+        credentialType: chunks[0],
+        credentialTypeId: chunks[1]
+    }
+}
+
+export function makeCredentialsProviderId(credentialsProviderIdComponents: CredentialsProviderIdComponents): string {
+    return [credentialsProviderIdComponents.credentialType, credentialsProviderIdComponents.credentialTypeId].join(
+        CREDENTIALS_PROVIDER_ID_SEPARATOR
+    )
+}