Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix: force reauth when client registration is not found in cache #5102

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Fix: force reauth when client registration is not found in cache #5102

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
6cb8f1f
initial commit
samgst-amazon Nov 18, 2024
f1d29ef
detekt
samgst-amazon Nov 18, 2024
9b7c3a5
Merge branch 'main' into samgst/ReauthOnLostClientRegistration
samgst-amazon Dec 5, 2024
9686ab5
Merge branch 'main' into samgst/ReauthOnLostClientRegistration
samgst-amazon Dec 5, 2024
dafd506
diskCacheTests
samgst-amazon Dec 12, 2024
81098fa
SsoAccessTokenProvider tests
samgst-amazon Dec 12, 2024
72d57fe
Merge branch 'main' into samgst/ReauthOnLostClientRegistration
samgst-amazon Dec 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions ...jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/sso/DiskCache.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,9 @@ class DiskCache(
reason = "Failed to load Client Registration",
reasonDesc = "Load Step:$stage failed. Cache file does not exist"
)
if (source == SsoAccessTokenProvider.SourceOfLoadRegistration.REFRESH_TOKEN.toString()) {
throw ClientRegistrationNotFoundException()
}
return null
}
return loadClientRegistration(inputStream)
Expand Down Expand Up @@ -320,3 +323,5 @@ class DiskCache(
private val LOG = getLogger<DiskCache>()
}
}

class ClientRegistrationNotFoundException : RuntimeException("Client registration file not found")
4 changes: 4 additions & 0 deletions ...munity/src/software/aws/toolkits/jetbrains/core/credentials/sso/SsoAccessTokenProvider.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -434,6 +434,10 @@ class SsoAccessTokenProvider(
is DeviceAuthorizationGrantToken -> loadDagClientRegistration(SourceOfLoadRegistration.REFRESH_TOKEN.toString())
is PKCEAuthorizationGrantToken -> loadPkceClientRegistration(SourceOfLoadRegistration.REFRESH_TOKEN.toString())
}
} catch (e: ClientRegistrationNotFoundException) {
// invalidate tokens to force a reauth
invalidate()
null
} catch (e: Exception) {
val message = e.message ?: "$stageName: ${e::class.java.name}"
sendRefreshCredentialsMetric(
Expand Down
28 changes: 28 additions & 0 deletions ...rains-community/tst/software/aws/toolkits/jetbrains/core/credentials/sso/DiskCacheTest.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import com.intellij.openapi.util.SystemInfo
import com.intellij.openapi.util.io.NioFiles
import com.intellij.testFramework.ApplicationExtension
import org.assertj.core.api.Assertions.assertThat
import org.assertj.core.api.Assertions.assertThatThrownBy
import org.junit.jupiter.api.BeforeEach
import org.junit.jupiter.api.Test
import org.junit.jupiter.api.condition.DisabledOnOs
Expand Down Expand Up @@ -714,4 +715,31 @@ class DiskCacheTest {
.usingRecursiveComparison()
.isEqualTo(sut.loadAccessToken(key2))
}

@Test
fun `loadClientRegistration returns null when file not found during registration`() {
val key = DeviceAuthorizationClientRegistrationCacheKey(
startUrl = ssoUrl,
scopes = scopes,
region = ssoRegion
)

assertThat(sut.loadClientRegistration(key, SsoAccessTokenProvider.SourceOfLoadRegistration.REGISTER_CLIENT.toString())).isNull()
}

@Test
fun `loadClientRegistration throws exception when file not found during refresh`() {
val key = DeviceAuthorizationClientRegistrationCacheKey(
startUrl = ssoUrl,
scopes = scopes,
region = ssoRegion
)

assertThatThrownBy {
sut.loadClientRegistration(
key,
SsoAccessTokenProvider.SourceOfLoadRegistration.REFRESH_TOKEN.toString()
)
}.isInstanceOf(ClientRegistrationNotFoundException::class.java)
}
}
33 changes: 33 additions & 0 deletions ...ty/tst/software/aws/toolkits/jetbrains/core/credentials/sso/SsoAccessTokenProviderTest.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -479,6 +479,39 @@ class SsoAccessTokenProviderTest {
verify(ssoCache).invalidateAccessToken(ssoUrl)
}

@Test
fun `refreshToken invalidates tokens when client registration not found during refresh`() {
setPkceTrue()

val accessToken = PKCEAuthorizationGrantToken(
ssoUrl,
ssoRegion,
"dummyToken",
"refreshToken",
clock.instant(),
clock.instant()
)

ssoCache.stub {
on(ssoCache.loadAccessToken(any<PKCEAccessTokenCacheKey>()))
.thenReturn(accessToken)
on(
ssoCache.loadClientRegistration(
any<PKCEClientRegistrationCacheKey>(),
eq(SsoAccessTokenProvider.SourceOfLoadRegistration.REFRESH_TOKEN.toString())
)
).thenThrow(ClientRegistrationNotFoundException())
}

assertThatThrownBy {
runBlocking {
sut.refreshToken(sut.accessToken())
}
}.isInstanceOf(InvalidClientException::class.java)

verify(ssoCache, times(2)).invalidateAccessToken(any<AccessTokenCacheKey>())
}

private fun setupCacheStub(expirationClientRegistration: Instant) {
setupCacheStub(DeviceAuthorizationClientRegistration(clientId, clientSecret, expirationClientRegistration))
}
Expand Down
Loading