Concept: IDE extensions provide credentials to language server (#523)

This change demonstrates how we can let the IDE extension handle credentials configuration/resolution, and provide credentials into the language servers. This way, the language servers do not have to maintain an identical credential management implementation, which can drift over time.

When the server is started with a specific command line argument, the server waits to receive the encryption key over stdin before listening for the LSP protocol. Extensions then pass a marker through the LSP Initialization message. When the server detects this marker, it registers a custom notification handler that will be used to receive credentials. The extension then pushes credentials (using custom notification messages) whenever the credential state changes. In this way, the server always has credentials available for use. At times when no credentials can be resolved, the server's credentials are "un-set".

The sample S3 language server has been updated with this credentials concept. The sample VS and VS Code extensions have been updated with ways to simulate resolving credentials, and pushing them to the language server.

This concept is subject to additional changes before its initial release.

Author: awschristou

.prettierignore

@@ -1 +1,2 @@
-telemetry/service/service-model.json
+telemetry/definitions/commonDefinitions.json
+telemetry/service/service-model.json

lsp/.vscode/launch.json

@@ -51,14 +51,15 @@
             "preLaunchTask": "npm: compile"
         },
         {
-            "name": "S3 Server",
+            "name": "S3 Server (with Credentials support)",
             "type": "extensionHost",
             "request": "launch",
             "runtimeExecutable": "${execPath}",
             "args": ["--extensionDevelopmentPath=${workspaceFolder}/client/vscode"],
             "outFiles": ["${workspaceFolder}/client/vscode/out/**/*.js"],
             "env": {
-                "LSP_SERVER": "${workspaceFolder}/app/aws-lsp-s3-binary/out/index.js"
+                "LSP_SERVER": "${workspaceFolder}/app/aws-lsp-s3-binary/out/index.js",
+                "ENABLE_IAM_PROVIDER": "true"
             },
             "preLaunchTask": "npm: compile"
         },

lsp/README.md

@@ -29,7 +29,12 @@ Monorepo
 ── server - packages that contain Language Server implementations
     └── aws-lsp-buildspec - Language Server that wraps a JSON Schema for CodeBuild buildspec
     └── aws-lsp-cloudformation - Language Server that wraps a JSON Schema for CloudFormation
+    └── aws-lsp-codewhisperer - Language Server that surfaces CodeWhisperer recommendations
+                              - experimental. Shows how recommendations can surface through
+                                completion lists and as ghost text
     └── aws-lsp-s3 - Example language server that provides S3 bucket names as completion items
+                   - Shows a concept where credentials can be provided from an IDE extension
+                     (See vscode and vs client readmes)
 ```
 
 ## How To Contribute

lsp/app/aws-lsp-s3-binary/src/index.ts

@@ -1,17 +1,82 @@
+import {
+    AwsInitializationOptions,
+    EncryptionInitialization,
+    IdeCredentialsProvider,
+    shouldWaitForEncryptionKey,
+    validateEncryptionDetails,
+} from '@lsp-placeholder/aws-lsp-core'
 import { S3Server, S3ServerProps, S3ServiceProps, createS3ervice } from '@lsp-placeholder/aws-lsp-s3'
+import { Readable } from 'stream'
 import { ProposedFeatures, createConnection } from 'vscode-languageserver/node'
 
-const connection = createConnection(ProposedFeatures.all)
+const lspConnection = createConnection(ProposedFeatures.all)
 
-const serviceProps: S3ServiceProps = {
-    displayName: S3Server.serverId,
+if (shouldWaitForEncryptionKey()) {
+    // Before starting the language server, accept encryption initialization details
+    // directly from the host. This avoids writing the key to the same channel used
+    // to send encrypted data.
+    // Contract: Only read up to (and including) the first newline (\n).
+    readLine(process.stdin).then(input => {
+        const encryptionDetails = JSON.parse(input) as EncryptionInitialization
+
+        validateEncryptionDetails(encryptionDetails)
+
+        createServer(lspConnection, encryptionDetails.key)
+    })
+} else {
+    createServer(lspConnection)
 }
 
-const cloudformationService = createS3ervice(serviceProps)
+/**
+ * Read from the given stream, stopping after the first newline (\n).
+ * Return the string consumed from the stream.
+ */
+function readLine(stream: Readable): Promise<string> {
+    return new Promise<string>((resolve, reject) => {
+        let contents = ''
+
+        // Fires when the stream has contents that can be read
+        const onStreamIsReadable = () => {
+            while (true) {
+                const byteRead: Buffer = process.stdin.read(1)
+                if (byteRead == null) {
+                    // wait for more content to arrive on the stream
+                    break
+                }
+
+                const nextChar = byteRead.toString('utf-8')
+                contents += nextChar
+
+                if (nextChar == '\n') {
+                    // Stop reading this stream, we have read a line from it
+                    stream.removeListener('readable', onStreamIsReadable)
+                    resolve(contents)
+                    break
+                }
+            }
+        }
 
-const props: S3ServerProps = {
-    connection,
-    s3Service: cloudformationService,
+        stream.on('readable', onStreamIsReadable)
+    })
 }
 
-export const server = new S3Server(props)
+function createServer(connection: any, key?: string): S3Server {
+    const credentialsProvider = new IdeCredentialsProvider(connection, key)
+
+    const serviceProps: S3ServiceProps = {
+        displayName: S3Server.serverId,
+        credentialsProvider,
+    }
+
+    const service = createS3ervice(serviceProps)
+
+    const props: S3ServerProps = {
+        connection,
+        s3Service: service,
+        onInitialize: (props: AwsInitializationOptions) => {
+            credentialsProvider.initialize(props)
+        },
+    }
+
+    return new S3Server(props)
+}

lsp/client/visualStudio/IdesLspPoc/Credentials/UpdateCredentialsRequest.cs

@@ -0,0 +1,36 @@
+using Newtonsoft.Json;
+
+namespace IdesLspPoc.Credentials
+{
+    /// <summary>
+    // Request that the host uses when talking to custom notifications in
+    // order to send updated credentials and bearer tokens to the language server.
+    // 
+    // See credentialsProtocolMethodNames in core\aws-lsp-core\src\credentials\credentialsProvider.ts
+    // for the custom notification names.
+    // 
+    // While there are separate notifications for sending credentials and sending bearer tokens,
+    // both notifications use this request.The `data` field is different for each notification.
+    /// </summary>
+    public class UpdateCredentialsRequest
+    {
+        /// <summary>
+        /// Initialization vector for encrypted data, in base64
+        /// </summary>
+        [JsonProperty("iv")]
+        public string Iv;
+
+        /// <summary>
+        /// Encrypted data, in base64. The data contents will vary based on the request made.
+        /// (eg: The payload is different when requesting IAM vs Bearer token)
+        /// </summary>
+        [JsonProperty("data")]
+        public string Data;
+
+        /// <summary>
+        /// Encrypted data's authTag - used for decryption validation
+        /// </summary>
+        [JsonProperty("authTag")]
+        public string AuthTag;
+    }
+}

lsp/client/visualStudio/IdesLspPoc/Credentials/UpdateIamCredentialsRequestData.cs

@@ -0,0 +1,9 @@
+namespace IdesLspPoc.Credentials
+{
+    public class UpdateIamCredentialsRequestData
+    {
+        public string AccessKeyId;
+        public string SecretAccessKey;
+        public string SessionToken;
+    }
+}

lsp/client/visualStudio/IdesLspPoc/IdesLspPoc.csproj

@@ -47,8 +47,12 @@
   <ItemGroup>
     <Compile Include="ContentDefinitions\BuildSpec.cs" />
     <Compile Include="ContentDefinitions\JsonContentType.cs" />
+    <Compile Include="Credentials\UpdateCredentialsRequest.cs" />
     <Compile Include="LspClient\BuildspecLspClient.cs" />
+    <Compile Include="Credentials\UpdateIamCredentialsRequestData.cs" />
+    <Compile Include="LspClient\S3LspClient.cs" />
     <Compile Include="LspClient\CloudFormationLspClient.cs" />
+    <Compile Include="LspClient\S3\S3CredentialsUpdater.cs" />
     <Compile Include="LspClient\ToolkitLspClient.cs" />
     <Compile Include="Output\OutputWindow.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
@@ -70,6 +74,12 @@
     <Reference Include="System" />
   </ItemGroup>
   <ItemGroup>
+    <PackageReference Include="AWSSDK.Core">
+      <Version>3.7.107.9</Version>
+    </PackageReference>
+    <PackageReference Include="BouncyCastle.Cryptography">
+      <Version>2.2.1</Version>
+    </PackageReference>
     <PackageReference Include="Microsoft.VisualStudio.LanguageServer.Client">
       <Version>17.0.5165</Version>
     </PackageReference>

lsp/client/visualStudio/IdesLspPoc/LspClient/S3/S3CredentialsUpdater.cs

@@ -0,0 +1,149 @@
+using Amazon.Runtime;
+using Amazon.Runtime.CredentialManagement;
+using IdesLspPoc.Credentials;
+using IdesLspPoc.Output;
+using Microsoft.VisualStudio.Threading;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Serialization;
+using Org.BouncyCastle.Crypto.Engines;
+using Org.BouncyCastle.Crypto.Modes;
+using Org.BouncyCastle.Crypto.Parameters;
+using Org.BouncyCastle.Security;
+using StreamJsonRpc;
+using System;
+using System.Text;
+using System.Threading.Tasks;
+using System.Timers;
+
+namespace IdesLspPoc.LspClient.S3
+{
+    /// <summary>
+    /// This class knows how to push credentials over to the language server (via SendIamCredentialsAsync)
+    /// PROOF OF CONCEPT - this class would be used in a product like the AWS Toolkit 
+    /// to push credentials to the server whenever the credentials state changes (eg: user selects another profile, or
+    /// credentials expire). For this concept, it is resolving and pushing credentials every 10 seconds as a 
+    /// simulation of the Toolkit sending credentials to the server.
+    /// This class would also know how to clear credentials from the language server.
+    /// </summary>
+    internal class S3CredentialsUpdater
+    {
+        private static readonly JsonSerializerSettings _serializerSettings = new JsonSerializerSettings
+        {
+            ContractResolver = new DefaultContractResolver
+            {
+                NamingStrategy = new CamelCaseNamingStrategy(),
+            }
+        };
+
+        private Timer _resendTimer;
+        private OutputWindow _outputWindow;
+        private JsonRpc _rpc;
+        private byte[] _aesKey;
+
+        public S3CredentialsUpdater(JsonRpc rpc, byte[] aesKey, OutputWindow outputWindow)
+        {
+            this._rpc = rpc;
+            _aesKey = aesKey;
+            _outputWindow = outputWindow;
+        }
+
+        /// <summary>
+        /// We start sending the lsp server credentials every 10 seconds as a simulation of the credentials state changing
+        /// </summary>
+        public void StartCredentialsRefreshSimulation()
+        {
+            _resendTimer?.Stop();
+
+            _resendTimer = new Timer()
+            {
+                AutoReset = true,
+                Interval = 10_000,
+            };
+
+            _resendTimer.Elapsed += OnRefreshCredentials;
+
+            _resendTimer.Start();
+        }
+
+        private void OnRefreshCredentials(object sender, ElapsedEventArgs e)
+        {
+            // PROOF OF CONCEPT
+            // We will resolve the default profile from the local system.
+            // In a product, the host extension would know which profile it is configured to provide to the language server.
+            var creds = new SharedCredentialsFile();
+            if (!creds.TryGetProfile("default", out var profile))
+            {
+                _outputWindow.WriteLine("Client: Unable to get default profile");
+                return;
+            }
+
+            Task.Run(async () =>
+            {
+                AWSCredentials awsCredentials = profile.GetAWSCredentials(creds);
+                var request = CreateUpdateCredentialsRequest(await awsCredentials.GetCredentialsAsync(), _aesKey);
+                await SendIamCredentialsAsync(request);
+            }).Forget();
+        }
+
+        public async Task SendIamCredentialsAsync(UpdateCredentialsRequest request)
+        {
+            _outputWindow.WriteLine("Client: Sending (simulated) refreshed Credentials to the server");
+            await this._rpc.NotifyAsync("$/aws/credentials/iam/update", request);
+        }
+
+        private static UpdateCredentialsRequest CreateUpdateCredentialsRequest(ImmutableCredentials credentials, byte[] aesKey)
+        {
+            var requestData = new UpdateIamCredentialsRequestData
+            {
+                AccessKeyId = credentials.AccessKey,
+                SecretAccessKey = credentials.SecretKey,
+                SessionToken = credentials.Token,
+            };
+
+            return CreateUpdateCredentialsRequest(requestData, aesKey);
+        }
+
+        /// <summary>
+        /// Creates an "update credentials" request that contains encrypted data
+        /// </summary>
+        private static UpdateCredentialsRequest CreateUpdateCredentialsRequest(object data, byte[] aesKey)
+        {
+            byte[] iv = CreateInitializationVector();
+
+            var aesEngine = new AesEngine();
+            int macSize = 8 * aesEngine.GetBlockSize();
+
+            GcmBlockCipher cipher = new GcmBlockCipher(aesEngine);
+            AeadParameters parameters = new AeadParameters(new KeyParameter(aesKey), macSize, iv);
+            cipher.Init(true, parameters);
+
+            var json = JsonConvert.SerializeObject(data, _serializerSettings);
+
+            // Encrypt json
+            byte[] cipherText = new byte[cipher.GetOutputSize(json.Length)];
+            int len = cipher.ProcessBytes(Encoding.UTF8.GetBytes(json), 0, json.Length, cipherText, 0);
+            cipher.DoFinal(cipherText, len);
+
+            // Get the authTag
+            byte[] mac = cipher.GetMac();
+            string authtag = Convert.ToBase64String(mac);
+            var dataLength = cipherText.Length - mac.Length;
+
+            return new UpdateCredentialsRequest
+            {
+                Iv = Convert.ToBase64String(iv),
+                // Remove Mac from end of cipherText
+                Data = Convert.ToBase64String(cipherText, 0, dataLength),
+                AuthTag = authtag,
+            };
+        }
+
+        private static byte[] CreateInitializationVector()
+        {
+            var iv = new byte[16];
+            SecureRandom random = new SecureRandom();
+            random.NextBytes(iv);
+            return iv;
+        }
+    }
+}