Merge master into feature/console-session-profile

Author: aws-toolkit-automation

packages/core/src/sagemakerunifiedstudio/auth/providers/smusAuthenticationProvider.ts

@@ -20,6 +20,7 @@ import {
     SmusErrorCodes,
     extractAccountIdFromResourceMetadata,
     convertToToolkitCredentialProvider,
+    isIamDomain,
 } from '../../shared/smusUtils'
 import {
     createSmusProfile,
@@ -212,10 +213,15 @@ export class SmusAuthenticationProvider {
 
                 const credentialsProvider = (await this.getDerCredentialsProvider()) as CredentialsProvider
 
-                // Get DataZoneCustomClientHelper instance and check if domain is IAM mode
+                // Get DataZoneCustomClientHelper instance and fetch domain details to check if it's IAM mode
                 const datazoneCustomClientHelper = DataZoneCustomClientHelper.getInstance(credentialsProvider, region)
-                const isIamMode = await datazoneCustomClientHelper.isIamDomain(domainId)
-                this.logger.debug(`is in IAM mode ${isIamMode}`)
+                const domain = await datazoneCustomClientHelper.getDomain(domainId)
+                const isIamMode = isIamDomain({
+                    domainVersion: domain.domainVersion,
+                    iamSignIns: domain.iamSignIns,
+                    domainId: domainId,
+                })
+                this.logger.debug(`Domain ${domainId} is in IAM mode: ${isIamMode}`)
                 await setSmusIamModeContext(isIamMode)
             }
         } catch (error) {

packages/core/src/sagemakerunifiedstudio/shared/client/datazoneCustomClientHelper.ts

@@ -12,7 +12,7 @@ import * as DataZoneCustomClient from './datazonecustomclient'
 import { adaptConnectionCredentialsProvider } from './credentialsAdapter'
 import { CredentialsProvider } from '../../../auth/providers/credentials'
 import { ToolkitError } from '../../../shared/errors'
-import { SmusUtils } from '../smusUtils'
+import { SmusUtils, isIamDomain } from '../smusUtils'
 import { DevSettings } from '../../../shared/settings'
 
 import { SmusErrorCodes } from '../smusUtils'
@@ -196,7 +196,7 @@ export class DataZoneCustomClientHelper {
     }
 
     /**
-     * Gets the domain with IAM authentication mode in preferences using pagination with early termination
+     * Gets the domain with IAM authentication mode using pagination with early termination
      * @returns Promise resolving to the DataZone domain or undefined if not found
      */
     public async getIamDomain(): Promise<DataZoneCustomClient.Types.DomainSummary | undefined> {
@@ -209,7 +209,7 @@ export class DataZoneCustomClientHelper {
             let totalDomainsChecked = 0
             const maxResultsPerPage = 25
 
-            // Paginate through domains and check each page for IAM-based domain
+            // Paginate through domains and check each page for IAM domain
             do {
                 const response = await this.listDomains({
                     status: 'AVAILABLE',
@@ -224,12 +224,19 @@ export class DataZoneCustomClientHelper {
                     `DataZoneCustomClientHelper: Checking ${domains.length} domains in current page (total checked: ${totalDomainsChecked})`
                 )
 
-                // Check each domain in the current page for IAM authentication mode
+                // Check each domain in the current page for IAM domain
                 for (const domain of domains) {
-                    if (domain.preferences && domain.preferences.DOMAIN_MODE === 'EXPRESS') {
-                        logger.info(
-                            `DataZoneCustomClientHelper: Found IAM-based domain, id: ${domain.id} (${domain.name})`
-                        )
+                    // Log the complete domain object for debugging
+                    logger.debug(`DataZoneCustomClientHelper: Domain ${domain.id} full response: %O`, domain)
+
+                    const isIam = isIamDomain({
+                        domainVersion: domain.domainVersion,
+                        iamSignIns: domain.iamSignIns,
+                        domainId: domain.id,
+                    })
+
+                    if (isIam) {
+                        logger.info(`DataZoneCustomClientHelper: Found IAM domain, id: ${domain.id} (${domain.name})`)
                         return domain
                     }
                 }
@@ -238,7 +245,7 @@ export class DataZoneCustomClientHelper {
             } while (nextToken)
 
             logger.info(
-                `DataZoneCustomClientHelper: No domain with IAM authentication (DOMAIN_MODE: EXPRESS) found after checking all ${totalDomainsChecked} domains`
+                `DataZoneCustomClientHelper: No IAM domain found after checking all ${totalDomainsChecked} domains`
             )
             return undefined
         } catch (err) {
@@ -272,28 +279,6 @@ export class DataZoneCustomClientHelper {
         }
     }
 
-    /**
-     * Checks if a specific domain is an IAM-based domain
-     * @param domainId The ID of the domain to check
-     * @returns Promise resolving to true if the domain is IAM-based, false otherwise
-     */
-    public async isIamDomain(domainId: string): Promise<boolean> {
-        try {
-            this.logger.debug(`DataZoneCustomClientHelper: Checking if domain ${domainId} is IAM-based`)
-
-            const domain = await this.getDomain(domainId)
-            const isIamMode = domain.preferences?.DOMAIN_MODE === 'EXPRESS' || false
-
-            this.logger.debug(
-                `DataZoneCustomClientHelper: Domain ${domainId} is ${isIamMode ? 'IAM-based' : 'not IAM-based'}`
-            )
-            return isIamMode
-        } catch (err) {
-            this.logger.error('DataZoneCustomClientHelper: Failed to check if domain is IAM-based: %s', err as Error)
-            throw err
-        }
-    }
-
     /**
      * Searches for group profiles in the DataZone domain
      * @param domainIdentifier The domain identifier to search in

packages/core/src/sagemakerunifiedstudio/shared/smusUtils.ts

@@ -108,6 +108,27 @@ export const SmusTimeouts = {
  */
 export const DataZoneServiceId = 'datazone'
 
+/**
+ * Domain version constants
+ */
+export const DomainVersionV1 = 'V1'
+export const DomainVersionV2 = 'V2'
+
+/**
+ * IAM sign-in type constants
+ */
+export const IamSignInRole = 'IAM_ROLE'
+export const IamSignInUser = 'IAM_USER'
+
+/**
+ * Input interface for IAM domain check function
+ */
+export interface IamDomainCheckInput {
+    domainVersion: string | undefined
+    iamSignIns?: string[] | undefined
+    domainId?: string
+}
+
 /**
  * Interface for AWS credential objects that need validation
  */
@@ -490,6 +511,49 @@ export class SmusUtils {
     }
 }
 
+/**
+ * Determines if a domain is an IAM domain based on IamSignIns field.
+ *
+ * IAM domains are V2 domains that support both IAM role and IAM user authentication.
+ * A domain is considered an IAM domain if its IamSignIns array contains both:
+ * - IAM_ROLE
+ * - IAM_USER
+ *
+ * @param input - Object containing domain version, IamSignIns, and optional domainId for logging
+ * @returns true if the domain is an IAM domain, false otherwise
+ */
+export function isIamDomain(input: IamDomainCheckInput): boolean {
+    const logger = getLogger('smus')
+    const domainIdLog = input.domainId ? ` for domain ${input.domainId}` : ''
+
+    // Only V2 domains can be IAM domains
+    if (input.domainVersion !== DomainVersionV2) {
+        logger.debug(
+            `IAM domain check${domainIdLog}: Domain version is not V2 (value: ${input.domainVersion}), returning false`
+        )
+        return false
+    }
+
+    // Check if IamSignIns contains both IAM_ROLE and IAM_USER
+    if (!input.iamSignIns || !Array.isArray(input.iamSignIns)) {
+        logger.debug(`IAM domain check${domainIdLog}: IamSignIns is missing or invalid, returning false`)
+        return false
+    }
+
+    const hasIamRole = input.iamSignIns.includes(IamSignInRole)
+    const hasIamUser = input.iamSignIns.includes(IamSignInUser)
+
+    if (hasIamRole && hasIamUser) {
+        logger.debug(`IAM domain check${domainIdLog}: IAM domain detected via IamSignIns`)
+        return true
+    }
+
+    logger.debug(
+        `IAM domain check${domainIdLog}: IamSignIns does not contain both IAM_ROLE and IAM_USER, returning false`
+    )
+    return false
+}
+
 /**
  * Extracts the account ID from a SageMaker ARN.
  * Supports formats like:

packages/core/src/test/sagemakerunifiedstudio/auth/smusAuthenticationProvider.test.ts

@@ -1374,7 +1374,6 @@ describe('SmusAuthenticationProvider', function () {
         let getResourceMetadataStub: sinon.SinonStub
         let getDerCredentialsProviderStub: sinon.SinonStub
         let getInstanceStub: sinon.SinonStub
-        let isIamDomainStub: sinon.SinonStub
         let mockCredentialsProvider: any
         let mockClientHelper: any
 
@@ -1404,12 +1403,19 @@ describe('SmusAuthenticationProvider', function () {
                 .resolves(mockCredentialsProvider)
 
             // Mock DataZoneCustomClientHelper
-            isIamDomainStub = sinon.stub()
+            const getDomainStub = sinon.stub()
             mockClientHelper = {
-                isIamDomain: isIamDomainStub,
+                getDomain: getDomainStub,
             }
 
             getInstanceStub = sinon.stub(DataZoneCustomClientHelper, 'getInstance').returns(mockClientHelper)
+
+            // Setup getDomain to return domain details
+            getDomainStub.resolves({
+                id: testResourceMetadata.AdditionalMetadata.DataZoneDomainId,
+                domainVersion: 'V2',
+                iamSignIns: ['IAM_ROLE', 'IAM_USER'],
+            })
         })
 
         afterEach(function () {
@@ -1418,7 +1424,6 @@ describe('SmusAuthenticationProvider', function () {
 
         it('should set IAM mode context to true when domain is IAM mode', async function () {
             getResourceMetadataStub.returns(testResourceMetadata)
-            isIamDomainStub.resolves(true)
 
             await smusAuthProvider['initIamModeContextInSpaceEnvironment']()
 
@@ -1430,13 +1435,17 @@ describe('SmusAuthenticationProvider', function () {
                     testResourceMetadata.AdditionalMetadata.DataZoneDomainRegion
                 )
             )
-            assert.ok(isIamDomainStub.calledWith(testResourceMetadata.AdditionalMetadata.DataZoneDomainId))
             assert.ok(setContextStubGlobal.calledWith('aws.smus.isIamMode', true))
         })
 
         it('should set IAM mode context to false when domain is not IAM mode', async function () {
             getResourceMetadataStub.returns(testResourceMetadata)
-            isIamDomainStub.resolves(false)
+
+            // Override getDomain to return a non-IAM domain
+            mockClientHelper.getDomain = sinon.stub().resolves({
+                id: testResourceMetadata.AdditionalMetadata.DataZoneDomainId,
+                domainVersion: 'V2',
+            })
 
             await smusAuthProvider['initIamModeContextInSpaceEnvironment']()
 
@@ -1448,7 +1457,6 @@ describe('SmusAuthenticationProvider', function () {
                     testResourceMetadata.AdditionalMetadata.DataZoneDomainRegion
                 )
             )
-            assert.ok(isIamDomainStub.calledWith(testResourceMetadata.AdditionalMetadata.DataZoneDomainId))
             assert.ok(setContextStubGlobal.calledWith('aws.smus.isIamMode', false))
         })
 
@@ -1460,7 +1468,6 @@ describe('SmusAuthenticationProvider', function () {
             assert.ok(getResourceMetadataStub.called)
             assert.ok(getDerCredentialsProviderStub.notCalled)
             assert.ok(getInstanceStub.notCalled)
-            assert.ok(isIamDomainStub.notCalled)
             assert.ok(setContextStubGlobal.notCalled)
         })
 
@@ -1474,7 +1481,6 @@ describe('SmusAuthenticationProvider', function () {
             assert.ok(getResourceMetadataStub.called)
             assert.ok(getDerCredentialsProviderStub.called)
             assert.ok(getInstanceStub.notCalled)
-            assert.ok(isIamDomainStub.notCalled)
             assert.ok(setContextStubGlobal.calledWith('aws.smus.isIamMode', false))
         })
     })

packages/core/src/test/sagemakerunifiedstudio/shared/client/datazoneCustomClientHelper.test.ts

@@ -247,6 +247,8 @@ describe('DataZoneCustomClientHelper', () => {
                         managedAccountId: '123456789012',
                         status: 'AVAILABLE',
                         createdAt: new Date(),
+                        domainVersion: 'V2',
+                        iamSignIns: ['IAM_ROLE'],
                         preferences: { DOMAIN_MODE: 'STANDARD' },
                     },
                     {
@@ -256,6 +258,8 @@ describe('DataZoneCustomClientHelper', () => {
                         managedAccountId: '123456789012',
                         status: 'AVAILABLE',
                         createdAt: new Date(),
+                        domainVersion: 'V2',
+                        iamSignIns: ['IAM_ROLE', 'IAM_USER'],
                         preferences: { DOMAIN_MODE: 'EXPRESS' },
                     },
                 ] as DataZoneDomain[],
@@ -412,65 +416,6 @@ describe('DataZoneCustomClientHelper', () => {
         })
     })
 
-    describe('isIamDomain', () => {
-        it('should return true for EXPRESS domain', async () => {
-            const mockDomainId = 'dzd_express123'
-            const mockResponse = {
-                id: mockDomainId,
-                name: 'Express Domain',
-                arn: `arn:aws:datazone:us-east-1:123456789012:domain/${mockDomainId}`,
-                status: 'AVAILABLE',
-                preferences: { DOMAIN_MODE: 'EXPRESS' },
-            }
-
-            const getDomainStub = sinon.stub(client, 'getDomain').resolves(mockResponse)
-
-            const result = await client.isIamDomain(mockDomainId)
-
-            assert.strictEqual(result, true)
-            assert.ok(getDomainStub.calledOnce)
-            assert.strictEqual(getDomainStub.firstCall.args[0], mockDomainId)
-        })
-
-        it('should return false for STANDARD domain', async () => {
-            const mockDomainId = 'dzd_standard123'
-            const mockResponse = {
-                id: mockDomainId,
-                name: 'Standard Domain',
-                arn: `arn:aws:datazone:us-east-1:123456789012:domain/${mockDomainId}`,
-                status: 'AVAILABLE',
-                preferences: { DOMAIN_MODE: 'STANDARD' },
-            }
-
-            const getDomainStub = sinon.stub(client, 'getDomain').resolves(mockResponse)
-
-            const result = await client.isIamDomain(mockDomainId)
-
-            assert.strictEqual(result, false)
-            assert.ok(getDomainStub.calledOnce)
-            assert.strictEqual(getDomainStub.firstCall.args[0], mockDomainId)
-        })
-
-        it('should return false for domain without preferences', async () => {
-            const mockDomainId = 'dzd_no_prefs123'
-            const mockResponse = {
-                id: mockDomainId,
-                name: 'Domain Without Preferences',
-                arn: `arn:aws:datazone:us-east-1:123456789012:domain/${mockDomainId}`,
-                status: 'AVAILABLE',
-                // No preferences field
-            }
-
-            const getDomainStub = sinon.stub(client, 'getDomain').resolves(mockResponse)
-
-            const result = await client.isIamDomain(mockDomainId)
-
-            assert.strictEqual(result, false)
-            assert.ok(getDomainStub.calledOnce)
-            assert.strictEqual(getDomainStub.firstCall.args[0], mockDomainId)
-        })
-    })
-
     describe('searchGroupProfiles', () => {
         const mockDomainId = 'dzd_test123'