telemetry(auth): report sessionDuration on reauth `aws_loginWithBrows…

…er` (aws#6013) Depends on aws/aws-toolkit-common#914 ## Problem On the condition of: - SSO session is BuilderID or Internal Amazon IdC - Subsequent login for same SSO session happened earlier than 90 days (the expected session expiration) We need to know on the client side to be able to report this information so that CloudWatch alarms can consume this. ## Solution By adding the existing sessionDuration field, which is `currentTime - whenThePreviousSessionWasCreated`, to `aws_loginWithBrowser` we will have all the information we need to alarm on. ---  License: I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Signed-off-by: nkomonen-amazon <[email protected]>
Will-ShaoHua · Nov 14, 2024 · 384d287 · 384d287
1 parent 127a7ff
commit 384d287
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 8 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -39,7 +39,7 @@
         "generateNonCodeFiles": "npm run generateNonCodeFiles -w packages/ --if-present"
     },
     "devDependencies": {
-        "@aws-toolkits/telemetry": "^1.0.274",
+        "@aws-toolkits/telemetry": "^1.0.282",
         "@playwright/browser-chromium": "^1.43.1",
         "@types/he": "^1.2.3",
         "@types/vscode": "^1.68.0",
@@ -71,7 +71,6 @@
     },
     "dependencies": {
         "@types/node": "^22.7.5",
-        "@aws-toolkits/telemetry": "^1.0.242",
         "vscode-nls": "^5.2.0",
         "vscode-nls-dev": "^4.0.4"
     }

diff --git a/packages/core/src/auth/sso/ssoAccessTokenProvider.ts b/packages/core/src/auth/sso/ssoAccessTokenProvider.ts
@@ -256,6 +256,7 @@ export abstract class SsoAccessTokenProvider {
                 awsRegion: this.profile.region,
                 ssoRegistrationExpiresAt: args?.registrationExpiresAt,
                 ssoRegistrationClientId: args?.registrationClientId,
+                sessionDuration: getSessionDuration(this.tokenCacheKey),
             })
 
             // Reset source in case there is a case where browser login was called but we forgot to set the source.
@@ -396,7 +397,7 @@ async function pollForTokenWithProgress<T extends { requestId?: string }>(
  */
 function getSessionDuration(id: string) {
     const creationDate = globals.globalState.getSsoSessionCreationDate(id)
-    return creationDate !== undefined ? Date.now() - creationDate : undefined
+    return creationDate !== undefined ? globals.clock.Date.now() - creationDate : undefined
 }
 
 /**

diff --git a/packages/core/src/test/credentials/sso/ssoAccessTokenProvider.test.ts b/packages/core/src/test/credentials/sso/ssoAccessTokenProvider.test.ts
@@ -265,6 +265,50 @@ describe('SsoAccessTokenProvider', function () {
             assert.notDeepStrictEqual(await sut.getToken(), cachedToken)
         })
 
+        it(`emits session duration between logins of the same startUrl`, async function () {
+            setupFlow()
+            stubOpen()
+
+            await sut.createToken()
+            clock.tick(5000)
+            await sut.createToken()
+            clock.tick(10_000)
+            await sut.createToken()
+
+            // Mimic when we sign out then in again with the same region+startUrl. The ID is the only thing different.
+            sut = SsoAccessTokenProvider.create(
+                { region, startUrl, identifier: 'bbb' },
+                cache,
+                oidcClient,
+                reAuthState,
+                () => true
+            )
+            await sut.createToken()
+
+            assertTelemetry('aws_loginWithBrowser', [
+                {
+                    credentialStartUrl: startUrl,
+                    awsRegion: region,
+                    sessionDuration: undefined, // A new login.
+                },
+                {
+                    credentialStartUrl: startUrl,
+                    awsRegion: region,
+                    sessionDuration: 5000, // A reauth. 5000 - 0, is the diff between this and previous login
+                },
+                {
+                    credentialStartUrl: startUrl,
+                    awsRegion: region,
+                    sessionDuration: 10000, // A reauth. 15_000 - 5000 is the diff between this and previous login
+                },
+                {
+                    credentialStartUrl: startUrl,
+                    awsRegion: region,
+                    sessionDuration: undefined, // A new login, since we signed out of the last.
+                },
+            ])
+        })
+
         it('respects the device authorization expiration time', async function () {
             // XXX: Don't know how to fix this "unhandled rejection" caused by this test:
             //      rejected promise not handled within 1 second: Error: Timed-out waiting for browser login flow to complete