* Run awsAuthRefresh to perform interactive authentication (e.g., aws sso login) * Streams output in real-time for user visibility
| 610 | * Streams output in real-time for user visibility |
| 611 | */ |
async function runAwsAuthRefresh(): Promise<boolean> {
  // Resolves `false` whenever no refresh command was run (not configured,
  // blocked by the trust gate, or credentials still valid); otherwise
  // returns whatever `refreshAwsAuth` resolves to.
  const refreshCommand = getConfiguredAwsAuthRefresh()
  if (!refreshCommand) {
    // Nothing configured, so there is nothing to run.
    return false
  }

  // SECURITY: a command sourced from project settings is untrusted input
  // until the workspace trust dialog has been accepted. The `&&` chain
  // keeps the original evaluation order and short-circuiting.
  // NOTE(review): the gate is skipped when getIsNonInteractiveSession()
  // is true, so in non-interactive sessions a project-supplied command
  // can run without a trust confirmation — confirm this is intended.
  const blockedByTrust =
    isAwsAuthRefreshFromProjectSettings() &&
    !checkHasTrustDialogAccepted() &&
    !getIsNonInteractiveSession()
  if (blockedByTrust) {
    const trustError = new Error(
      `Security: awsAuthRefresh executed before workspace trust is confirmed. If you see this message, post in ${MACRO.FEEDBACK_CHANNEL}.`,
    )
    logAntError('awsAuthRefresh invoked before trust check', trustError)
    logEvent('tengu_awsAuthRefresh_missing_trust', {})
    return false
  }

  // Probe the current credentials first; a successful STS call means the
  // refresh command can be skipped. Any failure (including a failed debug
  // log call) falls through to the refresh.
  let identityStillValid: boolean
  try {
    logForDebugging('Fetching AWS caller identity for AWS auth refresh command')
    await checkStsCallerIdentity()
    logForDebugging(
      'Fetched AWS caller identity, skipping AWS auth refresh command',
    )
    identityStillValid = true
  } catch {
    identityStillValid = false
  }

  if (identityStillValid) {
    return false
  }
  // Only run the (possibly interactive) refresh when the identity probe failed.
  return refreshAwsAuth(refreshCommand)
}
| 645 | |
| 646 | // Timeout for AWS auth refresh command (3 minutes). |
| 647 | // Long enough for browser-based SSO flows, short enough to prevent indefinite hangs. |