Encrypt and decrypt chat lsp communication

[angjordn]

Description

• Iniitalizes the Amazon Q LSP Server into an encrypted mode
  • The Amazon Q LSP server waits for an encryption key to be sent over stdin before initializing server (signified by the --set-credentials-encryption-key flag in the start command)
  • Once the encryption key is retrieved by the LSP server, it stores the key to be used for future requests
• The Amazon Q Plugin encrypts and decrypts chat requests and responses
  • Encrypts the ChatRequestParams into a jwt
  • Decrypts the partial result responses from the a jwt into ChatResult
  • Decrypts the final result response from a jwt into a ChatResult

[shruti0085]

It seems like both the encrypted classes have the same properties. Any reason we can't have a single class and use it for both use-cases?

[angjordn]

In order to best match the models provided in the Language Server Runtime types repo, I think it'd be best to continue with two separate classes

See EncryptedChatParams
See EncryptedQuickActionParams

[shruti0085]

I can't recall but do these calls get exception handled upstream from any calling code? Saw the throw calls within these decrypt/encrypt calls but don't rememeber if they should be caught or not to prevent any unexpected state to occur.

[angjordn]

These exceptions should be caught at the top-level in the Q Chat Part (See

amazon-q-eclipse/plugin/src/software/aws/toolkits/eclipse/amazonq/views/AmazonQChatWebview.java

Lines 73 to 75 in 49c450f

	} catch (Exception e) {
	PluginLogger.error("Error processing message from Browser", e);
	}

)

[shruti0085]

Now that we are using encrypted params should L79 instead be changed to EncryptedQuickActionParams for setting partial result token. Don't see the value in using that anymore

[angjordn]

Good question, the partialResultToken is an attribute in both the QuickActionParams as well as EncryptedQuickActionParams.

In QuickActionParams, we have:

    private final String tabId;
    private final String quickAction;
    private final String prompt;
    private String partialResultToken;

In EncryptedQuickActionParams, we have

   @JsonProperty("message") String message, // Message as encrypted jwt
   @JsonProperty("partialResultToken") String partialResultToken) {

Therefore the partialResultToken is located in both the encrypted message attibute as well as a direct attribute under the EncryptedQuickActionParams attribute.

After diving deeper into the EncryptedChat Communication, I see that the inner-most partialResultToken is being over written by the outer-most token (see https://github.com/aws/language-server-runtimes/blob/4bd707cb4220253620b5550e6dd48cd08a5350b3/runtimes/runtimes/chat/encryptedChat.ts#L76-L77)

To test my theory, I removed the line to set the partialResultToken in the QuickActionPrams and kept the partialResultToken on the EncryptedQuickActionParams - the partial results is continuing to work successfully. I am going to make the same change to ChatParams and EncryptedChatParams

[shruti0085]

Great digging! Please inform Flare team about this overriding behavior since it introduces risk. We wouldn't want to get in a scenario where there is change in this data contract on their end and we get impacted by it. i.e a scenario in future where they start honoring the decrypted partial token present in the innermost chat request param object