test(credential-providers): more tests

Author: kuhe

packages/credential-provider-node/src/runtime/memoize-chain.spec.ts

@@ -8,7 +8,7 @@ describe("memoize runtime config aware AWS credential chain", () => {
   let staticCredentials!: RuntimeConfigAwsCredentialIdentityProvider;
   let expiringCredentials!: RuntimeConfigAwsCredentialIdentityProvider;
 
-  const expiration = new Date();
+  const expiration = new Date(Date.now() + 5_000);
 
   beforeEach(() => {
     vi.resetAllMocks();

packages/credential-provider-node/src/runtime/memoize-chain.ts

@@ -34,6 +34,11 @@ export function memoizeChain(
     if (options?.forceRefresh) {
       return await chain(options);
     }
+    if (credentials?.expiration) {
+      if (credentials?.expiration?.getTime() < Date.now()) {
+        credentials = undefined;
+      }
+    }
     if (activeLock) {
       await activeLock;
     } else if (!credentials || treatAsExpired?.(credentials!)) {

packages/credential-provider-node/tests/credential-provider-node.integ.spec.ts

@@ -4,11 +4,10 @@ import {
   fromCognitoIdentity,
   fromCognitoIdentityPool,
   fromIni,
-  fromNodeProviderChain,
   fromTokenFile,
   fromWebToken,
 } from "@aws-sdk/credential-providers";
-import { MockNodeHttpHandler, assumeRoleArns } from "@aws-sdk/credential-providers/tests/_test-lib.spec";
+import { assumeRoleArns, MockNodeHttpHandler } from "@aws-sdk/credential-providers/tests/_test-lib.spec";
 import { NodeHttpHandler } from "@smithy/node-http-handler";
 import { externalDataInterceptor } from "@smithy/shared-ini-file-loader";
 import type { HttpRequest, MiddlewareStack, ParsedIniData } from "@smithy/types";
@@ -19,7 +18,6 @@ import { homedir } from "node:os";
 import { join } from "node:path";
 import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, test as it, vi } from "vitest";
 
-// eslint-disable-next-line no-restricted-imports
 import { defaultProvider } from "../src/defaultProvider";
 
 describe("credential-provider-node integration test", () => {
@@ -1510,181 +1508,5 @@ describe("credential-provider-node integration test", () => {
         });
       });
     });
-
-    describe("STS region logic", () => {
-      type Parameters = {
-        // has caller context client
-        withCaller: boolean;
-        // has region specified on the caller client
-        codeRegion: boolean;
-        // AWS_REGION is set
-        envRegion: boolean;
-        // profile regions are set
-        profileRegion: boolean;
-        // provider itself has a clientConfig.region
-        providerRegion: boolean;
-        // profile name
-        profile: string | undefined;
-      };
-
-      function serializeParams(params: Parameters) {
-        let buffer = "";
-        for (const [key, value] of Object.entries(params)) {
-          if (typeof value === "boolean") {
-            if (value) {
-              buffer += ` ${key},`;
-            }
-          } else {
-            buffer += ` ${key} = ${value},`;
-          }
-        }
-        return buffer;
-      }
-
-      for (const withCaller of [true, false]) {
-        for (const codeRegion of [true, false]) {
-          for (const envRegion of [true, false]) {
-            for (const profileRegion of [true, false]) {
-              for (const providerRegion of [true, false]) {
-                for (const profile of ["default", "alt", undefined]) {
-                  if (!codeRegion && !profileRegion && !envRegion) {
-                    continue;
-                  }
-
-                  const params = {
-                    withCaller,
-                    codeRegion,
-                    envRegion,
-                    profileRegion,
-                    providerRegion,
-                    profile,
-                  };
-
-                  it(`${serializeParams(params)}`, async () => {
-                    const region = await resolveStsRegion(params);
-
-                    if (providerRegion) {
-                      expect(region).toBe("provider-region");
-                      return;
-                    }
-
-                    if (profileRegion) {
-                      expect(region).toBe(`${profile ?? "default"}-profile-region`);
-                      return;
-                    }
-
-                    if (codeRegion && withCaller) {
-                      expect(region).toBe("code-region");
-                      return;
-                    }
-
-                    if (envRegion) {
-                      expect(region).toBe("env-region");
-                      return;
-                    }
-
-                    expect(region).toBe("us-east-1");
-                  });
-                }
-              }
-            }
-          }
-        }
-      }
-
-      async function resolveStsRegion({
-        withCaller,
-        envRegion,
-        profile,
-        profileRegion,
-        codeRegion,
-        providerRegion,
-      }: Parameters) {
-        if (envRegion) {
-          process.env.AWS_REGION = "env-region";
-        } else {
-          delete process.env.AWS_REGION;
-        }
-
-        if (profileRegion) {
-          iniProfileData = {
-            default: {
-              region: "default-profile-region",
-              role_arn: "ROLE_ARN",
-              role_session_name: "ROLE_SESSION_NAME",
-              external_id: "EXTERNAL_ID",
-              source_profile: "assume",
-            },
-            assume: {
-              region: "assume-profile-region",
-              aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
-              aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
-            },
-            alt: {
-              region: "alt-profile-region",
-              role_arn: "ROLE_ARN",
-              role_session_name: "ROLE_SESSION_NAME",
-              external_id: "EXTERNAL_ID",
-              source_profile: "assume2",
-            },
-            assume2: {
-              region: "assume2-profile-region",
-              aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
-              aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
-            },
-          };
-        } else {
-          iniProfileData = {
-            default: {
-              role_arn: "ROLE_ARN",
-              role_session_name: "ROLE_SESSION_NAME",
-              external_id: "EXTERNAL_ID",
-              source_profile: "assume",
-            },
-            assume: {
-              aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
-              aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
-            },
-            alt: {
-              role_arn: "ROLE_ARN",
-              role_session_name: "ROLE_SESSION_NAME",
-              external_id: "EXTERNAL_ID",
-              source_profile: "assume2",
-            },
-            assume2: {
-              aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
-              aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
-            },
-          };
-        }
-        setIniProfileData(iniProfileData);
-
-        if (withCaller) {
-          const sts = new STS({
-            profile,
-            region: codeRegion ? "code-region" : undefined,
-            credentials: fromNodeProviderChain({
-              clientConfig: {
-                region: providerRegion ? "provider-region" : undefined,
-              },
-            }),
-          });
-
-          await sts.getCallerIdentity({});
-          const credentials = await sts.config.credentials();
-          return credentials.sessionToken!.replace("STS_AR_SESSION_TOKEN_", "");
-        }
-
-        const provider = fromNodeProviderChain({
-          profile,
-          clientConfig: {
-            region: providerRegion ? "provider-region" : undefined,
-          },
-        });
-
-        const credentials = await provider();
-        return credentials.sessionToken!.replace("STS_AR_SESSION_TOKEN_", "");
-      }
-    });
   });
 });

packages/credential-providers/src/fromSSO.ts

@@ -44,6 +44,6 @@ import { AwsCredentialIdentityProvider } from "@smithy/types";
  *
  * @public
  */
-export const fromSSO = (init: FromSSOInit = {}): AwsCredentialIdentityProvider => {
+export const fromSSO = (init: Parameters<typeof _fromSSO>[0] = {}): AwsCredentialIdentityProvider => {
   return _fromSSO({ ...init });
 };

packages/credential-providers/tests/_test-lib.spec.ts

@@ -1,4 +1,6 @@
 import { S3 } from "@aws-sdk/client-s3";
+import { fromSSO } from "@aws-sdk/credential-providers";
+import { warning } from "@aws-sdk/region-config-resolver";
 import { ParsedIniData, RuntimeConfigAwsCredentialIdentityProvider } from "@aws-sdk/types";
 import { NodeHttpHandler } from "@smithy/node-http-handler";
 import { HttpResponse } from "@smithy/protocol-http";
@@ -9,14 +11,10 @@ import { createHash } from "node:crypto";
 import { homedir } from "node:os";
 import { join } from "node:path";
 import { PassThrough } from "node:stream";
-import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, test as it } from "vitest";
-import { fromSSO } from "@aws-sdk/credential-providers";
-
-describe("placeholder for testing lib", () => {
-  it("", () => {});
-});
+import { afterAll, afterEach, beforeAll, beforeEach, expect, test as it } from "vitest";
 
 export const assumeRoleArns: string[] = [];
+warning.silence = true;
 let iniProfileData: ParsedIniData = null as any;
 
 export type CredentialTestParameters = {
@@ -52,13 +50,13 @@ export class CTest<P extends (init?: any) => RuntimeConfigAwsCredentialIdentityP
     fallbackRegion,
   }: {
     credentialProvider: P;
-    providerParams: (testParams: CredentialTestParameters) => Parameters<P>[0];
+    providerParams?: (testParams: CredentialTestParameters) => Parameters<P>[0];
     profileCredentials?: boolean;
     filter?: (testParams: CredentialTestParameters) => boolean;
     fallbackRegion?: string;
   }) {
     this.credentialProvider = credentialProvider;
-    this.providerParams = providerParams;
+    this.providerParams = providerParams ?? CTest.defaultRegionConfigProvider;
     this.profileCredentials = !!profileCredentials;
     this.filter = filter ?? (() => true);
     this.fallbackRegion = fallbackRegion ?? "unresolved";
@@ -354,7 +352,7 @@ export class MockNodeHttpHandler {
 
     const region = (request.hostname.match(/(sts|cognito-identity|portal\.sso)\.(.*?)\./) || [, , "unknown"])[2];
 
-    if (request.headers.Authorization === "container-authorization") {
+    if (request.headers.Authorization === "container-authorization" || request.hostname === "169.254.170.23") {
       body.write(
         JSON.stringify({
           AccessKeyId: "CONTAINER_ACCESS_KEY",
@@ -446,6 +444,7 @@ export class MockNodeHttpHandler {
       console.log(request);
       throw new Error("request not supported.");
     }
+
     body.end();
     return {
       response: new HttpResponse({

packages/credential-providers/tests/fromCognitoIdentity.integ.spec.ts

@@ -1,5 +1,6 @@
+import { S3 } from "@aws-sdk/client-s3";
 import { fromCognitoIdentity } from "@aws-sdk/credential-providers";
-import { describe } from "vitest";
+import { describe, expect, test as it } from "vitest";
 
 import { CTest } from "./_test-lib.spec";
 
@@ -17,4 +18,38 @@ describe(fromCognitoIdentity.name, () => {
   });
 
   ctest.testRegion();
+
+  describe("configure from env", () => {
+    it("is not configurable from env", async () => {
+      expect("ok").toBeTruthy();
+    });
+  });
+
+  describe("configure from profile", () => {
+    it("is not configurable from profile", async () => {
+      expect("ok").toBeTruthy();
+    });
+  });
+
+  describe("configure from code", () => {
+    it("should be configurable from code", async () => {
+      const s3 = new S3({
+        region: "us-east-2",
+        credentials: fromCognitoIdentity({
+          identityId: "us-east-2:128d0a74-c82f-4553-916d-90053example",
+        }),
+      });
+      await s3.listBuckets();
+      expect(await s3.config.credentials()).toEqual({
+        $source: {
+          CREDENTIALS_CODE: "e",
+        },
+        accessKeyId: "COGNITO_ACCESS_KEY_ID",
+        expiration: new Date("3000-01-01T00:00:00.000Z"),
+        identityId: "us-east-2:128d0a74-c82f-4553-916d-90053example",
+        secretAccessKey: "COGNITO_SECRET_KEY",
+        sessionToken: "COGNITO_SESSION_TOKEN_us-east-2",
+      });
+    });
+  });
 });

packages/credential-providers/tests/fromCognitoIdentityPool.integ.spec.ts

@@ -1,5 +1,6 @@
+import { S3 } from "@aws-sdk/client-s3";
 import { fromCognitoIdentityPool } from "@aws-sdk/credential-providers";
-import { describe } from "vitest";
+import { describe, expect, test as it } from "vitest";
 
 import { CTest } from "./_test-lib.spec";
 
@@ -17,4 +18,38 @@ describe(fromCognitoIdentityPool.name, () => {
   });
 
   ctest.testRegion();
+
+  describe("configure from env", () => {
+    it("is not configurable from env", async () => {
+      expect("ok").toBeTruthy();
+    });
+  });
+
+  describe("configure from profile", () => {
+    it("is not configurable from profile", async () => {
+      expect("ok").toBeTruthy();
+    });
+  });
+
+  describe("configure from code", () => {
+    it("should be configurable from code", async () => {
+      const s3 = new S3({
+        region: "us-east-2",
+        credentials: fromCognitoIdentityPool({
+          identityPoolId: "us-east-2:COGNITO_IDENTITY_ID",
+        }),
+      });
+      await s3.listBuckets();
+      expect(await s3.config.credentials()).toEqual({
+        $source: {
+          CREDENTIALS_CODE: "e",
+        },
+        accessKeyId: "COGNITO_ACCESS_KEY_ID",
+        expiration: new Date("3000-01-01T00:00:00.000Z"),
+        identityId: "us-east-2:COGNITO_IDENTITY_ID",
+        secretAccessKey: "COGNITO_SECRET_KEY",
+        sessionToken: "COGNITO_SESSION_TOKEN_us-east-2",
+      });
+    });
+  });
 });