test: implement tests for behavior of credentials provider
Hweinstock committed Jan 31, 2025
1 parent d7bede6 commit d7a9ca3
Showing 2 changed files with 89 additions and 5 deletions.
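--- a/packages/core/src/auth/providers/sharedCredentialsProvider.ts
+++ b/packages/core/src/auth/providers/sharedCredentialsProvider.ts
@@ -389,7 +389,8 @@ export class SharedCredentialsProvider implements CredentialsProvider {
 )
 
 return async () => {
-const profile: CredentialsData = (loadedCreds ?? profiles)[this.profileName]
+const iniData = loadedCreds ?? profiles
+const profile: CredentialsData = iniData[this.profileName]
 if (!profile) {
 throw new ToolkitError(`auth: Profile ${this.profileName} not found`)
 }
@@ -401,8 +402,18 @@ export class SharedCredentialsProvider implements CredentialsProvider {
 sessionToken: profile.aws_session_token,
 }
 }
-
-const stsClient = new DefaultStsClient(this.getDefaultRegion() ?? 'us-east-1')
+if (!profile.source_profile || !iniData[profile.source_profile]) {
+throw new ToolkitError(
+`auth: Profile ${this.profileName} is missing source_profile for role assumption`
+)
+}
+// Use source profile to assume IAM role based on role ARN provided.
+const sourceProfile = iniData[profile.source_profile!]
+const stsClient = new DefaultStsClient(this.getDefaultRegion() ?? 'us-east-1', {
+accessKeyId: sourceProfile.aws_access_key_id!,
+secretAccessKey: sourceProfile.aws_secret_access_key!,
+})
+// Prompt for MFA Token if needed.
 const assumeRoleReq: STS.AssumeRoleRequest = profile.mfa_serial
 ? {
 RoleArn: profile.role_arn,
@@ -417,8 +428,8 @@ export class SharedCredentialsProvider implements CredentialsProvider {
 const assumeRoleRsp = await stsClient.assumeRole(assumeRoleReq)
 return {
 accessKeyId: assumeRoleRsp.Credentials!.AccessKeyId!,
-secretAccessKey: assumeRoleRsp.Credentials!.AccessKeyId!,
-sessionToken: assumeRoleRsp.Credentials?.AccessKeyId,
+secretAccessKey: assumeRoleRsp.Credentials!.SecretAccessKey!,
+sessionToken: assumeRoleRsp.Credentials?.SessionToken,
 expiration: assumeRoleRsp.Credentials?.Expiration,
 }
 }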
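Review bot: The new STS client in the second hunk is built from `sourceProfile.aws_access_key_id!` and `sourceProfile.aws_secret_access_key!`, but the guard above it only checks that the source profile exists, not that it actually holds static keys. A source profile without them would hand undefined credentials to `DefaultStsClient`, and depending on how that client treats them (not visible here) the role could be assumed under a different identity than the one configured, or fail with an unrelated error; a source profile that carries `aws_session_token` also has the token dropped. I would replace the two non-null assertions with an explicit check that throws a `ToolkitError` naming the source profile when either key is absent, and add `sessionToken: sourceProfile.aws_session_token` if the client's credentials type accepts it. The error text should also distinguish an unset `source_profile` from one that names a profile absent from the ini data, since both currently report "is missing source_profile". The enclosing function starts and ends outside the hunk.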
@@ -13,6 +13,9 @@ import { SsoClient } from '../../../auth/sso/clients'
import { stub } from '../../utilities/stubber'
import { SsoAccessTokenProvider } from '../../../auth/sso/ssoAccessTokenProvider'
import { createTestSections } from '../testUtil'
import { DefaultStsClient } from '../../../shared/clients/stsClient'
import { oneDay } from '../../../shared/datetime'
import { getTestWindow } from '../../shared/vscode/window'

const missingPropertiesFragment = 'missing properties'

@@ -450,6 +453,76 @@ describe('SharedCredentialsProvider', async function () {
})
})
})

describe('makeSharedIniFileCredentialsProvider', function () {
let defaultSection: string

before(function () {
defaultSection = `[profile default]
aws_access_key_id = x
aws_secret_access_key = y`
})

beforeEach(function () {
sandbox.stub(DefaultStsClient.prototype, 'assumeRole').callsFake(async (request) => {
assert.strictEqual(request.RoleArn, 'testarn')
if (request.SerialNumber) {
assert.strictEqual(request.SerialNumber, 'mfaSerialToken')
assert.strictEqual(request.TokenCode, 'mfaToken')
}
return {
Credentials: {
AccessKeyId: 'id',
SecretAccessKey: 'secret',
SessionToken: 'token',
Expiration: new Date(Date.now() + oneDay),
},
}
})
})

it('assumes role given in ini data', async function () {
const sections = await createTestSections(`
${defaultSection}
[profile assume]
source_profile = default
role_arn = testarn
`)

const sut = new SharedCredentialsProvider('assume', sections)
const creds = await sut.getCredentials()
assert.strictEqual(creds.accessKeyId, 'id')
assert.strictEqual(creds.secretAccessKey, 'secret')
assert.strictEqual(creds.sessionToken, 'token')
})

it('assumes role with mfa token', async function () {
const sections = await createTestSections(`
${defaultSection}
[profile assume]
source_profile = default
role_arn = testarn
mfa_serial= mfaSerialToken
`)
const sut = new SharedCredentialsProvider('assume', sections)

getTestWindow().onDidShowInputBox((inputBox) => {
inputBox.acceptValue('mfaToken')
})

const creds = await sut.getCredentials()
assert.strictEqual(creds.accessKeyId, 'id')
assert.strictEqual(creds.secretAccessKey, 'secret')
assert.strictEqual(creds.sessionToken, 'token')
})

it('does not assume role when no roleArn is present', async function () {
const sut = new SharedCredentialsProvider('default', await createTestSections(defaultSection))
const creds = await sut.getCredentials()
assert.strictEqual(creds.accessKeyId, 'x')
assert.strictEqual(creds.secretAccessKey, 'y')
})
})
})

function assertSubstringsInText(text: string | undefined, ...substrings: string[]) {
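Review bot: The `assumeRole` stub in `beforeEach` checks the request fields, but nothing in these tests verifies which credentials `DefaultStsClient` was constructed with, so the behaviour this commit changes (calling AssumeRole with the source profile's keys) is not pinned and a regression to the wrong identity would still pass. The new failure path is untested as well: there is no case for a role profile whose `source_profile` is unset or names a profile that is not in the ini data. I would add a case such as `await assert.rejects(() => sut.getCredentials(), /missing source_profile/)` for a section that has `role_arn` only, assuming profile validation elsewhere does not reject it first and `getCredentials` surfaces the ToolkitError message unchanged. The enclosing `describe('SharedCredentialsProvider', ...)` starts outside the hunk.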
