From 9802649c9d98766c602f8657e81b66c976badf05 Mon Sep 17 00:00:00 2001 From: Adam Brodziak Date: Tue, 3 May 2022 12:57:12 +0200 Subject: [PATCH 1/2] fix: Default username in RoleSessionName In case user does not have entry in `/etc/passwd` the `os.userInfo()` call will throw `SystemError` exception as documented: https://nodejs.org/docs/latest-v16.x/api/os.html#osuserinfooptions Fixes #19401 issue. It can be tested inside Docker for ad-hoc 1234 user ID: ```sh docker run -u 1234 -e CDK_HOME=/tmp npm run cdk diff ``` The `CDK_HOME=/tmp` is a workaround for #7937 issue, where CDK complains that it can't write cached info in user homedir, because it does not exists. Once #7937 will be fixed then #19401 will most likely hit users. However above workaround is a viable option. Hence those two issues are related, but not duplicated. --- packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts | 6 +++++- packages/cdk-assets/lib/aws.ts | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts index 39f7cd2f2a1b1..200f6548c6554 100644 --- a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts +++ b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts @@ -459,7 +459,11 @@ function readIfPossible(filename: string): string | undefined { * @see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters */ function safeUsername() { - return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@'); + try { + return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@'); + } catch (e) { + return 'noname'; + } } /** diff --git a/packages/cdk-assets/lib/aws.ts b/packages/cdk-assets/lib/aws.ts index c35dedb38bbe2..4f79ead780227 100644 --- a/packages/cdk-assets/lib/aws.ts +++ b/packages/cdk-assets/lib/aws.ts @@ -150,6 +150,10 @@ export class DefaultAwsClient implements IAws { * @see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters */ function safeUsername() { - return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@'); + try { + return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@'); + } catch (e) { + return 'noname'; + } } From ea4db71730f87dbc0b6022c2427fb95ee0b5ed41 Mon Sep 17 00:00:00 2001 From: Adam Brodziak Date: Fri, 20 May 2022 09:51:12 +0200 Subject: [PATCH 2/2] Test case for safeUsername() try catch handling Test case is essentially a copy of the following one: `assuming a role sanitizes the username into the session name` --- .../aws-cdk/test/api/sdk-provider.test.ts | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/packages/aws-cdk/test/api/sdk-provider.test.ts b/packages/aws-cdk/test/api/sdk-provider.test.ts index c2e3d311af647..9c03a7be0beed 100644 --- a/packages/aws-cdk/test/api/sdk-provider.test.ts +++ b/packages/aws-cdk/test/api/sdk-provider.test.ts @@ -341,6 +341,34 @@ describe('with intercepted network calls', () => { }); }); + test('assuming a role does not fail when OS username cannot be read', async () => { + // GIVEN + prepareCreds({ + fakeSts, + config: { + default: { aws_access_key_id: 'foo', $account: '11111' }, + }, + }); + + await withMocked(os, 'userInfo', async (userInfo) => { + userInfo.mockImplementation(() => { + // SystemError thrown as documented: https://nodejs.org/docs/latest-v16.x/api/os.html#osuserinfooptions + throw new Error('SystemError on Linux: uv_os_get_passwd returned ENOENT. See #19401 issue.'); + }); + + // WHEN + const provider = await providerFromProfile(undefined); + + const sdk = (await provider.forEnvironment(env(uniq('88888')), Mode.ForReading, { assumeRoleArn: 'arn:aws:role' })).sdk as SDK; + await sdk.currentAccount(); + + // THEN + expect(fakeSts.assumedRoles[0]).toEqual(expect.objectContaining({ + roleSessionName: 'aws-cdk-noname', + })); + }); + }); + test('even if current credentials are for the wrong account, we will still use them to AssumeRole', async () => { // GIVEN prepareCreds({