Skip to content

Commit

Permalink
chore(credential-providers): pass logger through to CredentialsProvid…
Browse files Browse the repository at this point in the history
…erError
  • Loading branch information
kuhe committed May 24, 2024
1 parent 8d0324a commit 0c98dfd
Show file tree
Hide file tree
Showing 19 changed files with 127 additions and 74 deletions.
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
import type { CredentialProviderOptions } from "@aws-sdk/types";
import { CredentialsProviderError } from "@smithy/property-provider";
import { AwsCredentialIdentity, Provider } from "@smithy/types";
import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types";

import { CognitoProviderParameters } from "./CognitoProviderParameters";
import { resolveLogins } from "./resolveLogins";
Expand Down Expand Up @@ -35,11 +35,11 @@ export function fromCognitoIdentity(parameters: FromCognitoIdentityParameters):

const {
Credentials: {
AccessKeyId = throwOnMissingAccessKeyId(),
AccessKeyId = throwOnMissingAccessKeyId(parameters.logger),
Expiration,
SecretKey = throwOnMissingSecretKey(),
SecretKey = throwOnMissingSecretKey(parameters.logger),
SessionToken,
} = throwOnMissingCredentials(),
} = throwOnMissingCredentials(parameters.logger),
} = await (
parameters.client ??
new CognitoIdentityClient(
Expand Down Expand Up @@ -76,14 +76,14 @@ export interface FromCognitoIdentityParameters extends CognitoProviderParameters
identityId: string;
}

function throwOnMissingAccessKeyId(): never {
throw new CredentialsProviderError("Response from Amazon Cognito contained no access key ID");
function throwOnMissingAccessKeyId(logger?: Logger): never {
throw new CredentialsProviderError("Response from Amazon Cognito contained no access key ID", { logger });
}

function throwOnMissingCredentials(): never {
throw new CredentialsProviderError("Response from Amazon Cognito contained no credentials");
function throwOnMissingCredentials(logger?: Logger): never {
throw new CredentialsProviderError("Response from Amazon Cognito contained no credentials", { logger });
}

function throwOnMissingSecretKey(): never {
throw new CredentialsProviderError("Response from Amazon Cognito contained no secret key");
function throwOnMissingSecretKey(logger?: Logger): never {
throw new CredentialsProviderError("Response from Amazon Cognito contained no secret key", { logger });
}
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
import type { CredentialProviderOptions } from "@aws-sdk/types";
import { CredentialsProviderError } from "@smithy/property-provider";
import { Logger } from "@smithy/types";

import { CognitoProviderParameters } from "./CognitoProviderParameters";
import { CognitoIdentityCredentialProvider, fromCognitoIdentity } from "./fromCognitoIdentity";
Expand Down Expand Up @@ -44,7 +45,7 @@ export function fromCognitoIdentityPool({

let identityId: string | undefined = (cacheKey && (await cache.getItem(cacheKey))) as string | undefined;
if (!identityId) {
const { IdentityId = throwOnMissingId() } = await _client.send(
const { IdentityId = throwOnMissingId(logger) } = await _client.send(
new GetIdCommand({
AccountId: accountId,
IdentityPoolId: identityPoolId,
Expand Down Expand Up @@ -116,6 +117,6 @@ export interface FromCognitoIdentityPoolParameters extends CognitoProviderParame
userIdentifier?: string;
}

function throwOnMissingId(): never {
throw new CredentialsProviderError("Response from Amazon Cognito contained no identity ID");
function throwOnMissingId(logger?: Logger): never {
throw new CredentialsProviderError("Response from Amazon Cognito contained no identity ID", { logger });
}
2 changes: 1 addition & 1 deletion packages/credential-provider-env/src/fromEnv.ts
Original file line number Diff line number Diff line change
Expand Up @@ -52,5 +52,5 @@ export const fromEnv =
};
}

throw new CredentialsProviderError("Unable to find environment variable credentials.");
throw new CredentialsProviderError("Unable to find environment variable credentials.", { logger: init?.logger });
};
7 changes: 5 additions & 2 deletions packages/credential-provider-http/src/fromHttp/checkUrl.ts
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import { CredentialsProviderError } from "@smithy/property-provider";
import { Logger } from "@smithy/types";

/**
* @internal
Expand Down Expand Up @@ -28,9 +29,10 @@ const EKS_CONTAINER_HOST_IPv6 = "[fd00:ec2::23]";
* @internal
*
* @param url - to be validated.
* @param logger - passed to CredentialsProviderError.
* @throws if not acceptable to this provider.
*/
export const checkUrl = (url: URL): void => {
export const checkUrl = (url: URL, logger?: Logger): void => {
if (url.protocol === "https:") {
// no additional requirements for HTTPS.
return;
Expand Down Expand Up @@ -74,6 +76,7 @@ export const checkUrl = (url: URL): void => {
`URL not accepted. It must either be HTTPS or match one of the following:
- loopback CIDR 127.0.0.0/8 or [::1/128]
- ECS container host 169.254.170.2
- EKS container host 169.254.170.23 or [fd00:ec2::23]`
- EKS container host 169.254.170.23 or [fd00:ec2::23]`,
{ logger }
);
};
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ import { retryWrapper } from "./retry-wrapper";
/**
* Creates a provider that gets credentials via HTTP request.
*/
export const fromHttp = (options: FromHttpOptions): AwsCredentialIdentityProvider => {
export const fromHttp = (options: FromHttpOptions = {}): AwsCredentialIdentityProvider => {
options.logger?.debug("@aws-sdk/credential-provider-http", "fromHttp");
let host: string;

Expand All @@ -19,14 +19,14 @@ export const fromHttp = (options: FromHttpOptions): AwsCredentialIdentityProvide
if (full) {
host = full;
} else {
throw new CredentialsProviderError("No HTTP credential provider host provided.");
throw new CredentialsProviderError("No HTTP credential provider host provided.", { logger: options.logger });
}

// throws if invalid format.
const url = new URL(host);

// throws if not to spec for provider.
checkUrl(url);
checkUrl(url, options.logger);

const requestHandler = new FetchHttpHandler();

Expand Down
28 changes: 16 additions & 12 deletions packages/credential-provider-http/src/fromHttp/fromHttp.ts
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ const AWS_CONTAINER_AUTHORIZATION_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN";
/**
* Creates a provider that gets credentials via HTTP request.
*/
export const fromHttp = (options: FromHttpOptions): AwsCredentialIdentityProvider => {
export const fromHttp = (options: FromHttpOptions = {}): AwsCredentialIdentityProvider => {
options.logger?.debug("@aws-sdk/credential-provider-http", "fromHttp");
let host: string;

Expand All @@ -26,20 +26,23 @@ export const fromHttp = (options: FromHttpOptions): AwsCredentialIdentityProvide
const token = options.awsContainerAuthorizationToken ?? process.env[AWS_CONTAINER_AUTHORIZATION_TOKEN];
const tokenFile = options.awsContainerAuthorizationTokenFile ?? process.env[AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE];

const warn: (warning: string) => void =
options.logger?.constructor?.name === "NoOpLogger" || !options.logger ? console.warn : options.logger.warn;

if (relative && full) {
console.warn(
"AWS SDK HTTP credentials provider:",
"you have set both awsContainerCredentialsRelativeUri and awsContainerCredentialsFullUri."
warn(
"@aws-sdk/credential-provider-http: " +
"you have set both awsContainerCredentialsRelativeUri and awsContainerCredentialsFullUri."
);
console.warn("awsContainerCredentialsFullUri will take precedence.");
warn("awsContainerCredentialsFullUri will take precedence.");
}

if (token && tokenFile) {
console.warn(
"AWS SDK HTTP credentials provider:",
"you have set both awsContainerAuthorizationToken and awsContainerAuthorizationTokenFile."
warn(
"@aws-sdk/credential-provider-http: " +
"you have set both awsContainerAuthorizationToken and awsContainerAuthorizationTokenFile."
);
console.warn("awsContainerAuthorizationToken will take precedence.");
warn("awsContainerAuthorizationToken will take precedence.");
}

if (full) {
Expand All @@ -49,15 +52,16 @@ export const fromHttp = (options: FromHttpOptions): AwsCredentialIdentityProvide
} else {
throw new CredentialsProviderError(
`No HTTP credential provider host provided.
Set AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.`
Set AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.`,
{ logger: options.logger }
);
}

// throws if invalid format.
const url = new URL(host);

// throws if not to spec for provider.
checkUrl(url);
checkUrl(url, options.logger);

const requestHandler = new NodeHttpHandler({
requestTimeout: options.timeout ?? 1000,
Expand All @@ -79,7 +83,7 @@ Set AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
const result = await requestHandler.handle(request);
return getCredentials(result.response);
} catch (e: unknown) {
throw new CredentialsProviderError(String(e));
throw new CredentialsProviderError(String(e), { logger: options.logger });
}
},
options.maxRetries ?? 3,
Expand Down
25 changes: 16 additions & 9 deletions packages/credential-provider-http/src/fromHttp/requestHelpers.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ import { AwsCredentialIdentity } from "@aws-sdk/types";
import { CredentialsProviderError } from "@smithy/property-provider";
import { HttpRequest } from "@smithy/protocol-http";
import { parseRfc3339DateTime } from "@smithy/smithy-client";
import { HttpResponse } from "@smithy/types";
import { HttpResponse, Logger } from "@smithy/types";
import { sdkStreamMixin } from "@smithy/util-stream";

import { HttpProviderCredentials } from "./fromHttpTypes";
Expand All @@ -27,11 +27,13 @@ export function createGetRequest(url: URL): HttpRequest {
/**
* @internal
*/
export async function getCredentials(response: HttpResponse): Promise<AwsCredentialIdentity> {
export async function getCredentials(response: HttpResponse, logger?: Logger): Promise<AwsCredentialIdentity> {
const contentType = response?.headers["content-type"] ?? response?.headers["Content-Type"] ?? "";

if (!contentType.includes("json")) {
console.warn(
const warn: (warning: string) => void =
logger?.constructor?.name === "NoOpLogger" || !logger ? console.warn : logger.warn;
warn(
"HTTP credential provider response header content-type was not application/json. Observed: " + contentType + "."
);
}
Expand All @@ -50,7 +52,9 @@ export async function getCredentials(response: HttpResponse): Promise<AwsCredent
) {
throw new CredentialsProviderError(
"HTTP credential provider response not of the required format, an object matching: " +
"{ AccessKeyId: string, SecretAccessKey: string, Token: string, Expiration: string(rfc3339) }"
"{ AccessKeyId: string, SecretAccessKey: string, Token: string, Expiration: string(rfc3339) }",
void 0,
logger
);
}

Expand All @@ -67,10 +71,13 @@ export async function getCredentials(response: HttpResponse): Promise<AwsCredent
parsedBody = JSON.parse(str);
} catch (e) {}

throw Object.assign(new CredentialsProviderError(`Server responded with status: ${response.statusCode}`), {
Code: parsedBody.Code,
Message: parsedBody.Message,
});
throw Object.assign(
new CredentialsProviderError(`Server responded with status: ${response.statusCode}`, { logger }),
{
Code: parsedBody.Code,
Message: parsedBody.Message,
}
);
}
throw new CredentialsProviderError(`Server responded with status: ${response.statusCode}`);
throw new CredentialsProviderError(`Server responded with status: ${response.statusCode}`, { logger });
}
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ export const resolveAssumeRoleCredentials = async (
`Detected a cycle attempting to resolve credentials for profile` +
` ${getProfileName(options)}. Profiles visited: ` +
Object.keys(visitedProfiles).join(", "),
false
{ logger: options.logger }
);
}

Expand All @@ -128,7 +128,7 @@ export const resolveAssumeRoleCredentials = async (
if (!options.mfaCodeProvider) {
throw new CredentialsProviderError(
`Profile ${profileName} requires multi-factor authentication, but no MFA code callback was provided.`,
false
{ logger: options.logger }
);
}
params.SerialNumber = mfa_serial;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,8 @@ export const resolveCredentialSource = (
} else {
throw new CredentialsProviderError(
`Unsupported credential source in profile ${profileName}. Got ${credentialSource}, ` +
`expected EcsContainer or Ec2InstanceMetadata or Environment.`
`expected EcsContainer or Ec2InstanceMetadata or Environment.`,
{ logger }
);
}
};
5 changes: 4 additions & 1 deletion packages/credential-provider-ini/src/resolveProfileData.ts
Original file line number Diff line number Diff line change
Expand Up @@ -59,5 +59,8 @@ export const resolveProfileData = async (
// terminal resolution error if a profile has been specified by the user
// (whether via a parameter, an environment variable, or another profile's
// `source_profile` key).
throw new CredentialsProviderError(`Profile ${profileName} could not be found or parsed in shared credentials file.`);
throw new CredentialsProviderError(
`Profile ${profileName} could not be found or parsed in shared credentials file.`,
{ logger: options.logger }
);
};
8 changes: 6 additions & 2 deletions packages/credential-provider-node/src/defaultProvider.ts
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,8 @@ export const defaultProvider = (init: DefaultProviderInit = {}): MemoizedProvide
const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoSession } = init;
if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName && !ssoSession) {
throw new CredentialsProviderError(
"Skipping SSO provider in default chain (inputs do not include SSO fields)."
"Skipping SSO provider in default chain (inputs do not include SSO fields).",
{ logger: init.logger }
);
}
const { fromSSO } = await import("@aws-sdk/credential-provider-sso");
Expand All @@ -95,7 +96,10 @@ export const defaultProvider = (init: DefaultProviderInit = {}): MemoizedProvide
return (await remoteProvider(init))();
},
async () => {
throw new CredentialsProviderError("Could not load credentials from any providers", false);
throw new CredentialsProviderError("Could not load credentials from any providers", {
tryNextLink: false,
logger: init.logger,
});
}
),
credentialsTreatedAsExpired,
Expand Down
2 changes: 1 addition & 1 deletion packages/credential-provider-node/src/remoteProvider.ts
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ export const remoteProvider = async (init: RemoteProviderInit): Promise<AwsCrede

if (process.env[ENV_IMDS_DISABLED]) {
return async () => {
throw new CredentialsProviderError("EC2 Instance Metadata Service access disabled");
throw new CredentialsProviderError("EC2 Instance Metadata Service access disabled", { logger: init.logger });
};
}

Expand Down
2 changes: 1 addition & 1 deletion packages/credential-provider-process/src/fromProcess.ts
Original file line number Diff line number Diff line change
Expand Up @@ -20,5 +20,5 @@ export const fromProcess =
async () => {
init.logger?.debug("@aws-sdk/credential-provider-process", "fromProcess");
const profiles = await parseKnownFiles(init);
return resolveProcessCredentials(getProfileName(init), profiles);
return resolveProcessCredentials(getProfileName(init), profiles, init.logger);
};
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
import { CredentialsProviderError } from "@smithy/property-provider";
import { AwsCredentialIdentity, ParsedIniData } from "@smithy/types";
import { AwsCredentialIdentity, Logger, ParsedIniData } from "@smithy/types";
import { exec } from "child_process";
import { promisify } from "util";

Expand All @@ -11,7 +11,8 @@ import { ProcessCredentials } from "./ProcessCredentials";
*/
export const resolveProcessCredentials = async (
profileName: string,
profiles: ParsedIniData
profiles: ParsedIniData,
logger?: Logger
): Promise<AwsCredentialIdentity> => {
const profile = profiles[profileName];

Expand All @@ -29,16 +30,18 @@ export const resolveProcessCredentials = async (
}
return getValidatedProcessCredentials(profileName, data as ProcessCredentials);
} catch (error) {
throw new CredentialsProviderError(error.message);
throw new CredentialsProviderError(error.message, { logger });
}
} else {
throw new CredentialsProviderError(`Profile ${profileName} did not contain credential_process.`);
throw new CredentialsProviderError(`Profile ${profileName} did not contain credential_process.`, { logger });
}
} else {
// If the profile cannot be parsed or does not contain the default or
// specified profile throw an error. This should be considered a terminal
// resolution error if a profile has been specified by the user (whether via
// a parameter, anenvironment variable, or another profile's `source_profile` key).
throw new CredentialsProviderError(`Profile ${profileName} could not be found in shared credentials file.`);
throw new CredentialsProviderError(`Profile ${profileName} could not be found in shared credentials file.`, {
logger,
});
}
};
Loading

0 comments on commit 0c98dfd

Please sign in to comment.