From 63558900eeb477ef63596006b8dd1798092e1056 Mon Sep 17 00:00:00 2001
From: George Fu <kuhe@users.noreply.github.com>
Date: Fri, 24 May 2024 19:27:42 +0000
Subject: [PATCH] test: add scenario in credential chain integration test

---
 .../credential-provider-node.integ.spec.ts    | 39 +++++++++++++++++++
 .../src/defaultProvider.ts                    |  2 +
 .../src/remoteProvider.ts                     |  5 ++-
 3 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/packages/credential-provider-node/src/credential-provider-node.integ.spec.ts b/packages/credential-provider-node/src/credential-provider-node.integ.spec.ts
index 624b42f7bde45..3b83e504cc33c 100644
--- a/packages/credential-provider-node/src/credential-provider-node.integ.spec.ts
+++ b/packages/credential-provider-node/src/credential-provider-node.integ.spec.ts
@@ -1,4 +1,5 @@
 import { STS } from "@aws-sdk/client-sts";
+import * as credentialProviderHttp from "@aws-sdk/credential-provider-http";
 import { HttpResponse } from "@smithy/protocol-http";
 import type { SourceProfileInit } from "@smithy/shared-ini-file-loader";
 import type { HttpRequest, NodeHttpHandlerOptions, ParsedIniData } from "@smithy/types";
@@ -490,6 +491,44 @@ describe("credential-provider-node integration test", () => {
         credentialScope: "us-sso-1-us-sso-region-1",
       });
     });
+
+    it("should be able to combine a source_profile having credential_source with an origin profile having role_arn and source_profile", async () => {
+      process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI = "http://169.254.170.23";
+      process.env.AWS_CONTAINER_AUTHORIZATION_TOKEN = "container-authorization";
+      iniProfileData.default.source_profile = "credential_source_profile";
+      iniProfileData.default.role_arn = "ROLE_ARN";
+      iniProfileData.credential_source_profile = {
+        credential_source: "EcsContainer",
+      };
+      const spy = jest.spyOn(credentialProviderHttp, "fromHttp");
+      sts = new STS({
+        region: "us-west-2",
+        requestHandler: mockRequestHandler,
+        credentials: defaultProvider({
+          awsContainerCredentialsFullUri: process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI,
+          awsContainerAuthorizationToken: process.env.AWS_CONTAINER_AUTHORIZATION_TOKEN,
+          clientConfig: {
+            region: "us-west-2",
+          },
+        }),
+      });
+      await sts.getCallerIdentity({});
+      const credentials = await sts.config.credentials();
+      expect(credentials).toEqual({
+        accessKeyId: "STS_AR_ACCESS_KEY_ID",
+        secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
+        sessionToken: "STS_AR_SESSION_TOKEN",
+        expiration: new Date("3000-01-01T00:00:00.000Z"),
+        credentialScope: "us-stsar-1__us-west-2",
+      });
+      expect(spy).toHaveBeenCalledWith(
+        expect.objectContaining({
+          awsContainerCredentialsFullUri: process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI,
+          awsContainerAuthorizationToken: process.env.AWS_CONTAINER_AUTHORIZATION_TOKEN,
+        })
+      );
+      spy.mockClear();
+    });
   });
 
   describe("fromProcess", () => {
diff --git a/packages/credential-provider-node/src/defaultProvider.ts b/packages/credential-provider-node/src/defaultProvider.ts
index 72101174ee62f..65b8c4b2cf29e 100644
--- a/packages/credential-provider-node/src/defaultProvider.ts
+++ b/packages/credential-provider-node/src/defaultProvider.ts
@@ -1,4 +1,5 @@
 import { fromEnv } from "@aws-sdk/credential-provider-env";
+import type { FromHttpOptions } from "@aws-sdk/credential-provider-http";
 import type { FromIniInit } from "@aws-sdk/credential-provider-ini";
 import type { FromProcessInit } from "@aws-sdk/credential-provider-process";
 import type { FromSSOInit, SsoCredentialsParameters } from "@aws-sdk/credential-provider-sso";
@@ -14,6 +15,7 @@ import { remoteProvider } from "./remoteProvider";
  * @public
  */
 export type DefaultProviderInit = FromIniInit &
+  FromHttpOptions &
   RemoteProviderInit &
   FromProcessInit &
   (FromSSOInit & Partial<SsoCredentialsParameters>) &
diff --git a/packages/credential-provider-node/src/remoteProvider.ts b/packages/credential-provider-node/src/remoteProvider.ts
index 7f64789be0828..27dce9a2de8e7 100644
--- a/packages/credential-provider-node/src/remoteProvider.ts
+++ b/packages/credential-provider-node/src/remoteProvider.ts
@@ -1,3 +1,4 @@
+import type { FromHttpOptions } from "@aws-sdk/credential-provider-http";
 import type { RemoteProviderInit } from "@smithy/credential-provider-imds";
 import { chain, CredentialsProviderError } from "@smithy/property-provider";
 import type { AwsCredentialIdentityProvider } from "@smithy/types";
@@ -10,7 +11,9 @@ export const ENV_IMDS_DISABLED = "AWS_EC2_METADATA_DISABLED";
 /**
  * @internal
  */
-export const remoteProvider = async (init: RemoteProviderInit): Promise<AwsCredentialIdentityProvider> => {
+export const remoteProvider = async (
+  init: RemoteProviderInit | FromHttpOptions
+): Promise<AwsCredentialIdentityProvider> => {
   const { ENV_CMDS_FULL_URI, ENV_CMDS_RELATIVE_URI, fromContainerMetadata, fromInstanceMetadata } = await import(
     "@smithy/credential-provider-imds"
   );