From b3fd4383946b191944c1e9f96b90d5f0bc647655 Mon Sep 17 00:00:00 2001
From: Sami Jaktholm <sjakthol@outlook.com>
Date: Sat, 10 Jun 2023 13:49:04 +0300
Subject: [PATCH] fix(credential-provider-ini): support sso-session based
 profile as source_profile

Previously, when credential-provider-ini resolved credentials for a
source profile, it loaded the profile properties, checked if the profile
was an SSO profile, validated that all required sso_* properties were
present and then resolved credentials with credential-provider-sso
module.

When source profile was an SSO profile that did not use an SSO session,
this logic worked fine as the profile must include all the sso_*
properties for SSO to succeed. However, when source profile was an SSO
profile that used an SSO session, credential-provider-ini only resolved
profile properties directly from the profile but not from the related
SSO session.

This caused sso-session based profiles to fail validation as some of the
required sso_* properties are only defined in the referenced sso-session
section. And hence the provider failed to resolve credentials for SSO
session based source_profiles.

This commit changes credential-provider-ini module to not resolve or
validate SSO profile properties but delegate that all to the
credential-provider-sso module that already contains all the logic
needed to load and resolve profile properties and AWS credentials for
both sso-session and non-sso-session based profiles.

Instead of passing profile properties to credential-provider-sso
fromSSO() method, new version only passes the profile name there and
lets the credential-provider-sso module load and resolve the SSO
profile with the logic that already exist in that module.

Unit tests have been adjusted to function with the updated behavior.

Following scenarios were also tested manually:

* Resolve credentials for SSO profile without sso_session option
* Resolve credentials for SSO profile with sso_session option
* Resolve credentials for an assumed role profile whose source profile
  is an SSO profile without sso_session option
* Resolve credentials for an assumed role profile whose source profile
  is an SSO profile with sso_session option

AWS SDK resolved credentials correctly in all four cases.

Fixes #4757.
---
 .../src/resolveProfileData.spec.ts            |  2 +-
 .../src/resolveProfileData.ts                 |  2 +-
 .../src/resolveSsoCredentials.spec.ts         | 81 ++-----------------
 .../src/resolveSsoCredentials.ts              | 11 +--
 4 files changed, 12 insertions(+), 84 deletions(-)

diff --git a/packages/credential-provider-ini/src/resolveProfileData.spec.ts b/packages/credential-provider-ini/src/resolveProfileData.spec.ts
index 20d6317928e7..397685ee690c 100644
--- a/packages/credential-provider-ini/src/resolveProfileData.spec.ts
+++ b/packages/credential-provider-ini/src/resolveProfileData.spec.ts
@@ -117,6 +117,6 @@ describe(resolveProfileData.name, () => {
     (resolveSsoCredentials as jest.Mock).mockImplementation(() => Promise.resolve(mockCreds));
     const receivedCreds = await resolveProfileData(mockProfileName, mockProfiles, mockOptions);
     expect(receivedCreds).toStrictEqual(mockCreds);
-    expect(resolveSsoCredentials).toHaveBeenCalledWith(mockProfiles[mockProfileName]);
+    expect(resolveSsoCredentials).toHaveBeenCalledWith(mockProfileName);
   });
 });
diff --git a/packages/credential-provider-ini/src/resolveProfileData.ts b/packages/credential-provider-ini/src/resolveProfileData.ts
index b1815e1262be..f5dd121c91d9 100644
--- a/packages/credential-provider-ini/src/resolveProfileData.ts
+++ b/packages/credential-provider-ini/src/resolveProfileData.ts
@@ -51,7 +51,7 @@ export const resolveProfileData = async (
   }
 
   if (isSsoProfile(data)) {
-    return await resolveSsoCredentials(data);
+    return await resolveSsoCredentials(profileName);
   }
 
   // If the profile cannot be parsed or contains neither static credentials
diff --git a/packages/credential-provider-ini/src/resolveSsoCredentials.spec.ts b/packages/credential-provider-ini/src/resolveSsoCredentials.spec.ts
index b030f3c0df7c..ee943ae9170d 100644
--- a/packages/credential-provider-ini/src/resolveSsoCredentials.spec.ts
+++ b/packages/credential-provider-ini/src/resolveSsoCredentials.spec.ts
@@ -19,107 +19,40 @@ describe(isSsoProfile.name, () => {
 });
 
 describe(resolveSsoCredentials.name, () => {
-  const getMockOriginalSsoProfile = () => ({
-    sso_start_url: "mock_sso_start_url",
-    sso_account_id: "mock_sso_account_id",
-    sso_region: "mock_sso_region",
-    sso_role_name: "mock_sso_role_name",
-  });
-
-  const getMockValidatedSsoProfile = <T>(add: T = {} as T) => ({
-    sso_start_url: "mock_validated_sso_start_url",
-    sso_account_id: "mock_validated_sso_account_id",
-    sso_region: "mock_validated_sso_region",
-    sso_role_name: "mock_validated_sso_role_name",
-    ...add,
-  });
-
   afterEach(() => {
     jest.clearAllMocks();
   });
 
-  it("throws error when validation fails", async () => {
-    const mockProfile = getMockOriginalSsoProfile();
-    const expectedError = new Error("error from validateSsoProfile");
-    (validateSsoProfile as jest.Mock).mockImplementation(() => {
-      throw expectedError;
-    });
-    try {
-      await resolveSsoCredentials(mockProfile);
-      fail(`expected ${expectedError}`);
-    } catch (error) {
-      expect(error).toStrictEqual(expectedError);
-    }
-    expect(validateSsoProfile).toHaveBeenCalledWith(mockProfile);
-  });
-
   it("throws error when fromSSO throws error", async () => {
-    const mockProfile = getMockOriginalSsoProfile();
-    const mockValidatedProfile = getMockValidatedSsoProfile();
+    const mockProfileName = "mockProfileName";
     const expectedError = new Error("error from fromSSO");
 
-    (validateSsoProfile as jest.Mock).mockReturnValue(mockValidatedProfile);
     (fromSSO as jest.Mock).mockReturnValue(() => Promise.reject(expectedError));
 
     try {
-      await resolveSsoCredentials(mockProfile);
+      await resolveSsoCredentials(mockProfileName);
       fail(`expected ${expectedError}`);
     } catch (error) {
       expect(error).toStrictEqual(expectedError);
     }
-    expect(validateSsoProfile).toHaveBeenCalledWith(mockProfile);
     expect(fromSSO).toHaveBeenCalledWith({
-      ssoStartUrl: mockValidatedProfile.sso_start_url,
-      ssoAccountId: mockValidatedProfile.sso_account_id,
-      ssoRegion: mockValidatedProfile.sso_region,
-      ssoRoleName: mockValidatedProfile.sso_role_name,
+      profile: mockProfileName,
     });
   });
 
-  it("calls fromSSO when validation succeeds", async () => {
-    const mockProfile = getMockOriginalSsoProfile();
-    const mockValidatedProfile = getMockValidatedSsoProfile();
-
+  it("calls fromSSO", async () => {
+    const mockProfileName = "mockProfileName";
     const mockCreds: AwsCredentialIdentity = {
       accessKeyId: "mockAccessKeyId",
       secretAccessKey: "mockSecretAccessKey",
     };
 
-    (validateSsoProfile as jest.Mock).mockReturnValue(mockValidatedProfile);
     (fromSSO as jest.Mock).mockReturnValue(() => Promise.resolve(mockCreds));
 
-    const receivedCreds = await resolveSsoCredentials(mockProfile);
+    const receivedCreds = await resolveSsoCredentials(mockProfileName);
     expect(receivedCreds).toStrictEqual(mockCreds);
-    expect(validateSsoProfile).toHaveBeenCalledWith(mockProfile);
-    expect(fromSSO).toHaveBeenCalledWith({
-      ssoStartUrl: mockValidatedProfile.sso_start_url,
-      ssoAccountId: mockValidatedProfile.sso_account_id,
-      ssoRegion: mockValidatedProfile.sso_region,
-      ssoRoleName: mockValidatedProfile.sso_role_name,
-    });
-  });
-
-  it("calls fromSSO with optional sso session name", async () => {
-    const mockProfile = getMockOriginalSsoProfile();
-    const mockValidatedProfile = getMockValidatedSsoProfile({
-      sso_session: "test-session",
-    });
-
-    const mockCreds: AwsCredentialIdentity = {
-      accessKeyId: "mockAccessKeyId",
-      secretAccessKey: "mockSecretAccessKey",
-    };
-
-    (validateSsoProfile as jest.Mock).mockReturnValue(mockValidatedProfile);
-    (fromSSO as jest.Mock).mockReturnValue(() => Promise.resolve(mockCreds));
-
-    await resolveSsoCredentials(mockProfile);
     expect(fromSSO).toHaveBeenCalledWith({
-      ssoStartUrl: mockValidatedProfile.sso_start_url,
-      ssoAccountId: mockValidatedProfile.sso_account_id,
-      ssoRegion: mockValidatedProfile.sso_region,
-      ssoRoleName: mockValidatedProfile.sso_role_name,
-      ssoSession: mockValidatedProfile.sso_session,
+      profile: mockProfileName,
     });
   });
 });
diff --git a/packages/credential-provider-ini/src/resolveSsoCredentials.ts b/packages/credential-provider-ini/src/resolveSsoCredentials.ts
index 50742e9ed448..1151f7b89315 100644
--- a/packages/credential-provider-ini/src/resolveSsoCredentials.ts
+++ b/packages/credential-provider-ini/src/resolveSsoCredentials.ts
@@ -4,15 +4,10 @@ import type { Profile } from "@smithy/types";
 /**
  * @internal
  */
-export const resolveSsoCredentials = async (data: Partial<SsoProfile>) => {
-  const { fromSSO, validateSsoProfile } = await import("@aws-sdk/credential-provider-sso");
-  const { sso_start_url, sso_account_id, sso_session, sso_region, sso_role_name } = validateSsoProfile(data);
+export const resolveSsoCredentials = async (profile: string) => {
+  const { fromSSO } = await import("@aws-sdk/credential-provider-sso");
   return fromSSO({
-    ssoStartUrl: sso_start_url,
-    ssoAccountId: sso_account_id,
-    ssoSession: sso_session,
-    ssoRegion: sso_region,
-    ssoRoleName: sso_role_name,
+    profile,
   })();
 };