Ensure master credentials are refreshed before refreshing temporary c…
…redentials (#1389)

* Ensure master credentials are refreshed before refreshing temporary credentials

* Add changelog entry
jeskew authored Mar 10, 2017
1 parent fb2fef7 commit 373a148
Showing 4 changed files with 38 additions and 15 deletions.
@@ -0,0 +1,5 @@
{
"type": "bugfix",
"category": "TemporaryCredentials",
"description": "Ensure master credentials are not expired before using them to refresh temporary credentials"
}
14 changes: 7 additions & 7 deletions lib/credentials.d.ts
@@ -36,26 +36,26 @@ export class Credentials {
/**
* AWS access key ID.
*/
accessKeyId: string
accessKeyId: string;
/**
* Whether the credentials have been expired and require a refresh.
* Used in conjunction with expireTime.
*/
expired: boolean
expired: boolean;
/**
* Time when credentials should be considered expired.
* Used in conjunction with expired.
*/
expireTime: Date
static expiryWindow: number
expireTime: Date;
static expiryWindow: number;
/**
* AWS secret access key.
*/
secretAccessKey: string
secretAccessKey: string;
/**
* AWS session token.
*/
sessionToken: string
sessionToken: string;
}

interface CredentialsOptions {
@@ -71,4 +71,4 @@ interface CredentialsOptions {
* AWS session token.
*/
sessionToken?: string
}
}
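--- a/lib/credentials/temporary_credentials.js
+++ b/lib/credentials/temporary_credentials.js
@@ -83,14 +83,16 @@ AWS.TemporaryCredentials = AWS.util.inherit(AWS.Credentials, {
 self.createClients();
 if (!callback) callback = function(err) { if (err) throw err; };
 
-self.service.config.credentials = self.masterCredentials;
-var operation = self.params.RoleArn ?
-self.service.assumeRole : self.service.getSessionToken;
-operation.call(self.service, function (err, data) {
-if (!err) {
-self.service.credentialsFrom(data, self);
-}
-callback(err);
+self.masterCredentials.get(function() {
+self.service.config.credentials = self.masterCredentials;
+var operation = self.params.RoleArn ?
+self.service.assumeRole : self.service.getSessionToken;
+operation.call(self.service, function (err, data) {
+if (!err) {
+self.service.credentialsFrom(data, self);
+}
+callback(err);
+});
 });
 },
 
@@ -102,6 +104,10 @@ AWS.TemporaryCredentials = AWS.util.inherit(AWS.Credentials, {
 while (this.masterCredentials.masterCredentials) {
 this.masterCredentials = this.masterCredentials.masterCredentials;
 }
+
+if (typeof this.masterCredentials.get !== 'function') {
+this.masterCredentials = new AWS.Credentials(this.masterCredentials);
+}
 },
 
 /**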
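Review bot: The callback passed to `self.masterCredentials.get(function() {` takes no error argument, so a failed refresh of the master credentials is dropped and the STS call still goes ahead with credentials that may be expired. The caller then sees whatever error the STS request produces, if any, rather than the refresh failure that caused it. Accepting the error and returning early keeps the cause visible: `self.masterCredentials.get(function (err) { if (err) return callback(err);`. The enclosing method's signature is above the hunk, but `callback` is given a default on the context line just before, so the early return is always callable.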
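--- a/test/credentials.spec.coffee
+++ b/test/credentials.spec.coffee
@@ -664,6 +664,18 @@ describe 'AWS.TemporaryCredentials', ->
 creds.refresh ->
 expect(spy.calls.length).to.equal(4)
 
+it 'should refresh expired master credentials when refreshing self', ->
+masterCreds = new AWS.Credentials('akid', 'secret')
+masterCreds.expired = true;
+refreshSpy = helpers.spyOn(masterCreds, 'refresh')
+
+creds = new AWS.TemporaryCredentials({RoleArn: 'ARN'}, masterCreds);
+creds.createClients()
+mockSTS(new Date(AWS.util.date.getDate().getTime() + 100000),
+RoleArn: 'ARN', RoleSessionName: 'temporary-credentials')
+creds.refresh(->)
+expect(refreshSpy.calls.length).to.equal(1)
+
 describe 'AWS.WebIdentityCredentials', ->
 creds = null
 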
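Review bot: The new case asserts only `expect(refreshSpy.calls.length).to.equal(1)`, which shows that `refresh` on the master credentials was called but not that it ran before the STS request, nor what `creds.refresh` hands to its callback when the master refresh fails. A second case would pin the failure path: have the spied `refresh` call back with an error and expect the callback given to `creds.refresh` to receive it. The trailing semicolons on `masterCreds.expired = true;` and on the `new AWS.TemporaryCredentials(...)` line are also out of step with the neighbouring lines of this spec.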
