From 373a1481d3d281895ac686e74f29a6181c4d6a84 Mon Sep 17 00:00:00 2001
From: Jonathan Eskew
Date: Thu, 9 Mar 2017 17:25:03 -0800
Subject: [PATCH] Ensure master credentials are refreshed before refreshing temporary credentials (#1389)
* Ensure master credentials are refreshed before refreshing temporary credentials
* Add changelog entry
---
.../bugfix-TemporaryCredentials-685384e2.json | 5 +++++
lib/credentials.d.ts | 14 ++++++------
lib/credentials/temporary_credentials.js | 22 ++++++++++++-------
test/credentials.spec.coffee | 12 ++++++++++
4 files changed, 38 insertions(+), 15 deletions(-)
create mode 100644 .changes/next-release/bugfix-TemporaryCredentials-685384e2.json
diff --git a/.changes/next-release/bugfix-TemporaryCredentials-685384e2.json b/.changes/next-release/bugfix-TemporaryCredentials-685384e2.json
new file mode 100644
index 0000000000..c281780f46
--- /dev/null
+++ b/.changes/next-release/bugfix-TemporaryCredentials-685384e2.json
@@ -0,0 +1,5 @@
+{
+ "type": "bugfix",
+ "category": "TemporaryCredentials",
+ "description": "Ensure master credentials are not expired before using them to refresh temporary credentials"
+}
\ No newline at end of file
diff --git a/lib/credentials.d.ts b/lib/credentials.d.ts
index ccfbcbca1b..090fe07ae2 100644
--- a/lib/credentials.d.ts
+++ b/lib/credentials.d.ts
@@ -36,26 +36,26 @@ export class Credentials {
 /**
 * AWS access key ID.
 */
- accessKeyId: string
+ accessKeyId: string;
 /**
 * Whether the credentials have been expired and require a refresh.
 * Used in conjunction with expireTime.
 */
- expired: boolean
+ expired: boolean;
 /**
 * Time when credentials should be considered expired.
 * Used in conjunction with expired.
 */
- expireTime: Date
- static expiryWindow: number
+ expireTime: Date;
+ static expiryWindow: number;
 /**
 * AWS secret access key.
 */
- secretAccessKey: string
+ secretAccessKey: string;
 /**
 * AWS session token.
 */
- sessionToken: string
+ sessionToken: string;
 }
 interface CredentialsOptions {
@@ -71,4 +71,4 @@ interface CredentialsOptions {
 * AWS session token.
 */
 sessionToken?: string
-}
\ No newline at end of file
+}
diff --git a/lib/credentials/temporary_credentials.js b/lib/credentials/temporary_credentials.js
index bc8f342bd6..f396fabd6c 100644
--- a/lib/credentials/temporary_credentials.js
+++ b/lib/credentials/temporary_credentials.js
@@ -83,14 +83,16 @@ AWS.TemporaryCredentials = AWS.util.inherit(AWS.Credentials, {
 self.createClients();
 if (!callback) callback = function(err) { if (err) throw err; };
- self.service.config.credentials = self.masterCredentials;
- var operation = self.params.RoleArn ?
- self.service.assumeRole : self.service.getSessionToken;
- operation.call(self.service, function (err, data) {
- if (!err) {
- self.service.credentialsFrom(data, self);
- }
- callback(err);
+ self.masterCredentials.get(function() {
+ self.service.config.credentials = self.masterCredentials;
+ var operation = self.params.RoleArn ?
+ self.service.assumeRole : self.service.getSessionToken;
+ operation.call(self.service, function (err, data) {
+ if (!err) {
+ self.service.credentialsFrom(data, self);
+ }
+ callback(err);
+ });
 });
 },
@@ -102,6 +104,10 @@ AWS.TemporaryCredentials = AWS.util.inherit(AWS.Credentials, {
 while (this.masterCredentials.masterCredentials) {
 this.masterCredentials = this.masterCredentials.masterCredentials;
 }
+
+ if (typeof this.masterCredentials.get !== 'function') {
+ this.masterCredentials = new AWS.Credentials(this.masterCredentials);
+ }
 },
 /**
diff --git a/test/credentials.spec.coffee b/test/credentials.spec.coffee
index 59459c108b..e85b875153 100644
--- a/test/credentials.spec.coffee
+++ b/test/credentials.spec.coffee
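Review bot: The callback passed to `self.masterCredentials.get` in the first hunk of lib/credentials/temporary_credentials.js declares no parameters, so any error `get` reports while refreshing the master credentials is discarded. The STS call then still goes out with master credentials that may be expired, and the caller sees an STS signing or authorization failure instead of the root cause. I would change the first line to `self.masterCredentials.get(function(err) {` and add `if (err) return callback(err);` before `self.service.config.credentials` is assigned. If ignoring the error is deliberate, a one-line comment saying why would keep the next reader from "fixing" it. The enclosing function starts outside the hunk.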
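Review bot: The new `typeof this.masterCredentials.get !== 'function'` branch in the second hunk has no comment, and the reason for it is only visible by reading the refresh change above. I would add `// masterCredentials may be a plain { accessKeyId, secretAccessKey, sessionToken } hash; wrap it so refresh can call .get() on it` above the `if`. It is also worth noting there that the wrapper is a copy made when the clients are created, so later changes to the caller's original object are presumably not picked up. The enclosing function starts outside the hunk.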
@@ -664,6 +664,18 @@ describe 'AWS.TemporaryCredentials', ->
 creds.refresh ->
 expect(spy.calls.length).to.equal(4)
+ it 'should refresh expired master credentials when refreshing self', ->
+ masterCreds = new AWS.Credentials('akid', 'secret')
+ masterCreds.expired = true;
+ refreshSpy = helpers.spyOn(masterCreds, 'refresh')
+
+ creds = new AWS.TemporaryCredentials({RoleArn: 'ARN'}, masterCreds);
+ creds.createClients()
+ mockSTS(new Date(AWS.util.date.getDate().getTime() + 100000),
+ RoleArn: 'ARN', RoleSessionName: 'temporary-credentials')
+ creds.refresh(->)
+ expect(refreshSpy.calls.length).to.equal(1)
+
 describe 'AWS.WebIdentityCredentials', ->
 creds = null
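Review bot: The new spec only asserts that `refresh` was called once on the master credentials, so it leaves the other behaviour change in this commit untested: `createClients` wrapping a plain credentials hash in `new AWS.Credentials`. A second case would pin that: build `creds = new AWS.TemporaryCredentials({RoleArn: 'ARN'}, {accessKeyId: 'akid', secretAccessKey: 'secret'})`, call `creds.createClients()`, then `expect(typeof creds.masterCredentials.get).to.equal('function')`. Whether `refreshSpy` calls through to the real `refresh` is not visible here; if it does not, this spec also does not show that the STS request is issued after the master refresh completes. A case where the master refresh fails would document what error the caller of `creds.refresh` is expected to receive.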