@aws-sdk/credential-provider-sso 3.21.0 → 3.25.0

package/src/index.spec.ts

@@ -2,10 +2,10 @@ jest.useFakeTimers("modern");
 const now = 1613699814645;
 jest.setSystemTime(now);
 
-const mockParseKnowFiles = jest.fn();
+const mockParseKnownFiles = jest.fn();
 const mockGetMasterProfileName = jest.fn();
-jest.mock("@aws-sdk/credential-provider-ini", () => ({
-  parseKnownFiles: mockParseKnowFiles,
+jest.mock("@aws-sdk/util-credentials", () => ({
+  parseKnownFiles: mockParseKnownFiles,
   getMasterProfileName: mockGetMasterProfileName,
 }));
 
@@ -36,170 +36,232 @@ const toRFC3339String = (date: number): string => {
   return timestamp.replace(/\.[\d]+Z$/, "Z");
 };
 
-describe("fromSSO", () => {
-  const ssoConfig = {
-    sso_start_url: "https:some-url/start",
-    sso_account_id: "1234567890",
-    sso_region: "us-foo-1",
-    sso_role_name: "some-role",
-  };
+describe("fromSSO()", () => {
+  const ssoStartUrl = "https:some-url/start";
+  const ssoAccountId = "1234567890";
+  const ssoRegion = "us-foo-1";
+  const ssoRoleName = "some-role";
   const token = {
-    startUrl: ssoConfig.sso_start_url,
-    region: ssoConfig.sso_region,
+    startUrl: ssoStartUrl,
+    region: ssoRegion,
     accessToken: "base64 encoded string",
     expiresAt: toRFC3339String(now + 60 * 60 * 1000),
   };
+
   beforeEach(() => {
-    mockParseKnowFiles.mockClear();
+    mockParseKnownFiles.mockClear();
     mockGetMasterProfileName.mockClear();
     mockReadFileSync.mockClear();
     mockSSOSend.mockClear();
   });
 
-  it("should fetch credentials from resolved token file", async () => {
-    mockParseKnowFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
-    mockGetMasterProfileName.mockReturnValue("default");
-    mockReadFileSync.mockReturnValue(JSON.stringify(token));
-    const { roleCredentials } = mockRoleCredentials;
-    expect(await fromSSO()()).toEqual({ ...roleCredentials, expiration: new Date(roleCredentials.expiration) });
-    expect(mockReadFileSync.mock.calls[0][0]).toEqual(
-      expect.stringMatching(/fcab95d6966151d97d9ee7776a90d895b5e5fbe6.json$/)
-    );
-    expect(mockReadFileSync.mock.calls[0][1]).toMatchObject({ encoding: "utf-8" });
-    expect(mockGetRoleCredentialsCommand).toHaveBeenCalledWith({
-      accountId: ssoConfig.sso_account_id,
-      roleName: ssoConfig.sso_role_name,
-      accessToken: token.accessToken,
+  describe("load from shared config file", () => {
+    const ssoConfig = {
+      sso_start_url: ssoStartUrl,
+      sso_account_id: ssoAccountId,
+      sso_region: ssoRegion,
+      sso_role_name: ssoRoleName,
+    };
+
+    it("should fetch credentials from resolved token file", async () => {
+      mockParseKnownFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
+      mockGetMasterProfileName.mockReturnValue("default");
+      mockReadFileSync.mockReturnValue(JSON.stringify(token));
+      const { roleCredentials } = mockRoleCredentials;
+      expect(await fromSSO()()).toEqual({ ...roleCredentials, expiration: new Date(roleCredentials.expiration) });
+      expect(mockReadFileSync.mock.calls[0][0]).toEqual(
+        expect.stringMatching(/fcab95d6966151d97d9ee7776a90d895b5e5fbe6.json$/)
+      );
+      expect(mockReadFileSync.mock.calls[0][1]).toMatchObject({ encoding: "utf-8" });
+      expect(mockGetRoleCredentialsCommand).toHaveBeenCalledWith({
+        accountId: ssoConfig.sso_account_id,
+        roleName: ssoConfig.sso_role_name,
+        accessToken: token.accessToken,
+      });
     });
-  });
 
-  it("should allow supplying custom client", async () => {
-    mockParseKnowFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
-    mockGetMasterProfileName.mockReturnValue("default");
-    mockReadFileSync.mockReturnValue(JSON.stringify(token));
-    const newSSOClient = { send: jest.fn().mockReturnValue(Promise.resolve(mockRoleCredentials)) };
-    //@ts-expect-error
-    await fromSSO({ ssoClient: newSSOClient })();
-    expect(newSSOClient.send).toHaveBeenCalled();
-    expect(mockSSOSend).not.toHaveBeenCalled();
-  });
+    it("should allow supplying custom client", async () => {
+      mockParseKnownFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
+      mockGetMasterProfileName.mockReturnValue("default");
+      mockReadFileSync.mockReturnValue(JSON.stringify(token));
+      const newSSOClient = { send: jest.fn().mockReturnValue(Promise.resolve(mockRoleCredentials)) };
+      //@ts-expect-error
+      await fromSSO({ ssoClient: newSSOClient })();
+      expect(newSSOClient.send).toHaveBeenCalled();
+      expect(mockSSOSend).not.toHaveBeenCalled();
+    });
 
-  it("should throw if profile doesn't exist in the config files", () => {
-    const profile = "exist";
-    mockParseKnowFiles.mockReturnValue(Promise.resolve({ non_exist: { foo: "bar" } }));
-    mockGetMasterProfileName.mockReturnValue(profile);
-    return expect(async () => {
-      await fromSSO()();
-    }).rejects.toMatchObject({
-      message: `Profile ${profile} could not be found in shared credentials file.`,
-      tryNextLink: true,
+    it("should throw if profile doesn't exist in the config files", () => {
+      const profile = "exist";
+      mockParseKnownFiles.mockReturnValue(Promise.resolve({ non_exist: { foo: "bar" } }));
+      mockGetMasterProfileName.mockReturnValue(profile);
+      return expect(async () => {
+        await fromSSO()();
+      }).rejects.toMatchObject({
+        name: "CredentialsProviderError",
+        message: expect.stringContaining("Profile exist is not configured with SSO credentials"),
+        tryNextLink: true,
+      });
     });
-  });
 
-  it("should throw if profile is not configured with SSO credential", () => {
-    const profile = "exist";
-    mockParseKnowFiles.mockReturnValue(Promise.resolve({ [profile]: { foo: "bar" } }));
-    mockGetMasterProfileName.mockReturnValue(profile);
-    return expect(async () => {
-      await fromSSO()();
-    }).rejects.toMatchObject({
-      message: `Profile ${profile} is not configured with SSO credentials.`,
-      tryNextLink: true,
+    it("should throw if profile is not configured with SSO credential", () => {
+      const profile = "exist";
+      mockParseKnownFiles.mockReturnValue(Promise.resolve({ [profile]: { foo: "bar" } }));
+      mockGetMasterProfileName.mockReturnValue(profile);
+      return expect(async () => {
+        await fromSSO()();
+      }).rejects.toMatchObject({
+        message: `Profile ${profile} is not configured with SSO credentials.`,
+        tryNextLink: true,
+      });
     });
-  });
 
-  for (let i = 0; i < Object.keys(ssoConfig).length; i++) {
-    const keyToRemove = Object.keys(ssoConfig)[i];
-    it(`should throw if sso configuration is missing ${keyToRemove}`, async () => {
+    it.each(Object.keys(ssoConfig))("should throw if sso configuration is missing %s", async (keyToRemove) => {
       expect.assertions(2);
       const config = { ...ssoConfig };
       //@ts-ignore
       delete config[keyToRemove];
-      mockParseKnowFiles.mockReturnValue(Promise.resolve({ default: config }));
+      mockParseKnownFiles.mockReturnValue(Promise.resolve({ default: config }));
       mockGetMasterProfileName.mockReturnValue("default");
       try {
         await fromSSO()();
       } catch (e) {
-        expect(e.message).toContain("Profile default does not have valid SSO credentials.");
+        expect(e.message).toContain("Profile is configured with invalid SSO credentials.");
         expect(e.tryNextLink).toBeFalsy();
       }
     });
-  }
 
-  it("should throw if token cache file is not found", async () => {
-    expect.assertions(2);
-    mockReadFileSync.mockImplementation(() => {
-      throw new Error("File not found.");
+    it("should throw if token cache file is not found", async () => {
+      expect.assertions(2);
+      mockReadFileSync.mockImplementation(() => {
+        throw new Error("File not found.");
+      });
+      mockParseKnownFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
+      mockGetMasterProfileName.mockReturnValue("default");
+      try {
+        await fromSSO()();
+      } catch (e) {
+        expect(e.message).toContain(
+          "The SSO session associated with this profile has expired or is otherwise invalid."
+        );
+        expect(e.tryNextLink).toBeFalsy();
+      }
     });
-    mockParseKnowFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
-    mockGetMasterProfileName.mockReturnValue("default");
-    try {
-      await fromSSO()();
-    } catch (e) {
-      expect(e.message).toContain("The SSO session associated with this profile has expired or is otherwise invalid.");
-      expect(e.tryNextLink).toBeFalsy();
-    }
-  });
 
-  it("should throw if token cache file is invalid", async () => {
-    expect.assertions(2);
-    mockReadFileSync.mockReturnValue("invalid JSON content");
-    mockParseKnowFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
-    mockGetMasterProfileName.mockReturnValue("default");
-    try {
-      await fromSSO()();
-    } catch (e) {
-      expect(e.message).toContain("The SSO session associated with this profile has expired or is otherwise invalid.");
-      expect(e.tryNextLink).toBeFalsy();
-    }
-  });
+    it("should throw if token cache file is invalid", async () => {
+      expect.assertions(2);
+      mockReadFileSync.mockReturnValue("invalid JSON content");
+      mockParseKnownFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
+      mockGetMasterProfileName.mockReturnValue("default");
+      try {
+        await fromSSO()();
+      } catch (e) {
+        expect(e.message).toContain(
+          "The SSO session associated with this profile has expired or is otherwise invalid."
+        );
+        expect(e.tryNextLink).toBeFalsy();
+      }
+    });
 
-  it("should throw if token cache is expired", async () => {
-    expect.assertions(2);
-    mockReadFileSync.mockReturnValue({ ...token, expiration: toRFC3339String(now + EXPIRE_WINDOW_MS - 2) });
-    mockParseKnowFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
-    mockGetMasterProfileName.mockReturnValue("default");
-    try {
-      await fromSSO()();
-    } catch (e) {
-      expect(e.message).toContain("The SSO session associated with this profile has expired or is otherwise invalid.");
-      expect(e.tryNextLink).toBeFalsy();
-    }
-  });
+    it("should throw if token cache is expired", async () => {
+      expect.assertions(2);
+      mockReadFileSync.mockReturnValue({ ...token, expiration: toRFC3339String(now + EXPIRE_WINDOW_MS - 2) });
+      mockParseKnownFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
+      mockGetMasterProfileName.mockReturnValue("default");
+      try {
+        await fromSSO()();
+      } catch (e) {
+        expect(e.message).toContain(
+          "The SSO session associated with this profile has expired or is otherwise invalid."
+        );
+        expect(e.tryNextLink).toBeFalsy();
+      }
+    });
 
-  it("should throw if SSO client throws", async () => {
-    expect.assertions(3);
-    mockParseKnowFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
-    mockGetMasterProfileName.mockReturnValue("default");
-    mockReadFileSync.mockReturnValue(JSON.stringify(token));
-    const clientError = new Error("No account is found for the user");
-    //@ts-ignore
-    clientError.$fault = "client";
-    mockSSOSend.mockImplementation(async () => {
-      throw clientError;
+    it("should throw if SSO client throws", async () => {
+      expect.assertions(3);
+      mockParseKnownFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
+      mockGetMasterProfileName.mockReturnValue("default");
+      mockReadFileSync.mockReturnValue(JSON.stringify(token));
+      const clientError = new Error("No account is found for the user");
+      //@ts-ignore
+      clientError.$fault = "client";
+      mockSSOSend.mockImplementation(async () => {
+        throw clientError;
+      });
+      try {
+        await fromSSO()();
+      } catch (e) {
+        expect(e.message).toContain(clientError.message);
+        expect(e.tryNextLink).toBeFalsy();
+        expect(e.$fault).toBe("client");
+      }
+    });
+
+    it("should throw if credentials from SSO client is invalid", async () => {
+      expect.assertions(2);
+      mockReadFileSync.mockReturnValue(JSON.stringify(token));
+      mockParseKnownFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
+      mockGetMasterProfileName.mockReturnValue("default");
+      mockSSOSend.mockResolvedValue({
+        roleCredentials: { ...mockRoleCredentials.roleCredentials, accessKeyId: undefined },
+      });
+      try {
+        await fromSSO()();
+      } catch (e) {
+        expect(e.message).toContain("SSO returns an invalid temporary credential.");
+        expect(e.tryNextLink).toBeFalsy();
+      } finally {
+        mockSSOSend.mockResolvedValue(mockRoleCredentials);
+      }
     });
-    try {
-      await fromSSO()();
-    } catch (e) {
-      expect(e.message).toContain(clientError.message);
-      expect(e.tryNextLink).toBeFalsy();
-      expect(e.$fault).toBe("client");
-    }
   });
 
-  it("should throw if credentials from SSO client is invalid", async () => {
-    expect.assertions(2);
-    mockReadFileSync.mockReturnValue(JSON.stringify(token));
-    mockParseKnowFiles.mockReturnValue(Promise.resolve({ default: ssoConfig }));
-    mockGetMasterProfileName.mockReturnValue("default");
-    mockSSOSend.mockResolvedValue({
-      roleCredentials: { ...mockRoleCredentials.roleCredentials, accessKeyId: undefined },
+  describe("load with sso parameters", () => {
+    it("should fetch credentials from resolved token file without reading shared config file", async () => {
+      mockParseKnownFiles.mockRejectedValue("Should not call parseKnownFiles()");
+      mockGetMasterProfileName.mockRejectedValue("Should not call getMasterProfileName()");
+      mockReadFileSync.mockReturnValue(JSON.stringify(token));
+      const { roleCredentials } = mockRoleCredentials;
+      expect(
+        await fromSSO({
+          ssoStartUrl,
+          ssoAccountId,
+          ssoRegion,
+          ssoRoleName,
+        })()
+      ).toEqual({ ...roleCredentials, expiration: new Date(roleCredentials.expiration) });
+      expect(mockReadFileSync.mock.calls[0][0]).toEqual(
+        expect.stringMatching(/fcab95d6966151d97d9ee7776a90d895b5e5fbe6.json$/)
+      );
+      expect(mockReadFileSync.mock.calls[0][1]).toMatchObject({ encoding: "utf-8" });
+      expect(mockGetRoleCredentialsCommand).toHaveBeenCalledWith({
+        accountId: ssoAccountId,
+        roleName: ssoRoleName,
+        accessToken: token.accessToken,
+      });
     });
-    try {
-      await fromSSO()();
-    } catch (e) {
-      expect(e.message).toContain("SSO returns an invalid temporary credential.");
-      expect(e.tryNextLink).toBeFalsy();
-    }
+
+    it.each(["ssoStartUrl", "ssoAccountId", "ssoRegion", "ssoRoleName"])(
+      "should throw for incomplete sso parameters(missing %s)",
+      (undefinedKey) => {
+        mockParseKnownFiles.mockRejectedValue("Should not call parseKnownFiles()");
+        mockGetMasterProfileName.mockRejectedValue("Should not call getMasterProfileName()");
+        mockReadFileSync.mockReturnValue(JSON.stringify(token));
+        return expect(
+          async () =>
+            await fromSSO({
+              ssoStartUrl,
+              ssoAccountId,
+              ssoRegion,
+              ssoRoleName,
+              ...{ [undefinedKey]: undefined },
+            } as any)()
+        ).rejects.toMatchObject({
+          name: "CredentialsProviderError",
+          message: expect.stringMatching("Incomplete configuration"),
+        });
+      }
+    );
   });
 });

package/src/index.ts

@@ -1,8 +1,8 @@
 import { GetRoleCredentialsCommand, GetRoleCredentialsCommandOutput, SSOClient } from "@aws-sdk/client-sso";
-import { getMasterProfileName, parseKnownFiles, SourceProfileInit } from "@aws-sdk/credential-provider-ini";
 import { CredentialsProviderError } from "@aws-sdk/property-provider";
-import { getHomeDir, ParsedIniData } from "@aws-sdk/shared-ini-file-loader";
+import { getHomeDir, Profile } from "@aws-sdk/shared-ini-file-loader";
 import { CredentialProvider, Credentials } from "@aws-sdk/types";
+import { getMasterProfileName, parseKnownFiles, SourceProfileInit } from "@aws-sdk/util-credentials";
 import { createHash } from "crypto";
 import { readFileSync } from "fs";
 import { join } from "path";
@@ -29,6 +29,27 @@ interface SSOToken {
   startUrl?: string;
 }
 
+export interface SsoCredentialsParameters {
+  /**
+   * The URL to the AWS SSO service.
+   */
+  ssoStartUrl: string;
+
+  /**
+   * The ID of the AWS account to use for temporary credentials.
+   */
+  ssoAccountId: string;
+
+  /**
+   * The AWS region to use for temporary credentials.
+   */
+  ssoRegion: string;
+
+  /**
+   * The name of the AWS role to assume.
+   */
+  ssoRoleName: string;
+}
 export interface FromSSOInit extends SourceProfileInit {
   ssoClient?: SSOClient;
 }
@@ -38,34 +59,44 @@ export interface FromSSOInit extends SourceProfileInit {
  * in ini files.
  */
 export const fromSSO =
-  (init: FromSSOInit = {}): CredentialProvider =>
+  (init: FromSSOInit & Partial<SsoCredentialsParameters> = {} as any): CredentialProvider =>
   async () => {
-    const profiles = await parseKnownFiles(init);
-    return resolveSSOCredentials(getMasterProfileName(init), profiles, init);
+    const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient } = init;
+    if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName) {
+      // Load the SSO config from shared AWS config file.
+      const profiles = await parseKnownFiles(init);
+      const profileName = getMasterProfileName(init);
+      const profile = profiles[profileName];
+      if (!isSsoProfile(profile)) {
+        throw new CredentialsProviderError(`Profile ${profileName} is not configured with SSO credentials.`);
+      }
+      const { sso_start_url, sso_account_id, sso_region, sso_role_name } = validateSsoProfile(profile);
+      return resolveSSOCredentials({
+        ssoStartUrl: sso_start_url,
+        ssoAccountId: sso_account_id,
+        ssoRegion: sso_region,
+        ssoRoleName: sso_role_name,
+        ssoClient: ssoClient,
+      });
+    } else if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName) {
+      throw new CredentialsProviderError(
+        'Incomplete configuration. The fromSSO() argument hash must include "ssoStartUrl",' +
+          ' "ssoAccountId", "ssoRegion", "ssoRoleName"'
+      );
+    } else {
+      return resolveSSOCredentials({ ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient });
+    }
   };
 
-const resolveSSOCredentials = async (
-  profileName: string,
-  profiles: ParsedIniData,
-  options: FromSSOInit
-): Promise<Credentials> => {
-  const profile = profiles[profileName];
-  if (!profile) {
-    throw new CredentialsProviderError(`Profile ${profileName} could not be found in shared credentials file.`);
-  }
-  const { sso_start_url: startUrl, sso_account_id: accountId, sso_region: region, sso_role_name: roleName } = profile;
-  if (!startUrl && !accountId && !region && !roleName) {
-    throw new CredentialsProviderError(`Profile ${profileName} is not configured with SSO credentials.`);
-  }
-  if (!startUrl || !accountId || !region || !roleName) {
-    throw new CredentialsProviderError(
-      `Profile ${profileName} does not have valid SSO credentials. Required parameters "sso_account_id", "sso_region", ` +
-        `"sso_role_name", "sso_start_url". Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,
-      SHOULD_FAIL_CREDENTIAL_CHAIN
-    );
-  }
+const resolveSSOCredentials = async ({
+  ssoStartUrl,
+  ssoAccountId,
+  ssoRegion,
+  ssoRoleName,
+  ssoClient,
+}: FromSSOInit & SsoCredentialsParameters): Promise<Credentials> => {
   const hasher = createHash("sha1");
-  const cacheName = hasher.update(startUrl).digest("hex");
+  const cacheName = hasher.update(ssoStartUrl).digest("hex");
   const tokenFile = join(getHomeDir(), ".aws", "sso", "cache", `${cacheName}.json`);
   let token: SSOToken;
   try {
@@ -81,13 +112,13 @@ const resolveSSOCredentials = async (
     );
   }
   const { accessToken } = token;
-  const sso = options.ssoClient || new SSOClient({ region });
+  const sso = ssoClient || new SSOClient({ region: ssoRegion });
   let ssoResp: GetRoleCredentialsCommandOutput;
   try {
     ssoResp = await sso.send(
       new GetRoleCredentialsCommand({
-        accountId,
-        roleName,
+        accountId: ssoAccountId,
+        roleName: ssoRoleName,
         accessToken,
       })
     );
@@ -100,3 +131,40 @@ const resolveSSOCredentials = async (
   }
   return { accessKeyId, secretAccessKey, sessionToken, expiration: new Date(expiration) };
 };
+
+/**
+ * @internal
+ */
+export interface SsoProfile extends Profile {
+  sso_start_url: string;
+  sso_account_id: string;
+  sso_region: string;
+  sso_role_name: string;
+}
+
+/**
+ * @internal
+ */
+export const validateSsoProfile = (profile: Partial<SsoProfile>): SsoProfile => {
+  const { sso_start_url, sso_account_id, sso_region, sso_role_name } = profile;
+  if (!sso_start_url || !sso_account_id || !sso_region || !sso_role_name) {
+    throw new CredentialsProviderError(
+      `Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", "sso_region", ` +
+        `"sso_role_name", "sso_start_url". Got ${Object.keys(profile).join(
+          ", "
+        )}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,
+      SHOULD_FAIL_CREDENTIAL_CHAIN
+    );
+  }
+  return profile as SsoProfile;
+};
+
+/**
+ * @internal
+ */
+export const isSsoProfile = (arg: Profile): arg is Partial<SsoProfile> =>
+  arg &&
+  (typeof arg.sso_start_url === "string" ||
+    typeof arg.sso_account_id === "string" ||
+    typeof arg.sso_region === "string" ||
+    typeof arg.sso_role_name === "string");