Embed chain continuation flag in provider promise rejections

Author: jeskew

packages/credential-provider/.gitignore

@@ -0,0 +1,4 @@
+/node_modules/
+*.js
+*.js.map
+*.d.ts

packages/credential-provider/__tests__/chain.ts

@@ -1,6 +1,7 @@
 import {chain} from "../lib/chain";
 import {fromCredentials} from "../lib/fromCredentials";
 import {isCredentials} from "../lib/isCredentials";
+import {CredentialError} from "../lib/CredentialError";
 
 describe('chain', () => {
     it('should distill many credential providers into one', async () => {
@@ -15,8 +16,8 @@ describe('chain', () => {
     it('should return the resolved value of the first successful promise', async () => {
         const creds = {accessKeyId: 'foo', secretAccessKey: 'bar'};
         const provider = chain(
-            () => Promise.reject('Move along'),
-            () => Promise.reject('Nothing to see here'),
+            () => Promise.reject(new CredentialError('Move along')),
+            () => Promise.reject(new CredentialError('Nothing to see here')),
             fromCredentials(creds)
         );
 
@@ -26,7 +27,7 @@ describe('chain', () => {
     it('should not invoke subsequent providers one resolves', async () => {
         const creds = {accessKeyId: 'foo', secretAccessKey: 'bar'};
         const providers = [
-            jest.fn(() => Promise.reject('Move along')),
+            jest.fn(() => Promise.reject(new CredentialError('Move along'))),
             jest.fn(() => Promise.resolve(creds)),
             jest.fn(() => fail('This provider should not be invoked'))
         ];

packages/credential-provider/__tests__/fromContainerMetadata.ts

@@ -42,7 +42,9 @@ describe('fromContainerMetadata', () => {
             delete process.env[ENV_CMDS_RELATIVE_URI];
             await fromContainerMetadata()().then(
                 () => { throw new Error('The promise should have been rejected'); },
-                () => { /* promise rejected, as expected */ }
+                err => {
+                    expect((err as any).tryNextLink).toBeFalsy();
+                }
             );
         }
     );

packages/credential-provider/__tests__/fromEnv.ts

@@ -4,6 +4,7 @@ import {
     ENV_SESSION,
     fromEnv,
 } from "../lib/fromEnv";
+import {CredentialError} from "../lib/CredentialError";
 
 const akid = process.env[ENV_KEY];
 const secret = process.env[ENV_SECRET];
@@ -54,4 +55,13 @@ describe('fromEnv', () => {
             );
         }
     );
+
+    it('should flag a lack of credentials as a non-terminal error', async () => {
+        await fromEnv()().then(
+            () => { throw new Error('The promise should have been rejected.'); },
+            err => {
+                expect((err as CredentialError).tryNextLink).toBe(true);
+            }
+        );
+    });
 });

packages/credential-provider/__tests__/fromIni.ts

@@ -13,6 +13,7 @@ import {
     ENV_PROFILE,
     fromIni
 } from "../lib/fromIni";
+import {CredentialError} from "../lib/CredentialError";
 
 const DEFAULT_CREDS = {
     accessKeyId: 'AKIAIOSFODNN7EXAMPLE',
@@ -54,6 +55,15 @@ afterAll(() => {
 });
 
 describe('fromIni', () => {
+    it('should flag a lack of credentials as a non-terminal error', async () => {
+        await fromIni()().then(
+            () => { throw new Error('The promise should have been rejected.'); },
+            err => {
+                expect((err as CredentialError).tryNextLink).toBe(true);
+            }
+        );
+    });
+
     describe('shared credentials file', () => {
         const SIMPLE_CREDS_FILE = `
 [default]
@@ -100,7 +110,7 @@ aws_session_token = ${FOO_CREDS.sessionToken}`.trim();
             async () => {
                 process.env[ENV_CREDENTIALS_PATH] = join('foo', 'bar', 'baz');
                 __addMatcher(
-                    process.env[ENV_CREDENTIALS_PATH], 
+                    process.env[ENV_CREDENTIALS_PATH],
                     SIMPLE_CREDS_FILE
                 );
 
@@ -464,7 +474,7 @@ source_profile = default`.trim()
         });
 
         it(
-            'should reject the promise if no role assumer provided',
+            'should reject the promise with a terminal error if no role assumer provided',
             async () => {
                 __addMatcher(join(homedir(), '.aws', 'credentials'), `
 [default]
@@ -479,7 +489,9 @@ source_profile = bar`.trim()
 
                 await fromIni({profile: 'foo'})().then(
                     () => { throw new Error('The promise should have been rejected'); },
-                    () => { /* Promise rejected as expected */ }
+                    err => {
+                        expect((err as any).tryNextLink).toBeFalsy();
+                    }
                 );
             }
         );
@@ -679,7 +691,7 @@ source_profile = default`.trim()
         );
 
         it(
-            'should reject the promise if a MFA serial is present but no mfaCodeProvider was provided',
+            'should reject the promise with a terminal error if a MFA serial is present but no mfaCodeProvider was provided',
             async () => {
                 const roleArn = 'arn:aws:iam::123456789:role/foo';
                 const mfaSerial = 'mfaSerial';
@@ -702,7 +714,9 @@ source_profile = default`.trim()
 
                 await provider().then(
                     () => { throw new Error('The promise should have been rejected'); },
-                    () => { /* Promise rejected as expected */ }
+                    err => {
+                        expect((err as any).tryNextLink).toBeFalsy();
+                    }
                 );
             }
         );

packages/credential-provider/__tests__/fromInstanceMetadata.ts

@@ -97,8 +97,6 @@ describe('fromInstanceMetadata', () => {
         });
     });
 
-
-
     it('should retry the profile name fetch as necessary', async () => {
         const defaultTimeout = 1000;
         const profile = 'foo-profile';

packages/credential-provider/__tests__/remoteProvider/httpGet.ts

@@ -1,5 +1,6 @@
 import {createServer} from 'http';
 import {httpGet} from "../../lib/remoteProvider/httpGet";
+import {CredentialError} from "../../lib/CredentialError";
 
 const matchers = new Map<string, string>();
 
@@ -55,14 +56,37 @@ describe('httpGet', () => {
             .toEqual(expectedResponse);
     });
 
-    it('should reject the promise if a 404 status code is received', async () => {
-        addMatcher('/fizz', 'buzz');
+    it(
+        'should reject the promise with a non-terminal error if a 404 status code is received',
+        async () => {
+            addMatcher('/fizz', 'buzz');
 
-        await httpGet(`http://localhost:${port}/foo`).then(
-            () => { throw new Error('The promise should have been rejected'); },
-            () => { /* promise rejected, as expected */ }
-        );
-    });
+            await httpGet(`http://localhost:${port}/foo`).then(
+                () => {
+                    throw new Error('The promise should have been rejected');
+                },
+                err => {
+                    expect((err as CredentialError).tryNextLink).toBe(true);
+                }
+            );
+        }
+    );
+
+    it(
+        'should reject the promise with a non-terminal error if the remote server cannot be contacted',
+        async () => {
+            server.close();
+
+            await httpGet(`http://localhost:${port}/foo`).then(
+                () => {
+                    throw new Error('The promise should have been rejected');
+                },
+                err => {
+                    expect((err as CredentialError).tryNextLink).toBe(true);
+                }
+            );
+        }
+    );
 });
 
 

packages/credential-provider/lib/CredentialError.ts

@@ -0,0 +1,5 @@
+export class CredentialError extends Error {
+    constructor(message: string, public readonly tryNextLink: boolean = true) {
+        super(message);
+    }
+}

packages/credential-provider/lib/chain.ts

@@ -1,15 +1,28 @@
-import {CredentialProvider, Credentials} from "@aws/types";
+import {CredentialProvider} from "@aws/types";
+import {CredentialError} from "./CredentialError";
 
-export function chain(...providers: Array<CredentialProvider>): CredentialProvider {
+export function chain(
+    ...providers: Array<CredentialProvider>
+): CredentialProvider {
     return () => {
         providers = providers.slice(0);
         let provider = providers.shift();
         if (provider === undefined) {
-            return Promise.reject<Credentials>('No credential providers in chain');
+            return Promise.reject(new CredentialError(
+                'No credential providers in chain'
+            ));
         }
         let promise = provider();
         while (provider = providers.shift()) {
-            promise = promise.catch(provider);
+            promise = promise.catch((provider => {
+                return (err: CredentialError) => {
+                    if (err.tryNextLink) {
+                        return provider();
+                    }
+
+                    throw err;
+                }
+            })(provider));
         }
 
         return promise;

packages/credential-provider/lib/fromContainerMetadata.ts

@@ -9,6 +9,7 @@ import {
     isImdsCredentials,
 } from './remoteProvider/ImdsCredentials';
 import {retry} from './remoteProvider/retry';
+import {CredentialError} from "./CredentialError";
 
 export const ENV_CMDS_RELATIVE_URI = 'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI';
 
@@ -20,17 +21,20 @@ export function fromContainerMetadata(
         const path = process.env[ENV_CMDS_RELATIVE_URI];
 
         if (!path) {
-            return Promise.reject(new Error('The container metadata credential'
-                + ` provider cannot be used unless the ${ENV_CMDS_RELATIVE_URI}`
-                + ' environment variable is set'));
+            return Promise.reject(new CredentialError(
+                'The container metadata credential provider cannot be used' +
+                ` unless the ${ENV_CMDS_RELATIVE_URI}  environment variable` +
+                ' is set',
+                false
+            ));
         }
 
         return retry(async () => {
             const credsResponse = JSON.parse(
                 await requestFromEcsImds(timeout, path)
             );
             if (!isImdsCredentials(credsResponse)) {
-                throw new Error(
+                throw new CredentialError(
                     'Invalid response received from instance metadata service.'
                 );
             }

packages/credential-provider/lib/fromEnv.ts

@@ -1,4 +1,5 @@
-import {CredentialProvider, Credentials} from "@aws/types";
+import {CredentialProvider} from "@aws/types";
+import {CredentialError} from "./CredentialError";
 
 export const ENV_KEY = 'AWS_ACCESS_KEY_ID';
 export const ENV_SECRET = 'AWS_SECRET_ACCESS_KEY';
@@ -9,13 +10,15 @@ export function fromEnv(): CredentialProvider {
         const accessKeyId: string = process.env[ENV_KEY];
         const secretAccessKey: string = process.env[ENV_SECRET];
         if (accessKeyId && secretAccessKey) {
-            return Promise.resolve<Credentials>({
+            return Promise.resolve({
                 accessKeyId,
                 secretAccessKey,
                 sessionToken: process.env[ENV_SESSION],
             });
         }
 
-        return Promise.reject<Credentials>('Unable to find environment variable credentials.');
+        return Promise.reject(new CredentialError(
+            'Unable to find environment variable credentials.'
+        ));
     };
 }