feat(sso): use SSOTokenProvider in SSOCredentialProvider implementation

Author: kuhe

packages/credential-provider-ini/src/resolveSsoCredentials.spec.ts

@@ -24,12 +24,14 @@ describe(resolveSsoCredentials.name, () => {
     sso_role_name: "mock_sso_role_name",
   });
 
-  const getMockValidatedSsoProfile = () => ({
-    sso_start_url: "mock_validated_sso_start_url",
-    sso_account_id: "mock_validated_sso_account_id",
-    sso_region: "mock_validated_sso_region",
-    sso_role_name: "mock_validated_sso_role_name",
-  });
+  const getMockValidatedSsoProfile = <T>(add: T = {} as T) =>
+    ({
+      sso_start_url: "mock_validated_sso_start_url",
+      sso_account_id: "mock_validated_sso_account_id",
+      sso_region: "mock_validated_sso_region",
+      sso_role_name: "mock_validated_sso_role_name",
+      ...add,
+    });
 
   afterEach(() => {
     jest.clearAllMocks();
@@ -95,4 +97,28 @@ describe(resolveSsoCredentials.name, () => {
       ssoRoleName: mockValidatedProfile.sso_role_name,
     });
   });
+
+  it("calls fromSSO with optional sso session name", async () => {
+    const mockProfile = getMockOriginalSsoProfile();
+    const mockValidatedProfile = getMockValidatedSsoProfile({
+      sso_session: "test-session",
+    });
+
+    const mockCreds: Credentials = {
+      accessKeyId: "mockAccessKeyId",
+      secretAccessKey: "mockSecretAccessKey",
+    };
+
+    (validateSsoProfile as jest.Mock).mockReturnValue(mockValidatedProfile);
+    (fromSSO as jest.Mock).mockReturnValue(() => Promise.resolve(mockCreds));
+
+    await resolveSsoCredentials(mockProfile);
+    expect(fromSSO).toHaveBeenCalledWith({
+      ssoStartUrl: mockValidatedProfile.sso_start_url,
+      ssoAccountId: mockValidatedProfile.sso_account_id,
+      ssoRegion: mockValidatedProfile.sso_region,
+      ssoRoleName: mockValidatedProfile.sso_role_name,
+      ssoSession: mockValidatedProfile.sso_session,
+    });
+  });
 });

packages/credential-provider-sso/package.json

@@ -27,6 +27,7 @@
     "@aws-sdk/client-sso": "*",
     "@aws-sdk/property-provider": "*",
     "@aws-sdk/shared-ini-file-loader": "*",
+    "@aws-sdk/token-providers": "*",
     "@aws-sdk/types": "*",
     "tslib": "^2.3.1"
   },

packages/credential-provider-sso/src/fromSSO.spec.ts

@@ -27,6 +27,8 @@ describe(fromSSO.name, () => {
     secretAccessKey: "mockSecretAccessKey",
   };
 
+  const mockProfileName = "mockProfileName";
+
   beforeEach(() => {
     (resolveSSOCredentials as jest.Mock).mockResolvedValue(mockCreds);
   });
@@ -36,7 +38,6 @@ describe(fromSSO.name, () => {
   });
 
   describe("all sso* values are not set", () => {
-    const mockProfileName = "mockProfileName";
     const mockInit = { profile: mockProfileName };
     const mockProfiles = { [mockProfileName]: mockSsoProfile };
 
@@ -97,6 +98,8 @@ describe(fromSSO.name, () => {
         ssoAccountId: mockValidatedSsoProfile.sso_account_id,
         ssoRegion: mockValidatedSsoProfile.sso_region,
         ssoRoleName: mockValidatedSsoProfile.sso_role_name,
+        profile: mockProfileName,
+        ssoSession: undefined,
       });
     });
   });
@@ -117,7 +120,12 @@ describe(fromSSO.name, () => {
   });
 
   it("calls resolveSSOCredentials if all sso* values are set", async () => {
-    const mockOptions = { ...mockSsoProfile, ssoClient: mockSsoClient };
+    const mockOptions = {
+      ...mockSsoProfile,
+      ssoClient: mockSsoClient,
+      profile: mockProfileName,
+      ssoSession: "sso-session-name",
+    };
     const receivedCreds = await fromSSO(mockOptions)();
     expect(receivedCreds).toStrictEqual(mockCreds);
     expect(resolveSSOCredentials).toHaveBeenCalledWith(mockOptions);

packages/credential-provider-sso/src/fromSSO.ts

@@ -1,6 +1,11 @@
 import { SSOClient } from "@aws-sdk/client-sso";
 import { CredentialsProviderError } from "@aws-sdk/property-provider";
-import { getProfileName, parseKnownFiles, SourceProfileInit } from "@aws-sdk/shared-ini-file-loader";
+import {
+  getProfileName,
+  loadSsoSessionData,
+  parseKnownFiles,
+  SourceProfileInit,
+} from "@aws-sdk/shared-ini-file-loader";
 import { CredentialProvider } from "@aws-sdk/types";
 
 import { isSsoProfile } from "./isSsoProfile";
@@ -72,15 +77,26 @@ export const fromSSO =
   (init: FromSSOInit & Partial<SsoCredentialsParameters> = {}): CredentialProvider =>
   async () => {
     const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, ssoSession } = init;
+    const profileName = getProfileName(init);
+
     if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName && !ssoSession) {
       // Load the SSO config from shared AWS config file.
       const profiles = await parseKnownFiles(init);
-      const profileName = getProfileName(init);
       const profile = profiles[profileName];
 
-      // TODO(sso): merge [sso-session X] data into the profile if sso_session exists in it.
-      // TODO(sso): if the sso profile and the sso-session both have region and start URL,
-      // TODO(sso):    they must match or an error shall be thrown.
+      if (profile.sso_session) {
+        const ssoSessions = await loadSsoSessionData(init);
+        const session = ssoSessions[profile.sso_session];
+        const conflictMsg = ` configurations in profile ${profileName} and sso-session ${profile.sso_session}`;
+        if (ssoRegion && ssoRegion !== session.sso_region) {
+          throw new Error(`Conflicting SSO region` + conflictMsg);
+        }
+        if (ssoStartUrl && ssoStartUrl !== session.sso_start_url) {
+          throw new Error(`Conflicting SSO start url` + conflictMsg);
+        }
+        profile.sso_region = session.sso_region;
+        profile.sso_start_url = session.sso_start_url;
+      }
 
       if (!isSsoProfile(profile)) {
         throw new CredentialsProviderError(`Profile ${profileName} is not configured with SSO credentials.`);
@@ -94,13 +110,22 @@ export const fromSSO =
         ssoRegion: sso_region,
         ssoRoleName: sso_role_name,
         ssoClient: ssoClient,
+        profile: profileName,
       });
-    } else if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName || !ssoSession) {
+    } else if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName) {
       throw new CredentialsProviderError(
-        'Incomplete configuration. The fromSSO() argument hash must include "ssoAccountId",' +
-          ' "ssoRegion", "ssoRoleName", and one of "ssoStartUrl" or "ssoSession".'
+        "Incomplete configuration. The fromSSO() argument hash must include " +
+          '"ssoStartUrl", "ssoAccountId", "ssoRegion", "ssoRoleName"'
       );
     } else {
-      return resolveSSOCredentials({ ssoStartUrl, ssoSession, ssoAccountId, ssoRegion, ssoRoleName, ssoClient });
+      return resolveSSOCredentials({
+        ssoStartUrl,
+        ssoSession,
+        ssoAccountId,
+        ssoRegion,
+        ssoRoleName,
+        ssoClient,
+        profile: profileName,
+      });
     }
   };

packages/credential-provider-sso/src/isSsoProfile.spec.ts

@@ -5,7 +5,7 @@ describe(isSsoProfile.name, () => {
     expect(isSsoProfile({})).toEqual(false);
   });
 
-  it.each(["sso_start_url", "sso_account_id", "sso_region", "sso_role_name"])(
+  it.each(["sso_start_url", "sso_account_id", "sso_region", "sso_session", "sso_role_name"])(
     "returns true if value at '%s' is of type string",
     (key) => {
       expect(isSsoProfile({ [key]: "string" })).toEqual(true);

packages/credential-provider-sso/src/resolveSSOCredentials.spec.ts

@@ -1,11 +1,22 @@
 import { GetRoleCredentialsCommand, SSOClient } from "@aws-sdk/client-sso";
 import { CredentialsProviderError } from "@aws-sdk/property-provider";
 import { getSSOTokenFromFile } from "@aws-sdk/shared-ini-file-loader";
+import * as tokenProviders from "@aws-sdk/token-providers";
 
 import { resolveSSOCredentials } from "./resolveSSOCredentials";
 
 jest.mock("@aws-sdk/shared-ini-file-loader");
 jest.mock("@aws-sdk/client-sso");
+jest.mock("@aws-sdk/token-providers", () => {
+  return {
+    fromSso: jest.fn(() => async () => {
+      return {
+        token: "mockAccessToken",
+        expiration: new Date(Date.now() + 6_000_000),
+      };
+    }),
+  };
+});
 
 describe(resolveSSOCredentials.name, () => {
   const mockToken = {
@@ -57,6 +68,16 @@ describe(resolveSSOCredentials.name, () => {
     }
   });
 
+  it("uses the SSOTokenProvider if SSO Session name is present", async () => {
+    await resolveSSOCredentials({
+      ...mockOptions,
+      ssoSession: "test-sso-session",
+    });
+    expect(tokenProviders.fromSso).toHaveBeenCalledWith({
+      profile: undefined,
+    });
+  });
+
   describe("throws error on expiration", () => {
     afterEach(async () => {
       const expectedError = new CredentialsProviderError(
@@ -134,18 +155,15 @@ describe(resolveSSOCredentials.name, () => {
     });
 
     it("returns valid credentials from sso.getRoleCredentials", async () => {
-      const receivedCreds = await resolveSSOCredentials(mockOptions);
-      expect(receivedCreds).toStrictEqual(receivedCreds);
+      await resolveSSOCredentials(mockOptions);
       expect(mockSsoSend).toHaveBeenCalledTimes(1);
     });
 
     it("creates SSO client with provided region, if client is not passed", async () => {
       const mockCustomSsoSend = jest.fn().mockResolvedValue({ roleCredentials: mockCreds });
       (SSOClient as jest.Mock).mockReturnValue({ send: mockCustomSsoSend });
 
-      const receivedCreds = await resolveSSOCredentials({ ...mockOptions, ssoClient: undefined });
-      expect(receivedCreds).toStrictEqual(receivedCreds);
-
+      await resolveSSOCredentials({ ...mockOptions, ssoClient: undefined });
       expect(mockCustomSsoSend).toHaveBeenCalledTimes(1);
     });
   });

packages/credential-provider-sso/src/resolveSSOCredentials.ts

@@ -1,6 +1,7 @@
 import { GetRoleCredentialsCommand, GetRoleCredentialsCommandOutput, SSOClient } from "@aws-sdk/client-sso";
 import { CredentialsProviderError } from "@aws-sdk/property-provider";
 import { getSSOTokenFromFile, SSOToken } from "@aws-sdk/shared-ini-file-loader";
+import { fromSso as getSsoTokenProvider } from "@aws-sdk/token-providers";
 import { Credentials } from "@aws-sdk/types";
 
 import { FromSSOInit, SsoCredentialsParameters } from "./fromSSO";
@@ -15,27 +16,43 @@ const EXPIRE_WINDOW_MS = 15 * 60 * 1000;
 
 const SHOULD_FAIL_CREDENTIAL_CHAIN = false;
 
+/**
+ * @private
+ */
 export const resolveSSOCredentials = async ({
   ssoStartUrl,
   ssoSession,
   ssoAccountId,
   ssoRegion,
   ssoRoleName,
   ssoClient,
+  profile,
 }: FromSSOInit & SsoCredentialsParameters): Promise<Credentials> => {
   let token: SSOToken;
   const refreshMessage = `To refresh this SSO session run aws sso login with the corresponding profile.`;
-  try {
-    // TODO(sso): if (ssoSession)
-    // TODO(sso): { use SSOTokenProvider }
 
-    // TODO(sso): else
-    token = await getSSOTokenFromFile(ssoStartUrl);
-  } catch (e) {
-    throw new CredentialsProviderError(
-      `The SSO session associated with this profile is invalid. ${refreshMessage}`,
-      SHOULD_FAIL_CREDENTIAL_CHAIN
-    );
+  if (ssoSession) {
+    try {
+      const _token = await getSsoTokenProvider({ profile })();
+      token = {
+        accessToken: _token.token,
+        expiresAt: new Date(_token.expiration!).toISOString(),
+      };
+    } catch (e) {
+      throw new CredentialsProviderError(
+        `The SSO session ${ssoSession} for this profile is invalid. ${refreshMessage}\n` + String(e),
+        SHOULD_FAIL_CREDENTIAL_CHAIN
+      );
+    }
+  } else {
+    try {
+      token = await getSSOTokenFromFile(ssoStartUrl);
+    } catch (e) {
+      throw new CredentialsProviderError(
+        `The SSO session associated with this profile is invalid. ${refreshMessage}`,
+        SHOULD_FAIL_CREDENTIAL_CHAIN
+      );
+    }
   }
 
   if (new Date(token.expiresAt).getTime() - Date.now() <= EXPIRE_WINDOW_MS) {

packages/credential-provider-sso/src/types.ts

@@ -16,7 +16,7 @@ export interface SSOToken {
  * @internal
  */
 export interface SsoProfile extends Profile {
-  sso_start_url?: string;
+  sso_start_url: string;
   sso_session?: string;
   sso_account_id: string;
   sso_region: string;

packages/credential-provider-sso/src/validateSsoProfile.spec.ts

@@ -17,7 +17,7 @@ describe(validateSsoProfile.name, () => {
   });
 
   it.each(["sso_start_url", "sso_account_id", "sso_region", "sso_role_name"])(
-    "throws is '%s' is missing from profile",
+    "throws if '%s' is missing from profile",
     (key) => {
       const profileToVerify = getMockSsoProfile();
       delete profileToVerify[key];
@@ -26,13 +26,22 @@ describe(validateSsoProfile.name, () => {
         validateSsoProfile(profileToVerify);
       }).toThrowError(
         new CredentialsProviderError(
-          `Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", "sso_region", ` +
-            `"sso_role_name", "sso_start_url". Got ${Object.keys(profileToVerify).join(
+          `Profile is configured with invalid SSO credentials. Required parameters ` +
+            `"sso_account_id", "sso_region", "sso_role_name", "sso_start_url". Got ${Object.keys(profileToVerify).join(
               ", "
             )}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,
           false
         )
       );
     }
   );
+
+  it.each(["sso_session"])("does not throw if '%s' is missing from profile", (key) => {
+    const profileToVerify = getMockSsoProfile();
+    delete profileToVerify[key];
+
+    expect(() => {
+      validateSsoProfile(profileToVerify);
+    }).not.toThrowError();
+  });
 });

packages/credential-provider-sso/src/validateSsoProfile.ts

@@ -6,13 +6,13 @@ import { SsoProfile } from "./types";
  * @internal
  */
 export const validateSsoProfile = (profile: Partial<SsoProfile>): SsoProfile => {
-  const { sso_start_url, sso_account_id, sso_session, sso_region, sso_role_name } = profile;
-  if ((!sso_start_url && !sso_session) || !sso_account_id || !sso_region || !sso_role_name) {
+  const { sso_start_url, sso_account_id, sso_region, sso_role_name } = profile;
+  if (!sso_start_url || !sso_account_id || !sso_region || !sso_role_name) {
     throw new CredentialsProviderError(
-      `Profile is configured with invalid SSO credentials. Required parameters "sso_region", ` +
-        `"sso_role_name", "sso_account_id", and one of "sso_start_url" or "sso_session". Got ${Object.keys(
-          profile
-        ).join(", ")}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,
+      `Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", ` +
+        `"sso_region", "sso_role_name", "sso_start_url". Got ${Object.keys(profile).join(
+          ", "
+        )}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,
       false
     );
   }

packages/token-providers/src/fromSso.ts

@@ -68,7 +68,7 @@ export const fromSso =
 
     let ssoToken: SSOToken;
     try {
-      ssoToken = await getSSOTokenFromFile(ssoSessionName);
+      ssoToken = await getSSOTokenFromFile(ssoStartUrl);
     } catch (e) {
       throw new TokenProviderError(
         `The SSO session associated with this profile is invalid. ${REFRESH_MESSAGE}`,