chore: make tests work with new SDKv3 version (#33016)
In a recent upgrade of the SDKv3, the INI credential provider has gotten
a private copy of the STS Client, to make AssumeRole calls with. This
means the STS Client used by the INI provider is now unmockable.

In #31702, we migrated the tests of the credentials chain mostly to
using mocks, as opposed to what it was doing in the past: intercepting
network traffic and emulating a fake STS Endpoint. These tests now start
failing due to an SDK upgrade.

Fortunately, most of the old code was still there, so in this change I'm
ripping out the STS Mocking and doing a couple minor changes; the tests
now pass again.

This PR also upgrades the SDKv3 version, along with some other packages
that needed to be upgraded at the same time
(`@smithy/middleware-endpoint` and `cdk-assets` which covers a new enum
value for the S3 client).

----

*By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license*

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
rix0rrr and mergify[bot] authored Jan 20, 2025
1 parent c9d4a67 commit d4845ce
Showing 6 changed files with 2,253 additions and 14,143 deletions.
14,224 changes: 224 additions & 14,000 deletions packages/aws-cdk/THIRD_PARTY_LICENSES

Large diffs are not rendered by default.

58 changes: 29 additions & 29 deletions packages/aws-cdk/package.json
Expand Up @@ -108,38 +108,38 @@
"@aws-cdk/cloudformation-diff": "0.0.0",
"@aws-cdk/cx-api": "0.0.0",
"@aws-cdk/region-info": "0.0.0",
"@aws-sdk/client-appsync": "3.699.0",
"@aws-sdk/client-cloudformation": "3.699.0",
"@aws-sdk/client-cloudwatch-logs": "3.699.0",
"@aws-sdk/client-codebuild": "3.699.0",
"@aws-sdk/client-ec2": "3.699.0",
"@aws-sdk/client-ecr": "3.699.0",
"@aws-sdk/client-ecs": "3.699.0",
"@aws-sdk/client-elastic-load-balancing-v2": "3.699.0",
"@aws-sdk/client-iam": "3.699.0",
"@aws-sdk/client-kms": "3.699.0",
"@aws-sdk/client-lambda": "3.699.0",
"@aws-sdk/client-route-53": "3.699.0",
"@aws-sdk/client-s3": "3.699.0",
"@aws-sdk/client-secrets-manager": "3.699.0",
"@aws-sdk/client-sfn": "3.699.0",
"@aws-sdk/client-ssm": "3.699.0",
"@aws-sdk/client-sts": "3.699.0",
"@aws-sdk/credential-providers": "3.699.0",
"@aws-sdk/ec2-metadata-service": "3.699.0",
"@aws-sdk/lib-storage": "3.699.0",
"@aws-sdk/client-appsync": "^3.699.0",
"@aws-sdk/client-cloudformation": "^3.699.0",
"@aws-sdk/client-cloudwatch-logs": "^3.699.0",
"@aws-sdk/client-codebuild": "^3.699.0",
"@aws-sdk/client-ec2": "^3.699.0",
"@aws-sdk/client-ecr": "^3.699.0",
"@aws-sdk/client-ecs": "^3.699.0",
"@aws-sdk/client-elastic-load-balancing-v2": "^3.699.0",
"@aws-sdk/client-iam": "^3.699.0",
"@aws-sdk/client-kms": "^3.699.0",
"@aws-sdk/client-lambda": "^3.699.0",
"@aws-sdk/client-route-53": "^3.699.0",
"@aws-sdk/client-s3": "^3.699.0",
"@aws-sdk/client-secrets-manager": "^3.699.0",
"@aws-sdk/client-sfn": "^3.699.0",
"@aws-sdk/client-ssm": "^3.699.0",
"@aws-sdk/client-sts": "^3.699.0",
"@aws-sdk/credential-providers": "^3.699.0",
"@aws-sdk/ec2-metadata-service": "^3.699.0",
"@aws-sdk/lib-storage": "^3.699.0",
"@jsii/check-node": "1.104.0",
"@smithy/middleware-endpoint": "3.1.4",
"@smithy/node-http-handler": "3.2.4",
"@smithy/property-provider": "3.1.10",
"@smithy/shared-ini-file-loader": "3.1.8",
"@smithy/types": "3.5.0",
"@smithy/util-retry": "3.0.7",
"@smithy/util-stream": "3.1.9",
"@smithy/util-waiter": "3.1.6",
"@smithy/middleware-endpoint": "^4",
"@smithy/node-http-handler": "^3.2.4",
"@smithy/property-provider": "^3.1.10",
"@smithy/shared-ini-file-loader": "^3.1.8",
"@smithy/types": "^3.5.0",
"@smithy/util-retry": "^3.0.7",
"@smithy/util-stream": "^3.1.9",
"@smithy/util-waiter": "^3.1.6",
"archiver": "^5.3.2",
"camelcase": "^6.3.0",
"cdk-assets": "^3.0.0-rc.111",
"cdk-assets": "^3.0.0-rc.123",
"cdk-from-cfn": "^0.162.0",
"chalk": "^4",
"chokidar": "^3.6.0",
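Review bot: The dependency entries in this section appear to move every `@aws-sdk/*` and `@smithy/*` package from an exact pin (`"3.699.0"`) to a caret range (`"^3.699.0"`), and `@smithy/middleware-endpoint` to the bare major range `"^4"`, which the commit description presents only as an upgrade. With ranges, the version that actually gets installed and bundled into the CLI is decided by the lockfile, which is not visible on this page, so I would confirm it is committed and that CI installs from it in frozen mode. `"^4"` accepts any 4.x release, and it puts `@smithy/middleware-endpoint` on a different major from the other `@smithy/*` entries, which stay on `^3.x`; naming the minimum version that was tested would make the intent reviewable. The dependency block continues outside the hunk.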
71 changes: 33 additions & 38 deletions packages/aws-cdk/test/api/fake-sts.ts
@@ -1,9 +1,8 @@
import { AssumeRoleCommand, GetCallerIdentityCommand, Tag } from '@aws-sdk/client-sts';
import { Tag } from '@aws-sdk/client-sts';
import * as nock from 'nock';
import * as uuid from 'uuid';
import * as xmlJs from 'xml-js';
import { formatErrorMessage } from '../../lib/util/error';
import { mockSTSClient } from '../util/mock-sdk';

interface RegisteredIdentity {
readonly account: string;
Expand All @@ -21,6 +20,7 @@ interface RegisteredRole {
interface AssumedRole {
readonly roleArn: string;
readonly serialNumber: string;
readonly externalId?: string;
readonly tokenCode: string;
readonly roleSessionName: string;
readonly tags?: Tag[];
Expand All @@ -43,10 +43,22 @@ interface AssumedRole {
export class FakeSts {
public readonly assumedRoles = new Array<AssumedRole>();

/**
* AccessKey -> User or Session
*/
private identities: Record<string, RegisteredIdentity> = {};

/**
* RoleARN -> Role
*
* When a Role is assumed it creates a Session.
*/
private roles: Record<string, RegisteredRole> = {};

constructor() {}
/**
* Throw this error when AssumeRole is called
*/
public failAssumeRole?: Error;

/**
* Begin mocking
Expand All @@ -71,7 +83,8 @@ export class FakeSts {
parsedBody,
headers: this.req.headers,
});
cb(null, [200, xmlJs.js2xml(response, { compact: true })]);
const xml = xmlJs.js2xml(response, { compact: true });
cb(null, [200, xml]);
} catch (e: any) {
cb(null, [
400,
Expand Down Expand Up @@ -111,6 +124,13 @@ export class FakeSts {
nock.enableNetConnect();
}

public printState() {
// eslint-disable-next-line no-console
console.log(this.roles);
// eslint-disable-next-line no-console
console.log(this.identities);
}

/**
* Register a user
*/
Expand All @@ -124,8 +144,6 @@ export class FakeSts {
arn,
userId,
};

this.setSTSMocks(account, arn, userName, accessKey);
}

/**
Expand All @@ -140,44 +158,17 @@ export class FakeSts {
roleName,
account,
};

this.setSTSMocks(account, roleArn, roleArn);
}

private setSTSMocks(account: string, roleArn: string, name: string, accessKey?: string) {
const accessKeyId = accessKey ?? uuid.v4();
mockSTSClient
.on(GetCallerIdentityCommand)
.resolves({
Account: account,
Arn: roleArn,
UserId: name,
})
.on(AssumeRoleCommand)
.resolves({
AssumedRoleUser: {
Arn: roleArn,
AssumedRoleId: `${accessKeyId}:${name}`,
},
Credentials: {
AccessKeyId: accessKeyId,
SecretAccessKey: 'Secret',
SessionToken: 'Token',
Expiration: new Date(Date.now() + 3600 * 1000),
},
PackedPolicySize: 6,
});
}

private handleRequest(mockRequest: MockRequest): Record<string, any> {
const response = (() => {
const identity = this.identity(mockRequest);

switch (mockRequest.parsedBody.Action) {
case 'GetCallerIdentityCommand':
case 'GetCallerIdentity':
return this.handleGetCallerIdentity(identity);

case 'AssumeRoleCommand':
case 'AssumeRole':
return this.handleAssumeRole(identity, mockRequest);
}

Expand Down Expand Up @@ -229,6 +220,9 @@ export class FakeSts {

private handleAssumeRole(identity: RegisteredIdentity, mockRequest: MockRequest): Record<string, any> {
this.checkForFailure(mockRequest.parsedBody.RoleArn);
if (this.failAssumeRole) {
throw this.failAssumeRole;
}

this.assumedRoles.push({
roleArn: mockRequest.parsedBody.RoleArn,
Expand All @@ -237,6 +231,7 @@ export class FakeSts {
tokenCode: mockRequest.parsedBody.TokenCode,
tags: this.decodeMapFromRequestBody('Tags', mockRequest.parsedBody),
transitiveTagKeys: this.decodeListKeysFromRequestBody('TransitiveTagKeys', mockRequest.parsedBody),
externalId: mockRequest.parsedBody.ExternalId,
});

const roleArn = mockRequest.parsedBody.RoleArn;
Expand Down Expand Up @@ -274,9 +269,9 @@ export class FakeSts {
},
PackedPolicySize: 6,
},
},
ResponseMetadata: {
RequestId: '1',
ResponseMetadata: {
RequestId: '1',
},
},
};
}
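Review bot: The new `printState()` method on `FakeSts` has no doc comment, unlike the other members added in this section, and it writes the whole `roles` and `identities` maps to the console behind two `eslint-disable` lines; `identities` is documented a few lines above as keyed by access key. If it is meant to stay as a debugging aid, I would say so with a comment such as `/** Debugging aid: dump the registered roles and identities to the console. */`; otherwise it can be dropped before merge. Separately, in `handleAssumeRole` the `failAssumeRole` error is thrown before `this.assumedRoles.push(...)`, so a forced failure leaves no record of the attempted call; if tests are expected to assert on the attempted role ARN or `externalId`, that ordering deserves a comment. The class body continues outside the visible hunks.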