Add sso session and token provider support #4885
Conversation
# Conflicts: # CHANGELOG_PENDING.md
# Conflicts: # CHANGELOG_PENDING.md
# Conflicts: # CHANGELOG_PENDING.md
Add sso token provider
sync main to feat-sso-session
* Merge logic of resolving sso section in shared config file * Modify and Merge shared config unit test case * Modify and Merge logic of shared config loaded from files --------- Co-authored-by: Tianyi Wang <wty@amazon.com>
sync main into current branch
sync main branch into current branch
sync main into branch
* Update and Merge logic of sso credential provider to support token provider * Add and Merge sso credential provider unit test data * Modify and Merge sso credential provider's token provider field and unit test * Modify and Merge sso credential provider's token provider and unit test * Modify and Merge sso credential provider's unit test --------- Co-authored-by: Tianyi Wang <wty@amazon.com>
sync main into current branch
There was a problem hiding this comment.
Looks good. I pulled it down and played with it locally and it works as expected.
Housekeeping notes:
- Be sure to squash when you merge and update the commit description and comment to be something meaningful (GH will default to all commit messages which is not useful).
- Remember to get a second reviewer before merging.
CHANGELOG_PENDING.md
Outdated
| @@ -3,3 +3,5 @@ | |||
| ### SDK Enhancements | |||
|
|
|||
| ### SDK Bugs | |||
| * `aws/credentials/ssocreds`: Implement SSO token provider to support for `sso-session` in AWS shared config. | |||
There was a problem hiding this comment.
nit: "Implement SSO token provider to support for ..."
sync main into current branch
| "time" | ||
| ) | ||
|
|
||
| type Token struct { |
There was a problem hiding this comment.
nit: did your IDE not complain about no comment/documentation here? this is a public type, so it should have some documentation here.
aws/auth/bearer/token.go
Outdated
| } | ||
|
|
||
| // Expired returns if the token's Expires time is before or equal to the time | ||
| // provided. If CanExpires is false, Expired will always return false. |
There was a problem hiding this comment.
| // provided. If CanExpires is false, Expired will always return false. | |
| // provided. If CanExpire is false, Expired will always return false. |
|
|
||
| return p.Response() | ||
| } | ||
|
|
||
| func (m mockClient) GetRoleCredentialsWithContext(ctx aws.Context, params *sso.GetRoleCredentialsInput, _ ...request.Option) (*sso.GetRoleCredentialsOutput, error) { |
There was a problem hiding this comment.
i know this is not part of your changeset. so this is just a comment for the future. but i dont think we should be including the Go testing framework object in the mocked client.
when validating the errors in the mocked client, it shouldnt directly invoke the testing object framework, but we should actually mock the returned errors, and then catch those in the test case execution
| return bearer.Token{}, fmt.Errorf("mock token provider return error") | ||
| }, | ||
| }, | ||
| AccountID: "012345678901", |
There was a problem hiding this comment.
nit: whats the purpose of AccountID Region RoleName, and StartURL? removing them doesnt change the outcome of the test, and the mocked token provider doesnt seem to be reacting to them at all.
There was a problem hiding this comment.
StartURL will be used to get legacy ssoToken while token provider is unavailable, AccountID and RoleName will be checked with expected value in mock SSO Client while calling GetRoleCredentialsWithContext. But some error case won't reach that step so I will just remove their fields. Additionally Region is not used in all cases so I will remove it from test case struct.
| UnknownFields map[string]interface{} `json:"-"` | ||
| } | ||
|
|
||
| func (t cachedToken) MarshalJSON() ([]byte, error) { |
There was a problem hiding this comment.
can you add some documentation for this function and func (t *cachedToken) UnmarshalJSON on why we need a custom marshaller/unmarshaller? we need documentation on public functions, and its not immediately obvious why the standard Go marshaller doesnt suffice.
There was a problem hiding this comment.
i see your added documentation now. and i think i get it. but the documentation as is isnt very clear. how about this:
MarshalJSON provides custom marshalling because the standard library Go marshaller ignores unknown/unspecified fields when marshalling from a struct.
https://pkg.go.dev/encoding/json#Marshal
This function adds some extra validation to the known fields and captures unknown fields.
fix this and UnmarshalJSON and then ship it.
| @@ -507,6 +528,15 @@ func TestLoadSharedConfigFromFile(t *testing.T) { | |||
| S3UseARNRegion: true, | |||
| }, | |||
| }, | |||
| { | |||
| Profile: "sso-session-success", | |||
There was a problem hiding this comment.
whats the difference between this test and the other test above that tests sso-session-success?
| UnknownFields map[string]interface{} `json:"-"` | ||
| } | ||
|
|
||
| func (t cachedToken) MarshalJSON() ([]byte, error) { |
There was a problem hiding this comment.
i see your added documentation now. and i think i get it. but the documentation as is isnt very clear. how about this:
MarshalJSON provides custom marshalling because the standard library Go marshaller ignores unknown/unspecified fields when marshalling from a struct.
https://pkg.go.dev/encoding/json#Marshal
This function adds some extra validation to the known fields and captures unknown fields.
fix this and UnmarshalJSON and then ship it.
| fields[key] = value | ||
| } | ||
|
|
||
| // UnmarshalJSON decode cachedToken known/unknown fields from json format |
There was a problem hiding this comment.
i see your added documentation now. and i think i get it. but the documentation as is isnt very clear. how about this:
UnmarshalJSON provides custom unmarshalling because the standard library Go unmarshaller ignores unknown/unspecified fields when unmarshalling from a struct.
https://pkg.go.dev/encoding/json#Unmarshal
This function adds some extra validation to the known fields and captures unknown fields.
fix this and MarshalJSON and ship it
Update sso credential provider logic to support both sso token provider and legacy sso config.
The manual test of sso-session section support in shared config file follows steps below:
running the sso login flow with the AWS CLI
using the access token generated, calling S3 List Buckets on the configured AWS account
when the access token expires, re-calling S3 List buckets and see it succeed with an updated expiration in the SSO cached token
This PR will resolve #4649 with prvious PRs on the same branch.