Skip to content

Commit

Permalink
fix(cli): allow credential plugins to return null for expiration (a…
Browse files Browse the repository at this point in the history
…ws#32554)

According to the type definitions, the `expiration` field of V3 AWS credentials must be `undefined` or `Date`, but we are running into situations in reality where the value is `null`, leading to the error:

```
TypeError: Cannot read properties of null (reading 'getTime')
```

Survive that specific case.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
rix0rrr authored Dec 17, 2024
1 parent 537cabf commit d4f6946
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 1 deletion.
2 changes: 1 addition & 1 deletion packages/aws-cdk/lib/api/aws-auth/provider-caching.ts
Original file line number Diff line number Diff line change
Expand Up @@ -20,5 +20,5 @@ export function makeCachingProvider(provider: AwsCredentialIdentityProvider): Aw

export function credentialsAboutToExpire(token: AwsCredentialIdentity) {
const expiryMarginSecs = 5;
return token.expiration !== undefined && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000;
return !!token.expiration && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000;
}
10 changes: 10 additions & 0 deletions packages/aws-cdk/test/api/plugin/credential-plugin.test.ts
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import { CredentialPlugins } from '../../../lib/api/aws-auth/credential-plugins';
import { credentialsAboutToExpire } from '../../../lib/api/aws-auth/provider-caching';
import { CredentialProviderSource, Mode, SDKv3CompatibleCredentials } from '../../../lib/api/plugin/credential-provider-source';
import { PluginHost, markTesting } from '../../../lib/api/plugin/plugin';

Expand Down Expand Up @@ -134,6 +135,15 @@ test('plugin must not return something that is not a credential', async () => {
await expect(fetchNow()).rejects.toThrow(/Plugin returned a value that/);
});

test('token expiration is allowed to be null', () => {
expect(credentialsAboutToExpire({
accessKeyId: 'key',
secretAccessKey: 'secret',
// This is not allowed according to the `.d.ts` contract, but it can happen in reality
expiration: null as any,
})).toEqual(false);
});

function mockCredentialFunction(p: CredentialProviderSource['getProvider']) {
mockCredentialPlugin({
name: 'test',
Expand Down

0 comments on commit d4f6946

Please sign in to comment.