From d4f6946dbc97161749a33d3e89514a8f7ca4aa0a Mon Sep 17 00:00:00 2001 From: Rico Hermans Date: Tue, 17 Dec 2024 17:51:31 +0100 Subject: [PATCH] fix(cli): allow credential plugins to return `null` for `expiration` (#32554) According to the type definitions, the `expiration` field of V3 AWS credentials must be `undefined` or `Date`, but we are running into situations in reality where the value is `null`, leading to the error: ``` TypeError: Cannot read properties of null (reading 'getTime') ``` Survive that specific case. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk/lib/api/aws-auth/provider-caching.ts | 2 +- .../aws-cdk/test/api/plugin/credential-plugin.test.ts | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts b/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts index 0fe68a1a637c6..22e4b357e191d 100644 --- a/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts +++ b/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts @@ -20,5 +20,5 @@ export function makeCachingProvider(provider: AwsCredentialIdentityProvider): Aw export function credentialsAboutToExpire(token: AwsCredentialIdentity) { const expiryMarginSecs = 5; - return token.expiration !== undefined && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000; + return !!token.expiration && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000; } diff --git a/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts b/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts index 77fc97731e58d..af5f6012ed09d 100644 --- a/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts +++ b/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts @@ -1,4 +1,5 @@ import { CredentialPlugins } from '../../../lib/api/aws-auth/credential-plugins'; +import { credentialsAboutToExpire } from '../../../lib/api/aws-auth/provider-caching'; import { CredentialProviderSource, Mode, SDKv3CompatibleCredentials } from '../../../lib/api/plugin/credential-provider-source'; import { PluginHost, markTesting } from '../../../lib/api/plugin/plugin'; @@ -134,6 +135,15 @@ test('plugin must not return something that is not a credential', async () => { await expect(fetchNow()).rejects.toThrow(/Plugin returned a value that/); }); +test('token expiration is allowed to be null', () => { + expect(credentialsAboutToExpire({ + accessKeyId: 'key', + secretAccessKey: 'secret', + // This is not allowed according to the `.d.ts` contract, but it can happen in reality + expiration: null as any, + })).toEqual(false); +}); + function mockCredentialFunction(p: CredentialProviderSource['getProvider']) { mockCredentialPlugin({ name: 'test',