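/*
 * Copyright 2010-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */
package com.amazonaws.auth.profile;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.profile.internal.AwsProfileNameLoader;
import com.amazonaws.auth.profile.internal.Profile;
import com.amazonaws.auth.profile.internal.securitytoken.ProfileCredentialsService;
import com.amazonaws.auth.profile.internal.securitytoken.RoleInfo;
import com.amazonaws.internal.StaticCredentialsProvider;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

import java.io.File;
import java.lang.reflect.Field;
import java.util.Map;

/**
 * Tests for {@link ProfileCredentialsProvider}: which profile is selected (default,
 * environment variable, system property, explicit name), how credentials are re-read
 * after the profiles file changes, and how role profiles hand their source credentials
 * to a {@link ProfileCredentialsService}.
 *
 * <p>Several tests change JVM-wide state (the process environment map and a system
 * property). Each of them records the previous value and puts it back in a
 * {@code finally} block, so a profile name chosen for one test cannot silently select
 * credentials for another test running in the same JVM.
 */
public class ProfileCredentialsProviderTest {

    private static final String DEFAULT_PROFILE_NAME = "default";

    private static File profileLocation = null;

    @BeforeClass
    public static void setUp() {
        profileLocation = ProfileResourceLoader.profilesContainingOtherConfiguration().asFile();
    }

    /** Creates a provider over the shared fixture file with no explicit profile name. */
    private ProfileCredentialsProvider newProvider() {
        return new ProfileCredentialsProvider(profileLocation.getAbsolutePath(), null);
    }

    /**
     * Returns the mutable map behind {@link System#getenv()} by reading the private
     * field {@code m} of {@code java.util.Collections$UnmodifiableMap}.
     *
     * <p>This reaches into JDK internals and changes what the whole JVM sees as its
     * environment. On JDKs that strongly encapsulate {@code java.base} (the default from
     * JDK 16 on) the {@code setAccessible} call is expected to fail unless
     * {@code java.base/java.util} has been opened to the test code.
     *
     * @return the live, modifiable environment map
     * @throws Exception if the JDK-internal class or field cannot be accessed
     */
    private static Map<String, String> modifiableEnvironment() throws Exception {
        Map<String, String> immutableEnv = System.getenv();
        Class<?> unMap = Class.forName("java.util.Collections$UnmodifiableMap");
        Field m = unMap.getDeclaredField("m");
        m.setAccessible(true);
        @SuppressWarnings("unchecked")
        Map<String, String> env = (Map<String, String>) m.get(immutableEnv);
        return env;
    }

    /** Puts the profile environment variable back to {@code previous}; {@code null} means unset. */
    private static void restoreProfileEnvironmentVariable(Map<String, String> env, String previous) {
        if (previous == null) {
            env.remove(AwsProfileNameLoader.AWS_PROFILE_ENVIRONMENT_VARIABLE);
        } else {
            env.put(AwsProfileNameLoader.AWS_PROFILE_ENVIRONMENT_VARIABLE, previous);
        }
    }

    /** Puts the profile system property back to {@code previous}; {@code null} means unset. */
    private static void restoreProfileSystemProperty(String previous) {
        if (previous == null) {
            System.clearProperty(AwsProfileNameLoader.AWS_PROFILE_SYSTEM_PROPERTY);
        } else {
            System.setProperty(AwsProfileNameLoader.AWS_PROFILE_SYSTEM_PROPERTY, previous);
        }
    }

    /** Asserts that {@code credentials} are the ones stored under the fixture's "test" profile. */
    private static void assertTestProfileCredentials(AWSCredentials credentials) {
        Assert.assertEquals("test", credentials.getAWSAccessKeyId());
        Assert.assertEquals("test key", credentials.getAWSSecretKey());
    }

    /**
     * Overwrites {@code target} with every profile found in {@code fixture}.
     *
     * @throws Exception if the fixture cannot be read or the target cannot be written
     */
    private static void writeProfilesTo(File target, File fixture) throws Exception {
        ProfilesConfigFile source = new ProfilesConfigFile(fixture);
        ProfilesConfigFileWriter.dumpToFile(target, true,
                source.getAllProfiles().values().toArray(new Profile[0]));
    }

    /**
     * Copies the profiles in {@code fixture} into a fresh temporary file that a test may
     * rewrite, and registers that file for deletion when the JVM exits.
     *
     * <p>The file only ever holds fixture keys. {@link File#createTempFile(String, String)}
     * places it in the shared temp directory and does not restrict its permissions, so
     * this helper is not suitable for writing real credentials.
     *
     * @throws Exception if the temporary file cannot be created or written
     */
    private static File newUpdatableProfilesFile(File fixture) throws Exception {
        ProfilesConfigFile source = new ProfilesConfigFile(fixture);
        File copy = File.createTempFile("UpdatableProfile", ".tst");
        // Without this every run leaves a credentials-shaped file behind in the temp dir.
        copy.deleteOnExit();
        ProfilesConfigFileWriter.dumpToFile(copy, true,
                source.getAllProfiles().values().toArray(new Profile[0]));
        return copy;
    }

    /**
     * Asserts that a role profile was resolved against the fixture's default source
     * profile and the expected role ARN. The long-lived source keys are what the service
     * would use to call AssumeRole, so a wrong source profile here means the wrong
     * identity would request the role.
     */
    private static void assertDefaultSourceAndTestRole(RoleInfo targetRoleInfo) {
        AWSCredentials credentials =
                targetRoleInfo.getLongLivedCredentialsProvider().getCredentials();
        Assert.assertEquals("sourceProfile AWSAccessKeyId", "defaultAccessKey",
                credentials.getAWSAccessKeyId());
        Assert.assertEquals("sourceProfile AWSSecretKey", "defaultSecretAccessKey",
                credentials.getAWSSecretKey());
        Assert.assertEquals("role_arn", "arn:aws:iam::123456789012:role/testRole",
                targetRoleInfo.getRoleArn());
    }

    /** Asserts that no external id was configured and that the session name was generated. */
    private static void assertGeneratedSessionNameAndNoExternalId(RoleInfo targetRoleInfo) {
        Assert.assertNull("external_id", targetRoleInfo.getExternalId());
        Assert.assertTrue("role_session_name",
                targetRoleInfo.getRoleSessionName().startsWith("aws-sdk-java-"));
    }

    /** Returns the canned session credentials the stub services hand back. */
    private static AWSCredentialsProvider stubSessionCredentials() {
        return new StaticCredentialsProvider(
                new BasicAWSCredentials("sessionAccessKey", "sessionSecretKey"));
    }

    /** Asserts that the "test" profile of {@code profilesFile} yields the stub session credentials. */
    private static void assertSessionCredentialsReturned(ProfilesConfigFile profilesFile) {
        ProfileCredentialsProvider profileCredentialsProvider =
                new ProfileCredentialsProvider(profilesFile, "test");
        AWSCredentials credentials = profileCredentialsProvider.getCredentials();
        Assert.assertEquals("sessionAccessKey", credentials.getAWSAccessKeyId());
        Assert.assertEquals("sessionSecretKey", credentials.getAWSSecretKey());
    }

    @Test
    public void testDefault() {
        AWSCredentials credentials = newProvider().getCredentials();

        // Yep, this is correct - they're backwards in
        // ProfilesContainingOtherConfigurations.tst
        Assert.assertEquals("defaultSecretAccessKey", credentials.getAWSAccessKeyId());
        Assert.assertEquals("defaultAccessKey", credentials.getAWSSecretKey());
    }

    @Test
    public void testEnvironmentVariable() throws Exception {
        Map<String, String> env = modifiableEnvironment();
        String previousEnv = env.get(AwsProfileNameLoader.AWS_PROFILE_ENVIRONMENT_VARIABLE);

        try {
            env.put(AwsProfileNameLoader.AWS_PROFILE_ENVIRONMENT_VARIABLE, "test");
            assertTestProfileCredentials(newProvider().getCredentials());
        } finally {
            restoreProfileEnvironmentVariable(env, previousEnv);
        }
    }

    @Test
    public void testSystemProperty() {
        String previousProperty =
                System.getProperty(AwsProfileNameLoader.AWS_PROFILE_SYSTEM_PROPERTY);

        try {
            System.setProperty(AwsProfileNameLoader.AWS_PROFILE_SYSTEM_PROPERTY, "test");
            assertTestProfileCredentials(newProvider().getCredentials());
        } finally {
            restoreProfileSystemProperty(previousProperty);
        }
    }

    @Test
    public void testBoth() throws Exception {
        Map<String, String> env = modifiableEnvironment();
        String previousEnv = env.get(AwsProfileNameLoader.AWS_PROFILE_ENVIRONMENT_VARIABLE);
        String previousProperty =
                System.getProperty(AwsProfileNameLoader.AWS_PROFILE_SYSTEM_PROPERTY);

        try {
            // If both are set, env var should take precedence.
            env.put(AwsProfileNameLoader.AWS_PROFILE_ENVIRONMENT_VARIABLE, "test");
            System.setProperty(AwsProfileNameLoader.AWS_PROFILE_SYSTEM_PROPERTY, "bogus");

            assertTestProfileCredentials(newProvider().getCredentials());
        } finally {
            restoreProfileSystemProperty(previousProperty);
            restoreProfileEnvironmentVariable(env, previousEnv);
        }
    }

    @Test
    public void testExplicit() throws Exception {
        Map<String, String> env = modifiableEnvironment();
        String previousEnv = env.get(AwsProfileNameLoader.AWS_PROFILE_ENVIRONMENT_VARIABLE);
        String previousProperty =
                System.getProperty(AwsProfileNameLoader.AWS_PROFILE_SYSTEM_PROPERTY);

        try {
            env.put(AwsProfileNameLoader.AWS_PROFILE_ENVIRONMENT_VARIABLE, "test");
            System.setProperty(AwsProfileNameLoader.AWS_PROFILE_SYSTEM_PROPERTY, "test");

            // If an explicit override is provided, that beats anything else.
            ProfileCredentialsProvider provider = new ProfileCredentialsProvider(
                    profileLocation.getAbsolutePath(), "bogus");

            try {
                provider.getCredentials();
                Assert.fail("Expected IllegalArgumentException");
            } catch (IllegalArgumentException expected) {
                // Expected: the explicit name "bogus" was used instead of falling back to
                // the "test" profile named by the environment and the system property.
            }
        } finally {
            restoreProfileSystemProperty(previousProperty);
            restoreProfileEnvironmentVariable(env, previousEnv);
        }
    }

    @Test
    public void testUpdate() throws Exception {
        File modifiable = newUpdatableProfilesFile(ProfileResourceLoader.basicProfile().asFile());

        ProfileCredentialsProvider test =
                new ProfileCredentialsProvider(modifiable.getPath(), null);
        AWSCredentials orig = test.getCredentials();
        Assert.assertEquals("defaultAccessKey", orig.getAWSAccessKeyId());
        Assert.assertEquals("defaultSecretAccessKey", orig.getAWSSecretKey());

        // Sleep to ensure that the timestamp on the file (when we modify it) is
        // distinguishably later from the original write. An interrupt now fails the
        // test instead of being swallowed and letting the sleep end early.
        Thread.sleep(2000);

        Profile newProfile = new Profile(DEFAULT_PROFILE_NAME,
                new BasicAWSCredentials("newAccessKey", "newSecretKey"));
        ProfilesConfigFileWriter.modifyOneProfile(modifiable, DEFAULT_PROFILE_NAME, newProfile);

        test.refresh();
        AWSCredentials updated = test.getCredentials();
        Assert.assertEquals("newAccessKey", updated.getAWSAccessKeyId());
        Assert.assertEquals("newSecretKey", updated.getAWSSecretKey());
    }

    @Test
    public void testForcedRefresh() throws Exception {
        File profilesFile = newUpdatableProfilesFile(ProfileResourceLoader.basicProfile().asFile());

        ProfileCredentialsProvider profileCredentialsProvider =
                new ProfileCredentialsProvider(profilesFile.getPath(), null);

        /*
         * Sleep for 1 second so that the profiles file last modified time has a chance to
         * update. If this wait is not here,
         * com.amazonaws.auth.profile.ProfilesConfigFile.refresh() profileFile.lastModified()
         * will not be updated, therefore the credentials will not refresh.
         *
         * This is also in testRefresh()
         */
        Thread.sleep(1000);

        writeProfilesTo(profilesFile, ProfileResourceLoader.basicProfile2().asFile());

        profileCredentialsProvider.setRefreshForceIntervalNanos(1L);

        AWSCredentials credentialsAfterRefresh = profileCredentialsProvider.getCredentials();
        Assert.assertEquals("credentialsAfterRefresh AWSAccessKeyId", "accessKey2",
                credentialsAfterRefresh.getAWSAccessKeyId());
        Assert.assertEquals("credentialsAfterRefresh AWSSecretKey", "secretAccessKey2",
                credentialsAfterRefresh.getAWSSecretKey());
    }

    @Test
    public void testRefresh() throws Exception {
        File profilesFile = newUpdatableProfilesFile(ProfileResourceLoader.basicProfile().asFile());

        ProfileCredentialsProvider profileCredentialsProvider =
                new ProfileCredentialsProvider(profilesFile.getPath(), null);

        Thread.sleep(1000); // see testForcedRefresh()

        writeProfilesTo(profilesFile, ProfileResourceLoader.basicProfile2().asFile());

        profileCredentialsProvider.setRefreshIntervalNanos(1L);

        AWSCredentials credentialsAfterRefresh = profileCredentialsProvider.getCredentials();
        Assert.assertEquals("credentialsAfterRefresh AWSAccessKeyId", "accessKey2",
                credentialsAfterRefresh.getAWSAccessKeyId());
        Assert.assertEquals("credentialsAfterRefresh AWSSecretKey", "secretAccessKey2",
                credentialsAfterRefresh.getAWSSecretKey());
    }

    @Test
    public void testAssumeRole() throws Exception {
        ProfilesConfigFile profilesFile = new ProfilesConfigFile(
                ProfileResourceLoader.profileWithRole().asFile(),
                new ProfileCredentialsService() {
                    @Override
                    public AWSCredentialsProvider getAssumeRoleCredentialsProvider(
                            RoleInfo targetRoleInfo) {
                        assertDefaultSourceAndTestRole(targetRoleInfo);
                        assertGeneratedSessionNameAndNoExternalId(targetRoleInfo);
                        return stubSessionCredentials();
                    }
                });

        assertSessionCredentialsReturned(profilesFile);
    }

    @Test
    public void testAssumeRoleWithNameAndExternalId() throws Exception {
        ProfilesConfigFile profilesFile = new ProfilesConfigFile(
                ProfileResourceLoader.profileWithRole2().asFile(),
                new ProfileCredentialsService() {
                    @Override
                    public AWSCredentialsProvider getAssumeRoleCredentialsProvider(
                            RoleInfo targetRoleInfo) {
                        assertDefaultSourceAndTestRole(targetRoleInfo);
                        // The configured external id and session name must reach the
                        // service unchanged rather than being dropped or regenerated.
                        Assert.assertEquals("external_id", "testExternalId",
                                targetRoleInfo.getExternalId());
                        Assert.assertEquals("role_session_name", "testSessionName",
                                targetRoleInfo.getRoleSessionName());
                        return stubSessionCredentials();
                    }
                });

        assertSessionCredentialsReturned(profilesFile);
    }

    @Test
    public void testAssumeRoleWithSourceAfterRole() throws Exception {
        ProfilesConfigFile profilesFile = new ProfilesConfigFile(
                ProfileResourceLoader.profileWithSourceAfterRole().asFile(),
                new ProfileCredentialsService() {
                    @Override
                    public AWSCredentialsProvider getAssumeRoleCredentialsProvider(
                            RoleInfo targetRoleInfo) {
                        assertDefaultSourceAndTestRole(targetRoleInfo);
                        assertGeneratedSessionNameAndNoExternalId(targetRoleInfo);
                        return stubSessionCredentials();
                    }
                });

        assertSessionCredentialsReturned(profilesFile);
    }
}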