chore: address PR feedback and include tests

yenfryherrerafeliz · yenfryherrerafeliz · commit 9d5f0c821eee · 2024-03-05T09:43:23.000-08:00
Addresses feedback for conditionally calling the method resolvingAccountId based on if the parameter is present in the rulesset of the endpoint provider.
Include tests coverage for AssumeRoleCredentialProvider, AssumeRoleWithWebIdentityCredentialProvider, process, shared files, and credentials from environment.
diff --git a/src/AwsClient.php b/src/AwsClient.php
@@ -572,7 +572,7 @@ private function setClientContextParams($args)
     private function setClientBuiltIns($args, $resolvedConfig)
     {
         $builtIns = [];
-        $config = $this->getConfig();
+        $config = $resolvedConfig['config'];
         $service = $args['service'];
 
         $builtIns['SDK::Endpoint'] = null;
@@ -593,7 +593,6 @@ private function setClientBuiltIns($args, $resolvedConfig)
             $builtIns['AWS::S3::ForcePathStyle'] = $config['use_path_style_endpoint'];
             $builtIns['AWS::S3::DisableMultiRegionAccessPoints'] = $config['disable_multiregion_access_points'];
         }
-        $builtIns['AWS::Auth::AccountId'] = null;
         $builtIns['AWS::Auth::AccountIdEndpointMode'] = $resolvedConfig['account_id_endpoint_mode'];
 
         $this->clientBuiltIns += $builtIns;
diff --git a/src/ClientResolver.php b/src/ClientResolver.php
@@ -293,7 +293,7 @@ class ClientResolver
         'account_id_endpoint_mode' => [
             'type'      => 'value',
             'valid'     => ['string'],
-            'doc'       => 'To decide whether account_id must a be a required resolved credentials parameter. If this configuration is set to disabled, then account_id is not required. If set to preferred a warning will be logged when account_id is not resolved, and when set to required an exception will be thrown if account_id is not resolved.',
+            'doc'       => 'Decides whether account_id must a be a required resolved credentials property. If this configuration is set to disabled, then account_id is not required. If set to preferred a warning will be logged when account_id is not resolved, and when set to required an exception will be thrown if account_id is not resolved.',
             'default'  => [__CLASS__, '_default_account_id_endpoint_mode'],
             'fn'       => [__CLASS__, '_apply_account_id_endpoint_mode']
         ],
diff --git a/src/Credentials/CredentialProvider.php b/src/Credentials/CredentialProvider.php
@@ -292,17 +292,15 @@ public static function env()
             // Use credentials from environment variables, if available
             $key = getenv(self::ENV_KEY);
             $secret = getenv(self::ENV_SECRET);
-            $accountId = getenv(self::ENV_ACCOUNT_ID);
-            if (empty($accountId)) {
-                $accountId = null;
-            }
+            $accountId = getenv(self::ENV_ACCOUNT_ID) ?: null;
+            $token = getenv(self::ENV_SESSION) ?: null;
 
             if ($key && $secret) {
                 return Promise\Create::promiseFor(
                     new Credentials(
                         $key,
                         $secret,
-                        getenv(self::ENV_SESSION) ?: NULL,
+                        $token,
                         null,
                         $accountId
                     )
@@ -549,18 +547,13 @@ public static function ini($profile = null, $filename = null, array $config = []
                     : null;
             }
 
-            $accountId = null;
-            if (!empty($data[$profile]['aws_account_id'])) {
-                $accountId = $data[$profile]['aws_account_id'];
-            }
-
             return Promise\Create::promiseFor(
                 new Credentials(
                     $data[$profile]['aws_access_key_id'],
                     $data[$profile]['aws_secret_access_key'],
                     $data[$profile]['aws_session_token'],
                     null,
-                    $accountId
+                    $data[$profile]['aws_account_id'] ?? null
                 )
             );
         };
diff --git a/src/Credentials/EcsCredentialProvider.php b/src/Credentials/EcsCredentialProvider.php
@@ -76,7 +76,7 @@ public function __invoke()
                     $result['SecretAccessKey'],
                     $result['Token'],
                     strtotime($result['Expiration']),
-                    $result['AccountId']
+                    $result['AccountId'] ?? null
                 );
             })->otherwise(function ($reason) {
                 $reason = is_array($reason) ? $reason['exception'] : $reason;
diff --git a/src/Credentials/InstanceProfileProvider.php b/src/Credentials/InstanceProfileProvider.php
@@ -216,17 +216,12 @@ public function __invoke($previousCredentials = null)
             if (!isset($result)) {
                 $credentials = $previousCredentials;
             } else {
-                $accountId = null;
-                if (!empty($result['AccountId'])) {
-                    $accountId = $result['AccountId'];
-                }
-
                 $credentials = new Credentials(
                     $result['AccessKeyId'],
                     $result['SecretAccessKey'],
                     $result['Token'],
                     strtotime($result['Expiration']),
-                    $accountId
+                    $result['AccountId'] ?? null
                 );
             }
 
diff --git a/src/EndpointV2/EndpointV2Middleware.php b/src/EndpointV2/EndpointV2Middleware.php
@@ -20,6 +20,7 @@
 class EndpointV2Middleware
 {
     const ACCOUNT_ID_PARAM = 'AccountId';
+    const ACCOUNT_ID_ENDPOINT_MODE_PARAM = 'AccountIdEndpointMode';
     private static $validAuthSchemes = [
         'sigv4' => true,
         'sigv4a' => true,
@@ -39,6 +40,7 @@ class EndpointV2Middleware
 
     /** @var array */
     private $clientArgs;
+
     /** @var Closure */
     private $identityProvider;
 
@@ -75,7 +77,7 @@ public function __construct(
         EndpointProviderV2 $endpointProvider,
         Service $api,
         array $args,
-        callable $identityProvider
+        callable $identityProvider = null
     )
     {
         $this->nextHandler = $nextHandler;
@@ -121,7 +123,10 @@ private function resolveArgs(array $commandArgs, Operation $operation) : array
     {
         $rulesetParams = $this->endpointProvider->getRuleset()->getParameters();
 
-        $this->resolveAccountId($commandArgs, $rulesetParams);
+        if (isset($rulesetParams[self::ACCOUNT_ID_PARAM])
+            && isset($rulesetParams[self::ACCOUNT_ID_ENDPOINT_MODE_PARAM])) {
+            $this->resolveAccountId($commandArgs);
+        }
 
         $endpointCommandArgs = $this->filterEndpointCommandArgs(
             $rulesetParams,
@@ -323,32 +328,27 @@ private function normalizeAuthScheme(array $authScheme) : array
      * and we will inject the resolved identity into the $command['@context'] property, so it can be reused along the way.
      *
      * @param array $commandArgs
-     * @param array $rulesetParams
      * @return void
      */
-    private function resolveAccountId(array &$commandArgs, array $rulesetParams)
+    private function resolveAccountId(array &$commandArgs)
     {
         $accountIdEndpointMode = $this->clientArgs['AccountIdEndpointMode'];
-        if (!isset($rulesetParams[self::ACCOUNT_ID_PARAM]) || $accountIdEndpointMode === 'disabled') {
-            return;
-        }
-
         $identity = null;
         if (isset($commandArgs['@context']['resolved_identity'])) {
-            $identity = $commandArgs['@context']['resolved_identity']->wait();
+            $identity = $commandArgs['@context']['resolved_identity'];
         } else {
             $identityProviderFn = $this->identityProvider;
             $identity = $identityProviderFn()->wait();
-            $commandArgs['@context']['resolved_identity'] = Create::promiseFor($identity);
+            $commandArgs['@context']['resolved_identity'] = $identity;
         }
 
         if (empty($identity->getAccountId())) {
             switch ($accountIdEndpointMode) {
                 case 'preferred':
-                    trigger_error($this->getAccountIdNotResolvedErrorMessage($accountIdEndpointMode), E_USER_WARNING);
+                    trigger_error($this->getAccountIdErrorMessage($accountIdEndpointMode), E_USER_WARNING);
                     break;
                 case 'required':
-                    throw new AccountIdNotFoundException($this->getAccountIdNotResolvedErrorMessage($accountIdEndpointMode));
+                    throw new AccountIdNotFoundException($this->getAccountIdErrorMessage($accountIdEndpointMode));
                 default:
                     throw new \InvalidArgumentException('account_id_endpoint_mode value not supported: '. $accountIdEndpointMode);
             }
@@ -359,7 +359,7 @@ private function resolveAccountId(array &$commandArgs, array $rulesetParams)
         $commandArgs[self::ACCOUNT_ID_PARAM] = $identity->getAccountId();
     }
 
-    private function getAccountIdNotResolvedErrorMessage($mode) : string
+    private function getAccountIdErrorMessage($mode) : string
     {
         return "Unable to resolve an `accountId` as part of the credentials identity when `account_id_endpoint_mode` is set to {$mode}. "
             . "\nTo remedy this you can:"
diff --git a/src/Middleware.php b/src/Middleware.php
@@ -145,7 +145,7 @@ function (TokenInterface $token)
                 if ($signer instanceof S3ExpressSignature) {
                     $credentialPromise = $config['s3_express_identity_provider']($command);
                 } elseif (isset($command['@context']['resolved_identity'])) {
-                    $credentialPromise = $command['@context']['resolved_identity'];
+                    $credentialPromise = Promise\Create::promiseFor($command['@context']['resolved_identity']);
                 } else {
                     $credentialPromise = $credProvider();
                 }
diff --git a/src/Sts/StsClient.php b/src/Sts/StsClient.php
@@ -80,6 +80,9 @@ public function createCredentials(Result $result)
         if ($result->hasKey('AssumedRoleUser')) {
             $parsedArn = ArnParser::parse($result->get('AssumedRoleUser')['Arn']);
             $accountId = $parsedArn->getAccountId();
+        } elseif ($result->hasKey('FederatedUser')) {
+            $parsedArn = ArnParser::parse($result->get('FederatedUser')['Arn']);
+            $accountId = $parsedArn->getAccountId();
         }
 
         $credentials = $result['Credentials'];
diff --git a/tests/AwsClientTest.php b/tests/AwsClientTest.php
@@ -504,6 +504,7 @@ public function testGetClientBuiltins()
             'AWS::UseFIPS' => false,
             'AWS::UseDualStack' => false,
             'AWS::STS::UseGlobalEndpoint' => true,
+            'AWS::Auth::AccountIdEndpointMode' => 'preferred',
         ];
         $builtIns = $client->getClientBuiltIns();
         $this->assertEquals(
@@ -524,6 +525,7 @@ public function testGetEndpointProviderArgs()
             'UseFIPS' => false,
             'UseDualStack' => false,
             'UseGlobalEndpoint' => true,
+            'AccountIdEndpointMode' => 'preferred'
         ];
         $providerArgs = $client->getEndpointProviderArgs();
         $this->assertEquals(
diff --git a/tests/Credentials/AssumeRoleCredentialProviderTest.php b/tests/Credentials/AssumeRoleCredentialProviderTest.php
@@ -1,6 +1,7 @@
 <?php
 namespace Aws\Test\Credentials;
 
+use Aws\Arn\ArnParser;
 use Aws\Credentials\AssumeRoleCredentialProvider;
 use Aws\Credentials\Credentials;
 use Aws\Exception\AwsException;
@@ -92,6 +93,8 @@ function ($c, $r) use ($result) {
         $this->assertNull($creds->getSecurityToken());
         $this->assertIsInt($creds->getExpiration());
         $this->assertFalse($creds->isExpired());
+        $expectedAccountId = ArnParser::parse(self::SAMPLE_ROLE_ARN)->getAccountId();
+        $this->assertSame($expectedAccountId, $creds->getAccountId());
     }
 
     public function testThrowsExceptionWhenRetrievingAssumeRoleCredentialFails()
diff --git a/tests/Credentials/AssumeRoleWithWebIdentityCredentialProviderTest.php b/tests/Credentials/AssumeRoleWithWebIdentityCredentialProviderTest.php
@@ -1,6 +1,7 @@
 <?php
 namespace Aws\Test\Credentials;
 
+use Aws\Arn\ArnParser;
 use Aws\Command;
 use Aws\Credentials\AssumeRoleWithWebIdentityCredentialProvider;
 use Aws\Credentials\Credentials;
@@ -76,6 +77,10 @@ public function testCanLoadAssumeRoleWithWebIdentityCredentials()
                 'SessionToken'    => 'baz',
                 'Expiration'      => DateTimeResult::fromEpoch(time() + 10)
             ],
+            'AssumedRoleUser' => [
+                'AssumedRoleId' => 'test_user_621903f1f21f5.01530789',
+                'Arn' => self::SAMPLE_ROLE_ARN
+            ]
         ];
 
         $tokenPath = $dir . '/my-token.jwt';
@@ -102,6 +107,8 @@ function ($c, $r) use ($result) {
             $this->assertSame('baz', $creds->getSecurityToken());
             $this->assertIsInt($creds->getExpiration());
             $this->assertFalse($creds->isExpired());
+            $expectedAccountId = ArnParser::parse(self::SAMPLE_ROLE_ARN)->getAccountId();
+            $this->assertSame($expectedAccountId, $creds->getAccountId());
         } catch (\Error $e) {
             throw $e;
         } finally {
diff --git a/tests/Credentials/CredentialProviderTest.php b/tests/Credentials/CredentialProviderTest.php
diff --git a/tests/Credentials/CredentialsTest.php b/tests/Credentials/CredentialsTest.php

Original file line number	Diff line number	Diff line change
`@@ -572,7 +572,7 @@ private function setClientContextParams($args)`
`572`	`572`	`private function setClientBuiltIns($args, $resolvedConfig)`
`573`	`573`	`{`
`574`	`574`	`$builtIns = [];`
`575`		`- $config = $this->getConfig();`
	`575`	`+ $config = $resolvedConfig['config'];`
`576`	`576`	`$service = $args['service'];`
`577`	`577`
`578`	`578`	`$builtIns['SDK::Endpoint'] = null;`
`@@ -593,7 +593,6 @@ private function setClientBuiltIns($args, $resolvedConfig)`
`593`	`593`	`$builtIns['AWS::S3::ForcePathStyle'] = $config['use_path_style_endpoint'];`
`594`	`594`	`$builtIns['AWS::S3::DisableMultiRegionAccessPoints'] = $config['disable_multiregion_access_points'];`
`595`	`595`	`}`
`596`		`- $builtIns['AWS::Auth::AccountId'] = null;`
`597`	`596`	`$builtIns['AWS::Auth::AccountIdEndpointMode'] = $resolvedConfig['account_id_endpoint_mode'];`
`598`	`597`
`599`	`598`	`$this->clientBuiltIns += $builtIns;`
Original file line number	Diff line number	Diff line change
`@@ -145,7 +145,7 @@ function (TokenInterface $token)`
`145`	`145`	`if ($signer instanceof S3ExpressSignature) {`
`146`	`146`	`$credentialPromise = $config['s3_express_identity_provider']($command);`
`147`	`147`	`} elseif (isset($command['@context']['resolved_identity'])) {`
`148`		`- $credentialPromise = $command['@context']['resolved_identity'];`
	`148`	`+ $credentialPromise = Promise\Create::promiseFor($command['@context']['resolved_identity']);`
`149`	`149`	`} else {`
`150`	`150`	`$credentialPromise = $credProvider();`
`151`	`151`	`}`
Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,9 @@ public function createCredentials(Result $result)`
`80`	`80`	`if ($result->hasKey('AssumedRoleUser')) {`
`81`	`81`	`$parsedArn = ArnParser::parse($result->get('AssumedRoleUser')['Arn']);`
`82`	`82`	`$accountId = $parsedArn->getAccountId();`
	`83`	`+ } elseif ($result->hasKey('FederatedUser')) {`
	`84`	`+ $parsedArn = ArnParser::parse($result->get('FederatedUser')['Arn']);`
	`85`	`+ $accountId = $parsedArn->getAccountId();`
`83`	`86`	`}`
`84`	`87`
`85`	`88`	`$credentials = $result['Credentials'];`