From 03cb46108497edb228b321735b225749b855a6a8 Mon Sep 17 00:00:00 2001
From: Rico Huijbers <rix0rrr@gmail.com>
Date: Wed, 5 Jul 2023 20:41:50 +0200
Subject: [PATCH 1/3] fix(cli): credential plugin exceptions stop the entire
 CLI

Credential provider plugins may sometimes misbehave.

Catch any exceptions they may throw and continue.
---
 .../lib/api/aws-auth/credential-plugins.ts    | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
index 95b8ad2eb9c16..7e334b37653e1 100644
--- a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
@@ -1,6 +1,7 @@
 import { debug } from './_env';
 import { Mode } from './credentials';
 import { CredentialProviderSource, PluginHost } from '../plugin';
+import { warn } from 'console';
 
 /**
  * Cache for credential providers.
@@ -33,12 +34,29 @@ export class CredentialPlugins {
     const triedSources: CredentialProviderSource[] = [];
     // Otherwise, inspect the various credential sources we have
     for (const source of PluginHost.instance.credentialProviderSources) {
-      if (!(await source.isAvailable())) {
+      let available: boolean;
+      try {
+        available = await source.isAvailable();
+      } catch (e: any) {
+        // This shouldn't happen, but let's guard against it anyway
+        warn(`Uncaught exception in ${source.name}: ${e.message}`);
+        available = false;
+      }
+
+      if (!available) {
         debug('Credentials source %s is not available, ignoring it.', source.name);
         continue;
       }
       triedSources.push(source);
-      if (!(await source.canProvideCredentials(awsAccountId))) { continue; }
+      let canProvide: boolean;
+      try {
+        canProvide = await source.canProvideCredentials(awsAccountId);
+      } catch (e: any) {
+        // This shouldn't happen, but let's guard against it anyway
+        warn(`Uncaught exception in ${source.name}: ${e.message}`);
+        canProvide = false;
+      }
+      if (!canProvide) { continue; }
       debug(`Using ${source.name} credentials for account ${awsAccountId}`);
       const providerOrCreds = await source.getProvider(awsAccountId, mode);
 

From 7370a677abbf1787218022dfbdfa336312e1233d Mon Sep 17 00:00:00 2001
From: Rico Huijbers <rix0rrr@gmail.com>
Date: Wed, 5 Jul 2023 20:43:48 +0200
Subject: [PATCH 2/3] Fix logging

---
 packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
index 7e334b37653e1..63542fde6b012 100644
--- a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
@@ -1,7 +1,7 @@
 import { debug } from './_env';
 import { Mode } from './credentials';
 import { CredentialProviderSource, PluginHost } from '../plugin';
-import { warn } from 'console';
+import { warning } from '../../logging';
 
 /**
  * Cache for credential providers.
@@ -39,7 +39,7 @@ export class CredentialPlugins {
         available = await source.isAvailable();
       } catch (e: any) {
         // This shouldn't happen, but let's guard against it anyway
-        warn(`Uncaught exception in ${source.name}: ${e.message}`);
+        warning(`Uncaught exception in ${source.name}: ${e.message}`);
         available = false;
       }
 
@@ -53,7 +53,7 @@ export class CredentialPlugins {
         canProvide = await source.canProvideCredentials(awsAccountId);
       } catch (e: any) {
         // This shouldn't happen, but let's guard against it anyway
-        warn(`Uncaught exception in ${source.name}: ${e.message}`);
+        warning(`Uncaught exception in ${source.name}: ${e.message}`);
         canProvide = false;
       }
       if (!canProvide) { continue; }

From a4ab7b72d0510f9d90f2f5b4a0d8554086175ea0 Mon Sep 17 00:00:00 2001
From: Rico Hermans <rix0rrr@gmail.com>
Date: Fri, 7 Jul 2023 15:12:47 +0200
Subject: [PATCH 3/3] Update credential-plugins.ts

---
 packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
index 63542fde6b012..640e8cf4b462f 100644
--- a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
@@ -1,7 +1,7 @@
 import { debug } from './_env';
 import { Mode } from './credentials';
-import { CredentialProviderSource, PluginHost } from '../plugin';
 import { warning } from '../../logging';
+import { CredentialProviderSource, PluginHost } from '../plugin';
 
 /**
  * Cache for credential providers.
@@ -73,4 +73,4 @@ export class CredentialPlugins {
 export interface PluginCredentials {
   readonly credentials: AWS.Credentials;
   readonly pluginName: string;
-}
\ No newline at end of file
+}