From 6bd58e421d15097cb982a944970d7981390f9a20 Mon Sep 17 00:00:00 2001 From: Sean McGrail Date: Tue, 18 May 2021 16:32:40 +0000 Subject: [PATCH] config: Enable SSO provider to be mixed with other credential providers (#1255) --- .../016af652b95e472f960ded9a2e976e11.json | 8 + .../9eda03d68f1849a981362947a1a2941f.json | 8 + .../f2c891806ed64485bdbee78723db3a88.json | 8 + config/resolve_credentials.go | 16 +- config/resolve_credentials_test.go | 50 ++++- config/shared_config.go | 8 +- config/shared_config_test.go | 199 ++++++++++++++---- config/shared_test.go | 22 ++ config/testdata/config_source_shared | 19 ++ .../testdata/config_source_shared_for_windows | 19 ++ config/testdata/shared_config | 39 ++++ config/testdata/shared_credentials | 20 ++ config/testdata/wit.txt | 1 + internal/ini/visitor.go | 2 - internal/ini/walker_test.go | 3 - 15 files changed, 354 insertions(+), 68 deletions(-) create mode 100644 .changelog/016af652b95e472f960ded9a2e976e11.json create mode 100644 .changelog/9eda03d68f1849a981362947a1a2941f.json create mode 100644 .changelog/f2c891806ed64485bdbee78723db3a88.json create mode 100644 config/testdata/shared_credentials create mode 100644 config/testdata/wit.txt diff --git a/.changelog/016af652b95e472f960ded9a2e976e11.json b/.changelog/016af652b95e472f960ded9a2e976e11.json new file mode 100644 index 00000000000..8d7dc036853 --- /dev/null +++ b/.changelog/016af652b95e472f960ded9a2e976e11.json @@ -0,0 +1,8 @@ +{ + "id": "016af652-b95e-472f-960d-ed9a2e976e11", + "type": "bugfix", + "description": "`internal/ini`: Disable normalization of config profile names", + "modules": [ + "." + ] +} diff --git a/.changelog/9eda03d68f1849a981362947a1a2941f.json b/.changelog/9eda03d68f1849a981362947a1a2941f.json new file mode 100644 index 00000000000..efd20334938 --- /dev/null +++ b/.changelog/9eda03d68f1849a981362947a1a2941f.json 
@@ -0,0 +1,8 @@ +{ + "id": "9eda03d6-8f18-49a9-8136-2947a1a2941f", + "type": "feature", + "description": "SSO credentials can now be defined alongside other credential providers within the same configuration profile.", + "modules": [ + "config" + ] +} \ No newline at end of file diff --git a/.changelog/f2c891806ed64485bdbee78723db3a88.json b/.changelog/f2c891806ed64485bdbee78723db3a88.json new file mode 100644 index 00000000000..d9d4be28ea2 --- /dev/null +++ b/.changelog/f2c891806ed64485bdbee78723db3a88.json @@ -0,0 +1,8 @@ +{ + "id": "f2c89180-6ed6-4485-bdbe-e78723db3a88", + "type": "bugfix", + "description": "Fixed a bug that caused configuration profile names to be incorrectly normalized, which could cause incorrect profile loading in certain cases. ([#1204](https://github.com/aws/aws-sdk-go-v2/issues/1204))", + "modules": [ + "config" + ] +} \ No newline at end of file diff --git a/config/resolve_credentials.go b/config/resolve_credentials.go index 449fc393d95..bc1385af886 100644 --- a/config/resolve_credentials.go +++ b/config/resolve_credentials.go @@ -123,13 +123,6 @@ func resolveCredsFromProfile(ctx context.Context, cfg *aws.Config, envConfig *En Value: sharedConfig.Credentials, } - case sharedConfig.hasSSOConfiguration(): - err = resolveSSOCredentials(ctx, cfg, sharedConfig, configs) - - case len(sharedConfig.CredentialProcess) != 0: - // Get credentials from CredentialProcess - err = processCredentials(ctx, cfg, sharedConfig, configs) - case len(sharedConfig.CredentialSource) != 0: err = resolveCredsFromSource(ctx, cfg, envConfig, sharedConfig, configs) 
@@ -137,7 +130,14 @@ func resolveCredsFromProfile(ctx context.Context, cfg *aws.Config, envConfig *En // Credentials from Assume Web Identity token require an IAM Role, and // that roll will be assumed. May be wrapped with another assume role // via SourceProfile. - err = assumeWebIdentity(ctx, cfg, sharedConfig.WebIdentityTokenFile, sharedConfig.RoleARN, sharedConfig.RoleSessionName, configs) + return assumeWebIdentity(ctx, cfg, sharedConfig.WebIdentityTokenFile, sharedConfig.RoleARN, sharedConfig.RoleSessionName, configs) + + case sharedConfig.hasSSOConfiguration(): + err = resolveSSOCredentials(ctx, cfg, sharedConfig, configs) + + case len(sharedConfig.CredentialProcess) != 0: + // Get credentials from CredentialProcess + err = processCredentials(ctx, cfg, sharedConfig, configs) case len(envConfig.ContainerCredentialsEndpoint) != 0: err = resolveLocalHTTPCredProvider(ctx, cfg, envConfig.ContainerCredentialsEndpoint, envConfig.ContainerAuthorizationToken, configs) diff --git a/config/resolve_credentials_test.go b/config/resolve_credentials_test.go index 3257789709e..fdd430600a8 100644 --- a/config/resolve_credentials_test.go +++ b/config/resolve_credentials_test.go @@ -19,6 +19,7 @@ import ( "github.com/aws/aws-sdk-go-v2/service/sso" "github.com/aws/aws-sdk-go-v2/service/sts" "github.com/aws/smithy-go/middleware" + smithytime "github.com/aws/smithy-go/time" ) func swapECSContainerURI(path string) func() { 
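Review bot: The switch in resolveCredsFromProfile now decides silently which provider wins when a profile mixes them (as far as this hunk shows: web identity token, then SSO, then credential_process), and nothing in the new code records that order or tells the operator which setting was ignored. Because this commit also drops SSO from the one-of check in validateCredentialType, a profile that still carries a leftover `credential_process` or SSO block will authenticate as a different identity than its author may expect; I would add a comment above the moved cases such as `// Precedence for mixed profiles: web identity token, then SSO, then credential_process; lower-precedence settings are ignored.` and consider a debug log naming the provider that was chosen. The web identity case also changed from `err =` to `return`, which skips whatever follows the switch; that code is outside the hunk, so a one-line comment stating why this case must exit early (presumably so `role_arn` is not applied a second time) would help the next reader.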
@@ -61,11 +62,29 @@ func setupCredentialsEndpoints(t *testing.T) (aws.EndpointResolver, func()) { stsServer := httptest.NewServer(http.HandlerFunc( func(w http.ResponseWriter, r *http.Request) { - w.Write([]byte(fmt.Sprintf( - assumeRoleRespMsg, - time.Now(). - Add(15*time.Minute). - Format("2006-01-02T15:04:05Z")))) + if err := r.ParseForm(); err != nil { + w.WriteHeader(500) + return + } + + form := r.Form + + switch form.Get("Action") { + case "AssumeRole": + w.Write([]byte(fmt.Sprintf( + assumeRoleRespMsg, + smithytime.FormatDateTime(time.Now(). + Add(15*time.Minute))))) + return + case "AssumeRoleWithWebIdentity": + w.Write([]byte(fmt.Sprintf(assumeRoleWithWebIdentityResponse, + smithytime.FormatDateTime(time.Now(). + Add(15*time.Minute))))) + return + default: + w.WriteHeader(404) + return + } })) ssoServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { @@ -310,6 +329,27 @@ func TestSharedConfigCredentialSource(t *testing.T) { return func() {}, nil }, }, + "sso mixed with credential process provider": { + envProfile: "sso_mixed_credproc", + expectedAccessKey: "SSO_AKID", + expectedSecretKey: "SSO_SECRET_KEY", + expectedSessionToken: "SSO_SESSION_TOKEN", + init: func() (func(), error) { + return ssoTestSetup() + }, + }, + "sso mixed with web identity token provider": { + envProfile: "sso_mixed_webident", + expectedAccessKey: "WEB_IDENTITY_AKID", + expectedSecretKey: "WEB_IDENTITY_SECRET", + expectedSessionToken: "WEB_IDENTITY_SESSION_TOKEN", + }, + "web identity": { + envProfile: "webident", + expectedAccessKey: "WEB_IDENTITY_AKID", + expectedSecretKey: "WEB_IDENTITY_SECRET", + expectedSessionToken: "WEB_IDENTITY_SESSION_TOKEN", + }, } for name, c := range cases { diff --git a/config/shared_config.go b/config/shared_config.go index 8c34a61b687..02378c8d467 100644 --- a/config/shared_config.go +++ b/config/shared_config.go 
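Review bot: The new STS stub in setupCredentialsEndpoints dispatches on `Action` alone, so the `sso_mixed_webident` and `webident` cases pass whenever any AssumeRoleWithWebIdentity request arrives, whether or not the token read from `wit.txt` and the profile's `role_arn` were actually sent. Checking the form in that branch would pin the behaviour this commit is about, for example `if form.Get("WebIdentityToken") == "" || form.Get("RoleArn") == "" { w.WriteHeader(http.StatusBadRequest); return }`. As a smaller point, `http.StatusInternalServerError` and `http.StatusNotFound` read better than the bare `500` and `404`. The function body starts before this hunk and continues after it.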
@@ -320,9 +320,6 @@ func LoadSharedConfigProfile(ctx context.Context, profile string, optFns ...func return SharedConfig{}, err } - // profile should be lower-cased to standardize - profile = strings.ToLower(profile) - cfg := SharedConfig{} profiles := map[string]struct{}{} if err = cfg.setFromIniSections(profiles, profile, configSections, option.Logger); err != nil { @@ -915,7 +912,6 @@ func (c *SharedConfig) validateCredentialType() error { len(c.CredentialSource) != 0, len(c.CredentialProcess) != 0, len(c.WebIdentityTokenFile) != 0, - c.hasSSOConfiguration(), ) { return fmt.Errorf("only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso") } @@ -993,6 +989,10 @@ func (c *SharedConfig) clearCredentialOptions() { c.CredentialProcess = "" c.WebIdentityTokenFile = "" c.Credentials = aws.Credentials{} + c.SSOAccountID = "" + c.SSORegion = "" + c.SSORoleName = "" + c.SSOStartURL = "" } // SharedConfigLoadError is an error for the shared config file failed to load. diff --git a/config/shared_config_test.go b/config/shared_config_test.go index 02d7ab6c1c1..183f6cc669d 100644 --- a/config/shared_config_test.go +++ b/config/shared_config_test.go @@ -9,6 +9,7 @@ import ( "strconv" "strings" "testing" + "time" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/internal/ini" 
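Review bot: In validateCredentialType the error text still ends with `or sso`, although this commit removes `c.hasSSOConfiguration()` from the one-of check, so the message now names a provider that can no longer trigger it. That is misleading for someone debugging a rejected profile, because SSO settings are now accepted next to the other providers. I would trim the string to `"only one credential type may be specified per profile: source profile, credential source, credential process, or web identity token"`. The function body extends beyond the hunk on both sides.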
@@ -22,31 +23,33 @@ var _ regionProvider = (*SharedConfig)(nil) var ( testConfigFilename = filepath.Join("testdata", "shared_config") testConfigOtherFilename = filepath.Join("testdata", "shared_config_other") + testCredentialsFilename = filepath.Join("testdata", "shared_credentials") ) func TestNewSharedConfig(t *testing.T) { cases := map[string]struct { - Filenames []string - Profile string - Expected SharedConfig - Err error + ConfigFilenames []string + CredentialsFilenames []string + Profile string + Expected SharedConfig + Err error }{ "file not exist": { - Filenames: []string{"file_not_exist"}, - Profile: "default", - Err: fmt.Errorf("failed to get shared config profile"), + ConfigFilenames: []string{"file_not_exist"}, + Profile: "default", + Err: fmt.Errorf("failed to get shared config profile"), }, "default profile": { - Filenames: []string{testConfigFilename}, - Profile: "default", + ConfigFilenames: []string{testConfigFilename}, + Profile: "default", Expected: SharedConfig{ Profile: "default", Region: "default_region", }, }, "multiple config files": { - Filenames: []string{testConfigOtherFilename, testConfigFilename}, - Profile: "config_file_load_order", + ConfigFilenames: []string{testConfigOtherFilename, testConfigFilename}, + Profile: "config_file_load_order", Expected: SharedConfig{ Profile: "config_file_load_order", Region: "shared_config_region", @@ -58,8 +61,8 @@ func TestNewSharedConfig(t *testing.T) { }, }, "mutliple config files reverse order": { - Filenames: []string{testConfigFilename, testConfigOtherFilename}, - Profile: "config_file_load_order", + ConfigFilenames: []string{testConfigFilename, testConfigOtherFilename}, + Profile: "config_file_load_order", Expected: SharedConfig{ Profile: "config_file_load_order", Region: "shared_config_other_region", 
@@ -71,8 +74,8 @@ func TestNewSharedConfig(t *testing.T) { }, }, "Assume role": { - Filenames: []string{testConfigOtherFilename, testConfigFilename}, - Profile: "assume_role", + ConfigFilenames: []string{testConfigOtherFilename, testConfigFilename}, + Profile: "assume_role", Expected: SharedConfig{ Profile: "assume_role", RoleARN: "assume_role_role_arn", @@ -88,8 +91,8 @@ func TestNewSharedConfig(t *testing.T) { }, }, "Assume role with invalid source profile": { - Filenames: []string{testConfigOtherFilename, testConfigFilename}, - Profile: "assume_role_invalid_source_profile", + ConfigFilenames: []string{testConfigOtherFilename, testConfigFilename}, + Profile: "assume_role_invalid_source_profile", Err: SharedConfigAssumeRoleError{ Profile: "profile_not_exists", RoleARN: "assume_role_invalid_source_profile_role_arn", @@ -100,8 +103,8 @@ func TestNewSharedConfig(t *testing.T) { }, }, "Assume role with creds": { - Filenames: []string{testConfigOtherFilename, testConfigFilename}, - Profile: "assume_role_w_creds", + ConfigFilenames: []string{testConfigOtherFilename, testConfigFilename}, + Profile: "assume_role_w_creds", Expected: SharedConfig{ Profile: "assume_role_w_creds", RoleARN: "assume_role_w_creds_role_arn", @@ -119,8 +122,8 @@ func TestNewSharedConfig(t *testing.T) { }, }, "Assume role without creds": { - Filenames: []string{testConfigOtherFilename, testConfigFilename}, - Profile: "assume_role_wo_creds", + ConfigFilenames: []string{testConfigOtherFilename, testConfigFilename}, + Profile: "assume_role_wo_creds", Expected: SharedConfig{ Profile: "assume_role_wo_creds", RoleARN: "assume_role_wo_creds_role_arn", 
@@ -132,32 +135,32 @@ func TestNewSharedConfig(t *testing.T) { }, }, "Invalid INI file": { - Filenames: []string{filepath.Join("testdata", "shared_config_invalid_ini")}, - Profile: "profile_name", + ConfigFilenames: []string{filepath.Join("testdata", "shared_config_invalid_ini")}, + Profile: "profile_name", Err: SharedConfigLoadError{ Filename: filepath.Join("testdata", "shared_config_invalid_ini"), Err: fmt.Errorf("invalid state"), }, }, "S3UseARNRegion property on profile": { - Profile: "valid_arn_region", - Filenames: []string{testConfigFilename}, + Profile: "valid_arn_region", + ConfigFilenames: []string{testConfigFilename}, Expected: SharedConfig{ Profile: "valid_arn_region", S3UseARNRegion: ptr.Bool(true), }, }, "EndpointDiscovery property on profile": { - Profile: "endpoint_discovery", - Filenames: []string{testConfigFilename}, + Profile: "endpoint_discovery", + ConfigFilenames: []string{testConfigFilename}, Expected: SharedConfig{ Profile: "endpoint_discovery", EnableEndpointDiscovery: ptr.Bool(true), }, }, "Assume role with credential source Ec2Metadata": { - Filenames: []string{testConfigOtherFilename, testConfigFilename}, - Profile: "assume_role_with_credential_source", + ConfigFilenames: []string{testConfigOtherFilename, testConfigFilename}, + Profile: "assume_role_with_credential_source", Expected: SharedConfig{ Profile: "assume_role_with_credential_source", RoleARN: "assume_role_with_credential_source_role_arn", @@ -165,8 +168,8 @@ func TestNewSharedConfig(t *testing.T) { }, }, "Assume role chained with creds": { - Filenames: []string{testConfigOtherFilename, testConfigFilename}, - Profile: "multiple_assume_role", + ConfigFilenames: []string{testConfigOtherFilename, testConfigFilename}, + Profile: "multiple_assume_role", Expected: SharedConfig{ Profile: "multiple_assume_role", RoleARN: "multiple_assume_role_role_arn", 
@@ -187,8 +190,8 @@ func TestNewSharedConfig(t *testing.T) { }, }, "Assume role chained with credential source": { - Filenames: []string{testConfigOtherFilename, testConfigFilename}, - Profile: "multiple_assume_role_with_credential_source", + ConfigFilenames: []string{testConfigOtherFilename, testConfigFilename}, + Profile: "multiple_assume_role_with_credential_source", Expected: SharedConfig{ Profile: "multiple_assume_role_with_credential_source", RoleARN: "multiple_assume_role_with_credential_source_role_arn", @@ -201,8 +204,8 @@ func TestNewSharedConfig(t *testing.T) { }, }, "Assume role chained with credential source reversed order": { - Filenames: []string{testConfigOtherFilename, testConfigFilename}, - Profile: "multiple_assume_role_with_credential_source2", + ConfigFilenames: []string{testConfigOtherFilename, testConfigFilename}, + Profile: "multiple_assume_role_with_credential_source2", Expected: SharedConfig{ Profile: "multiple_assume_role_with_credential_source2", RoleARN: "multiple_assume_role_with_credential_source2_role_arn", @@ -220,8 +223,8 @@ func TestNewSharedConfig(t *testing.T) { }, }, "AWS SSO Profile": { - Filenames: []string{testConfigFilename}, - Profile: "sso_creds", + ConfigFilenames: []string{testConfigFilename}, + Profile: "sso_creds", Expected: SharedConfig{ Profile: "sso_creds", SSOAccountID: "012345678901", @@ -231,8 +234,8 @@ func TestNewSharedConfig(t *testing.T) { }, }, "Assume Role with AWS SSO Credentials": { - Filenames: []string{testConfigFilename}, - Profile: "source_sso_creds", + ConfigFilenames: []string{testConfigFilename}, + Profile: "source_sso_creds", Expected: SharedConfig{ Profile: "source_sso_creds", RoleARN: "source_sso_creds_arn", 
@@ -247,8 +250,8 @@ func TestNewSharedConfig(t *testing.T) { }, }, "AWS SSO Profile and Static Credentials": { - Filenames: []string{testConfigFilename}, - Profile: "sso_and_static", + ConfigFilenames: []string{testConfigFilename}, + Profile: "sso_and_static", Expected: SharedConfig{ Profile: "sso_and_static", Credentials: aws.Credentials{ 
@@ -264,17 +267,121 @@ func TestNewSharedConfig(t *testing.T) { }, }, "Assume Role with AWS SSO Configuration and Source Profile": { - Filenames: []string{testConfigFilename}, - Profile: "source_sso_and_assume", - Err: fmt.Errorf("only one credential type may be specified per profile"), + ConfigFilenames: []string{testConfigFilename}, + Profile: "source_sso_and_assume", + Expected: SharedConfig{ + Profile: "source_sso_and_assume", + RoleARN: "source_sso_and_assume_arn", + SourceProfileName: "sso_and_assume", + Source: &SharedConfig{ + Profile: "sso_and_assume", + RoleARN: "sso_with_assume_role_arn", + SourceProfileName: "multiple_assume_role_with_credential_source", + Source: &SharedConfig{ + Profile: "multiple_assume_role_with_credential_source", + RoleARN: "multiple_assume_role_with_credential_source_role_arn", + SourceProfileName: "assume_role_with_credential_source", + Source: &SharedConfig{ + Profile: "assume_role_with_credential_source", + RoleARN: "assume_role_with_credential_source_role_arn", + CredentialSource: credSourceEc2Metadata, + }, + }, + }, + }, + }, + "SSO Mixed with Additional Credential Providrer": { + ConfigFilenames: []string{testConfigFilename}, + Profile: "sso_mixed_credproc", + Expected: SharedConfig{ + Profile: "sso_mixed_credproc", + SSOAccountID: "012345678901", + SSORegion: "us-west-2", + SSORoleName: "TestRole", + SSOStartURL: "https://127.0.0.1/start", + CredentialProcess: "/path/to/process", + }, + }, + "profile names are case-sensitive (Mixed)": { + ConfigFilenames: []string{testConfigFilename}, + CredentialsFilenames: []string{testCredentialsFilename}, + Profile: "DoNotNormalize", + Expected: SharedConfig{ + Profile: "DoNotNormalize", + Credentials: aws.Credentials{ + AccessKeyID: "DoNotNormalize_credentials_akid", + SecretAccessKey: "DoNotNormalize_credentials_secret", + SessionToken: "DoNotNormalize_config_session_token", + Source: fmt.Sprintf("SharedConfigCredentials: %s", testCredentialsFilename), + }, + RoleDurationSeconds: 
func() *time.Duration { d := time.Minute * 20; return &d }(), + Region: "eu-west-1", + }, + }, + "profile names are case-sensitive (lower)": { + ConfigFilenames: []string{testConfigFilename}, + CredentialsFilenames: []string{testCredentialsFilename}, + Profile: "donotnormalize", + Expected: SharedConfig{ + Profile: "donotnormalize", + Credentials: aws.Credentials{ + AccessKeyID: "donotnormalize_credentials_akid", + SecretAccessKey: "donotnormalize_credentials_secret", + SessionToken: "donotnormalize_config_session_token", + Source: fmt.Sprintf("SharedConfigCredentials: %s", testCredentialsFilename), + }, + RoleDurationSeconds: func() *time.Duration { d := time.Minute * 25; return &d }(), + Region: "eu-west-2", + }, + }, + "profile names are case-sensitive (upper)": { + ConfigFilenames: []string{testConfigFilename}, + CredentialsFilenames: []string{testCredentialsFilename}, + Profile: "DONOTNORMALIZE", + Expected: SharedConfig{ + Profile: "DONOTNORMALIZE", + Credentials: aws.Credentials{ + AccessKeyID: "DONOTNORMALIZE_credentials_akid", + SecretAccessKey: "DONOTNORMALIZE_credentials_secret", + SessionToken: "DONOTNORMALIZE_config_session_token", + Source: fmt.Sprintf("SharedConfigCredentials: %s", testCredentialsFilename), + }, + RoleDurationSeconds: func() *time.Duration { d := time.Minute * 30; return &d }(), + Region: "eu-west-3", + }, + }, + "source profile name is case-sensitive": { + ConfigFilenames: []string{testConfigFilename}, + CredentialsFilenames: []string{testCredentialsFilename}, + Profile: "AssumeWithDoNotNormalize", + Expected: SharedConfig{ + Profile: "AssumeWithDoNotNormalize", + RoleARN: "AssumeWithDoNotNormalize_role_arn", + SourceProfileName: "DoNotNormalize", + Source: &SharedConfig{ + Profile: "DoNotNormalize", + Credentials: aws.Credentials{ + AccessKeyID: "DoNotNormalize_credentials_akid", + SecretAccessKey: "DoNotNormalize_credentials_secret", + SessionToken: "DoNotNormalize_config_session_token", + Source: 
fmt.Sprintf("SharedConfigCredentials: %s", testCredentialsFilename), + }, + RoleDurationSeconds: func() *time.Duration { d := time.Minute * 20; return &d }(), + Region: "eu-west-1", + }, + }, }, } for name, c := range cases { t.Run(name, func(t *testing.T) { cfg, err := LoadSharedConfigProfile(context.TODO(), c.Profile, func(o *LoadSharedConfigOptions) { - o.ConfigFiles = c.Filenames - o.CredentialsFiles = []string{filepath.Join("testdata", "empty_creds_config")} + o.ConfigFiles = c.ConfigFilenames + if c.CredentialsFilenames != nil { + o.CredentialsFiles = c.CredentialsFilenames + } else { + o.CredentialsFiles = []string{filepath.Join("testdata", "empty_creds_config")} + } }) if c.Err != nil && err != nil { if e, a := c.Err.Error(), err.Error(); !strings.Contains(a, e) { diff --git a/config/shared_test.go b/config/shared_test.go index ebe91923385..ecadcbcbf52 100644 --- a/config/shared_test.go +++ b/config/shared_test.go @@ -47,6 +47,28 @@ const assumeRoleRespMsg = ` ` +var assumeRoleWithWebIdentityResponse = ` + + amzn1.account.AF6RHO7KZU5XRVQJGXK6HB56KR2A + client.5498841531868486423.1548@apps.example.com + + arn:aws:sts::123456789012:assumed-role/FederatedWebIdentityRole/app1 + AROACLKWSDQRAOEXAMPLE:app1 + + + WEB_IDENTITY_AKID + WEB_IDENTITY_SECRET + WEB_IDENTITY_SESSION_TOKEN + %s + + www.amazon.com + + + request-id + + +` + const getRoleCredentialsResponse = `{ "roleCredentials": { "accessKeyId": "SSO_AKID", diff --git a/config/testdata/config_source_shared b/config/testdata/config_source_shared index bc0bbdb28bd..0de4dc6dee5 100644 --- a/config/testdata/config_source_shared +++ b/config/testdata/config_source_shared 
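Review bot: The new case name `SSO Mixed with Additional Credential Providrer` is misspelled (`Provider`), which matters a little because `t.Run` names are what `go test -run` filters on. The four `RoleDurationSeconds: func() *time.Duration { d := ...; return &d }()` literals repeat the same closure; a small helper in the test file, e.g. `func durationPtr(d time.Duration) *time.Duration { return &d }`, would keep the table readable. TestNewSharedConfig starts before this hunk and continues after it.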
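Review bot: `assumeRoleWithWebIdentityResponse` is declared with `var` while the neighbouring fixtures `assumeRoleRespMsg` and `getRoleCredentialsResponse` are `const`. Nothing visible in this commit assigns to it, so `const assumeRoleWithWebIdentityResponse = ...` with the raw string unchanged would match its siblings and rule out accidental mutation between tests. A one-line comment above the declaration, such as `// the single %s verb is the credential expiration timestamp`, would also document how the stub server fills the template.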
@@ -60,3 +60,22 @@ sso_start_url = https://THIS_SHOULD_NOT_BE_IN_TESTDATA_CACHE/start [profile sso_invalid] sso_account_id = 012345678901 sso_role_name = TestRole + +[profile sso_mixed_credproc] +sso_account_id = 012345678901 +sso_region = us-west-2 +sso_role_name = TestRole +sso_start_url = https://127.0.0.1/start +credential_process = cat ./testdata/test_json.json + +[profile sso_mixed_webident] +web_identity_token_file = ./testdata/wit.txt +role_arn = sso_mixed_webident_arn +sso_account_id = 012345678901 +sso_region = us-west-2 +sso_role_name = TestRole +sso_start_url = https://127.0.0.1/start + +[profile webident] +web_identity_token_file = ./testdata/wit.txt +role_arn = webident_arn diff --git a/config/testdata/config_source_shared_for_windows b/config/testdata/config_source_shared_for_windows index dc5d435dc99..5193756f9d6 100644 --- a/config/testdata/config_source_shared_for_windows +++ b/config/testdata/config_source_shared_for_windows @@ -8,3 +8,22 @@ credential_process = type .\testdata\test_json.json [profile chained_cred_proc] role_arn = assume_role_w_creds_proc_source_prof source_profile = cred_proc_no_arn_set + +[profile sso_mixed_credproc] +sso_account_id = 012345678901 +sso_region = us-west-2 +sso_role_name = TestRole +sso_start_url = https://127.0.0.1/start +credential_process = type .\testdata\test_json.json + +[profile sso_mixed_webident] +web_identity_token_file = .\testdata\wit.txt +role_arn = sso_mixed_webident_arn +sso_account_id = 012345678901 +sso_region = us-west-2 +sso_role_name = TestRole +sso_start_url = https://127.0.0.1/start + +[profile webident] +web_identity_token_file = .\testdata\wit.txt +role_arn = webident_arn diff --git a/config/testdata/shared_config b/config/testdata/shared_config index ca3540c03b6..db8ce4836a3 100644 --- a/config/testdata/shared_config +++ b/config/testdata/shared_config 
@@ -135,3 +135,42 @@ source_profile = multiple_assume_role_with_credential_source [profile source_sso_and_assume] role_arn = source_sso_and_assume_arn source_profile = sso_and_assume + +[profile sso_mixed_credproc] +sso_account_id = 012345678901 +sso_region = us-west-2 +sso_role_name = TestRole +sso_start_url = https://127.0.0.1/start +credential_process = /path/to/process + +[profile DoNotNormalize] +aws_access_key_id = DoNotNormalize_config_akid +aws_secret_access_key = DoNotNormalize_config_secret +aws_session_token = DoNotNormalize_config_session_token + +[profile donotnormalize] +aws_access_key_id = donotnormalize_config_akid +aws_secret_access_key = donotnormalize_config_secret +aws_session_token = donotnormalize_config_session_token + + +[profile DONOTNORMALIZE] +aws_access_key_id = DONOTNORMALIZE_config_akid +aws_secret_access_key = DONOTNORMALIZE_config_secret +aws_session_token = DONOTNORMALIZE_config_session_token + +[profile DoNotNormalize] +region = us-west-2 +duration_seconds = 1200 + +[profile donotnormalize] +region = us-west-1 +duration_seconds = 1500 + +[profile DONOTNORMALIZE] +region = us-west-3 +duration_seconds = 1800 + +[profile AssumeWithDoNotNormalize] +role_arn = AssumeWithDoNotNormalize_role_arn +source_profile = DoNotNormalize diff --git a/config/testdata/shared_credentials b/config/testdata/shared_credentials new file mode 100644 index 00000000000..8b33504d77d --- /dev/null +++ b/config/testdata/shared_credentials @@ -0,0 +1,20 @@ +[DoNotNormalize] +aws_access_key_id = DoNotNormalize_credentials_akid +aws_secret_access_key = DoNotNormalize_credentials_secret + +[donotnormalize] +aws_access_key_id = donotnormalize_credentials_akid +aws_secret_access_key = donotnormalize_credentials_secret + +[DONOTNORMALIZE] +aws_access_key_id = DONOTNORMALIZE_credentials_akid +aws_secret_access_key = DONOTNORMALIZE_credentials_secret + +[DoNotNormalize] +region = eu-west-1 + +[donotnormalize] +region = eu-west-2 + +[DONOTNORMALIZE] +region = eu-west-3 
diff --git a/config/testdata/wit.txt b/config/testdata/wit.txt new file mode 100644 index 00000000000..809def20ec1 --- /dev/null +++ b/config/testdata/wit.txt @@ -0,0 +1 @@ +YXdzIHNkayBmb3IgZ28gd2ViIGlkZW50aXR5IHRva2Vu diff --git a/internal/ini/visitor.go b/internal/ini/visitor.go index cfd6fe4d673..4c8a7c290f6 100644 --- a/internal/ini/visitor.go +++ b/internal/ini/visitor.go @@ -120,8 +120,6 @@ func (v *DefaultVisitor) VisitStatement(stmt AST) error { name = names[0] + " " + strings.TrimLeft(names[1], " ") } - // lower casing name to handle duplicates correctly. - name = strings.ToLower(name) // attach profile name on section if !v.Sections.HasSection(name) { v.Sections.container[name] = NewSection(name) diff --git a/internal/ini/walker_test.go b/internal/ini/walker_test.go index 10b90637949..5ceaa24b780 100644 --- a/internal/ini/walker_test.go +++ b/internal/ini/walker_test.go @@ -52,9 +52,6 @@ func TestValidDataFiles(t *testing.T) { } for profile, tableIface := range e { - // standardize by lower casing - profile = strings.ToLower(profile) - p, ok := v.Sections.GetSection(profile) if !ok { t.Fatal("could not find profile " + profile)