save sso cache token expiresAt in UTC

If the expiresAt field is saved with time zone (e.g. 2024-06-10T15:00:06-08:00) it will fail to load in certain SDKs such as the rust AWS SDK. To avoid this, ensure that it is always saved as a UTC format.
aws · Aug 23, 2024 · db1b63a · db1b63a
1 parent 87cea8b
commit db1b63a
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 4 deletions.
diff --git a/credentials/ssocreds/sso_cached_token.go b/credentials/ssocreds/sso_cached_token.go
@@ -225,7 +225,7 @@ func (r *rfc3339) UnmarshalJSON(bytes []byte) (err error) {
 }
 
 func (r *rfc3339) MarshalJSON() ([]byte, error) {
-	value := time.Time(*r).Format(time.RFC3339)
+	value := time.Time(*r).UTC().Format(time.RFC3339)
 
 	// Use JSON unmarshal to unescape the quoted value making use of JSON's
 	// quoting rules.

diff --git a/credentials/ssocreds/sso_cached_token_test.go b/credentials/ssocreds/sso_cached_token_test.go
@@ -102,6 +102,24 @@ func TestLoadCachedToken(t *testing.T) {
 				},
 			},
 		},
+		"non-utc token": {
+			filename: filepath.Join("testdata", "non_utc_token.json"),
+			expectToken: token{
+				tokenKnownFields: tokenKnownFields{
+					AccessToken:  "dGhpcyBpcyBub3QgYSByZWFsIHZhbHVl",
+					ExpiresAt:    (*rfc3339)(aws.Time(time.Date(2044, 4, 4, 7, 0, 1, 0, time.UTC))),
+					ClientID:     "client id",
+					ClientSecret: "client secret",
+					RefreshToken: "refresh token",
+				},
+				UnknownFields: map[string]interface{}{
+					"unknownField":          "some value",
+					"registrationExpiresAt": "2044-04-04T07:00:01Z",
+					"region":                "region",
+					"startURL":              "start URL",
+				},
+			},
+		},
 	}
 
 	for name, c := range cases {
@@ -120,7 +138,7 @@ func TestLoadCachedToken(t *testing.T) {
 				t.Fatalf("expect no error, got %v", err)
 			}
 
-			if diff := cmpDiff(c.expectToken, actualToken); diff != "" {
+			if diff := cmpDiffToken(c.expectToken, actualToken); diff != "" {
 				t.Errorf("expect tokens match\n%s", diff)
 			}
 		})
@@ -162,6 +180,25 @@ func TestStoreCachedToken(t *testing.T) {
 				},
 			},
 		},
+		"non-utc token": {
+			filename: filepath.Join(tempDir, "token_file.json"),
+			fileMode: 0600,
+			token: token{
+				tokenKnownFields: tokenKnownFields{
+					AccessToken:  "dGhpcyBpcyBub3QgYSByZWFsIHZhbHVl",
+					ExpiresAt:    (*rfc3339)(aws.Time(time.Date(2044, 4, 4, 7, 0, 1, 0, time.FixedZone("UTC-8", -8*60*60)))),
+					ClientID:     "client id",
+					ClientSecret: "client secret",
+					RefreshToken: "refresh token",
+				},
+				UnknownFields: map[string]interface{}{
+					"unknownField":          "some value",
+					"registrationExpiresAt": "2044-04-04T07:00:01Z",
+					"region":                "region",
+					"startURL":              "start URL",
+				},
+			},
+		},
 	}
 
 	for name, c := range cases {
@@ -176,7 +213,7 @@ func TestStoreCachedToken(t *testing.T) {
 				t.Fatalf("failed to load stored token, %v", err)
 			}
 
-			if diff := cmpDiff(c.token, actual); diff != "" {
+			if diff := cmpDiffToken(c.token, actual); diff != "" {
 				t.Errorf("expect tokens match\n%s", diff)
 			}
 		})

diff --git a/credentials/ssocreds/sso_token_provider_test.go b/credentials/ssocreds/sso_token_provider_test.go
@@ -109,7 +109,7 @@ func TestSSOTokenProvider(t *testing.T) {
 					},
 				}
 
-				if diff := cmpDiff(expect, actual); diff != "" {
+				if diff := cmpDiffToken(expect, actual); diff != "" {
 					return fmt.Errorf("expect token file match\n%s", diff)
 				}
 				return nil
@@ -233,3 +233,19 @@ func cmpDiff(e, a interface{}) string {
 	}
 	return ""
 }
+
+func cmpDiffToken(e token, a token) string {
+	if !reflect.DeepEqual(e.UnknownFields, a.UnknownFields) {
+		return fmt.Sprintf("%v != %v", e, a)
+	}
+	// treats token times as the same if they are the same in UTC
+	if time.Time(*e.ExpiresAt).UTC() != time.Time(*a.ExpiresAt).UTC() {
+		return fmt.Sprintf("%v != %v", e, a)
+	}
+	eTokenKnownFields := e.tokenKnownFields
+	eTokenKnownFields.ExpiresAt = a.tokenKnownFields.ExpiresAt
+	if !reflect.DeepEqual(eTokenKnownFields, a.tokenKnownFields) {
+		return fmt.Sprintf("%v != %v", e, a)
+	}
+	return ""
+}
diff --git a/credentials/ssocreds/testdata/non_utc_token.json b/credentials/ssocreds/testdata/non_utc_token.json
@@ -0,0 +1,13 @@
+{
+    "accessToken": "dGhpcyBpcyBub3QgYSByZWFsIHZhbHVl",
+    "expiresAt": "2044-04-04T00:00:01-07:00",
+
+    "refreshToken": "refresh token",
+    "clientId": "client id",
+    "clientSecret": "client secret",
+
+    "unknownField": "some value",
+    "region": "region",
+    "registrationExpiresAt": "2044-04-04T07:00:01Z",
+    "startURL": "start URL"
+}