fixing setAssumeRoleSource to return source collision error

aws · Oct 11, 2018 · 3bbb620 · 3bbb620
1 parent 4b39ef4
commit 3bbb620
Show file tree

Hide file tree

Showing 7 changed files with 26 additions and 19 deletions.
diff --git a/aws/defaults/defaults.go b/aws/defaults/defaults.go
@@ -24,7 +24,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/ec2metadata"
 	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/internal/container"
+	"github.com/aws/aws-sdk-go/internal/shareddefaults"
 )
 
 // A Defaults provides a collection of default values for SDK clients.
@@ -115,9 +115,6 @@ func CredProviders(cfg *aws.Config, handlers request.Handlers) []credentials.Pro
 const (
 	httpProviderAuthorizationEnvVar = "AWS_CONTAINER_AUTHORIZATION_TOKEN"
 	httpProviderEnvVar              = "AWS_CONTAINER_CREDENTIALS_FULL_URI"
-	// EcsCredsProviderEnvVar is an environmental variable key used to
-	// determine which path needs to be hit.
-	EcsCredsProviderEnvVar = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
 )
 
 // RemoteCredProvider returns a credentials provider for the default remote
@@ -127,8 +124,8 @@ func RemoteCredProvider(cfg aws.Config, handlers request.Handlers) credentials.P
 		return localHTTPCredProvider(cfg, handlers, u)
 	}
 
-	if uri := os.Getenv(EcsCredsProviderEnvVar); len(uri) > 0 {
-		u := fmt.Sprintf("%s%s", container.URI, uri)
+	if uri := os.Getenv(shareddefaults.ECSCredsProviderEnvVar); len(uri) > 0 {
+		u := fmt.Sprintf("%s%s", shareddefaults.ECSContainerCredentialsURI, uri)
 		return httpCredProvider(cfg, handlers, u)
 	}
 

diff --git a/aws/defaults/defaults_test.go b/aws/defaults/defaults_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/credentials/endpointcreds"
 	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/internal/shareddefaults"
 )
 
 func TestHTTPCredProvider(t *testing.T) {
@@ -90,7 +91,7 @@ func TestHTTPCredProvider(t *testing.T) {
 
 func TestECSCredProvider(t *testing.T) {
 	defer os.Clearenv()
-	os.Setenv(EcsCredsProviderEnvVar, "/abc/123")
+	os.Setenv(shareddefaults.ECSCredsProviderEnvVar, "/abc/123")
 
 	provider := RemoteCredProvider(aws.Config{}, request.Handlers{})
 	if provider == nil {

diff --git a/aws/session/session.go b/aws/session/session.go
@@ -19,6 +19,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/defaults"
 	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/internal/shareddefaults"
 )
 
 const (
@@ -488,7 +489,7 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg share
 					envCfg.Creds,
 				)
 			case credSourceECSContainer:
-				if len(os.Getenv(defaults.EcsCredsProviderEnvVar)) == 0 {
+				if len(os.Getenv(shareddefaults.ECSCredsProviderEnvVar)) == 0 {
 					return ErrSharedConfigECSContainerEnvVarEmpty
 				}
 

diff --git a/aws/session/session_test.go b/aws/session/session_test.go
@@ -16,7 +16,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/defaults"
 	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/awstesting"
-	"github.com/aws/aws-sdk-go/internal/container"
+	"github.com/aws/aws-sdk-go/internal/shareddefaults"
 	"github.com/aws/aws-sdk-go/service/s3"
 )
 
@@ -592,7 +592,7 @@ func TestSharedConfigCredentialSource(t *testing.T) {
 					}
 				}))
 
-				container.URI = ecsMetadataServer.URL
+				shareddefaults.ECSContainerCredentialsURI = ecsMetadataServer.URL
 
 				stsServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 					w.Write([]byte(fmt.Sprintf(assumeRoleRespMsg, time.Now().Add(15*time.Minute).Format("2006-01-02T15:04:05Z"))))

diff --git a/aws/session/shared_config.go b/aws/session/shared_config.go
@@ -94,7 +94,7 @@ func loadSharedConfig(profile string, filenames []string) (sharedConfig, error)
 		return sharedConfig{}, err
 	}
 
-	if len(cfg.AssumeRole.SourceProfile) > 0 || len(cfg.AssumeRole.CredentialSource) > 0 {
+	if len(cfg.AssumeRole.SourceProfile) > 0 {
 		if err := cfg.setAssumeRoleSource(profile, files); err != nil {
 			return sharedConfig{}, err
 		}
@@ -130,8 +130,10 @@ func (cfg *sharedConfig) setAssumeRoleSource(origProfile string, files []sharedC
 	var assumeRoleSrc sharedConfig
 
 	if len(cfg.AssumeRole.CredentialSource) > 0 {
-		cfg.AssumeRoleSource = &sharedConfig{}
-		return nil
+		// setAssumeRoleSource is only called when source_profile is found.
+		// If both source_profile and credential_source are set, then
+		// ErrSharedConfigSourceCollision will be returned
+		return ErrSharedConfigSourceCollision
 	}
 
 	// Multiple level assume role chains are not support

diff --git a/internal/container/uri.go b/internal/container/uri.go
diff --git a/internal/shareddefaults/ecs_container.go b/internal/shareddefaults/ecs_container.go
@@ -0,0 +1,12 @@
+package shareddefaults
+
+const (
+	// ECSCredsProviderEnvVar is an environmental variable key used to
+	// determine which path needs to be hit.
+	ECSCredsProviderEnvVar = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
+)
+
+// ECSContainerCredentialsURI is the endpoint to retrieve container
+// credentials. This can be overriden to test to ensure the credential process
+// is behaving correctly.
+var ECSContainerCredentialsURI = "http://169.254.170.2"