From d78f55b1db65186cb251a8504ae9527af06fc5fd Mon Sep 17 00:00:00 2001
From: Peter Woodworth <44349620+peterwoodworth@users.noreply.github.com>
Date: Tue, 5 Sep 2023 14:19:05 -0700
Subject: [PATCH] fix: validation logic throwing unwanted errors (#818)
* fix: throws error even when valid credentials are present
* fix: throws error when invalid credentials are present despite not wanting to use them
---
 .github/workflows/tests-integ.yml | 29 ++++++++++++++++++++++++++++-
 dist/index.js | 10 +++++-----
 src/index.ts | 12 +++++-------
 test/index.test.ts | 7 ++++---
 4 files changed, 42 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/tests-integ.yml b/.github/workflows/tests-integ.yml
index 84dd384..722bbee 100644
--- a/.github/workflows/tests-integ.yml
+++ b/.github/workflows/tests-integ.yml
@@ -1,4 +1,4 @@
-name: Run tests
+name: Run Integ tests
 on:
 workflow_dispatch:
@@ -27,6 +27,33 @@ jobs:
 role-duration-seconds: 900
 role-session-name: IntegOidcAssumeRole
 role-external-id: ${{ secrets.SECRETS_OIDC_AWS_ROLE_EXTERNAL_ID }}
+ integ-oidc-env:
+ permissions:
+ contents: read
+ id-token: write
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [[self-hosted, linux-fargate], windows-latest, ubuntu-latest, macos-latest]
+ node: [14, 16, 18]
+ name: Run OIDC integ tests with existing invalid env vars
+ runs-on: ${{ matrix.os }}
+ env:
+ AWS_ACCESS_KEY_ID: dummyaccesskeyid
+ AWS_SECRET_ACCESS_KEY: dummysecretkey
+ AWS_SESSION_TOKEN: dummytoken
+ timeout-minutes: 30
+ steps:
+ - name: "Checkout repository"
+ uses: actions/checkout@v3
+ - name: Integ test for OIDC
+ uses: ./
+ with:
+ aws-region: us-west-2
+ role-to-assume: ${{ secrets.SECRETS_OIDC_AWS_ROLE_TO_ASSUME }}
+ role-duration-seconds: 900
+ role-session-name: IntegOidcAssumeRole
+ role-external-id: ${{ secrets.SECRETS_OIDC_AWS_ROLE_EXTERNAL_ID }}
 integ-access-keys:
 strategy:
 fail-fast: false
diff --git a/dist/index.js b/dist/index.js
index 6609210..a0c7c39 100644
--- a/dist/index.js
+++ b/dist/index.js
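Review bot: The new integ-oidc-env job only checks that `uses: ./` exits successfully while dummy AWS_* variables are present; nothing in the hunk verifies that the credentials the action exported actually came from the OIDC role rather than the dummy keys being passed through, so a regression that quietly preferred the environment pair would still go green. A verification step after the action, e.g. `- run: aws sts get-caller-identity` followed by a check that the returned Arn names the assumed role, would turn the job into a real regression test (this assumes the runners have the AWS CLI, which the hunk does not show). The job also appears to duplicate the matrix and inputs of the sibling OIDC job whose tail is the context just above the hunk; if the only difference is the `env` block, a matrix `include` carrying that flag would keep the two jobs from drifting apart.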
@@ -520,12 +520,12 @@ async function run() {
 // in any error messages.
 (0, helpers_1.exportCredentials)({ AccessKeyId, SecretAccessKey, SessionToken });
 }
- else if (!webIdentityTokenFile &&
- !roleChaining &&
- !(process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
- throw new Error('Could not determine how to assume credentials. Please check your inputs and try again.');
+ else if (!webIdentityTokenFile && !roleChaining) {
+ // Proceed only if credentials can be picked up
+ await credentialsClient.validateCredentials();
+ sourceAccountId = await (0, helpers_1.exportAccountId)(credentialsClient, maskAccountId);
 }
- if (AccessKeyId || roleChaining || (process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
+ if (AccessKeyId || roleChaining) {
 // Validate that the SDK can actually pick up credentials.
 // This validates cases where this action is using existing environment credentials,
 // and cases where the user intended to provide input credentials but the secrets inputs resolved to empty strings.
diff --git a/src/index.ts b/src/index.ts
index cc24be8..da296c7 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -128,15 +128,13 @@ export async function run() {
 // the source credentials to already be masked as secrets
 // in any error messages.
 exportCredentials({ AccessKeyId, SecretAccessKey, SessionToken });
- } else if (
- !webIdentityTokenFile &&
- !roleChaining &&
- !(process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])
- ) {
- throw new Error('Could not determine how to assume credentials. Please check your inputs and try again.');
+ } else if (!webIdentityTokenFile && !roleChaining) {
+ // Proceed only if credentials can be picked up
+ await credentialsClient.validateCredentials();
+ sourceAccountId = await exportAccountId(credentialsClient, maskAccountId);
 }
- if (AccessKeyId || roleChaining || (process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
+ if (AccessKeyId || roleChaining) {
 // Validate that the SDK can actually pick up credentials.
 // This validates cases where this action is using existing environment credentials,
 // and cases where the user intended to provide input credentials but the secrets inputs resolved to empty strings.
diff --git a/test/index.test.ts b/test/index.test.ts
index ccb6fc4..42fad85 100644
--- a/test/index.test.ts
+++ b/test/index.test.ts
@@ -202,7 +202,7 @@ describe('Configure AWS Credentials', () => {
 await run();
 expect(core.setFailed).toHaveBeenCalledWith(
- 'Could not determine how to assume credentials. Please check your inputs and try again.'
+ 'Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers'
 );
 });
@@ -217,7 +217,7 @@ describe('Configure AWS Credentials', () => {
 await run();
 expect(core.setFailed).toHaveBeenCalledWith(
- 'Could not determine how to assume credentials. Please check your inputs and try again.'
+ 'Credentials could not be loaded, please check your action inputs: Access key ID empty after loading credentials'
 );
 });
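Review bot: The new `else if` branch replaces a hard refusal with acceptance of whatever credentials the SDK manages to resolve, not just the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY pair the removed condition required, so on a self-hosted runner an ambient runner identity can now become the source for `role-to-assume` with no inputs at all; that widening may well be intended, but the one-line comment should make it explicit. Replace `// Proceed only if credentials can be picked up` with `// No explicit credential source configured: rely on whatever credentials the SDK can resolve from the runner environment, and let validateCredentials() fail the run if none resolve`. The branch also appears to do the same validate-then-export work as the `if (AccessKeyId || roleChaining)` block that follows it, whose body lies outside the hunk; if that is the case, a small shared helper would keep the two call sites from diverging. The if-chain this branch belongs to starts before the hunk, so the earlier OIDC and access-key branches are not visible here, and the compiled copy of the same change sits in the dist/index.js hunk.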
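Review bot: The updated assertions in the @@ -202 and @@ -217 hunks pin the text that follows the action's own prefix (`Could not load credentials from any providers`, `Access key ID empty after loading credentials`), which appears to originate in the SDK or the mocked providers rather than in the action, so an upstream wording change or a mock tweak will break these tests without any behaviour change in the action; the @@ -524 hunk on the next line does the same. Asserting only on the part the action controls, `expect(core.setFailed).toHaveBeenCalledWith(expect.stringContaining('Credentials could not be loaded, please check your action inputs'))`, keeps the tests tied to the action's contract. The enclosing describe block and each test's setup start outside these hunks.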
@@ -508,6 +508,7 @@ describe('Configure AWS Credentials', () => {
 });
 test('GH OIDC check fails if token is not set', async () => {
+ (fromEnv as jest.Mock).mockReset();
 process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = undefined;
 process.env['GITHUB_ACTIONS'] = 'true';
 jest.spyOn(core, 'getInput').mockImplementation(
@@ -524,7 +525,7 @@ describe('Configure AWS Credentials', () => {
 ' If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.'
 );
 expect(core.setFailed).toHaveBeenCalledWith(
- 'Could not determine how to assume credentials. Please check your inputs and try again.'
+ 'Credentials could not be loaded, please check your action inputs: provider is not a function'
 );
 });
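Review bot: The failure pinned in the @@ -524 hunk, `provider is not a function`, is a TypeError that presumably comes from the `(fromEnv as jest.Mock).mockReset()` added in the @@ -508 hunk (a reset mock returns undefined where a provider function is expected), not from the missing-token check the test is named for; the setFailed assertion therefore proves a mock-setup artefact, and only the core.warning assertion above it still exercises the OIDC path. Give the reset mock a deliberate implementation, e.g. `(fromEnv as jest.Mock).mockReturnValue(() => Promise.reject(new Error('no env credentials')))`, and assert on the action's own prefix with `expect.stringContaining('Credentials could not be loaded')` so the failure reason is the one under test. The test body continues beyond the @@ -508 hunk, and the setup preceding the @@ -524 hunk lies outside it.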