chore: make tests work with new SDKv3 version (#33016)

In a recent upgrade of the SDKv3, the INI credential provider has gotten
a private copy of the STS Client, to make AssumeRole calls with. This
means the STS Client used by the INI provider is now unmockable.

In #31702, we migrated the tests of the credentials chain mostly to
using mocks, as opposed to what it was doing in the past: intercepting
network traffic and emulating a fake STS Endpoint. These tests now start
failing due to an SDK upgrade.

Fortunately, most of the old code was still there, so in this change I'm
ripping out the STS Mocking and doing a couple minor changes; the tests
now pass again.

This PR also upgrades the SDKv3 version at the same time, some other
packages that needed to be upgraded along with this as well
(`@smithy/middleware-endpoint` and `cdk-assets` which covers a new enum
value for the S3 client).

----

*By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license*

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

Author: rix0rrr

packages/aws-cdk/THIRD_PARTY_LICENSES

@@ -108,38 +108,38 @@
     "@aws-cdk/cloudformation-diff": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
     "@aws-cdk/region-info": "0.0.0",
-    "@aws-sdk/client-appsync": "3.699.0",
-    "@aws-sdk/client-cloudformation": "3.699.0",
-    "@aws-sdk/client-cloudwatch-logs": "3.699.0",
-    "@aws-sdk/client-codebuild": "3.699.0",
-    "@aws-sdk/client-ec2": "3.699.0",
-    "@aws-sdk/client-ecr": "3.699.0",
-    "@aws-sdk/client-ecs": "3.699.0",
-    "@aws-sdk/client-elastic-load-balancing-v2": "3.699.0",
-    "@aws-sdk/client-iam": "3.699.0",
-    "@aws-sdk/client-kms": "3.699.0",
-    "@aws-sdk/client-lambda": "3.699.0",
-    "@aws-sdk/client-route-53": "3.699.0",
-    "@aws-sdk/client-s3": "3.699.0",
-    "@aws-sdk/client-secrets-manager": "3.699.0",
-    "@aws-sdk/client-sfn": "3.699.0",
-    "@aws-sdk/client-ssm": "3.699.0",
-    "@aws-sdk/client-sts": "3.699.0",
-    "@aws-sdk/credential-providers": "3.699.0",
-    "@aws-sdk/ec2-metadata-service": "3.699.0",
-    "@aws-sdk/lib-storage": "3.699.0",
+    "@aws-sdk/client-appsync": "^3.699.0",
+    "@aws-sdk/client-cloudformation": "^3.699.0",
+    "@aws-sdk/client-cloudwatch-logs": "^3.699.0",
+    "@aws-sdk/client-codebuild": "^3.699.0",
+    "@aws-sdk/client-ec2": "^3.699.0",
+    "@aws-sdk/client-ecr": "^3.699.0",
+    "@aws-sdk/client-ecs": "^3.699.0",
+    "@aws-sdk/client-elastic-load-balancing-v2": "^3.699.0",
+    "@aws-sdk/client-iam": "^3.699.0",
+    "@aws-sdk/client-kms": "^3.699.0",
+    "@aws-sdk/client-lambda": "^3.699.0",
+    "@aws-sdk/client-route-53": "^3.699.0",
+    "@aws-sdk/client-s3": "^3.699.0",
+    "@aws-sdk/client-secrets-manager": "^3.699.0",
+    "@aws-sdk/client-sfn": "^3.699.0",
+    "@aws-sdk/client-ssm": "^3.699.0",
+    "@aws-sdk/client-sts": "^3.699.0",
+    "@aws-sdk/credential-providers": "^3.699.0",
+    "@aws-sdk/ec2-metadata-service": "^3.699.0",
+    "@aws-sdk/lib-storage": "^3.699.0",
     "@jsii/check-node": "1.104.0",
-    "@smithy/middleware-endpoint": "3.1.4",
-    "@smithy/node-http-handler": "3.2.4",
-    "@smithy/property-provider": "3.1.10",
-    "@smithy/shared-ini-file-loader": "3.1.8",
-    "@smithy/types": "3.5.0",
-    "@smithy/util-retry": "3.0.7",
-    "@smithy/util-stream": "3.1.9",
-    "@smithy/util-waiter": "3.1.6",
+    "@smithy/middleware-endpoint": "^4",
+    "@smithy/node-http-handler": "^3.2.4",
+    "@smithy/property-provider": "^3.1.10",
+    "@smithy/shared-ini-file-loader": "^3.1.8",
+    "@smithy/types": "^3.5.0",
+    "@smithy/util-retry": "^3.0.7",
+    "@smithy/util-stream": "^3.1.9",
+    "@smithy/util-waiter": "^3.1.6",
     "archiver": "^5.3.2",
     "camelcase": "^6.3.0",
-    "cdk-assets": "^3.0.0-rc.111",
+    "cdk-assets": "^3.0.0-rc.123",
     "cdk-from-cfn": "^0.162.0",
     "chalk": "^4",
     "chokidar": "^3.6.0",

packages/aws-cdk/package.json

@@ -1,9 +1,8 @@
-import { AssumeRoleCommand, GetCallerIdentityCommand, Tag } from '@aws-sdk/client-sts';
+import { Tag } from '@aws-sdk/client-sts';
 import * as nock from 'nock';
 import * as uuid from 'uuid';
 import * as xmlJs from 'xml-js';
 import { formatErrorMessage } from '../../lib/util/error';
-import { mockSTSClient } from '../util/mock-sdk';
 
 interface RegisteredIdentity {
   readonly account: string;
@@ -21,6 +20,7 @@ interface RegisteredRole {
 interface AssumedRole {
   readonly roleArn: string;
   readonly serialNumber: string;
+  readonly externalId?: string;
   readonly tokenCode: string;
   readonly roleSessionName: string;
   readonly tags?: Tag[];
@@ -43,10 +43,22 @@ interface AssumedRole {
 export class FakeSts {
   public readonly assumedRoles = new Array<AssumedRole>();
 
+  /**
+   * AccessKey -> User or Session
+   */
   private identities: Record<string, RegisteredIdentity> = {};
+
+  /**
+   * RoleARN -> Role
+   *
+   * When a Role is assumed it creates a Session.
+   */
   private roles: Record<string, RegisteredRole> = {};
 
-  constructor() {}
+  /**
+   * Throw this error when AssumeRole is called
+   */
+  public failAssumeRole?: Error;
 
   /**
    * Begin mocking
@@ -71,7 +83,8 @@ export class FakeSts {
             parsedBody,
             headers: this.req.headers,
           });
-          cb(null, [200, xmlJs.js2xml(response, { compact: true })]);
+          const xml = xmlJs.js2xml(response, { compact: true });
+          cb(null, [200, xml]);
         } catch (e: any) {
           cb(null, [
             400,
@@ -111,6 +124,13 @@ export class FakeSts {
     nock.enableNetConnect();
   }
 
+  public printState() {
+    // eslint-disable-next-line no-console
+    console.log(this.roles);
+    // eslint-disable-next-line no-console
+    console.log(this.identities);
+  }
+
   /**
    * Register a user
    */
@@ -124,8 +144,6 @@ export class FakeSts {
       arn,
       userId,
     };
-
-    this.setSTSMocks(account, arn, userName, accessKey);
   }
 
   /**
@@ -140,44 +158,17 @@ export class FakeSts {
       roleName,
       account,
     };
-
-    this.setSTSMocks(account, roleArn, roleArn);
-  }
-
-  private setSTSMocks(account: string, roleArn: string, name: string, accessKey?: string) {
-    const accessKeyId = accessKey ?? uuid.v4();
-    mockSTSClient
-      .on(GetCallerIdentityCommand)
-      .resolves({
-        Account: account,
-        Arn: roleArn,
-        UserId: name,
-      })
-      .on(AssumeRoleCommand)
-      .resolves({
-        AssumedRoleUser: {
-          Arn: roleArn,
-          AssumedRoleId: `${accessKeyId}:${name}`,
-        },
-        Credentials: {
-          AccessKeyId: accessKeyId,
-          SecretAccessKey: 'Secret',
-          SessionToken: 'Token',
-          Expiration: new Date(Date.now() + 3600 * 1000),
-        },
-        PackedPolicySize: 6,
-      });
   }
 
   private handleRequest(mockRequest: MockRequest): Record<string, any> {
     const response = (() => {
       const identity = this.identity(mockRequest);
 
       switch (mockRequest.parsedBody.Action) {
-        case 'GetCallerIdentityCommand':
+        case 'GetCallerIdentity':
           return this.handleGetCallerIdentity(identity);
 
-        case 'AssumeRoleCommand':
+        case 'AssumeRole':
           return this.handleAssumeRole(identity, mockRequest);
       }
 
@@ -229,6 +220,9 @@ export class FakeSts {
 
   private handleAssumeRole(identity: RegisteredIdentity, mockRequest: MockRequest): Record<string, any> {
     this.checkForFailure(mockRequest.parsedBody.RoleArn);
+    if (this.failAssumeRole) {
+      throw this.failAssumeRole;
+    }
 
     this.assumedRoles.push({
       roleArn: mockRequest.parsedBody.RoleArn,
@@ -237,6 +231,7 @@ export class FakeSts {
       tokenCode: mockRequest.parsedBody.TokenCode,
       tags: this.decodeMapFromRequestBody('Tags', mockRequest.parsedBody),
       transitiveTagKeys: this.decodeListKeysFromRequestBody('TransitiveTagKeys', mockRequest.parsedBody),
+      externalId: mockRequest.parsedBody.ExternalId,
     });
 
     const roleArn = mockRequest.parsedBody.RoleArn;
@@ -274,9 +269,9 @@ export class FakeSts {
           },
           PackedPolicySize: 6,
         },
-      },
-      ResponseMetadata: {
-        RequestId: '1',
+        ResponseMetadata: {
+          RequestId: '1',
+        },
       },
     };
   }