fix(cli): allow credential plugins to return null for expiration (#32554)

rix0rrr · HBobertz · commit e59b1db4d8da · 2024-12-17T14:22:31.000-05:00
According to the type definitions, the `expiration` field of V3 AWS credentials must be `undefined` or `Date`, but we are running into situations in reality where the value is `null`, leading to the error:

```
TypeError: Cannot read properties of null (reading 'getTime')
```

Survive that specific case.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts b/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts
@@ -20,5 +20,5 @@ export function makeCachingProvider(provider: AwsCredentialIdentityProvider): Aw
 
 export function credentialsAboutToExpire(token: AwsCredentialIdentity) {
   const expiryMarginSecs = 5;
-  return token.expiration !== undefined && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000;
+  return !!token.expiration && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000;
 }
diff --git a/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts b/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts
@@ -1,4 +1,5 @@
 import { CredentialPlugins } from '../../../lib/api/aws-auth/credential-plugins';
+import { credentialsAboutToExpire } from '../../../lib/api/aws-auth/provider-caching';
 import { CredentialProviderSource, Mode, SDKv3CompatibleCredentials } from '../../../lib/api/plugin/credential-provider-source';
 import { PluginHost, markTesting } from '../../../lib/api/plugin/plugin';
 
@@ -134,6 +135,15 @@ test('plugin must not return something that is not a credential', async () => {
   await expect(fetchNow()).rejects.toThrow(/Plugin returned a value that/);
 });
 
+test('token expiration is allowed to be null', () => {
+  expect(credentialsAboutToExpire({
+    accessKeyId: 'key',
+    secretAccessKey: 'secret',
+    // This is not allowed according to the `.d.ts` contract, but it can happen in reality
+    expiration: null as any,
+  })).toEqual(false);
+});
+
 function mockCredentialFunction(p: CredentialProviderSource['getProvider']) {
   mockCredentialPlugin({
     name: 'test',

Original file line number	Diff line number	Diff line change
`@@ -20,5 +20,5 @@ export function makeCachingProvider(provider: AwsCredentialIdentityProvider): Aw`
`20`	`20`
`21`	`21`	`export function credentialsAboutToExpire(token: AwsCredentialIdentity) {`
`22`	`22`	`const expiryMarginSecs = 5;`
`23`		`- return token.expiration !== undefined && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000;`
	`23`	`+ return !!token.expiration && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000;`
`24`	`24`	`}`