fix(credentials): used selected auth scheme identity instead of calling credentials provider (#6555)

kuhe · web-flow · commit 27f462b20c94 · 2024-10-09T12:31:31.000-04:00
* fix(credentials): used selected auth scheme identity instead of calling credentials provider

* test(middleware-user-agent): add unit test for empty config/context
diff --git a/packages/middleware-user-agent/src/check-features.spec.ts b/packages/middleware-user-agent/src/check-features.spec.ts
@@ -0,0 +1,34 @@
+import { AwsHandlerExecutionContext } from "@aws-sdk/types";
+
+import { checkFeatures } from "./check-features";
+
+describe(checkFeatures.name, () => {
+  it("should not call the credentials provider to retrieve the identity", async () => {
+    const config = {
+      credentials: jest.fn(),
+    };
+
+    const context = {
+      __smithy_context: {
+        selectedHttpAuthScheme: {
+          identity: {
+            accountId: "123456789012",
+            $source: {},
+          },
+        },
+      },
+    } as AwsHandlerExecutionContext;
+
+    await checkFeatures(context, config, {
+      request: undefined,
+      input: undefined,
+    });
+
+    expect(config.credentials).not.toHaveBeenCalled();
+    expect(context.__aws_sdk_context?.features?.RESOLVED_ACCOUNT_ID).toBe("T");
+  });
+
+  it("should not throw an error if no fields are present", async () => {
+    await checkFeatures({}, {}, {} as any);
+  });
+});
diff --git a/packages/middleware-user-agent/src/check-features.ts b/packages/middleware-user-agent/src/check-features.ts
@@ -42,20 +42,16 @@ export async function checkFeatures(
     }
   }
 
-  if (typeof config.credentials === "function") {
-    try {
-      const credentials: AttributedAwsCredentialIdentity = await config.credentials?.();
-      if (credentials.accountId) {
-        setFeature(context, "RESOLVED_ACCOUNT_ID", "T");
-      }
-      for (const [key, value] of Object.entries(credentials.$source ?? {})) {
-        setFeature(context, key as keyof AwsSdkCredentialsFeatures, value);
-      }
-    } catch (e: unknown) {
-      // Sometimes config.credentials is a function but only throws
-      // as a way of informing users that something is missing.
-      // That error and any other credential retrieval errors are
-      // not relevant for feature-checking and should be ignored.
+  // TODO: later version of @smithy/types has explicit typing for this.
+  const identity = (context.__smithy_context?.selectedHttpAuthScheme as any)?.identity;
+
+  if ((identity as AttributedAwsCredentialIdentity)?.$source) {
+    const credentials = identity as AttributedAwsCredentialIdentity;
+    if (credentials.accountId) {
+      setFeature(context, "RESOLVED_ACCOUNT_ID", "T");
+    }
+    for (const [key, value] of Object.entries(credentials.$source ?? {})) {
+      setFeature(context, key as keyof AwsSdkCredentialsFeatures, value);
     }
   }
 }
