refactor: Update AWS credential handling to create new BedrockRuntimeClient instances with refreshed credentials

dwin · dwin · commit 7abfeb51000d · 2025-04-10T13:15:44.000-04:00
diff --git a/src/api/providers/__tests__/bedrock-custom-arn.test.ts b/src/api/providers/__tests__/bedrock-custom-arn.test.ts
@@ -2,6 +2,17 @@ import { AwsBedrockHandler } from "../bedrock"
 import { ApiHandlerOptions } from "../../../shared/api"
 import { logger } from "../../../utils/logging"
 
+// Mock AWS SDK credential providers
+jest.mock("@aws-sdk/credential-providers", () => {
+	const mockFromIni = jest.fn().mockImplementation(() => {
+		return async () => ({
+			accessKeyId: "profile-access-key",
+			secretAccessKey: "profile-secret-key",
+		})
+	})
+	return { fromIni: mockFromIni }
+})
+
 // Mock the logger
 jest.mock("../../../utils/logging", () => ({
 	logger: {
@@ -253,15 +264,21 @@ describe("Bedrock ARN Handling", () => {
 		})
 
 		it("should refresh AWS credentials when they expire", async () => {
-			// Mock the send method to simulate expired credentials
-			const mockSend = jest.fn().mockImplementationOnce(async () => {
-				const error = new Error("The security token included in the request is expired")
-				error.name = "ExpiredTokenException"
-				throw error
-			})
-
-			// Mock the BedrockRuntimeClient to use the custom send method
-			bedrockMock.MockBedrockRuntimeClient.prototype.send = mockSend
+			// Get the mock send function
+			const mockSend = bedrockMock.mockSend
+
+			// Configure mockSend to throw an error on first call and succeed on second call
+			mockSend
+				.mockImplementationOnce(async () => {
+					const error = new Error("The security token included in the request is expired")
+					error.name = "ExpiredTokenException"
+					throw error
+				})
+				.mockImplementationOnce(async () => {
+					return {
+						output: new TextEncoder().encode(JSON.stringify({ content: "Test response" })),
+					}
+				})
 
 			// Create a handler with profile-based credentials
 			const profileHandler = new AwsBedrockHandler({
@@ -271,13 +288,16 @@ describe("Bedrock ARN Handling", () => {
 				awsRegion: "us-east-1",
 			})
 
+			// Import fromIni after mocking
+			const { fromIni } = require("@aws-sdk/credential-providers")
+
 			// Mock the fromIni method to simulate refreshed credentials
-			const mockFromIni = jest.fn().mockReturnValue({
-				accessKeyId: "refreshed-access-key",
-				secretAccessKey: "refreshed-secret-key",
+			fromIni.mockImplementation(() => {
+				return async () => ({
+					accessKeyId: "refreshed-access-key",
+					secretAccessKey: "refreshed-secret-key",
+				})
 			})
-			const { fromIni } = require("@aws-sdk/credential-providers")
-			fromIni.mockImplementation(mockFromIni)
 
 			// Attempt to create a message, which should trigger credential refresh
 			const messageGenerator = profileHandler.createMessage("system prompt", [
@@ -294,7 +314,7 @@ describe("Bedrock ARN Handling", () => {
 			}
 
 			// Verify that fromIni was called to refresh credentials
-			expect(mockFromIni).toHaveBeenCalledWith({ profile: "test-profile" })
+			expect(fromIni).toHaveBeenCalledWith({ profile: "test-profile" })
 
 			// Verify that the send method was called twice (once for the initial attempt and once after refresh)
 			expect(mockSend).toHaveBeenCalledTimes(2)
diff --git a/src/api/providers/__tests__/bedrock-invokedModelId.test.ts b/src/api/providers/__tests__/bedrock-invokedModelId.test.ts
@@ -1,15 +1,18 @@
 import { AwsBedrockHandler } from "../bedrock"
 import { ApiHandlerOptions } from "../../../shared/api"
 import { BedrockRuntimeClient } from "@aws-sdk/client-bedrock-runtime"
-const { fromIni } = require("@aws-sdk/credential-providers")
-
 // Mock AWS SDK credential providers and Bedrock client
-jest.mock("@aws-sdk/credential-providers", () => ({
-	fromIni: jest.fn().mockReturnValue({
-		accessKeyId: "profile-access-key",
-		secretAccessKey: "profile-secret-key",
-	}),
-}))
+jest.mock("@aws-sdk/credential-providers", () => {
+	const mockFromIni = jest.fn().mockImplementation(() => {
+		return async () => ({
+			accessKeyId: "profile-access-key",
+			secretAccessKey: "profile-secret-key",
+		})
+	})
+	return { fromIni: mockFromIni }
+})
+
+const { fromIni } = require("@aws-sdk/credential-providers")
 
 // Mock Smithy client
 jest.mock("@smithy/smithy-client", () => ({
@@ -78,7 +81,7 @@ describe("AwsBedrockHandler with invokedModelId", () => {
 	})
 
 	// Helper function to create a mock async iterable stream
-	function createMockStream(events: StreamEvent[]) {
+	function createMockStream(events: any[]) {
 		return {
 			[Symbol.asyncIterator]: async function* () {
 				for (const event of events) {
@@ -363,15 +366,37 @@ describe("AwsBedrockHandler with invokedModelId", () => {
 	})
 
 	it("should refresh AWS credentials when they expire", async () => {
-		// Mock the send method to simulate expired credentials
-		const mockSend = jest.fn().mockImplementationOnce(async () => {
-			const error = new Error("The security token included in the request is expired")
-			error.name = "ExpiredTokenException"
-			throw error
-		})
-
-		// Mock the BedrockRuntimeClient to use the custom send method
-		BedrockRuntimeClient.prototype.send = mockSend
+		// Get the mock send function from our mocked module
+		const { BedrockRuntimeClient } = require("@aws-sdk/client-bedrock-runtime")
+		const mockSend = BedrockRuntimeClient().send
+
+		// Configure mockSend to throw an error on first call and succeed on second call
+		mockSend
+			.mockImplementationOnce(async () => {
+				const error = new Error("The security token included in the request is expired")
+				error.name = "ExpiredTokenException"
+				throw error
+			})
+			.mockImplementationOnce(async () => {
+				return {
+					$metadata: {
+						httpStatusCode: 200,
+						requestId: "mock-request-id",
+					},
+					stream: {
+						[Symbol.asyncIterator]: async function* () {
+							yield {
+								metadata: {
+									usage: {
+										inputTokens: 100,
+										outputTokens: 200,
+									},
+								},
+							}
+						},
+					},
+				}
+			})
 
 		// Create a handler with profile-based credentials
 		const profileHandler = new AwsBedrockHandler({
@@ -382,11 +407,12 @@ describe("AwsBedrockHandler with invokedModelId", () => {
 		})
 
 		// Mock the fromIni method to simulate refreshed credentials
-		const mockFromIni = jest.fn().mockReturnValue({
-			accessKeyId: "refreshed-access-key",
-			secretAccessKey: "refreshed-secret-key",
+		fromIni.mockImplementation(() => {
+			return async () => ({
+				accessKeyId: "refreshed-access-key",
+				secretAccessKey: "refreshed-secret-key",
+			})
 		})
-		fromIni.mockImplementation(mockFromIni)
 
 		// Attempt to create a message, which should trigger credential refresh
 		const messageGenerator = profileHandler.createMessage("system prompt", [
@@ -403,7 +429,7 @@ describe("AwsBedrockHandler with invokedModelId", () => {
 		}
 
 		// Verify that fromIni was called to refresh credentials
-		expect(mockFromIni).toHaveBeenCalledWith({ profile: "test-profile" })
+		expect(fromIni).toHaveBeenCalledWith({ profile: "test-profile" })
 
 		// Verify that the send method was called twice (once for the initial attempt and once after refresh)
 		expect(mockSend).toHaveBeenCalledTimes(2)
diff --git a/src/api/providers/__tests__/bedrock.test.ts b/src/api/providers/__tests__/bedrock.test.ts
@@ -7,9 +7,11 @@ import { logger } from "../../../utils/logging"
 
 // Mock AWS SDK credential providers
 jest.mock("@aws-sdk/credential-providers", () => {
-	const mockFromIni = jest.fn().mockReturnValue({
-		accessKeyId: "profile-access-key",
-		secretAccessKey: "profile-secret-key",
+	const mockFromIni = jest.fn().mockImplementation(() => {
+		return async () => ({
+			accessKeyId: "profile-access-key",
+			secretAccessKey: "profile-secret-key",
+		})
 	})
 	return { fromIni: mockFromIni }
 })
@@ -171,15 +173,37 @@ describe("AwsBedrockHandler", () => {
 
 	describe("AWS Credential Refresh", () => {
 		it("should refresh AWS credentials when they expire", async () => {
-			// Mock the send method to simulate expired credentials
-			const mockSend = jest.fn().mockImplementationOnce(async () => {
-				const error = new Error("The security token included in the request is expired")
-				error.name = "ExpiredTokenException"
-				throw error
-			})
-
-			// Mock the BedrockRuntimeClient to use the custom send method
-			BedrockRuntimeClient.prototype.send = mockSend
+			// Get the mock send function from our mocked module
+			const { BedrockRuntimeClient } = require("@aws-sdk/client-bedrock-runtime")
+			const mockSend = BedrockRuntimeClient().send
+
+			// Configure mockSend to throw an error on first call and succeed on second call
+			mockSend
+				.mockImplementationOnce(async () => {
+					const error = new Error("The security token included in the request is expired")
+					error.name = "ExpiredTokenException"
+					throw error
+				})
+				.mockImplementationOnce(async () => {
+					return {
+						$metadata: {
+							httpStatusCode: 200,
+							requestId: "mock-request-id",
+						},
+						stream: {
+							[Symbol.asyncIterator]: async function* () {
+								yield {
+									metadata: {
+										usage: {
+											inputTokens: 100,
+											outputTokens: 200,
+										},
+									},
+								}
+							},
+						},
+					}
+				})
 
 			// Create a handler with profile-based credentials
 			const profileHandler = new AwsBedrockHandler({
@@ -190,11 +214,12 @@ describe("AwsBedrockHandler", () => {
 			})
 
 			// Mock the fromIni method to simulate refreshed credentials
-			const mockFromIni = jest.fn().mockReturnValue({
-				accessKeyId: "refreshed-access-key",
-				secretAccessKey: "refreshed-secret-key",
+			fromIni.mockImplementation(() => {
+				return async () => ({
+					accessKeyId: "refreshed-access-key",
+					secretAccessKey: "refreshed-secret-key",
+				})
 			})
-			fromIni.mockImplementation(mockFromIni)
 
 			// Attempt to create a message, which should trigger credential refresh
 			const messageGenerator = profileHandler.createMessage("system prompt", [
@@ -211,7 +236,7 @@ describe("AwsBedrockHandler", () => {
 			}
 
 			// Verify that fromIni was called to refresh credentials
-			expect(mockFromIni).toHaveBeenCalledWith({ profile: "test-profile" })
+			expect(fromIni).toHaveBeenCalledWith({ profile: "test-profile" })
 
 			// Verify that the send method was called twice (once for the initial attempt and once after refresh)
 			expect(mockSend).toHaveBeenCalledTimes(2)
diff --git a/src/api/providers/bedrock.ts b/src/api/providers/bedrock.ts
@@ -1132,13 +1132,24 @@ Suggestions:
 			const refreshedCredentials = await fromIni({
 				profile: this.options.awsProfile,
 			})()
-			this.client.config.credentials = refreshedCredentials
+			// Create a new client with the refreshed credentials
+			const clientConfig: BedrockRuntimeClientConfig = {
+				region: this.options.awsRegion,
+				credentials: refreshedCredentials,
+			}
+			this.client = new BedrockRuntimeClient(clientConfig)
 		} else if (this.options.awsAccessKey && this.options.awsSecretKey) {
-			this.client.config.credentials = {
+			const newCredentials = {
 				accessKeyId: this.options.awsAccessKey,
 				secretAccessKey: this.options.awsSecretKey,
 				...(this.options.awsSessionToken ? { sessionToken: this.options.awsSessionToken } : {}),
 			}
+			// Create a new client with the new credentials
+			const clientConfig: BedrockRuntimeClientConfig = {
+				region: this.options.awsRegion,
+				credentials: newCredentials,
+			}
+			this.client = new BedrockRuntimeClient(clientConfig)
 		}
 	}
 }
