Skip to content

Commit 1520944

Browse files
sbalujasbaluja
authored
SSO role URL encoding fix in SSOCredentialsClient (#3485)
* SSOCredentialsClient - Remove duplicate URLEncode call in GetSSOCredentials * AWSCredentialsProviderTest - Add test for SSOCredentials provider when Role contains special characters
1 parent 2fa2000 commit 1520944

File tree

2 files changed

+71
-2
lines changed

2 files changed

+71
-2
lines changed

src/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -661,8 +661,8 @@ namespace Aws
661661

662662
httpRequest->SetUserAgent(m_userAgent);
663663

664-
httpRequest->AddQueryStringParameter("account_id", Aws::Utils::StringUtils::URLEncode(request.m_ssoAccountId.c_str()));
665-
httpRequest->AddQueryStringParameter("role_name", Aws::Utils::StringUtils::URLEncode(request.m_ssoRoleName.c_str()));
664+
httpRequest->AddQueryStringParameter("account_id", request.m_ssoAccountId);
665+
httpRequest->AddQueryStringParameter("role_name", request.m_ssoRoleName);
666666

667667
Aws::String credentialsStr = GetResourceWithAWSWebServiceResult(httpRequest).GetPayload();
668668

tests/aws-cpp-sdk-core-tests/aws/auth/AWSCredentialsProviderTest.cpp

Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -970,6 +970,75 @@ sso_start_url = https://d-92671207e4.awsapps.com/start
970970
ASSERT_EQ(DateTime((int64_t) 2303614800000), creds.GetExpiration());
971971
}
972972

973+
TEST_F(SSOCredentialsProviderTest, TestParseCredentialsFromNonAsciiRole)
974+
{
975+
AWS_LOGSTREAM_DEBUG("TEST_SSO", "Preparing Test Token file in: " << m_ssoTokenRefreshFileName);
976+
Aws::OFStream tokenFile(m_ssoTokenRefreshFileName.c_str(), Aws::OFStream::out | Aws::OFStream::trunc);
977+
tokenFile << R"({
978+
"accessToken": "base64string",
979+
"expiresAt": ")";
980+
tokenFile << DateTime::Now().GetYear() + 1;
981+
tokenFile << R"(-01-02T00:00:00Z",
982+
"region": "us-west-2",
983+
"startUrl": "https://d-92671207e4.awsapps.com/start"
984+
})";
985+
tokenFile.close();
986+
Aws::Environment::SetEnv("AWS_DEFAULT_PROFILE", "sso-profile", 1/*override*/);
987+
Aws::Environment::SetEnv("AWS_PROFILE", "sso-profile", 1/*override*/);
988+
Aws::OFStream configFile(m_configFileName.c_str(), Aws::OFStream::out | Aws::OFStream::trunc);
989+
configFile << R"([profile sso-profile]
990+
sso_session = dev
991+
sso_account_id = 012345678901
992+
sso_role_name = Sample@@Role
993+
sso_region = us-east-1
994+
sso_start_url = https://d-92671207e4.awsapps.com/start
995+
996+
[sso-session dev]
997+
sso_region = us-east-1
998+
sso_start_url = https://d-92671207e4.awsapps.com/start
999+
)";
1000+
configFile.close();
1001+
1002+
Aws::Config::ReloadCachedConfigFile();
1003+
SSOCredentialsProvider provider;
1004+
1005+
// No response is set to mockHttpClient, there will be no response
1006+
auto creds = provider.GetAWSCredentials();
1007+
ASSERT_TRUE(creds.IsEmpty());
1008+
auto request = mockHttpClient->GetMostRecentHttpRequest();
1009+
1010+
ASSERT_EQ("https://portal.sso.us-east-1.amazonaws.com/federation/credentials?account_id=012345678901&role_name=Sample%40%40Role", request.GetURIString());
1011+
ASSERT_EQ("base64string", request.GetHeaderValue("x-amz-sso_bearer_token"));
1012+
// No response is set to mockHttpClient, there will be no response
1013+
creds = provider.GetAWSCredentials();
1014+
ASSERT_TRUE(creds.IsEmpty());
1015+
1016+
// adding a valid response to the http request
1017+
std::shared_ptr<HttpRequest> requestTmp = CreateHttpRequest(URI(request.GetURIString(true /*include querystring*/)), HttpMethod::HTTP_GET, Aws::Utils::Stream::DefaultResponseStreamFactoryMethod);
1018+
//Made up credentials
1019+
Aws::String goodResult = R"({
1020+
"roleCredentials": {
1021+
"accessKeyId": "access",
1022+
"expiration": 2303614800000,
1023+
"secretAccessKey": "secret",
1024+
"sessionToken": "token"
1025+
}
1026+
}
1027+
)";
1028+
1029+
std::shared_ptr<StandardHttpResponse> goodResponse = Aws::MakeShared<StandardHttpResponse>(AllocationTag, requestTmp);
1030+
goodResponse->SetResponseCode(HttpResponseCode::OK);
1031+
goodResponse->GetResponseBody() << goodResult;
1032+
mockHttpClient->AddResponseToReturn(goodResponse);
1033+
1034+
creds = provider.GetAWSCredentials();
1035+
ASSERT_FALSE(creds.IsEmpty());
1036+
ASSERT_EQ("access", creds.GetAWSAccessKeyId());
1037+
ASSERT_EQ("secret", creds.GetAWSSecretKey());
1038+
ASSERT_EQ("token", creds.GetSessionToken());
1039+
ASSERT_EQ(DateTime((int64_t) 2303614800000), creds.GetExpiration());
1040+
}
1041+
9731042
TEST_F(SSOCredentialsProviderTest, TestParseCredentialsFromConfigFailsWithConflictingConfiguration)
9741043
{
9751044
AWS_LOGSTREAM_DEBUG("TEST_SSO", "Preparing Test Token file in: " << m_ssoTokenRefreshFileName);

0 commit comments

Comments
 (0)