1use crate::identity::IdentityCache;
14use crate::sso::cache::{
15 load_cached_token, save_cached_token, CachedSsoToken, CachedSsoTokenError,
16};
17use aws_credential_types::provider::token::ProvideToken;
18use aws_credential_types::provider::{
19 error::TokenError, future::ProvideToken as ProvideTokenFuture,
20};
21use aws_sdk_ssooidc::error::DisplayErrorContext;
22use aws_sdk_ssooidc::operation::create_token::CreateTokenOutput;
23use aws_sdk_ssooidc::Client as SsoOidcClient;
24use aws_smithy_async::time::SharedTimeSource;
25use aws_smithy_runtime::expiring_cache::ExpiringCache;
26use aws_smithy_runtime_api::client::identity::http::Token;
27use aws_smithy_runtime_api::client::identity::{IdentityFuture, ResolveIdentity};
28use aws_smithy_runtime_api::client::runtime_components::RuntimeComponents;
29use aws_smithy_types::config_bag::ConfigBag;
30use aws_types::os_shim_internal::{Env, Fs};
31use aws_types::region::Region;
32use aws_types::SdkConfig;
33use std::error::Error as StdError;
34use std::fmt;
35use std::sync::{Arc, Mutex};
36use std::time::{Duration, SystemTime};
37use zeroize::Zeroizing;
38
39const REFRESH_BUFFER_TIME: Duration = Duration::from_secs(5 * 60 );
40const MIN_TIME_BETWEEN_REFRESH: Duration = Duration::from_secs(30);
41
42#[derive(Debug)]
49pub struct SsoTokenProvider {
50 inner: Arc<Inner>,
51 token_cache: ExpiringCache<CachedSsoToken, SsoTokenProviderError>,
52}
53
54#[derive(Debug)]
55struct Inner {
56 env: Env,
57 fs: Fs,
58 region: Region,
59 session_name: String,
60 start_url: String,
61 sdk_config: SdkConfig,
62 last_refresh_attempt: Mutex<Option<SystemTime>>,
63}
64
65impl SsoTokenProvider {
66 pub fn builder() -> Builder {
68 Default::default()
69 }
70
71 async fn refresh_cached_token(
72 inner: &Inner,
73 cached_token: &CachedSsoToken,
74 identifier: &str,
75 now: SystemTime,
76 ) -> Result<Option<CachedSsoToken>, SsoTokenProviderError> {
77 let config = inner
79 .sdk_config
80 .to_builder()
81 .region(Some(inner.region.clone()))
82 .identity_cache(IdentityCache::no_cache())
83 .build();
84 let client = SsoOidcClient::new(&config);
85 let resp = client
86 .create_token()
87 .grant_type("refresh_token")
88 .client_id(
89 cached_token
90 .client_id
91 .as_ref()
92 .expect("required for token refresh")
93 .clone(),
94 )
95 .client_secret(
96 cached_token
97 .client_secret
98 .as_ref()
99 .expect("required for token refresh")
100 .as_str(),
101 )
102 .refresh_token(
103 cached_token
104 .refresh_token
105 .as_ref()
106 .expect("required for token refresh")
107 .as_str(),
108 )
109 .send()
110 .await;
111 match resp {
112 Ok(CreateTokenOutput {
113 access_token: Some(access_token),
114 refresh_token,
115 expires_in,
116 ..
117 }) => {
118 let refreshed_token = CachedSsoToken {
119 access_token: Zeroizing::new(access_token),
120 client_id: cached_token.client_id.clone(),
121 client_secret: cached_token.client_secret.clone(),
122 expires_at: now
123 + Duration::from_secs(
124 u64::try_from(expires_in)
125 .map_err(|_| SsoTokenProviderError::BadExpirationTimeFromSsoOidc)?,
126 ),
127 refresh_token: refresh_token
128 .map(Zeroizing::new)
129 .or_else(|| cached_token.refresh_token.clone()),
130 region: Some(inner.region.to_string()),
131 registration_expires_at: cached_token.registration_expires_at,
132 start_url: Some(inner.start_url.clone()),
133 };
134 save_cached_token(&inner.env, &inner.fs, identifier, &refreshed_token).await?;
135 tracing::debug!("saved refreshed SSO token");
136 Ok(Some(refreshed_token))
137 }
138 Ok(_) => {
139 tracing::debug!("SSO OIDC CreateToken responded without an access token");
140 Ok(None)
141 }
142 Err(err) => {
143 tracing::debug!(
144 "call to SSO OIDC CreateToken for SSO token refresh failed: {}",
145 DisplayErrorContext(&err)
146 );
147 Ok(None)
148 }
149 }
150 }
151
152 pub(super) fn resolve_token(
153 &self,
154 time_source: SharedTimeSource,
155 ) -> impl std::future::Future<Output = Result<CachedSsoToken, TokenError>> + 'static {
156 let token_cache = self.token_cache.clone();
157 let inner = self.inner.clone();
158
159 async move {
160 if let Some(token) = token_cache
161 .yield_or_clear_if_expired(time_source.now())
162 .await
163 {
164 tracing::debug!("using cached SSO token");
165 return Ok(token);
166 }
167 let token = token_cache
168 .get_or_load(|| async move {
169 tracing::debug!("expiring cache asked for an updated SSO token");
170 let mut token =
171 load_cached_token(&inner.env, &inner.fs, &inner.session_name).await?;
172 tracing::debug!("loaded cached SSO token");
173
174 let now = time_source.now();
175 let expired = token.expires_at <= now;
176 let expires_soon = token.expires_at - REFRESH_BUFFER_TIME <= now;
177 let last_refresh = *inner.last_refresh_attempt.lock().unwrap();
178 let min_time_passed = last_refresh
179 .map(|lr| {
180 now.duration_since(lr).expect("last_refresh is in the past")
181 >= MIN_TIME_BETWEEN_REFRESH
182 })
183 .unwrap_or(true);
184 let registration_expired = token
185 .registration_expires_at
186 .map(|t| t <= now)
187 .unwrap_or(true);
188 let refreshable =
189 token.refreshable() && min_time_passed && !registration_expired;
190
191 tracing::debug!(
192 expired = ?expired,
193 expires_soon = ?expires_soon,
194 min_time_passed = ?min_time_passed,
195 registration_expired = ?registration_expired,
196 refreshable = ?refreshable,
197 will_refresh = ?(expires_soon && refreshable),
198 "cached SSO token refresh decision"
199 );
200
201 if expired && !refreshable {
203 tracing::debug!("cached SSO token is expired and cannot be refreshed");
204 return Err(SsoTokenProviderError::ExpiredToken);
205 }
206
207 if expires_soon && refreshable {
209 tracing::debug!("attempting to refresh SSO token");
210 if let Some(refreshed_token) =
211 Self::refresh_cached_token(&inner, &token, &inner.session_name, now)
212 .await?
213 {
214 token = refreshed_token;
215 }
216 *inner.last_refresh_attempt.lock().unwrap() = Some(now);
217 }
218
219 let expires_at = token.expires_at;
220 Ok((token, expires_at))
221 })
222 .await
223 .map_err(TokenError::provider_error)?;
224
225 Ok(token)
226 }
227 }
228}
229
230impl ProvideToken for SsoTokenProvider {
231 fn provide_token<'a>(&'a self) -> ProvideTokenFuture<'a>
232 where
233 Self: 'a,
234 {
235 let time_source = self
236 .inner
237 .sdk_config
238 .time_source()
239 .expect("a time source required by SsoTokenProvider");
240 let token_future = self.resolve_token(time_source);
241 ProvideTokenFuture::new(Box::pin(async move {
242 let token = token_future.await?;
243 Ok(Token::new(
244 token.access_token.as_str(),
245 Some(token.expires_at),
246 ))
247 }))
248 }
249}
250
251impl ResolveIdentity for SsoTokenProvider {
252 fn resolve_identity<'a>(
253 &'a self,
254 runtime_components: &'a RuntimeComponents,
255 config_bag: &'a ConfigBag,
256 ) -> IdentityFuture<'a> {
257 IdentityFuture::new(Box::pin(async move {
258 self.provide_token()
259 .await?
260 .resolve_identity(runtime_components, config_bag)
261 .await
262 }))
263 }
264}
265
266#[derive(Debug, Default)]
268pub struct Builder {
269 sdk_config: Option<SdkConfig>,
270 region: Option<Region>,
271 session_name: Option<String>,
272 start_url: Option<String>,
273}
274
275impl Builder {
276 pub fn new() -> Self {
278 Default::default()
279 }
280
281 pub fn configure(mut self, sdk_config: &SdkConfig) -> Self {
283 self.sdk_config = Some(sdk_config.clone());
284 self
285 }
286
287 pub fn region(mut self, region: impl Into<Region>) -> Self {
291 self.region = Some(region.into());
292 self
293 }
294
295 pub fn set_region(&mut self, region: Option<Region>) -> &mut Self {
299 self.region = region;
300 self
301 }
302
303 pub fn session_name(mut self, session_name: impl Into<String>) -> Self {
307 self.session_name = Some(session_name.into());
308 self
309 }
310
311 pub fn set_session_name(&mut self, session_name: Option<String>) -> &mut Self {
315 self.session_name = session_name;
316 self
317 }
318
319 pub fn start_url(mut self, start_url: impl Into<String>) -> Self {
323 self.start_url = Some(start_url.into());
324 self
325 }
326
327 pub fn set_start_url(&mut self, start_url: Option<String>) -> &mut Self {
331 self.start_url = start_url;
332 self
333 }
334
335 pub async fn build(mut self) -> SsoTokenProvider {
341 if self.sdk_config.is_none() {
342 self.sdk_config = Some(crate::load_defaults(crate::BehaviorVersion::latest()).await);
343 }
344 self.build_with(Env::real(), Fs::real())
345 }
346
347 pub(crate) fn build_with(self, env: Env, fs: Fs) -> SsoTokenProvider {
348 SsoTokenProvider {
349 inner: Arc::new(Inner {
350 env,
351 fs,
352 region: self.region.expect("region is required"),
353 session_name: self.session_name.expect("session_name is required"),
354 start_url: self.start_url.expect("start_url is required"),
355 sdk_config: self.sdk_config.expect("sdk_config is required"),
356 last_refresh_attempt: Mutex::new(None),
357 }),
358 token_cache: ExpiringCache::new(REFRESH_BUFFER_TIME),
359 }
360 }
361}
362
363#[derive(Debug)]
364pub(super) enum SsoTokenProviderError {
365 BadExpirationTimeFromSsoOidc,
366 FailedToLoadToken {
367 source: Box<dyn StdError + Send + Sync>,
368 },
369 ExpiredToken,
370}
371
372impl fmt::Display for SsoTokenProviderError {
373 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
374 match self {
375 Self::BadExpirationTimeFromSsoOidc => {
376 f.write_str("SSO OIDC responded with a negative expiration duration")
377 }
378 Self::ExpiredToken => f.write_str("the SSO token has expired and cannot be refreshed"),
379 Self::FailedToLoadToken { .. } => f.write_str("failed to load the cached SSO token"),
380 }
381 }
382}
383
384impl StdError for SsoTokenProviderError {
385 fn cause(&self) -> Option<&dyn StdError> {
386 match self {
387 Self::BadExpirationTimeFromSsoOidc => None,
388 Self::ExpiredToken => None,
389 Self::FailedToLoadToken { source } => Some(source.as_ref()),
390 }
391 }
392}
393
394impl From<CachedSsoTokenError> for SsoTokenProviderError {
395 fn from(source: CachedSsoTokenError) -> Self {
396 Self::FailedToLoadToken {
397 source: source.into(),
398 }
399 }
400}
401
402#[cfg(test)]
403mod tests {
404 use super::*;
405 use aws_sdk_sso::config::{AsyncSleep, SharedAsyncSleep};
406 use aws_smithy_async::rt::sleep::TokioSleep;
407 use aws_smithy_async::test_util::instant_time_and_sleep;
408 use aws_smithy_async::time::{StaticTimeSource, TimeSource};
409 use aws_smithy_http_client::test_util::{capture_request, ReplayEvent, StaticReplayClient};
410 use aws_smithy_runtime::{
411 assert_str_contains, test_util::capture_test_logs::capture_test_logs,
412 };
413 use aws_smithy_runtime_api::client::http::HttpClient;
414 use aws_smithy_runtime_api::client::runtime_components::RuntimeComponentsBuilder;
415 use aws_smithy_types::body::SdkBody;
416 use aws_smithy_types::date_time::Format;
417 use aws_smithy_types::retry::RetryConfig;
418 use aws_smithy_types::DateTime;
419
420 fn time(s: &str) -> SystemTime {
421 SystemTime::try_from(DateTime::from_str(s, Format::DateTime).unwrap()).unwrap()
422 }
423
424 struct TestHarness {
425 time_source: SharedTimeSource,
426 token_provider: SsoTokenProvider,
427 env: Env,
428 fs: Fs,
429 }
430
431 impl TestHarness {
432 fn new(
433 time_source: impl TimeSource + 'static,
434 sleep_impl: impl AsyncSleep + 'static,
435 http_client: impl HttpClient + 'static,
436 fs: Fs,
437 ) -> Self {
438 let env = Env::from_slice(&[("HOME", "/home/user")]);
439 let time_source = SharedTimeSource::new(time_source);
440 let config = SdkConfig::builder()
441 .http_client(http_client)
442 .time_source(time_source.clone())
443 .sleep_impl(SharedAsyncSleep::new(sleep_impl))
444 .retry_config(RetryConfig::disabled())
446 .behavior_version(crate::BehaviorVersion::latest())
447 .build();
448 Self {
449 time_source,
450 token_provider: SsoTokenProvider::builder()
451 .configure(&config)
452 .session_name("test")
453 .region(Region::new("us-west-2"))
454 .start_url("https://d-123.awsapps.com/start")
455 .build_with(env.clone(), fs.clone()),
456 env,
457 fs,
458 }
459 }
460
461 async fn expect_sso_token(&self, value: &str, expires_at: &str) -> CachedSsoToken {
462 let token = self
463 .token_provider
464 .resolve_token(self.time_source.clone())
465 .await
466 .unwrap();
467 assert_eq!(value, token.access_token.as_str());
468 assert_eq!(time(expires_at), token.expires_at);
469 token
470 }
471
472 async fn expect_token(&self, value: &str, expires_at: &str) {
473 let runtime_components = RuntimeComponentsBuilder::for_tests()
474 .with_time_source(Some(self.time_source.clone()))
475 .build()
476 .unwrap();
477 let config_bag = ConfigBag::base();
478 let identity = self
479 .token_provider
480 .resolve_identity(&runtime_components, &config_bag)
481 .await
482 .unwrap();
483 let token = identity.data::<Token>().unwrap().clone();
484 assert_eq!(value, token.token());
485 assert_eq!(time(expires_at), identity.expiration().unwrap());
486 }
487
488 async fn expect_expired_token_err(&self) {
489 let err = DisplayErrorContext(
490 &self
491 .token_provider
492 .resolve_token(self.time_source.clone())
493 .await
494 .expect_err("expected failure"),
495 )
496 .to_string();
497 assert_str_contains!(err, "the SSO token has expired");
498 }
499
500 fn last_refresh_attempt_time(&self) -> Option<String> {
501 self.token_provider
502 .inner
503 .last_refresh_attempt
504 .lock()
505 .unwrap()
506 .map(|time| {
507 DateTime::try_from(time)
508 .unwrap()
509 .fmt(Format::DateTime)
510 .unwrap()
511 })
512 }
513 }
514
515 #[cfg_attr(windows, ignore)]
517 #[tokio::test]
518 async fn use_unexpired_cached_token() {
519 let fs = Fs::from_slice(&[(
520 "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
521 r#"
522 { "accessToken": "some-token",
523 "expiresAt": "1975-01-01T00:00:00Z" }
524 "#,
525 )]);
526
527 let now = time("1974-12-25T00:00:00Z");
528 let time_source = SharedTimeSource::new(StaticTimeSource::new(now));
529
530 let (conn, req_rx) = capture_request(None);
531 let harness = TestHarness::new(time_source, TokioSleep::new(), conn, fs);
532
533 harness
534 .expect_token("some-token", "1975-01-01T00:00:00Z")
535 .await;
536 req_rx.expect_no_request();
538 }
539
540 #[cfg_attr(windows, ignore)]
542 #[tokio::test]
543 async fn expired_cached_token() {
544 let fs = Fs::from_slice(&[(
545 "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
546 r#"
547 { "accessToken": "some-token",
548 "expiresAt": "1999-12-15T00:00:00Z" }
549 "#,
550 )]);
551
552 let now = time("2023-01-01T00:00:00Z");
553 let time_source = SharedTimeSource::new(StaticTimeSource::new(now));
554
555 let (conn, req_rx) = capture_request(None);
556 let harness = TestHarness::new(time_source, TokioSleep::new(), conn, fs);
557
558 harness.expect_expired_token_err().await;
559 req_rx.expect_no_request();
561 }
562
563 #[cfg_attr(windows, ignore)]
565 #[tokio::test]
566 async fn expired_token_and_expired_client_registration() {
567 let fs = Fs::from_slice(&[(
568 "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
569 r#"
570 { "startUrl": "https://d-123.awsapps.com/start",
571 "region": "us-west-2",
572 "accessToken": "cachedtoken",
573 "expiresAt": "2021-10-25T13:00:00Z",
574 "clientId": "clientid",
575 "clientSecret": "YSBzZWNyZXQ=",
576 "registrationExpiresAt": "2021-11-25T13:30:00Z",
577 "refreshToken": "cachedrefreshtoken" }
578 "#,
579 )]);
580
581 let now = time("2023-08-11T04:11:17Z");
582 let time_source = SharedTimeSource::new(StaticTimeSource::new(now));
583
584 let (conn, req_rx) = capture_request(None);
585 let harness = TestHarness::new(time_source, TokioSleep::new(), conn, fs);
586
587 harness.expect_expired_token_err().await;
589 req_rx.expect_no_request();
590 }
591
592 #[cfg_attr(windows, ignore)]
594 #[tokio::test]
595 async fn expired_token_refresh_with_refresh_token() {
596 let fs = Fs::from_slice(&[(
597 "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
598 r#"
599 { "startUrl": "https://d-123.awsapps.com/start",
600 "region": "us-west-2",
601 "accessToken": "cachedtoken",
602 "expiresAt": "2021-12-25T13:00:00Z",
603 "clientId": "clientid",
604 "clientSecret": "YSBzZWNyZXQ=",
605 "registrationExpiresAt": "2022-12-25T13:30:00Z",
606 "refreshToken": "cachedrefreshtoken" }
607 "#,
608 )]);
609
610 let now = time("2021-12-25T13:30:00Z");
611 let time_source = SharedTimeSource::new(StaticTimeSource::new(now));
612
613 let (conn, req_rx) = capture_request(Some(
614 http::Response::builder()
615 .status(200)
616 .body(SdkBody::from(
617 r#"
618 { "tokenType": "Bearer",
619 "accessToken": "newtoken",
620 "expiresIn": 28800,
621 "refreshToken": "newrefreshtoken" }
622 "#,
623 ))
624 .unwrap(),
625 ));
626 let harness = TestHarness::new(time_source, TokioSleep::new(), conn, fs);
627
628 let returned_token = harness
629 .expect_sso_token("newtoken", "2021-12-25T21:30:00Z")
630 .await;
631 let cached_token = load_cached_token(&harness.env, &harness.fs, "test")
632 .await
633 .unwrap();
634 assert_eq!(returned_token, cached_token);
635 assert_eq!(
636 "newrefreshtoken",
637 returned_token.refresh_token.unwrap().as_str()
638 );
639 assert_eq!(
640 "https://d-123.awsapps.com/start",
641 returned_token.start_url.unwrap()
642 );
643 assert_eq!("us-west-2", returned_token.region.unwrap().to_string());
644 assert_eq!("clientid", returned_token.client_id.unwrap());
645 assert_eq!(
646 "YSBzZWNyZXQ=",
647 returned_token.client_secret.unwrap().as_str()
648 );
649 assert_eq!(
650 SystemTime::UNIX_EPOCH + Duration::from_secs(1_671_975_000),
651 returned_token.registration_expires_at.unwrap()
652 );
653
654 let refresh_req = req_rx.expect_request();
655 let parsed_req: serde_json::Value =
656 serde_json::from_slice(refresh_req.body().bytes().unwrap()).unwrap();
657 let parsed_req = parsed_req.as_object().unwrap();
658 assert_eq!(
659 "clientid",
660 parsed_req.get("clientId").unwrap().as_str().unwrap()
661 );
662 assert_eq!(
663 "YSBzZWNyZXQ=",
664 parsed_req.get("clientSecret").unwrap().as_str().unwrap()
665 );
666 assert_eq!(
667 "refresh_token",
668 parsed_req.get("grantType").unwrap().as_str().unwrap()
669 );
670 assert_eq!(
671 "cachedrefreshtoken",
672 parsed_req.get("refreshToken").unwrap().as_str().unwrap()
673 );
674 }
675
676 #[cfg_attr(windows, ignore)]
678 #[tokio::test]
679 async fn expired_token_refresh_fails() {
680 let fs = Fs::from_slice(&[(
681 "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
682 r#"
683 { "startUrl": "https://d-123.awsapps.com/start",
684 "region": "us-west-2",
685 "accessToken": "cachedtoken",
686 "expiresAt": "2021-12-25T13:00:00Z",
687 "clientId": "clientid",
688 "clientSecret": "YSBzZWNyZXQ=",
689 "registrationExpiresAt": "2022-12-25T13:30:00Z",
690 "refreshToken": "cachedrefreshtoken" }
691 "#,
692 )]);
693
694 let now = time("2021-12-25T13:30:00Z");
695 let time_source = SharedTimeSource::new(StaticTimeSource::new(now));
696
697 let (conn, req_rx) = capture_request(Some(
698 http::Response::builder()
699 .status(500)
700 .body(SdkBody::from(""))
701 .unwrap(),
702 ));
703 let harness = TestHarness::new(time_source, TokioSleep::new(), conn, fs);
704
705 let returned_token = harness
707 .expect_sso_token("cachedtoken", "2021-12-25T13:00:00Z")
708 .await;
709 let cached_token = load_cached_token(&harness.env, &harness.fs, "test")
710 .await
711 .unwrap();
712 assert_eq!(returned_token, cached_token);
713
714 let _ = req_rx.expect_request();
715 }
716
717 #[cfg_attr(windows, ignore)]
719 #[tokio::test]
721 async fn expired_token_refresh_without_new_refresh_token() {
722 let fs = Fs::from_slice(&[(
723 "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
724 r#"
725 { "startUrl": "https://d-123.awsapps.com/start",
726 "region": "us-west-2",
727 "accessToken": "cachedtoken",
728 "expiresAt": "2021-12-25T13:00:00Z",
729 "clientId": "clientid",
730 "clientSecret": "YSBzZWNyZXQ=",
731 "registrationExpiresAt": "2022-12-25T13:30:00Z",
732 "refreshToken": "cachedrefreshtoken" }
733 "#,
734 )]);
735
736 let now = time("2021-12-25T13:30:00Z");
737 let time_source = SharedTimeSource::new(StaticTimeSource::new(now));
738
739 let (conn, req_rx) = capture_request(Some(
740 http::Response::builder()
741 .status(200)
742 .body(SdkBody::from(
743 r#"
744 { "tokenType": "Bearer",
745 "accessToken": "newtoken",
746 "expiresIn": 28800 }
747 "#,
748 ))
749 .unwrap(),
750 ));
751 let harness = TestHarness::new(time_source, TokioSleep::new(), conn, fs);
752
753 let returned_token = harness
754 .expect_sso_token("newtoken", "2021-12-25T21:30:00Z")
755 .await;
756 let cached_token = load_cached_token(&harness.env, &harness.fs, "test")
757 .await
758 .unwrap();
759 assert_eq!(returned_token, cached_token);
760 assert_eq!(
761 "cachedrefreshtoken",
762 returned_token.refresh_token.unwrap().as_str(),
763 "it should have kept the old refresh token"
764 );
765
766 let _ = req_rx.expect_request();
767 }
768
769 #[cfg_attr(windows, ignore)]
771 #[tokio::test]
772 async fn refresh_timings() {
773 let _logs = capture_test_logs();
774
775 let start_time = DateTime::from_str("2023-01-01T00:00:00Z", Format::DateTime).unwrap();
776 let (time_source, sleep_impl) = instant_time_and_sleep(start_time.try_into().unwrap());
777 let shared_time_source = SharedTimeSource::new(time_source.clone());
778
779 let fs = Fs::from_slice(&[(
780 "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
781 r#"
782 { "startUrl": "https://d-123.awsapps.com/start",
783 "region": "us-west-2",
784 "accessToken": "first_token",
785 "_comment_expiresAt": "-------- Ten minutes after the start time: ------",
786 "expiresAt": "2023-01-01T00:10:00Z",
787 "clientId": "clientid",
788 "clientSecret": "YSBzZWNyZXQ=",
789 "registrationExpiresAt": "2023-01-02T12:00:00Z",
790 "refreshToken": "cachedrefreshtoken" }
791 "#,
792 )]);
793
794 let events = vec![
795 ReplayEvent::new(
797 http::Request::new(SdkBody::from("")), http::Response::builder()
799 .status(500)
800 .body(SdkBody::from(""))
801 .unwrap(),
802 ),
803 ReplayEvent::new(
805 http::Request::new(SdkBody::from("")), http::Response::builder()
807 .status(500)
808 .body(SdkBody::from(""))
809 .unwrap(),
810 ),
811 ReplayEvent::new(
813 http::Request::new(SdkBody::from("")), http::Response::builder()
815 .status(200)
816 .body(SdkBody::from(
817 r#"
818 { "tokenType": "Bearer",
819 "accessToken": "second_token",
820 "expiresIn": 28800 }
821 "#,
822 ))
823 .unwrap(),
824 ),
825 ];
826 let http_client = StaticReplayClient::new(events);
827 let harness = TestHarness::new(shared_time_source, sleep_impl, http_client, fs);
828
829 tracing::info!("test: first token retrieval should return the cached token");
830 assert!(
831 harness.last_refresh_attempt_time().is_none(),
832 "the last attempt time should start empty"
833 );
834 harness
835 .expect_token("first_token", "2023-01-01T00:10:00Z")
836 .await;
837 assert!(
838 harness.last_refresh_attempt_time().is_none(),
839 "it shouldn't have tried to refresh, so the last refresh attempt time shouldn't be set"
840 );
841
842 tracing::info!("test: advance 3 minutes");
843 time_source.advance(Duration::from_secs(3 * 60));
844
845 tracing::info!("test: the token shouldn't get refreshed since it's not in the 5 minute buffer time yet");
846 harness
847 .expect_token("first_token", "2023-01-01T00:10:00Z")
848 .await;
849 assert!(
850 harness.last_refresh_attempt_time().is_none(),
851 "it shouldn't have tried to refresh since the token isn't expiring soon"
852 );
853
854 tracing::info!("test: advance 2 minutes");
855 time_source.advance(Duration::from_secs(2 * 60));
856
857 tracing::info!(
858 "test: the token will fail to refresh, and the old cached token will be returned"
859 );
860 harness
861 .expect_token("first_token", "2023-01-01T00:10:00Z")
862 .await;
863 assert_eq!(
864 Some("2023-01-01T00:05:00Z"),
865 harness.last_refresh_attempt_time().as_deref(),
866 "it should update the last refresh attempt time since the expiration time is soon"
867 );
868
869 tracing::info!("test: advance 15 seconds");
870 time_source.advance(Duration::from_secs(15));
871
872 tracing::info!(
873 "test: the token will not refresh because the minimum time hasn't passed between attempts"
874 );
875 harness
876 .expect_token("first_token", "2023-01-01T00:10:00Z")
877 .await;
878
879 tracing::info!("test: advance 15 seconds");
880 time_source.advance(Duration::from_secs(15));
881
882 tracing::info!(
883 "test: the token will fail to refresh, and the old cached token will be returned"
884 );
885 harness
886 .expect_token("first_token", "2023-01-01T00:10:00Z")
887 .await;
888
889 tracing::info!("test: advance 30 seconds");
890 time_source.advance(Duration::from_secs(30));
891
892 tracing::info!("test: the token will refresh successfully");
893 harness
894 .expect_token("second_token", "2023-01-01T08:06:00Z")
895 .await;
896 }
897}