aws_config/sso/
token.rs

1/*
2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 * SPDX-License-Identifier: Apache-2.0
4 */
5
6//! SSO Token Provider
7//!
8//! This token provider enables loading an access token from `~/.aws/sso/cache`. For more information,
9//! see [AWS Builder ID for developers](https://docs.aws.amazon.com/toolkit-for-vscode/latest/userguide/builder-id.html).
10//!
11//! This provider is included automatically when profiles are loaded.
12
13use crate::identity::IdentityCache;
14use crate::sso::cache::{
15    load_cached_token, save_cached_token, CachedSsoToken, CachedSsoTokenError,
16};
17use aws_credential_types::provider::token::ProvideToken;
18use aws_credential_types::provider::{
19    error::TokenError, future::ProvideToken as ProvideTokenFuture,
20};
21use aws_sdk_ssooidc::error::DisplayErrorContext;
22use aws_sdk_ssooidc::operation::create_token::CreateTokenOutput;
23use aws_sdk_ssooidc::Client as SsoOidcClient;
24use aws_smithy_async::time::SharedTimeSource;
25use aws_smithy_runtime::expiring_cache::ExpiringCache;
26use aws_smithy_runtime_api::client::identity::http::Token;
27use aws_smithy_runtime_api::client::identity::{IdentityFuture, ResolveIdentity};
28use aws_smithy_runtime_api::client::runtime_components::RuntimeComponents;
29use aws_smithy_types::config_bag::ConfigBag;
30use aws_types::os_shim_internal::{Env, Fs};
31use aws_types::region::Region;
32use aws_types::SdkConfig;
33use std::error::Error as StdError;
34use std::fmt;
35use std::sync::{Arc, Mutex};
36use std::time::{Duration, SystemTime};
37use zeroize::Zeroizing;
38
39const REFRESH_BUFFER_TIME: Duration = Duration::from_secs(5 * 60 /* 5 minutes */);
40const MIN_TIME_BETWEEN_REFRESH: Duration = Duration::from_secs(30);
41
42/// SSO Token Provider
43///
44/// This token provider will use cached SSO tokens stored in `~/.aws/sso/cache/<hash>.json`.
45/// `<hash>` is computed based on the configured [`session_name`](Builder::session_name).
46///
47/// If possible, the cached token will be refreshed when it gets close to expiring.
48#[derive(Debug)]
49pub struct SsoTokenProvider {
50    inner: Arc<Inner>,
51    token_cache: ExpiringCache<CachedSsoToken, SsoTokenProviderError>,
52}
53
54#[derive(Debug)]
55struct Inner {
56    env: Env,
57    fs: Fs,
58    region: Region,
59    session_name: String,
60    start_url: String,
61    sdk_config: SdkConfig,
62    last_refresh_attempt: Mutex<Option<SystemTime>>,
63}
64
65impl SsoTokenProvider {
66    /// Creates a `SsoTokenProvider` builder.
67    pub fn builder() -> Builder {
68        Default::default()
69    }
70
71    async fn refresh_cached_token(
72        inner: &Inner,
73        cached_token: &CachedSsoToken,
74        identifier: &str,
75        now: SystemTime,
76    ) -> Result<Option<CachedSsoToken>, SsoTokenProviderError> {
77        // TODO(enableNewSmithyRuntimeCleanup): Use `customize().config_override()` to set the region instead of creating a new client once middleware is removed
78        let config = inner
79            .sdk_config
80            .to_builder()
81            .region(Some(inner.region.clone()))
82            .identity_cache(IdentityCache::no_cache())
83            .build();
84        let client = SsoOidcClient::new(&config);
85        let resp = client
86            .create_token()
87            .grant_type("refresh_token")
88            .client_id(
89                cached_token
90                    .client_id
91                    .as_ref()
92                    .expect("required for token refresh")
93                    .clone(),
94            )
95            .client_secret(
96                cached_token
97                    .client_secret
98                    .as_ref()
99                    .expect("required for token refresh")
100                    .as_str(),
101            )
102            .refresh_token(
103                cached_token
104                    .refresh_token
105                    .as_ref()
106                    .expect("required for token refresh")
107                    .as_str(),
108            )
109            .send()
110            .await;
111        match resp {
112            Ok(CreateTokenOutput {
113                access_token: Some(access_token),
114                refresh_token,
115                expires_in,
116                ..
117            }) => {
118                let refreshed_token = CachedSsoToken {
119                    access_token: Zeroizing::new(access_token),
120                    client_id: cached_token.client_id.clone(),
121                    client_secret: cached_token.client_secret.clone(),
122                    expires_at: now
123                        + Duration::from_secs(
124                            u64::try_from(expires_in)
125                                .map_err(|_| SsoTokenProviderError::BadExpirationTimeFromSsoOidc)?,
126                        ),
127                    refresh_token: refresh_token
128                        .map(Zeroizing::new)
129                        .or_else(|| cached_token.refresh_token.clone()),
130                    region: Some(inner.region.to_string()),
131                    registration_expires_at: cached_token.registration_expires_at,
132                    start_url: Some(inner.start_url.clone()),
133                };
134                save_cached_token(&inner.env, &inner.fs, identifier, &refreshed_token).await?;
135                tracing::debug!("saved refreshed SSO token");
136                Ok(Some(refreshed_token))
137            }
138            Ok(_) => {
139                tracing::debug!("SSO OIDC CreateToken responded without an access token");
140                Ok(None)
141            }
142            Err(err) => {
143                tracing::debug!(
144                    "call to SSO OIDC CreateToken for SSO token refresh failed: {}",
145                    DisplayErrorContext(&err)
146                );
147                Ok(None)
148            }
149        }
150    }
151
152    pub(super) fn resolve_token(
153        &self,
154        time_source: SharedTimeSource,
155    ) -> impl std::future::Future<Output = Result<CachedSsoToken, TokenError>> + 'static {
156        let token_cache = self.token_cache.clone();
157        let inner = self.inner.clone();
158
159        async move {
160            if let Some(token) = token_cache
161                .yield_or_clear_if_expired(time_source.now())
162                .await
163            {
164                tracing::debug!("using cached SSO token");
165                return Ok(token);
166            }
167            let token = token_cache
168                .get_or_load(|| async move {
169                    tracing::debug!("expiring cache asked for an updated SSO token");
170                    let mut token =
171                        load_cached_token(&inner.env, &inner.fs, &inner.session_name).await?;
172                    tracing::debug!("loaded cached SSO token");
173
174                    let now = time_source.now();
175                    let expired = token.expires_at <= now;
176                    let expires_soon = token.expires_at - REFRESH_BUFFER_TIME <= now;
177                    let last_refresh = *inner.last_refresh_attempt.lock().unwrap();
178                    let min_time_passed = last_refresh
179                        .map(|lr| {
180                            now.duration_since(lr).expect("last_refresh is in the past")
181                                >= MIN_TIME_BETWEEN_REFRESH
182                        })
183                        .unwrap_or(true);
184                    let registration_expired = token
185                        .registration_expires_at
186                        .map(|t| t <= now)
187                        .unwrap_or(true);
188                    let refreshable =
189                        token.refreshable() && min_time_passed && !registration_expired;
190
191                    tracing::debug!(
192                        expired = ?expired,
193                        expires_soon = ?expires_soon,
194                        min_time_passed = ?min_time_passed,
195                        registration_expired = ?registration_expired,
196                        refreshable = ?refreshable,
197                        will_refresh = ?(expires_soon && refreshable),
198                        "cached SSO token refresh decision"
199                    );
200
201                    // Fail fast if the token has expired and we can't refresh it
202                    if expired && !refreshable {
203                        tracing::debug!("cached SSO token is expired and cannot be refreshed");
204                        return Err(SsoTokenProviderError::ExpiredToken);
205                    }
206
207                    // Refresh the token if it is going to expire soon
208                    if expires_soon && refreshable {
209                        tracing::debug!("attempting to refresh SSO token");
210                        if let Some(refreshed_token) =
211                            Self::refresh_cached_token(&inner, &token, &inner.session_name, now)
212                                .await?
213                        {
214                            token = refreshed_token;
215                        }
216                        *inner.last_refresh_attempt.lock().unwrap() = Some(now);
217                    }
218
219                    let expires_at = token.expires_at;
220                    Ok((token, expires_at))
221                })
222                .await
223                .map_err(TokenError::provider_error)?;
224
225            Ok(token)
226        }
227    }
228}
229
230impl ProvideToken for SsoTokenProvider {
231    fn provide_token<'a>(&'a self) -> ProvideTokenFuture<'a>
232    where
233        Self: 'a,
234    {
235        let time_source = self
236            .inner
237            .sdk_config
238            .time_source()
239            .expect("a time source required by SsoTokenProvider");
240        let token_future = self.resolve_token(time_source);
241        ProvideTokenFuture::new(Box::pin(async move {
242            let token = token_future.await?;
243            Ok(Token::new(
244                token.access_token.as_str(),
245                Some(token.expires_at),
246            ))
247        }))
248    }
249}
250
251impl ResolveIdentity for SsoTokenProvider {
252    fn resolve_identity<'a>(
253        &'a self,
254        runtime_components: &'a RuntimeComponents,
255        config_bag: &'a ConfigBag,
256    ) -> IdentityFuture<'a> {
257        IdentityFuture::new(Box::pin(async move {
258            self.provide_token()
259                .await?
260                .resolve_identity(runtime_components, config_bag)
261                .await
262        }))
263    }
264}
265
266/// Builder for [`SsoTokenProvider`].
267#[derive(Debug, Default)]
268pub struct Builder {
269    sdk_config: Option<SdkConfig>,
270    region: Option<Region>,
271    session_name: Option<String>,
272    start_url: Option<String>,
273}
274
275impl Builder {
276    /// Creates a new builder for [`SsoTokenProvider`].
277    pub fn new() -> Self {
278        Default::default()
279    }
280
281    /// Override the configuration used for this provider
282    pub fn configure(mut self, sdk_config: &SdkConfig) -> Self {
283        self.sdk_config = Some(sdk_config.clone());
284        self
285    }
286
287    /// Sets the SSO region.
288    ///
289    /// This is a required field.
290    pub fn region(mut self, region: impl Into<Region>) -> Self {
291        self.region = Some(region.into());
292        self
293    }
294
295    /// Sets the SSO region.
296    ///
297    /// This is a required field.
298    pub fn set_region(&mut self, region: Option<Region>) -> &mut Self {
299        self.region = region;
300        self
301    }
302
303    /// Sets the SSO session name.
304    ///
305    /// This is a required field.
306    pub fn session_name(mut self, session_name: impl Into<String>) -> Self {
307        self.session_name = Some(session_name.into());
308        self
309    }
310
311    /// Sets the SSO session name.
312    ///
313    /// This is a required field.
314    pub fn set_session_name(&mut self, session_name: Option<String>) -> &mut Self {
315        self.session_name = session_name;
316        self
317    }
318
319    /// Sets the SSO start URL.
320    ///
321    /// This is a required field.
322    pub fn start_url(mut self, start_url: impl Into<String>) -> Self {
323        self.start_url = Some(start_url.into());
324        self
325    }
326
327    /// Sets the SSO start URL.
328    ///
329    /// This is a required field.
330    pub fn set_start_url(&mut self, start_url: Option<String>) -> &mut Self {
331        self.start_url = start_url;
332        self
333    }
334
335    /// Builds the [`SsoTokenProvider`].
336    ///
337    /// # Panics
338    ///
339    /// This will panic if any of the required fields are not given.
340    pub async fn build(mut self) -> SsoTokenProvider {
341        if self.sdk_config.is_none() {
342            self.sdk_config = Some(crate::load_defaults(crate::BehaviorVersion::latest()).await);
343        }
344        self.build_with(Env::real(), Fs::real())
345    }
346
347    pub(crate) fn build_with(self, env: Env, fs: Fs) -> SsoTokenProvider {
348        SsoTokenProvider {
349            inner: Arc::new(Inner {
350                env,
351                fs,
352                region: self.region.expect("region is required"),
353                session_name: self.session_name.expect("session_name is required"),
354                start_url: self.start_url.expect("start_url is required"),
355                sdk_config: self.sdk_config.expect("sdk_config is required"),
356                last_refresh_attempt: Mutex::new(None),
357            }),
358            token_cache: ExpiringCache::new(REFRESH_BUFFER_TIME),
359        }
360    }
361}
362
363#[derive(Debug)]
364pub(super) enum SsoTokenProviderError {
365    BadExpirationTimeFromSsoOidc,
366    FailedToLoadToken {
367        source: Box<dyn StdError + Send + Sync>,
368    },
369    ExpiredToken,
370}
371
372impl fmt::Display for SsoTokenProviderError {
373    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
374        match self {
375            Self::BadExpirationTimeFromSsoOidc => {
376                f.write_str("SSO OIDC responded with a negative expiration duration")
377            }
378            Self::ExpiredToken => f.write_str("the SSO token has expired and cannot be refreshed"),
379            Self::FailedToLoadToken { .. } => f.write_str("failed to load the cached SSO token"),
380        }
381    }
382}
383
384impl StdError for SsoTokenProviderError {
385    fn cause(&self) -> Option<&dyn StdError> {
386        match self {
387            Self::BadExpirationTimeFromSsoOidc => None,
388            Self::ExpiredToken => None,
389            Self::FailedToLoadToken { source } => Some(source.as_ref()),
390        }
391    }
392}
393
394impl From<CachedSsoTokenError> for SsoTokenProviderError {
395    fn from(source: CachedSsoTokenError) -> Self {
396        Self::FailedToLoadToken {
397            source: source.into(),
398        }
399    }
400}
401
402#[cfg(test)]
403mod tests {
404    use super::*;
405    use aws_sdk_sso::config::{AsyncSleep, SharedAsyncSleep};
406    use aws_smithy_async::rt::sleep::TokioSleep;
407    use aws_smithy_async::test_util::instant_time_and_sleep;
408    use aws_smithy_async::time::{StaticTimeSource, TimeSource};
409    use aws_smithy_http_client::test_util::{capture_request, ReplayEvent, StaticReplayClient};
410    use aws_smithy_runtime::{
411        assert_str_contains, test_util::capture_test_logs::capture_test_logs,
412    };
413    use aws_smithy_runtime_api::client::http::HttpClient;
414    use aws_smithy_runtime_api::client::runtime_components::RuntimeComponentsBuilder;
415    use aws_smithy_types::body::SdkBody;
416    use aws_smithy_types::date_time::Format;
417    use aws_smithy_types::retry::RetryConfig;
418    use aws_smithy_types::DateTime;
419
420    fn time(s: &str) -> SystemTime {
421        SystemTime::try_from(DateTime::from_str(s, Format::DateTime).unwrap()).unwrap()
422    }
423
424    struct TestHarness {
425        time_source: SharedTimeSource,
426        token_provider: SsoTokenProvider,
427        env: Env,
428        fs: Fs,
429    }
430
431    impl TestHarness {
432        fn new(
433            time_source: impl TimeSource + 'static,
434            sleep_impl: impl AsyncSleep + 'static,
435            http_client: impl HttpClient + 'static,
436            fs: Fs,
437        ) -> Self {
438            let env = Env::from_slice(&[("HOME", "/home/user")]);
439            let time_source = SharedTimeSource::new(time_source);
440            let config = SdkConfig::builder()
441                .http_client(http_client)
442                .time_source(time_source.clone())
443                .sleep_impl(SharedAsyncSleep::new(sleep_impl))
444                // disable retry to simplify testing
445                .retry_config(RetryConfig::disabled())
446                .behavior_version(crate::BehaviorVersion::latest())
447                .build();
448            Self {
449                time_source,
450                token_provider: SsoTokenProvider::builder()
451                    .configure(&config)
452                    .session_name("test")
453                    .region(Region::new("us-west-2"))
454                    .start_url("https://d-123.awsapps.com/start")
455                    .build_with(env.clone(), fs.clone()),
456                env,
457                fs,
458            }
459        }
460
461        async fn expect_sso_token(&self, value: &str, expires_at: &str) -> CachedSsoToken {
462            let token = self
463                .token_provider
464                .resolve_token(self.time_source.clone())
465                .await
466                .unwrap();
467            assert_eq!(value, token.access_token.as_str());
468            assert_eq!(time(expires_at), token.expires_at);
469            token
470        }
471
472        async fn expect_token(&self, value: &str, expires_at: &str) {
473            let runtime_components = RuntimeComponentsBuilder::for_tests()
474                .with_time_source(Some(self.time_source.clone()))
475                .build()
476                .unwrap();
477            let config_bag = ConfigBag::base();
478            let identity = self
479                .token_provider
480                .resolve_identity(&runtime_components, &config_bag)
481                .await
482                .unwrap();
483            let token = identity.data::<Token>().unwrap().clone();
484            assert_eq!(value, token.token());
485            assert_eq!(time(expires_at), identity.expiration().unwrap());
486        }
487
488        async fn expect_expired_token_err(&self) {
489            let err = DisplayErrorContext(
490                &self
491                    .token_provider
492                    .resolve_token(self.time_source.clone())
493                    .await
494                    .expect_err("expected failure"),
495            )
496            .to_string();
497            assert_str_contains!(err, "the SSO token has expired");
498        }
499
500        fn last_refresh_attempt_time(&self) -> Option<String> {
501            self.token_provider
502                .inner
503                .last_refresh_attempt
504                .lock()
505                .unwrap()
506                .map(|time| {
507                    DateTime::try_from(time)
508                        .unwrap()
509                        .fmt(Format::DateTime)
510                        .unwrap()
511                })
512        }
513    }
514
515    // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is ignored on Windows because it uses Unix-style paths
516    #[cfg_attr(windows, ignore)]
517    #[tokio::test]
518    async fn use_unexpired_cached_token() {
519        let fs = Fs::from_slice(&[(
520            "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
521            r#"
522            { "accessToken": "some-token",
523              "expiresAt": "1975-01-01T00:00:00Z" }
524            "#,
525        )]);
526
527        let now = time("1974-12-25T00:00:00Z");
528        let time_source = SharedTimeSource::new(StaticTimeSource::new(now));
529
530        let (conn, req_rx) = capture_request(None);
531        let harness = TestHarness::new(time_source, TokioSleep::new(), conn, fs);
532
533        harness
534            .expect_token("some-token", "1975-01-01T00:00:00Z")
535            .await;
536        // it can't refresh this token
537        req_rx.expect_no_request();
538    }
539
540    // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is ignored on Windows because it uses Unix-style paths
541    #[cfg_attr(windows, ignore)]
542    #[tokio::test]
543    async fn expired_cached_token() {
544        let fs = Fs::from_slice(&[(
545            "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
546            r#"
547            { "accessToken": "some-token",
548              "expiresAt": "1999-12-15T00:00:00Z" }
549            "#,
550        )]);
551
552        let now = time("2023-01-01T00:00:00Z");
553        let time_source = SharedTimeSource::new(StaticTimeSource::new(now));
554
555        let (conn, req_rx) = capture_request(None);
556        let harness = TestHarness::new(time_source, TokioSleep::new(), conn, fs);
557
558        harness.expect_expired_token_err().await;
559        // it can't refresh this token
560        req_rx.expect_no_request();
561    }
562
563    // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is ignored on Windows because it uses Unix-style paths
564    #[cfg_attr(windows, ignore)]
565    #[tokio::test]
566    async fn expired_token_and_expired_client_registration() {
567        let fs = Fs::from_slice(&[(
568            "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
569            r#"
570            { "startUrl": "https://d-123.awsapps.com/start",
571              "region": "us-west-2",
572              "accessToken": "cachedtoken",
573              "expiresAt": "2021-10-25T13:00:00Z",
574              "clientId": "clientid",
575              "clientSecret": "YSBzZWNyZXQ=",
576              "registrationExpiresAt": "2021-11-25T13:30:00Z",
577              "refreshToken": "cachedrefreshtoken" }
578            "#,
579        )]);
580
581        let now = time("2023-08-11T04:11:17Z");
582        let time_source = SharedTimeSource::new(StaticTimeSource::new(now));
583
584        let (conn, req_rx) = capture_request(None);
585        let harness = TestHarness::new(time_source, TokioSleep::new(), conn, fs);
586
587        // the registration has expired, so the token can't be refreshed
588        harness.expect_expired_token_err().await;
589        req_rx.expect_no_request();
590    }
591
592    // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is ignored on Windows because it uses Unix-style paths
593    #[cfg_attr(windows, ignore)]
594    #[tokio::test]
595    async fn expired_token_refresh_with_refresh_token() {
596        let fs = Fs::from_slice(&[(
597            "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
598            r#"
599            { "startUrl": "https://d-123.awsapps.com/start",
600              "region": "us-west-2",
601              "accessToken": "cachedtoken",
602              "expiresAt": "2021-12-25T13:00:00Z",
603              "clientId": "clientid",
604              "clientSecret": "YSBzZWNyZXQ=",
605              "registrationExpiresAt": "2022-12-25T13:30:00Z",
606              "refreshToken": "cachedrefreshtoken" }
607            "#,
608        )]);
609
610        let now = time("2021-12-25T13:30:00Z");
611        let time_source = SharedTimeSource::new(StaticTimeSource::new(now));
612
613        let (conn, req_rx) = capture_request(Some(
614            http::Response::builder()
615                .status(200)
616                .body(SdkBody::from(
617                    r#"
618                    { "tokenType": "Bearer",
619                      "accessToken": "newtoken",
620                      "expiresIn": 28800,
621                      "refreshToken": "newrefreshtoken" }
622                    "#,
623                ))
624                .unwrap(),
625        ));
626        let harness = TestHarness::new(time_source, TokioSleep::new(), conn, fs);
627
628        let returned_token = harness
629            .expect_sso_token("newtoken", "2021-12-25T21:30:00Z")
630            .await;
631        let cached_token = load_cached_token(&harness.env, &harness.fs, "test")
632            .await
633            .unwrap();
634        assert_eq!(returned_token, cached_token);
635        assert_eq!(
636            "newrefreshtoken",
637            returned_token.refresh_token.unwrap().as_str()
638        );
639        assert_eq!(
640            "https://d-123.awsapps.com/start",
641            returned_token.start_url.unwrap()
642        );
643        assert_eq!("us-west-2", returned_token.region.unwrap().to_string());
644        assert_eq!("clientid", returned_token.client_id.unwrap());
645        assert_eq!(
646            "YSBzZWNyZXQ=",
647            returned_token.client_secret.unwrap().as_str()
648        );
649        assert_eq!(
650            SystemTime::UNIX_EPOCH + Duration::from_secs(1_671_975_000),
651            returned_token.registration_expires_at.unwrap()
652        );
653
654        let refresh_req = req_rx.expect_request();
655        let parsed_req: serde_json::Value =
656            serde_json::from_slice(refresh_req.body().bytes().unwrap()).unwrap();
657        let parsed_req = parsed_req.as_object().unwrap();
658        assert_eq!(
659            "clientid",
660            parsed_req.get("clientId").unwrap().as_str().unwrap()
661        );
662        assert_eq!(
663            "YSBzZWNyZXQ=",
664            parsed_req.get("clientSecret").unwrap().as_str().unwrap()
665        );
666        assert_eq!(
667            "refresh_token",
668            parsed_req.get("grantType").unwrap().as_str().unwrap()
669        );
670        assert_eq!(
671            "cachedrefreshtoken",
672            parsed_req.get("refreshToken").unwrap().as_str().unwrap()
673        );
674    }
675
676    // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is ignored on Windows because it uses Unix-style paths
677    #[cfg_attr(windows, ignore)]
678    #[tokio::test]
679    async fn expired_token_refresh_fails() {
680        let fs = Fs::from_slice(&[(
681            "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
682            r#"
683            { "startUrl": "https://d-123.awsapps.com/start",
684              "region": "us-west-2",
685              "accessToken": "cachedtoken",
686              "expiresAt": "2021-12-25T13:00:00Z",
687              "clientId": "clientid",
688              "clientSecret": "YSBzZWNyZXQ=",
689              "registrationExpiresAt": "2022-12-25T13:30:00Z",
690              "refreshToken": "cachedrefreshtoken" }
691            "#,
692        )]);
693
694        let now = time("2021-12-25T13:30:00Z");
695        let time_source = SharedTimeSource::new(StaticTimeSource::new(now));
696
697        let (conn, req_rx) = capture_request(Some(
698            http::Response::builder()
699                .status(500)
700                .body(SdkBody::from(""))
701                .unwrap(),
702        ));
703        let harness = TestHarness::new(time_source, TokioSleep::new(), conn, fs);
704
705        // it should return the previous token since refresh failed and it hasn't expired yet
706        let returned_token = harness
707            .expect_sso_token("cachedtoken", "2021-12-25T13:00:00Z")
708            .await;
709        let cached_token = load_cached_token(&harness.env, &harness.fs, "test")
710            .await
711            .unwrap();
712        assert_eq!(returned_token, cached_token);
713
714        let _ = req_rx.expect_request();
715    }
716
717    // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is ignored on Windows because it uses Unix-style paths
718    #[cfg_attr(windows, ignore)]
719    // Expired token refresh without new refresh token
720    #[tokio::test]
721    async fn expired_token_refresh_without_new_refresh_token() {
722        let fs = Fs::from_slice(&[(
723            "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
724            r#"
725            { "startUrl": "https://d-123.awsapps.com/start",
726              "region": "us-west-2",
727              "accessToken": "cachedtoken",
728              "expiresAt": "2021-12-25T13:00:00Z",
729              "clientId": "clientid",
730              "clientSecret": "YSBzZWNyZXQ=",
731              "registrationExpiresAt": "2022-12-25T13:30:00Z",
732              "refreshToken": "cachedrefreshtoken" }
733            "#,
734        )]);
735
736        let now = time("2021-12-25T13:30:00Z");
737        let time_source = SharedTimeSource::new(StaticTimeSource::new(now));
738
739        let (conn, req_rx) = capture_request(Some(
740            http::Response::builder()
741                .status(200)
742                .body(SdkBody::from(
743                    r#"
744                    { "tokenType": "Bearer",
745                      "accessToken": "newtoken",
746                      "expiresIn": 28800 }
747                    "#,
748                ))
749                .unwrap(),
750        ));
751        let harness = TestHarness::new(time_source, TokioSleep::new(), conn, fs);
752
753        let returned_token = harness
754            .expect_sso_token("newtoken", "2021-12-25T21:30:00Z")
755            .await;
756        let cached_token = load_cached_token(&harness.env, &harness.fs, "test")
757            .await
758            .unwrap();
759        assert_eq!(returned_token, cached_token);
760        assert_eq!(
761            "cachedrefreshtoken",
762            returned_token.refresh_token.unwrap().as_str(),
763            "it should have kept the old refresh token"
764        );
765
766        let _ = req_rx.expect_request();
767    }
768
769    // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is ignored on Windows because it uses Unix-style paths
770    #[cfg_attr(windows, ignore)]
771    #[tokio::test]
772    async fn refresh_timings() {
773        let _logs = capture_test_logs();
774
775        let start_time = DateTime::from_str("2023-01-01T00:00:00Z", Format::DateTime).unwrap();
776        let (time_source, sleep_impl) = instant_time_and_sleep(start_time.try_into().unwrap());
777        let shared_time_source = SharedTimeSource::new(time_source.clone());
778
779        let fs = Fs::from_slice(&[(
780            "/home/user/.aws/sso/cache/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.json",
781            r#"
782            { "startUrl": "https://d-123.awsapps.com/start",
783              "region": "us-west-2",
784              "accessToken": "first_token",
785              "_comment_expiresAt": "-------- Ten minutes after the start time: ------",
786              "expiresAt": "2023-01-01T00:10:00Z",
787              "clientId": "clientid",
788              "clientSecret": "YSBzZWNyZXQ=",
789              "registrationExpiresAt": "2023-01-02T12:00:00Z",
790              "refreshToken": "cachedrefreshtoken" }
791            "#,
792        )]);
793
794        let events = vec![
795            // First refresh attempt should fail
796            ReplayEvent::new(
797                http::Request::new(SdkBody::from("")), // don't really care what the request looks like
798                http::Response::builder()
799                    .status(500)
800                    .body(SdkBody::from(""))
801                    .unwrap(),
802            ),
803            // Second refresh attempt should also fail
804            ReplayEvent::new(
805                http::Request::new(SdkBody::from("")), // don't really care what the request looks like
806                http::Response::builder()
807                    .status(500)
808                    .body(SdkBody::from(""))
809                    .unwrap(),
810            ),
811            // Third refresh attempt will succeed
812            ReplayEvent::new(
813                http::Request::new(SdkBody::from("")), // don't really care what the request looks like
814                http::Response::builder()
815                    .status(200)
816                    .body(SdkBody::from(
817                        r#"
818                        { "tokenType": "Bearer",
819                          "accessToken": "second_token",
820                          "expiresIn": 28800 }
821                        "#,
822                    ))
823                    .unwrap(),
824            ),
825        ];
826        let http_client = StaticReplayClient::new(events);
827        let harness = TestHarness::new(shared_time_source, sleep_impl, http_client, fs);
828
829        tracing::info!("test: first token retrieval should return the cached token");
830        assert!(
831            harness.last_refresh_attempt_time().is_none(),
832            "the last attempt time should start empty"
833        );
834        harness
835            .expect_token("first_token", "2023-01-01T00:10:00Z")
836            .await;
837        assert!(
838            harness.last_refresh_attempt_time().is_none(),
839            "it shouldn't have tried to refresh, so the last refresh attempt time shouldn't be set"
840        );
841
842        tracing::info!("test: advance 3 minutes");
843        time_source.advance(Duration::from_secs(3 * 60));
844
845        tracing::info!("test: the token shouldn't get refreshed since it's not in the 5 minute buffer time yet");
846        harness
847            .expect_token("first_token", "2023-01-01T00:10:00Z")
848            .await;
849        assert!(
850            harness.last_refresh_attempt_time().is_none(),
851            "it shouldn't have tried to refresh since the token isn't expiring soon"
852        );
853
854        tracing::info!("test: advance 2 minutes");
855        time_source.advance(Duration::from_secs(2 * 60));
856
857        tracing::info!(
858            "test: the token will fail to refresh, and the old cached token will be returned"
859        );
860        harness
861            .expect_token("first_token", "2023-01-01T00:10:00Z")
862            .await;
863        assert_eq!(
864            Some("2023-01-01T00:05:00Z"),
865            harness.last_refresh_attempt_time().as_deref(),
866            "it should update the last refresh attempt time since the expiration time is soon"
867        );
868
869        tracing::info!("test: advance 15 seconds");
870        time_source.advance(Duration::from_secs(15));
871
872        tracing::info!(
873            "test: the token will not refresh because the minimum time hasn't passed between attempts"
874        );
875        harness
876            .expect_token("first_token", "2023-01-01T00:10:00Z")
877            .await;
878
879        tracing::info!("test: advance 15 seconds");
880        time_source.advance(Duration::from_secs(15));
881
882        tracing::info!(
883            "test: the token will fail to refresh, and the old cached token will be returned"
884        );
885        harness
886            .expect_token("first_token", "2023-01-01T00:10:00Z")
887            .await;
888
889        tracing::info!("test: advance 30 seconds");
890        time_source.advance(Duration::from_secs(30));
891
892        tracing::info!("test: the token will refresh successfully");
893        harness
894            .expect_token("second_token", "2023-01-01T08:06:00Z")
895            .await;
896    }
897}