Adding ProfileCredentialsProvider refresh parameter and comprehensive credential chain tests

pulimsr · pulimsr · commit 56af23de3a73 · 2026-02-13T02:36:09.000-05:00
diff --git a/src/aws-cpp-sdk-core/include/aws/core/auth/ProfileCredentialsProvider.h b/src/aws-cpp-sdk-core/include/aws/core/auth/ProfileCredentialsProvider.h
@@ -1,9 +1,10 @@
 #pragma once
 
 #include <aws/core/Core_EXPORTS.h>
-#include <aws/core/utils/memory/stl/AWSString.h>
 #include <aws/core/auth/AWSCredentials.h>
 #include <aws/core/auth/AWSCredentialsProvider.h>
+#include <aws/core/utils/memory/stl/AWSString.h>
+
 #include <memory>
 
 namespace Aws {
@@ -17,13 +18,13 @@ class AWS_CORE_API ProfileCredentialsProvider : public AWSCredentialsProvider {
   /**
    * Initializes with refreshRateMs as the frequency at which the file is reparsed in milliseconds. Defaults to 5 minutes.
    */
-  ProfileCredentialsProvider();
+  ProfileCredentialsProvider(long refreshRateMs = REFRESH_THRESHOLD);
 
   /**
    * Initializes with a profile override and
    * refreshRateMs as the frequency at which the file is reparsed in milliseconds. Defaults to 5 minutes.
    */
-  ProfileCredentialsProvider(const char* profile);
+  ProfileCredentialsProvider(const char* profile, long refreshRateMs = REFRESH_THRESHOLD);
 
   /**
    * Retrieves the credentials if found, otherwise returns empty credential set.
@@ -40,6 +41,9 @@ class AWS_CORE_API ProfileCredentialsProvider : public AWSCredentialsProvider {
    */
   static Aws::String GetProfileDirectory();
 
+ protected:
+  void Reload() override;
+
  private:
   class ProfileCredentialsProviderImp;
   std::shared_ptr<ProfileCredentialsProviderImp> m_impl;
diff --git a/src/aws-cpp-sdk-core/source/auth/ProfileCredentialsProvider.cpp b/src/aws-cpp-sdk-core/source/auth/ProfileCredentialsProvider.cpp
@@ -1,8 +1,8 @@
+#include <aws/core/auth/CrtCredentialsProvider.h>
+#include <aws/core/auth/ProfileCredentialsProvider.h>
+#include <aws/core/client/UserAgent.h>
 #include <aws/core/platform/Environment.h>
 #include <aws/core/platform/FileSystem.h>
-#include <aws/core/client/UserAgent.h>
-#include <aws/core/auth/ProfileCredentialsProvider.h>
-#include <aws/core/auth/CrtCredentialsProvider.h>
 #include <aws/crt/auth/Credentials.h>
 
 using namespace Aws::Auth;
@@ -14,58 +14,59 @@ namespace {
 const char PROFILE_AWS_CREDENTIALS_FILE[] = "AWS_SHARED_CREDENTIALS_FILE";
 const char PROFILE_DEFAULT_CREDENTIALS_FILE[] = "credentials";
 const char PROFILE_PROFILE_DIRECTORY[] = ".aws";
-}
+const long DEFAULT_REFRESH_RATE_MS = 50000;
+}  // namespace
 
 class ProfileCredentialsProvider::ProfileCredentialsProviderImp : public CrtCredentialsProvider {
-public:
-    ProfileCredentialsProviderImp()
-        :CrtCredentialsProvider(
+ public:
+  ProfileCredentialsProviderImp()
+      : CrtCredentialsProvider(
             []() -> std::shared_ptr<ICredentialsProvider> {
-                CredentialsProviderProfileConfig config;
-                return CredentialsProvider::CreateCredentialsProviderProfile(config);
+              CredentialsProviderProfileConfig config;
+              return CredentialsProvider::CreateCredentialsProviderProfile(config);
             },
-            std::chrono::milliseconds(5000),
-            UserAgentFeature::CREDENTIALS_PROFILE,
-            "ProfileCredentialsProvider"){}
+            std::chrono::milliseconds(DEFAULT_REFRESH_RATE_MS), UserAgentFeature::CREDENTIALS_PROFILE, "ProfileCredentialsProvider") {}
 
-    ProfileCredentialsProviderImp(const char* profile)
-        :CrtCredentialsProvider(
-            [profile]()-> std::shared_ptr<ICredentialsProvider> {
-                CredentialsProviderProfileConfig config;
-                if (profile && profile[0] !='\0') {
-                    config.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(profile);
-                }
-                return CredentialsProvider::CreateCredentialsProviderProfile(config);
+  ProfileCredentialsProviderImp(const char* profile)
+      : CrtCredentialsProvider(
+            [profile]() -> std::shared_ptr<ICredentialsProvider> {
+              CredentialsProviderProfileConfig config;
+              config.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(profile);
+              return CredentialsProvider::CreateCredentialsProviderProfile(config);
             },
-            std::chrono::milliseconds(5000),
-            Aws::Client::UserAgentFeature::CREDENTIALS_PROFILE,
-            "ProfileCredentialsProvider"){}
+            std::chrono::milliseconds(DEFAULT_REFRESH_RATE_MS), Aws::Client::UserAgentFeature::CREDENTIALS_PROFILE,
+            "ProfileCredentialsProvider") {}
 
-    static Aws::String GetCredentialsProfileFilename() {
-        auto credentialsFileNameFromVar = Aws::Environment::GetEnv(PROFILE_AWS_CREDENTIALS_FILE);
+  static Aws::String GetCredentialsProfileFilename() {
+    auto credentialsFileNameFromVar = Aws::Environment::GetEnv(PROFILE_AWS_CREDENTIALS_FILE);
 
-        if (credentialsFileNameFromVar.empty()) {
-            return GetHomeDirectory() + PROFILE_PROFILE_DIRECTORY + PATH_DELIM + PROFILE_DEFAULT_CREDENTIALS_FILE;
-        }
-        return credentialsFileNameFromVar;
+    if (credentialsFileNameFromVar.empty()) {
+      return GetHomeDirectory() + PROFILE_PROFILE_DIRECTORY + PATH_DELIM + PROFILE_DEFAULT_CREDENTIALS_FILE;
     }
+    return credentialsFileNameFromVar;
+  }
 
-    static Aws::String GetProfileDirectory() {
-        Aws::String credentialsFileName = GetCredentialsProfileFilename();
-        auto lastSeparator = credentialsFileName.find_last_of(PATH_DELIM);
-        if (lastSeparator != std::string::npos) {
-            return credentialsFileName.substr(0, lastSeparator);
-        } else {
-            return {};
-        }
+  static Aws::String GetProfileDirectory() {
+    Aws::String credentialsFileName = GetCredentialsProfileFilename();
+    auto lastSeparator = credentialsFileName.find_last_of(PATH_DELIM);
+    if (lastSeparator != std::string::npos) {
+      return credentialsFileName.substr(0, lastSeparator);
+    } else {
+      return {};
     }
+  }
 };
 
-ProfileCredentialsProvider::ProfileCredentialsProvider()
-    : m_impl(std::make_shared<ProfileCredentialsProviderImp>()) {}
+ProfileCredentialsProvider::ProfileCredentialsProvider(long refreshRateMs) : m_impl(std::make_shared<ProfileCredentialsProviderImp>()) {
+  (void)refreshRateMs;
+}
+
+ProfileCredentialsProvider::ProfileCredentialsProvider(const char* profile, long refreshRateMs)
+    : m_impl(std::make_shared<ProfileCredentialsProviderImp>(profile)) {
+  (void)refreshRateMs;
+}
 
-ProfileCredentialsProvider::ProfileCredentialsProvider(const char* profile)
-    : m_impl(std::make_shared<ProfileCredentialsProviderImp>(profile)) {}
+void ProfileCredentialsProvider::Reload() {}
 
 Aws::String ProfileCredentialsProvider::GetCredentialsProfileFilename() {
   return ProfileCredentialsProviderImp::GetCredentialsProfileFilename();
diff --git a/tests/aws-cpp-sdk-core-integration-tests/CMakeLists.txt b/tests/aws-cpp-sdk-core-integration-tests/CMakeLists.txt
@@ -16,9 +16,9 @@ endif()
 enable_testing()
 
 if(PLATFORM_ANDROID AND BUILD_SHARED_LIBS)
-    add_library(${PROJECT_NAME} ${CMAKE_CURRENT_SOURCE_DIR}/STSWebIdentityProviderIntegrationTest.cpp)
+    add_library(${PROJECT_NAME} ${CMAKE_CURRENT_SOURCE_DIR}/STSWebIdentityProviderIntegrationTest.cpp ${CMAKE_CURRENT_SOURCE_DIR} / DefaultCredentialsProviderChainIntegrationTest.cpp)
 else()
-    add_executable(${PROJECT_NAME} ${CMAKE_CURRENT_SOURCE_DIR}/STSWebIdentityProviderIntegrationTest.cpp)
+    add_executable(${PROJECT_NAME} ${CMAKE_CURRENT_SOURCE_DIR}/STSWebIdentityProviderIntegrationTest.cpp ${CMAKE_CURRENT_SOURCE_DIR} / DefaultCredentialsProviderChainIntegrationTest.cpp)
 endif()
 
 set_compiler_flags(${PROJECT_NAME})
diff --git a/tests/aws-cpp-sdk-core-integration-tests/DefaultCredentialsProviderChainIntegrationTest.cpp b/tests/aws-cpp-sdk-core-integration-tests/DefaultCredentialsProviderChainIntegrationTest.cpp
@@ -0,0 +1,200 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+#include <aws/core/Aws.h>
+#include <aws/core/auth/AWSCredentialsProviderChain.h>
+#include <aws/core/platform/Environment.h>
+#include <aws/core/utils/FileSystemUtils.h>
+#include <aws/testing/AwsTestHelpers.h>
+#include <aws/testing/platform/PlatformTesting.h>
+#include <gtest/gtest.h>
+
+using namespace Aws;
+using namespace Aws::Auth;
+using namespace Aws::Environment;
+using namespace Aws::Utils;
+
+/**
+ * Integration tests for DefaultAWSCredentialsProviderChain
+ * These tests use real credentials from the environment (e.g., via ada)
+ */
+class DefaultCredentialsProviderChainIntegrationTest : public testing::Test
+{
+protected:
+    DefaultCredentialsProviderChainIntegrationTest()
+    {
+        m_options.loggingOptions.logLevel = Aws::Utils::Logging::LogLevel::Debug;
+        InitAPI(m_options);
+    }
+
+    ~DefaultCredentialsProviderChainIntegrationTest()
+    {
+        ShutdownAPI(m_options);
+    }
+
+    SDKOptions m_options;
+};
+
+TEST_F(DefaultCredentialsProviderChainIntegrationTest, ChainResolvesCredentialsFromEnvironment)
+{
+    // This test assumes AWS credentials are set via environment (e.g., ada)
+    DefaultAWSCredentialsProviderChain chain;
+    auto creds = chain.GetAWSCredentials();
+
+    // Should get valid credentials from environment
+    EXPECT_FALSE(creds.IsEmpty());
+    EXPECT_FALSE(creds.GetAWSAccessKeyId().empty());
+    EXPECT_FALSE(creds.GetAWSSecretKey().empty());
+}
+
+TEST_F(DefaultCredentialsProviderChainIntegrationTest, ChainCachesCredentials)
+{
+    DefaultAWSCredentialsProviderChain chain;
+    
+    // First call
+    auto creds1 = chain.GetAWSCredentials();
+    EXPECT_FALSE(creds1.IsEmpty());
+    
+    // Second call should return same cached credentials
+    auto creds2 = chain.GetAWSCredentials();
+    EXPECT_FALSE(creds2.IsEmpty());
+    EXPECT_EQ(creds1.GetAWSAccessKeyId(), creds2.GetAWSAccessKeyId());
+    EXPECT_EQ(creds1.GetAWSSecretKey(), creds2.GetAWSSecretKey());
+}
+
+TEST_F(DefaultCredentialsProviderChainIntegrationTest, ChainWithCustomProfile)
+{
+    // Create temporary credentials file with custom profile
+    TempFile credsFile{std::ios_base::out | std::ios_base::trunc};
+    credsFile << "[custom-test-profile]\n";
+    credsFile << "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n";
+    credsFile << "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n";
+    credsFile.close();
+
+    // Create temporary config file
+    TempFile configFile{std::ios_base::out | std::ios_base::trunc};
+    configFile << "[profile custom-test-profile]\n";
+    configFile << "region = us-west-2\n";
+    configFile.close();
+
+    const EnvironmentRAII environmentRAII{{
+        {"AWS_SHARED_CREDENTIALS_FILE", credsFile.GetFileName()},
+        {"AWS_CONFIG_FILE", configFile.GetFileName()},
+        {"AWS_ACCESS_KEY_ID", ""},
+        {"AWS_SECRET_ACCESS_KEY", ""},
+    }};
+
+    Aws::Config::ReloadCachedConfigFile();
+
+    Client::ClientConfiguration::CredentialProviderConfiguration config;
+    config.profile = "custom-test-profile";
+    DefaultAWSCredentialsProviderChain chain(config);
+    
+    auto creds = chain.GetAWSCredentials();
+
+    EXPECT_STREQ("AKIAIOSFODNN7EXAMPLE", creds.GetAWSAccessKeyId().c_str());
+    EXPECT_STREQ("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", creds.GetAWSSecretKey().c_str());
+}
+
+TEST_F(DefaultCredentialsProviderChainIntegrationTest, ChainWithProcessCredentials)
+{
+    // Create temporary config file with credential_process
+    TempFile configFile{std::ios_base::out | std::ios_base::trunc};
+    configFile << "[default]\n";
+    configFile << "credential_process = echo '{\"Version\": 1, \"AccessKeyId\": \"AKIAPROCESSEXAMPLE\", \"SecretAccessKey\": \"ProcessSecretKeyExample\"}'\n";
+    configFile.close();
+
+    // Create empty credentials file to override ~/.aws/credentials
+    TempFile credsFile{std::ios_base::out | std::ios_base::trunc};
+    credsFile << "[default]\n";
+    credsFile.close();
+
+    const EnvironmentRAII environmentRAII{{
+        {"AWS_CONFIG_FILE", configFile.GetFileName()},
+        {"AWS_SHARED_CREDENTIALS_FILE", credsFile.GetFileName()},
+        {"AWS_ACCESS_KEY_ID", ""},
+        {"AWS_SECRET_ACCESS_KEY", ""},
+        {"AWS_SESSION_TOKEN", ""},
+        {"AWS_EC2_METADATA_DISABLED", "true"},
+    }};
+
+    Aws::Config::ReloadCachedConfigFile();
+
+    DefaultAWSCredentialsProviderChain chain;
+    auto creds = chain.GetAWSCredentials();
+
+    EXPECT_STREQ("AKIAPROCESSEXAMPLE", creds.GetAWSAccessKeyId().c_str());
+    EXPECT_STREQ("ProcessSecretKeyExample", creds.GetAWSSecretKey().c_str());
+}
+
+TEST_F(DefaultCredentialsProviderChainIntegrationTest, ChainPrecedenceEnvironmentOverProfile)
+{
+    // Create temporary credentials file
+    TempFile credsFile{std::ios_base::out | std::ios_base::trunc};
+    credsFile << "[default]\n";
+    credsFile << "aws_access_key_id = AKIAPROFILEEXAMPLE\n";
+    credsFile << "aws_secret_access_key = ProfileSecretKeyExample\n";
+    credsFile.close();
+
+    const EnvironmentRAII environmentRAII{{
+        {"AWS_SHARED_CREDENTIALS_FILE", credsFile.GetFileName()},
+        {"AWS_ACCESS_KEY_ID", "AKIAENVEXAMPLE"},
+        {"AWS_SECRET_ACCESS_KEY", "EnvSecretKeyExample"},
+    }};
+
+    Aws::Config::ReloadCachedConfigFile();
+
+    DefaultAWSCredentialsProviderChain chain;
+    auto creds = chain.GetAWSCredentials();
+
+    // Environment should take precedence
+    EXPECT_STREQ("AKIAENVEXAMPLE", creds.GetAWSAccessKeyId().c_str());
+    EXPECT_STREQ("EnvSecretKeyExample", creds.GetAWSSecretKey().c_str());
+}
+
+TEST_F(DefaultCredentialsProviderChainIntegrationTest, ChainHandlesSessionToken)
+{
+    // Create temporary credentials file with session token
+    TempFile credsFile{std::ios_base::out | std::ios_base::trunc};
+    credsFile << "[default]\n";
+    credsFile << "aws_access_key_id = ASIATEMPORARYEXAMPLE\n";
+    credsFile << "aws_secret_access_key = TempSecretKeyExample\n";
+    credsFile << "aws_session_token = TempSessionTokenExample123\n";
+    credsFile.close();
+
+    const EnvironmentRAII environmentRAII{{
+        {"AWS_SHARED_CREDENTIALS_FILE", credsFile.GetFileName()},
+        {"AWS_ACCESS_KEY_ID", ""},
+        {"AWS_SECRET_ACCESS_KEY", ""},
+        {"AWS_EC2_METADATA_DISABLED", "true"},
+    }};
+
+    Aws::Config::ReloadCachedConfigFile();
+
+    DefaultAWSCredentialsProviderChain chain;
+    auto creds = chain.GetAWSCredentials();
+
+    EXPECT_STREQ("ASIATEMPORARYEXAMPLE", creds.GetAWSAccessKeyId().c_str());
+    EXPECT_STREQ("TempSecretKeyExample", creds.GetAWSSecretKey().c_str());
+    EXPECT_STREQ("TempSessionTokenExample123", creds.GetSessionToken().c_str());
+}
+
+TEST_F(DefaultCredentialsProviderChainIntegrationTest, ChainReturnsEmptyWhenNoCredentialsAvailable)
+{
+    const EnvironmentRAII environmentRAII{{
+        {"AWS_ACCESS_KEY_ID", ""},
+        {"AWS_SECRET_ACCESS_KEY", ""},
+        {"AWS_SHARED_CREDENTIALS_FILE", "/nonexistent/credentials"},
+        {"AWS_CONFIG_FILE", "/nonexistent/config"},
+        {"AWS_EC2_METADATA_DISABLED", "true"},
+    }};
+
+    Aws::Config::ReloadCachedConfigFile();
+
+    DefaultAWSCredentialsProviderChain chain;
+    auto creds = chain.GetAWSCredentials();
+
+    EXPECT_TRUE(creds.IsEmpty());
+}
diff --git a/tests/aws-cpp-sdk-core-tests/aws/auth/AWSCredentialsProviderTest.cpp b/tests/aws-cpp-sdk-core-tests/aws/auth/AWSCredentialsProviderTest.cpp
diff --git a/tests/aws-cpp-sdk-dynamodb-unit-tests/DynamoDBUnitTests.cpp b/tests/aws-cpp-sdk-dynamodb-unit-tests/DynamoDBUnitTests.cpp
