From 3210aff617fdcb1f7bb9b613b03fffe7929a0415 Mon Sep 17 00:00:00 2001 From: Erik Erikson Date: Thu, 1 Dec 2016 01:37:26 -0800 Subject: [PATCH] Detect Successful Async Credential Loading Check for the roleArn attribute on ini file loaded credentials. If that exists, then asynchronous (assume role) credentials are being loaded but they may not yet be received. Accept these as valid credentials and use the containing credentials object as the current credentials object. Clean up the test data (fakeCredentials didn't need so much) Create a test that verifies the async credential loading functionality Create a test that ensures a non-existent profile one attempts to load does not load any credentials Bump the version of the aws-sdk so that the modified aws-sdk will be demanded for proper handling of this feature. --- lib/plugins/aws/provider/awsProvider.js | 7 ++--- lib/plugins/aws/provider/awsProvider.test.js | 27 +++++++++----------- package.json | 2 +- 3 files changed, 17 insertions(+), 19 deletions(-) diff --git a/lib/plugins/aws/provider/awsProvider.js b/lib/plugins/aws/provider/awsProvider.js index 0f89fe5c6..dd473686d 100644 --- a/lib/plugins/aws/provider/awsProvider.js +++ b/lib/plugins/aws/provider/awsProvider.js @@ -23,12 +23,13 @@ const impl = { let result = false; if (credentials) { if ( - ( + ( // valid credentials loaded credentials.accessKeyId && credentials.accessKeyId !== 'undefined' && credentials.secretAccessKey && credentials.secretAccessKey !== 'undefined' ) || ( - credentials.role_arn && credentials.role_arn !== 'undefined' && - credentials.source_profile && credentials.source_profile !== 'undefined' + // a role to assume has been successfully loaded, the associated STS request has been + // sent, and the temporary credentials will be asynchronously delivered. + credentials.roleArn ) ) { result = true; diff --git a/lib/plugins/aws/provider/awsProvider.test.js b/lib/plugins/aws/provider/awsProvider.test.js index f08dca031..24a1dadf4 100644 
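Review bot: The new `credentials.roleArn` branch treats the mere presence of a role ARN as proof of usable credentials, but the assume-role result has not arrived at this point. A profile whose role cannot be assumed (denied by the trust policy, or a missing or wrong source profile) still passes the check and presumably stops the search through the remaining credential sources. The added comment overstates this by calling the role "successfully loaded"; I would word it as `// role_arn found in the profile; temporary credentials are fetched asynchronously and the request can still fail`, and make sure the failure is surfaced where the credentials are first used. The branch also drops the `!== 'undefined'` guard that the access-key branch keeps, so `credentials.roleArn && credentials.roleArn !== 'undefined'` would be consistent with it. The enclosing function starts and ends outside the hunk, so how its result is consumed is not visible here.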
--- a/lib/plugins/aws/provider/awsProvider.test.js +++ b/lib/plugins/aws/provider/awsProvider.test.js @@ -239,9 +239,7 @@ describe('AwsProvider', () => { secretAccessKey: '0123456789876543', sessionToken: '981237917391273918273918723987129837129873', roleArn: 'a:role:arn', - role_session_name: 'a-role-session-name', - external_id: 'external-id', - source_profile: 'notDefaultTemporary', + sourceProfile: 'notDefaultTemporary', }; let originalProviderCredentials; @@ -265,8 +263,6 @@ describe('AwsProvider', () => { '\n' + '[notDefaultAsync]\n' + `role_arn = ${fakeCredentials.roleArn}\n` + - `role_session_name = ${fakeCredentials.roleSessionName}\n` + - `external_id = ${fakeCredentials.externalId}\n` + `source_profile = ${fakeCredentials.sourceProfile}\n` ); newAwsProvider = new AwsProviderProxyquired(serverless, newOptions); 
@@ -327,16 +323,17 @@ describe('AwsProvider', () => { expect(credentials.credentials.sessionToken).to.equal(undefined); }); - // TODO this test doesn't work but I don't think I have the proper set up to test it with - // TODO How to test the asynchronous/assumeRole based credentials loading capability? - // it('should load async profiles properly', () => { - // serverless.service.provider.profile = 'notDefaultAsync'; - // const credentials = newAwsProvider.getCredentials(); - // expect(credentials.credentials.roleArn).to.equal(fakeCredentials.roleArn); - // expect(credentials.credentials.roleSessionName).to.equal(fakeCredentials.roleSessionName); - // expect(credentials.credentials.externalId).to.equal(fakeCredentials.externalId); - // expect(credentials.credentials.sourceProfile).to.equal(fakeCredentials.sourceProfile); - // }); + it('should load async profiles properly', () => { + serverless.service.provider.profile = 'notDefaultAsync'; + const credentials = newAwsProvider.getCredentials(); + expect(credentials.credentials.roleArn).to.equal(fakeCredentials.roleArn); + }); + + it('should not set credentials if a non-existent profile is set', () => { + serverless.service.provider.profile = 'not-a-defined-profile'; + const credentials = newAwsProvider.getCredentials(); + expect(credentials).to.eql({ region: newOptions.region }); + }); it('should not set credentials if empty profile is set', () => { serverless.service.provider.profile = ''; diff --git a/package.json b/package.json index 0e21f8542..9fa1cdd75 100644 --- a/package.json +++ b/package.json @@ -72,7 +72,7 @@ "dependencies": { "archiver": "^1.1.0", "async": "^1.5.2", - "aws-sdk": "^2.3.17", + "aws-sdk": "^v2.7.10", "bluebird": "^3.4.0", "chalk": "^1.1.1", "download": "^5.0.2",
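Review bot: The new `should load async profiles properly` test asserts only that `roleArn` is echoed back, which is the same property the provider now uses as its validity check, so it cannot tell a profile whose role was assumed from one whose assume-role request failed. Going by the comment added in awsProvider.js, loading this profile also sends an STS request, and nothing visible in this hunk stubs it, so the unit test may be making a real network call with the fake keys. If the proxyquire setup outside the hunk does not already replace the STS client, stub it. I would also add a case for a role profile whose `source_profile` does not exist, asserting that no credentials are set. The `describe` block starts and ends outside the hunk.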