update unit test. add additional entries to credential profile type detector

peterrsongg · peterrsongg · commit 848b721a7dfe · 2025-04-11T09:09:42.000-07:00
diff --git a/generator/.DevConfigs/b24980c4-b6f6-4181-9789-fda85df054a3.json b/generator/.DevConfigs/b24980c4-b6f6-4181-9789-fda85df054a3.json
@@ -1,7 +1,7 @@
 {
     "core": {
       "changeLogMessages": [
-        "[Breaking Change] Allow source_profile to be used in conjunction with sso_session. If the profile specified via source_profile has sso_session, credentials will be retrieved from sso. The sso credentials will then be used to assume the role specified in the original profile. Previous behavior was that it assumed the role specified in source_profile, which is incorrect."
+        "[Breaking Change] Allow source_profile to be used in conjunction with sso_session. If the profile specified via source_profile has sso_session, and the sso_session section is correctly configured, credentials will be retrieved from sso. The sso credentials will then be used to assume the role specified in the original profile. Previous behavior was that it assumed the role specified in source_profile, which does not follow the assume role profile chaining pattern."
       ],
       "type": "patch",
       "updateMinimum": true
diff --git a/sdk/src/Core/Amazon.Runtime/CredentialManagement/Internal/CredentialProfileTypeDetector.cs b/sdk/src/Core/Amazon.Runtime/CredentialManagement/Internal/CredentialProfileTypeDetector.cs
@@ -106,83 +106,107 @@ public static class CredentialProfileTypeDetector
                     {
                         new HashSet<string> { RoleArn, SourceProfile },
                         new HashSet<string> { RoleArn, SourceProfile, AwsAccountId },
+                        new HashSet<string> { RoleArn, SourceProfile, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
+                        new HashSet<string> { RoleArn, SourceProfile, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                     }
                 },
                 {
                     CredentialProfileType.AssumeRoleMFA, new List<HashSet<string>>()
                     {
                         new HashSet<string> { MfaSerial, RoleArn, SourceProfile },
+                        new HashSet<string> { MfaSerial, RoleArn, SourceProfile, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                         new HashSet<string> { MfaSerial, RoleArn, SourceProfile, AwsAccountId },
+                        new HashSet<string> { MfaSerial, RoleArn, SourceProfile, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                     }
                 },
                 {
                     CredentialProfileType.AssumeRoleMFASessionName, new List<HashSet<string>>()
                     {
                         new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName },
+                        new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                         new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
+                        new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl }
                     }
                 },
                 {
                     CredentialProfileType.AssumeRoleExternalMFA, new List<HashSet<string>>()
                     {
-                        new HashSet<string> { ExternalID, RoleArn, SourceProfile, MfaSerial }
+                        new HashSet<string> { ExternalID, RoleArn, SourceProfile, MfaSerial },
+                        new HashSet<string> { ExternalID, RoleArn, SourceProfile, MfaSerial, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl }
                     }
                 },
                 {
                     CredentialProfileType.AssumeRoleExternal, new List<HashSet<string>>()
                     {
                         new HashSet<string> { ExternalID, RoleArn, SourceProfile },
+                        new HashSet<string> { ExternalID, RoleArn, SourceProfile, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                         new HashSet<string> { ExternalID, RoleArn, SourceProfile, AwsAccountId },
+                        new HashSet<string> { ExternalID, RoleArn, SourceProfile, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl}
                     }
                 },
                 {
                     CredentialProfileType.AssumeRoleSessionName, new List<HashSet<string>>()
                     {
                         new HashSet<string> { RoleArn, SourceProfile, RoleSessionName },
+                        new HashSet<string> { RoleArn, SourceProfile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl},
                         new HashSet<string> { RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
+                        new HashSet<string> { RoleArn, SourceProfile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                     }
                 },
                 {
                     CredentialProfileType.AssumeRoleExternalSessionName, new List<HashSet<string>>()
                     {
                         new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName },
+                        new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                         new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
+                        new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                     }
                 },
                 {
                     CredentialProfileType.AssumeRoleExternalMFASessionName, new List<HashSet<string>>()
                     {
                         new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName },
+                        new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                         new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },
+                        new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                     }
                 },
                 { 
                     CredentialProfileType.AssumeRoleCredentialSource, new List<HashSet<string>>() 
                     { 
                         new HashSet<string> { RoleArn, CredentialSource },
-                        new HashSet<string> { RoleArn, CredentialSource, AwsAccountId }
+                        new HashSet<string> { RoleArn, CredentialSource, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
+                        new HashSet<string> { RoleArn, CredentialSource, AwsAccountId },
+                        new HashSet<string> { RoleArn, CredentialSource, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl }
                     } 
                 },
                 {
                     CredentialProfileType.AssumeRoleCredentialSourceSessionName, new List<HashSet<string>>()
                     {
                         new HashSet<string> { RoleArn, CredentialSource, RoleSessionName },
+                        new HashSet<string> { RoleArn, CredentialSource, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                         new HashSet<string> { RoleArn, CredentialSource, RoleSessionName, AwsAccountId},
+                        new HashSet<string> { RoleArn, CredentialSource, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                     }
                 },
                 { 
                     CredentialProfileType.AssumeRoleWithWebIdentity, new List<HashSet<string>>() 
                     {
                         new HashSet<string> { RoleArn, WebIdentityTokenFile },
+                        new HashSet<string> { RoleArn, WebIdentityTokenFile, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                         new HashSet<string> { RoleArn, WebIdentityTokenFile, CredentialSource },
+                        new HashSet<string> { RoleArn, WebIdentityTokenFile, CredentialSource, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                         new HashSet<string> { RoleArn, WebIdentityTokenFile, CredentialSource, AwsAccountId },
+                        new HashSet<string> { RoleArn, WebIdentityTokenFile, CredentialSource, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
                     } 
                 },
                 { 
                     CredentialProfileType.AssumeRoleWithWebIdentitySessionName, new List<HashSet<string>>() 
                     { 
                         new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName },
-                        new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName, AwsAccountId } ,
+                        new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },
+                        new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName, AwsAccountId },
+                        new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl } ,
                     } 
                 },
                 { 
@@ -253,13 +277,16 @@ public static string GetUserFriendlyCredentialType(CredentialProfileType? profil
 
             HashSet<string> propertyNames = GetPropertyNames(profileOptions);
 
+            //SPEC: if sso_account_id or sso_role_name exist credentials MUST be resolved by the sso credential provider.
+            if (propertyNames.Contains(SsoAccountId) || propertyNames.Contains(SsoRoleName))
+                return CredentialProfileType.SSO;
 
             // brute force algorithm - but it's a very small set
             foreach (var pair in TypePropertyDictionary)
             {
                 foreach (var item in pair.Value)
                 {
-                    if (item.IsSubsetOf(propertyNames))
+                    if (item.SetEquals(propertyNames))
                     {
                         profileType = pair.Key;
                     }
diff --git a/sdk/test/UnitTests/Custom/Runtime/Credentials/AWSCredentialsFactoryTest.cs b/sdk/test/UnitTests/Custom/Runtime/Credentials/AWSCredentialsFactoryTest.cs
@@ -493,7 +493,7 @@ public void GetSsoCredentialsWithMissingFields()
 
             AssertExtensions.ExpectException(() =>
                     AWSCredentialsFactory.GetAWSCredentials(SsoProfileMissingFields, ProfileStore),
-                typeof(ArgumentNullException)); 
+                typeof(InvalidDataException)); 
         }
 
         [TestMethod]

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"core": {`
`3`	`3`	`"changeLogMessages": [`
`4`		`- "[Breaking Change] Allow source_profile to be used in conjunction with sso_session. If the profile specified via source_profile has sso_session, credentials will be retrieved from sso. The sso credentials will then be used to assume the role specified in the original profile. Previous behavior was that it assumed the role specified in source_profile, which is incorrect."`
	`4`	`+ "[Breaking Change] Allow source_profile to be used in conjunction with sso_session. If the profile specified via source_profile has sso_session, and the sso_session section is correctly configured, credentials will be retrieved from sso. The sso credentials will then be used to assume the role specified in the original profile. Previous behavior was that it assumed the role specified in source_profile, which does not follow the assume role profile chaining pattern."`
`5`	`5`	`],`
`6`	`6`	`"type": "patch",`
`7`	`7`	`"updateMinimum": true`
Original file line number	Diff line number	Diff line change
`@@ -106,83 +106,107 @@ public static class CredentialProfileTypeDetector`
`106`	`106`	`{`
`107`	`107`	`new HashSet<string> { RoleArn, SourceProfile },`
`108`	`108`	`new HashSet<string> { RoleArn, SourceProfile, AwsAccountId },`
	`109`	`+ new HashSet<string> { RoleArn, SourceProfile, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
	`110`	`+ new HashSet<string> { RoleArn, SourceProfile, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`109`	`111`	`}`
`110`	`112`	`},`
`111`	`113`	`{`
`112`	`114`	`CredentialProfileType.AssumeRoleMFA, new List<HashSet<string>>()`
`113`	`115`	`{`
`114`	`116`	`new HashSet<string> { MfaSerial, RoleArn, SourceProfile },`
	`117`	`+ new HashSet<string> { MfaSerial, RoleArn, SourceProfile, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`115`	`118`	`new HashSet<string> { MfaSerial, RoleArn, SourceProfile, AwsAccountId },`
	`119`	`+ new HashSet<string> { MfaSerial, RoleArn, SourceProfile, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`116`	`120`	`}`
`117`	`121`	`},`
`118`	`122`	`{`
`119`	`123`	`CredentialProfileType.AssumeRoleMFASessionName, new List<HashSet<string>>()`
`120`	`124`	`{`
`121`	`125`	`new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName },`
	`126`	`+ new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`122`	`127`	`new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },`
	`128`	`+ new HashSet<string> { MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl }`
`123`	`129`	`}`
`124`	`130`	`},`
`125`	`131`	`{`
`126`	`132`	`CredentialProfileType.AssumeRoleExternalMFA, new List<HashSet<string>>()`
`127`	`133`	`{`
`128`		`- new HashSet<string> { ExternalID, RoleArn, SourceProfile, MfaSerial }`
	`134`	`+ new HashSet<string> { ExternalID, RoleArn, SourceProfile, MfaSerial },`
	`135`	`+ new HashSet<string> { ExternalID, RoleArn, SourceProfile, MfaSerial, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl }`
`129`	`136`	`}`
`130`	`137`	`},`
`131`	`138`	`{`
`132`	`139`	`CredentialProfileType.AssumeRoleExternal, new List<HashSet<string>>()`
`133`	`140`	`{`
`134`	`141`	`new HashSet<string> { ExternalID, RoleArn, SourceProfile },`
	`142`	`+ new HashSet<string> { ExternalID, RoleArn, SourceProfile, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`135`	`143`	`new HashSet<string> { ExternalID, RoleArn, SourceProfile, AwsAccountId },`
	`144`	`+ new HashSet<string> { ExternalID, RoleArn, SourceProfile, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl}`
`136`	`145`	`}`
`137`	`146`	`},`
`138`	`147`	`{`
`139`	`148`	`CredentialProfileType.AssumeRoleSessionName, new List<HashSet<string>>()`
`140`	`149`	`{`
`141`	`150`	`new HashSet<string> { RoleArn, SourceProfile, RoleSessionName },`
	`151`	`+ new HashSet<string> { RoleArn, SourceProfile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl},`
`142`	`152`	`new HashSet<string> { RoleArn, SourceProfile, RoleSessionName, AwsAccountId },`
	`153`	`+ new HashSet<string> { RoleArn, SourceProfile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`143`	`154`	`}`
`144`	`155`	`},`
`145`	`156`	`{`
`146`	`157`	`CredentialProfileType.AssumeRoleExternalSessionName, new List<HashSet<string>>()`
`147`	`158`	`{`
`148`	`159`	`new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName },`
	`160`	`+ new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`149`	`161`	`new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },`
	`162`	`+ new HashSet<string> { ExternalID, RoleArn, SourceProfile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`150`	`163`	`}`
`151`	`164`	`},`
`152`	`165`	`{`
`153`	`166`	`CredentialProfileType.AssumeRoleExternalMFASessionName, new List<HashSet<string>>()`
`154`	`167`	`{`
`155`	`168`	`new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName },`
	`169`	`+ new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`156`	`170`	`new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId },`
	`171`	`+ new HashSet<string> { ExternalID, MfaSerial, RoleArn, SourceProfile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`157`	`172`	`}`
`158`	`173`	`},`
`159`	`174`	`{`
`160`	`175`	`CredentialProfileType.AssumeRoleCredentialSource, new List<HashSet<string>>()`
`161`	`176`	`{`
`162`	`177`	`new HashSet<string> { RoleArn, CredentialSource },`
`163`		`- new HashSet<string> { RoleArn, CredentialSource, AwsAccountId }`
	`178`	`+ new HashSet<string> { RoleArn, CredentialSource, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
	`179`	`+ new HashSet<string> { RoleArn, CredentialSource, AwsAccountId },`
	`180`	`+ new HashSet<string> { RoleArn, CredentialSource, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl }`
`164`	`181`	`}`
`165`	`182`	`},`
`166`	`183`	`{`
`167`	`184`	`CredentialProfileType.AssumeRoleCredentialSourceSessionName, new List<HashSet<string>>()`
`168`	`185`	`{`
`169`	`186`	`new HashSet<string> { RoleArn, CredentialSource, RoleSessionName },`
	`187`	`+ new HashSet<string> { RoleArn, CredentialSource, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`170`	`188`	`new HashSet<string> { RoleArn, CredentialSource, RoleSessionName, AwsAccountId},`
	`189`	`+ new HashSet<string> { RoleArn, CredentialSource, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`171`	`190`	`}`
`172`	`191`	`},`
`173`	`192`	`{`
`174`	`193`	`CredentialProfileType.AssumeRoleWithWebIdentity, new List<HashSet<string>>()`
`175`	`194`	`{`
`176`	`195`	`new HashSet<string> { RoleArn, WebIdentityTokenFile },`
	`196`	`+ new HashSet<string> { RoleArn, WebIdentityTokenFile, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`177`	`197`	`new HashSet<string> { RoleArn, WebIdentityTokenFile, CredentialSource },`
	`198`	`+ new HashSet<string> { RoleArn, WebIdentityTokenFile, CredentialSource, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`178`	`199`	`new HashSet<string> { RoleArn, WebIdentityTokenFile, CredentialSource, AwsAccountId },`
	`200`	`+ new HashSet<string> { RoleArn, WebIdentityTokenFile, CredentialSource, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
`179`	`201`	`}`
`180`	`202`	`},`
`181`	`203`	`{`
`182`	`204`	`CredentialProfileType.AssumeRoleWithWebIdentitySessionName, new List<HashSet<string>>()`
`183`	`205`	`{`
`184`	`206`	`new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName },`
`185`		`- new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName, AwsAccountId } ,`
	`207`	`+ new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl },`
	`208`	`+ new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName, AwsAccountId },`
	`209`	`+ new HashSet<string> { RoleArn, WebIdentityTokenFile, RoleSessionName, AwsAccountId, SsoSession, SsoRegion, SsoRegistrationScopes, SsoStartUrl } ,`
`186`	`210`	`}`
`187`	`211`	`},`
`188`	`212`	`{`
`@@ -253,13 +277,16 @@ public static string GetUserFriendlyCredentialType(CredentialProfileType? profil`
`253`	`277`
`254`	`278`	`HashSet<string> propertyNames = GetPropertyNames(profileOptions);`
`255`	`279`
	`280`	`+ //SPEC: if sso_account_id or sso_role_name exist credentials MUST be resolved by the sso credential provider.`
	`281`	`+ if (propertyNames.Contains(SsoAccountId) \|\| propertyNames.Contains(SsoRoleName))`
	`282`	`+ return CredentialProfileType.SSO;`
`256`	`283`
`257`	`284`	`// brute force algorithm - but it's a very small set`
`258`	`285`	`foreach (var pair in TypePropertyDictionary)`
`259`	`286`	`{`
`260`	`287`	`foreach (var item in pair.Value)`
`261`	`288`	`{`
`262`		`- if (item.IsSubsetOf(propertyNames))`
	`289`	`+ if (item.SetEquals(propertyNames))`
`263`	`290`	`{`
`264`	`291`	`profileType = pair.Key;`
`265`	`292`	`}`
Original file line number	Diff line number	Diff line change
`@@ -493,7 +493,7 @@ public void GetSsoCredentialsWithMissingFields()`
`493`	`493`
`494`	`494`	`AssertExtensions.ExpectException(() =>`
`495`	`495`	`AWSCredentialsFactory.GetAWSCredentials(SsoProfileMissingFields, ProfileStore),`
`496`		`- typeof(ArgumentNullException));`
	`496`	`+ typeof(InvalidDataException));`
`497`	`497`	`}`
`498`	`498`
`499`	`499`	`[TestMethod]`