Handle sso session names with quotes/spaces (#2895)

aws · Aug 9, 2023 · 2f9c7e9 · 2f9c7e9
1 parent 1b79077
commit 2f9c7e9
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 19 deletions.
diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md
@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Issue - Add support for sso-session names with whitespace configured by the CLI `aws sso configure` command (#2895).
+
 3.180.2 (2023-08-07)
 ------------------
 

diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb b/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb
@@ -359,12 +359,8 @@ def sso_credentials_from_profile(cfg, profile)
          !(prof_config.keys & SSO_CREDENTIAL_PROFILE_KEYS).empty?
 
         if sso_session_name = prof_config['sso_session']
-          sso_session = cfg["sso-session #{sso_session_name}"]
-          unless sso_session
-            raise ArgumentError,
-                  "sso-session #{sso_session_name} must be defined in the config file. " \
-                    "Referenced by profile #{profile}"
-          end
+          sso_session = sso_session(cfg, profile, sso_session_name)
+
           sso_region = sso_session['sso_region']
           sso_start_url = sso_session['sso_start_url']
 
@@ -389,7 +385,7 @@ def sso_credentials_from_profile(cfg, profile)
           sso_role_name: prof_config['sso_role_name'],
           sso_session: prof_config['sso_session'],
           sso_region: sso_region,
-          sso_start_url: prof_config['sso_start_url']
+          sso_start_url: sso_start_url
           )
       end
     end
@@ -402,16 +398,7 @@ def sso_token_from_profile(cfg, profile)
         !(prof_config.keys & SSO_TOKEN_PROFILE_KEYS).empty?
 
         sso_session_name = prof_config['sso_session']
-        sso_session = cfg["sso-session #{sso_session_name}"]
-        unless sso_session
-          raise ArgumentError,
-                "sso-session #{sso_session_name} must be defined in the config file." \
-                  "Referenced by profile #{profile}"
-        end
-
-        unless sso_session['sso_region']
-          raise ArgumentError, "sso-session #{sso_session_name} missing required parameter: sso_region"
-        end
+        sso_session = sso_session(cfg, profile, sso_session_name)
 
         SSOTokenProvider.new(
           sso_session: sso_session_name,
@@ -469,5 +456,22 @@ def determine_profile(options)
       ret ||= 'default'
       ret
     end
+
+    def sso_session(cfg, profile, sso_session_name)
+      # aws sso-configure may add quotes around sso session names with whitespace
+      sso_session = cfg["sso-session #{sso_session_name}"] || cfg["sso-session '#{sso_session_name}'"]
+
+      unless sso_session
+        raise ArgumentError,
+          "sso-session #{sso_session_name} must be defined in the config file. " \
+                    "Referenced by profile #{profile}"
+      end
+
+      unless sso_session['sso_region']
+        raise ArgumentError, "sso-session #{sso_session_name} missing required parameter: sso_region"
+      end
+
+      sso_session
+    end
   end
 end
diff --git a/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb b/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb
@@ -95,7 +95,7 @@ module Aws
 
       it 'prefers sso credentials over assume role' do
         expect(SSOCredentials).to receive(:new).with(
-          sso_start_url: nil,
+          sso_start_url: 'START_URL',
           sso_region: 'us-east-1',
           sso_account_id: 'SSO_ACCOUNT_ID',
           sso_role_name: 'SSO_ROLE_NAME',
@@ -161,6 +161,29 @@ module Aws
         ).to eq('SSO_AKID')
       end
 
+      it 'loads SSO credentials from when the session name has quotes' do
+        expect(SSOCredentials).to receive(:new).with(
+          sso_start_url: 'START_URL',
+          sso_region: 'us-east-1',
+          sso_account_id: 'SSO_ACCOUNT_ID',
+          sso_role_name: 'SSO_ROLE_NAME',
+          sso_session: 'sso test session'
+        ).and_return(
+          double(
+            'creds',
+            set?: true,
+            credentials: double(access_key_id: 'SSO_AKID')
+          )
+        )
+        client = ApiHelper.sample_rest_xml::Client.new(
+          profile: 'sso_creds_session_with_quotes',
+          token_provider: nil
+        )
+        expect(
+          client.config.credentials.credentials.access_key_id
+        ).to eq('SSO_AKID')
+      end
+
       it 'raises when attempting to load an incomplete SSO Profile' do
         expect do
           ApiHelper.sample_rest_xml::Client.new(
@@ -366,7 +389,7 @@ module Aws
 
         it 'supports :source_profile from sso credentials' do
           expect(SSOCredentials).to receive(:new).with(
-            sso_start_url: nil,
+            sso_start_url: 'START_URL',
             sso_region: 'us-east-1',
             sso_account_id: 'SSO_ACCOUNT_ID',
             sso_role_name: 'SSO_ROLE_NAME',

diff --git a/gems/aws-sdk-core/spec/aws/ini_parser_spec.rb b/gems/aws-sdk-core/spec/aws/ini_parser_spec.rb
@@ -30,6 +30,9 @@ module Aws
 [sso-session dev]
 sso_region = us-east-1
 
+[sso-session 'profile with spaces']
+sso_region = us-east-1
+
 [services test-services]
 s3 =
    endpoint_url = https://localhost:8000

diff --git a/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_config b/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_config
@@ -169,6 +169,16 @@ sso_account_id = 123456789012
 source_profile = sso_creds
 role_arn = arn:aws:iam::123456789012:role/bar
 
+[profile sso_creds_session_with_quotes]
+sso_account_id = SSO_ACCOUNT_ID
+sso_role_name = SSO_ROLE_NAME
+sso_session = sso test session
+region = us-west-1
+
+[sso-session 'sso test session']
+sso_region = us-east-1
+sso_start_url = START_URL
+
 [profile sts_regional]
 aws_access_key_id = AKID
 aws_secret_access_key = SECRET