From 9a5903e2adda2a1d71e9f7e69f9bd60cde137c60 Mon Sep 17 00:00:00 2001 From: Alex Woods Date: Wed, 9 Aug 2023 08:59:21 -0700 Subject: [PATCH 1/4] Handle sso session names with quotes/spaces --- .../lib/aws-sdk-core/shared_config.rb | 40 +++++++++++-------- .../aws/credential_resolution_chain_spec.rb | 23 +++++++++++ gems/aws-sdk-core/spec/aws/ini_parser_spec.rb | 3 ++ .../fixtures/credentials/mock_shared_config | 10 +++++ 4 files changed, 60 insertions(+), 16 deletions(-) diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb b/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb index 98fa832ab93..9be824ca38b 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb @@ -359,12 +359,8 @@ def sso_credentials_from_profile(cfg, profile) !(prof_config.keys & SSO_CREDENTIAL_PROFILE_KEYS).empty? if sso_session_name = prof_config['sso_session'] - sso_session = cfg["sso-session #{sso_session_name}"] - unless sso_session - raise ArgumentError, - "sso-session #{sso_session_name} must be defined in the config file. " \ - "Referenced by profile #{profile}" - end + sso_session = sso_session(cfg, profile, sso_session_name) + sso_region = sso_session['sso_region'] sso_start_url = sso_session['sso_start_url'] @@ -402,16 +398,7 @@ def sso_token_from_profile(cfg, profile) !(prof_config.keys & SSO_TOKEN_PROFILE_KEYS).empty? sso_session_name = prof_config['sso_session'] - sso_session = cfg["sso-session #{sso_session_name}"] - unless sso_session - raise ArgumentError, - "sso-session #{sso_session_name} must be defined in the config file." \ - "Referenced by profile #{profile}" - end - - unless sso_session['sso_region'] - raise ArgumentError, "sso-session #{sso_session_name} missing required parameter: sso_region" - end + sso_session = sso_session(cfg, profile, sso_session_name) SSOTokenProvider.new( sso_session: sso_session_name, 
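Review bot: The assignment `sso_session = sso_session(cfg, profile, sso_session_name)` gives a local variable the same name as the helper it calls, in the sso_credentials_from_profile hunk and again in the sso_token_from_profile hunk after it. Ruby treats the right-hand side as a method call only because of the parentheses and arguments; every later bare `sso_session` in these methods is the local, which is easy to misread in credential-resolution code. Renaming the helper removes the ambiguity, for example `def sso_session_config(cfg, profile, sso_session_name)` with call sites `sso_session = sso_session_config(cfg, profile, sso_session_name)`. Both methods start and end outside their hunks.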
@@ -469,5 +456,26 @@ def determine_profile(options) ret ||= 'default' ret end + + def sso_session(cfg, profile, sso_session_name) + sso_session = cfg["sso-session #{sso_session_name}"] + + if sso_session.nil? && sso_session_name.match(/\s/) + # aws sso-configure may add quotes around sso session names with whitespace + sso_session = cfg["sso-session '#{sso_session_name}'"] + end + + unless sso_session + raise ArgumentError, + "sso-session #{sso_session_name} must be defined in the config file. " \ + "Referenced by profile #{profile}" + end + + unless sso_session['sso_region'] + raise ArgumentError, "sso-session #{sso_session_name} missing required parameter: sso_region" + end + + sso_session + end end end diff --git a/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb b/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb index 8c1acf4f062..b76209c79df 100644 --- a/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb +++ b/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb @@ -161,6 +161,29 @@ module Aws ).to eq('SSO_AKID') end + it 'loads SSO credentials from when the session name has quotes' do + expect(SSOCredentials).to receive(:new).with( + sso_start_url: nil, + sso_region: 'us-east-1', + sso_account_id: 'SSO_ACCOUNT_ID', + sso_role_name: 'SSO_ROLE_NAME', + sso_session: 'sso test session' + ).and_return( + double( + 'creds', + set?: true, + credentials: double(access_key_id: 'SSO_AKID') + ) + ) + client = ApiHelper.sample_rest_xml::Client.new( + profile: 'sso_creds_session_with_quotes', + token_provider: nil + ) + expect( + client.config.credentials.credentials.access_key_id + ).to eq('SSO_AKID') + end + it 'raises when attempting to load an incomplete SSO Profile' do expect do ApiHelper.sample_rest_xml::Client.new( diff --git a/gems/aws-sdk-core/spec/aws/ini_parser_spec.rb b/gems/aws-sdk-core/spec/aws/ini_parser_spec.rb index 99a2602e6f5..a1b453f8186 100644 --- a/gems/aws-sdk-core/spec/aws/ini_parser_spec.rb 
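Review bot: The new example covers only the SSOCredentials path, while the same commit also routes sso_token_from_profile through the quoted-section lookup, and nothing here exercises that path. The ArgumentError raised when no matching section exists is also not tested for a session name containing whitespace. Since this lookup decides which sso-session block supplies credentials, consider adding one example that resolves a token provider from the `sso_creds_session_with_quotes` profile and one that expects `raise_error(ArgumentError)` for a profile whose quoted session is absent. The description also has a stray word; `it 'loads SSO credentials when the session name has quotes' do` reads correctly.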
+++ b/gems/aws-sdk-core/spec/aws/ini_parser_spec.rb @@ -30,6 +30,9 @@ module Aws [sso-session dev] sso_region = us-east-1 +[sso-session 'profile with spaces'] +sso_region = us-east-1 + [services test-services] s3 = endpoint_url = https://localhost:8000 diff --git a/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_config b/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_config index 1086afd6441..d6f08fba9bc 100644 --- a/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_config +++ b/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_config @@ -169,6 +169,16 @@ sso_account_id = 123456789012 source_profile = sso_creds role_arn = arn:aws:iam::123456789012:role/bar +[profile sso_creds_session_with_quotes] +sso_account_id = SSO_ACCOUNT_ID +sso_role_name = SSO_ROLE_NAME +sso_session = sso test session +region = us-west-1 + +[sso-session 'sso test session'] +sso_region = us-east-1 +sso_start_url = START_URL + [profile sts_regional] aws_access_key_id = AKID aws_secret_access_key = SECRET From dc053152aae8e4ff6276b717eda3f4cf1ce7306e Mon Sep 17 00:00:00 2001 From: Alex Woods Date: Wed, 9 Aug 2023 09:04:26 -0700 Subject: [PATCH 2/4] Add changelog --- gems/aws-sdk-core/CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md index f3e08e0e42e..d89d4737a86 100644 --- a/gems/aws-sdk-core/CHANGELOG.md +++ b/gems/aws-sdk-core/CHANGELOG.md @@ -1,6 +1,8 @@ Unreleased Changes ------------------ +* Issue - Add support for sso-session names with whitespace configured by the CLI `aws sso configure` command (#2895). + 3.180.2 (2023-08-07) ------------------ From ef5d0758c290288162307f430715643205b7f35c Mon Sep 17 00:00:00 2001 From: Alex Woods Date: Wed, 9 Aug 2023 10:24:49 -0700 Subject: [PATCH 3/4] Minor cleanups --- gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) 
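Review bot: The fixture gains a `[sso-session 'profile with spaces']` section, but nothing in this hunk asserts how the parser keys it; the diffstat lists only these three added lines for the file. The shared_config lookup in this series builds the key as `"sso-session '#{sso_session_name}'"`, so it relies on the parser keeping the quotes verbatim in the section name. Pinning that in the spec would catch a later parser change that strips or normalises quotes, for example `expect(parsed["sso-session 'profile with spaces'"]).to eq('sso_region' => 'us-east-1')`, where `parsed` stands for the spec's own subject, which is outside the hunk.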
diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb b/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb index 9be824ca38b..3180e05de51 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb @@ -385,7 +385,7 @@ def sso_credentials_from_profile(cfg, profile) sso_role_name: prof_config['sso_role_name'], sso_session: prof_config['sso_session'], sso_region: sso_region, - sso_start_url: prof_config['sso_start_url'] + sso_start_url: sso_start_url ) end end @@ -458,12 +458,8 @@ def determine_profile(options) end def sso_session(cfg, profile, sso_session_name) - sso_session = cfg["sso-session #{sso_session_name}"] - - if sso_session.nil? && sso_session_name.match(/\s/) - # aws sso-configure may add quotes around sso session names with whitespace - sso_session = cfg["sso-session '#{sso_session_name}'"] - end + # aws sso-configure may add quotes around sso session names with whitespace + sso_session = cfg["sso-session #{sso_session_name}"] || cfg["sso-session '#{sso_session_name}'"] unless sso_session raise ArgumentError, From 733322a50f9010e55200df96da568d6930068323 Mon Sep 17 00:00:00 2001 From: Alex Woods Date: Wed, 9 Aug 2023 10:42:25 -0700 Subject: [PATCH 4/4] Fix tests --- .../spec/aws/credential_resolution_chain_spec.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb b/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb index b76209c79df..8cddbc7ae58 100644 --- a/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb +++ b/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb @@ -95,7 +95,7 @@ module Aws it 'prefers sso credentials over assume role' do expect(SSOCredentials).to receive(:new).with( - sso_start_url: nil, + sso_start_url: 'START_URL', sso_region: 'us-east-1', sso_account_id: 'SSO_ACCOUNT_ID', sso_role_name: 'SSO_ROLE_NAME', 
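Review bot: Switching to `sso_start_url: sso_start_url` changes which start URL reaches SSOCredentials, which is more than the "Minor cleanups" subject suggests; the spec updates later in the series move the expected value from nil to 'START_URL'. The only assignment of `sso_start_url` visible in this series sits inside the `if sso_session_name = prof_config['sso_session']` branch. Please confirm the local is also set for profiles that carry `sso_start_url` directly without an sso-session, since that code is outside the hunk. A changelog line such as `* Issue - Pass sso_start_url from the sso-session section to SSOCredentials.` would make the change visible to users.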
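Review bot: The comment on the rewritten lookup names the command `aws sso-configure`, while the changelog entry in this series calls it `aws sso configure`; the comment should match, e.g. `# \`aws sso configure\` may wrap session names containing whitespace in single quotes`. With the whitespace guard removed, the quoted fallback is now tried for every session name. When both `[sso-session NAME]` and `[sso-session 'NAME']` exist, the unquoted section wins without notice. Because this choice selects which SSO session supplies credentials, the precedence is worth stating in the same comment. The helper's body continues outside the hunk.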
@@ -163,7 +163,7 @@ module Aws it 'loads SSO credentials from when the session name has quotes' do expect(SSOCredentials).to receive(:new).with( - sso_start_url: nil, + sso_start_url: 'START_URL', sso_region: 'us-east-1', sso_account_id: 'SSO_ACCOUNT_ID', sso_role_name: 'SSO_ROLE_NAME', @@ -389,7 +389,7 @@ module Aws it 'supports :source_profile from sso credentials' do expect(SSOCredentials).to receive(:new).with( - sso_start_url: nil, + sso_start_url: 'START_URL', sso_region: 'us-east-1', sso_account_id: 'SSO_ACCOUNT_ID', sso_role_name: 'SSO_ROLE_NAME',