update the testcases accordingly

Author: smilkuri

packages/credential-provider-imds/src/fromInstanceMetadata.spec.ts

@@ -1,22 +1,27 @@
+import { loadConfig } from "@smithy/node-config-provider";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { afterEach, beforeEach, describe, expect, test as it, vi } from "vitest";
-
 import { InstanceMetadataV1FallbackError } from "./error/InstanceMetadataV1FallbackError";
-import { fromInstanceMetadata } from "./fromInstanceMetadata";
+import { checkIfImdsDisabled, fromInstanceMetadata } from "./fromInstanceMetadata";
+import * as fromInstanceMetadataModule from "./fromInstanceMetadata";
 import { httpRequest } from "./remoteProvider/httpRequest";
 import { fromImdsCredentials, isImdsCredentials } from "./remoteProvider/ImdsCredentials";
 import { providerConfigFromInit } from "./remoteProvider/RemoteProviderInit";
 import { retry } from "./remoteProvider/retry";
 import { getInstanceMetadataEndpoint } from "./utils/getInstanceMetadataEndpoint";
 import { staticStabilityProvider } from "./utils/staticStabilityProvider";
 
+
+
+vi.mock("@smithy/node-config-provider");
 vi.mock("./remoteProvider/httpRequest");
 vi.mock("./remoteProvider/ImdsCredentials");
 vi.mock("./remoteProvider/retry");
 vi.mock("./remoteProvider/RemoteProviderInit");
 vi.mock("./utils/getInstanceMetadataEndpoint");
 vi.mock("./utils/staticStabilityProvider");
 
+
 describe("fromInstanceMetadata", () => {
   const hostname = "127.0.0.1";
   const mockTimeout = 1000;
@@ -36,7 +41,7 @@ describe("fromInstanceMetadata", () => {
 
   const mockProfileRequestOptions = {
     hostname,
-    path: "/latest/meta-data/iam/security-credentials/",
+    path: "/latest/meta-data/iam/security-credentials-extended/",
     timeout: mockTimeout,
     headers: {
       "x-aws-ec2-metadata-token": mockToken,
@@ -49,18 +54,22 @@ describe("fromInstanceMetadata", () => {
     SecretAccessKey: "bar",
     Token: "baz",
     Expiration: ONE_HOUR_IN_FUTURE.toISOString(),
+    AccountId: "123456789012"
   });
 
   const mockCreds = Object.freeze({
     accessKeyId: mockImdsCreds.AccessKeyId,
     secretAccessKey: mockImdsCreds.SecretAccessKey,
     sessionToken: mockImdsCreds.Token,
     expiration: new Date(mockImdsCreds.Expiration),
+    accountId: mockImdsCreds.AccountId
   });
 
   beforeEach(() => {
     vi.mocked(staticStabilityProvider).mockImplementation((input) => input);
     vi.mocked(getInstanceMetadataEndpoint).mockResolvedValue({ hostname } as any);
+    vi.mocked(loadConfig).mockReturnValue(() => Promise.resolve(false));
+    vi.spyOn(fromInstanceMetadataModule, "checkIfImdsDisabled").mockResolvedValue(undefined);
     (isImdsCredentials as unknown as any).mockReturnValue(true);
     vi.mocked(providerConfigFromInit).mockReturnValue({
       timeout: mockTimeout,
@@ -72,6 +81,67 @@ describe("fromInstanceMetadata", () => {
     vi.resetAllMocks();
   });
 
+  it("returns no credentials when AWS_EC2_METADATA_DISABLED=true", async () => {
+  vi.mocked(loadConfig).mockReturnValueOnce(() => Promise.resolve(true));
+  vi.mocked(fromInstanceMetadataModule.checkIfImdsDisabled).mockRejectedValueOnce(
+    new CredentialsProviderError("IMDS credential fetching is disabled")
+  );
+  const provider = fromInstanceMetadata({});
+
+  await expect(provider()).rejects.toEqual(
+    new CredentialsProviderError("IMDS credential fetching is disabled")
+  );
+  expect(httpRequest).not.toHaveBeenCalled();
+  });
+
+  it("returns valid credentials with account ID when ec2InstanceProfileName is provided", async () => {
+  const profileName = "my-profile-0002";
+  
+  vi.mocked(httpRequest)
+    .mockResolvedValueOnce(mockToken as any)
+    .mockResolvedValueOnce(JSON.stringify(mockImdsCreds) as any);
+  
+  vi.mocked(retry).mockImplementation((fn: any) => fn());
+  vi.mocked(fromImdsCredentials).mockReturnValue(mockCreds);
+  
+  const result = await fromInstanceMetadata({ ec2InstanceProfileName: profileName })();
+  
+  expect(result).toEqual(mockCreds);
+  expect(result.accountId).toBe(mockCreds.accountId);
+
+  expect(httpRequest).toHaveBeenCalledTimes(2);
+  expect(httpRequest).toHaveBeenNthCalledWith(1, mockTokenRequestOptions);
+  expect(httpRequest).toHaveBeenNthCalledWith(2, {
+    ...mockProfileRequestOptions,
+    path: `${mockProfileRequestOptions.path}${profileName}`,
+  });
+  });
+
+  it("returns valid credentials with account ID when profile is discovered from IMDS", async () => {
+  vi.mocked(httpRequest)
+    .mockResolvedValueOnce(mockToken as any)               
+    .mockResolvedValueOnce(mockProfile as any)           
+    .mockResolvedValueOnce(JSON.stringify(mockImdsCreds) as any); 
+
+  vi.mocked(retry).mockImplementation((fn: any) => fn());
+  vi.mocked(fromImdsCredentials).mockReturnValue(mockCreds);
+
+  const provider = fromInstanceMetadata({});
+
+  const result = await provider();
+
+  expect(result).toEqual(mockCreds);
+  expect(result.accountId).toBe(mockCreds.accountId);
+
+  expect(httpRequest).toHaveBeenCalledTimes(3);
+  expect(httpRequest).toHaveBeenNthCalledWith(1, mockTokenRequestOptions);
+  expect(httpRequest).toHaveBeenNthCalledWith(2, mockProfileRequestOptions);
+  expect(httpRequest).toHaveBeenNthCalledWith(3, {
+    ...mockProfileRequestOptions,
+    path: `${mockProfileRequestOptions.path}${mockProfile}`,
+  });
+});
+
   it("gets token and profile name to fetch credentials", async () => {
     vi.mocked(httpRequest)
       .mockResolvedValueOnce(mockToken as any)
@@ -99,6 +169,7 @@ describe("fromInstanceMetadata", () => {
 
     vi.mocked(retry).mockImplementation((fn: any) => fn());
     vi.mocked(fromImdsCredentials).mockReturnValue(mockCreds);
+    vi.mocked(checkIfImdsDisabled).mockReturnValueOnce(Promise.resolve());
 
     await expect(fromInstanceMetadata()()).resolves.toEqual(mockCreds);
     expect(httpRequest).toHaveBeenNthCalledWith(3, {
@@ -109,6 +180,7 @@ describe("fromInstanceMetadata", () => {
 
   it("passes {} to providerConfigFromInit if init not defined", async () => {
     vi.mocked(retry).mockResolvedValueOnce(mockProfile).mockResolvedValueOnce(mockCreds);
+    vi.mocked(loadConfig).mockReturnValueOnce(() => Promise.resolve(false));
 
     await expect(fromInstanceMetadata()()).resolves.toEqual(mockCreds);
     expect(providerConfigFromInit).toHaveBeenCalledTimes(1);
@@ -117,6 +189,7 @@ describe("fromInstanceMetadata", () => {
 
   it("passes init to providerConfigFromInit", async () => {
     vi.mocked(retry).mockResolvedValueOnce(mockProfile).mockResolvedValueOnce(mockCreds);
+    vi.mocked(loadConfig).mockReturnValueOnce(() => Promise.resolve(false));
 
     const init = { maxRetries: 5, timeout: 1213 };
     await expect(fromInstanceMetadata(init)()).resolves.toEqual(mockCreds);
@@ -213,6 +286,79 @@ describe("fromInstanceMetadata", () => {
     expect(vi.mocked(staticStabilityProvider)).toBeCalledTimes(1);
   });
 
+  describe("getImdsProfileHelper", () => {
+  beforeEach(() => {
+    vi.mocked(httpRequest).mockClear();
+    vi.mocked(loadConfig).mockClear();
+    vi.mocked(retry).mockImplementation((fn: any) => fn());
+  });
+  
+  it("uses ec2InstanceProfileName from init if provided", async () => {
+  const profileName = "profile-from-init";
+  const options = { hostname } as any;
+
+  // Only use vi.spyOn for imported functions
+  vi.spyOn(fromInstanceMetadataModule, "getConfiguredProfileName").mockResolvedValueOnce(profileName);
+
+  const result = await fromInstanceMetadataModule.getImdsProfileHelper(
+    options, mockMaxRetries, { ec2InstanceProfileName: profileName }
+  );
+
+  expect(result).toBe(profileName);
+  expect(httpRequest).not.toHaveBeenCalled();
+  });
+  
+  it("uses environment variable if ec2InstanceProfileName not provided", async () => {
+  const envProfileName = "profile-from-env";
+  const options = { hostname } as any;
+
+  // Mock loadConfig to simulate env variable present
+  vi.mocked(loadConfig).mockReturnValue(() => Promise.resolve(envProfileName));
+
+  const result = await fromInstanceMetadataModule.getImdsProfileHelper(
+    options, mockMaxRetries, {}
+  );
+
+  expect(result).toBe(envProfileName);
+  expect(httpRequest).not.toHaveBeenCalled();
+});
+  
+  it("uses profile from config file if present, otherwise falls back to IMDS (extended then legacy)", async () => {
+  const configProfileName = "profile-from-config";
+  const legacyProfileName = "profile-from-legacy";
+  const options = { hostname } as any;
+
+  // 1. Simulate config file present: should return configProfileName, no IMDS call
+  vi.mocked(loadConfig).mockReturnValue(() => Promise.resolve(configProfileName));
+
+  let result = await fromInstanceMetadataModule.getImdsProfileHelper(
+    options, mockMaxRetries, {}
+  );
+  expect(result).toBe(configProfileName);
+  expect(httpRequest).not.toHaveBeenCalled();
+
+  // 2. Simulate config file missing: should call IMDS (extended fails, legacy succeeds)
+  vi.mocked(loadConfig).mockReturnValue(() => Promise.resolve(null));
+  vi.mocked(httpRequest)
+    .mockRejectedValueOnce(Object.assign(new Error(), { statusCode: 404 }))
+    .mockResolvedValueOnce(legacyProfileName as any);
+
+  result = await fromInstanceMetadataModule.getImdsProfileHelper(
+    options, mockMaxRetries, {}
+  );
+  expect(result).toBe(legacyProfileName);
+  expect(httpRequest).toHaveBeenCalledTimes(2);
+  expect(httpRequest).toHaveBeenNthCalledWith(1, {
+    ...options,
+    path: "/latest/meta-data/iam/security-credentials-extended/"
+  });
+  expect(httpRequest).toHaveBeenNthCalledWith(2, {
+    ...options,
+    path: "/latest/meta-data/iam/security-credentials/"
+  });
+});
+});
+
   describe("disables fetching of token", () => {
     beforeEach(() => {
       vi.mocked(retry).mockImplementation((fn: any) => fn());
@@ -303,4 +449,4 @@ describe("fromInstanceMetadata", () => {
     });
     await expect(() => fromInstanceMetadataFunc()).rejects.toBeInstanceOf(InstanceMetadataV1FallbackError);
   });
-});
+});

packages/credential-provider-imds/src/fromInstanceMetadata.ts

@@ -147,15 +147,21 @@ const getInstanceMetadataProvider = (init: RemoteProviderInit = {}) => {
  * @internal
  * Gets IMDS profile with proper error handling and retries
  */
-const getImdsProfileHelper = async (
+export const getImdsProfileHelper = async (
   options: RequestOptions,
   maxRetries: number,
   init: RemoteProviderInit = {},
-  profile?: string
+  profile?: string,
+  resetCache?: boolean
 ): Promise<string> => {
   let apiVersion: "unknown" | "extended" | "legacy" = "unknown";
   let resolvedProfile: string | null = null;
-  
+
+  // If resetCache is true, clear the cached profile name
+  if (resetCache) {
+    resolvedProfile = null;
+  }
+
   return retry<string>(async () => {
     // First check if a profile name is configured
     const configuredName = await getConfiguredProfileName(init, profile);
@@ -206,7 +212,7 @@ const getMetadataToken = async (options: RequestOptions) =>
  * @internal
  * Checks if IMDS credential fetching is disabled through configuration
  */
-const checkIfImdsDisabled = async (profile?: string, logger?: any): Promise<void> => {
+export const checkIfImdsDisabled = async (profile?: string, logger?: any): Promise<void> => {
   // Load configuration in priority order
   const disableImds = await loadConfig(
     {
@@ -235,7 +241,7 @@ const checkIfImdsDisabled = async (profile?: string, logger?: any): Promise<void
  * @internal
  * Gets configured profile name from various sources
  */
-const getConfiguredProfileName = async (init: RemoteProviderInit, profile?: string): Promise<string | null> => {
+export const getConfiguredProfileName = async (init: RemoteProviderInit, profile?: string): Promise<string | null> => {
   // Load configuration in priority order
   const profileName = await loadConfig(
     {
@@ -278,8 +284,8 @@ const getCredentialsFromProfile = async (profile: string, options: RequestOption
             // If legacy API also returns 404 and we're using a cached profile name,
             // the profile might have changed - clear cache and retry
             const resolvedProfile = null;
-            const newProfileName = await getImdsProfileHelper(options, init.maxRetries ?? 3, init, profile);
-            return getCredentialsFromProfile(newProfileName, options, init);
+            const newProfileName = await getImdsProfileHelper(options, init.maxRetries ?? 3, init, profile, true);
+            return getCredentialsFromProfile(newProfileName, options, init);           
           }
         throw legacyError;
       }