rebase: bump github.com/aws/aws-sdk-go-v2/service/sts

Bumps [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) from 1.16.0 to 1.16.3. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.16.0...service/efs/v1.16.3) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/sts dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2025-06-13 10:33:35 +00:00 · 2022-04-08 14:26:28 +00:00
parent a44a97f3c5
commit 539050a857
18 changed files with 200 additions and 62 deletions
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/credential_cache.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/credential_cache.go
@ -2,6 +2,7 @@ package aws

 import (
 	"context"
+	"fmt"
 	"sync/atomic"
 	"time"

@ -24,11 +25,13 @@ type CredentialsCacheOptions struct {
 	// If ExpiryWindow is 0 or less it will be ignored.
 	ExpiryWindow time.Duration

-	// ExpiryWindowJitterFrac provides a mechanism for randomizing the expiration of credentials
-	// within the configured ExpiryWindow by a random percentage. Valid values are between 0.0 and 1.0.
+	// ExpiryWindowJitterFrac provides a mechanism for randomizing the
+	// expiration of credentials within the configured ExpiryWindow by a random
+	// percentage. Valid values are between 0.0 and 1.0.
 	//
-	// As an example if ExpiryWindow is 60 seconds and ExpiryWindowJitterFrac is 0.5 then credentials will be set to
-	// expire between 30 to 60 seconds prior to their actual expiration time.
+	// As an example if ExpiryWindow is 60 seconds and ExpiryWindowJitterFrac
+	// is 0.5 then credentials will be set to expire between 30 to 60 seconds
+	// prior to their actual expiration time.
 	//
 	// If ExpiryWindow is 0 or less then ExpiryWindowJitterFrac is ignored.
 	// If ExpiryWindowJitterFrac is 0 then no randomization will be applied to the window.
@ -39,8 +42,19 @@ type CredentialsCacheOptions struct {

 // CredentialsCache provides caching and concurrency safe credentials retrieval
 // via the provider's retrieve method.
+//
+// CredentialsCache will look for optional interfaces on the Provider to adjust
+// how the credential cache handles credentials caching.
+//
+//   * HandleFailRefreshCredentialsCacheStrategy - Allows provider to handle
+//   credential refresh failures. This could return an updated Credentials
+//   value, or attempt another means of retrieving credentials.
+//
+//   * AdjustExpiresByCredentialsCacheStrategy - Allows provider to adjust how
+//   credentials Expires is modified. This could modify how the Credentials
+//   Expires is adjusted based on the CredentialsCache ExpiryWindow option.
+//   Such as providing a floor not to reduce the Expires below.
 type CredentialsCache struct {
-	// provider is the CredentialProvider implementation to be wrapped by the CredentialCache.
 	provider CredentialsProvider

 	options CredentialsCacheOptions
@ -48,8 +62,9 @@ type CredentialsCache struct {
 	sf      singleflight.Group
 }

-// NewCredentialsCache returns a CredentialsCache that wraps provider. Provider is expected to not be nil. A variadic
-// list of one or more functions can be provided to modify the CredentialsCache configuration. This allows for
+// NewCredentialsCache returns a CredentialsCache that wraps provider. Provider
+// is expected to not be nil. A variadic list of one or more functions can be
+// provided to modify the CredentialsCache configuration. This allows for
 // configuration of credential expiry window and jitter.
 func NewCredentialsCache(provider CredentialsProvider, optFns ...func(options *CredentialsCacheOptions)) *CredentialsCache {
 	options := CredentialsCacheOptions{}
@ -81,8 +96,8 @@ func NewCredentialsCache(provider CredentialsProvider, optFns ...func(options *C
 //
 // Returns and error if the provider's retrieve method returns an error.
 func (p *CredentialsCache) Retrieve(ctx context.Context) (Credentials, error) {
-	if creds := p.getCreds(); creds != nil {
-		return *creds, nil
+	if creds, ok := p.getCreds(); ok && !creds.Expired() {
+		return creds, nil
 	}

 	resCh := p.sf.DoChan("", func() (interface{}, error) {
@ -97,39 +112,64 @@ func (p *CredentialsCache) Retrieve(ctx context.Context) (Credentials, error) {
 }

 func (p *CredentialsCache) singleRetrieve(ctx context.Context) (interface{}, error) {
-	if creds := p.getCreds(); creds != nil {
-		return *creds, nil
+	currCreds, ok := p.getCreds()
+	if ok && !currCreds.Expired() {
+		return currCreds, nil
 	}

-	creds, err := p.provider.Retrieve(ctx)
-	if err == nil {
-		if creds.CanExpire {
-			randFloat64, err := sdkrand.CryptoRandFloat64()
-			if err != nil {
-				return Credentials{}, err
-			}
-			jitter := time.Duration(randFloat64 * p.options.ExpiryWindowJitterFrac * float64(p.options.ExpiryWindow))
-			creds.Expires = creds.Expires.Add(-(p.options.ExpiryWindow - jitter))
+	newCreds, err := p.provider.Retrieve(ctx)
+	if err != nil {
+		handleFailToRefresh := defaultHandleFailToRefresh
+		if cs, ok := p.provider.(HandleFailRefreshCredentialsCacheStrategy); ok {
+			handleFailToRefresh = cs.HandleFailToRefresh
+		}
+		newCreds, err = handleFailToRefresh(ctx, currCreds, err)
+		if err != nil {
+			return Credentials{}, fmt.Errorf("failed to refresh cached credentials, %w", err)
+		}
+	}
+
+	if newCreds.CanExpire && p.options.ExpiryWindow > 0 {
+		adjustExpiresBy := defaultAdjustExpiresBy
+		if cs, ok := p.provider.(AdjustExpiresByCredentialsCacheStrategy); ok {
+			adjustExpiresBy = cs.AdjustExpiresBy
 		}

-		p.creds.Store(&creds)
+		randFloat64, err := sdkrand.CryptoRandFloat64()
+		if err != nil {
+			return Credentials{}, fmt.Errorf("failed to get random provider, %w", err)
+		}
+
+		var jitter time.Duration
+		if p.options.ExpiryWindowJitterFrac > 0 {
+			jitter = time.Duration(randFloat64 *
+				p.options.ExpiryWindowJitterFrac * float64(p.options.ExpiryWindow))
+		}
+
+		newCreds, err = adjustExpiresBy(newCreds, -(p.options.ExpiryWindow - jitter))
+		if err != nil {
+			return Credentials{}, fmt.Errorf("failed to adjust credentials expires, %w", err)
+		}
 	}

-	return creds, err
+	p.creds.Store(&newCreds)
+	return newCreds, nil
 }

-func (p *CredentialsCache) getCreds() *Credentials {
+// getCreds returns the currently stored credentials and true. Returning false
+// if no credentials were stored.
+func (p *CredentialsCache) getCreds() (Credentials, bool) {
 	v := p.creds.Load()
 	if v == nil {
-		return nil
+		return Credentials{}, false
 	}

 	c := v.(*Credentials)
-	if c != nil && c.HasKeys() && !c.Expired() {
-		return c
+	if c == nil || !c.HasKeys() {
+		return Credentials{}, false
 	}

-	return nil
+	return *c, true
 }

 // Invalidate will invalidate the cached credentials. The next call to Retrieve
@ -137,3 +177,42 @@ func (p *CredentialsCache) getCreds() *Credentials {
 func (p *CredentialsCache) Invalidate() {
 	p.creds.Store((*Credentials)(nil))
 }
+
+// HandleFailRefreshCredentialsCacheStrategy is an interface for
+// CredentialsCache to allow CredentialsProvider  how failed to refresh
+// credentials is handled.
+type HandleFailRefreshCredentialsCacheStrategy interface {
+	// Given the previously cached Credentials, if any, and refresh error, may
+	// returns new or modified set of Credentials, or error.
+	//
+	// Credential caches may use default implementation if nil.
+	HandleFailToRefresh(context.Context, Credentials, error) (Credentials, error)
+}
+
+// defaultHandleFailToRefresh returns the passed in error.
+func defaultHandleFailToRefresh(ctx context.Context, _ Credentials, err error) (Credentials, error) {
+	return Credentials{}, err
+}
+
+// AdjustExpiresByCredentialsCacheStrategy is an interface for CredentialCache
+// to allow CredentialsProvider to intercept adjustments to Credentials expiry
+// based on expectations and use cases of CredentialsProvider.
+//
+// Credential caches may use default implementation if nil.
+type AdjustExpiresByCredentialsCacheStrategy interface {
+	// Given a Credentials as input, applying any mutations and
+	// returning the potentially updated Credentials, or error.
+	AdjustExpiresBy(Credentials, time.Duration) (Credentials, error)
+}
+
+// defaultAdjustExpiresBy adds the duration to the passed in credentials Expires,
+// and returns the updated credentials value. If Credentials value's CanExpire
+// is false, the passed in credentials are returned unchanged.
+func defaultAdjustExpiresBy(creds Credentials, dur time.Duration) (Credentials, error) {
+	if !creds.CanExpire {
+		return creds, nil
+	}
+
+	creds.Expires = creds.Expires.Add(dur)
+	return creds, nil
+}
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go
@ -83,16 +83,20 @@ type Credentials struct {
 	// Source of the credentials
 	Source string

-	// Time the credentials will expire.
+	// States if the credentials can expire or not.
 	CanExpire bool
-	Expires   time.Time
+
+	// The time the credentials will expire at. Should be ignored if CanExpire
+	// is false.
+	Expires time.Time
 }

 // Expired returns if the credentials have expired.
 func (v Credentials) Expired() bool {
 	if v.CanExpire {
-		// Calling Round(0) on the current time will truncate the monotonic reading only. Ensures credential expiry
-		// time is always based on reported wall-clock time.
+		// Calling Round(0) on the current time will truncate the monotonic
+		// reading only. Ensures credential expiry time is always based on
+		// reported wall-clock time.
 		return !v.Expires.After(sdk.NowTime().Round(0))
 	}

--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
@ -3,4 +3,4 @@
 package aws

 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.15.0"
+const goModuleVersion = "1.16.2"
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
@ -1,3 +1,15 @@
+# v1.1.9 (2022-03-30)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.1.8 (2022-03-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.1.7 (2022-03-23)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.1.6 (2022-03-08)

 * **Dependency Update**: Updated to the latest SDK module versions
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
@ -3,4 +3,4 @@
 package configsources

 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.1.6"
+const goModuleVersion = "1.1.9"
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
@ -1,3 +1,15 @@
+# v2.4.3 (2022-03-30)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.4.2 (2022-03-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.4.1 (2022-03-23)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v2.4.0 (2022-03-08)

 * **Feature**: Updated `github.com/aws/smithy-go` to latest version
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
@ -3,4 +3,4 @@
 package endpoints

 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "2.4.0"
+const goModuleVersion = "2.4.3"
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/rand/rand.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/rand/rand.go
@ -29,5 +29,5 @@ func Float64(reader io.Reader) (float64, error) {
 // CryptoRandFloat64 returns a random float64 obtained from the crypto rand
 // source.
 func CryptoRandFloat64() (float64, error) {
-	return Float64(rand.Reader)
+	return Float64(Reader)
 }
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
@ -1,3 +1,15 @@
+# v1.9.3 (2022-03-30)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.9.2 (2022-03-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.9.1 (2022-03-23)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.9.0 (2022-03-08)

 * **Feature**: Updated `github.com/aws/smithy-go` to latest version
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
@ -3,4 +3,4 @@
 package presignedurl

 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.9.0"
+const goModuleVersion = "1.9.3"
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
@ -1,3 +1,15 @@
+# v1.16.3 (2022-03-30)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.2 (2022-03-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.1 (2022-03-23)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.16.0 (2022-03-08)

 * **Feature**: Updated `github.com/aws/smithy-go` to latest version
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
@ -3,4 +3,4 @@
 package sts

 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.16.0"
+const goModuleVersion = "1.16.3"