From 2a872adac4f1c49d45feb5b368e72adf0c343cf4 Mon Sep 17 00:00:00 2001
From: Jonathan Stewmon
Date: Thu, 20 Dec 2018 18:55:44 -0600
Subject: [PATCH] EC2MetadataCredentials should fail to refresh when loaded credentials are expired (#2444)
---
...ature-EC2MetadataCredentials-bebc1355.json | 5 +++
lib/credentials/ec2_metadata_credentials.js | 23 ++++++++----
test/credentials.spec.js | 37 +++++++++++++------
3 files changed, 46 insertions(+), 19 deletions(-)
create mode 100644 .changes/next-release/feature-EC2MetadataCredentials-bebc1355.json
diff --git a/.changes/next-release/feature-EC2MetadataCredentials-bebc1355.json b/.changes/next-release/feature-EC2MetadataCredentials-bebc1355.json
new file mode 100644
index 0000000000..3e52773a79
--- /dev/null
+++ b/.changes/next-release/feature-EC2MetadataCredentials-bebc1355.json
@@ -0,0 +1,5 @@
+{
+ "type": "feature",
+ "category": "EC2MetadataCredentials",
+ "description": "refresh now passes an error to callback if metadata service responds with expired credentials"
+}
\ No newline at end of file
diff --git a/lib/credentials/ec2_metadata_credentials.js b/lib/credentials/ec2_metadata_credentials.js
index 2e1966726c..cd2dba31f0 100644
--- a/lib/credentials/ec2_metadata_credentials.js
+++ b/lib/credentials/ec2_metadata_credentials.js
@@ -72,14 +72,23 @@ AWS.EC2MetadataCredentials = AWS.util.inherit(AWS.Credentials, {
 */
 load: function load(callback) {
 var self = this;
- self.metadataService.loadCredentials(function (err, creds) {
+ self.metadataService.loadCredentials(function(err, creds) {
 if (!err) {
- self.expired = false;
- self.metadata = creds;
- self.accessKeyId = creds.AccessKeyId;
- self.secretAccessKey = creds.SecretAccessKey;
- self.sessionToken = creds.Token;
- self.expireTime = new Date(creds.Expiration);
+ var currentTime = AWS.util.date.getDate();
+ var expireTime = new Date(creds.Expiration);
+ if (expireTime < currentTime) {
+ err = AWS.util.error(
+ new Error('EC2 Instance Metadata Serivce provided expired credentials'),
+ { code: 'EC2MetadataCredentialsProviderFailure' }
+ );
+ } else {
+ self.expired = false;
+ self.metadata = creds;
+ self.accessKeyId = creds.AccessKeyId;
+ self.secretAccessKey = creds.SecretAccessKey;
+ self.sessionToken = creds.Token;
+ self.expireTime = expireTime;
+ }
 }
 callback(err);
 });
diff --git a/test/credentials.spec.js b/test/credentials.spec.js
index cd067f50e9..d7a0f72c8d 100644
--- a/test/credentials.spec.js
+++ b/test/credentials.spec.js
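Review bot: The new guard `if (expireTime < currentTime)` does not catch a missing or unparseable `Expiration`: `new Date(undefined)` or `new Date('not-a-date')` is an Invalid Date whose time value is NaN, every comparison with NaN is false, so such a response passes the check and `self.expireTime` is stored as an Invalid Date, leaving whatever later reads it (presumably the `needsRefresh`/expiry-window logic, which is outside this hunk) comparing against NaN. Make the guard `if (isNaN(expireTime.getTime()) || expireTime < currentTime) {` so a malformed expiration fails the same way as an expired one, and consider wording the message as 'expired or invalid'. The error string also misspells the service name (`Serivce`), and the new spec pins that spelling, so the two should be corrected together. The `load` method is fully contained in the hunk.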
@@ -806,23 +806,27 @@
 });
 });
 describe('needsRefresh', function() {
- return it('can be expired based on expire time from EC2 Metadata service', function() {
+ return it('can be expired based on expire time from EC2 Metadata service', function(done) {
 mockMetadataService(new Date(0));
- creds.refresh(function() {});
- return expect(creds.needsRefresh()).to.equal(true);
+ creds.refresh(function () {
+ expect(creds.needsRefresh()).to.equal(true);
+ done();
+ });
 });
 });
- return describe('refresh', function() {
- it('loads credentials from EC2 Metadata service', function() {
+ describe('refresh', function() {
+ it('loads credentials from EC2 Metadata service', function(done) {
 mockMetadataService(new Date(AWS.util.date.getDate().getTime() + 100000));
- creds.refresh(function() {});
- expect(creds.metadata.Code).to.equal('Success');
- expect(creds.accessKeyId).to.equal('KEY');
- expect(creds.secretAccessKey).to.equal('SECRET');
- expect(creds.sessionToken).to.equal('TOKEN');
- return expect(creds.needsRefresh()).to.equal(false);
+ creds.refresh(function () {
+ expect(creds.metadata.Code).to.equal('Success');
+ expect(creds.accessKeyId).to.equal('KEY');
+ expect(creds.secretAccessKey).to.equal('SECRET');
+ expect(creds.sessionToken).to.equal('TOKEN');
+ expect(creds.needsRefresh()).to.equal(false);
+ done();
+ });
 });
- return it('does try to load creds second time if Metadata service failed', function() {
+ it('does try to load creds second time if Metadata service failed', function() {
 var spy;
 spy = helpers.spyOn(creds.metadataService, 'loadCredentials').andCallFake(function(cb) {
 return cb(new Error('INVALID SERVICE'));
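Review bot: The converted `needsRefresh` test at the top of the hunk no longer checks what its name claims: with `mockMetadataService(new Date(0))` the implementation changed in this commit rejects the response before storing any expire time, so `needsRefresh()` presumably returns true because no credentials were loaded, not "based on expire time from EC2 Metadata service". Either pin the new contract by asserting the rejection, `creds.refresh(function (err) { expect(err).to.not.be.null; expect(creds.needsRefresh()).to.equal(true); done(); });`, or keep the original intent by loading credentials with a future expiration and advancing the mocked clock past it before asserting. As written the callback silently discards `err`, which would hide a regression in the new guard.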
@@ -838,6 +842,15 @@
 });
 });
 });
+ it('fails if the loaded credentials are expired', function (done) {
+ mockMetadataService(new Date(Date.now() - 1))
+ creds.refresh(function (err) {
+ expect(err).to.be.not.null;
+ expect(err.message).to.equal('EC2 Instance Metadata Serivce provided expired credentials');
+ expect(err.code).to.equal('EC2MetadataCredentialsProviderFailure');
+ done();
+ })
+ });
 });
 });
 describe('AWS.RemoteCredentials', function() {
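Review bot: `mockMetadataService(new Date(Date.now() - 1))` derives the expired timestamp from the real clock while the code under test compares against `AWS.util.date.getDate()`, and the sibling test in this file builds its timestamp from `AWS.util.date.getDate().getTime() + 100000`; if the SDK clock is ever mocked or offset in these specs the two disagree and this test passes or fails for the wrong reason, so use `new Date(AWS.util.date.getDate().getTime() - 1)`. `expect(err).to.be.not.null` also accepts `undefined`, after which `err.message` throws a TypeError rather than a readable assertion failure; `expect(err).to.be.an.instanceOf(Error)` is the intended check. The asserted message pins the 'Serivce' misspelling from the implementation, so fixing that typo will require touching this line too. Style: the two statements without semicolons (`mockMetadataService(...)` and the closing `})`) depart from the rest of the file, which terminates every statement.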