Forcing expiration of instance profile credentials early to prevent u…

…sing expired credentials.
ragboyjr · Apr 30, 2015 · 300df7a · 300df7a
1 parent ca60073
commit 300df7a
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/src/Aws/Common/Credentials/RefreshableInstanceProfileCredentials.php b/src/Aws/Common/Credentials/RefreshableInstanceProfileCredentials.php
@@ -50,10 +50,10 @@ public function __construct(CredentialsInterface $credentials, InstanceMetadataC
     protected function refresh()
     {
         $credentials = $this->client->getInstanceProfileCredentials();
-        // Expire the token 1 minute before it actually expires to pre-fetch before expiring
+        // Expire the token 30 minutes early to pre-fetch before expiring.
         $this->credentials->setAccessKeyId($credentials->getAccessKeyId())
             ->setSecretKey($credentials->getSecretKey())
             ->setSecurityToken($credentials->getSecurityToken())
-            ->setExpiration($credentials->getExpiration());
+            ->setExpiration($credentials->getExpiration() - 1800);
     }
 }
diff --git a/tests/Aws/Tests/Common/Credentials/RefreshableInstanceProfileCredentialsIntegrationTest.php b/tests/Aws/Tests/Common/Credentials/RefreshableInstanceProfileCredentialsIntegrationTest.php
@@ -32,6 +32,7 @@ class RefreshableInstanceProfileCredentialsIntegrationTest extends \Aws\Tests\In
      */
     public function testUsesInstanceProfileCredentialsByDefault()
     {
+        $_SERVER['HOME'] = '/tmp';
         $client = InstanceMetadataClient::factory();
         $credentials = Credentials::factory(array(
             'credentials.client' => $client
@@ -73,6 +74,7 @@ public function testRefreshesExpiredCredentials(array $creds)
      */
     public function testClientsUseInstanceProfileCredentialsByDefault()
     {
+        $_SERVER['HOME'] = '/tmp';
         $client = DynamoDbClient::factory(array(
             'region' => 'us-east-1'
         ));
@@ -108,6 +110,7 @@ public function testClientsUseInstanceProfileCredentials(array $creds)
 
     public function testCredentialsUsesApcCacheWhenCacheIsTrue()
     {
+        $_SERVER['HOME'] = '/tmp';
         if (!extension_loaded('apc')) {
             $this->markTestSkipped('APC is not installed');
         }
@@ -124,6 +127,7 @@ public function testCredentialsUsesApcCacheWhenCacheIsTrue()
 
     public function testCredentialsCanInjectCacheAndUsesHostnameBasedKey()
     {
+        $_SERVER['HOME'] = '/tmp';
         $cache = new DoctrineCacheAdapter(new ArrayCache());
         $cache->save('credentials_' . crc32(gethostname()), new Credentials('ABC', '123', 'Listen to me', time() + 10000));
         $credentials = Credentials::factory(array(

diff --git a/tests/Aws/Tests/Common/Credentials/RefreshableInstanceProfileCredentialsTest.php b/tests/Aws/Tests/Common/Credentials/RefreshableInstanceProfileCredentialsTest.php
@@ -48,6 +48,9 @@ public function testMetadataCredentialsCanBeRefreshed()
 
         $credentials->getSecurityToken();
 
+        // Should expire 30 minutes before the returned expiration date.
+        $this->assertEquals(1904598340, $credentials->getExpiration());
+
         $mockedRequests = $mock->getReceivedRequests();
         $this->assertEquals(2, count($mockedRequests));
         $this->assertContains('/webapp', (string) $mockedRequests[1]->getUrl());