@@ -271,7 +271,7 @@ pub(crate) mod identity_cache {
271271
272272 let key = sut. key (
273273 "test-bucket--usw2-az1--x-s3" ,
274- & Credentials :: for_tests_with_session_token ( ) ,
274+ & Credentials :: for_tests ( ) ,
275275 ) ;
276276
277277 // First call to the cache, populating a cache entry.
@@ -337,7 +337,7 @@ pub(crate) mod identity_cache {
337337 for i in 0 ..number_of_buckets {
338338 let key = sut. key (
339339 & format ! ( "test-bucket-{i}-usw2-az1--x-s3" ) ,
340- & Credentials :: for_tests_with_session_token ( ) ,
340+ & Credentials :: for_tests ( ) ,
341341 ) ;
342342 for _ in 0 ..50 {
343343 let sut = sut. clone ( ) ;
@@ -391,7 +391,7 @@ pub(crate) mod identity_cache {
391391 let [ key1, key2, key3] = [ 1 , 2 , 3 ] . map ( |i| {
392392 sut. key (
393393 & format ! ( "test-bucket-{i}--usw2-az1--x-s3" ) ,
394- & Credentials :: for_tests_with_session_token ( ) ,
394+ & Credentials :: for_tests ( ) ,
395395 )
396396 } ) ;
397397
@@ -637,9 +637,15 @@ pub(crate) mod identity_provider {
637637 use super :: * ;
638638 use aws_credential_types:: credential_feature:: AwsCredentialFeature ;
639639 use aws_credential_types:: Credentials ;
640+ use aws_smithy_runtime:: client:: http:: test_util:: { ReplayEvent , StaticReplayClient } ;
640641
641642 #[ test]
642- fn test_s3express_identity_contains_feature ( ) {
643+ fn test_s3express_credentials_contain_feature ( ) {
644+ // This test verifies that when SessionCredentials are converted to Credentials
645+ // within the identity provider code path, the S3ExpressBucket feature is embedded.
646+ // We test the conversion logic directly rather than the full identity() method
647+ // to avoid complex mocking of HTTP clients and runtime components.
648+
643649 let session_creds = SessionCredentials :: builder ( )
644650 . access_key_id ( "test_access_key" )
645651 . secret_access_key ( "test_secret_key" )
@@ -648,12 +654,15 @@ pub(crate) mod identity_provider {
648654 . build ( )
649655 . expect ( "valid session credentials" ) ;
650656
657+ // Simulate what the identity provider does: convert SessionCredentials to Credentials
658+ // and embed the S3ExpressBucket feature
651659 let mut credentials =
652660 Credentials :: try_from ( session_creds) . expect ( "conversion should succeed" ) ;
653661 credentials
654662 . get_property_mut_or_default :: < Vec < AwsCredentialFeature > > ( )
655663 . push ( AwsCredentialFeature :: S3ExpressBucket ) ;
656664
665+ // Verify the feature is embedded in the Credentials
657666 let creds_features = credentials
658667 . get_property :: < Vec < AwsCredentialFeature > > ( )
659668 . expect ( "features should be present in credentials" ) ;
@@ -662,6 +671,7 @@ pub(crate) mod identity_provider {
662671 "S3ExpressBucket feature should be embedded in Credentials"
663672 ) ;
664673
674+ // Verify the feature propagates to Identity when converted
665675 let identity = Identity :: from ( credentials. clone ( ) ) ;
666676 assert ! (
667677 identity. data:: <Credentials >( ) . is_some( ) ,
@@ -676,7 +686,7 @@ pub(crate) mod identity_provider {
676686 . expect ( "features should be present in Identity's credentials" ) ;
677687 assert ! (
678688 identity_features. contains( & AwsCredentialFeature :: S3ExpressBucket ) ,
679- "S3ExpressBucket feature should be present in Identity's Credentials after conversion"
689+ "S3ExpressBucket feature should propagate to Identity after conversion"
680690 ) ;
681691 }
682692
@@ -854,25 +864,32 @@ pub(crate) mod runtime_plugin {
854864
855865 #[ test]
856866 fn disable_option_set_from_service_client_should_take_the_highest_precedence ( ) {
867+ // Disable option is set from service client.
857868 let disable_s3_express_session_token = crate :: config:: DisableS3ExpressSessionAuth ( true ) ;
858869
870+ // An environment variable says the session auth is _not_ disabled,
871+ // but it will be overruled by what is in `layer`.
859872 let actual = config (
860873 Some ( disable_s3_express_session_token) ,
861874 Env :: from_slice ( & [ ( super :: env:: S3_DISABLE_EXPRESS_SESSION_AUTH , "false" ) ] ) ,
862875 ) ;
863876
877+ // A config layer from this runtime plugin should not provide
878+ // a new `DisableS3ExpressSessionAuth` if the disable option is set from service client.
864879 assert ! ( actual
865880 . load:: <crate :: config:: DisableS3ExpressSessionAuth >( )
866881 . is_none( ) ) ;
867882 }
868883
869884 #[ test]
870885 fn disable_option_set_from_env_should_take_the_second_highest_precedence ( ) {
886+ // Disable option is set from environment variable.
871887 let actual = config (
872888 None ,
873889 Env :: from_slice ( & [ ( super :: env:: S3_DISABLE_EXPRESS_SESSION_AUTH , "true" ) ] ) ,
874890 ) ;
875891
892+ // The config layer should provide `DisableS3ExpressSessionAuth` from the environment variable.
876893 assert ! (
877894 actual
878895 . load:: <crate :: config:: DisableS3ExpressSessionAuth >( )
@@ -889,42 +906,49 @@ pub(crate) mod runtime_plugin {
889906
890907 #[ test]
891908 fn disable_option_should_be_unspecified_if_unset ( ) {
909+ // Disable option is not set anywhere.
892910 let actual = config ( None , Env :: from_slice ( & [ ] ) ) ;
893911
912+ // The config layer should not provide `DisableS3ExpressSessionAuth` when it's not configured.
894913 assert ! ( actual
895914 . load:: <crate :: config:: DisableS3ExpressSessionAuth >( )
896915 . is_none( ) ) ;
897916 }
898917
899918 #[ test]
900919 fn s3_express_runtime_plugin_should_set_default_identity_resolver ( ) {
920+ // Config has SigV4 credentials provider, so S3 Express identity resolver should be set.
901921 let config = crate :: Config :: builder ( )
902922 . behavior_version_latest ( )
903923 . time_source ( aws_smithy_async:: time:: SystemTimeSource :: new ( ) )
904924 . credentials_provider ( Credentials :: for_tests ( ) )
905925 . build ( ) ;
906926
907927 let actual = runtime_components_builder ( config) ;
928+ // The runtime plugin should provide a default S3 Express identity resolver.
908929 assert ! ( actual
909930 . identity_resolver( & crate :: s3_express:: auth:: SCHEME_ID )
910931 . is_some( ) ) ;
911932 }
912933
913934 #[ test]
914935 fn s3_express_plugin_should_not_set_default_identity_resolver_without_sigv4_counterpart ( ) {
936+ // Config does not have SigV4 credentials provider.
915937 let config = crate :: Config :: builder ( )
916938 . behavior_version_latest ( )
917939 . time_source ( aws_smithy_async:: time:: SystemTimeSource :: new ( ) )
918940 . build ( ) ;
919941
920942 let actual = runtime_components_builder ( config) ;
943+ // The runtime plugin should not provide S3 Express identity resolver without SigV4 credentials.
921944 assert ! ( actual
922945 . identity_resolver( & crate :: s3_express:: auth:: SCHEME_ID )
923946 . is_none( ) ) ;
924947 }
925948
926949 #[ tokio:: test]
927950 async fn s3_express_plugin_should_not_set_default_identity_resolver_if_user_provided ( ) {
951+ // User provides a custom S3 Express credentials provider.
928952 let expected_access_key_id = "expected acccess key ID" ;
929953 let config = crate :: Config :: builder ( )
930954 . behavior_version_latest ( )
@@ -939,11 +963,13 @@ pub(crate) mod runtime_plugin {
939963 . time_source ( aws_smithy_async:: time:: SystemTimeSource :: new ( ) )
940964 . build ( ) ;
941965
966+ // The runtime plugin should not override the user-provided identity resolver.
942967 let runtime_components_builder = runtime_components_builder ( config. clone ( ) ) ;
943968 assert ! ( runtime_components_builder
944969 . identity_resolver( & crate :: s3_express:: auth:: SCHEME_ID )
945970 . is_none( ) ) ;
946971
972+ // The user-provided identity resolver should be used.
947973 let express_identity_resolver = config
948974 . runtime_components
949975 . identity_resolver ( & crate :: s3_express:: auth:: SCHEME_ID )
0 commit comments