test: fix unit tests

karenc-bq · karenc-bq · commit dece3e3bcdda · 2026-01-28T17:56:09.000-08:00
diff --git a/aws_advanced_python_wrapper/aws_credentials_manager.py b/aws_advanced_python_wrapper/aws_credentials_manager.py
@@ -58,7 +58,7 @@ def get_session(host_info: HostInfo, props: Properties, region: str) -> Session:
         # Initialize session outside of lock.
         session = handler(host_info, props) if handler else None
 
-        if session is not None and not isinstance(session, Session):
+        if session is not None and not isinstance(session, type(Session())):
             raise TypeError(Messages.get_formatted("AwsCredentialsManager.InvalidHandler", type(session).__name__))
 
         if session is None:
diff --git a/aws_advanced_python_wrapper/federated_plugin.py b/aws_advanced_python_wrapper/federated_plugin.py
@@ -14,6 +14,7 @@
 
 from __future__ import annotations
 
+from copy import deepcopy
 from html import unescape
 from re import DOTALL, findall, search
 from typing import TYPE_CHECKING, List
@@ -28,7 +29,6 @@
 from aws_advanced_python_wrapper.utils.saml_utils import SamlUtils
 
 if TYPE_CHECKING:
-    from boto3 import Session
     from aws_advanced_python_wrapper.driver_dialect import DriverDialect
     from aws_advanced_python_wrapper.hostinfo import HostInfo
     from aws_advanced_python_wrapper.pep249 import Connection
@@ -57,7 +57,7 @@ class FederatedAuthPlugin(Plugin):
     _rds_utils: RdsUtils = RdsUtils()
     _token_cache: Dict[str, TokenInfo] = {}
 
-    def __init__(self, plugin_service: PluginService, credentials_provider_factory: CredentialsProviderFactory, session: Optional[Session] = None):
+    def __init__(self, plugin_service: PluginService, credentials_provider_factory: CredentialsProviderFactory):
         self._plugin_service = plugin_service
         self._credentials_provider_factory = credentials_provider_factory
 
@@ -101,11 +101,13 @@ def _connect(self, host_info: HostInfo, props: Properties, connect_func: Callabl
 
         token_info: Optional[TokenInfo] = FederatedAuthPlugin._token_cache.get(cache_key)
 
+        token_host_info = deepcopy(host_info)
+        token_host_info.host = host
         if token_info is not None and not token_info.is_expired():
             logger.debug("FederatedAuthPlugin.UseCachedToken", token_info.token)
             self._plugin_service.driver_dialect.set_password(props, token_info.token)
         else:
-            self._update_authentication_token(host_info, props, user, region, cache_key)
+            self._update_authentication_token(token_host_info, props, user, region, cache_key)
 
         WrapperProperties.USER.set(props, WrapperProperties.DB_USER.get(props))
 
@@ -115,7 +117,7 @@ def _connect(self, host_info: HostInfo, props: Properties, connect_func: Callabl
             if token_info is None or token_info.is_expired() or not self._plugin_service.is_login_exception(e):
                 raise e
 
-            self._update_authentication_token(host_info, props, user, region, cache_key)
+            self._update_authentication_token(token_host_info, props, user, region, cache_key)
 
             try:
                 return connect_func()
diff --git a/aws_advanced_python_wrapper/iam_plugin.py b/aws_advanced_python_wrapper/iam_plugin.py
@@ -14,6 +14,7 @@
 
 from __future__ import annotations
 
+from copy import deepcopy
 from typing import TYPE_CHECKING
 
 from aws_advanced_python_wrapper.aws_credentials_manager import \
@@ -22,14 +23,13 @@
 from aws_advanced_python_wrapper.utils.region_utils import RegionUtils
 
 if TYPE_CHECKING:
-    from boto3 import Session
     from aws_advanced_python_wrapper.driver_dialect import DriverDialect
     from aws_advanced_python_wrapper.hostinfo import HostInfo
     from aws_advanced_python_wrapper.pep249 import Connection
     from aws_advanced_python_wrapper.plugin_service import PluginService
 
 from datetime import datetime, timedelta
-from typing import Callable, Dict, Optional, Set
+from typing import Callable, Dict, Set
 
 from aws_advanced_python_wrapper.errors import AwsWrapperError
 from aws_advanced_python_wrapper.pep249_methods import DbApiMethod
@@ -51,7 +51,7 @@ class IamAuthPlugin(Plugin):
     _rds_utils: RdsUtils = RdsUtils()
     _token_cache: Dict[str, TokenInfo] = {}
 
-    def __init__(self, plugin_service: PluginService, session: Optional[Session] = None):
+    def __init__(self, plugin_service: PluginService):
         self._plugin_service = plugin_service
 
         self._region_utils = RegionUtils()
@@ -106,11 +106,13 @@ def _connect(self, host_info: HostInfo, props: Properties, connect_func: Callabl
             if self._fetch_token_counter is not None:
                 self._fetch_token_counter.inc()
 
+            session_host_info = deepcopy(host_info)
+            session_host_info.host = host
             session = AwsCredentialsManager.get_session(host_info, props, region)
             token: str = IamAuthUtils.generate_authentication_token(
                 self._plugin_service,
                 user,
-                host_info.host,
+                host,
                 port,
                 region,
                 session)
@@ -132,7 +134,10 @@ def _connect(self, host_info: HostInfo, props: Properties, connect_func: Callabl
             token_expiry = datetime.now() + timedelta(seconds=token_expiration_sec)
             if self._fetch_token_counter is not None:
                 self._fetch_token_counter.inc()
-            session = AwsCredentialsManager.get_session(host_info, props, region)
+
+            session_host_info = deepcopy(host_info)
+            session_host_info.host = host
+            session = AwsCredentialsManager.get_session(session_host_info, props, region)
             token = IamAuthUtils.generate_authentication_token(self._plugin_service, user, host, port, region, session)
             self._plugin_service.driver_dialect.set_password(props, token)
             IamAuthPlugin._token_cache[cache_key] = TokenInfo(token, token_expiry)
diff --git a/aws_advanced_python_wrapper/okta_plugin.py b/aws_advanced_python_wrapper/okta_plugin.py
@@ -14,6 +14,7 @@
 
 from __future__ import annotations
 
+from copy import deepcopy
 from datetime import datetime, timedelta
 from html import unescape
 from re import search
@@ -28,7 +29,6 @@
 from aws_advanced_python_wrapper.utils.saml_utils import SamlUtils
 
 if TYPE_CHECKING:
-    from boto3 import Session
     from aws_advanced_python_wrapper.driver_dialect import DriverDialect
     from aws_advanced_python_wrapper.hostinfo import HostInfo
     from aws_advanced_python_wrapper.pep249 import Connection
@@ -53,7 +53,7 @@ class OktaAuthPlugin(Plugin):
     _rds_utils: RdsUtils = RdsUtils()
     _token_cache: Dict[str, TokenInfo] = {}
 
-    def __init__(self, plugin_service: PluginService, credentials_provider_factory: CredentialsProviderFactory, session: Optional[Session] = None):
+    def __init__(self, plugin_service: PluginService, credentials_provider_factory: CredentialsProviderFactory):
         self._plugin_service = plugin_service
         self._credentials_provider_factory = credentials_provider_factory
 
@@ -97,11 +97,13 @@ def _connect(self, host_info: HostInfo, props: Properties, connect_func: Callabl
 
         token_info: Optional[TokenInfo] = OktaAuthPlugin._token_cache.get(cache_key)
 
+        token_host_info = deepcopy(host_info)
+        token_host_info.host = host
         if token_info is not None and not token_info.is_expired():
             logger.debug("OktaAuthPlugin.UseCachedToken", token_info.token)
             self._plugin_service.driver_dialect.set_password(props, token_info.token)
         else:
-            self._update_authentication_token(host_info, props, user, region, cache_key)
+            self._update_authentication_token(token_host_info, props, user, region, cache_key)
 
         WrapperProperties.USER.set(props, WrapperProperties.DB_USER.get(props))
 
@@ -111,7 +113,7 @@ def _connect(self, host_info: HostInfo, props: Properties, connect_func: Callabl
             if token_info is None or token_info.is_expired() or not self._plugin_service.is_login_exception(e):
                 raise e
 
-            self._update_authentication_token(host_info, props, user, region, cache_key)
+            self._update_authentication_token(token_host_info, props, user, region, cache_key)
 
             try:
                 return connect_func()
@@ -154,6 +156,12 @@ def _update_authentication_token(self,
         WrapperProperties.PASSWORD.set(props, token)
         OktaAuthPlugin._token_cache[cache_key] = TokenInfo(token, token_expiry)
 
+    @staticmethod
+    def release_resources() -> None:
+        OktaAuthPlugin._token_cache.clear()
+        AwsCredentialsManager.release_resources()
+        return None
+
 
 class OktaCredentialsProviderFactory(SamlCredentialsProviderFactory):
     _SAML_RESPONSE_PATTERN = r"\"SAMLResponse\" .* value=\"(?P<saml>[^\"]+)\""
@@ -227,11 +235,6 @@ def get_saml_assertion(self, props: Properties):
             logger.debug(error_message, e)
             raise AwsWrapperError(Messages.get_formatted(error_message, e))
 
-    @staticmethod
-    def release_resources() -> None:
-        AwsCredentialsManager.release_resources()
-        return None
-
 
 class OktaAuthPluginFactory(PluginFactory):
     @staticmethod
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -32,6 +32,7 @@ types_aws_xray_sdk = "^2.13.0"
 opentelemetry-api = "^1.22.0"
 opentelemetry-sdk = "^1.22.0"
 requests = "^2.32.2"
+boto3-stubs = "~=1.37.38"
 
 [tool.poetry.group.dev.dependencies]
 mypy = "^1.9.0"
diff --git a/tests/unit/test_federated_auth_plugin.py b/tests/unit/test_federated_auth_plugin.py
@@ -19,7 +19,10 @@
 from unittest.mock import patch
 
 import pytest
+from boto3 import Session
 
+from aws_advanced_python_wrapper.aws_credentials_manager import \
+    AwsCredentialsManager
 from aws_advanced_python_wrapper.federated_plugin import FederatedAuthPlugin
 from aws_advanced_python_wrapper.hostinfo import HostInfo
 from aws_advanced_python_wrapper.iam_plugin import TokenInfo
@@ -40,11 +43,12 @@
 @pytest.fixture(autouse=True)
 def clear_cache():
     _token_cache.clear()
+    FederatedAuthPlugin.release_resources()
 
 
 @pytest.fixture
 def mock_session(mocker):
-    return mocker.MagicMock()
+    return mocker.MagicMock(spec=Session)
 
 
 @pytest.fixture
@@ -91,6 +95,13 @@ def mock_default_behavior(mock_session, mock_client, mock_func, mock_connection,
                                                                           "SecretAccessKey": "test-secret-access",
                                                                           "SessionToken": "test-session-token"}
 
+    def custom_handler(host_info: HostInfo, props: Properties) -> Session:
+        return mock_session
+
+    AwsCredentialsManager.set_custom_handler(custom_handler)
+    yield
+    AwsCredentialsManager.reset_custom_handler()
+
 
 @patch("aws_advanced_python_wrapper.federated_plugin.FederatedAuthPlugin._token_cache", _token_cache)
 def test_pg_connect_valid_token_in_cache(mocker, mock_plugin_service, mock_session, mock_func, mock_client, mock_dialect):
@@ -129,7 +140,7 @@ def test_expired_cached_token(mocker, mock_plugin_service, mock_session, mock_fu
     initial_token = TokenInfo(_TEST_TOKEN, datetime.now() - timedelta(minutes=5))
     _token_cache[_PG_CACHE_KEY] = initial_token
 
-    target_plugin: FederatedAuthPlugin = FederatedAuthPlugin(mock_plugin_service, mock_credentials_provider_factory, mock_session)
+    target_plugin: FederatedAuthPlugin = FederatedAuthPlugin(mock_plugin_service, mock_credentials_provider_factory)
 
     target_plugin.connect(
         target_driver_func=mocker.MagicMock(),
@@ -154,7 +165,7 @@ def test_no_cached_token(mocker, mock_plugin_service, mock_session, mock_func, m
     test_props: Properties = Properties({"plugins": "federated_auth", "user": "postgresqlUser", "idp_username": "user", "idp_password": "password"})
     WrapperProperties.DB_USER.set(test_props, _DB_USER)
 
-    target_plugin: FederatedAuthPlugin = FederatedAuthPlugin(mock_plugin_service, mock_credentials_provider_factory, mock_session)
+    target_plugin: FederatedAuthPlugin = FederatedAuthPlugin(mock_plugin_service, mock_credentials_provider_factory)
 
     target_plugin.connect(
         target_driver_func=mocker.MagicMock(),
@@ -183,8 +194,7 @@ def test_no_cached_token_raises_exception(mocker, mock_plugin_service, mock_sess
     exception_message = "generic exception"
     mock_func.side_effect = Exception(exception_message)
 
-    target_plugin: FederatedAuthPlugin = FederatedAuthPlugin(mock_plugin_service, mock_credentials_provider_factory,
-                                                             mock_session)
+    target_plugin: FederatedAuthPlugin = FederatedAuthPlugin(mock_plugin_service, mock_credentials_provider_factory)
     with pytest.raises(Exception) as e_info:
         target_plugin.connect(
             target_driver_func=mocker.MagicMock(),
@@ -229,11 +239,11 @@ def test_connect_with_specified_iam_host_port_region(mocker,
 
     mock_client.generate_db_auth_token.return_value = f"{_TEST_TOKEN}:{expected_region}"
 
-    target_plugin: FederatedAuthPlugin = FederatedAuthPlugin(mock_plugin_service, mock_credentials_provider_factory, mock_session)
+    target_plugin: FederatedAuthPlugin = FederatedAuthPlugin(mock_plugin_service, mock_credentials_provider_factory)
     target_plugin.connect(
         target_driver_func=mocker.MagicMock(),
         driver_dialect=mock_dialect,
-        host_info=HostInfo(expected_host),
+        host_info=HostInfo("foo.com"),
         props=properties,
         is_initial_connection=False,
         connect_func=mock_func)
diff --git a/tests/unit/test_iam_plugin.py b/tests/unit/test_iam_plugin.py
diff --git a/tests/unit/test_okta_plugin.py b/tests/unit/test_okta_plugin.py
