fix: handle SecurityException for ProfileFileLocation access checks while accessing aws shared credentials file (#5904)

* fix: handle SecurityException for ProfileFileLocation access checks while accessing aws shared credentials file

* Added changelog

* Updated test to junit 5

Author: joviegas

.changes/next-release/bugfix-AWSSDKforJavav2-3fa3788.json

@@ -0,0 +1,6 @@
+{
+    "type": "bugfix",
+    "category": "AWS SDK for Java v2",
+    "contributor": "",
+    "description": "Handle SecurityException for ProfileFileLocation access checks while accessing aws shared credentials file."
+}

core/auth/src/test/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProviderTest.java

@@ -42,6 +42,7 @@
 import com.github.tomakehurst.wiremock.matching.RequestPattern;
 import com.github.tomakehurst.wiremock.matching.RequestPatternBuilder;
 import java.net.SocketTimeoutException;
+import java.security.Permission;
 import java.time.Clock;
 import java.time.Duration;
 import java.time.Instant;
@@ -54,6 +55,8 @@
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.EnabledForJreRange;
+import org.junit.jupiter.api.condition.JRE;
 import org.junit.jupiter.api.extension.RegisterExtension;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.ValueSource;
@@ -651,6 +654,41 @@ void shouldNotRetry_whenSucceeds() {
         WireMock.verify(exactly(1), getRequestedFor(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + "some-profile")));
     }
 
+    @Test
+    @EnabledForJreRange(min = JRE.JAVA_8, max = JRE.JAVA_16)
+    void resolveCredentialsFromInstanceProfile_when_defaultProfileHasSecurityException() {
+        SecurityManager originalSecurityManager = System.getSecurityManager();
+        SecurityManager securityManager = new SecurityManager() {
+            @Override
+            public void checkPermission(Permission perm) {
+                if (perm instanceof java.io.FilePermission) {
+                    String path = perm.getName();
+                    if (path.contains(".aws") && path.contains("credentials") &&
+                        (perm.getActions().contains("read") || perm.getActions().contains("execute"))) {
+                        throw new SecurityException("Access to AWS credentials denied");
+                    }
+                }
+            }
+        };
+
+        System.setSecurityManager(securityManager);
+        try {
+            stubSecureCredentialsResponse(aResponse().withBody(STUB_CREDENTIALS));
+            InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+            AwsCredentials credentials = provider.resolveCredentials();
+
+            // Verify credentials are correctly resolved from instance profile
+            assertThat(credentials.accessKeyId()).isEqualTo("ACCESS_KEY_ID");
+            assertThat(credentials.secretAccessKey()).isEqualTo("SECRET_ACCESS_KEY");
+            assertThat(credentials.providerName()).isPresent().contains("InstanceProfileCredentialsProvider");
+
+            // Verify IMDS was called
+            verifyImdsCallWithToken();
+        } finally {
+            System.setSecurityManager(originalSecurityManager);
+        }
+    }
+
     private AwsCredentialsProvider credentialsProviderWithClock(Clock clock) {
         InstanceProfileCredentialsProvider.BuilderImpl builder =
             (InstanceProfileCredentialsProvider.BuilderImpl) InstanceProfileCredentialsProvider.builder();

core/profiles/pom.xml

@@ -61,6 +61,21 @@
             <version>${jimfs.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-api</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-slf4j-impl</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

core/profiles/src/main/java/software/amazon/awssdk/profiles/ProfileFileLocation.java

@@ -24,12 +24,16 @@
 import java.util.Optional;
 import java.util.regex.Pattern;
 import software.amazon.awssdk.annotations.SdkPublicApi;
+import software.amazon.awssdk.utils.Logger;
 
 /**
  * A collection of static methods for loading the location for configuration and credentials files.
  */
 @SdkPublicApi
 public final class ProfileFileLocation {
+
+    private static final Logger LOG = Logger.loggerFor(ProfileFileLocation.class);
+
     private static final Pattern HOME_DIRECTORY_PATTERN =
         Pattern.compile("^~(/|" + Pattern.quote(FileSystems.getDefault().getSeparator()) + ").*$");
 
@@ -87,6 +91,16 @@ private static Path resolveProfileFilePath(String path) {
     }
 
     private static Optional<Path> resolveIfExists(Path path) {
-        return Optional.ofNullable(path).filter(Files::isRegularFile).filter(Files::isReadable);
+        return Optional.ofNullable(path).filter(ProfileFileLocation::isReadableRegularFile);
+    }
+
+    private static boolean isReadableRegularFile(Path path) {
+        try {
+            return Files.isRegularFile(path) && Files.isReadable(path);
+        } catch (SecurityException e) {
+            // Treats SecurityExceptions from JVM as non-existent file.
+            LOG.debug(() -> String.format("Security restrictions prevented access to profile file: %s", e.getMessage()), e);
+            return false;
+        }
     }
 }

core/profiles/src/test/java/software/amazon/awssdk/profiles/ProfileFileSupplierTest.java

@@ -24,6 +24,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.attribute.FileTime;
+import java.security.Permission;
 import java.time.Clock;
 import java.time.Duration;
 import java.time.Instant;
@@ -40,11 +41,16 @@
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
+import org.apache.logging.log4j.Level;
+import org.apache.logging.log4j.core.LogEvent;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.EnabledForJreRange;
+import org.junit.jupiter.api.condition.JRE;
 import software.amazon.awssdk.utils.Pair;
 import software.amazon.awssdk.utils.StringInputStream;
+import software.amazon.awssdk.testutils.LogCaptor;
 
 class ProfileFileSupplierTest {
 
@@ -541,6 +547,41 @@ void get_givenOnLoadAction_callsActionOncePerNewProfileFile() {
         assertThat(blockCount.get()).isEqualTo(actualProfilesCount);
     }
 
+    @Test
+    @EnabledForJreRange(min = JRE.JAVA_8, max = JRE.JAVA_16)
+    void credentialsFileLocation_securityException_returnsEmpty() throws IOException {
+        SecurityManager originalSecurityManager = System.getSecurityManager();
+
+        try (LogCaptor logCaptor = LogCaptor.create(Level.DEBUG)) {
+            // Set up security manager that blocks access to credentials file
+            SecurityManager securityManager = new SecurityManager() {
+                @Override
+                public void checkPermission(Permission perm) {
+                    if (perm instanceof java.io.FilePermission) {
+                        String path = perm.getName();
+                        if (path.contains(".aws") && path.contains("credentials")) {
+                            throw new SecurityException("Access to AWS credentials denied");
+                        }
+                    }
+                }
+            };
+
+            System.setSecurityManager(securityManager);
+
+            // Test the method behavior
+            assertThat(ProfileFileLocation.credentialsFileLocation()).isEmpty();
+
+            // Verify logging behavior
+            List<LogEvent> logEvents = logCaptor.loggedEvents();
+            assertThat(logEvents).hasSize(1);
+            assertThat(logEvents.get(0).getMessage().getFormattedMessage())
+                .contains("Security restrictions prevented access to profile file: Access to AWS credentials denied");
+        } finally {
+            System.setSecurityManager(originalSecurityManager);
+        }
+    }
+
+
     private Path writeTestFile(String contents, Path path) {
         try {
             Files.createDirectories(testDirectory);

core/regions/pom.xml

@@ -98,6 +98,21 @@
             <artifactId>byte-buddy</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-api</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-slf4j-impl</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

core/regions/src/test/java/software/amazon/awssdk/regions/providers/AwsProfileRegionProviderTest.java

@@ -20,20 +20,38 @@
 
 import java.net.URISyntaxException;
 import java.nio.file.Paths;
-import org.junit.Rule;
-import org.junit.Test;
+import java.security.AccessControlException;
+import java.security.Permission;
+import java.util.List;
+import org.apache.logging.log4j.Level;
+import org.apache.logging.log4j.core.LogEvent;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.EnabledForJreRange;
 import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.profiles.ProfileFileSystemSetting;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.testutils.EnvironmentVariableHelper;
+import software.amazon.awssdk.testutils.LogCaptor;
+import org.junit.jupiter.api.condition.JRE;
 
-public class AwsProfileRegionProviderTest {
+class AwsProfileRegionProviderTest {
 
-    @Rule
-    public EnvironmentVariableHelper settingsHelper = new EnvironmentVariableHelper();
+    public EnvironmentVariableHelper settingsHelper;
+
+    @BeforeEach
+    void setUp() {
+        settingsHelper = new EnvironmentVariableHelper();
+    }
+
+    @AfterEach
+    void tearDown() {
+        settingsHelper.reset();
+    }
 
     @Test
-    public void nonExistentDefaultConfigFile_ThrowsException() {
+    void nonExistentDefaultConfigFile_ThrowsException() {
         settingsHelper.set(ProfileFileSystemSetting.AWS_CONFIG_FILE, "/var/tmp/this/is/invalid.txt");
         settingsHelper.set(ProfileFileSystemSetting.AWS_SHARED_CREDENTIALS_FILE, "/var/tmp/this/is/also.invalid.txt");
         assertThatThrownBy(() -> new AwsProfileRegionProvider().getRegion())
@@ -42,11 +60,48 @@ public void nonExistentDefaultConfigFile_ThrowsException() {
     }
 
     @Test
-    public void profilePresentAndRegionIsSet_ProvidesCorrectRegion() throws URISyntaxException {
+    void profilePresentAndRegionIsSet_ProvidesCorrectRegion() throws URISyntaxException {
         String testFile = "/profileconfig/test-profiles.tst";
 
         settingsHelper.set(ProfileFileSystemSetting.AWS_PROFILE, "test");
         settingsHelper.set(ProfileFileSystemSetting.AWS_CONFIG_FILE, Paths.get(getClass().getResource(testFile).toURI()).toString());
         assertThat(new AwsProfileRegionProvider().getRegion()).isEqualTo(Region.of("saa"));
     }
+
+    @Test
+    @EnabledForJreRange(min = JRE.JAVA_8, max = JRE.JAVA_16)
+    void profilePresentAndRegionIsSet_ProvidesCorrectRegion_withException() throws URISyntaxException {
+        // Set up test configuration
+        String testFile = "/profileconfig/test-profiles.tst";
+        settingsHelper.set(ProfileFileSystemSetting.AWS_PROFILE, "test");
+        settingsHelper.set(ProfileFileSystemSetting.AWS_CONFIG_FILE, Paths.get(getClass().getResource(testFile).toURI()).toString());
+
+        SecurityManager originalSecurityManager = System.getSecurityManager();
+
+        try (LogCaptor logCaptor = LogCaptor.create(Level.DEBUG)) {
+            // Set up security manager that blocks access to credentials file
+            SecurityManager securityManager = new SecurityManager() {
+                @Override
+                public void checkPermission(Permission perm) {
+                    if (perm instanceof java.io.FilePermission) {
+                        String path = perm.getName();
+                        if (path.contains(".aws") && path.contains("credentials")) {
+                            throw new AccessControlException("Access to AWS credentials denied");
+                        }
+                    }
+                }
+            };
+
+            System.setSecurityManager(securityManager);
+            // Test the region provider behavior
+            assertThat(new AwsProfileRegionProvider().getRegion()).isEqualTo(Region.of("saa"));
+
+            List<LogEvent> logEvents = logCaptor.loggedEvents();
+            assertThat(logEvents).hasSize(1);
+            assertThat(logEvents.get(0).getMessage().getFormattedMessage())
+                .contains("Security restrictions prevented access to profile file: Access to AWS credentials denied");
+        } finally {
+            System.setSecurityManager(originalSecurityManager);
+        }
+    }
 }