Add role ARN as parameter.

Author: dkocher

s3/src/main/java/ch/cyberduck/core/sts/STSAssumeRoleRequestInterceptor.java

@@ -51,10 +51,12 @@ public STSAssumeRoleRequestInterceptor(final Host host, final X509TrustManager t
     public TemporaryAccessTokens refresh(final Credentials credentials) throws BackgroundException {
         lock.lock();
         try {
-            if(StringUtils.isNotBlank(new ProxyPreferencesReader(credentials, host).getProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, "s3.assumerole.rolearn"))) {
+            final String arn = new ProxyPreferencesReader(host, credentials).getProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, "s3.assumerole.rolearn");
+            log.debug("Use ARN {}", arn);
+            if(StringUtils.isNotBlank(arn)) {
                 log.debug("Retrieve temporary credentials with {}", credentials);
                 // AssumeRoleRequest
-                return tokens = this.assumeRole(credentials);
+                return tokens = this.assumeRole(credentials, arn);
             }
             log.warn("Skip requesting tokens from token service for {}", credentials);
             return TemporaryAccessTokens.EMPTY;

s3/src/main/java/ch/cyberduck/core/sts/STSAssumeRoleWithWebIdentityRequestInterceptor.java

@@ -18,13 +18,16 @@
 import ch.cyberduck.core.Credentials;
 import ch.cyberduck.core.Host;
 import ch.cyberduck.core.LoginCallback;
+import ch.cyberduck.core.Profile;
 import ch.cyberduck.core.TemporaryAccessTokens;
 import ch.cyberduck.core.exception.BackgroundException;
 import ch.cyberduck.core.oauth.OAuth2RequestInterceptor;
+import ch.cyberduck.core.preferences.ProxyPreferencesReader;
 import ch.cyberduck.core.s3.S3CredentialsStrategy;
 import ch.cyberduck.core.ssl.X509KeyManager;
 import ch.cyberduck.core.ssl.X509TrustManager;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.http.HttpRequestInterceptor;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -43,21 +46,27 @@ public class STSAssumeRoleWithWebIdentityRequestInterceptor extends STSRequestIn
      * Handle authentication with OpenID connect retrieving token for STS
      */
     private final OAuth2RequestInterceptor oauth;
+    private final Host host;
 
     public STSAssumeRoleWithWebIdentityRequestInterceptor(final OAuth2RequestInterceptor oauth, final Host host,
                                                           final X509TrustManager trust, final X509KeyManager key,
                                                           final LoginCallback prompt) {
         super(host, trust, key, prompt);
         this.oauth = oauth;
+        this.host = host;
     }
 
     @Override
     public TemporaryAccessTokens refresh(final Credentials credentials) throws BackgroundException {
         lock.lock();
         try {
-            credentials.setOauth(oauth.refresh(credentials.getOauth()));
-            log.debug("Retrieve temporary credentials with {}", credentials);
-            return tokens = this.assumeRoleWithWebIdentity(credentials);
+            final String arn = new ProxyPreferencesReader(host, credentials).getProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, "s3.assumerole.rolearn");
+            log.debug("Use ARN {}", arn);
+            if(StringUtils.isNotBlank(arn)) {
+                return tokens = this.assumeRoleWithWebIdentity(oauth.refresh(credentials.getOauth()), arn);
+            }
+            log.warn("Skip requesting tokens from token service for {}", credentials);
+            return TemporaryAccessTokens.EMPTY;
         }
         finally {
             lock.unlock();

s3/src/main/java/ch/cyberduck/core/sts/STSAuthorizationService.java

@@ -102,13 +102,11 @@ public String getCallerIdentity(final Credentials credentials) throws Background
         }
     }
 
-    public TemporaryAccessTokens getSessionToken(final Credentials credentials) throws BackgroundException {
+    public TemporaryAccessTokens getSessionToken(final Credentials credentials, final String mfaArn) throws BackgroundException {
         log.debug("Get session token with credentials {} for {}", credentials, bookmark);
-        final PreferencesReader settings = new ProxyPreferencesReader(credentials, bookmark);
         //  The purpose of the sts:GetSessionToken operation is to authenticate the user using MFA.
         final GetSessionTokenRequest request = new GetSessionTokenRequest()
                 .withRequestCredentialsProvider(S3CredentialsStrategy.toCredentialsProvider(credentials));
-        final String mfaArn = settings.getProperty(Profile.STS_MFA_ARN_PROPERTY_KEY);
         if(StringUtils.isNotBlank(mfaArn)) {
             log.debug("Found MFA ARN {} for {}", mfaArn, bookmark);
             request.setSerialNumber(mfaArn);
@@ -173,9 +171,9 @@ public TemporaryAccessTokens getSessionToken(final Credentials credentials) thro
      * @see Profile#STS_ROLE_ARN_PROPERTY_KEY
      * @see Profile#STS_MFA_ARN_PROPERTY_KEY
      */
-    public TemporaryAccessTokens assumeRole(final Credentials credentials) throws BackgroundException {
+    public TemporaryAccessTokens assumeRole(final Credentials credentials, final String roleArn) throws BackgroundException {
         log.debug("Assume role with credentials {} for {}", credentials, bookmark);
-        final PreferencesReader settings = new ProxyPreferencesReader(credentials, bookmark);
+        final PreferencesReader settings = new ProxyPreferencesReader(bookmark, credentials);
         final AssumeRoleRequest request = new AssumeRoleRequest()
                 .withRequestCredentialsProvider(S3CredentialsStrategy.toCredentialsProvider(credentials));
         if(StringUtils.isNotBlank(settings.getProperty("s3.assumerole.durationseconds", Profile.STS_DURATION_SECONDS_PROPERTY_KEY))) {
@@ -184,7 +182,6 @@ public TemporaryAccessTokens assumeRole(final Credentials credentials) throws Ba
         request.setTags(settings.getMap(Profile.STS_TAGS_PROPERTY_KEY).entrySet().stream().map(
                 entry -> new Tag().withKey(entry.getKey()).withValue(entry.getValue())).collect(Collectors.toList())
         );
-        final String roleArn = settings.getProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, "s3.assumerole.rolearn");
         if(StringUtils.isNotBlank(roleArn)) {
             log.debug("Found Role ARN {} for {}", roleArn, bookmark);
             request.setRoleArn(roleArn);
@@ -264,15 +261,15 @@ public TemporaryAccessTokens assumeRole(final Credentials credentials) throws Ba
         }
     }
 
-    public TemporaryAccessTokens assumeRoleWithSAML(final Credentials credentials) throws BackgroundException {
-        log.debug("Assume role with SAML with credentials {} for {}", credentials, bookmark);
-        final PreferencesReader settings = new ProxyPreferencesReader(credentials, bookmark);
-        final AssumeRoleWithSAMLRequest request = new AssumeRoleWithSAMLRequest().withSAMLAssertion(credentials.getToken());
+    public TemporaryAccessTokens assumeRoleWithSAML(final String samlAssertion, final String roleArn) throws BackgroundException {
+        log.debug("Assume role with SAML with assertion {} for {}", samlAssertion, bookmark);
+        final PreferencesReader settings = HostPreferencesFactory.get(bookmark);
+        final AssumeRoleWithSAMLRequest request = new AssumeRoleWithSAMLRequest().withSAMLAssertion(samlAssertion)
+                .withRequestCredentialsProvider(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()));
         if(StringUtils.isNotBlank(settings.getProperty("s3.assumerole.durationseconds", Profile.STS_DURATION_SECONDS_PROPERTY_KEY))) {
             request.setDurationSeconds(PreferencesReader.toInteger(settings.getProperty("s3.assumerole.durationseconds", Profile.STS_DURATION_SECONDS_PROPERTY_KEY)));
         }
         request.setPolicy(settings.getProperty("s3.assumerole.policy"));
-        final String roleArn = settings.getProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, "s3.assumerole.rolearn");
         if(StringUtils.isNotBlank(roleArn)) {
             log.debug("Found Role ARN {} for {}", roleArn, bookmark);
             request.setRoleArn(roleArn);
@@ -293,21 +290,21 @@ public TemporaryAccessTokens assumeRoleWithSAML(final Credentials credentials) t
     /**
      * Assume role with web identity token
      *
-     * @param credentials OIDC tokens
+     * @param oauth OIDC tokens
      * @return Temporary access tokens for the assumed role
      */
-    public TemporaryAccessTokens assumeRoleWithWebIdentity(final Credentials credentials) throws BackgroundException {
-        log.debug("Assume role with web identity with credentials {} for {}", credentials, bookmark);
-        final PreferencesReader settings = new ProxyPreferencesReader(credentials, bookmark);
-        final AssumeRoleWithWebIdentityRequest request = new AssumeRoleWithWebIdentityRequest();
+    public TemporaryAccessTokens assumeRoleWithWebIdentity(final OAuthTokens oauth, final String roleArn) throws BackgroundException {
+        log.debug("Assume role with web identity {} for {}", oauth, bookmark);
+        final PreferencesReader settings = HostPreferencesFactory.get(bookmark);
+        final AssumeRoleWithWebIdentityRequest request = new AssumeRoleWithWebIdentityRequest()
+                .withRequestCredentialsProvider(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()));
         log.debug("Assume role with OIDC Id token for {}", bookmark);
-        final String webIdentityToken = this.getWebIdentityToken(credentials.getOauth());
+        final String webIdentityToken = this.getWebIdentityToken(oauth);
         request.setWebIdentityToken(webIdentityToken);
         if(StringUtils.isNotBlank(settings.getProperty("s3.assumerole.durationseconds", Profile.STS_DURATION_SECONDS_PROPERTY_KEY))) {
             request.setDurationSeconds(PreferencesReader.toInteger(settings.getProperty("s3.assumerole.durationseconds", Profile.STS_DURATION_SECONDS_PROPERTY_KEY)));
         }
         request.setPolicy(settings.getProperty("s3.assumerole.policy"));
-        final String roleArn = settings.getProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, "s3.assumerole.rolearn");
         if(StringUtils.isNotBlank(roleArn)) {
             request.setRoleArn(roleArn);
         }

s3/src/main/java/ch/cyberduck/core/sts/STSGetSessionTokenRequestInterceptor.java

@@ -52,10 +52,12 @@ public STSGetSessionTokenRequestInterceptor(final Host host, final X509TrustMana
     public TemporaryAccessTokens refresh(final Credentials credentials) throws BackgroundException {
         lock.lock();
         try {
-            if(StringUtils.isNotBlank(new ProxyPreferencesReader(credentials, host).getProperty(Profile.STS_MFA_ARN_PROPERTY_KEY))) {
+            final String arn = new ProxyPreferencesReader(host, credentials).getProperty(Profile.STS_MFA_ARN_PROPERTY_KEY);
+            log.debug("Use ARN {}", arn);
+            if(StringUtils.isNotBlank(arn)) {
                 log.debug("Retrieve temporary credentials with {}", credentials);
                 // GetSessionToken
-                return tokens = this.getSessionToken(credentials);
+                return tokens = this.getSessionToken(credentials, arn);
             }
             log.warn("Skip requesting tokens from token service for {}", credentials);
             return TemporaryAccessTokens.EMPTY;