Merge pull request #17440 from iterate-ch/feature/GH-17437

Interceptor for STS AssumeRole and GetSessionToken

Author: dkocher

core/src/main/java/ch/cyberduck/core/AbstractProtocol.java

@@ -35,7 +35,6 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Objects;
 import java.util.Set;
 import java.util.stream.Collectors;
 
@@ -292,6 +291,16 @@ public boolean isPrivateKeyConfigurable() {
         return false;
     }
 
+    @Override
+    public boolean isRoleConfigurable() {
+        return false;
+    }
+
+    @Override
+    public boolean isMultiFactorConfigurable() {
+        return false;
+    }
+
     @Override
     public boolean isUTCTimezone() {
         return true;
@@ -445,23 +454,27 @@ public boolean validate(final Credentials credentials, final LoginOptions option
             }
         }
         if(options.password) {
+            if(credentials.isAnonymousLogin()) {
+                return true;
+            }
             switch(this.getType()) {
                 case ftp:
                 case dav:
-                    return Objects.nonNull(credentials.getPassword());
+                    // Allow blank password
+                    return credentials.isPasswordAuthentication(true);
                 case sftp:
                     // SFTP agent auth requires no password and no private key selection
                     return true;
                 default:
-                    return StringUtils.isNotBlank(credentials.getPassword());
+                    return credentials.isPasswordAuthentication();
             }
         }
         if(options.oauth) {
-            // Always refresh tokens in login
+            // Always authentication with no tokens preset
             return true;
         }
         if(options.token) {
-            return StringUtils.isNotBlank(credentials.getToken());
+            return credentials.isTokenAuthentication();
         }
         return true;
     }

core/src/main/java/ch/cyberduck/core/AnonymousConnectionService.java

@@ -19,15 +19,18 @@
  */
 
 import ch.cyberduck.core.preferences.PreferencesFactory;
+import ch.cyberduck.core.preferences.PreferencesReader;
 
 import org.apache.commons.lang3.StringUtils;
 
+import java.util.HashMap;
+import java.util.Map;
 import java.util.Objects;
 
 /**
  * Stores the login credentials
  */
-public class Credentials implements Comparable<Credentials> {
+public class Credentials implements Comparable<Credentials>, PreferencesReader {
 
     /**
      * The login name
@@ -38,13 +41,26 @@ public class Credentials implements Comparable<Credentials> {
      * The login password
      */
     private String password = StringUtils.EMPTY;
+    /**
+     * Temporary access tokens
+     */
     private TemporaryAccessTokens tokens = TemporaryAccessTokens.EMPTY;
+    /**
+     * OIDC tokens
+     */
     private OAuthTokens oauth = OAuthTokens.EMPTY;
+    /**
+     * Custom protocol dependent properties related to authentication
+     */
+    private final Map<String, String> properties = new HashMap<>();
 
     /**
      * Private key identity for SSH public key authentication.
      */
     private Local identity;
+    /**
+     * Passphrase for private key identity for SSH public key authentication.
+     */
     private String identityPassphrase = StringUtils.EMPTY;
 
     /**
@@ -69,6 +85,7 @@ public Credentials(final Credentials copy) {
         this.password = copy.password;
         this.tokens = copy.tokens;
         this.oauth = copy.oauth;
+        this.properties.putAll(copy.properties);
         this.identity = copy.identity;
         this.identityPassphrase = copy.identityPassphrase;
         this.certificate = copy.certificate;
@@ -199,15 +216,26 @@ public boolean isAnonymousLogin() {
     }
 
     public boolean isPasswordAuthentication() {
+        return this.isPasswordAuthentication(false);
+    }
+
+    /**
+     * @param allowblank Allow blank password
+     */
+    public boolean isPasswordAuthentication(final boolean allowblank) {
+        if(allowblank) {
+            // Allow blank password
+            return Objects.nonNull(password);
+        }
         return StringUtils.isNotBlank(password);
     }
 
     public boolean isTokenAuthentication() {
-        return StringUtils.isNotBlank(tokens.getSessionToken());
+        return tokens != TemporaryAccessTokens.EMPTY;
     }
 
     public boolean isOAuthAuthentication() {
-        return oauth.validate();
+        return oauth != OAuthTokens.EMPTY;
     }
 
     /**
@@ -273,6 +301,16 @@ public boolean isCertificateAuthentication() {
         return true;
     }
 
+    public Credentials withProperty(final String key, final String value) {
+        properties.put(key, value);
+        return this;
+    }
+
+    @Override
+    public String getProperty(final String key) {
+        return properties.get(key);
+    }
+
     /**
      * @param protocol The protocol to verify against.
      * @param options  Options
@@ -337,6 +375,7 @@ public String toString() {
         sb.append(", tokens='").append(tokens).append('\'');
         sb.append(", oauth='").append(oauth).append('\'');
         sb.append(", identity=").append(identity);
+        sb.append(", properties=").append(properties);
         sb.append('}');
         return sb.toString();
     }

core/src/main/java/ch/cyberduck/core/Credentials.java

@@ -20,6 +20,7 @@
 
 import ch.cyberduck.core.ftp.FTPConnectMode;
 import ch.cyberduck.core.preferences.PreferencesFactory;
+import ch.cyberduck.core.preferences.PreferencesReader;
 import ch.cyberduck.core.serializer.Serializer;
 
 import org.apache.commons.lang3.StringUtils;
@@ -31,7 +32,7 @@
 import java.util.Set;
 import java.util.TimeZone;
 
-public class Host implements Serializable, Comparable<Host> {
+public class Host implements Serializable, Comparable<Host>, PreferencesReader {
 
     /**
      * The credentials to authenticate with for the CDN
@@ -347,6 +348,7 @@ public Credentials getCredentials() {
     }
 
     public void setCredentials(final Credentials credentials) {
+        log.debug("Setting credentials for {} to {}", this, credentials);
         this.credentials = credentials;
     }
 
@@ -527,11 +529,15 @@ public void setTimezone(final TimeZone timezone) {
      * @param key Property name
      * @return Value for property key
      */
+    @Override
     public String getProperty(final String key) {
         final Map<String, String> overrides = this.getCustom();
         if(overrides.containsKey(key)) {
             return overrides.get(key);
         }
+        if(credentials.getProperty(key) != null) {
+            return credentials.getProperty(key);
+        }
         return protocol.getProperties().get(key);
     }
 

core/src/main/java/ch/cyberduck/core/Host.java

@@ -22,7 +22,6 @@
 import ch.cyberduck.core.exception.LocalAccessDeniedException;
 import ch.cyberduck.core.exception.LoginCanceledException;
 import ch.cyberduck.core.exception.LoginFailureException;
-import ch.cyberduck.core.proxy.ProxyFinder;
 import ch.cyberduck.core.threading.CancelCallback;
 
 import org.apache.commons.lang3.StringUtils;
@@ -61,8 +60,7 @@ public void validate(final Host bookmark, final LoginCallback prompt, final Logi
                     if(StringUtils.isNotBlank(password)) {
                         log.info("Fetched password from keychain for {}", bookmark);
                         // No need to reinsert found password to the keychain.
-                        credentials.setSaved(false);
-                        credentials.setPassword(password);
+                        credentials.withPassword(password).setSaved(false);
                     }
                 }
             }
@@ -72,8 +70,7 @@ public void validate(final Host bookmark, final LoginCallback prompt, final Logi
                     if(StringUtils.isNotBlank(token)) {
                         log.info("Fetched token from keychain for {}", bookmark);
                         // No need to reinsert found token to the keychain.
-                        credentials.setSaved(false);
-                        credentials.setToken(token);
+                        credentials.withToken(token).setSaved(false);
                     }
                 }
             }
@@ -82,26 +79,27 @@ public void validate(final Host bookmark, final LoginCallback prompt, final Logi
                 if(StringUtils.isNotBlank(passphrase)) {
                     log.info("Fetched private key passphrase from keychain for {}", bookmark);
                     // No need to reinsert found token to the keychain.
-                    credentials.setSaved(false);
-                    credentials.setIdentityPassphrase(passphrase);
+                    credentials.withIdentityPassphrase(passphrase).setSaved(false);
                 }
             }
             if(options.oauth) {
                 final OAuthTokens tokens = keychain.findOAuthTokens(bookmark);
                 if(tokens.validate()) {
                     log.info("Fetched OAuth token from keychain for {}", bookmark);
                     // No need to reinsert found token to the keychain.
-                    credentials.setSaved(tokens.isExpired());
-                    credentials.setOauth(tokens);
+                    credentials.withOauth(tokens).setSaved(tokens.isExpired());
                 }
             }
         }
         if(!credentials.validate(bookmark.getProtocol(), options)) {
-            final CredentialsConfigurator configurator = bookmark.getProtocol().getFeature(CredentialsConfigurator.class);
+            final CredentialsConfigurator configurator = CredentialsConfiguratorFactory.get(bookmark.getProtocol());
             log.debug("Auto configure credentials with {}", configurator);
-            bookmark.setCredentials(configurator.configure(bookmark));
-        }
-        if(!credentials.validate(bookmark.getProtocol(), options)) {
+            final Credentials configuration = configurator.configure(bookmark);
+            if(configuration.validate(bookmark.getProtocol(), options)) {
+                bookmark.setCredentials(configuration);
+                log.info("Auto configured credentials {} for {}", configuration, bookmark);
+                return;
+            }
             final StringAppender message = new StringAppender();
             if(options.password) {
                 message.append(MessageFormat.format(LocaleFactory.localizedString(
@@ -157,7 +155,7 @@ public boolean prompt(final Host bookmark, final String message, final LoginCall
     }
 
     @Override
-    public boolean authenticate(final ProxyFinder proxy, final Session session, final ProgressListener listener,
+    public boolean authenticate(final Session<?> session, final ProgressListener listener,
                                 final LoginCallback prompt, final CancelCallback cancel) throws BackgroundException {
         final Host bookmark = session.getHost();
         final Credentials credentials = bookmark.getCredentials();
@@ -187,7 +185,7 @@ public boolean authenticate(final ProxyFinder proxy, final Session session, fina
                     c.initCause(e);
                 }
                 catch(IllegalArgumentException | IllegalStateException r) {
-                    log.warn("Ignore error {} initializing faiulre {} with cause {}", r, e, c);
+                    log.warn("Ignore error {} initializing failure {} with cause {}", r, e, c);
                 }
                 throw c;
             }

core/src/main/java/ch/cyberduck/core/KeychainLoginService.java

@@ -151,19 +151,19 @@ public void connect(final Session<?> session, final CancelCallback cancel) throw
         }
         // Login
         try {
-            this.authenticate(proxy, session, cancel);
+            this.authenticate(session, cancel);
         }
         catch(BackgroundException e) {
             this.close(session);
             throw e;
         }
     }
 
-    private void authenticate(final ProxyFinder proxy, final Session session, final CancelCallback callback) throws BackgroundException {
-        if(!login.authenticate(proxy, session, listener, prompt, callback)) {
+    private void authenticate(final Session<?> session, final CancelCallback callback) throws BackgroundException {
+        if(!login.authenticate(session, listener, prompt, callback)) {
             if(session.isConnected()) {
                 // Next attempt with updated credentials but cancel when prompt is dismissed
-                this.authenticate(proxy, session, callback);
+                this.authenticate(session, callback);
             }
             else {
                 // Reconnect and next attempt with updated credentials

core/src/main/java/ch/cyberduck/core/LoginConnectionService.java

@@ -21,12 +21,11 @@
 import ch.cyberduck.core.exception.ConnectionCanceledException;
 import ch.cyberduck.core.exception.LoginCanceledException;
 import ch.cyberduck.core.exception.LoginFailureException;
-import ch.cyberduck.core.proxy.ProxyFinder;
 import ch.cyberduck.core.threading.CancelCallback;
 
 public interface LoginService {
     /**
-     * Obtain password from keychain or prompt panel
+     * Obtain password from password store or prompt user for input
      *
      * @param bookmark Credentials
      * @param pompt    Login prompt
@@ -37,14 +36,13 @@ public interface LoginService {
     /**
      * Login and prompt on failure
      *
-     * @param proxy    Proxy configuration
      * @param session  Session
      * @param listener Authentication message callback
-     * @param prompt    Login prompt
+     * @param prompt   Login prompt
      * @param cancel   Cancel callback while authentication is in progress
      * @return False if authentication fails
      * @throws LoginCanceledException Login prompt canceled by user
      * @throws LoginFailureException  Login attempt failed
      */
-    boolean authenticate(ProxyFinder proxy, Session session, ProgressListener listener, LoginCallback prompt, CancelCallback cancel) throws BackgroundException;
+    boolean authenticate(Session<?> session, ProgressListener listener, LoginCallback prompt, CancelCallback cancel) throws BackgroundException;
 }

core/src/main/java/ch/cyberduck/core/LoginService.java

@@ -20,7 +20,7 @@
 import java.util.Objects;
 
 public final class OAuthTokens {
-    public static final OAuthTokens EMPTY = new OAuthTokens(null, null, Long.MAX_VALUE, null);
+    public static final OAuthTokens EMPTY = new OAuthTokens(null, null, -1L, null);
 
     private final String accessToken;
     private final String refreshToken;