Merge pull request #185 from /issues/184-sts

Refactor handlers for temporary authentication tokens

Author: dkocher

hub/src/main/java/cloud/katta/protocols/hub/HubUVFVault.java

@@ -17,6 +17,7 @@
 import ch.cyberduck.core.cryptomator.UVFVault;
 import ch.cyberduck.core.exception.BackgroundException;
 import ch.cyberduck.core.features.Directory;
+import ch.cyberduck.core.features.Write;
 import ch.cyberduck.core.preferences.PreferencesFactory;
 import ch.cyberduck.core.proxy.ProxyFactory;
 import ch.cyberduck.core.transfer.TransferStatus;
@@ -89,9 +90,9 @@ public synchronized Path create(final Session<?> session, final String region, f
         log.debug("Create vault root directory at {}", secondLevel);
         final TransferStatus status = (new TransferStatus()).setRegion(region);
 
-        directory.mkdir(dataDir, status);
-        directory.mkdir(firstLevel, status);
-        directory.mkdir(secondLevel, status);
+        directory.mkdir(session._getFeature(Write.class), dataDir, status);
+        directory.mkdir(session._getFeature(Write.class), firstLevel, status);
+        directory.mkdir(session._getFeature(Write.class), secondLevel, status);
         new ContentWriter(session).write(new Path(secondLevel, "dir.uvf", EnumSet.of(AbstractPath.Type.file)), rootDirUvf);
         return home;
     }

hub/src/main/java/cloud/katta/protocols/s3/S3AssumeRoleProtocol.java

@@ -5,6 +5,7 @@
 package cloud.katta.protocols.s3;
 
 import ch.cyberduck.core.CredentialsConfigurator;
+import ch.cyberduck.core.Profile;
 import ch.cyberduck.core.Protocol;
 import ch.cyberduck.core.s3.S3Protocol;
 
@@ -19,9 +20,9 @@ public class S3AssumeRoleProtocol extends S3Protocol {
     public static final String OAUTH_TOKENEXCHANGE_BASEPATH = "oauth.tokenexchange.basepath";
 
     // STS assume role with web identity from Cyberduck core (AWS + MinIO)
-    public static final String S3_ASSUMEROLE_ROLEARN = "s3.assumerole.rolearn";
-    public static final String S3_ASSUMEROLE_ROLESESSIONNAME = "s3.assumerole.rolesessionname";
-    public static final String S3_ASSUMEROLE_DURATIONSECONDS = "s3.assumerole.durationseconds";
+    public static final String S3_ASSUMEROLE_ROLEARN = Profile.STS_ROLE_ARN_PROPERTY_KEY;
+    public static final String S3_ASSUMEROLE_ROLESESSIONNAME = Profile.STS_ROLE_SESSION_NAME_PROPERTY_KEY;
+    public static final String S3_ASSUMEROLE_DURATIONSECONDS = Profile.STS_DURATION_SECONDS_PROPERTY_KEY;
     public static final String S3_ASSUMEROLE_POLICY = "s3.assumerole.policy";
     // STS role chaining (AWS only)
     public static final String S3_ASSUMEROLE_ROLEARN_2 = "s3.assumerole.rolearn.2";

hub/src/main/java/cloud/katta/protocols/s3/S3AssumeRoleSession.java

@@ -7,33 +7,20 @@
 import ch.cyberduck.core.Host;
 import ch.cyberduck.core.LoginCallback;
 import ch.cyberduck.core.OAuthTokens;
-import ch.cyberduck.core.aws.CustomClientConfiguration;
 import ch.cyberduck.core.exception.LoginCanceledException;
-import ch.cyberduck.core.http.CustomServiceUnavailableRetryStrategy;
-import ch.cyberduck.core.http.ExecutionCountServiceUnavailableRetryStrategy;
 import ch.cyberduck.core.oauth.OAuth2AuthorizationService;
 import ch.cyberduck.core.oauth.OAuth2RequestInterceptor;
-import ch.cyberduck.core.preferences.HostPreferences;
-import ch.cyberduck.core.proxy.ProxyFinder;
-import ch.cyberduck.core.s3.S3AuthenticationResponseInterceptor;
+import ch.cyberduck.core.preferences.HostPreferencesFactory;
 import ch.cyberduck.core.s3.S3CredentialsStrategy;
 import ch.cyberduck.core.s3.S3Session;
-import ch.cyberduck.core.ssl.ThreadLocalHostnameDelegatingTrustManager;
 import ch.cyberduck.core.ssl.X509KeyManager;
 import ch.cyberduck.core.ssl.X509TrustManager;
-import ch.cyberduck.core.sts.STSAssumeRoleCredentialsRequestInterceptor;
+import ch.cyberduck.core.sts.STSRequestInterceptor;
 
-import org.apache.commons.lang3.StringUtils;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import com.amazonaws.auth.AWSStaticCredentialsProvider;
-import com.amazonaws.auth.AnonymousAWSCredentials;
-import com.amazonaws.client.builder.AwsClientBuilder;
-import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
-import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
-
 import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE;
 
 public class S3AssumeRoleSession extends S3Session {
@@ -45,18 +32,17 @@ public S3AssumeRoleSession(final Host host, final X509TrustManager trust, final
 
     /**
      * Configured by default with credentials strategy using assume role with web identity followed by
-     * exchaing the retrieved OIDC token with scoped OAuth tokens to obtain temporary credentials from security
+     * exchanging the retrieved OIDC token with scoped OAuth tokens to obtain temporary credentials from security
      * token server (STS)
      *
      * @see S3AssumeRoleProtocol#OAUTH_TOKENEXCHANGE
      * @see S3AssumeRoleProtocol#S3_ASSUMEROLE_ROLEARN_2
      */
     @Override
-    protected S3CredentialsStrategy configureCredentialsStrategy(final ProxyFinder proxy, final HttpClientBuilder configuration,
-                                                                 final LoginCallback prompt) throws LoginCanceledException {
+    protected S3CredentialsStrategy configureCredentialsStrategy(final HttpClientBuilder configuration, final LoginCallback prompt) throws LoginCanceledException {
         if(host.getProtocol().isOAuthConfigurable()) {
             final OAuth2RequestInterceptor oauth;
-            if(new HostPreferences(host).getBoolean(OAUTH_TOKENEXCHANGE)) {
+            if(HostPreferencesFactory.get(host).getBoolean(OAUTH_TOKENEXCHANGE)) {
                 oauth = new TokenExchangeRequestInterceptor(configuration.build(), host, prompt);
             }
             else {
@@ -68,37 +54,16 @@ protected S3CredentialsStrategy configureCredentialsStrategy(final ProxyFinder p
             }
             log.debug("Register interceptor {}", oauth);
             configuration.addInterceptorLast(oauth);
-            final AWSSecurityTokenService tokenService = AWSSecurityTokenServiceClientBuilder
-                    .standard()
-                    .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(host.getProtocol().getSTSEndpoint(), null))
-                    .withCredentials(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()))
-                    .withClientConfiguration(new CustomClientConfiguration(host,
-                            new ThreadLocalHostnameDelegatingTrustManager(trust, host.getProtocol().getSTSEndpoint()), key))
-                    .build();
-            final STSAssumeRoleCredentialsRequestInterceptor sts;
-            if(StringUtils.isNotBlank(host.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN_2))) {
-                sts = new STSChainedAssumeRoleRequestInterceptor(oauth, this, tokenService, prompt) {
-                    @Override
-                    protected String getWebIdentityToken(final OAuthTokens oauth) {
-                        return oauth.getAccessToken();
-                    }
-                };
-            }
-            else {
-                sts = new STSAssumeRoleCredentialsRequestInterceptor(oauth, this, tokenService, prompt) {
-                    @Override
-                    protected String getWebIdentityToken(final OAuthTokens oauth) {
-                        return oauth.getAccessToken();
-                    }
-                };
-            }
+            final STSRequestInterceptor sts = new STSChainedAssumeRoleRequestInterceptor(oauth, host, trust, key, prompt) {
+                @Override
+                protected String getWebIdentityToken(final OAuthTokens oauth) {
+                    return oauth.getAccessToken();
+                }
+            };
             log.debug("Register interceptor {}", sts);
             configuration.addInterceptorLast(sts);
-            final S3AuthenticationResponseInterceptor interceptor = new S3AuthenticationResponseInterceptor(this, sts);
-            configuration.setServiceUnavailableRetryStrategy(new CustomServiceUnavailableRetryStrategy(host,
-                    new ExecutionCountServiceUnavailableRetryStrategy(interceptor)));
             return sts;
         }
-        return super.configureCredentialsStrategy(proxy, configuration, prompt);
+        return super.configureCredentialsStrategy(configuration, prompt);
     }
 }

hub/src/main/java/cloud/katta/protocols/s3/STSChainedAssumeRoleRequestInterceptor.java

@@ -4,129 +4,59 @@
 
 package cloud.katta.protocols.s3;
 
-import ch.cyberduck.core.AsciiRandomStringService;
+import ch.cyberduck.core.Credentials;
 import ch.cyberduck.core.Host;
 import ch.cyberduck.core.LoginCallback;
-import ch.cyberduck.core.OAuthTokens;
+import ch.cyberduck.core.Profile;
 import ch.cyberduck.core.TemporaryAccessTokens;
 import ch.cyberduck.core.exception.BackgroundException;
-import ch.cyberduck.core.exception.LoginFailureException;
 import ch.cyberduck.core.oauth.OAuth2RequestInterceptor;
-import ch.cyberduck.core.preferences.HostPreferences;
 import ch.cyberduck.core.preferences.PreferencesReader;
-import ch.cyberduck.core.s3.S3Session;
-import ch.cyberduck.core.sts.STSAssumeRoleCredentialsRequestInterceptor;
-import ch.cyberduck.core.sts.STSExceptionMappingService;
+import ch.cyberduck.core.preferences.ProxyPreferencesReader;
+import ch.cyberduck.core.ssl.X509KeyManager;
+import ch.cyberduck.core.ssl.X509TrustManager;
+import ch.cyberduck.core.sts.STSAssumeRoleWithWebIdentityRequestInterceptor;
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import java.util.Collections;
-
-import com.amazonaws.auth.AWSSessionCredentials;
-import com.amazonaws.auth.AWSSessionCredentialsProvider;
-import com.amazonaws.auth.BasicSessionCredentials;
-import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
-import com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException;
-import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
-import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
-import com.amazonaws.services.securitytoken.model.Tag;
-import com.auth0.jwt.JWT;
-import com.auth0.jwt.exceptions.JWTDecodeException;
-
 /**
  * Assume role with temporary credentials obtained using OIDC token from security token service (STS)
  */
-public class STSChainedAssumeRoleRequestInterceptor extends STSAssumeRoleCredentialsRequestInterceptor {
+public class STSChainedAssumeRoleRequestInterceptor extends STSAssumeRoleWithWebIdentityRequestInterceptor {
     private static final Logger log = LogManager.getLogger(STSChainedAssumeRoleRequestInterceptor.class);
 
     private final Host bookmark;
-    private final AWSSecurityTokenService service;
-
-    public STSChainedAssumeRoleRequestInterceptor(final OAuth2RequestInterceptor oauth, final S3Session session,
-                                                  final AWSSecurityTokenService service, final LoginCallback prompt) {
-        super(oauth, session, service, prompt);
-        this.service = service;
-        this.bookmark = session.getHost();
-    }
 
-    @Override
-    public TemporaryAccessTokens authorize(final OAuthTokens oauth) throws BackgroundException {
-        return this.authorize(oauth, super.authorize(oauth));
+    public STSChainedAssumeRoleRequestInterceptor(final OAuth2RequestInterceptor oauth, final Host host,
+                                                  final X509TrustManager trust, final X509KeyManager key,
+                                                  final LoginCallback prompt) {
+        super(oauth, host, trust, key, prompt);
+        this.bookmark = host;
     }
 
     /**
      * Assume role with previously obtained temporary access token
      *
-     * @param tokens Session credentials
+     * @param credentials Session credentials
      * @return Temporary scoped access tokens
      * @throws ch.cyberduck.core.exception.ExpiredTokenException Expired identity
      * @throws ch.cyberduck.core.exception.LoginFailureException Authorization failure
      */
-    public TemporaryAccessTokens authorize(final OAuthTokens oauth, final TemporaryAccessTokens tokens) throws BackgroundException {
-        final AssumeRoleRequest request = new AssumeRoleRequest()
-                .withRequestCredentialsProvider(new AWSSessionCredentialsProvider() {
-                    @Override
-                    public AWSSessionCredentials getCredentials() {
-                        return new BasicSessionCredentials(
-                                tokens.getAccessKeyId(),
-                                tokens.getSecretAccessKey(),
-                                tokens.getSessionToken());
-                    }
-
-                    @Override
-                    public void refresh() {
-                        // nothing to do
-                    }
-                });
-        log.debug("Chained assume role for {}", bookmark);
-        log.debug("Assume role with temporary credentials {}", tokens);
-        final PreferencesReader preferences = new HostPreferences(bookmark);
-        if(preferences.getInteger(S3AssumeRoleProtocol.S3_ASSUMEROLE_DURATIONSECONDS) != -1) {
-            request.setDurationSeconds(preferences.getInteger(S3AssumeRoleProtocol.S3_ASSUMEROLE_DURATIONSECONDS));
-        }
-        if(StringUtils.isNotBlank(preferences.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_POLICY))) {
-            request.setPolicy(preferences.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_POLICY));
-        }
-        request.setRoleArn(preferences.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN_2));
-        final String sub;
-        final String identityToken = this.getWebIdentityToken(oauth);
-        try {
-            sub = JWT.decode(identityToken).getSubject();
-        }
-        catch(JWTDecodeException e) {
-            log.warn("Failure {} decoding JWT {}", e, identityToken);
-            throw new LoginFailureException("Invalid JWT or JSON format in authentication token", e);
-        }
-        if(StringUtils.isNotBlank(preferences.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLESESSIONNAME))) {
-            request.setRoleSessionName(preferences.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLESESSIONNAME));
-        }
-        else {
-            if(StringUtils.isNotBlank(sub)) {
-                request.setRoleSessionName(sub);
-            }
-            else {
-                log.warn("Missing subject in decoding JWT {}", identityToken);
-                request.setRoleSessionName(new AsciiRandomStringService().random());
-            }
-        }
-        if(StringUtils.isNotBlank(preferences.getProperty("s3.assumerole.tag"))) {
-            request.setTags(Collections.singletonList(new Tag()
-                    .withKey(preferences.getProperty("s3.assumerole.tag"))
-                    .withValue(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_VAULT))));
-        }
-        try {
-            log.debug("Use request {}", request);
-            final AssumeRoleResult result = service.assumeRole(request);
-            log.debug("Received assume role result {} for host {}", result, bookmark);
-            return new TemporaryAccessTokens(result.getCredentials().getAccessKeyId(),
-                    result.getCredentials().getSecretAccessKey(),
-                    result.getCredentials().getSessionToken(),
-                    result.getCredentials().getExpiration().getTime());
-        }
-        catch(AWSSecurityTokenServiceException e) {
-            throw new STSExceptionMappingService().map(e);
-        }
+    @Override
+    public TemporaryAccessTokens assumeRoleWithWebIdentity(final Credentials credentials) throws BackgroundException {
+        final PreferencesReader settings = new ProxyPreferencesReader(bookmark, credentials);
+        final TemporaryAccessTokens tokens = super.assumeRoleWithWebIdentity(credentials
+                .withProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, settings.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN)));
+        if(StringUtils.isNotBlank(settings.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN_2))) {
+            log.debug("Assume role with temporary credentials {}", tokens);
+            // Assume role with previously obtained temporary access token
+            return super.assumeRole(credentials.withTokens(tokens)
+                    .withProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, settings.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN_2))
+                    .withProperty(Profile.STS_TAGS_PROPERTY_KEY, String.format("%s=%s", "VaultRequested", settings.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_VAULT)))
+            );
+        }
+        return tokens;
     }
 }

hub/src/main/java/cloud/katta/workflows/CreateVaultService.java

@@ -202,7 +202,7 @@ static class STSInlinePolicyService {
         static STSInlinePolicyService disabled = new STSInlinePolicyService() {
             @Override
             TemporaryAccessTokens getSTSTokensFromAccessTokenWithCreateBucketInlinePolicy(final String token, final String roleArn, final String roleSessionName, final String stsEndpoint, final String bucketName, final String region, final Boolean bucketAcceleration) {
-                return new TemporaryAccessTokens(null);
+                return TemporaryAccessTokens.EMPTY;
             }
         };
 

hub/src/test/java/cloud/katta/core/AbstractHubSynchronizeTest.java

@@ -270,7 +270,7 @@ public void test03AddVault(final HubTestConfig config) throws Exception {
                 assertNotNull(vaults.find(new SimplePathPredicate(bucket)));
 
                 assertTrue(hubSession.getFeature(Find.class).find(bucket));
-                assertEquals(bucket.attributes(), hubSession.getFeature(AttributesFinder.class).find(bucket));
+                assertEquals(config.vault.region, hubSession.getFeature(AttributesFinder.class).find(bucket).getRegion());
 
                 assertNotSame(Vault.DISABLED, vaultRegistry.find(hubSession, bucket));
 
@@ -304,7 +304,7 @@ public void test03AddVault(final HubTestConfig config) throws Exception {
                 // directory creation and listing
                 final Path folder = new Path(vault, new AlphanumericRandomStringService(25).random(), EnumSet.of(Path.Type.directory));
 
-                hubSession.getFeature(Directory.class).mkdir(folder, new TransferStatus());
+                hubSession.getFeature(Directory.class).mkdir(hubSession.getFeature(Write.class), folder, new TransferStatus());
                 final AttributedList<Path> list = hubSession.getFeature(ListService.class).list(vault, new DisabledListProgressListener());
                 assertEquals(2, list.size()); // a file and a folder
 

hub/src/test/java/cloud/katta/testsetup/AbstractHubTest.java

@@ -50,14 +50,11 @@ public abstract class AbstractHubTest extends VaultTest {
     private static final HubTestConfig.VaultSpec minioSTSVaultConfig = new HubTestConfig.VaultSpec("MinIO STS", "732D43FA-3716-46C4-B931-66EA5405EF1C",
             null, null, null, "eu-west-1");
     private static final HubTestConfig.VaultSpec minioStaticVaultConfig = new HubTestConfig.VaultSpec("MinIO static", "71B910E0-2ECC-46DE-A871-8DB28549677E",
-            "handmade", "minioadmin", "minioadmin", null);
+            "handmade", "minioadmin", "minioadmin", "us-east-1");
     private static final HubTestConfig.VaultSpec awsSTSVaultConfig = new HubTestConfig.VaultSpec("AWS STS", "844BD517-96D4-4787-BCFA-238E103149F6",
             null, null, null, "eu-west-1");
     private static final HubTestConfig.VaultSpec awsStaticVaultConfig = new HubTestConfig.VaultSpec("AWS static", "72736C19-283C-49D3-80A5-AB74B5202543",
-            "handmade2",
-            PROPERTIES.get("handmade2.s3.amazonaws.com.username"),
-            PROPERTIES.get("handmade2.s3.amazonaws.com.password"),
-            "eu-north-1"
+            "handmade2", PROPERTIES.get("handmade2.s3.amazonaws.com.username"), PROPERTIES.get("handmade2.s3.amazonaws.com.password"), "eu-north-1"
     );
 
     /**