Adopt reusable authentication with temporeary credentials assuming role from STS.

dkocher · dkocher · commit bffc3bb2c732 · 2025-10-15T13:58:53.000+02:00
diff --git a/hub/src/main/java/cloud/katta/protocols/s3/S3AssumeRoleSession.java b/hub/src/main/java/cloud/katta/protocols/s3/S3AssumeRoleSession.java
@@ -7,33 +7,20 @@
 import ch.cyberduck.core.Host;
 import ch.cyberduck.core.LoginCallback;
 import ch.cyberduck.core.OAuthTokens;
-import ch.cyberduck.core.aws.CustomClientConfiguration;
 import ch.cyberduck.core.exception.LoginCanceledException;
-import ch.cyberduck.core.http.CustomServiceUnavailableRetryStrategy;
-import ch.cyberduck.core.http.ExecutionCountServiceUnavailableRetryStrategy;
 import ch.cyberduck.core.oauth.OAuth2AuthorizationService;
 import ch.cyberduck.core.oauth.OAuth2RequestInterceptor;
-import ch.cyberduck.core.preferences.HostPreferences;
-import ch.cyberduck.core.proxy.ProxyFinder;
-import ch.cyberduck.core.s3.S3AuthenticationResponseInterceptor;
+import ch.cyberduck.core.preferences.HostPreferencesFactory;
 import ch.cyberduck.core.s3.S3CredentialsStrategy;
 import ch.cyberduck.core.s3.S3Session;
-import ch.cyberduck.core.ssl.ThreadLocalHostnameDelegatingTrustManager;
 import ch.cyberduck.core.ssl.X509KeyManager;
 import ch.cyberduck.core.ssl.X509TrustManager;
-import ch.cyberduck.core.sts.STSAssumeRoleCredentialsRequestInterceptor;
+import ch.cyberduck.core.sts.STSRequestInterceptor;
 
-import org.apache.commons.lang3.StringUtils;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import com.amazonaws.auth.AWSStaticCredentialsProvider;
-import com.amazonaws.auth.AnonymousAWSCredentials;
-import com.amazonaws.client.builder.AwsClientBuilder;
-import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
-import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
-
 import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE;
 
 public class S3AssumeRoleSession extends S3Session {
@@ -45,18 +32,17 @@ public S3AssumeRoleSession(final Host host, final X509TrustManager trust, final
 
     /**
      * Configured by default with credentials strategy using assume role with web identity followed by
-     * exchaing the retrieved OIDC token with scoped OAuth tokens to obtain temporary credentials from security
+     * exchanging the retrieved OIDC token with scoped OAuth tokens to obtain temporary credentials from security
      * token server (STS)
      *
      * @see S3AssumeRoleProtocol#OAUTH_TOKENEXCHANGE
      * @see S3AssumeRoleProtocol#S3_ASSUMEROLE_ROLEARN_2
      */
     @Override
-    protected S3CredentialsStrategy configureCredentialsStrategy(final ProxyFinder proxy, final HttpClientBuilder configuration,
-                                                                 final LoginCallback prompt) throws LoginCanceledException {
+    protected S3CredentialsStrategy configureCredentialsStrategy(final HttpClientBuilder configuration, final LoginCallback prompt) throws LoginCanceledException {
         if(host.getProtocol().isOAuthConfigurable()) {
             final OAuth2RequestInterceptor oauth;
-            if(new HostPreferences(host).getBoolean(OAUTH_TOKENEXCHANGE)) {
+            if(HostPreferencesFactory.get(host).getBoolean(OAUTH_TOKENEXCHANGE)) {
                 oauth = new TokenExchangeRequestInterceptor(configuration.build(), host, prompt);
             }
             else {
@@ -68,37 +54,16 @@ protected S3CredentialsStrategy configureCredentialsStrategy(final ProxyFinder p
             }
             log.debug("Register interceptor {}", oauth);
             configuration.addInterceptorLast(oauth);
-            final AWSSecurityTokenService tokenService = AWSSecurityTokenServiceClientBuilder
-                    .standard()
-                    .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(host.getProtocol().getSTSEndpoint(), null))
-                    .withCredentials(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()))
-                    .withClientConfiguration(new CustomClientConfiguration(host,
-                            new ThreadLocalHostnameDelegatingTrustManager(trust, host.getProtocol().getSTSEndpoint()), key))
-                    .build();
-            final STSAssumeRoleCredentialsRequestInterceptor sts;
-            if(StringUtils.isNotBlank(host.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN_2))) {
-                sts = new STSChainedAssumeRoleRequestInterceptor(oauth, this, tokenService, prompt) {
-                    @Override
-                    protected String getWebIdentityToken(final OAuthTokens oauth) {
-                        return oauth.getAccessToken();
-                    }
-                };
-            }
-            else {
-                sts = new STSAssumeRoleCredentialsRequestInterceptor(oauth, this, tokenService, prompt) {
-                    @Override
-                    protected String getWebIdentityToken(final OAuthTokens oauth) {
-                        return oauth.getAccessToken();
-                    }
-                };
-            }
+            final STSRequestInterceptor sts = new STSChainedAssumeRoleRequestInterceptor(oauth, host, trust, key, prompt) {
+                @Override
+                protected String getWebIdentityToken(final OAuthTokens oauth) {
+                    return oauth.getAccessToken();
+                }
+            };
             log.debug("Register interceptor {}", sts);
             configuration.addInterceptorLast(sts);
-            final S3AuthenticationResponseInterceptor interceptor = new S3AuthenticationResponseInterceptor(this, sts);
-            configuration.setServiceUnavailableRetryStrategy(new CustomServiceUnavailableRetryStrategy(host,
-                    new ExecutionCountServiceUnavailableRetryStrategy(interceptor)));
             return sts;
         }
-        return super.configureCredentialsStrategy(proxy, configuration, prompt);
+        return super.configureCredentialsStrategy(configuration, prompt);
     }
 }
diff --git a/hub/src/main/java/cloud/katta/protocols/s3/STSChainedAssumeRoleRequestInterceptor.java b/hub/src/main/java/cloud/katta/protocols/s3/STSChainedAssumeRoleRequestInterceptor.java
@@ -4,129 +4,59 @@
 
 package cloud.katta.protocols.s3;
 
-import ch.cyberduck.core.AsciiRandomStringService;
+import ch.cyberduck.core.Credentials;
 import ch.cyberduck.core.Host;
 import ch.cyberduck.core.LoginCallback;
-import ch.cyberduck.core.OAuthTokens;
+import ch.cyberduck.core.Profile;
 import ch.cyberduck.core.TemporaryAccessTokens;
 import ch.cyberduck.core.exception.BackgroundException;
-import ch.cyberduck.core.exception.LoginFailureException;
 import ch.cyberduck.core.oauth.OAuth2RequestInterceptor;
-import ch.cyberduck.core.preferences.HostPreferences;
 import ch.cyberduck.core.preferences.PreferencesReader;
-import ch.cyberduck.core.s3.S3Session;
-import ch.cyberduck.core.sts.STSAssumeRoleCredentialsRequestInterceptor;
-import ch.cyberduck.core.sts.STSExceptionMappingService;
+import ch.cyberduck.core.preferences.ProxyPreferencesReader;
+import ch.cyberduck.core.ssl.X509KeyManager;
+import ch.cyberduck.core.ssl.X509TrustManager;
+import ch.cyberduck.core.sts.STSAssumeRoleWithWebIdentityRequestInterceptor;
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import java.util.Collections;
-
-import com.amazonaws.auth.AWSSessionCredentials;
-import com.amazonaws.auth.AWSSessionCredentialsProvider;
-import com.amazonaws.auth.BasicSessionCredentials;
-import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
-import com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException;
-import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
-import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
-import com.amazonaws.services.securitytoken.model.Tag;
-import com.auth0.jwt.JWT;
-import com.auth0.jwt.exceptions.JWTDecodeException;
-
 /**
  * Assume role with temporary credentials obtained using OIDC token from security token service (STS)
  */
-public class STSChainedAssumeRoleRequestInterceptor extends STSAssumeRoleCredentialsRequestInterceptor {
+public class STSChainedAssumeRoleRequestInterceptor extends STSAssumeRoleWithWebIdentityRequestInterceptor {
     private static final Logger log = LogManager.getLogger(STSChainedAssumeRoleRequestInterceptor.class);
 
     private final Host bookmark;
-    private final AWSSecurityTokenService service;
-
-    public STSChainedAssumeRoleRequestInterceptor(final OAuth2RequestInterceptor oauth, final S3Session session,
-                                                  final AWSSecurityTokenService service, final LoginCallback prompt) {
-        super(oauth, session, service, prompt);
-        this.service = service;
-        this.bookmark = session.getHost();
-    }
 
-    @Override
-    public TemporaryAccessTokens authorize(final OAuthTokens oauth) throws BackgroundException {
-        return this.authorize(oauth, super.authorize(oauth));
+    public STSChainedAssumeRoleRequestInterceptor(final OAuth2RequestInterceptor oauth, final Host host,
+                                                  final X509TrustManager trust, final X509KeyManager key,
+                                                  final LoginCallback prompt) {
+        super(oauth, host, trust, key, prompt);
+        this.bookmark = host;
     }
 
     /**
      * Assume role with previously obtained temporary access token
      *
-     * @param tokens Session credentials
+     * @param credentials Session credentials
      * @return Temporary scoped access tokens
      * @throws ch.cyberduck.core.exception.ExpiredTokenException Expired identity
      * @throws ch.cyberduck.core.exception.LoginFailureException Authorization failure
      */
-    public TemporaryAccessTokens authorize(final OAuthTokens oauth, final TemporaryAccessTokens tokens) throws BackgroundException {
-        final AssumeRoleRequest request = new AssumeRoleRequest()
-                .withRequestCredentialsProvider(new AWSSessionCredentialsProvider() {
-                    @Override
-                    public AWSSessionCredentials getCredentials() {
-                        return new BasicSessionCredentials(
-                                tokens.getAccessKeyId(),
-                                tokens.getSecretAccessKey(),
-                                tokens.getSessionToken());
-                    }
-
-                    @Override
-                    public void refresh() {
-                        // nothing to do
-                    }
-                });
-        log.debug("Chained assume role for {}", bookmark);
-        log.debug("Assume role with temporary credentials {}", tokens);
-        final PreferencesReader preferences = new HostPreferences(bookmark);
-        if(preferences.getInteger(S3AssumeRoleProtocol.S3_ASSUMEROLE_DURATIONSECONDS) != -1) {
-            request.setDurationSeconds(preferences.getInteger(S3AssumeRoleProtocol.S3_ASSUMEROLE_DURATIONSECONDS));
-        }
-        if(StringUtils.isNotBlank(preferences.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_POLICY))) {
-            request.setPolicy(preferences.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_POLICY));
-        }
-        request.setRoleArn(preferences.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN_2));
-        final String sub;
-        final String identityToken = this.getWebIdentityToken(oauth);
-        try {
-            sub = JWT.decode(identityToken).getSubject();
-        }
-        catch(JWTDecodeException e) {
-            log.warn("Failure {} decoding JWT {}", e, identityToken);
-            throw new LoginFailureException("Invalid JWT or JSON format in authentication token", e);
-        }
-        if(StringUtils.isNotBlank(preferences.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLESESSIONNAME))) {
-            request.setRoleSessionName(preferences.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLESESSIONNAME));
-        }
-        else {
-            if(StringUtils.isNotBlank(sub)) {
-                request.setRoleSessionName(sub);
-            }
-            else {
-                log.warn("Missing subject in decoding JWT {}", identityToken);
-                request.setRoleSessionName(new AsciiRandomStringService().random());
-            }
-        }
-        if(StringUtils.isNotBlank(preferences.getProperty("s3.assumerole.tag"))) {
-            request.setTags(Collections.singletonList(new Tag()
-                    .withKey(preferences.getProperty("s3.assumerole.tag"))
-                    .withValue(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_VAULT))));
-        }
-        try {
-            log.debug("Use request {}", request);
-            final AssumeRoleResult result = service.assumeRole(request);
-            log.debug("Received assume role result {} for host {}", result, bookmark);
-            return new TemporaryAccessTokens(result.getCredentials().getAccessKeyId(),
-                    result.getCredentials().getSecretAccessKey(),
-                    result.getCredentials().getSessionToken(),
-                    result.getCredentials().getExpiration().getTime());
-        }
-        catch(AWSSecurityTokenServiceException e) {
-            throw new STSExceptionMappingService().map(e);
-        }
+    @Override
+    public TemporaryAccessTokens assumeRoleWithWebIdentity(final Credentials credentials) throws BackgroundException {
+        final TemporaryAccessTokens tokens = super.assumeRoleWithWebIdentity(credentials
+                .withProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, bookmark.getProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY)));
+        final PreferencesReader settings = new ProxyPreferencesReader(bookmark, credentials);
+        if(StringUtils.isNotBlank(settings.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN_2))) {
+            log.debug("Assume role with temporary credentials {}", tokens);
+            // Assume role with previously obtained temporary access token
+            return super.assumeRole(credentials.withTokens(tokens)
+                    .withProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, settings.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN_2))
+                    .withProperty(Profile.STS_TAGS_PROPERTY_KEY, String.format("%s=%s", "VaultRequested", settings.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_VAULT)))
+            );
+        }
+        return tokens;
     }
 }
