Test credentials using sts:GetCallerIdentity.

iterate-ch · Nov 1, 2024 · 73aba70 · 73aba70
1 parent 93069ec
commit 73aba70
Showing 1 changed file with 48 additions and 18 deletions.
diff --git a/s3/src/main/java/ch/cyberduck/core/s3/S3Session.java b/s3/src/main/java/ch/cyberduck/core/s3/S3Session.java
@@ -28,7 +28,9 @@
 import ch.cyberduck.core.PathContainerService;
 import ch.cyberduck.core.Scheme;
 import ch.cyberduck.core.UrlProvider;
+import ch.cyberduck.core.auth.AWSCredentialsConfigurator;
 import ch.cyberduck.core.auth.AWSSessionCredentialsRetriever;
+import ch.cyberduck.core.aws.CustomClientConfiguration;
 import ch.cyberduck.core.cdn.Distribution;
 import ch.cyberduck.core.cdn.DistributionConfiguration;
 import ch.cyberduck.core.cloudfront.CloudFrontDistributionConfigurationPreloader;
@@ -59,6 +61,7 @@
 import ch.cyberduck.core.ssl.X509KeyManager;
 import ch.cyberduck.core.ssl.X509TrustManager;
 import ch.cyberduck.core.sts.STSAssumeRoleCredentialsRequestInterceptor;
+import ch.cyberduck.core.sts.STSExceptionMappingService;
 import ch.cyberduck.core.threading.CancelCallback;
 
 import org.apache.http.HttpHeaders;
@@ -87,6 +90,12 @@
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 
+import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
+import com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException;
+import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
+import com.amazonaws.services.securitytoken.model.GetCallerIdentityResult;
+
 import static com.amazonaws.services.s3.Headers.*;
 
 public class S3Session extends HttpSession<RequestEntityRestStorageService> {
@@ -335,32 +344,53 @@ public void login(final LoginCallback prompt, final CancelCallback cancel) throw
             log.warn(String.format("Skip verifying credentials with previous successful authentication event for %s", this));
             return;
         }
-        try {
-            final Path home = new DelegatingHomeFeature(new DefaultPathHomeFeature(host)).find();
-            if(home.isRoot()) {
+        if(S3Session.isAwsHostname(host.getHostname(), false)) {
+            final CustomClientConfiguration configuration = new CustomClientConfiguration(host,
+                    new ThreadLocalHostnameDelegatingTrustManager(trust, host.getHostname()), key);
+            final AWSSecurityTokenServiceClientBuilder builder = AWSSecurityTokenServiceClientBuilder.standard()
+                    .withCredentials(AWSCredentialsConfigurator.toAWSCredentialsProvider(client.getProviderCredentials()))
+                    .withClientConfiguration(configuration);
+            final AWSSecurityTokenService service = builder.build();
+            // Returns details about the IAM user or role whose credentials are used to call the operation.
+            // No permissions are required to perform this operation.
+            try {
+                final GetCallerIdentityResult identity = service.getCallerIdentity(new GetCallerIdentityRequest());
                 if(log.isDebugEnabled()) {
-                    log.debug(String.format("Skip querying region for %s", home));
+                    log.debug(String.format("Successfully verified credentials for %s", identity));
                 }
             }
-            else {
-                final Location.Name location = new S3LocationFeature(S3Session.this, regions).getLocation(home);
-                if(log.isDebugEnabled()) {
-                    log.debug(String.format("Retrieved region %s", location));
+            catch(AWSSecurityTokenServiceException e) {
+                throw new STSExceptionMappingService().map(e);
+            }
+        }
+        else {
+            try {
+                final Path home = new DelegatingHomeFeature(new DefaultPathHomeFeature(host)).find();
+                if(home.isRoot()) {
+                    if(log.isDebugEnabled()) {
+                        log.debug(String.format("Skip querying region for %s", home));
+                    }
                 }
-                if(!Location.unknown.equals(location)) {
+                else {
+                    final Location.Name location = new S3LocationFeature(S3Session.this, regions).getLocation(home);
                     if(log.isDebugEnabled()) {
-                        log.debug(String.format("Set default region to %s determined from %s", location, home));
+                        log.debug(String.format("Retrieved region %s", location));
+                    }
+                    if(!Location.unknown.equals(location)) {
+                        if(log.isDebugEnabled()) {
+                            log.debug(String.format("Set default region to %s determined from %s", location, home));
+                        }
+                        //
+                        host.setProperty("s3.location", location.getIdentifier());
                     }
-                    //
-                    host.setProperty("s3.location", location.getIdentifier());
                 }
             }
-        }
-        catch(AccessDeniedException | InteroperabilityException e) {
-            log.warn(String.format("Failure %s querying region", e));
-            final Path home = new DefaultHomeFinderService(this).find();
-            if(log.isDebugEnabled()) {
-                log.debug(String.format("Retrieved %s", home));
+            catch(AccessDeniedException | InteroperabilityException e) {
+                log.warn(String.format("Failure %s querying region", e));
+                final Path home = new DefaultHomeFinderService(this).find();
+                if(log.isDebugEnabled()) {
+                    log.debug(String.format("Retrieved %s", home));
+                }
             }
         }
     }