Merge pull request #17538 from iterate-ch/feature/GH-17437-tags

dkocher · web-flow · commit 2439e27e3c06 · 2025-10-02T10:53:40.000+02:00
Add option to define tags when assuming role.
diff --git a/core/src/main/java/ch/cyberduck/core/Profile.java b/core/src/main/java/ch/cyberduck/core/Profile.java
@@ -69,6 +69,7 @@ public class Profile implements Protocol {
      * A constant key used to define the Amazon Resource Name (ARN) for AWS Security Token Service (STS)
      */
     public static final String STS_ROLE_ARN_PROPERTY_KEY = "role_arn";
+    public static final String STS_TAGS_PROPERTY_KEY = "tags";
     public static final String STS_ROLE_SESSION_NAME_PROPERTY_KEY = "role_session_name";
     public static final String STS_DURATION_SECONDS_PROPERTY_KEY = "duration_seconds";
     /**
diff --git a/s3/src/main/java/ch/cyberduck/core/sts/STSAssumeRoleRequestInterceptor.java b/s3/src/main/java/ch/cyberduck/core/sts/STSAssumeRoleRequestInterceptor.java
@@ -52,7 +52,7 @@ public STSAssumeRoleRequestInterceptor(final Host host, final X509TrustManager t
     public TemporaryAccessTokens refresh(final Credentials credentials) throws BackgroundException {
         lock.lock();
         try {
-            if(StringUtils.isNotBlank(new ProxyPreferencesReader(host, credentials).getProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, "s3.assumerole.rolearn"))) {
+            if(StringUtils.isNotBlank(new ProxyPreferencesReader(credentials, host).getProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, "s3.assumerole.rolearn"))) {
                 log.debug("Retrieve temporary credentials with {}", credentials);
                 // AssumeRoleRequest
                 return tokens = this.assumeRole(credentials);
diff --git a/s3/src/main/java/ch/cyberduck/core/sts/STSAuthorizationService.java b/s3/src/main/java/ch/cyberduck/core/sts/STSAuthorizationService.java
@@ -41,6 +41,8 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
+import java.util.stream.Collectors;
+
 import com.amazonaws.auth.AWSStaticCredentialsProvider;
 import com.amazonaws.auth.AnonymousAWSCredentials;
 import com.amazonaws.client.builder.AwsClientBuilder;
@@ -57,6 +59,7 @@
 import com.amazonaws.services.securitytoken.model.GetCallerIdentityResult;
 import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;
 import com.amazonaws.services.securitytoken.model.GetSessionTokenResult;
+import com.amazonaws.services.securitytoken.model.Tag;
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.exceptions.JWTDecodeException;
 
@@ -100,7 +103,7 @@ public String validate(final Credentials credentials) throws BackgroundException
     }
 
     public TemporaryAccessTokens getSessionToken(final Credentials credentials) throws BackgroundException {
-        final PreferencesReader settings = new ProxyPreferencesReader(bookmark, credentials);
+        final PreferencesReader settings = new ProxyPreferencesReader(credentials, bookmark);
         //  The purpose of the sts:GetSessionToken operation is to authenticate the user using MFA.
         final GetSessionTokenRequest request = new GetSessionTokenRequest()
                 .withRequestCredentialsProvider(S3CredentialsStrategy.toCredentialsProvider(credentials));
@@ -170,12 +173,15 @@ public TemporaryAccessTokens getSessionToken(final Credentials credentials) thro
      * @see Profile#STS_MFA_ARN_PROPERTY_KEY
      */
     public TemporaryAccessTokens assumeRole(final Credentials credentials) throws BackgroundException {
-        final PreferencesReader settings = new ProxyPreferencesReader(bookmark, credentials);
+        final PreferencesReader settings = new ProxyPreferencesReader(credentials, bookmark);
         final AssumeRoleRequest request = new AssumeRoleRequest()
                 .withRequestCredentialsProvider(S3CredentialsStrategy.toCredentialsProvider(credentials));
         if(StringUtils.isNotBlank(settings.getProperty("s3.assumerole.durationseconds", Profile.STS_DURATION_SECONDS_PROPERTY_KEY))) {
             request.setDurationSeconds(PreferencesReader.toInteger(settings.getProperty("s3.assumerole.durationseconds", Profile.STS_DURATION_SECONDS_PROPERTY_KEY)));
         }
+        request.setTags(settings.getMap(Profile.STS_TAGS_PROPERTY_KEY).entrySet().stream().map(
+                entry -> new Tag().withKey(entry.getKey()).withValue(entry.getValue())).collect(Collectors.toList())
+        );
         final String roleArn = settings.getProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, "s3.assumerole.rolearn");
         if(StringUtils.isNotBlank(roleArn)) {
             log.debug("Found Role ARN {} for {}", roleArn, bookmark);
@@ -257,7 +263,7 @@ public TemporaryAccessTokens assumeRole(final Credentials credentials) throws Ba
     }
 
     public TemporaryAccessTokens assumeRoleWithSAML(final Credentials credentials) throws BackgroundException {
-        final PreferencesReader settings = new ProxyPreferencesReader(bookmark, credentials);
+        final PreferencesReader settings = new ProxyPreferencesReader(credentials, bookmark);
         final AssumeRoleWithSAMLRequest request = new AssumeRoleWithSAMLRequest().withSAMLAssertion(credentials.getToken());
         if(StringUtils.isNotBlank(settings.getProperty("s3.assumerole.durationseconds", Profile.STS_DURATION_SECONDS_PROPERTY_KEY))) {
             request.setDurationSeconds(PreferencesReader.toInteger(settings.getProperty("s3.assumerole.durationseconds", Profile.STS_DURATION_SECONDS_PROPERTY_KEY)));
@@ -288,7 +294,7 @@ public TemporaryAccessTokens assumeRoleWithSAML(final Credentials credentials) t
      * @return Temporary access tokens for the assumed role
      */
     public TemporaryAccessTokens assumeRoleWithWebIdentity(final Credentials credentials) throws BackgroundException {
-        final PreferencesReader settings = new ProxyPreferencesReader(bookmark, credentials);
+        final PreferencesReader settings = new ProxyPreferencesReader(credentials, bookmark);
         final AssumeRoleWithWebIdentityRequest request = new AssumeRoleWithWebIdentityRequest();
         log.debug("Assume role with OIDC Id token for {}", bookmark);
         final String webIdentityToken = this.getWebIdentityToken(credentials.getOauth());
diff --git a/s3/src/main/java/ch/cyberduck/core/sts/STSGetSessionTokenRequestInterceptor.java b/s3/src/main/java/ch/cyberduck/core/sts/STSGetSessionTokenRequestInterceptor.java
@@ -52,7 +52,7 @@ public STSGetSessionTokenRequestInterceptor(final Host host, final X509TrustMana
     public TemporaryAccessTokens refresh(final Credentials credentials) throws BackgroundException {
         lock.lock();
         try {
-            if(StringUtils.isNotBlank(new ProxyPreferencesReader(host, credentials).getProperty(Profile.STS_MFA_ARN_PROPERTY_KEY))) {
+            if(StringUtils.isNotBlank(new ProxyPreferencesReader(credentials, host).getProperty(Profile.STS_MFA_ARN_PROPERTY_KEY))) {
                 log.debug("Retrieve temporary credentials with {}", credentials);
                 // GetSessionToken
                 return tokens = this.getSessionToken(credentials);
