Merge pull request #17722 from iterate-ch/bugfix/GH-17690

dkocher · web-flow · commit fe45d01a1ad9 · 2025-12-05T10:37:43.000+01:00
Fix #17690. Validate tokens when using AWS CLI profile.
diff --git a/s3/src/main/java/ch/cyberduck/core/s3/S3Protocol.java b/s3/src/main/java/ch/cyberduck/core/s3/S3Protocol.java
@@ -18,9 +18,11 @@
  */
 
 import ch.cyberduck.core.AbstractProtocol;
+import ch.cyberduck.core.Credentials;
 import ch.cyberduck.core.CredentialsConfigurator;
 import ch.cyberduck.core.DirectoryDelimiterPathContainerService;
 import ch.cyberduck.core.LocaleFactory;
+import ch.cyberduck.core.LoginOptions;
 import ch.cyberduck.core.PathContainerService;
 import ch.cyberduck.core.Protocol;
 import ch.cyberduck.core.Scheme;
@@ -31,6 +33,7 @@
 import ch.cyberduck.core.synchronization.DefaultComparisonService;
 import ch.cyberduck.core.synchronization.ETagComparisonService;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -117,6 +120,21 @@ public String getAuthorization() {
         return PreferencesFactory.get().getProperty("s3.signature.version");
     }
 
+    @Override
+    public boolean validate(final Credentials credentials, final LoginOptions options) {
+        if(options.token) {
+            if(credentials.isTokenAuthentication()) {
+                if(StringUtils.isBlank(credentials.getTokens().getAccessKeyId())) {
+                    return false;
+                }
+                if(StringUtils.isBlank(credentials.getTokens().getSecretAccessKey())) {
+                    return false;
+                }
+            }
+        }
+        return super.validate(credentials, options);
+    }
+
     public enum AuthenticationHeaderSignatureVersion {
         AWS2 {
             @Override
diff --git a/s3/src/test/java/ch/cyberduck/core/s3/S3ProtocolTest.java b/s3/src/test/java/ch/cyberduck/core/s3/S3ProtocolTest.java
@@ -5,6 +5,7 @@
 import ch.cyberduck.core.Profile;
 import ch.cyberduck.core.ProtocolFactory;
 import ch.cyberduck.core.Scheme;
+import ch.cyberduck.core.TemporaryAccessTokens;
 import ch.cyberduck.core.TestProtocol;
 import ch.cyberduck.core.serializer.impl.dd.ProfilePlistReader;
 
@@ -88,5 +89,11 @@ public void testValidateCredentials() {
         assertFalse(new Credentials("user", "").validate(new S3Protocol(), new LoginOptions(new S3Protocol())));
         assertFalse(new Credentials("user", " ").validate(new S3Protocol(), new LoginOptions(new S3Protocol())));
         assertTrue(new Credentials("user", "key").validate(new S3Protocol(), new LoginOptions(new S3Protocol())));
+        assertFalse(new Credentials("alias").setTokens(new TemporaryAccessTokens("a", "b"))
+                .validate(new S3Protocol(), new LoginOptions(new S3Protocol())));
+        assertTrue(new Credentials("alias").setTokens(new TemporaryAccessTokens("a", "b"))
+                .validate(new S3Protocol(), new LoginOptions(new S3Protocol()).password(false).token(true)));
+        assertTrue(new Credentials("alias").setTokens(new TemporaryAccessTokens("a", "b", "c"))
+                .validate(new S3Protocol(), new LoginOptions(new S3Protocol()).password(false).token(true)));
     }
 }
