[DSC-1897] Fixes awsCredentialSupplier creation for awsSessionToken

4Science · Nov 22, 2024 · 2ac3949 · 2ac3949
1 parent 230ca94
commit 2ac3949
Showing 1 changed file with 16 additions and 8 deletions.
diff --git a/dspace-api/src/main/java/org/dspace/storage/bitstore/S3BitStoreService.java b/dspace-api/src/main/java/org/dspace/storage/bitstore/S3BitStoreService.java
@@ -83,6 +83,7 @@
 public class S3BitStoreService extends BaseBitStoreService {
     protected static final String DEFAULT_BUCKET_PREFIX = "dspace-asset-";
     protected static final Gson GSON = new GsonBuilder().serializeNulls().setPrettyPrinting().create();
+    public static final String REGEX_SECRET = "^(.{3})(.*)(.{3})$";
     // Prefix indicating a registered bitstream
     protected final String REGISTERED_FLAG = "-R";
     /**
@@ -272,8 +273,8 @@ protected static Supplier<AWSStaticCredentialsProvider> getAwsCredentialsSupplie
         BasicAWSCredentials credentials = new BasicAWSCredentials(awsAccessKey, awsSecretKey);
         log.info(
             "AmazonS3Client credentials - accessKey: {}, secretKey: {}",
-            credentials.getAWSAccessKeyId().replaceFirst("^(.{3})(.*)(.{3})$", "$1***$3"),
-            credentials.getAWSSecretKey().replaceFirst("^(.{3})(.*)(.{3})$", "$1***$3")
+            credentials.getAWSAccessKeyId().replaceFirst(REGEX_SECRET, "$1***$3"),
+            credentials.getAWSSecretKey().replaceFirst(REGEX_SECRET, "$1***$3")
         );
         return getAwsCredentialsSupplier(credentials);
     }
@@ -289,9 +290,10 @@ protected static Supplier<AWSStaticCredentialsProvider> getBasicCredentialsSuppl
     ) {
         BasicSessionCredentials credentials = new BasicSessionCredentials(awsAccessKey, awsSecretKey, awsSessionToken);
         log.info(
-            "AmazonS3Client credentials - accessKey: {}, secretKey: {}",
-            credentials.getAWSAccessKeyId().replaceFirst("^(.{3})(.*)(.{3})$", "$1***$3"),
-            credentials.getAWSSecretKey().replaceFirst("^(.{3})(.*)(.{3})$", "$1***$3")
+            "AmazonS3Client credentials - accessKey: {}, secretKey: {}, awsSessionToken: {}",
+            credentials.getAWSAccessKeyId().replaceFirst(REGEX_SECRET, "$1***$3"),
+            credentials.getAWSSecretKey().replaceFirst(REGEX_SECRET, "$1***$3"),
+            credentials.getSessionToken().replaceFirst(REGEX_SECRET, "$1***$3")
         );
         return getAwsCredentialsSupplier(credentials);
     }
@@ -345,9 +347,15 @@ public void init() throws IOException {
         try {
             Supplier<? extends AWSCredentialsProvider> awsCredentialsSupplier;
             if (StringUtils.isNotBlank(getAwsAccessKey()) && StringUtils.isNotBlank(getAwsSecretKey())) {
-                log.warn("Use local defined S3 credentials");
-                awsCredentialsSupplier = getBasicCredentialsSupplier(getAwsAccessKey(), getAwsSecretKey(),
-                    getAwsSessionToken());
+                if (StringUtils.isNotBlank(getAwsSessionToken())) {
+                    log.warn("Use local S3 credentials with session token");
+                    awsCredentialsSupplier =
+                        getBasicCredentialsSupplier(getAwsAccessKey(), getAwsSecretKey(), getAwsSessionToken());
+                } else {
+                    log.warn("Use local S3 credentials with access and secret keys");
+                    awsCredentialsSupplier =
+                        getAwsCredentialsSupplier(getAwsAccessKey(), getAwsSecretKey());
+                }
             } else {
                 log.info("Use an IAM role or aws environment credentials");
                 awsCredentialsSupplier = DefaultAWSCredentialsProviderChain::new;