Ensure token cache files are created with 0600 (#6867)

alextwoods · web-flow · commit 3f5e314e3a9a · 2026-04-16T18:38:32.000Z
* Ensure token cache files are created with 0600

* Add fallback when atomic move not supported

* Add changelogs
diff --git a/.changes/next-release/bugfix-AWSSSOOIDC-b48f8a3.json b/.changes/next-release/bugfix-AWSSSOOIDC-b48f8a3.json
@@ -0,0 +1,6 @@
+{
+    "type": "bugfix",
+    "category": "AWS SSO OIDC",
+    "contributor": "",
+    "description": "Add defensive checks to ensure token cache file is created with user read only where possible and use atomic write/copy."
+}
diff --git a/.changes/next-release/bugfix-AWSSignin-6c46302.json b/.changes/next-release/bugfix-AWSSignin-6c46302.json
@@ -0,0 +1,6 @@
+{
+    "type": "bugfix",
+    "category": "AWS Signin",
+    "contributor": "",
+    "description": "Add defensive checks to ensure token cache file is writen with user read permissions only where possible."
+}
diff --git a/services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/OnDiskTokenManager.java b/services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/OnDiskTokenManager.java
@@ -20,15 +20,21 @@
 import java.io.OutputStream;
 import java.io.UncheckedIOException;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.AtomicMoveNotSupportedException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
+import java.nio.file.attribute.FileAttribute;
+import java.nio.file.attribute.PosixFilePermission;
+import java.nio.file.attribute.PosixFilePermissions;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.time.Instant;
 import java.time.format.DateTimeFormatter;
+import java.util.EnumSet;
 import java.util.Locale;
 import java.util.Optional;
+import java.util.Set;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
 import software.amazon.awssdk.core.exception.SdkClientException;
@@ -41,6 +47,9 @@
 
 @SdkInternalApi
 public final class OnDiskTokenManager implements AccessTokenManager {
+    private static final Set<PosixFilePermission> OWNER_ONLY_PERMISSIONS =
+        EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
+
     private final JsonNodeParser jsonParser = JsonNodeParser.builder().removeErrorLocations(true).build();
 
     private final Path tokenLocation;
@@ -82,18 +91,45 @@ public Optional<LoginAccessToken> loadToken() {
 
     @Override
     public void storeToken(LoginAccessToken token) {
-        // atomic write (write to a temp file and then move/replace the destination location).
+        // Write to a temp file first, then move to the destination to avoid partial reads.
         try {
-            Path temp = Files.createTempFile(tokenLocation.getParent(), "token-", ".tmp");
+            Path temp = createOwnerOnlyTempFile(tokenLocation.getParent(), "token-", ".tmp");
             try (OutputStream os = Files.newOutputStream(temp)) {
                 os.write(marshalToken(token));
             }
-            Files.move(temp, tokenLocation, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
+            atomicOrFallbackMove(temp, tokenLocation);
         } catch (IOException | UncheckedIOException e) {
             throw SdkClientException.create("Unable to write token to location " + tokenLocation, e);
         }
     }
 
+    /**
+     * Creates a temp file with owner-only read/write permissions (0600) on POSIX-compatible file systems.
+     * On non-POSIX file systems (e.g., Windows), falls back to default permissions.
+     */
+    private static Path createOwnerOnlyTempFile(Path dir, String prefix, String suffix) throws IOException {
+        try {
+            FileAttribute<Set<PosixFilePermission>> attr =
+                PosixFilePermissions.asFileAttribute(OWNER_ONLY_PERMISSIONS);
+            return Files.createTempFile(dir, prefix, suffix, attr);
+        } catch (UnsupportedOperationException | IllegalArgumentException e) {
+            // File system does not support POSIX permissions (e.g., Windows, or in-memory file systems);
+            // fall back to default permissions.
+            return Files.createTempFile(dir, prefix, suffix);
+        }
+    }
+
+    /**
+     * Attempts an atomic move, falling back to a non-atomic replace if the file system does not support it.
+     */
+    private static void atomicOrFallbackMove(Path source, Path target) throws IOException {
+        try {
+            Files.move(source, target, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
+        } catch (AtomicMoveNotSupportedException e) {
+            Files.move(source, target, StandardCopyOption.REPLACE_EXISTING);
+        }
+    }
+
     @Override
     public void close() {
 
diff --git a/services/ssooidc/src/main/java/software/amazon/awssdk/services/ssooidc/internal/OnDiskTokenManager.java b/services/ssooidc/src/main/java/software/amazon/awssdk/services/ssooidc/internal/OnDiskTokenManager.java
@@ -22,15 +22,22 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.AtomicMoveNotSupportedException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.nio.file.StandardCopyOption;
+import java.nio.file.attribute.FileAttribute;
+import java.nio.file.attribute.PosixFilePermission;
+import java.nio.file.attribute.PosixFilePermissions;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.time.Instant;
 import java.time.format.DateTimeFormatter;
+import java.util.EnumSet;
 import java.util.Locale;
 import java.util.Optional;
+import java.util.Set;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.awscore.internal.token.TokenManager;
 import software.amazon.awssdk.core.exception.SdkClientException;
@@ -48,6 +55,8 @@
 @SdkInternalApi
 public final class OnDiskTokenManager implements TokenManager<SsoOidcToken> {
     private static final Path DEFAULT_TOKEN_LOCATION = Paths.get(userHomeDirectory(), ".aws", "sso", "cache");
+    private static final Set<PosixFilePermission> OWNER_ONLY_PERMISSIONS =
+        EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
 
     private final JsonNodeParser jsonParser = JsonNodeParser.builder().removeErrorLocations(true).build();
 
@@ -77,13 +86,45 @@ public Optional<SsoOidcToken> loadToken() {
 
     @Override
     public void storeToken(SsoOidcToken token) {
-        try (OutputStream os = Files.newOutputStream(tokenLocation)) {
-            os.write(marshalToken(token));
+        // Write to a temp file first, then move to the destination to avoid partial reads.
+        try {
+            Path temp = createOwnerOnlyTempFile(tokenLocation.getParent(), "token-", ".tmp");
+            try (OutputStream os = Files.newOutputStream(temp)) {
+                os.write(marshalToken(token));
+            }
+            atomicOrFallbackMove(temp, tokenLocation);
         } catch (IOException e) {
             throw SdkClientException.create("Unable to write token to location " + tokenLocation, e);
         }
     }
 
+    /**
+     * Creates a temp file with owner-only read/write permissions (0600) on POSIX-compatible file systems.
+     * On non-POSIX file systems (e.g., Windows), falls back to default permissions.
+     */
+    private static Path createOwnerOnlyTempFile(Path dir, String prefix, String suffix) throws IOException {
+        try {
+            FileAttribute<Set<PosixFilePermission>> attr =
+                PosixFilePermissions.asFileAttribute(OWNER_ONLY_PERMISSIONS);
+            return Files.createTempFile(dir, prefix, suffix, attr);
+        } catch (UnsupportedOperationException | IllegalArgumentException e) {
+            // File system does not support POSIX permissions (e.g., Windows, or in-memory file systems);
+            // fall back to default permissions.
+            return Files.createTempFile(dir, prefix, suffix);
+        }
+    }
+
+    /**
+     * Attempts an atomic move, falling back to a non-atomic replace if the file system does not support it.
+     */
+    private static void atomicOrFallbackMove(Path source, Path target) throws IOException {
+        try {
+            Files.move(source, target, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
+        } catch (AtomicMoveNotSupportedException e) {
+            Files.move(source, target, StandardCopyOption.REPLACE_EXISTING);
+        }
+    }
+
     @Override
     public void close() {
     }
