From abf680501db526aff673e29d6d73ef4ebde99e1b Mon Sep 17 00:00:00 2001
From: Nick Sloan
Date: Tue, 23 Apr 2024 02:12:27 +0000
Subject: [PATCH] Fix failure to handle session tokens
---
 .../Soto/Extensions/S3/S3+presignedPost.swift | 5 ++
 .../Services/S3/S3ExtensionTests.swift | 50 +++++++++++++++++++
 2 files changed, 55 insertions(+)
diff --git a/Sources/Soto/Extensions/S3/S3+presignedPost.swift b/Sources/Soto/Extensions/S3/S3+presignedPost.swift
index 915963a631..68fb63d5db 100644
--- a/Sources/Soto/Extensions/S3/S3+presignedPost.swift
+++ b/Sources/Soto/Extensions/S3/S3+presignedPost.swift
@@ -189,6 +189,11 @@ extension S3 {
 fields["x-amz-date"] = longDate
 fields["x-amz-credential"] = presignedPostCredential
 
+ if let sessionToken = clientCredentials.sessionToken {
+ conditions.append(.match("x-amz-security-token", sessionToken))
+ fields["x-amz-security-token"] = sessionToken
+ }
+
 // Create the policy and add to fields
 let policy = PostPolicy(expiration: date.addingTimeInterval(expiresIn), conditions: conditions)
 let stringToSign = try policy.stringToSign()
diff --git a/Tests/SotoTests/Services/S3/S3ExtensionTests.swift b/Tests/SotoTests/Services/S3/S3ExtensionTests.swift
index 2ad22faa46..fc704e4411 100644
--- a/Tests/SotoTests/Services/S3/S3ExtensionTests.swift
+++ b/Tests/SotoTests/Services/S3/S3ExtensionTests.swift
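Review bot: The new `if let sessionToken` block in S3+presignedPost.swift has no comment saying why the token is added to both the policy conditions and the returned form fields, or what that means for callers. I would add above it `// Temporary credentials: S3 requires x-amz-security-token both as a form field and as a policy condition.` and extend the function's doc comment to say that the session token is handed to whoever receives the form, and that the POST is likely to stop being accepted once the temporary credentials expire even when `expiresIn` is longer. The assignment `fields["x-amz-security-token"] = sessionToken` also replaces any value a caller may have passed under that key; the enclosing function starts and ends outside this hunk, so whether that can happen is not confirmable from the visible lines.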
@@ -498,4 +498,54 @@ extension S3Tests {
 
 XCTAssertEqual(credential, expectedCredential)
 }
+
+ func testSessionToken() {
+ let clent = AWSClient(
+ credentialProvider: .static(
+ accessKeyId: "AKIAIOSFODNN7EXAMPLE",
+ secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+ sessionToken: "EXAMPLESESSIONTOKEN"
+ )
+ )
+
+ let s3 = S3(client: client, region: .useast1)
+
+ defer { try? client.syncShutdown() }
+
+ let fields = [
+ "acl": "public-read",
+ "success_action_redirect": "http://sigv4examplebucket.s3.amazonaws.com/successful_upload.html",
+ "x-amz-meta-uuid": "14365123651274",
+ "x-amz-server-side-encryption": "AES256",
+ ]
+
+ let conditions: [S3.PostPolicyCondition] = [
+ .match("acl", "public-read"),
+ .match("success_action_redirect", "http://sigv4examplebucket.s3.amazonaws.com/successful_upload.html"),
+ .match("x-amz-meta-uuid", "14365123651274"),
+ .match("x-amz-server-side-encryption", "AES256"),
+ .rule("starts-with", "$Content-Type", "image/"),
+ .rule("starts-with", "$x-amz-meta-tag", "")
+ ]
+
+ let expiresIn = 36.0 * 60.0 * 60.0
+ var dateComponents = DateComponents()
+ dateComponents.year = 2015
+ dateComponents.month = 12
+ dateComponents.day = 29
+ dateComponents.timeZone = TimeZone(secondsFromGMT: 0)!
+
+ let date = Calendar(identifier: .gregorian).date(from: dateComponents)!
+
+ let presignedPost = try await s3.generatePresignedPost(
+ key: "user/user1/${filename}",
+ bucket: "sigv4examplebucket",
+ fields: fields,
+ conditions: conditions,
+ expiresIn: expiresIn,
+ date: date
+ )
+
+ XCTAssertEqual(presignedPost.fields["x-amz-session-token"], "EXAMPLESESSIONTOKEN")
+ }
 }
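Review bot: As written, `testSessionToken` cannot confirm the fix: its final assertion reads `fields["x-amz-session-token"]`, while the patched code writes the key `x-amz-security-token`, so the lookup would yield nil. The client is also bound as `clent` but then used as `client`, and the function uses `try await` without being declared `async throws`. Suggested lines: `func testSessionToken() async throws {`, `let client = AWSClient(`, and `XCTAssertEqual(presignedPost.fields["x-amz-security-token"], "EXAMPLESESSIONTOKEN")`. It would also be worth asserting that the generated policy carries the matching `x-amz-security-token` condition, since the field alone does not show that the signed policy covers it.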