Explicitly set 0600 permissions on SSO/login cache files (#3373)

Author: richardwang1124

gems/aws-sdk-core/CHANGELOG.md

@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Issue - Explicitly set 0600 permissions on SSO/login cache files.
+
 3.244.0 (2026-03-18)
 ------------------
 

gems/aws-sdk-core/lib/aws-sdk-core/login_credentials.rb

@@ -221,6 +221,7 @@ def update_token_cache(token_json)
         temp_file.write(Json.dump(cached_token))
         temp_file.close
         FileUtils.mv(temp_file.path, login_cache_file)
+        File.chmod(0o600, login_cache_file)
       ensure
         temp_file.unlink if File.exist?(temp_file.path) # Ensure temp file is cleaned up
       end

gems/aws-sdk-core/lib/aws-sdk-core/sso_token_provider.rb

@@ -108,6 +108,7 @@ def update_token_cache(token_json)
       cached_token = token_json.dup
       cached_token['expiresAt'] = cached_token['expiresAt'].iso8601
       File.write(sso_cache_file, Json.dump(cached_token))
+      File.chmod(0o600, sso_cache_file)
     end
 
     def sso_cache_file

gems/aws-sdk-core/spec/aws/sso_token_provider_spec.rb

@@ -56,6 +56,7 @@ def expect_token_write_back(sso_session, expected_token)
         expect(arg1).to eq(path)
         expect(Json.load(arg2)).to eq(expected_token)
       end
+      expect(File).to receive(:chmod).with(0o600, path)
     end
 
     describe '#initialize' do

gems/aws-sdk-core/spec/login_credentials_helper.rb

@@ -20,8 +20,9 @@ def mock_token_file(login_session, cached_token)
   end
 
   def expect_token_write_back(expected_token)
-    actual_token = JSON.parse(File.read(token_file.path))
+    actual_token = JSON.load_file(token_file.path)
     expect(actual_token).to eq(JSON.parse(JSON.dump(expected_token)))
+    expect(File.stat(token_file.path).mode & 0o777).to eq(0o600)
   end
 
   def verify_dpop(dpop_proof)