aws-sdk-core 3.103.0 → 3.130.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +1304 -0
- data/LICENSE.txt +202 -0
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +153 -0
- data/lib/aws-defaults/defaults_mode_config_resolver.rb +107 -0
- data/lib/aws-defaults.rb +3 -0
- data/lib/aws-sdk-core/arn.rb +13 -0
- data/lib/aws-sdk-core/assume_role_credentials.rb +20 -1
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +9 -4
- data/lib/aws-sdk-core/client_stubs.rb +5 -1
- data/lib/aws-sdk-core/credential_provider_chain.rb +21 -1
- data/lib/aws-sdk-core/ec2_metadata.rb +238 -0
- data/lib/aws-sdk-core/ecs_credentials.rb +8 -4
- data/lib/aws-sdk-core/errors.rb +9 -2
- data/lib/aws-sdk-core/instance_profile_credentials.rb +122 -22
- data/lib/aws-sdk-core/json/json_engine.rb +10 -8
- data/lib/aws-sdk-core/json/oj_engine.rb +33 -6
- data/lib/aws-sdk-core/json/parser.rb +8 -0
- data/lib/aws-sdk-core/json.rb +8 -26
- data/lib/aws-sdk-core/log/formatter.rb +1 -1
- data/lib/aws-sdk-core/log/param_filter.rb +11 -3
- data/lib/aws-sdk-core/pageable_response.rb +80 -32
- data/lib/aws-sdk-core/pager.rb +3 -0
- data/lib/aws-sdk-core/param_validator.rb +52 -4
- data/lib/aws-sdk-core/plugins/api_key.rb +3 -1
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +340 -0
- data/lib/aws-sdk-core/plugins/credentials_configuration.rb +24 -7
- data/lib/aws-sdk-core/plugins/defaults_mode.rb +40 -0
- data/lib/aws-sdk-core/plugins/endpoint_pattern.rb +6 -6
- data/lib/aws-sdk-core/plugins/http_checksum.rb +8 -1
- data/lib/aws-sdk-core/plugins/protocols/api_gateway.rb +17 -0
- data/lib/aws-sdk-core/plugins/protocols/rest_json.rb +16 -1
- data/lib/aws-sdk-core/plugins/recursion_detection.rb +27 -0
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +48 -2
- data/lib/aws-sdk-core/plugins/response_paging.rb +1 -1
- data/lib/aws-sdk-core/plugins/retries/error_inspector.rb +5 -3
- data/lib/aws-sdk-core/plugins/retry_errors.rb +25 -8
- data/lib/aws-sdk-core/plugins/signature_v4.rb +15 -24
- data/lib/aws-sdk-core/plugins/stub_responses.rb +7 -1
- data/lib/aws-sdk-core/process_credentials.rb +5 -4
- data/lib/aws-sdk-core/refreshing_credentials.rb +42 -11
- data/lib/aws-sdk-core/rest/request/body.rb +19 -1
- data/lib/aws-sdk-core/rest/request/headers.rb +18 -6
- data/lib/aws-sdk-core/rest/response/headers.rb +4 -3
- data/lib/aws-sdk-core/shared_config.rb +60 -8
- data/lib/aws-sdk-core/shared_credentials.rb +7 -1
- data/lib/aws-sdk-core/sso_credentials.rb +141 -0
- data/lib/aws-sdk-core/structure.rb +10 -1
- data/lib/aws-sdk-core/stubbing/protocols/json.rb +1 -1
- data/lib/aws-sdk-core/stubbing/protocols/rest.rb +1 -1
- data/lib/aws-sdk-core/stubbing/protocols/rest_json.rb +1 -1
- data/lib/aws-sdk-core/stubbing/protocols/rest_xml.rb +0 -2
- data/lib/aws-sdk-core/xml/builder.rb +2 -2
- data/lib/aws-sdk-core/xml/doc_builder.rb +6 -1
- data/lib/aws-sdk-core/xml/parser/engines/ox.rb +1 -1
- data/lib/aws-sdk-core/xml/parser/frame.rb +23 -0
- data/lib/aws-sdk-core/xml/parser.rb +5 -0
- data/lib/aws-sdk-core.rb +13 -3
- data/lib/aws-sdk-sso/client.rb +570 -0
- data/lib/aws-sdk-sso/client_api.rb +190 -0
- data/lib/aws-sdk-sso/customizations.rb +1 -0
- data/lib/aws-sdk-sso/errors.rb +102 -0
- data/lib/aws-sdk-sso/resource.rb +26 -0
- data/lib/aws-sdk-sso/types.rb +352 -0
- data/lib/aws-sdk-sso.rb +55 -0
- data/lib/aws-sdk-sts/client.rb +536 -435
- data/lib/aws-sdk-sts/client_api.rb +7 -1
- data/lib/aws-sdk-sts/errors.rb +1 -1
- data/lib/aws-sdk-sts/plugins/sts_regional_endpoints.rb +5 -1
- data/lib/aws-sdk-sts/presigner.rb +7 -1
- data/lib/aws-sdk-sts/resource.rb +1 -1
- data/lib/aws-sdk-sts/types.rb +332 -193
- data/lib/aws-sdk-sts.rb +8 -3
- data/lib/seahorse/client/base.rb +1 -0
- data/lib/seahorse/client/block_io.rb +3 -2
- data/lib/seahorse/client/configuration.rb +4 -0
- data/lib/seahorse/client/h2/connection.rb +15 -13
- data/lib/seahorse/client/h2/handler.rb +4 -5
- data/lib/seahorse/client/http/response.rb +1 -1
- data/lib/seahorse/client/net_http/connection_pool.rb +10 -4
- data/lib/seahorse/client/net_http/handler.rb +17 -8
- data/lib/seahorse/client/net_http/patches.rb +13 -84
- data/lib/seahorse/client/plugins/content_length.rb +11 -5
- data/lib/seahorse/client/plugins/h2.rb +4 -1
- data/lib/seahorse/client/plugins/net_http.rb +37 -3
- data/lib/seahorse/client/plugins/request_callback.rb +110 -0
- data/lib/seahorse/client/plugins/response_target.rb +3 -4
- data/lib/seahorse/model/operation.rb +3 -0
- data/lib/seahorse/model/shapes.rb +25 -0
- data/lib/seahorse/util.rb +6 -1
- data/lib/seahorse.rb +1 -0
- metadata +26 -9
@@ -0,0 +1,141 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Aws
|
4
|
+
# An auto-refreshing credential provider that works by assuming a
|
5
|
+
# role via {Aws::SSO::Client#get_role_credentials} using a cached access
|
6
|
+
# token. This class does NOT implement the SSO login token flow - tokens
|
7
|
+
# must generated and refreshed separately by running `aws login` from the
|
8
|
+
# AWS CLI with the correct profile.
|
9
|
+
#
|
10
|
+
# For more background on AWS SSO see the official
|
11
|
+
# {https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html what is SSO Userguide}
|
12
|
+
#
|
13
|
+
# ## Refreshing Credentials from SSO
|
14
|
+
#
|
15
|
+
# The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In
|
16
|
+
# addition to AWS credentials expiring after a given amount of time, the
|
17
|
+
# access token generated and cached from `aws login` will also expire.
|
18
|
+
# Once this token expires, it will not be usable to refresh AWS credentials,
|
19
|
+
# and another token will be needed. The SDK does not manage refreshing of
|
20
|
+
# the token value, but this can be done by running `aws login` with the
|
21
|
+
# correct profile.
|
22
|
+
#
|
23
|
+
#
|
24
|
+
# # You must first run aws sso login --profile your-sso-profile
|
25
|
+
# sso_credentials = Aws::SSOCredentials.new(
|
26
|
+
# sso_account_id: '123456789',
|
27
|
+
# sso_role_name: "role_name",
|
28
|
+
# sso_region: "us-east-1",
|
29
|
+
# sso_start_url: 'https://your-start-url.awsapps.com/start'
|
30
|
+
# )
|
31
|
+
#
|
32
|
+
# ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
|
33
|
+
#
|
34
|
+
# If you omit `:client` option, a new {SSO::Client} object will be
|
35
|
+
# constructed.
|
36
|
+
class SSOCredentials
|
37
|
+
|
38
|
+
include CredentialProvider
|
39
|
+
include RefreshingCredentials
|
40
|
+
|
41
|
+
# @api private
|
42
|
+
SSO_REQUIRED_OPTS = [:sso_account_id, :sso_region, :sso_role_name, :sso_start_url].freeze
|
43
|
+
|
44
|
+
# @api private
|
45
|
+
SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
|
46
|
+
'expired or is otherwise invalid. To refresh this SSO session run '\
|
47
|
+
'aws sso login with the corresponding profile.'.freeze
|
48
|
+
|
49
|
+
# @option options [required, String] :sso_account_id The AWS account ID
|
50
|
+
# that temporary AWS credentials will be resolved for
|
51
|
+
#
|
52
|
+
# @option options [required, String] :sso_region The AWS region where the
|
53
|
+
# SSO directory for the given sso_start_url is hosted.
|
54
|
+
#
|
55
|
+
# @option options [required, String] :sso_role_name The corresponding
|
56
|
+
# IAM role in the AWS account that temporary AWS credentials
|
57
|
+
# will be resolved for.
|
58
|
+
#
|
59
|
+
# @option options [required, String] :sso_start_url The start URL is
|
60
|
+
# provided by the SSO service via the console and is the URL used to
|
61
|
+
# login to the SSO directory. This is also sometimes referred to as
|
62
|
+
# the "User Portal URL"
|
63
|
+
#
|
64
|
+
# @option options [SSO::Client] :client Optional `SSO::Client`. If not
|
65
|
+
# provided, a client will be constructed.
|
66
|
+
#
|
67
|
+
# @option options [Callable] before_refresh Proc called before
|
68
|
+
# credentials are refreshed. `before_refresh` is called
|
69
|
+
# with an instance of this object when
|
70
|
+
# AWS credentials are required and need to be refreshed.
|
71
|
+
def initialize(options = {})
|
72
|
+
|
73
|
+
missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
|
74
|
+
unless missing_keys.empty?
|
75
|
+
raise ArgumentError, "Missing required keys: #{missing_keys}"
|
76
|
+
end
|
77
|
+
|
78
|
+
@sso_start_url = options.delete(:sso_start_url)
|
79
|
+
@sso_region = options.delete(:sso_region)
|
80
|
+
@sso_role_name = options.delete(:sso_role_name)
|
81
|
+
@sso_account_id = options.delete(:sso_account_id)
|
82
|
+
|
83
|
+
# validate we can read the token file
|
84
|
+
read_cached_token
|
85
|
+
|
86
|
+
|
87
|
+
client_opts = {}
|
88
|
+
options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
|
89
|
+
client_opts[:region] = @sso_region
|
90
|
+
client_opts[:credentials] = nil
|
91
|
+
|
92
|
+
@client = options[:client] || Aws::SSO::Client.new(client_opts)
|
93
|
+
@async_refresh = true
|
94
|
+
super
|
95
|
+
end
|
96
|
+
|
97
|
+
# @return [SSO::Client]
|
98
|
+
attr_reader :client
|
99
|
+
|
100
|
+
private
|
101
|
+
|
102
|
+
def read_cached_token
|
103
|
+
cached_token = Json.load(File.read(sso_cache_file))
|
104
|
+
# validation
|
105
|
+
unless cached_token['accessToken'] && cached_token['expiresAt']
|
106
|
+
raise ArgumentError, 'Missing required field(s)'
|
107
|
+
end
|
108
|
+
expires_at = DateTime.parse(cached_token['expiresAt'])
|
109
|
+
if expires_at < DateTime.now
|
110
|
+
raise ArgumentError, 'Cached SSO Token is expired.'
|
111
|
+
end
|
112
|
+
cached_token
|
113
|
+
rescue Errno::ENOENT, Aws::Json::ParseError, ArgumentError
|
114
|
+
raise Errors::InvalidSSOCredentials, SSO_LOGIN_GUIDANCE
|
115
|
+
end
|
116
|
+
|
117
|
+
def refresh
|
118
|
+
cached_token = read_cached_token
|
119
|
+
c = @client.get_role_credentials(
|
120
|
+
account_id: @sso_account_id,
|
121
|
+
role_name: @sso_role_name,
|
122
|
+
access_token: cached_token['accessToken']
|
123
|
+
).role_credentials
|
124
|
+
|
125
|
+
@credentials = Credentials.new(
|
126
|
+
c.access_key_id,
|
127
|
+
c.secret_access_key,
|
128
|
+
c.session_token
|
129
|
+
)
|
130
|
+
@expiration = c.expiration
|
131
|
+
end
|
132
|
+
|
133
|
+
def sso_cache_file
|
134
|
+
start_url_sha1 = OpenSSL::Digest::SHA1.hexdigest(@sso_start_url.encode('utf-8'))
|
135
|
+
File.join(Dir.home, '.aws', 'sso', 'cache', "#{start_url_sha1}.json")
|
136
|
+
rescue ArgumentError
|
137
|
+
# Dir.home raises ArgumentError when ENV['home'] is not set
|
138
|
+
raise ArgumentError, "Unable to load sso_cache_file: ENV['HOME'] is not set."
|
139
|
+
end
|
140
|
+
end
|
141
|
+
end
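Review bot: `read_cached_token` rescues `ArgumentError` for its whole body, and `File.read(sso_cache_file)` sits inside that body, so the `ArgumentError` that `sso_cache_file` raises for a missing home directory is replaced by `SSO_LOGIN_GUIDANCE`. The caller is then told to log in again when the real problem is the environment. Raising a different class there keeps the message, e.g. `raise Errors::InvalidSSOCredentials, "Unable to load sso_cache_file: ENV['HOME'] is not set."`, assuming that class does not descend from `ArgumentError`. `Errno::EACCES` from `File.read` is not in the rescue list either, so an unreadable token cache surfaces as a raw system error rather than an SDK error. The class comment says `aws login` in three places while the example and `SSO_LOGIN_GUIDANCE` say `aws sso login`; the comment should use the latter, and "must generated" should read "must be generated".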
|
@@ -70,11 +70,20 @@ module Aws
|
|
70
70
|
end
|
71
71
|
|
72
72
|
end
|
73
|
+
|
74
|
+
module Union
|
75
|
+
def member
|
76
|
+
self.members.select { |k| self[k] != nil }.first
|
77
|
+
end
|
78
|
+
|
79
|
+
def value
|
80
|
+
self[member] if member
|
81
|
+
end
|
82
|
+
end
|
73
83
|
end
|
74
84
|
|
75
85
|
# @api private
|
76
86
|
class EmptyStructure < Struct.new('AwsEmptyStructure')
|
77
87
|
include(Aws::Structure)
|
78
88
|
end
|
79
|
-
|
80
89
|
end
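Review bot: `Union#member` builds a full array with `select` only to take its first element, and `value` then calls `member` twice, so the members are scanned twice per lookup. `members.find { |k| !self[k].nil? }` stops at the first set member and drops the redundant `self.` receiver; in `value`, holding the name in a local (`name = member` then `self[name] if name`) avoids the second scan. Neither method is documented; a one-line comment that `member` returns the name of the first non-nil member (nil when none is set) and `value` returns that member's value would state the contract. The enclosing module begins above the hunk.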
|
@@ -120,7 +120,7 @@ module Aws
|
|
120
120
|
|
121
121
|
def encode_unknown_event(opts, event_type, event_data)
|
122
122
|
# right now h2 events are only rest_json
|
123
|
-
opts[:payload] = StringIO.new(
|
123
|
+
opts[:payload] = StringIO.new(Aws::Json.dump(event_data))
|
124
124
|
opts[:headers][':event-type'] = Aws::EventStream::HeaderValue.new(
|
125
125
|
value: event_type.to_s,
|
126
126
|
type: 'string'
|
@@ -11,7 +11,7 @@ module Aws
|
|
11
11
|
def initialize(rules, options = {})
|
12
12
|
@rules = rules
|
13
13
|
@xml = options[:target] || []
|
14
|
-
indent = options[:indent] || '
|
14
|
+
indent = options[:indent] || ''
|
15
15
|
pad = options[:pad] || ''
|
16
16
|
@builder = DocBuilder.new(target: @xml, indent: indent, pad: pad)
|
17
17
|
end
|
@@ -48,7 +48,7 @@ module Aws
|
|
48
48
|
end
|
49
49
|
|
50
50
|
def list(name, ref, values)
|
51
|
-
if ref.shape.flattened
|
51
|
+
if ref[:flattened] || ref.shape.flattened
|
52
52
|
values.each do |value|
|
53
53
|
member(ref.shape.member.location_name || name, ref.shape.member, value)
|
54
54
|
end
|
@@ -67,7 +67,12 @@ module Aws
|
|
67
67
|
end
|
68
68
|
|
69
69
|
def escape(string, text_or_attr)
|
70
|
-
string.to_s
|
70
|
+
string.to_s
|
71
|
+
.encode(:xml => text_or_attr)
|
72
|
+
.gsub("\u{000D}", '
') # Carriage Return
|
73
|
+
.gsub("\u{000A}", '
') # Line Feed
|
74
|
+
.gsub("\u{0085}", '…') # Next Line
|
75
|
+
.gsub("\u{2028}", '
') # Line Separator
|
71
76
|
end
|
72
77
|
|
73
78
|
def attributes(attr)
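Review bot: The `gsub` chain added to `escape` is commented only with character names and does not say why these four characters are rewritten after `encode(:xml => text_or_attr)`. Judging from the character list (CR, LF, NEL, LS), the intent is presumably to emit them as character references so that end-of-line and attribute-value normalization in the receiving XML parser cannot change them. The replacement literals are shown decoded on this page, so that reading is inferred. I would put `# Line-break characters are written as character references so parser normalization cannot alter the value.` above the chain, and document the parameter with `# @param text_or_attr [Symbol] :text or :attr, passed to String#encode(xml:)`.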
|
@@ -95,6 +95,8 @@ module Aws
|
|
95
95
|
def child_frame(xml_name)
|
96
96
|
if @member = @members[xml_name]
|
97
97
|
Frame.new(xml_name, self, @member[:ref])
|
98
|
+
elsif @ref.shape.union
|
99
|
+
UnknownMemberFrame.new(xml_name, self, nil, @result)
|
98
100
|
else
|
99
101
|
NullFrame.new(xml_name, self)
|
100
102
|
end
|
@@ -106,10 +108,24 @@ module Aws
|
|
106
108
|
@result[@member[:name]][child.key.result] = child.value.result
|
107
109
|
when FlatListFrame
|
108
110
|
@result[@member[:name]] << child.result
|
111
|
+
when UnknownMemberFrame
|
112
|
+
@result[:unknown] = { 'name' => child.path.last, 'value' => child.result }
|
109
113
|
when NullFrame
|
110
114
|
else
|
111
115
|
@result[@member[:name]] = child.result
|
112
116
|
end
|
117
|
+
|
118
|
+
if @ref.shape.union
|
119
|
+
# a union may only have one member set
|
120
|
+
# convert to the union subclass
|
121
|
+
# The default Struct created will have defaults set for all values
|
122
|
+
# This also sets only one of the values leaving everything else nil
|
123
|
+
# as required for unions
|
124
|
+
set_member_name = @member ? @member[:name] : :unknown
|
125
|
+
member_subclass = @ref.shape.member_subclass(set_member_name).new # shape.member_subclass(target.member).new
|
126
|
+
member_subclass[set_member_name] = @result[set_member_name]
|
127
|
+
@result = member_subclass
|
128
|
+
end
|
113
129
|
end
|
114
130
|
|
115
131
|
private
|
@@ -242,6 +258,12 @@ module Aws
|
|
242
258
|
end
|
243
259
|
end
|
244
260
|
|
261
|
+
class UnknownMemberFrame < Frame
|
262
|
+
def result
|
263
|
+
@text.join
|
264
|
+
end
|
265
|
+
end
|
266
|
+
|
245
267
|
class BlobFrame < Frame
|
246
268
|
def result
|
247
269
|
@text.empty? ? nil : Base64.decode64(@text.join)
|
@@ -302,6 +324,7 @@ module Aws
|
|
302
324
|
MapShape => MapFrame,
|
303
325
|
StringShape => StringFrame,
|
304
326
|
StructureShape => StructureFrame,
|
327
|
+
UnionShape => StructureFrame,
|
305
328
|
TimestampShape => TimestampFrame,
|
306
329
|
}
|
307
330
|
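Review bot: In the union-conversion block of the second hunk, the line that builds `member_subclass` ends with `# shape.member_subclass(target.member).new`, which reads as leftover scratch code and names `target`, an identifier that appears nowhere else in the visible hunks; it should be removed. The five comment lines above it could state the behaviour directly, for example `# A union carries one member: rebuild @result as that member's subclass with only that value set.` The `when UnknownMemberFrame` branch stores a Hash with String keys (`'name'`, `'value'`) under `:unknown`, while the other keys in these hunks are Symbols; a comment saying that this shape is intentional, and that the value is the raw element text from the response, would save readers a check. The method containing these branches begins above the hunk.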
|
@@ -70,6 +70,11 @@ module Aws
|
|
70
70
|
[:ox, :oga, :libxml, :nokogiri, :rexml].each do |name|
|
71
71
|
@engine ||= try_load_engine(name)
|
72
72
|
end
|
73
|
+
unless @engine
|
74
|
+
raise 'Unable to find a compatible xml library. ' \
|
75
|
+
'Ensure that you have installed or added to your Gemfile one of ' \
|
76
|
+
'ox, oga, libxml, nokogiri or rexml'
|
77
|
+
end
|
73
78
|
end
|
74
79
|
|
75
80
|
private
|
data/lib/aws-sdk-core.rb
CHANGED
@@ -18,6 +18,7 @@ require_relative 'aws-sdk-core/ecs_credentials'
|
|
18
18
|
require_relative 'aws-sdk-core/instance_profile_credentials'
|
19
19
|
require_relative 'aws-sdk-core/shared_credentials'
|
20
20
|
require_relative 'aws-sdk-core/process_credentials'
|
21
|
+
require_relative 'aws-sdk-core/sso_credentials'
|
21
22
|
|
22
23
|
# client modules
|
23
24
|
|
@@ -81,14 +82,23 @@ require_relative 'aws-sdk-core/endpoint_cache'
|
|
81
82
|
require_relative 'aws-sdk-core/client_side_monitoring/request_metrics'
|
82
83
|
require_relative 'aws-sdk-core/client_side_monitoring/publisher'
|
83
84
|
|
84
|
-
#
|
85
|
+
# utilities
|
85
86
|
|
86
87
|
require_relative 'aws-sdk-core/arn'
|
87
88
|
require_relative 'aws-sdk-core/arn_parser'
|
89
|
+
require_relative 'aws-sdk-core/ec2_metadata'
|
88
90
|
|
89
|
-
#
|
91
|
+
# defaults
|
92
|
+
require_relative 'aws-defaults'
|
90
93
|
|
91
|
-
|
94
|
+
# plugins
|
95
|
+
# loaded through building STS or SSO ..
|
96
|
+
|
97
|
+
# aws-sdk-sts is included to support Aws::AssumeRoleCredentials
|
98
|
+
require_relative 'aws-sdk-sts'
|
99
|
+
|
100
|
+
# aws-sdk-sso is included to support Aws::SSOCredentials
|
101
|
+
require_relative 'aws-sdk-sso'
|
92
102
|
|
93
103
|
module Aws
|
94
104
|
|