aws-sdk-core 3.105.0 → 3.130.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +1304 -0
- data/LICENSE.txt +202 -0
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +153 -0
- data/lib/aws-defaults/defaults_mode_config_resolver.rb +107 -0
- data/lib/aws-defaults.rb +3 -0
- data/lib/aws-sdk-core/arn.rb +13 -0
- data/lib/aws-sdk-core/assume_role_credentials.rb +20 -1
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +9 -4
- data/lib/aws-sdk-core/client_stubs.rb +5 -1
- data/lib/aws-sdk-core/credential_provider_chain.rb +2 -1
- data/lib/aws-sdk-core/ec2_metadata.rb +238 -0
- data/lib/aws-sdk-core/ecs_credentials.rb +5 -0
- data/lib/aws-sdk-core/errors.rb +6 -2
- data/lib/aws-sdk-core/instance_profile_credentials.rb +119 -18
- data/lib/aws-sdk-core/json/json_engine.rb +10 -8
- data/lib/aws-sdk-core/json/oj_engine.rb +33 -6
- data/lib/aws-sdk-core/json/parser.rb +8 -0
- data/lib/aws-sdk-core/json.rb +8 -26
- data/lib/aws-sdk-core/log/formatter.rb +1 -1
- data/lib/aws-sdk-core/log/param_filter.rb +9 -1
- data/lib/aws-sdk-core/pageable_response.rb +72 -26
- data/lib/aws-sdk-core/pager.rb +3 -0
- data/lib/aws-sdk-core/param_validator.rb +29 -0
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +340 -0
- data/lib/aws-sdk-core/plugins/credentials_configuration.rb +3 -1
- data/lib/aws-sdk-core/plugins/defaults_mode.rb +40 -0
- data/lib/aws-sdk-core/plugins/endpoint_pattern.rb +6 -6
- data/lib/aws-sdk-core/plugins/http_checksum.rb +8 -1
- data/lib/aws-sdk-core/plugins/protocols/api_gateway.rb +17 -0
- data/lib/aws-sdk-core/plugins/protocols/rest_json.rb +16 -1
- data/lib/aws-sdk-core/plugins/recursion_detection.rb +27 -0
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +48 -2
- data/lib/aws-sdk-core/plugins/response_paging.rb +1 -1
- data/lib/aws-sdk-core/plugins/retries/error_inspector.rb +5 -3
- data/lib/aws-sdk-core/plugins/retry_errors.rb +25 -8
- data/lib/aws-sdk-core/plugins/signature_v4.rb +15 -24
- data/lib/aws-sdk-core/plugins/stub_responses.rb +5 -1
- data/lib/aws-sdk-core/process_credentials.rb +3 -2
- data/lib/aws-sdk-core/refreshing_credentials.rb +42 -11
- data/lib/aws-sdk-core/rest/request/body.rb +19 -1
- data/lib/aws-sdk-core/rest/request/headers.rb +18 -6
- data/lib/aws-sdk-core/rest/response/headers.rb +3 -1
- data/lib/aws-sdk-core/shared_config.rb +28 -8
- data/lib/aws-sdk-core/shared_credentials.rb +7 -1
- data/lib/aws-sdk-core/sso_credentials.rb +35 -10
- data/lib/aws-sdk-core/structure.rb +10 -1
- data/lib/aws-sdk-core/stubbing/protocols/json.rb +1 -1
- data/lib/aws-sdk-core/stubbing/protocols/rest_json.rb +1 -1
- data/lib/aws-sdk-core/stubbing/protocols/rest_xml.rb +0 -2
- data/lib/aws-sdk-core/xml/builder.rb +2 -2
- data/lib/aws-sdk-core/xml/doc_builder.rb +6 -1
- data/lib/aws-sdk-core/xml/parser/engines/ox.rb +1 -1
- data/lib/aws-sdk-core/xml/parser/frame.rb +23 -0
- data/lib/aws-sdk-core/xml/parser.rb +5 -0
- data/lib/aws-sdk-core.rb +11 -3
- data/lib/aws-sdk-sso/client.rb +28 -6
- data/lib/aws-sdk-sso/client_api.rb +1 -1
- data/lib/aws-sdk-sso/errors.rb +1 -1
- data/lib/aws-sdk-sso/resource.rb +1 -1
- data/lib/aws-sdk-sso/types.rb +1 -1
- data/lib/aws-sdk-sso.rb +7 -4
- data/lib/aws-sdk-sts/client.rb +515 -429
- data/lib/aws-sdk-sts/client_api.rb +7 -1
- data/lib/aws-sdk-sts/errors.rb +1 -1
- data/lib/aws-sdk-sts/plugins/sts_regional_endpoints.rb +5 -1
- data/lib/aws-sdk-sts/presigner.rb +7 -1
- data/lib/aws-sdk-sts/resource.rb +1 -1
- data/lib/aws-sdk-sts/types.rb +332 -193
- data/lib/aws-sdk-sts.rb +7 -2
- data/lib/seahorse/client/configuration.rb +4 -0
- data/lib/seahorse/client/h2/connection.rb +15 -13
- data/lib/seahorse/client/h2/handler.rb +4 -5
- data/lib/seahorse/client/net_http/connection_pool.rb +7 -0
- data/lib/seahorse/client/net_http/handler.rb +17 -8
- data/lib/seahorse/client/net_http/patches.rb +13 -84
- data/lib/seahorse/client/plugins/content_length.rb +11 -5
- data/lib/seahorse/client/plugins/h2.rb +4 -1
- data/lib/seahorse/client/plugins/net_http.rb +37 -3
- data/lib/seahorse/client/plugins/response_target.rb +0 -1
- data/lib/seahorse/model/operation.rb +3 -0
- data/lib/seahorse/model/shapes.rb +25 -0
- data/lib/seahorse/util.rb +6 -1
- metadata +17 -10
- data/lib/aws-sdk-sso/plugins/content_type.rb +0 -25
@@ -0,0 +1,238 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'time'
|
4
|
+
require 'net/http'
|
5
|
+
|
6
|
+
module Aws
|
7
|
+
# A client that can query version 2 of the EC2 Instance Metadata
|
8
|
+
class EC2Metadata
|
9
|
+
# Path for PUT request for token
|
10
|
+
# @api private
|
11
|
+
METADATA_TOKEN_PATH = '/latest/api/token'.freeze
|
12
|
+
|
13
|
+
# Raised when the PUT request is not valid. This would be thrown if
|
14
|
+
# `token_ttl` is not an Integer.
|
15
|
+
# @api private
|
16
|
+
class TokenRetrievalError < RuntimeError; end
|
17
|
+
|
18
|
+
# Token has expired, and the request can be retried with a new token.
|
19
|
+
# @api private
|
20
|
+
class TokenExpiredError < RuntimeError; end
|
21
|
+
|
22
|
+
# The requested metadata path does not exist.
|
23
|
+
# @api private
|
24
|
+
class MetadataNotFoundError < RuntimeError; end
|
25
|
+
|
26
|
+
# The request is not allowed or IMDS is turned off.
|
27
|
+
# @api private
|
28
|
+
class RequestForbiddenError < RuntimeError; end
|
29
|
+
|
30
|
+
# Creates a client that can query version 2 of the EC2 Instance Metadata
|
31
|
+
# service (IMDS).
|
32
|
+
#
|
33
|
+
# @note Customers using containers may need to increase their hop limit
|
34
|
+
# to access IMDSv2.
|
35
|
+
# @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2
|
36
|
+
#
|
37
|
+
# @param [Hash] options
|
38
|
+
# @option options [Integer] :token_ttl (21600) The session token's TTL,
|
39
|
+
# defaulting to 6 hours.
|
40
|
+
# @option options [Integer] :retries (3) The number of retries for failed
|
41
|
+
# requests.
|
42
|
+
# @option options [String] :endpoint ('http://169.254.169.254') The IMDS
|
43
|
+
# endpoint. This option has precedence over the :endpoint_mode.
|
44
|
+
# @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
|
45
|
+
# the instance metadata service. This is either 'IPv4'
|
46
|
+
# ('http://169.254.169.254') or 'IPv6' ('http://[fd00:ec2::254]').
|
47
|
+
# @option options [Integer] :port (80) The IMDS endpoint port.
|
48
|
+
# @option options [Integer] :http_open_timeout (1) The number of seconds to
|
49
|
+
# wait for the connection to open.
|
50
|
+
# @option options [Integer] :http_read_timeout (1) The number of seconds for
|
51
|
+
# one chunk of data to be read.
|
52
|
+
# @option options [IO] :http_debug_output An output stream for debugging. Do
|
53
|
+
# not use this in production.
|
54
|
+
# @option options [Integer,Proc] :backoff A backoff used for retryable
|
55
|
+
# requests. When given an Integer, it sleeps that amount. When given a
|
56
|
+
# Proc, it is called with the current number of failed retries.
|
57
|
+
def initialize(options = {})
|
58
|
+
@token_ttl = options[:token_ttl] || 21_600
|
59
|
+
@retries = options[:retries] || 3
|
60
|
+
@backoff = backoff(options[:backoff])
|
61
|
+
|
62
|
+
endpoint_mode = options[:endpoint_mode] || 'IPv4'
|
63
|
+
@endpoint = resolve_endpoint(options[:endpoint], endpoint_mode)
|
64
|
+
@port = options[:port] || 80
|
65
|
+
|
66
|
+
@http_open_timeout = options[:http_open_timeout] || 1
|
67
|
+
@http_read_timeout = options[:http_read_timeout] || 1
|
68
|
+
@http_debug_output = options[:http_debug_output]
|
69
|
+
|
70
|
+
@token = nil
|
71
|
+
@mutex = Mutex.new
|
72
|
+
end
|
73
|
+
|
74
|
+
# Fetches a given metadata category using a String path, and returns the
|
75
|
+
# result as a String. A path starts with the API version (usually
|
76
|
+
# "/latest/"). See the instance data categories for possible paths.
|
77
|
+
#
|
78
|
+
# @example Fetching the instance ID
|
79
|
+
#
|
80
|
+
# ec2_metadata = Aws::EC2Metadata.new
|
81
|
+
# ec2_metadata.get('/latest/meta-data/instance-id')
|
82
|
+
# => "i-023a25f10a73a0f79"
|
83
|
+
#
|
84
|
+
# @note This implementation always returns a String and will not parse any
|
85
|
+
# responses. Parsable responses may include JSON objects or directory
|
86
|
+
# listings, which are strings separated by line feeds (ASCII 10).
|
87
|
+
#
|
88
|
+
# @example Fetching and parsing JSON meta-data
|
89
|
+
#
|
90
|
+
# require 'json'
|
91
|
+
# data = ec2_metadata.get('/latest/dynamic/instance-identity/document')
|
92
|
+
# JSON.parse(data)
|
93
|
+
# => {"accountId"=>"012345678912", ... }
|
94
|
+
#
|
95
|
+
# @example Fetching and parsing directory listings
|
96
|
+
#
|
97
|
+
# listing = ec2_metadata.get('/latest/meta-data')
|
98
|
+
# listing.split(10.chr)
|
99
|
+
# => ["ami-id", "ami-launch-index", ...]
|
100
|
+
#
|
101
|
+
# @note Unlike other services, IMDS does not have a service API model. This
|
102
|
+
# means that we cannot confidently generate code with methods and
|
103
|
+
# response structures. This implementation ensures that new IMDS features
|
104
|
+
# are always supported by being deployed to the instance and does not
|
105
|
+
# require code changes.
|
106
|
+
#
|
107
|
+
# @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html
|
108
|
+
# @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
|
109
|
+
# @param [String] path The full path to the metadata.
|
110
|
+
def get(path)
|
111
|
+
retry_errors(max_retries: @retries) do
|
112
|
+
@mutex.synchronize do
|
113
|
+
fetch_token unless @token && !@token.expired?
|
114
|
+
end
|
115
|
+
|
116
|
+
open_connection do |conn|
|
117
|
+
http_get(conn, path, @token.value)
|
118
|
+
end
|
119
|
+
end
|
120
|
+
end
|
121
|
+
|
122
|
+
private
|
123
|
+
|
124
|
+
def resolve_endpoint(endpoint, endpoint_mode)
|
125
|
+
return endpoint if endpoint
|
126
|
+
|
127
|
+
case endpoint_mode.downcase
|
128
|
+
when 'ipv4' then 'http://169.254.169.254'
|
129
|
+
when 'ipv6' then 'http://[fd00:ec2::254]'
|
130
|
+
else
|
131
|
+
raise ArgumentError,
|
132
|
+
':endpoint_mode is not valid, expected IPv4 or IPv6, '\
|
133
|
+
"got: #{endpoint_mode}"
|
134
|
+
end
|
135
|
+
end
|
136
|
+
|
137
|
+
def fetch_token
|
138
|
+
open_connection do |conn|
|
139
|
+
created_time = Time.now
|
140
|
+
token_value, token_ttl = http_put(conn, @token_ttl)
|
141
|
+
@token = Token.new(value: token_value, ttl: token_ttl, created_time: created_time)
|
142
|
+
end
|
143
|
+
end
|
144
|
+
|
145
|
+
def http_get(connection, path, token)
|
146
|
+
headers = {
|
147
|
+
'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
|
148
|
+
'x-aws-ec2-metadata-token' => token
|
149
|
+
}
|
150
|
+
request = Net::HTTP::Get.new(path, headers)
|
151
|
+
response = connection.request(request)
|
152
|
+
|
153
|
+
case response.code.to_i
|
154
|
+
when 200
|
155
|
+
response.body
|
156
|
+
when 401
|
157
|
+
raise TokenExpiredError
|
158
|
+
when 404
|
159
|
+
raise MetadataNotFoundError
|
160
|
+
end
|
161
|
+
end
|
162
|
+
|
163
|
+
def http_put(connection, ttl)
|
164
|
+
headers = {
|
165
|
+
'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
|
166
|
+
'x-aws-ec2-metadata-token-ttl-seconds' => ttl.to_s
|
167
|
+
}
|
168
|
+
request = Net::HTTP::Put.new(METADATA_TOKEN_PATH, headers)
|
169
|
+
response = connection.request(request)
|
170
|
+
|
171
|
+
case response.code.to_i
|
172
|
+
when 200
|
173
|
+
[
|
174
|
+
response.body,
|
175
|
+
response.header['x-aws-ec2-metadata-token-ttl-seconds'].to_i
|
176
|
+
]
|
177
|
+
when 400
|
178
|
+
raise TokenRetrievalError
|
179
|
+
when 403
|
180
|
+
raise RequestForbiddenError
|
181
|
+
end
|
182
|
+
end
|
183
|
+
|
184
|
+
def open_connection
|
185
|
+
uri = URI.parse(@endpoint)
|
186
|
+
http = Net::HTTP.new(uri.hostname || @endpoint, @port || uri.port)
|
187
|
+
http.open_timeout = @http_open_timeout
|
188
|
+
http.read_timeout = @http_read_timeout
|
189
|
+
http.set_debug_output(@http_debug_output) if @http_debug_output
|
190
|
+
http.start
|
191
|
+
yield(http).tap { http.finish }
|
192
|
+
end
|
193
|
+
|
194
|
+
def retry_errors(options = {}, &_block)
|
195
|
+
max_retries = options[:max_retries]
|
196
|
+
retries = 0
|
197
|
+
begin
|
198
|
+
yield
|
199
|
+
# These errors should not be retried.
|
200
|
+
rescue TokenRetrievalError, MetadataNotFoundError, RequestForbiddenError
|
201
|
+
raise
|
202
|
+
# StandardError is not ideal but it covers Net::HTTP errors.
|
203
|
+
# https://gist.github.com/tenderlove/245188
|
204
|
+
rescue StandardError, TokenExpiredError
|
205
|
+
raise unless retries < max_retries
|
206
|
+
|
207
|
+
@backoff.call(retries)
|
208
|
+
retries += 1
|
209
|
+
retry
|
210
|
+
end
|
211
|
+
end
|
212
|
+
|
213
|
+
def backoff(backoff)
|
214
|
+
case backoff
|
215
|
+
when Proc then backoff
|
216
|
+
when Numeric then ->(_) { Kernel.sleep(backoff) }
|
217
|
+
else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
|
218
|
+
end
|
219
|
+
end
|
220
|
+
|
221
|
+
# @api private
|
222
|
+
class Token
|
223
|
+
def initialize(options = {})
|
224
|
+
@ttl = options[:ttl]
|
225
|
+
@value = options[:value]
|
226
|
+
@created_time = options[:created_time] || Time.now
|
227
|
+
end
|
228
|
+
|
229
|
+
# [String] Returns the token value.
|
230
|
+
attr_reader :value
|
231
|
+
|
232
|
+
# [Boolean] Returns true if the token expired.
|
233
|
+
def expired?
|
234
|
+
Time.now - @created_time > @ttl
|
235
|
+
end
|
236
|
+
end
|
237
|
+
end
|
238
|
+
end
|
@@ -43,6 +43,10 @@ module Aws
|
|
43
43
|
# @option options [IO] :http_debug_output (nil) HTTP wire
|
44
44
|
# traces are sent to this object. You can specify something
|
45
45
|
# like $stdout.
|
46
|
+
# @option options [Callable] before_refresh Proc called before
|
47
|
+
# credentials are refreshed. `before_refresh` is called
|
48
|
+
# with an instance of this object when
|
49
|
+
# AWS credentials are required and need to be refreshed.
|
46
50
|
def initialize options = {}
|
47
51
|
@retries = options[:retries] || 5
|
48
52
|
@ip_address = options[:ip_address] || '169.254.170.2'
|
@@ -58,6 +62,7 @@ module Aws
|
|
58
62
|
@http_read_timeout = options[:http_read_timeout] || 5
|
59
63
|
@http_debug_output = options[:http_debug_output]
|
60
64
|
@backoff = backoff(options[:backoff])
|
65
|
+
@async_refresh = false
|
61
66
|
super
|
62
67
|
end
|
63
68
|
|
data/lib/aws-sdk-core/errors.rb
CHANGED
@@ -16,10 +16,10 @@ module Aws
|
|
16
16
|
# @param [Aws::Structure] data
|
17
17
|
def initialize(context, message, data = Aws::EmptyStructure.new)
|
18
18
|
@code = self.class.code
|
19
|
-
@message = message if message && !message.empty?
|
20
19
|
@context = context
|
21
20
|
@data = data
|
22
|
-
|
21
|
+
@message = message && !message.empty? ? message : self.class.to_s
|
22
|
+
super(@message)
|
23
23
|
end
|
24
24
|
|
25
25
|
# @return [String]
|
@@ -210,6 +210,10 @@ module Aws
|
|
210
210
|
# Raised when SSO Credentials are invalid
|
211
211
|
class InvalidSSOCredentials < RuntimeError; end
|
212
212
|
|
213
|
+
# Raised when there is a circular reference in chained
|
214
|
+
# source_profiles
|
215
|
+
class SourceProfileCircularReferenceError < RuntimeError; end
|
216
|
+
|
213
217
|
# Raised when a client is constructed and region is not specified.
|
214
218
|
class MissingRegionError < ArgumentError
|
215
219
|
def initialize(*args)
|
@@ -5,7 +5,6 @@ require 'net/http'
|
|
5
5
|
|
6
6
|
module Aws
|
7
7
|
class InstanceProfileCredentials
|
8
|
-
|
9
8
|
include CredentialProvider
|
10
9
|
include RefreshingCredentials
|
11
10
|
|
@@ -44,7 +43,13 @@ module Aws
|
|
44
43
|
# @param [Hash] options
|
45
44
|
# @option options [Integer] :retries (1) Number of times to retry
|
46
45
|
# when retrieving credentials.
|
47
|
-
# @option options [String] :
|
46
|
+
# @option options [String] :endpoint ('http://169.254.169.254') The IMDS
|
47
|
+
# endpoint. This option has precedence over the :endpoint_mode.
|
48
|
+
# @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
|
49
|
+
# the instance metadata service. This is either 'IPv4' ('169.254.169.254')
|
50
|
+
# or 'IPv6' ('[fd00:ec2::254]').
|
51
|
+
# @option options [String] :ip_address ('169.254.169.254') Deprecated. Use
|
52
|
+
# :endpoint instead. The IP address for the endpoint.
|
48
53
|
# @option options [Integer] :port (80)
|
49
54
|
# @option options [Float] :http_open_timeout (1)
|
50
55
|
# @option options [Float] :http_read_timeout (1)
|
@@ -58,9 +63,14 @@ module Aws
|
|
58
63
|
# @option options [Integer] :token_ttl Time-to-Live in seconds for EC2
|
59
64
|
# Metadata Token used for fetching Metadata Profile Credentials, defaults
|
60
65
|
# to 21600 seconds
|
66
|
+
# @option options [Callable] before_refresh Proc called before
|
67
|
+
# credentials are refreshed. `before_refresh` is called
|
68
|
+
# with an instance of this object when
|
69
|
+
# AWS credentials are required and need to be refreshed.
|
61
70
|
def initialize(options = {})
|
62
71
|
@retries = options[:retries] || 1
|
63
|
-
|
72
|
+
endpoint_mode = resolve_endpoint_mode(options)
|
73
|
+
@endpoint = resolve_endpoint(options, endpoint_mode)
|
64
74
|
@port = options[:port] || 80
|
65
75
|
@http_open_timeout = options[:http_open_timeout] || 1
|
66
76
|
@http_read_timeout = options[:http_read_timeout] || 1
|
@@ -68,6 +78,8 @@ module Aws
|
|
68
78
|
@backoff = backoff(options[:backoff])
|
69
79
|
@token_ttl = options[:token_ttl] || 21_600
|
70
80
|
@token = nil
|
81
|
+
@no_refresh_until = nil
|
82
|
+
@async_refresh = false
|
71
83
|
super
|
72
84
|
end
|
73
85
|
|
@@ -78,6 +90,34 @@ module Aws
|
|
78
90
|
|
79
91
|
private
|
80
92
|
|
93
|
+
def resolve_endpoint_mode(options)
|
94
|
+
value = options[:endpoint_mode]
|
95
|
+
value ||= ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE']
|
96
|
+
value ||= Aws.shared_config.ec2_metadata_service_endpoint_mode(
|
97
|
+
profile: options[:profile]
|
98
|
+
)
|
99
|
+
value || 'IPv4'
|
100
|
+
end
|
101
|
+
|
102
|
+
def resolve_endpoint(options, endpoint_mode)
|
103
|
+
value = options[:endpoint] || options[:ip_address]
|
104
|
+
value ||= ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT']
|
105
|
+
value ||= Aws.shared_config.ec2_metadata_service_endpoint(
|
106
|
+
profile: options[:profile]
|
107
|
+
)
|
108
|
+
|
109
|
+
return value if value
|
110
|
+
|
111
|
+
case endpoint_mode.downcase
|
112
|
+
when 'ipv4' then 'http://169.254.169.254'
|
113
|
+
when 'ipv6' then 'http://[fd00:ec2::254]'
|
114
|
+
else
|
115
|
+
raise ArgumentError,
|
116
|
+
':endpoint_mode is not valid, expected IPv4 or IPv6, '\
|
117
|
+
"got: #{endpoint_mode}"
|
118
|
+
end
|
119
|
+
end
|
120
|
+
|
81
121
|
def backoff(backoff)
|
82
122
|
case backoff
|
83
123
|
when Proc then backoff
|
@@ -87,18 +127,48 @@ module Aws
|
|
87
127
|
end
|
88
128
|
|
89
129
|
def refresh
|
130
|
+
if @no_refresh_until && @no_refresh_until > Time.now
|
131
|
+
warn_expired_credentials
|
132
|
+
return
|
133
|
+
end
|
134
|
+
|
90
135
|
# Retry loading credentials up to 3 times is the instance metadata
|
91
136
|
# service is responding but is returning invalid JSON documents
|
92
137
|
# in response to the GET profile credentials call.
|
93
138
|
begin
|
94
139
|
retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
|
95
140
|
c = Aws::Json.load(get_credentials.to_s)
|
96
|
-
@credentials
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
141
|
+
if empty_credentials?(@credentials)
|
142
|
+
@credentials = Credentials.new(
|
143
|
+
c['AccessKeyId'],
|
144
|
+
c['SecretAccessKey'],
|
145
|
+
c['Token']
|
146
|
+
)
|
147
|
+
@expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
|
148
|
+
if @expiration && @expiration < Time.now
|
149
|
+
@no_refresh_until = Time.now + refresh_offset
|
150
|
+
warn_expired_credentials
|
151
|
+
end
|
152
|
+
else
|
153
|
+
# credentials are already set, update them only if the new ones are not empty
|
154
|
+
if !c['AccessKeyId'] || c['AccessKeyId'].empty?
|
155
|
+
# error getting new credentials
|
156
|
+
@no_refresh_until = Time.now + refresh_offset
|
157
|
+
warn_expired_credentials
|
158
|
+
else
|
159
|
+
@credentials = Credentials.new(
|
160
|
+
c['AccessKeyId'],
|
161
|
+
c['SecretAccessKey'],
|
162
|
+
c['Token']
|
163
|
+
)
|
164
|
+
@expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
|
165
|
+
if @expiration && @expiration < Time.now
|
166
|
+
@no_refresh_until = Time.now + refresh_offset
|
167
|
+
warn_expired_credentials
|
168
|
+
end
|
169
|
+
end
|
170
|
+
end
|
171
|
+
|
102
172
|
end
|
103
173
|
rescue Aws::Json::ParseError
|
104
174
|
raise Aws::Errors::MetadataParserError
|
@@ -119,10 +189,11 @@ module Aws
|
|
119
189
|
begin
|
120
190
|
retry_errors(NETWORK_ERRORS, max_retries: @retries) do
|
121
191
|
unless token_set?
|
192
|
+
created_time = Time.now
|
122
193
|
token_value, ttl = http_put(
|
123
194
|
conn, METADATA_TOKEN_PATH, @token_ttl
|
124
195
|
)
|
125
|
-
@token = Token.new(token_value, ttl) if token_value && ttl
|
196
|
+
@token = Token.new(token_value, ttl, created_time) if token_value && ttl
|
126
197
|
end
|
127
198
|
end
|
128
199
|
rescue *NETWORK_ERRORS
|
@@ -132,9 +203,17 @@ module Aws
|
|
132
203
|
end
|
133
204
|
|
134
205
|
token = @token.value if token_set?
|
135
|
-
|
136
|
-
|
137
|
-
|
206
|
+
|
207
|
+
begin
|
208
|
+
metadata = http_get(conn, METADATA_PATH_BASE, token)
|
209
|
+
profile_name = metadata.lines.first.strip
|
210
|
+
http_get(conn, METADATA_PATH_BASE + profile_name, token)
|
211
|
+
rescue TokenExpiredError
|
212
|
+
# Token has expired, reset it
|
213
|
+
# The next retry should fetch it
|
214
|
+
@token = nil
|
215
|
+
raise Non200Response
|
216
|
+
end
|
138
217
|
end
|
139
218
|
end
|
140
219
|
rescue
|
@@ -152,7 +231,8 @@ module Aws
|
|
152
231
|
end
|
153
232
|
|
154
233
|
def open_connection
|
155
|
-
|
234
|
+
uri = URI.parse(@endpoint)
|
235
|
+
http = Net::HTTP.new(uri.hostname || @endpoint, @port || uri.port)
|
156
236
|
http.open_timeout = @http_open_timeout
|
157
237
|
http.read_timeout = @http_read_timeout
|
158
238
|
http.set_debug_output(@http_debug_output) if @http_debug_output
|
@@ -165,9 +245,15 @@ module Aws
|
|
165
245
|
headers = { 'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}" }
|
166
246
|
headers['x-aws-ec2-metadata-token'] = token if token
|
167
247
|
response = connection.request(Net::HTTP::Get.new(path, headers))
|
168
|
-
raise Non200Response unless response.code.to_i == 200
|
169
248
|
|
170
|
-
response.
|
249
|
+
case response.code.to_i
|
250
|
+
when 200
|
251
|
+
response.body
|
252
|
+
when 401
|
253
|
+
raise TokenExpiredError
|
254
|
+
else
|
255
|
+
raise Non200Response
|
256
|
+
end
|
171
257
|
end
|
172
258
|
|
173
259
|
# PUT request fetch token with ttl
|
@@ -206,13 +292,28 @@ module Aws
|
|
206
292
|
end
|
207
293
|
end
|
208
294
|
|
295
|
+
def warn_expired_credentials
|
296
|
+
warn("Attempting credential expiration extension due to a credential "\
|
297
|
+
"service availability issue. A refresh of these credentials "\
|
298
|
+
"will be attempted again in 5 minutes.")
|
299
|
+
end
|
300
|
+
|
301
|
+
def empty_credentials?(creds)
|
302
|
+
!creds || !creds.access_key_id || creds.access_key_id.empty?
|
303
|
+
end
|
304
|
+
|
305
|
+
# Compute an offset for refresh with jitter
|
306
|
+
def refresh_offset
|
307
|
+
300 + rand(0..60)
|
308
|
+
end
|
309
|
+
|
209
310
|
# @api private
|
210
311
|
# Token used to fetch IMDS profile and credentials
|
211
312
|
class Token
|
212
|
-
def initialize(value, ttl)
|
313
|
+
def initialize(value, ttl, created_time = Time.now)
|
213
314
|
@ttl = ttl
|
214
315
|
@value = value
|
215
|
-
@created_time =
|
316
|
+
@created_time = created_time
|
216
317
|
end
|
217
318
|
|
218
319
|
# [String] token value
|
@@ -2,16 +2,18 @@
|
|
2
2
|
|
3
3
|
module Aws
|
4
4
|
module Json
|
5
|
-
|
5
|
+
module JSONEngine
|
6
|
+
class << self
|
7
|
+
def load(json)
|
8
|
+
JSON.parse(json)
|
9
|
+
rescue JSON::ParserError => e
|
10
|
+
raise ParseError.new(e)
|
11
|
+
end
|
6
12
|
|
7
|
-
|
8
|
-
|
13
|
+
def dump(value)
|
14
|
+
JSON.dump(value)
|
15
|
+
end
|
9
16
|
end
|
10
|
-
|
11
|
-
def self.dump(value)
|
12
|
-
Oj.dump(value)
|
13
|
-
end
|
14
|
-
|
15
17
|
end
|
16
18
|
end
|
17
19
|
end
|
@@ -2,16 +2,43 @@
|
|
2
2
|
|
3
3
|
module Aws
|
4
4
|
module Json
|
5
|
-
|
5
|
+
module OjEngine
|
6
|
+
# @api private
|
7
|
+
LOAD_OPTIONS = { mode: :compat, symbol_keys: false, empty_string: false }.freeze
|
6
8
|
|
7
|
-
|
8
|
-
|
9
|
-
|
9
|
+
# @api private
|
10
|
+
DUMP_OPTIONS = { mode: :compat }.freeze
|
11
|
+
|
12
|
+
class << self
|
13
|
+
def load(json)
|
14
|
+
Oj.load(json, LOAD_OPTIONS)
|
15
|
+
rescue *PARSE_ERRORS => e
|
16
|
+
raise ParseError.new(e)
|
17
|
+
end
|
18
|
+
|
19
|
+
def dump(value)
|
20
|
+
Oj.dump(value, DUMP_OPTIONS)
|
21
|
+
end
|
22
|
+
|
23
|
+
private
|
24
|
+
|
25
|
+
# Oj before 1.4.0 does not define Oj::ParseError and instead raises
|
26
|
+
# SyntaxError on failure
|
27
|
+
def detect_oj_parse_errors
|
28
|
+
require 'oj'
|
10
29
|
|
11
|
-
|
12
|
-
|
30
|
+
if Oj.const_defined?(:ParseError)
|
31
|
+
[Oj::ParseError, EncodingError, JSON::ParserError]
|
32
|
+
else
|
33
|
+
[SyntaxError]
|
34
|
+
end
|
35
|
+
rescue LoadError
|
36
|
+
nil
|
37
|
+
end
|
13
38
|
end
|
14
39
|
|
40
|
+
# @api private
|
41
|
+
PARSE_ERRORS = detect_oj_parse_errors
|
15
42
|
end
|
16
43
|
end
|
17
44
|
end
|
@@ -28,8 +28,16 @@ module Aws
|
|
28
28
|
member_name, member_ref = shape.member_by_location_name(key)
|
29
29
|
if member_ref
|
30
30
|
target[member_name] = parse_ref(member_ref, value)
|
31
|
+
elsif shape.union
|
32
|
+
target[:unknown] = { 'name' => key, 'value' => value }
|
31
33
|
end
|
32
34
|
end
|
35
|
+
if shape.union
|
36
|
+
# convert to subclass
|
37
|
+
member_subclass = shape.member_subclass(target.member).new
|
38
|
+
member_subclass[target.member] = target.value
|
39
|
+
target = member_subclass
|
40
|
+
end
|
33
41
|
target
|
34
42
|
end
|
35
43
|
|
data/lib/aws-sdk-core/json.rb
CHANGED
@@ -5,6 +5,8 @@ require_relative 'json/builder'
|
|
5
5
|
require_relative 'json/error_handler'
|
6
6
|
require_relative 'json/handler'
|
7
7
|
require_relative 'json/parser'
|
8
|
+
require_relative 'json/json_engine'
|
9
|
+
require_relative 'json/oj_engine'
|
8
10
|
|
9
11
|
module Aws
|
10
12
|
# @api private
|
@@ -20,9 +22,7 @@ module Aws
|
|
20
22
|
|
21
23
|
class << self
|
22
24
|
def load(json)
|
23
|
-
ENGINE.load(json
|
24
|
-
rescue *ENGINE_ERRORS => e
|
25
|
-
raise ParseError, e
|
25
|
+
ENGINE.load(json)
|
26
26
|
end
|
27
27
|
|
28
28
|
def load_file(path)
|
@@ -30,38 +30,20 @@ module Aws
|
|
30
30
|
end
|
31
31
|
|
32
32
|
def dump(value)
|
33
|
-
ENGINE.dump(value
|
33
|
+
ENGINE.dump(value)
|
34
34
|
end
|
35
35
|
|
36
36
|
private
|
37
37
|
|
38
|
-
def
|
38
|
+
def select_engine
|
39
39
|
require 'oj'
|
40
|
-
|
41
|
-
Oj,
|
42
|
-
[{ mode: :compat, symbol_keys: false, empty_string: false }],
|
43
|
-
[{ mode: :compat }],
|
44
|
-
oj_parse_error
|
45
|
-
]
|
40
|
+
OjEngine
|
46
41
|
rescue LoadError
|
47
|
-
|
48
|
-
end
|
49
|
-
|
50
|
-
def json_engine
|
51
|
-
[JSON, [], [], [JSON::ParserError]]
|
52
|
-
end
|
53
|
-
|
54
|
-
def oj_parse_error
|
55
|
-
if Oj.const_defined?('ParseError')
|
56
|
-
[Oj::ParseError, EncodingError, JSON::ParserError]
|
57
|
-
else
|
58
|
-
[SyntaxError]
|
59
|
-
end
|
42
|
+
JSONEngine
|
60
43
|
end
|
61
44
|
end
|
62
45
|
|
63
46
|
# @api private
|
64
|
-
ENGINE
|
65
|
-
oj_engine || json_engine
|
47
|
+
ENGINE = select_engine
|
66
48
|
end
|
67
49
|
end
|
@@ -97,7 +97,7 @@ module Aws
|
|
97
97
|
# @return [String]
|
98
98
|
attr_reader :pattern
|
99
99
|
|
100
|
-
# Given a
|
100
|
+
# Given a response, this will format a log message and return it as a
|
101
101
|
# string according to {#pattern}.
|
102
102
|
# @param [Seahorse::Client::Response] response
|
103
103
|
# @return [String]
|