aws-sdk-core 3.114.0 → 3.180.2

data/lib/aws-sdk-core/endpoints/rule_set.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Aws
+  module Endpoints
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
+    # @api private
+    class RuleSet
+      def initialize(version:, service_id:, parameters:, rules:)
+        @version = version
+        @service_id = service_id
+        @parameters = parameters
+        @rules = RuleSet.rules_from_json(rules || [])
+      end
+
+      attr_reader :version
+      attr_reader :service_id
+      attr_reader :parameters
+      attr_reader :rules
+
+      def self.rules_from_json(rules_json)
+        rules_json.each.with_object([]) do |rule, rules|
+          if rule['type'] == 'endpoint'
+            rules << EndpointRule.new(
+              conditions: rule['conditions'],
+              endpoint: rule['endpoint'],
+              documentation: rule['documentation']
+            )
+          elsif rule['type'] == 'error'
+            rules << ErrorRule.new(
+              conditions: rule['conditions'],
+              error: rule['error'],
+              documentation: rule['documentation']
+            )
+          elsif rule['type'] == 'tree'
+            rules << TreeRule.new(
+              conditions: rule['conditions'],
+              rules: rule['rules'],
+              documentation: rule['documentation']
+            )
+          else
+            # should not happen
+            raise "Unknown endpoint rule type: #{rule}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/endpoints/rules_provider.rb

@@ -0,0 +1,37 @@
+module Aws
+  module Endpoints
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
+    # @api private
+    class RulesProvider
+      def initialize(rule_set)
+        @rule_set = rule_set
+      end
+
+      def resolve_endpoint(parameters)
+        obj = resolve_rules(parameters)
+        case obj
+        when Endpoint
+          obj
+        when ArgumentError
+          raise obj
+        else
+          raise ArgumentError, 'No endpoint could be resolved'
+        end
+      end
+
+      private
+
+      def resolve_rules(parameters)
+        @rule_set.rules.each do |rule|
+          output = rule.match(parameters)
+          return output if output
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/endpoints/templater.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Aws
+  module Endpoints
+    # Does substitutions for templated endpoint strings
+
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
+    # @api private
+    module Templater
+      class << self
+        def resolve(string, parameters, assigns)
+          # scans for strings in curly brackets {}
+          string.scan(/\{.+?\}/).each do |capture|
+            value = capture[1..-2] # strips curly brackets
+            string = string.gsub(capture, replace(value, parameters, assigns))
+          end
+          string
+        end
+
+        private
+
+        # Replaces the captured value with values from parameters or assign
+        def replace(capture, parameters, assigns)
+          # Pound sigil is used for getAttr calls
+          indexes = capture.split('#')
+
+          # no sigil found, just do substitution
+          if indexes.size == 1
+            extract_value(capture, parameters, assigns)
+          # sigil was found, need to call getAttr
+          elsif indexes.size == 2
+            ref, property = indexes
+            param = extract_value(ref, parameters, assigns)
+            Matchers.attr(param, property)
+          else
+            raise "Invalid templatable value: #{capture}"
+          end
+        end
+
+        # Checks both parameters and assigns hash for the referenced value
+        def extract_value(key, parameters, assigns)
+          if assigns.key?(key)
+            assigns[key]
+          elsif parameters.class.singleton_class::PARAM_MAP.key?(key)
+            member_name = parameters.class.singleton_class::PARAM_MAP[key]
+            parameters[member_name]
+          else
+            raise "Templatable value not found: #{key}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/endpoints/tree_rule.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Aws
+  module Endpoints
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
+    # @api private
+    class TreeRule
+      def initialize(type: 'tree', conditions:, rules:, documentation: nil)
+        @type = type
+        @conditions = Condition.from_json(conditions)
+        @rules = RuleSet.rules_from_json(rules)
+        @documentation = documentation
+      end
+
+      attr_reader :type
+      attr_reader :conditions
+      attr_reader :error
+      attr_reader :documentation
+
+      def match(parameters, assigned = {})
+        assigns = assigned.dup
+        matched = conditions.all? do |condition|
+          output = condition.match?(parameters, assigns)
+          assigns = assigns.merge(condition.assigned) if condition.assign
+          output
+        end
+        resolve_rules(parameters, assigns) if matched
+      end
+
+      private
+
+      def resolve_rules(parameters, assigns)
+        @rules.each do |rule|
+          output = rule.match(parameters, assigns)
+          return output if output
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/endpoints/url.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'ipaddr'
+
+module Aws
+  module Endpoints
+
+    # @api private
+    class URL
+      def initialize(url)
+        uri = URI(url)
+        @scheme = uri.scheme
+        # only support http and https schemes
+        raise ArgumentError unless %w[https http].include?(@scheme)
+
+        # do not support query
+        raise ArgumentError if uri.query
+
+        @authority = _authority(url, uri)
+        @path = uri.path
+        @normalized_path = uri.path + (uri.path[-1] == '/' ? '' : '/')
+        @is_ip = _is_ip(uri.host)
+      end
+
+      attr_reader :scheme
+      attr_reader :authority
+      attr_reader :path
+      attr_reader :normalized_path
+      attr_reader :is_ip
+
+      def as_json(_options = {})
+        {
+          'scheme' => scheme,
+          'authority' => authority,
+          'path' => path,
+          'normalizedPath' => normalized_path,
+          'isIp' => is_ip
+        }
+      end
+
+      private
+
+      def _authority(url, uri)
+        # don't include port if it's default and not parsed originally
+        if uri.default_port == uri.port && !url.include?(":#{uri.port}")
+          uri.host
+        else
+          "#{uri.host}:#{uri.port}"
+        end
+      end
+
+      def _is_ip(authority)
+        IPAddr.new(authority)
+        true
+      rescue IPAddr::InvalidAddressError
+        false
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/endpoints.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require_relative 'endpoints/rule'
+require_relative 'endpoints/condition'
+require_relative 'endpoints/endpoint_rule'
+require_relative 'endpoints/endpoint'
+require_relative 'endpoints/error_rule'
+require_relative 'endpoints/function'
+require_relative 'endpoints/matchers'
+require_relative 'endpoints/reference'
+require_relative 'endpoints/rules_provider'
+require_relative 'endpoints/rule_set'
+require_relative 'endpoints/templater'
+require_relative 'endpoints/tree_rule'
+require_relative 'endpoints/url'
+
+module Aws
+  # @api private
+  module Endpoints
+    class << self
+      def resolve_auth_scheme(context, endpoint)
+        if endpoint && (auth_schemes = endpoint.properties['authSchemes'])
+          auth_scheme = auth_schemes.find do |scheme|
+            Aws::Plugins::Sign::SUPPORTED_AUTH_TYPES.include?(scheme['name'])
+          end
+          raise 'No supported auth scheme for this endpoint.' unless auth_scheme
+
+          merge_signing_defaults(auth_scheme, context.config)
+        else
+          default_auth_scheme(context)
+        end
+      end
+
+      private
+
+      def default_auth_scheme(context)
+        case default_api_authtype(context)
+        when 'v4', 'v4-unsigned-body'
+          auth_scheme = { 'name' => 'sigv4' }
+          merge_signing_defaults(auth_scheme, context.config)
+        when 's3', 's3v4'
+          auth_scheme = {
+            'name' => 'sigv4',
+            'disableDoubleEncoding' => true,
+            'disableNormalizePath' => true
+          }
+          merge_signing_defaults(auth_scheme, context.config)
+        when 'bearer'
+          { 'name' => 'bearer' }
+        when 'none', nil
+          { 'name' => 'none' }
+        end
+      end
+
+      def merge_signing_defaults(auth_scheme, config)
+        if %w[sigv4 sigv4a].include?(auth_scheme['name'])
+          auth_scheme['signingName'] ||= sigv4_name(config)
+          if auth_scheme['name'] == 'sigv4a'
+            auth_scheme['signingRegionSet'] ||= ['*']
+          else
+            auth_scheme['signingRegion'] ||= config.region
+          end
+        end
+        auth_scheme
+      end
+
+      def default_api_authtype(context)
+        context.config.api.operation(context.operation_name)['authtype'] ||
+          context.config.api.metadata['signatureVersion']
+      end
+
+      def sigv4_name(config)
+        config.api.metadata['signingName'] ||
+          config.api.metadata['endpointPrefix']
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/errors.rb

@@ -18,7 +18,7 @@ module Aws
         @code = self.class.code
         @context = context
         @data = data
-        @message = message && !message.empty? ? message : self.class
+        @message = message && !message.empty? ? message : self.class.to_s
         super(@message)
       end
 
@@ -210,6 +210,23 @@ module Aws
     # Raised when SSO Credentials are invalid
     class InvalidSSOCredentials < RuntimeError; end
 
+    # Raised when SSO Token is invalid
+    class InvalidSSOToken < RuntimeError; end
+
+    # Raised when a client is unable to sign a request because
+    # the bearer token is not configured or available
+    class MissingBearerTokenError < RuntimeError
+      def initialize(*args)
+        msg = 'unable to sign request without token set'
+        super(msg)
+      end
+    end
+
+
+    # Raised when there is a circular reference in chained
+    # source_profiles
+    class SourceProfileCircularReferenceError < RuntimeError; end
+
     # Raised when a client is constructed and region is not specified.
     class MissingRegionError < ArgumentError
       def initialize(*args)

data/lib/aws-sdk-core/ini_parser.rb

@@ -8,6 +8,8 @@ module Aws
       def ini_parse(raw)
         current_profile = nil
         current_prefix = nil
+        item = nil
+        previous_item = nil
         raw.lines.inject({}) do |acc, line|
           line = line.split(/^|\s;/).first # remove comments
           profile = line.match(/^\[([^\[\]]+)\]\s*(#.+)?$/) unless line.nil?
@@ -17,11 +19,16 @@ module Aws
             current_profile = named_profile[1] if named_profile
           elsif current_profile
             unless line.nil?
+              previous_item = item
               item = line.match(/^(.+?)\s*=\s*(.+?)\s*$/)
               prefix = line.match(/^(.+?)\s*=\s*$/)
             end
             if item && item[1].match(/^\s+/)
               # Need to add lines to a nested configuration.
+              if current_prefix.nil? && previous_item[2].strip.empty?
+                current_prefix = previous_item[1]
+                acc[current_profile][current_prefix] = {}
+              end
               inner_item = line.match(/^\s*(.+?)\s*=\s*(.+?)\s*$/)
               acc[current_profile] ||= {}
               acc[current_profile][current_prefix] ||= {}

data/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -4,8 +4,12 @@ require 'time'
 require 'net/http'
 
 module Aws
+  # An auto-refreshing credential provider that loads credentials from
+  # EC2 instances.
+  #
+  #     instance_credentials = Aws::InstanceProfileCredentials.new
+  #     ec2 = Aws::EC2::Client.new(credentials: instance_credentials)
   class InstanceProfileCredentials
-
     include CredentialProvider
     include RefreshingCredentials
 
@@ -44,7 +48,13 @@ module Aws
     # @param [Hash] options
     # @option options [Integer] :retries (1) Number of times to retry
     #   when retrieving credentials.
-    # @option options [String] :ip_address ('169.254.169.254')
+    # @option options [String] :endpoint ('http://169.254.169.254') The IMDS
+    #   endpoint. This option has precedence over the :endpoint_mode.
+    # @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
+    #   the instance metadata service. This is either 'IPv4' ('169.254.169.254')
+    #   or 'IPv6' ('[fd00:ec2::254]').
+    # @option options [String] :ip_address ('169.254.169.254') Deprecated. Use
+    #   :endpoint instead. The IP address for the endpoint.
     # @option options [Integer] :port (80)
     # @option options [Float] :http_open_timeout (1)
     # @option options [Float] :http_read_timeout (1)
@@ -58,9 +68,14 @@ module Aws
     # @option options [Integer] :token_ttl Time-to-Live in seconds for EC2
     #   Metadata Token used for fetching Metadata Profile Credentials, defaults
     #   to 21600 seconds
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
       @retries = options[:retries] || 1
-      @ip_address = options[:ip_address] || '169.254.169.254'
+      endpoint_mode = resolve_endpoint_mode(options)
+      @endpoint = resolve_endpoint(options, endpoint_mode)
       @port = options[:port] || 80
       @http_open_timeout = options[:http_open_timeout] || 1
       @http_read_timeout = options[:http_read_timeout] || 1
@@ -68,6 +83,8 @@ module Aws
       @backoff = backoff(options[:backoff])
       @token_ttl = options[:token_ttl] || 21_600
       @token = nil
+      @no_refresh_until = nil
+      @async_refresh = false
       super
     end
 
@@ -78,6 +95,34 @@ module Aws
 
     private
 
+    def resolve_endpoint_mode(options)
+      value = options[:endpoint_mode]
+      value ||= ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE']
+      value ||= Aws.shared_config.ec2_metadata_service_endpoint_mode(
+        profile: options[:profile]
+      )
+      value || 'IPv4'
+    end
+
+    def resolve_endpoint(options, endpoint_mode)
+      value = options[:endpoint] || options[:ip_address]
+      value ||= ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT']
+      value ||= Aws.shared_config.ec2_metadata_service_endpoint(
+        profile: options[:profile]
+      )
+
+      return value if value
+
+      case endpoint_mode.downcase
+      when 'ipv4' then 'http://169.254.169.254'
+      when 'ipv6' then 'http://[fd00:ec2::254]'
+      else
+        raise ArgumentError,
+              ':endpoint_mode is not valid, expected IPv4 or IPv6, '\
+              "got: #{endpoint_mode}"
+      end
+    end
+
     def backoff(backoff)
       case backoff
       when Proc then backoff
@@ -87,18 +132,48 @@ module Aws
     end
 
     def refresh
+      if @no_refresh_until && @no_refresh_until > Time.now
+        warn_expired_credentials
+        return
+      end
+
       # Retry loading credentials up to 3 times is the instance metadata
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
       begin
         retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
           c = Aws::Json.load(get_credentials.to_s)
-          @credentials = Credentials.new(
-            c['AccessKeyId'],
-            c['SecretAccessKey'],
-            c['Token']
-          )
-          @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+          if empty_credentials?(@credentials)
+            @credentials = Credentials.new(
+              c['AccessKeyId'],
+              c['SecretAccessKey'],
+              c['Token']
+            )
+            @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+            if @expiration && @expiration < Time.now
+              @no_refresh_until = Time.now + refresh_offset
+              warn_expired_credentials
+            end
+          else
+            #  credentials are already set, update them only if the new ones are not empty
+            if !c['AccessKeyId'] || c['AccessKeyId'].empty?
+              # error getting new credentials
+              @no_refresh_until = Time.now + refresh_offset
+              warn_expired_credentials
+            else
+              @credentials = Credentials.new(
+                c['AccessKeyId'],
+                c['SecretAccessKey'],
+                c['Token']
+              )
+              @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+              if @expiration && @expiration < Time.now
+                @no_refresh_until = Time.now + refresh_offset
+                warn_expired_credentials
+              end
+            end
+          end
+
         end
       rescue Aws::Json::ParseError
         raise Aws::Errors::MetadataParserError
@@ -119,10 +194,11 @@ module Aws
               begin
                 retry_errors(NETWORK_ERRORS, max_retries: @retries) do
                   unless token_set?
+                    created_time = Time.now
                     token_value, ttl = http_put(
                       conn, METADATA_TOKEN_PATH, @token_ttl
                     )
-                    @token = Token.new(token_value, ttl) if token_value && ttl
+                    @token = Token.new(token_value, ttl, created_time) if token_value && ttl
                   end
                 end
               rescue *NETWORK_ERRORS
@@ -132,9 +208,17 @@ module Aws
               end
 
               token = @token.value if token_set?
-              metadata = http_get(conn, METADATA_PATH_BASE, token)
-              profile_name = metadata.lines.first.strip
-              http_get(conn, METADATA_PATH_BASE + profile_name, token)
+
+              begin
+                metadata = http_get(conn, METADATA_PATH_BASE, token)
+                profile_name = metadata.lines.first.strip
+                http_get(conn, METADATA_PATH_BASE + profile_name, token)
+              rescue TokenExpiredError
+                # Token has expired, reset it
+                # The next retry should fetch it
+                @token = nil
+                raise Non200Response
+              end
             end
           end
         rescue
@@ -152,7 +236,8 @@ module Aws
     end
 
     def open_connection
-      http = Net::HTTP.new(@ip_address, @port, nil)
+      uri = URI.parse(@endpoint)
+      http = Net::HTTP.new(uri.hostname || @endpoint, @port || uri.port)
       http.open_timeout = @http_open_timeout
       http.read_timeout = @http_read_timeout
       http.set_debug_output(@http_debug_output) if @http_debug_output
@@ -165,9 +250,15 @@ module Aws
       headers = { 'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}" }
       headers['x-aws-ec2-metadata-token'] = token if token
       response = connection.request(Net::HTTP::Get.new(path, headers))
-      raise Non200Response unless response.code.to_i == 200
 
-      response.body
+      case response.code.to_i
+      when 200
+        response.body
+      when 401
+        raise TokenExpiredError
+      else
+        raise Non200Response
+      end
     end
 
     # PUT request fetch token with ttl
@@ -206,13 +297,28 @@ module Aws
       end
     end
 
+    def warn_expired_credentials
+      warn("Attempting credential expiration extension due to a credential "\
+        "service availability issue. A refresh of these credentials "\
+        "will be attempted again in 5 minutes.")
+    end
+
+    def empty_credentials?(creds)
+      !creds || !creds.access_key_id || creds.access_key_id.empty?
+    end
+
+    # Compute an offset for refresh with jitter
+    def refresh_offset
+      300 + rand(0..60)
+    end
+
     # @api private
     # Token used to fetch IMDS profile and credentials
     class Token
-      def initialize(value, ttl)
+      def initialize(value, ttl, created_time = Time.now)
         @ttl = ttl
         @value = value
-        @created_time = Time.now
+        @created_time = created_time
       end
 
       # [String] token value

data/lib/aws-sdk-core/json/error_handler.rb

@@ -26,7 +26,13 @@ module Aws
       end
 
       def error_code(json, context)
-        code = json['__type']
+        code =
+          if aws_query_error?(context)
+            error = context.http_response.headers['x-amzn-query-error'].split(';')[0]
+            remove_prefix(error, context)
+          else
+            json['__type']
+          end
         code ||= json['code']
         code ||= context.http_response.headers['x-amzn-errortype']
         if code
@@ -36,6 +42,19 @@ module Aws
         end
       end
 
+      def aws_query_error?(context)
+        context.config.api.metadata['awsQueryCompatible'] &&
+          context.http_response.headers['x-amzn-query-error']
+      end
+
+      def remove_prefix(error_code, context)
+        if prefix = context.config.api.metadata['errorPrefix']
+          error_code.sub(/^#{prefix}/, '')
+        else
+          error_code
+        end
+      end
+
       def error_message(code, json)
         if code == 'RequestEntityTooLarge'
           'Request body must be less than 1 MB'

data/lib/aws-sdk-core/json/json_engine.rb

@@ -2,16 +2,18 @@
 
 module Aws
   module Json
-    class JSONEngine
+    module JSONEngine
+      class << self
+        def load(json)
+          JSON.parse(json)
+        rescue JSON::ParserError => e
+          raise ParseError.new(e)
+        end
 
-      def self.load(json)
-        JSON.load(json)
+        def dump(value)
+          JSON.dump(value)
+        end
       end
-
-      def self.dump(value)
-        JSON.dump(value)
-      end
-
     end
   end
 end