aws-sdk-core 3.114.0 → 3.180.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +617 -0
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +153 -0
- data/lib/aws-defaults/defaults_mode_config_resolver.rb +107 -0
- data/lib/aws-defaults.rb +3 -0
- data/lib/aws-sdk-core/arn.rb +13 -0
- data/lib/aws-sdk-core/assume_role_credentials.rb +21 -7
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +14 -10
- data/lib/aws-sdk-core/binary/encode_handler.rb +12 -1
- data/lib/aws-sdk-core/client_stubs.rb +5 -1
- data/lib/aws-sdk-core/credential_provider.rb +3 -0
- data/lib/aws-sdk-core/credential_provider_chain.rb +10 -6
- data/lib/aws-sdk-core/ec2_metadata.rb +27 -7
- data/lib/aws-sdk-core/ecs_credentials.rb +121 -53
- data/lib/aws-sdk-core/endpoints/condition.rb +41 -0
- data/lib/aws-sdk-core/endpoints/endpoint.rb +17 -0
- data/lib/aws-sdk-core/endpoints/endpoint_rule.rb +75 -0
- data/lib/aws-sdk-core/endpoints/error_rule.rb +42 -0
- data/lib/aws-sdk-core/endpoints/function.rb +80 -0
- data/lib/aws-sdk-core/endpoints/matchers.rb +127 -0
- data/lib/aws-sdk-core/endpoints/reference.rb +31 -0
- data/lib/aws-sdk-core/endpoints/rule.rb +25 -0
- data/lib/aws-sdk-core/endpoints/rule_set.rb +52 -0
- data/lib/aws-sdk-core/endpoints/rules_provider.rb +37 -0
- data/lib/aws-sdk-core/endpoints/templater.rb +58 -0
- data/lib/aws-sdk-core/endpoints/tree_rule.rb +45 -0
- data/lib/aws-sdk-core/endpoints/url.rb +60 -0
- data/lib/aws-sdk-core/endpoints.rb +78 -0
- data/lib/aws-sdk-core/errors.rb +18 -1
- data/lib/aws-sdk-core/ini_parser.rb +7 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +124 -18
- data/lib/aws-sdk-core/json/error_handler.rb +20 -1
- data/lib/aws-sdk-core/json/json_engine.rb +10 -8
- data/lib/aws-sdk-core/json/oj_engine.rb +33 -6
- data/lib/aws-sdk-core/json/parser.rb +8 -0
- data/lib/aws-sdk-core/json.rb +8 -26
- data/lib/aws-sdk-core/log/formatter.rb +6 -0
- data/lib/aws-sdk-core/log/param_filter.rb +9 -1
- data/lib/aws-sdk-core/pageable_response.rb +81 -26
- data/lib/aws-sdk-core/pager.rb +3 -0
- data/lib/aws-sdk-core/param_validator.rb +29 -0
- data/lib/aws-sdk-core/plugins/bearer_authorization.rb +67 -0
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +340 -0
- data/lib/aws-sdk-core/plugins/credentials_configuration.rb +27 -1
- data/lib/aws-sdk-core/plugins/defaults_mode.rb +40 -0
- data/lib/aws-sdk-core/plugins/endpoint_discovery.rb +6 -2
- data/lib/aws-sdk-core/plugins/http_checksum.rb +8 -1
- data/lib/aws-sdk-core/plugins/jsonvalue_converter.rb +34 -6
- data/lib/aws-sdk-core/plugins/protocols/api_gateway.rb +17 -0
- data/lib/aws-sdk-core/plugins/protocols/rest_json.rb +16 -1
- data/lib/aws-sdk-core/plugins/recursion_detection.rb +38 -0
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +144 -17
- data/lib/aws-sdk-core/plugins/request_compression.rb +217 -0
- data/lib/aws-sdk-core/plugins/response_paging.rb +1 -1
- data/lib/aws-sdk-core/plugins/retries/error_inspector.rb +7 -4
- data/lib/aws-sdk-core/plugins/retry_errors.rb +21 -5
- data/lib/aws-sdk-core/plugins/sign.rb +201 -0
- data/lib/aws-sdk-core/plugins/signature_v2.rb +1 -0
- data/lib/aws-sdk-core/plugins/signature_v4.rb +28 -31
- data/lib/aws-sdk-core/plugins/stub_responses.rb +5 -1
- data/lib/aws-sdk-core/plugins/user_agent.rb +117 -14
- data/lib/aws-sdk-core/process_credentials.rb +9 -11
- data/lib/aws-sdk-core/refreshing_credentials.rb +41 -16
- data/lib/aws-sdk-core/refreshing_token.rb +71 -0
- data/lib/aws-sdk-core/rest/handler.rb +1 -1
- data/lib/aws-sdk-core/rest/request/body.rb +19 -1
- data/lib/aws-sdk-core/rest/request/headers.rb +14 -6
- data/lib/aws-sdk-core/rest/response/headers.rb +3 -1
- data/lib/aws-sdk-core/shared_config.rb +127 -13
- data/lib/aws-sdk-core/shared_credentials.rb +7 -1
- data/lib/aws-sdk-core/sso_credentials.rb +92 -52
- data/lib/aws-sdk-core/sso_token_provider.rb +135 -0
- data/lib/aws-sdk-core/static_token_provider.rb +14 -0
- data/lib/aws-sdk-core/structure.rb +16 -5
- data/lib/aws-sdk-core/stubbing/protocols/json.rb +1 -1
- data/lib/aws-sdk-core/stubbing/stub_data.rb +11 -0
- data/lib/aws-sdk-core/token.rb +31 -0
- data/lib/aws-sdk-core/token_provider.rb +15 -0
- data/lib/aws-sdk-core/token_provider_chain.rb +51 -0
- data/lib/aws-sdk-core/waiters/poller.rb +3 -1
- data/lib/aws-sdk-core/xml/builder.rb +1 -1
- data/lib/aws-sdk-core/xml/error_handler.rb +7 -0
- data/lib/aws-sdk-core/xml/parser/engines/oga.rb +2 -0
- data/lib/aws-sdk-core/xml/parser/engines/ox.rb +1 -1
- data/lib/aws-sdk-core/xml/parser/engines/rexml.rb +0 -8
- data/lib/aws-sdk-core/xml/parser/frame.rb +23 -0
- data/lib/aws-sdk-core.rb +20 -0
- data/lib/aws-sdk-sso/client.rb +97 -15
- data/lib/aws-sdk-sso/endpoint_parameters.rb +66 -0
- data/lib/aws-sdk-sso/endpoint_provider.rb +51 -0
- data/lib/aws-sdk-sso/endpoints.rb +72 -0
- data/lib/aws-sdk-sso/plugins/endpoints.rb +76 -0
- data/lib/aws-sdk-sso/types.rb +8 -43
- data/lib/aws-sdk-sso.rb +5 -1
- data/lib/aws-sdk-ssooidc/client.rb +626 -0
- data/lib/aws-sdk-ssooidc/client_api.rb +216 -0
- data/lib/aws-sdk-ssooidc/customizations.rb +1 -0
- data/lib/aws-sdk-ssooidc/endpoint_parameters.rb +66 -0
- data/lib/aws-sdk-ssooidc/endpoint_provider.rb +51 -0
- data/lib/aws-sdk-ssooidc/endpoints.rb +58 -0
- data/lib/aws-sdk-ssooidc/errors.rb +290 -0
- data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +74 -0
- data/lib/aws-sdk-ssooidc/resource.rb +26 -0
- data/lib/aws-sdk-ssooidc/types.rb +502 -0
- data/lib/aws-sdk-ssooidc.rb +59 -0
- data/lib/aws-sdk-sts/client.rb +535 -472
- data/lib/aws-sdk-sts/client_api.rb +10 -0
- data/lib/aws-sdk-sts/endpoint_parameters.rb +78 -0
- data/lib/aws-sdk-sts/endpoint_provider.rb +112 -0
- data/lib/aws-sdk-sts/endpoints.rb +136 -0
- data/lib/aws-sdk-sts/plugins/endpoints.rb +84 -0
- data/lib/aws-sdk-sts/plugins/sts_regional_endpoints.rb +5 -1
- data/lib/aws-sdk-sts/presigner.rb +13 -9
- data/lib/aws-sdk-sts/types.rb +248 -313
- data/lib/aws-sdk-sts.rb +5 -1
- data/lib/seahorse/client/async_base.rb +0 -1
- data/lib/seahorse/client/configuration.rb +5 -5
- data/lib/seahorse/client/h2/connection.rb +26 -22
- data/lib/seahorse/client/h2/handler.rb +4 -5
- data/lib/seahorse/client/net_http/connection_pool.rb +7 -0
- data/lib/seahorse/client/net_http/handler.rb +15 -7
- data/lib/seahorse/client/net_http/patches.rb +13 -84
- data/lib/seahorse/client/plugins/content_length.rb +11 -5
- data/lib/seahorse/client/plugins/net_http.rb +33 -2
- data/lib/seahorse/client/plugins/request_callback.rb +9 -9
- data/lib/seahorse/client/response.rb +6 -0
- data/lib/seahorse/model/operation.rb +6 -0
- data/lib/seahorse/model/shapes.rb +25 -0
- data/lib/seahorse/util.rb +4 -0
- metadata +64 -12
- data/lib/aws-sdk-sso/plugins/content_type.rb +0 -25
@@ -0,0 +1,52 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Aws
|
4
|
+
module Endpoints
|
5
|
+
# This class is deprecated. It is used by the Runtime endpoint
|
6
|
+
# resolution approach. It has been replaced by a code generated
|
7
|
+
# approach in each service gem. It can be removed in a new
|
8
|
+
# major version. It has to exist because
|
9
|
+
# old service gems can use a new core version.
|
10
|
+
# @api private
|
11
|
+
class RuleSet
|
12
|
+
def initialize(version:, service_id:, parameters:, rules:)
|
13
|
+
@version = version
|
14
|
+
@service_id = service_id
|
15
|
+
@parameters = parameters
|
16
|
+
@rules = RuleSet.rules_from_json(rules || [])
|
17
|
+
end
|
18
|
+
|
19
|
+
attr_reader :version
|
20
|
+
attr_reader :service_id
|
21
|
+
attr_reader :parameters
|
22
|
+
attr_reader :rules
|
23
|
+
|
24
|
+
def self.rules_from_json(rules_json)
|
25
|
+
rules_json.each.with_object([]) do |rule, rules|
|
26
|
+
if rule['type'] == 'endpoint'
|
27
|
+
rules << EndpointRule.new(
|
28
|
+
conditions: rule['conditions'],
|
29
|
+
endpoint: rule['endpoint'],
|
30
|
+
documentation: rule['documentation']
|
31
|
+
)
|
32
|
+
elsif rule['type'] == 'error'
|
33
|
+
rules << ErrorRule.new(
|
34
|
+
conditions: rule['conditions'],
|
35
|
+
error: rule['error'],
|
36
|
+
documentation: rule['documentation']
|
37
|
+
)
|
38
|
+
elsif rule['type'] == 'tree'
|
39
|
+
rules << TreeRule.new(
|
40
|
+
conditions: rule['conditions'],
|
41
|
+
rules: rule['rules'],
|
42
|
+
documentation: rule['documentation']
|
43
|
+
)
|
44
|
+
else
|
45
|
+
# should not happen
|
46
|
+
raise "Unknown endpoint rule type: #{rule}"
|
47
|
+
end
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
@@ -0,0 +1,37 @@
|
|
1
|
+
module Aws
|
2
|
+
module Endpoints
|
3
|
+
# This class is deprecated. It is used by the Runtime endpoint
|
4
|
+
# resolution approach. It has been replaced by a code generated
|
5
|
+
# approach in each service gem. It can be removed in a new
|
6
|
+
# major version. It has to exist because
|
7
|
+
# old service gems can use a new core version.
|
8
|
+
# @api private
|
9
|
+
class RulesProvider
|
10
|
+
def initialize(rule_set)
|
11
|
+
@rule_set = rule_set
|
12
|
+
end
|
13
|
+
|
14
|
+
def resolve_endpoint(parameters)
|
15
|
+
obj = resolve_rules(parameters)
|
16
|
+
case obj
|
17
|
+
when Endpoint
|
18
|
+
obj
|
19
|
+
when ArgumentError
|
20
|
+
raise obj
|
21
|
+
else
|
22
|
+
raise ArgumentError, 'No endpoint could be resolved'
|
23
|
+
end
|
24
|
+
end
|
25
|
+
|
26
|
+
private
|
27
|
+
|
28
|
+
def resolve_rules(parameters)
|
29
|
+
@rule_set.rules.each do |rule|
|
30
|
+
output = rule.match(parameters)
|
31
|
+
return output if output
|
32
|
+
end
|
33
|
+
nil
|
34
|
+
end
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
@@ -0,0 +1,58 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Aws
|
4
|
+
module Endpoints
|
5
|
+
# Does substitutions for templated endpoint strings
|
6
|
+
|
7
|
+
# This class is deprecated. It is used by the Runtime endpoint
|
8
|
+
# resolution approach. It has been replaced by a code generated
|
9
|
+
# approach in each service gem. It can be removed in a new
|
10
|
+
# major version. It has to exist because
|
11
|
+
# old service gems can use a new core version.
|
12
|
+
# @api private
|
13
|
+
module Templater
|
14
|
+
class << self
|
15
|
+
def resolve(string, parameters, assigns)
|
16
|
+
# scans for strings in curly brackets {}
|
17
|
+
string.scan(/\{.+?\}/).each do |capture|
|
18
|
+
value = capture[1..-2] # strips curly brackets
|
19
|
+
string = string.gsub(capture, replace(value, parameters, assigns))
|
20
|
+
end
|
21
|
+
string
|
22
|
+
end
|
23
|
+
|
24
|
+
private
|
25
|
+
|
26
|
+
# Replaces the captured value with values from parameters or assign
|
27
|
+
def replace(capture, parameters, assigns)
|
28
|
+
# Pound sigil is used for getAttr calls
|
29
|
+
indexes = capture.split('#')
|
30
|
+
|
31
|
+
# no sigil found, just do substitution
|
32
|
+
if indexes.size == 1
|
33
|
+
extract_value(capture, parameters, assigns)
|
34
|
+
# sigil was found, need to call getAttr
|
35
|
+
elsif indexes.size == 2
|
36
|
+
ref, property = indexes
|
37
|
+
param = extract_value(ref, parameters, assigns)
|
38
|
+
Matchers.attr(param, property)
|
39
|
+
else
|
40
|
+
raise "Invalid templatable value: #{capture}"
|
41
|
+
end
|
42
|
+
end
|
43
|
+
|
44
|
+
# Checks both parameters and assigns hash for the referenced value
|
45
|
+
def extract_value(key, parameters, assigns)
|
46
|
+
if assigns.key?(key)
|
47
|
+
assigns[key]
|
48
|
+
elsif parameters.class.singleton_class::PARAM_MAP.key?(key)
|
49
|
+
member_name = parameters.class.singleton_class::PARAM_MAP[key]
|
50
|
+
parameters[member_name]
|
51
|
+
else
|
52
|
+
raise "Templatable value not found: #{key}"
|
53
|
+
end
|
54
|
+
end
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
58
|
+
end
|
@@ -0,0 +1,45 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Aws
|
4
|
+
module Endpoints
|
5
|
+
# This class is deprecated. It is used by the Runtime endpoint
|
6
|
+
# resolution approach. It has been replaced by a code generated
|
7
|
+
# approach in each service gem. It can be removed in a new
|
8
|
+
# major version. It has to exist because
|
9
|
+
# old service gems can use a new core version.
|
10
|
+
# @api private
|
11
|
+
class TreeRule
|
12
|
+
def initialize(type: 'tree', conditions:, rules:, documentation: nil)
|
13
|
+
@type = type
|
14
|
+
@conditions = Condition.from_json(conditions)
|
15
|
+
@rules = RuleSet.rules_from_json(rules)
|
16
|
+
@documentation = documentation
|
17
|
+
end
|
18
|
+
|
19
|
+
attr_reader :type
|
20
|
+
attr_reader :conditions
|
21
|
+
attr_reader :error
|
22
|
+
attr_reader :documentation
|
23
|
+
|
24
|
+
def match(parameters, assigned = {})
|
25
|
+
assigns = assigned.dup
|
26
|
+
matched = conditions.all? do |condition|
|
27
|
+
output = condition.match?(parameters, assigns)
|
28
|
+
assigns = assigns.merge(condition.assigned) if condition.assign
|
29
|
+
output
|
30
|
+
end
|
31
|
+
resolve_rules(parameters, assigns) if matched
|
32
|
+
end
|
33
|
+
|
34
|
+
private
|
35
|
+
|
36
|
+
def resolve_rules(parameters, assigns)
|
37
|
+
@rules.each do |rule|
|
38
|
+
output = rule.match(parameters, assigns)
|
39
|
+
return output if output
|
40
|
+
end
|
41
|
+
nil
|
42
|
+
end
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
@@ -0,0 +1,60 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'ipaddr'
|
4
|
+
|
5
|
+
module Aws
|
6
|
+
module Endpoints
|
7
|
+
|
8
|
+
# @api private
|
9
|
+
class URL
|
10
|
+
def initialize(url)
|
11
|
+
uri = URI(url)
|
12
|
+
@scheme = uri.scheme
|
13
|
+
# only support http and https schemes
|
14
|
+
raise ArgumentError unless %w[https http].include?(@scheme)
|
15
|
+
|
16
|
+
# do not support query
|
17
|
+
raise ArgumentError if uri.query
|
18
|
+
|
19
|
+
@authority = _authority(url, uri)
|
20
|
+
@path = uri.path
|
21
|
+
@normalized_path = uri.path + (uri.path[-1] == '/' ? '' : '/')
|
22
|
+
@is_ip = _is_ip(uri.host)
|
23
|
+
end
|
24
|
+
|
25
|
+
attr_reader :scheme
|
26
|
+
attr_reader :authority
|
27
|
+
attr_reader :path
|
28
|
+
attr_reader :normalized_path
|
29
|
+
attr_reader :is_ip
|
30
|
+
|
31
|
+
def as_json(_options = {})
|
32
|
+
{
|
33
|
+
'scheme' => scheme,
|
34
|
+
'authority' => authority,
|
35
|
+
'path' => path,
|
36
|
+
'normalizedPath' => normalized_path,
|
37
|
+
'isIp' => is_ip
|
38
|
+
}
|
39
|
+
end
|
40
|
+
|
41
|
+
private
|
42
|
+
|
43
|
+
def _authority(url, uri)
|
44
|
+
# don't include port if it's default and not parsed originally
|
45
|
+
if uri.default_port == uri.port && !url.include?(":#{uri.port}")
|
46
|
+
uri.host
|
47
|
+
else
|
48
|
+
"#{uri.host}:#{uri.port}"
|
49
|
+
end
|
50
|
+
end
|
51
|
+
|
52
|
+
def _is_ip(authority)
|
53
|
+
IPAddr.new(authority)
|
54
|
+
true
|
55
|
+
rescue IPAddr::InvalidAddressError
|
56
|
+
false
|
57
|
+
end
|
58
|
+
end
|
59
|
+
end
|
60
|
+
end
|
@@ -0,0 +1,78 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require_relative 'endpoints/rule'
|
4
|
+
require_relative 'endpoints/condition'
|
5
|
+
require_relative 'endpoints/endpoint_rule'
|
6
|
+
require_relative 'endpoints/endpoint'
|
7
|
+
require_relative 'endpoints/error_rule'
|
8
|
+
require_relative 'endpoints/function'
|
9
|
+
require_relative 'endpoints/matchers'
|
10
|
+
require_relative 'endpoints/reference'
|
11
|
+
require_relative 'endpoints/rules_provider'
|
12
|
+
require_relative 'endpoints/rule_set'
|
13
|
+
require_relative 'endpoints/templater'
|
14
|
+
require_relative 'endpoints/tree_rule'
|
15
|
+
require_relative 'endpoints/url'
|
16
|
+
|
17
|
+
module Aws
|
18
|
+
# @api private
|
19
|
+
module Endpoints
|
20
|
+
class << self
|
21
|
+
def resolve_auth_scheme(context, endpoint)
|
22
|
+
if endpoint && (auth_schemes = endpoint.properties['authSchemes'])
|
23
|
+
auth_scheme = auth_schemes.find do |scheme|
|
24
|
+
Aws::Plugins::Sign::SUPPORTED_AUTH_TYPES.include?(scheme['name'])
|
25
|
+
end
|
26
|
+
raise 'No supported auth scheme for this endpoint.' unless auth_scheme
|
27
|
+
|
28
|
+
merge_signing_defaults(auth_scheme, context.config)
|
29
|
+
else
|
30
|
+
default_auth_scheme(context)
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
private
|
35
|
+
|
36
|
+
def default_auth_scheme(context)
|
37
|
+
case default_api_authtype(context)
|
38
|
+
when 'v4', 'v4-unsigned-body'
|
39
|
+
auth_scheme = { 'name' => 'sigv4' }
|
40
|
+
merge_signing_defaults(auth_scheme, context.config)
|
41
|
+
when 's3', 's3v4'
|
42
|
+
auth_scheme = {
|
43
|
+
'name' => 'sigv4',
|
44
|
+
'disableDoubleEncoding' => true,
|
45
|
+
'disableNormalizePath' => true
|
46
|
+
}
|
47
|
+
merge_signing_defaults(auth_scheme, context.config)
|
48
|
+
when 'bearer'
|
49
|
+
{ 'name' => 'bearer' }
|
50
|
+
when 'none', nil
|
51
|
+
{ 'name' => 'none' }
|
52
|
+
end
|
53
|
+
end
|
54
|
+
|
55
|
+
def merge_signing_defaults(auth_scheme, config)
|
56
|
+
if %w[sigv4 sigv4a].include?(auth_scheme['name'])
|
57
|
+
auth_scheme['signingName'] ||= sigv4_name(config)
|
58
|
+
if auth_scheme['name'] == 'sigv4a'
|
59
|
+
auth_scheme['signingRegionSet'] ||= ['*']
|
60
|
+
else
|
61
|
+
auth_scheme['signingRegion'] ||= config.region
|
62
|
+
end
|
63
|
+
end
|
64
|
+
auth_scheme
|
65
|
+
end
|
66
|
+
|
67
|
+
def default_api_authtype(context)
|
68
|
+
context.config.api.operation(context.operation_name)['authtype'] ||
|
69
|
+
context.config.api.metadata['signatureVersion']
|
70
|
+
end
|
71
|
+
|
72
|
+
def sigv4_name(config)
|
73
|
+
config.api.metadata['signingName'] ||
|
74
|
+
config.api.metadata['endpointPrefix']
|
75
|
+
end
|
76
|
+
end
|
77
|
+
end
|
78
|
+
end
|
data/lib/aws-sdk-core/errors.rb
CHANGED
@@ -18,7 +18,7 @@ module Aws
|
|
18
18
|
@code = self.class.code
|
19
19
|
@context = context
|
20
20
|
@data = data
|
21
|
-
@message = message && !message.empty? ? message : self.class
|
21
|
+
@message = message && !message.empty? ? message : self.class.to_s
|
22
22
|
super(@message)
|
23
23
|
end
|
24
24
|
|
@@ -210,6 +210,23 @@ module Aws
|
|
210
210
|
# Raised when SSO Credentials are invalid
|
211
211
|
class InvalidSSOCredentials < RuntimeError; end
|
212
212
|
|
213
|
+
# Raised when SSO Token is invalid
|
214
|
+
class InvalidSSOToken < RuntimeError; end
|
215
|
+
|
216
|
+
# Raised when a client is unable to sign a request because
|
217
|
+
# the bearer token is not configured or available
|
218
|
+
class MissingBearerTokenError < RuntimeError
|
219
|
+
def initialize(*args)
|
220
|
+
msg = 'unable to sign request without token set'
|
221
|
+
super(msg)
|
222
|
+
end
|
223
|
+
end
|
224
|
+
|
225
|
+
|
226
|
+
# Raised when there is a circular reference in chained
|
227
|
+
# source_profiles
|
228
|
+
class SourceProfileCircularReferenceError < RuntimeError; end
|
229
|
+
|
213
230
|
# Raised when a client is constructed and region is not specified.
|
214
231
|
class MissingRegionError < ArgumentError
|
215
232
|
def initialize(*args)
|
@@ -8,6 +8,8 @@ module Aws
|
|
8
8
|
def ini_parse(raw)
|
9
9
|
current_profile = nil
|
10
10
|
current_prefix = nil
|
11
|
+
item = nil
|
12
|
+
previous_item = nil
|
11
13
|
raw.lines.inject({}) do |acc, line|
|
12
14
|
line = line.split(/^|\s;/).first # remove comments
|
13
15
|
profile = line.match(/^\[([^\[\]]+)\]\s*(#.+)?$/) unless line.nil?
|
@@ -17,11 +19,16 @@ module Aws
|
|
17
19
|
current_profile = named_profile[1] if named_profile
|
18
20
|
elsif current_profile
|
19
21
|
unless line.nil?
|
22
|
+
previous_item = item
|
20
23
|
item = line.match(/^(.+?)\s*=\s*(.+?)\s*$/)
|
21
24
|
prefix = line.match(/^(.+?)\s*=\s*$/)
|
22
25
|
end
|
23
26
|
if item && item[1].match(/^\s+/)
|
24
27
|
# Need to add lines to a nested configuration.
|
28
|
+
if current_prefix.nil? && previous_item[2].strip.empty?
|
29
|
+
current_prefix = previous_item[1]
|
30
|
+
acc[current_profile][current_prefix] = {}
|
31
|
+
end
|
25
32
|
inner_item = line.match(/^\s*(.+?)\s*=\s*(.+?)\s*$/)
|
26
33
|
acc[current_profile] ||= {}
|
27
34
|
acc[current_profile][current_prefix] ||= {}
|
@@ -4,8 +4,12 @@ require 'time'
|
|
4
4
|
require 'net/http'
|
5
5
|
|
6
6
|
module Aws
|
7
|
+
# An auto-refreshing credential provider that loads credentials from
|
8
|
+
# EC2 instances.
|
9
|
+
#
|
10
|
+
# instance_credentials = Aws::InstanceProfileCredentials.new
|
11
|
+
# ec2 = Aws::EC2::Client.new(credentials: instance_credentials)
|
7
12
|
class InstanceProfileCredentials
|
8
|
-
|
9
13
|
include CredentialProvider
|
10
14
|
include RefreshingCredentials
|
11
15
|
|
@@ -44,7 +48,13 @@ module Aws
|
|
44
48
|
# @param [Hash] options
|
45
49
|
# @option options [Integer] :retries (1) Number of times to retry
|
46
50
|
# when retrieving credentials.
|
47
|
-
# @option options [String] :
|
51
|
+
# @option options [String] :endpoint ('http://169.254.169.254') The IMDS
|
52
|
+
# endpoint. This option has precedence over the :endpoint_mode.
|
53
|
+
# @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
|
54
|
+
# the instance metadata service. This is either 'IPv4' ('169.254.169.254')
|
55
|
+
# or 'IPv6' ('[fd00:ec2::254]').
|
56
|
+
# @option options [String] :ip_address ('169.254.169.254') Deprecated. Use
|
57
|
+
# :endpoint instead. The IP address for the endpoint.
|
48
58
|
# @option options [Integer] :port (80)
|
49
59
|
# @option options [Float] :http_open_timeout (1)
|
50
60
|
# @option options [Float] :http_read_timeout (1)
|
@@ -58,9 +68,14 @@ module Aws
|
|
58
68
|
# @option options [Integer] :token_ttl Time-to-Live in seconds for EC2
|
59
69
|
# Metadata Token used for fetching Metadata Profile Credentials, defaults
|
60
70
|
# to 21600 seconds
|
71
|
+
# @option options [Callable] before_refresh Proc called before
|
72
|
+
# credentials are refreshed. `before_refresh` is called
|
73
|
+
# with an instance of this object when
|
74
|
+
# AWS credentials are required and need to be refreshed.
|
61
75
|
def initialize(options = {})
|
62
76
|
@retries = options[:retries] || 1
|
63
|
-
|
77
|
+
endpoint_mode = resolve_endpoint_mode(options)
|
78
|
+
@endpoint = resolve_endpoint(options, endpoint_mode)
|
64
79
|
@port = options[:port] || 80
|
65
80
|
@http_open_timeout = options[:http_open_timeout] || 1
|
66
81
|
@http_read_timeout = options[:http_read_timeout] || 1
|
@@ -68,6 +83,8 @@ module Aws
|
|
68
83
|
@backoff = backoff(options[:backoff])
|
69
84
|
@token_ttl = options[:token_ttl] || 21_600
|
70
85
|
@token = nil
|
86
|
+
@no_refresh_until = nil
|
87
|
+
@async_refresh = false
|
71
88
|
super
|
72
89
|
end
|
73
90
|
|
@@ -78,6 +95,34 @@ module Aws
|
|
78
95
|
|
79
96
|
private
|
80
97
|
|
98
|
+
def resolve_endpoint_mode(options)
|
99
|
+
value = options[:endpoint_mode]
|
100
|
+
value ||= ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE']
|
101
|
+
value ||= Aws.shared_config.ec2_metadata_service_endpoint_mode(
|
102
|
+
profile: options[:profile]
|
103
|
+
)
|
104
|
+
value || 'IPv4'
|
105
|
+
end
|
106
|
+
|
107
|
+
def resolve_endpoint(options, endpoint_mode)
|
108
|
+
value = options[:endpoint] || options[:ip_address]
|
109
|
+
value ||= ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT']
|
110
|
+
value ||= Aws.shared_config.ec2_metadata_service_endpoint(
|
111
|
+
profile: options[:profile]
|
112
|
+
)
|
113
|
+
|
114
|
+
return value if value
|
115
|
+
|
116
|
+
case endpoint_mode.downcase
|
117
|
+
when 'ipv4' then 'http://169.254.169.254'
|
118
|
+
when 'ipv6' then 'http://[fd00:ec2::254]'
|
119
|
+
else
|
120
|
+
raise ArgumentError,
|
121
|
+
':endpoint_mode is not valid, expected IPv4 or IPv6, '\
|
122
|
+
"got: #{endpoint_mode}"
|
123
|
+
end
|
124
|
+
end
|
125
|
+
|
81
126
|
def backoff(backoff)
|
82
127
|
case backoff
|
83
128
|
when Proc then backoff
|
@@ -87,18 +132,48 @@ module Aws
|
|
87
132
|
end
|
88
133
|
|
89
134
|
def refresh
|
135
|
+
if @no_refresh_until && @no_refresh_until > Time.now
|
136
|
+
warn_expired_credentials
|
137
|
+
return
|
138
|
+
end
|
139
|
+
|
90
140
|
# Retry loading credentials up to 3 times is the instance metadata
|
91
141
|
# service is responding but is returning invalid JSON documents
|
92
142
|
# in response to the GET profile credentials call.
|
93
143
|
begin
|
94
144
|
retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
|
95
145
|
c = Aws::Json.load(get_credentials.to_s)
|
96
|
-
@credentials
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
146
|
+
if empty_credentials?(@credentials)
|
147
|
+
@credentials = Credentials.new(
|
148
|
+
c['AccessKeyId'],
|
149
|
+
c['SecretAccessKey'],
|
150
|
+
c['Token']
|
151
|
+
)
|
152
|
+
@expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
|
153
|
+
if @expiration && @expiration < Time.now
|
154
|
+
@no_refresh_until = Time.now + refresh_offset
|
155
|
+
warn_expired_credentials
|
156
|
+
end
|
157
|
+
else
|
158
|
+
# credentials are already set, update them only if the new ones are not empty
|
159
|
+
if !c['AccessKeyId'] || c['AccessKeyId'].empty?
|
160
|
+
# error getting new credentials
|
161
|
+
@no_refresh_until = Time.now + refresh_offset
|
162
|
+
warn_expired_credentials
|
163
|
+
else
|
164
|
+
@credentials = Credentials.new(
|
165
|
+
c['AccessKeyId'],
|
166
|
+
c['SecretAccessKey'],
|
167
|
+
c['Token']
|
168
|
+
)
|
169
|
+
@expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
|
170
|
+
if @expiration && @expiration < Time.now
|
171
|
+
@no_refresh_until = Time.now + refresh_offset
|
172
|
+
warn_expired_credentials
|
173
|
+
end
|
174
|
+
end
|
175
|
+
end
|
176
|
+
|
102
177
|
end
|
103
178
|
rescue Aws::Json::ParseError
|
104
179
|
raise Aws::Errors::MetadataParserError
|
@@ -119,10 +194,11 @@ module Aws
|
|
119
194
|
begin
|
120
195
|
retry_errors(NETWORK_ERRORS, max_retries: @retries) do
|
121
196
|
unless token_set?
|
197
|
+
created_time = Time.now
|
122
198
|
token_value, ttl = http_put(
|
123
199
|
conn, METADATA_TOKEN_PATH, @token_ttl
|
124
200
|
)
|
125
|
-
@token = Token.new(token_value, ttl) if token_value && ttl
|
201
|
+
@token = Token.new(token_value, ttl, created_time) if token_value && ttl
|
126
202
|
end
|
127
203
|
end
|
128
204
|
rescue *NETWORK_ERRORS
|
@@ -132,9 +208,17 @@ module Aws
|
|
132
208
|
end
|
133
209
|
|
134
210
|
token = @token.value if token_set?
|
135
|
-
|
136
|
-
|
137
|
-
|
211
|
+
|
212
|
+
begin
|
213
|
+
metadata = http_get(conn, METADATA_PATH_BASE, token)
|
214
|
+
profile_name = metadata.lines.first.strip
|
215
|
+
http_get(conn, METADATA_PATH_BASE + profile_name, token)
|
216
|
+
rescue TokenExpiredError
|
217
|
+
# Token has expired, reset it
|
218
|
+
# The next retry should fetch it
|
219
|
+
@token = nil
|
220
|
+
raise Non200Response
|
221
|
+
end
|
138
222
|
end
|
139
223
|
end
|
140
224
|
rescue
|
@@ -152,7 +236,8 @@ module Aws
|
|
152
236
|
end
|
153
237
|
|
154
238
|
def open_connection
|
155
|
-
|
239
|
+
uri = URI.parse(@endpoint)
|
240
|
+
http = Net::HTTP.new(uri.hostname || @endpoint, @port || uri.port)
|
156
241
|
http.open_timeout = @http_open_timeout
|
157
242
|
http.read_timeout = @http_read_timeout
|
158
243
|
http.set_debug_output(@http_debug_output) if @http_debug_output
|
@@ -165,9 +250,15 @@ module Aws
|
|
165
250
|
headers = { 'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}" }
|
166
251
|
headers['x-aws-ec2-metadata-token'] = token if token
|
167
252
|
response = connection.request(Net::HTTP::Get.new(path, headers))
|
168
|
-
raise Non200Response unless response.code.to_i == 200
|
169
253
|
|
170
|
-
response.
|
254
|
+
case response.code.to_i
|
255
|
+
when 200
|
256
|
+
response.body
|
257
|
+
when 401
|
258
|
+
raise TokenExpiredError
|
259
|
+
else
|
260
|
+
raise Non200Response
|
261
|
+
end
|
171
262
|
end
|
172
263
|
|
173
264
|
# PUT request fetch token with ttl
|
@@ -206,13 +297,28 @@ module Aws
|
|
206
297
|
end
|
207
298
|
end
|
208
299
|
|
300
|
+
def warn_expired_credentials
|
301
|
+
warn("Attempting credential expiration extension due to a credential "\
|
302
|
+
"service availability issue. A refresh of these credentials "\
|
303
|
+
"will be attempted again in 5 minutes.")
|
304
|
+
end
|
305
|
+
|
306
|
+
def empty_credentials?(creds)
|
307
|
+
!creds || !creds.access_key_id || creds.access_key_id.empty?
|
308
|
+
end
|
309
|
+
|
310
|
+
# Compute an offset for refresh with jitter
|
311
|
+
def refresh_offset
|
312
|
+
300 + rand(0..60)
|
313
|
+
end
|
314
|
+
|
209
315
|
# @api private
|
210
316
|
# Token used to fetch IMDS profile and credentials
|
211
317
|
class Token
|
212
|
-
def initialize(value, ttl)
|
318
|
+
def initialize(value, ttl, created_time = Time.now)
|
213
319
|
@ttl = ttl
|
214
320
|
@value = value
|
215
|
-
@created_time =
|
321
|
+
@created_time = created_time
|
216
322
|
end
|
217
323
|
|
218
324
|
# [String] token value
|
@@ -26,7 +26,13 @@ module Aws
|
|
26
26
|
end
|
27
27
|
|
28
28
|
def error_code(json, context)
|
29
|
-
code =
|
29
|
+
code =
|
30
|
+
if aws_query_error?(context)
|
31
|
+
error = context.http_response.headers['x-amzn-query-error'].split(';')[0]
|
32
|
+
remove_prefix(error, context)
|
33
|
+
else
|
34
|
+
json['__type']
|
35
|
+
end
|
30
36
|
code ||= json['code']
|
31
37
|
code ||= context.http_response.headers['x-amzn-errortype']
|
32
38
|
if code
|
@@ -36,6 +42,19 @@ module Aws
|
|
36
42
|
end
|
37
43
|
end
|
38
44
|
|
45
|
+
def aws_query_error?(context)
|
46
|
+
context.config.api.metadata['awsQueryCompatible'] &&
|
47
|
+
context.http_response.headers['x-amzn-query-error']
|
48
|
+
end
|
49
|
+
|
50
|
+
def remove_prefix(error_code, context)
|
51
|
+
if prefix = context.config.api.metadata['errorPrefix']
|
52
|
+
error_code.sub(/^#{prefix}/, '')
|
53
|
+
else
|
54
|
+
error_code
|
55
|
+
end
|
56
|
+
end
|
57
|
+
|
39
58
|
def error_message(code, json)
|
40
59
|
if code == 'RequestEntityTooLarge'
|
41
60
|
'Request body must be less than 1 MB'
|
@@ -2,16 +2,18 @@
|
|
2
2
|
|
3
3
|
module Aws
|
4
4
|
module Json
|
5
|
-
|
5
|
+
module JSONEngine
|
6
|
+
class << self
|
7
|
+
def load(json)
|
8
|
+
JSON.parse(json)
|
9
|
+
rescue JSON::ParserError => e
|
10
|
+
raise ParseError.new(e)
|
11
|
+
end
|
6
12
|
|
7
|
-
|
8
|
-
|
13
|
+
def dump(value)
|
14
|
+
JSON.dump(value)
|
15
|
+
end
|
9
16
|
end
|
10
|
-
|
11
|
-
def self.dump(value)
|
12
|
-
JSON.dump(value)
|
13
|
-
end
|
14
|
-
|
15
17
|
end
|
16
18
|
end
|
17
19
|
end
|