aws-sdk-core 3.121.1 → 3.174.0

data/lib/aws-sdk-core/plugins/checksum_algorithm.rb

@@ -0,0 +1,340 @@
+# frozen_string_literal: true
+
+module Aws
+  module Plugins
+    # @api private
+    class ChecksumAlgorithm < Seahorse::Client::Plugin
+      CHUNK_SIZE = 1 * 1024 * 1024 # one MB
+
+      # determine the set of supported client side checksum algorithms
+      # CRC32c requires aws-crt (optional sdk dependency) for support
+      CLIENT_ALGORITHMS = begin
+        supported = %w[SHA256 SHA1 CRC32]
+        begin
+          require 'aws-crt'
+          supported << 'CRC32C'
+        rescue LoadError
+        end
+        supported
+      end.freeze
+
+      # priority order of checksum algorithms to validate responses against
+      # Remove any algorithms not supported by client (ie, depending on CRT availability)
+      CHECKSUM_ALGORITHM_PRIORITIES = %w[CRC32C SHA1 CRC32 SHA256] & CLIENT_ALGORITHMS
+
+      # byte size of checksums, used in computing the trailer length
+      CHECKSUM_SIZE = {
+        'CRC32' => 16,
+        'CRC32C' => 16,
+        'SHA1' => 36,
+        'SHA256' => 52
+      }
+
+      # Interface for computing digests on request/response bodies
+      # which may be files, strings or IO like objects
+      # Applies only to digest functions that produce 32 bit integer checksums
+      # (eg CRC32)
+      class Digest32
+
+        attr_reader :value
+
+        # @param [Object] digest_fn
+        def initialize(digest_fn)
+          @digest_fn = digest_fn
+          @value = 0
+        end
+
+        def update(chunk)
+          @value = @digest_fn.call(chunk, @value)
+        end
+
+        def base64digest
+          Base64.encode64([@value].pack('N')).chomp
+        end
+      end
+
+      def add_handlers(handlers, _config)
+        handlers.add(OptionHandler, step: :initialize)
+        # priority set low to ensure checksum is computed AFTER the request is
+        # built but before it is signed
+        handlers.add(ChecksumHandler, priority: 15, step: :build)
+      end
+
+      private
+
+      def self.request_algorithm_selection(context)
+        return unless context.operation.http_checksum
+
+        input_member = context.operation.http_checksum['requestAlgorithmMember']
+        context.params[input_member.to_sym]&.upcase if input_member
+      end
+
+      def self.request_validation_mode(context)
+        return unless context.operation.http_checksum
+
+        input_member = context.operation.http_checksum['requestValidationModeMember']
+        context.params[input_member.to_sym] if input_member
+      end
+
+      def self.operation_response_algorithms(context)
+        return unless context.operation.http_checksum
+
+        context.operation.http_checksum['responseAlgorithms']
+      end
+
+
+      # @api private
+      class OptionHandler < Seahorse::Client::Handler
+        def call(context)
+          context[:http_checksum] ||= {}
+
+          # validate request configuration
+          if (request_input = ChecksumAlgorithm.request_algorithm_selection(context))
+            unless CLIENT_ALGORITHMS.include? request_input
+              if (request_input == 'CRC32C')
+                raise ArgumentError, "CRC32C requires crt support - install the aws-crt gem for support."
+              else
+                raise ArgumentError, "#{request_input} is not a supported checksum algorithm."
+              end
+            end
+          end
+
+        # validate response configuration
+          if (ChecksumAlgorithm.request_validation_mode(context))
+            # Compute an ordered list as the union between priority supported and the
+            # operation's modeled response algorithms.
+            validation_list = CHECKSUM_ALGORITHM_PRIORITIES &
+              ChecksumAlgorithm.operation_response_algorithms(context)
+            context[:http_checksum][:validation_list] = validation_list
+          end
+
+          @handler.call(context)
+        end
+      end
+
+      # @api private
+      class ChecksumHandler < Seahorse::Client::Handler
+
+        def call(context)
+          if should_calculate_request_checksum?(context)
+            request_algorithm_input = ChecksumAlgorithm.request_algorithm_selection(context)
+            context[:checksum_algorithms] = request_algorithm_input
+
+            request_checksum_property = {
+              'algorithm' => request_algorithm_input,
+              'in' => checksum_request_in(context),
+              'name' => "x-amz-checksum-#{request_algorithm_input.downcase}"
+            }
+
+            calculate_request_checksum(context, request_checksum_property)
+          end
+
+          if should_verify_response_checksum?(context)
+            add_verify_response_checksum_handlers(context)
+          end
+
+          @handler.call(context)
+        end
+
+        private
+
+        def should_calculate_request_checksum?(context)
+          context.operation.http_checksum &&
+            ChecksumAlgorithm.request_algorithm_selection(context)
+        end
+
+        def should_verify_response_checksum?(context)
+          context[:http_checksum][:validation_list] && !context[:http_checksum][:validation_list].empty?
+        end
+
+        def calculate_request_checksum(context, checksum_properties)
+          case checksum_properties['in']
+          when 'header'
+            header_name = checksum_properties['name']
+            body = context.http_request.body_contents
+            if body
+              context.http_request.headers[header_name] ||=
+                ChecksumAlgorithm.calculate_checksum(checksum_properties['algorithm'], body)
+            end
+          when 'trailer'
+            apply_request_trailer_checksum(context, checksum_properties)
+          end
+        end
+
+        def apply_request_trailer_checksum(context, checksum_properties)
+          location_name = checksum_properties['name']
+
+          # set required headers
+          headers = context.http_request.headers
+          headers['Content-Encoding'] = 'aws-chunked'
+          headers['X-Amz-Content-Sha256'] = 'STREAMING-UNSIGNED-PAYLOAD-TRAILER'
+          headers['X-Amz-Trailer'] = location_name
+
+          # We currently always compute the size in the modified body wrapper - allowing us
+          # to set the Content-Length header (set by content_length plugin).
+          # This means we cannot use Transfer-Encoding=chunked
+
+          if !context.http_request.body.respond_to?(:size)
+            raise Aws::Errors::ChecksumError, 'Could not determine length of the body'
+          end
+          headers['X-Amz-Decoded-Content-Length'] = context.http_request.body.size
+
+          context.http_request.body = AwsChunkedTrailerDigestIO.new(
+            context.http_request.body,
+            checksum_properties['algorithm'],
+            location_name
+          )
+        end
+
+        # Add events to the http_response to verify the checksum as its read
+        # This prevents the body from being read multiple times
+        # verification is done only once a successful response has completed
+        def add_verify_response_checksum_handlers(context)
+          http_response = context.http_response
+          checksum_context = { }
+          http_response.on_headers do |_status, headers|
+            header_name, algorithm = response_header_to_verify(headers, context[:http_checksum][:validation_list])
+            if header_name
+              expected = headers[header_name]
+
+              unless context[:http_checksum][:skip_on_suffix] && /-[\d]+$/.match(expected)
+                checksum_context[:algorithm] = algorithm
+                checksum_context[:header_name] = header_name
+                checksum_context[:digest] = ChecksumAlgorithm.digest_for_algorithm(algorithm)
+                checksum_context[:expected] = expected
+              end
+            end
+          end
+
+          http_response.on_data do |chunk|
+            checksum_context[:digest].update(chunk) if checksum_context[:digest]
+          end
+
+          http_response.on_success do
+            if checksum_context[:digest] &&
+              (computed = checksum_context[:digest].base64digest)
+
+              if computed != checksum_context[:expected]
+                raise Aws::Errors::ChecksumError,
+                      "Checksum validation failed on #{checksum_context[:header_name]} "\
+                      "computed: #{computed}, expected: #{checksum_context[:expected]}"
+              end
+
+              context[:http_checksum][:validated] = checksum_context[:algorithm]
+            end
+          end
+        end
+
+        # returns nil if no headers to verify
+        def response_header_to_verify(headers, validation_list)
+          validation_list.each do |algorithm|
+            header_name = "x-amz-checksum-#{algorithm}"
+            return [header_name, algorithm] if headers[header_name]
+          end
+          nil
+        end
+
+        # determine where (header vs trailer) a request checksum should be added
+        def checksum_request_in(context)
+          if context.operation['authtype'].eql?('v4-unsigned-body')
+            'trailer'
+          else
+            'header'
+          end
+        end
+
+      end
+
+      def self.calculate_checksum(algorithm, body)
+        digest = ChecksumAlgorithm.digest_for_algorithm(algorithm)
+        if body.respond_to?(:read)
+          ChecksumAlgorithm.update_in_chunks(digest, body)
+        else
+          digest.update(body)
+        end
+        digest.base64digest
+      end
+
+      def self.digest_for_algorithm(algorithm)
+        case algorithm
+        when 'CRC32'
+          Digest32.new(Zlib.method(:crc32))
+        when 'CRC32C'
+          # this will only be used if input algorithm is CRC32C AND client supports it (crt available)
+          Digest32.new(Aws::Crt::Checksums.method(:crc32c))
+        when 'SHA1'
+          Digest::SHA1.new
+        when 'SHA256'
+          Digest::SHA256.new
+        end
+      end
+
+      # The trailer size (in bytes) is the overhead + the trailer name +
+      # the length of the base64 encoded checksum
+      def self.trailer_length(algorithm, location_name)
+        CHECKSUM_SIZE[algorithm] + location_name.size
+      end
+
+      def self.update_in_chunks(digest, io)
+        loop do
+          chunk = io.read(CHUNK_SIZE)
+          break unless chunk
+          digest.update(chunk)
+        end
+        io.rewind
+      end
+
+      # Wrapper for request body that implements application-layer
+      # chunking with Digest computed on chunks + added as a trailer
+      class AwsChunkedTrailerDigestIO
+        CHUNK_SIZE = 16384
+
+        def initialize(io, algorithm, location_name)
+          @io = io
+          @location_name = location_name
+          @algorithm = algorithm
+          @digest = ChecksumAlgorithm.digest_for_algorithm(algorithm)
+          @trailer_io = nil
+        end
+
+        # the size of the application layer aws-chunked + trailer body
+        def size
+          # compute the number of chunks
+          # a full chunk has 4 + 4 bytes overhead, a partial chunk is len.to_s(16).size + 4
+          orig_body_size = @io.size
+          n_full_chunks = orig_body_size / CHUNK_SIZE
+          partial_bytes = orig_body_size % CHUNK_SIZE
+          chunked_body_size = n_full_chunks * (CHUNK_SIZE + 8)
+          chunked_body_size += partial_bytes.to_s(16).size + partial_bytes + 4 unless  partial_bytes.zero?
+          trailer_size = ChecksumAlgorithm.trailer_length(@algorithm, @location_name)
+          chunked_body_size + trailer_size
+        end
+
+        def rewind
+          @io.rewind
+        end
+
+        def read(length, buf = nil)
+          # account for possible leftover bytes at the end, if we have trailer bytes, send them
+          if @trailer_io
+            return @trailer_io.read(length, buf)
+          end
+
+          chunk = @io.read(length)
+          if chunk
+            @digest.update(chunk)
+            application_chunked = "#{chunk.bytesize.to_s(16)}\r\n#{chunk}\r\n"
+            return StringIO.new(application_chunked).read(application_chunked.size, buf)
+          else
+            trailers = {}
+            trailers[@location_name] = @digest.base64digest
+            trailers = trailers.map { |k,v| "#{k}:#{v}"}.join("\r\n")
+            @trailer_io = StringIO.new("0\r\n#{trailers}\r\n\r\n")
+            chunk = @trailer_io.read(length, buf)
+          end
+          chunk
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/credentials_configuration.rb

@@ -64,7 +64,9 @@ locations will be searched for credentials:
 * EC2/ECS IMDS instance profile - When used by default, the timeouts
   are very aggressive. Construct and pass an instance of
   `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
-  enable retries and extended timeouts.
+  enable retries and extended timeouts. Instance profile credential
+  fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
+  to true.
         DOCS
       ) do |config|
         CredentialProviderChain.new(config).resolve
@@ -74,6 +76,30 @@ locations will be searched for credentials:
 
       option(:instance_profile_credentials_timeout, 1)
 
+      option(:token_provider,
+             required: false,
+             doc_type: 'Aws::TokenProvider',
+             docstring: <<-DOCS
+A Bearer Token Provider. This can be an instance of any one of the
+following classes:
+
+* `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
+  tokens.
+
+* `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
+  access token generated from `aws login`.
+
+When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
+will be used to search for tokens configured for your profile in shared configuration files.
+      DOCS
+      ) do |config|
+        if config.stub_responses
+          StaticTokenProvider.new('token')
+        else
+          TokenProviderChain.new(config).resolve
+        end
+      end
+
     end
   end
 end

data/lib/aws-sdk-core/plugins/defaults_mode.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Aws
+  # @api private
+  module Plugins
+    # @api private
+    class DefaultsMode < Seahorse::Client::Plugin
+
+      option(:defaults_mode,
+             default: 'legacy',
+             doc_type: String,
+             docstring: <<-DOCS
+See {Aws::DefaultsModeConfiguration} for a list of the 
+accepted modes and the configuration defaults that are included.
+      DOCS
+      ) do |cfg|
+        resolve_defaults_mode(cfg)
+      end
+
+      option(:defaults_mode_config_resolver,
+             doc_type: 'Aws::DefaultsModeConfigResolver') do |cfg|
+        Aws::DefaultsModeConfigResolver.new(
+          Aws::DefaultsModeConfiguration::SDK_DEFAULT_CONFIGURATION, cfg)
+      end
+
+      class << self
+        private
+
+        def resolve_defaults_mode(cfg)
+          value = ENV['AWS_DEFAULTS_MODE']
+          value ||= Aws.shared_config.defaults_mode(
+            profile: cfg.profile
+          )
+          value&.downcase || "legacy"
+        end
+      end
+
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/endpoint_discovery.rb

@@ -72,7 +72,11 @@ the background every 60 secs (default). Defaults to `false`.
               context,
               Aws::Util.str_2_bool(discovery_cfg["required"])
             )
-            context.http_request.endpoint = _valid_uri(endpoint.address) if endpoint
+            if endpoint
+              context.http_request.endpoint = _valid_uri(endpoint.address)
+              # Skips dynamic endpoint usage, use this endpoint instead
+              context[:discovered_endpoint] = true
+            end
             if endpoint || context.config.endpoint_discovery
               _apply_endpoint_discovery_user_agent(context)
             end
@@ -100,7 +104,7 @@ the background every 60 secs (default). Defaults to `false`.
         end
 
         def _discover_endpoint(ctx, required)
-          cache = ctx.config.endpoint_cache 
+          cache = ctx.config.endpoint_cache
           key = cache.extract_key(ctx)
 
           if required

data/lib/aws-sdk-core/plugins/http_checksum.rb

@@ -11,7 +11,8 @@ module Aws
         CHUNK_SIZE = 1 * 1024 * 1024 # one MB
 
         def call(context)
-          if context.operation.http_checksum_required
+          if checksum_required?(context) &&
+             !context[:checksum_algorithms] # skip in favor of flexible checksum
             body = context.http_request.body
             context.http_request.headers['Content-Md5'] ||= md5(body)
           end
@@ -20,6 +21,12 @@ module Aws
 
         private
 
+        def checksum_required?(context)
+          context.operation.http_checksum_required ||
+            (context.operation.http_checksum &&
+              context.operation.http_checksum['requestChecksumRequired'])
+        end
+
         # @param [File, Tempfile, IO#read, String] value
         # @return [String<MD5>]
         def md5(value)

data/lib/aws-sdk-core/plugins/jsonvalue_converter.rb

@@ -11,15 +11,43 @@ module Aws
 
         def call(context)
           context.operation.input.shape.members.each do |m, ref|
-            if ref['jsonvalue']
-              param_value = context.params[m]
-              unless param_value.respond_to?(:to_json)
-                raise ArgumentError, "The value of params[#{m}] is not JSON serializable."
+            convert_jsonvalue(m, ref, context.params, 'params')
+          end
+          @handler.call(context)
+        end
+
+        def convert_jsonvalue(m, ref, params, context)
+          return if params.nil? || !params.key?(m)
+
+          if ref['jsonvalue']
+            params[m] = serialize_jsonvalue(params[m], "#{context}[#{m}]")
+          else
+            case ref.shape
+            when Seahorse::Model::Shapes::StructureShape
+              ref.shape.members.each do |member_m, ref|
+                convert_jsonvalue(member_m, ref, params[m], "#{context}[#{m}]")
+              end
+            when Seahorse::Model::Shapes::ListShape
+              if ref.shape.member['jsonvalue']
+                params[m] = params[m].each_with_index.map do |v, i|
+                  serialize_jsonvalue(v, "#{context}[#{m}][#{i}]")
+                end
+              end
+            when Seahorse::Model::Shapes::MapShape
+              if ref.shape.value['jsonvalue']
+                params[m].each do |k, v|
+                  params[m][k] = serialize_jsonvalue(v, "#{context}[#{m}][#{k}]")
+                end
               end
-              context.params[m] = param_value.to_json
             end
           end
-          @handler.call(context)
+        end
+
+        def serialize_jsonvalue(v, context)
+          unless v.respond_to?(:to_json)
+            raise ArgumentError, "The value of #{context} is not JSON serializable."
+          end
+          v.to_json
         end
 
       end

data/lib/aws-sdk-core/plugins/protocols/api_gateway.rb

@@ -4,9 +4,26 @@ module Aws
   module Plugins
     module Protocols
       class ApiGateway < Seahorse::Client::Plugin
+
+        class ContentTypeHandler < Seahorse::Client::Handler
+          def call(context)
+            body = context.http_request.body
+            # Rest::Handler will set a default JSON body, so size can be checked
+            # if this handler is run after serialization.
+            if !body.respond_to?(:size) ||
+               (body.respond_to?(:size) && body.size > 0)
+               context.http_request.headers['Content-Type'] ||=
+                 'application/json'
+            end
+            @handler.call(context)
+          end
+        end
+
         handler(Rest::Handler)
+        handler(ContentTypeHandler, priority: 30)
         handler(Json::ErrorHandler, step: :sign)
       end
+
     end
   end
 end

data/lib/aws-sdk-core/plugins/protocols/rest_json.rb

@@ -5,10 +5,25 @@ module Aws
     module Protocols
       class RestJson < Seahorse::Client::Plugin
 
+        class ContentTypeHandler < Seahorse::Client::Handler
+          def call(context)
+            body = context.http_request.body
+            # Rest::Handler will set a default JSON body, so size can be checked
+            # if this handler is run after serialization.
+            if !body.respond_to?(:size) ||
+               (body.respond_to?(:size) && body.size > 0)
+              context.http_request.headers['Content-Type'] ||=
+                'application/json'
+            end
+            @handler.call(context)
+          end
+        end
+
         handler(Rest::Handler)
+        handler(ContentTypeHandler, priority: 30)
         handler(Json::ErrorHandler, step: :sign)
-
       end
+
     end
   end
 end

data/lib/aws-sdk-core/plugins/recursion_detection.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Aws
+  module Plugins
+    # @api private
+    class RecursionDetection < Seahorse::Client::Plugin
+
+      # @api private
+      class Handler < Seahorse::Client::Handler
+        def call(context)
+
+          unless context.http_request.headers.key?('x-amzn-trace-id')
+            if ENV['AWS_LAMBDA_FUNCTION_NAME'] &&
+              (trace_id = validate_header(ENV['_X_AMZN_TRACE_ID']))
+              context.http_request.headers['x-amzn-trace-id'] = trace_id
+            end
+          end
+          @handler.call(context)
+        end
+
+        private
+        def validate_header(header_value)
+          return unless header_value
+
+          if (header_value.chars & (0..31).map(&:chr)).any?
+            raise ArgumentError, 'Invalid _X_AMZN_TRACE_ID value: '\
+              'contains ASCII control characters'
+          end
+          header_value
+        end
+      end
+
+      # should be at the end of build so that
+      # modeled traits / service customizations apply first
+      handler(Handler, step: :build, order: 99)
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/regional_endpoint.rb

@@ -24,8 +24,32 @@ a default `:region` is searched for in the following locations:
         resolve_region(cfg)
       end
 
+      option(:use_dualstack_endpoint,
+        doc_type: 'Boolean',
+        docstring: <<-DOCS) do |cfg|
+When set to `true`, dualstack enabled endpoints (with `.aws` TLD)
+will be used if available.
+        DOCS
+        resolve_use_dualstack_endpoint(cfg)
+      end
+
+      option(:use_fips_endpoint,
+        doc_type: 'Boolean',
+        docstring: <<-DOCS) do |cfg|
+When set to `true`, fips compatible endpoints will be used if available.
+When a `fips` region is used, the region is normalized and this config
+is set to `true`.
+        DOCS
+        resolve_use_fips_endpoint(cfg)
+      end
+
+      # This option signals whether :endpoint was provided or not.
+      # Legacy endpoints must continue to be generated at client time.
       option(:regional_endpoint, false)
 
+      # NOTE: All of the defaults block code is effectively deprecated.
+      # Because old services can depend on this new core version, we must
+      # retain it.
       option(:endpoint, doc_type: String, docstring: <<-DOCS) do |cfg|
 The client endpoint is normally constructed from the `:region`
 option. You should only configure an `:endpoint` when connecting
@@ -42,10 +66,23 @@ to test or custom endpoints. This should be a valid HTTP(S) URI.
             raise Errors::InvalidRegionError
           end
 
+          region = cfg.region
+          new_region = region.gsub('fips-', '').gsub('-fips', '')
+          if region != new_region
+            warn("Legacy region #{region} was transformed to #{new_region}."\
+                 '`use_fips_endpoint` config was set to true.')
+            cfg.override_config(:use_fips_endpoint, true)
+            cfg.override_config(:region, new_region)
+          end
+
           Aws::Partitions::EndpointProvider.resolve(
             cfg.region,
             endpoint_prefix,
-            sts_regional
+            sts_regional,
+            {
+              dualstack: cfg.use_dualstack_endpoint,
+              fips: cfg.use_fips_endpoint
+            }
           )
         end
       end
@@ -66,6 +103,20 @@ to test or custom endpoints. This should be a valid HTTP(S) URI.
           cfg_region = Aws.shared_config.region(profile: cfg.profile)
           env_region || cfg_region
         end
+
+        def resolve_use_dualstack_endpoint(cfg)
+          value = ENV['AWS_USE_DUALSTACK_ENDPOINT']
+          value ||= Aws.shared_config.use_dualstack_endpoint(
+            profile: cfg.profile
+          )
+          Aws::Util.str_2_bool(value) || false
+        end
+
+        def resolve_use_fips_endpoint(cfg)
+          value = ENV['AWS_USE_FIPS_ENDPOINT']
+          value ||= Aws.shared_config.use_fips_endpoint(profile: cfg.profile)
+          Aws::Util.str_2_bool(value) || false
+        end
       end
     end
   end