aws-sdk-core 3.122.0 → 3.180.1

data/lib/aws-defaults/defaults_mode_config_resolver.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+module Aws
+  #@api private
+  class DefaultsModeConfigResolver
+
+    @@application_region = nil
+    @@application_region_mutex = Mutex.new
+    @@imds_client = EC2Metadata.new(retries: 0, http_open_timeout: 0.01)
+
+    # mappings from Ruby SDK configuration names to the
+    # sdk defaults option names and (optional) scale modifiers
+    CFG_OPTIONS = {
+      retry_mode: { name: "retryMode" },
+      sts_regional_endpoints: { name: "stsRegionalEndpoints" },
+      s3_us_east_1_regional_endpoint: { name: "s3UsEast1RegionalEndpoints" },
+      http_open_timeout: { name: "connectTimeoutInMillis", scale: 0.001 },
+      http_read_timeout: { name: "timeToFirstByteTimeoutInMillis", scale: 0.001 },
+      ssl_timeout: { name: "tlsNegotiationTimeoutInMillis", scale: 0.001 }
+    }.freeze
+
+    def initialize(sdk_defaults, cfg)
+      @sdk_defaults = sdk_defaults
+      @cfg = cfg
+      @resolved_mode = nil
+      @mutex = Mutex.new
+    end
+
+    # option_name should be the symbolized ruby name to resolve
+    # returns the ruby appropriate value or nil if none are resolved
+    def resolve(option_name)
+      return unless (std_option = CFG_OPTIONS[option_name])
+      mode = resolved_mode.downcase
+
+      return nil if mode == 'legacy'
+
+      value = resolve_for_mode(std_option[:name], mode)
+      value = value * std_option[:scale] if value && std_option[:scale]
+
+      value
+    end
+
+    private
+    def resolved_mode
+      @mutex.synchronize do
+        return @resolved_mode unless @resolved_mode.nil?
+
+        @resolved_mode = @cfg.defaults_mode == 'auto' ? resolve_auto_mode : @cfg.defaults_mode
+      end
+    end
+
+    def resolve_auto_mode
+      return "mobile" if env_mobile?
+
+      region = application_current_region
+
+      if region
+        @cfg.region == region ? "in-region": "cross-region"
+      else
+        # We don't seem to be mobile, and we couldn't determine whether we're running within an AWS region. Fall back to standard.
+        'standard'
+      end
+    end
+
+    def application_current_region
+      resolved_region = @@application_region_mutex.synchronize do
+        return @@application_region unless @@application_region.nil?
+
+        region = nil
+        if ENV['AWS_EXECUTION_ENV']
+          region = ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION']
+        end
+
+        if region.nil? && ENV['AWS_EC2_METADATA_DISABLED']&.downcase != "true"
+          begin
+            region = @@imds_client.get('/latest/meta-data/placement/region')
+          rescue
+            # unable to get region, leave it unset
+          end
+        end
+
+        # required so that we cache the unknown/nil result
+        @@application_region = region || :unknown
+      end
+      resolved_region == :unknown ? nil : resolved_region
+    end
+
+    def resolve_for_mode(name, mode)
+      base_value = @sdk_defaults['base'][name]
+      mode_value = @sdk_defaults['modes'].fetch(mode, {})[name]
+
+      if mode_value.nil?
+        return base_value
+      end
+
+      return mode_value['override'] unless mode_value['override'].nil?
+      return base_value + mode_value['add'] unless mode_value['add'].nil?
+      return base_value * mode_value['multiply'] unless mode_value['multiply'].nil?
+      return base_value
+    end
+
+    def env_mobile?
+      false
+    end
+
+  end
+end

data/lib/aws-defaults.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative 'aws-defaults/default_configuration'

data/lib/aws-sdk-core/arn.rb

@@ -88,5 +88,18 @@ module Aws
         resource: @resource
       }
     end
+
+    # Return the ARN as JSON
+    #
+    # @return [Hash]
+    def as_json(_options = nil)
+      {
+        'partition' => @partition,
+        'service' => @service,
+        'region' => @region,
+        'accountId' => @account_id,
+        'resource' => @resource
+      }
+    end
   end
 end

data/lib/aws-sdk-core/assume_role_credentials.rb

@@ -3,20 +3,20 @@
 require 'set'
 
 module Aws
-
-  # An auto-refreshing credential provider that works by assuming
-  # a role via {Aws::STS::Client#assume_role}.
+  # An auto-refreshing credential provider that assumes a role via
+  # {Aws::STS::Client#assume_role}.
   #
   #     role_credentials = Aws::AssumeRoleCredentials.new(
   #       client: Aws::STS::Client.new(...),
   #       role_arn: "linked::account::arn",
   #       role_session_name: "session-name"
   #     )
-  #
   #     ec2 = Aws::EC2::Client.new(credentials: role_credentials)
   #
-  # If you omit `:client` option, a new {STS::Client} object will be
-  # constructed.
+  # If you omit `:client` option, a new {Aws::STS::Client} object will be
+  # constructed with additional options that were provided.
+  #
+  # @see Aws::STS::Client#assume_role
   class AssumeRoleCredentials
 
     include CredentialProvider
@@ -28,23 +28,37 @@ module Aws
     # @option options [Integer] :duration_seconds
     # @option options [String] :external_id
     # @option options [STS::Client] :client
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed.  Useful for updating tokens.
+    #   `before_refresh` is called when AWS credentials are
+    #   required and need to be refreshed. Tokens can be refreshed using
+    #   the following example:
+    #
+    #      before_refresh = Proc.new do |assume_role_credentials| do
+    #        assume_role_credentials.assume_role_params['token_code'] = update_token
+    #      end
+    #
     def initialize(options = {})
       client_opts = {}
       @assume_role_params = {}
       options.each_pair do |key, value|
         if self.class.assume_role_options.include?(key)
           @assume_role_params[key] = value
-        else
+        elsif !CLIENT_EXCLUDE_OPTIONS.include?(key)
           client_opts[key] = value
         end
       end
       @client = client_opts[:client] || STS::Client.new(client_opts)
+      @async_refresh = true
       super
     end
 
     # @return [STS::Client]
     attr_reader :client
 
+    # @return [Hash]
+    attr_reader :assume_role_params
+
     private
 
     def refresh

data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb

@@ -5,9 +5,8 @@ require 'securerandom'
 require 'base64'
 
 module Aws
-
-  # An auto-refreshing credential provider that works by assuming
-  # a role via {Aws::STS::Client#assume_role_with_web_identity}.
+  # An auto-refreshing credential provider that assumes a role via
+  # {Aws::STS::Client#assume_role_with_web_identity}.
   #
   #     role_credentials = Aws::AssumeRoleWebIdentityCredentials.new(
   #       client: Aws::STS::Client.new(...),
@@ -16,12 +15,12 @@ module Aws
   #       role_session_name: "session-name"
   #       ...
   #     )
-  #     For full list of parameters accepted
-  #     @see Aws::STS::Client#assume_role_with_web_identity 
+  #     ec2 = Aws::EC2::Client.new(credentials: role_credentials)
   #
+  # If you omit `:client` option, a new {Aws::STS::Client} object will be
+  # constructed with additional options that were provided.
   #
-  # If you omit `:client` option, a new {STS::Client} object will be
-  # constructed.
+  # @see Aws::STS::Client#assume_role_with_web_identity
   class AssumeRoleWebIdentityCredentials
 
     include CredentialProvider
@@ -39,14 +38,20 @@ module Aws
     #   encoded UUID is generated as the session name
     #
     # @option options [STS::Client] :client
+    #
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
       client_opts = {}
       @assume_role_web_identity_params = {}
       @token_file = options.delete(:web_identity_token_file)
+      @async_refresh = true
       options.each_pair do |key, value|
         if self.class.assume_role_web_identity_options.include?(key)
           @assume_role_web_identity_params[key] = value
-        else
+        elsif !CLIENT_EXCLUDE_OPTIONS.include?(key)
           client_opts[key] = value
         end
       end
@@ -94,11 +99,10 @@ module Aws
       # @api private
       def assume_role_web_identity_options
         @arwio ||= begin
-          input = STS::Client.api.operation(:assume_role_with_web_identity).input
+          input = Aws::STS::Client.api.operation(:assume_role_with_web_identity).input
           Set.new(input.shape.member_names)
         end
       end
-
     end
   end
 end

data/lib/aws-sdk-core/binary/encode_handler.rb

@@ -13,7 +13,7 @@ module Aws
             context.config.api.metadata['protocol'],
             eventstream_member,
             context.operation.input,
-            context.config.sigv4_signer
+            signer_for(context)
           )
           context[:input_event_emitter] = input_es_handler.event_emitter
         end
@@ -22,6 +22,17 @@ module Aws
 
       private
 
+      def signer_for(context)
+        # New endpoint/signing logic, use the auth scheme to make a signer
+        if context[:auth_scheme]
+          Aws::Plugins::Sign.signer_for(context[:auth_scheme], context.config)
+        else
+          # Previous implementation always assumed sigv4_signer from config.
+          # Relies only on sigv4 signing (and plugin) for event stream services
+          context.config.sigv4_signer
+        end
+      end
+
       def eventstream_input?(ctx)
         ctx.operation.input.shape.members.each do |_, ref|
           return ref if ref.eventstream

data/lib/aws-sdk-core/client_stubs.rb

@@ -262,13 +262,17 @@ module Aws
     end
 
     def convert_stub(operation_name, stub)
-      case stub
+      stub = case stub
       when Proc then stub
       when Exception, Class then { error: stub }
       when String then service_error_stub(stub)
       when Hash then http_response_stub(operation_name, stub)
       else { data: stub }
       end
+      if Hash === stub
+        stub[:mutex] = Mutex.new
+      end
+      stub
     end
 
     def service_error_stub(error_code)

data/lib/aws-sdk-core/credential_provider.rb

@@ -6,6 +6,9 @@ module Aws
     # @return [Credentials]
     attr_reader :credentials
 
+    # @return [Time]
+    attr_reader :expiration
+
     # @return [Boolean]
     def set?
       !!credentials && credentials.set?

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -161,7 +161,8 @@ module Aws
 
     def instance_profile_credentials(options)
       profile_name = determine_profile_name(options)
-      if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
+      if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] ||
+         ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
         ECSCredentials.new(options)
       else
         InstanceProfileCredentials.new(options.merge(profile: profile_name))
@@ -169,12 +170,14 @@ module Aws
     end
 
     def assume_role_with_profile(options, profile_name)
-      region = (options[:config] && options[:config].region)
-      Aws.shared_config.assume_role_credentials_from_config(
+      assume_opts = {
         profile: profile_name,
-        region: region,
         chain_config: @config
-      )
+      }
+      if options[:config] && options[:config].region
+        assume_opts[:region] = options[:config].region
+      end
+      Aws.shared_config.assume_role_credentials_from_config(assume_opts)
     end
   end
 end

data/lib/aws-sdk-core/ec2_metadata.rb

@@ -136,8 +136,9 @@ module Aws
 
     def fetch_token
       open_connection do |conn|
+        created_time = Time.now
         token_value, token_ttl = http_put(conn, @token_ttl)
-        @token = Token.new(value: token_value, ttl: token_ttl)
+        @token = Token.new(value: token_value, ttl: token_ttl, created_time: created_time)
       end
     end
 
@@ -222,7 +223,7 @@ module Aws
       def initialize(options = {})
         @ttl   = options[:ttl]
         @value = options[:value]
-        @created_time = Time.now
+        @created_time = options[:created_time] || Time.now
       end
 
       # [String] Returns the token value.

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -2,10 +2,15 @@
 
 require 'time'
 require 'net/http'
+require 'resolv'
 
 module Aws
+  # An auto-refreshing credential provider that loads credentials from
+  # instances running in ECS.
+  #
+  #     ecs_credentials = Aws::ECSCredentials.new(retries: 3)
+  #     ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
   class ECSCredentials
-
     include CredentialProvider
     include RefreshingCredentials
 
@@ -24,16 +29,22 @@ module Aws
       Errno::ENETUNREACH,
       SocketError,
       Timeout::Error,
-      Non200Response,
-    ]
+      Non200Response
+    ].freeze
 
     # @param [Hash] options
     # @option options [Integer] :retries (5) Number of times to retry
     #   when retrieving credentials.
-    # @option options [String] :ip_address ('169.254.170.2')
-    # @option options [Integer] :port (80)
+    # @option options [String] :ip_address ('169.254.170.2') This value is
+    #   ignored if `endpoint` is set and `credential_path` is not set.
+    # @option options [Integer] :port (80) This value is ignored if `endpoint`
+    #   is set and `credential_path` is not set.
     # @option options [String] :credential_path By default, the value of the
     #   AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
+    # @option options [String] :endpoint The ECS credential endpoint.
+    #   By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
+    #   environment variable. This value is ignored if `credential_path` or
+    #   ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
     # @option options [Float] :http_open_timeout (5)
     # @option options [Float] :http_read_timeout (5)
     # @option options [Numeric, Proc] :delay By default, failures are retried
@@ -43,21 +54,24 @@ module Aws
     # @option options [IO] :http_debug_output (nil) HTTP wire
     #   traces are sent to this object.  You can specify something
     #   like $stdout.
-    def initialize options = {}
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
+    def initialize(options = {})
+      credential_path = options[:credential_path] ||
+                        ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
+      endpoint = options[:endpoint] ||
+                 ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
+      initialize_uri(options, credential_path, endpoint)
+      @authorization_token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN']
+
       @retries = options[:retries] || 5
-      @ip_address = options[:ip_address] || '169.254.170.2'
-      @port = options[:port] || 80
-      @credential_path = options[:credential_path]
-      @credential_path ||= ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
-      unless @credential_path
-        raise ArgumentError.new(
-          "Cannot instantiate an ECS Credential Provider without a credential path."
-        )
-      end
       @http_open_timeout = options[:http_open_timeout] || 5
       @http_read_timeout = options[:http_read_timeout] || 5
       @http_debug_output = options[:http_debug_output]
       @backoff = backoff(options[:backoff])
+      @async_refresh = false
       super
     end
 
@@ -67,11 +81,69 @@ module Aws
 
     private
 
+    def initialize_uri(options, credential_path, endpoint)
+      if credential_path
+        initialize_relative_uri(options, credential_path)
+      # Use FULL_URI/endpoint only if RELATIVE_URI/path is not set
+      elsif endpoint
+        initialize_full_uri(endpoint)
+      else
+        raise ArgumentError,
+              'Cannot instantiate an ECS Credential Provider '\
+              'without a credential path or endpoint.'
+      end
+    end
+
+    def initialize_relative_uri(options, path)
+      @host = options[:ip_address] || '169.254.170.2'
+      @port = options[:port] || 80
+      @scheme = 'http'
+      @credential_path = path
+    end
+
+    def initialize_full_uri(endpoint)
+      uri = URI.parse(endpoint)
+      validate_full_uri!(uri)
+      @host = uri.host
+      @port = uri.port
+      @scheme = uri.scheme
+      @credential_path = uri.path
+    end
+
+    # Validate that the full URI is using a loopback address if scheme is http.
+    def validate_full_uri!(full_uri)
+      return unless full_uri.scheme == 'http'
+
+      begin
+        return if ip_loopback?(IPAddr.new(full_uri.host))
+      rescue IPAddr::InvalidAddressError
+        addresses = Resolv.getaddresses(full_uri.host)
+        return if addresses.all? { |addr| ip_loopback?(IPAddr.new(addr)) }
+      end
+
+      raise ArgumentError,
+            'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a loopback '\
+            'address when using the http scheme.'
+    end
+
+    # loopback? method is available in Ruby 2.5+
+    # Replicate the logic here.
+    def ip_loopback?(ip_address)
+      case ip_address.family
+      when Socket::AF_INET
+        ip_address & 0xff000000 == 0x7f000000
+      when Socket::AF_INET6
+        ip_address == 1
+      else
+        false
+      end
+    end
+
     def backoff(backoff)
       case backoff
       when Proc then backoff
-      when Numeric then lambda { |_| sleep(backoff) }
-      else lambda { |num_failures| Kernel.sleep(1.2 ** num_failures) }
+      when Numeric then ->(_) { sleep(backoff) }
+      else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
       end
     end
 
@@ -79,68 +151,64 @@ module Aws
       # Retry loading credentials up to 3 times is the instance metadata
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
-      begin
-        retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
-          c = Aws::Json.load(get_credentials.to_s)
-          @credentials = Credentials.new(
-            c['AccessKeyId'],
-            c['SecretAccessKey'],
-            c['Token']
-          )
-          @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
-        end
-      rescue Aws::Json::ParseError
-        raise Aws::Errors::MetadataParserError.new
+
+      retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
+        c = Aws::Json.load(get_credentials.to_s)
+        @credentials = Credentials.new(
+          c['AccessKeyId'],
+          c['SecretAccessKey'],
+          c['Token']
+        )
+        @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
       end
+    rescue Aws::Json::ParseError
+      raise Aws::Errors::MetadataParserError
     end
 
     def get_credentials
       # Retry loading credentials a configurable number of times if
       # the instance metadata service is not responding.
-      begin
-        retry_errors(NETWORK_ERRORS, max_retries: @retries) do
-          open_connection do |conn|
-            http_get(conn, @credential_path)
-          end
+
+      retry_errors(NETWORK_ERRORS, max_retries: @retries) do
+        open_connection do |conn|
+          http_get(conn, @credential_path)
         end
-      rescue
-        '{}'
       end
+    rescue StandardError
+      '{}'
     end
 
     def open_connection
-      http = Net::HTTP.new(@ip_address, @port, nil)
+      http = Net::HTTP.new(@host, @port, nil)
       http.open_timeout = @http_open_timeout
       http.read_timeout = @http_read_timeout
       http.set_debug_output(@http_debug_output) if @http_debug_output
+      http.use_ssl = @scheme == 'https'
       http.start
       yield(http).tap { http.finish }
     end
 
     def http_get(connection, path)
-      response = connection.request(Net::HTTP::Get.new(path))
-      if response.code.to_i == 200
-        response.body
-      else
-        raise Non200Response
-      end
+      request = Net::HTTP::Get.new(path)
+      request['Authorization'] = @authorization_token if @authorization_token
+      response = connection.request(request)
+      raise Non200Response unless response.code.to_i == 200
+
+      response.body
     end
 
-    def retry_errors(error_classes, options = {}, &block)
+    def retry_errors(error_classes, options = {})
       max_retries = options[:max_retries]
       retries = 0
       begin
         yield
-      rescue *error_classes => _error
-        if retries < max_retries
-          @backoff.call(retries)
-          retries += 1
-          retry
-        else
-          raise
-        end
+      rescue *error_classes => _e
+        raise unless retries < max_retries
+
+        @backoff.call(retries)
+        retries += 1
+        retry
       end
     end
-
   end
 end

data/lib/aws-sdk-core/endpoints/condition.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Aws
+  module Endpoints
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
+    # @api private
+    class Condition
+      def initialize(fn:, argv:, assign: nil)
+        @fn = Function.new(fn: fn, argv: argv)
+        @assign = assign
+        @assigned = {}
+      end
+
+      attr_reader :fn
+      attr_reader :argv
+      attr_reader :assign
+
+      attr_reader :assigned
+
+      def match?(parameters, assigns)
+        output = @fn.call(parameters, assigns)
+        @assigned = @assigned.merge({ @assign => output }) if @assign
+        output
+      end
+
+      def self.from_json(conditions_json)
+        conditions_json.each.with_object([]) do |condition, conditions|
+          conditions << new(
+            fn: condition['fn'],
+            argv: condition['argv'],
+            assign: condition['assign']
+          )
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/endpoints/endpoint.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Aws
+  module Endpoints
+    class Endpoint
+      def initialize(url:, properties: {}, headers: {})
+        @url = url
+        @properties = properties
+        @headers = headers
+      end
+
+      attr_reader :url
+      attr_reader :properties
+      attr_reader :headers
+    end
+  end
+end