aws-sdk-core 3.124.0 → 3.186.0

data/lib/aws-defaults/default_configuration.rb

@@ -0,0 +1,153 @@
+# frozen_string_literal: true
+
+require_relative 'defaults_mode_config_resolver'
+
+module Aws
+
+  # A defaults mode determines how certain default configuration options are resolved in the SDK.
+  #
+  # *Note*: For any mode other than `'legacy'` the vended default values might change as best practices may
+  # evolve. As a result, it is encouraged to perform testing when upgrading the SDK if you are using a mode other than
+  # `'legacy'`.  While the `'legacy'` defaults mode is specific to Ruby,
+  # other modes are standardized across all of the AWS SDKs.
+  #
+  #  The defaults mode can be configured:
+  #
+  #  * Directly on a client via `:defaults_mode`
+  #
+  #  * On a configuration profile via the "defaults_mode" profile file property.
+  #
+  #  * Globally via the "AWS_DEFAULTS_MODE" environment variable.
+  #
+  #
+  # #defaults START - documentation
+  # The following `:default_mode` values are supported:
+  #
+  # * `'standard'` -
+  #   The STANDARD mode provides the latest recommended default values
+  #   that should be safe to run in most scenarios
+  #
+  #   Note that the default values vended from this mode might change as
+  #   best practices may evolve. As a result, it is encouraged to perform
+  #   tests when upgrading the SDK
+  #
+  # * `'in-region'` -
+  #   The IN\_REGION mode builds on the standard mode and includes
+  #   optimization tailored for applications which call AWS services from
+  #   within the same AWS region
+  #
+  #   Note that the default values vended from this mode might change as
+  #   best practices may evolve. As a result, it is encouraged to perform
+  #   tests when upgrading the SDK
+  #
+  # * `'cross-region'` -
+  #   The CROSS\_REGION mode builds on the standard mode and includes
+  #   optimization tailored for applications which call AWS services in a
+  #   different region
+  #
+  #   Note that the default values vended from this mode might change as
+  #   best practices may evolve. As a result, it is encouraged to perform
+  #   tests when upgrading the SDK
+  #
+  # * `'mobile'` -
+  #   The MOBILE mode builds on the standard mode and includes
+  #   optimization tailored for mobile applications
+  #
+  #   Note that the default values vended from this mode might change as
+  #   best practices may evolve. As a result, it is encouraged to perform
+  #   tests when upgrading the SDK
+  #
+  # * `'auto'` -
+  #   The AUTO mode is an experimental mode that builds on the standard
+  #   mode. The SDK will attempt to discover the execution environment to
+  #   determine the appropriate settings automatically.
+  #
+  #   Note that the auto detection is heuristics-based and does not
+  #   guarantee 100% accuracy. STANDARD mode will be used if the execution
+  #   environment cannot be determined. The auto detection might query
+  #   [EC2 Instance Metadata service][1], which might introduce latency.
+  #   Therefore we recommend choosing an explicit defaults\_mode instead
+  #   if startup latency is critical to your application
+  #
+  # * `'legacy'` -
+  #   The LEGACY mode provides default settings that vary per SDK and were
+  #   used prior to establishment of defaults\_mode
+  #
+  # Based on the provided mode, the SDK will vend sensible default values
+  # tailored to the mode for the following settings:
+  #
+  # * `:retry_mode` -
+  #   A retry mode specifies how the SDK attempts retries. See [Retry
+  #   Mode][2]
+  #
+  # * `:sts_regional_endpoints` -
+  #   Specifies how the SDK determines the AWS service endpoint that it
+  #   uses to talk to the AWS Security Token Service (AWS STS). See
+  #   [Setting STS Regional endpoints][3]
+  #
+  # * `:s3_us_east_1_regional_endpoint` -
+  #   Specifies how the SDK determines the AWS service endpoint that it
+  #   uses to talk to the Amazon S3 for the us-east-1 region
+  #
+  # * `:http_open_timeout` -
+  #   The amount of time after making an initial connection attempt on a
+  #   socket, where if the client does not receive a completion of the
+  #   connect handshake, the client gives up and fails the operation
+  #
+  # * `:ssl_timeout` -
+  #   The maximum amount of time that a TLS handshake is allowed to take
+  #   from the time the CLIENT HELLO message is sent to ethe time the
+  #   client and server have fully negotiated ciphers and exchanged keys
+  #
+  #  All options above can be configured by users, and the overridden value will take precedence.
+  #
+  # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
+  # [2]: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-retry_mode.html
+  # [3]: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-sts_regional_endpoints.html
+  #
+  # #defaults END - documentation
+  module DefaultsModeConfiguration
+    # @api private
+    # #defaults START - configuration
+    SDK_DEFAULT_CONFIGURATION = 
+    {
+      "version" => 1,
+      "base" => {
+        "retryMode" => "standard",
+        "stsRegionalEndpoints" => "regional",
+        "s3UsEast1RegionalEndpoints" => "regional",
+        "connectTimeoutInMillis" => 1100,
+        "tlsNegotiationTimeoutInMillis" => 1100
+      },
+      "modes" => {
+        "standard" => {
+          "connectTimeoutInMillis" => {
+            "override" => 3100
+          },
+          "tlsNegotiationTimeoutInMillis" => {
+            "override" => 3100
+          }
+        },
+        "in-region" => {
+        },
+        "cross-region" => {
+          "connectTimeoutInMillis" => {
+            "override" => 3100
+          },
+          "tlsNegotiationTimeoutInMillis" => {
+            "override" => 3100
+          }
+        },
+        "mobile" => {
+          "connectTimeoutInMillis" => {
+            "override" => 30000
+          },
+          "tlsNegotiationTimeoutInMillis" => {
+            "override" => 30000
+          }
+        }
+      }
+    }
+    # #defaults END - configuration
+  end
+end

data/lib/aws-defaults/defaults_mode_config_resolver.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+module Aws
+  #@api private
+  class DefaultsModeConfigResolver
+
+    @@application_region = nil
+    @@application_region_mutex = Mutex.new
+    @@imds_client = EC2Metadata.new(retries: 0, http_open_timeout: 0.01)
+
+    # mappings from Ruby SDK configuration names to the
+    # sdk defaults option names and (optional) scale modifiers
+    CFG_OPTIONS = {
+      retry_mode: { name: "retryMode" },
+      sts_regional_endpoints: { name: "stsRegionalEndpoints" },
+      s3_us_east_1_regional_endpoint: { name: "s3UsEast1RegionalEndpoints" },
+      http_open_timeout: { name: "connectTimeoutInMillis", scale: 0.001 },
+      http_read_timeout: { name: "timeToFirstByteTimeoutInMillis", scale: 0.001 },
+      ssl_timeout: { name: "tlsNegotiationTimeoutInMillis", scale: 0.001 }
+    }.freeze
+
+    def initialize(sdk_defaults, cfg)
+      @sdk_defaults = sdk_defaults
+      @cfg = cfg
+      @resolved_mode = nil
+      @mutex = Mutex.new
+    end
+
+    # option_name should be the symbolized ruby name to resolve
+    # returns the ruby appropriate value or nil if none are resolved
+    def resolve(option_name)
+      return unless (std_option = CFG_OPTIONS[option_name])
+      mode = resolved_mode.downcase
+
+      return nil if mode == 'legacy'
+
+      value = resolve_for_mode(std_option[:name], mode)
+      value = value * std_option[:scale] if value && std_option[:scale]
+
+      value
+    end
+
+    private
+    def resolved_mode
+      @mutex.synchronize do
+        return @resolved_mode unless @resolved_mode.nil?
+
+        @resolved_mode = @cfg.defaults_mode == 'auto' ? resolve_auto_mode : @cfg.defaults_mode
+      end
+    end
+
+    def resolve_auto_mode
+      return "mobile" if env_mobile?
+
+      region = application_current_region
+
+      if region
+        @cfg.region == region ? "in-region": "cross-region"
+      else
+        # We don't seem to be mobile, and we couldn't determine whether we're running within an AWS region. Fall back to standard.
+        'standard'
+      end
+    end
+
+    def application_current_region
+      resolved_region = @@application_region_mutex.synchronize do
+        return @@application_region unless @@application_region.nil?
+
+        region = nil
+        if ENV['AWS_EXECUTION_ENV']
+          region = ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION']
+        end
+
+        if region.nil? && ENV['AWS_EC2_METADATA_DISABLED']&.downcase != "true"
+          begin
+            region = @@imds_client.get('/latest/meta-data/placement/region')
+          rescue
+            # unable to get region, leave it unset
+          end
+        end
+
+        # required so that we cache the unknown/nil result
+        @@application_region = region || :unknown
+      end
+      resolved_region == :unknown ? nil : resolved_region
+    end
+
+    def resolve_for_mode(name, mode)
+      base_value = @sdk_defaults['base'][name]
+      mode_value = @sdk_defaults['modes'].fetch(mode, {})[name]
+
+      if mode_value.nil?
+        return base_value
+      end
+
+      return mode_value['override'] unless mode_value['override'].nil?
+      return base_value + mode_value['add'] unless mode_value['add'].nil?
+      return base_value * mode_value['multiply'] unless mode_value['multiply'].nil?
+      return base_value
+    end
+
+    def env_mobile?
+      false
+    end
+
+  end
+end

data/lib/aws-defaults.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative 'aws-defaults/default_configuration'

data/lib/aws-sdk-core/arn.rb

@@ -88,5 +88,18 @@ module Aws
         resource: @resource
       }
     end
+
+    # Return the ARN as JSON
+    #
+    # @return [Hash]
+    def as_json(_options = nil)
+      {
+        'partition' => @partition,
+        'service' => @service,
+        'region' => @region,
+        'accountId' => @account_id,
+        'resource' => @resource
+      }
+    end
   end
 end

data/lib/aws-sdk-core/assume_role_credentials.rb

@@ -3,20 +3,20 @@
 require 'set'
 
 module Aws
-
-  # An auto-refreshing credential provider that works by assuming
-  # a role via {Aws::STS::Client#assume_role}.
+  # An auto-refreshing credential provider that assumes a role via
+  # {Aws::STS::Client#assume_role}.
   #
   #     role_credentials = Aws::AssumeRoleCredentials.new(
   #       client: Aws::STS::Client.new(...),
   #       role_arn: "linked::account::arn",
   #       role_session_name: "session-name"
   #     )
-  #
   #     ec2 = Aws::EC2::Client.new(credentials: role_credentials)
   #
-  # If you omit `:client` option, a new {STS::Client} object will be
-  # constructed.
+  # If you omit `:client` option, a new {Aws::STS::Client} object will be
+  # constructed with additional options that were provided.
+  #
+  # @see Aws::STS::Client#assume_role
   class AssumeRoleCredentials
 
     include CredentialProvider
@@ -28,23 +28,37 @@ module Aws
     # @option options [Integer] :duration_seconds
     # @option options [String] :external_id
     # @option options [STS::Client] :client
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed.  Useful for updating tokens.
+    #   `before_refresh` is called when AWS credentials are
+    #   required and need to be refreshed. Tokens can be refreshed using
+    #   the following example:
+    #
+    #      before_refresh = Proc.new do |assume_role_credentials| do
+    #        assume_role_credentials.assume_role_params['token_code'] = update_token
+    #      end
+    #
     def initialize(options = {})
       client_opts = {}
       @assume_role_params = {}
       options.each_pair do |key, value|
         if self.class.assume_role_options.include?(key)
           @assume_role_params[key] = value
-        else
+        elsif !CLIENT_EXCLUDE_OPTIONS.include?(key)
           client_opts[key] = value
         end
       end
       @client = client_opts[:client] || STS::Client.new(client_opts)
+      @async_refresh = true
       super
     end
 
     # @return [STS::Client]
     attr_reader :client
 
+    # @return [Hash]
+    attr_reader :assume_role_params
+
     private
 
     def refresh

data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb

@@ -5,9 +5,8 @@ require 'securerandom'
 require 'base64'
 
 module Aws
-
-  # An auto-refreshing credential provider that works by assuming
-  # a role via {Aws::STS::Client#assume_role_with_web_identity}.
+  # An auto-refreshing credential provider that assumes a role via
+  # {Aws::STS::Client#assume_role_with_web_identity}.
   #
   #     role_credentials = Aws::AssumeRoleWebIdentityCredentials.new(
   #       client: Aws::STS::Client.new(...),
@@ -16,12 +15,12 @@ module Aws
   #       role_session_name: "session-name"
   #       ...
   #     )
-  #     For full list of parameters accepted
-  #     @see Aws::STS::Client#assume_role_with_web_identity 
+  #     ec2 = Aws::EC2::Client.new(credentials: role_credentials)
   #
+  # If you omit `:client` option, a new {Aws::STS::Client} object will be
+  # constructed with additional options that were provided.
   #
-  # If you omit `:client` option, a new {STS::Client} object will be
-  # constructed.
+  # @see Aws::STS::Client#assume_role_with_web_identity
   class AssumeRoleWebIdentityCredentials
 
     include CredentialProvider
@@ -39,14 +38,20 @@ module Aws
     #   encoded UUID is generated as the session name
     #
     # @option options [STS::Client] :client
+    #
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
       client_opts = {}
       @assume_role_web_identity_params = {}
       @token_file = options.delete(:web_identity_token_file)
+      @async_refresh = true
       options.each_pair do |key, value|
         if self.class.assume_role_web_identity_options.include?(key)
           @assume_role_web_identity_params[key] = value
-        else
+        elsif !CLIENT_EXCLUDE_OPTIONS.include?(key)
           client_opts[key] = value
         end
       end
@@ -94,11 +99,10 @@ module Aws
       # @api private
       def assume_role_web_identity_options
         @arwio ||= begin
-          input = STS::Client.api.operation(:assume_role_with_web_identity).input
+          input = Aws::STS::Client.api.operation(:assume_role_with_web_identity).input
           Set.new(input.shape.member_names)
         end
       end
-
     end
   end
 end

data/lib/aws-sdk-core/binary/encode_handler.rb

@@ -13,7 +13,7 @@ module Aws
             context.config.api.metadata['protocol'],
             eventstream_member,
             context.operation.input,
-            context.config.sigv4_signer
+            signer_for(context)
           )
           context[:input_event_emitter] = input_es_handler.event_emitter
         end
@@ -22,6 +22,17 @@ module Aws
 
       private
 
+      def signer_for(context)
+        # New endpoint/signing logic, use the auth scheme to make a signer
+        if context[:auth_scheme]
+          Aws::Plugins::Sign.signer_for(context[:auth_scheme], context.config)
+        else
+          # Previous implementation always assumed sigv4_signer from config.
+          # Relies only on sigv4 signing (and plugin) for event stream services
+          context.config.sigv4_signer
+        end
+      end
+
       def eventstream_input?(ctx)
         ctx.operation.input.shape.members.each do |_, ref|
           return ref if ref.eventstream

data/lib/aws-sdk-core/client_stubs.rb

@@ -262,13 +262,17 @@ module Aws
     end
 
     def convert_stub(operation_name, stub)
-      case stub
+      stub = case stub
       when Proc then stub
       when Exception, Class then { error: stub }
       when String then service_error_stub(stub)
       when Hash then http_response_stub(operation_name, stub)
       else { data: stub }
       end
+      if Hash === stub
+        stub[:mutex] = Mutex.new
+      end
+      stub
     end
 
     def service_error_stub(error_code)

data/lib/aws-sdk-core/credential_provider.rb

@@ -6,6 +6,9 @@ module Aws
     # @return [Credentials]
     attr_reader :credentials
 
+    # @return [Time]
+    attr_reader :expiration
+
     # @return [Boolean]
     def set?
       !!credentials && credentials.set?

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -161,7 +161,8 @@ module Aws
 
     def instance_profile_credentials(options)
       profile_name = determine_profile_name(options)
-      if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
+      if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] ||
+         ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
         ECSCredentials.new(options)
       else
         InstanceProfileCredentials.new(options.merge(profile: profile_name))
@@ -169,12 +170,14 @@ module Aws
     end
 
     def assume_role_with_profile(options, profile_name)
-      region = (options[:config] && options[:config].region)
-      Aws.shared_config.assume_role_credentials_from_config(
+      assume_opts = {
         profile: profile_name,
-        region: region,
         chain_config: @config
-      )
+      }
+      if options[:config] && options[:config].region
+        assume_opts[:region] = options[:config].region
+      end
+      Aws.shared_config.assume_role_credentials_from_config(assume_opts)
     end
   end
 end

data/lib/aws-sdk-core/ec2_metadata.rb

@@ -136,8 +136,9 @@ module Aws
 
     def fetch_token
       open_connection do |conn|
+        created_time = Time.now
         token_value, token_ttl = http_put(conn, @token_ttl)
-        @token = Token.new(value: token_value, ttl: token_ttl)
+        @token = Token.new(value: token_value, ttl: token_ttl, created_time: created_time)
       end
     end
 
@@ -222,7 +223,7 @@ module Aws
       def initialize(options = {})
         @ttl   = options[:ttl]
         @value = options[:value]
-        @created_time = Time.now
+        @created_time = options[:created_time] || Time.now
       end
 
       # [String] Returns the token value.