aws-sdk-core 3.124.0 → 3.186.0

data/lib/aws-sdk-core/plugins/sign.rb

@@ -0,0 +1,201 @@
+# frozen_string_literal: true
+
+require 'aws-sigv4'
+
+module Aws
+  module Plugins
+    # @api private
+    class Sign < Seahorse::Client::Plugin
+      # These once had defaults. But now they are used as overrides to
+      # new endpoint and auth resolution.
+      option(:sigv4_signer)
+      option(:sigv4_name)
+      option(:sigv4_region)
+      option(:unsigned_operations, default: [])
+
+      supported_auth_types = %w[sigv4 bearer none]
+      supported_auth_types += ['sigv4a'] if Aws::Sigv4::Signer.use_crt?
+      SUPPORTED_AUTH_TYPES = supported_auth_types.freeze
+
+      def add_handlers(handlers, cfg)
+        operations = cfg.api.operation_names - cfg.unsigned_operations
+        handlers.add(Handler, step: :sign, operations: operations)
+      end
+
+      # @api private
+      # Return a signer with the `sign(context)` method
+      def self.signer_for(auth_scheme, config, region_override = nil)
+        case auth_scheme['name']
+        when 'sigv4', 'sigv4a'
+          SignatureV4.new(auth_scheme, config, region_override)
+        when 'bearer'
+          Bearer.new
+        else
+          NullSigner.new
+        end
+      end
+
+      class Handler < Seahorse::Client::Handler
+        def call(context)
+          # Skip signing if using sigv2 signing from s3_signer in S3
+          unless v2_signing?(context.config)
+            signer = Sign.signer_for(
+              context[:auth_scheme],
+              context.config,
+              context[:sigv4_region]
+            )
+            signer.sign(context)
+          end
+          @handler.call(context)
+        end
+
+        private
+
+        def v2_signing?(config)
+          # 's3' is legacy signing, 'v4' is default
+          config.respond_to?(:signature_version) &&
+            config.signature_version == 's3'
+        end
+      end
+
+      # @api private
+      class Bearer
+        def initialize
+        end
+
+        def sign(context)
+          if context.http_request.endpoint.scheme != 'https'
+            raise ArgumentError,
+                  'Unable to use bearer authorization on non https endpoint.'
+          end
+
+          token_provider = context.config.token_provider
+
+          raise Errors::MissingBearerTokenError unless token_provider&.set?
+
+          context.http_request.headers['Authorization'] =
+            "Bearer #{token_provider.token.token}"
+        end
+
+        def presign_url(*args)
+          raise ArgumentError, 'Bearer auth does not support presigned urls'
+        end
+
+        def sign_event(*args)
+          raise ArgumentError, 'Bearer auth does not support event signing'
+        end
+      end
+
+      # @api private
+      class SignatureV4
+        def initialize(auth_scheme, config, region_override = nil)
+          scheme_name = auth_scheme['name']
+
+          unless %w[sigv4 sigv4a].include?(scheme_name)
+            raise ArgumentError,
+                  "Expected sigv4 or sigv4a auth scheme, got #{scheme_name}"
+          end
+
+          region = if scheme_name == 'sigv4a'
+                     auth_scheme['signingRegionSet'].first
+                   else
+                     auth_scheme['signingRegion']
+                   end
+          begin
+            @signer = Aws::Sigv4::Signer.new(
+              service: config.sigv4_name || auth_scheme['signingName'],
+              region: region_override || config.sigv4_region || region,
+              credentials_provider: config.credentials,
+              signing_algorithm: scheme_name.to_sym,
+              uri_escape_path: !!!auth_scheme['disableDoubleEncoding'],
+              normalize_path: !!!auth_scheme['disableNormalizePath'],
+              unsigned_headers: %w[content-length user-agent x-amzn-trace-id]
+            )
+          rescue Aws::Sigv4::Errors::MissingCredentialsError
+            raise Aws::Errors::MissingCredentialsError
+          end
+        end
+
+        def sign(context)
+          req = context.http_request
+
+          apply_authtype(context, req)
+          reset_signature(req)
+          apply_clock_skew(context, req)
+
+          # compute the signature
+          begin
+            signature = @signer.sign_request(
+              http_method: req.http_method,
+              url: req.endpoint,
+              headers: req.headers,
+              body: req.body
+            )
+          rescue Aws::Sigv4::Errors::MissingCredentialsError
+            # Necessary for when credentials is explicitly set to nil
+            raise Aws::Errors::MissingCredentialsError
+          end
+          # apply signature headers
+          req.headers.update(signature.headers)
+
+          # add request metadata with signature components for debugging
+          context[:canonical_request] = signature.canonical_request
+          context[:string_to_sign] = signature.string_to_sign
+        end
+
+        def presign_url(*args)
+          @signer.presign_url(*args)
+        end
+
+        def sign_event(*args)
+          @signer.sign_event(*args)
+        end
+
+        private
+
+        def apply_authtype(context, req)
+          if context.operation['authtype'].eql?('v4-unsigned-body') &&
+             req.endpoint.scheme.eql?('https')
+            req.headers['X-Amz-Content-Sha256'] ||= 'UNSIGNED-PAYLOAD'
+          end
+        end
+
+        def reset_signature(req)
+          # in case this request is being re-signed
+          req.headers.delete('Authorization')
+          req.headers.delete('X-Amz-Security-Token')
+          req.headers.delete('X-Amz-Date')
+          req.headers.delete('x-Amz-Region-Set')
+        end
+
+        def apply_clock_skew(context, req)
+          if context.config.respond_to?(:clock_skew) &&
+             context.config.clock_skew &&
+             context.config.correct_clock_skew
+
+            endpoint = context.http_request.endpoint
+            skew = context.config.clock_skew.clock_correction(endpoint)
+            if skew.abs.positive?
+              req.headers['X-Amz-Date'] =
+                (Time.now.utc + skew).strftime('%Y%m%dT%H%M%SZ')
+            end
+          end
+        end
+
+      end
+
+      # @api private
+      class NullSigner
+
+        def sign(context)
+        end
+
+        def presign_url(*args)
+        end
+
+        def sign_event(*args)
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/signature_v2.rb

@@ -3,6 +3,7 @@
 module Aws
   module Plugins
     # @api private
+    # Necessary to keep after Endpoints 2.0
     class SignatureV2 < Seahorse::Client::Plugin
 
       option(:v2_signer) do |cfg|

data/lib/aws-sdk-core/plugins/signature_v4.rb

@@ -5,8 +5,11 @@ require 'aws-sigv4'
 module Aws
   module Plugins
     # @api private
+    # Necessary to exist after endpoints 2.0
     class SignatureV4 < Seahorse::Client::Plugin
 
+      V4_AUTH = %w[v4 v4-unsigned-payload v4-unsigned-body]
+
       option(:sigv4_signer) do |cfg|
         SignatureV4.build_signer(cfg)
       end
@@ -32,13 +35,16 @@ module Aws
       end
 
       option(:unsigned_operations) do |cfg|
-        cfg.api.operation_names.inject([]) do |unsigned, operation_name|
-          if cfg.api.operation(operation_name)['authtype'] == 'none' ||
-             cfg.api.operation(operation_name)['authtype'] == 'custom'
-            # Unsign requests that has custom apigateway authorizer as well
-            unsigned << operation_name
-          else
-            unsigned
+        if cfg.api.metadata['signatureVersion'] == 'v4'
+          # select operations where authtype is set and is not v4
+          cfg.api.operation_names.select do |o|
+            cfg.api.operation(o)['authtype'] && !V4_AUTH.include?(cfg.api.operation(o)['authtype'])
+          end
+        else # service is not v4 auth
+          # select all operations where authtype is not v4
+          # (includes operations with no explicit authtype)
+          cfg.api.operation_names.select do |o|
+            !V4_AUTH.include?(cfg.api.operation(o)['authtype'])
           end
         end
       end
@@ -98,6 +104,7 @@ module Aws
           req.headers.delete('Authorization')
           req.headers.delete('X-Amz-Security-Token')
           req.headers.delete('X-Amz-Date')
+          req.headers.delete('x-Amz-Region-Set')
 
           if context.config.respond_to?(:clock_skew) &&
              context.config.clock_skew &&
@@ -134,7 +141,7 @@ module Aws
         def apply_authtype(context)
           if context.operation['authtype'].eql?('v4-unsigned-body') &&
              context.http_request.endpoint.scheme.eql?('https')
-            context.http_request.headers['X-Amz-Content-Sha256'] = 'UNSIGNED-PAYLOAD'
+            context.http_request.headers['X-Amz-Content-Sha256'] ||= 'UNSIGNED-PAYLOAD'
           end
           context
         end

data/lib/aws-sdk-core/plugins/stub_responses.rb

@@ -51,7 +51,11 @@ requests are made, and retries are disabled.
           stub = context.client.next_stub(context)
           resp = Seahorse::Client::Response.new(context: context)
           async_mode = context.client.is_a? Seahorse::Client::AsyncBase
-          apply_stub(stub, resp, async_mode)
+          if Hash === stub && stub[:mutex]
+            stub[:mutex].synchronize { apply_stub(stub, resp, async_mode) }
+          else
+            apply_stub(stub, resp, async_mode)
+          end
 
           async_mode ? Seahorse::Client::AsyncResponse.new(
             context: context, stream: context[:input_event_stream_handler].event_emitter.stream, sync_queue: Queue.new) : resp

data/lib/aws-sdk-core/plugins/user_agent.rb

@@ -4,7 +4,31 @@ module Aws
   module Plugins
     # @api private
     class UserAgent < Seahorse::Client::Plugin
+      # @api private
       option(:user_agent_suffix)
+      # @api private
+      option(:user_agent_frameworks, default: [])
+
+      option(
+        :sdk_ua_app_id,
+        doc_type: 'String',
+        docstring: <<-DOCS) do |cfg|
+A unique and opaque application ID that is appended to the
+User-Agent header as app/<sdk_ua_app_id>. It should have a
+maximum length of 50.
+        DOCS
+        app_id = ENV['AWS_SDK_UA_APP_ID']
+        app_id ||= Aws.shared_config.sdk_ua_app_id(profile: cfg.profile)
+        app_id
+      end
+
+      def self.feature(feature, &block)
+        Thread.current[:aws_sdk_core_user_agent_feature] ||= []
+        Thread.current[:aws_sdk_core_user_agent_feature] << "ft/#{feature}"
+        block.call
+      ensure
+        Thread.current[:aws_sdk_core_user_agent_feature].pop
+      end
 
       # @api private
       class Handler < Seahorse::Client::Handler
@@ -14,33 +38,112 @@ module Aws
         end
 
         def set_user_agent(context)
-          ua = "aws-sdk-ruby3/#{CORE_GEM_VERSION}"
+          context.http_request.headers['User-Agent'] = UserAgent.new(context).to_s
+        end
+
+        class UserAgent
+          def initialize(context)
+            @context = context
+          end
+
+          def to_s
+            ua = "aws-sdk-ruby3/#{CORE_GEM_VERSION}"
+            ua += ' ua/2.0'
+            ua += " #{api_metadata}" if api_metadata
+            ua += " #{os_metadata}"
+            ua += " #{language_metadata}"
+            ua += " #{env_metadata}" if env_metadata
+            ua += " #{config_metadata}" if config_metadata
+            ua += " #{app_id}" if app_id
+            ua += " #{feature_metadata}" if feature_metadata
+            ua += " #{framework_metadata}" if framework_metadata
+            if @context.config.user_agent_suffix
+              ua += " #{@context.config.user_agent_suffix}"
+            end
+            ua.strip
+          end
+
+          private
 
-          begin
-            ua += " #{RUBY_ENGINE}/#{RUBY_VERSION}"
-          rescue
-            ua += " RUBY_ENGINE_NA/#{RUBY_VERSION}"
+          # Used to be gem_name/gem_version
+          def api_metadata
+            service_id = @context.config.api.metadata['serviceId']
+            return unless service_id
+
+            service_id = service_id.gsub(' ', '_').downcase
+            gem_version = @context[:gem_version]
+            "api/#{service_id}##{gem_version}"
+          end
+
+          # Used to be RUBY_PLATFORM
+          def os_metadata
+            os =
+              case RbConfig::CONFIG['host_os']
+              when /mac|darwin/
+                'macos'
+              when /linux|cygwin/
+                'linux'
+              when /mingw|mswin/
+                'windows'
+              else
+                'other'
+              end
+            metadata = "os/#{os}"
+            local_version = Gem::Platform.local.version
+            metadata += "##{local_version}" if local_version
+            metadata += " md/#{RbConfig::CONFIG['host_cpu']}"
+            metadata
           end
 
-          ua += " #{RUBY_PLATFORM}"
+          # Used to be RUBY_ENGINE/RUBY_VERSION
+          def language_metadata
+            "lang/#{RUBY_ENGINE}##{RUBY_ENGINE_VERSION} md/#{RUBY_VERSION}"
+          end
+
+          def env_metadata
+            return unless (execution_env = ENV['AWS_EXECUTION_ENV'])
+
+            "exec-env/#{execution_env}"
+          end
 
-          if context[:gem_name] && context[:gem_version]
-            ua += " #{context[:gem_name]}/#{context[:gem_version]}"
+          def config_metadata
+            "cfg/retry-mode##{@context.config.retry_mode}"
           end
 
-          if (execution_env = ENV['AWS_EXECUTION_ENV'])
-            ua += " exec-env/#{execution_env}"
+          def app_id
+            return unless (app_id = @context.config.sdk_ua_app_id)
+
+            # Sanitize and only allow these characters
+            app_id = app_id.gsub(/[^!#$%&'*+\-.^_`|~0-9A-Za-z]/, '-')
+            "app/#{app_id}"
           end
 
-          if context.config.user_agent_suffix
-            ua += " #{context.config.user_agent_suffix}"
+          def feature_metadata
+            return unless Thread.current[:aws_sdk_core_user_agent_feature]
+
+            Thread.current[:aws_sdk_core_user_agent_feature].join(' ')
           end
 
-          context.http_request.headers['User-Agent'] = ua.strip
+          def framework_metadata
+            if (frameworks_cfg = @context.config.user_agent_frameworks).empty?
+              return
+            end
+
+            # Frameworks may be aws-record, aws-sdk-rails, etc.
+            regex = /gems\/(?<name>#{frameworks_cfg.join('|')})-(?<version>\d+\.\d+\.\d+)/.freeze
+            frameworks = {}
+            Kernel.caller.each do |line|
+              match = line.match(regex)
+              next unless match
+
+              frameworks[match[:name]] = match[:version]
+            end
+            frameworks.map { |n, v| "lib/#{n}##{v}" }.join(' ')
+          end
         end
       end
 
-      handler(Handler)
+      handler(Handler, priority: 1)
     end
   end
 end

data/lib/aws-sdk-core/process_credentials.rb

@@ -1,19 +1,16 @@
 # frozen_string_literal: true
 
 module Aws
-
   # A credential provider that executes a given process and attempts
-  # to read its stdout to recieve a JSON payload containing the credentials
-  #
-  # Automatically handles refreshing credentials if an Expiration time is
-  # provided in the credentials payload
-  #
-  #     credentials = Aws::ProcessCredentials.new('/usr/bin/credential_proc').credentials
+  # to read its stdout to recieve a JSON payload containing the credentials.
   #
+  #     credentials = Aws::ProcessCredentials.new('/usr/bin/credential_proc')
   #     ec2 = Aws::EC2::Client.new(credentials: credentials)
   #
-  # More documentation on process based credentials can be found here:
-  # https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
+  # Automatically handles refreshing credentials if an Expiration time is
+  # provided in the credentials payload.
+  #
+  # @see https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
   class ProcessCredentials
 
     include CredentialProvider
@@ -27,6 +24,7 @@ module Aws
     def initialize(process)
       @process = process
       @credentials = credentials_from_process(@process)
+      @async_refresh = false
 
       super
     end
@@ -73,9 +71,9 @@ module Aws
       @credentials = credentials_from_process(@process)
     end
 
-    def near_expiration?
+    def near_expiration?(expiration_length)
       # are we within 5 minutes of expiration?
-      @expiration && (Time.now.to_i + 5 * 60) > @expiration.to_i
+      @expiration && (Time.now.to_i + expiration_length) > @expiration.to_i
     end
   end
 end

data/lib/aws-sdk-core/refreshing_credentials.rb

@@ -17,45 +17,70 @@ module Aws
   # @api private
   module RefreshingCredentials
 
+    SYNC_EXPIRATION_LENGTH = 300 # 5 minutes
+    ASYNC_EXPIRATION_LENGTH = 600 # 10 minutes
+
+    CLIENT_EXCLUDE_OPTIONS = Set.new([:before_refresh]).freeze
+
     def initialize(options = {})
       @mutex = Mutex.new
+      @before_refresh = options.delete(:before_refresh) if Hash === options
+
+      @before_refresh.call(self) if @before_refresh
       refresh
     end
 
     # @return [Credentials]
     def credentials
-      refresh_if_near_expiration
+      refresh_if_near_expiration!
       @credentials
     end
 
-    # @return [Time,nil]
-    def expiration
-      refresh_if_near_expiration
-      @expiration
-    end
-
     # Refresh credentials.
     # @return [void]
     def refresh!
-      @mutex.synchronize { refresh }
+      @mutex.synchronize do
+        @before_refresh.call(self) if @before_refresh
+
+        refresh
+      end
     end
 
     private
 
-    # Refreshes instance metadata credentials if they are within
-    # 5 minutes of expiration.
-    def refresh_if_near_expiration
-      if near_expiration?
+    # Refreshes credentials asynchronously and synchronously.
+    # If we are near to expiration, block while getting new credentials.
+    # Otherwise, if we're approaching expiration, use the existing credentials
+    # but attempt a refresh in the background.
+    def refresh_if_near_expiration!
+      # Note: This check is an optimization. Rather than acquire the mutex on every #refresh_if_near_expiration
+      # call, we check before doing so, and then we check within the mutex to avoid a race condition.
+      # See issue: https://github.com/aws/aws-sdk-ruby/issues/2641 for more info.
+      if near_expiration?(SYNC_EXPIRATION_LENGTH)
         @mutex.synchronize do
-          refresh if near_expiration?
+          if near_expiration?(SYNC_EXPIRATION_LENGTH)
+            @before_refresh.call(self) if @before_refresh
+            refresh
+          end
+        end
+      elsif @async_refresh && near_expiration?(ASYNC_EXPIRATION_LENGTH)
+        unless @mutex.locked?
+          Thread.new do
+            @mutex.synchronize do
+              if near_expiration?(ASYNC_EXPIRATION_LENGTH)
+                @before_refresh.call(self) if @before_refresh
+                refresh
+              end
+            end
+          end
         end
       end
     end
 
-    def near_expiration?
+    def near_expiration?(expiration_length)
       if @expiration
-        # are we within 5 minutes of expiration?
-        (Time.now.to_i + 5 * 60) > @expiration.to_i
+        # Are we within expiration?
+        (Time.now.to_i + expiration_length) > @expiration.to_i
       else
         true
       end

data/lib/aws-sdk-core/refreshing_token.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'thread'
+
+module Aws
+
+  # Module/mixin used by token provider classes that can be refreshed. This
+  # provides basic refresh logic in a thread-safe manner. Classes mixing in
+  # this module are expected to implement a #refresh method that populates
+  # the following instance variable:
+  #
+  # * `@token` [Token] - {Aws::Token} object with the `expiration` and `token`
+  #       fields set.
+  #
+  # @api private
+  module RefreshingToken
+
+    def initialize(options = {})
+      @mutex = Mutex.new
+      @before_refresh = options.delete(:before_refresh) if Hash === options
+
+      @before_refresh.call(self) if @before_refresh
+      refresh
+    end
+
+    # @return [Token]
+    def token
+      refresh_if_near_expiration
+      @token
+    end
+
+    # @return [Time,nil]
+    def expiration
+      refresh_if_near_expiration
+      @expiration
+    end
+
+    # Refresh token.
+    # @return [void]
+    def refresh!
+      @mutex.synchronize do
+        @before_refresh.call(self) if @before_refresh
+        refresh
+      end
+    end
+
+    private
+
+    # Refreshes token if it is within
+    # 5 minutes of expiration.
+    def refresh_if_near_expiration
+      if near_expiration?
+        @mutex.synchronize do
+          if near_expiration?
+            @before_refresh.call(self) if @before_refresh
+            refresh
+          end
+        end
+      end
+    end
+
+    def near_expiration?
+      if @token && @token.expiration
+        # are we within 5 minutes of expiration?
+        (Time.now.to_i + 5 * 60) > @token.expiration.to_i
+      else
+        true
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/rest/handler.rb

@@ -17,7 +17,7 @@ module Aws
 
       def apply_request_id(context)
         h = context.http_response.headers
-        context[:request_id] = h['x-amz-request-id'] || h['x-amzn-requestid']
+        context[:request_id] ||= h['x-amz-request-id'] || h['x-amzn-requestid']
       end
 
     end

data/lib/aws-sdk-core/rest/request/headers.rb

@@ -32,12 +32,11 @@ module Aws
 
         def apply_header_value(headers, ref, value)
           value = apply_json_trait(value) if ref['jsonvalue']
-          headers[ref.location_name] =
-            case ref.shape
-            when TimestampShape then timestamp(ref, value)
-            when ListShape then list(ref, value)
-            else value.to_s
-            end
+          case ref.shape
+          when TimestampShape then headers[ref.location_name] = timestamp(ref, value)
+          when ListShape then list(headers, ref, value)
+          else headers[ref.location_name] = value.to_s
+          end
         end
 
         def timestamp(ref, value)
@@ -50,8 +49,12 @@ module Aws
           end
         end
 
-        def list(_ref, value)
-          value.compact.join(",")
+        def list(headers, ref, value)
+          return if !value || value.empty?
+          headers[ref.location_name] = value
+            .compact
+            .map { |s| Seahorse::Util.escape_header_list_string(s.to_s) }
+            .join(',')
         end
 
         def apply_header_map(headers, ref, values)