aws-sdk-core 3.125.5 → 3.130.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6097fa7cc1661cdca09ad52fbf3f6ac5d0e2cb23f12c042afb83348fbb682167
-  data.tar.gz: 7674b35f80736d81b5f239bff160457ca5a377c576720f27aae4099298bb7dae
+  metadata.gz: d7804cbac83996a95b2cacbd808389798eb0b461229a9e8e2a966cd28d599aa6
+  data.tar.gz: ce3557bcbd4d6a5edaa1bc99fbd7e75f9b2e23eb6fadb8be06a69b91e2e8a4a7
 SHA512:
-  metadata.gz: 8ec3ffb176c06f067369f3a58ce65fa3fe03fe017312d67a10bbeeae9dcaaaa95ddbbc295b0235fa7671037768ece22a0d6c5d2691fb93d11fd08235dcb80b15
-  data.tar.gz: 0da7d408ebe2173564167decedeb434dc941b786eca73e207c82d93663fc85d9dadaedca6e1a643cfa375332ebd40866f791fa815bb4356a4536c48604991235
+  metadata.gz: d1d0b4ec0b478389290d84409869ed012e4a2ce6408d3dc5c46c618771cc970d9086eb4686dd64b740ebd5eeafe7cc0e8b6fa63d3f89202e8f2841d9a203bdbb
+  data.tar.gz: f4c41ffb85d712bcaf8701aa61a886837517df23e14a53c2b9201d86bfcc1fd41b5b8badded9f91aeb0ee77553c9e2af80b4c82d1e249486b5630afc1582939c

data/CHANGELOG.md

@@ -1,6 +1,65 @@
 Unreleased Changes
 ------------------
 
+3.130.0 (2022-03-11)
+------------------
+
+* Feature - Asynchronously refresh AWS credentials (#2641).
+
+* Issue - Add x-amz-region-set to list of headers deleted for re-sign.
+
+3.129.1 (2022-03-10)
+------------------
+
+* Issue - Make stubs thread safe by creating new responses for each operation call (#2675).
+
+3.129.0 (2022-03-08)
+------------------
+
+* Feature - Add support for cases when `InstanceProfileCredentials` (IMDS) is unable to refresh credentials.
+
+3.128.1 (2022-03-07)
+------------------
+
+* Issue - Fixed `Aws::PageableResponse` invalidating Ruby's global constant cache.
+
+3.128.0 (2022-03-04)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+3.127.0 (2022-02-24)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Support `HttpChecksum` trait for requests and responses.
+
+3.126.2 (2022-02-16)
+------------------
+
+* Issue - Add a before_refresh callback to AssumeRoleCredentials (#2529). 
+* Issue - Raise a `NoSuchProfileError` when config and credentials files don't exist.
+
+3.126.1 (2022-02-14)
+------------------
+
+* Issue - Set `create_time` on IMDS tokens before fetch to reduce chance of using expired tokens and retry failures due to using expired tokens.
+
+3.126.0 (2022-02-03)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Add support for recursion detection.
+
+3.125.6 (2022-02-02)
+------------------
+
+* Issue - Ensure default message for ServiceError is a string (#2643).
+
 3.125.5 (2022-01-19)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.125.5
+3.130.0

data/lib/aws-sdk-core/assume_role_credentials.rb

@@ -17,6 +17,11 @@ module Aws
   #
   # If you omit `:client` option, a new {STS::Client} object will be
   # constructed.
+  #
+  # The AssumeRoleCredentials also provides a `before_refresh` callback
+  # that can be used to help manage refreshing tokens.
+  # `before_refresh` is called when AWS credentials are required and need
+  # to be refreshed and it is called with the AssumeRoleCredentials object.
   class AssumeRoleCredentials
 
     include CredentialProvider
@@ -28,6 +33,16 @@ module Aws
     # @option options [Integer] :duration_seconds
     # @option options [String] :external_id
     # @option options [STS::Client] :client
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed.  Useful for updating tokens.
+    #   `before_refresh` is called when AWS credentials are
+    #   required and need to be refreshed. Tokens can be refreshed using
+    #   the following example:
+    #
+    #      before_refresh = Proc.new do |assume_role_credentials| do
+    #        assume_role_credentials.assume_role_params['token_code'] = update_token
+    #      end
+    #
     def initialize(options = {})
       client_opts = {}
       @assume_role_params = {}
@@ -39,12 +54,16 @@ module Aws
         end
       end
       @client = client_opts[:client] || STS::Client.new(client_opts)
+      @async_refresh = true
       super
     end
 
     # @return [STS::Client]
     attr_reader :client
 
+    # @return [Hash]
+    attr_reader :assume_role_params
+
     private
 
     def refresh

data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb

@@ -17,7 +17,7 @@ module Aws
   #       ...
   #     )
   #     For full list of parameters accepted
-  #     @see Aws::STS::Client#assume_role_with_web_identity 
+  #     @see Aws::STS::Client#assume_role_with_web_identity
   #
   #
   # If you omit `:client` option, a new {STS::Client} object will be
@@ -39,10 +39,16 @@ module Aws
     #   encoded UUID is generated as the session name
     #
     # @option options [STS::Client] :client
+    #
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
       client_opts = {}
       @assume_role_web_identity_params = {}
       @token_file = options.delete(:web_identity_token_file)
+      @async_refresh = true
       options.each_pair do |key, value|
         if self.class.assume_role_web_identity_options.include?(key)
           @assume_role_web_identity_params[key] = value

data/lib/aws-sdk-core/client_stubs.rb

@@ -262,13 +262,17 @@ module Aws
     end
 
     def convert_stub(operation_name, stub)
-      case stub
+      stub = case stub
       when Proc then stub
       when Exception, Class then { error: stub }
       when String then service_error_stub(stub)
       when Hash then http_response_stub(operation_name, stub)
       else { data: stub }
       end
+      if Hash === stub
+        stub[:mutex] = Mutex.new
+      end
+      stub
     end
 
     def service_error_stub(error_code)

data/lib/aws-sdk-core/ec2_metadata.rb

@@ -136,8 +136,9 @@ module Aws
 
     def fetch_token
       open_connection do |conn|
+        created_time = Time.now
         token_value, token_ttl = http_put(conn, @token_ttl)
-        @token = Token.new(value: token_value, ttl: token_ttl)
+        @token = Token.new(value: token_value, ttl: token_ttl, created_time: created_time)
       end
     end
 
@@ -222,7 +223,7 @@ module Aws
       def initialize(options = {})
         @ttl   = options[:ttl]
         @value = options[:value]
-        @created_time = Time.now
+        @created_time = options[:created_time] || Time.now
       end
 
       # [String] Returns the token value.

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -43,6 +43,10 @@ module Aws
     # @option options [IO] :http_debug_output (nil) HTTP wire
     #   traces are sent to this object.  You can specify something
     #   like $stdout.
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
     def initialize options = {}
       @retries = options[:retries] || 5
       @ip_address = options[:ip_address] || '169.254.170.2'
@@ -58,6 +62,7 @@ module Aws
       @http_read_timeout = options[:http_read_timeout] || 5
       @http_debug_output = options[:http_debug_output]
       @backoff = backoff(options[:backoff])
+      @async_refresh = false
       super
     end
 

data/lib/aws-sdk-core/errors.rb

@@ -18,7 +18,7 @@ module Aws
         @code = self.class.code
         @context = context
         @data = data
-        @message = message && !message.empty? ? message : self.class
+        @message = message && !message.empty? ? message : self.class.to_s
         super(@message)
       end
 

data/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -63,6 +63,10 @@ module Aws
     # @option options [Integer] :token_ttl Time-to-Live in seconds for EC2
     #   Metadata Token used for fetching Metadata Profile Credentials, defaults
     #   to 21600 seconds
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
       @retries = options[:retries] || 1
       endpoint_mode = resolve_endpoint_mode(options)
@@ -74,6 +78,8 @@ module Aws
       @backoff = backoff(options[:backoff])
       @token_ttl = options[:token_ttl] || 21_600
       @token = nil
+      @no_refresh_until = nil
+      @async_refresh = false
       super
     end
 
@@ -121,18 +127,48 @@ module Aws
     end
 
     def refresh
+      if @no_refresh_until && @no_refresh_until > Time.now
+        warn_expired_credentials
+        return
+      end
+
       # Retry loading credentials up to 3 times is the instance metadata
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
       begin
         retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
           c = Aws::Json.load(get_credentials.to_s)
-          @credentials = Credentials.new(
-            c['AccessKeyId'],
-            c['SecretAccessKey'],
-            c['Token']
-          )
-          @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+          if empty_credentials?(@credentials)
+            @credentials = Credentials.new(
+              c['AccessKeyId'],
+              c['SecretAccessKey'],
+              c['Token']
+            )
+            @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+            if @expiration && @expiration < Time.now
+              @no_refresh_until = Time.now + refresh_offset
+              warn_expired_credentials
+            end
+          else
+            #  credentials are already set, update them only if the new ones are not empty
+            if !c['AccessKeyId'] || c['AccessKeyId'].empty?
+              # error getting new credentials
+              @no_refresh_until = Time.now + refresh_offset
+              warn_expired_credentials
+            else
+              @credentials = Credentials.new(
+                c['AccessKeyId'],
+                c['SecretAccessKey'],
+                c['Token']
+              )
+              @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+              if @expiration && @expiration < Time.now
+                @no_refresh_until = Time.now + refresh_offset
+                warn_expired_credentials
+              end
+            end
+          end
+
         end
       rescue Aws::Json::ParseError
         raise Aws::Errors::MetadataParserError
@@ -153,10 +189,11 @@ module Aws
               begin
                 retry_errors(NETWORK_ERRORS, max_retries: @retries) do
                   unless token_set?
+                    created_time = Time.now
                     token_value, ttl = http_put(
                       conn, METADATA_TOKEN_PATH, @token_ttl
                     )
-                    @token = Token.new(token_value, ttl) if token_value && ttl
+                    @token = Token.new(token_value, ttl, created_time) if token_value && ttl
                   end
                 end
               rescue *NETWORK_ERRORS
@@ -166,9 +203,17 @@ module Aws
               end
 
               token = @token.value if token_set?
-              metadata = http_get(conn, METADATA_PATH_BASE, token)
-              profile_name = metadata.lines.first.strip
-              http_get(conn, METADATA_PATH_BASE + profile_name, token)
+
+              begin
+                metadata = http_get(conn, METADATA_PATH_BASE, token)
+                profile_name = metadata.lines.first.strip
+                http_get(conn, METADATA_PATH_BASE + profile_name, token)
+              rescue TokenExpiredError
+                # Token has expired, reset it
+                # The next retry should fetch it
+                @token = nil
+                raise Non200Response
+              end
             end
           end
         rescue
@@ -200,9 +245,15 @@ module Aws
       headers = { 'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}" }
       headers['x-aws-ec2-metadata-token'] = token if token
       response = connection.request(Net::HTTP::Get.new(path, headers))
-      raise Non200Response unless response.code.to_i == 200
 
-      response.body
+      case response.code.to_i
+      when 200
+        response.body
+      when 401
+        raise TokenExpiredError
+      else
+        raise Non200Response
+      end
     end
 
     # PUT request fetch token with ttl
@@ -241,13 +292,28 @@ module Aws
       end
     end
 
+    def warn_expired_credentials
+      warn("Attempting credential expiration extension due to a credential "\
+        "service availability issue. A refresh of these credentials "\
+        "will be attempted again in 5 minutes.")
+    end
+
+    def empty_credentials?(creds)
+      !creds || !creds.access_key_id || creds.access_key_id.empty?
+    end
+
+    # Compute an offset for refresh with jitter
+    def refresh_offset
+      300 + rand(0..60)
+    end
+
     # @api private
     # Token used to fetch IMDS profile and credentials
     class Token
-      def initialize(value, ttl)
+      def initialize(value, ttl, created_time = Time.now)
         @ttl = ttl
         @value = value
-        @created_time = Time.now
+        @created_time = created_time
       end
 
       # [String] token value

data/lib/aws-sdk-core/pageable_response.rb

@@ -48,11 +48,11 @@ module Aws
   #
   module PageableResponse
 
-    def self.extended(base)
-      base.extend Enumerable
-      base.extend UnsafeEnumerableMethods
-      base.instance_variable_set("@last_page", nil)
-      base.instance_variable_set("@more_results", nil)
+    def self.apply(base)
+      base.extend Extension
+      base.instance_variable_set(:@last_page, nil)
+      base.instance_variable_set(:@more_results, nil)
+      base
     end
 
     # @return [Paging::Pager]
@@ -62,39 +62,26 @@ module Aws
     # when this method returns `false` will raise an error.
     # @return [Boolean]
     def last_page?
-      if @last_page.nil?
-        @last_page = !@pager.truncated?(self)
-      end
-      @last_page
+      # Actual implementation is in PageableResponse::Extension
     end
 
     # Returns `true` if there are more results.  Calling {#next_page} will
     # return the next response.
     # @return [Boolean]
     def next_page?
-      !last_page?
+      # Actual implementation is in PageableResponse::Extension
     end
 
     # @return [Seahorse::Client::Response]
     def next_page(params = {})
-      if last_page?
-        raise LastPageError.new(self)
-      else
-        next_response(params)
-      end
+      # Actual implementation is in PageableResponse::Extension
     end
 
     # Yields the current and each following response to the given block.
     # @yieldparam [Response] response
     # @return [Enumerable,nil] Returns a new Enumerable if no block is given.
     def each(&block)
-      return enum_for(:each_page) unless block_given?
-      response = self
-      yield(response)
-      until response.last_page?
-        response = response.next_page
-        yield(response)
-      end
+      # Actual implementation is in PageableResponse::Extension
     end
     alias each_page each
 
@@ -105,9 +92,7 @@ module Aws
     # @return [Seahorse::Client::Response] Returns the next page of
     #   results.
     def next_response(params)
-      params = next_page_params(params)
-      request = context.client.build_request(context.operation_name, params)
-      request.send_request
+      # Actual implementation is in PageableResponse::Extension
     end
 
     # @param [Hash] params A hash of additional request params to
@@ -115,13 +100,7 @@ module Aws
     # @return [Hash] Returns the hash of request parameters for the
     #   next page, merging any given params.
     def next_page_params(params)
-      # Remove all previous tokens from original params
-      # Sometimes a token can be nil and merge would not include it.
-      tokens = @pager.tokens.values.map(&:to_sym)
-
-      params_without_tokens = context[:original_params].reject { |k, _v| tokens.include?(k) }
-      params_without_tokens.merge!(@pager.next_tokens(self).merge(params))
-      params_without_tokens
+      # Actual implementation is in PageableResponse::Extension
     end
 
     # Raised when calling {PageableResponse#next_page} on a pager that
@@ -168,5 +147,66 @@ module Aws
       end
 
     end
+
+    # The actual decorator module implementation. It is in a distinct module
+    # so that it can be used to extend objects without busting Ruby's constant cache.
+    # object.extend(mod) bust the constant cache only if `mod` contains constants of its own.
+    # @api private
+    module Extension
+
+      include Enumerable
+      include UnsafeEnumerableMethods
+
+      attr_accessor :pager
+
+      def last_page?
+        if @last_page.nil?
+          @last_page = !@pager.truncated?(self)
+        end
+        @last_page
+      end
+
+      def next_page?
+        !last_page?
+      end
+
+      def next_page(params = {})
+        if last_page?
+          raise LastPageError.new(self)
+        else
+          next_response(params)
+        end
+      end
+
+      def each(&block)
+        return enum_for(:each_page) unless block_given?
+        response = self
+        yield(response)
+        until response.last_page?
+          response = response.next_page
+          yield(response)
+        end
+      end
+      alias each_page each
+
+      private
+
+      def next_response(params)
+        params = next_page_params(params)
+        request = context.client.build_request(context.operation_name, params)
+        request.send_request
+      end
+
+      def next_page_params(params)
+        # Remove all previous tokens from original params
+        # Sometimes a token can be nil and merge would not include it.
+        tokens = @pager.tokens.values.map(&:to_sym)
+
+        params_without_tokens = context[:original_params].reject { |k, _v| tokens.include?(k) }
+        params_without_tokens.merge!(@pager.next_tokens(self).merge(params))
+        params_without_tokens
+      end
+
+    end
   end
 end