aws-sdk-core 3.125.6 → 3.188.0

data/lib/aws-sdk-core/sso_credentials.rb

@@ -1,45 +1,37 @@
 # frozen_string_literal: true
 
 module Aws
-  # An auto-refreshing credential provider that works by assuming a
-  # role via {Aws::SSO::Client#get_role_credentials} using a cached access
-  # token.  This class does NOT implement the SSO login token flow - tokens
-  # must generated and refreshed separately by running `aws login` from the
-  # AWS CLI with the correct profile.
-  #
-  # For more background on AWS SSO see the official
-  # {https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html what is SSO Userguide}
-  #
-  # ## Refreshing Credentials from SSO
-  #
-  # The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In
-  # addition to AWS credentials expiring after a given amount of time, the
-  # access token generated and cached from `aws login` will also expire.
-  # Once this token expires, it will not be usable to refresh AWS credentials,
-  # and another token will be needed. The SDK does not manage refreshing of
-  # the token value, but this can be done by running `aws login` with the
-  # correct profile.
-  #
+  # An auto-refreshing credential provider that assumes a role via
+  # {Aws::SSO::Client#get_role_credentials} using a cached access
+  # token. When `sso_session` is specified, token refresh logic from
+  # {Aws::SSOTokenProvider} will be used to refresh the token if possible.
+  # This class does NOT implement the SSO login token flow - tokens
+  # must generated separately by running `aws login` from the
+  # AWS CLI with the correct profile. The `SSOCredentials` will
+  # auto-refresh the AWS credentials from SSO.
   #
   #     # You must first run aws sso login --profile your-sso-profile
   #     sso_credentials = Aws::SSOCredentials.new(
   #       sso_account_id: '123456789',
   #       sso_role_name: "role_name",
   #       sso_region: "us-east-1",
-  #       sso_start_url: 'https://your-start-url.awsapps.com/start'
+  #       sso_session: 'my_sso_session'
   #     )
-  #
   #     ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
   #
-  # If you omit `:client` option, a new {SSO::Client} object will be
-  # constructed.
+  # If you omit `:client` option, a new {Aws::SSO::Client} object will be
+  # constructed with additional options that were provided.
+  #
+  # @see Aws::SSO::Client#get_role_credentials
+  # @see https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
   class SSOCredentials
 
     include CredentialProvider
     include RefreshingCredentials
 
     # @api private
-    SSO_REQUIRED_OPTS = [:sso_account_id, :sso_region, :sso_role_name, :sso_start_url].freeze
+    LEGACY_REQUIRED_OPTS =         [:sso_start_url, :sso_account_id, :sso_region, :sso_role_name].freeze
+    TOKEN_PROVIDER_REQUIRED_OPTS = [:sso_session, :sso_account_id, :sso_region, :sso_role_name].freeze
 
     # @api private
     SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
@@ -49,38 +41,79 @@ module Aws
     # @option options [required, String] :sso_account_id The AWS account ID
     #   that temporary AWS credentials will be resolved for
     #
-    # @option options [required, String] :sso_region The AWS region where the
-    #   SSO directory for the given sso_start_url is hosted.
-    #
     # @option options [required, String] :sso_role_name The corresponding
     #   IAM role in the AWS account that temporary AWS credentials
     #   will be resolved for.
     #
-    # @option options [required, String] :sso_start_url The start URL is
-    #   provided by the SSO service via the console and is the URL used to
+    # @option options [required, String] :sso_region The AWS region where the
+    #   SSO directory for the given sso_start_url is hosted.
+    #
+    # @option options [String] :sso_session The SSO Token used for fetching
+    #   the token. If provided, refresh logic from the {Aws::SSOTokenProvider}
+    #   will be used.
+    #
+    # @option options [String] :sso_start_url (legacy profiles) If provided,
+    #   legacy token fetch behavior will be used, which does not support
+    #   token refreshing.  The start URL is provided by the SSO
+    #   service via the console and is the URL used to
     #   login to the SSO directory. This is also sometimes referred to as
-    #   the "User Portal URL"
+    #   the "User Portal URL".
     #
     # @option options [SSO::Client] :client Optional `SSO::Client`.  If not
     #   provided, a client will be constructed.
+    #
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
+      options = options.select {|k, v| !v.nil? }
+      if (options[:sso_session])
+        missing_keys = TOKEN_PROVIDER_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = false
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
 
-      missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
-      unless missing_keys.empty?
-        raise ArgumentError, "Missing required keys: #{missing_keys}"
-      end
+        # if client has been passed, don't pass through to SSOTokenProvider
+        @client = options.delete(:client)
+        options.delete(:sso_start_url)
+        @token_provider = Aws::SSOTokenProvider.new(options.dup)
+        @sso_session = options.delete(:sso_session)
+        @sso_region = options.delete(:sso_region)
+
+        unless @client
+          client_opts = {}
+          options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+          client_opts[:region] = @sso_region
+          client_opts[:credentials] = nil
+          @client = Aws::SSO::Client.new(client_opts)
+        end
+      else # legacy behavior
+        missing_keys = LEGACY_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = true
+        @sso_start_url = options.delete(:sso_start_url)
+        @sso_region = options.delete(:sso_region)
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
 
-      @sso_start_url = options.delete(:sso_start_url)
-      @sso_region = options.delete(:sso_region)
-      @sso_role_name = options.delete(:sso_role_name)
-      @sso_account_id = options.delete(:sso_account_id)
+        # validate we can read the token file
+        read_cached_token
 
-      # validate we can read the token file
-      read_cached_token
+        client_opts = {}
+        options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+        client_opts[:region] = @sso_region
+        client_opts[:credentials] = nil
+
+        @client = options[:client] || Aws::SSO::Client.new(client_opts)
+      end
 
-      options[:region] = @sso_region
-      options[:credentials] = nil
-      @client = options[:client] || Aws::SSO::Client.new(options)
+      @async_refresh = true
       super
     end
 
@@ -105,19 +138,27 @@ module Aws
     end
 
     def refresh
-      cached_token = read_cached_token
-      c = @client.get_role_credentials(
-        account_id: @sso_account_id,
-        role_name: @sso_role_name,
-        access_token: cached_token['accessToken']
-      ).role_credentials
+      c = if @legacy
+            cached_token = read_cached_token
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: cached_token['accessToken']
+            ).role_credentials
+          else
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: @token_provider.token.token
+            ).role_credentials
+          end
 
       @credentials = Credentials.new(
         c.access_key_id,
         c.secret_access_key,
         c.session_token
       )
-      @expiration = c.expiration
+      @expiration = Time.at(c.expiration / 1000.0)
     end
 
     def sso_cache_file

data/lib/aws-sdk-core/sso_token_provider.rb

@@ -0,0 +1,135 @@
+# frozen_string_literal: true
+
+module Aws
+  class SSOTokenProvider
+
+    include TokenProvider
+    include RefreshingToken
+
+    # @api private
+    SSO_REQUIRED_OPTS = [:sso_region, :sso_session].freeze
+
+    # @api private
+    SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
+    'expired or is otherwise invalid. To refresh this SSO session run '\
+    'aws sso login with the corresponding profile.'.freeze
+
+    # @option options [required, String] :sso_region The AWS region where the
+    #   SSO directory for the given sso_start_url is hosted.
+    #
+    # @option options [required, String] :sso_session The SSO Session used to
+    #   for fetching this token.
+    #
+    # @option options [SSOOIDC::Client] :client Optional `SSOOIDC::Client`.  If not
+    #   provided, a client will be constructed.
+    #
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
+    def initialize(options = {})
+
+      missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
+      unless missing_keys.empty?
+        raise ArgumentError, "Missing required keys: #{missing_keys}"
+      end
+
+      @sso_session = options.delete(:sso_session)
+      @sso_region = options.delete(:sso_region)
+
+      options[:region] = @sso_region
+      options[:credentials] = nil
+      options[:token_provider] = nil
+      @client = options[:client] || Aws::SSOOIDC::Client.new(options)
+
+      super
+    end
+
+    # @return [SSOOIDC::Client]
+    attr_reader :client
+
+    private
+
+    def refresh
+      # token is valid and not in refresh window - do not refresh it.
+      return if @token && @token.expiration && !near_expiration?
+
+      # token may not exist or is out of the expiration window
+      # attempt to refresh from disk first (another process/application may have refreshed already)
+      token_json = read_cached_token
+      @token = Token.new(token_json['accessToken'], token_json['expiresAt'])
+      return if @token && @token.expiration && !near_expiration?
+
+      # The token is expired and needs to be refreshed
+      if can_refresh_token?(token_json)
+        begin
+          current_time = Time.now
+          resp = @client.create_token(
+            grant_type: 'refresh_token',
+            client_id: token_json['clientId'],
+            client_secret: token_json['clientSecret'],
+            refresh_token: token_json['refreshToken']
+          )
+          token_json['accessToken'] = resp.access_token
+          token_json['expiresAt'] = current_time + resp.expires_in
+          @token = Token.new(token_json['accessToken'], token_json['expiresAt'])
+
+          if resp.refresh_token
+            token_json['refreshToken'] = resp.refresh_token
+          else
+            token_json.delete('refreshToken')
+          end
+
+          update_token_cache(token_json)
+        rescue
+          # refresh has failed, continue attempting to use the token if its not hard expired
+        end
+      end
+
+      if !@token.expiration || @token.expiration < Time.now
+        # Token is hard expired, raise an exception
+        raise Errors::InvalidSSOToken, 'Token is invalid and failed to refresh.'
+      end
+    end
+
+    def read_cached_token
+      cached_token = Json.load(File.read(sso_cache_file))
+      # validation
+      unless cached_token['accessToken'] && cached_token['expiresAt']
+        raise ArgumentError, 'Missing required field(s)'
+      end
+      cached_token['expiresAt'] = Time.parse(cached_token['expiresAt'])
+      cached_token
+    rescue Errno::ENOENT, Aws::Json::ParseError, ArgumentError
+      raise Errors::InvalidSSOToken, SSO_LOGIN_GUIDANCE
+    end
+
+    def update_token_cache(token_json)
+      cached_token = token_json.dup
+      cached_token['expiresAt'] = cached_token['expiresAt'].iso8601
+      File.write(sso_cache_file, Json.dump(cached_token))
+    end
+
+    def sso_cache_file
+      sso_session_sha1 = OpenSSL::Digest::SHA1.hexdigest(@sso_session.encode('utf-8'))
+      File.join(Dir.home, '.aws', 'sso', 'cache', "#{sso_session_sha1}.json")
+    rescue ArgumentError
+      # Dir.home raises ArgumentError when ENV['home'] is not set
+      raise ArgumentError, "Unable to load sso_cache_file: ENV['HOME'] is not set."
+    end
+
+    # return true if all required fields are present
+    # return false if registrationExpiresAt exists and is later than now
+    def can_refresh_token?(token_json)
+      if token_json['clientId'] &&
+        token_json['clientSecret'] &&
+        token_json['refreshToken']
+
+        return !token_json['registrationExpiresAt'] ||
+          Time.parse(token_json['registrationExpiresAt']) > Time.now
+      else
+        false
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/static_token_provider.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Aws
+  class StaticTokenProvider
+
+    include TokenProvider
+
+    # @param [String] token
+    # @param [Time] expiration
+    def initialize(token, expiration=nil)
+      @token = Token.new(token, expiration)
+    end
+  end
+end

data/lib/aws-sdk-core/structure.rb

@@ -28,18 +28,20 @@ module Aws
     # in stdlib Struct.
     #
     # @return [Hash]
-    def to_h(obj = self)
+    def to_h(obj = self, options = {})
       case obj
       when Struct
         obj.each_pair.with_object({}) do |(member, value), hash|
-          hash[member] = to_hash(value) unless value.nil?
+          member = member.to_s if options[:as_json]
+          hash[member] = to_hash(value, options) unless value.nil?
         end
       when Hash
         obj.each.with_object({}) do |(key, value), hash|
-          hash[key] = to_hash(value)
+          key = key.to_s if options[:as_json]
+          hash[key] = to_hash(value, options)
         end
       when Array
-        obj.collect { |value| to_hash(value) }
+        obj.collect { |value| to_hash(value, options) }
       else
         obj
       end

data/lib/aws-sdk-core/stubbing/stub_data.rb

@@ -13,12 +13,23 @@ module Aws
       def stub(data = {})
         stub = EmptyStub.new(@rules).stub
         remove_paging_tokens(stub)
+        remove_checksums(stub)
         apply_data(data, stub)
         stub
       end
 
       private
 
+      def remove_checksums(stub)
+        if @rules && @rules.shape.is_a?(Seahorse::Model::Shapes::StructureShape)
+          @rules.shape.members.each do |key, member|
+            if member.location == 'header' && member.location_name.start_with?('x-amz-checksum-')
+              stub[key] = nil
+            end
+          end
+        end
+      end
+
       def remove_paging_tokens(stub)
         if @pager
           @pager.instance_variable_get("@tokens").keys.each do |path|

data/lib/aws-sdk-core/token.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Aws
+  class Token
+
+    # @param [String] token
+    # @param [Time] expiration
+    def initialize(token, expiration=nil)
+      @token = token
+      @expiration = expiration
+    end
+
+    # @return [String, nil]
+    attr_reader :token
+
+    # @return [Time, nil]
+    attr_reader :expiration
+
+    # @return [Boolean] Returns `true` if token is set
+    def set?
+      !token.nil? && !token.empty?
+    end
+
+    # Removing the token from the default inspect string.
+    # @api private
+    def inspect
+      "#<#{self.class.name} token=[FILTERED]> expiration=#{expiration}>"
+    end
+
+  end
+end

data/lib/aws-sdk-core/token_provider.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Aws
+  module TokenProvider
+
+    # @return [Token]
+    attr_reader :token
+
+    # @return [Boolean]
+    def set?
+      !!token && token.set?
+    end
+
+  end
+end

data/lib/aws-sdk-core/token_provider_chain.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Aws
+  # @api private
+  class TokenProviderChain
+    def initialize(config = nil)
+      @config = config
+    end
+
+    # @return [TokenProvider, nil]
+    def resolve
+      providers.each do |method_name, options|
+        provider = send(method_name, options.merge(config: @config))
+        return provider if provider && provider.set?
+      end
+      nil
+    end
+
+    private
+
+    def providers
+      [
+        [:static_profile_sso_token, {}],
+        [:sso_token, {}]
+      ]
+    end
+
+    def static_profile_sso_token(options)
+      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
+        Aws.shared_config.sso_token_from_config(
+          profile: options[:config].profile
+        )
+      end
+    end
+
+
+    def sso_token(options)
+      profile_name = determine_profile_name(options)
+      if Aws.shared_config.config_enabled?
+        Aws.shared_config.sso_token_from_config(profile: profile_name)
+      end
+    rescue Errors::NoSuchProfileError
+      nil
+    end
+
+    def determine_profile_name(options)
+      (options[:config] && options[:config].profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+    end
+
+  end
+end

data/lib/aws-sdk-core/waiters/poller.rb

@@ -62,7 +62,9 @@ module Aws
       def send_request(options)
         req = options[:client].build_request(@operation_name, options[:params])
         req.handlers.remove(RAISE_HANDLER)
-        req.send_request
+        Aws::Plugins::UserAgent.feature('waiter') do
+          req.send_request
+        end
       end
 
       def acceptor_matches?(acceptor, response)

data/lib/aws-sdk-core/xml/error_handler.rb

@@ -24,6 +24,7 @@ module Aws
         else
           code, message, data = extract_error(body, context)
         end
+        context[:request_id] = request_id(body)
         errors_module = context.client.class.errors_module
         error_class = errors_module.error_class(code).new(context, message, data)
         error_class
@@ -94,6 +95,12 @@ module Aws
         end
       end
 
+      def request_id(body)
+        if matches = body.match(/<RequestId>(.+?)<\/RequestId>/m)
+          matches[1]
+        end
+      end
+
       def unescape(str)
         CGI.unescapeHTML(str)
       end

data/lib/aws-sdk-core/xml/parser/engines/oga.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# Oga Java requires JRuby.runtime
+require 'jruby' if RUBY_PLATFORM == 'java'
 require 'oga'
 
 module Aws

data/lib/aws-sdk-core.rb

@@ -20,6 +20,15 @@ require_relative 'aws-sdk-core/shared_credentials'
 require_relative 'aws-sdk-core/process_credentials'
 require_relative 'aws-sdk-core/sso_credentials'
 
+# tokens and token providers
+require_relative 'aws-sdk-core/token'
+require_relative 'aws-sdk-core/token_provider'
+require_relative 'aws-sdk-core/static_token_provider'
+require_relative 'aws-sdk-core/refreshing_token'
+require_relative 'aws-sdk-core/sso_token_provider'
+require_relative 'aws-sdk-core/token_provider_chain'
+require_relative 'aws-sdk-core/plugins/bearer_authorization'
+
 # client modules
 
 require_relative 'aws-sdk-core/client_stubs'
@@ -88,6 +97,10 @@ require_relative 'aws-sdk-core/arn'
 require_relative 'aws-sdk-core/arn_parser'
 require_relative 'aws-sdk-core/ec2_metadata'
 
+# dynamic endpoints
+require_relative 'aws-sdk-core/endpoints'
+require_relative 'aws-sdk-core/plugins/signature_v4'
+
 # defaults
 require_relative 'aws-defaults'
 
@@ -99,6 +112,7 @@ require_relative 'aws-sdk-sts'
 
 # aws-sdk-sso is included to support Aws::SSOCredentials
 require_relative 'aws-sdk-sso'
+require_relative 'aws-sdk-ssooidc'
 
 module Aws