aws-sdk-core 3.125.6 → 3.188.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +533 -0
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +4 -4
- data/lib/aws-sdk-core/arn.rb +13 -0
- data/lib/aws-sdk-core/assume_role_credentials.rb +21 -7
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +14 -10
- data/lib/aws-sdk-core/binary/encode_handler.rb +12 -1
- data/lib/aws-sdk-core/client_stubs.rb +5 -1
- data/lib/aws-sdk-core/credential_provider.rb +3 -0
- data/lib/aws-sdk-core/credential_provider_chain.rb +8 -5
- data/lib/aws-sdk-core/ec2_metadata.rb +3 -2
- data/lib/aws-sdk-core/ecs_credentials.rb +186 -52
- data/lib/aws-sdk-core/endpoints/condition.rb +41 -0
- data/lib/aws-sdk-core/endpoints/endpoint.rb +17 -0
- data/lib/aws-sdk-core/endpoints/endpoint_rule.rb +75 -0
- data/lib/aws-sdk-core/endpoints/error_rule.rb +42 -0
- data/lib/aws-sdk-core/endpoints/function.rb +80 -0
- data/lib/aws-sdk-core/endpoints/matchers.rb +131 -0
- data/lib/aws-sdk-core/endpoints/reference.rb +31 -0
- data/lib/aws-sdk-core/endpoints/rule.rb +25 -0
- data/lib/aws-sdk-core/endpoints/rule_set.rb +52 -0
- data/lib/aws-sdk-core/endpoints/rules_provider.rb +37 -0
- data/lib/aws-sdk-core/endpoints/templater.rb +58 -0
- data/lib/aws-sdk-core/endpoints/tree_rule.rb +45 -0
- data/lib/aws-sdk-core/endpoints/url.rb +60 -0
- data/lib/aws-sdk-core/endpoints.rb +78 -0
- data/lib/aws-sdk-core/errors.rb +14 -1
- data/lib/aws-sdk-core/ini_parser.rb +7 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +124 -31
- data/lib/aws-sdk-core/json/error_handler.rb +20 -1
- data/lib/aws-sdk-core/json/handler.rb +8 -1
- data/lib/aws-sdk-core/json/parser.rb +27 -2
- data/lib/aws-sdk-core/log/formatter.rb +6 -0
- data/lib/aws-sdk-core/pageable_response.rb +81 -32
- data/lib/aws-sdk-core/param_validator.rb +2 -2
- data/lib/aws-sdk-core/plugins/bearer_authorization.rb +67 -0
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +340 -0
- data/lib/aws-sdk-core/plugins/credentials_configuration.rb +24 -0
- data/lib/aws-sdk-core/plugins/endpoint_discovery.rb +6 -2
- data/lib/aws-sdk-core/plugins/http_checksum.rb +8 -1
- data/lib/aws-sdk-core/plugins/jsonvalue_converter.rb +34 -6
- data/lib/aws-sdk-core/plugins/recursion_detection.rb +38 -0
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +111 -30
- data/lib/aws-sdk-core/plugins/request_compression.rb +217 -0
- data/lib/aws-sdk-core/plugins/response_paging.rb +1 -1
- data/lib/aws-sdk-core/plugins/retries/error_inspector.rb +3 -2
- data/lib/aws-sdk-core/plugins/retry_errors.rb +12 -2
- data/lib/aws-sdk-core/plugins/sign.rb +201 -0
- data/lib/aws-sdk-core/plugins/signature_v2.rb +1 -0
- data/lib/aws-sdk-core/plugins/signature_v4.rb +15 -8
- data/lib/aws-sdk-core/plugins/stub_responses.rb +5 -1
- data/lib/aws-sdk-core/plugins/user_agent.rb +117 -14
- data/lib/aws-sdk-core/process_credentials.rb +9 -11
- data/lib/aws-sdk-core/refreshing_credentials.rb +41 -16
- data/lib/aws-sdk-core/refreshing_token.rb +71 -0
- data/lib/aws-sdk-core/rest/handler.rb +1 -1
- data/lib/aws-sdk-core/rest/request/headers.rb +2 -6
- data/lib/aws-sdk-core/rest/request/querystring_builder.rb +43 -29
- data/lib/aws-sdk-core/shared_config.rb +107 -12
- data/lib/aws-sdk-core/sso_credentials.rb +91 -50
- data/lib/aws-sdk-core/sso_token_provider.rb +135 -0
- data/lib/aws-sdk-core/static_token_provider.rb +14 -0
- data/lib/aws-sdk-core/structure.rb +6 -4
- data/lib/aws-sdk-core/stubbing/stub_data.rb +11 -0
- data/lib/aws-sdk-core/token.rb +31 -0
- data/lib/aws-sdk-core/token_provider.rb +15 -0
- data/lib/aws-sdk-core/token_provider_chain.rb +51 -0
- data/lib/aws-sdk-core/waiters/poller.rb +3 -1
- data/lib/aws-sdk-core/xml/error_handler.rb +7 -0
- data/lib/aws-sdk-core/xml/parser/engines/oga.rb +2 -0
- data/lib/aws-sdk-core.rb +14 -0
- data/lib/aws-sdk-sso/client.rb +75 -11
- data/lib/aws-sdk-sso/endpoint_parameters.rb +66 -0
- data/lib/aws-sdk-sso/endpoint_provider.rb +57 -0
- data/lib/aws-sdk-sso/endpoints.rb +72 -0
- data/lib/aws-sdk-sso/plugins/endpoints.rb +76 -0
- data/lib/aws-sdk-sso/types.rb +8 -43
- data/lib/aws-sdk-sso.rb +5 -1
- data/lib/aws-sdk-ssooidc/client.rb +935 -0
- data/lib/aws-sdk-ssooidc/client_api.rb +271 -0
- data/lib/aws-sdk-ssooidc/customizations.rb +1 -0
- data/lib/aws-sdk-ssooidc/endpoint_parameters.rb +66 -0
- data/lib/aws-sdk-ssooidc/endpoint_provider.rb +57 -0
- data/lib/aws-sdk-ssooidc/endpoints.rb +72 -0
- data/lib/aws-sdk-ssooidc/errors.rb +321 -0
- data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +76 -0
- data/lib/aws-sdk-ssooidc/resource.rb +26 -0
- data/lib/aws-sdk-ssooidc/types.rb +755 -0
- data/lib/aws-sdk-ssooidc.rb +59 -0
- data/lib/aws-sdk-sts/client.rb +330 -262
- data/lib/aws-sdk-sts/client_api.rb +12 -1
- data/lib/aws-sdk-sts/endpoint_parameters.rb +78 -0
- data/lib/aws-sdk-sts/endpoint_provider.rb +112 -0
- data/lib/aws-sdk-sts/endpoints.rb +136 -0
- data/lib/aws-sdk-sts/plugins/endpoints.rb +84 -0
- data/lib/aws-sdk-sts/presigner.rb +14 -16
- data/lib/aws-sdk-sts/types.rb +135 -204
- data/lib/aws-sdk-sts.rb +5 -1
- data/lib/seahorse/client/async_base.rb +0 -1
- data/lib/seahorse/client/configuration.rb +1 -5
- data/lib/seahorse/client/h2/connection.rb +12 -11
- data/lib/seahorse/client/net_http/patches.rb +1 -4
- data/lib/seahorse/client/plugins/h2.rb +3 -3
- data/lib/seahorse/client/plugins/request_callback.rb +40 -9
- data/lib/seahorse/client/response.rb +6 -0
- data/lib/seahorse/model/operation.rb +6 -0
- data/lib/seahorse/util.rb +4 -0
- metadata +59 -9
@@ -1,45 +1,37 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
module Aws
|
4
|
-
# An auto-refreshing credential provider that
|
5
|
-
#
|
6
|
-
# token.
|
7
|
-
#
|
8
|
-
#
|
9
|
-
#
|
10
|
-
#
|
11
|
-
#
|
12
|
-
#
|
13
|
-
# ## Refreshing Credentials from SSO
|
14
|
-
#
|
15
|
-
# The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In
|
16
|
-
# addition to AWS credentials expiring after a given amount of time, the
|
17
|
-
# access token generated and cached from `aws login` will also expire.
|
18
|
-
# Once this token expires, it will not be usable to refresh AWS credentials,
|
19
|
-
# and another token will be needed. The SDK does not manage refreshing of
|
20
|
-
# the token value, but this can be done by running `aws login` with the
|
21
|
-
# correct profile.
|
22
|
-
#
|
4
|
+
# An auto-refreshing credential provider that assumes a role via
|
5
|
+
# {Aws::SSO::Client#get_role_credentials} using a cached access
|
6
|
+
# token. When `sso_session` is specified, token refresh logic from
|
7
|
+
# {Aws::SSOTokenProvider} will be used to refresh the token if possible.
|
8
|
+
# This class does NOT implement the SSO login token flow - tokens
|
9
|
+
# must generated separately by running `aws login` from the
|
10
|
+
# AWS CLI with the correct profile. The `SSOCredentials` will
|
11
|
+
# auto-refresh the AWS credentials from SSO.
|
23
12
|
#
|
24
13
|
# # You must first run aws sso login --profile your-sso-profile
|
25
14
|
# sso_credentials = Aws::SSOCredentials.new(
|
26
15
|
# sso_account_id: '123456789',
|
27
16
|
# sso_role_name: "role_name",
|
28
17
|
# sso_region: "us-east-1",
|
29
|
-
#
|
18
|
+
# sso_session: 'my_sso_session'
|
30
19
|
# )
|
31
|
-
#
|
32
20
|
# ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
|
33
21
|
#
|
34
|
-
# If you omit `:client` option, a new {SSO::Client} object will be
|
35
|
-
# constructed.
|
22
|
+
# If you omit `:client` option, a new {Aws::SSO::Client} object will be
|
23
|
+
# constructed with additional options that were provided.
|
24
|
+
#
|
25
|
+
# @see Aws::SSO::Client#get_role_credentials
|
26
|
+
# @see https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
|
36
27
|
class SSOCredentials
|
37
28
|
|
38
29
|
include CredentialProvider
|
39
30
|
include RefreshingCredentials
|
40
31
|
|
41
32
|
# @api private
|
42
|
-
|
33
|
+
LEGACY_REQUIRED_OPTS = [:sso_start_url, :sso_account_id, :sso_region, :sso_role_name].freeze
|
34
|
+
TOKEN_PROVIDER_REQUIRED_OPTS = [:sso_session, :sso_account_id, :sso_region, :sso_role_name].freeze
|
43
35
|
|
44
36
|
# @api private
|
45
37
|
SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
|
@@ -49,38 +41,79 @@ module Aws
|
|
49
41
|
# @option options [required, String] :sso_account_id The AWS account ID
|
50
42
|
# that temporary AWS credentials will be resolved for
|
51
43
|
#
|
52
|
-
# @option options [required, String] :sso_region The AWS region where the
|
53
|
-
# SSO directory for the given sso_start_url is hosted.
|
54
|
-
#
|
55
44
|
# @option options [required, String] :sso_role_name The corresponding
|
56
45
|
# IAM role in the AWS account that temporary AWS credentials
|
57
46
|
# will be resolved for.
|
58
47
|
#
|
59
|
-
# @option options [required, String] :
|
60
|
-
#
|
48
|
+
# @option options [required, String] :sso_region The AWS region where the
|
49
|
+
# SSO directory for the given sso_start_url is hosted.
|
50
|
+
#
|
51
|
+
# @option options [String] :sso_session The SSO Token used for fetching
|
52
|
+
# the token. If provided, refresh logic from the {Aws::SSOTokenProvider}
|
53
|
+
# will be used.
|
54
|
+
#
|
55
|
+
# @option options [String] :sso_start_url (legacy profiles) If provided,
|
56
|
+
# legacy token fetch behavior will be used, which does not support
|
57
|
+
# token refreshing. The start URL is provided by the SSO
|
58
|
+
# service via the console and is the URL used to
|
61
59
|
# login to the SSO directory. This is also sometimes referred to as
|
62
|
-
# the "User Portal URL"
|
60
|
+
# the "User Portal URL".
|
63
61
|
#
|
64
62
|
# @option options [SSO::Client] :client Optional `SSO::Client`. If not
|
65
63
|
# provided, a client will be constructed.
|
64
|
+
#
|
65
|
+
# @option options [Callable] before_refresh Proc called before
|
66
|
+
# credentials are refreshed. `before_refresh` is called
|
67
|
+
# with an instance of this object when
|
68
|
+
# AWS credentials are required and need to be refreshed.
|
66
69
|
def initialize(options = {})
|
70
|
+
options = options.select {|k, v| !v.nil? }
|
71
|
+
if (options[:sso_session])
|
72
|
+
missing_keys = TOKEN_PROVIDER_REQUIRED_OPTS.select { |k| options[k].nil? }
|
73
|
+
unless missing_keys.empty?
|
74
|
+
raise ArgumentError, "Missing required keys: #{missing_keys}"
|
75
|
+
end
|
76
|
+
@legacy = false
|
77
|
+
@sso_role_name = options.delete(:sso_role_name)
|
78
|
+
@sso_account_id = options.delete(:sso_account_id)
|
67
79
|
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
80
|
+
# if client has been passed, don't pass through to SSOTokenProvider
|
81
|
+
@client = options.delete(:client)
|
82
|
+
options.delete(:sso_start_url)
|
83
|
+
@token_provider = Aws::SSOTokenProvider.new(options.dup)
|
84
|
+
@sso_session = options.delete(:sso_session)
|
85
|
+
@sso_region = options.delete(:sso_region)
|
86
|
+
|
87
|
+
unless @client
|
88
|
+
client_opts = {}
|
89
|
+
options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
|
90
|
+
client_opts[:region] = @sso_region
|
91
|
+
client_opts[:credentials] = nil
|
92
|
+
@client = Aws::SSO::Client.new(client_opts)
|
93
|
+
end
|
94
|
+
else # legacy behavior
|
95
|
+
missing_keys = LEGACY_REQUIRED_OPTS.select { |k| options[k].nil? }
|
96
|
+
unless missing_keys.empty?
|
97
|
+
raise ArgumentError, "Missing required keys: #{missing_keys}"
|
98
|
+
end
|
99
|
+
@legacy = true
|
100
|
+
@sso_start_url = options.delete(:sso_start_url)
|
101
|
+
@sso_region = options.delete(:sso_region)
|
102
|
+
@sso_role_name = options.delete(:sso_role_name)
|
103
|
+
@sso_account_id = options.delete(:sso_account_id)
|
72
104
|
|
73
|
-
|
74
|
-
|
75
|
-
@sso_role_name = options.delete(:sso_role_name)
|
76
|
-
@sso_account_id = options.delete(:sso_account_id)
|
105
|
+
# validate we can read the token file
|
106
|
+
read_cached_token
|
77
107
|
|
78
|
-
|
79
|
-
|
108
|
+
client_opts = {}
|
109
|
+
options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
|
110
|
+
client_opts[:region] = @sso_region
|
111
|
+
client_opts[:credentials] = nil
|
112
|
+
|
113
|
+
@client = options[:client] || Aws::SSO::Client.new(client_opts)
|
114
|
+
end
|
80
115
|
|
81
|
-
|
82
|
-
options[:credentials] = nil
|
83
|
-
@client = options[:client] || Aws::SSO::Client.new(options)
|
116
|
+
@async_refresh = true
|
84
117
|
super
|
85
118
|
end
|
86
119
|
|
@@ -105,19 +138,27 @@ module Aws
|
|
105
138
|
end
|
106
139
|
|
107
140
|
def refresh
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
141
|
+
c = if @legacy
|
142
|
+
cached_token = read_cached_token
|
143
|
+
@client.get_role_credentials(
|
144
|
+
account_id: @sso_account_id,
|
145
|
+
role_name: @sso_role_name,
|
146
|
+
access_token: cached_token['accessToken']
|
147
|
+
).role_credentials
|
148
|
+
else
|
149
|
+
@client.get_role_credentials(
|
150
|
+
account_id: @sso_account_id,
|
151
|
+
role_name: @sso_role_name,
|
152
|
+
access_token: @token_provider.token.token
|
153
|
+
).role_credentials
|
154
|
+
end
|
114
155
|
|
115
156
|
@credentials = Credentials.new(
|
116
157
|
c.access_key_id,
|
117
158
|
c.secret_access_key,
|
118
159
|
c.session_token
|
119
160
|
)
|
120
|
-
@expiration = c.expiration
|
161
|
+
@expiration = Time.at(c.expiration / 1000.0)
|
121
162
|
end
|
122
163
|
|
123
164
|
def sso_cache_file
|
@@ -0,0 +1,135 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Aws
|
4
|
+
class SSOTokenProvider
|
5
|
+
|
6
|
+
include TokenProvider
|
7
|
+
include RefreshingToken
|
8
|
+
|
9
|
+
# @api private
|
10
|
+
SSO_REQUIRED_OPTS = [:sso_region, :sso_session].freeze
|
11
|
+
|
12
|
+
# @api private
|
13
|
+
SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
|
14
|
+
'expired or is otherwise invalid. To refresh this SSO session run '\
|
15
|
+
'aws sso login with the corresponding profile.'.freeze
|
16
|
+
|
17
|
+
# @option options [required, String] :sso_region The AWS region where the
|
18
|
+
# SSO directory for the given sso_start_url is hosted.
|
19
|
+
#
|
20
|
+
# @option options [required, String] :sso_session The SSO Session used to
|
21
|
+
# for fetching this token.
|
22
|
+
#
|
23
|
+
# @option options [SSOOIDC::Client] :client Optional `SSOOIDC::Client`. If not
|
24
|
+
# provided, a client will be constructed.
|
25
|
+
#
|
26
|
+
# @option options [Callable] before_refresh Proc called before
|
27
|
+
# credentials are refreshed. `before_refresh` is called
|
28
|
+
# with an instance of this object when
|
29
|
+
# AWS credentials are required and need to be refreshed.
|
30
|
+
def initialize(options = {})
|
31
|
+
|
32
|
+
missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
|
33
|
+
unless missing_keys.empty?
|
34
|
+
raise ArgumentError, "Missing required keys: #{missing_keys}"
|
35
|
+
end
|
36
|
+
|
37
|
+
@sso_session = options.delete(:sso_session)
|
38
|
+
@sso_region = options.delete(:sso_region)
|
39
|
+
|
40
|
+
options[:region] = @sso_region
|
41
|
+
options[:credentials] = nil
|
42
|
+
options[:token_provider] = nil
|
43
|
+
@client = options[:client] || Aws::SSOOIDC::Client.new(options)
|
44
|
+
|
45
|
+
super
|
46
|
+
end
|
47
|
+
|
48
|
+
# @return [SSOOIDC::Client]
|
49
|
+
attr_reader :client
|
50
|
+
|
51
|
+
private
|
52
|
+
|
53
|
+
def refresh
|
54
|
+
# token is valid and not in refresh window - do not refresh it.
|
55
|
+
return if @token && @token.expiration && !near_expiration?
|
56
|
+
|
57
|
+
# token may not exist or is out of the expiration window
|
58
|
+
# attempt to refresh from disk first (another process/application may have refreshed already)
|
59
|
+
token_json = read_cached_token
|
60
|
+
@token = Token.new(token_json['accessToken'], token_json['expiresAt'])
|
61
|
+
return if @token && @token.expiration && !near_expiration?
|
62
|
+
|
63
|
+
# The token is expired and needs to be refreshed
|
64
|
+
if can_refresh_token?(token_json)
|
65
|
+
begin
|
66
|
+
current_time = Time.now
|
67
|
+
resp = @client.create_token(
|
68
|
+
grant_type: 'refresh_token',
|
69
|
+
client_id: token_json['clientId'],
|
70
|
+
client_secret: token_json['clientSecret'],
|
71
|
+
refresh_token: token_json['refreshToken']
|
72
|
+
)
|
73
|
+
token_json['accessToken'] = resp.access_token
|
74
|
+
token_json['expiresAt'] = current_time + resp.expires_in
|
75
|
+
@token = Token.new(token_json['accessToken'], token_json['expiresAt'])
|
76
|
+
|
77
|
+
if resp.refresh_token
|
78
|
+
token_json['refreshToken'] = resp.refresh_token
|
79
|
+
else
|
80
|
+
token_json.delete('refreshToken')
|
81
|
+
end
|
82
|
+
|
83
|
+
update_token_cache(token_json)
|
84
|
+
rescue
|
85
|
+
# refresh has failed, continue attempting to use the token if its not hard expired
|
86
|
+
end
|
87
|
+
end
|
88
|
+
|
89
|
+
if !@token.expiration || @token.expiration < Time.now
|
90
|
+
# Token is hard expired, raise an exception
|
91
|
+
raise Errors::InvalidSSOToken, 'Token is invalid and failed to refresh.'
|
92
|
+
end
|
93
|
+
end
|
94
|
+
|
95
|
+
def read_cached_token
|
96
|
+
cached_token = Json.load(File.read(sso_cache_file))
|
97
|
+
# validation
|
98
|
+
unless cached_token['accessToken'] && cached_token['expiresAt']
|
99
|
+
raise ArgumentError, 'Missing required field(s)'
|
100
|
+
end
|
101
|
+
cached_token['expiresAt'] = Time.parse(cached_token['expiresAt'])
|
102
|
+
cached_token
|
103
|
+
rescue Errno::ENOENT, Aws::Json::ParseError, ArgumentError
|
104
|
+
raise Errors::InvalidSSOToken, SSO_LOGIN_GUIDANCE
|
105
|
+
end
|
106
|
+
|
107
|
+
def update_token_cache(token_json)
|
108
|
+
cached_token = token_json.dup
|
109
|
+
cached_token['expiresAt'] = cached_token['expiresAt'].iso8601
|
110
|
+
File.write(sso_cache_file, Json.dump(cached_token))
|
111
|
+
end
|
112
|
+
|
113
|
+
def sso_cache_file
|
114
|
+
sso_session_sha1 = OpenSSL::Digest::SHA1.hexdigest(@sso_session.encode('utf-8'))
|
115
|
+
File.join(Dir.home, '.aws', 'sso', 'cache', "#{sso_session_sha1}.json")
|
116
|
+
rescue ArgumentError
|
117
|
+
# Dir.home raises ArgumentError when ENV['home'] is not set
|
118
|
+
raise ArgumentError, "Unable to load sso_cache_file: ENV['HOME'] is not set."
|
119
|
+
end
|
120
|
+
|
121
|
+
# return true if all required fields are present
|
122
|
+
# return false if registrationExpiresAt exists and is later than now
|
123
|
+
def can_refresh_token?(token_json)
|
124
|
+
if token_json['clientId'] &&
|
125
|
+
token_json['clientSecret'] &&
|
126
|
+
token_json['refreshToken']
|
127
|
+
|
128
|
+
return !token_json['registrationExpiresAt'] ||
|
129
|
+
Time.parse(token_json['registrationExpiresAt']) > Time.now
|
130
|
+
else
|
131
|
+
false
|
132
|
+
end
|
133
|
+
end
|
134
|
+
end
|
135
|
+
end
|
@@ -0,0 +1,14 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Aws
|
4
|
+
class StaticTokenProvider
|
5
|
+
|
6
|
+
include TokenProvider
|
7
|
+
|
8
|
+
# @param [String] token
|
9
|
+
# @param [Time] expiration
|
10
|
+
def initialize(token, expiration=nil)
|
11
|
+
@token = Token.new(token, expiration)
|
12
|
+
end
|
13
|
+
end
|
14
|
+
end
|
@@ -28,18 +28,20 @@ module Aws
|
|
28
28
|
# in stdlib Struct.
|
29
29
|
#
|
30
30
|
# @return [Hash]
|
31
|
-
def to_h(obj = self)
|
31
|
+
def to_h(obj = self, options = {})
|
32
32
|
case obj
|
33
33
|
when Struct
|
34
34
|
obj.each_pair.with_object({}) do |(member, value), hash|
|
35
|
-
|
35
|
+
member = member.to_s if options[:as_json]
|
36
|
+
hash[member] = to_hash(value, options) unless value.nil?
|
36
37
|
end
|
37
38
|
when Hash
|
38
39
|
obj.each.with_object({}) do |(key, value), hash|
|
39
|
-
|
40
|
+
key = key.to_s if options[:as_json]
|
41
|
+
hash[key] = to_hash(value, options)
|
40
42
|
end
|
41
43
|
when Array
|
42
|
-
obj.collect { |value| to_hash(value) }
|
44
|
+
obj.collect { |value| to_hash(value, options) }
|
43
45
|
else
|
44
46
|
obj
|
45
47
|
end
|
@@ -13,12 +13,23 @@ module Aws
|
|
13
13
|
def stub(data = {})
|
14
14
|
stub = EmptyStub.new(@rules).stub
|
15
15
|
remove_paging_tokens(stub)
|
16
|
+
remove_checksums(stub)
|
16
17
|
apply_data(data, stub)
|
17
18
|
stub
|
18
19
|
end
|
19
20
|
|
20
21
|
private
|
21
22
|
|
23
|
+
def remove_checksums(stub)
|
24
|
+
if @rules && @rules.shape.is_a?(Seahorse::Model::Shapes::StructureShape)
|
25
|
+
@rules.shape.members.each do |key, member|
|
26
|
+
if member.location == 'header' && member.location_name.start_with?('x-amz-checksum-')
|
27
|
+
stub[key] = nil
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
22
33
|
def remove_paging_tokens(stub)
|
23
34
|
if @pager
|
24
35
|
@pager.instance_variable_get("@tokens").keys.each do |path|
|
@@ -0,0 +1,31 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Aws
|
4
|
+
class Token
|
5
|
+
|
6
|
+
# @param [String] token
|
7
|
+
# @param [Time] expiration
|
8
|
+
def initialize(token, expiration=nil)
|
9
|
+
@token = token
|
10
|
+
@expiration = expiration
|
11
|
+
end
|
12
|
+
|
13
|
+
# @return [String, nil]
|
14
|
+
attr_reader :token
|
15
|
+
|
16
|
+
# @return [Time, nil]
|
17
|
+
attr_reader :expiration
|
18
|
+
|
19
|
+
# @return [Boolean] Returns `true` if token is set
|
20
|
+
def set?
|
21
|
+
!token.nil? && !token.empty?
|
22
|
+
end
|
23
|
+
|
24
|
+
# Removing the token from the default inspect string.
|
25
|
+
# @api private
|
26
|
+
def inspect
|
27
|
+
"#<#{self.class.name} token=[FILTERED]> expiration=#{expiration}>"
|
28
|
+
end
|
29
|
+
|
30
|
+
end
|
31
|
+
end
|
@@ -0,0 +1,51 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Aws
|
4
|
+
# @api private
|
5
|
+
class TokenProviderChain
|
6
|
+
def initialize(config = nil)
|
7
|
+
@config = config
|
8
|
+
end
|
9
|
+
|
10
|
+
# @return [TokenProvider, nil]
|
11
|
+
def resolve
|
12
|
+
providers.each do |method_name, options|
|
13
|
+
provider = send(method_name, options.merge(config: @config))
|
14
|
+
return provider if provider && provider.set?
|
15
|
+
end
|
16
|
+
nil
|
17
|
+
end
|
18
|
+
|
19
|
+
private
|
20
|
+
|
21
|
+
def providers
|
22
|
+
[
|
23
|
+
[:static_profile_sso_token, {}],
|
24
|
+
[:sso_token, {}]
|
25
|
+
]
|
26
|
+
end
|
27
|
+
|
28
|
+
def static_profile_sso_token(options)
|
29
|
+
if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
|
30
|
+
Aws.shared_config.sso_token_from_config(
|
31
|
+
profile: options[:config].profile
|
32
|
+
)
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
|
37
|
+
def sso_token(options)
|
38
|
+
profile_name = determine_profile_name(options)
|
39
|
+
if Aws.shared_config.config_enabled?
|
40
|
+
Aws.shared_config.sso_token_from_config(profile: profile_name)
|
41
|
+
end
|
42
|
+
rescue Errors::NoSuchProfileError
|
43
|
+
nil
|
44
|
+
end
|
45
|
+
|
46
|
+
def determine_profile_name(options)
|
47
|
+
(options[:config] && options[:config].profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
|
48
|
+
end
|
49
|
+
|
50
|
+
end
|
51
|
+
end
|
@@ -62,7 +62,9 @@ module Aws
|
|
62
62
|
def send_request(options)
|
63
63
|
req = options[:client].build_request(@operation_name, options[:params])
|
64
64
|
req.handlers.remove(RAISE_HANDLER)
|
65
|
-
|
65
|
+
Aws::Plugins::UserAgent.feature('waiter') do
|
66
|
+
req.send_request
|
67
|
+
end
|
66
68
|
end
|
67
69
|
|
68
70
|
def acceptor_matches?(acceptor, response)
|
@@ -24,6 +24,7 @@ module Aws
|
|
24
24
|
else
|
25
25
|
code, message, data = extract_error(body, context)
|
26
26
|
end
|
27
|
+
context[:request_id] = request_id(body)
|
27
28
|
errors_module = context.client.class.errors_module
|
28
29
|
error_class = errors_module.error_class(code).new(context, message, data)
|
29
30
|
error_class
|
@@ -94,6 +95,12 @@ module Aws
|
|
94
95
|
end
|
95
96
|
end
|
96
97
|
|
98
|
+
def request_id(body)
|
99
|
+
if matches = body.match(/<RequestId>(.+?)<\/RequestId>/m)
|
100
|
+
matches[1]
|
101
|
+
end
|
102
|
+
end
|
103
|
+
|
97
104
|
def unescape(str)
|
98
105
|
CGI.unescapeHTML(str)
|
99
106
|
end
|
data/lib/aws-sdk-core.rb
CHANGED
@@ -20,6 +20,15 @@ require_relative 'aws-sdk-core/shared_credentials'
|
|
20
20
|
require_relative 'aws-sdk-core/process_credentials'
|
21
21
|
require_relative 'aws-sdk-core/sso_credentials'
|
22
22
|
|
23
|
+
# tokens and token providers
|
24
|
+
require_relative 'aws-sdk-core/token'
|
25
|
+
require_relative 'aws-sdk-core/token_provider'
|
26
|
+
require_relative 'aws-sdk-core/static_token_provider'
|
27
|
+
require_relative 'aws-sdk-core/refreshing_token'
|
28
|
+
require_relative 'aws-sdk-core/sso_token_provider'
|
29
|
+
require_relative 'aws-sdk-core/token_provider_chain'
|
30
|
+
require_relative 'aws-sdk-core/plugins/bearer_authorization'
|
31
|
+
|
23
32
|
# client modules
|
24
33
|
|
25
34
|
require_relative 'aws-sdk-core/client_stubs'
|
@@ -88,6 +97,10 @@ require_relative 'aws-sdk-core/arn'
|
|
88
97
|
require_relative 'aws-sdk-core/arn_parser'
|
89
98
|
require_relative 'aws-sdk-core/ec2_metadata'
|
90
99
|
|
100
|
+
# dynamic endpoints
|
101
|
+
require_relative 'aws-sdk-core/endpoints'
|
102
|
+
require_relative 'aws-sdk-core/plugins/signature_v4'
|
103
|
+
|
91
104
|
# defaults
|
92
105
|
require_relative 'aws-defaults'
|
93
106
|
|
@@ -99,6 +112,7 @@ require_relative 'aws-sdk-sts'
|
|
99
112
|
|
100
113
|
# aws-sdk-sso is included to support Aws::SSOCredentials
|
101
114
|
require_relative 'aws-sdk-sso'
|
115
|
+
require_relative 'aws-sdk-ssooidc'
|
102
116
|
|
103
117
|
module Aws
|
104
118
|
|