aws-sdk-core 3.130.0 → 3.150.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d7804cbac83996a95b2cacbd808389798eb0b461229a9e8e2a966cd28d599aa6
-  data.tar.gz: ce3557bcbd4d6a5edaa1bc99fbd7e75f9b2e23eb6fadb8be06a69b91e2e8a4a7
+  metadata.gz: 6e48c7a4f814d1be349fc135259cf773061e0b433c1dd1227b4e1dff040725cc
+  data.tar.gz: 8fe44d28c5302975a2590296d5af2e2eb6337e79a9c38f4f07c380728974c1ad
 SHA512:
-  metadata.gz: d1d0b4ec0b478389290d84409869ed012e4a2ce6408d3dc5c46c618771cc970d9086eb4686dd64b740ebd5eeafe7cc0e8b6fa63d3f89202e8f2841d9a203bdbb
-  data.tar.gz: f4c41ffb85d712bcaf8701aa61a886837517df23e14a53c2b9201d86bfcc1fd41b5b8badded9f91aeb0ee77553c9e2af80b4c82d1e249486b5630afc1582939c
+  metadata.gz: c17d6185b0dbcccde742918b1a78ec4fa73b7235216f99ff83b44eb7b4282cb2925cc6deaa0cd79a5f1e7f9acef0e074279279bf318d252352954aa38a7c1648
+  data.tar.gz: 679cbcc65fedea907a6aab89e4bd86b04bac83ca61d4f1c00b21f2e3c0e595f20a06f07ab1b49b2c68cb63091b005804dfcc771b9c5a0abe6238a43e398e4c06

data/CHANGELOG.md

@@ -1,6 +1,152 @@
 Unreleased Changes
 ------------------
 
+3.150.0 (2022-09-19)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.149.0 (2022-09-16)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.148.0 (2022-09-15)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.147.0 (2022-09-14)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.146.0 (2022-09-13)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.145.0 (2022-09-12)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.144.0 (2022-09-09)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.143.0 (2022-09-08)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.142.0 (2022-09-07)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.141.0 (2022-09-06)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.140.0 (2022-09-02)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.139.0 (2022-09-01)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.138.0 (2022-08-31)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.137.0 (2022-08-30)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Issue - Fix errors in recursion detection when `_X_AMZN_TRACE_ID` is unset (#2748).
+
+3.136.0 (2022-08-25)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.135.0 (2022-08-24)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.134.0 (2022-08-23)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Add support for Bearer Token Authentication and TokenProviders.
+* Issue - Validate that `_X_AMZN_TRACE_ID` ENV value contains only valid, non-control characters.
+
+3.133.0 (2022-08-22)
+------------------
+
+* Feature - Moved functionality from `aws-sdk-ssoidc` into core.
+
+3.132.0 (2022-08-08)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.131.6 (2022-08-03)
+------------------
+
+* Issue - Fix typo in `RecursionDetection`, change amz to amzn in header and env name.
+
+3.131.5 (2022-07-28)
+------------------
+
+* Issue - Fix `to_json` usage in nested hashes by defining `as_json` (#2733).
+
+3.131.4 (2022-07-27)
+------------------
+
+* Issue - Fix `to_json` usage on pageable responses when using Rails (#2733).
+* Issue - Use `expand_path` on credential/config paths in SharedConfig (#2735).
+
+3.131.3 (2022-07-18)
+------------------
+
+* Issue - Add support for serializing shapes on the body with `jsonvalue` members.
+
+3.131.2 (2022-06-20)
+------------------
+
+* Issue - Populate context :request_id for XML error responses.
+
+3.131.1 (2022-05-20)
+------------------
+
+* Issue - Bump the minimum version of `jmespath` dependency.
+
+3.131.0 (2022-05-16)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+3.130.2 (2022-04-22)
+------------------
+
+* Issue - Don't pass `:before_refresh` to Client constructors in RefreshingCredential implementations (#2690).
+
+3.130.1 (2022-04-12)
+------------------
+
+* Issue - Don't call `refresh!` on non-refreshable `Credentials` when retrying errors (#2685).
+
 3.130.0 (2022-03-11)
 ------------------
 
@@ -40,7 +186,7 @@ Unreleased Changes
 3.126.2 (2022-02-16)
 ------------------
 
-* Issue - Add a before_refresh callback to AssumeRoleCredentials (#2529). 
+* Issue - Add a before_refresh callback to AssumeRoleCredentials (#2529).
 * Issue - Raise a `NoSuchProfileError` when config and credentials files don't exist.
 
 3.126.1 (2022-02-14)

data/VERSION

@@ -1 +1 @@
-3.130.0
+3.150.0

data/lib/aws-sdk-core/assume_role_credentials.rb

@@ -3,25 +3,20 @@
 require 'set'
 
 module Aws
-
-  # An auto-refreshing credential provider that works by assuming
-  # a role via {Aws::STS::Client#assume_role}.
+  # An auto-refreshing credential provider that assumes a role via
+  # {Aws::STS::Client#assume_role}.
   #
   #     role_credentials = Aws::AssumeRoleCredentials.new(
   #       client: Aws::STS::Client.new(...),
   #       role_arn: "linked::account::arn",
   #       role_session_name: "session-name"
   #     )
-  #
   #     ec2 = Aws::EC2::Client.new(credentials: role_credentials)
   #
-  # If you omit `:client` option, a new {STS::Client} object will be
-  # constructed.
+  # If you omit `:client` option, a new {Aws::STS::Client} object will be
+  # constructed with additional options that were provided.
   #
-  # The AssumeRoleCredentials also provides a `before_refresh` callback
-  # that can be used to help manage refreshing tokens.
-  # `before_refresh` is called when AWS credentials are required and need
-  # to be refreshed and it is called with the AssumeRoleCredentials object.
+  # @see Aws::STS::Client#assume_role
   class AssumeRoleCredentials
 
     include CredentialProvider
@@ -49,7 +44,7 @@ module Aws
       options.each_pair do |key, value|
         if self.class.assume_role_options.include?(key)
           @assume_role_params[key] = value
-        else
+        elsif !CLIENT_EXCLUDE_OPTIONS.include?(key)
           client_opts[key] = value
         end
       end

data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb

@@ -5,9 +5,8 @@ require 'securerandom'
 require 'base64'
 
 module Aws
-
-  # An auto-refreshing credential provider that works by assuming
-  # a role via {Aws::STS::Client#assume_role_with_web_identity}.
+  # An auto-refreshing credential provider that assumes a role via
+  # {Aws::STS::Client#assume_role_with_web_identity}.
   #
   #     role_credentials = Aws::AssumeRoleWebIdentityCredentials.new(
   #       client: Aws::STS::Client.new(...),
@@ -16,12 +15,12 @@ module Aws
   #       role_session_name: "session-name"
   #       ...
   #     )
-  #     For full list of parameters accepted
-  #     @see Aws::STS::Client#assume_role_with_web_identity
+  #     ec2 = Aws::EC2::Client.new(credentials: role_credentials)
   #
+  # If you omit `:client` option, a new {Aws::STS::Client} object will be
+  # constructed with additional options that were provided.
   #
-  # If you omit `:client` option, a new {STS::Client} object will be
-  # constructed.
+  # @see Aws::STS::Client#assume_role_with_web_identity
   class AssumeRoleWebIdentityCredentials
 
     include CredentialProvider
@@ -52,7 +51,7 @@ module Aws
       options.each_pair do |key, value|
         if self.class.assume_role_web_identity_options.include?(key)
           @assume_role_web_identity_params[key] = value
-        else
+        elsif !CLIENT_EXCLUDE_OPTIONS.include?(key)
           client_opts[key] = value
         end
       end
@@ -100,11 +99,10 @@ module Aws
       # @api private
       def assume_role_web_identity_options
         @arwio ||= begin
-          input = STS::Client.api.operation(:assume_role_with_web_identity).input
+          input = Aws::STS::Client.api.operation(:assume_role_with_web_identity).input
           Set.new(input.shape.member_names)
         end
       end
-
     end
   end
 end

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -4,6 +4,11 @@ require 'time'
 require 'net/http'
 
 module Aws
+  # An auto-refreshing credential provider that loads credentials from
+  # instances running in ECS.
+  #
+  #     ecs_credentials = Aws::ECSCredentials.new(retries: 3)
+  #     ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
   class ECSCredentials
 
     include CredentialProvider

data/lib/aws-sdk-core/errors.rb

@@ -210,6 +210,19 @@ module Aws
     # Raised when SSO Credentials are invalid
     class InvalidSSOCredentials < RuntimeError; end
 
+    # Raised when SSO Token is invalid
+    class InvalidSSOToken < RuntimeError; end
+
+    # Raised when a client is unable to sign a request because
+    # the bearer token is not configured or available
+    class MissingBearerTokenError < RuntimeError
+      def initialize(*args)
+        msg = 'unable to sign request without token set'
+        super(msg)
+      end
+    end
+
+
     # Raised when there is a circular reference in chained
     # source_profiles
     class SourceProfileCircularReferenceError < RuntimeError; end

data/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -4,6 +4,11 @@ require 'time'
 require 'net/http'
 
 module Aws
+  # An auto-refreshing credential provider that loads credentials from
+  # EC2 instances.
+  #
+  #     instance_credentials = Aws::InstanceProfileCredentials.new
+  #     ec2 = Aws::EC2::Client.new(credentials: instance_credentials)
   class InstanceProfileCredentials
     include CredentialProvider
     include RefreshingCredentials

data/lib/aws-sdk-core/pageable_response.rb

@@ -146,6 +146,13 @@ module Aws
         data.to_h
       end
 
+      def as_json(_options = {})
+        data.to_h(data, as_json: true)
+      end
+
+      def to_json(options = {})
+        as_json.to_json(options)
+      end
     end
 
     # The actual decorator module implementation. It is in a distinct module

data/lib/aws-sdk-core/plugins/bearer_authorization.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module Aws
+  # @api private
+  module Plugins
+    # @api private
+    class BearerAuthorization < Seahorse::Client::Plugin
+
+      option(:token_provider,
+             required: false,
+             doc_type: 'Aws::TokenProvider',
+             docstring: <<-DOCS
+A Bearer Token Provider. This can be an instance of any one of the
+following classes:
+
+* `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
+  tokens.
+
+* `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
+  access token generated from `aws login`.
+
+When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
+will be used to search for tokens configured for your profile in shared configuration files.
+      DOCS
+      ) do |config|
+        if config.stub_responses
+          StaticTokenProvider.new('token')
+        else
+          TokenProviderChain.new(config).resolve
+        end
+      end
+
+
+      def add_handlers(handlers, cfg)
+        bearer_operations =
+          if cfg.api.metadata['signatureVersion'] == 'bearer'
+            # select operations where authtype is either not set or is bearer
+            cfg.api.operation_names.select do |o|
+              !cfg.api.operation(o)['authtype'] || cfg.api.operation(o)['authtype'] == 'bearer'
+            end
+          else # service is not bearer auth
+            # select only operations where authtype is explicitly bearer
+            cfg.api.operation_names.select do |o|
+              cfg.api.operation(o)['authtype'] == 'bearer'
+            end
+          end
+        handlers.add(Handler, step: :sign, operations: bearer_operations)
+      end
+
+      class Handler < Seahorse::Client::Handler
+        def call(context)
+          if context.http_request.endpoint.scheme != 'https'
+            raise ArgumentError, 'Unable to use bearer authorization on non https endpoint.'
+          end
+
+          token_provider = context.config.token_provider
+          if token_provider && token_provider.set?
+            context.http_request.headers['Authorization'] = "Bearer #{token_provider.token.token}"
+          else
+            raise Errors::MissingBearerTokenError
+          end
+          @handler.call(context)
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/jsonvalue_converter.rb

@@ -11,15 +11,43 @@ module Aws
 
         def call(context)
           context.operation.input.shape.members.each do |m, ref|
-            if ref['jsonvalue']
-              param_value = context.params[m]
-              unless param_value.respond_to?(:to_json)
-                raise ArgumentError, "The value of params[#{m}] is not JSON serializable."
+            convert_jsonvalue(m, ref, context.params, 'params')
+          end
+          @handler.call(context)
+        end
+
+        def convert_jsonvalue(m, ref, params, context)
+          return if params.nil? || !params.key?(m)
+
+          if ref['jsonvalue']
+            params[m] = serialize_jsonvalue(params[m], "#{context}[#{m}]")
+          else
+            case ref.shape
+            when Seahorse::Model::Shapes::StructureShape
+              ref.shape.members.each do |member_m, ref|
+                convert_jsonvalue(member_m, ref, params[m], "#{context}[#{m}]")
+              end
+            when Seahorse::Model::Shapes::ListShape
+              if ref.shape.member['jsonvalue']
+                params[m] = params[m].each_with_index.map do |v, i|
+                  serialize_jsonvalue(v, "#{context}[#{m}][#{i}]")
+                end
+              end
+            when Seahorse::Model::Shapes::MapShape
+              if ref.shape.value['jsonvalue']
+                params[m].each do |k, v|
+                  params[m][k] = serialize_jsonvalue(v, "#{context}[#{m}][#{k}]")
+                end
               end
-              context.params[m] = param_value.to_json
             end
           end
-          @handler.call(context)
+        end
+
+        def serialize_jsonvalue(v, context)
+          unless v.respond_to?(:to_json)
+            raise ArgumentError, "The value of #{context} is not JSON serializable."
+          end
+          v.to_json
         end
 
       end

data/lib/aws-sdk-core/plugins/recursion_detection.rb

@@ -9,14 +9,25 @@ module Aws
       class Handler < Seahorse::Client::Handler
         def call(context)
 
-          unless context.http_request.headers.key?('x-amz-trace-id')
+          unless context.http_request.headers.key?('x-amzn-trace-id')
             if ENV['AWS_LAMBDA_FUNCTION_NAME'] &&
-              (trace_id = ENV['_X_AMZ_TRACE_ID'])
-              context.http_request.headers['x-amz-trace-id'] = trace_id
+              (trace_id = validate_header(ENV['_X_AMZN_TRACE_ID']))
+              context.http_request.headers['x-amzn-trace-id'] = trace_id
             end
           end
           @handler.call(context)
         end
+
+        private
+        def validate_header(header_value)
+          return unless header_value
+
+          if (header_value.chars & (0..31).map(&:chr)).any?
+            raise ArgumentError, 'Invalid _X_AMZN_TRACE_ID value: '\
+              'contains ASCII control characters'
+          end
+          header_value
+        end
       end
 
       # should be at the end of build so that

data/lib/aws-sdk-core/plugins/retry_errors.rb

@@ -313,12 +313,17 @@ a clock skew correction and retry requests with skewed client clocks.
 
         def retry_request(context, error)
           context.retries += 1
-          context.config.credentials.refresh! if error.expired_credentials?
+          context.config.credentials.refresh! if refresh_credentials?(context, error)
           context.http_request.body.rewind
           context.http_response.reset
           call(context)
         end
 
+        def refresh_credentials?(context, error)
+          error.expired_credentials? &&
+            context.config.credentials.respond_to?(:refresh!)
+        end
+
         def add_retry_headers(context)
           request_pairs = {
             'attempt' => context.retries,
@@ -383,7 +388,7 @@ a clock skew correction and retry requests with skewed client clocks.
         def retry_request(context, error)
           delay_retry(context)
           context.retries += 1
-          context.config.credentials.refresh! if error.expired_credentials?
+          context.config.credentials.refresh! if refresh_credentials?(context, error)
           context.http_request.body.rewind
           context.http_response.reset
           call(context)
@@ -399,6 +404,11 @@ a clock skew correction and retry requests with skewed client clocks.
             response_truncatable?(context)
         end
 
+        def refresh_credentials?(context, error)
+          error.expired_credentials? &&
+            context.config.credentials.respond_to?(:refresh!)
+        end
+
         def retry_limit(context)
           context.config.retry_limit
         end

data/lib/aws-sdk-core/plugins/signature_v4.rb

@@ -7,6 +7,8 @@ module Aws
     # @api private
     class SignatureV4 < Seahorse::Client::Plugin
 
+      V4_AUTH = %w[v4 v4-unsigned-payload v4-unsigned-body]
+
       option(:sigv4_signer) do |cfg|
         SignatureV4.build_signer(cfg)
       end
@@ -32,13 +34,16 @@ module Aws
       end
 
       option(:unsigned_operations) do |cfg|
-        cfg.api.operation_names.inject([]) do |unsigned, operation_name|
-          if cfg.api.operation(operation_name)['authtype'] == 'none' ||
-             cfg.api.operation(operation_name)['authtype'] == 'custom'
-            # Unsign requests that has custom apigateway authorizer as well
-            unsigned << operation_name
-          else
-            unsigned
+        if cfg.api.metadata['signatureVersion'] == 'v4'
+          # select operations where authtype is set and is not v4
+          cfg.api.operation_names.select do |o|
+            cfg.api.operation(o)['authtype'] && !V4_AUTH.include?(cfg.api.operation(o)['authtype'])
+          end
+        else # service is not v4 auth
+          # select all operations where authtype is not v4
+          # (includes operations with no explicit authtype)
+          cfg.api.operation_names.select do |o|
+            !V4_AUTH.include?(cfg.api.operation(o)['authtype'])
           end
         end
       end

data/lib/aws-sdk-core/process_credentials.rb

@@ -1,19 +1,16 @@
 # frozen_string_literal: true
 
 module Aws
-
   # A credential provider that executes a given process and attempts
-  # to read its stdout to recieve a JSON payload containing the credentials
-  #
-  # Automatically handles refreshing credentials if an Expiration time is
-  # provided in the credentials payload
-  #
-  #     credentials = Aws::ProcessCredentials.new('/usr/bin/credential_proc').credentials
+  # to read its stdout to recieve a JSON payload containing the credentials.
   #
+  #     credentials = Aws::ProcessCredentials.new('/usr/bin/credential_proc')
   #     ec2 = Aws::EC2::Client.new(credentials: credentials)
   #
-  # More documentation on process based credentials can be found here:
-  # https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
+  # Automatically handles refreshing credentials if an Expiration time is
+  # provided in the credentials payload.
+  #
+  # @see https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
   class ProcessCredentials
 
     include CredentialProvider

data/lib/aws-sdk-core/refreshing_credentials.rb

@@ -20,6 +20,8 @@ module Aws
     SYNC_EXPIRATION_LENGTH = 300 # 5 minutes
     ASYNC_EXPIRATION_LENGTH = 600 # 10 minutes
 
+    CLIENT_EXCLUDE_OPTIONS = Set.new([:before_refresh]).freeze
+
     def initialize(options = {})
       @mutex = Mutex.new
       @before_refresh = options.delete(:before_refresh) if Hash === options

data/lib/aws-sdk-core/refreshing_token.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'thread'
+
+module Aws
+
+  # Module/mixin used by token provider classes that can be refreshed. This
+  # provides basic refresh logic in a thread-safe manner. Classes mixing in
+  # this module are expected to implement a #refresh method that populates
+  # the following instance variable:
+  #
+  # * `@token` [Token] - {Aws::Token} object with the `expiration` and `token`
+  #       fields set.
+  #
+  # @api private
+  module RefreshingToken
+
+    def initialize(options = {})
+      @mutex = Mutex.new
+      @before_refresh = options.delete(:before_refresh) if Hash === options
+
+      @before_refresh.call(self) if @before_refresh
+      refresh
+    end
+
+    # @return [Token]
+    def token
+      refresh_if_near_expiration
+      @token
+    end
+
+    # @return [Time,nil]
+    def expiration
+      refresh_if_near_expiration
+      @expiration
+    end
+
+    # Refresh token.
+    # @return [void]
+    def refresh!
+      @mutex.synchronize do
+        @before_refresh.call(self) if @before_refresh
+        refresh
+      end
+    end
+
+    private
+
+    # Refreshes token if it is within
+    # 5 minutes of expiration.
+    def refresh_if_near_expiration
+      if near_expiration?
+        @mutex.synchronize do
+          if near_expiration?
+            @before_refresh.call(self) if @before_refresh
+            refresh
+          end
+        end
+      end
+    end
+
+    def near_expiration?
+      if @token && @token.expiration
+        # are we within 5 minutes of expiration?
+        (Time.now.to_i + 5 * 60) > @token.expiration.to_i
+      else
+        true
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/rest/handler.rb

@@ -17,7 +17,7 @@ module Aws
 
       def apply_request_id(context)
         h = context.http_response.headers
-        context[:request_id] = h['x-amz-request-id'] || h['x-amzn-requestid']
+        context[:request_id] ||= h['x-amz-request-id'] || h['x-amzn-requestid']
       end
 
     end