aws-sdk-core 3.130.1 → 3.171.0

data/lib/aws-sdk-core/plugins/sign.rb

@@ -0,0 +1,200 @@
+# frozen_string_literal: true
+
+require 'aws-sigv4'
+
+module Aws
+  module Plugins
+    # @api private
+    class Sign < Seahorse::Client::Plugin
+      # These once had defaults. But now they are used as overrides to
+      # new endpoint and auth resolution.
+      option(:sigv4_signer)
+      option(:sigv4_name)
+      option(:sigv4_region)
+      option(:unsigned_operations, default: [])
+
+      supported_auth_types = %w[sigv4 bearer none]
+      supported_auth_types += ['sigv4a'] if Aws::Sigv4::Signer.use_crt?
+      SUPPORTED_AUTH_TYPES = supported_auth_types.freeze
+
+      def add_handlers(handlers, cfg)
+        operations = cfg.api.operation_names - cfg.unsigned_operations
+        handlers.add(Handler, step: :sign, operations: operations)
+      end
+
+      # @api private
+      # Return a signer with the `sign(context)` method
+      def self.signer_for(auth_scheme, config, region_override = nil)
+        case auth_scheme['name']
+        when 'sigv4', 'sigv4a'
+          SignatureV4.new(auth_scheme, config, region_override)
+        when 'bearer'
+          Bearer.new
+        else
+          NullSigner.new
+        end
+      end
+
+      class Handler < Seahorse::Client::Handler
+        def call(context)
+          # Skip signing if using sigv2 signing from s3_signer in S3
+          unless v2_signing?(context.config)
+            signer = Sign.signer_for(
+              context[:auth_scheme],
+              context.config,
+              context[:sigv4_region]
+            )
+            signer.sign(context)
+          end
+          @handler.call(context)
+        end
+
+        private
+
+        def v2_signing?(config)
+          # 's3' is legacy signing, 'v4' is default
+          config.respond_to?(:signature_version) &&
+            config.signature_version == 's3'
+        end
+      end
+
+      # @api private
+      class Bearer
+        def initialize
+        end
+
+        def sign(context)
+          if context.http_request.endpoint.scheme != 'https'
+            raise ArgumentError,
+                  'Unable to use bearer authorization on non https endpoint.'
+          end
+
+          token_provider = context.config.token_provider
+
+          raise Errors::MissingBearerTokenError unless token_provider&.set?
+
+          context.http_request.headers['Authorization'] =
+            "Bearer #{token_provider.token.token}"
+        end
+
+        def presign_url(*args)
+          raise ArgumentError, 'Bearer auth does not support presigned urls'
+        end
+
+        def sign_event(*args)
+          raise ArgumentError, 'Bearer auth does not support event signing'
+        end
+      end
+
+      # @api private
+      class SignatureV4
+        def initialize(auth_scheme, config, region_override = nil)
+          scheme_name = auth_scheme['name']
+
+          unless %w[sigv4 sigv4a].include?(scheme_name)
+            raise ArgumentError,
+                  "Expected sigv4 or sigv4a auth scheme, got #{scheme_name}"
+          end
+
+          region = if scheme_name == 'sigv4a'
+                     auth_scheme['signingRegionSet'].first
+                   else
+                     auth_scheme['signingRegion']
+                   end
+          begin
+            @signer = Aws::Sigv4::Signer.new(
+              service: config.sigv4_name || auth_scheme['signingName'],
+              region: region_override || config.sigv4_region || region,
+              credentials_provider: config.credentials,
+              signing_algorithm: scheme_name.to_sym,
+              uri_escape_path: !!!auth_scheme['disableDoubleEncoding'],
+              unsigned_headers: %w[content-length user-agent x-amzn-trace-id]
+            )
+          rescue Aws::Sigv4::Errors::MissingCredentialsError
+            raise Aws::Errors::MissingCredentialsError
+          end
+        end
+
+        def sign(context)
+          req = context.http_request
+
+          apply_authtype(context, req)
+          reset_signature(req)
+          apply_clock_skew(context, req)
+
+          # compute the signature
+          begin
+            signature = @signer.sign_request(
+              http_method: req.http_method,
+              url: req.endpoint,
+              headers: req.headers,
+              body: req.body
+            )
+          rescue Aws::Sigv4::Errors::MissingCredentialsError
+            # Necessary for when credentials is explicitly set to nil
+            raise Aws::Errors::MissingCredentialsError
+          end
+          # apply signature headers
+          req.headers.update(signature.headers)
+
+          # add request metadata with signature components for debugging
+          context[:canonical_request] = signature.canonical_request
+          context[:string_to_sign] = signature.string_to_sign
+        end
+
+        def presign_url(*args)
+          @signer.presign_url(*args)
+        end
+
+        def sign_event(*args)
+          @signer.sign_event(*args)
+        end
+
+        private
+
+        def apply_authtype(context, req)
+          if context.operation['authtype'].eql?('v4-unsigned-body') &&
+             req.endpoint.scheme.eql?('https')
+            req.headers['X-Amz-Content-Sha256'] ||= 'UNSIGNED-PAYLOAD'
+          end
+        end
+
+        def reset_signature(req)
+          # in case this request is being re-signed
+          req.headers.delete('Authorization')
+          req.headers.delete('X-Amz-Security-Token')
+          req.headers.delete('X-Amz-Date')
+          req.headers.delete('x-Amz-Region-Set')
+        end
+
+        def apply_clock_skew(context, req)
+          if context.config.respond_to?(:clock_skew) &&
+             context.config.clock_skew &&
+             context.config.correct_clock_skew
+
+            endpoint = context.http_request.endpoint
+            skew = context.config.clock_skew.clock_correction(endpoint)
+            if skew.abs.positive?
+              req.headers['X-Amz-Date'] =
+                (Time.now.utc + skew).strftime('%Y%m%dT%H%M%SZ')
+            end
+          end
+        end
+
+      end
+
+      # @api private
+      class NullSigner
+
+        def sign(context)
+        end
+
+        def presign_url(*args)
+        end
+
+        def sign_event(*args)
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/signature_v2.rb

@@ -3,6 +3,7 @@
 module Aws
   module Plugins
     # @api private
+    # Necessary to keep after Endpoints 2.0
     class SignatureV2 < Seahorse::Client::Plugin
 
       option(:v2_signer) do |cfg|

data/lib/aws-sdk-core/plugins/signature_v4.rb

@@ -5,8 +5,11 @@ require 'aws-sigv4'
 module Aws
   module Plugins
     # @api private
+    # Necessary to exist after endpoints 2.0
     class SignatureV4 < Seahorse::Client::Plugin
 
+      V4_AUTH = %w[v4 v4-unsigned-payload v4-unsigned-body]
+
       option(:sigv4_signer) do |cfg|
         SignatureV4.build_signer(cfg)
       end
@@ -32,13 +35,16 @@ module Aws
       end
 
       option(:unsigned_operations) do |cfg|
-        cfg.api.operation_names.inject([]) do |unsigned, operation_name|
-          if cfg.api.operation(operation_name)['authtype'] == 'none' ||
-             cfg.api.operation(operation_name)['authtype'] == 'custom'
-            # Unsign requests that has custom apigateway authorizer as well
-            unsigned << operation_name
-          else
-            unsigned
+        if cfg.api.metadata['signatureVersion'] == 'v4'
+          # select operations where authtype is set and is not v4
+          cfg.api.operation_names.select do |o|
+            cfg.api.operation(o)['authtype'] && !V4_AUTH.include?(cfg.api.operation(o)['authtype'])
+          end
+        else # service is not v4 auth
+          # select all operations where authtype is not v4
+          # (includes operations with no explicit authtype)
+          cfg.api.operation_names.select do |o|
+            !V4_AUTH.include?(cfg.api.operation(o)['authtype'])
           end
         end
       end

data/lib/aws-sdk-core/process_credentials.rb

@@ -1,19 +1,16 @@
 # frozen_string_literal: true
 
 module Aws
-
   # A credential provider that executes a given process and attempts
-  # to read its stdout to recieve a JSON payload containing the credentials
-  #
-  # Automatically handles refreshing credentials if an Expiration time is
-  # provided in the credentials payload
-  #
-  #     credentials = Aws::ProcessCredentials.new('/usr/bin/credential_proc').credentials
+  # to read its stdout to recieve a JSON payload containing the credentials.
   #
+  #     credentials = Aws::ProcessCredentials.new('/usr/bin/credential_proc')
   #     ec2 = Aws::EC2::Client.new(credentials: credentials)
   #
-  # More documentation on process based credentials can be found here:
-  # https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
+  # Automatically handles refreshing credentials if an Expiration time is
+  # provided in the credentials payload.
+  #
+  # @see https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
   class ProcessCredentials
 
     include CredentialProvider

data/lib/aws-sdk-core/refreshing_credentials.rb

@@ -20,6 +20,8 @@ module Aws
     SYNC_EXPIRATION_LENGTH = 300 # 5 minutes
     ASYNC_EXPIRATION_LENGTH = 600 # 10 minutes
 
+    CLIENT_EXCLUDE_OPTIONS = Set.new([:before_refresh]).freeze
+
     def initialize(options = {})
       @mutex = Mutex.new
       @before_refresh = options.delete(:before_refresh) if Hash === options

data/lib/aws-sdk-core/refreshing_token.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'thread'
+
+module Aws
+
+  # Module/mixin used by token provider classes that can be refreshed. This
+  # provides basic refresh logic in a thread-safe manner. Classes mixing in
+  # this module are expected to implement a #refresh method that populates
+  # the following instance variable:
+  #
+  # * `@token` [Token] - {Aws::Token} object with the `expiration` and `token`
+  #       fields set.
+  #
+  # @api private
+  module RefreshingToken
+
+    def initialize(options = {})
+      @mutex = Mutex.new
+      @before_refresh = options.delete(:before_refresh) if Hash === options
+
+      @before_refresh.call(self) if @before_refresh
+      refresh
+    end
+
+    # @return [Token]
+    def token
+      refresh_if_near_expiration
+      @token
+    end
+
+    # @return [Time,nil]
+    def expiration
+      refresh_if_near_expiration
+      @expiration
+    end
+
+    # Refresh token.
+    # @return [void]
+    def refresh!
+      @mutex.synchronize do
+        @before_refresh.call(self) if @before_refresh
+        refresh
+      end
+    end
+
+    private
+
+    # Refreshes token if it is within
+    # 5 minutes of expiration.
+    def refresh_if_near_expiration
+      if near_expiration?
+        @mutex.synchronize do
+          if near_expiration?
+            @before_refresh.call(self) if @before_refresh
+            refresh
+          end
+        end
+      end
+    end
+
+    def near_expiration?
+      if @token && @token.expiration
+        # are we within 5 minutes of expiration?
+        (Time.now.to_i + 5 * 60) > @token.expiration.to_i
+      else
+        true
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/rest/handler.rb

@@ -17,7 +17,7 @@ module Aws
 
       def apply_request_id(context)
         h = context.http_response.headers
-        context[:request_id] = h['x-amz-request-id'] || h['x-amzn-requestid']
+        context[:request_id] ||= h['x-amz-request-id'] || h['x-amzn-requestid']
       end
 
     end

data/lib/aws-sdk-core/rest/request/headers.rb

@@ -53,12 +53,8 @@ module Aws
           return if !value || value.empty?
           headers[ref.location_name] = value
             .compact
-            .map { |s| escape_header_list_string(s.to_s) }
-            .join(",")
-        end
-
-        def escape_header_list_string(s)
-          (s.include?('"') || s.include?(",")) ? "\"#{s.gsub('"', '\"')}\"" : s
+            .map { |s| Seahorse::Util.escape_header_list_string(s.to_s) }
+            .join(',')
         end
 
         def apply_header_map(headers, ref, values)

data/lib/aws-sdk-core/shared_config.rb

@@ -3,7 +3,11 @@
 module Aws
   # @api private
   class SharedConfig
-    SSO_PROFILE_KEYS = %w[sso_start_url sso_region sso_account_id sso_role_name].freeze
+    SSO_CREDENTIAL_PROFILE_KEYS = %w[sso_account_id sso_role_name].freeze
+    SSO_PROFILE_KEYS = %w[sso_session sso_start_url sso_region sso_account_id sso_role_name].freeze
+    SSO_TOKEN_PROFILE_KEYS = %w[sso_session].freeze
+    SSO_SESSION_KEYS = %w[sso_region sso_start_url].freeze
+
 
     # @return [String]
     attr_reader :credentials_path
@@ -51,10 +55,12 @@ module Aws
       @config_enabled = options[:config_enabled]
       @credentials_path = options[:credentials_path] ||
                           determine_credentials_path
+      @credentials_path = File.expand_path(@credentials_path) if @credentials_path
       @parsed_credentials = {}
       load_credentials_file if loadable?(@credentials_path)
       if @config_enabled
         @config_path = options[:config_path] || determine_config_path
+        @config_path = File.expand_path(@config_path) if @config_path
         load_config_file if loadable?(@config_path)
       end
     end
@@ -149,6 +155,18 @@ module Aws
       credentials
     end
 
+    # Attempts to load from shared config or shared credentials file.
+    # Will always attempt first to load from the shared credentials
+    # file, if present.
+    def sso_token_from_config(opts = {})
+      p = opts[:profile] || @profile_name
+      token = sso_token_from_profile(@parsed_credentials, p)
+      if @parsed_config
+        token ||= sso_token_from_profile(@parsed_config, p)
+      end
+      token
+    end
+
     # Add an accessor method (similar to attr_reader) to return a configuration value
     # Uses the get_config_value below to control where
     # values are loaded from
@@ -314,13 +332,66 @@ module Aws
     def sso_credentials_from_profile(cfg, profile)
       if @parsed_config &&
          (prof_config = cfg[profile]) &&
-         !(prof_config.keys & SSO_PROFILE_KEYS).empty?
+         !(prof_config.keys & SSO_CREDENTIAL_PROFILE_KEYS).empty?
+
+        if sso_session_name = prof_config['sso_session']
+          sso_session = cfg["sso-session #{sso_session_name}"]
+          unless sso_session
+            raise ArgumentError,
+                  "sso-session #{sso_session_name} must be defined in the config file. " \
+                    "Referenced by profile #{profile}"
+          end
+          sso_region = sso_session['sso_region']
+          sso_start_url = sso_session['sso_start_url']
+
+          # validate sso_region and sso_start_url don't conflict if set on profile and session
+          if prof_config['sso_region'] &&  prof_config['sso_region'] != sso_region
+            raise ArgumentError,
+                  "sso-session #{sso_session_name}'s sso_region (#{sso_region}) " \
+                    "does not match the profile #{profile}'s sso_region (#{prof_config['sso_region']}'"
+          end
+          if prof_config['sso_start_url'] &&  prof_config['sso_start_url'] != sso_start_url
+            raise ArgumentError,
+                  "sso-session #{sso_session_name}'s sso_start_url (#{sso_start_url}) " \
+                    "does not match the profile #{profile}'s sso_start_url (#{prof_config['sso_start_url']}'"
+          end
+        else
+          sso_region = prof_config['sso_region']
+          sso_start_url = prof_config['sso_start_url']
+        end
 
         SSOCredentials.new(
-          sso_start_url: prof_config['sso_start_url'],
-          sso_region: prof_config['sso_region'],
           sso_account_id: prof_config['sso_account_id'],
-          sso_role_name: prof_config['sso_role_name']
+          sso_role_name: prof_config['sso_role_name'],
+          sso_session: prof_config['sso_session'],
+          sso_region: sso_region,
+          sso_start_url: prof_config['sso_start_url']
+          )
+      end
+    end
+
+    # If the required sso_ profile values are present, attempt to construct
+    # SSOTokenProvider
+    def sso_token_from_profile(cfg, profile)
+      if @parsed_config &&
+        (prof_config = cfg[profile]) &&
+        !(prof_config.keys & SSO_TOKEN_PROFILE_KEYS).empty?
+
+        sso_session_name = prof_config['sso_session']
+        sso_session = cfg["sso-session #{sso_session_name}"]
+        unless sso_session
+          raise ArgumentError,
+                "sso-session #{sso_session_name} must be defined in the config file." \
+                  "Referenced by profile #{profile}"
+        end
+
+        unless sso_session['sso_region']
+          raise ArgumentError, "sso-session #{sso_session_name} missing required parameter: sso_region"
+        end
+
+        SSOTokenProvider.new(
+          sso_session: sso_session_name,
+          sso_region: sso_session['sso_region']
         )
       end
     end

data/lib/aws-sdk-core/sso_credentials.rb

@@ -1,45 +1,37 @@
 # frozen_string_literal: true
 
 module Aws
-  # An auto-refreshing credential provider that works by assuming a
-  # role via {Aws::SSO::Client#get_role_credentials} using a cached access
-  # token.  This class does NOT implement the SSO login token flow - tokens
-  # must generated and refreshed separately by running `aws login` from the
-  # AWS CLI with the correct profile.
-  #
-  # For more background on AWS SSO see the official
-  # {https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html what is SSO Userguide}
-  #
-  # ## Refreshing Credentials from SSO
-  #
-  # The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In
-  # addition to AWS credentials expiring after a given amount of time, the
-  # access token generated and cached from `aws login` will also expire.
-  # Once this token expires, it will not be usable to refresh AWS credentials,
-  # and another token will be needed. The SDK does not manage refreshing of
-  # the token value, but this can be done by running `aws login` with the
-  # correct profile.
-  #
+  # An auto-refreshing credential provider that assumes a role via
+  # {Aws::SSO::Client#get_role_credentials} using a cached access
+  # token. When `sso_session` is specified, token refresh logic from
+  # {Aws::SSOTokenProvider} will be used to refresh the token if possible.
+  # This class does NOT implement the SSO login token flow - tokens
+  # must generated separately by running `aws login` from the
+  # AWS CLI with the correct profile. The `SSOCredentials` will
+  # auto-refresh the AWS credentials from SSO.
   #
   #     # You must first run aws sso login --profile your-sso-profile
   #     sso_credentials = Aws::SSOCredentials.new(
   #       sso_account_id: '123456789',
   #       sso_role_name: "role_name",
   #       sso_region: "us-east-1",
-  #       sso_start_url: 'https://your-start-url.awsapps.com/start'
+  #       sso_session: 'my_sso_session'
   #     )
-  #
   #     ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
   #
-  # If you omit `:client` option, a new {SSO::Client} object will be
-  # constructed.
+  # If you omit `:client` option, a new {Aws::SSO::Client} object will be
+  # constructed with additional options that were provided.
+  #
+  # @see Aws::SSO::Client#get_role_credentials
+  # @see https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
   class SSOCredentials
 
     include CredentialProvider
     include RefreshingCredentials
 
     # @api private
-    SSO_REQUIRED_OPTS = [:sso_account_id, :sso_region, :sso_role_name, :sso_start_url].freeze
+    LEGACY_REQUIRED_OPTS =         [:sso_start_url, :sso_account_id, :sso_region, :sso_role_name].freeze
+    TOKEN_PROVIDER_REQUIRED_OPTS = [:sso_session, :sso_account_id, :sso_region, :sso_role_name].freeze
 
     # @api private
     SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
@@ -49,17 +41,23 @@ module Aws
     # @option options [required, String] :sso_account_id The AWS account ID
     #   that temporary AWS credentials will be resolved for
     #
-    # @option options [required, String] :sso_region The AWS region where the
-    #   SSO directory for the given sso_start_url is hosted.
-    #
     # @option options [required, String] :sso_role_name The corresponding
     #   IAM role in the AWS account that temporary AWS credentials
     #   will be resolved for.
     #
-    # @option options [required, String] :sso_start_url The start URL is
-    #   provided by the SSO service via the console and is the URL used to
+    # @option options [required, String] :sso_region The AWS region where the
+    #   SSO directory for the given sso_start_url is hosted.
+    #
+    # @option options [String] :sso_session The SSO Token used for fetching
+    #   the token. If provided, refresh logic from the {Aws::SSOTokenProvider}
+    #   will be used.
+    #
+    # @option options [String] :sso_start_url (legacy profiles) If provided,
+    #   legacy token fetch behavior will be used, which does not support
+    #   token refreshing.  The start URL is provided by the SSO
+    #   service via the console and is the URL used to
     #   login to the SSO directory. This is also sometimes referred to as
-    #   the "User Portal URL"
+    #   the "User Portal URL".
     #
     # @option options [SSO::Client] :client Optional `SSO::Client`.  If not
     #   provided, a client will be constructed.
@@ -69,23 +67,52 @@ module Aws
     #   with an instance of this object when
     #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
+      options = options.select {|k, v| !v.nil? }
+      if (options[:sso_session])
+        missing_keys = TOKEN_PROVIDER_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = false
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
 
-      missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
-      unless missing_keys.empty?
-        raise ArgumentError, "Missing required keys: #{missing_keys}"
-      end
+        # if client has been passed, don't pass through to SSOTokenProvider
+        @client = options.delete(:client)
+        options.delete(:sso_start_url)
+        @token_provider = Aws::SSOTokenProvider.new(options.dup)
+        @sso_session = options.delete(:sso_session)
+        @sso_region = options.delete(:sso_region)
+
+        unless @client
+          client_opts = {}
+          options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+          client_opts[:region] = @sso_region
+          client_opts[:credentials] = nil
+          @client = Aws::SSO::Client.new(client_opts)
+        end
+      else # legacy behavior
+        missing_keys = LEGACY_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = true
+        @sso_start_url = options.delete(:sso_start_url)
+        @sso_region = options.delete(:sso_region)
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
 
-      @sso_start_url = options.delete(:sso_start_url)
-      @sso_region = options.delete(:sso_region)
-      @sso_role_name = options.delete(:sso_role_name)
-      @sso_account_id = options.delete(:sso_account_id)
+        # validate we can read the token file
+        read_cached_token
 
-      # validate we can read the token file
-      read_cached_token
+        client_opts = {}
+        options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+        client_opts[:region] = @sso_region
+        client_opts[:credentials] = nil
+
+        @client = options[:client] || Aws::SSO::Client.new(client_opts)
+      end
 
-      options[:region] = @sso_region
-      options[:credentials] = nil
-      @client = options[:client] || Aws::SSO::Client.new(options)
       @async_refresh = true
       super
     end
@@ -111,12 +138,20 @@ module Aws
     end
 
     def refresh
-      cached_token = read_cached_token
-      c = @client.get_role_credentials(
-        account_id: @sso_account_id,
-        role_name: @sso_role_name,
-        access_token: cached_token['accessToken']
-      ).role_credentials
+      c = if @legacy
+            cached_token = read_cached_token
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: cached_token['accessToken']
+            ).role_credentials
+          else
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: @token_provider.token.token
+            ).role_credentials
+          end
 
       @credentials = Credentials.new(
         c.access_key_id,