aws-sdk-core 3.130.1 → 3.178.0

data/lib/aws-sdk-core/plugins/user_agent.rb

@@ -4,7 +4,31 @@ module Aws
   module Plugins
     # @api private
     class UserAgent < Seahorse::Client::Plugin
+      # @api private
       option(:user_agent_suffix)
+      # @api private
+      option(:user_agent_frameworks, default: [])
+
+      option(
+        :sdk_ua_app_id,
+        doc_type: 'String',
+        docstring: <<-DOCS) do |cfg|
+A unique and opaque application ID that is appended to the
+User-Agent header as app/<sdk_ua_app_id>. It should have a
+maximum length of 50.
+        DOCS
+        app_id = ENV['AWS_SDK_UA_APP_ID']
+        app_id ||= Aws.shared_config.sdk_ua_app_id(profile: cfg.profile)
+        app_id
+      end
+
+      def self.feature(feature, &block)
+        Thread.current[:aws_sdk_core_user_agent_feature] ||= []
+        Thread.current[:aws_sdk_core_user_agent_feature] << "ft/#{feature}"
+        block.call
+      ensure
+        Thread.current[:aws_sdk_core_user_agent_feature].pop
+      end
 
       # @api private
       class Handler < Seahorse::Client::Handler
@@ -14,33 +38,112 @@ module Aws
         end
 
         def set_user_agent(context)
-          ua = "aws-sdk-ruby3/#{CORE_GEM_VERSION}"
+          context.http_request.headers['User-Agent'] = UserAgent.new(context).to_s
+        end
+
+        class UserAgent
+          def initialize(context)
+            @context = context
+          end
+
+          def to_s
+            ua = "aws-sdk-ruby3/#{CORE_GEM_VERSION}"
+            ua += ' ua/2.0'
+            ua += " #{api_metadata}" if api_metadata
+            ua += " #{os_metadata}"
+            ua += " #{language_metadata}"
+            ua += " #{env_metadata}" if env_metadata
+            ua += " #{config_metadata}" if config_metadata
+            ua += " #{app_id}" if app_id
+            ua += " #{feature_metadata}" if feature_metadata
+            ua += " #{framework_metadata}" if framework_metadata
+            if @context.config.user_agent_suffix
+              ua += " #{@context.config.user_agent_suffix}"
+            end
+            ua.strip
+          end
+
+          private
 
-          begin
-            ua += " #{RUBY_ENGINE}/#{RUBY_VERSION}"
-          rescue
-            ua += " RUBY_ENGINE_NA/#{RUBY_VERSION}"
+          # Used to be gem_name/gem_version
+          def api_metadata
+            service_id = @context.config.api.metadata['serviceId']
+            return unless service_id
+
+            service_id = service_id.gsub(' ', '_').downcase
+            gem_version = @context[:gem_version]
+            "api/#{service_id}##{gem_version}"
+          end
+
+          # Used to be RUBY_PLATFORM
+          def os_metadata
+            os =
+              case RbConfig::CONFIG['host_os']
+              when /mac|darwin/
+                'macos'
+              when /linux|cygwin/
+                'linux'
+              when /mingw|mswin/
+                'windows'
+              else
+                'other'
+              end
+            metadata = "os/#{os}"
+            local_version = Gem::Platform.local.version
+            metadata += "##{local_version}" if local_version
+            metadata += " md/#{RbConfig::CONFIG['host_cpu']}"
+            metadata
           end
 
-          ua += " #{RUBY_PLATFORM}"
+          # Used to be RUBY_ENGINE/RUBY_VERSION
+          def language_metadata
+            "lang/#{RUBY_ENGINE}##{RUBY_ENGINE_VERSION} md/#{RUBY_VERSION}"
+          end
+
+          def env_metadata
+            return unless (execution_env = ENV['AWS_EXECUTION_ENV'])
+
+            "exec-env/#{execution_env}"
+          end
 
-          if context[:gem_name] && context[:gem_version]
-            ua += " #{context[:gem_name]}/#{context[:gem_version]}"
+          def config_metadata
+            "cfg/retry-mode##{@context.config.retry_mode}"
           end
 
-          if (execution_env = ENV['AWS_EXECUTION_ENV'])
-            ua += " exec-env/#{execution_env}"
+          def app_id
+            return unless (app_id = @context.config.sdk_ua_app_id)
+
+            # Sanitize and only allow these characters
+            app_id = app_id.gsub(/[^!#$%&'*+\-.^_`|~0-9A-Za-z]/, '-')
+            "app/#{app_id}"
           end
 
-          if context.config.user_agent_suffix
-            ua += " #{context.config.user_agent_suffix}"
+          def feature_metadata
+            return unless Thread.current[:aws_sdk_core_user_agent_feature]
+
+            Thread.current[:aws_sdk_core_user_agent_feature].join(' ')
           end
 
-          context.http_request.headers['User-Agent'] = ua.strip
+          def framework_metadata
+            if (frameworks_cfg = @context.config.user_agent_frameworks).empty?
+              return
+            end
+
+            # Frameworks may be aws-record, aws-sdk-rails, etc.
+            regex = /gems\/(?<name>#{frameworks_cfg.join('|')})-(?<version>\d+\.\d+\.\d+)/.freeze
+            frameworks = {}
+            Kernel.caller.each do |line|
+              match = line.match(regex)
+              next unless match
+
+              frameworks[match[:name]] = match[:version]
+            end
+            frameworks.map { |n, v| "lib/#{n}##{v}" }.join(' ')
+          end
         end
       end
 
-      handler(Handler)
+      handler(Handler, priority: 1)
     end
   end
 end

data/lib/aws-sdk-core/process_credentials.rb

@@ -1,19 +1,16 @@
 # frozen_string_literal: true
 
 module Aws
-
   # A credential provider that executes a given process and attempts
-  # to read its stdout to recieve a JSON payload containing the credentials
-  #
-  # Automatically handles refreshing credentials if an Expiration time is
-  # provided in the credentials payload
-  #
-  #     credentials = Aws::ProcessCredentials.new('/usr/bin/credential_proc').credentials
+  # to read its stdout to recieve a JSON payload containing the credentials.
   #
+  #     credentials = Aws::ProcessCredentials.new('/usr/bin/credential_proc')
   #     ec2 = Aws::EC2::Client.new(credentials: credentials)
   #
-  # More documentation on process based credentials can be found here:
-  # https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
+  # Automatically handles refreshing credentials if an Expiration time is
+  # provided in the credentials payload.
+  #
+  # @see https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
   class ProcessCredentials
 
     include CredentialProvider

data/lib/aws-sdk-core/refreshing_credentials.rb

@@ -20,6 +20,8 @@ module Aws
     SYNC_EXPIRATION_LENGTH = 300 # 5 minutes
     ASYNC_EXPIRATION_LENGTH = 600 # 10 minutes
 
+    CLIENT_EXCLUDE_OPTIONS = Set.new([:before_refresh]).freeze
+
     def initialize(options = {})
       @mutex = Mutex.new
       @before_refresh = options.delete(:before_refresh) if Hash === options
@@ -34,12 +36,6 @@ module Aws
       @credentials
     end
 
-    # @return [Time,nil]
-    def expiration
-      refresh_if_near_expiration!
-      @expiration
-    end
-
     # Refresh credentials.
     # @return [void]
     def refresh!

data/lib/aws-sdk-core/refreshing_token.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'thread'
+
+module Aws
+
+  # Module/mixin used by token provider classes that can be refreshed. This
+  # provides basic refresh logic in a thread-safe manner. Classes mixing in
+  # this module are expected to implement a #refresh method that populates
+  # the following instance variable:
+  #
+  # * `@token` [Token] - {Aws::Token} object with the `expiration` and `token`
+  #       fields set.
+  #
+  # @api private
+  module RefreshingToken
+
+    def initialize(options = {})
+      @mutex = Mutex.new
+      @before_refresh = options.delete(:before_refresh) if Hash === options
+
+      @before_refresh.call(self) if @before_refresh
+      refresh
+    end
+
+    # @return [Token]
+    def token
+      refresh_if_near_expiration
+      @token
+    end
+
+    # @return [Time,nil]
+    def expiration
+      refresh_if_near_expiration
+      @expiration
+    end
+
+    # Refresh token.
+    # @return [void]
+    def refresh!
+      @mutex.synchronize do
+        @before_refresh.call(self) if @before_refresh
+        refresh
+      end
+    end
+
+    private
+
+    # Refreshes token if it is within
+    # 5 minutes of expiration.
+    def refresh_if_near_expiration
+      if near_expiration?
+        @mutex.synchronize do
+          if near_expiration?
+            @before_refresh.call(self) if @before_refresh
+            refresh
+          end
+        end
+      end
+    end
+
+    def near_expiration?
+      if @token && @token.expiration
+        # are we within 5 minutes of expiration?
+        (Time.now.to_i + 5 * 60) > @token.expiration.to_i
+      else
+        true
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/rest/handler.rb

@@ -17,7 +17,7 @@ module Aws
 
       def apply_request_id(context)
         h = context.http_response.headers
-        context[:request_id] = h['x-amz-request-id'] || h['x-amzn-requestid']
+        context[:request_id] ||= h['x-amz-request-id'] || h['x-amzn-requestid']
       end
 
     end

data/lib/aws-sdk-core/rest/request/headers.rb

@@ -53,12 +53,8 @@ module Aws
           return if !value || value.empty?
           headers[ref.location_name] = value
             .compact
-            .map { |s| escape_header_list_string(s.to_s) }
-            .join(",")
-        end
-
-        def escape_header_list_string(s)
-          (s.include?('"') || s.include?(",")) ? "\"#{s.gsub('"', '\"')}\"" : s
+            .map { |s| Seahorse::Util.escape_header_list_string(s.to_s) }
+            .join(',')
         end
 
         def apply_header_map(headers, ref, values)

data/lib/aws-sdk-core/shared_config.rb

@@ -3,7 +3,11 @@
 module Aws
   # @api private
   class SharedConfig
-    SSO_PROFILE_KEYS = %w[sso_start_url sso_region sso_account_id sso_role_name].freeze
+    SSO_CREDENTIAL_PROFILE_KEYS = %w[sso_account_id sso_role_name].freeze
+    SSO_PROFILE_KEYS = %w[sso_session sso_start_url sso_region sso_account_id sso_role_name].freeze
+    SSO_TOKEN_PROFILE_KEYS = %w[sso_session].freeze
+    SSO_SESSION_KEYS = %w[sso_region sso_start_url].freeze
+
 
     # @return [String]
     attr_reader :credentials_path
@@ -51,10 +55,12 @@ module Aws
       @config_enabled = options[:config_enabled]
       @credentials_path = options[:credentials_path] ||
                           determine_credentials_path
+      @credentials_path = File.expand_path(@credentials_path) if @credentials_path
       @parsed_credentials = {}
       load_credentials_file if loadable?(@credentials_path)
       if @config_enabled
         @config_path = options[:config_path] || determine_config_path
+        @config_path = File.expand_path(@config_path) if @config_path
         load_config_file if loadable?(@config_path)
       end
     end
@@ -149,6 +155,38 @@ module Aws
       credentials
     end
 
+    # Attempts to load from shared config or shared credentials file.
+    # Will always attempt first to load from the shared credentials
+    # file, if present.
+    def sso_token_from_config(opts = {})
+      p = opts[:profile] || @profile_name
+      token = sso_token_from_profile(@parsed_credentials, p)
+      if @parsed_config
+        token ||= sso_token_from_profile(@parsed_config, p)
+      end
+      token
+    end
+
+    # Source a custom configured endpoint from the shared configuration file
+    #
+    # @param [Hash] options
+    # @option options [String] :profile
+    # @option options [String] :service_id
+    def configured_endpoint(opts = {})
+      # services section is only allowed in the shared config file (not credentials)
+      profile = opts[:profile] || @profile_name
+      service_id = opts[:service_id]&.gsub(" ", "_")&.downcase
+      if @parsed_config && (prof_config = @parsed_config[profile])
+        services_section_name = prof_config['services']
+        if (services_config = @parsed_config["services #{services_section_name}"]) &&
+          (service_config = services_config[service_id])
+          return service_config['endpoint_url'] if service_config['endpoint_url']
+        end
+        return prof_config['endpoint_url']
+      end
+      nil
+    end
+
     # Add an accessor method (similar to attr_reader) to return a configuration value
     # Uses the get_config_value below to control where
     # values are loaded from
@@ -179,7 +217,11 @@ module Aws
       :s3_use_arn_region,
       :s3_us_east_1_regional_endpoint,
       :s3_disable_multiregion_access_points,
-      :defaults_mode
+      :defaults_mode,
+      :sdk_ua_app_id,
+      :disable_request_compression,
+      :request_min_compression_size_bytes,
+      :ignore_configured_endpoint_urls
     )
 
     private
@@ -314,13 +356,66 @@ module Aws
     def sso_credentials_from_profile(cfg, profile)
       if @parsed_config &&
          (prof_config = cfg[profile]) &&
-         !(prof_config.keys & SSO_PROFILE_KEYS).empty?
+         !(prof_config.keys & SSO_CREDENTIAL_PROFILE_KEYS).empty?
+
+        if sso_session_name = prof_config['sso_session']
+          sso_session = cfg["sso-session #{sso_session_name}"]
+          unless sso_session
+            raise ArgumentError,
+                  "sso-session #{sso_session_name} must be defined in the config file. " \
+                    "Referenced by profile #{profile}"
+          end
+          sso_region = sso_session['sso_region']
+          sso_start_url = sso_session['sso_start_url']
+
+          # validate sso_region and sso_start_url don't conflict if set on profile and session
+          if prof_config['sso_region'] &&  prof_config['sso_region'] != sso_region
+            raise ArgumentError,
+                  "sso-session #{sso_session_name}'s sso_region (#{sso_region}) " \
+                    "does not match the profile #{profile}'s sso_region (#{prof_config['sso_region']}'"
+          end
+          if prof_config['sso_start_url'] &&  prof_config['sso_start_url'] != sso_start_url
+            raise ArgumentError,
+                  "sso-session #{sso_session_name}'s sso_start_url (#{sso_start_url}) " \
+                    "does not match the profile #{profile}'s sso_start_url (#{prof_config['sso_start_url']}'"
+          end
+        else
+          sso_region = prof_config['sso_region']
+          sso_start_url = prof_config['sso_start_url']
+        end
 
         SSOCredentials.new(
-          sso_start_url: prof_config['sso_start_url'],
-          sso_region: prof_config['sso_region'],
           sso_account_id: prof_config['sso_account_id'],
-          sso_role_name: prof_config['sso_role_name']
+          sso_role_name: prof_config['sso_role_name'],
+          sso_session: prof_config['sso_session'],
+          sso_region: sso_region,
+          sso_start_url: prof_config['sso_start_url']
+          )
+      end
+    end
+
+    # If the required sso_ profile values are present, attempt to construct
+    # SSOTokenProvider
+    def sso_token_from_profile(cfg, profile)
+      if @parsed_config &&
+        (prof_config = cfg[profile]) &&
+        !(prof_config.keys & SSO_TOKEN_PROFILE_KEYS).empty?
+
+        sso_session_name = prof_config['sso_session']
+        sso_session = cfg["sso-session #{sso_session_name}"]
+        unless sso_session
+          raise ArgumentError,
+                "sso-session #{sso_session_name} must be defined in the config file." \
+                  "Referenced by profile #{profile}"
+        end
+
+        unless sso_session['sso_region']
+          raise ArgumentError, "sso-session #{sso_session_name} missing required parameter: sso_region"
+        end
+
+        SSOTokenProvider.new(
+          sso_session: sso_session_name,
+          sso_region: sso_session['sso_region']
         )
       end
     end

data/lib/aws-sdk-core/sso_credentials.rb

@@ -1,45 +1,37 @@
 # frozen_string_literal: true
 
 module Aws
-  # An auto-refreshing credential provider that works by assuming a
-  # role via {Aws::SSO::Client#get_role_credentials} using a cached access
-  # token.  This class does NOT implement the SSO login token flow - tokens
-  # must generated and refreshed separately by running `aws login` from the
-  # AWS CLI with the correct profile.
-  #
-  # For more background on AWS SSO see the official
-  # {https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html what is SSO Userguide}
-  #
-  # ## Refreshing Credentials from SSO
-  #
-  # The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In
-  # addition to AWS credentials expiring after a given amount of time, the
-  # access token generated and cached from `aws login` will also expire.
-  # Once this token expires, it will not be usable to refresh AWS credentials,
-  # and another token will be needed. The SDK does not manage refreshing of
-  # the token value, but this can be done by running `aws login` with the
-  # correct profile.
-  #
+  # An auto-refreshing credential provider that assumes a role via
+  # {Aws::SSO::Client#get_role_credentials} using a cached access
+  # token. When `sso_session` is specified, token refresh logic from
+  # {Aws::SSOTokenProvider} will be used to refresh the token if possible.
+  # This class does NOT implement the SSO login token flow - tokens
+  # must generated separately by running `aws login` from the
+  # AWS CLI with the correct profile. The `SSOCredentials` will
+  # auto-refresh the AWS credentials from SSO.
   #
   #     # You must first run aws sso login --profile your-sso-profile
   #     sso_credentials = Aws::SSOCredentials.new(
   #       sso_account_id: '123456789',
   #       sso_role_name: "role_name",
   #       sso_region: "us-east-1",
-  #       sso_start_url: 'https://your-start-url.awsapps.com/start'
+  #       sso_session: 'my_sso_session'
   #     )
-  #
   #     ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
   #
-  # If you omit `:client` option, a new {SSO::Client} object will be
-  # constructed.
+  # If you omit `:client` option, a new {Aws::SSO::Client} object will be
+  # constructed with additional options that were provided.
+  #
+  # @see Aws::SSO::Client#get_role_credentials
+  # @see https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
   class SSOCredentials
 
     include CredentialProvider
     include RefreshingCredentials
 
     # @api private
-    SSO_REQUIRED_OPTS = [:sso_account_id, :sso_region, :sso_role_name, :sso_start_url].freeze
+    LEGACY_REQUIRED_OPTS =         [:sso_start_url, :sso_account_id, :sso_region, :sso_role_name].freeze
+    TOKEN_PROVIDER_REQUIRED_OPTS = [:sso_session, :sso_account_id, :sso_region, :sso_role_name].freeze
 
     # @api private
     SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
@@ -49,17 +41,23 @@ module Aws
     # @option options [required, String] :sso_account_id The AWS account ID
     #   that temporary AWS credentials will be resolved for
     #
-    # @option options [required, String] :sso_region The AWS region where the
-    #   SSO directory for the given sso_start_url is hosted.
-    #
     # @option options [required, String] :sso_role_name The corresponding
     #   IAM role in the AWS account that temporary AWS credentials
     #   will be resolved for.
     #
-    # @option options [required, String] :sso_start_url The start URL is
-    #   provided by the SSO service via the console and is the URL used to
+    # @option options [required, String] :sso_region The AWS region where the
+    #   SSO directory for the given sso_start_url is hosted.
+    #
+    # @option options [String] :sso_session The SSO Token used for fetching
+    #   the token. If provided, refresh logic from the {Aws::SSOTokenProvider}
+    #   will be used.
+    #
+    # @option options [String] :sso_start_url (legacy profiles) If provided,
+    #   legacy token fetch behavior will be used, which does not support
+    #   token refreshing.  The start URL is provided by the SSO
+    #   service via the console and is the URL used to
     #   login to the SSO directory. This is also sometimes referred to as
-    #   the "User Portal URL"
+    #   the "User Portal URL".
     #
     # @option options [SSO::Client] :client Optional `SSO::Client`.  If not
     #   provided, a client will be constructed.
@@ -69,23 +67,52 @@ module Aws
     #   with an instance of this object when
     #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
+      options = options.select {|k, v| !v.nil? }
+      if (options[:sso_session])
+        missing_keys = TOKEN_PROVIDER_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = false
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
 
-      missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
-      unless missing_keys.empty?
-        raise ArgumentError, "Missing required keys: #{missing_keys}"
-      end
+        # if client has been passed, don't pass through to SSOTokenProvider
+        @client = options.delete(:client)
+        options.delete(:sso_start_url)
+        @token_provider = Aws::SSOTokenProvider.new(options.dup)
+        @sso_session = options.delete(:sso_session)
+        @sso_region = options.delete(:sso_region)
+
+        unless @client
+          client_opts = {}
+          options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+          client_opts[:region] = @sso_region
+          client_opts[:credentials] = nil
+          @client = Aws::SSO::Client.new(client_opts)
+        end
+      else # legacy behavior
+        missing_keys = LEGACY_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = true
+        @sso_start_url = options.delete(:sso_start_url)
+        @sso_region = options.delete(:sso_region)
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
 
-      @sso_start_url = options.delete(:sso_start_url)
-      @sso_region = options.delete(:sso_region)
-      @sso_role_name = options.delete(:sso_role_name)
-      @sso_account_id = options.delete(:sso_account_id)
+        # validate we can read the token file
+        read_cached_token
 
-      # validate we can read the token file
-      read_cached_token
+        client_opts = {}
+        options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+        client_opts[:region] = @sso_region
+        client_opts[:credentials] = nil
+
+        @client = options[:client] || Aws::SSO::Client.new(client_opts)
+      end
 
-      options[:region] = @sso_region
-      options[:credentials] = nil
-      @client = options[:client] || Aws::SSO::Client.new(options)
       @async_refresh = true
       super
     end
@@ -111,19 +138,27 @@ module Aws
     end
 
     def refresh
-      cached_token = read_cached_token
-      c = @client.get_role_credentials(
-        account_id: @sso_account_id,
-        role_name: @sso_role_name,
-        access_token: cached_token['accessToken']
-      ).role_credentials
+      c = if @legacy
+            cached_token = read_cached_token
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: cached_token['accessToken']
+            ).role_credentials
+          else
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: @token_provider.token.token
+            ).role_credentials
+          end
 
       @credentials = Credentials.new(
         c.access_key_id,
         c.secret_access_key,
         c.session_token
       )
-      @expiration = c.expiration
+      @expiration = Time.at(c.expiration / 1000.0)
     end
 
     def sso_cache_file