aws-sdk-core 3.131.1 → 3.148.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d25aed21a4d1a4e440f095565b04567939d9f1762346a1402373e19c402ca8f0
-  data.tar.gz: 237863ff6fbc7e36e5787721ae68c50f04e4453265f14465c7c51ba168d59a05
+  metadata.gz: 5469fd4081057eecd1781cd8bcf9d5d8c8703616d626b895541e3e72ce7671dc
+  data.tar.gz: fd3087eec39a586f868099a95a9b7be59e3c3cc02d67d7010a2e3cab8a325f7e
 SHA512:
-  metadata.gz: 5864566f11163702d6a0d3e187ee827f47ebfd1c24030d8da65d4b4e234532338c532669e6fea385ef94b433e49a29ed84be5aa85740504cf86d2f764e779313
-  data.tar.gz: 1afd6c9611c06bda29cadf6fc0ffa29a1f3baec7d31a8365a0de91e6cf273bbd403a44f075da83dd22c61fc3f0f62ceb1ad59b78cc6df2f18ebd82774face1c7
+  metadata.gz: 97f88e28c0056ca13daaff0bf6092ecf8f5d88255846b8517099b35a3fb1946160b2a7049d4ca059c8797c7ae0ca74362a2b50131baa7072c2ad32b30349199a
+  data.tar.gz: 60c574c3bfd3cd90123099ece6c1575af52a36357be2848807da713577c8ac8a3a9baa1b89a17f82f46040086c6163be525026bd11fb1e80662b31a4f8a79ca4

data/CHANGELOG.md

@@ -1,6 +1,122 @@
 Unreleased Changes
 ------------------
 
+3.148.0 (2022-09-15)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.147.0 (2022-09-14)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.146.0 (2022-09-13)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.145.0 (2022-09-12)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.144.0 (2022-09-09)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.143.0 (2022-09-08)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.142.0 (2022-09-07)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.141.0 (2022-09-06)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.140.0 (2022-09-02)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.139.0 (2022-09-01)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.138.0 (2022-08-31)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.137.0 (2022-08-30)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Issue - Fix errors in recursion detection when `_X_AMZN_TRACE_ID` is unset (#2748).
+
+3.136.0 (2022-08-25)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.135.0 (2022-08-24)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.134.0 (2022-08-23)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Add support for Bearer Token Authentication and TokenProviders.
+* Issue - Validate that `_X_AMZN_TRACE_ID` ENV value contains only valid, non-control characters.
+
+3.133.0 (2022-08-22)
+------------------
+
+* Feature - Moved functionality from `aws-sdk-ssoidc` into core.
+
+3.132.0 (2022-08-08)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.131.6 (2022-08-03)
+------------------
+
+* Issue - Fix typo in `RecursionDetection`, change amz to amzn in header and env name.
+
+3.131.5 (2022-07-28)
+------------------
+
+* Issue - Fix `to_json` usage in nested hashes by defining `as_json` (#2733).
+
+3.131.4 (2022-07-27)
+------------------
+
+* Issue - Fix `to_json` usage on pageable responses when using Rails (#2733).
+* Issue - Use `expand_path` on credential/config paths in SharedConfig (#2735).
+
+3.131.3 (2022-07-18)
+------------------
+
+* Issue - Add support for serializing shapes on the body with `jsonvalue` members.
+
+3.131.2 (2022-06-20)
+------------------
+
+* Issue - Populate context :request_id for XML error responses.
+
 3.131.1 (2022-05-20)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.131.1
+3.148.0

data/lib/aws-sdk-core/errors.rb

@@ -210,6 +210,19 @@ module Aws
     # Raised when SSO Credentials are invalid
     class InvalidSSOCredentials < RuntimeError; end
 
+    # Raised when SSO Token is invalid
+    class InvalidSSOToken < RuntimeError; end
+
+    # Raised when a client is unable to sign a request because
+    # the bearer token is not configured or available
+    class MissingBearerTokenError < RuntimeError
+      def initialize(*args)
+        msg = 'unable to sign request without token set'
+        super(msg)
+      end
+    end
+
+
     # Raised when there is a circular reference in chained
     # source_profiles
     class SourceProfileCircularReferenceError < RuntimeError; end

data/lib/aws-sdk-core/pageable_response.rb

@@ -146,6 +146,13 @@ module Aws
         data.to_h
       end
 
+      def as_json(_options = {})
+        data.to_h(data, as_json: true)
+      end
+
+      def to_json(options = {})
+        as_json.to_json(options)
+      end
     end
 
     # The actual decorator module implementation. It is in a distinct module

data/lib/aws-sdk-core/plugins/bearer_authorization.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module Aws
+  # @api private
+  module Plugins
+    # @api private
+    class BearerAuthorization < Seahorse::Client::Plugin
+
+      option(:token_provider,
+             required: false,
+             doc_type: 'Aws::TokenProvider',
+             docstring: <<-DOCS
+A Bearer Token Provider. This can be an instance of any one of the
+following classes:
+
+* `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
+  tokens.
+
+* `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
+  access token generated from `aws login`.
+
+When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
+will be used to search for tokens configured for your profile in shared configuration files.
+      DOCS
+      ) do |config|
+        if config.stub_responses
+          StaticTokenProvider.new('token')
+        else
+          TokenProviderChain.new(config).resolve
+        end
+      end
+
+
+      def add_handlers(handlers, cfg)
+        bearer_operations =
+          if cfg.api.metadata['signatureVersion'] == 'bearer'
+            # select operations where authtype is either not set or is bearer
+            cfg.api.operation_names.select do |o|
+              !cfg.api.operation(o)['authtype'] || cfg.api.operation(o)['authtype'] == 'bearer'
+            end
+          else # service is not bearer auth
+            # select only operations where authtype is explicitly bearer
+            cfg.api.operation_names.select do |o|
+              cfg.api.operation(o)['authtype'] == 'bearer'
+            end
+          end
+        handlers.add(Handler, step: :sign, operations: bearer_operations)
+      end
+
+      class Handler < Seahorse::Client::Handler
+        def call(context)
+          if context.http_request.endpoint.scheme != 'https'
+            raise ArgumentError, 'Unable to use bearer authorization on non https endpoint.'
+          end
+
+          token_provider = context.config.token_provider
+          if token_provider && token_provider.set?
+            context.http_request.headers['Authorization'] = "Bearer #{token_provider.token.token}"
+          else
+            raise Errors::MissingBearerTokenError
+          end
+          @handler.call(context)
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/jsonvalue_converter.rb

@@ -11,15 +11,43 @@ module Aws
 
         def call(context)
           context.operation.input.shape.members.each do |m, ref|
-            if ref['jsonvalue']
-              param_value = context.params[m]
-              unless param_value.respond_to?(:to_json)
-                raise ArgumentError, "The value of params[#{m}] is not JSON serializable."
+            convert_jsonvalue(m, ref, context.params, 'params')
+          end
+          @handler.call(context)
+        end
+
+        def convert_jsonvalue(m, ref, params, context)
+          return if params.nil? || !params.key?(m)
+
+          if ref['jsonvalue']
+            params[m] = serialize_jsonvalue(params[m], "#{context}[#{m}]")
+          else
+            case ref.shape
+            when Seahorse::Model::Shapes::StructureShape
+              ref.shape.members.each do |member_m, ref|
+                convert_jsonvalue(member_m, ref, params[m], "#{context}[#{m}]")
+              end
+            when Seahorse::Model::Shapes::ListShape
+              if ref.shape.member['jsonvalue']
+                params[m] = params[m].each_with_index.map do |v, i|
+                  serialize_jsonvalue(v, "#{context}[#{m}][#{i}]")
+                end
+              end
+            when Seahorse::Model::Shapes::MapShape
+              if ref.shape.value['jsonvalue']
+                params[m].each do |k, v|
+                  params[m][k] = serialize_jsonvalue(v, "#{context}[#{m}][#{k}]")
+                end
               end
-              context.params[m] = param_value.to_json
             end
           end
-          @handler.call(context)
+        end
+
+        def serialize_jsonvalue(v, context)
+          unless v.respond_to?(:to_json)
+            raise ArgumentError, "The value of #{context} is not JSON serializable."
+          end
+          v.to_json
         end
 
       end

data/lib/aws-sdk-core/plugins/recursion_detection.rb

@@ -9,14 +9,25 @@ module Aws
       class Handler < Seahorse::Client::Handler
         def call(context)
 
-          unless context.http_request.headers.key?('x-amz-trace-id')
+          unless context.http_request.headers.key?('x-amzn-trace-id')
             if ENV['AWS_LAMBDA_FUNCTION_NAME'] &&
-              (trace_id = ENV['_X_AMZ_TRACE_ID'])
-              context.http_request.headers['x-amz-trace-id'] = trace_id
+              (trace_id = validate_header(ENV['_X_AMZN_TRACE_ID']))
+              context.http_request.headers['x-amzn-trace-id'] = trace_id
             end
           end
           @handler.call(context)
         end
+
+        private
+        def validate_header(header_value)
+          return unless header_value
+
+          if (header_value.chars & (0..31).map(&:chr)).any?
+            raise ArgumentError, 'Invalid _X_AMZN_TRACE_ID value: '\
+              'contains ASCII control characters'
+          end
+          header_value
+        end
       end
 
       # should be at the end of build so that

data/lib/aws-sdk-core/plugins/signature_v4.rb

@@ -7,6 +7,8 @@ module Aws
     # @api private
     class SignatureV4 < Seahorse::Client::Plugin
 
+      V4_AUTH = %w[v4 v4-unsigned-payload v4-unsigned-body]
+
       option(:sigv4_signer) do |cfg|
         SignatureV4.build_signer(cfg)
       end
@@ -32,13 +34,16 @@ module Aws
       end
 
       option(:unsigned_operations) do |cfg|
-        cfg.api.operation_names.inject([]) do |unsigned, operation_name|
-          if cfg.api.operation(operation_name)['authtype'] == 'none' ||
-             cfg.api.operation(operation_name)['authtype'] == 'custom'
-            # Unsign requests that has custom apigateway authorizer as well
-            unsigned << operation_name
-          else
-            unsigned
+        if cfg.api.metadata['signatureVersion'] == 'v4'
+          # select operations where authtype is set and is not v4
+          cfg.api.operation_names.select do |o|
+            cfg.api.operation(o)['authtype'] && !V4_AUTH.include?(cfg.api.operation(o)['authtype'])
+          end
+        else # service is not v4 auth
+          # select all operations where authtype is not v4
+          # (includes operations with no explicit authtype)
+          cfg.api.operation_names.select do |o|
+            !V4_AUTH.include?(cfg.api.operation(o)['authtype'])
           end
         end
       end

data/lib/aws-sdk-core/refreshing_token.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'thread'
+
+module Aws
+
+  # Module/mixin used by token provider classes that can be refreshed. This
+  # provides basic refresh logic in a thread-safe manner. Classes mixing in
+  # this module are expected to implement a #refresh method that populates
+  # the following instance variable:
+  #
+  # * `@token` [Token] - {Aws::Token} object with the `expiration` and `token`
+  #       fields set.
+  #
+  # @api private
+  module RefreshingToken
+
+    def initialize(options = {})
+      @mutex = Mutex.new
+      @before_refresh = options.delete(:before_refresh) if Hash === options
+
+      @before_refresh.call(self) if @before_refresh
+      refresh
+    end
+
+    # @return [Token]
+    def token
+      refresh_if_near_expiration
+      @token
+    end
+
+    # @return [Time,nil]
+    def expiration
+      refresh_if_near_expiration
+      @expiration
+    end
+
+    # Refresh token.
+    # @return [void]
+    def refresh!
+      @mutex.synchronize do
+        @before_refresh.call(self) if @before_refresh
+        refresh
+      end
+    end
+
+    private
+
+    # Refreshes token if it is within
+    # 5 minutes of expiration.
+    def refresh_if_near_expiration
+      if near_expiration?
+        @mutex.synchronize do
+          if near_expiration?
+            @before_refresh.call(self) if @before_refresh
+            refresh
+          end
+        end
+      end
+    end
+
+    def near_expiration?
+      if @token && @token.expiration
+        # are we within 5 minutes of expiration?
+        (Time.now.to_i + 5 * 60) > @token.expiration.to_i
+      else
+        true
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/rest/handler.rb

@@ -17,7 +17,7 @@ module Aws
 
       def apply_request_id(context)
         h = context.http_response.headers
-        context[:request_id] = h['x-amz-request-id'] || h['x-amzn-requestid']
+        context[:request_id] ||= h['x-amz-request-id'] || h['x-amzn-requestid']
       end
 
     end

data/lib/aws-sdk-core/shared_config.rb

@@ -4,6 +4,9 @@ module Aws
   # @api private
   class SharedConfig
     SSO_PROFILE_KEYS = %w[sso_start_url sso_region sso_account_id sso_role_name].freeze
+    SSO_TOKEN_PROFILE_KEYS = %w[sso_session].freeze
+    SSO_SESSION_KEYS = %w[sso_region]
+
 
     # @return [String]
     attr_reader :credentials_path
@@ -51,10 +54,12 @@ module Aws
       @config_enabled = options[:config_enabled]
       @credentials_path = options[:credentials_path] ||
                           determine_credentials_path
+      @credentials_path = File.expand_path(@credentials_path) if @credentials_path
       @parsed_credentials = {}
       load_credentials_file if loadable?(@credentials_path)
       if @config_enabled
         @config_path = options[:config_path] || determine_config_path
+        @config_path = File.expand_path(@config_path) if @config_path
         load_config_file if loadable?(@config_path)
       end
     end
@@ -149,6 +154,18 @@ module Aws
       credentials
     end
 
+    # Attempts to load from shared config or shared credentials file.
+    # Will always attempt first to load from the shared credentials
+    # file, if present.
+    def sso_token_from_config(opts = {})
+      p = opts[:profile] || @profile_name
+      token = sso_token_from_profile(@parsed_credentials, p)
+      if @parsed_config
+        token ||= sso_token_from_profile(@parsed_config, p)
+      end
+      token
+    end
+
     # Add an accessor method (similar to attr_reader) to return a configuration value
     # Uses the get_config_value below to control where
     # values are loaded from
@@ -325,6 +342,32 @@ module Aws
       end
     end
 
+    # If the required sso_ profile values are present, attempt to construct
+    # SSOTokenProvider
+    def sso_token_from_profile(cfg, profile)
+      if @parsed_config &&
+        (prof_config = cfg[profile]) &&
+        !(prof_config.keys & SSO_TOKEN_PROFILE_KEYS).empty?
+
+        sso_session_name = prof_config['sso_session']
+        sso_session = cfg["sso-session #{sso_session_name}"]
+        unless sso_session
+          raise ArgumentError,
+                "sso-session #{sso_session_name} must be defined in the config file." /
+                  "Referenced by profile #{profile}"
+        end
+
+        unless sso_session['sso_region']
+          raise ArgumentError, "sso-session #{sso_session_name} missing required parameter: sso_region"
+        end
+
+        SSOTokenProvider.new(
+          sso_session: sso_session_name,
+          sso_region: sso_session['sso_region']
+        )
+      end
+    end
+
     def credentials_from_profile(prof_config)
       creds = Credentials.new(
         prof_config['aws_access_key_id'],

data/lib/aws-sdk-core/sso_token_provider.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+module Aws
+  class SSOTokenProvider
+
+    include TokenProvider
+    include RefreshingToken
+
+    # @api private
+    SSO_REQUIRED_OPTS = [:sso_region, :sso_session].freeze
+
+    # @api private
+    SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
+    'expired or is otherwise invalid. To refresh this SSO session run '\
+    'aws sso login with the corresponding profile.'.freeze
+
+    # @option options [required, String] :sso_region The AWS region where the
+    #   SSO directory for the given sso_start_url is hosted.
+    #
+    # @option options [required, String] :sso_session The SSO Session used to
+    #   for fetching this token.
+    #
+    # @option options [SSOOIDC::Client] :client Optional `SSOOIDC::Client`.  If not
+    #   provided, a client will be constructed.
+    #
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
+    def initialize(options = {})
+
+      missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
+      unless missing_keys.empty?
+        raise ArgumentError, "Missing required keys: #{missing_keys}"
+      end
+
+      @sso_session = options.delete(:sso_session)
+      @sso_region = options.delete(:sso_region)
+
+      options[:region] = @sso_region
+      options[:credentials] = nil
+      @client = options[:client] || Aws::SSOOIDC::Client.new(options)
+
+      super
+    end
+
+    # @return [SSO::Client]
+    attr_reader :client
+
+    private
+
+    def refresh
+      # token is valid and not in refresh window - do not refresh it.
+      return if @token && @token.expiration && !near_expiration?
+
+      # token may not exist or is out of the expiration window
+      # attempt to refresh from disk first (another process/application may have refreshed already)
+      token_json = read_cached_token
+      @token = Token.new(token_json['accessToken'], token_json['expiresAt'])
+      return if @token && @token.expiration && !near_expiration?
+
+      # The token is expired and needs to be refreshed
+      if can_refresh_token?(token_json)
+        begin
+          current_time = Time.now
+          resp = @client.create_token(
+            grant_type: 'refresh_token',
+            client_id: token_json['clientId'],
+            client_secret: token_json['client_secret'],
+            refresh_token: token_json['refreshToken']
+          )
+          token_json['accessToken'] = resp.access_token
+          token_json['expiresAt'] = current_time + resp.expires_in
+          @token = Token.new(token_json['accessToken'], token_json['expiresAt'])
+
+          if resp.refresh_token
+            token_json['refreshToken'] = resp.refresh_token
+          else
+            token_json.delete('refreshToken')
+          end
+
+          update_token_cache(token_json)
+        rescue
+          # refresh has failed, continue attempting to use the token if its not hard expired
+        end
+      end
+
+      if !@token.expiration || @token.expiration < Time.now
+        # Token is hard expired, raise an exception
+        raise Errors::InvalidSSOToken, 'Token is invalid and failed to refresh.'
+      end
+    end
+
+    def read_cached_token
+      cached_token = Json.load(File.read(sso_cache_file))
+      # validation
+      unless cached_token['accessToken'] && cached_token['expiresAt']
+        raise ArgumentError, 'Missing required field(s)'
+      end
+      cached_token['expiresAt'] = Time.parse(cached_token['expiresAt'])
+      cached_token
+    rescue Errno::ENOENT, Aws::Json::ParseError, ArgumentError
+      raise Errors::InvalidSSOToken, SSO_LOGIN_GUIDANCE
+    end
+
+    def update_token_cache(token_json)
+      cached_token = token_json.dup
+      cached_token['expiresAt'] = cached_token['expiresAt'].iso8601
+      File.write(sso_cache_file, Json.dump(cached_token))
+    end
+
+    def sso_cache_file
+      sso_session_sha1 = OpenSSL::Digest::SHA1.hexdigest(@sso_session.encode('utf-8'))
+      File.join(Dir.home, '.aws', 'sso', 'cache', "#{sso_session_sha1}.json")
+    rescue ArgumentError
+      # Dir.home raises ArgumentError when ENV['home'] is not set
+      raise ArgumentError, "Unable to load sso_cache_file: ENV['HOME'] is not set."
+    end
+
+    # return true if all required fields are present
+    # return false if registrationExpiresAt exists and is later than now
+    def can_refresh_token?(token_json)
+      if token_json['clientId'] &&
+        token_json['clientSecret'] &&
+        token_json['refreshToken']
+
+        return !token_json['registrationExpiresAt'] ||
+          Time.parse(token_json['registrationExpiresAt']) > Time.now
+      else
+        false
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/static_token_provider.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Aws
+  class StaticTokenProvider
+
+    include TokenProvider
+
+    # @param [String] token
+    # @param [Time] expiration
+    def initialize(token, expiration=nil)
+      @token = Token.new(token, expiration)
+    end
+  end
+end

data/lib/aws-sdk-core/structure.rb

@@ -28,18 +28,20 @@ module Aws
     # in stdlib Struct.
     #
     # @return [Hash]
-    def to_h(obj = self)
+    def to_h(obj = self, options = {})
       case obj
       when Struct
         obj.each_pair.with_object({}) do |(member, value), hash|
-          hash[member] = to_hash(value) unless value.nil?
+          member = member.to_s if options[:as_json]
+          hash[member] = to_hash(value, options) unless value.nil?
         end
       when Hash
         obj.each.with_object({}) do |(key, value), hash|
-          hash[key] = to_hash(value)
+          key = key.to_s if options[:as_json]
+          hash[key] = to_hash(value, options)
         end
       when Array
-        obj.collect { |value| to_hash(value) }
+        obj.collect { |value| to_hash(value, options) }
       else
         obj
       end