aws-sdk-core 3.152.0 → 3.234.0

data/lib/aws-sdk-core/rpc_v2/handler.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module Aws
+  module RpcV2
+    class Handler < Seahorse::Client::Handler
+      # @param [Seahorse::Client::RequestContext] context
+      # @return [Seahorse::Client::Response]
+      def call(context)
+        build_request(context)
+        response = with_metric { @handler.call(context) }
+        response.on(200..299) { |resp| resp.data = parse_body(context) }
+        response.on(200..599) { |_resp| apply_request_id(context) }
+        response
+      end
+
+      private
+
+      def with_metric(&block)
+        Aws::Plugins::UserAgent.metric('PROTOCOL_RPC_V2_CBOR', &block)
+      end
+
+      def build_request(context)
+        context.http_request.headers['Smithy-Protocol'] = 'rpc-v2-cbor'
+        context.http_request.headers['X-Amzn-Query-Mode'] = 'true' if query_compatible?(context)
+        context.http_request.http_method = 'POST'
+        context.http_request.body = build_body(context)
+        build_url(context)
+      end
+
+      def build_url(context)
+        base = context.http_request.endpoint
+        service_name = context.config.api.metadata['targetPrefix']
+        base.path += "/service/#{service_name}/operation/#{context.operation.name}"
+      end
+
+      def build_body(context)
+        Builder.new(context.operation.input).serialize(context.params)
+      end
+
+      def parse_body(context)
+        cbor = context.http_response.body_contents
+        if (rules = context.operation.output)
+          if cbor.is_a?(Array)
+            # an array of emitted events
+            if cbor[0].respond_to?(:response)
+              # initial response exists
+              # it must be the first event arrived
+              resp_struct = cbor.shift.response
+            else
+              resp_struct = context.operation.output.shape.struct_class.new
+            end
+
+            rules.shape.members.each do |name, ref|
+              if ref.eventstream
+                resp_struct.send("#{name}=", cbor.to_enum)
+              end
+            end
+            resp_struct
+          else
+            Parser.new(
+              rules,
+              query_compatible: query_compatible?(context)
+            ).parse(cbor)
+          end
+        else
+          EmptyStructure.new
+        end
+      end
+
+      def apply_request_id(context)
+        context[:request_id] = context.http_response.headers['x-amzn-requestid']
+      end
+
+      def query_compatible?(context)
+        context.config.api.metadata.key?('awsQueryCompatible')
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/rpc_v2/parser.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+require 'time'
+
+module Aws
+  module RpcV2
+    class Parser
+      include Seahorse::Model::Shapes
+
+      # @param [Seahorse::Model::ShapeRef] rules
+      def initialize(rules, query_compatible: false)
+        @rules = rules
+        @query_compatible = query_compatible
+      end
+
+      def parse(cbor, target = nil)
+        return {} if cbor.empty?
+
+        parse_ref(@rules, RpcV2.decode(cbor), target)
+      end
+
+      private
+
+      def structure(ref, values, target = nil)
+        shape = ref.shape
+        target = ref.shape.struct_class.new if target.nil?
+        values.each do |key, value|
+          member_name, member_ref = shape.member_by_location_name(key)
+          if member_ref
+            target[member_name] = parse_ref(member_ref, value)
+          elsif shape.union && key != '__type'
+            target[:unknown] = { 'name' => key, 'value' => value }
+          end
+        end
+        # In services that were previously Query/XML, members that were
+        # "flattened" defaulted to empty lists. In JSON, these values are nil,
+        # which is backwards incompatible. To preserve backwards compatibility,
+        # we set a default value of [] for these members.
+        if @query_compatible
+          ref.shape.members.each do |member_name, member_target|
+            next unless target[member_name].nil?
+
+            if flattened_list?(member_target.shape)
+              target[member_name] = []
+            elsif flattened_map?(member_target.shape)
+              target[member_name] = {}
+            end
+          end
+        end
+
+        if shape.union
+          # convert to subclass
+          member_subclass = shape.member_subclass(target.member).new
+          member_subclass[target.member] = target.value
+          target = member_subclass
+        end
+        target
+      end
+
+      def list(ref, values, target = nil)
+        target = [] if target.nil?
+        values.each do |value|
+          target << parse_ref(ref.shape.member, value)
+        end
+        target
+      end
+
+      def map(ref, values, target = nil)
+        target = {} if target.nil?
+        values.each do |key, value|
+          target[key] = parse_ref(ref.shape.value, value) unless value.nil?
+        end
+        target
+      end
+
+      def parse_ref(ref, value, target = nil)
+        if value.nil?
+          nil
+        else
+          case ref.shape
+          when StructureShape then structure(ref, value, target)
+          when ListShape then list(ref, value, target)
+          when MapShape then map(ref, value, target)
+          else value
+          end
+        end
+      end
+
+      def flattened_list?(shape)
+        shape.is_a?(ListShape) && shape.flattened
+      end
+
+      def flattened_map?(shape)
+        shape.is_a?(MapShape) && shape.flattened
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/rpc_v2.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require_relative 'cbor'
+require_relative 'rpc_v2/builder'
+require_relative 'rpc_v2/content_type_handler'
+require_relative 'rpc_v2/error_handler'
+require_relative 'rpc_v2/handler'
+require_relative 'rpc_v2/parser'
+
+module Aws
+  # @api private
+  module RpcV2
+    class << self
+      # @param [Symbol,Class] engine
+      #   Must be one of the following values:
+      #
+      #   * :cbor
+      #
+      def engine=(engine)
+        @engine = Class === engine ? engine : load_engine(engine)
+      end
+
+      # @return [Class] Returns the default engine.
+      #   One of:
+      #
+      #   * {CborEngine}
+      #
+      def engine
+        set_default_engine unless @engine
+        @engine
+      end
+
+      def encode(data)
+        @engine.encode(data)
+      end
+
+      def decode(bytes)
+        bytes.force_encoding(Encoding::BINARY)
+        @engine.decode(bytes)
+      end
+
+      def set_default_engine
+        [:cbor].each do |name|
+          @engine ||= try_load_engine(name)
+        end
+
+        unless @engine
+          raise 'Unable to find a compatible cbor library.'
+        end
+      end
+
+      private
+
+      def load_engine(name)
+        require "aws-sdk-core/rpc_v2/#{name}_engine"
+        const_name = name[0].upcase + name[1..-1] + 'Engine'
+        const_get(const_name)
+      end
+
+      def try_load_engine(name)
+        load_engine(name)
+      rescue LoadError
+        false
+      end
+    end
+
+    set_default_engine
+  end
+end

data/lib/aws-sdk-core/shared_config.rb

@@ -3,9 +3,10 @@
 module Aws
   # @api private
   class SharedConfig
-    SSO_PROFILE_KEYS = %w[sso_start_url sso_region sso_account_id sso_role_name].freeze
+    SSO_CREDENTIAL_PROFILE_KEYS = %w[sso_account_id sso_role_name].freeze
+    SSO_PROFILE_KEYS = %w[sso_session sso_start_url sso_region sso_account_id sso_role_name].freeze
     SSO_TOKEN_PROFILE_KEYS = %w[sso_session].freeze
-    SSO_SESSION_KEYS = %w[sso_region]
+    SSO_SESSION_KEYS = %w[sso_region sso_start_url].freeze
 
 
     # @return [String]
@@ -137,7 +138,11 @@ module Aws
             role_session_name: entry['role_session_name']
           }
           cfg[:region] = opts[:region] if opts[:region]
-          AssumeRoleWebIdentityCredentials.new(cfg)
+          with_metrics('CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN') do
+            creds = AssumeRoleWebIdentityCredentials.new(cfg)
+            creds.metrics << 'CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN'
+            creds
+          end
         end
       end
     end
@@ -166,6 +171,26 @@ module Aws
       token
     end
 
+    # Source a custom configured endpoint from the shared configuration file
+    #
+    # @param [Hash] opts
+    # @option opts [String] :profile
+    # @option opts [String] :service_id
+    def configured_endpoint(opts = {})
+      # services section is only allowed in the shared config file (not credentials)
+      profile = opts[:profile] || @profile_name
+      service_id = opts[:service_id]&.gsub(" ", "_")&.downcase
+      if @parsed_config && (prof_config = @parsed_config[profile])
+        services_section_name = prof_config['services']
+        if (services_config = @parsed_config["services #{services_section_name}"]) &&
+          (service_config = services_config[service_id])
+          return service_config['endpoint_url'] if service_config['endpoint_url']
+        end
+        return prof_config['endpoint_url']
+      end
+      nil
+    end
+
     # Add an accessor method (similar to attr_reader) to return a configuration value
     # Uses the get_config_value below to control where
     # values are loaded from
@@ -177,6 +202,9 @@ module Aws
 
     config_reader(
       :region,
+      :account_id_endpoint_mode,
+      :auth_scheme_preference,
+      :sigv4a_signing_region_set,
       :ca_bundle,
       :credential_process,
       :endpoint_discovery_enabled,
@@ -184,10 +212,14 @@ module Aws
       :use_fips_endpoint,
       :ec2_metadata_service_endpoint,
       :ec2_metadata_service_endpoint_mode,
+      :ec2_metadata_v1_disabled,
+      :disable_host_prefix_injection,
       :max_attempts,
       :retry_mode,
       :adaptive_retry_wait_to_fill,
       :correct_clock_skew,
+      :request_checksum_calculation,
+      :response_checksum_validation,
       :csm_client_id,
       :csm_enabled,
       :csm_host,
@@ -196,7 +228,12 @@ module Aws
       :s3_use_arn_region,
       :s3_us_east_1_regional_endpoint,
       :s3_disable_multiregion_access_points,
-      :defaults_mode
+      :s3_disable_express_session_auth,
+      :defaults_mode,
+      :sdk_ua_app_id,
+      :disable_request_compression,
+      :request_min_compression_size_bytes,
+      :ignore_configured_endpoint_urls
     )
 
     private
@@ -224,8 +261,8 @@ module Aws
             'provide only source_profile or credential_source, not both.'
         elsif opts[:source_profile]
           opts[:visited_profiles] ||= Set.new
-          opts[:credentials] = resolve_source_profile(opts[:source_profile], opts)
-          if opts[:credentials]
+          provider = resolve_source_profile(opts[:source_profile], opts)
+          if provider && (opts[:credentials] = provider.credentials)
             opts[:role_session_name] ||= prof_cfg['role_session_name']
             opts[:role_session_name] ||= 'default_session'
             opts[:role_arn] ||= prof_cfg['role_arn']
@@ -234,17 +271,28 @@ module Aws
             opts[:serial_number] ||= prof_cfg['mfa_serial']
             opts[:profile] = opts.delete(:source_profile)
             opts.delete(:visited_profiles)
-            AssumeRoleCredentials.new(opts)
+
+            metrics = provider.metrics
+            if provider.is_a?(AssumeRoleCredentials)
+              opts[:credentials] = provider
+              metrics.delete('CREDENTIALS_STS_ASSUME_ROLE')
+            else
+              metrics << 'CREDENTIALS_PROFILE_SOURCE_PROFILE'
+            end
+            # Set the original credentials metrics to [] to prevent duplicate metrics during sign plugin
+            opts[:credentials].metrics = []
+            with_metrics(metrics) do
+              creds = AssumeRoleCredentials.new(opts)
+              creds.metrics.push(*metrics)
+              creds
+            end
           else
             raise Errors::NoSourceProfileError,
               "Profile #{profile} has a role_arn, and source_profile, but the"\
               ' source_profile does not have credentials.'
           end
         elsif credential_source
-          opts[:credentials] = credentials_from_source(
-            credential_source,
-            chain_config
-          )
+          opts[:credentials] = credentials_from_source(credential_source, chain_config)
           if opts[:credentials]
             opts[:role_session_name] ||= prof_cfg['role_session_name']
             opts[:role_session_name] ||= 'default_session'
@@ -253,7 +301,16 @@ module Aws
             opts[:external_id] ||= prof_cfg['external_id']
             opts[:serial_number] ||= prof_cfg['mfa_serial']
             opts.delete(:source_profile) # Cleanup
-            AssumeRoleCredentials.new(opts)
+
+            metrics = opts[:credentials].metrics
+            metrics << 'CREDENTIALS_PROFILE_NAMED_PROVIDER'
+            # Set the original credentials metrics to [] to prevent duplicate metrics during sign plugin
+            opts[:credentials].metrics = []
+            with_metrics(metrics) do
+              creds = AssumeRoleCredentials.new(opts)
+              creds.metrics.push(*metrics)
+              creds
+            end
           else
             raise Errors::NoSourceCredentials,
               "Profile #{profile} could not get source credentials from"\
@@ -281,12 +338,24 @@ module Aws
       elsif profile_config && profile_config['source_profile']
         opts.delete(:source_profile)
         assume_role_credentials_from_config(opts.merge(profile: profile))
-      elsif (provider = assume_role_web_identity_credentials_from_config(opts.merge(profile: profile)))
-        provider.credentials if provider.credentials.set?
+      elsif (provider = assume_role_web_identity_credentials_from_config_with_metrics(opts.merge(profile: profile)))
+        provider if provider.credentials.set?
       elsif (provider = assume_role_process_credentials_from_config(profile))
-        provider.credentials if provider.credentials.set?
-      elsif (provider = sso_credentials_from_config(profile: profile))
-        provider.credentials if provider.credentials.set?
+        provider if provider.credentials.set?
+      elsif (provider = sso_credentials_from_config_with_metrics(profile))
+        provider if provider.credentials.set?
+      end
+    end
+
+    def assume_role_web_identity_credentials_from_config_with_metrics(opts)
+      with_metrics('CREDENTIALS_PROFILE_SOURCE_PROFILE') do
+        assume_role_web_identity_credentials_from_config(opts)
+      end
+    end
+
+    def sso_credentials_from_config_with_metrics(profile)
+      with_metrics('CREDENTIALS_PROFILE_SOURCE_PROFILE') do
+        sso_credentials_from_config(profile: profile)
       end
     end
 
@@ -300,6 +369,15 @@ module Aws
         )
       when 'EcsContainer'
         ECSCredentials.new
+      when 'Environment'
+        creds = Credentials.new(
+          ENV['AWS_ACCESS_KEY_ID'],
+          ENV['AWS_SECRET_ACCESS_KEY'],
+          ENV['AWS_SESSION_TOKEN'],
+          account_id: ENV['AWS_ACCOUNT_ID']
+        )
+        creds.metrics = ['CREDENTIALS_ENV_VARS']
+        creds
       else
         raise Errors::InvalidCredentialSourceError, "Unsupported credential_source: #{credential_source}"
       end
@@ -311,7 +389,11 @@ module Aws
       if @parsed_config
         credential_process ||= @parsed_config.fetch(profile, {})['credential_process']
       end
-      ProcessCredentials.new(credential_process) if credential_process
+      if credential_process
+        creds = ProcessCredentials.new([credential_process])
+        creds.metrics << 'CREDENTIALS_PROFILE_PROCESS'
+        creds
+      end
     end
 
     def credentials_from_shared(profile, _opts)
@@ -331,14 +413,42 @@ module Aws
     def sso_credentials_from_profile(cfg, profile)
       if @parsed_config &&
          (prof_config = cfg[profile]) &&
-         !(prof_config.keys & SSO_PROFILE_KEYS).empty?
+         !(prof_config.keys & SSO_CREDENTIAL_PROFILE_KEYS).empty?
 
-        SSOCredentials.new(
-          sso_start_url: prof_config['sso_start_url'],
-          sso_region: prof_config['sso_region'],
-          sso_account_id: prof_config['sso_account_id'],
-          sso_role_name: prof_config['sso_role_name']
-        )
+        if sso_session_name = prof_config['sso_session']
+          sso_session = sso_session(cfg, profile, sso_session_name)
+
+          sso_region = sso_session['sso_region']
+          sso_start_url = sso_session['sso_start_url']
+
+          # validate sso_region and sso_start_url don't conflict if set on profile and session
+          if prof_config['sso_region'] &&  prof_config['sso_region'] != sso_region
+            raise ArgumentError,
+                  "sso-session #{sso_session_name}'s sso_region (#{sso_region}) " \
+                    "does not match the profile #{profile}'s sso_region (#{prof_config['sso_region']}'"
+          end
+          if prof_config['sso_start_url'] &&  prof_config['sso_start_url'] != sso_start_url
+            raise ArgumentError,
+                  "sso-session #{sso_session_name}'s sso_start_url (#{sso_start_url}) " \
+                    "does not match the profile #{profile}'s sso_start_url (#{prof_config['sso_start_url']}'"
+          end
+        else
+          sso_region = prof_config['sso_region']
+          sso_start_url = prof_config['sso_start_url']
+        end
+
+        metric = prof_config['sso_session'] ? 'CREDENTIALS_PROFILE_SSO' : 'CREDENTIALS_PROFILE_SSO_LEGACY'
+        with_metrics(metric) do
+          creds = SSOCredentials.new(
+            sso_account_id: prof_config['sso_account_id'],
+            sso_role_name: prof_config['sso_role_name'],
+            sso_session: prof_config['sso_session'],
+            sso_region: sso_region,
+            sso_start_url: sso_start_url
+          )
+          creds.metrics << metric
+          creds
+        end
       end
     end
 
@@ -350,16 +460,7 @@ module Aws
         !(prof_config.keys & SSO_TOKEN_PROFILE_KEYS).empty?
 
         sso_session_name = prof_config['sso_session']
-        sso_session = cfg["sso-session #{sso_session_name}"]
-        unless sso_session
-          raise ArgumentError,
-                "sso-session #{sso_session_name} must be defined in the config file." /
-                  "Referenced by profile #{profile}"
-        end
-
-        unless sso_session['sso_region']
-          raise ArgumentError, "sso-session #{sso_session_name} missing required parameter: sso_region"
-        end
+        sso_session = sso_session(cfg, profile, sso_session_name)
 
         SSOTokenProvider.new(
           sso_session: sso_session_name,
@@ -372,8 +473,10 @@ module Aws
       creds = Credentials.new(
         prof_config['aws_access_key_id'],
         prof_config['aws_secret_access_key'],
-        prof_config['aws_session_token']
+        prof_config['aws_session_token'],
+        account_id: prof_config['aws_account_id']
       )
+      creds.metrics = ['CREDENTIALS_PROFILE']
       creds if creds.set?
     end
 
@@ -417,5 +520,26 @@ module Aws
       ret ||= 'default'
       ret
     end
+
+    def sso_session(cfg, profile, sso_session_name)
+      # aws sso-configure may add quotes around sso session names with whitespace
+      sso_session = cfg["sso-session #{sso_session_name}"] || cfg["sso-session '#{sso_session_name}'"]
+
+      unless sso_session
+        raise ArgumentError,
+          "sso-session #{sso_session_name} must be defined in the config file. " \
+                    "Referenced by profile #{profile}"
+      end
+
+      unless sso_session['sso_region']
+        raise ArgumentError, "sso-session #{sso_session_name} missing required parameter: sso_region"
+      end
+
+      sso_session
+    end
+
+    def with_metrics(metrics, &block)
+      Aws::Plugins::UserAgent.metric(*metrics, &block)
+    end
   end
 end

data/lib/aws-sdk-core/shared_credentials.rb

@@ -7,13 +7,6 @@ module Aws
 
     include CredentialProvider
 
-    # @api private
-    KEY_MAP = {
-      'aws_access_key_id' => 'access_key_id',
-      'aws_secret_access_key' => 'secret_access_key',
-      'aws_session_token' => 'session_token',
-    }
-
     # Constructs a new SharedCredentials object. This will load static
     # (access_key_id, secret_access_key and session_token) AWS access
     # credentials from an ini file, which supports profiles. The default
@@ -47,6 +40,7 @@ module Aws
         )
         @credentials = config.credentials(profile: @profile_name)
       end
+      @metrics = ['CREDENTIALS_CODE']
     end
 
     # @return [String]