aws-sdk-core 3.152.0 → 3.234.0

data/lib/aws-sdk-core/sso_credentials.rb

@@ -3,24 +3,19 @@
 module Aws
   # An auto-refreshing credential provider that assumes a role via
   # {Aws::SSO::Client#get_role_credentials} using a cached access
-  # token. This class does NOT implement the SSO login token flow - tokens
-  # must generated and refreshed separately by running `aws login` from the
-  # AWS CLI with the correct profile.
-  #
-  # The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In
-  # addition to AWS credentials expiring after a given amount of time, the
-  # access token generated and cached from `aws login` will also expire.
-  # Once this token expires, it will not be usable to refresh AWS credentials,
-  # and another token will be needed. The SDK does not manage refreshing of
-  # the token value, but this can be done by running `aws login` with the
-  # correct profile.
+  # token. When `sso_session` is specified, token refresh logic from
+  # {Aws::SSOTokenProvider} will be used to refresh the token if possible.
+  # This class does NOT implement the SSO login token flow - tokens
+  # must generated separately by running `aws login` from the
+  # AWS CLI with the correct profile. The {SSOCredentials} will
+  # auto-refresh the AWS credentials from SSO.
   #
   #     # You must first run aws sso login --profile your-sso-profile
   #     sso_credentials = Aws::SSOCredentials.new(
   #       sso_account_id: '123456789',
   #       sso_role_name: "role_name",
   #       sso_region: "us-east-1",
-  #       sso_start_url: 'https://your-start-url.awsapps.com/start'
+  #       sso_session: 'my_sso_session'
   #     )
   #     ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
   #
@@ -35,7 +30,8 @@ module Aws
     include RefreshingCredentials
 
     # @api private
-    SSO_REQUIRED_OPTS = [:sso_account_id, :sso_region, :sso_role_name, :sso_start_url].freeze
+    LEGACY_REQUIRED_OPTS =         [:sso_start_url, :sso_account_id, :sso_region, :sso_role_name].freeze
+    TOKEN_PROVIDER_REQUIRED_OPTS = [:sso_session, :sso_account_id, :sso_region, :sso_role_name].freeze
 
     # @api private
     SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
@@ -45,17 +41,23 @@ module Aws
     # @option options [required, String] :sso_account_id The AWS account ID
     #   that temporary AWS credentials will be resolved for
     #
-    # @option options [required, String] :sso_region The AWS region where the
-    #   SSO directory for the given sso_start_url is hosted.
-    #
     # @option options [required, String] :sso_role_name The corresponding
     #   IAM role in the AWS account that temporary AWS credentials
     #   will be resolved for.
     #
-    # @option options [required, String] :sso_start_url The start URL is
-    #   provided by the SSO service via the console and is the URL used to
+    # @option options [required, String] :sso_region The AWS region where the
+    #   SSO directory for the given sso_start_url is hosted.
+    #
+    # @option options [String] :sso_session The SSO Token used for fetching
+    #   the token. If provided, refresh logic from the {Aws::SSOTokenProvider}
+    #   will be used.
+    #
+    # @option options [String] :sso_start_url (legacy profiles) If provided,
+    #   legacy token fetch behavior will be used, which does not support
+    #   token refreshing.  The start URL is provided by the SSO
+    #   service via the console and is the URL used to
     #   login to the SSO directory. This is also sometimes referred to as
-    #   the "User Portal URL"
+    #   the "User Portal URL".
     #
     # @option options [SSO::Client] :client Optional `SSO::Client`.  If not
     #   provided, a client will be constructed.
@@ -65,27 +67,54 @@ module Aws
     #   with an instance of this object when
     #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
-
-      missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
-      unless missing_keys.empty?
-        raise ArgumentError, "Missing required keys: #{missing_keys}"
+      options = options.select {|k, v| !v.nil? }
+      if (options[:sso_session])
+        missing_keys = TOKEN_PROVIDER_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = false
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
+
+        # if client has been passed, don't pass through to SSOTokenProvider
+        @client = options.delete(:client)
+        options.delete(:sso_start_url)
+        @token_provider = Aws::SSOTokenProvider.new(options.dup)
+        @sso_session = options.delete(:sso_session)
+        @sso_region = options.delete(:sso_region)
+
+        unless @client
+          client_opts = {}
+          options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+          client_opts[:region] = @sso_region
+          client_opts[:credentials] = nil
+          @client = Aws::SSO::Client.new(client_opts)
+        end
+        @metrics = ['CREDENTIALS_SSO']
+      else # legacy behavior
+        missing_keys = LEGACY_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = true
+        @sso_start_url = options.delete(:sso_start_url)
+        @sso_region = options.delete(:sso_region)
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
+
+        # validate we can read the token file
+        read_cached_token
+
+        client_opts = {}
+        options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+        client_opts[:region] = @sso_region
+        client_opts[:credentials] = nil
+
+        @client = options[:client] || Aws::SSO::Client.new(client_opts)
+        @metrics = ['CREDENTIALS_SSO_LEGACY']
       end
 
-      @sso_start_url = options.delete(:sso_start_url)
-      @sso_region = options.delete(:sso_region)
-      @sso_role_name = options.delete(:sso_role_name)
-      @sso_account_id = options.delete(:sso_account_id)
-
-      # validate we can read the token file
-      read_cached_token
-
-
-      client_opts = {}
-      options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
-      client_opts[:region] = @sso_region
-      client_opts[:credentials] = nil
-
-      @client = options[:client] || Aws::SSO::Client.new(client_opts)
       @async_refresh = true
       super
     end
@@ -111,19 +140,28 @@ module Aws
     end
 
     def refresh
-      cached_token = read_cached_token
-      c = @client.get_role_credentials(
-        account_id: @sso_account_id,
-        role_name: @sso_role_name,
-        access_token: cached_token['accessToken']
-      ).role_credentials
+      c = if @legacy
+            cached_token = read_cached_token
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: cached_token['accessToken']
+            ).role_credentials
+          else
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: @token_provider.token.token
+            ).role_credentials
+          end
 
       @credentials = Credentials.new(
         c.access_key_id,
         c.secret_access_key,
-        c.session_token
+        c.session_token,
+        account_id: @sso_account_id
       )
-      @expiration = c.expiration
+      @expiration = Time.at(c.expiration / 1000.0)
     end
 
     def sso_cache_file

data/lib/aws-sdk-core/sso_token_provider.rb

@@ -39,12 +39,13 @@ module Aws
 
       options[:region] = @sso_region
       options[:credentials] = nil
+      options[:token_provider] = nil
       @client = options[:client] || Aws::SSOOIDC::Client.new(options)
 
       super
     end
 
-    # @return [SSO::Client]
+    # @return [SSOOIDC::Client]
     attr_reader :client
 
     private
@@ -66,7 +67,7 @@ module Aws
           resp = @client.create_token(
             grant_type: 'refresh_token',
             client_id: token_json['clientId'],
-            client_secret: token_json['client_secret'],
+            client_secret: token_json['clientSecret'],
             refresh_token: token_json['refreshToken']
           )
           token_json['accessToken'] = resp.access_token

data/lib/aws-sdk-core/static_token_provider.rb

@@ -2,12 +2,11 @@
 
 module Aws
   class StaticTokenProvider
-
     include TokenProvider
 
     # @param [String] token
     # @param [Time] expiration
-    def initialize(token, expiration=nil)
+    def initialize(token, expiration = nil)
       @token = Token.new(token, expiration)
     end
   end

data/lib/aws-sdk-core/stubbing/protocols/ec2.rb

@@ -3,6 +3,7 @@
 module Aws
   module Stubbing
     module Protocols
+      # @api private
       class EC2
 
         def stub_data(api, operation, data)
@@ -16,17 +17,17 @@ module Aws
         end
 
         def stub_error(error_code)
-          http_resp = Seahorse::Client::Http::Response.new
-          http_resp.status_code = 400
-          http_resp.body = <<-XML.strip
-<ErrorResponse>
-  <Error>
-    <Code>#{error_code}</Code>
-    <Message>stubbed-response-error-message</Message>
-  </Error>
-</ErrorResponse>
+          resp = Seahorse::Client::Http::Response.new
+          resp.status_code = 400
+          resp.body = <<~XML.strip
+            <ErrorResponse>
+              <Error>
+                <Code>#{error_code}</Code>
+                <Message>stubbed-response-error-message</Message>
+              </Error>
+            </ErrorResponse>
           XML
-          http_resp
+          resp
         end
 
         private
@@ -37,7 +38,7 @@ module Aws
           xml.shift
           xml.pop
           xmlns = "http://ec2.amazonaws.com/doc/#{api.version}/".inspect
-          xml.unshift("  <requestId>stubbed-request-id</requestId>")
+          xml.unshift('  <requestId>stubbed-request-id</requestId>')
           xml.unshift("<#{operation.name}Response xmlns=#{xmlns}>\n")
           xml.push("</#{operation.name}Response>\n")
           xml.join

data/lib/aws-sdk-core/stubbing/protocols/json.rb

@@ -3,27 +3,28 @@
 module Aws
   module Stubbing
     module Protocols
+      # @api private
       class Json
 
         def stub_data(api, operation, data)
           resp = Seahorse::Client::Http::Response.new
           resp.status_code = 200
-          resp.headers["Content-Type"] = content_type(api)
-          resp.headers["x-amzn-RequestId"] = "stubbed-request-id"
+          resp.headers['Content-Type'] = content_type(api)
+          resp.headers['x-amzn-RequestId'] = 'stubbed-request-id'
           resp.body = build_body(operation, data)
           resp
         end
 
         def stub_error(error_code)
-          http_resp = Seahorse::Client::Http::Response.new
-          http_resp.status_code = 400
-          http_resp.body = <<-JSON.strip
-{
-  "code": #{error_code.inspect},
-  "message": "stubbed-response-error-message"
-}
+          resp = Seahorse::Client::Http::Response.new
+          resp.status_code = 400
+          resp.body = <<~JSON.strip
+            {
+              "code": #{error_code.inspect},
+              "message": "stubbed-response-error-message"
+            }
           JSON
-          http_resp
+          resp
         end
 
         private

data/lib/aws-sdk-core/stubbing/protocols/query.rb

@@ -3,6 +3,7 @@
 module Aws
   module Stubbing
     module Protocols
+      # @api private
       class Query
 
         def stub_data(api, operation, data)
@@ -13,10 +14,10 @@ module Aws
         end
 
         def stub_error(error_code)
-          http_resp = Seahorse::Client::Http::Response.new
-          http_resp.status_code = 400
-          http_resp.body = XmlError.new(error_code).to_xml
-          http_resp
+          resp = Seahorse::Client::Http::Response.new
+          resp.status_code = 400
+          resp.body = XmlError.new(error_code).to_xml
+          resp
         end
 
         private
@@ -24,9 +25,9 @@ module Aws
         def build_body(api, operation, data)
           xml = []
           builder = Aws::Xml::DocBuilder.new(target: xml, indent: '  ')
-          builder.node(operation.name + 'Response', xmlns: xmlns(api)) do
+          builder.node("#{operation.name}Response", xmlns: xmlns(api)) do
             if (rules = operation.output)
-              rules.location_name = operation.name + 'Result'
+              rules.location_name = "#{operation.name}Result"
               Xml::Builder.new(rules, target: xml, pad:'  ').to_xml(data)
             end
             builder.node('ResponseMetadata') do

data/lib/aws-sdk-core/stubbing/protocols/rest.rb

@@ -5,6 +5,7 @@ require 'aws-eventstream'
 module Aws
   module Stubbing
     module Protocols
+      # @api private
       class Rest
 
         include Seahorse::Model::Shapes
@@ -22,7 +23,7 @@ module Aws
         def new_http_response
           resp = Seahorse::Client::Http::Response.new
           resp.status_code = 200
-          resp.headers["x-amzn-RequestId"] = "stubbed-request-id"
+          resp.headers['x-amzn-RequestId'] = 'stubbed-request-id'
           resp
         end
 

data/lib/aws-sdk-core/stubbing/protocols/rest_json.rb

@@ -3,6 +3,7 @@
 module Aws
   module Stubbing
     module Protocols
+      # @api private
       class RestJson < Rest
 
         def body_for(_a, _b, rules, data)
@@ -14,15 +15,15 @@ module Aws
         end
 
         def stub_error(error_code)
-          http_resp = Seahorse::Client::Http::Response.new
-          http_resp.status_code = 400
-          http_resp.body = <<-JSON.strip
-{
-  "code": #{error_code.inspect},
-  "message": "stubbed-response-error-message"
-}
+          resp = Seahorse::Client::Http::Response.new
+          resp.status_code = 400
+          resp.body = <<~JSON.strip
+            {
+              "code": #{error_code.inspect},
+              "message": "stubbed-response-error-message"
+            }
           JSON
-          http_resp
+          resp
         end
 
       end

data/lib/aws-sdk-core/stubbing/protocols/rest_xml.rb

@@ -3,6 +3,7 @@
 module Aws
   module Stubbing
     module Protocols
+      # @api private
       class RestXml < Rest
 
         def body_for(api, operation, rules, data)
@@ -10,7 +11,7 @@ module Aws
             encode_eventstream_response(rules, data, Xml::Builder)
           else
             xml = []
-            rules.location_name = operation.name + 'Result'
+            rules.location_name = "#{operation.name}Result"
             rules['xmlNamespace'] = { 'uri' => api.metadata['xmlNamespace'] }
             Xml::Builder.new(rules, target:xml).to_xml(data)
             xml.join
@@ -18,10 +19,10 @@ module Aws
         end
 
         def stub_error(error_code)
-          http_resp = Seahorse::Client::Http::Response.new
-          http_resp.status_code = 400
-          http_resp.body = XmlError.new(error_code).to_xml
-          http_resp
+          resp = Seahorse::Client::Http::Response.new
+          resp.status_code = 400
+          resp.body = XmlError.new(error_code).to_xml
+          resp
         end
 
         def xmlns(api)

data/lib/aws-sdk-core/stubbing/protocols/rpc_v2.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Aws
+  module Stubbing
+    module Protocols
+      # @api private
+      class RpcV2
+
+        def stub_data(_api, operation, data)
+          resp = Seahorse::Client::Http::Response.new
+          resp.status_code = 200
+          resp.headers['Smithy-Protocol'] = 'rpc-v2-cbor'
+          resp.headers['Content-Type'] = 'application/cbor'
+          resp.headers['x-amzn-RequestId'] = 'stubbed-request-id'
+          resp.body = build_body(operation, data)
+          resp
+        end
+
+        def stub_error(error_code)
+          resp = Seahorse::Client::Http::Response.new
+          resp.status_code = 400
+          resp.body = Aws::RpcV2.encode(
+            {
+              'code' => error_code,
+              'message' => 'stubbed-response-error-message'
+            }
+          )
+          resp
+        end
+
+        private
+
+        def build_body(operation, data)
+          Aws::RpcV2::Builder.new(operation.output).serialize(data)
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/stubbing/stub_data.rb

@@ -13,12 +13,23 @@ module Aws
       def stub(data = {})
         stub = EmptyStub.new(@rules).stub
         remove_paging_tokens(stub)
+        remove_checksums(stub)
         apply_data(data, stub)
         stub
       end
 
       private
 
+      def remove_checksums(stub)
+        if @rules && @rules.shape.is_a?(Seahorse::Model::Shapes::StructureShape)
+          @rules.shape.members.each do |key, member|
+            if member.location == 'header' && member.location_name.start_with?('x-amz-checksum-')
+              stub[key] = nil
+            end
+          end
+        end
+      end
+
       def remove_paging_tokens(stub)
         if @pager
           @pager.instance_variable_get("@tokens").keys.each do |path|

data/lib/aws-sdk-core/stubbing.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Aws
+  # @api private
+  module Stubbing
+    autoload :EmptyStub, 'aws-sdk-core/stubbing/empty_stub'
+    autoload :DataApplicator, 'aws-sdk-core/stubbing/data_applicator'
+    autoload :StubData, 'aws-sdk-core/stubbing/stub_data'
+    autoload :XmlError, 'aws-sdk-core/stubbing/xml_error'
+
+    module Protocols
+      autoload :Json, 'aws-sdk-core/stubbing/protocols/json'
+      autoload :Rest, 'aws-sdk-core/stubbing/protocols/rest'
+      autoload :RestJson, 'aws-sdk-core/stubbing/protocols/rest_json'
+      autoload :RestXml, 'aws-sdk-core/stubbing/protocols/rest_xml'
+      autoload :Query, 'aws-sdk-core/stubbing/protocols/query'
+      autoload :EC2, 'aws-sdk-core/stubbing/protocols/ec2'
+      autoload :RpcV2, 'aws-sdk-core/stubbing/protocols/rpc_v2'
+      autoload :ApiGateway, 'aws-sdk-core/stubbing/protocols/api_gateway'
+    end
+  end
+end