aws-sdk-core 3.160.0 → 3.166.0

data/lib/aws-sdk-core/endpoints/tree_rule.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Aws
+  module Endpoints
+    # @api private
+    class TreeRule
+      def initialize(type: 'tree', conditions:, rules:, documentation: nil)
+        @type = type
+        @conditions = Condition.from_json(conditions)
+        @rules = RuleSet.rules_from_json(rules)
+        @documentation = documentation
+      end
+
+      attr_reader :type
+      attr_reader :conditions
+      attr_reader :error
+      attr_reader :documentation
+
+      def match(parameters, assigned = {})
+        assigns = assigned.dup
+        matched = conditions.all? do |condition|
+          output = condition.match?(parameters, assigns)
+          assigns = assigns.merge(condition.assigned) if condition.assign
+          output
+        end
+        resolve_rules(parameters, assigns) if matched
+      end
+
+      private
+
+      def resolve_rules(parameters, assigns)
+        @rules.each do |rule|
+          output = rule.match(parameters, assigns)
+          return output if output
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/endpoints/url.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'ipaddr'
+
+module Aws
+  module Endpoints
+    # @api private
+    class URL
+      def initialize(url)
+        uri = URI(url)
+        @scheme = uri.scheme
+        # only support http and https schemes
+        raise ArgumentError unless %w[https http].include?(@scheme)
+
+        # do not support query
+        raise ArgumentError if uri.query
+
+        @authority = _authority(url, uri)
+        @path = uri.path
+        @normalized_path = uri.path + (uri.path[-1] == '/' ? '' : '/')
+        @is_ip = _is_ip(uri.host)
+      end
+
+      attr_reader :scheme
+      attr_reader :authority
+      attr_reader :path
+      attr_reader :normalized_path
+      attr_reader :is_ip
+
+      def as_json(_options = {})
+        {
+          'scheme' => scheme,
+          'authority' => authority,
+          'path' => path,
+          'normalizedPath' => normalized_path,
+          'isIp' => is_ip
+        }
+      end
+
+      private
+
+      def _authority(url, uri)
+        # don't include port if it's default and not parsed originally
+        if uri.default_port == uri.port && !url.include?(":#{uri.port}")
+          uri.host
+        else
+          "#{uri.host}:#{uri.port}"
+        end
+      end
+
+      def _is_ip(authority)
+        IPAddr.new(authority)
+        true
+      rescue IPAddr::InvalidAddressError
+        false
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/endpoints.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require_relative 'endpoints/rule'
+require_relative 'endpoints/condition'
+require_relative 'endpoints/endpoint_rule'
+require_relative 'endpoints/endpoint'
+require_relative 'endpoints/error_rule'
+require_relative 'endpoints/function'
+require_relative 'endpoints/matchers'
+require_relative 'endpoints/reference'
+require_relative 'endpoints/rules_provider'
+require_relative 'endpoints/rule_set'
+require_relative 'endpoints/templater'
+require_relative 'endpoints/tree_rule'
+require_relative 'endpoints/url'
+
+module Aws
+  # @api private
+  module Endpoints
+    class << self
+      def resolve_auth_scheme(context, endpoint)
+        if endpoint && (auth_schemes = endpoint.properties['authSchemes'])
+          auth_scheme = auth_schemes.find do |scheme|
+            Aws::Plugins::Sign::SUPPORTED_AUTH_TYPES.include?(scheme['name'])
+          end
+          raise 'No supported auth scheme for this endpoint.' unless auth_scheme
+
+          merge_signing_defaults(auth_scheme, context.config)
+        else
+          default_auth_scheme(context)
+        end
+      end
+
+      private
+
+      def default_auth_scheme(context)
+        case default_api_authtype(context)
+        when 'v4', 'v4-unsigned-body'
+          auth_scheme = { 'name' => 'sigv4' }
+          merge_signing_defaults(auth_scheme, context.config)
+        when 's3', 's3v4'
+          auth_scheme = { 'name' => 'sigv4', 'disableDoubleEncoding' => true }
+          merge_signing_defaults(auth_scheme, context.config)
+        when 'bearer'
+          { 'name' => 'bearer' }
+        when 'none', nil
+          { 'name' => 'none' }
+        end
+      end
+
+      def merge_signing_defaults(auth_scheme, config)
+        if %w[sigv4 sigv4a].include?(auth_scheme['name'])
+          auth_scheme['signingName'] ||= sigv4_name(config)
+          if auth_scheme['name'] == 'sigv4a'
+            auth_scheme['signingRegionSet'] ||= ['*']
+          else
+            auth_scheme['signingRegion'] ||= config.region
+          end
+        end
+        auth_scheme
+      end
+
+      def default_api_authtype(context)
+        context.config.api.operation(context.operation_name)['authtype'] ||
+          context.config.api.metadata['signatureVersion']
+      end
+
+      def sigv4_name(config)
+        config.api.metadata['signingName'] ||
+          config.api.metadata['endpointPrefix']
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/json/error_handler.rb

@@ -26,7 +26,11 @@ module Aws
       end
 
       def error_code(json, context)
-        code = json['__type']
+        code = if aws_query_error?(context)
+          context.http_response.headers['x-amzn-query-error'].split(';')[0]
+        else
+          json['__type']
+        end
         code ||= json['code']
         code ||= context.http_response.headers['x-amzn-errortype']
         if code
@@ -36,6 +40,11 @@ module Aws
         end
       end
 
+      def aws_query_error?(context)
+        context.config.api.metadata['awsQueryCompatible'] &&
+          context.http_response.headers['x-amzn-query-error']
+      end
+
       def error_message(code, json)
         if code == 'RequestEntityTooLarge'
           'Request body must be less than 1 MB'

data/lib/aws-sdk-core/plugins/credentials_configuration.rb

@@ -76,6 +76,30 @@ locations will be searched for credentials:
 
       option(:instance_profile_credentials_timeout, 1)
 
+      option(:token_provider,
+             required: false,
+             doc_type: 'Aws::TokenProvider',
+             docstring: <<-DOCS
+A Bearer Token Provider. This can be an instance of any one of the
+following classes:
+
+* `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
+  tokens.
+
+* `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
+  access token generated from `aws login`.
+
+When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
+will be used to search for tokens configured for your profile in shared configuration files.
+      DOCS
+      ) do |config|
+        if config.stub_responses
+          StaticTokenProvider.new('token')
+        else
+          TokenProviderChain.new(config).resolve
+        end
+      end
+
     end
   end
 end

data/lib/aws-sdk-core/plugins/endpoint_discovery.rb

@@ -72,7 +72,11 @@ the background every 60 secs (default). Defaults to `false`.
               context,
               Aws::Util.str_2_bool(discovery_cfg["required"])
             )
-            context.http_request.endpoint = _valid_uri(endpoint.address) if endpoint
+            if endpoint
+              context.http_request.endpoint = _valid_uri(endpoint.address)
+              # Skips dynamic endpoint usage, use this endpoint instead
+              context[:discovered_endpoint] = true
+            end
             if endpoint || context.config.endpoint_discovery
               _apply_endpoint_discovery_user_agent(context)
             end
@@ -100,7 +104,7 @@ the background every 60 secs (default). Defaults to `false`.
         end
 
         def _discover_endpoint(ctx, required)
-          cache = ctx.config.endpoint_cache 
+          cache = ctx.config.endpoint_cache
           key = cache.extract_key(ctx)
 
           if required

data/lib/aws-sdk-core/plugins/regional_endpoint.rb

@@ -43,8 +43,13 @@ is set to `true`.
         resolve_use_fips_endpoint(cfg)
       end
 
+      # This option signals whether :endpoint was provided or not.
+      # Legacy endpoints must continue to be generated at client time.
       option(:regional_endpoint, false)
 
+      # NOTE: All of the defaults block code is effectively deprecated.
+      # Because old services can depend on this new core version, we must
+      # retain it.
       option(:endpoint, doc_type: String, docstring: <<-DOCS) do |cfg|
 The client endpoint is normally constructed from the `:region`
 option. You should only configure an `:endpoint` when connecting

data/lib/aws-sdk-core/plugins/sign.rb

@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+
+require 'aws-sigv4'
+
+module Aws
+  module Plugins
+    # @api private
+    class Sign < Seahorse::Client::Plugin
+      # These once had defaults. But now they are used as overrides to
+      # new endpoint and auth resolution.
+      option(:sigv4_signer)
+      option(:sigv4_name)
+      option(:sigv4_region)
+      option(:unsigned_operations, default: [])
+
+      supported_auth_types = %w[sigv4 bearer none]
+      supported_auth_types += ['sigv4a'] if Aws::Sigv4::Signer.use_crt?
+      SUPPORTED_AUTH_TYPES = supported_auth_types.freeze
+
+      def add_handlers(handlers, cfg)
+        operations = cfg.api.operation_names - cfg.unsigned_operations
+        handlers.add(Handler, step: :sign, operations: operations)
+      end
+
+      # @api private
+      # Return a signer with the `sign(context)` method
+      def self.signer_for(auth_scheme, config, region_override = nil)
+        case auth_scheme['name']
+        when 'sigv4', 'sigv4a'
+          SignatureV4.new(auth_scheme, config, region_override)
+        when 'bearer'
+          Bearer.new
+        else
+          NullSigner.new
+        end
+      end
+
+      class Handler < Seahorse::Client::Handler
+        def call(context)
+          signer = Sign.signer_for(
+            context[:auth_scheme],
+            context.config,
+            context[:sigv4_region]
+          )
+
+          signer.sign(context)
+          @handler.call(context)
+        end
+      end
+
+      # @api private
+      class Bearer
+        def initialize
+        end
+
+        def sign(context)
+          if context.http_request.endpoint.scheme != 'https'
+            raise ArgumentError,
+                  'Unable to use bearer authorization on non https endpoint.'
+          end
+
+          token_provider = context.config.token_provider
+
+          raise Errors::MissingBearerTokenError unless token_provider&.set?
+
+          context.http_request.headers['Authorization'] =
+            "Bearer #{token_provider.token.token}"
+        end
+
+        def presign_url(*args)
+          raise ArgumentError, 'Bearer auth does not support presigned urls'
+        end
+
+        def sign_event(*args)
+          raise ArgumentError, 'Bearer auth does not support event signing'
+        end
+      end
+
+      # @api private
+      class SignatureV4
+        def initialize(auth_scheme, config, region_override = nil)
+          scheme_name = auth_scheme['name']
+
+          unless %w[sigv4 sigv4a].include?(scheme_name)
+            raise ArgumentError,
+                  "Expected sigv4 or sigv4a auth scheme, got #{scheme_name}"
+          end
+
+          region = if scheme_name == 'sigv4a'
+                     auth_scheme['signingRegionSet'].first
+                   else
+                     auth_scheme['signingRegion']
+                   end
+          begin
+            @signer = Aws::Sigv4::Signer.new(
+              service: config.sigv4_name || auth_scheme['signingName'],
+              region: region_override || config.sigv4_region || region,
+              credentials_provider: config.credentials,
+              signing_algorithm: scheme_name.to_sym,
+              uri_escape_path: !!!auth_scheme['disableDoubleEncoding'],
+              unsigned_headers: %w[content-length user-agent x-amzn-trace-id]
+            )
+          rescue Aws::Sigv4::Errors::MissingCredentialsError
+            raise Aws::Errors::MissingCredentialsError
+          end
+        end
+
+        def sign(context)
+          req = context.http_request
+
+          apply_authtype(context, req)
+          reset_signature(req)
+          apply_clock_skew(context, req)
+
+          # compute the signature
+          begin
+            signature = @signer.sign_request(
+              http_method: req.http_method,
+              url: req.endpoint,
+              headers: req.headers,
+              body: req.body
+            )
+          rescue Aws::Sigv4::Errors::MissingCredentialsError
+            # Necessary for when credentials is explicitly set to nil
+            raise Aws::Errors::MissingCredentialsError
+          end
+          # apply signature headers
+          req.headers.update(signature.headers)
+
+          # add request metadata with signature components for debugging
+          context[:canonical_request] = signature.canonical_request
+          context[:string_to_sign] = signature.string_to_sign
+        end
+
+        def presign_url(*args)
+          @signer.presign_url(*args)
+        end
+
+        def sign_event(*args)
+          @signer.sign_event(*args)
+        end
+
+        private
+
+        def apply_authtype(context, req)
+          if context.operation['authtype'].eql?('v4-unsigned-body') &&
+             req.endpoint.scheme.eql?('https')
+            req.headers['X-Amz-Content-Sha256'] ||= 'UNSIGNED-PAYLOAD'
+          end
+        end
+
+        def reset_signature(req)
+          # in case this request is being re-signed
+          req.headers.delete('Authorization')
+          req.headers.delete('X-Amz-Security-Token')
+          req.headers.delete('X-Amz-Date')
+          req.headers.delete('x-Amz-Region-Set')
+        end
+
+        def apply_clock_skew(context, req)
+          if context.config.respond_to?(:clock_skew) &&
+             context.config.clock_skew &&
+             context.config.correct_clock_skew
+
+            endpoint = context.http_request.endpoint
+            skew = context.config.clock_skew.clock_correction(endpoint)
+            if skew.abs.positive?
+              req.headers['X-Amz-Date'] =
+                (Time.now.utc + skew).strftime('%Y%m%dT%H%M%SZ')
+            end
+          end
+        end
+
+      end
+
+      # @api private
+      class NullSigner
+
+        def sign(context)
+        end
+
+        def presign_url(*args)
+        end
+
+        def sign_event(*args)
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/signature_v2.rb

@@ -3,6 +3,7 @@
 module Aws
   module Plugins
     # @api private
+    # Necessary to keep after Endpoints 2.0
     class SignatureV2 < Seahorse::Client::Plugin
 
       option(:v2_signer) do |cfg|

data/lib/aws-sdk-core/plugins/signature_v4.rb

@@ -5,6 +5,7 @@ require 'aws-sigv4'
 module Aws
   module Plugins
     # @api private
+    # Necessary to exist after endpoints 2.0
     class SignatureV4 < Seahorse::Client::Plugin
 
       V4_AUTH = %w[v4 v4-unsigned-payload v4-unsigned-body]

data/lib/aws-sdk-core/rest/request/headers.rb

@@ -53,12 +53,8 @@ module Aws
           return if !value || value.empty?
           headers[ref.location_name] = value
             .compact
-            .map { |s| escape_header_list_string(s.to_s) }
-            .join(",")
-        end
-
-        def escape_header_list_string(s)
-          (s.include?('"') || s.include?(",")) ? "\"#{s.gsub('"', '\"')}\"" : s
+            .map { |s| Seahorse::Util.escape_header_list_string(s.to_s) }
+            .join(',')
         end
 
         def apply_header_map(headers, ref, values)

data/lib/aws-sdk-core.rb

@@ -97,6 +97,10 @@ require_relative 'aws-sdk-core/arn'
 require_relative 'aws-sdk-core/arn_parser'
 require_relative 'aws-sdk-core/ec2_metadata'
 
+# dynamic endpoints
+require_relative 'aws-sdk-core/endpoints'
+require_relative 'aws-sdk-core/plugins/signature_v4'
+
 # defaults
 require_relative 'aws-defaults'
 

data/lib/aws-sdk-sso/client.rb

@@ -30,7 +30,7 @@ require 'aws-sdk-core/plugins/http_checksum.rb'
 require 'aws-sdk-core/plugins/checksum_algorithm.rb'
 require 'aws-sdk-core/plugins/defaults_mode.rb'
 require 'aws-sdk-core/plugins/recursion_detection.rb'
-require 'aws-sdk-core/plugins/signature_v4.rb'
+require 'aws-sdk-core/plugins/sign.rb'
 require 'aws-sdk-core/plugins/protocols/rest_json.rb'
 
 Aws::Plugins::GlobalConfiguration.add_identifier(:sso)
@@ -79,8 +79,9 @@ module Aws::SSO
     add_plugin(Aws::Plugins::ChecksumAlgorithm)
     add_plugin(Aws::Plugins::DefaultsMode)
     add_plugin(Aws::Plugins::RecursionDetection)
-    add_plugin(Aws::Plugins::SignatureV4)
+    add_plugin(Aws::Plugins::Sign)
     add_plugin(Aws::Plugins::Protocols::RestJson)
+    add_plugin(Aws::SSO::Plugins::Endpoints)
 
     # @overload initialize(options)
     #   @param [Hash] options
@@ -287,6 +288,19 @@ module Aws::SSO
     #     ** Please note ** When response stubbing is enabled, no HTTP
     #     requests are made, and retries are disabled.
     #
+    #   @option options [Aws::TokenProvider] :token_provider
+    #     A Bearer Token Provider. This can be an instance of any one of the
+    #     following classes:
+    #
+    #     * `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
+    #       tokens.
+    #
+    #     * `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
+    #       access token generated from `aws login`.
+    #
+    #     When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
+    #     will be used to search for tokens configured for your profile in shared configuration files.
+    #
     #   @option options [Boolean] :use_dualstack_endpoint
     #     When set to `true`, dualstack enabled endpoints (with `.aws` TLD)
     #     will be used if available.
@@ -300,6 +314,9 @@ module Aws::SSO
     #     When `true`, request parameters are validated before
     #     sending the request.
     #
+    #   @option options [Aws::SSO::EndpointProvider] :endpoint_provider
+    #     The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::SSO::EndpointParameters`
+    #
     #   @option options [URI::HTTP,String] :http_proxy A proxy to send
     #     requests through.  Formatted like 'http://proxy.com:123'.
     #
@@ -568,7 +585,7 @@ module Aws::SSO
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.160.0'
+      context[:gem_version] = '3.166.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso/endpoint_parameters.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+# WARNING ABOUT GENERATED CODE
+#
+# This file is generated. See the contributing guide for more information:
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
+#
+# WARNING ABOUT GENERATED CODE
+
+module Aws::SSO
+  # Endpoint parameters used to influence endpoints per request.
+  #
+  # @!attribute region
+  #   The AWS region used to dispatch the request.
+  #
+  #   @return [String]
+  #
+  # @!attribute use_dual_stack
+  #   When true, use the dual-stack endpoint. If the configured endpoint does not support dual-stack, dispatching the request MAY return an error.
+  #
+  #   @return [Boolean]
+  #
+  # @!attribute use_fips
+  #   When true, send this request to the FIPS-compliant regional endpoint. If the configured endpoint does not have a FIPS compliant endpoint, dispatching the request will return an error.
+  #
+  #   @return [Boolean]
+  #
+  # @!attribute endpoint
+  #   Override the endpoint used to send this request
+  #
+  #   @return [String]
+  #
+  EndpointParameters = Struct.new(
+    :region,
+    :use_dual_stack,
+    :use_fips,
+    :endpoint,
+  ) do
+    include Aws::Structure
+
+    # @api private
+    class << self
+      PARAM_MAP = {
+        'Region' => :region,
+        'UseDualStack' => :use_dual_stack,
+        'UseFIPS' => :use_fips,
+        'Endpoint' => :endpoint,
+      }.freeze
+    end
+
+    def initialize(options = {})
+      self[:region] = options[:region]
+      self[:use_dual_stack] = options[:use_dual_stack]
+      self[:use_dual_stack] = false if self[:use_dual_stack].nil?
+      if self[:use_dual_stack].nil?
+        raise ArgumentError, "Missing required EndpointParameter: :use_dual_stack"
+      end
+      self[:use_fips] = options[:use_fips]
+      self[:use_fips] = false if self[:use_fips].nil?
+      if self[:use_fips].nil?
+        raise ArgumentError, "Missing required EndpointParameter: :use_fips"
+      end
+      self[:endpoint] = options[:endpoint]
+    end
+  end
+end