aws-sdk-core 3.165.0 → 3.201.0

data/lib/aws-sdk-core/rpc_v2/parser.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require 'time'
+
+module Aws
+  module RpcV2
+    class Parser
+      include Seahorse::Model::Shapes
+
+      # @param [Seahorse::Model::ShapeRef] rules
+      def initialize(rules, query_compatible: false)
+        @rules = rules
+        @query_compatible = query_compatible
+      end
+
+      def parse(cbor, target = nil)
+        return {} if cbor.empty?
+
+        parse_ref(@rules, Cbor.decode(cbor), target)
+      end
+
+      private
+
+      def structure(ref, values, target = nil)
+        shape = ref.shape
+        target = ref.shape.struct_class.new if target.nil?
+        values.each do |key, value|
+          member_name, member_ref = shape.member_by_location_name(key)
+          if member_ref
+            target[member_name] = parse_ref(member_ref, value)
+          elsif shape.union && key != '__type'
+            target[:unknown] = { 'name' => key, 'value' => value }
+          end
+        end
+        # In services that were previously Query/XML, members that were
+        # "flattened" defaulted to empty lists. In JSON, these values are nil,
+        # which is backwards incompatible. To preserve backwards compatibility,
+        # we set a default value of [] for these members.
+        if @query_compatible
+          ref.shape.members.each do |member_name, member_target|
+            next unless target[member_name].nil?
+
+            if flattened_list?(member_target.shape)
+              target[member_name] = []
+            elsif flattened_map?(member_target.shape)
+              target[member_name] = {}
+            end
+          end
+        end
+
+        if shape.union
+          # convert to subclass
+          member_subclass = shape.member_subclass(target.member).new
+          member_subclass[target.member] = target.value
+          target = member_subclass
+        end
+        target
+      end
+
+      def list(ref, values, target = nil)
+        target = [] if target.nil?
+        values.each do |value|
+          target << parse_ref(ref.shape.member, value)
+        end
+        target
+      end
+
+      def map(ref, values, target = nil)
+        target = {} if target.nil?
+        values.each do |key, value|
+          target[key] = parse_ref(ref.shape.value, value) unless value.nil?
+        end
+        target
+      end
+
+      def parse_ref(ref, value, target = nil)
+        if value.nil?
+          nil
+        else
+          case ref.shape
+          when StructureShape then structure(ref, value, target)
+          when ListShape then list(ref, value, target)
+          when MapShape then map(ref, value, target)
+          else value
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/rpc_v2.rb

@@ -0,0 +1,6 @@
+require_relative 'cbor'
+require_relative 'rpc_v2/handler'
+require_relative 'rpc_v2/content_type_handler'
+require_relative 'rpc_v2/error_handler'
+require_relative 'rpc_v2/builder'
+require_relative 'rpc_v2/parser'

data/lib/aws-sdk-core/shared_config.rb

@@ -3,9 +3,10 @@
 module Aws
   # @api private
   class SharedConfig
-    SSO_PROFILE_KEYS = %w[sso_start_url sso_region sso_account_id sso_role_name].freeze
+    SSO_CREDENTIAL_PROFILE_KEYS = %w[sso_account_id sso_role_name].freeze
+    SSO_PROFILE_KEYS = %w[sso_session sso_start_url sso_region sso_account_id sso_role_name].freeze
     SSO_TOKEN_PROFILE_KEYS = %w[sso_session].freeze
-    SSO_SESSION_KEYS = %w[sso_region]
+    SSO_SESSION_KEYS = %w[sso_region sso_start_url].freeze
 
 
     # @return [String]
@@ -166,6 +167,26 @@ module Aws
       token
     end
 
+    # Source a custom configured endpoint from the shared configuration file
+    #
+    # @param [Hash] opts
+    # @option opts [String] :profile
+    # @option opts [String] :service_id
+    def configured_endpoint(opts = {})
+      # services section is only allowed in the shared config file (not credentials)
+      profile = opts[:profile] || @profile_name
+      service_id = opts[:service_id]&.gsub(" ", "_")&.downcase
+      if @parsed_config && (prof_config = @parsed_config[profile])
+        services_section_name = prof_config['services']
+        if (services_config = @parsed_config["services #{services_section_name}"]) &&
+          (service_config = services_config[service_id])
+          return service_config['endpoint_url'] if service_config['endpoint_url']
+        end
+        return prof_config['endpoint_url']
+      end
+      nil
+    end
+
     # Add an accessor method (similar to attr_reader) to return a configuration value
     # Uses the get_config_value below to control where
     # values are loaded from
@@ -177,6 +198,7 @@ module Aws
 
     config_reader(
       :region,
+      :sigv4a_signing_region_set,
       :ca_bundle,
       :credential_process,
       :endpoint_discovery_enabled,
@@ -184,6 +206,7 @@ module Aws
       :use_fips_endpoint,
       :ec2_metadata_service_endpoint,
       :ec2_metadata_service_endpoint_mode,
+      :ec2_metadata_v1_disabled,
       :max_attempts,
       :retry_mode,
       :adaptive_retry_wait_to_fill,
@@ -196,7 +219,12 @@ module Aws
       :s3_use_arn_region,
       :s3_us_east_1_regional_endpoint,
       :s3_disable_multiregion_access_points,
-      :defaults_mode
+      :s3_disable_express_session_auth,
+      :defaults_mode,
+      :sdk_ua_app_id,
+      :disable_request_compression,
+      :request_min_compression_size_bytes,
+      :ignore_configured_endpoint_urls
     )
 
     private
@@ -331,14 +359,37 @@ module Aws
     def sso_credentials_from_profile(cfg, profile)
       if @parsed_config &&
          (prof_config = cfg[profile]) &&
-         !(prof_config.keys & SSO_PROFILE_KEYS).empty?
+         !(prof_config.keys & SSO_CREDENTIAL_PROFILE_KEYS).empty?
+
+        if sso_session_name = prof_config['sso_session']
+          sso_session = sso_session(cfg, profile, sso_session_name)
+
+          sso_region = sso_session['sso_region']
+          sso_start_url = sso_session['sso_start_url']
+
+          # validate sso_region and sso_start_url don't conflict if set on profile and session
+          if prof_config['sso_region'] &&  prof_config['sso_region'] != sso_region
+            raise ArgumentError,
+                  "sso-session #{sso_session_name}'s sso_region (#{sso_region}) " \
+                    "does not match the profile #{profile}'s sso_region (#{prof_config['sso_region']}'"
+          end
+          if prof_config['sso_start_url'] &&  prof_config['sso_start_url'] != sso_start_url
+            raise ArgumentError,
+                  "sso-session #{sso_session_name}'s sso_start_url (#{sso_start_url}) " \
+                    "does not match the profile #{profile}'s sso_start_url (#{prof_config['sso_start_url']}'"
+          end
+        else
+          sso_region = prof_config['sso_region']
+          sso_start_url = prof_config['sso_start_url']
+        end
 
         SSOCredentials.new(
-          sso_start_url: prof_config['sso_start_url'],
-          sso_region: prof_config['sso_region'],
           sso_account_id: prof_config['sso_account_id'],
-          sso_role_name: prof_config['sso_role_name']
-        )
+          sso_role_name: prof_config['sso_role_name'],
+          sso_session: prof_config['sso_session'],
+          sso_region: sso_region,
+          sso_start_url: sso_start_url
+          )
       end
     end
 
@@ -350,16 +401,7 @@ module Aws
         !(prof_config.keys & SSO_TOKEN_PROFILE_KEYS).empty?
 
         sso_session_name = prof_config['sso_session']
-        sso_session = cfg["sso-session #{sso_session_name}"]
-        unless sso_session
-          raise ArgumentError,
-                "sso-session #{sso_session_name} must be defined in the config file." /
-                  "Referenced by profile #{profile}"
-        end
-
-        unless sso_session['sso_region']
-          raise ArgumentError, "sso-session #{sso_session_name} missing required parameter: sso_region"
-        end
+        sso_session = sso_session(cfg, profile, sso_session_name)
 
         SSOTokenProvider.new(
           sso_session: sso_session_name,
@@ -417,5 +459,22 @@ module Aws
       ret ||= 'default'
       ret
     end
+
+    def sso_session(cfg, profile, sso_session_name)
+      # aws sso-configure may add quotes around sso session names with whitespace
+      sso_session = cfg["sso-session #{sso_session_name}"] || cfg["sso-session '#{sso_session_name}'"]
+
+      unless sso_session
+        raise ArgumentError,
+          "sso-session #{sso_session_name} must be defined in the config file. " \
+                    "Referenced by profile #{profile}"
+      end
+
+      unless sso_session['sso_region']
+        raise ArgumentError, "sso-session #{sso_session_name} missing required parameter: sso_region"
+      end
+
+      sso_session
+    end
   end
 end

data/lib/aws-sdk-core/sso_credentials.rb

@@ -3,24 +3,19 @@
 module Aws
   # An auto-refreshing credential provider that assumes a role via
   # {Aws::SSO::Client#get_role_credentials} using a cached access
-  # token. This class does NOT implement the SSO login token flow - tokens
-  # must generated and refreshed separately by running `aws login` from the
-  # AWS CLI with the correct profile.
-  #
-  # The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In
-  # addition to AWS credentials expiring after a given amount of time, the
-  # access token generated and cached from `aws login` will also expire.
-  # Once this token expires, it will not be usable to refresh AWS credentials,
-  # and another token will be needed. The SDK does not manage refreshing of
-  # the token value, but this can be done by running `aws login` with the
-  # correct profile.
+  # token. When `sso_session` is specified, token refresh logic from
+  # {Aws::SSOTokenProvider} will be used to refresh the token if possible.
+  # This class does NOT implement the SSO login token flow - tokens
+  # must generated separately by running `aws login` from the
+  # AWS CLI with the correct profile. The `SSOCredentials` will
+  # auto-refresh the AWS credentials from SSO.
   #
   #     # You must first run aws sso login --profile your-sso-profile
   #     sso_credentials = Aws::SSOCredentials.new(
   #       sso_account_id: '123456789',
   #       sso_role_name: "role_name",
   #       sso_region: "us-east-1",
-  #       sso_start_url: 'https://your-start-url.awsapps.com/start'
+  #       sso_session: 'my_sso_session'
   #     )
   #     ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
   #
@@ -35,7 +30,8 @@ module Aws
     include RefreshingCredentials
 
     # @api private
-    SSO_REQUIRED_OPTS = [:sso_account_id, :sso_region, :sso_role_name, :sso_start_url].freeze
+    LEGACY_REQUIRED_OPTS =         [:sso_start_url, :sso_account_id, :sso_region, :sso_role_name].freeze
+    TOKEN_PROVIDER_REQUIRED_OPTS = [:sso_session, :sso_account_id, :sso_region, :sso_role_name].freeze
 
     # @api private
     SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
@@ -45,17 +41,23 @@ module Aws
     # @option options [required, String] :sso_account_id The AWS account ID
     #   that temporary AWS credentials will be resolved for
     #
-    # @option options [required, String] :sso_region The AWS region where the
-    #   SSO directory for the given sso_start_url is hosted.
-    #
     # @option options [required, String] :sso_role_name The corresponding
     #   IAM role in the AWS account that temporary AWS credentials
     #   will be resolved for.
     #
-    # @option options [required, String] :sso_start_url The start URL is
-    #   provided by the SSO service via the console and is the URL used to
+    # @option options [required, String] :sso_region The AWS region where the
+    #   SSO directory for the given sso_start_url is hosted.
+    #
+    # @option options [String] :sso_session The SSO Token used for fetching
+    #   the token. If provided, refresh logic from the {Aws::SSOTokenProvider}
+    #   will be used.
+    #
+    # @option options [String] :sso_start_url (legacy profiles) If provided,
+    #   legacy token fetch behavior will be used, which does not support
+    #   token refreshing.  The start URL is provided by the SSO
+    #   service via the console and is the URL used to
     #   login to the SSO directory. This is also sometimes referred to as
-    #   the "User Portal URL"
+    #   the "User Portal URL".
     #
     # @option options [SSO::Client] :client Optional `SSO::Client`.  If not
     #   provided, a client will be constructed.
@@ -65,27 +67,52 @@ module Aws
     #   with an instance of this object when
     #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
-
-      missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
-      unless missing_keys.empty?
-        raise ArgumentError, "Missing required keys: #{missing_keys}"
+      options = options.select {|k, v| !v.nil? }
+      if (options[:sso_session])
+        missing_keys = TOKEN_PROVIDER_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = false
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
+
+        # if client has been passed, don't pass through to SSOTokenProvider
+        @client = options.delete(:client)
+        options.delete(:sso_start_url)
+        @token_provider = Aws::SSOTokenProvider.new(options.dup)
+        @sso_session = options.delete(:sso_session)
+        @sso_region = options.delete(:sso_region)
+
+        unless @client
+          client_opts = {}
+          options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+          client_opts[:region] = @sso_region
+          client_opts[:credentials] = nil
+          @client = Aws::SSO::Client.new(client_opts)
+        end
+      else # legacy behavior
+        missing_keys = LEGACY_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = true
+        @sso_start_url = options.delete(:sso_start_url)
+        @sso_region = options.delete(:sso_region)
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
+
+        # validate we can read the token file
+        read_cached_token
+
+        client_opts = {}
+        options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+        client_opts[:region] = @sso_region
+        client_opts[:credentials] = nil
+
+        @client = options[:client] || Aws::SSO::Client.new(client_opts)
       end
 
-      @sso_start_url = options.delete(:sso_start_url)
-      @sso_region = options.delete(:sso_region)
-      @sso_role_name = options.delete(:sso_role_name)
-      @sso_account_id = options.delete(:sso_account_id)
-
-      # validate we can read the token file
-      read_cached_token
-
-
-      client_opts = {}
-      options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
-      client_opts[:region] = @sso_region
-      client_opts[:credentials] = nil
-
-      @client = options[:client] || Aws::SSO::Client.new(client_opts)
       @async_refresh = true
       super
     end
@@ -111,19 +138,27 @@ module Aws
     end
 
     def refresh
-      cached_token = read_cached_token
-      c = @client.get_role_credentials(
-        account_id: @sso_account_id,
-        role_name: @sso_role_name,
-        access_token: cached_token['accessToken']
-      ).role_credentials
+      c = if @legacy
+            cached_token = read_cached_token
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: cached_token['accessToken']
+            ).role_credentials
+          else
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: @token_provider.token.token
+            ).role_credentials
+          end
 
       @credentials = Credentials.new(
         c.access_key_id,
         c.secret_access_key,
         c.session_token
       )
-      @expiration = c.expiration
+      @expiration = Time.at(c.expiration / 1000.0)
     end
 
     def sso_cache_file

data/lib/aws-sdk-core/sso_token_provider.rb

@@ -39,12 +39,13 @@ module Aws
 
       options[:region] = @sso_region
       options[:credentials] = nil
+      options[:token_provider] = nil
       @client = options[:client] || Aws::SSOOIDC::Client.new(options)
 
       super
     end
 
-    # @return [SSO::Client]
+    # @return [SSOOIDC::Client]
     attr_reader :client
 
     private
@@ -66,7 +67,7 @@ module Aws
           resp = @client.create_token(
             grant_type: 'refresh_token',
             client_id: token_json['clientId'],
-            client_secret: token_json['client_secret'],
+            client_secret: token_json['clientSecret'],
             refresh_token: token_json['refreshToken']
           )
           token_json['accessToken'] = resp.access_token

data/lib/aws-sdk-core/stubbing/protocols/rpc_v2.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Aws
+  module Stubbing
+    module Protocols
+      class RpcV2
+
+        def stub_data(api, operation, data)
+          resp = Seahorse::Client::Http::Response.new
+          resp.status_code = 200
+          resp.headers['Content-Type'] = content_type(api)
+          resp.headers['x-amzn-RequestId'] = 'stubbed-request-id'
+          resp.body = build_body(operation, data)
+          resp
+        end
+
+        def stub_error(error_code)
+          http_resp = Seahorse::Client::Http::Response.new
+          http_resp.status_code = 400
+          http_resp.body = <<-JSON.strip
+{
+  "code": #{error_code.inspect},
+  "message": "stubbed-response-error-message"
+}
+          JSON
+          http_resp
+        end
+
+        private
+
+        def content_type(api)
+          'application/cbor'
+        end
+
+        def build_body(operation, data)
+          Aws::RpcV2::Builder.new(operation.output).serialize(data)
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/stubbing/stub_data.rb

@@ -13,12 +13,23 @@ module Aws
       def stub(data = {})
         stub = EmptyStub.new(@rules).stub
         remove_paging_tokens(stub)
+        remove_checksums(stub)
         apply_data(data, stub)
         stub
       end
 
       private
 
+      def remove_checksums(stub)
+        if @rules && @rules.shape.is_a?(Seahorse::Model::Shapes::StructureShape)
+          @rules.shape.members.each do |key, member|
+            if member.location == 'header' && member.location_name.start_with?('x-amz-checksum-')
+              stub[key] = nil
+            end
+          end
+        end
+      end
+
       def remove_paging_tokens(stub)
         if @pager
           @pager.instance_variable_get("@tokens").keys.each do |path|

data/lib/aws-sdk-core/util.rb

@@ -67,6 +67,45 @@ module Aws
         end
       end
 
+      # @param [Number] input
+      # @return [Number, String] The serialized number
+      def serialize_number(input)
+        if input == ::Float::INFINITY then 'Infinity'
+        elsif input == -::Float::INFINITY then '-Infinity'
+        elsif input&.nan? then 'NaN'
+        else
+          input
+        end
+      end
+
+      # @param [String] str
+      # @return [Number] The input as a number
+      def deserialize_number(str)
+        case str
+        when 'Infinity' then ::Float::INFINITY
+        when '-Infinity' then -::Float::INFINITY
+        when 'NaN' then ::Float::NAN
+        when nil then nil
+        else str.to_f
+        end
+      end
+
+      # @param [String] value
+      # @return [Time]
+      def deserialize_time(value)
+        case value
+        when nil then nil
+        when /^[\d.]+$/ then Time.at(value.to_f).utc
+        else
+          begin
+            fractional_time = Time.parse(value).to_f
+            Time.at(fractional_time).utc
+          rescue ArgumentError
+            raise "unhandled timestamp format `#{value}'"
+          end
+        end
+      end
+
     end
   end
 end

data/lib/aws-sdk-core/waiters/poller.rb

@@ -62,7 +62,9 @@ module Aws
       def send_request(options)
         req = options[:client].build_request(@operation_name, options[:params])
         req.handlers.remove(RAISE_HANDLER)
-        req.send_request
+        Aws::Plugins::UserAgent.metric('WAITER') do
+          req.send_request
+        end
       end
 
       def acceptor_matches?(acceptor, response)
@@ -95,7 +97,7 @@ module Aws
 
       def matches_error?(acceptor, response)
         Aws::Errors::ServiceError === response.error &&
-        response.error.code == acceptor['expected'].gsub('.', '')
+        response.error.code == acceptor['expected'].delete('.')
       end
 
       def path(acceptor)

data/lib/aws-sdk-core/xml/builder.rb

@@ -10,6 +10,8 @@ module Aws
 
       def initialize(rules, options = {})
         @rules = rules
+        @location_name =
+          options[:location_name].nil? ? @rules.location_name : options[:location_name]
         @xml = options[:target] || []
         indent = options[:indent] || ''
         pad = options[:pad] || ''
@@ -17,7 +19,7 @@ module Aws
       end
 
       def to_xml(params)
-        structure(@rules.location_name, @rules, params)
+        structure(@location_name, @rules, params)
         @xml.join
       end
       alias serialize to_xml
@@ -50,7 +52,7 @@ module Aws
       def list(name, ref, values)
         if ref[:flattened] || ref.shape.flattened
           values.each do |value|
-            member(ref.shape.member.location_name || name, ref.shape.member, value)
+            member(name, ref.shape.member, value)
           end
         else
           node(name, ref) do
@@ -65,7 +67,7 @@ module Aws
       def map(name, ref, hash)
         key_ref = ref.shape.key
         value_ref = ref.shape.value
-        if ref.shape.flattened
+        if ref[:flattened] || ref.shape.flattened
           hash.each do |key, value|
             node(name, ref) do
               member(key_ref.location_name || 'key', key_ref, key)
@@ -75,7 +77,8 @@ module Aws
         else
           node(name, ref) do
             hash.each do |key, value|
-              node('entry', ref)  do
+              # Pass in a new ShapeRef to create an entry node
+              node('entry', ShapeRef.new) do
                 member(key_ref.location_name || 'key', key_ref, key)
                 member(value_ref.location_name || 'value', value_ref, value)
               end
@@ -129,11 +132,16 @@ module Aws
       end
 
       def shape_attrs(ref)
-        if xmlns = ref['xmlNamespace']
-          if prefix = xmlns['prefix']
-            { 'xmlns:' + prefix => xmlns['uri'] }
-          else
-            { 'xmlns' => xmlns['uri'] }
+        if (xmlns = ref['xmlNamespace'])
+          case xmlns
+          when String
+            { 'xmlns' => xmlns }
+          when Hash
+            if (prefix = xmlns['prefix'])
+              { "xmlns:#{prefix}" => xmlns['uri'] }
+            else
+              { 'xmlns' => xmlns['uri'] }
+            end
           end
         else
           {}