aws-sdk-core 3.168.4 → 3.190.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d3feaec82dc395d31e4cd17d9951ac80c191c69156317b9cfab13834fe95755a
-  data.tar.gz: efb2c1a30e3d3baccbcfdeb92390a18efb5aaf8a145d1d0cd6129b10413f6358
+  metadata.gz: 21cdff0abfe2aec5ad4a801e3c2309930e2afb717f30886b1d075b568c28aa56
+  data.tar.gz: 8a7ab6eef02764d83baef04f6b47fce0c290a850a97a53156c4ef988811bc834
 SHA512:
-  metadata.gz: 77b3fe5b4fcfa3c7855b5d9adcae5957cd8080d049abcd346bcf84500c6aa507d22d91cd9bf9b252da95a2414e513c6729bc3d2905b23d8a276ecf9fa07922ca
-  data.tar.gz: 27f2a8fcd85631e81e0055bbd593cfd04dcaf17002d52edb9ff5beb25aff0e0974afad22a5ac905010e9ef8f165fa9ab47cd7bd8e154023f10ac44b185d4afcc
+  metadata.gz: f9e59ce7c7d62a8bc34c3060655ef2c30c913c7d5acc7a1d205c3f124d1978412d904846e2ad696def72fd98fc0acd091bdd73e07a2f060c674ed8a5999abfcc
+  data.tar.gz: 9f3aa78cdd2e71e8b013510919e47bed89fe871b92801559f027929bbc50510fcccef45dc79f8a300bc2fec6c40f03c1de425fde393c0435d2f8c66201daaff2

data/CHANGELOG.md

@@ -1,6 +1,237 @@
 Unreleased Changes
 ------------------
 
+3.190.3 (2024-01-16)
+------------------
+
+* Issue - Add mutex around accessing stub api_requests.
+
+3.190.2 (2024-01-09)
+------------------
+
+* Issue - Minor performance optimization.
+
+3.190.1 (2023-12-20)
+------------------
+
+* Issue - Add mutex around stub api_requests.
+
+3.190.0 (2023-11-29)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+3.189.0 (2023-11-28)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Support S3 Express authentication.
+
+3.188.0 (2023-11-22)
+------------------
+
+* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.3 and 2.4.
+
+* Feature - Support `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` in `ECSCredentials` and also allow for ECS and EKS link-local http addresses.
+
+3.187.1 (2023-11-20)
+------------------
+
+* Issue - For `awsQueryCompatible` services, default an empty list or map for shapes that were previously flattened in the query protocol.
+
+3.187.0 (2023-11-17)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+3.186.0 (2023-11-02)
+------------------
+
+* Feature - Support disabling IMDSv1 in `InstanceProfileCredentials` using `ENV['AWS_EC2_METADATA_V1_DISABLED']`, `ec2_metadata_v1_disabled` shared config, or the `disable_imds_v1` credentials option.
+
+3.185.2 (2023-10-31)
+------------------
+
+* Issue - Fix query string support to lists of booleans, floats, integers and timestamps per rest-json protocol.
+
+3.185.1 (2023-10-05)
+------------------
+
+* Issue - Ignore `__type` when deserializing Unions.
+
+3.185.0 (2023-10-02)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.184.0 (2023-09-27)
+------------------
+
+* Feature - Change the `ServiceError` data member from read only to read/write.
+
+3.183.1 (2023-09-25)
+------------------
+
+* Issue - Remove value inspection from param validation errors.
+
+3.183.0 (2023-09-20)
+------------------
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+3.182.0 (2023-09-19)
+------------------
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.181.1 (2023-09-14)
+------------------
+
+* Issue - Fix host label validation in endpoint matchers.
+
+3.181.0 (2023-08-22)
+------------------
+
+* Feature - Add support for `on_chunk_received` callback.
+
+3.180.3 (2023-08-09)
+------------------
+
+* Issue - Add support for sso-session names with whitespace configured by the CLI `aws sso configure` command (#2895).
+
+3.180.2 (2023-08-07)
+------------------
+
+* Issue - Fix parsing of ini files with mixes of blank properties and nested configurations.
+
+3.180.1 (2023-07-31)
+------------------
+
+* Issue - Remove checksums from default stubs (#2888).
+
+3.180.0 (2023-07-25)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+3.179.0 (2023-07-24)
+------------------
+
+* Feature - Add `checksum_validated` method to response.
+
+3.178.0 (2023-07-11)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Add support for configuring the endpoint URL in the shared configuration file or via an environment variable for a specific AWS service or all AWS services.
+
+3.177.0 (2023-07-06)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Add support for Request Compression.
+
+3.176.1 (2023-06-29)
+------------------
+
+* Issue - Fix signing for S3/S3 Control and `aws-crt` gem for certain object keys (#2849).
+
+* Issue - Ensure `SSOCredentials` `#expiration` is a `Time` (#2874)
+
+3.176.0 (2023-06-28)
+------------------
+
+* Feature - Add :expiration accessor to `CredentialProvider` and do not refresh credentials when checking expiration (#2872).
+
+3.175.0 (2023-06-15)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.174.0 (2023-05-31)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Improve User-Agent metrics tracking.
+
+3.173.1 (2023-05-24)
+------------------
+
+* Issue - Updated `checksum_algorithm` plugin to use IO.copy_stream for JRuby.
+
+3.173.0 (2023-05-18)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+3.172.0 (2023-05-08)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Add :region option to `Aws::Log::Formatter`.
+
+3.171.1 (2023-05-04)
+------------------
+
+* Issue - Fix error code parsing in AWS query compatible JSON services.
+
+3.171.0 (2023-03-22)
+------------------
+
+* Feature - Add support for `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN` environment variables to `ECSCredentials`.
+
+3.170.1 (2023-03-17)
+------------------
+
+* Issue - Reduce memory usage in H2::Connection when `http_wire_log` is not set.
+
+3.170.0 (2023-01-25)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+3.169.0 (2023-01-18)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Issue - Replace runtime endpoint resolution approach with generated ruby code for STS, SSO, and SSOOIDC.
+
 3.168.4 (2022-12-08)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.168.4
+3.190.3

data/lib/aws-defaults/default_configuration.rb

@@ -20,7 +20,7 @@ module Aws
   #  * Globally via the "AWS_DEFAULTS_MODE" environment variable.
   #
   #
-  # @code_generation START - documentation
+  # #defaults START - documentation
   # The following `:default_mode` values are supported:
   #
   # * `'standard'` -
@@ -105,10 +105,10 @@ module Aws
   # [2]: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-retry_mode.html
   # [3]: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-sts_regional_endpoints.html
   #
-  # @code_generation END - documentation
+  # #defaults END - documentation
   module DefaultsModeConfiguration
     # @api private
-    # @code_generation START - configuration
+    # #defaults START - configuration
     SDK_DEFAULT_CONFIGURATION = 
     {
       "version" => 1,
@@ -148,6 +148,6 @@ module Aws
         }
       }
     }
-    # @code_generation END - configuration
+    # #defaults END - configuration
   end
 end

data/lib/aws-sdk-core/client_stubs.rb

@@ -24,15 +24,16 @@ module Aws
       end
 
       # When a client is stubbed allow the user to access the requests made
-      @api_requests = []
-
-      requests = @api_requests
+      requests = @api_requests = []
+      requests_mutex = @requests_mutex = Mutex.new
       self.handle do |context|
-        requests << {
-          operation_name: context.operation_name,
-          params: context.params,
-          context: context
-        }
+        requests_mutex.synchronize do
+          requests << {
+            operation_name: context.operation_name,
+            params: context.params,
+            context: context
+          }
+        end
         @handler.call(context)
       end
     end
@@ -194,10 +195,12 @@ module Aws
     #   is not stubbed.
     def api_requests(options = {})
       if config.stub_responses
-        if options[:exclude_presign]
-          @api_requests.reject {|req| req[:context][:presigned_url] }
-        else
-          @api_requests
+        @requests_mutex.synchronize do
+          if options[:exclude_presign]
+            @api_requests.reject {|req| req[:context][:presigned_url] }
+          else
+            @api_requests
+          end
         end
       else
         msg = 'This method is only implemented for stubbed clients, and is '\

data/lib/aws-sdk-core/credential_provider.rb

@@ -6,6 +6,9 @@ module Aws
     # @return [Credentials]
     attr_reader :credentials
 
+    # @return [Time]
+    attr_reader :expiration
+
     # @return [Boolean]
     def set?
       !!credentials && credentials.set?

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -161,7 +161,8 @@ module Aws
 
     def instance_profile_credentials(options)
       profile_name = determine_profile_name(options)
-      if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
+      if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] ||
+         ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
         ECSCredentials.new(options)
       else
         InstanceProfileCredentials.new(options.merge(profile: profile_name))

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -2,21 +2,27 @@
 
 require 'time'
 require 'net/http'
+require 'resolv'
 
 module Aws
   # An auto-refreshing credential provider that loads credentials from
-  # instances running in ECS.
+  # instances running in containers.
   #
   #     ecs_credentials = Aws::ECSCredentials.new(retries: 3)
   #     ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
   class ECSCredentials
-
     include CredentialProvider
     include RefreshingCredentials
 
     # @api private
     class Non200Response < RuntimeError; end
 
+    # Raised when the token file cannot be read.
+    class TokenFileReadError < RuntimeError; end
+
+    # Raised when the token file is invalid.
+    class InvalidTokenError < RuntimeError; end
+
     # These are the errors we trap when attempting to talk to the
     # instance metadata service.  Any of these imply the service
     # is not present, no responding or some other non-recoverable
@@ -29,16 +35,22 @@ module Aws
       Errno::ENETUNREACH,
       SocketError,
       Timeout::Error,
-      Non200Response,
-    ]
+      Non200Response
+    ].freeze
 
     # @param [Hash] options
     # @option options [Integer] :retries (5) Number of times to retry
     #   when retrieving credentials.
-    # @option options [String] :ip_address ('169.254.170.2')
-    # @option options [Integer] :port (80)
+    # @option options [String] :ip_address ('169.254.170.2') This value is
+    #   ignored if `endpoint` is set and `credential_path` is not set.
+    # @option options [Integer] :port (80) This value is ignored if `endpoint`
+    #   is set and `credential_path` is not set.
     # @option options [String] :credential_path By default, the value of the
     #   AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
+    # @option options [String] :endpoint The container credential endpoint.
+    #   By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
+    #   environment variable. This value is ignored if `credential_path` or
+    #   ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
     # @option options [Float] :http_open_timeout (5)
     # @option options [Float] :http_read_timeout (5)
     # @option options [Numeric, Proc] :delay By default, failures are retried
@@ -52,17 +64,14 @@ module Aws
     #   credentials are refreshed. `before_refresh` is called
     #   with an instance of this object when
     #   AWS credentials are required and need to be refreshed.
-    def initialize options = {}
+    def initialize(options = {})
+      credential_path = options[:credential_path] ||
+                        ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
+      endpoint = options[:endpoint] ||
+                 ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
+      initialize_uri(options, credential_path, endpoint)
+
       @retries = options[:retries] || 5
-      @ip_address = options[:ip_address] || '169.254.170.2'
-      @port = options[:port] || 80
-      @credential_path = options[:credential_path]
-      @credential_path ||= ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
-      unless @credential_path
-        raise ArgumentError.new(
-          "Cannot instantiate an ECS Credential Provider without a credential path."
-        )
-      end
       @http_open_timeout = options[:http_open_timeout] || 5
       @http_read_timeout = options[:http_read_timeout] || 5
       @http_debug_output = options[:http_debug_output]
@@ -77,11 +86,95 @@ module Aws
 
     private
 
+    def initialize_uri(options, credential_path, endpoint)
+      if credential_path
+        initialize_relative_uri(options, credential_path)
+      # Use FULL_URI/endpoint only if RELATIVE_URI/path is not set
+      elsif endpoint
+        initialize_full_uri(endpoint)
+      else
+        raise ArgumentError,
+              'Cannot instantiate an ECS Credential Provider '\
+              'without a credential path or endpoint.'
+      end
+    end
+
+    def initialize_relative_uri(options, path)
+      @host = options[:ip_address] || '169.254.170.2'
+      @port = options[:port] || 80
+      @scheme = 'http'
+      @credential_path = path
+    end
+
+    def initialize_full_uri(endpoint)
+      uri = URI.parse(endpoint)
+      validate_full_uri_scheme!(uri)
+      validate_full_uri!(uri)
+      @host = uri.hostname
+      @port = uri.port
+      @scheme = uri.scheme
+      @credential_path = uri.request_uri
+    end
+
+    def validate_full_uri_scheme!(full_uri)
+      return if full_uri.is_a?(URI::HTTP) || full_uri.is_a?(URI::HTTPS)
+
+      raise ArgumentError, "'#{full_uri}' must be a valid HTTP or HTTPS URI"
+    end
+
+    # Validate that the full URI is using a loopback address if scheme is http.
+    def validate_full_uri!(full_uri)
+      return unless full_uri.scheme == 'http'
+
+      begin
+        return if valid_ip_address?(IPAddr.new(full_uri.host))
+      rescue IPAddr::InvalidAddressError
+        addresses = Resolv.getaddresses(full_uri.host)
+        return if addresses.all? { |addr| valid_ip_address?(IPAddr.new(addr)) }
+      end
+
+      raise ArgumentError,
+            'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a local loopback '\
+            'or an ECS or EKS link-local address when using the http scheme.'
+    end
+
+    def valid_ip_address?(ip_address)
+      ip_loopback?(ip_address) || ecs_or_eks_ip?(ip_address)
+    end
+
+    # loopback? method is available in Ruby 2.5+
+    # Replicate the logic here.
+    # loopback (IPv4 127.0.0.0/8, IPv6 ::1/128)
+    def ip_loopback?(ip_address)
+      case ip_address.family
+      when Socket::AF_INET
+        ip_address & 0xff000000 == 0x7f000000
+      when Socket::AF_INET6
+        ip_address == 1
+      else
+        false
+      end
+    end
+
+    # Verify that the IP address is a link-local address from ECS or EKS.
+    # ECS container host (IPv4 `169.254.170.2`)
+    # EKS container host (IPv4 `169.254.170.23`, IPv6 `fd00:ec2::23`)
+    def ecs_or_eks_ip?(ip_address)
+      case ip_address.family
+      when Socket::AF_INET
+        [0xa9feaa02, 0xa9feaa17].include?(ip_address)
+      when Socket::AF_INET6
+        ip_address == 0xfd00_0ec2_0000_0000_0000_0000_0000_0023
+      else
+        false
+      end
+    end
+
     def backoff(backoff)
       case backoff
       when Proc then backoff
-      when Numeric then lambda { |_| sleep(backoff) }
-      else lambda { |num_failures| Kernel.sleep(1.2 ** num_failures) }
+      when Numeric then ->(_) { sleep(backoff) }
+      else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
       end
     end
 
@@ -89,68 +182,99 @@ module Aws
       # Retry loading credentials up to 3 times is the instance metadata
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
-      begin
-        retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
-          c = Aws::Json.load(get_credentials.to_s)
-          @credentials = Credentials.new(
-            c['AccessKeyId'],
-            c['SecretAccessKey'],
-            c['Token']
-          )
-          @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
-        end
-      rescue Aws::Json::ParseError
-        raise Aws::Errors::MetadataParserError.new
+
+      retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
+        c = Aws::Json.load(get_credentials.to_s)
+        @credentials = Credentials.new(
+          c['AccessKeyId'],
+          c['SecretAccessKey'],
+          c['Token']
+        )
+        @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
       end
+    rescue Aws::Json::ParseError
+      raise Aws::Errors::MetadataParserError
     end
 
     def get_credentials
       # Retry loading credentials a configurable number of times if
       # the instance metadata service is not responding.
-      begin
-        retry_errors(NETWORK_ERRORS, max_retries: @retries) do
-          open_connection do |conn|
-            http_get(conn, @credential_path)
-          end
+
+      retry_errors(NETWORK_ERRORS, max_retries: @retries) do
+        open_connection do |conn|
+          http_get(conn, @credential_path)
         end
-      rescue
-        '{}'
       end
+    rescue TokenFileReadError, InvalidTokenError
+      raise
+    rescue StandardError
+      '{}'
+    end
+
+    def fetch_authorization_token
+      if (path = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE'])
+        fetch_authorization_token_file(path)
+      elsif (token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN'])
+        token
+      end
+    end
+
+    def fetch_authorization_token_file(path)
+      File.read(path).strip
+    rescue Errno::ENOENT
+      raise TokenFileReadError,
+            'AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE is set '\
+            "but the file doesn't exist: #{path}"
+    end
+
+    def validate_authorization_token!(token)
+      return unless token.include?("\r\n")
+
+      raise InvalidTokenError,
+            'Invalid Authorization token: token contains '\
+            'a newline and carriage return character.'
     end
 
     def open_connection
-      http = Net::HTTP.new(@ip_address, @port, nil)
+      http = Net::HTTP.new(@host, @port, nil)
       http.open_timeout = @http_open_timeout
       http.read_timeout = @http_read_timeout
       http.set_debug_output(@http_debug_output) if @http_debug_output
+      http.use_ssl = @scheme == 'https'
       http.start
       yield(http).tap { http.finish }
     end
 
     def http_get(connection, path)
-      response = connection.request(Net::HTTP::Get.new(path))
-      if response.code.to_i == 200
-        response.body
-      else
-        raise Non200Response
+      request = Net::HTTP::Get.new(path)
+      set_authorization_token(request)
+      response = connection.request(request)
+      raise Non200Response unless response.code.to_i == 200
+
+      response.body
+    end
+
+    def set_authorization_token(request)
+      if (authorization_token = fetch_authorization_token)
+        validate_authorization_token!(authorization_token)
+        request['Authorization'] = authorization_token
       end
     end
 
-    def retry_errors(error_classes, options = {}, &block)
+    def retry_errors(error_classes, options = {})
       max_retries = options[:max_retries]
       retries = 0
       begin
         yield
-      rescue *error_classes => _error
-        if retries < max_retries
-          @backoff.call(retries)
-          retries += 1
-          retry
-        else
-          raise
-        end
+      rescue TokenFileReadError, InvalidTokenError
+        raise
+      rescue *error_classes => _e
+        raise unless retries < max_retries
+
+        @backoff.call(retries)
+        retries += 1
+        retry
       end
     end
-
   end
 end

data/lib/aws-sdk-core/endpoints/condition.rb

@@ -2,6 +2,11 @@
 
 module Aws
   module Endpoints
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
     # @api private
     class Condition
       def initialize(fn:, argv:, assign: nil)

data/lib/aws-sdk-core/endpoints/endpoint_rule.rb

@@ -2,7 +2,11 @@
 
 module Aws
   module Endpoints
-    # @api private
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.    # @api private
     class EndpointRule < Rule
       def initialize(type: 'endpoint', conditions:, endpoint:,
                      documentation: nil)