aws-sdk-core 3.168.4 → 3.224.1

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -2,21 +2,27 @@
 
 require 'time'
 require 'net/http'
+require 'resolv'
 
 module Aws
   # An auto-refreshing credential provider that loads credentials from
-  # instances running in ECS.
+  # instances running in containers.
   #
   #     ecs_credentials = Aws::ECSCredentials.new(retries: 3)
   #     ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
   class ECSCredentials
-
     include CredentialProvider
     include RefreshingCredentials
 
     # @api private
     class Non200Response < RuntimeError; end
 
+    # Raised when the token file cannot be read.
+    class TokenFileReadError < RuntimeError; end
+
+    # Raised when the token file is invalid.
+    class InvalidTokenError < RuntimeError; end
+
     # These are the errors we trap when attempting to talk to the
     # instance metadata service.  Any of these imply the service
     # is not present, no responding or some other non-recoverable
@@ -29,16 +35,22 @@ module Aws
       Errno::ENETUNREACH,
       SocketError,
       Timeout::Error,
-      Non200Response,
-    ]
+      Non200Response
+    ].freeze
 
     # @param [Hash] options
     # @option options [Integer] :retries (5) Number of times to retry
     #   when retrieving credentials.
-    # @option options [String] :ip_address ('169.254.170.2')
-    # @option options [Integer] :port (80)
+    # @option options [String] :ip_address ('169.254.170.2') This value is
+    #   ignored if `endpoint` is set and `credential_path` is not set.
+    # @option options [Integer] :port (80) This value is ignored if `endpoint`
+    #   is set and `credential_path` is not set.
     # @option options [String] :credential_path By default, the value of the
     #   AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
+    # @option options [String] :endpoint The container credential endpoint.
+    #   By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
+    #   environment variable. This value is ignored if `credential_path` or
+    #   ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
     # @option options [Float] :http_open_timeout (5)
     # @option options [Float] :http_read_timeout (5)
     # @option options [Numeric, Proc] :delay By default, failures are retried
@@ -52,22 +64,20 @@ module Aws
     #   credentials are refreshed. `before_refresh` is called
     #   with an instance of this object when
     #   AWS credentials are required and need to be refreshed.
-    def initialize options = {}
+    def initialize(options = {})
+      credential_path = options[:credential_path] ||
+                        ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
+      endpoint = options[:endpoint] ||
+                 ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
+      initialize_uri(options, credential_path, endpoint)
+
       @retries = options[:retries] || 5
-      @ip_address = options[:ip_address] || '169.254.170.2'
-      @port = options[:port] || 80
-      @credential_path = options[:credential_path]
-      @credential_path ||= ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
-      unless @credential_path
-        raise ArgumentError.new(
-          "Cannot instantiate an ECS Credential Provider without a credential path."
-        )
-      end
       @http_open_timeout = options[:http_open_timeout] || 5
       @http_read_timeout = options[:http_read_timeout] || 5
       @http_debug_output = options[:http_debug_output]
       @backoff = backoff(options[:backoff])
       @async_refresh = false
+      @metrics = ['CREDENTIALS_HTTP']
       super
     end
 
@@ -77,11 +87,95 @@ module Aws
 
     private
 
+    def initialize_uri(options, credential_path, endpoint)
+      if credential_path
+        initialize_relative_uri(options, credential_path)
+      # Use FULL_URI/endpoint only if RELATIVE_URI/path is not set
+      elsif endpoint
+        initialize_full_uri(endpoint)
+      else
+        raise ArgumentError,
+              'Cannot instantiate an ECS Credential Provider '\
+              'without a credential path or endpoint.'
+      end
+    end
+
+    def initialize_relative_uri(options, path)
+      @host = options[:ip_address] || '169.254.170.2'
+      @port = options[:port] || 80
+      @scheme = 'http'
+      @credential_path = path
+    end
+
+    def initialize_full_uri(endpoint)
+      uri = URI.parse(endpoint)
+      validate_full_uri_scheme!(uri)
+      validate_full_uri!(uri)
+      @host = uri.hostname
+      @port = uri.port
+      @scheme = uri.scheme
+      @credential_path = uri.request_uri
+    end
+
+    def validate_full_uri_scheme!(full_uri)
+      return if full_uri.is_a?(URI::HTTP) || full_uri.is_a?(URI::HTTPS)
+
+      raise ArgumentError, "'#{full_uri}' must be a valid HTTP or HTTPS URI"
+    end
+
+    # Validate that the full URI is using a loopback address if scheme is http.
+    def validate_full_uri!(full_uri)
+      return unless full_uri.scheme == 'http'
+
+      begin
+        return if valid_ip_address?(IPAddr.new(full_uri.host))
+      rescue IPAddr::InvalidAddressError
+        addresses = Resolv.getaddresses(full_uri.host)
+        return if addresses.all? { |addr| valid_ip_address?(IPAddr.new(addr)) }
+      end
+
+      raise ArgumentError,
+            'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a local loopback '\
+            'or an ECS or EKS link-local address when using the http scheme.'
+    end
+
+    def valid_ip_address?(ip_address)
+      ip_loopback?(ip_address) || ecs_or_eks_ip?(ip_address)
+    end
+
+    # loopback? method is available in Ruby 2.5+
+    # Replicate the logic here.
+    # loopback (IPv4 127.0.0.0/8, IPv6 ::1/128)
+    def ip_loopback?(ip_address)
+      case ip_address.family
+      when Socket::AF_INET
+        ip_address & 0xff000000 == 0x7f000000
+      when Socket::AF_INET6
+        ip_address == 1
+      else
+        false
+      end
+    end
+
+    # Verify that the IP address is a link-local address from ECS or EKS.
+    # ECS container host (IPv4 `169.254.170.2`)
+    # EKS container host (IPv4 `169.254.170.23`, IPv6 `fd00:ec2::23`)
+    def ecs_or_eks_ip?(ip_address)
+      case ip_address.family
+      when Socket::AF_INET
+        [0xa9feaa02, 0xa9feaa17].include?(ip_address)
+      when Socket::AF_INET6
+        ip_address == 0xfd00_0ec2_0000_0000_0000_0000_0000_0023
+      else
+        false
+      end
+    end
+
     def backoff(backoff)
       case backoff
       when Proc then backoff
-      when Numeric then lambda { |_| sleep(backoff) }
-      else lambda { |num_failures| Kernel.sleep(1.2 ** num_failures) }
+      when Numeric then ->(_) { sleep(backoff) }
+      else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
       end
     end
 
@@ -89,68 +183,100 @@ module Aws
       # Retry loading credentials up to 3 times is the instance metadata
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
-      begin
-        retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
-          c = Aws::Json.load(get_credentials.to_s)
-          @credentials = Credentials.new(
-            c['AccessKeyId'],
-            c['SecretAccessKey'],
-            c['Token']
-          )
-          @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
-        end
-      rescue Aws::Json::ParseError
-        raise Aws::Errors::MetadataParserError.new
+
+      retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
+        c = Aws::Json.load(get_credentials.to_s)
+        @credentials = Credentials.new(
+          c['AccessKeyId'],
+          c['SecretAccessKey'],
+          c['Token']
+        )
+        @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
       end
+    rescue Aws::Json::ParseError
+      raise Aws::Errors::MetadataParserError
     end
 
     def get_credentials
       # Retry loading credentials a configurable number of times if
       # the instance metadata service is not responding.
-      begin
-        retry_errors(NETWORK_ERRORS, max_retries: @retries) do
-          open_connection do |conn|
-            http_get(conn, @credential_path)
-          end
+
+      retry_errors(NETWORK_ERRORS, max_retries: @retries) do
+        open_connection do |conn|
+          http_get(conn, @credential_path)
         end
-      rescue
-        '{}'
       end
+    rescue TokenFileReadError, InvalidTokenError
+      raise
+    rescue StandardError => e
+      warn("Error retrieving ECS Credentials: #{e.message}")
+      '{}'
+    end
+
+    def fetch_authorization_token
+      if (path = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE'])
+        fetch_authorization_token_file(path)
+      elsif (token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN'])
+        token
+      end
+    end
+
+    def fetch_authorization_token_file(path)
+      File.read(path).strip
+    rescue Errno::ENOENT
+      raise TokenFileReadError,
+            'AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE is set '\
+            "but the file doesn't exist: #{path}"
+    end
+
+    def validate_authorization_token!(token)
+      return unless token.include?("\r\n")
+
+      raise InvalidTokenError,
+            'Invalid Authorization token: token contains '\
+            'a newline and carriage return character.'
     end
 
     def open_connection
-      http = Net::HTTP.new(@ip_address, @port, nil)
+      http = Net::HTTP.new(@host, @port, nil)
       http.open_timeout = @http_open_timeout
       http.read_timeout = @http_read_timeout
       http.set_debug_output(@http_debug_output) if @http_debug_output
+      http.use_ssl = @scheme == 'https'
       http.start
       yield(http).tap { http.finish }
     end
 
     def http_get(connection, path)
-      response = connection.request(Net::HTTP::Get.new(path))
-      if response.code.to_i == 200
-        response.body
-      else
-        raise Non200Response
+      request = Net::HTTP::Get.new(path)
+      set_authorization_token(request)
+      response = connection.request(request)
+      raise Non200Response unless response.code.to_i == 200
+
+      response.body
+    end
+
+    def set_authorization_token(request)
+      if (authorization_token = fetch_authorization_token)
+        validate_authorization_token!(authorization_token)
+        request['Authorization'] = authorization_token
       end
     end
 
-    def retry_errors(error_classes, options = {}, &block)
+    def retry_errors(error_classes, options = {})
       max_retries = options[:max_retries]
       retries = 0
       begin
         yield
-      rescue *error_classes => _error
-        if retries < max_retries
-          @backoff.call(retries)
-          retries += 1
-          retry
-        else
-          raise
-        end
+      rescue TokenFileReadError, InvalidTokenError
+        raise
+      rescue *error_classes => _e
+        raise unless retries < max_retries
+
+        @backoff.call(retries)
+        retries += 1
+        retry
       end
     end
-
   end
 end

data/lib/aws-sdk-core/endpoints/condition.rb

@@ -2,6 +2,11 @@
 
 module Aws
   module Endpoints
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
     # @api private
     class Condition
       def initialize(fn:, argv:, assign: nil)

data/lib/aws-sdk-core/endpoints/endpoint.rb

@@ -3,15 +3,17 @@
 module Aws
   module Endpoints
     class Endpoint
-      def initialize(url:, properties: {}, headers: {})
+      def initialize(url:, properties: {}, headers: {}, metadata: {})
         @url = url
         @properties = properties
         @headers = headers
+        @metadata = metadata
       end
 
       attr_reader :url
       attr_reader :properties
       attr_reader :headers
+      attr_reader :metadata
     end
   end
 end

data/lib/aws-sdk-core/endpoints/endpoint_rule.rb

@@ -2,7 +2,11 @@
 
 module Aws
   module Endpoints
-    # @api private
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.    # @api private
     class EndpointRule < Rule
       def initialize(type: 'endpoint', conditions:, endpoint:,
                      documentation: nil)

data/lib/aws-sdk-core/endpoints/error_rule.rb

@@ -2,6 +2,11 @@
 
 module Aws
   module Endpoints
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
     # @api private
     class ErrorRule < Rule
       def initialize(type: 'error', conditions:, error: nil, documentation: nil)

data/lib/aws-sdk-core/endpoints/function.rb

@@ -2,6 +2,11 @@
 
 module Aws
   module Endpoints
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
     # @api private
     class Function
       def initialize(fn:, argv:)

data/lib/aws-sdk-core/endpoints/matchers.rb

@@ -28,7 +28,11 @@ module Aws
 
         val = if (index = parts.first[BRACKET_REGEX, 1])
                 # remove brackets and index from part before indexing
-                value[parts.first.gsub(BRACKET_REGEX, '')][index.to_i]
+                if (base = parts.first.gsub(BRACKET_REGEX, '')) && !base.empty?
+                  value[base][index.to_i]
+                else
+                  value[index.to_i]
+                end
               else
                 value[parts.first]
               end
@@ -79,25 +83,18 @@ module Aws
         return false if value.empty?
 
         if allow_sub_domains
-          labels = value.split('.')
+          labels = value.split('.', -1)
           return labels.all? { |l| valid_host_label?(l) }
         end
 
-        value =~ /\A(?!-)[a-zA-Z0-9-]{1,63}(?<!-)\z/
+        !!(value =~ /\A(?!-)[a-zA-Z0-9-]{1,63}(?<!-)\z/)
       end
 
       # AWS
 
       # aws.partition(value: string) Option<Partition>
       def self.aws_partition(value)
-        partition =
-          Aws::Partitions.find { |p| p.region?(value) } ||
-          Aws::Partitions.find { |p| value.match(p.region_regex) } ||
-          Aws::Partitions.find { |p| p.name == 'aws' }
-
-        return nil unless partition
-
-        partition.metadata
+        Aws::Partitions::Metadata.partition(value)
       end
 
       # aws.parseArn(value: string) Option<ARN>
@@ -114,13 +111,17 @@ module Aws
 
       # aws.isVirtualHostableS3Bucket(value: string, allowSubDomains: bool) bool
       def self.aws_virtual_hostable_s3_bucket?(value, allow_sub_domains = false)
-        !!(value.size < 64 &&
-          # regular naming rules
-          value =~ /^[a-z0-9][a-z0-9\-#{'.' if allow_sub_domains}]+[a-z0-9]$/ &&
-          # not IP address
-          value !~ /(\d+\.){3}\d+/ &&
-          # no dash and hyphen together
-          value !~ /[.-]{2}/)
+        return false if value.empty?
+
+        if allow_sub_domains
+          labels = value.split('.', -1)
+          return labels.all? { |l| aws_virtual_hostable_s3_bucket?(l) }
+        end
+
+        # must be between 3 and 63 characters long, no uppercase
+        value =~ /\A(?!-)[a-z0-9-]{3,63}(?<!-)\z/ &&
+          # not an IP address
+          value !~ /(\d+\.){3}\d+/
       end
     end
   end

data/lib/aws-sdk-core/endpoints/reference.rb

@@ -2,6 +2,11 @@
 
 module Aws
   module Endpoints
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
     # @api private
     class Reference
       def initialize(ref:)

data/lib/aws-sdk-core/endpoints/rule.rb

@@ -2,6 +2,11 @@
 
 module Aws
   module Endpoints
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
     # @api private
     class Rule
       # Resolves a value that is a function, reference, or template string.

data/lib/aws-sdk-core/endpoints/rule_set.rb

@@ -2,6 +2,11 @@
 
 module Aws
   module Endpoints
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
     # @api private
     class RuleSet
       def initialize(version:, service_id:, parameters:, rules:)

data/lib/aws-sdk-core/endpoints/rules_provider.rb

@@ -1,5 +1,10 @@
 module Aws
   module Endpoints
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
     # @api private
     class RulesProvider
       def initialize(rule_set)

data/lib/aws-sdk-core/endpoints/templater.rb

@@ -3,6 +3,12 @@
 module Aws
   module Endpoints
     # Does substitutions for templated endpoint strings
+
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
     # @api private
     module Templater
       class << self

data/lib/aws-sdk-core/endpoints/tree_rule.rb

@@ -2,6 +2,11 @@
 
 module Aws
   module Endpoints
+    # This class is deprecated. It is used by the Runtime endpoint
+    # resolution approach. It has been replaced by a code generated
+    # approach in each service gem. It can be removed in a new
+    # major version. It has to exist because
+    # old service gems can use a new core version.
     # @api private
     class TreeRule
       def initialize(type: 'tree', conditions:, rules:, documentation: nil)

data/lib/aws-sdk-core/endpoints/url.rb

@@ -4,6 +4,7 @@ require 'ipaddr'
 
 module Aws
   module Endpoints
+
     # @api private
     class URL
       def initialize(url)

data/lib/aws-sdk-core/endpoints.rb

@@ -14,9 +14,18 @@ require_relative 'endpoints/templater'
 require_relative 'endpoints/tree_rule'
 require_relative 'endpoints/url'
 
+require 'aws-sigv4'
+
 module Aws
   # @api private
   module Endpoints
+    SUPPORTED_AUTH_TRAITS = %w[
+      aws.auth#sigv4
+      aws.auth#sigv4a
+      smithy.api#httpBearerAuth
+      smithy.api#noAuth
+    ].freeze
+
     class << self
       def resolve_auth_scheme(context, endpoint)
         if endpoint && (auth_schemes = endpoint.properties['authSchemes'])
@@ -33,13 +42,80 @@ module Aws
 
       private
 
+      def merge_signing_defaults(auth_scheme, config)
+        if %w[sigv4 sigv4a sigv4-s3express].include?(auth_scheme['name'])
+          auth_scheme['signingName'] ||= sigv4_name(config)
+
+          # back fill disableNormalizePath for S3 until it gets correctly set in the rules
+          if auth_scheme['signingName'] == 's3' &&
+            !auth_scheme.include?('disableNormalizePath') &&
+            auth_scheme.include?('disableDoubleEncoding')
+            auth_scheme['disableNormalizePath'] = auth_scheme['disableDoubleEncoding']
+          end
+          if auth_scheme['name'] == 'sigv4a'
+            # config option supersedes endpoint properties
+            auth_scheme['signingRegionSet'] =
+              config.sigv4a_signing_region_set || auth_scheme['signingRegionSet'] || [config.region]
+          else
+            auth_scheme['signingRegion'] ||= config.region
+          end
+        end
+        auth_scheme
+      end
+
+      def sigv4_name(config)
+        config.api.metadata['signingName'] ||
+          config.api.metadata['endpointPrefix']
+      end
+
       def default_auth_scheme(context)
-        case default_api_authtype(context)
+        if (auth_list = default_api_auth(context))
+          auth = auth_list.find { |a| SUPPORTED_AUTH_TRAITS.include?(a) }
+          case auth
+          when 'aws.auth#sigv4', 'aws.auth#sigv4a'
+            auth_scheme = { 'name' => auth.split('#').last }
+            if s3_or_s3v4_signature_version?(context)
+              auth_scheme = auth_scheme.merge(
+                'disableDoubleEncoding' => true,
+                'disableNormalizePath' => true
+              )
+            end
+            merge_signing_defaults(auth_scheme, context.config)
+          when 'smithy.api#httpBearerAuth'
+            { 'name' => 'bearer' }
+          when 'smithy.api#noAuth'
+            { 'name' => 'none' }
+          else
+            raise 'No supported auth trait for this endpoint.'
+          end
+        else
+          legacy_default_auth_scheme(context)
+        end
+      end
+
+      def default_api_auth(context)
+        context.config.api.operation(context.operation_name)['auth'] ||
+          context.config.api.metadata['auth']
+      end
+
+      def s3_or_s3v4_signature_version?(context)
+        %w[s3 s3v4].include?(context.config.api.metadata['signatureVersion'])
+      end
+
+      # Legacy auth resolution - looks for deprecated signatureVersion
+      # and authType traits.
+
+      def legacy_default_auth_scheme(context)
+        case legacy_default_api_authtype(context)
         when 'v4', 'v4-unsigned-body'
           auth_scheme = { 'name' => 'sigv4' }
           merge_signing_defaults(auth_scheme, context.config)
         when 's3', 's3v4'
-          auth_scheme = { 'name' => 'sigv4', 'disableDoubleEncoding' => true }
+          auth_scheme = {
+            'name' => 'sigv4',
+            'disableDoubleEncoding' => true,
+            'disableNormalizePath' => true
+          }
           merge_signing_defaults(auth_scheme, context.config)
         when 'bearer'
           { 'name' => 'bearer' }
@@ -48,27 +124,11 @@ module Aws
         end
       end
 
-      def merge_signing_defaults(auth_scheme, config)
-        if %w[sigv4 sigv4a].include?(auth_scheme['name'])
-          auth_scheme['signingName'] ||= sigv4_name(config)
-          if auth_scheme['name'] == 'sigv4a'
-            auth_scheme['signingRegionSet'] ||= ['*']
-          else
-            auth_scheme['signingRegion'] ||= config.region
-          end
-        end
-        auth_scheme
-      end
-
-      def default_api_authtype(context)
+      def legacy_default_api_authtype(context)
         context.config.api.operation(context.operation_name)['authtype'] ||
           context.config.api.metadata['signatureVersion']
       end
 
-      def sigv4_name(config)
-        config.api.metadata['signingName'] ||
-          config.api.metadata['endpointPrefix']
-      end
     end
   end
 end