aws-sdk-core 3.170.1 → 3.171.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 356eca893266769e12ef7bdbbf4e836357f1de35bcfd7c02ba2557a2db0eab47
-  data.tar.gz: 6b9ef8c0bbcc188f06c1d3ab30a39072ffc699f288de496cbb24021f8c6e3836
+  metadata.gz: e4b9ed82ab5a4b3e5871bca537f3a650a468131bc35120873f02edb0a35017b1
+  data.tar.gz: d5a49d43dfdec90623e9ee88be22b5c2e45a7413b91bac4e881b1002e3c6cce0
 SHA512:
-  metadata.gz: 77b2cb81a5a01dbd614eced5c2a06fbf63c6e836706d2203827928a58313540b5b84e0b5a2ccf77b90ed6bb86f7de0eac290a87f762aa198391f6a464ebbe1c7
-  data.tar.gz: 54c3c5554ade60baa2b7bd8102ab2f9d52ecb9619649b2fd4664f0f4ec112ff73739f1427ff7e1c415ba95c84a20b6d04fc3527f8cc24ffe4b6b5dd194b97eca
+  metadata.gz: f0f8e07aada15f369b444d10325601352057ddfff2b6020b27cb8c8c8cdcd42001f8f5ecff8855abdbea8a932ff92b1a8ffd771a2a846f9a595f08f94ee9c28b
+  data.tar.gz: 53f75fd8a1e204a21a231ae4010c85f39a11420ffd430c51430e85c3203d214e51c7fda54c92258409a644f118589ce0bb5dab7e7ec45cbcd927d03afd930c25

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+3.171.0 (2023-03-22)
+------------------
+
+* Feature - Add support for `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN` environment variables to `ECSCredentials`.
+
 3.170.1 (2023-03-17)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.170.1
+3.171.0

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -161,7 +161,8 @@ module Aws
 
     def instance_profile_credentials(options)
       profile_name = determine_profile_name(options)
-      if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
+      if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] ||
+         ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
         ECSCredentials.new(options)
       else
         InstanceProfileCredentials.new(options.merge(profile: profile_name))

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -2,6 +2,7 @@
 
 require 'time'
 require 'net/http'
+require 'resolv'
 
 module Aws
   # An auto-refreshing credential provider that loads credentials from
@@ -10,7 +11,6 @@ module Aws
   #     ecs_credentials = Aws::ECSCredentials.new(retries: 3)
   #     ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
   class ECSCredentials
-
     include CredentialProvider
     include RefreshingCredentials
 
@@ -29,16 +29,22 @@ module Aws
       Errno::ENETUNREACH,
       SocketError,
       Timeout::Error,
-      Non200Response,
-    ]
+      Non200Response
+    ].freeze
 
     # @param [Hash] options
     # @option options [Integer] :retries (5) Number of times to retry
     #   when retrieving credentials.
-    # @option options [String] :ip_address ('169.254.170.2')
-    # @option options [Integer] :port (80)
+    # @option options [String] :ip_address ('169.254.170.2') This value is
+    #   ignored if `endpoint` is set and `credential_path` is not set.
+    # @option options [Integer] :port (80) This value is ignored if `endpoint`
+    #   is set and `credential_path` is not set.
     # @option options [String] :credential_path By default, the value of the
     #   AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
+    # @option options [String] :endpoint The ECS credential endpoint.
+    #   By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
+    #   environment variable. This value is ignored if `credential_path` or
+    #   ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
     # @option options [Float] :http_open_timeout (5)
     # @option options [Float] :http_read_timeout (5)
     # @option options [Numeric, Proc] :delay By default, failures are retried
@@ -52,17 +58,15 @@ module Aws
     #   credentials are refreshed. `before_refresh` is called
     #   with an instance of this object when
     #   AWS credentials are required and need to be refreshed.
-    def initialize options = {}
+    def initialize(options = {})
+      credential_path = options[:credential_path] ||
+                        ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
+      endpoint = options[:endpoint] ||
+                 ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
+      initialize_uri(options, credential_path, endpoint)
+      @authorization_token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN']
+
       @retries = options[:retries] || 5
-      @ip_address = options[:ip_address] || '169.254.170.2'
-      @port = options[:port] || 80
-      @credential_path = options[:credential_path]
-      @credential_path ||= ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
-      unless @credential_path
-        raise ArgumentError.new(
-          "Cannot instantiate an ECS Credential Provider without a credential path."
-        )
-      end
       @http_open_timeout = options[:http_open_timeout] || 5
       @http_read_timeout = options[:http_read_timeout] || 5
       @http_debug_output = options[:http_debug_output]
@@ -77,11 +81,69 @@ module Aws
 
     private
 
+    def initialize_uri(options, credential_path, endpoint)
+      if credential_path
+        initialize_relative_uri(options, credential_path)
+      # Use FULL_URI/endpoint only if RELATIVE_URI/path is not set
+      elsif endpoint
+        initialize_full_uri(endpoint)
+      else
+        raise ArgumentError,
+              'Cannot instantiate an ECS Credential Provider '\
+              'without a credential path or endpoint.'
+      end
+    end
+
+    def initialize_relative_uri(options, path)
+      @host = options[:ip_address] || '169.254.170.2'
+      @port = options[:port] || 80
+      @scheme = 'http'
+      @credential_path = path
+    end
+
+    def initialize_full_uri(endpoint)
+      uri = URI.parse(endpoint)
+      validate_full_uri!(uri)
+      @host = uri.host
+      @port = uri.port
+      @scheme = uri.scheme
+      @credential_path = uri.path
+    end
+
+    # Validate that the full URI is using a loopback address if scheme is http.
+    def validate_full_uri!(full_uri)
+      return unless full_uri.scheme == 'http'
+
+      begin
+        return if ip_loopback?(IPAddr.new(full_uri.host))
+      rescue IPAddr::InvalidAddressError
+        addresses = Resolv.getaddresses(full_uri.host)
+        return if addresses.all? { |addr| ip_loopback?(IPAddr.new(addr)) }
+      end
+
+      raise ArgumentError,
+            'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a loopback '\
+            'address when using the http scheme.'
+    end
+
+    # loopback? method is available in Ruby 2.5+
+    # Replicate the logic here.
+    def ip_loopback?(ip_address)
+      case ip_address.family
+      when Socket::AF_INET
+        ip_address & 0xff000000 == 0x7f000000
+      when Socket::AF_INET6
+        ip_address == 1
+      else
+        false
+      end
+    end
+
     def backoff(backoff)
       case backoff
       when Proc then backoff
-      when Numeric then lambda { |_| sleep(backoff) }
-      else lambda { |num_failures| Kernel.sleep(1.2 ** num_failures) }
+      when Numeric then ->(_) { sleep(backoff) }
+      else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
       end
     end
 
@@ -89,68 +151,64 @@ module Aws
       # Retry loading credentials up to 3 times is the instance metadata
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
-      begin
-        retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
-          c = Aws::Json.load(get_credentials.to_s)
-          @credentials = Credentials.new(
-            c['AccessKeyId'],
-            c['SecretAccessKey'],
-            c['Token']
-          )
-          @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
-        end
-      rescue Aws::Json::ParseError
-        raise Aws::Errors::MetadataParserError.new
+
+      retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
+        c = Aws::Json.load(get_credentials.to_s)
+        @credentials = Credentials.new(
+          c['AccessKeyId'],
+          c['SecretAccessKey'],
+          c['Token']
+        )
+        @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
       end
+    rescue Aws::Json::ParseError
+      raise Aws::Errors::MetadataParserError
     end
 
     def get_credentials
       # Retry loading credentials a configurable number of times if
       # the instance metadata service is not responding.
-      begin
-        retry_errors(NETWORK_ERRORS, max_retries: @retries) do
-          open_connection do |conn|
-            http_get(conn, @credential_path)
-          end
+
+      retry_errors(NETWORK_ERRORS, max_retries: @retries) do
+        open_connection do |conn|
+          http_get(conn, @credential_path)
         end
-      rescue
-        '{}'
       end
+    rescue StandardError
+      '{}'
     end
 
     def open_connection
-      http = Net::HTTP.new(@ip_address, @port, nil)
+      http = Net::HTTP.new(@host, @port, nil)
       http.open_timeout = @http_open_timeout
       http.read_timeout = @http_read_timeout
       http.set_debug_output(@http_debug_output) if @http_debug_output
+      http.use_ssl = @scheme == 'https'
       http.start
       yield(http).tap { http.finish }
     end
 
     def http_get(connection, path)
-      response = connection.request(Net::HTTP::Get.new(path))
-      if response.code.to_i == 200
-        response.body
-      else
-        raise Non200Response
-      end
+      request = Net::HTTP::Get.new(path)
+      request['Authorization'] = @authorization_token if @authorization_token
+      response = connection.request(request)
+      raise Non200Response unless response.code.to_i == 200
+
+      response.body
     end
 
-    def retry_errors(error_classes, options = {}, &block)
+    def retry_errors(error_classes, options = {})
       max_retries = options[:max_retries]
       retries = 0
       begin
         yield
-      rescue *error_classes => _error
-        if retries < max_retries
-          @backoff.call(retries)
-          retries += 1
-          retry
-        else
-          raise
-        end
+      rescue *error_classes => _e
+        raise unless retries < max_retries
+
+        @backoff.call(retries)
+        retries += 1
+        retry
       end
     end
-
   end
 end

data/lib/aws-sdk-sso/client.rb

@@ -585,7 +585,7 @@ module Aws::SSO
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.170.1'
+      context[:gem_version] = '3.171.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-sso/customizations'
 # @!group service
 module Aws::SSO
 
-  GEM_VERSION = '3.170.1'
+  GEM_VERSION = '3.171.0'
 
 end

data/lib/aws-sdk-ssooidc/client.rb

@@ -581,7 +581,7 @@ module Aws::SSOOIDC
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.170.1'
+      context[:gem_version] = '3.171.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-ssooidc.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-ssooidc/customizations'
 # @!group service
 module Aws::SSOOIDC
 
-  GEM_VERSION = '3.170.1'
+  GEM_VERSION = '3.171.0'
 
 end

data/lib/aws-sdk-sts/client.rb

@@ -2318,7 +2318,7 @@ module Aws::STS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.170.1'
+      context[:gem_version] = '3.171.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sts.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-sts/customizations'
 # @!group service
 module Aws::STS
 
-  GEM_VERSION = '3.170.1'
+  GEM_VERSION = '3.171.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-  version: 3.170.1
+  version: 3.171.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-03-17 00:00:00.000000000 Z
+date: 2023-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jmespath