aws-sdk-core 3.181.0 → 3.190.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +84 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-core/ecs_credentials.rb +76 -10
- data/lib/aws-sdk-core/endpoints/matchers.rb +13 -9
- data/lib/aws-sdk-core/endpoints.rb +1 -1
- data/lib/aws-sdk-core/errors.rb +1 -1
- data/lib/aws-sdk-core/instance_profile_credentials.rb +52 -30
- data/lib/aws-sdk-core/json/handler.rb +8 -1
- data/lib/aws-sdk-core/json/parser.rb +27 -2
- data/lib/aws-sdk-core/param_validator.rb +2 -2
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +4 -2
- data/lib/aws-sdk-core/plugins/http_checksum.rb +2 -1
- data/lib/aws-sdk-core/plugins/sign.rb +15 -10
- data/lib/aws-sdk-core/refreshing_credentials.rb +12 -6
- data/lib/aws-sdk-core/rest/request/querystring_builder.rb +43 -29
- data/lib/aws-sdk-core/shared_config.rb +2 -0
- data/lib/aws-sdk-sso/client.rb +1 -1
- data/lib/aws-sdk-sso/endpoint_provider.rb +30 -24
- data/lib/aws-sdk-sso/plugins/endpoints.rb +3 -2
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-ssooidc/client.rb +338 -29
- data/lib/aws-sdk-ssooidc/client_api.rb +56 -1
- data/lib/aws-sdk-ssooidc/endpoint_provider.rb +30 -24
- data/lib/aws-sdk-ssooidc/endpoints.rb +14 -0
- data/lib/aws-sdk-ssooidc/errors.rb +31 -0
- data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +5 -2
- data/lib/aws-sdk-ssooidc/types.rb +302 -49
- data/lib/aws-sdk-ssooidc.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +11 -3
- data/lib/aws-sdk-sts/client_api.rb +2 -1
- data/lib/aws-sdk-sts/endpoint_provider.rb +2 -2
- data/lib/aws-sdk-sts/plugins/endpoints.rb +3 -2
- data/lib/aws-sdk-sts/presigner.rb +1 -1
- data/lib/aws-sdk-sts/types.rb +18 -4
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/seahorse/client/net_http/patches.rb +1 -4
- data/lib/seahorse/client/plugins/h2.rb +3 -3
- metadata +7 -7
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 2da64972b1ed2710a16962a58908df05a60490439c44bf21e4c9482fef4856c8
|
4
|
+
data.tar.gz: 54aa4de531c85e2d44549a9f984b4074c4728be61b807b57ba3633a69e17fd1c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 546c523ec0f9324ee3c3ea4fbe4d1a060204b159ce91bda217f4b390c2ca4255a06b8e4580b84f2459d5b5ad1d6cdb75317da96efbcfa119d4ff6308645ace7f
|
7
|
+
data.tar.gz: f663e1491935bc5376af8246b33281a278fd07f40c5309b0c4731e93dbd456156ac4359a24768b3fa87530dc4fa94d8b03b4e7c56fd4ccb6337b76e3aff83678
|
data/CHANGELOG.md
CHANGED
@@ -1,6 +1,90 @@
|
|
1
1
|
Unreleased Changes
|
2
2
|
------------------
|
3
3
|
|
4
|
+
3.190.0 (2023-11-29)
|
5
|
+
------------------
|
6
|
+
|
7
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
8
|
+
|
9
|
+
3.189.0 (2023-11-28)
|
10
|
+
------------------
|
11
|
+
|
12
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
13
|
+
|
14
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
15
|
+
|
16
|
+
* Feature - Updated Aws::SSO::Client with the latest API changes.
|
17
|
+
|
18
|
+
* Feature - Support S3 Express authentication.
|
19
|
+
|
20
|
+
3.188.0 (2023-11-22)
|
21
|
+
------------------
|
22
|
+
|
23
|
+
* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.3 and 2.4.
|
24
|
+
|
25
|
+
* Feature - Support `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` in `ECSCredentials` and also allow for ECS and EKS link-local http addresses.
|
26
|
+
|
27
|
+
3.187.1 (2023-11-20)
|
28
|
+
------------------
|
29
|
+
|
30
|
+
* Issue - For `awsQueryCompatible` services, default an empty list or map for shapes that were previously flattened in the query protocol.
|
31
|
+
|
32
|
+
3.187.0 (2023-11-17)
|
33
|
+
------------------
|
34
|
+
|
35
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
36
|
+
|
37
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
38
|
+
|
39
|
+
3.186.0 (2023-11-02)
|
40
|
+
------------------
|
41
|
+
|
42
|
+
* Feature - Support disabling IMDSv1 in `InstanceProfileCredentials` using `ENV['AWS_EC2_METADATA_V1_DISABLED']`, `ec2_metadata_v1_disabled` shared config, or the `disable_imds_v1` credentials option.
|
43
|
+
|
44
|
+
3.185.2 (2023-10-31)
|
45
|
+
------------------
|
46
|
+
|
47
|
+
* Issue - Fix query string support to lists of booleans, floats, integers and timestamps per rest-json protocol.
|
48
|
+
|
49
|
+
3.185.1 (2023-10-05)
|
50
|
+
------------------
|
51
|
+
|
52
|
+
* Issue - Ignore `__type` when deserializing Unions.
|
53
|
+
|
54
|
+
3.185.0 (2023-10-02)
|
55
|
+
------------------
|
56
|
+
|
57
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
58
|
+
|
59
|
+
* Feature - Updated Aws::SSO::Client with the latest API changes.
|
60
|
+
|
61
|
+
3.184.0 (2023-09-27)
|
62
|
+
------------------
|
63
|
+
|
64
|
+
* Feature - Change the `ServiceError` data member from read only to read/write.
|
65
|
+
|
66
|
+
3.183.1 (2023-09-25)
|
67
|
+
------------------
|
68
|
+
|
69
|
+
* Issue - Remove value inspection from param validation errors.
|
70
|
+
|
71
|
+
3.183.0 (2023-09-20)
|
72
|
+
------------------
|
73
|
+
|
74
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
75
|
+
|
76
|
+
3.182.0 (2023-09-19)
|
77
|
+
------------------
|
78
|
+
|
79
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
80
|
+
|
81
|
+
* Feature - Updated Aws::SSO::Client with the latest API changes.
|
82
|
+
|
83
|
+
3.181.1 (2023-09-14)
|
84
|
+
------------------
|
85
|
+
|
86
|
+
* Issue - Fix host label validation in endpoint matchers.
|
87
|
+
|
4
88
|
3.181.0 (2023-08-22)
|
5
89
|
------------------
|
6
90
|
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
3.
|
1
|
+
3.190.0
|
@@ -6,7 +6,7 @@ require 'resolv'
|
|
6
6
|
|
7
7
|
module Aws
|
8
8
|
# An auto-refreshing credential provider that loads credentials from
|
9
|
-
# instances running in
|
9
|
+
# instances running in containers.
|
10
10
|
#
|
11
11
|
# ecs_credentials = Aws::ECSCredentials.new(retries: 3)
|
12
12
|
# ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
|
@@ -17,6 +17,12 @@ module Aws
|
|
17
17
|
# @api private
|
18
18
|
class Non200Response < RuntimeError; end
|
19
19
|
|
20
|
+
# Raised when the token file cannot be read.
|
21
|
+
class TokenFileReadError < RuntimeError; end
|
22
|
+
|
23
|
+
# Raised when the token file is invalid.
|
24
|
+
class InvalidTokenError < RuntimeError; end
|
25
|
+
|
20
26
|
# These are the errors we trap when attempting to talk to the
|
21
27
|
# instance metadata service. Any of these imply the service
|
22
28
|
# is not present, no responding or some other non-recoverable
|
@@ -41,7 +47,7 @@ module Aws
|
|
41
47
|
# is set and `credential_path` is not set.
|
42
48
|
# @option options [String] :credential_path By default, the value of the
|
43
49
|
# AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
|
44
|
-
# @option options [String] :endpoint The
|
50
|
+
# @option options [String] :endpoint The container credential endpoint.
|
45
51
|
# By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
|
46
52
|
# environment variable. This value is ignored if `credential_path` or
|
47
53
|
# ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
|
@@ -64,7 +70,6 @@ module Aws
|
|
64
70
|
endpoint = options[:endpoint] ||
|
65
71
|
ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
|
66
72
|
initialize_uri(options, credential_path, endpoint)
|
67
|
-
@authorization_token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN']
|
68
73
|
|
69
74
|
@retries = options[:retries] || 5
|
70
75
|
@http_open_timeout = options[:http_open_timeout] || 5
|
@@ -103,11 +108,18 @@ module Aws
|
|
103
108
|
|
104
109
|
def initialize_full_uri(endpoint)
|
105
110
|
uri = URI.parse(endpoint)
|
111
|
+
validate_full_uri_scheme!(uri)
|
106
112
|
validate_full_uri!(uri)
|
107
|
-
@host = uri.
|
113
|
+
@host = uri.hostname
|
108
114
|
@port = uri.port
|
109
115
|
@scheme = uri.scheme
|
110
|
-
@credential_path = uri.
|
116
|
+
@credential_path = uri.request_uri
|
117
|
+
end
|
118
|
+
|
119
|
+
def validate_full_uri_scheme!(full_uri)
|
120
|
+
return if full_uri.is_a?(URI::HTTP) || full_uri.is_a?(URI::HTTPS)
|
121
|
+
|
122
|
+
raise ArgumentError, "'#{full_uri}' must be a valid HTTP or HTTPS URI"
|
111
123
|
end
|
112
124
|
|
113
125
|
# Validate that the full URI is using a loopback address if scheme is http.
|
@@ -115,19 +127,24 @@ module Aws
|
|
115
127
|
return unless full_uri.scheme == 'http'
|
116
128
|
|
117
129
|
begin
|
118
|
-
return if
|
130
|
+
return if valid_ip_address?(IPAddr.new(full_uri.host))
|
119
131
|
rescue IPAddr::InvalidAddressError
|
120
132
|
addresses = Resolv.getaddresses(full_uri.host)
|
121
|
-
return if addresses.all? { |addr|
|
133
|
+
return if addresses.all? { |addr| valid_ip_address?(IPAddr.new(addr)) }
|
122
134
|
end
|
123
135
|
|
124
136
|
raise ArgumentError,
|
125
|
-
'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a loopback '\
|
126
|
-
'address when using the http scheme.'
|
137
|
+
'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a local loopback '\
|
138
|
+
'or an ECS or EKS link-local address when using the http scheme.'
|
139
|
+
end
|
140
|
+
|
141
|
+
def valid_ip_address?(ip_address)
|
142
|
+
ip_loopback?(ip_address) || ecs_or_eks_ip?(ip_address)
|
127
143
|
end
|
128
144
|
|
129
145
|
# loopback? method is available in Ruby 2.5+
|
130
146
|
# Replicate the logic here.
|
147
|
+
# loopback (IPv4 127.0.0.0/8, IPv6 ::1/128)
|
131
148
|
def ip_loopback?(ip_address)
|
132
149
|
case ip_address.family
|
133
150
|
when Socket::AF_INET
|
@@ -139,6 +156,20 @@ module Aws
|
|
139
156
|
end
|
140
157
|
end
|
141
158
|
|
159
|
+
# Verify that the IP address is a link-local address from ECS or EKS.
|
160
|
+
# ECS container host (IPv4 `169.254.170.2`)
|
161
|
+
# EKS container host (IPv4 `169.254.170.23`, IPv6 `fd00:ec2::23`)
|
162
|
+
def ecs_or_eks_ip?(ip_address)
|
163
|
+
case ip_address.family
|
164
|
+
when Socket::AF_INET
|
165
|
+
[0xa9feaa02, 0xa9feaa17].include?(ip_address)
|
166
|
+
when Socket::AF_INET6
|
167
|
+
ip_address == 0xfd00_0ec2_0000_0000_0000_0000_0000_0023
|
168
|
+
else
|
169
|
+
false
|
170
|
+
end
|
171
|
+
end
|
172
|
+
|
142
173
|
def backoff(backoff)
|
143
174
|
case backoff
|
144
175
|
when Proc then backoff
|
@@ -174,10 +205,36 @@ module Aws
|
|
174
205
|
http_get(conn, @credential_path)
|
175
206
|
end
|
176
207
|
end
|
208
|
+
rescue TokenFileReadError, InvalidTokenError
|
209
|
+
raise
|
177
210
|
rescue StandardError
|
178
211
|
'{}'
|
179
212
|
end
|
180
213
|
|
214
|
+
def fetch_authorization_token
|
215
|
+
if (path = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE'])
|
216
|
+
fetch_authorization_token_file(path)
|
217
|
+
elsif (token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN'])
|
218
|
+
token
|
219
|
+
end
|
220
|
+
end
|
221
|
+
|
222
|
+
def fetch_authorization_token_file(path)
|
223
|
+
File.read(path).strip
|
224
|
+
rescue Errno::ENOENT
|
225
|
+
raise TokenFileReadError,
|
226
|
+
'AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE is set '\
|
227
|
+
"but the file doesn't exist: #{path}"
|
228
|
+
end
|
229
|
+
|
230
|
+
def validate_authorization_token!(token)
|
231
|
+
return unless token.include?("\r\n")
|
232
|
+
|
233
|
+
raise InvalidTokenError,
|
234
|
+
'Invalid Authorization token: token contains '\
|
235
|
+
'a newline and carriage return character.'
|
236
|
+
end
|
237
|
+
|
181
238
|
def open_connection
|
182
239
|
http = Net::HTTP.new(@host, @port, nil)
|
183
240
|
http.open_timeout = @http_open_timeout
|
@@ -190,18 +247,27 @@ module Aws
|
|
190
247
|
|
191
248
|
def http_get(connection, path)
|
192
249
|
request = Net::HTTP::Get.new(path)
|
193
|
-
request
|
250
|
+
set_authorization_token(request)
|
194
251
|
response = connection.request(request)
|
195
252
|
raise Non200Response unless response.code.to_i == 200
|
196
253
|
|
197
254
|
response.body
|
198
255
|
end
|
199
256
|
|
257
|
+
def set_authorization_token(request)
|
258
|
+
if (authorization_token = fetch_authorization_token)
|
259
|
+
validate_authorization_token!(authorization_token)
|
260
|
+
request['Authorization'] = authorization_token
|
261
|
+
end
|
262
|
+
end
|
263
|
+
|
200
264
|
def retry_errors(error_classes, options = {})
|
201
265
|
max_retries = options[:max_retries]
|
202
266
|
retries = 0
|
203
267
|
begin
|
204
268
|
yield
|
269
|
+
rescue TokenFileReadError, InvalidTokenError
|
270
|
+
raise
|
205
271
|
rescue *error_classes => _e
|
206
272
|
raise unless retries < max_retries
|
207
273
|
|
@@ -79,11 +79,11 @@ module Aws
|
|
79
79
|
return false if value.empty?
|
80
80
|
|
81
81
|
if allow_sub_domains
|
82
|
-
labels = value.split('.')
|
82
|
+
labels = value.split('.', -1)
|
83
83
|
return labels.all? { |l| valid_host_label?(l) }
|
84
84
|
end
|
85
85
|
|
86
|
-
value =~ /\A(?!-)[a-zA-Z0-9-]{1,63}(?<!-)\z/
|
86
|
+
!!(value =~ /\A(?!-)[a-zA-Z0-9-]{1,63}(?<!-)\z/)
|
87
87
|
end
|
88
88
|
|
89
89
|
# AWS
|
@@ -114,13 +114,17 @@ module Aws
|
|
114
114
|
|
115
115
|
# aws.isVirtualHostableS3Bucket(value: string, allowSubDomains: bool) bool
|
116
116
|
def self.aws_virtual_hostable_s3_bucket?(value, allow_sub_domains = false)
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
|
117
|
+
return false if value.empty?
|
118
|
+
|
119
|
+
if allow_sub_domains
|
120
|
+
labels = value.split('.', -1)
|
121
|
+
return labels.all? { |l| aws_virtual_hostable_s3_bucket?(l) }
|
122
|
+
end
|
123
|
+
|
124
|
+
# must be between 3 and 63 characters long, no uppercase
|
125
|
+
value =~ /\A(?!-)[a-z0-9-]{3,63}(?<!-)\z/ &&
|
126
|
+
# not an IP address
|
127
|
+
value !~ /(\d+\.){3}\d+/
|
124
128
|
end
|
125
129
|
end
|
126
130
|
end
|
@@ -53,7 +53,7 @@ module Aws
|
|
53
53
|
end
|
54
54
|
|
55
55
|
def merge_signing_defaults(auth_scheme, config)
|
56
|
-
if %w[sigv4 sigv4a].include?(auth_scheme['name'])
|
56
|
+
if %w[sigv4 sigv4a sigv4-s3express].include?(auth_scheme['name'])
|
57
57
|
auth_scheme['signingName'] ||= sigv4_name(config)
|
58
58
|
if auth_scheme['name'] == 'sigv4a'
|
59
59
|
auth_scheme['signingRegionSet'] ||= ['*']
|
data/lib/aws-sdk-core/errors.rb
CHANGED
@@ -53,6 +53,8 @@ module Aws
|
|
53
53
|
# @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
|
54
54
|
# the instance metadata service. This is either 'IPv4' ('169.254.169.254')
|
55
55
|
# or 'IPv6' ('[fd00:ec2::254]').
|
56
|
+
# @option options [Boolean] :disable_imds_v1 (false) Disable the use of the
|
57
|
+
# legacy EC2 Metadata Service v1.
|
56
58
|
# @option options [String] :ip_address ('169.254.169.254') Deprecated. Use
|
57
59
|
# :endpoint instead. The IP address for the endpoint.
|
58
60
|
# @option options [Integer] :port (80)
|
@@ -77,6 +79,9 @@ module Aws
|
|
77
79
|
endpoint_mode = resolve_endpoint_mode(options)
|
78
80
|
@endpoint = resolve_endpoint(options, endpoint_mode)
|
79
81
|
@port = options[:port] || 80
|
82
|
+
@disable_imds_v1 = resolve_disable_v1(options)
|
83
|
+
# Flag for if v2 flow fails, skip future attempts
|
84
|
+
@imds_v1_fallback = false
|
80
85
|
@http_open_timeout = options[:http_open_timeout] || 1
|
81
86
|
@http_read_timeout = options[:http_read_timeout] || 1
|
82
87
|
@http_debug_output = options[:http_debug_output]
|
@@ -123,6 +128,16 @@ module Aws
|
|
123
128
|
end
|
124
129
|
end
|
125
130
|
|
131
|
+
def resolve_disable_v1(options)
|
132
|
+
value = options[:disable_imds_v1]
|
133
|
+
value ||= ENV['AWS_EC2_METADATA_V1_DISABLED']
|
134
|
+
value ||= Aws.shared_config.ec2_metadata_v1_disabled(
|
135
|
+
profile: options[:profile]
|
136
|
+
)
|
137
|
+
value = value.to_s.downcase if value
|
138
|
+
Aws::Util.str_2_bool(value) || false
|
139
|
+
end
|
140
|
+
|
126
141
|
def backoff(backoff)
|
127
142
|
case backoff
|
128
143
|
when Proc then backoff
|
@@ -141,7 +156,7 @@ module Aws
|
|
141
156
|
# service is responding but is returning invalid JSON documents
|
142
157
|
# in response to the GET profile credentials call.
|
143
158
|
begin
|
144
|
-
retry_errors([Aws::Json::ParseError
|
159
|
+
retry_errors([Aws::Json::ParseError], max_retries: 3) do
|
145
160
|
c = Aws::Json.load(get_credentials.to_s)
|
146
161
|
if empty_credentials?(@credentials)
|
147
162
|
@credentials = Credentials.new(
|
@@ -173,7 +188,6 @@ module Aws
|
|
173
188
|
end
|
174
189
|
end
|
175
190
|
end
|
176
|
-
|
177
191
|
end
|
178
192
|
rescue Aws::Json::ParseError
|
179
193
|
raise Aws::Errors::MetadataParserError
|
@@ -191,34 +205,14 @@ module Aws
|
|
191
205
|
open_connection do |conn|
|
192
206
|
# attempt to fetch token to start secure flow first
|
193
207
|
# and rescue to failover
|
194
|
-
|
195
|
-
retry_errors(NETWORK_ERRORS, max_retries: @retries) do
|
196
|
-
unless token_set?
|
197
|
-
created_time = Time.now
|
198
|
-
token_value, ttl = http_put(
|
199
|
-
conn, METADATA_TOKEN_PATH, @token_ttl
|
200
|
-
)
|
201
|
-
@token = Token.new(token_value, ttl, created_time) if token_value && ttl
|
202
|
-
end
|
203
|
-
end
|
204
|
-
rescue *NETWORK_ERRORS
|
205
|
-
# token attempt failed, reset token
|
206
|
-
# fallback to non-token mode
|
207
|
-
@token = nil
|
208
|
-
end
|
209
|
-
|
208
|
+
fetch_token(conn) unless @imds_v1_fallback
|
210
209
|
token = @token.value if token_set?
|
211
210
|
|
212
|
-
|
213
|
-
|
214
|
-
|
215
|
-
|
216
|
-
|
217
|
-
# Token has expired, reset it
|
218
|
-
# The next retry should fetch it
|
219
|
-
@token = nil
|
220
|
-
raise Non200Response
|
221
|
-
end
|
211
|
+
# disable insecure flow if we couldn't get token
|
212
|
+
# and imds v1 is disabled
|
213
|
+
raise TokenRetrivalError if token.nil? && @disable_imds_v1
|
214
|
+
|
215
|
+
_get_credentials(conn, token)
|
222
216
|
end
|
223
217
|
end
|
224
218
|
rescue
|
@@ -227,6 +221,36 @@ module Aws
|
|
227
221
|
end
|
228
222
|
end
|
229
223
|
|
224
|
+
def fetch_token(conn)
|
225
|
+
retry_errors(NETWORK_ERRORS, max_retries: @retries) do
|
226
|
+
unless token_set?
|
227
|
+
created_time = Time.now
|
228
|
+
token_value, ttl = http_put(
|
229
|
+
conn, METADATA_TOKEN_PATH, @token_ttl
|
230
|
+
)
|
231
|
+
@token = Token.new(token_value, ttl, created_time) if token_value && ttl
|
232
|
+
end
|
233
|
+
end
|
234
|
+
rescue *NETWORK_ERRORS
|
235
|
+
# token attempt failed, reset token
|
236
|
+
# fallback to non-token mode
|
237
|
+
@token = nil
|
238
|
+
@imds_v1_fallback = true
|
239
|
+
end
|
240
|
+
|
241
|
+
# token is optional - if nil, uses v1 (insecure) flow
|
242
|
+
def _get_credentials(conn, token)
|
243
|
+
metadata = http_get(conn, METADATA_PATH_BASE, token)
|
244
|
+
profile_name = metadata.lines.first.strip
|
245
|
+
http_get(conn, METADATA_PATH_BASE + profile_name, token)
|
246
|
+
rescue TokenExpiredError
|
247
|
+
# Token has expired, reset it
|
248
|
+
# The next retry should fetch it
|
249
|
+
@token = nil
|
250
|
+
@imds_v1_fallback = false
|
251
|
+
raise Non200Response
|
252
|
+
end
|
253
|
+
|
230
254
|
def token_set?
|
231
255
|
@token && !@token.expired?
|
232
256
|
end
|
@@ -276,8 +300,6 @@ module Aws
|
|
276
300
|
]
|
277
301
|
when 400
|
278
302
|
raise TokenRetrivalError
|
279
|
-
when 401
|
280
|
-
raise TokenExpiredError
|
281
303
|
else
|
282
304
|
raise Non200Response
|
283
305
|
end
|
@@ -59,7 +59,10 @@ module Aws
|
|
59
59
|
end
|
60
60
|
resp_struct
|
61
61
|
else
|
62
|
-
Parser.new(
|
62
|
+
Parser.new(
|
63
|
+
rules,
|
64
|
+
query_compatible: query_compatible?(context)
|
65
|
+
).parse(json == '' ? '{}' : json)
|
63
66
|
end
|
64
67
|
else
|
65
68
|
EmptyStructure.new
|
@@ -83,6 +86,10 @@ module Aws
|
|
83
86
|
context.config.simple_json
|
84
87
|
end
|
85
88
|
|
89
|
+
def query_compatible?(context)
|
90
|
+
context.config.api.metadata.key?('awsQueryCompatible')
|
91
|
+
end
|
92
|
+
|
86
93
|
end
|
87
94
|
end
|
88
95
|
end
|
@@ -10,8 +10,9 @@ module Aws
|
|
10
10
|
include Seahorse::Model::Shapes
|
11
11
|
|
12
12
|
# @param [Seahorse::Model::ShapeRef] rules
|
13
|
-
def initialize(rules)
|
13
|
+
def initialize(rules, query_compatible: false)
|
14
14
|
@rules = rules
|
15
|
+
@query_compatible = query_compatible
|
15
16
|
end
|
16
17
|
|
17
18
|
# @param [String<JSON>] json
|
@@ -28,10 +29,26 @@ module Aws
|
|
28
29
|
member_name, member_ref = shape.member_by_location_name(key)
|
29
30
|
if member_ref
|
30
31
|
target[member_name] = parse_ref(member_ref, value)
|
31
|
-
elsif shape.union
|
32
|
+
elsif shape.union && key != '__type'
|
32
33
|
target[:unknown] = { 'name' => key, 'value' => value }
|
33
34
|
end
|
34
35
|
end
|
36
|
+
# In services that were previously Query/XML, members that were
|
37
|
+
# "flattened" defaulted to empty lists. In JSON, these values are nil,
|
38
|
+
# which is backwards incompatible. To preserve backwards compatibility,
|
39
|
+
# we set a default value of [] for these members.
|
40
|
+
if @query_compatible
|
41
|
+
ref.shape.members.each do |member_name, member_target|
|
42
|
+
next unless target[member_name].nil?
|
43
|
+
|
44
|
+
if flattened_list?(member_target.shape)
|
45
|
+
target[member_name] = []
|
46
|
+
elsif flattened_map?(member_target.shape)
|
47
|
+
target[member_name] = {}
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
51
|
+
|
35
52
|
if shape.union
|
36
53
|
# convert to subclass
|
37
54
|
member_subclass = shape.member_subclass(target.member).new
|
@@ -79,6 +96,14 @@ module Aws
|
|
79
96
|
value.is_a?(Numeric) ? Time.at(value) : Time.parse(value)
|
80
97
|
end
|
81
98
|
|
99
|
+
def flattened_list?(shape)
|
100
|
+
shape.is_a?(ListShape) && shape.flattened
|
101
|
+
end
|
102
|
+
|
103
|
+
def flattened_map?(shape)
|
104
|
+
shape.is_a?(MapShape) && shape.flattened
|
105
|
+
end
|
106
|
+
|
82
107
|
end
|
83
108
|
end
|
84
109
|
end
|
@@ -6,7 +6,7 @@ module Aws
|
|
6
6
|
|
7
7
|
include Seahorse::Model::Shapes
|
8
8
|
|
9
|
-
EXPECTED_GOT =
|
9
|
+
EXPECTED_GOT = 'expected %s to be %s, got class %s instead.'
|
10
10
|
|
11
11
|
# @param [Seahorse::Model::Shapes::ShapeRef] rules
|
12
12
|
# @param [Hash] params
|
@@ -230,7 +230,7 @@ module Aws
|
|
230
230
|
end
|
231
231
|
|
232
232
|
def expected_got(context, expected, got)
|
233
|
-
EXPECTED_GOT % [context, expected, got.
|
233
|
+
EXPECTED_GOT % [context, expected, got.class.name]
|
234
234
|
end
|
235
235
|
|
236
236
|
end
|
@@ -117,7 +117,8 @@ module Aws
|
|
117
117
|
|
118
118
|
def call(context)
|
119
119
|
if should_calculate_request_checksum?(context)
|
120
|
-
request_algorithm_input = ChecksumAlgorithm.request_algorithm_selection(context)
|
120
|
+
request_algorithm_input = ChecksumAlgorithm.request_algorithm_selection(context) ||
|
121
|
+
context[:default_request_checksum_algorithm]
|
121
122
|
context[:checksum_algorithms] = request_algorithm_input
|
122
123
|
|
123
124
|
request_checksum_property = {
|
@@ -140,7 +141,8 @@ module Aws
|
|
140
141
|
|
141
142
|
def should_calculate_request_checksum?(context)
|
142
143
|
context.operation.http_checksum &&
|
143
|
-
ChecksumAlgorithm.request_algorithm_selection(context)
|
144
|
+
(ChecksumAlgorithm.request_algorithm_selection(context) ||
|
145
|
+
context[:default_request_checksum_algorithm])
|
144
146
|
end
|
145
147
|
|
146
148
|
def should_verify_response_checksum?(context)
|
@@ -12,7 +12,8 @@ module Aws
|
|
12
12
|
|
13
13
|
def call(context)
|
14
14
|
if checksum_required?(context) &&
|
15
|
-
!context[:checksum_algorithms] # skip in favor of flexible checksum
|
15
|
+
!context[:checksum_algorithms] && # skip in favor of flexible checksum
|
16
|
+
!context[:s3_express_endpoint] # s3 express endpoints do not support md5
|
16
17
|
body = context.http_request.body
|
17
18
|
context.http_request.headers['Content-Md5'] ||= md5(body)
|
18
19
|
end
|
@@ -13,7 +13,7 @@ module Aws
|
|
13
13
|
option(:sigv4_region)
|
14
14
|
option(:unsigned_operations, default: [])
|
15
15
|
|
16
|
-
supported_auth_types = %w[sigv4 bearer none]
|
16
|
+
supported_auth_types = %w[sigv4 bearer sigv4-s3express none]
|
17
17
|
supported_auth_types += ['sigv4a'] if Aws::Sigv4::Signer.use_crt?
|
18
18
|
SUPPORTED_AUTH_TYPES = supported_auth_types.freeze
|
19
19
|
|
@@ -24,10 +24,14 @@ module Aws
|
|
24
24
|
|
25
25
|
# @api private
|
26
26
|
# Return a signer with the `sign(context)` method
|
27
|
-
def self.signer_for(auth_scheme, config,
|
27
|
+
def self.signer_for(auth_scheme, config, sigv4_region_override = nil, sigv4_credentials_override = nil)
|
28
28
|
case auth_scheme['name']
|
29
|
-
when 'sigv4', 'sigv4a'
|
30
|
-
|
29
|
+
when 'sigv4', 'sigv4a', 'sigv4-s3express'
|
30
|
+
sigv4_overrides = {
|
31
|
+
region: sigv4_region_override,
|
32
|
+
credentials: sigv4_credentials_override
|
33
|
+
}
|
34
|
+
SignatureV4.new(auth_scheme, config, sigv4_overrides)
|
31
35
|
when 'bearer'
|
32
36
|
Bearer.new
|
33
37
|
else
|
@@ -42,7 +46,8 @@ module Aws
|
|
42
46
|
signer = Sign.signer_for(
|
43
47
|
context[:auth_scheme],
|
44
48
|
context.config,
|
45
|
-
context[:sigv4_region]
|
49
|
+
context[:sigv4_region],
|
50
|
+
context[:sigv4_credentials]
|
46
51
|
)
|
47
52
|
signer.sign(context)
|
48
53
|
end
|
@@ -88,12 +93,12 @@ module Aws
|
|
88
93
|
|
89
94
|
# @api private
|
90
95
|
class SignatureV4
|
91
|
-
def initialize(auth_scheme, config,
|
96
|
+
def initialize(auth_scheme, config, sigv4_overrides = {})
|
92
97
|
scheme_name = auth_scheme['name']
|
93
98
|
|
94
|
-
unless %w[sigv4 sigv4a].include?(scheme_name)
|
99
|
+
unless %w[sigv4 sigv4a sigv4-s3express].include?(scheme_name)
|
95
100
|
raise ArgumentError,
|
96
|
-
"Expected sigv4 or
|
101
|
+
"Expected sigv4, sigv4a, or sigv4-s3express auth scheme, got #{scheme_name}"
|
97
102
|
end
|
98
103
|
|
99
104
|
region = if scheme_name == 'sigv4a'
|
@@ -104,8 +109,8 @@ module Aws
|
|
104
109
|
begin
|
105
110
|
@signer = Aws::Sigv4::Signer.new(
|
106
111
|
service: config.sigv4_name || auth_scheme['signingName'],
|
107
|
-
region:
|
108
|
-
credentials_provider: config.credentials,
|
112
|
+
region: sigv4_overrides[:region] || config.sigv4_region || region,
|
113
|
+
credentials_provider: sigv4_overrides[:credentials] || config.credentials,
|
109
114
|
signing_algorithm: scheme_name.to_sym,
|
110
115
|
uri_escape_path: !!!auth_scheme['disableDoubleEncoding'],
|
111
116
|
normalize_path: !!!auth_scheme['disableNormalizePath'],
|