aws-sdk-core 3.185.1 → 3.214.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +409 -0
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +1 -2
- data/lib/aws-defaults.rb +4 -1
- data/lib/aws-sdk-core/assume_role_credentials.rb +12 -5
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +13 -7
- data/lib/aws-sdk-core/binary/decode_handler.rb +3 -9
- data/lib/aws-sdk-core/binary/encode_handler.rb +1 -1
- data/lib/aws-sdk-core/binary/event_builder.rb +34 -37
- data/lib/aws-sdk-core/binary/event_stream_decoder.rb +1 -0
- data/lib/aws-sdk-core/binary/event_stream_encoder.rb +4 -3
- data/lib/aws-sdk-core/cbor/decoder.rb +310 -0
- data/lib/aws-sdk-core/cbor/encoder.rb +243 -0
- data/lib/aws-sdk-core/cbor.rb +53 -0
- data/lib/aws-sdk-core/client_side_monitoring.rb +9 -0
- data/lib/aws-sdk-core/client_stubs.rb +23 -19
- data/lib/aws-sdk-core/credential_provider.rb +1 -1
- data/lib/aws-sdk-core/credential_provider_chain.rb +13 -6
- data/lib/aws-sdk-core/credentials.rb +13 -6
- data/lib/aws-sdk-core/ec2_metadata.rb +1 -1
- data/lib/aws-sdk-core/ecs_credentials.rb +78 -11
- data/lib/aws-sdk-core/endpoints/endpoint.rb +3 -1
- data/lib/aws-sdk-core/endpoints/matchers.rb +6 -9
- data/lib/aws-sdk-core/endpoints.rb +74 -18
- data/lib/aws-sdk-core/error_handler.rb +41 -0
- data/lib/aws-sdk-core/errors.rb +11 -2
- data/lib/aws-sdk-core/event_emitter.rb +0 -16
- data/lib/aws-sdk-core/instance_profile_credentials.rb +55 -32
- data/lib/aws-sdk-core/json/builder.rb +8 -1
- data/lib/aws-sdk-core/json/error_handler.rb +17 -11
- data/lib/aws-sdk-core/json/handler.rb +13 -6
- data/lib/aws-sdk-core/json/json_engine.rb +3 -1
- data/lib/aws-sdk-core/json/oj_engine.rb +7 -1
- data/lib/aws-sdk-core/json/parser.rb +32 -2
- data/lib/aws-sdk-core/json.rb +43 -14
- data/lib/aws-sdk-core/log/param_filter.rb +2 -2
- data/lib/aws-sdk-core/log.rb +10 -0
- data/lib/aws-sdk-core/lru_cache.rb +75 -0
- data/lib/aws-sdk-core/pageable_response.rb +1 -1
- data/lib/aws-sdk-core/param_validator.rb +7 -2
- data/lib/aws-sdk-core/plugins/bearer_authorization.rb +2 -0
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +6 -3
- data/lib/aws-sdk-core/plugins/client_metrics_plugin.rb +1 -0
- data/lib/aws-sdk-core/plugins/client_metrics_send_plugin.rb +14 -2
- data/lib/aws-sdk-core/plugins/credentials_configuration.rb +9 -3
- data/lib/aws-sdk-core/plugins/global_configuration.rb +8 -9
- data/lib/aws-sdk-core/plugins/http_checksum.rb +2 -1
- data/lib/aws-sdk-core/plugins/invocation_id.rb +1 -11
- data/lib/aws-sdk-core/plugins/logging.rb +2 -0
- data/lib/aws-sdk-core/plugins/protocols/api_gateway.rb +3 -1
- data/lib/aws-sdk-core/plugins/protocols/ec2.rb +2 -24
- data/lib/aws-sdk-core/plugins/protocols/json_rpc.rb +6 -8
- data/lib/aws-sdk-core/plugins/protocols/query.rb +4 -2
- data/lib/aws-sdk-core/plugins/protocols/rest_json.rb +3 -15
- data/lib/aws-sdk-core/plugins/protocols/rest_xml.rb +3 -0
- data/lib/aws-sdk-core/plugins/protocols/rpc_v2.rb +17 -0
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +74 -25
- data/lib/aws-sdk-core/plugins/request_compression.rb +11 -2
- data/lib/aws-sdk-core/plugins/retry_errors.rb +12 -3
- data/lib/aws-sdk-core/plugins/sign.rb +27 -15
- data/lib/aws-sdk-core/plugins/signature_v2.rb +2 -1
- data/lib/aws-sdk-core/plugins/signature_v4.rb +2 -1
- data/lib/aws-sdk-core/plugins/stub_responses.rb +30 -2
- data/lib/aws-sdk-core/plugins/telemetry.rb +75 -0
- data/lib/aws-sdk-core/plugins/transfer_encoding.rb +16 -9
- data/lib/aws-sdk-core/plugins/user_agent.rb +70 -26
- data/lib/aws-sdk-core/plugins.rb +39 -0
- data/lib/aws-sdk-core/process_credentials.rb +47 -28
- data/lib/aws-sdk-core/query/ec2_handler.rb +27 -0
- data/lib/aws-sdk-core/query/ec2_param_builder.rb +5 -7
- data/lib/aws-sdk-core/query/handler.rb +4 -4
- data/lib/aws-sdk-core/query/param_builder.rb +2 -2
- data/lib/aws-sdk-core/query.rb +2 -1
- data/lib/aws-sdk-core/refreshing_credentials.rb +12 -6
- data/lib/aws-sdk-core/resources.rb +8 -0
- data/lib/aws-sdk-core/rest/content_type_handler.rb +60 -0
- data/lib/aws-sdk-core/rest/handler.rb +3 -4
- data/lib/aws-sdk-core/rest/request/body.rb +32 -5
- data/lib/aws-sdk-core/rest/request/endpoint.rb +24 -4
- data/lib/aws-sdk-core/rest/request/headers.rb +14 -6
- data/lib/aws-sdk-core/rest/request/querystring_builder.rb +62 -36
- data/lib/aws-sdk-core/rest/response/body.rb +15 -1
- data/lib/aws-sdk-core/rest/response/header_list_parser.rb +79 -0
- data/lib/aws-sdk-core/rest/response/headers.rb +8 -3
- data/lib/aws-sdk-core/rest.rb +1 -0
- data/lib/aws-sdk-core/rpc_v2/builder.rb +62 -0
- data/lib/aws-sdk-core/rpc_v2/cbor_engine.rb +18 -0
- data/lib/aws-sdk-core/rpc_v2/content_type_handler.rb +47 -0
- data/lib/aws-sdk-core/rpc_v2/error_handler.rb +85 -0
- data/lib/aws-sdk-core/rpc_v2/handler.rb +79 -0
- data/lib/aws-sdk-core/rpc_v2/parser.rb +90 -0
- data/lib/aws-sdk-core/rpc_v2.rb +69 -0
- data/lib/aws-sdk-core/shared_config.rb +7 -2
- data/lib/aws-sdk-core/shared_credentials.rb +0 -7
- data/lib/aws-sdk-core/sso_credentials.rb +2 -1
- data/lib/aws-sdk-core/stubbing/protocols/ec2.rb +12 -11
- data/lib/aws-sdk-core/stubbing/protocols/json.rb +11 -10
- data/lib/aws-sdk-core/stubbing/protocols/query.rb +7 -6
- data/lib/aws-sdk-core/stubbing/protocols/rest.rb +2 -1
- data/lib/aws-sdk-core/stubbing/protocols/rest_json.rb +9 -8
- data/lib/aws-sdk-core/stubbing/protocols/rest_xml.rb +6 -5
- data/lib/aws-sdk-core/stubbing/protocols/rpc_v2.rb +39 -0
- data/lib/aws-sdk-core/stubbing.rb +22 -0
- data/lib/aws-sdk-core/telemetry/base.rb +177 -0
- data/lib/aws-sdk-core/telemetry/no_op.rb +70 -0
- data/lib/aws-sdk-core/telemetry/otel.rb +235 -0
- data/lib/aws-sdk-core/telemetry/span_kind.rb +22 -0
- data/lib/aws-sdk-core/telemetry/span_status.rb +59 -0
- data/lib/aws-sdk-core/telemetry.rb +78 -0
- data/lib/aws-sdk-core/util.rb +39 -0
- data/lib/aws-sdk-core/waiters/poller.rb +10 -5
- data/lib/aws-sdk-core/xml/builder.rb +17 -9
- data/lib/aws-sdk-core/xml/error_handler.rb +32 -42
- data/lib/aws-sdk-core/xml/parser/frame.rb +4 -20
- data/lib/aws-sdk-core/xml/parser/stack.rb +2 -0
- data/lib/aws-sdk-core/xml/parser.rb +2 -6
- data/lib/aws-sdk-core.rb +82 -107
- data/lib/aws-sdk-sso/client.rb +119 -55
- data/lib/aws-sdk-sso/client_api.rb +7 -0
- data/lib/aws-sdk-sso/endpoint_parameters.rb +9 -6
- data/lib/aws-sdk-sso/endpoints.rb +2 -54
- data/lib/aws-sdk-sso/plugins/endpoints.rb +23 -22
- data/lib/aws-sdk-sso/types.rb +1 -0
- data/lib/aws-sdk-sso.rb +15 -11
- data/lib/aws-sdk-ssooidc/client.rb +504 -83
- data/lib/aws-sdk-ssooidc/client_api.rb +83 -1
- data/lib/aws-sdk-ssooidc/endpoint_parameters.rb +9 -6
- data/lib/aws-sdk-ssooidc/endpoint_provider.rb +2 -2
- data/lib/aws-sdk-ssooidc/endpoints.rb +2 -40
- data/lib/aws-sdk-ssooidc/errors.rb +52 -0
- data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +23 -20
- data/lib/aws-sdk-ssooidc/types.rb +373 -51
- data/lib/aws-sdk-ssooidc.rb +15 -11
- data/lib/aws-sdk-sts/client.rb +334 -105
- data/lib/aws-sdk-sts/client_api.rb +36 -10
- data/lib/aws-sdk-sts/customizations.rb +5 -1
- data/lib/aws-sdk-sts/endpoint_parameters.rb +10 -9
- data/lib/aws-sdk-sts/endpoint_provider.rb +2 -2
- data/lib/aws-sdk-sts/endpoints.rb +2 -118
- data/lib/aws-sdk-sts/plugins/endpoints.rb +23 -30
- data/lib/aws-sdk-sts/presigner.rb +1 -1
- data/lib/aws-sdk-sts/types.rb +188 -30
- data/lib/aws-sdk-sts.rb +15 -11
- data/lib/seahorse/client/async_base.rb +1 -1
- data/lib/seahorse/client/async_response.rb +19 -0
- data/lib/seahorse/client/base.rb +18 -7
- data/lib/seahorse/client/h2/handler.rb +14 -3
- data/lib/seahorse/client/handler.rb +1 -1
- data/lib/seahorse/client/net_http/connection_pool.rb +11 -11
- data/lib/seahorse/client/net_http/handler.rb +21 -9
- data/lib/seahorse/client/net_http/patches.rb +1 -4
- data/lib/seahorse/client/plugin.rb +9 -0
- data/lib/seahorse/client/plugins/endpoint.rb +0 -1
- data/lib/seahorse/client/plugins/h2.rb +3 -3
- data/lib/seahorse/client/plugins/net_http.rb +57 -16
- data/lib/seahorse/client/request_context.rb +8 -1
- data/lib/seahorse/model/shapes.rb +2 -2
- data/sig/aws-sdk-core/client_stubs.rbs +10 -0
- data/sig/aws-sdk-core/errors.rbs +22 -0
- data/sig/aws-sdk-core/resources/collection.rbs +21 -0
- data/sig/aws-sdk-core/structure.rbs +4 -0
- data/sig/aws-sdk-core/telemetry/base.rbs +46 -0
- data/sig/aws-sdk-core/telemetry/otel.rbs +22 -0
- data/sig/aws-sdk-core/telemetry/span_kind.rbs +15 -0
- data/sig/aws-sdk-core/telemetry/span_status.rbs +24 -0
- data/sig/aws-sdk-core/waiters/errors.rbs +20 -0
- data/sig/aws-sdk-core.rbs +7 -0
- data/sig/seahorse/client/base.rbs +25 -0
- data/sig/seahorse/client/handler_builder.rbs +16 -0
- data/sig/seahorse/client/response.rbs +61 -0
- metadata +61 -19
- /data/lib/aws-sdk-core/xml/parser/{engines/libxml.rb → libxml_engine.rb} +0 -0
- /data/lib/aws-sdk-core/xml/parser/{engines/nokogiri.rb → nokogiri_engine.rb} +0 -0
- /data/lib/aws-sdk-core/xml/parser/{engines/oga.rb → oga_engine.rb} +0 -0
- /data/lib/aws-sdk-core/xml/parser/{engines/ox.rb → ox_engine.rb} +0 -0
- /data/lib/aws-sdk-core/xml/parser/{engines/rexml.rb → rexml_engine.rb} +0 -0
|
@@ -45,7 +45,8 @@ module Aws
|
|
|
45
45
|
Credentials.new(
|
|
46
46
|
options[:config].access_key_id,
|
|
47
47
|
options[:config].secret_access_key,
|
|
48
|
-
options[:config].session_token
|
|
48
|
+
options[:config].session_token,
|
|
49
|
+
account_id: options[:config].account_id
|
|
49
50
|
)
|
|
50
51
|
end
|
|
51
52
|
end
|
|
@@ -84,7 +85,7 @@ module Aws
|
|
|
84
85
|
def static_profile_process_credentials(options)
|
|
85
86
|
if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
|
|
86
87
|
process_provider = Aws.shared_config.credential_process(profile: options[:config].profile)
|
|
87
|
-
ProcessCredentials.new(process_provider) if process_provider
|
|
88
|
+
ProcessCredentials.new([process_provider]) if process_provider
|
|
88
89
|
end
|
|
89
90
|
rescue Errors::NoSuchProfileError
|
|
90
91
|
nil
|
|
@@ -94,7 +95,13 @@ module Aws
|
|
|
94
95
|
key = %w[AWS_ACCESS_KEY_ID AMAZON_ACCESS_KEY_ID AWS_ACCESS_KEY]
|
|
95
96
|
secret = %w[AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY]
|
|
96
97
|
token = %w[AWS_SESSION_TOKEN AMAZON_SESSION_TOKEN]
|
|
97
|
-
|
|
98
|
+
account_id = %w[AWS_ACCOUNT_ID]
|
|
99
|
+
Credentials.new(
|
|
100
|
+
envar(key),
|
|
101
|
+
envar(secret),
|
|
102
|
+
envar(token),
|
|
103
|
+
account_id: envar(account_id)
|
|
104
|
+
)
|
|
98
105
|
end
|
|
99
106
|
|
|
100
107
|
def envar(keys)
|
|
@@ -117,9 +124,9 @@ module Aws
|
|
|
117
124
|
|
|
118
125
|
def process_credentials(options)
|
|
119
126
|
profile_name = determine_profile_name(options)
|
|
120
|
-
if Aws.shared_config.config_enabled?
|
|
121
|
-
|
|
122
|
-
ProcessCredentials.new(process_provider)
|
|
127
|
+
if Aws.shared_config.config_enabled?
|
|
128
|
+
process_provider = Aws.shared_config.credential_process(profile: profile_name)
|
|
129
|
+
ProcessCredentials.new([process_provider]) if process_provider
|
|
123
130
|
end
|
|
124
131
|
rescue Errors::NoSuchProfileError
|
|
125
132
|
nil
|
|
@@ -6,21 +6,28 @@ module Aws
|
|
|
6
6
|
# @param [String] access_key_id
|
|
7
7
|
# @param [String] secret_access_key
|
|
8
8
|
# @param [String] session_token (nil)
|
|
9
|
-
|
|
9
|
+
# @param [Hash] kwargs
|
|
10
|
+
# @option kwargs [String] :credential_scope (nil)
|
|
11
|
+
def initialize(access_key_id, secret_access_key, session_token = nil,
|
|
12
|
+
**kwargs)
|
|
10
13
|
@access_key_id = access_key_id
|
|
11
14
|
@secret_access_key = secret_access_key
|
|
12
15
|
@session_token = session_token
|
|
16
|
+
@account_id = kwargs[:account_id]
|
|
13
17
|
end
|
|
14
18
|
|
|
15
|
-
# @return [String
|
|
19
|
+
# @return [String]
|
|
16
20
|
attr_reader :access_key_id
|
|
17
21
|
|
|
18
|
-
# @return [String
|
|
22
|
+
# @return [String]
|
|
19
23
|
attr_reader :secret_access_key
|
|
20
24
|
|
|
21
25
|
# @return [String, nil]
|
|
22
26
|
attr_reader :session_token
|
|
23
27
|
|
|
28
|
+
# @return [String, nil]
|
|
29
|
+
attr_reader :account_id
|
|
30
|
+
|
|
24
31
|
# @return [Credentials]
|
|
25
32
|
def credentials
|
|
26
33
|
self
|
|
@@ -30,9 +37,9 @@ module Aws
|
|
|
30
37
|
# access key are both set.
|
|
31
38
|
def set?
|
|
32
39
|
!access_key_id.nil? &&
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
40
|
+
!access_key_id.empty? &&
|
|
41
|
+
!secret_access_key.nil? &&
|
|
42
|
+
!secret_access_key.empty?
|
|
36
43
|
end
|
|
37
44
|
|
|
38
45
|
# Removing the secret access key from the default inspect string.
|
|
@@ -183,7 +183,7 @@ module Aws
|
|
|
183
183
|
|
|
184
184
|
def open_connection
|
|
185
185
|
uri = URI.parse(@endpoint)
|
|
186
|
-
http = Net::HTTP.new(uri.hostname || @endpoint,
|
|
186
|
+
http = Net::HTTP.new(uri.hostname || @endpoint, uri.port || @port)
|
|
187
187
|
http.open_timeout = @http_open_timeout
|
|
188
188
|
http.read_timeout = @http_read_timeout
|
|
189
189
|
http.set_debug_output(@http_debug_output) if @http_debug_output
|
|
@@ -6,7 +6,7 @@ require 'resolv'
|
|
|
6
6
|
|
|
7
7
|
module Aws
|
|
8
8
|
# An auto-refreshing credential provider that loads credentials from
|
|
9
|
-
# instances running in
|
|
9
|
+
# instances running in containers.
|
|
10
10
|
#
|
|
11
11
|
# ecs_credentials = Aws::ECSCredentials.new(retries: 3)
|
|
12
12
|
# ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
|
|
@@ -17,6 +17,12 @@ module Aws
|
|
|
17
17
|
# @api private
|
|
18
18
|
class Non200Response < RuntimeError; end
|
|
19
19
|
|
|
20
|
+
# Raised when the token file cannot be read.
|
|
21
|
+
class TokenFileReadError < RuntimeError; end
|
|
22
|
+
|
|
23
|
+
# Raised when the token file is invalid.
|
|
24
|
+
class InvalidTokenError < RuntimeError; end
|
|
25
|
+
|
|
20
26
|
# These are the errors we trap when attempting to talk to the
|
|
21
27
|
# instance metadata service. Any of these imply the service
|
|
22
28
|
# is not present, no responding or some other non-recoverable
|
|
@@ -41,7 +47,7 @@ module Aws
|
|
|
41
47
|
# is set and `credential_path` is not set.
|
|
42
48
|
# @option options [String] :credential_path By default, the value of the
|
|
43
49
|
# AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
|
|
44
|
-
# @option options [String] :endpoint The
|
|
50
|
+
# @option options [String] :endpoint The container credential endpoint.
|
|
45
51
|
# By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
|
|
46
52
|
# environment variable. This value is ignored if `credential_path` or
|
|
47
53
|
# ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
|
|
@@ -64,7 +70,6 @@ module Aws
|
|
|
64
70
|
endpoint = options[:endpoint] ||
|
|
65
71
|
ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
|
|
66
72
|
initialize_uri(options, credential_path, endpoint)
|
|
67
|
-
@authorization_token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN']
|
|
68
73
|
|
|
69
74
|
@retries = options[:retries] || 5
|
|
70
75
|
@http_open_timeout = options[:http_open_timeout] || 5
|
|
@@ -103,11 +108,18 @@ module Aws
|
|
|
103
108
|
|
|
104
109
|
def initialize_full_uri(endpoint)
|
|
105
110
|
uri = URI.parse(endpoint)
|
|
111
|
+
validate_full_uri_scheme!(uri)
|
|
106
112
|
validate_full_uri!(uri)
|
|
107
|
-
@host = uri.
|
|
113
|
+
@host = uri.hostname
|
|
108
114
|
@port = uri.port
|
|
109
115
|
@scheme = uri.scheme
|
|
110
|
-
@credential_path = uri.
|
|
116
|
+
@credential_path = uri.request_uri
|
|
117
|
+
end
|
|
118
|
+
|
|
119
|
+
def validate_full_uri_scheme!(full_uri)
|
|
120
|
+
return if full_uri.is_a?(URI::HTTP) || full_uri.is_a?(URI::HTTPS)
|
|
121
|
+
|
|
122
|
+
raise ArgumentError, "'#{full_uri}' must be a valid HTTP or HTTPS URI"
|
|
111
123
|
end
|
|
112
124
|
|
|
113
125
|
# Validate that the full URI is using a loopback address if scheme is http.
|
|
@@ -115,19 +127,24 @@ module Aws
|
|
|
115
127
|
return unless full_uri.scheme == 'http'
|
|
116
128
|
|
|
117
129
|
begin
|
|
118
|
-
return if
|
|
130
|
+
return if valid_ip_address?(IPAddr.new(full_uri.host))
|
|
119
131
|
rescue IPAddr::InvalidAddressError
|
|
120
132
|
addresses = Resolv.getaddresses(full_uri.host)
|
|
121
|
-
return if addresses.all? { |addr|
|
|
133
|
+
return if addresses.all? { |addr| valid_ip_address?(IPAddr.new(addr)) }
|
|
122
134
|
end
|
|
123
135
|
|
|
124
136
|
raise ArgumentError,
|
|
125
|
-
'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a loopback '\
|
|
126
|
-
'address when using the http scheme.'
|
|
137
|
+
'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a local loopback '\
|
|
138
|
+
'or an ECS or EKS link-local address when using the http scheme.'
|
|
139
|
+
end
|
|
140
|
+
|
|
141
|
+
def valid_ip_address?(ip_address)
|
|
142
|
+
ip_loopback?(ip_address) || ecs_or_eks_ip?(ip_address)
|
|
127
143
|
end
|
|
128
144
|
|
|
129
145
|
# loopback? method is available in Ruby 2.5+
|
|
130
146
|
# Replicate the logic here.
|
|
147
|
+
# loopback (IPv4 127.0.0.0/8, IPv6 ::1/128)
|
|
131
148
|
def ip_loopback?(ip_address)
|
|
132
149
|
case ip_address.family
|
|
133
150
|
when Socket::AF_INET
|
|
@@ -139,6 +156,20 @@ module Aws
|
|
|
139
156
|
end
|
|
140
157
|
end
|
|
141
158
|
|
|
159
|
+
# Verify that the IP address is a link-local address from ECS or EKS.
|
|
160
|
+
# ECS container host (IPv4 `169.254.170.2`)
|
|
161
|
+
# EKS container host (IPv4 `169.254.170.23`, IPv6 `fd00:ec2::23`)
|
|
162
|
+
def ecs_or_eks_ip?(ip_address)
|
|
163
|
+
case ip_address.family
|
|
164
|
+
when Socket::AF_INET
|
|
165
|
+
[0xa9feaa02, 0xa9feaa17].include?(ip_address)
|
|
166
|
+
when Socket::AF_INET6
|
|
167
|
+
ip_address == 0xfd00_0ec2_0000_0000_0000_0000_0000_0023
|
|
168
|
+
else
|
|
169
|
+
false
|
|
170
|
+
end
|
|
171
|
+
end
|
|
172
|
+
|
|
142
173
|
def backoff(backoff)
|
|
143
174
|
case backoff
|
|
144
175
|
when Proc then backoff
|
|
@@ -174,10 +205,37 @@ module Aws
|
|
|
174
205
|
http_get(conn, @credential_path)
|
|
175
206
|
end
|
|
176
207
|
end
|
|
177
|
-
rescue
|
|
208
|
+
rescue TokenFileReadError, InvalidTokenError
|
|
209
|
+
raise
|
|
210
|
+
rescue StandardError => e
|
|
211
|
+
warn("Error retrieving ECS Credentials: #{e.message}")
|
|
178
212
|
'{}'
|
|
179
213
|
end
|
|
180
214
|
|
|
215
|
+
def fetch_authorization_token
|
|
216
|
+
if (path = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE'])
|
|
217
|
+
fetch_authorization_token_file(path)
|
|
218
|
+
elsif (token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN'])
|
|
219
|
+
token
|
|
220
|
+
end
|
|
221
|
+
end
|
|
222
|
+
|
|
223
|
+
def fetch_authorization_token_file(path)
|
|
224
|
+
File.read(path).strip
|
|
225
|
+
rescue Errno::ENOENT
|
|
226
|
+
raise TokenFileReadError,
|
|
227
|
+
'AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE is set '\
|
|
228
|
+
"but the file doesn't exist: #{path}"
|
|
229
|
+
end
|
|
230
|
+
|
|
231
|
+
def validate_authorization_token!(token)
|
|
232
|
+
return unless token.include?("\r\n")
|
|
233
|
+
|
|
234
|
+
raise InvalidTokenError,
|
|
235
|
+
'Invalid Authorization token: token contains '\
|
|
236
|
+
'a newline and carriage return character.'
|
|
237
|
+
end
|
|
238
|
+
|
|
181
239
|
def open_connection
|
|
182
240
|
http = Net::HTTP.new(@host, @port, nil)
|
|
183
241
|
http.open_timeout = @http_open_timeout
|
|
@@ -190,18 +248,27 @@ module Aws
|
|
|
190
248
|
|
|
191
249
|
def http_get(connection, path)
|
|
192
250
|
request = Net::HTTP::Get.new(path)
|
|
193
|
-
request
|
|
251
|
+
set_authorization_token(request)
|
|
194
252
|
response = connection.request(request)
|
|
195
253
|
raise Non200Response unless response.code.to_i == 200
|
|
196
254
|
|
|
197
255
|
response.body
|
|
198
256
|
end
|
|
199
257
|
|
|
258
|
+
def set_authorization_token(request)
|
|
259
|
+
if (authorization_token = fetch_authorization_token)
|
|
260
|
+
validate_authorization_token!(authorization_token)
|
|
261
|
+
request['Authorization'] = authorization_token
|
|
262
|
+
end
|
|
263
|
+
end
|
|
264
|
+
|
|
200
265
|
def retry_errors(error_classes, options = {})
|
|
201
266
|
max_retries = options[:max_retries]
|
|
202
267
|
retries = 0
|
|
203
268
|
begin
|
|
204
269
|
yield
|
|
270
|
+
rescue TokenFileReadError, InvalidTokenError
|
|
271
|
+
raise
|
|
205
272
|
rescue *error_classes => _e
|
|
206
273
|
raise unless retries < max_retries
|
|
207
274
|
|
|
@@ -3,15 +3,17 @@
|
|
|
3
3
|
module Aws
|
|
4
4
|
module Endpoints
|
|
5
5
|
class Endpoint
|
|
6
|
-
def initialize(url:, properties: {}, headers: {})
|
|
6
|
+
def initialize(url:, properties: {}, headers: {}, metadata: {})
|
|
7
7
|
@url = url
|
|
8
8
|
@properties = properties
|
|
9
9
|
@headers = headers
|
|
10
|
+
@metadata = metadata
|
|
10
11
|
end
|
|
11
12
|
|
|
12
13
|
attr_reader :url
|
|
13
14
|
attr_reader :properties
|
|
14
15
|
attr_reader :headers
|
|
16
|
+
attr_reader :metadata
|
|
15
17
|
end
|
|
16
18
|
end
|
|
17
19
|
end
|
|
@@ -28,7 +28,11 @@ module Aws
|
|
|
28
28
|
|
|
29
29
|
val = if (index = parts.first[BRACKET_REGEX, 1])
|
|
30
30
|
# remove brackets and index from part before indexing
|
|
31
|
-
|
|
31
|
+
if (base = parts.first.gsub(BRACKET_REGEX, '')) && !base.empty?
|
|
32
|
+
value[base][index.to_i]
|
|
33
|
+
else
|
|
34
|
+
value[index.to_i]
|
|
35
|
+
end
|
|
32
36
|
else
|
|
33
37
|
value[parts.first]
|
|
34
38
|
end
|
|
@@ -90,14 +94,7 @@ module Aws
|
|
|
90
94
|
|
|
91
95
|
# aws.partition(value: string) Option<Partition>
|
|
92
96
|
def self.aws_partition(value)
|
|
93
|
-
partition
|
|
94
|
-
Aws::Partitions.find { |p| p.region?(value) } ||
|
|
95
|
-
Aws::Partitions.find { |p| value.match(p.region_regex) } ||
|
|
96
|
-
Aws::Partitions.find { |p| p.name == 'aws' }
|
|
97
|
-
|
|
98
|
-
return nil unless partition
|
|
99
|
-
|
|
100
|
-
partition.metadata
|
|
97
|
+
Aws::Partitions::Metadata.partition(value)
|
|
101
98
|
end
|
|
102
99
|
|
|
103
100
|
# aws.parseArn(value: string) Option<ARN>
|
|
@@ -14,9 +14,18 @@ require_relative 'endpoints/templater'
|
|
|
14
14
|
require_relative 'endpoints/tree_rule'
|
|
15
15
|
require_relative 'endpoints/url'
|
|
16
16
|
|
|
17
|
+
require 'aws-sigv4'
|
|
18
|
+
|
|
17
19
|
module Aws
|
|
18
20
|
# @api private
|
|
19
21
|
module Endpoints
|
|
22
|
+
SUPPORTED_AUTH_TRAITS = %w[
|
|
23
|
+
aws.auth#sigv4
|
|
24
|
+
aws.auth#sigv4a
|
|
25
|
+
smithy.api#httpBearerAuth
|
|
26
|
+
smithy.api#noAuth
|
|
27
|
+
].freeze
|
|
28
|
+
|
|
20
29
|
class << self
|
|
21
30
|
def resolve_auth_scheme(context, endpoint)
|
|
22
31
|
if endpoint && (auth_schemes = endpoint.properties['authSchemes'])
|
|
@@ -33,8 +42,71 @@ module Aws
|
|
|
33
42
|
|
|
34
43
|
private
|
|
35
44
|
|
|
45
|
+
def merge_signing_defaults(auth_scheme, config)
|
|
46
|
+
if %w[sigv4 sigv4a sigv4-s3express].include?(auth_scheme['name'])
|
|
47
|
+
auth_scheme['signingName'] ||= sigv4_name(config)
|
|
48
|
+
|
|
49
|
+
# back fill disableNormalizePath for S3 until it gets correctly set in the rules
|
|
50
|
+
if auth_scheme['signingName'] == 's3' &&
|
|
51
|
+
!auth_scheme.include?('disableNormalizePath') &&
|
|
52
|
+
auth_scheme.include?('disableDoubleEncoding')
|
|
53
|
+
auth_scheme['disableNormalizePath'] = auth_scheme['disableDoubleEncoding']
|
|
54
|
+
end
|
|
55
|
+
if auth_scheme['name'] == 'sigv4a'
|
|
56
|
+
# config option supersedes endpoint properties
|
|
57
|
+
auth_scheme['signingRegionSet'] =
|
|
58
|
+
config.sigv4a_signing_region_set || auth_scheme['signingRegionSet'] || [config.region]
|
|
59
|
+
else
|
|
60
|
+
auth_scheme['signingRegion'] ||= config.region
|
|
61
|
+
end
|
|
62
|
+
end
|
|
63
|
+
auth_scheme
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
def sigv4_name(config)
|
|
67
|
+
config.api.metadata['signingName'] ||
|
|
68
|
+
config.api.metadata['endpointPrefix']
|
|
69
|
+
end
|
|
70
|
+
|
|
36
71
|
def default_auth_scheme(context)
|
|
37
|
-
|
|
72
|
+
if (auth_list = default_api_auth(context))
|
|
73
|
+
auth = auth_list.find { |a| SUPPORTED_AUTH_TRAITS.include?(a) }
|
|
74
|
+
case auth
|
|
75
|
+
when 'aws.auth#sigv4', 'aws.auth#sigv4a'
|
|
76
|
+
auth_scheme = { 'name' => auth.split('#').last }
|
|
77
|
+
if s3_or_s3v4_signature_version?(context)
|
|
78
|
+
auth_scheme = auth_scheme.merge(
|
|
79
|
+
'disableDoubleEncoding' => true,
|
|
80
|
+
'disableNormalizePath' => true
|
|
81
|
+
)
|
|
82
|
+
end
|
|
83
|
+
merge_signing_defaults(auth_scheme, context.config)
|
|
84
|
+
when 'smithy.api#httpBearerAuth'
|
|
85
|
+
{ 'name' => 'bearer' }
|
|
86
|
+
when 'smithy.api#noAuth'
|
|
87
|
+
{ 'name' => 'none' }
|
|
88
|
+
else
|
|
89
|
+
raise 'No supported auth trait for this endpoint.'
|
|
90
|
+
end
|
|
91
|
+
else
|
|
92
|
+
legacy_default_auth_scheme(context)
|
|
93
|
+
end
|
|
94
|
+
end
|
|
95
|
+
|
|
96
|
+
def default_api_auth(context)
|
|
97
|
+
context.config.api.operation(context.operation_name)['auth'] ||
|
|
98
|
+
context.config.api.metadata['auth']
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
def s3_or_s3v4_signature_version?(context)
|
|
102
|
+
%w[s3 s3v4].include?(context.config.api.metadata['signatureVersion'])
|
|
103
|
+
end
|
|
104
|
+
|
|
105
|
+
# Legacy auth resolution - looks for deprecated signatureVersion
|
|
106
|
+
# and authType traits.
|
|
107
|
+
|
|
108
|
+
def legacy_default_auth_scheme(context)
|
|
109
|
+
case legacy_default_api_authtype(context)
|
|
38
110
|
when 'v4', 'v4-unsigned-body'
|
|
39
111
|
auth_scheme = { 'name' => 'sigv4' }
|
|
40
112
|
merge_signing_defaults(auth_scheme, context.config)
|
|
@@ -52,27 +124,11 @@ module Aws
|
|
|
52
124
|
end
|
|
53
125
|
end
|
|
54
126
|
|
|
55
|
-
def
|
|
56
|
-
if %w[sigv4 sigv4a].include?(auth_scheme['name'])
|
|
57
|
-
auth_scheme['signingName'] ||= sigv4_name(config)
|
|
58
|
-
if auth_scheme['name'] == 'sigv4a'
|
|
59
|
-
auth_scheme['signingRegionSet'] ||= ['*']
|
|
60
|
-
else
|
|
61
|
-
auth_scheme['signingRegion'] ||= config.region
|
|
62
|
-
end
|
|
63
|
-
end
|
|
64
|
-
auth_scheme
|
|
65
|
-
end
|
|
66
|
-
|
|
67
|
-
def default_api_authtype(context)
|
|
127
|
+
def legacy_default_api_authtype(context)
|
|
68
128
|
context.config.api.operation(context.operation_name)['authtype'] ||
|
|
69
129
|
context.config.api.metadata['signatureVersion']
|
|
70
130
|
end
|
|
71
131
|
|
|
72
|
-
def sigv4_name(config)
|
|
73
|
-
config.api.metadata['signingName'] ||
|
|
74
|
-
config.api.metadata['endpointPrefix']
|
|
75
|
-
end
|
|
76
132
|
end
|
|
77
133
|
end
|
|
78
134
|
end
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Aws
|
|
4
|
+
class ErrorHandler < Seahorse::Client::Handler
|
|
5
|
+
|
|
6
|
+
private
|
|
7
|
+
|
|
8
|
+
def error(context)
|
|
9
|
+
body = context.http_response.body_contents
|
|
10
|
+
if body.empty?
|
|
11
|
+
code, message, data = http_status_error(context)
|
|
12
|
+
else
|
|
13
|
+
code, message, data = extract_error(body, context)
|
|
14
|
+
end
|
|
15
|
+
build_error(context, code, message, data)
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
def build_error(context, code, message, data)
|
|
19
|
+
errors_module = context.client.class.errors_module
|
|
20
|
+
errors_module.error_class(code).new(context, message, data)
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def http_status_error(context)
|
|
24
|
+
[http_status_error_code(context), '', EmptyStructure.new]
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def http_status_error_code(context)
|
|
28
|
+
status_code = context.http_response.status_code
|
|
29
|
+
{
|
|
30
|
+
302 => 'MovedTemporarily',
|
|
31
|
+
304 => 'NotModified',
|
|
32
|
+
400 => 'BadRequest',
|
|
33
|
+
403 => 'Forbidden',
|
|
34
|
+
404 => 'NotFound',
|
|
35
|
+
412 => 'PreconditionFailed',
|
|
36
|
+
413 => 'RequestEntityTooLarge',
|
|
37
|
+
}[status_code] || "Http#{status_code}Error"
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
end
|
|
41
|
+
end
|
data/lib/aws-sdk-core/errors.rb
CHANGED
|
@@ -12,7 +12,7 @@ module Aws
|
|
|
12
12
|
class ServiceError < RuntimeError
|
|
13
13
|
|
|
14
14
|
# @param [Seahorse::Client::RequestContext] context
|
|
15
|
-
# @param [String] message
|
|
15
|
+
# @param [String, nil] message
|
|
16
16
|
# @param [Aws::Structure] data
|
|
17
17
|
def initialize(context, message, data = Aws::EmptyStructure.new)
|
|
18
18
|
@code = self.class.code
|
|
@@ -34,7 +34,7 @@ module Aws
|
|
|
34
34
|
|
|
35
35
|
class << self
|
|
36
36
|
|
|
37
|
-
# @return [String]
|
|
37
|
+
# @return [String, nil]
|
|
38
38
|
attr_accessor :code
|
|
39
39
|
|
|
40
40
|
end
|
|
@@ -236,6 +236,15 @@ module Aws
|
|
|
236
236
|
end
|
|
237
237
|
end
|
|
238
238
|
|
|
239
|
+
# Raised when a client is constructed and the sigv4a region set is invalid.
|
|
240
|
+
# It is invalid when it is empty and/or contains empty strings.
|
|
241
|
+
class InvalidRegionSetError < ArgumentError
|
|
242
|
+
def initialize(*args)
|
|
243
|
+
msg = 'The provided sigv4a region set was empty or invalid.'
|
|
244
|
+
super(msg)
|
|
245
|
+
end
|
|
246
|
+
end
|
|
247
|
+
|
|
239
248
|
# Raised when a client is contsructed and the region is not valid.
|
|
240
249
|
class InvalidRegionError < ArgumentError
|
|
241
250
|
def initialize(*args)
|
|
@@ -6,7 +6,6 @@ module Aws
|
|
|
6
6
|
def initialize
|
|
7
7
|
@listeners = {}
|
|
8
8
|
@validate_event = true
|
|
9
|
-
@status = :sleep
|
|
10
9
|
@signal_queue = Queue.new
|
|
11
10
|
end
|
|
12
11
|
|
|
@@ -40,25 +39,10 @@ module Aws
|
|
|
40
39
|
Aws::ParamValidator.validate!(
|
|
41
40
|
@encoder.rules.shape.member(type), params)
|
|
42
41
|
end
|
|
43
|
-
_ready_for_events?
|
|
44
42
|
@stream.data(
|
|
45
43
|
@encoder.encode(type, params),
|
|
46
44
|
end_stream: type == :end_stream
|
|
47
45
|
)
|
|
48
46
|
end
|
|
49
|
-
|
|
50
|
-
private
|
|
51
|
-
|
|
52
|
-
def _ready_for_events?
|
|
53
|
-
return true if @status == :ready
|
|
54
|
-
|
|
55
|
-
# blocked until once initial 200 response is received
|
|
56
|
-
# signal will be available in @signal_queue
|
|
57
|
-
# and this check will no longer be blocked
|
|
58
|
-
@signal_queue.pop
|
|
59
|
-
@status = :ready
|
|
60
|
-
true
|
|
61
|
-
end
|
|
62
|
-
|
|
63
47
|
end
|
|
64
48
|
end
|