aws-sdk-core 3.187.1 → 3.188.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-core/ecs_credentials.rb +76 -10
- data/lib/aws-sdk-sso/client.rb +1 -1
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-ssooidc/client.rb +1 -1
- data/lib/aws-sdk-ssooidc.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +1 -1
- data/lib/aws-sdk-sts/presigner.rb +1 -1
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/seahorse/client/net_http/patches.rb +1 -4
- data/lib/seahorse/client/plugins/h2.rb +3 -3
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 116ce287a47541305621ccf38cc1e53f756812b453ad271432f09b149e0a6a1e
|
4
|
+
data.tar.gz: dead4ace5e8003c81b726f8d33e4d9a87ef67d4ee05f9db0a1b597a0e08efeed
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 5c8e05a07f49a55341bd54cfc39da5383de63172059a51167f26d6410d94f2a2dc6b5afa184efcbd565606e82a4706804d80c7da19ee3a6e32023e743cd24651
|
7
|
+
data.tar.gz: 8e2b3599e93a1fbaa7e1db5509b76a522a0eed215b6823d92cd90575829ace8f0d647e7c936d37ce067a9a25c105761d866fb34239e426240193802aa7d28658
|
data/CHANGELOG.md
CHANGED
@@ -1,6 +1,13 @@
|
|
1
1
|
Unreleased Changes
|
2
2
|
------------------
|
3
3
|
|
4
|
+
3.188.0 (2023-11-22)
|
5
|
+
------------------
|
6
|
+
|
7
|
+
* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.3 and 2.4.
|
8
|
+
|
9
|
+
* Feature - Support `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` in `ECSCredentials` and also allow for ECS and EKS link-local http addresses.
|
10
|
+
|
4
11
|
3.187.1 (2023-11-20)
|
5
12
|
------------------
|
6
13
|
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
3.
|
1
|
+
3.188.0
|
@@ -6,7 +6,7 @@ require 'resolv'
|
|
6
6
|
|
7
7
|
module Aws
|
8
8
|
# An auto-refreshing credential provider that loads credentials from
|
9
|
-
# instances running in
|
9
|
+
# instances running in containers.
|
10
10
|
#
|
11
11
|
# ecs_credentials = Aws::ECSCredentials.new(retries: 3)
|
12
12
|
# ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
|
@@ -17,6 +17,12 @@ module Aws
|
|
17
17
|
# @api private
|
18
18
|
class Non200Response < RuntimeError; end
|
19
19
|
|
20
|
+
# Raised when the token file cannot be read.
|
21
|
+
class TokenFileReadError < RuntimeError; end
|
22
|
+
|
23
|
+
# Raised when the token file is invalid.
|
24
|
+
class InvalidTokenError < RuntimeError; end
|
25
|
+
|
20
26
|
# These are the errors we trap when attempting to talk to the
|
21
27
|
# instance metadata service. Any of these imply the service
|
22
28
|
# is not present, no responding or some other non-recoverable
|
@@ -41,7 +47,7 @@ module Aws
|
|
41
47
|
# is set and `credential_path` is not set.
|
42
48
|
# @option options [String] :credential_path By default, the value of the
|
43
49
|
# AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
|
44
|
-
# @option options [String] :endpoint The
|
50
|
+
# @option options [String] :endpoint The container credential endpoint.
|
45
51
|
# By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
|
46
52
|
# environment variable. This value is ignored if `credential_path` or
|
47
53
|
# ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
|
@@ -64,7 +70,6 @@ module Aws
|
|
64
70
|
endpoint = options[:endpoint] ||
|
65
71
|
ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
|
66
72
|
initialize_uri(options, credential_path, endpoint)
|
67
|
-
@authorization_token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN']
|
68
73
|
|
69
74
|
@retries = options[:retries] || 5
|
70
75
|
@http_open_timeout = options[:http_open_timeout] || 5
|
@@ -103,11 +108,18 @@ module Aws
|
|
103
108
|
|
104
109
|
def initialize_full_uri(endpoint)
|
105
110
|
uri = URI.parse(endpoint)
|
111
|
+
validate_full_uri_scheme!(uri)
|
106
112
|
validate_full_uri!(uri)
|
107
|
-
@host = uri.
|
113
|
+
@host = uri.hostname
|
108
114
|
@port = uri.port
|
109
115
|
@scheme = uri.scheme
|
110
|
-
@credential_path = uri.
|
116
|
+
@credential_path = uri.request_uri
|
117
|
+
end
|
118
|
+
|
119
|
+
def validate_full_uri_scheme!(full_uri)
|
120
|
+
return if full_uri.is_a?(URI::HTTP) || full_uri.is_a?(URI::HTTPS)
|
121
|
+
|
122
|
+
raise ArgumentError, "'#{full_uri}' must be a valid HTTP or HTTPS URI"
|
111
123
|
end
|
112
124
|
|
113
125
|
# Validate that the full URI is using a loopback address if scheme is http.
|
@@ -115,19 +127,24 @@ module Aws
|
|
115
127
|
return unless full_uri.scheme == 'http'
|
116
128
|
|
117
129
|
begin
|
118
|
-
return if
|
130
|
+
return if valid_ip_address?(IPAddr.new(full_uri.host))
|
119
131
|
rescue IPAddr::InvalidAddressError
|
120
132
|
addresses = Resolv.getaddresses(full_uri.host)
|
121
|
-
return if addresses.all? { |addr|
|
133
|
+
return if addresses.all? { |addr| valid_ip_address?(IPAddr.new(addr)) }
|
122
134
|
end
|
123
135
|
|
124
136
|
raise ArgumentError,
|
125
|
-
'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a loopback '\
|
126
|
-
'address when using the http scheme.'
|
137
|
+
'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a local loopback '\
|
138
|
+
'or an ECS or EKS link-local address when using the http scheme.'
|
139
|
+
end
|
140
|
+
|
141
|
+
def valid_ip_address?(ip_address)
|
142
|
+
ip_loopback?(ip_address) || ecs_or_eks_ip?(ip_address)
|
127
143
|
end
|
128
144
|
|
129
145
|
# loopback? method is available in Ruby 2.5+
|
130
146
|
# Replicate the logic here.
|
147
|
+
# loopback (IPv4 127.0.0.0/8, IPv6 ::1/128)
|
131
148
|
def ip_loopback?(ip_address)
|
132
149
|
case ip_address.family
|
133
150
|
when Socket::AF_INET
|
@@ -139,6 +156,20 @@ module Aws
|
|
139
156
|
end
|
140
157
|
end
|
141
158
|
|
159
|
+
# Verify that the IP address is a link-local address from ECS or EKS.
|
160
|
+
# ECS container host (IPv4 `169.254.170.2`)
|
161
|
+
# EKS container host (IPv4 `169.254.170.23`, IPv6 `fd00:ec2::23`)
|
162
|
+
def ecs_or_eks_ip?(ip_address)
|
163
|
+
case ip_address.family
|
164
|
+
when Socket::AF_INET
|
165
|
+
[0xa9feaa02, 0xa9feaa17].include?(ip_address)
|
166
|
+
when Socket::AF_INET6
|
167
|
+
ip_address == 0xfd00_0ec2_0000_0000_0000_0000_0000_0023
|
168
|
+
else
|
169
|
+
false
|
170
|
+
end
|
171
|
+
end
|
172
|
+
|
142
173
|
def backoff(backoff)
|
143
174
|
case backoff
|
144
175
|
when Proc then backoff
|
@@ -174,10 +205,36 @@ module Aws
|
|
174
205
|
http_get(conn, @credential_path)
|
175
206
|
end
|
176
207
|
end
|
208
|
+
rescue TokenFileReadError, InvalidTokenError
|
209
|
+
raise
|
177
210
|
rescue StandardError
|
178
211
|
'{}'
|
179
212
|
end
|
180
213
|
|
214
|
+
def fetch_authorization_token
|
215
|
+
if (path = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE'])
|
216
|
+
fetch_authorization_token_file(path)
|
217
|
+
elsif (token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN'])
|
218
|
+
token
|
219
|
+
end
|
220
|
+
end
|
221
|
+
|
222
|
+
def fetch_authorization_token_file(path)
|
223
|
+
File.read(path).strip
|
224
|
+
rescue Errno::ENOENT
|
225
|
+
raise TokenFileReadError,
|
226
|
+
'AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE is set '\
|
227
|
+
"but the file doesn't exist: #{path}"
|
228
|
+
end
|
229
|
+
|
230
|
+
def validate_authorization_token!(token)
|
231
|
+
return unless token.include?("\r\n")
|
232
|
+
|
233
|
+
raise InvalidTokenError,
|
234
|
+
'Invalid Authorization token: token contains '\
|
235
|
+
'a newline and carriage return character.'
|
236
|
+
end
|
237
|
+
|
181
238
|
def open_connection
|
182
239
|
http = Net::HTTP.new(@host, @port, nil)
|
183
240
|
http.open_timeout = @http_open_timeout
|
@@ -190,18 +247,27 @@ module Aws
|
|
190
247
|
|
191
248
|
def http_get(connection, path)
|
192
249
|
request = Net::HTTP::Get.new(path)
|
193
|
-
request
|
250
|
+
set_authorization_token(request)
|
194
251
|
response = connection.request(request)
|
195
252
|
raise Non200Response unless response.code.to_i == 200
|
196
253
|
|
197
254
|
response.body
|
198
255
|
end
|
199
256
|
|
257
|
+
def set_authorization_token(request)
|
258
|
+
if (authorization_token = fetch_authorization_token)
|
259
|
+
validate_authorization_token!(authorization_token)
|
260
|
+
request['Authorization'] = authorization_token
|
261
|
+
end
|
262
|
+
end
|
263
|
+
|
200
264
|
def retry_errors(error_classes, options = {})
|
201
265
|
max_retries = options[:max_retries]
|
202
266
|
retries = 0
|
203
267
|
begin
|
204
268
|
yield
|
269
|
+
rescue TokenFileReadError, InvalidTokenError
|
270
|
+
raise
|
205
271
|
rescue *error_classes => _e
|
206
272
|
raise unless retries < max_retries
|
207
273
|
|
data/lib/aws-sdk-sso/client.rb
CHANGED
data/lib/aws-sdk-sso.rb
CHANGED
data/lib/aws-sdk-ssooidc.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
@@ -2352,7 +2352,7 @@ module Aws::STS
|
|
2352
2352
|
params: params,
|
2353
2353
|
config: config)
|
2354
2354
|
context[:gem_name] = 'aws-sdk-core'
|
2355
|
-
context[:gem_version] = '3.
|
2355
|
+
context[:gem_version] = '3.188.0'
|
2356
2356
|
Seahorse::Client::Request.new(handlers, context)
|
2357
2357
|
end
|
2358
2358
|
|
@@ -35,7 +35,7 @@ module Aws
|
|
35
35
|
# )
|
36
36
|
#
|
37
37
|
# This can be easily converted to a token used by the EKS service:
|
38
|
-
# {https://ruby-
|
38
|
+
# {https://docs.ruby-lang.org/en/3.2/Base64.html#method-i-encode64}
|
39
39
|
# "k8s-aws-v1." + Base64.urlsafe_encode64(url).chomp("==")
|
40
40
|
def get_caller_identity_presigned_url(options = {})
|
41
41
|
req = @client.build_request(:get_caller_identity, {})
|
data/lib/aws-sdk-sts.rb
CHANGED
@@ -12,12 +12,9 @@ module Seahorse
|
|
12
12
|
|
13
13
|
def self.apply!
|
14
14
|
Net::HTTPGenericRequest.prepend(PatchDefaultContentType)
|
15
|
-
return unless RUBY_VERSION < '2.5'
|
16
|
-
|
17
|
-
Net::HTTP::IDEMPOTENT_METHODS_.clear
|
18
15
|
end
|
19
16
|
|
20
|
-
# For requests with
|
17
|
+
# For requests with bodies, Net::HTTP sets a default content type of:
|
21
18
|
# 'application/x-www-form-urlencoded'
|
22
19
|
# There are cases where we should not send content type at all.
|
23
20
|
# Even when no body is supplied, Net::HTTP uses a default empty body
|
@@ -54,9 +54,9 @@ When `true`, HTTP2 debug output will be sent to the `:logger`.
|
|
54
54
|
DOCS
|
55
55
|
|
56
56
|
option(:enable_alpn, default: false, doc_type: 'Boolean', docstring: <<-DOCS)
|
57
|
-
|
58
|
-
|
59
|
-
|
57
|
+
Set to `true` to enable ALPN in HTTP2 over TLS. Requires Openssl version >= 1.0.2.
|
58
|
+
Defaults to false. Note: not all service HTTP2 operations supports ALPN on server
|
59
|
+
side, please refer to service documentation.
|
60
60
|
DOCS
|
61
61
|
|
62
62
|
option(:logger)
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws-sdk-core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.
|
4
|
+
version: 3.188.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Amazon Web Services
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-11-
|
11
|
+
date: 2023-11-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: jmespath
|
@@ -353,7 +353,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
353
353
|
requirements:
|
354
354
|
- - ">="
|
355
355
|
- !ruby/object:Gem::Version
|
356
|
-
version: '2.
|
356
|
+
version: '2.5'
|
357
357
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
358
358
|
requirements:
|
359
359
|
- - ">="
|