aws-sdk-core 3.187.1 → 3.188.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 561667b57fedf978414b0b67a7f19b73b01efa69bdfdd5db8a08c27c010f7b18
-  data.tar.gz: 460eec65537106f724e800ef0f81508fc714903da611ac8807071109d560206d
+  metadata.gz: 116ce287a47541305621ccf38cc1e53f756812b453ad271432f09b149e0a6a1e
+  data.tar.gz: dead4ace5e8003c81b726f8d33e4d9a87ef67d4ee05f9db0a1b597a0e08efeed
 SHA512:
-  metadata.gz: 63ec538568fc713a797c3f4f8c775482e0e2da2b8ea6938c9c8b7366aa52a36606d5e2feed58f8475306217a7e4599843a7c98889046dc4ea2a2a15ee339d8c9
-  data.tar.gz: c09ed8f0ba5302dbd470132a01c759851eacaab6c18f93034d95e3b755c645fae03702d80e4f1fb20630a2407d778ed60b2a8740f809255e5d00cef89120a982
+  metadata.gz: 5c8e05a07f49a55341bd54cfc39da5383de63172059a51167f26d6410d94f2a2dc6b5afa184efcbd565606e82a4706804d80c7da19ee3a6e32023e743cd24651
+  data.tar.gz: 8e2b3599e93a1fbaa7e1db5509b76a522a0eed215b6823d92cd90575829ace8f0d647e7c936d37ce067a9a25c105761d866fb34239e426240193802aa7d28658

data/CHANGELOG.md

@@ -1,6 +1,13 @@
 Unreleased Changes
 ------------------
 
+3.188.0 (2023-11-22)
+------------------
+
+* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.3 and 2.4.
+
+* Feature - Support `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` in `ECSCredentials` and also allow for ECS and EKS link-local http addresses.
+
 3.187.1 (2023-11-20)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.187.1
+3.188.0

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -6,7 +6,7 @@ require 'resolv'
 
 module Aws
   # An auto-refreshing credential provider that loads credentials from
-  # instances running in ECS.
+  # instances running in containers.
   #
   #     ecs_credentials = Aws::ECSCredentials.new(retries: 3)
   #     ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
@@ -17,6 +17,12 @@ module Aws
     # @api private
     class Non200Response < RuntimeError; end
 
+    # Raised when the token file cannot be read.
+    class TokenFileReadError < RuntimeError; end
+
+    # Raised when the token file is invalid.
+    class InvalidTokenError < RuntimeError; end
+
     # These are the errors we trap when attempting to talk to the
     # instance metadata service.  Any of these imply the service
     # is not present, no responding or some other non-recoverable
@@ -41,7 +47,7 @@ module Aws
     #   is set and `credential_path` is not set.
     # @option options [String] :credential_path By default, the value of the
     #   AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
-    # @option options [String] :endpoint The ECS credential endpoint.
+    # @option options [String] :endpoint The container credential endpoint.
     #   By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
     #   environment variable. This value is ignored if `credential_path` or
     #   ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
@@ -64,7 +70,6 @@ module Aws
       endpoint = options[:endpoint] ||
                  ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
       initialize_uri(options, credential_path, endpoint)
-      @authorization_token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN']
 
       @retries = options[:retries] || 5
       @http_open_timeout = options[:http_open_timeout] || 5
@@ -103,11 +108,18 @@ module Aws
 
     def initialize_full_uri(endpoint)
       uri = URI.parse(endpoint)
+      validate_full_uri_scheme!(uri)
       validate_full_uri!(uri)
-      @host = uri.host
+      @host = uri.hostname
       @port = uri.port
       @scheme = uri.scheme
-      @credential_path = uri.path
+      @credential_path = uri.request_uri
+    end
+
+    def validate_full_uri_scheme!(full_uri)
+      return if full_uri.is_a?(URI::HTTP) || full_uri.is_a?(URI::HTTPS)
+
+      raise ArgumentError, "'#{full_uri}' must be a valid HTTP or HTTPS URI"
     end
 
     # Validate that the full URI is using a loopback address if scheme is http.
@@ -115,19 +127,24 @@ module Aws
       return unless full_uri.scheme == 'http'
 
       begin
-        return if ip_loopback?(IPAddr.new(full_uri.host))
+        return if valid_ip_address?(IPAddr.new(full_uri.host))
       rescue IPAddr::InvalidAddressError
         addresses = Resolv.getaddresses(full_uri.host)
-        return if addresses.all? { |addr| ip_loopback?(IPAddr.new(addr)) }
+        return if addresses.all? { |addr| valid_ip_address?(IPAddr.new(addr)) }
       end
 
       raise ArgumentError,
-            'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a loopback '\
-            'address when using the http scheme.'
+            'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a local loopback '\
+            'or an ECS or EKS link-local address when using the http scheme.'
+    end
+
+    def valid_ip_address?(ip_address)
+      ip_loopback?(ip_address) || ecs_or_eks_ip?(ip_address)
     end
 
     # loopback? method is available in Ruby 2.5+
     # Replicate the logic here.
+    # loopback (IPv4 127.0.0.0/8, IPv6 ::1/128)
     def ip_loopback?(ip_address)
       case ip_address.family
       when Socket::AF_INET
@@ -139,6 +156,20 @@ module Aws
       end
     end
 
+    # Verify that the IP address is a link-local address from ECS or EKS.
+    # ECS container host (IPv4 `169.254.170.2`)
+    # EKS container host (IPv4 `169.254.170.23`, IPv6 `fd00:ec2::23`)
+    def ecs_or_eks_ip?(ip_address)
+      case ip_address.family
+      when Socket::AF_INET
+        [0xa9feaa02, 0xa9feaa17].include?(ip_address)
+      when Socket::AF_INET6
+        ip_address == 0xfd00_0ec2_0000_0000_0000_0000_0000_0023
+      else
+        false
+      end
+    end
+
     def backoff(backoff)
       case backoff
       when Proc then backoff
@@ -174,10 +205,36 @@ module Aws
           http_get(conn, @credential_path)
         end
       end
+    rescue TokenFileReadError, InvalidTokenError
+      raise
     rescue StandardError
       '{}'
     end
 
+    def fetch_authorization_token
+      if (path = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE'])
+        fetch_authorization_token_file(path)
+      elsif (token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN'])
+        token
+      end
+    end
+
+    def fetch_authorization_token_file(path)
+      File.read(path).strip
+    rescue Errno::ENOENT
+      raise TokenFileReadError,
+            'AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE is set '\
+            "but the file doesn't exist: #{path}"
+    end
+
+    def validate_authorization_token!(token)
+      return unless token.include?("\r\n")
+
+      raise InvalidTokenError,
+            'Invalid Authorization token: token contains '\
+            'a newline and carriage return character.'
+    end
+
     def open_connection
       http = Net::HTTP.new(@host, @port, nil)
       http.open_timeout = @http_open_timeout
@@ -190,18 +247,27 @@ module Aws
 
     def http_get(connection, path)
       request = Net::HTTP::Get.new(path)
-      request['Authorization'] = @authorization_token if @authorization_token
+      set_authorization_token(request)
       response = connection.request(request)
       raise Non200Response unless response.code.to_i == 200
 
       response.body
     end
 
+    def set_authorization_token(request)
+      if (authorization_token = fetch_authorization_token)
+        validate_authorization_token!(authorization_token)
+        request['Authorization'] = authorization_token
+      end
+    end
+
     def retry_errors(error_classes, options = {})
       max_retries = options[:max_retries]
       retries = 0
       begin
         yield
+      rescue TokenFileReadError, InvalidTokenError
+        raise
       rescue *error_classes => _e
         raise unless retries < max_retries
 

data/lib/aws-sdk-sso/client.rb

@@ -605,7 +605,7 @@ module Aws::SSO
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.187.1'
+      context[:gem_version] = '3.188.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-sso/customizations'
 # @!group service
 module Aws::SSO
 
-  GEM_VERSION = '3.187.1'
+  GEM_VERSION = '3.188.0'
 
 end

data/lib/aws-sdk-ssooidc/client.rb

@@ -910,7 +910,7 @@ module Aws::SSOOIDC
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.187.1'
+      context[:gem_version] = '3.188.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-ssooidc.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-ssooidc/customizations'
 # @!group service
 module Aws::SSOOIDC
 
-  GEM_VERSION = '3.187.1'
+  GEM_VERSION = '3.188.0'
 
 end

data/lib/aws-sdk-sts/client.rb

@@ -2352,7 +2352,7 @@ module Aws::STS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.187.1'
+      context[:gem_version] = '3.188.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sts/presigner.rb

@@ -35,7 +35,7 @@ module Aws
       #   )
       #
       # This can be easily converted to a token used by the EKS service:
-      # {https://ruby-doc.org/stdlib-2.3.1/libdoc/base64/rdoc/Base64.html#method-i-encode64}
+      # {https://docs.ruby-lang.org/en/3.2/Base64.html#method-i-encode64}
       # "k8s-aws-v1." + Base64.urlsafe_encode64(url).chomp("==")
       def get_caller_identity_presigned_url(options = {})
         req = @client.build_request(:get_caller_identity, {})

data/lib/aws-sdk-sts.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-sts/customizations'
 # @!group service
 module Aws::STS
 
-  GEM_VERSION = '3.187.1'
+  GEM_VERSION = '3.188.0'
 
 end

data/lib/seahorse/client/net_http/patches.rb

@@ -12,12 +12,9 @@ module Seahorse
 
         def self.apply!
           Net::HTTPGenericRequest.prepend(PatchDefaultContentType)
-          return unless RUBY_VERSION < '2.5'
-
-          Net::HTTP::IDEMPOTENT_METHODS_.clear
         end
 
-        # For requests with bodys, Net::HTTP sets a default content type of:
+        # For requests with bodies, Net::HTTP sets a default content type of:
         #   'application/x-www-form-urlencoded'
         # There are cases where we should not send content type at all.
         # Even when no body is supplied, Net::HTTP uses a default empty body

data/lib/seahorse/client/plugins/h2.rb

@@ -54,9 +54,9 @@ When `true`, HTTP2 debug output will be sent to the `:logger`.
         DOCS
 
         option(:enable_alpn, default: false, doc_type: 'Boolean', docstring: <<-DOCS)
-Setting to `true` to enable ALPN in HTTP2 over TLS, requires Ruby version >= 2.3 and
-Openssl version >= 1.0.2. Defaults to false. Note: not all service HTTP2 operations
-supports ALPN on server side, please refer to service documentation.
+Set to `true` to enable ALPN in HTTP2 over TLS. Requires Openssl version >= 1.0.2.
+Defaults to false. Note: not all service HTTP2 operations supports ALPN on server
+side, please refer to service documentation.
         DOCS
 
         option(:logger)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-  version: 3.187.1
+  version: 3.188.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-11-20 00:00:00.000000000 Z
+date: 2023-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jmespath
@@ -353,7 +353,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="