aws-sdk-core 3.187.1 → 3.189.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 561667b57fedf978414b0b67a7f19b73b01efa69bdfdd5db8a08c27c010f7b18
-  data.tar.gz: 460eec65537106f724e800ef0f81508fc714903da611ac8807071109d560206d
+  metadata.gz: 5d31e3056417287225e7e768fcc5e0b74e8529240ca9a35072a235950b325353
+  data.tar.gz: 986ab2973fd413c2928beab42e5811e9ae6b190e4dd27b1747cf0852b3ae1a5d
 SHA512:
-  metadata.gz: 63ec538568fc713a797c3f4f8c775482e0e2da2b8ea6938c9c8b7366aa52a36606d5e2feed58f8475306217a7e4599843a7c98889046dc4ea2a2a15ee339d8c9
-  data.tar.gz: c09ed8f0ba5302dbd470132a01c759851eacaab6c18f93034d95e3b755c645fae03702d80e4f1fb20630a2407d778ed60b2a8740f809255e5d00cef89120a982
+  metadata.gz: ea8a8cb3551e0ea979f39d4d4209208395d2bd86fad147ae4af82265c2e72c709057dcfdcfb047612486d01492521b6a83669221e30ff819fbe30734d8f969c2
+  data.tar.gz: 87475be62f02da7a68d6e5e01e8c46215383aedd1d86b56ef588ec9f8d48318b8f0d38ed73ec932f4a6eacbdf1a05d3373db24e8563cfc4a8b7a43887945641e

data/CHANGELOG.md

@@ -1,6 +1,24 @@
 Unreleased Changes
 ------------------
 
+3.189.0 (2023-11-28)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Support S3 Express authentication.
+
+3.188.0 (2023-11-22)
+------------------
+
+* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.3 and 2.4.
+
+* Feature - Support `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` in `ECSCredentials` and also allow for ECS and EKS link-local http addresses.
+
 3.187.1 (2023-11-20)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.187.1
+3.189.0

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -6,7 +6,7 @@ require 'resolv'
 
 module Aws
   # An auto-refreshing credential provider that loads credentials from
-  # instances running in ECS.
+  # instances running in containers.
   #
   #     ecs_credentials = Aws::ECSCredentials.new(retries: 3)
   #     ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
@@ -17,6 +17,12 @@ module Aws
     # @api private
     class Non200Response < RuntimeError; end
 
+    # Raised when the token file cannot be read.
+    class TokenFileReadError < RuntimeError; end
+
+    # Raised when the token file is invalid.
+    class InvalidTokenError < RuntimeError; end
+
     # These are the errors we trap when attempting to talk to the
     # instance metadata service.  Any of these imply the service
     # is not present, no responding or some other non-recoverable
@@ -41,7 +47,7 @@ module Aws
     #   is set and `credential_path` is not set.
     # @option options [String] :credential_path By default, the value of the
     #   AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
-    # @option options [String] :endpoint The ECS credential endpoint.
+    # @option options [String] :endpoint The container credential endpoint.
     #   By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
     #   environment variable. This value is ignored if `credential_path` or
     #   ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
@@ -64,7 +70,6 @@ module Aws
       endpoint = options[:endpoint] ||
                  ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
       initialize_uri(options, credential_path, endpoint)
-      @authorization_token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN']
 
       @retries = options[:retries] || 5
       @http_open_timeout = options[:http_open_timeout] || 5
@@ -103,11 +108,18 @@ module Aws
 
     def initialize_full_uri(endpoint)
       uri = URI.parse(endpoint)
+      validate_full_uri_scheme!(uri)
       validate_full_uri!(uri)
-      @host = uri.host
+      @host = uri.hostname
       @port = uri.port
       @scheme = uri.scheme
-      @credential_path = uri.path
+      @credential_path = uri.request_uri
+    end
+
+    def validate_full_uri_scheme!(full_uri)
+      return if full_uri.is_a?(URI::HTTP) || full_uri.is_a?(URI::HTTPS)
+
+      raise ArgumentError, "'#{full_uri}' must be a valid HTTP or HTTPS URI"
     end
 
     # Validate that the full URI is using a loopback address if scheme is http.
@@ -115,19 +127,24 @@ module Aws
       return unless full_uri.scheme == 'http'
 
       begin
-        return if ip_loopback?(IPAddr.new(full_uri.host))
+        return if valid_ip_address?(IPAddr.new(full_uri.host))
       rescue IPAddr::InvalidAddressError
         addresses = Resolv.getaddresses(full_uri.host)
-        return if addresses.all? { |addr| ip_loopback?(IPAddr.new(addr)) }
+        return if addresses.all? { |addr| valid_ip_address?(IPAddr.new(addr)) }
       end
 
       raise ArgumentError,
-            'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a loopback '\
-            'address when using the http scheme.'
+            'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a local loopback '\
+            'or an ECS or EKS link-local address when using the http scheme.'
+    end
+
+    def valid_ip_address?(ip_address)
+      ip_loopback?(ip_address) || ecs_or_eks_ip?(ip_address)
     end
 
     # loopback? method is available in Ruby 2.5+
     # Replicate the logic here.
+    # loopback (IPv4 127.0.0.0/8, IPv6 ::1/128)
     def ip_loopback?(ip_address)
       case ip_address.family
       when Socket::AF_INET
@@ -139,6 +156,20 @@ module Aws
       end
     end
 
+    # Verify that the IP address is a link-local address from ECS or EKS.
+    # ECS container host (IPv4 `169.254.170.2`)
+    # EKS container host (IPv4 `169.254.170.23`, IPv6 `fd00:ec2::23`)
+    def ecs_or_eks_ip?(ip_address)
+      case ip_address.family
+      when Socket::AF_INET
+        [0xa9feaa02, 0xa9feaa17].include?(ip_address)
+      when Socket::AF_INET6
+        ip_address == 0xfd00_0ec2_0000_0000_0000_0000_0000_0023
+      else
+        false
+      end
+    end
+
     def backoff(backoff)
       case backoff
       when Proc then backoff
@@ -174,10 +205,36 @@ module Aws
           http_get(conn, @credential_path)
         end
       end
+    rescue TokenFileReadError, InvalidTokenError
+      raise
     rescue StandardError
       '{}'
     end
 
+    def fetch_authorization_token
+      if (path = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE'])
+        fetch_authorization_token_file(path)
+      elsif (token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN'])
+        token
+      end
+    end
+
+    def fetch_authorization_token_file(path)
+      File.read(path).strip
+    rescue Errno::ENOENT
+      raise TokenFileReadError,
+            'AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE is set '\
+            "but the file doesn't exist: #{path}"
+    end
+
+    def validate_authorization_token!(token)
+      return unless token.include?("\r\n")
+
+      raise InvalidTokenError,
+            'Invalid Authorization token: token contains '\
+            'a newline and carriage return character.'
+    end
+
     def open_connection
       http = Net::HTTP.new(@host, @port, nil)
       http.open_timeout = @http_open_timeout
@@ -190,18 +247,27 @@ module Aws
 
     def http_get(connection, path)
       request = Net::HTTP::Get.new(path)
-      request['Authorization'] = @authorization_token if @authorization_token
+      set_authorization_token(request)
       response = connection.request(request)
       raise Non200Response unless response.code.to_i == 200
 
       response.body
     end
 
+    def set_authorization_token(request)
+      if (authorization_token = fetch_authorization_token)
+        validate_authorization_token!(authorization_token)
+        request['Authorization'] = authorization_token
+      end
+    end
+
     def retry_errors(error_classes, options = {})
       max_retries = options[:max_retries]
       retries = 0
       begin
         yield
+      rescue TokenFileReadError, InvalidTokenError
+        raise
       rescue *error_classes => _e
         raise unless retries < max_retries
 

data/lib/aws-sdk-core/endpoints.rb

@@ -53,7 +53,7 @@ module Aws
       end
 
       def merge_signing_defaults(auth_scheme, config)
-        if %w[sigv4 sigv4a].include?(auth_scheme['name'])
+        if %w[sigv4 sigv4a sigv4-s3express].include?(auth_scheme['name'])
           auth_scheme['signingName'] ||= sigv4_name(config)
           if auth_scheme['name'] == 'sigv4a'
             auth_scheme['signingRegionSet'] ||= ['*']

data/lib/aws-sdk-core/plugins/checksum_algorithm.rb

@@ -117,7 +117,8 @@ module Aws
 
         def call(context)
           if should_calculate_request_checksum?(context)
-            request_algorithm_input = ChecksumAlgorithm.request_algorithm_selection(context)
+            request_algorithm_input = ChecksumAlgorithm.request_algorithm_selection(context) ||
+                                      context[:default_request_checksum_algorithm]
             context[:checksum_algorithms] = request_algorithm_input
 
             request_checksum_property = {
@@ -140,7 +141,8 @@ module Aws
 
         def should_calculate_request_checksum?(context)
           context.operation.http_checksum &&
-            ChecksumAlgorithm.request_algorithm_selection(context)
+            (ChecksumAlgorithm.request_algorithm_selection(context) ||
+              context[:default_request_checksum_algorithm])
         end
 
         def should_verify_response_checksum?(context)

data/lib/aws-sdk-core/plugins/http_checksum.rb

@@ -12,7 +12,8 @@ module Aws
 
         def call(context)
           if checksum_required?(context) &&
-             !context[:checksum_algorithms] # skip in favor of flexible checksum
+             !context[:checksum_algorithms] && # skip in favor of flexible checksum
+             !context[:s3_express_endpoint] # s3 express endpoints do not support md5
             body = context.http_request.body
             context.http_request.headers['Content-Md5'] ||= md5(body)
           end

data/lib/aws-sdk-core/plugins/sign.rb

@@ -13,7 +13,7 @@ module Aws
       option(:sigv4_region)
       option(:unsigned_operations, default: [])
 
-      supported_auth_types = %w[sigv4 bearer none]
+      supported_auth_types = %w[sigv4 bearer sigv4-s3express none]
       supported_auth_types += ['sigv4a'] if Aws::Sigv4::Signer.use_crt?
       SUPPORTED_AUTH_TYPES = supported_auth_types.freeze
 
@@ -24,10 +24,14 @@ module Aws
 
       # @api private
       # Return a signer with the `sign(context)` method
-      def self.signer_for(auth_scheme, config, region_override = nil)
+      def self.signer_for(auth_scheme, config, sigv4_region_override = nil, sigv4_credentials_override = nil)
         case auth_scheme['name']
-        when 'sigv4', 'sigv4a'
-          SignatureV4.new(auth_scheme, config, region_override)
+        when 'sigv4', 'sigv4a', 'sigv4-s3express'
+          sigv4_overrides = {
+            region: sigv4_region_override,
+            credentials: sigv4_credentials_override
+          }
+          SignatureV4.new(auth_scheme, config, sigv4_overrides)
         when 'bearer'
           Bearer.new
         else
@@ -42,7 +46,8 @@ module Aws
             signer = Sign.signer_for(
               context[:auth_scheme],
               context.config,
-              context[:sigv4_region]
+              context[:sigv4_region],
+              context[:sigv4_credentials]
             )
             signer.sign(context)
           end
@@ -88,12 +93,12 @@ module Aws
 
       # @api private
       class SignatureV4
-        def initialize(auth_scheme, config, region_override = nil)
+        def initialize(auth_scheme, config, sigv4_overrides = {})
           scheme_name = auth_scheme['name']
 
-          unless %w[sigv4 sigv4a].include?(scheme_name)
+          unless %w[sigv4 sigv4a sigv4-s3express].include?(scheme_name)
             raise ArgumentError,
-                  "Expected sigv4 or sigv4a auth scheme, got #{scheme_name}"
+                  "Expected sigv4, sigv4a, or sigv4-s3express auth scheme, got #{scheme_name}"
           end
 
           region = if scheme_name == 'sigv4a'
@@ -104,8 +109,8 @@ module Aws
           begin
             @signer = Aws::Sigv4::Signer.new(
               service: config.sigv4_name || auth_scheme['signingName'],
-              region: region_override || config.sigv4_region || region,
-              credentials_provider: config.credentials,
+              region: sigv4_overrides[:region] || config.sigv4_region || region,
+              credentials_provider: sigv4_overrides[:credentials] || config.credentials,
               signing_algorithm: scheme_name.to_sym,
               uri_escape_path: !!!auth_scheme['disableDoubleEncoding'],
               normalize_path: !!!auth_scheme['disableNormalizePath'],

data/lib/aws-sdk-core/refreshing_credentials.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'thread'
-
 module Aws
 
   # Base class used credential classes that can be refreshed. This
@@ -48,6 +46,14 @@ module Aws
 
     private
 
+    def sync_expiration_length
+      self.class::SYNC_EXPIRATION_LENGTH
+    end
+
+    def async_expiration_length
+      self.class::ASYNC_EXPIRATION_LENGTH
+    end
+
     # Refreshes credentials asynchronously and synchronously.
     # If we are near to expiration, block while getting new credentials.
     # Otherwise, if we're approaching expiration, use the existing credentials
@@ -56,18 +62,18 @@ module Aws
       # Note: This check is an optimization. Rather than acquire the mutex on every #refresh_if_near_expiration
       # call, we check before doing so, and then we check within the mutex to avoid a race condition.
       # See issue: https://github.com/aws/aws-sdk-ruby/issues/2641 for more info.
-      if near_expiration?(SYNC_EXPIRATION_LENGTH)
+      if near_expiration?(sync_expiration_length)
         @mutex.synchronize do
-          if near_expiration?(SYNC_EXPIRATION_LENGTH)
+          if near_expiration?(sync_expiration_length)
             @before_refresh.call(self) if @before_refresh
             refresh
           end
         end
-      elsif @async_refresh && near_expiration?(ASYNC_EXPIRATION_LENGTH)
+      elsif @async_refresh && near_expiration?(async_expiration_length)
         unless @mutex.locked?
           Thread.new do
             @mutex.synchronize do
-              if near_expiration?(ASYNC_EXPIRATION_LENGTH)
+              if near_expiration?(async_expiration_length)
                 @before_refresh.call(self) if @before_refresh
                 refresh
               end

data/lib/aws-sdk-core/shared_config.rb

@@ -218,6 +218,7 @@ module Aws
       :s3_use_arn_region,
       :s3_us_east_1_regional_endpoint,
       :s3_disable_multiregion_access_points,
+      :s3_disable_express_session_auth,
       :defaults_mode,
       :sdk_ua_app_id,
       :disable_request_compression,

data/lib/aws-sdk-sso/client.rb

@@ -605,7 +605,7 @@ module Aws::SSO
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.187.1'
+      context[:gem_version] = '3.189.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso/plugins/endpoints.rb

@@ -25,16 +25,17 @@ module Aws::SSO
       # @api private
       class Handler < Seahorse::Client::Handler
         def call(context)
-          # If endpoint was discovered, do not resolve or apply the endpoint.
           unless context[:discovered_endpoint]
             params = parameters_for_operation(context)
             endpoint = context.config.endpoint_provider.resolve_endpoint(params)
 
             context.http_request.endpoint = endpoint.url
             apply_endpoint_headers(context, endpoint.headers)
+
+            context[:endpoint_params] = params
+            context[:endpoint_properties] = endpoint.properties
           end
 
-          context[:endpoint_params] = params
           context[:auth_scheme] =
             Aws::Endpoints.resolve_auth_scheme(context, endpoint)
 

data/lib/aws-sdk-sso.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-sso/customizations'
 # @!group service
 module Aws::SSO
 
-  GEM_VERSION = '3.187.1'
+  GEM_VERSION = '3.189.0'
 
 end

data/lib/aws-sdk-ssooidc/client.rb

@@ -910,7 +910,7 @@ module Aws::SSOOIDC
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.187.1'
+      context[:gem_version] = '3.189.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-ssooidc/plugins/endpoints.rb

@@ -25,16 +25,17 @@ module Aws::SSOOIDC
       # @api private
       class Handler < Seahorse::Client::Handler
         def call(context)
-          # If endpoint was discovered, do not resolve or apply the endpoint.
           unless context[:discovered_endpoint]
             params = parameters_for_operation(context)
             endpoint = context.config.endpoint_provider.resolve_endpoint(params)
 
             context.http_request.endpoint = endpoint.url
             apply_endpoint_headers(context, endpoint.headers)
+
+            context[:endpoint_params] = params
+            context[:endpoint_properties] = endpoint.properties
           end
 
-          context[:endpoint_params] = params
           context[:auth_scheme] =
             Aws::Endpoints.resolve_auth_scheme(context, endpoint)
 

data/lib/aws-sdk-ssooidc.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-ssooidc/customizations'
 # @!group service
 module Aws::SSOOIDC
 
-  GEM_VERSION = '3.187.1'
+  GEM_VERSION = '3.189.0'
 
 end

data/lib/aws-sdk-sts/client.rb

@@ -2352,7 +2352,7 @@ module Aws::STS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.187.1'
+      context[:gem_version] = '3.189.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sts/plugins/endpoints.rb

@@ -25,16 +25,17 @@ module Aws::STS
       # @api private
       class Handler < Seahorse::Client::Handler
         def call(context)
-          # If endpoint was discovered, do not resolve or apply the endpoint.
           unless context[:discovered_endpoint]
             params = parameters_for_operation(context)
             endpoint = context.config.endpoint_provider.resolve_endpoint(params)
 
             context.http_request.endpoint = endpoint.url
             apply_endpoint_headers(context, endpoint.headers)
+
+            context[:endpoint_params] = params
+            context[:endpoint_properties] = endpoint.properties
           end
 
-          context[:endpoint_params] = params
           context[:auth_scheme] =
             Aws::Endpoints.resolve_auth_scheme(context, endpoint)
 

data/lib/aws-sdk-sts/presigner.rb

@@ -35,7 +35,7 @@ module Aws
       #   )
       #
       # This can be easily converted to a token used by the EKS service:
-      # {https://ruby-doc.org/stdlib-2.3.1/libdoc/base64/rdoc/Base64.html#method-i-encode64}
+      # {https://docs.ruby-lang.org/en/3.2/Base64.html#method-i-encode64}
       # "k8s-aws-v1." + Base64.urlsafe_encode64(url).chomp("==")
       def get_caller_identity_presigned_url(options = {})
         req = @client.build_request(:get_caller_identity, {})

data/lib/aws-sdk-sts.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-sts/customizations'
 # @!group service
 module Aws::STS
 
-  GEM_VERSION = '3.187.1'
+  GEM_VERSION = '3.189.0'
 
 end

data/lib/seahorse/client/net_http/patches.rb

@@ -12,12 +12,9 @@ module Seahorse
 
         def self.apply!
           Net::HTTPGenericRequest.prepend(PatchDefaultContentType)
-          return unless RUBY_VERSION < '2.5'
-
-          Net::HTTP::IDEMPOTENT_METHODS_.clear
         end
 
-        # For requests with bodys, Net::HTTP sets a default content type of:
+        # For requests with bodies, Net::HTTP sets a default content type of:
         #   'application/x-www-form-urlencoded'
         # There are cases where we should not send content type at all.
         # Even when no body is supplied, Net::HTTP uses a default empty body

data/lib/seahorse/client/plugins/h2.rb

@@ -54,9 +54,9 @@ When `true`, HTTP2 debug output will be sent to the `:logger`.
         DOCS
 
         option(:enable_alpn, default: false, doc_type: 'Boolean', docstring: <<-DOCS)
-Setting to `true` to enable ALPN in HTTP2 over TLS, requires Ruby version >= 2.3 and
-Openssl version >= 1.0.2. Defaults to false. Note: not all service HTTP2 operations
-supports ALPN on server side, please refer to service documentation.
+Set to `true` to enable ALPN in HTTP2 over TLS. Requires Openssl version >= 1.0.2.
+Defaults to false. Note: not all service HTTP2 operations supports ALPN on server
+side, please refer to service documentation.
         DOCS
 
         option(:logger)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-  version: 3.187.1
+  version: 3.189.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-11-20 00:00:00.000000000 Z
+date: 2023-11-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jmespath
@@ -56,14 +56,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '1.8'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '1.8'
 - !ruby/object:Gem::Dependency
   name: aws-eventstream
   requirement: !ruby/object:Gem::Requirement
@@ -73,7 +73,7 @@ dependencies:
         version: '1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.2
+        version: 1.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -83,7 +83,7 @@ dependencies:
         version: '1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.2
+        version: 1.3.0
 description: Provides API clients for AWS. This gem is part of the official AWS SDK
   for Ruby.
 email: 
@@ -353,7 +353,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="