aws-sdk-core 3.219.0 → 3.240.0

data/lib/aws-sdk-core/login_credentials.rb

@@ -0,0 +1,229 @@
+# frozen_string_literal: true
+
+module Aws
+  # An auto-refreshing credential provider that retrieves credentials from
+  # a cached login token. This class does NOT implement the AWS Sign-In
+  # login flow - tokens must be generated separately by running `aws login`
+  # from the AWS CLI/AWS Tools for PowerShell with the correct profile.
+  # The {LoginCredentials} will auto-refresh the AWS credentials from AWS Sign-In.
+  #
+  #     # You must first run aws login --profile your-login-profile
+  #     login_credentials = Aws::LoginCredentials.new(login_session: 'my_login_session')
+  #     ec2 = Aws::EC2::Client.new(credentials: login_credentials)
+  #
+  # If you omit the `:client` option, a new {Aws::Signin::Client} object will
+  # be constructed with additional options that were provided.
+  class LoginCredentials
+    include CredentialProvider
+    include RefreshingCredentials
+
+    # @option options [required, String] :login_session An opaque string
+    #   used to determine the cache file location. This value can be found
+    #   in the AWS config file which is set by the AWS CLI/AWS Tools for
+    #   PowerShell automatically.
+    #
+    # @option options [Signin::Client] :client Optional `Signin::Client`.
+    #   If not provided, a client will be constructed.
+    def initialize(options = {})
+      raise ArgumentError, 'Missing login_session' unless options[:login_session]
+
+      @login_session = options.delete(:login_session)
+      @client = options[:client]
+      unless @client
+        client_opts = options.reject { |key, _| CLIENT_EXCLUDE_OPTIONS.include?(key) }
+        @client = Signin::Client.new(client_opts.merge(credentials: nil))
+      end
+      @metrics = ['CREDENTIALS_LOGIN']
+      @async_refresh = true
+      super
+    end
+
+    # @return [Signin::Client]
+    attr_reader :client
+
+    private
+
+    def refresh
+      # First reload the token from disk to ensure it hasn't been refreshed externally
+      token_json = read_cached_token
+      update_creds(token_json['accessToken'])
+      return if @credentials && @expiration && !near_expiration?(sync_expiration_length)
+
+      # Using OpenSSL 3.6.0 may result in errors like "certificate verify failed (unable to get certificate CRL)."
+      # A recommended workaround is to use OpenSSL version < 3.6.0 or requiring the openssl gem with a version of at
+      # least 3.2.2. GitHub issue: https://github.com/openssl/openssl/issues/28752.
+      if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('3.6.') &&
+         (!Gem.loaded_specs['openssl'] || Gem.loaded_specs['openssl'].version < Gem::Version.new('3.2.2'))
+        warn 'WARNING: OpenSSL 3.6.x may cause certificate verify errors - use OpenSSL < 3.6.0 or openssl gem >= 3.2.2'
+      end
+
+      # Attempt to refresh the token
+      attempt_refresh(token_json)
+
+      # Raise if token is hard expired
+      return unless !@expiration || @expiration < Time.now
+
+      raise Errors::InvalidLoginToken,
+            'Login token is invalid and failed to refresh. Please reauthenticate.'
+    end
+
+    def read_cached_token
+      cached_token = JSON.load_file(login_cache_file)
+      validate_cached_token(cached_token)
+      cached_token
+    rescue Errno::ENOENT, Aws::Json::ParseError
+      raise Errors::InvalidLoginToken,
+            "Failed to load a Login token for login session #{@login_session}. Please reauthenticate."
+    end
+
+    def login_cache_file
+      directory = ENV['AWS_LOGIN_CACHE_DIRECTORY'] || File.join(Dir.home, '.aws', 'login', 'cache')
+      login_session_sha = OpenSSL::Digest::SHA256.hexdigest(@login_session.strip.encode('utf-8'))
+      File.join(directory, "#{login_session_sha}.json")
+    end
+
+    def validate_cached_token(cached_token)
+      required_cached_token_fields = %w[accessToken clientId refreshToken dpopKey]
+      missing_fields = required_cached_token_fields.reject { |field| cached_token[field] }
+      unless missing_fields.empty?
+        raise ArgumentError, "Cached login token is missing required field(s): #{missing_fields}. " \
+          'Please reauthenticate.'
+      end
+
+      access_token = cached_token['accessToken']
+      required_access_token_fields = %w[accessKeyId secretAccessKey sessionToken accountId expiresAt]
+      missing_fields = required_access_token_fields.reject { |field| access_token[field] }
+
+      return if missing_fields.empty?
+
+      raise ArgumentError, "Access token in cached login token is missing required field(s): #{missing_fields}. " \
+        'Please reauthenticate.'
+    end
+
+    def update_creds(access_token)
+      @credentials = Credentials.new(
+        access_token['accessKeyId'],
+        access_token['secretAccessKey'],
+        access_token['sessionToken'],
+        account_id: access_token['accountId']
+      )
+      @expiration = Time.parse(access_token['expiresAt'])
+    end
+
+    def attempt_refresh(token_json)
+      resp = make_request(token_json)
+      parse_resp(resp.token_output, token_json)
+      update_creds(token_json['accessToken'])
+      update_token_cache(token_json)
+    rescue Signin::Errors::AccessDeniedException => e
+      case e.error
+      when 'TOKEN_EXPIRED'
+        warn 'Your session has expired. Please reauthenticate.'
+      when 'USER_CREDENTIALS_CHANGED'
+        warn 'Unable to refresh credentials because of a change in your password. ' \
+          'Please reauthenticate with your new password.'
+      when 'INSUFFICIENT_PERMISSIONS'
+        warn 'Unable to refresh credentials due to insufficient permissions. ' \
+          'You may be missing permission for the `CreateOAuth2Token` action.'
+      end
+    rescue StandardError => e
+      warn("Failed to refresh Login token for LoginCredentials: #{e.message}")
+    end
+
+    def make_request(token_json)
+      options = {
+        token_input: {
+          client_id: token_json['clientId'],
+          grant_type: 'refresh_token',
+          refresh_token: token_json['refreshToken']
+        }
+      }
+      req = @client.build_request(:create_o_auth_2_token, options)
+      endpoint_params = Aws::Signin::EndpointParameters.create(req.context.config)
+      endpoint = req.context.config.endpoint_provider.resolve_endpoint(endpoint_params)
+      endpoint = URI.join(endpoint.url, @client.config.api.operation(:create_o_auth_2_token).http_request_uri).to_s
+      req.context.http_request.headers['DPoP'] = dpop_proof(token_json['dpopKey'], endpoint)
+      req.send_request
+    end
+
+    def dpop_proof(dpop_key, endpoint)
+      # Load private key from cached token file
+      private_key = OpenSSL::PKey.read(dpop_key)
+      public_key = private_key.public_key.to_octet_string(:uncompressed)
+
+      # Construct header and payload
+      header = build_header(public_key[1, 32], public_key[33, 32])
+      payload = build_payload(endpoint)
+
+      # Base64URL encode header and payload, sign message using private key, and create header
+      message = build_message(header, payload)
+      signature = private_key.sign(OpenSSL::Digest.new('SHA256'), message)
+      jws_signature = der_to_jws(signature)
+      "#{message}.#{Base64.urlsafe_encode64(jws_signature, padding: false)}"
+    end
+
+    def build_header(x_bytes, y_bytes)
+      {
+        'alg' => 'ES256', # signing algorithm
+        'jwk' => {
+          'crv' => 'P-256', # curve name
+          'kty' => 'EC', # key type
+          'x' => Base64.urlsafe_encode64(x_bytes, padding: false), # public x coordinate
+          'y' => Base64.urlsafe_encode64(y_bytes, padding: false) # public y coordinate
+        },
+        'typ' => 'dpop+jwt' # hardcoded
+      }
+    end
+
+    def build_payload(htu)
+      {
+        'jti' => SecureRandom.uuid, # unique identifier (UUID4)
+        'htm' => @client.config.api.operation(:create_o_auth_2_token).http_method, # POST
+        'htu' => htu, # endpoint of the CreateOAuth2Token operation, with path
+        'iat' => Time.now.utc.to_i # UTC timestamp, specified number of seconds from 1970-01-01T00:00:00Z UTC
+      }
+    end
+
+    def build_message(header, payload)
+      encoded_header = Base64.urlsafe_encode64(JSON.dump(header), padding: false)
+      encoded_payload = Base64.urlsafe_encode64(JSON.dump(payload), padding: false)
+      "#{encoded_header}.#{encoded_payload}"
+    end
+
+    # Converts DER-encoded ASN.1 signature to JWS
+    def der_to_jws(der_signature)
+      asn1 = OpenSSL::ASN1.decode(der_signature)
+      r = asn1.value[0].value
+      s = asn1.value[1].value
+
+      r_hex = r.to_s(16).rjust(64, '0')
+      s_hex = s.to_s(16).rjust(64, '0')
+
+      [r_hex + s_hex].pack('H*')
+    end
+
+    def parse_resp(resp, token_json)
+      access_token = token_json['accessToken']
+      access_token.merge!(
+        'accessKeyId' => resp.access_token.access_key_id,
+        'secretAccessKey' => resp.access_token.secret_access_key,
+        'sessionToken' => resp.access_token.session_token,
+        'expiresAt' => (Time.now.utc + resp.expires_in).to_datetime.rfc3339
+      )
+      token_json['refreshToken'] = resp.refresh_token
+    end
+
+    def update_token_cache(token_json)
+      cached_token = token_json.dup
+      # File.write is not atomic so use temp file and move
+      temp_file = Tempfile.new('temp_file')
+      begin
+        temp_file.write(Json.dump(cached_token))
+        temp_file.close
+        FileUtils.mv(temp_file.path, login_cache_file)
+      ensure
+        temp_file.unlink if File.exist?(temp_file.path) # Ensure temp file is cleaned up
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/checksum_algorithm.rb

@@ -190,7 +190,6 @@ module Aws
               name: "x-amz-checksum-#{algorithm.downcase}",
               request_algorithm_header: request_algorithm_header(context)
             }
-
             context[:http_checksum][:request_algorithm] = request_algorithm
             calculate_request_checksum(context, request_algorithm)
           end
@@ -249,6 +248,7 @@ module Aws
           return unless context.operation.http_checksum
 
           input_member = context.operation.http_checksum['requestAlgorithmMember']
+
           context.params[input_member.to_sym] ||= DEFAULT_CHECKSUM if input_member
         end
 
@@ -271,25 +271,39 @@ module Aws
           context.operation.http_checksum['responseAlgorithms']
         end
 
-        def checksum_required?(context)
-          (http_checksum = context.operation.http_checksum) &&
-            (checksum_required = http_checksum['requestChecksumRequired']) &&
-            (checksum_required && context.config.request_checksum_calculation == 'when_required')
-        end
-
-        def checksum_optional?(context)
-          context.operation.http_checksum &&
-            context.config.request_checksum_calculation != 'when_required'
-        end
-
         def checksum_provided_as_header?(headers)
           headers.any? { |k, _| k.start_with?('x-amz-checksum-') }
         end
 
+        # Determines whether a request checksum should be calculated.
+        # 1. **No existing checksum in header**: Skips if checksum header already present
+        # 2. **Operation support**: Considers model, client configuration and user input.
         def should_calculate_request_checksum?(context)
           !checksum_provided_as_header?(context.http_request.headers) &&
-            request_algorithm_selection(context) &&
-            (checksum_required?(context) || checksum_optional?(context))
+            checksum_applicable?(context)
+        end
+
+        # Checks if checksum calculation should proceed based on operation requirements and client settings.
+        # Returns true when any of these conditions are met:
+        # 1. http checksum's requestChecksumRequired is true
+        # 2. Config for request_checksum_calculation is "when_supported"
+        # 3. Config for request_checksum_calculation is "when_required" AND user provided checksum algorithm
+        def checksum_applicable?(context)
+          http_checksum = context.operation.http_checksum
+          return false unless http_checksum
+
+          return true if http_checksum['requestChecksumRequired']
+
+          return false unless (algorithm_member = http_checksum['requestAlgorithmMember'])
+
+          case context.config.request_checksum_calculation
+          when 'when_supported'
+            true
+          when 'when_required'
+            !context.params[algorithm_member.to_sym].nil?
+          else
+            false
+          end
         end
 
         def choose_request_algorithm!(context)

data/lib/aws-sdk-core/plugins/client_metrics_plugin.rb

@@ -180,7 +180,6 @@ all generated client side metrics. Defaults to an empty string.
             complete_opts = {
               latency: end_time - start_time,
               attempt_count: context.retries + 1,
-              user_agent: context.http_request.headers["user-agent"],
               final_error_retryable: final_error_retryable,
               final_http_status_code: context.http_response.status_code,
               final_aws_exception: final_aws_exception,

data/lib/aws-sdk-core/plugins/credentials_configuration.rb

@@ -14,64 +14,68 @@ module Aws
 
       option(:account_id, doc_type: String, docstring: '')
 
-      option(:profile,
+      option(
+        :profile,
         doc_default: 'default',
         doc_type: String,
-        docstring: <<-DOCS)
-Used when loading credentials from the shared credentials file
-at HOME/.aws/credentials.  When not specified, 'default' is used.
+        docstring: <<~DOCS)
+          Used when loading credentials from the shared credentials file at `HOME/.aws/credentials`.
+          When not specified, 'default' is used.
         DOCS
 
-      option(:credentials,
+      option(
+        :credentials,
         required: true,
         doc_type: 'Aws::CredentialProvider',
         rbs_type: 'untyped',
-        docstring: <<-DOCS
-Your AWS credentials. This can be an instance of any one of the
-following classes:
+        docstring: <<~DOCS
+          Your AWS credentials used for authentication. This can be any class that includes and implements
+          `Aws::CredentialProvider`, or instance of any one of the following classes:
 
-* `Aws::Credentials` - Used for configuring static, non-refreshing
-  credentials.
+          * `Aws::Credentials` - Used for configuring static, non-refreshing
+            credentials.
 
-* `Aws::SharedCredentials` - Used for loading static credentials from a
-  shared file, such as `~/.aws/config`.
+          * `Aws::SharedCredentials` - Used for loading static credentials from a
+            shared file, such as `~/.aws/config`.
 
-* `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
+          * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
 
-* `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
-  assume a role after providing credentials via the web.
+          * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
+            assume a role after providing credentials via the web.
 
-* `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
-  access token generated from `aws login`.
+          * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
+            access token generated from `aws login`.
 
-* `Aws::ProcessCredentials` - Used for loading credentials from a
-  process that outputs to stdout.
+          * `Aws::ProcessCredentials` - Used for loading credentials from a
+            process that outputs to stdout.
 
-* `Aws::InstanceProfileCredentials` - Used for loading credentials
-  from an EC2 IMDS on an EC2 instance.
+          * `Aws::InstanceProfileCredentials` - Used for loading credentials
+            from an EC2 IMDS on an EC2 instance.
 
-* `Aws::ECSCredentials` - Used for loading credentials from
-  instances running in ECS.
+          * `Aws::ECSCredentials` - Used for loading credentials from
+            instances running in ECS.
 
-* `Aws::CognitoIdentityCredentials` - Used for loading credentials
-  from the Cognito Identity service.
+          * `Aws::CognitoIdentityCredentials` - Used for loading credentials
+            from the Cognito Identity service.
 
-When `:credentials` are not configured directly, the following
-locations will be searched for credentials:
+          When `:credentials` are not configured directly, the following locations will be searched for credentials:
 
-* `Aws.config[:credentials]`
-* The `:access_key_id`, `:secret_access_key`, `:session_token`, and
-  `:account_id` options.
-* ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'],
-  ENV['AWS_SESSION_TOKEN'], and ENV['AWS_ACCOUNT_ID']
-* `~/.aws/credentials`
-* `~/.aws/config`
-* EC2/ECS IMDS instance profile - When used by default, the timeouts
-  are very aggressive. Construct and pass an instance of
-  `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to
-  enable retries and extended timeouts. Instance profile credential
-  fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
-  to true.
+          * `Aws.config[:credentials]`
+
+          * The `:access_key_id`, `:secret_access_key`, `:session_token`, and
+            `:account_id` options.
+
+          * `ENV['AWS_ACCESS_KEY_ID']`, `ENV['AWS_SECRET_ACCESS_KEY']`,
+            `ENV['AWS_SESSION_TOKEN']`, and `ENV['AWS_ACCOUNT_ID']`.
+
+          * `~/.aws/credentials`
+
+          * `~/.aws/config`
+
+          * EC2/ECS IMDS instance profile - When used by default, the timeouts are very aggressive.
+            Construct and pass an instance of `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to
+            enable retries and extended timeouts. Instance profile credential fetching can be disabled by
+            setting `ENV['AWS_EC2_METADATA_DISABLED']` to `true`.
         DOCS
       ) do |config|
         CredentialProviderChain.new(config).resolve
@@ -81,31 +85,43 @@ locations will be searched for credentials:
 
       option(:instance_profile_credentials_timeout, 1)
 
-      option(:token_provider,
-             required: false,
-             doc_type: 'Aws::TokenProvider',
-             rbs_type: 'untyped',
-             docstring: <<-DOCS
-A Bearer Token Provider. This can be an instance of any one of the
-following classes:
+      option(
+        :token_provider,
+        doc_type: 'Aws::TokenProvider',
+        rbs_type: 'untyped',
+        docstring: <<~DOCS
+          Your Bearer token used for authentication. This can be any class that includes and implements
+          `Aws::TokenProvider`, or instance of any one of the following classes:
 
-* `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
-  tokens.
+          * `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
+            tokens.
 
-* `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
-  access token generated from `aws login`.
+          * `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
+            access token generated from `aws login`.
 
-When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
-will be used to search for tokens configured for your profile in shared configuration files.
-      DOCS
+          When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
+          will be used to search for tokens configured for your profile in shared configuration files.
+        DOCS
       ) do |config|
-        if config.stub_responses
-          StaticTokenProvider.new('token')
-        else
-          TokenProviderChain.new(config).resolve
-        end
+        TokenProviderChain.new(config).resolve
       end
 
+      option(
+        :auth_scheme_preference,
+        doc_type: 'Array<String>',
+        rbs_type: 'Array[String]',
+        docstring: <<~DOCS
+          A list of preferred authentication schemes to use when making a request. Supported values are:
+          `sigv4`, `sigv4a`, `httpBearerAuth`, and `noAuth`. When set using `ENV['AWS_AUTH_SCHEME_PREFERENCE']` or in
+          shared config as `auth_scheme_preference`, the value should be a comma-separated list.
+        DOCS
+      ) do |config|
+        value =
+          ENV['AWS_AUTH_SCHEME_PREFERENCE'] ||
+          Aws.shared_config.auth_scheme_preference(profile: config.profile) ||
+          ''
+        value.gsub(' ', '').gsub("\t", '').split(',')
+      end
     end
   end
 end

data/lib/aws-sdk-core/plugins/endpoint_pattern.rb

@@ -4,62 +4,70 @@ module Aws
   module Plugins
     # @api private
     class EndpointPattern < Seahorse::Client::Plugin
-
-      option(:disable_host_prefix_injection,
+      option(
+        :disable_host_prefix_injection,
         default: false,
         doc_type: 'Boolean',
-        docstring: <<-DOCS
-Set to true to disable SDK automatically adding host prefix
-to default service endpoint when available.
-        DOCS
-      )
+        docstring: 'When `true`, the SDK will not prepend the modeled host prefix to the endpoint.'
+      ) do |cfg|
+        resolve_disable_host_prefix_injection(cfg)
+      end
 
-      def add_handlers(handlers, config)
+      def add_handlers(handlers, _config)
         handlers.add(Handler, priority: 10)
       end
 
-      class Handler < Seahorse::Client::Handler
+      class << self
+        private
+
+        def resolve_disable_host_prefix_injection(cfg)
+          value = ENV['AWS_DISABLE_HOST_PREFIX_INJECTION'] ||
+                  Aws.shared_config.disable_host_prefix_injection(profile: cfg.profile) ||
+                  'false'
+          value = Aws::Util.str_2_bool(value)
+          unless [true, false].include?(value)
+            raise ArgumentError,
+                  'Must provide either `true` or `false` for '\
+                    'disable_host_prefix_injection profile option or for '\
+                    'ENV[\'AWS_DISABLE_HOST_PREFIX_INJECTION\']'
+          end
+          value
+        end
+      end
 
+      # @api private
+      class Handler < Seahorse::Client::Handler
         def call(context)
-          if !context.config.disable_host_prefix_injection
+          unless context.config.disable_host_prefix_injection
             endpoint_trait = context.operation.endpoint_pattern
-            if endpoint_trait && !endpoint_trait.empty?
-              _apply_endpoint_trait(context, endpoint_trait)
-            end
+            apply_endpoint_trait(context, endpoint_trait) if endpoint_trait && !endpoint_trait.empty?
           end
           @handler.call(context)
         end
 
         private
 
-        def _apply_endpoint_trait(context, trait)
-          # currently only support host pattern
-          ori_host = context.http_request.endpoint.host
-          if pattern = trait['hostPrefix']
-            host_prefix = pattern.gsub(/\{.+?\}/) do |label|
-              label = label.delete("{}")
-              _replace_label_value(
-                ori_host, label, context.operation.input, context.params)
-            end
-            context.http_request.endpoint.host = host_prefix + context.http_request.endpoint.host
+        def apply_endpoint_trait(context, trait)
+          pattern = trait['hostPrefix']
+          return unless pattern
+
+          host_prefix = pattern.gsub(/\{.+?}/) do |label|
+            label = label.delete('{}')
+            replace_label_value(label, context.operation.input, context.params)
           end
+          context.http_request.endpoint.host = host_prefix + context.http_request.endpoint.host
         end
 
-        def _replace_label_value(ori, label, input_ref, params)
+        def replace_label_value(label, input_ref, params)
           name = nil
           input_ref.shape.members.each do |m_name, ref|
-            if ref['hostLabel'] && ref['hostLabelName'] == label
-              name = m_name
-            end
-          end
-          if name.nil? || params[name].nil?
-            raise Errors::MissingEndpointHostLabelValue.new(name)
+            name = m_name if ref['hostLabel'] && ref['hostLabelName'] == label
           end
+          raise Errors::MissingEndpointHostLabelValue, name if name.nil? || params[name].nil?
+
           params[name]
         end
-
       end
-
     end
   end
 end