aws-sdk-core 3.226.3 → 3.241.3

data/lib/aws-sdk-core/login_credentials.rb

@@ -0,0 +1,229 @@
+# frozen_string_literal: true
+
+module Aws
+  # An auto-refreshing credential provider that retrieves credentials from
+  # a cached login token. This class does NOT implement the AWS Sign-In
+  # login flow - tokens must be generated separately by running `aws login`
+  # from the AWS CLI/AWS Tools for PowerShell with the correct profile.
+  # The {LoginCredentials} will auto-refresh the AWS credentials from AWS Sign-In.
+  #
+  #     # You must first run aws login --profile your-login-profile
+  #     login_credentials = Aws::LoginCredentials.new(login_session: 'my_login_session')
+  #     ec2 = Aws::EC2::Client.new(credentials: login_credentials)
+  #
+  # If you omit the `:client` option, a new {Aws::Signin::Client} object will
+  # be constructed with additional options that were provided.
+  class LoginCredentials
+    include CredentialProvider
+    include RefreshingCredentials
+
+    # @option options [required, String] :login_session An opaque string
+    #   used to determine the cache file location. This value can be found
+    #   in the AWS config file which is set by the AWS CLI/AWS Tools for
+    #   PowerShell automatically.
+    #
+    # @option options [Signin::Client] :client Optional `Signin::Client`.
+    #   If not provided, a client will be constructed.
+    def initialize(options = {})
+      raise ArgumentError, 'Missing login_session' unless options[:login_session]
+
+      @login_session = options.delete(:login_session)
+      @client = options[:client]
+      unless @client
+        client_opts = options.reject { |key, _| CLIENT_EXCLUDE_OPTIONS.include?(key) }
+        @client = Signin::Client.new(client_opts.merge(credentials: nil))
+      end
+      @metrics = ['CREDENTIALS_LOGIN']
+      @async_refresh = true
+      super
+    end
+
+    # @return [Signin::Client]
+    attr_reader :client
+
+    private
+
+    def refresh
+      # First reload the token from disk to ensure it hasn't been refreshed externally
+      token_json = read_cached_token
+      update_creds(token_json['accessToken'])
+      return if @credentials && @expiration && !near_expiration?(sync_expiration_length)
+
+      # Using OpenSSL 3.6.0 may result in errors like "certificate verify failed (unable to get certificate CRL)."
+      # A recommended workaround is to use OpenSSL version < 3.6.0 or requiring the openssl gem with a version of at
+      # least 3.2.2. GitHub issue: https://github.com/openssl/openssl/issues/28752.
+      if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('3.6.') &&
+         (!Gem.loaded_specs['openssl'] || Gem.loaded_specs['openssl'].version < Gem::Version.new('3.2.2'))
+        warn 'WARNING: OpenSSL 3.6.x may cause certificate verify errors - use OpenSSL < 3.6.0 or openssl gem >= 3.2.2'
+      end
+
+      # Attempt to refresh the token
+      attempt_refresh(token_json)
+
+      # Raise if token is hard expired
+      return unless !@expiration || @expiration < Time.now
+
+      raise Errors::InvalidLoginToken,
+            'Login token is invalid and failed to refresh. Please reauthenticate.'
+    end
+
+    def read_cached_token
+      cached_token = JSON.load_file(login_cache_file)
+      validate_cached_token(cached_token)
+      cached_token
+    rescue Errno::ENOENT, Aws::Json::ParseError
+      raise Errors::InvalidLoginToken,
+            "Failed to load a Login token for login session #{@login_session}. Please reauthenticate."
+    end
+
+    def login_cache_file
+      directory = ENV['AWS_LOGIN_CACHE_DIRECTORY'] || File.join(Dir.home, '.aws', 'login', 'cache')
+      login_session_sha = OpenSSL::Digest::SHA256.hexdigest(@login_session.strip.encode('utf-8'))
+      File.join(directory, "#{login_session_sha}.json")
+    end
+
+    def validate_cached_token(cached_token)
+      required_cached_token_fields = %w[accessToken clientId refreshToken dpopKey]
+      missing_fields = required_cached_token_fields.reject { |field| cached_token[field] }
+      unless missing_fields.empty?
+        raise ArgumentError, "Cached login token is missing required field(s): #{missing_fields}. " \
+          'Please reauthenticate.'
+      end
+
+      access_token = cached_token['accessToken']
+      required_access_token_fields = %w[accessKeyId secretAccessKey sessionToken accountId expiresAt]
+      missing_fields = required_access_token_fields.reject { |field| access_token[field] }
+
+      return if missing_fields.empty?
+
+      raise ArgumentError, "Access token in cached login token is missing required field(s): #{missing_fields}. " \
+        'Please reauthenticate.'
+    end
+
+    def update_creds(access_token)
+      @credentials = Credentials.new(
+        access_token['accessKeyId'],
+        access_token['secretAccessKey'],
+        access_token['sessionToken'],
+        account_id: access_token['accountId']
+      )
+      @expiration = Time.parse(access_token['expiresAt'])
+    end
+
+    def attempt_refresh(token_json)
+      resp = make_request(token_json)
+      parse_resp(resp.token_output, token_json)
+      update_creds(token_json['accessToken'])
+      update_token_cache(token_json)
+    rescue Signin::Errors::AccessDeniedException => e
+      case e.error
+      when 'TOKEN_EXPIRED'
+        warn 'Your session has expired. Please reauthenticate.'
+      when 'USER_CREDENTIALS_CHANGED'
+        warn 'Unable to refresh credentials because of a change in your password. ' \
+          'Please reauthenticate with your new password.'
+      when 'INSUFFICIENT_PERMISSIONS'
+        warn 'Unable to refresh credentials due to insufficient permissions. ' \
+          'You may be missing permission for the `CreateOAuth2Token` action.'
+      end
+    rescue StandardError => e
+      warn("Failed to refresh Login token for LoginCredentials: #{e.message}")
+    end
+
+    def make_request(token_json)
+      options = {
+        token_input: {
+          client_id: token_json['clientId'],
+          grant_type: 'refresh_token',
+          refresh_token: token_json['refreshToken']
+        }
+      }
+      req = @client.build_request(:create_o_auth_2_token, options)
+      endpoint_params = Aws::Signin::EndpointParameters.create(req.context.config)
+      endpoint = req.context.config.endpoint_provider.resolve_endpoint(endpoint_params)
+      endpoint = URI.join(endpoint.url, @client.config.api.operation(:create_o_auth_2_token).http_request_uri).to_s
+      req.context.http_request.headers['DPoP'] = dpop_proof(token_json['dpopKey'], endpoint)
+      req.send_request
+    end
+
+    def dpop_proof(dpop_key, endpoint)
+      # Load private key from cached token file
+      private_key = OpenSSL::PKey.read(dpop_key)
+      public_key = private_key.public_key.to_octet_string(:uncompressed)
+
+      # Construct header and payload
+      header = build_header(public_key[1, 32], public_key[33, 32])
+      payload = build_payload(endpoint)
+
+      # Base64URL encode header and payload, sign message using private key, and create header
+      message = build_message(header, payload)
+      signature = private_key.sign(OpenSSL::Digest.new('SHA256'), message)
+      jws_signature = der_to_jws(signature)
+      "#{message}.#{Base64.urlsafe_encode64(jws_signature, padding: false)}"
+    end
+
+    def build_header(x_bytes, y_bytes)
+      {
+        'alg' => 'ES256', # signing algorithm
+        'jwk' => {
+          'crv' => 'P-256', # curve name
+          'kty' => 'EC', # key type
+          'x' => Base64.urlsafe_encode64(x_bytes, padding: false), # public x coordinate
+          'y' => Base64.urlsafe_encode64(y_bytes, padding: false) # public y coordinate
+        },
+        'typ' => 'dpop+jwt' # hardcoded
+      }
+    end
+
+    def build_payload(htu)
+      {
+        'jti' => SecureRandom.uuid, # unique identifier (UUID4)
+        'htm' => @client.config.api.operation(:create_o_auth_2_token).http_method, # POST
+        'htu' => htu, # endpoint of the CreateOAuth2Token operation, with path
+        'iat' => Time.now.utc.to_i # UTC timestamp, specified number of seconds from 1970-01-01T00:00:00Z UTC
+      }
+    end
+
+    def build_message(header, payload)
+      encoded_header = Base64.urlsafe_encode64(JSON.dump(header), padding: false)
+      encoded_payload = Base64.urlsafe_encode64(JSON.dump(payload), padding: false)
+      "#{encoded_header}.#{encoded_payload}"
+    end
+
+    # Converts DER-encoded ASN.1 signature to JWS
+    def der_to_jws(der_signature)
+      asn1 = OpenSSL::ASN1.decode(der_signature)
+      r = asn1.value[0].value
+      s = asn1.value[1].value
+
+      r_hex = r.to_s(16).rjust(64, '0')
+      s_hex = s.to_s(16).rjust(64, '0')
+
+      [r_hex + s_hex].pack('H*')
+    end
+
+    def parse_resp(resp, token_json)
+      access_token = token_json['accessToken']
+      access_token.merge!(
+        'accessKeyId' => resp.access_token.access_key_id,
+        'secretAccessKey' => resp.access_token.secret_access_key,
+        'sessionToken' => resp.access_token.session_token,
+        'expiresAt' => (Time.now.utc + resp.expires_in).to_datetime.rfc3339
+      )
+      token_json['refreshToken'] = resp.refresh_token
+    end
+
+    def update_token_cache(token_json)
+      cached_token = token_json.dup
+      # File.write is not atomic so use temp file and move
+      temp_file = Tempfile.new('temp_file')
+      begin
+        temp_file.write(Json.dump(cached_token))
+        temp_file.close
+        FileUtils.mv(temp_file.path, login_cache_file)
+      ensure
+        temp_file.unlink if File.exist?(temp_file.path) # Ensure temp file is cleaned up
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/checksum_algorithm.rb

@@ -4,7 +4,8 @@ module Aws
   module Plugins
     # @api private
     class ChecksumAlgorithm < Seahorse::Client::Plugin
-      CHUNK_SIZE = 1 * 1024 * 1024 # one MB
+      CHECKSUM_CHUNK_SIZE = 1 * 1024 * 1024 # one MB
+      DEFAULT_TRAILER_CHUNK_SIZE = 16_384 # 16 KB
 
       # determine the set of supported client side checksum algorithms
       # CRC32c requires aws-crt (optional sdk dependency) for support
@@ -21,6 +22,7 @@ module Aws
       end.freeze
 
       CRT_ALGORITHMS = %w[CRC32C CRC64NVME].freeze
+      DEFAULT_CHECKSUM = 'CRC32'
 
       # Priority order of checksum algorithms to validate responses against.
       # Remove any algorithms not supported by client (ie, depending on CRT availability).
@@ -37,8 +39,6 @@ module Aws
         'SHA256' => 44 + 1
       }.freeze
 
-      DEFAULT_CHECKSUM = 'CRC32'
-
       option(:request_checksum_calculation,
              doc_default: 'when_supported',
              doc_type: 'String',
@@ -162,9 +162,7 @@ module Aws
           context[:http_checksum] ||= {}
 
           # Set validation mode to enabled when supported.
-          if context.config.response_checksum_validation == 'when_supported'
-            enable_request_validation_mode(context)
-          end
+          enable_request_validation_mode(context) if context.config.response_checksum_validation == 'when_supported'
 
           @handler.call(context)
         end
@@ -190,14 +188,11 @@ module Aws
               name: "x-amz-checksum-#{algorithm.downcase}",
               request_algorithm_header: request_algorithm_header(context)
             }
-
             context[:http_checksum][:request_algorithm] = request_algorithm
             calculate_request_checksum(context, request_algorithm)
           end
 
-          if should_verify_response_checksum?(context)
-            add_verify_response_checksum_handlers(context)
-          end
+          add_verify_response_checksum_handlers(context) if should_verify_response_checksum?(context)
 
           with_metrics(context.config, algorithm) { @handler.call(context) }
         end
@@ -249,6 +244,7 @@ module Aws
           return unless context.operation.http_checksum
 
           input_member = context.operation.http_checksum['requestAlgorithmMember']
+
           context.params[input_member.to_sym] ||= DEFAULT_CHECKSUM if input_member
         end
 
@@ -271,25 +267,38 @@ module Aws
           context.operation.http_checksum['responseAlgorithms']
         end
 
-        def checksum_required?(context)
-          (http_checksum = context.operation.http_checksum) &&
-            (checksum_required = http_checksum['requestChecksumRequired']) &&
-            (checksum_required && context.config.request_checksum_calculation == 'when_required')
-        end
-
-        def checksum_optional?(context)
-          context.operation.http_checksum &&
-            context.config.request_checksum_calculation != 'when_required'
-        end
-
         def checksum_provided_as_header?(headers)
           headers.any? { |k, _| k.start_with?('x-amz-checksum-') }
         end
 
+        # Determines whether a request checksum should be calculated.
+        # 1. **No existing checksum in header**: Skips if checksum header already present
+        # 2. **Operation support**: Considers model, client configuration and user input.
         def should_calculate_request_checksum?(context)
-          !checksum_provided_as_header?(context.http_request.headers) &&
-            request_algorithm_selection(context) &&
-            (checksum_required?(context) || checksum_optional?(context))
+          !checksum_provided_as_header?(context.http_request.headers) && checksum_applicable?(context)
+        end
+
+        # Checks if checksum calculation should proceed based on operation requirements and client settings.
+        # Returns true when any of these conditions are met:
+        # 1. http checksum's requestChecksumRequired is true
+        # 2. Config for request_checksum_calculation is "when_supported"
+        # 3. Config for request_checksum_calculation is "when_required" AND user provided checksum algorithm
+        def checksum_applicable?(context)
+          http_checksum = context.operation.http_checksum
+          return false unless http_checksum
+
+          return true if http_checksum['requestChecksumRequired']
+
+          return false unless (algorithm_member = http_checksum['requestAlgorithmMember'])
+
+          case context.config.request_checksum_calculation
+          when 'when_supported'
+            true
+          when 'when_required'
+            !context.params[algorithm_member.to_sym].nil?
+          else
+            false
+          end
         end
 
         def choose_request_algorithm!(context)
@@ -307,12 +316,13 @@ module Aws
         end
 
         def checksum_request_in(context)
-          if context.operation['unsignedPayload'] ||
-             context.operation['authtype'] == 'v4-unsigned-body'
-            'trailer'
-          else
-            'header'
-          end
+          return 'header' unless supports_trailer_checksums?(context.operation)
+
+          should_fallback_to_header?(context) ? 'header' : 'trailer'
+        end
+
+        def supports_trailer_checksums?(operation)
+          operation['unsignedPayload'] || operation['authtype'] == 'v4-unsigned-body'
         end
 
         def calculate_request_checksum(context, checksum_properties)
@@ -320,6 +330,7 @@ module Aws
           if (algorithm_header = checksum_properties[:request_algorithm_header])
             headers[algorithm_header] = checksum_properties[:algorithm]
           end
+
           case checksum_properties[:in]
           when 'header'
             apply_request_checksum(context, headers, checksum_properties)
@@ -330,19 +341,34 @@ module Aws
           end
         end
 
+        def should_fallback_to_header?(context)
+          # Trailer implementation within Mac/JRUBY environment is facing some
+          # network issues that will need further investigation:
+          # * https://github.com/jruby/jruby-openssl/issues/271
+          # * https://github.com/jruby/jruby-openssl/issues/317
+          return true if defined?(JRUBY_VERSION)
+
+          # Chunked signing is currently not supported
+          # Https is required for unsigned payload for security
+          return true if context.http_request.endpoint.scheme == 'http'
+
+          context[:skip_trailer_checksums]
+        end
+
         def apply_request_checksum(context, headers, checksum_properties)
           header_name = checksum_properties[:name]
-          body = context.http_request.body_contents
           headers[header_name] = calculate_checksum(
             checksum_properties[:algorithm],
-            body
+            context.http_request.body
           )
         end
 
         def calculate_checksum(algorithm, body)
           digest = ChecksumAlgorithm.digest_for_algorithm(algorithm)
           if body.respond_to?(:read)
+            body.rewind
             update_in_chunks(digest, body)
+            body.rewind
           else
             digest.update(body)
           end
@@ -351,7 +377,7 @@ module Aws
 
         def update_in_chunks(digest, io)
           loop do
-            chunk = io.read(CHUNK_SIZE)
+            chunk = io.read(CHECKSUM_CHUNK_SIZE)
             break unless chunk
 
             digest.update(chunk)
@@ -363,7 +389,12 @@ module Aws
           location_name = checksum_properties[:name]
 
           # set required headers
-          headers['Content-Encoding'] = 'aws-chunked'
+          headers['Content-Encoding'] =
+            if headers['Content-Encoding']
+              headers['Content-Encoding'] += ', aws-chunked'
+            else
+              'aws-chunked'
+            end
           headers['X-Amz-Content-Sha256'] = 'STREAMING-UNSIGNED-PAYLOAD-TRAILER'
           headers['X-Amz-Trailer'] = location_name
 
@@ -374,13 +405,14 @@ module Aws
           unless context.http_request.body.respond_to?(:size)
             raise Aws::Errors::ChecksumError, 'Could not determine length of the body'
           end
-          headers['X-Amz-Decoded-Content-Length'] = context.http_request.body.size
 
-          context.http_request.body = AwsChunkedTrailerDigestIO.new(
-            context.http_request.body,
-            checksum_properties[:algorithm],
-            location_name
-          )
+          headers['X-Amz-Decoded-Content-Length'] = context.http_request.body.size
+          context.http_request.body =
+            AwsChunkedTrailerDigestIO.new(
+              io: context.http_request.body,
+              algorithm: checksum_properties[:algorithm],
+              location_name: location_name
+            )
         end
 
         def should_verify_response_checksum?(context)
@@ -398,15 +430,11 @@ module Aws
         end
 
         def add_verify_response_headers_handler(context, checksum_context)
-          validation_list = CHECKSUM_ALGORITHM_PRIORITIES &
-                            operation_response_algorithms(context)
+          validation_list = CHECKSUM_ALGORITHM_PRIORITIES & operation_response_algorithms(context)
           context[:http_checksum][:validation_list] = validation_list
 
           context.http_response.on_headers do |_status, headers|
-            header_name, algorithm = response_header_to_verify(
-              headers,
-              validation_list
-            )
+            header_name, algorithm = response_header_to_verify(headers, validation_list)
             next unless header_name
 
             expected = headers[header_name]
@@ -452,52 +480,94 @@ module Aws
       # Wrapper for request body that implements application-layer
       # chunking with Digest computed on chunks + added as a trailer
       class AwsChunkedTrailerDigestIO
-        CHUNK_SIZE = 16_384
+        CHUNK_OVERHEAD = 4 # "\r\n\r\n"
+        HEX_BASE = 16
 
-        def initialize(io, algorithm, location_name)
-          @io = io
-          @location_name = location_name
-          @algorithm = algorithm
-          @digest = ChecksumAlgorithm.digest_for_algorithm(algorithm)
-          @trailer_io = nil
+        def initialize(options = {})
+          @io = options.delete(:io)
+          @location_name = options.delete(:location_name)
+          @algorithm = options.delete(:algorithm)
+          @digest = ChecksumAlgorithm.digest_for_algorithm(@algorithm)
+          @chunk_size = Thread.current[:net_http_override_body_stream_chunk] || DEFAULT_TRAILER_CHUNK_SIZE
+          @overhead_bytes = calculate_overhead(@chunk_size)
+          @base_chunk_size = @chunk_size - @overhead_bytes
+          @encoded_buffer = +''
+          @eof = false
         end
 
         # the size of the application layer aws-chunked + trailer body
         def size
-          # compute the number of chunks
-          # a full chunk has 4 + 4 bytes overhead, a partial chunk is len.to_s(16).size + 4
           orig_body_size = @io.size
-          n_full_chunks = orig_body_size / CHUNK_SIZE
-          partial_bytes = orig_body_size % CHUNK_SIZE
-          chunked_body_size = n_full_chunks * (CHUNK_SIZE + 8)
-          chunked_body_size += partial_bytes.to_s(16).size + partial_bytes + 4 unless  partial_bytes.zero?
+          n_full_chunks = orig_body_size / @base_chunk_size
+          partial_bytes = orig_body_size % @base_chunk_size
+
+          full_chunk_overhead = @base_chunk_size.to_s(HEX_BASE).size + CHUNK_OVERHEAD
+          chunked_body_size = n_full_chunks * (@base_chunk_size + full_chunk_overhead)
+          unless partial_bytes.zero?
+            chunked_body_size += partial_bytes.to_s(HEX_BASE).size + partial_bytes + CHUNK_OVERHEAD
+          end
           trailer_size = ChecksumAlgorithm.trailer_length(@algorithm, @location_name)
           chunked_body_size + trailer_size
         end
 
         def rewind
           @io.rewind
+          @encoded_buffer = +''
+          @eof = false
+          @digest = ChecksumAlgorithm.digest_for_algorithm(@algorithm)
         end
 
-        def read(length, buf = nil)
-          # account for possible leftover bytes at the end, if we have trailer bytes, send them
-          if @trailer_io
-            return @trailer_io.read(length, buf)
-          end
+        def read(length = nil, buf = nil)
+          return '' if length&.zero?
+          return if eof?
+
+          buf&.clear
+          output_buffer = buf || +''
 
-          chunk = @io.read(length)
-          if chunk
-            @digest.update(chunk)
-            application_chunked = "#{chunk.bytesize.to_s(16)}\r\n#{chunk}\r\n"
-            return StringIO.new(application_chunked).read(application_chunked.size, buf)
+          fill_encoded_buffer(length)
+
+          if length
+            output_buffer << @encoded_buffer.slice!(0, length)
           else
-            trailers = {}
-            trailers[@location_name] = @digest.base64digest
-            trailers = trailers.map { |k,v| "#{k}:#{v}" }.join("\r\n")
-            @trailer_io = StringIO.new("0\r\n#{trailers}\r\n\r\n")
-            chunk = @trailer_io.read(length, buf)
+            output_buffer << @encoded_buffer
+            @encoded_buffer.clear
+          end
+
+          output_buffer.empty? && eof? ? nil : output_buffer
+        end
+
+        def eof?
+          @eof && @encoded_buffer.empty?
+        end
+
+        private
+
+        def calculate_overhead(chunk_size)
+          chunk_size.to_s(HEX_BASE).size + CHUNK_OVERHEAD
+        end
+
+        def fill_encoded_buffer(required_length)
+          return if required_length && @encoded_buffer.bytesize >= required_length
+
+          while !@eof && fill_data?(required_length)
+            chunk = @io.read(@base_chunk_size)
+            if chunk && !chunk.empty?
+              @digest.update(chunk)
+              @encoded_buffer << "#{chunk.bytesize.to_s(HEX_BASE)}\r\n#{chunk}\r\n"
+            else
+              @encoded_buffer << "0\r\n#{trailer_string}\r\n\r\n"
+              @eof = true
+            end
           end
-          chunk
+        end
+
+        def trailer_string
+          { @location_name => @digest.base64digest }.map { |k, v| "#{k}:#{v}" }.join("\r\n")
+        end
+
+        # Returns true if more data needs to be read into the buffer
+        def fill_data?(length)
+          length.nil? || @encoded_buffer.bytesize < length
         end
       end
     end