aws-sdk-core 3.232.0 → 3.246.0

data/lib/aws-sdk-core/plugins/retries/clock_skew.rb

@@ -3,10 +3,8 @@
 module Aws
   module Plugins
     module Retries
-
       # @api private
       class ClockSkew
-
         CLOCK_SKEW_THRESHOLD = 5 * 60 # five minutes
 
         def initialize
@@ -22,9 +20,9 @@ module Aws
         end
 
         # Gets the clock_correction in seconds to apply to a given endpoint
-        # @param endpoint [URI / String]
+        # @param endpoint [URI, String]
         def clock_correction(endpoint)
-          @mutex.synchronize { @endpoint_clock_corrections[endpoint.to_s] }
+          @mutex.synchronize { @endpoint_clock_corrections[normalized_endpoint(endpoint)] }
         end
 
         # The estimated skew factors in any clock skew from
@@ -35,7 +33,7 @@ module Aws
         # Estimated Skew should not be used to correct clock skew errors
         # it should only be used to estimate TTL for a request
         def estimated_skew(endpoint)
-          @mutex.synchronize { @endpoint_estimated_skews[endpoint.to_s] }
+          @mutex.synchronize { @endpoint_estimated_skews[normalized_endpoint(endpoint)] }
         end
 
         # Determines whether a request has clock skew by comparing
@@ -55,9 +53,9 @@ module Aws
           endpoint = context.http_request.endpoint
           now_utc = Time.now.utc
           server_time = server_time(context.http_response)
-          if server_time && (now_utc - server_time).abs > CLOCK_SKEW_THRESHOLD
-            set_clock_correction(endpoint, server_time - now_utc)
-          end
+          return unless server_time && (now_utc - server_time).abs > CLOCK_SKEW_THRESHOLD
+
+          set_clock_correction(normalized_endpoint(endpoint), server_time - now_utc)
         end
 
         # Called for every request
@@ -69,20 +67,35 @@ module Aws
           now_utc = Time.now.utc
           server_time = server_time(context.http_response)
           return unless server_time
+
           @mutex.synchronize do
-            @endpoint_estimated_skews[endpoint.to_s] = server_time - now_utc
+            @endpoint_estimated_skews[normalized_endpoint(endpoint)] = server_time - now_utc
           end
         end
 
         private
 
+        ##
+        # @param endpoint [URI, String]
+        #     the endpoint to normalize
+        #
+        # @return [String]
+        #     the endpoint's schema, host, and port - without any path or query arguments
+        def normalized_endpoint(endpoint)
+          uri = endpoint.is_a?(URI::Generic) ? endpoint : URI(endpoint.to_s)
+
+          return endpoint.to_s unless uri.scheme && uri.host
+
+          "#{uri.scheme}://#{uri.host}:#{uri.port}"
+        rescue URI::InvalidURIError
+          endpoint.to_s
+        end
+
         # @param response [Seahorse::Client::Http::Response:]
         def server_time(response)
-          begin
-            Time.parse(response.headers['date']).utc
-          rescue
-            nil
-          end
+          Time.parse(response.headers['date']).utc
+        rescue StandardError
+          nil
         end
 
         # Sets the clock correction for an endpoint
@@ -90,11 +103,10 @@ module Aws
         # @param correction [Number]
         def set_clock_correction(endpoint, correction)
           @mutex.synchronize do
-            @endpoint_clock_corrections[endpoint.to_s] = correction
+            @endpoint_clock_corrections[normalized_endpoint(endpoint)] = correction
           end
         end
       end
     end
   end
 end
-

data/lib/aws-sdk-core/plugins/user_agent.rb

@@ -55,7 +55,11 @@ module Aws
           "CREDENTIALS_IMDS" : "0",
           "SSO_LOGIN_DEVICE" : "1",
           "SSO_LOGIN_AUTH" : "2",
-          "BEARER_SERVICE_ENV_VARS": "3"
+          "BEARER_SERVICE_ENV_VARS": "3",
+          "CREDENTIALS_PROFILE_LOGIN": "AC",
+          "CREDENTIALS_LOGIN": "AD",
+          "S3_TRANSFER_UPLOAD_DIRECTORY": "9",
+          "S3_TRANSFER_DOWNLOAD_DIRECTORY": "+"
         }
       METRICS
 

data/lib/aws-sdk-core/refreshing_credentials.rb

@@ -1,28 +1,26 @@
 # frozen_string_literal: true
 
 module Aws
-
   # Base class used credential classes that can be refreshed. This
   # provides basic refresh logic in a thread-safe manner. Classes mixing in
-  # this module are expected to implement a #refresh method that populates
+  # this module are expected to implement a `#refresh` method that populates
   # the following instance variables:
   #
-  # * `@access_key_id`
-  # * `@secret_access_key`
-  # * `@session_token`
-  # * `@expiration`
+  # * `@credentials` ({Credentials})
+  # * `@expiration` (Time)
   #
-  # @api private
   module RefreshingCredentials
-
     SYNC_EXPIRATION_LENGTH = 300 # 5 minutes
     ASYNC_EXPIRATION_LENGTH = 600 # 10 minutes
 
     CLIENT_EXCLUDE_OPTIONS = Set.new([:before_refresh]).freeze
 
+    # @param [Hash] options
+    # @option options [Proc] :before_refresh A Proc called before credentials are refreshed.
+    #   It accepts `self` as the only argument.
     def initialize(options = {})
       @mutex = Mutex.new
-      @before_refresh = options.delete(:before_refresh) if Hash === options
+      @before_refresh = options.delete(:before_refresh) if options.is_a?(Hash)
 
       @before_refresh.call(self) if @before_refresh
       refresh
@@ -59,7 +57,7 @@ module Aws
     # Otherwise, if we're approaching expiration, use the existing credentials
     # but attempt a refresh in the background.
     def refresh_if_near_expiration!
-      # Note: This check is an optimization. Rather than acquire the mutex on every #refresh_if_near_expiration
+      # NOTE: This check is an optimization. Rather than acquire the mutex on every #refresh_if_near_expiration
       # call, we check before doing so, and then we check within the mutex to avoid a race condition.
       # See issue: https://github.com/aws/aws-sdk-ruby/issues/2641 for more info.
       if near_expiration?(sync_expiration_length)
@@ -91,6 +89,5 @@ module Aws
         true
       end
     end
-
   end
 end

data/lib/aws-sdk-core/shared_config.rb

@@ -171,6 +171,16 @@ module Aws
       token
     end
 
+    # Attempts to load from shared config or shared credentials file.
+    # Will always attempt first to load from the shared credentials
+    # file, if present.
+    def login_credentials_from_config(opts = {})
+      p = opts[:profile] || @profile_name
+      credentials = login_credentials_from_profile(@parsed_credentials, p, opts[:region])
+      credentials ||= login_credentials_from_profile(@parsed_config, p, opts[:region]) if @parsed_config
+      credentials
+    end
+
     # Source a custom configured endpoint from the shared configuration file
     #
     # @param [Hash] opts
@@ -469,6 +479,16 @@ module Aws
       end
     end
 
+    def login_credentials_from_profile(cfg, profile, region)
+      return unless @parsed_config && (prof_config = cfg[profile]) && prof_config['login_session']
+
+      cfg = { login_session: prof_config['login_session'] }
+      cfg[:region] = region if region
+      creds = LoginCredentials.new(cfg)
+      creds.metrics << 'CREDENTIALS_PROFILE_LOGIN'
+      creds
+    end
+
     def credentials_from_profile(prof_config)
       creds = Credentials.new(
         prof_config['aws_access_key_id'],

data/lib/aws-sdk-core/sso_credentials.rb

@@ -7,7 +7,7 @@ module Aws
   # {Aws::SSOTokenProvider} will be used to refresh the token if possible.
   # This class does NOT implement the SSO login token flow - tokens
   # must generated separately by running `aws login` from the
-  # AWS CLI with the correct profile. The `SSOCredentials` will
+  # AWS CLI with the correct profile. The {SSOCredentials} will
   # auto-refresh the AWS credentials from SSO.
   #
   #     # You must first run aws sso login --profile your-sso-profile

data/lib/aws-sdk-core/sso_token_provider.rb

@@ -108,6 +108,7 @@ module Aws
       cached_token = token_json.dup
       cached_token['expiresAt'] = cached_token['expiresAt'].iso8601
       File.write(sso_cache_file, Json.dump(cached_token))
+      File.chmod(0o600, sso_cache_file)
     end
 
     def sso_cache_file

data/lib/aws-sdk-core/waiters/poller.rb

@@ -97,8 +97,8 @@ module Aws
 
       def matches_error?(acceptor, response)
         case acceptor['expected']
-        when 'false' then response.error.nil?
-        when 'true' then !response.error.nil?
+        when 'false', false then response.error.nil?
+        when 'true', true then !response.error.nil?
         else
           response.error.is_a?(Aws::Errors::ServiceError) &&
             response.error.code == acceptor['expected'].delete('.')

data/lib/aws-sdk-core.rb

@@ -25,6 +25,7 @@ module Aws
   autoload :SharedCredentials, 'aws-sdk-core/shared_credentials'
   autoload :ProcessCredentials, 'aws-sdk-core/process_credentials'
   autoload :SSOCredentials, 'aws-sdk-core/sso_credentials'
+  autoload :LoginCredentials, 'aws-sdk-core/login_credentials'
 
 
   # tokens and token providers
@@ -175,3 +176,6 @@ require_relative 'aws-sdk-sts'
 # aws-sdk-sso is included to support Aws::SSOCredentials
 require_relative 'aws-sdk-sso'
 require_relative 'aws-sdk-ssooidc'
+
+# aws-sdk-signin is included to support Aws::SignInCredentials
+require_relative 'aws-sdk-signin'