aws-sdk-core 3.46.0 → 3.94.0

data/lib/aws-sdk-core/deprecations.rb

@@ -35,33 +35,39 @@ module Aws
   # @api private
   module Deprecations
 
-    # @param [Symbol] method_name The name of the deprecated method.
+    # @param [Symbol] method The name of the deprecated method.
     #
     # @option options [String] :message The warning message to issue
     #   when the deprecated method is called.
     #
-    # @option options [Symbol] :use The name of an use
-    #   method that should be used.
+    # @option options [String] :use The name of a method that should be used.
     #
-    def deprecated(method_name, options = {})
+    # @option options [String] :version The version that will remove the
+    #   deprecated method.
+    #
+    def deprecated(method, options = {})
 
       deprecation_msg = options[:message] || begin
-        msg = "DEPRECATION WARNING: called deprecated method `#{method_name}' "
-        msg << "of an #{self}"
-        msg << ", use #{options[:use]} instead" if options[:use]
+        msg = "#################### DEPRECATION WARNING ####################\n"
+        msg << "Called deprecated method `#{method}` of #{self}."
+        msg << " Use `#{options[:use]}` instead.\n" if options[:use]
+        if options[:version]
+          msg << "Method `#{method}` will be removed in #{options[:version]}."
+        end
+        msg << "\n#############################################################"
         msg
       end
 
-      alias_method(:"deprecated_#{method_name}", method_name)
+      alias_method(:"deprecated_#{method}", method)
 
       warned = false # we only want to issue this warning once
 
-      define_method(method_name) do |*args,&block|
+      define_method(method) do |*args, &block|
         unless warned
           warned = true
           warn(deprecation_msg + "\n" + caller.join("\n"))
         end
-        send("deprecated_#{method_name}", *args, &block)
+        send("deprecated_#{method}", *args, &block)
       end
     end
 

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -78,14 +78,18 @@ module Aws
       # Retry loading credentials up to 3 times is the instance metadata
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
-      retry_errors([JSON::ParserError, StandardError], max_retries: 3) do
-        c = JSON.parse(get_credentials.to_s)
-        @credentials = Credentials.new(
-          c['AccessKeyId'],
-          c['SecretAccessKey'],
-          c['Token']
-        )
-        @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+      begin
+        retry_errors([JSON::ParserError, StandardError], max_retries: 3) do
+          c = JSON.parse(get_credentials.to_s)
+          @credentials = Credentials.new(
+            c['AccessKeyId'],
+            c['SecretAccessKey'],
+            c['Token']
+          )
+          @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+        end
+      rescue JSON::ParserError
+        raise Aws::Errors::MetadataParserError.new
       end
     end
 

data/lib/aws-sdk-core/endpoint_cache.rb

@@ -47,8 +47,8 @@ module Aws
       @mutex.synchronize do
         # delete the least recent used endpoint when cache is full
         unless @entries.size < @max_entries
-          old_key, _ = @entries.shift
-          self.delete_polling_thread(old_key)
+          old_key, = @entries.shift
+          delete_polling_thread(old_key)
         end
         # delete old value if exists
         @entries.delete(key)
@@ -60,10 +60,12 @@ module Aws
     # @param [String] key
     # @return [Boolean]
     def key?(key)
-      if @entries.key?(key) && (@entries[key].nil? || @entries[key].expired?)
-        self.delete(key)
+      @mutex.synchronize do
+        if @entries.key?(key) && (@entries[key].nil? || @entries[key].expired?)
+          @entries.delete(key)
+        end
+        @entries.key?(key)
       end
-      @entries.key?(key)
     end
 
     # checking whether an polling thread exist for the key
@@ -84,7 +86,7 @@ module Aws
     # kill the old polling thread and remove it from pool
     # @param [String] key
     def delete_polling_thread(key)
-      Thread.kill(@pool[key]) if self.threads_key?(key)
+      Thread.kill(@pool[key]) if threads_key?(key)
       @pool.delete(key)
     end
 
@@ -109,7 +111,7 @@ module Aws
       if _endpoint_operation_identifier(ctx)
         parts << ctx.operation_name
         ctx.operation.input.shape.members.inject(parts) do |p, (name, ref)|
-          p << ctx.params[name] if ref["endpointdiscoveryid"]
+          p << ctx.params[name] if ref['endpointdiscoveryid']
           p
         end
       end
@@ -141,7 +143,7 @@ module Aws
         # build identifier params when available
         params[:operation] = ctx.operation.name
         ctx.operation.input.shape.members.inject(params) do |p, (name, ref)|
-          if ref["endpointdiscoveryid"]
+          if ref['endpointdiscoveryid']
             p[:identifiers] ||= {}
             p[:identifiers][ref.location_name] = ctx.params[name]
           end
@@ -153,19 +155,20 @@ module Aws
         endpoint_operation_name = ctx.config.api.endpoint_operation
         ctx.client.send(endpoint_operation_name, params)
       rescue Aws::Errors::ServiceError
-        nil 
+        nil
       end
     end
 
     def _endpoint_operation_identifier(ctx)
       return @require_identifier unless @require_identifier.nil?
+
       operation_name = ctx.config.api.endpoint_operation
       operation = ctx.config.api.operation(operation_name)
       @require_identifier = operation.input.shape.members.any?
     end
 
     class Endpoint
-    
+
       # default endpoint cache time, 1 minute
       CACHE_PERIOD = 1
 
@@ -175,7 +178,7 @@ module Aws
         @created_time = Time.now
       end
 
-      # [String] valid URI address (with path) 
+      # [String] valid URI address (with path)
       attr_reader :address
 
       def expired?

data/lib/aws-sdk-core/errors.rb

@@ -1,5 +1,3 @@
-require 'thread'
-
 module Aws
   module Errors
 
@@ -13,9 +11,12 @@ module Aws
 
       # @param [Seahorse::Client::RequestContext] context
       # @param [String] message
-      def initialize(context, message)
+      # @param [Aws::Structure] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
         @code = self.class.code
+        @message = message if message && !message.empty?
         @context = context
+        @data = data
         super(message)
       end
 
@@ -26,12 +27,43 @@ module Aws
       #   that triggered the remote service to return this error.
       attr_reader :context
 
+      # @return [Aws::Structure]
+      attr_reader :data
+
       class << self
 
         # @return [String]
         attr_accessor :code
 
       end
+
+      # @api private undocumented
+      def retryable?
+        false
+      end
+
+      # @api private undocumented
+      def throttling?
+        false
+      end
+    end
+
+    # Raised when InstanceProfileCredentialsProvider or
+    # EcsCredentialsProvider fails to parse the metadata response after retries
+    class MetadataParserError < RuntimeError
+      def initialize(*args)
+        msg = "Failed to parse metadata service response."
+        super(msg)
+      end
+    end
+
+    # Raised when a `streaming` operation has `requiresLength` trait
+    # enabled but request payload size/length cannot be calculated
+    class MissingContentLength < RuntimeError
+      def initialize(*args)
+        msg = 'Required `Content-Length` value missing for the request.'
+        super(msg)
+      end
     end
 
     # Rasied when endpoint discovery failed for operations
@@ -58,10 +90,18 @@ module Aws
 
     end
 
+    # Raised when attempting to #signal an event before
+    # making an async request
+    class SignalEventError < RuntimeError; end
+
     # Raised when EventStream Parser failed to parse
     # a raw event message
     class EventStreamParserError < RuntimeError; end
 
+    # Raise when EventStream Builder failed to build
+    # an event message with parameters provided
+    class EventStreamBuilderError < RuntimeError; end
+
     # Error event in an event stream which has event_type :error
     # error code and error message can be retrieved when available.
     #
@@ -93,6 +133,29 @@ module Aws
 
     end
 
+    # Raised when ARN string input doesn't follow the standard:
+    # https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-arns
+    class InvalidARNError < RuntimeError; end
+
+    # Raised when the region from the ARN string is different from the :region
+    # configured on the service client.
+    class InvalidARNRegionError < RuntimeError
+      def initialize(*args)
+        msg = 'ARN region is different from the configured client region.'
+        super(msg)
+      end
+    end
+
+    # Raised when the partition of the ARN region is different than the
+    # partition of the :region configured on the service client.
+    class InvalidARNPartitionError < RuntimeError
+      def initialize(*args)
+        msg = 'ARN region partition is different from the configured '\
+              'client region partition.'
+        super(msg)
+      end
+    end
+
     # Various plugins perform client-side checksums of responses.
     # This error indicates a checksum failed.
     class ChecksumError < RuntimeError; end
@@ -126,6 +189,18 @@ module Aws
       end
     end
 
+    # Raised when :web_identity_token_file parameter is not
+    # provided or the file doesn't exist when initializing
+    # AssumeRoleWebIdentityCredentials credential provider
+    class MissingWebIdentityTokenFile < RuntimeError
+      def initialize(*args)
+        msg = 'Missing :web_identity_token_file parameter or'\
+          ' invalid file path provided for'\
+          ' Aws::AssumeRoleWebIdentityCredentials provider'
+        super(msg)
+      end
+    end
+
     # Raised when a credentials provider process returns a JSON
     # payload with either invalid version number or malformed contents
     class InvalidProcessCredentialsPayload < RuntimeError; end
@@ -157,8 +232,8 @@ This is typically the result of an invalid `:region` option or a
 poorly formatted `:endpoint` option.
 
 * Avoid configuring the `:endpoint` option directly. Endpoints are constructed
-  from the `:region`. The `:endpoint` option is reserved for connecting to
-  non-standard test endpoints.
+  from the `:region`. The `:endpoint` option is reserved for certain services
+  or for connecting to non-standard test endpoints.
 
 * Not every service is available in every region.
 
@@ -190,6 +265,15 @@ Known AWS regions include (not specific to this service):
 
     end
 
+    # Raised when attempting to retry a request
+    # and no capacity is available to retry (See adaptive retry_mode)
+    class RetryCapacityNotAvailableError < RuntimeError
+      def initialize(*args)
+        msg = 'Insufficient client side capacity available to retry request.'
+        super(msg)
+      end
+    end
+
     # This module is mixed into another module, providing dynamic
     # error classes.  Error classes all inherit from {ServiceError}.
     #
@@ -223,7 +307,11 @@ Known AWS regions include (not specific to this service):
       def error_class(error_code)
         constant = error_class_constant(error_code)
         if error_const_set?(constant)
-          const_get(constant)
+          # modeled error class exist
+          # set code attribute
+          err_class = const_get(constant)
+          err_class.code = constant.to_s
+          err_class
         else
           set_error_constant(constant)
         end

data/lib/aws-sdk-core/event_emitter.rb

@@ -3,8 +3,19 @@ module Aws
 
     def initialize
       @listeners = {}
+      @validate_event = true
+      @status = :sleep
+      @signal_queue = Queue.new
     end
 
+    attr_accessor :stream
+
+    attr_accessor :encoder
+
+    attr_accessor :validate_event
+
+    attr_accessor :signal_queue
+
     def on(type, callback)
       (@listeners[type] ||= []) << callback
     end
@@ -16,5 +27,36 @@ module Aws
       end
     end
 
+    def emit(type, params)
+      unless @stream
+        raise Aws::Errors::SignalEventError.new(
+          "Singaling events before making async request"\
+          " is not allowed."
+        )
+      end
+      if @validate_event && type != :end_stream
+        Aws::ParamValidator.validate!(
+          @encoder.rules.shape.member(type), params)
+      end
+      _ready_for_events?
+      @stream.data(
+        @encoder.encode(type, params),
+        end_stream: type == :end_stream
+      )
+    end
+
+    private
+
+    def _ready_for_events?
+      return true if @status == :ready
+
+      # blocked until once initial 200 response is received
+      # signal will be available in @signal_queue
+      # and this check will no longer be blocked
+      @signal_queue.pop
+      @status = :ready
+      true
+    end
+
   end
 end

data/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -11,6 +11,12 @@ module Aws
     # @api private
     class Non200Response < RuntimeError; end
 
+    # @api private
+    class TokenRetrivalError < RuntimeError; end
+
+    # @api private
+    class TokenExpiredError < RuntimeError; end
+
     # These are the errors we trap when attempting to talk to the
     # instance metadata service.  Any of these imply the service
     # is not present, no responding or some other non-recoverable
@@ -23,16 +29,24 @@ module Aws
       Errno::ENETUNREACH,
       SocketError,
       Timeout::Error,
-      Non200Response,
-    ]
+      Non200Response
+    ].freeze
+
+    # Path base for GET request for profile and credentials
+    # @api private
+    METADATA_PATH_BASE = '/latest/meta-data/iam/security-credentials/'.freeze
+
+    # Path for PUT request for token
+    # @api private
+    METADATA_TOKEN_PATH = '/latest/api/token'.freeze
 
     # @param [Hash] options
-    # @option options [Integer] :retries (5) Number of times to retry
+    # @option options [Integer] :retries (1) Number of times to retry
     #   when retrieving credentials.
     # @option options [String] :ip_address ('169.254.169.254')
     # @option options [Integer] :port (80)
-    # @option options [Float] :http_open_timeout (5)
-    # @option options [Float] :http_read_timeout (5)
+    # @option options [Float] :http_open_timeout (1)
+    # @option options [Float] :http_read_timeout (1)
     # @option options [Numeric, Proc] :delay By default, failures are retried
     #   with exponential back-off, i.e. `sleep(1.2 ** num_failures)`. You can
     #   pass a number of seconds to sleep between failed attempts, or
@@ -40,19 +54,25 @@ module Aws
     # @option options [IO] :http_debug_output (nil) HTTP wire
     #   traces are sent to this object.  You can specify something
     #   like $stdout.
-    def initialize options = {}
-      @retries = options[:retries] || 5
+    # @option options [Integer] :token_ttl Time-to-Live in seconds for EC2
+    #   Metadata Token used for fetching Metadata Profile Credentials, defaults
+    #   to 21600 seconds
+    def initialize(options = {})
+      @retries = options[:retries] || 1
       @ip_address = options[:ip_address] || '169.254.169.254'
       @port = options[:port] || 80
-      @http_open_timeout = options[:http_open_timeout] || 5
-      @http_read_timeout = options[:http_read_timeout] || 5
+      @http_open_timeout = options[:http_open_timeout] || 1
+      @http_read_timeout = options[:http_read_timeout] || 1
       @http_debug_output = options[:http_debug_output]
       @backoff = backoff(options[:backoff])
+      @token_ttl = options[:token_ttl] || 21_600
+      @token = nil
       super
     end
 
-    # @return [Integer] The number of times to retry failed attempts to
-    #   fetch credentials from the instance metadata service. Defaults to 0.
+    # @return [Integer] Number of times to retry when retrieving credentials
+    #   from the instance metadata service. Defaults to 0 when resolving from
+    #   the default credential chain ({Aws::CredentialProviderChain}).
     attr_reader :retries
 
     private
@@ -60,8 +80,8 @@ module Aws
     def backoff(backoff)
       case backoff
       when Proc then backoff
-      when Numeric then lambda { |_| sleep(backoff) }
-      else lambda { |num_failures| Kernel.sleep(1.2 ** num_failures) }
+      when Numeric then ->(_) { sleep(backoff) }
+      else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
       end
     end
 
@@ -69,14 +89,18 @@ module Aws
       # Retry loading credentials up to 3 times is the instance metadata
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
-      retry_errors([JSON::ParserError, StandardError], max_retries: 3) do
-        c = JSON.parse(get_credentials.to_s)
-        @credentials = Credentials.new(
-          c['AccessKeyId'],
-          c['SecretAccessKey'],
-          c['Token']
-        )
-        @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+      begin
+        retry_errors([JSON::ParserError, StandardError], max_retries: 3) do
+          c = JSON.parse(get_credentials.to_s)
+          @credentials = Credentials.new(
+            c['AccessKeyId'],
+            c['SecretAccessKey'],
+            c['Token']
+          )
+          @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+        end
+      rescue JSON::ParserError
+        raise Aws::Errors::MetadataParserError
       end
     end
 
@@ -89,9 +113,27 @@ module Aws
         begin
           retry_errors(NETWORK_ERRORS, max_retries: @retries) do
             open_connection do |conn|
-              path = '/latest/meta-data/iam/security-credentials/'
-              profile_name = http_get(conn, path).lines.first.strip
-              http_get(conn, path + profile_name)
+              # attempt to fetch token to start secure flow first
+              # and rescue to failover
+              begin
+                retry_errors(NETWORK_ERRORS, max_retries: @retries) do
+                  unless token_set?
+                    token_value, ttl = http_put(
+                      conn, METADATA_TOKEN_PATH, @token_ttl
+                    )
+                    @token = Token.new(token_value, ttl) if token_value && ttl
+                  end
+                end
+              rescue *NETWORK_ERRORS
+                # token attempt failed, reset token
+                # fallback to non-token mode
+                @token = nil
+              end
+
+              token = @token.value if token_set?
+              metadata = http_get(conn, METADATA_PATH_BASE, token)
+              profile_name = metadata.lines.first.strip
+              http_get(conn, METADATA_PATH_BASE + profile_name, token)
             end
           end
         rescue
@@ -100,9 +142,12 @@ module Aws
       end
     end
 
+    def token_set?
+      @token && !@token.expired?
+    end
+
     def _metadata_disabled?
-      flag = ENV["AWS_EC2_METADATA_DISABLED"]
-      !flag.nil? && flag.downcase == "true"
+      ENV.fetch('AWS_EC2_METADATA_DISABLED', 'false').downcase == 'true'
     end
 
     def open_connection
@@ -114,30 +159,67 @@ module Aws
       yield(http).tap { http.finish }
     end
 
-    def http_get(connection, path)
-      response = connection.request(Net::HTTP::Get.new(path, {"User-Agent" => "aws-sdk-ruby3/#{CORE_GEM_VERSION}"}))
-      if response.code.to_i == 200
-        response.body
+    # GET request fetch profile and credentials
+    def http_get(connection, path, token = nil)
+      headers = { 'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}" }
+      headers['x-aws-ec2-metadata-token'] = token if token
+      response = connection.request(Net::HTTP::Get.new(path, headers))
+      raise Non200Response unless response.code.to_i == 200
+
+      response.body
+    end
+
+    # PUT request fetch token with ttl
+    def http_put(connection, path, ttl)
+      headers = {
+        'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
+        'x-aws-ec2-metadata-token-ttl-seconds' => ttl.to_s
+      }
+      response = connection.request(Net::HTTP::Put.new(path, headers))
+      case response.code.to_i
+      when 200
+        [
+          response.body,
+          response.header['x-aws-ec2-metadata-token-ttl-seconds'].to_i
+        ]
+      when 400
+        raise TokenRetrivalError
+      when 401
+        raise TokenExpiredError
       else
         raise Non200Response
       end
     end
 
-    def retry_errors(error_classes, options = {}, &block)
+    def retry_errors(error_classes, options = {}, &_block)
       max_retries = options[:max_retries]
       retries = 0
       begin
         yield
       rescue *error_classes
-        if retries < max_retries
-          @backoff.call(retries)
-          retries += 1
-          retry
-        else
-          raise
-        end
+        raise unless retries < max_retries
+
+        @backoff.call(retries)
+        retries += 1
+        retry
       end
     end
 
+    # @api private
+    # Token used to fetch IMDS profile and credentials
+    class Token
+      def initialize(value, ttl)
+        @ttl = ttl
+        @value = value
+        @created_time = Time.now
+      end
+
+      # [String] token value
+      attr_reader :value
+
+      def expired?
+        Time.now - @created_time > @ttl
+      end
+    end
   end
 end