aws-sdk-core 3.46.0 → 3.94.0

data/lib/aws-sdk-core/plugins/signature_v4.rb

@@ -42,7 +42,7 @@ module Aws
       option(:unsigned_operations) do |cfg|
         cfg.api.operation_names.inject([]) do |unsigned, operation_name|
           if cfg.api.operation(operation_name)['authtype'] == 'none' ||
-            cfg.api.operation(operation_name)['authtype'] == 'custom'
+             cfg.api.operation(operation_name)['authtype'] == 'custom'
             # Unsign requests that has custom apigateway authorizer as well
             unsigned << operation_name
           else
@@ -107,6 +107,17 @@ module Aws
           req.headers.delete('X-Amz-Security-Token')
           req.headers.delete('X-Amz-Date')
 
+          if context.config.respond_to?(:clock_skew) &&
+             context.config.clock_skew &&
+             context.config.correct_clock_skew
+
+            endpoint = context.http_request.endpoint
+            skew = context.config.clock_skew.clock_correction(endpoint)
+            if skew.abs > 0
+              req.headers['X-Amz-Date'] = (Time.now.utc + skew).strftime("%Y%m%dT%H%M%SZ")
+            end
+          end
+
           # compute the signature
           begin
             signature = signer.sign_request(
@@ -130,7 +141,7 @@ module Aws
         # @api private
         def apply_authtype(context)
           if context.operation['authtype'].eql?('v4-unsigned-body') &&
-            context.http_request.endpoint.scheme.eql?('https')
+             context.http_request.endpoint.scheme.eql?('https')
             context.http_request.headers['X-Amz-Content-Sha256'] = 'UNSIGNED-PAYLOAD'
           end
           context

data/lib/aws-sdk-core/plugins/stub_responses.rb

@@ -34,6 +34,7 @@ requests are made, and retries are disabled.
         if client.config.stub_responses
           client.setup_stubbing
           client.handlers.remove(RetryErrors::Handler)
+          client.handlers.remove(RetryErrors::LegacyHandler)
           client.handlers.remove(ClientMetricsPlugin::Handler)
           client.handlers.remove(ClientMetricsSendPlugin::LatencyHandler)
           client.handlers.remove(ClientMetricsSendPlugin::AttemptHandler)
@@ -45,15 +46,18 @@ requests are made, and retries are disabled.
         def call(context)
           stub = context.client.next_stub(context)
           resp = Seahorse::Client::Response.new(context: context)
-          apply_stub(stub, resp)
-          resp
+          async_mode = context.client.is_a? Seahorse::Client::AsyncBase
+          apply_stub(stub, resp, async_mode)
+
+          async_mode ? Seahorse::Client::AsyncResponse.new(
+            context: context, stream: context[:input_event_stream_handler].event_emitter.stream, sync_queue: Queue.new) : resp
         end
 
-        def apply_stub(stub, response)
+        def apply_stub(stub, response, async_mode = false)
           http_resp = response.context.http_response
           case
           when stub[:error] then signal_error(stub[:error], http_resp)
-          when stub[:http] then signal_http(stub[:http], http_resp)
+          when stub[:http] then signal_http(stub[:http], http_resp, async_mode)
           when stub[:data] then response.data = stub[:data]
           end
         end
@@ -67,9 +71,18 @@ requests are made, and retries are disabled.
         end
 
         # @param [Seahorse::Client::Http::Response] stub
-        # @param [Seahorse::Client::Http::Response] http_resp
-        def signal_http(stub, http_resp)
-          http_resp.signal_headers(stub.status_code, stub.headers.to_h)
+        # @param [Seahorse::Client::Http::Response | Seahorse::Client::Http::AsyncResponse] http_resp
+        # @param [Boolean] async_mode
+        def signal_http(stub, http_resp, async_mode = false)
+          if async_mode
+            h2_headers = stub.headers.to_h.inject([]) do |arr, (k, v)|
+              arr << [k, v]
+            end
+            h2_headers << [":status", stub.status_code]
+            http_resp.signal_headers(h2_headers)
+          else
+            http_resp.signal_headers(stub.status_code, stub.headers.to_h)
+          end
           while chunk = stub.body.read(1024 * 1024)
             http_resp.signal_data(chunk)
           end

data/lib/aws-sdk-core/plugins/transfer_encoding.rb

@@ -0,0 +1,51 @@
+module Aws
+  module Plugins
+
+    # For Streaming Input Operations, when `requiresLength` is enabled
+    # checking whether `Content-Length` header can be set,
+    # for `v4-unsigned-body` operations, set `Transfer-Encoding` header
+    class TransferEncoding < Seahorse::Client::Plugin
+
+      # @api private
+      class Handler < Seahorse::Client::Handler
+        def call(context)
+          if streaming?(context.operation.input)
+            # If it's an IO object and not a File / String / String IO
+            unless context.http_request.body.respond_to?(:size)
+              if requires_length?(context.operation.input)
+                # if size of the IO is not available but required
+                raise Aws::Errors::MissingContentLength.new
+              elsif context.operation['authtype'] == "v4-unsigned-body"
+                context.http_request.headers['Transfer-Encoding'] = 'chunked'
+              end
+            end
+          end
+
+          @handler.call(context)
+        end
+
+        private
+
+        def streaming?(ref)
+          if payload = ref[:payload_member]
+            payload["streaming"] || # checking ref and shape
+              payload.shape["streaming"]
+          else
+            false
+          end
+        end
+
+        def requires_length?(ref)
+          payload = ref[:payload_member]
+          payload["requiresLength"] || # checking ref and shape
+            payload.shape["requiresLength"]
+        end
+
+      end
+
+      handler(Handler, step: :sign)
+
+    end
+
+  end
+end

data/lib/aws-sdk-core/plugins/user_agent.rb

@@ -2,20 +2,16 @@ module Aws
   module Plugins
     # @api private
     class UserAgent < Seahorse::Client::Plugin
-
       option(:user_agent_suffix)
 
       # @api private
       class Handler < Seahorse::Client::Handler
-
         def call(context)
           set_user_agent(context)
           @handler.call(context)
         end
 
         def set_user_agent(context)
-          execution_env = ENV["AWS_EXECUTION_ENV"]
-
           ua = "aws-sdk-ruby3/#{CORE_GEM_VERSION}"
 
           begin
@@ -30,19 +26,19 @@ module Aws
             ua += " #{context[:gem_name]}/#{context[:gem_version]}"
           end
 
-          if execution_env
+          if (execution_env = ENV['AWS_EXECUTION_ENV'])
             ua += " exec-env/#{execution_env}"
           end
 
-          ua += " #{context.config.user_agent_suffix}" if context.config.user_agent_suffix
+          if context.config.user_agent_suffix
+            ua += " #{context.config.user_agent_suffix}"
+          end
 
           context.http_request.headers['User-Agent'] = ua.strip
         end
-
       end
 
       handler(Handler)
-
     end
   end
 end

data/lib/aws-sdk-core/process_credentials.rb

@@ -5,7 +5,7 @@ module Aws
   # A credential provider that executes a given process and attempts
   # to read its stdout to recieve a JSON payload containing the credentials
   #
-  # Automatically handles refreshing credentials if an Expiration time is 
+  # Automatically handles refreshing credentials if an Expiration time is
   # provided in the credentials payload
   #
   #     credentials = Aws::ProcessCredentials.new('/usr/bin/credential_proc').credentials
@@ -23,10 +23,12 @@ module Aws
     # external process to be used as a credential provider.
     #
     # @param [String] process Invocation string for process
-    # credentials provider. 
+    # credentials provider.
     def initialize(process)
       @process = process
       @credentials = credentials_from_process(@process)
+
+      super
     end
 
     private
@@ -38,7 +40,11 @@ module Aws
       end
 
       if process_status.success?
-        creds_json = JSON.parse(raw_out)
+        begin
+          creds_json = JSON.parse(raw_out)
+        rescue JSON::ParserError
+          raise Errors::InvalidProcessCredentialsPayload.new("Invalid JSON response")
+        end
         payload_version = creds_json['Version']
         if payload_version == 1
           _parse_payload_format_v1(creds_json)

data/lib/aws-sdk-core/shared_config.rb

@@ -1,8 +1,6 @@
 module Aws
-
   # @api private
   class SharedConfig
-
     # @return [String]
     attr_reader :credentials_path
 
@@ -48,7 +46,7 @@ module Aws
       @profile_name = determine_profile(options)
       @config_enabled = options[:config_enabled]
       @credentials_path = options[:credentials_path] ||
-        determine_credentials_path
+                          determine_credentials_path
       @parsed_credentials = {}
       load_credentials_file if loadable?(@credentials_path)
       if @config_enabled
@@ -67,7 +65,7 @@ module Aws
       @config_enabled = options[:config_enabled] ? true : false
       @profile_name = determine_profile(options)
       @credentials_path = options[:credentials_path] ||
-        determine_credentials_path
+                          determine_credentials_path
       load_credentials_file if loadable?(@credentials_path)
       if @config_enabled
         @config_path = options[:config_path] || determine_config_path
@@ -99,12 +97,10 @@ module Aws
     def credentials(opts = {})
       p = opts[:profile] || @profile_name
       validate_profile_exists(p) if credentials_present?
-      if credentials = credentials_from_shared(p, opts)
+      if (credentials = credentials_from_shared(p, opts))
         credentials
-      elsif credentials = credentials_from_config(p, opts)
+      elsif (credentials = credentials_from_config(p, opts))
         credentials
-      else
-        nil
       end
     end
 
@@ -121,79 +117,61 @@ module Aws
       credentials
     end
 
-    def region(opts = {})
+    def assume_role_web_identity_credentials_from_config(opts = {})
       p = opts[:profile] || @profile_name
-      if @config_enabled
-        if @parsed_credentials
-          region = @parsed_credentials.fetch(p, {})["region"]
-        end
-        if @parsed_config
-          region ||= @parsed_config.fetch(p, {})["region"]
+      if @config_enabled && @parsed_config
+        entry = @parsed_config.fetch(p, {})
+        if entry['web_identity_token_file'] && entry['role_arn']
+          cfg = {
+            role_arn: entry['role_arn'],
+            web_identity_token_file: entry['web_identity_token_file'],
+            role_session_name: entry['role_session_name']
+          }
+          cfg[:region] = opts[:region] if opts[:region]
+          AssumeRoleWebIdentityCredentials.new(cfg)
         end
-        region
-      else
-        nil
       end
     end
 
-    def endpoint_discovery(opts = {})
-      p = opts[:profile] || @profile_name
-      if @config_enabled && @parsed_config
-        @parsed_config.fetch(p, {})["endpoint_discovery_enabled"]
+    # Add an accessor method (similar to attr_reader) to return a configuration value
+    # Uses the get_config_value below to control where
+    # values are loaded from
+    def self.config_reader(*attrs)
+      attrs.each do |attr|
+        define_method(attr) { |opts = {}| get_config_value(attr.to_s, opts) }
       end
     end
 
-    def credentials_process(profile)
-      validate_profile_exists(profile)
-      @parsed_config[profile]['credential_process']
-    end
+    config_reader(
+      :region,
+      :credential_process,
+      :endpoint_discovery_enabled,
+      :max_attempts,
+      :retry_mode,
+      :adaptive_retry_wait_to_fill,
+      :correct_clock_skew,
+      :csm_client_id,
+      :csm_enabled,
+      :csm_host,
+      :csm_port,
+      :sts_regional_endpoints,
+      :s3_use_arn_region,
+      :s3_us_east_1_regional_endpoint
+    )
 
-    def csm_enabled(opts = {})
-      p = opts[:profile] || @profile_name
-      if @config_enabled
-        if @parsed_credentials
-          value = @parsed_credentials.fetch(p, {})["csm_enabled"]
-        end
-        if @parsed_config
-          value ||= @parsed_config.fetch(p, {})["csm_enabled"]
-        end
-        value
-      else
-        nil
-      end
-    end
+    private
 
-    def csm_client_id(opts = {})
+    # Get a config value from from shared credential/config files.
+    # Only loads a value when config_enabled is true
+    # Return a value from credentials preferentially over config
+    def get_config_value(key, opts)
       p = opts[:profile] || @profile_name
-      if @config_enabled
-        if @parsed_credentials
-          value = @parsed_credentials.fetch(p, {})["csm_client_id"]
-        end
-        if @parsed_config
-          value ||= @parsed_config.fetch(p, {})["csm_client_id"]
-        end
-        value
-      else
-        nil
-      end
-    end
 
-    def csm_port(opts = {})
-      p = opts[:profile] || @profile_name
-      if @config_enabled
-        if @parsed_credentials
-          value = @parsed_credentials.fetch(p, {})["csm_port"]
-        end
-        if @parsed_config
-          value ||= @parsed_config.fetch(p, {})["csm_port"]
-        end
-        value
-      else
-        nil
-      end
+      value = @parsed_credentials.fetch(p, {})[key] if @parsed_credentials
+      value ||= @parsed_config.fetch(p, {})[key] if @config_enabled && @parsed_config
+      value
     end
 
-    private
     def credentials_present?
       (@parsed_credentials && !@parsed_credentials.empty?) ||
         (@parsed_config && !@parsed_config.empty?)
@@ -201,30 +179,28 @@ module Aws
 
     def assume_role_from_profile(cfg, profile, opts, chain_config)
       if cfg && prof_cfg = cfg[profile]
-        opts[:source_profile] ||= prof_cfg["source_profile"]
+        opts[:source_profile] ||= prof_cfg['source_profile']
         credential_source = opts.delete(:credential_source)
-        credential_source ||= prof_cfg["credential_source"]
+        credential_source ||= prof_cfg['credential_source']
         if opts[:source_profile] && credential_source
-          raise Errors::CredentialSourceConflictError.new(
-            "Profile #{profile} has a source_profile, and "\
-              "a credential_source. For assume role credentials, must "\
-              "provide only source_profile or credential_source, not both."
-          )
+          raise Errors::CredentialSourceConflictError,
+                "Profile #{profile} has a source_profile, and "\
+                'a credential_source. For assume role credentials, must '\
+                'provide only source_profile or credential_source, not both.'
         elsif opts[:source_profile]
-          opts[:credentials] = credentials(profile: opts[:source_profile])
+          opts[:credentials] = resolve_source_profile(opts[:source_profile], opts)
           if opts[:credentials]
-            opts[:role_session_name] ||= prof_cfg["role_session_name"]
-            opts[:role_session_name] ||= "default_session"
-            opts[:role_arn] ||= prof_cfg["role_arn"]
-            opts[:external_id] ||= prof_cfg["external_id"]
-            opts[:serial_number] ||= prof_cfg["mfa_serial"]
+            opts[:role_session_name] ||= prof_cfg['role_session_name']
+            opts[:role_session_name] ||= 'default_session'
+            opts[:role_arn] ||= prof_cfg['role_arn']
+            opts[:duration_seconds] ||= prof_cfg['duration_seconds']
+            opts[:external_id] ||= prof_cfg['external_id']
+            opts[:serial_number] ||= prof_cfg['mfa_serial']
             opts[:profile] = opts.delete(:source_profile)
             AssumeRoleCredentials.new(opts)
           else
-            raise Errors::NoSourceProfileError.new(
-              "Profile #{profile} has a role_arn, and source_profile, but the"\
-                " source_profile does not have credentials."
-            )
+            raise Errors::NoSourceProfileError, "Profile #{profile} has a role_arn, and source_profile, but the"\
+                ' source_profile does not have credentials.'
           end
         elsif credential_source
           opts[:credentials] = credentials_from_source(
@@ -232,61 +208,64 @@ module Aws
             chain_config
           )
           if opts[:credentials]
-            opts[:role_session_name] ||= prof_cfg["role_session_name"]
-            opts[:role_session_name] ||= "default_session"
-            opts[:role_arn] ||= prof_cfg["role_arn"]
-            opts[:external_id] ||= prof_cfg["external_id"]
-            opts[:serial_number] ||= prof_cfg["mfa_serial"]
+            opts[:role_session_name] ||= prof_cfg['role_session_name']
+            opts[:role_session_name] ||= 'default_session'
+            opts[:role_arn] ||= prof_cfg['role_arn']
+            opts[:duration_seconds] ||= prof_cfg['duration_seconds']
+            opts[:external_id] ||= prof_cfg['external_id']
+            opts[:serial_number] ||= prof_cfg['mfa_serial']
             opts.delete(:source_profile) # Cleanup
             AssumeRoleCredentials.new(opts)
           else
-            raise Errors::NoSourceCredentials.new(
-              "Profile #{profile} could not get source credentials from"\
+            raise Errors::NoSourceCredentials, "Profile #{profile} could not get source credentials from"\
                 " provider #{credential_source}"
-            )
           end
-        elsif prof_cfg["role_arn"]
-          raise Errors::NoSourceProfileError.new(
-            "Profile #{profile} has a role_arn, but no source_profile."
-          )
-        else
-          nil
+        elsif prof_cfg['role_arn']
+          raise Errors::NoSourceProfileError, "Profile #{profile} has a role_arn, but no source_profile."
         end
-      else
-        nil
+      end
+    end
+
+    def resolve_source_profile(profile, opts = {})
+      if (creds = credentials(profile: profile))
+        creds # static credentials
+      elsif (provider = assume_role_web_identity_credentials_from_config(opts.merge(profile: profile)))
+        provider.credentials if provider.credentials.set?
+      elsif (provider = assume_role_process_credentials_from_config(profile))
+        provider.credentials if provider.credentials.set?
       end
     end
 
     def credentials_from_source(credential_source, config)
       case credential_source
-      when "Ec2InstanceMetadata"
+      when 'Ec2InstanceMetadata'
         InstanceProfileCredentials.new(
           retries: config ? config.instance_profile_credentials_retries : 0,
           http_open_timeout: config ? config.instance_profile_credentials_timeout : 1,
           http_read_timeout: config ? config.instance_profile_credentials_timeout : 1
         )
-      when "EcsContainer"
+      when 'EcsContainer'
         ECSCredentials.new
       else
-        raise Errors::InvalidCredentialSourceError.new(
-          "Unsupported credential_source: #{credential_source}"
-        )
+        raise Errors::InvalidCredentialSourceError, "Unsupported credential_source: #{credential_source}"
       end
     end
 
-    def credentials_from_shared(profile, opts)
+    def assume_role_process_credentials_from_config(profile)
+      validate_profile_exists(profile)
+      credential_process = @parsed_config[profile]['credential_process']
+      ProcessCredentials.new(credential_process) if credential_process
+    end
+
+    def credentials_from_shared(profile, _opts)
       if @parsed_credentials && prof_config = @parsed_credentials[profile]
         credentials_from_profile(prof_config)
-      else
-        nil
       end
     end
 
-    def credentials_from_config(profile, opts)
+    def credentials_from_config(profile, _opts)
       if @parsed_config && prof_config = @parsed_config[profile]
         credentials_from_profile(prof_config)
-      else
-        nil
       end
     end
 
@@ -296,15 +275,7 @@ module Aws
         prof_config['aws_secret_access_key'],
         prof_config['aws_session_token']
       )
-      if credentials_complete(creds)
-        creds
-      else
-        nil
-      end
-    end
-
-    def credentials_complete(creds)
-      creds.set?
+      creds if creds.set?
     end
 
     def load_credentials_file
@@ -334,19 +305,18 @@ module Aws
 
     def validate_profile_exists(profile)
       unless (@parsed_credentials && @parsed_credentials[profile]) ||
-          (@parsed_config && @parsed_config[profile])
+             (@parsed_config && @parsed_config[profile])
         msg = "Profile `#{profile}' not found in #{@credentials_path}"
         msg << " or #{@config_path}" if @config_path
-        raise Errors::NoSuchProfileError.new(msg)
+        raise Errors::NoSuchProfileError, msg
       end
     end
 
     def determine_profile(options)
       ret = options[:profile_name]
-      ret ||= ENV["AWS_PROFILE"]
-      ret ||= "default"
+      ret ||= ENV['AWS_PROFILE']
+      ret ||= 'default'
       ret
     end
-
   end
 end