aws-sdk-core 3.46.2 → 3.126.2

data/lib/aws-sdk-core/shared_config.rb

@@ -1,7 +1,9 @@
-module Aws
+# frozen_string_literal: true
 
+module Aws
   # @api private
   class SharedConfig
+    SSO_PROFILE_KEYS = %w[sso_start_url sso_region sso_account_id sso_role_name].freeze
 
     # @return [String]
     attr_reader :credentials_path
@@ -48,7 +50,7 @@ module Aws
       @profile_name = determine_profile(options)
       @config_enabled = options[:config_enabled]
       @credentials_path = options[:credentials_path] ||
-        determine_credentials_path
+                          determine_credentials_path
       @parsed_credentials = {}
       load_credentials_file if loadable?(@credentials_path)
       if @config_enabled
@@ -67,7 +69,7 @@ module Aws
       @config_enabled = options[:config_enabled] ? true : false
       @profile_name = determine_profile(options)
       @credentials_path = options[:credentials_path] ||
-        determine_credentials_path
+                          determine_credentials_path
       load_credentials_file if loadable?(@credentials_path)
       if @config_enabled
         @config_path = options[:config_path] || determine_config_path
@@ -98,13 +100,11 @@ module Aws
     #   or `nil` if no valid credentials were found.
     def credentials(opts = {})
       p = opts[:profile] || @profile_name
-      validate_profile_exists(p) if credentials_present?
-      if credentials = credentials_from_shared(p, opts)
+      validate_profile_exists(p)
+      if (credentials = credentials_from_shared(p, opts))
         credentials
-      elsif credentials = credentials_from_config(p, opts)
+      elsif (credentials = credentials_from_config(p, opts))
         credentials
-      else
-        nil
       end
     end
 
@@ -121,110 +121,107 @@ module Aws
       credentials
     end
 
-    def region(opts = {})
+    def assume_role_web_identity_credentials_from_config(opts = {})
       p = opts[:profile] || @profile_name
-      if @config_enabled
-        if @parsed_credentials
-          region = @parsed_credentials.fetch(p, {})["region"]
-        end
-        if @parsed_config
-          region ||= @parsed_config.fetch(p, {})["region"]
+      if @config_enabled && @parsed_config
+        entry = @parsed_config.fetch(p, {})
+        if entry['web_identity_token_file'] && entry['role_arn']
+          cfg = {
+            role_arn: entry['role_arn'],
+            web_identity_token_file: entry['web_identity_token_file'],
+            role_session_name: entry['role_session_name']
+          }
+          cfg[:region] = opts[:region] if opts[:region]
+          AssumeRoleWebIdentityCredentials.new(cfg)
         end
-        region
-      else
-        nil
       end
     end
 
-    def endpoint_discovery(opts = {})
+    # Attempts to load from shared config or shared credentials file.
+    # Will always attempt first to load from the shared credentials
+    # file, if present.
+    def sso_credentials_from_config(opts = {})
       p = opts[:profile] || @profile_name
-      if @config_enabled && @parsed_config
-        @parsed_config.fetch(p, {})["endpoint_discovery_enabled"]
+      credentials = sso_credentials_from_profile(@parsed_credentials, p)
+      if @parsed_config
+        credentials ||= sso_credentials_from_profile(@parsed_config, p)
       end
+      credentials
     end
 
-    def credentials_process(profile)
-      validate_profile_exists(profile)
-      @parsed_config[profile]['credential_process']
-    end
-
-    def csm_enabled(opts = {})
-      p = opts[:profile] || @profile_name
-      if @config_enabled
-        if @parsed_credentials
-          value = @parsed_credentials.fetch(p, {})["csm_enabled"]
-        end
-        if @parsed_config
-          value ||= @parsed_config.fetch(p, {})["csm_enabled"]
-        end
-        value
-      else
-        nil
+    # Add an accessor method (similar to attr_reader) to return a configuration value
+    # Uses the get_config_value below to control where
+    # values are loaded from
+    def self.config_reader(*attrs)
+      attrs.each do |attr|
+        define_method(attr) { |opts = {}| get_config_value(attr.to_s, opts) }
       end
     end
 
-    def csm_client_id(opts = {})
-      p = opts[:profile] || @profile_name
-      if @config_enabled
-        if @parsed_credentials
-          value = @parsed_credentials.fetch(p, {})["csm_client_id"]
-        end
-        if @parsed_config
-          value ||= @parsed_config.fetch(p, {})["csm_client_id"]
-        end
-        value
-      else
-        nil
-      end
-    end
+    config_reader(
+      :region,
+      :ca_bundle,
+      :credential_process,
+      :endpoint_discovery_enabled,
+      :use_dualstack_endpoint,
+      :use_fips_endpoint,
+      :ec2_metadata_service_endpoint,
+      :ec2_metadata_service_endpoint_mode,
+      :max_attempts,
+      :retry_mode,
+      :adaptive_retry_wait_to_fill,
+      :correct_clock_skew,
+      :csm_client_id,
+      :csm_enabled,
+      :csm_host,
+      :csm_port,
+      :sts_regional_endpoints,
+      :s3_use_arn_region,
+      :s3_us_east_1_regional_endpoint,
+      :s3_disable_multiregion_access_points,
+      :defaults_mode
+    )
+
+    private
 
-    def csm_port(opts = {})
+    # Get a config value from from shared credential/config files.
+    # Only loads a value when config_enabled is true
+    # Return a value from credentials preferentially over config
+    def get_config_value(key, opts)
       p = opts[:profile] || @profile_name
-      if @config_enabled
-        if @parsed_credentials
-          value = @parsed_credentials.fetch(p, {})["csm_port"]
-        end
-        if @parsed_config
-          value ||= @parsed_config.fetch(p, {})["csm_port"]
-        end
-        value
-      else
-        nil
-      end
-    end
 
-    private
-    def credentials_present?
-      (@parsed_credentials && !@parsed_credentials.empty?) ||
-        (@parsed_config && !@parsed_config.empty?)
+      value = @parsed_credentials.fetch(p, {})[key] if @parsed_credentials
+      value ||= @parsed_config.fetch(p, {})[key] if @config_enabled && @parsed_config
+      value
     end
 
     def assume_role_from_profile(cfg, profile, opts, chain_config)
       if cfg && prof_cfg = cfg[profile]
-        opts[:source_profile] ||= prof_cfg["source_profile"]
+        opts[:source_profile] ||= prof_cfg['source_profile']
         credential_source = opts.delete(:credential_source)
-        credential_source ||= prof_cfg["credential_source"]
+        credential_source ||= prof_cfg['credential_source']
         if opts[:source_profile] && credential_source
-          raise Errors::CredentialSourceConflictError.new(
+          raise Errors::CredentialSourceConflictError,
             "Profile #{profile} has a source_profile, and "\
-              "a credential_source. For assume role credentials, must "\
-              "provide only source_profile or credential_source, not both."
-          )
+            'a credential_source. For assume role credentials, must '\
+            'provide only source_profile or credential_source, not both.'
         elsif opts[:source_profile]
-          opts[:credentials] = credentials(profile: opts[:source_profile])
+          opts[:visited_profiles] ||= Set.new
+          opts[:credentials] = resolve_source_profile(opts[:source_profile], opts)
           if opts[:credentials]
-            opts[:role_session_name] ||= prof_cfg["role_session_name"]
-            opts[:role_session_name] ||= "default_session"
-            opts[:role_arn] ||= prof_cfg["role_arn"]
-            opts[:external_id] ||= prof_cfg["external_id"]
-            opts[:serial_number] ||= prof_cfg["mfa_serial"]
+            opts[:role_session_name] ||= prof_cfg['role_session_name']
+            opts[:role_session_name] ||= 'default_session'
+            opts[:role_arn] ||= prof_cfg['role_arn']
+            opts[:duration_seconds] ||= prof_cfg['duration_seconds']
+            opts[:external_id] ||= prof_cfg['external_id']
+            opts[:serial_number] ||= prof_cfg['mfa_serial']
             opts[:profile] = opts.delete(:source_profile)
+            opts.delete(:visited_profiles)
             AssumeRoleCredentials.new(opts)
           else
-            raise Errors::NoSourceProfileError.new(
+            raise Errors::NoSourceProfileError,
               "Profile #{profile} has a role_arn, and source_profile, but the"\
-                " source_profile does not have credentials."
-            )
+              ' source_profile does not have credentials.'
           end
         elsif credential_source
           opts[:credentials] = credentials_from_source(
@@ -232,61 +229,99 @@ module Aws
             chain_config
           )
           if opts[:credentials]
-            opts[:role_session_name] ||= prof_cfg["role_session_name"]
-            opts[:role_session_name] ||= "default_session"
-            opts[:role_arn] ||= prof_cfg["role_arn"]
-            opts[:external_id] ||= prof_cfg["external_id"]
-            opts[:serial_number] ||= prof_cfg["mfa_serial"]
+            opts[:role_session_name] ||= prof_cfg['role_session_name']
+            opts[:role_session_name] ||= 'default_session'
+            opts[:role_arn] ||= prof_cfg['role_arn']
+            opts[:duration_seconds] ||= prof_cfg['duration_seconds']
+            opts[:external_id] ||= prof_cfg['external_id']
+            opts[:serial_number] ||= prof_cfg['mfa_serial']
             opts.delete(:source_profile) # Cleanup
             AssumeRoleCredentials.new(opts)
           else
-            raise Errors::NoSourceCredentials.new(
+            raise Errors::NoSourceCredentials,
               "Profile #{profile} could not get source credentials from"\
-                " provider #{credential_source}"
-            )
+              " provider #{credential_source}"
           end
-        elsif prof_cfg["role_arn"]
-          raise Errors::NoSourceProfileError.new(
-            "Profile #{profile} has a role_arn, but no source_profile."
-          )
-        else
-          nil
+        elsif prof_cfg['role_arn']
+          raise Errors::NoSourceProfileError, "Profile #{profile} has a role_arn, but no source_profile."
         end
-      else
-        nil
+      end
+    end
+
+    def resolve_source_profile(profile, opts = {})
+      if opts[:visited_profiles] && opts[:visited_profiles].include?(profile)
+        raise Errors::SourceProfileCircularReferenceError
+      end
+      opts[:visited_profiles].add(profile) if opts[:visited_profiles]
+
+      profile_config = @parsed_credentials[profile]
+      if @config_enabled
+        profile_config ||= @parsed_config[profile]
+      end
+
+      if (creds = credentials(profile: profile))
+        creds # static credentials
+      elsif profile_config && profile_config['source_profile']
+        opts.delete(:source_profile)
+        assume_role_credentials_from_config(opts.merge(profile: profile))
+      elsif (provider = assume_role_web_identity_credentials_from_config(opts.merge(profile: profile)))
+        provider.credentials if provider.credentials.set?
+      elsif (provider = assume_role_process_credentials_from_config(profile))
+        provider.credentials if provider.credentials.set?
+      elsif (provider = sso_credentials_from_config(profile: profile))
+        provider.credentials if provider.credentials.set?
       end
     end
 
     def credentials_from_source(credential_source, config)
       case credential_source
-      when "Ec2InstanceMetadata"
+      when 'Ec2InstanceMetadata'
         InstanceProfileCredentials.new(
           retries: config ? config.instance_profile_credentials_retries : 0,
           http_open_timeout: config ? config.instance_profile_credentials_timeout : 1,
           http_read_timeout: config ? config.instance_profile_credentials_timeout : 1
         )
-      when "EcsContainer"
+      when 'EcsContainer'
         ECSCredentials.new
       else
-        raise Errors::InvalidCredentialSourceError.new(
-          "Unsupported credential_source: #{credential_source}"
-        )
+        raise Errors::InvalidCredentialSourceError, "Unsupported credential_source: #{credential_source}"
+      end
+    end
+
+    def assume_role_process_credentials_from_config(profile)
+      validate_profile_exists(profile)
+      credential_process = @parsed_credentials.fetch(profile, {})['credential_process']
+      if @parsed_config
+        credential_process ||= @parsed_config.fetch(profile, {})['credential_process']
       end
+      ProcessCredentials.new(credential_process) if credential_process
     end
 
-    def credentials_from_shared(profile, opts)
+    def credentials_from_shared(profile, _opts)
       if @parsed_credentials && prof_config = @parsed_credentials[profile]
         credentials_from_profile(prof_config)
-      else
-        nil
       end
     end
 
-    def credentials_from_config(profile, opts)
+    def credentials_from_config(profile, _opts)
       if @parsed_config && prof_config = @parsed_config[profile]
         credentials_from_profile(prof_config)
-      else
-        nil
+      end
+    end
+
+    # If any of the sso_ profile values are present, attempt to construct
+    # SSOCredentials
+    def sso_credentials_from_profile(cfg, profile)
+      if @parsed_config &&
+         (prof_config = cfg[profile]) &&
+         !(prof_config.keys & SSO_PROFILE_KEYS).empty?
+
+        SSOCredentials.new(
+          sso_start_url: prof_config['sso_start_url'],
+          sso_region: prof_config['sso_region'],
+          sso_account_id: prof_config['sso_account_id'],
+          sso_role_name: prof_config['sso_role_name']
+        )
       end
     end
 
@@ -296,15 +331,7 @@ module Aws
         prof_config['aws_secret_access_key'],
         prof_config['aws_session_token']
       )
-      if credentials_complete(creds)
-        creds
-      else
-        nil
-      end
-    end
-
-    def credentials_complete(creds)
-      creds.set?
+      creds if creds.set?
     end
 
     def load_credentials_file
@@ -334,19 +361,18 @@ module Aws
 
     def validate_profile_exists(profile)
       unless (@parsed_credentials && @parsed_credentials[profile]) ||
-          (@parsed_config && @parsed_config[profile])
-        msg = "Profile `#{profile}' not found in #{@credentials_path}"
-        msg << " or #{@config_path}" if @config_path
-        raise Errors::NoSuchProfileError.new(msg)
+             (@parsed_config && @parsed_config[profile])
+        msg = "Profile `#{profile}' not found in #{@credentials_path}"\
+              "#{" or #{@config_path}" if @config_path}"
+        raise Errors::NoSuchProfileError, msg
       end
     end
 
     def determine_profile(options)
       ret = options[:profile_name]
-      ret ||= ENV["AWS_PROFILE"]
-      ret ||= "default"
+      ret ||= ENV['AWS_PROFILE']
+      ret ||= 'default'
       ret
     end
-
   end
 end

data/lib/aws-sdk-core/shared_credentials.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'ini_parser'
 
 module Aws
@@ -12,11 +14,17 @@ module Aws
       'aws_session_token' => 'session_token',
     }
 
-    # Constructs a new SharedCredentials object. This will load AWS access
+    # Constructs a new SharedCredentials object. This will load static
+    # (access_key_id, secret_access_key and session_token) AWS access
     # credentials from an ini file, which supports profiles. The default
     # profile name is 'default'. You can specify the profile name with the
     # `ENV['AWS_PROFILE']` or with the `:profile_name` option.
     #
+    # To use credentials from the default credential resolution chain
+    # create a client without the credential option specified.
+    # You may access the resolved credentials through
+    # `client.config.credentials`.
+    #
     # @option [String] :path Path to the shared file.  Defaults
     #   to "#{Dir.home}/.aws/credentials".
     #

data/lib/aws-sdk-core/sso_credentials.rb

@@ -0,0 +1,136 @@
+# frozen_string_literal: true
+
+module Aws
+  # An auto-refreshing credential provider that works by assuming a
+  # role via {Aws::SSO::Client#get_role_credentials} using a cached access
+  # token.  This class does NOT implement the SSO login token flow - tokens
+  # must generated and refreshed separately by running `aws login` from the
+  # AWS CLI with the correct profile.
+  #
+  # For more background on AWS SSO see the official
+  # {https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html what is SSO Userguide}
+  #
+  # ## Refreshing Credentials from SSO
+  #
+  # The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In
+  # addition to AWS credentials expiring after a given amount of time, the
+  # access token generated and cached from `aws login` will also expire.
+  # Once this token expires, it will not be usable to refresh AWS credentials,
+  # and another token will be needed. The SDK does not manage refreshing of
+  # the token value, but this can be done by running `aws login` with the
+  # correct profile.
+  #
+  #
+  #     # You must first run aws sso login --profile your-sso-profile
+  #     sso_credentials = Aws::SSOCredentials.new(
+  #       sso_account_id: '123456789',
+  #       sso_role_name: "role_name",
+  #       sso_region: "us-east-1",
+  #       sso_start_url: 'https://your-start-url.awsapps.com/start'
+  #     )
+  #
+  #     ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
+  #
+  # If you omit `:client` option, a new {SSO::Client} object will be
+  # constructed.
+  class SSOCredentials
+
+    include CredentialProvider
+    include RefreshingCredentials
+
+    # @api private
+    SSO_REQUIRED_OPTS = [:sso_account_id, :sso_region, :sso_role_name, :sso_start_url].freeze
+
+    # @api private
+    SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
+    'expired or is otherwise invalid. To refresh this SSO session run '\
+    'aws sso login with the corresponding profile.'.freeze
+
+    # @option options [required, String] :sso_account_id The AWS account ID
+    #   that temporary AWS credentials will be resolved for
+    #
+    # @option options [required, String] :sso_region The AWS region where the
+    #   SSO directory for the given sso_start_url is hosted.
+    #
+    # @option options [required, String] :sso_role_name The corresponding
+    #   IAM role in the AWS account that temporary AWS credentials
+    #   will be resolved for.
+    #
+    # @option options [required, String] :sso_start_url The start URL is
+    #   provided by the SSO service via the console and is the URL used to
+    #   login to the SSO directory. This is also sometimes referred to as
+    #   the "User Portal URL"
+    #
+    # @option options [SSO::Client] :client Optional `SSO::Client`.  If not
+    #   provided, a client will be constructed.
+    #
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
+    def initialize(options = {})
+
+      missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
+      unless missing_keys.empty?
+        raise ArgumentError, "Missing required keys: #{missing_keys}"
+      end
+
+      @sso_start_url = options.delete(:sso_start_url)
+      @sso_region = options.delete(:sso_region)
+      @sso_role_name = options.delete(:sso_role_name)
+      @sso_account_id = options.delete(:sso_account_id)
+
+      # validate we can read the token file
+      read_cached_token
+
+      options[:region] = @sso_region
+      options[:credentials] = nil
+      @client = options[:client] || Aws::SSO::Client.new(options)
+      super
+    end
+
+    # @return [SSO::Client]
+    attr_reader :client
+
+    private
+
+    def read_cached_token
+      cached_token = Json.load(File.read(sso_cache_file))
+      # validation
+      unless cached_token['accessToken'] && cached_token['expiresAt']
+        raise ArgumentError, 'Missing required field(s)'
+      end
+      expires_at = DateTime.parse(cached_token['expiresAt'])
+      if expires_at < DateTime.now
+        raise ArgumentError, 'Cached SSO Token is expired.'
+      end
+      cached_token
+    rescue Errno::ENOENT, Aws::Json::ParseError, ArgumentError
+      raise Errors::InvalidSSOCredentials, SSO_LOGIN_GUIDANCE
+    end
+
+    def refresh
+      cached_token = read_cached_token
+      c = @client.get_role_credentials(
+        account_id: @sso_account_id,
+        role_name: @sso_role_name,
+        access_token: cached_token['accessToken']
+      ).role_credentials
+
+      @credentials = Credentials.new(
+        c.access_key_id,
+        c.secret_access_key,
+        c.session_token
+      )
+      @expiration = c.expiration
+    end
+
+    def sso_cache_file
+      start_url_sha1 = OpenSSL::Digest::SHA1.hexdigest(@sso_start_url.encode('utf-8'))
+      File.join(Dir.home, '.aws', 'sso', 'cache', "#{start_url_sha1}.json")
+    rescue ArgumentError
+      # Dir.home raises ArgumentError when ENV['home'] is not set
+      raise ArgumentError, "Unable to load sso_cache_file: ENV['HOME'] is not set."
+    end
+  end
+end

data/lib/aws-sdk-core/structure.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   # @api private
   module Structure
@@ -29,8 +31,7 @@ module Aws
     def to_h(obj = self)
       case obj
       when Struct
-        obj.members.each.with_object({}) do |member, hash|
-          value = obj[member]
+        obj.each_pair.with_object({}) do |(member, value), hash|
           hash[member] = to_hash(value) unless value.nil?
         end
       when Hash
@@ -47,7 +48,7 @@ module Aws
 
     # Wraps the default #to_s logic with filtering of sensitive parameters.
     def to_s(obj = self)
-      Aws::Log::ParamFilter.new.filter(obj).to_s
+      Aws::Log::ParamFilter.new.filter(obj, obj.class).to_s
     end
 
     class << self
@@ -69,11 +70,20 @@ module Aws
       end
 
     end
+
+    module Union
+      def member
+        self.members.select { |k| self[k] != nil }.first
+      end
+
+      def value
+        self[member] if member
+      end
+    end
   end
 
   # @api private
   class EmptyStructure < Struct.new('AwsEmptyStructure')
     include(Aws::Structure)
   end
-
 end

data/lib/aws-sdk-core/stubbing/data_applicator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module Stubbing
     class DataApplicator

data/lib/aws-sdk-core/stubbing/empty_stub.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module Stubbing
     class EmptyStub

data/lib/aws-sdk-core/stubbing/protocols/api_gateway.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module Stubbing
     module Protocols

data/lib/aws-sdk-core/stubbing/protocols/ec2.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module Stubbing
     module Protocols

data/lib/aws-sdk-core/stubbing/protocols/json.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module Stubbing
     module Protocols
@@ -27,7 +29,7 @@ module Aws
         private
 
         def content_type(api)
-          "application/x-amz-json-#{api.metadata['jsonVerison']}"
+          "application/x-amz-json-#{api.metadata['jsonVersion']}"
         end
 
         def build_body(operation, data)

data/lib/aws-sdk-core/stubbing/protocols/query.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module Stubbing
     module Protocols
@@ -23,9 +25,9 @@ module Aws
           xml = []
           builder = Aws::Xml::DocBuilder.new(target: xml, indent: '  ')
           builder.node(operation.name + 'Response', xmlns: xmlns(api)) do
-            if rules = operation.output
+            if (rules = operation.output)
               rules.location_name = operation.name + 'Result'
-              Xml::Builder.new(rules, target:xml, pad:'  ').to_xml(data)
+              Xml::Builder.new(rules, target: xml, pad:'  ').to_xml(data)
             end
             builder.node('ResponseMetadata') do
               builder.node('RequestId', 'stubbed-request-id')