aws-sdk-core 3.46.2 → 3.126.2

data/lib/aws-sdk-core/client_stubs.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'thread'
 
 module Aws
@@ -171,24 +173,25 @@ module Aws
     # @raise [RuntimeError] Raises a runtime error when called
     #   on a client that has not enabled response stubbing via
     #   `:stub_responses => true`.
-    #
     def stub_responses(operation_name, *stubs)
       if config.stub_responses
         apply_stubs(operation_name, stubs.flatten)
       else
-        msg = 'stubbing is not enabled; enable stubbing in the constructor '
-        msg << 'with `:stub_responses => true`'
+        msg = 'stubbing is not enabled; enable stubbing in the constructor '\
+              'with `:stub_responses => true`'
         raise msg
       end
     end
 
-    # Allows you to access all of the requests that the stubbed client has made
-    #
-    # @params [Boolean] exclude_presign Setting to true for filtering out not sent requests from
-    #                 generating presigned urls. Default to false.
-    # @return [Array] Returns an array of the api requests made, each request object contains the
-    #                 :operation_name, :params, and :context of the request. 
-    # @raise [NotImplementedError] Raises `NotImplementedError` when the client is not stubbed
+    # Allows you to access all of the requests that the stubbed client has made.
+    #
+    # @param [Hash] options The options for the api requests.
+    # @option options [Boolean] :exclude_presign (false) Set to true to filter
+    #   out unsent requests from generated presigned urls.
+    # @return [Array] Returns an array of the api requests made. Each request
+    #   object contains the :operation_name, :params, and :context.
+    # @raise [NotImplementedError] Raises `NotImplementedError` when the client
+    #   is not stubbed.
     def api_requests(options = {})
       if config.stub_responses
         if options[:exclude_presign]
@@ -197,8 +200,8 @@ module Aws
           @api_requests
         end
       else
-        msg = 'This method is only implemented for stubbed clients, and is '
-        msg << 'available when you enable stubbing in the constructor with `stub_responses: true`'
+        msg = 'This method is only implemented for stubbed clients, and is '\
+              'available when you enable stubbing in the constructor with `stub_responses: true`'
         raise NotImplementedError.new(msg)
       end
     end
@@ -291,7 +294,7 @@ module Aws
     def data_to_http_resp(operation_name, data)
       api = config.api
       operation = api.operation(operation_name)
-      ParamValidator.validate!(operation.output, data)
+      ParamValidator.new(operation.output, input: false).validate!(data)
       protocol_helper.stub_data(api, operation, data)
     end
 

data/lib/aws-sdk-core/credential_provider.rb

@@ -1,10 +1,8 @@
-require_relative 'deprecations'
+# frozen_string_literal: true
 
 module Aws
   module CredentialProvider
 
-    extend Deprecations
-
     # @return [Credentials]
     attr_reader :credentials
 
@@ -13,32 +11,5 @@ module Aws
       !!credentials && credentials.set?
     end
 
-    # @deprecated Deprecated in 2.1.0. This method is subject to errors
-    #   from a race condition when called against refreshable credential
-    #   objects. Will be removed in 2.2.0.
-    # @see #credentials
-    def access_key_id
-      credentials ? credentials.access_key_id : nil
-    end
-    deprecated(:access_key_id, use: '#credentials')
-
-    # @deprecated Deprecated in 2.1.0. This method is subject to errors
-    #   from a race condition when called against refreshable credential
-    #   objects. Will be removed in 2.2.0.
-    # @see #credentials
-    def secret_access_key
-      credentials ? credentials.secret_access_key : nil
-    end
-    deprecated(:secret_access_key, use: '#credentials')
-
-    # @deprecated Deprecated in 2.1.0. This method is subject to errors
-    #   from a race condition when called against refreshable credential
-    #   objects. Will be removed in 2.2.0.
-    # @see #credentials
-    def session_token
-      credentials ? credentials.session_token : nil
-    end
-    deprecated(:session_token, use: '#credentials')
-
   end
 end

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -1,7 +1,8 @@
+# frozen_string_literal: true
+
 module Aws
   # @api private
   class CredentialProviderChain
-
     def initialize(config = nil)
       @config = config
     end
@@ -20,15 +21,22 @@ module Aws
     def providers
       [
         [:static_credentials, {}],
+        [:static_profile_assume_role_web_identity_credentials, {}],
+        [:static_profile_sso_credentials, {}],
+        [:static_profile_assume_role_credentials, {}],
+        [:static_profile_credentials, {}],
+        [:static_profile_process_credentials, {}],
         [:env_credentials, {}],
+        [:assume_role_web_identity_credentials, {}],
+        [:sso_credentials, {}],
         [:assume_role_credentials, {}],
         [:shared_credentials, {}],
         [:process_credentials, {}],
         [:instance_profile_credentials, {
           retries: @config ? @config.instance_profile_credentials_retries : 0,
           http_open_timeout: @config ? @config.instance_profile_credentials_timeout : 1,
-          http_read_timeout: @config ? @config.instance_profile_credentials_timeout : 1,
-        }],
+          http_read_timeout: @config ? @config.instance_profile_credentials_timeout : 1
+        }]
       ]
     end
 
@@ -37,48 +45,90 @@ module Aws
         Credentials.new(
           options[:config].access_key_id,
           options[:config].secret_access_key,
-          options[:config].session_token)
-      else
-        nil
+          options[:config].session_token
+        )
+      end
+    end
+
+    def static_profile_assume_role_web_identity_credentials(options)
+      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
+        Aws.shared_config.assume_role_web_identity_credentials_from_config(
+          profile: options[:config].profile,
+          region: options[:config].region
+        )
       end
     end
 
-    def env_credentials(options)
-      key =    %w(AWS_ACCESS_KEY_ID     AMAZON_ACCESS_KEY_ID     AWS_ACCESS_KEY)
-      secret = %w(AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY)
-      token =  %w(AWS_SESSION_TOKEN     AMAZON_SESSION_TOKEN)
+    def static_profile_sso_credentials(options)
+      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
+        Aws.shared_config.sso_credentials_from_config(
+          profile: options[:config].profile
+        )
+      end
+    end
+
+    def static_profile_assume_role_credentials(options)
+      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
+        assume_role_with_profile(options, options[:config].profile)
+      end
+    end
+
+    def static_profile_credentials(options)
+      if options[:config] && options[:config].profile
+        SharedCredentials.new(profile_name: options[:config].profile)
+      end
+    rescue Errors::NoSuchProfileError
+      nil
+    end
+
+    def static_profile_process_credentials(options)
+      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
+        process_provider = Aws.shared_config.credential_process(profile: options[:config].profile)
+        ProcessCredentials.new(process_provider) if process_provider
+      end
+    rescue Errors::NoSuchProfileError
+      nil
+    end
+
+    def env_credentials(_options)
+      key =    %w[AWS_ACCESS_KEY_ID AMAZON_ACCESS_KEY_ID AWS_ACCESS_KEY]
+      secret = %w[AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY]
+      token =  %w[AWS_SESSION_TOKEN AMAZON_SESSION_TOKEN]
       Credentials.new(envar(key), envar(secret), envar(token))
     end
 
     def envar(keys)
       keys.each do |key|
-        if ENV.key?(key)
-          return ENV[key]
-        end
+        return ENV[key] if ENV.key?(key)
       end
       nil
     end
 
+    def determine_profile_name(options)
+      (options[:config] && options[:config].profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+    end
+
     def shared_credentials(options)
-      if options[:config]
-        SharedCredentials.new(profile_name: options[:config].profile)
-      else
-        SharedCredentials.new(
-          profile_name: ENV['AWS_PROFILE'].nil? ? 'default' : ENV['AWS_PROFILE'])
-      end
+      profile_name = determine_profile_name(options)
+      SharedCredentials.new(profile_name: profile_name)
     rescue Errors::NoSuchProfileError
       nil
     end
 
     def process_credentials(options)
-      profile_name = options[:config].profile if options[:config]
-      profile_name ||= ENV['AWS_PROFILE'].nil? ? 'default' : ENV['AWS_PROFILE']
-      
-      config = Aws.shared_config
-      if config.config_enabled? && process_provider = config.credentials_process(profile_name)
+      profile_name = determine_profile_name(options)
+      if Aws.shared_config.config_enabled? &&
+         (process_provider = Aws.shared_config.credential_process(profile: profile_name))
         ProcessCredentials.new(process_provider)
-      else
-        nil
+      end
+    rescue Errors::NoSuchProfileError
+      nil
+    end
+
+    def sso_credentials(options)
+      profile_name = determine_profile_name(options)
+      if Aws.shared_config.config_enabled?
+        Aws.shared_config.sso_credentials_from_config(profile: profile_name)
       end
     rescue Errors::NoSuchProfileError
       nil
@@ -86,33 +136,45 @@ module Aws
 
     def assume_role_credentials(options)
       if Aws.shared_config.config_enabled?
-        profile, region = nil, nil
-        if options[:config]
-          profile = options[:config].profile
-          region = options[:config].region
-          assume_role_with_profile(options[:config].profile, options[:config].region)
-        end
-        assume_role_with_profile(profile, region)
-      else
-        nil
+        assume_role_with_profile(options, determine_profile_name(options))
+      end
+    end
+
+    def assume_role_web_identity_credentials(options)
+      region = options[:config].region if options[:config]
+      if (role_arn = ENV['AWS_ROLE_ARN']) && (token_file = ENV['AWS_WEB_IDENTITY_TOKEN_FILE'])
+        cfg = {
+          role_arn: role_arn,
+          web_identity_token_file: token_file,
+          role_session_name: ENV['AWS_ROLE_SESSION_NAME']
+        }
+        cfg[:region] = region if region
+        AssumeRoleWebIdentityCredentials.new(cfg)
+      elsif Aws.shared_config.config_enabled?
+        profile = options[:config].profile if options[:config]
+        Aws.shared_config.assume_role_web_identity_credentials_from_config(
+          profile: profile,
+          region: region
+        )
       end
     end
 
     def instance_profile_credentials(options)
-      if ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
+      profile_name = determine_profile_name(options)
+      if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
         ECSCredentials.new(options)
       else
-        InstanceProfileCredentials.new(options)
+        InstanceProfileCredentials.new(options.merge(profile: profile_name))
       end
     end
 
-    def assume_role_with_profile(prof, region)
+    def assume_role_with_profile(options, profile_name)
+      region = (options[:config] && options[:config].region)
       Aws.shared_config.assume_role_credentials_from_config(
-        profile: prof,
+        profile: profile_name,
         region: region,
         chain_config: @config
       )
     end
-
   end
 end

data/lib/aws-sdk-core/credentials.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   class Credentials
 

data/lib/aws-sdk-core/deprecations.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
 
   # A utility module that provides a class method that wraps
@@ -35,33 +37,37 @@ module Aws
   # @api private
   module Deprecations
 
-    # @param [Symbol] method_name The name of the deprecated method.
+    # @param [Symbol] method The name of the deprecated method.
     #
     # @option options [String] :message The warning message to issue
     #   when the deprecated method is called.
     #
-    # @option options [Symbol] :use The name of an use
-    #   method that should be used.
+    # @option options [String] :use The name of a method that should be used.
+    #
+    # @option options [String] :version The version that will remove the
+    #   deprecated method.
     #
-    def deprecated(method_name, options = {})
+    def deprecated(method, options = {})
 
       deprecation_msg = options[:message] || begin
-        msg = "DEPRECATION WARNING: called deprecated method `#{method_name}' "
-        msg << "of an #{self}"
-        msg << ", use #{options[:use]} instead" if options[:use]
-        msg
+        "#################### DEPRECATION WARNING ####################\n"\
+        "Called deprecated method `#{method}` of #{self}."\
+        "#{" Use `#{options[:use]}` instead.\n" if options[:use]}"\
+        "#{"Method `#{method}` will be removed in #{options[:version]}."\
+          if options[:version]}"\
+        "\n#############################################################"
       end
 
-      alias_method(:"deprecated_#{method_name}", method_name)
+      alias_method(:"deprecated_#{method}", method)
 
       warned = false # we only want to issue this warning once
 
-      define_method(method_name) do |*args,&block|
+      define_method(method) do |*args, &block|
         unless warned
           warned = true
           warn(deprecation_msg + "\n" + caller.join("\n"))
         end
-        send("deprecated_#{method_name}", *args, &block)
+        send("deprecated_#{method}", *args, &block)
       end
     end
 

data/lib/aws-sdk-core/eager_loader.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'set'
 
 module Aws

data/lib/aws-sdk-core/ec2_metadata.rb

@@ -0,0 +1,238 @@
+# frozen_string_literal: true
+
+require 'time'
+require 'net/http'
+
+module Aws
+  # A client that can query version 2 of the EC2 Instance Metadata
+  class EC2Metadata
+    # Path for PUT request for token
+    # @api private
+    METADATA_TOKEN_PATH = '/latest/api/token'.freeze
+
+    # Raised when the PUT request is not valid. This would be thrown if
+    # `token_ttl` is not an Integer.
+    # @api private
+    class TokenRetrievalError < RuntimeError; end
+
+    # Token has expired, and the request can be retried with a new token.
+    # @api private
+    class TokenExpiredError < RuntimeError; end
+
+    # The requested metadata path does not exist.
+    # @api private
+    class MetadataNotFoundError < RuntimeError; end
+
+    # The request is not allowed or IMDS is turned off.
+    # @api private
+    class RequestForbiddenError < RuntimeError; end
+
+    # Creates a client that can query version 2 of the EC2 Instance Metadata
+    #   service (IMDS).
+    #
+    # @note Customers using containers may need to increase their hop limit
+    #   to access IMDSv2.
+    # @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2
+    #
+    # @param [Hash] options
+    # @option options [Integer] :token_ttl (21600) The session token's TTL,
+    #   defaulting to 6 hours.
+    # @option options [Integer] :retries (3) The number of retries for failed
+    #   requests.
+    # @option options [String] :endpoint ('http://169.254.169.254') The IMDS
+    #   endpoint. This option has precedence over the :endpoint_mode.
+    # @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
+    #   the instance metadata service. This is either 'IPv4'
+    #   ('http://169.254.169.254') or 'IPv6' ('http://[fd00:ec2::254]').
+    # @option options [Integer] :port (80) The IMDS endpoint port.
+    # @option options [Integer] :http_open_timeout (1) The number of seconds to
+    #   wait for the connection to open.
+    # @option options [Integer] :http_read_timeout (1) The number of seconds for
+    #   one chunk of data to be read.
+    # @option options [IO] :http_debug_output An output stream for debugging. Do
+    #   not use this in production.
+    # @option options [Integer,Proc] :backoff A backoff used for retryable
+    #   requests. When given an Integer, it sleeps that amount. When given a
+    #   Proc, it is called with the current number of failed retries.
+    def initialize(options = {})
+      @token_ttl = options[:token_ttl] || 21_600
+      @retries = options[:retries] || 3
+      @backoff = backoff(options[:backoff])
+
+      endpoint_mode = options[:endpoint_mode] || 'IPv4'
+      @endpoint = resolve_endpoint(options[:endpoint], endpoint_mode)
+      @port = options[:port] || 80
+
+      @http_open_timeout = options[:http_open_timeout] || 1
+      @http_read_timeout = options[:http_read_timeout] || 1
+      @http_debug_output = options[:http_debug_output]
+
+      @token = nil
+      @mutex = Mutex.new
+    end
+
+    # Fetches a given metadata category using a String path, and returns the
+    #   result as a String. A path starts with the API version (usually
+    #   "/latest/"). See the instance data categories for possible paths.
+    #
+    # @example Fetching the instance ID
+    #
+    #   ec2_metadata = Aws::EC2Metadata.new
+    #   ec2_metadata.get('/latest/meta-data/instance-id')
+    #   => "i-023a25f10a73a0f79"
+    #
+    # @note This implementation always returns a String and will not parse any
+    #   responses. Parsable responses may include JSON objects or directory
+    #   listings, which are strings separated by line feeds (ASCII 10).
+    #
+    # @example Fetching and parsing JSON meta-data
+    #
+    #   require 'json'
+    #   data = ec2_metadata.get('/latest/dynamic/instance-identity/document')
+    #   JSON.parse(data)
+    #   => {"accountId"=>"012345678912", ... }
+    #
+    # @example Fetching and parsing directory listings
+    #
+    #   listing = ec2_metadata.get('/latest/meta-data')
+    #   listing.split(10.chr)
+    #   => ["ami-id", "ami-launch-index", ...]
+    #
+    # @note Unlike other services, IMDS does not have a service API model. This
+    #   means that we cannot confidently generate code with methods and
+    #   response structures. This implementation ensures that new IMDS features
+    #   are always supported by being deployed to the instance and does not
+    #   require code changes.
+    #
+    # @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html
+    # @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
+    # @param [String] path The full path to the metadata.
+    def get(path)
+      retry_errors(max_retries: @retries) do
+        @mutex.synchronize do
+          fetch_token unless @token && !@token.expired?
+        end
+
+        open_connection do |conn|
+          http_get(conn, path, @token.value)
+        end
+      end
+    end
+
+    private
+
+    def resolve_endpoint(endpoint, endpoint_mode)
+      return endpoint if endpoint
+
+      case endpoint_mode.downcase
+      when 'ipv4' then 'http://169.254.169.254'
+      when 'ipv6' then 'http://[fd00:ec2::254]'
+      else
+        raise ArgumentError,
+              ':endpoint_mode is not valid, expected IPv4 or IPv6, '\
+              "got: #{endpoint_mode}"
+      end
+    end
+
+    def fetch_token
+      open_connection do |conn|
+        created_time = Time.now
+        token_value, token_ttl = http_put(conn, @token_ttl)
+        @token = Token.new(value: token_value, ttl: token_ttl, created_time: created_time)
+      end
+    end
+
+    def http_get(connection, path, token)
+      headers = {
+        'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
+        'x-aws-ec2-metadata-token' => token
+      }
+      request = Net::HTTP::Get.new(path, headers)
+      response = connection.request(request)
+
+      case response.code.to_i
+      when 200
+        response.body
+      when 401
+        raise TokenExpiredError
+      when 404
+        raise MetadataNotFoundError
+      end
+    end
+
+    def http_put(connection, ttl)
+      headers = {
+        'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
+        'x-aws-ec2-metadata-token-ttl-seconds' => ttl.to_s
+      }
+      request = Net::HTTP::Put.new(METADATA_TOKEN_PATH, headers)
+      response = connection.request(request)
+
+      case response.code.to_i
+      when 200
+        [
+          response.body,
+          response.header['x-aws-ec2-metadata-token-ttl-seconds'].to_i
+        ]
+      when 400
+        raise TokenRetrievalError
+      when 403
+        raise RequestForbiddenError
+      end
+    end
+
+    def open_connection
+      uri = URI.parse(@endpoint)
+      http = Net::HTTP.new(uri.hostname || @endpoint, @port || uri.port)
+      http.open_timeout = @http_open_timeout
+      http.read_timeout = @http_read_timeout
+      http.set_debug_output(@http_debug_output) if @http_debug_output
+      http.start
+      yield(http).tap { http.finish }
+    end
+
+    def retry_errors(options = {}, &_block)
+      max_retries = options[:max_retries]
+      retries = 0
+      begin
+        yield
+      # These errors should not be retried.
+      rescue TokenRetrievalError, MetadataNotFoundError, RequestForbiddenError
+        raise
+      # StandardError is not ideal but it covers Net::HTTP errors.
+      # https://gist.github.com/tenderlove/245188
+      rescue StandardError, TokenExpiredError
+        raise unless retries < max_retries
+
+        @backoff.call(retries)
+        retries += 1
+        retry
+      end
+    end
+
+    def backoff(backoff)
+      case backoff
+      when Proc then backoff
+      when Numeric then ->(_) { Kernel.sleep(backoff) }
+      else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
+      end
+    end
+
+    # @api private
+    class Token
+      def initialize(options = {})
+        @ttl   = options[:ttl]
+        @value = options[:value]
+        @created_time = options[:created_time] || Time.now
+      end
+
+      # [String] Returns the token value.
+      attr_reader :value
+
+      # [Boolean] Returns true if the token expired.
+      def expired?
+        Time.now - @created_time > @ttl
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -1,4 +1,5 @@
-require 'json'
+# frozen_string_literal: true
+
 require 'time'
 require 'net/http'
 
@@ -42,6 +43,10 @@ module Aws
     # @option options [IO] :http_debug_output (nil) HTTP wire
     #   traces are sent to this object.  You can specify something
     #   like $stdout.
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
     def initialize options = {}
       @retries = options[:retries] || 5
       @ip_address = options[:ip_address] || '169.254.170.2'
@@ -78,14 +83,18 @@ module Aws
       # Retry loading credentials up to 3 times is the instance metadata
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
-      retry_errors([JSON::ParserError, StandardError], max_retries: 3) do
-        c = JSON.parse(get_credentials.to_s)
-        @credentials = Credentials.new(
-          c['AccessKeyId'],
-          c['SecretAccessKey'],
-          c['Token']
-        )
-        @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+      begin
+        retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
+          c = Aws::Json.load(get_credentials.to_s)
+          @credentials = Credentials.new(
+            c['AccessKeyId'],
+            c['SecretAccessKey'],
+            c['Token']
+          )
+          @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+        end
+      rescue Aws::Json::ParseError
+        raise Aws::Errors::MetadataParserError.new
       end
     end