aws-sdk-core 3.54.2 → 3.126.0

data/lib/aws-sdk-core/ec2_metadata.rb

@@ -0,0 +1,237 @@
+# frozen_string_literal: true
+
+require 'time'
+require 'net/http'
+
+module Aws
+  # A client that can query version 2 of the EC2 Instance Metadata
+  class EC2Metadata
+    # Path for PUT request for token
+    # @api private
+    METADATA_TOKEN_PATH = '/latest/api/token'.freeze
+
+    # Raised when the PUT request is not valid. This would be thrown if
+    # `token_ttl` is not an Integer.
+    # @api private
+    class TokenRetrievalError < RuntimeError; end
+
+    # Token has expired, and the request can be retried with a new token.
+    # @api private
+    class TokenExpiredError < RuntimeError; end
+
+    # The requested metadata path does not exist.
+    # @api private
+    class MetadataNotFoundError < RuntimeError; end
+
+    # The request is not allowed or IMDS is turned off.
+    # @api private
+    class RequestForbiddenError < RuntimeError; end
+
+    # Creates a client that can query version 2 of the EC2 Instance Metadata
+    #   service (IMDS).
+    #
+    # @note Customers using containers may need to increase their hop limit
+    #   to access IMDSv2.
+    # @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2
+    #
+    # @param [Hash] options
+    # @option options [Integer] :token_ttl (21600) The session token's TTL,
+    #   defaulting to 6 hours.
+    # @option options [Integer] :retries (3) The number of retries for failed
+    #   requests.
+    # @option options [String] :endpoint ('http://169.254.169.254') The IMDS
+    #   endpoint. This option has precedence over the :endpoint_mode.
+    # @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
+    #   the instance metadata service. This is either 'IPv4'
+    #   ('http://169.254.169.254') or 'IPv6' ('http://[fd00:ec2::254]').
+    # @option options [Integer] :port (80) The IMDS endpoint port.
+    # @option options [Integer] :http_open_timeout (1) The number of seconds to
+    #   wait for the connection to open.
+    # @option options [Integer] :http_read_timeout (1) The number of seconds for
+    #   one chunk of data to be read.
+    # @option options [IO] :http_debug_output An output stream for debugging. Do
+    #   not use this in production.
+    # @option options [Integer,Proc] :backoff A backoff used for retryable
+    #   requests. When given an Integer, it sleeps that amount. When given a
+    #   Proc, it is called with the current number of failed retries.
+    def initialize(options = {})
+      @token_ttl = options[:token_ttl] || 21_600
+      @retries = options[:retries] || 3
+      @backoff = backoff(options[:backoff])
+
+      endpoint_mode = options[:endpoint_mode] || 'IPv4'
+      @endpoint = resolve_endpoint(options[:endpoint], endpoint_mode)
+      @port = options[:port] || 80
+
+      @http_open_timeout = options[:http_open_timeout] || 1
+      @http_read_timeout = options[:http_read_timeout] || 1
+      @http_debug_output = options[:http_debug_output]
+
+      @token = nil
+      @mutex = Mutex.new
+    end
+
+    # Fetches a given metadata category using a String path, and returns the
+    #   result as a String. A path starts with the API version (usually
+    #   "/latest/"). See the instance data categories for possible paths.
+    #
+    # @example Fetching the instance ID
+    #
+    #   ec2_metadata = Aws::EC2Metadata.new
+    #   ec2_metadata.get('/latest/meta-data/instance-id')
+    #   => "i-023a25f10a73a0f79"
+    #
+    # @note This implementation always returns a String and will not parse any
+    #   responses. Parsable responses may include JSON objects or directory
+    #   listings, which are strings separated by line feeds (ASCII 10).
+    #
+    # @example Fetching and parsing JSON meta-data
+    #
+    #   require 'json'
+    #   data = ec2_metadata.get('/latest/dynamic/instance-identity/document')
+    #   JSON.parse(data)
+    #   => {"accountId"=>"012345678912", ... }
+    #
+    # @example Fetching and parsing directory listings
+    #
+    #   listing = ec2_metadata.get('/latest/meta-data')
+    #   listing.split(10.chr)
+    #   => ["ami-id", "ami-launch-index", ...]
+    #
+    # @note Unlike other services, IMDS does not have a service API model. This
+    #   means that we cannot confidently generate code with methods and
+    #   response structures. This implementation ensures that new IMDS features
+    #   are always supported by being deployed to the instance and does not
+    #   require code changes.
+    #
+    # @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html
+    # @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
+    # @param [String] path The full path to the metadata.
+    def get(path)
+      retry_errors(max_retries: @retries) do
+        @mutex.synchronize do
+          fetch_token unless @token && !@token.expired?
+        end
+
+        open_connection do |conn|
+          http_get(conn, path, @token.value)
+        end
+      end
+    end
+
+    private
+
+    def resolve_endpoint(endpoint, endpoint_mode)
+      return endpoint if endpoint
+
+      case endpoint_mode.downcase
+      when 'ipv4' then 'http://169.254.169.254'
+      when 'ipv6' then 'http://[fd00:ec2::254]'
+      else
+        raise ArgumentError,
+              ':endpoint_mode is not valid, expected IPv4 or IPv6, '\
+              "got: #{endpoint_mode}"
+      end
+    end
+
+    def fetch_token
+      open_connection do |conn|
+        token_value, token_ttl = http_put(conn, @token_ttl)
+        @token = Token.new(value: token_value, ttl: token_ttl)
+      end
+    end
+
+    def http_get(connection, path, token)
+      headers = {
+        'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
+        'x-aws-ec2-metadata-token' => token
+      }
+      request = Net::HTTP::Get.new(path, headers)
+      response = connection.request(request)
+
+      case response.code.to_i
+      when 200
+        response.body
+      when 401
+        raise TokenExpiredError
+      when 404
+        raise MetadataNotFoundError
+      end
+    end
+
+    def http_put(connection, ttl)
+      headers = {
+        'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
+        'x-aws-ec2-metadata-token-ttl-seconds' => ttl.to_s
+      }
+      request = Net::HTTP::Put.new(METADATA_TOKEN_PATH, headers)
+      response = connection.request(request)
+
+      case response.code.to_i
+      when 200
+        [
+          response.body,
+          response.header['x-aws-ec2-metadata-token-ttl-seconds'].to_i
+        ]
+      when 400
+        raise TokenRetrievalError
+      when 403
+        raise RequestForbiddenError
+      end
+    end
+
+    def open_connection
+      uri = URI.parse(@endpoint)
+      http = Net::HTTP.new(uri.hostname || @endpoint, @port || uri.port)
+      http.open_timeout = @http_open_timeout
+      http.read_timeout = @http_read_timeout
+      http.set_debug_output(@http_debug_output) if @http_debug_output
+      http.start
+      yield(http).tap { http.finish }
+    end
+
+    def retry_errors(options = {}, &_block)
+      max_retries = options[:max_retries]
+      retries = 0
+      begin
+        yield
+      # These errors should not be retried.
+      rescue TokenRetrievalError, MetadataNotFoundError, RequestForbiddenError
+        raise
+      # StandardError is not ideal but it covers Net::HTTP errors.
+      # https://gist.github.com/tenderlove/245188
+      rescue StandardError, TokenExpiredError
+        raise unless retries < max_retries
+
+        @backoff.call(retries)
+        retries += 1
+        retry
+      end
+    end
+
+    def backoff(backoff)
+      case backoff
+      when Proc then backoff
+      when Numeric then ->(_) { Kernel.sleep(backoff) }
+      else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
+      end
+    end
+
+    # @api private
+    class Token
+      def initialize(options = {})
+        @ttl   = options[:ttl]
+        @value = options[:value]
+        @created_time = Time.now
+      end
+
+      # [String] Returns the token value.
+      attr_reader :value
+
+      # [Boolean] Returns true if the token expired.
+      def expired?
+        Time.now - @created_time > @ttl
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -1,4 +1,5 @@
-require 'json'
+# frozen_string_literal: true
+
 require 'time'
 require 'net/http'
 
@@ -79,8 +80,8 @@ module Aws
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
       begin
-        retry_errors([JSON::ParserError, StandardError], max_retries: 3) do
-          c = JSON.parse(get_credentials.to_s)
+        retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
+          c = Aws::Json.load(get_credentials.to_s)
           @credentials = Credentials.new(
             c['AccessKeyId'],
             c['SecretAccessKey'],
@@ -88,7 +89,7 @@ module Aws
           )
           @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
         end
-      rescue JSON::ParserError
+      rescue Aws::Json::ParseError
         raise Aws::Errors::MetadataParserError.new
       end
     end

data/lib/aws-sdk-core/endpoint_cache.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   # @api private
   # a LRU cache caching endpoints data
@@ -47,8 +49,8 @@ module Aws
       @mutex.synchronize do
         # delete the least recent used endpoint when cache is full
         unless @entries.size < @max_entries
-          old_key, _ = @entries.shift
-          self.delete_polling_thread(old_key)
+          old_key, = @entries.shift
+          delete_polling_thread(old_key)
         end
         # delete old value if exists
         @entries.delete(key)
@@ -60,10 +62,12 @@ module Aws
     # @param [String] key
     # @return [Boolean]
     def key?(key)
-      if @entries.key?(key) && (@entries[key].nil? || @entries[key].expired?)
-        self.delete(key)
+      @mutex.synchronize do
+        if @entries.key?(key) && (@entries[key].nil? || @entries[key].expired?)
+          @entries.delete(key)
+        end
+        @entries.key?(key)
       end
-      @entries.key?(key)
     end
 
     # checking whether an polling thread exist for the key
@@ -84,7 +88,7 @@ module Aws
     # kill the old polling thread and remove it from pool
     # @param [String] key
     def delete_polling_thread(key)
-      Thread.kill(@pool[key]) if self.threads_key?(key)
+      Thread.kill(@pool[key]) if threads_key?(key)
       @pool.delete(key)
     end
 
@@ -109,7 +113,7 @@ module Aws
       if _endpoint_operation_identifier(ctx)
         parts << ctx.operation_name
         ctx.operation.input.shape.members.inject(parts) do |p, (name, ref)|
-          p << ctx.params[name] if ref["endpointdiscoveryid"]
+          p << ctx.params[name] if ref['endpointdiscoveryid']
           p
         end
       end
@@ -141,7 +145,7 @@ module Aws
         # build identifier params when available
         params[:operation] = ctx.operation.name
         ctx.operation.input.shape.members.inject(params) do |p, (name, ref)|
-          if ref["endpointdiscoveryid"]
+          if ref['endpointdiscoveryid']
             p[:identifiers] ||= {}
             p[:identifiers][ref.location_name] = ctx.params[name]
           end
@@ -153,19 +157,20 @@ module Aws
         endpoint_operation_name = ctx.config.api.endpoint_operation
         ctx.client.send(endpoint_operation_name, params)
       rescue Aws::Errors::ServiceError
-        nil 
+        nil
       end
     end
 
     def _endpoint_operation_identifier(ctx)
       return @require_identifier unless @require_identifier.nil?
+
       operation_name = ctx.config.api.endpoint_operation
       operation = ctx.config.api.operation(operation_name)
       @require_identifier = operation.input.shape.members.any?
     end
 
     class Endpoint
-    
+
       # default endpoint cache time, 1 minute
       CACHE_PERIOD = 1
 
@@ -175,7 +180,7 @@ module Aws
         @created_time = Time.now
       end
 
-      # [String] valid URI address (with path) 
+      # [String] valid URI address (with path)
       attr_reader :address
 
       def expired?

data/lib/aws-sdk-core/errors.rb

@@ -1,4 +1,4 @@
-require 'thread'
+# frozen_string_literal: true
 
 module Aws
   module Errors
@@ -16,10 +16,10 @@ module Aws
       # @param [Aws::Structure] data
       def initialize(context, message, data = Aws::EmptyStructure.new)
         @code = self.class.code
-        @message = message if message && !message.empty?
         @context = context
         @data = data
-        super(message)
+        @message = message && !message.empty? ? message : self.class.to_s
+        super(@message)
       end
 
       # @return [String]
@@ -38,13 +38,23 @@ module Aws
         attr_accessor :code
 
       end
+
+      # @api private undocumented
+      def retryable?
+        false
+      end
+
+      # @api private undocumented
+      def throttling?
+        false
+      end
     end
 
     # Raised when InstanceProfileCredentialsProvider or
     # EcsCredentialsProvider fails to parse the metadata response after retries
     class MetadataParserError < RuntimeError
       def initialize(*args)
-        msg = "Failed to parse metadata service response."
+        msg = 'Failed to parse metadata service response.'
         super(msg)
       end
     end
@@ -63,7 +73,7 @@ module Aws
     class EndpointDiscoveryError < RuntimeError
       def initialize(*args)
         msg = 'Endpoint discovery failed for the operation or discovered endpoint is not working, '\
-          'request will keep failing until endpoint discovery succeeds or :endpoint option is provided.'
+              'request will keep failing until endpoint discovery succeeds or :endpoint option is provided.'
         super(msg)
       end
     end
@@ -75,8 +85,8 @@ module Aws
 
       def initialize(name)
         msg = "Missing required parameter #{name} to construct"\
-          " endpoint host prefix. You can disable host prefix by"\
-          " setting :disable_host_prefix_injection to `true`."
+              ' endpoint host prefix. You can disable host prefix by'\
+              ' setting :disable_host_prefix_injection to `true`.'
         super(msg)
       end
 
@@ -125,6 +135,29 @@ module Aws
 
     end
 
+    # Raised when ARN string input doesn't follow the standard:
+    # https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-arns
+    class InvalidARNError < RuntimeError; end
+
+    # Raised when the region from the ARN string is different from the :region
+    # configured on the service client.
+    class InvalidARNRegionError < RuntimeError
+      def initialize(*args)
+        msg = 'ARN region is different from the configured client region.'
+        super(msg)
+      end
+    end
+
+    # Raised when the partition of the ARN region is different than the
+    # partition of the :region configured on the service client.
+    class InvalidARNPartitionError < RuntimeError
+      def initialize(*args)
+        msg = 'ARN region partition is different from the configured '\
+              'client region partition.'
+        super(msg)
+      end
+    end
+
     # Various plugins perform client-side checksums of responses.
     # This error indicates a checksum failed.
     class ChecksumError < RuntimeError; end
@@ -158,19 +191,66 @@ module Aws
       end
     end
 
+    # Raised when :web_identity_token_file parameter is not
+    # provided or the file doesn't exist when initializing
+    # AssumeRoleWebIdentityCredentials credential provider
+    class MissingWebIdentityTokenFile < RuntimeError
+      def initialize(*args)
+        msg = 'Missing :web_identity_token_file parameter or'\
+              ' invalid file path provided for'\
+              ' Aws::AssumeRoleWebIdentityCredentials provider'
+        super(msg)
+      end
+    end
+
     # Raised when a credentials provider process returns a JSON
     # payload with either invalid version number or malformed contents
     class InvalidProcessCredentialsPayload < RuntimeError; end
 
+    # Raised when SSO Credentials are invalid
+    class InvalidSSOCredentials < RuntimeError; end
+
+    # Raised when there is a circular reference in chained
+    # source_profiles
+    class SourceProfileCircularReferenceError < RuntimeError; end
+
     # Raised when a client is constructed and region is not specified.
     class MissingRegionError < ArgumentError
       def initialize(*args)
-        msg = "missing region; use :region option or "
-        msg << "export region name to ENV['AWS_REGION']"
+        msg = 'No region was provided. Configure the `:region` option or '\
+          "export the region name to ENV['AWS_REGION']"
         super(msg)
       end
     end
 
+    # Raised when a client is contsructed and the region is not valid.
+    class InvalidRegionError < ArgumentError
+      def initialize(*args)
+        super(<<-MSG)
+Invalid `:region` option was provided.
+
+* Not every service is available in every region.
+
+* Never suffix region names with availability zones.
+  Use "us-east-1", not "us-east-1a"
+
+Known AWS regions include (not specific to this service):
+
+#{possible_regions}
+        MSG
+      end
+
+      private
+
+      def possible_regions
+        Aws.partitions.each_with_object([]) do |partition, region_names|
+          partition.regions.each do |region|
+            region_names << region.name
+          end
+        end.join("\n")
+      end
+    end
+
     # Raised when attempting to connect to an endpoint and a `SocketError`
     # is received from the HTTP client. This error is typically the result
     # of configuring an invalid `:region`.
@@ -183,14 +263,14 @@ module Aws
         super(<<-MSG)
 Encountered a `SocketError` while attempting to connect to:
 
-  #{endpoint.to_s}
+  #{endpoint}
 
 This is typically the result of an invalid `:region` option or a
 poorly formatted `:endpoint` option.
 
 * Avoid configuring the `:endpoint` option directly. Endpoints are constructed
-  from the `:region`. The `:endpoint` option is reserved for connecting to
-  non-standard test endpoints.
+  from the `:region`. The `:endpoint` option is reserved for certain services
+  or for connecting to non-standard test endpoints.
 
 * Not every service is available in every region.
 
@@ -212,14 +292,21 @@ Known AWS regions include (not specific to this service):
       private
 
       def possible_regions
-        Aws.partitions.inject([]) do |region_names, partition|
+        Aws.partitions.each_with_object([]) do |partition, region_names|
           partition.regions.each do |region|
             region_names << region.name
           end
-          region_names
         end.join("\n")
       end
+    end
 
+    # Raised when attempting to retry a request
+    # and no capacity is available to retry (See adaptive retry_mode)
+    class RetryCapacityNotAvailableError < RuntimeError
+      def initialize(*args)
+        msg = 'Insufficient client side capacity available to retry request.'
+        super(msg)
+      end
     end
 
     # This module is mixed into another module, providing dynamic
@@ -237,7 +324,7 @@ Known AWS regions include (not specific to this service):
     module DynamicErrors
 
       def self.extended(submodule)
-        submodule.instance_variable_set("@const_set_mutex", Mutex.new)
+        submodule.instance_variable_set('@const_set_mutex', Mutex.new)
         submodule.const_set(:ServiceError, Class.new(ServiceError))
       end
 

data/lib/aws-sdk-core/event_emitter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   class EventEmitter
 

data/lib/aws-sdk-core/ini_parser.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   # @api private
   class IniParser