aws-sdk-core 3.200.0 → 3.201.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 370a79ef96fb4ff40cbbfcba57d5b0f01d19220c46f8bc77e96984ed14f10ffd
-  data.tar.gz: 5be2366a83a15ced7f51ceb976a934f5b3a4f26b16337f298d12152f9fe576e8
+  metadata.gz: 66b895cbab1c128ae492f8b02d379edf6856cd38a6eadf985b97a798f4cf4252
+  data.tar.gz: dadbea139b8d5e9f72dc66492478f80e17d501c2b1a6f8acb482a0c8b036ace6
 SHA512:
-  metadata.gz: 164598c925b921092a9a9cebc3a28786f6add8737971d3e7322308dad25035d07664a90b7d9cdc01aabb2601a6ebeebeb6ee83a3cfd309fdcd2849eed3f50c51
-  data.tar.gz: 306ce42e04c16d1c7bf3e6509f7641b60be02e74efa80698b3feef014117ee07c256a8703bb6e8de3dd5fc5e33018ff8f1551bef712eb81093b8289e4322ab60
+  metadata.gz: 7f60df6c8bc98191884bfd56ce021b337c2f08e4b87b235afb4a8ea39de9e15f6ff036a9a442cf6b4fb40635a5b03a0bbe082310e498474f251c7e5119cc3d28
+  data.tar.gz: 6ba5a5f1afb8f00cb676a5b61b59a7ca3ccc0922fa92f5548c126151d4d9446a745ea275a88d01ba275fa00583f0cde7fcd276847c513e4e72b26dbb15f2cfc0

data/CHANGELOG.md

@@ -1,6 +1,19 @@
 Unreleased Changes
 ------------------
 
+3.201.0 (2024-07-02)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Support `auth` trait to enable SigV4a based services.
+
+* Feature - Support configuration for sigv4a signing regions using `ENV['AWS_SIGV4A_SIGNING_REGION_SET']`, `sigv4a_signing_region_set` shared config, or the `sigv4a_signing_region_set` client option.
+
 3.200.0 (2024-06-28)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.200.0
+3.201.0

data/lib/aws-sdk-core/endpoints.rb

@@ -14,9 +14,15 @@ require_relative 'endpoints/templater'
 require_relative 'endpoints/tree_rule'
 require_relative 'endpoints/url'
 
+require 'aws-sigv4'
+
 module Aws
   # @api private
   module Endpoints
+    supported_auth_traits = %w[aws.auth#sigv4 smithy.api#httpBearerAuth smithy.api#noAuth]
+    supported_auth_traits += ['aws.auth#sigv4a'] if Aws::Sigv4::Signer.use_crt?
+    SUPPORTED_AUTH_TRAITS = supported_auth_traits.freeze
+
     class << self
       def resolve_auth_scheme(context, endpoint)
         if endpoint && (auth_schemes = endpoint.properties['authSchemes'])
@@ -33,8 +39,64 @@ module Aws
 
       private
 
+      def merge_signing_defaults(auth_scheme, config)
+        if %w[sigv4 sigv4a sigv4-s3express].include?(auth_scheme['name'])
+          auth_scheme['signingName'] ||= sigv4_name(config)
+          if auth_scheme['name'] == 'sigv4a'
+            # config option supersedes endpoint properties
+            auth_scheme['signingRegionSet'] =
+              config.sigv4a_signing_region_set || auth_scheme['signingRegionSet'] || [config.region]
+          else
+            auth_scheme['signingRegion'] ||= config.region
+          end
+        end
+        auth_scheme
+      end
+
+      def sigv4_name(config)
+        config.api.metadata['signingName'] ||
+          config.api.metadata['endpointPrefix']
+      end
+
       def default_auth_scheme(context)
-        case default_api_authtype(context)
+        if (auth_list = default_api_auth(context))
+          auth = auth_list.find { |a| SUPPORTED_AUTH_TRAITS.include?(a) }
+          case auth
+          when 'aws.auth#sigv4', 'aws.auth#sigv4a'
+            auth_scheme = { 'name' => auth.split('#').last }
+            if s3_or_s3v4_signature_version?(context)
+              auth_scheme = auth_scheme.merge(
+                'disableDoubleEncoding' => true,
+                'disableNormalizePath' => true
+              )
+            end
+            merge_signing_defaults(auth_scheme, context.config)
+          when 'smithy.api#httpBearerAuth'
+            { 'name' => 'bearer' }
+          when 'smithy.api#noAuth'
+            { 'name' => 'none' }
+          else
+            raise 'No supported auth trait for this endpoint.'
+          end
+        else
+          legacy_default_auth_scheme(context)
+        end
+      end
+
+      def default_api_auth(context)
+        context.config.api.operation(context.operation_name)['auth'] ||
+          context.config.api.metadata['auth']
+      end
+
+      def s3_or_s3v4_signature_version?(context)
+        %w[s3 s3v4].include?(context.config.api.metadata['signatureVersion'])
+      end
+
+      # Legacy auth resolution - looks for deprecated signatureVersion
+      # and authType traits.
+
+      def legacy_default_auth_scheme(context)
+        case legacy_default_api_authtype(context)
         when 'v4', 'v4-unsigned-body'
           auth_scheme = { 'name' => 'sigv4' }
           merge_signing_defaults(auth_scheme, context.config)
@@ -52,27 +114,11 @@ module Aws
         end
       end
 
-      def merge_signing_defaults(auth_scheme, config)
-        if %w[sigv4 sigv4a sigv4-s3express].include?(auth_scheme['name'])
-          auth_scheme['signingName'] ||= sigv4_name(config)
-          if auth_scheme['name'] == 'sigv4a'
-            auth_scheme['signingRegionSet'] ||= ['*']
-          else
-            auth_scheme['signingRegion'] ||= config.region
-          end
-        end
-        auth_scheme
-      end
-
-      def default_api_authtype(context)
+      def legacy_default_api_authtype(context)
         context.config.api.operation(context.operation_name)['authtype'] ||
           context.config.api.metadata['signatureVersion']
       end
 
-      def sigv4_name(config)
-        config.api.metadata['signingName'] ||
-          config.api.metadata['endpointPrefix']
-      end
     end
   end
 end

data/lib/aws-sdk-core/errors.rb

@@ -236,6 +236,15 @@ module Aws
       end
     end
 
+    # Raised when a client is constructed and the sigv4a region set is invalid.
+    # It is invalid when it is empty and/or contains empty strings.
+    class InvalidRegionSetError < ArgumentError
+      def initialize(*args)
+        msg = 'The provided sigv4a region set was empty or invalid.'
+        super(msg)
+      end
+    end
+
     # Raised when a client is contsructed and the region is not valid.
     class InvalidRegionError < ArgumentError
       def initialize(*args)

data/lib/aws-sdk-core/plugins/bearer_authorization.rb

@@ -4,6 +4,8 @@ module Aws
   # @api private
   module Plugins
     # @api private
+    # Deprecated - does not look at new traits like `auth` and `unsignedPayload`
+    # Necessary to exist after endpoints 2.0 for old service clients + new core
     class BearerAuthorization < Seahorse::Client::Plugin
 
       option(:token_provider,

data/lib/aws-sdk-core/plugins/checksum_algorithm.rb

@@ -238,7 +238,8 @@ module Aws
 
         # determine where (header vs trailer) a request checksum should be added
         def checksum_request_in(context)
-          if context.operation['authtype'].eql?('v4-unsigned-body')
+          if context.operation['unsignedPayload'] ||
+             context.operation['authtype'] == 'v4-unsigned-body'
             'trailer'
           else
             'header'

data/lib/aws-sdk-core/plugins/regional_endpoint.rb

@@ -24,6 +24,21 @@ a default `:region` is searched for in the following locations:
         resolve_region(cfg)
       end
 
+      option(:sigv4a_signing_region_set,
+             doc_type: Array,
+             rbs_type: 'Array[String]',
+             docstring: <<-DOCS) do |cfg|
+A list of regions that should be signed with SigV4a signing. When
+not passed, a default `:sigv4a_signing_region_set` is searched for
+in the following locations:
+
+* `Aws.config[:sigv4a_signing_region_set]`
+* `ENV['AWS_SIGV4A_SIGNING_REGION_SET']`
+* `~/.aws/config`
+        DOCS
+        resolve_sigv4a_signing_region_set(cfg)
+      end
+
       option(:use_dualstack_endpoint,
         doc_type: 'Boolean',
         docstring: <<-DOCS) do |cfg|
@@ -65,9 +80,17 @@ to test or custom endpoints. This should be a valid HTTP(S) URI.
       end
 
       def after_initialize(client)
-        if client.config.region.nil? || client.config.region == ''
-          raise Errors::MissingRegionError
-        end
+        region = client.config.region
+        raise Errors::MissingRegionError if region.nil? || region == ''
+
+        region_set = client.config.sigv4a_signing_region_set
+        return if region_set.nil?
+        raise Errors::InvalidRegionSetError unless region_set.is_a?(Array)
+
+        region_set = region_set.compact.reject(&:empty?)
+        raise Errors::InvalidRegionSetError if region_set.empty?
+
+        client.config.sigv4a_signing_region_set = region_set
       end
 
       class << self
@@ -81,6 +104,12 @@ to test or custom endpoints. This should be a valid HTTP(S) URI.
           env_region || cfg_region
         end
 
+        def resolve_sigv4a_signing_region_set(cfg)
+          value = ENV['AWS_SIGV4A_SIGNING_REGION_SET']
+          value ||= Aws.shared_config.sigv4a_signing_region_set(profile: cfg.profile)
+          value.split(',') if value
+        end
+
         def resolve_use_dualstack_endpoint(cfg)
           value = ENV['AWS_USE_DUALSTACK_ENDPOINT']
           value ||= Aws.shared_config.use_dualstack_endpoint(

data/lib/aws-sdk-core/plugins/sign.rb

@@ -102,7 +102,7 @@ module Aws
           end
 
           region = if scheme_name == 'sigv4a'
-                     auth_scheme['signingRegionSet'].first
+                     auth_scheme['signingRegionSet'].join(',')
                    else
                      auth_scheme['signingRegion']
                    end
@@ -159,17 +159,20 @@ module Aws
         private
 
         def apply_authtype(context, req)
-          # only used for eventstreaming at input
+          # only used for event streaming at input
           if context[:input_event_emitter]
             req.headers['X-Amz-Content-Sha256'] = 'STREAMING-AWS4-HMAC-SHA256-EVENTS'
-          else
-            if context.operation['authtype'].eql?('v4-unsigned-body') &&
-              req.endpoint.scheme.eql?('https')
-              req.headers['X-Amz-Content-Sha256'] ||= 'UNSIGNED-PAYLOAD'
-            end
+          elsif unsigned_payload?(context, req)
+            req.headers['X-Amz-Content-Sha256'] ||= 'UNSIGNED-PAYLOAD'
           end
         end
 
+        def unsigned_payload?(context, req)
+          (context.operation['unsignedPayload'] ||
+            context.operation['authtype'] == 'v4-unsigned-body') &&
+            req.endpoint.scheme == 'https'
+        end
+
         def reset_signature(req)
           # in case this request is being re-signed
           req.headers.delete('Authorization')

data/lib/aws-sdk-core/plugins/signature_v2.rb

@@ -3,7 +3,8 @@
 module Aws
   module Plugins
     # @api private
-    # Necessary to keep after Endpoints 2.0
+    # Deprecated - does not look at new traits like `auth` and `unsignedPayload`
+    # Necessary to exist after endpoints 2.0 for old service clients + new core
     class SignatureV2 < Seahorse::Client::Plugin
 
       option(:v2_signer) do |cfg|

data/lib/aws-sdk-core/plugins/signature_v4.rb

@@ -5,7 +5,8 @@ require 'aws-sigv4'
 module Aws
   module Plugins
     # @api private
-    # Necessary to exist after endpoints 2.0
+    # Deprecated - does not look at new traits like `auth` and `unsignedPayload`
+    # Necessary to exist after endpoints 2.0 for old service clients + new core
     class SignatureV4 < Seahorse::Client::Plugin
 
       V4_AUTH = %w[v4 v4-unsigned-payload v4-unsigned-body]

data/lib/aws-sdk-core/plugins/transfer_encoding.rb

@@ -5,7 +5,8 @@ module Aws
 
     # For Streaming Input Operations, when `requiresLength` is enabled
     # checking whether `Content-Length` header can be set,
-    # for `v4-unsigned-body` operations, set `Transfer-Encoding` header
+    # for `unsignedPayload` and `v4-unsigned-body` operations,
+    # set `Transfer-Encoding` header.
     class TransferEncoding < Seahorse::Client::Plugin
 
       # @api private
@@ -16,8 +17,8 @@ module Aws
             unless context.http_request.body.respond_to?(:size)
               if requires_length?(context.operation.input)
                 # if size of the IO is not available but required
-                raise Aws::Errors::MissingContentLength.new
-              elsif context.operation['authtype'] == "v4-unsigned-body"
+                raise Aws::Errors::MissingContentLength
+              elsif unsigned_payload?(context.operation)
                 context.http_request.headers['Transfer-Encoding'] = 'chunked'
               end
             end
@@ -29,18 +30,24 @@ module Aws
         private
 
         def streaming?(ref)
-          if payload = ref[:payload_member]
-            payload["streaming"] || # checking ref and shape
-              payload.shape["streaming"]
+          if (payload = ref[:payload_member])
+            payload['streaming'] || payload.shape['streaming']
           else
             false
           end
         end
 
+        def unsigned_payload?(operation)
+          operation['unsignedPayload'] ||
+            operation['authtype'] == 'v4-unsigned-body'
+        end
+
         def requires_length?(ref)
-          payload = ref[:payload_member]
-          payload["requiresLength"] || # checking ref and shape
-            payload.shape["requiresLength"]
+          if (payload = ref[:payload_member])
+            payload['requiresLength'] || payload.shape['requiresLength']
+          else
+            false
+          end
         end
 
       end

data/lib/aws-sdk-core/shared_config.rb

@@ -198,6 +198,7 @@ module Aws
 
     config_reader(
       :region,
+      :sigv4a_signing_region_set,
       :ca_bundle,
       :credential_process,
       :endpoint_discovery_enabled,

data/lib/aws-sdk-sso/client.rb

@@ -312,6 +312,15 @@ module Aws::SSO
     #
     #   @option options [String] :session_token
     #
+    #   @option options [Array] :sigv4a_signing_region_set
+    #     A list of regions that should be signed with SigV4a signing. When
+    #     not passed, a default `:sigv4a_signing_region_set` is searched for
+    #     in the following locations:
+    #
+    #     * `Aws.config[:sigv4a_signing_region_set]`
+    #     * `ENV['AWS_SIGV4A_SIGNING_REGION_SET']`
+    #     * `~/.aws/config`
+    #
     #   @option options [Boolean] :stub_responses (false)
     #     Causes the client to return stubbed responses. By default
     #     fake responses are generated and returned. You can specify
@@ -633,7 +642,7 @@ module Aws::SSO
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.200.0'
+      context[:gem_version] = '3.201.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso/client_api.rb

@@ -129,6 +129,7 @@ module Aws::SSO
         o.http_method = "GET"
         o.http_request_uri = "/federation/credentials"
         o['authtype'] = "none"
+        o['auth'] = ["smithy.api#noAuth"]
         o.input = Shapes::ShapeRef.new(shape: GetRoleCredentialsRequest)
         o.output = Shapes::ShapeRef.new(shape: GetRoleCredentialsResponse)
         o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
@@ -142,6 +143,7 @@ module Aws::SSO
         o.http_method = "GET"
         o.http_request_uri = "/assignment/roles"
         o['authtype'] = "none"
+        o['auth'] = ["smithy.api#noAuth"]
         o.input = Shapes::ShapeRef.new(shape: ListAccountRolesRequest)
         o.output = Shapes::ShapeRef.new(shape: ListAccountRolesResponse)
         o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
@@ -161,6 +163,7 @@ module Aws::SSO
         o.http_method = "GET"
         o.http_request_uri = "/assignment/accounts"
         o['authtype'] = "none"
+        o['auth'] = ["smithy.api#noAuth"]
         o.input = Shapes::ShapeRef.new(shape: ListAccountsRequest)
         o.output = Shapes::ShapeRef.new(shape: ListAccountsResponse)
         o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
@@ -180,6 +183,7 @@ module Aws::SSO
         o.http_method = "POST"
         o.http_request_uri = "/logout"
         o['authtype'] = "none"
+        o['auth'] = ["smithy.api#noAuth"]
         o.input = Shapes::ShapeRef.new(shape: LogoutRequest)
         o.output = Shapes::ShapeRef.new(shape: Shapes::StructureShape.new(struct_class: Aws::EmptyStructure))
         o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)

data/lib/aws-sdk-sso.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-sso/customizations'
 # @!group service
 module Aws::SSO
 
-  GEM_VERSION = '3.200.0'
+  GEM_VERSION = '3.201.0'
 
 end

data/lib/aws-sdk-ssooidc/client.rb

@@ -312,6 +312,15 @@ module Aws::SSOOIDC
     #
     #   @option options [String] :session_token
     #
+    #   @option options [Array] :sigv4a_signing_region_set
+    #     A list of regions that should be signed with SigV4a signing. When
+    #     not passed, a default `:sigv4a_signing_region_set` is searched for
+    #     in the following locations:
+    #
+    #     * `Aws.config[:sigv4a_signing_region_set]`
+    #     * `ENV['AWS_SIGV4A_SIGNING_REGION_SET']`
+    #     * `~/.aws/config`
+    #
     #   @option options [Boolean] :stub_responses (false)
     #     Causes the client to return stubbed responses. By default
     #     fake responses are generated and returned. You can specify
@@ -986,7 +995,7 @@ module Aws::SSOOIDC
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.200.0'
+      context[:gem_version] = '3.201.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-ssooidc/client_api.rb

@@ -225,6 +225,7 @@ module Aws::SSOOIDC
         o.http_method = "POST"
         o.http_request_uri = "/token"
         o['authtype'] = "none"
+        o['auth'] = ["smithy.api#noAuth"]
         o.input = Shapes::ShapeRef.new(shape: CreateTokenRequest)
         o.output = Shapes::ShapeRef.new(shape: CreateTokenResponse)
         o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
@@ -265,6 +266,7 @@ module Aws::SSOOIDC
         o.http_method = "POST"
         o.http_request_uri = "/client/register"
         o['authtype'] = "none"
+        o['auth'] = ["smithy.api#noAuth"]
         o.input = Shapes::ShapeRef.new(shape: RegisterClientRequest)
         o.output = Shapes::ShapeRef.new(shape: RegisterClientResponse)
         o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
@@ -280,6 +282,7 @@ module Aws::SSOOIDC
         o.http_method = "POST"
         o.http_request_uri = "/device_authorization"
         o['authtype'] = "none"
+        o['auth'] = ["smithy.api#noAuth"]
         o.input = Shapes::ShapeRef.new(shape: StartDeviceAuthorizationRequest)
         o.output = Shapes::ShapeRef.new(shape: StartDeviceAuthorizationResponse)
         o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)

data/lib/aws-sdk-ssooidc.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-ssooidc/customizations'
 # @!group service
 module Aws::SSOOIDC
 
-  GEM_VERSION = '3.200.0'
+  GEM_VERSION = '3.201.0'
 
 end

data/lib/aws-sdk-sts/client.rb

@@ -314,6 +314,15 @@ module Aws::STS
     #
     #   @option options [String] :session_token
     #
+    #   @option options [Array] :sigv4a_signing_region_set
+    #     A list of regions that should be signed with SigV4a signing. When
+    #     not passed, a default `:sigv4a_signing_region_set` is searched for
+    #     in the following locations:
+    #
+    #     * `Aws.config[:sigv4a_signing_region_set]`
+    #     * `ENV['AWS_SIGV4A_SIGNING_REGION_SET']`
+    #     * `~/.aws/config`
+    #
     #   @option options [String] :sts_regional_endpoints ("regional")
     #     Passing in 'regional' to enable regional endpoint for STS for all supported
     #     regions (except 'aws-global'). Using 'legacy' mode will force all legacy
@@ -2380,7 +2389,7 @@ module Aws::STS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.200.0'
+      context[:gem_version] = '3.201.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sts/client_api.rb

@@ -280,7 +280,7 @@ module Aws::STS
         o.name = "AssumeRoleWithSAML"
         o.http_method = "POST"
         o.http_request_uri = "/"
-        o['authtype'] = "none"
+        o['auth'] = ["smithy.api#noAuth"]
         o.input = Shapes::ShapeRef.new(shape: AssumeRoleWithSAMLRequest)
         o.output = Shapes::ShapeRef.new(shape: AssumeRoleWithSAMLResponse)
         o.errors << Shapes::ShapeRef.new(shape: MalformedPolicyDocumentException)
@@ -295,7 +295,7 @@ module Aws::STS
         o.name = "AssumeRoleWithWebIdentity"
         o.http_method = "POST"
         o.http_request_uri = "/"
-        o['authtype'] = "none"
+        o['auth'] = ["smithy.api#noAuth"]
         o.input = Shapes::ShapeRef.new(shape: AssumeRoleWithWebIdentityRequest)
         o.output = Shapes::ShapeRef.new(shape: AssumeRoleWithWebIdentityResponse)
         o.errors << Shapes::ShapeRef.new(shape: MalformedPolicyDocumentException)

data/lib/aws-sdk-sts.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-sts/customizations'
 # @!group service
 module Aws::STS
 
-  GEM_VERSION = '3.200.0'
+  GEM_VERSION = '3.201.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-  version: 3.200.0
+  version: 3.201.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-28 00:00:00.000000000 Z
+date: 2024-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jmespath