aws-sdk-s3 1.100.0 → 1.104.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +20 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-s3/arn/multi_region_access_point_arn.rb +69 -0
- data/lib/aws-sdk-s3/bucket.rb +5 -5
- data/lib/aws-sdk-s3/client.rb +281 -267
- data/lib/aws-sdk-s3/client_api.rb +3 -0
- data/lib/aws-sdk-s3/encryption/decrypt_handler.rb +0 -4
- data/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb +0 -4
- data/lib/aws-sdk-s3/encryptionV2/encrypt_handler.rb +0 -4
- data/lib/aws-sdk-s3/object.rb +18 -18
- data/lib/aws-sdk-s3/object_summary.rb +12 -12
- data/lib/aws-sdk-s3/plugins/arn.rb +51 -12
- data/lib/aws-sdk-s3/plugins/s3_signer.rb +10 -1
- data/lib/aws-sdk-s3/presigner.rb +6 -0
- data/lib/aws-sdk-s3/types.rb +78 -57
- data/lib/aws-sdk-s3.rb +1 -1
- metadata +8 -7
@@ -22,6 +22,7 @@ module Aws::S3
|
|
22
22
|
AcceptRanges = Shapes::StringShape.new(name: 'AcceptRanges')
|
23
23
|
AccessControlPolicy = Shapes::StructureShape.new(name: 'AccessControlPolicy')
|
24
24
|
AccessControlTranslation = Shapes::StructureShape.new(name: 'AccessControlTranslation')
|
25
|
+
AccessPointArn = Shapes::StringShape.new(name: 'AccessPointArn')
|
25
26
|
AccountId = Shapes::StringShape.new(name: 'AccountId')
|
26
27
|
AllowQuotedRecordDelimiter = Shapes::BooleanShape.new(name: 'AllowQuotedRecordDelimiter')
|
27
28
|
AllowedHeader = Shapes::StringShape.new(name: 'AllowedHeader')
|
@@ -1686,6 +1687,7 @@ module Aws::S3
|
|
1686
1687
|
|
1687
1688
|
MetricsAndOperator.add_member(:prefix, Shapes::ShapeRef.new(shape: Prefix, location_name: "Prefix"))
|
1688
1689
|
MetricsAndOperator.add_member(:tags, Shapes::ShapeRef.new(shape: TagSet, location_name: "Tag", metadata: {"flattened"=>true}))
|
1690
|
+
MetricsAndOperator.add_member(:access_point_arn, Shapes::ShapeRef.new(shape: AccessPointArn, location_name: "AccessPointArn"))
|
1689
1691
|
MetricsAndOperator.struct_class = Types::MetricsAndOperator
|
1690
1692
|
|
1691
1693
|
MetricsConfiguration.add_member(:id, Shapes::ShapeRef.new(shape: MetricsId, required: true, location_name: "Id"))
|
@@ -1696,6 +1698,7 @@ module Aws::S3
|
|
1696
1698
|
|
1697
1699
|
MetricsFilter.add_member(:prefix, Shapes::ShapeRef.new(shape: Prefix, location_name: "Prefix"))
|
1698
1700
|
MetricsFilter.add_member(:tag, Shapes::ShapeRef.new(shape: Tag, location_name: "Tag"))
|
1701
|
+
MetricsFilter.add_member(:access_point_arn, Shapes::ShapeRef.new(shape: AccessPointArn, location_name: "AccessPointArn"))
|
1699
1702
|
MetricsFilter.add_member(:and, Shapes::ShapeRef.new(shape: MetricsAndOperator, location_name: "And"))
|
1700
1703
|
MetricsFilter.struct_class = Types::MetricsFilter
|
1701
1704
|
|
@@ -165,10 +165,6 @@ module Aws
|
|
165
165
|
# to initialize the cipher, and the decrypter truncates the
|
166
166
|
# auth tag from the body when writing the final bytes.
|
167
167
|
def authenticated_decrypter(context, cipher, envelope)
|
168
|
-
if RUBY_VERSION.match(/^1.9/)
|
169
|
-
msg = 'authenticated decryption not supported by OpenSSL in Ruby version ~> 1.9'
|
170
|
-
raise Aws::Errors::NonSupportedRubyVersionError, msg
|
171
|
-
end
|
172
168
|
http_resp = context.http_response
|
173
169
|
content_length = http_resp.headers['content-length'].to_i
|
174
170
|
auth_tag_length = auth_tag_length(envelope)
|
@@ -166,10 +166,6 @@ module Aws
|
|
166
166
|
# to initialize the cipher, and the decrypter truncates the
|
167
167
|
# auth tag from the body when writing the final bytes.
|
168
168
|
def authenticated_decrypter(context, cipher, envelope)
|
169
|
-
if RUBY_VERSION.match(/^1.9/)
|
170
|
-
msg = 'authenticated decryption not supported by OpenSSL in Ruby version ~> 1.9'
|
171
|
-
raise Aws::Errors::NonSupportedRubyVersionError, msg
|
172
|
-
end
|
173
169
|
http_resp = context.http_response
|
174
170
|
content_length = http_resp.headers['content-length'].to_i
|
175
171
|
auth_tag_length = auth_tag_length(envelope)
|
@@ -9,10 +9,6 @@ module Aws
|
|
9
9
|
class EncryptHandler < Seahorse::Client::Handler
|
10
10
|
|
11
11
|
def call(context)
|
12
|
-
if RUBY_VERSION.match(/^1.9/)
|
13
|
-
raise "authenticated encryption not supported by OpenSSL in Ruby version ~> 1.9"
|
14
|
-
raise Aws::Errors::NonSupportedRubyVersionError, msg
|
15
|
-
end
|
16
12
|
envelope, cipher = context[:encryption][:cipher_provider]
|
17
13
|
.encryption_cipher(
|
18
14
|
kms_encryption_context: context[:encryption][:kms_encryption_context]
|
data/lib/aws-sdk-s3/object.rb
CHANGED
@@ -184,10 +184,10 @@ module Aws::S3
|
|
184
184
|
end
|
185
185
|
|
186
186
|
# If the object is stored using server-side encryption either with an
|
187
|
-
# Amazon Web Services KMS
|
188
|
-
#
|
189
|
-
#
|
190
|
-
#
|
187
|
+
# Amazon Web Services KMS key or an Amazon S3-managed encryption key,
|
188
|
+
# the response includes this header with the value of the server-side
|
189
|
+
# encryption algorithm used when storing this object in Amazon S3 (for
|
190
|
+
# example, AES256, aws:kms).
|
191
191
|
# @return [String]
|
192
192
|
def server_side_encryption
|
193
193
|
data[:server_side_encryption]
|
@@ -217,8 +217,8 @@ module Aws::S3
|
|
217
217
|
end
|
218
218
|
|
219
219
|
# If present, specifies the ID of the Amazon Web Services Key Management
|
220
|
-
# Service (Amazon Web Services KMS) symmetric customer managed
|
221
|
-
#
|
220
|
+
# Service (Amazon Web Services KMS) symmetric customer managed key that
|
221
|
+
# was used for the object.
|
222
222
|
# @return [String]
|
223
223
|
def ssekms_key_id
|
224
224
|
data[:ssekms_key_id]
|
@@ -1028,13 +1028,13 @@ module Aws::S3
|
|
1028
1028
|
# RFC 1321. Amazon S3 uses this header for a message integrity check to
|
1029
1029
|
# ensure that the encryption key was transmitted without error.
|
1030
1030
|
# @option options [String] :ssekms_key_id
|
1031
|
-
# Specifies the ID of the symmetric customer managed
|
1032
|
-
#
|
1033
|
-
#
|
1034
|
-
#
|
1035
|
-
#
|
1036
|
-
#
|
1037
|
-
#
|
1031
|
+
# Specifies the ID of the symmetric customer managed key to use for
|
1032
|
+
# object encryption. All GET and PUT requests for an object protected by
|
1033
|
+
# Amazon Web Services KMS will fail if not made via SSL or using SigV4.
|
1034
|
+
# For information about configuring using any of the officially
|
1035
|
+
# supported Amazon Web Services SDKs and Amazon Web Services CLI, see
|
1036
|
+
# [Specifying the Signature Version in Request Authentication][1] in the
|
1037
|
+
# *Amazon S3 User Guide*.
|
1038
1038
|
#
|
1039
1039
|
#
|
1040
1040
|
#
|
@@ -1277,12 +1277,12 @@ module Aws::S3
|
|
1277
1277
|
# If `x-amz-server-side-encryption` is present and has the value of
|
1278
1278
|
# `aws:kms`, this header specifies the ID of the Amazon Web Services Key
|
1279
1279
|
# Management Service (Amazon Web Services KMS) symmetrical customer
|
1280
|
-
# managed
|
1281
|
-
#
|
1280
|
+
# managed key that was used for the object. If you specify
|
1281
|
+
# `x-amz-server-side-encryption:aws:kms`, but do not provide`
|
1282
1282
|
# x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
1283
|
-
# Amazon Web Services managed
|
1284
|
-
#
|
1285
|
-
#
|
1283
|
+
# Amazon Web Services managed key to protect the data. If the KMS key
|
1284
|
+
# does not exist in the same account issuing the command, you must use
|
1285
|
+
# the full ARN and not just the ID.
|
1286
1286
|
# @option options [String] :ssekms_encryption_context
|
1287
1287
|
# Specifies the Amazon Web Services KMS Encryption Context to use for
|
1288
1288
|
# object encryption. The value of this header is a base64-encoded UTF-8
|
@@ -772,13 +772,13 @@ module Aws::S3
|
|
772
772
|
# RFC 1321. Amazon S3 uses this header for a message integrity check to
|
773
773
|
# ensure that the encryption key was transmitted without error.
|
774
774
|
# @option options [String] :ssekms_key_id
|
775
|
-
# Specifies the ID of the symmetric customer managed
|
776
|
-
#
|
777
|
-
#
|
778
|
-
#
|
779
|
-
#
|
780
|
-
#
|
781
|
-
#
|
775
|
+
# Specifies the ID of the symmetric customer managed key to use for
|
776
|
+
# object encryption. All GET and PUT requests for an object protected by
|
777
|
+
# Amazon Web Services KMS will fail if not made via SSL or using SigV4.
|
778
|
+
# For information about configuring using any of the officially
|
779
|
+
# supported Amazon Web Services SDKs and Amazon Web Services CLI, see
|
780
|
+
# [Specifying the Signature Version in Request Authentication][1] in the
|
781
|
+
# *Amazon S3 User Guide*.
|
782
782
|
#
|
783
783
|
#
|
784
784
|
#
|
@@ -1021,12 +1021,12 @@ module Aws::S3
|
|
1021
1021
|
# If `x-amz-server-side-encryption` is present and has the value of
|
1022
1022
|
# `aws:kms`, this header specifies the ID of the Amazon Web Services Key
|
1023
1023
|
# Management Service (Amazon Web Services KMS) symmetrical customer
|
1024
|
-
# managed
|
1025
|
-
#
|
1024
|
+
# managed key that was used for the object. If you specify
|
1025
|
+
# `x-amz-server-side-encryption:aws:kms`, but do not provide`
|
1026
1026
|
# x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
1027
|
-
# Amazon Web Services managed
|
1028
|
-
#
|
1029
|
-
#
|
1027
|
+
# Amazon Web Services managed key to protect the data. If the KMS key
|
1028
|
+
# does not exist in the same account issuing the command, you must use
|
1029
|
+
# the full ARN and not just the ID.
|
1030
1030
|
# @option options [String] :ssekms_encryption_context
|
1031
1031
|
# Specifies the Amazon Web Services KMS Encryption Context to use for
|
1032
1032
|
# object encryption. The value of this header is a base64-encoded UTF-8
|
@@ -3,6 +3,7 @@
|
|
3
3
|
require_relative '../arn/access_point_arn'
|
4
4
|
require_relative '../arn/object_lambda_arn'
|
5
5
|
require_relative '../arn/outpost_access_point_arn'
|
6
|
+
require_relative '../arn/multi_region_access_point_arn'
|
6
7
|
|
7
8
|
module Aws
|
8
9
|
module S3
|
@@ -23,6 +24,18 @@ be made. Set to `false` to use the client's region instead.
|
|
23
24
|
resolve_s3_use_arn_region(cfg)
|
24
25
|
end
|
25
26
|
|
27
|
+
option(
|
28
|
+
:s3_disable_multiregion_access_points,
|
29
|
+
default: false,
|
30
|
+
doc_type: 'Boolean',
|
31
|
+
docstring: <<-DOCS) do |cfg|
|
32
|
+
When set to `false` this will option will raise errors when multi-region
|
33
|
+
access point ARNs are used. Multi-region access points can potentially
|
34
|
+
result in cross region requests.
|
35
|
+
DOCS
|
36
|
+
resolve_s3_disable_multiregion_access_points(cfg)
|
37
|
+
end
|
38
|
+
|
26
39
|
# param validator is validate:50
|
27
40
|
# endpoint is build:90 (populates the URI for the first time)
|
28
41
|
# endpoint pattern is build:10
|
@@ -113,8 +126,14 @@ be made. Set to `false` to use the client's region instead.
|
|
113
126
|
|
114
127
|
if !arn.support_dualstack? && context[:use_dualstack_endpoint]
|
115
128
|
raise ArgumentError,
|
116
|
-
'Cannot provide an Outpost Access Point
|
117
|
-
'`:use_dualstack_endpoint` is set to true.'
|
129
|
+
'Cannot provide an Outpost Access Point or Multi-region Access Point ARN'\
|
130
|
+
' when `:use_dualstack_endpoint` is set to true.'
|
131
|
+
end
|
132
|
+
|
133
|
+
if arn.region.empty? && context.config.s3_disable_multiregion_access_points
|
134
|
+
raise ArgumentError,
|
135
|
+
'Cannot provide a Multi-region Access Point ARN with '\
|
136
|
+
'`:s3_disable_multiregion_access_points` set to true'
|
118
137
|
end
|
119
138
|
end
|
120
139
|
end
|
@@ -147,7 +166,9 @@ be made. Set to `false` to use the client's region instead.
|
|
147
166
|
def resolve_arn_type!(arn)
|
148
167
|
case arn.service
|
149
168
|
when 's3'
|
150
|
-
|
169
|
+
arn.region.empty? ?
|
170
|
+
Aws::S3::MultiRegionAccessPointARN.new(arn.to_h) :
|
171
|
+
Aws::S3::AccessPointARN.new(arn.to_h)
|
151
172
|
when 's3-outposts'
|
152
173
|
Aws::S3::OutpostAccessPointARN.new(arn.to_h)
|
153
174
|
when 's3-object-lambda'
|
@@ -174,6 +195,21 @@ be made. Set to `false` to use the client's region instead.
|
|
174
195
|
value
|
175
196
|
end
|
176
197
|
|
198
|
+
def resolve_s3_disable_multiregion_access_points(cfg)
|
199
|
+
value = ENV['AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS'] ||
|
200
|
+
Aws.shared_config.s3_disable_multiregion_access_points(profile: cfg.profile) ||
|
201
|
+
'false'
|
202
|
+
value = Aws::Util.str_2_bool(value)
|
203
|
+
# Raise if provided value is not true or false
|
204
|
+
if value.nil?
|
205
|
+
raise ArgumentError,
|
206
|
+
'Must provide either `true` or `false` for '\
|
207
|
+
's3_use_arn_region profile option or for '\
|
208
|
+
"ENV['AWS_S3_USE_ARN_REGION']"
|
209
|
+
end
|
210
|
+
value
|
211
|
+
end
|
212
|
+
|
177
213
|
# Remove ARN from the path because we've already set the new host
|
178
214
|
def url_path(path, arn)
|
179
215
|
path = path.sub("/#{Seahorse::Util.uri_escape(arn.to_s)}", '')
|
@@ -208,16 +244,19 @@ be made. Set to `false` to use the client's region instead.
|
|
208
244
|
region = region.gsub('fips-', '').gsub('-fips', '')
|
209
245
|
end
|
210
246
|
|
211
|
-
#
|
212
|
-
|
213
|
-
|
214
|
-
|
215
|
-
|
247
|
+
# use_arn_region does not apply to MRAP (global) arns
|
248
|
+
unless arn.region.empty?
|
249
|
+
# Raise if the ARN and client regions are in different partitions
|
250
|
+
if use_arn_region &&
|
251
|
+
!Aws::Partitions.partition(arn.partition).region?(region)
|
252
|
+
raise Aws::Errors::InvalidARNPartitionError
|
253
|
+
end
|
216
254
|
|
217
|
-
|
218
|
-
|
219
|
-
|
220
|
-
|
255
|
+
# Raise if regions mismatch
|
256
|
+
# Either when it's a fips client or not using the ARN region
|
257
|
+
if (!use_arn_region || fips) && region != arn.region
|
258
|
+
raise Aws::Errors::InvalidARNRegionError
|
259
|
+
end
|
221
260
|
end
|
222
261
|
end
|
223
262
|
end
|
@@ -74,9 +74,17 @@ module Aws
|
|
74
74
|
credentials: context.config.credentials
|
75
75
|
)
|
76
76
|
elsif (arn = context.metadata[:s3_arn])
|
77
|
+
if arn[:arn].is_a?(MultiRegionAccessPointARN)
|
78
|
+
signing_region = '*'
|
79
|
+
signing_algorithm = :sigv4a
|
80
|
+
else
|
81
|
+
signing_region = arn[:resolved_region]
|
82
|
+
signing_algorithm = :sigv4
|
83
|
+
end
|
77
84
|
S3Signer.build_v4_signer(
|
78
85
|
service: arn[:arn].service,
|
79
|
-
|
86
|
+
signing_algorithm: signing_algorithm,
|
87
|
+
region: signing_region,
|
80
88
|
credentials: context.config.credentials
|
81
89
|
)
|
82
90
|
elsif context.operation.name == 'WriteGetObjectResponse'
|
@@ -216,6 +224,7 @@ module Aws
|
|
216
224
|
service: options[:service],
|
217
225
|
region: options[:region],
|
218
226
|
credentials_provider: options[:credentials],
|
227
|
+
signing_algorithm: options.fetch(:signing_algorithm, :sigv4),
|
219
228
|
uri_escape_path: false,
|
220
229
|
unsigned_headers: ['content-length', 'x-amzn-trace-id']
|
221
230
|
)
|
data/lib/aws-sdk-s3/presigner.rb
CHANGED
@@ -231,17 +231,23 @@ module Aws
|
|
231
231
|
end
|
232
232
|
http_req.endpoint.query = query.join('&') unless query.empty?
|
233
233
|
|
234
|
+
signing_algorithm = :sigv4
|
235
|
+
|
234
236
|
# If it's an ARN, get the resolved region and service
|
235
237
|
if (arn = context.metadata[:s3_arn])
|
236
238
|
region = arn[:resolved_region]
|
237
239
|
service = arn[:arn].service
|
240
|
+
region = arn[:arn].is_a?(MultiRegionAccessPointARN) ? '*': arn[:resolved_region]
|
241
|
+
signing_algorithm = arn[:arn].is_a?(MultiRegionAccessPointARN) ? :sigv4a : :sigv4
|
238
242
|
end
|
239
243
|
|
240
244
|
signer = Aws::Sigv4::Signer.new(
|
241
245
|
service: service || 's3',
|
242
246
|
region: region || context.config.region,
|
247
|
+
signing_algorithm: signing_algorithm,
|
243
248
|
credentials_provider: context.config.credentials,
|
244
249
|
unsigned_headers: unsigned_headers,
|
250
|
+
apply_checksum_header: false,
|
245
251
|
uri_escape_path: false
|
246
252
|
)
|
247
253
|
|