aws-sdk-s3 1.103.0 → 1.202.0

data/lib/aws-sdk-s3/plugins/accelerate.rb

@@ -23,67 +23,26 @@ each bucket. [Go here for more information](http://docs.aws.amazon.com/AmazonS3/
           operations = config.api.operation_names - [
             :create_bucket, :list_buckets, :delete_bucket
           ]
-          # Need 2 handlers so that the context can be set for other plugins
-          # and to remove :use_accelerate_endpoint from the params.
           handlers.add(
             OptionHandler, step: :initialize, operations: operations
           )
-          handlers.add(
-            AccelerateHandler, step: :build, priority: 11, operations: operations
-          )
         end
 
         # @api private
         class OptionHandler < Seahorse::Client::Handler
           def call(context)
             # Support client configuration and per-operation configuration
+            # TODO: move this to an options hash and warn here.
             if context.params.is_a?(Hash)
               accelerate = context.params.delete(:use_accelerate_endpoint)
             end
-            accelerate = context.config.use_accelerate_endpoint if accelerate.nil?
-            # Raise if :endpoint and dualstack are both provided
-            if accelerate && !context.config.regional_endpoint
-              raise ArgumentError,
-                    'Cannot use both :use_accelerate_endpoint and :endpoint'
+            if accelerate.nil?
+              accelerate = context.config.use_accelerate_endpoint
             end
             context[:use_accelerate_endpoint] = accelerate
             @handler.call(context)
           end
         end
-
-        # @api private
-        class AccelerateHandler < Seahorse::Client::Handler
-          def call(context)
-            if context.config.regional_endpoint && context[:use_accelerate_endpoint]
-              dualstack = !!context[:use_dualstack_endpoint]
-              use_accelerate_endpoint(context, dualstack)
-            end
-            @handler.call(context)
-          end
-
-          private
-
-          def use_accelerate_endpoint(context, dualstack)
-            bucket_name = context.params[:bucket]
-            validate_bucket_name!(bucket_name)
-            endpoint = URI.parse(context.http_request.endpoint.to_s)
-            endpoint.scheme = 'https'
-            endpoint.port = 443
-            endpoint.host = "#{bucket_name}.s3-accelerate"\
-                            "#{'.dualstack' if dualstack}.amazonaws.com"
-            context.http_request.endpoint = endpoint.to_s
-            # s3 accelerate endpoint doesn't work with 'expect' header
-            context.http_request.headers.delete('expect')
-          end
-
-          def validate_bucket_name!(bucket_name)
-            unless BucketDns.dns_compatible?(bucket_name, _ssl = true)
-              raise ArgumentError,
-                    'Unable to use `use_accelerate_endpoint: true` on buckets '\
-                    'with non-DNS compatible names.'
-            end
-          end
-        end
       end
     end
   end

data/lib/aws-sdk-s3/plugins/access_grants.rb

@@ -0,0 +1,178 @@
+# frozen_string_literal: true
+
+module Aws
+  module S3
+    module Plugins
+      # @api private
+      class AccessGrants < Seahorse::Client::Plugin
+        @s3control =
+          begin
+            require 'aws-sdk-s3control'
+            true
+          rescue LoadError
+            false
+          end
+
+        option(
+          :access_grants,
+          default: false,
+          doc_type: 'Boolean',
+          docstring: <<-DOCS)
+When `true`, the S3 client will use the S3 Access Grants feature to
+authenticate requests. Bucket credentials will be fetched from S3
+Control using the `get_data_access` API.
+          DOCS
+
+        option(:access_grants_credentials_provider,
+          doc_type: 'Aws::S3::AccessGrantsCredentialsProvider',
+          rbs_type: 'untyped',
+          docstring: <<-DOCS) do |_cfg|
+When `access_grants` is `true`, this option can be used to provide
+additional options to the credentials provider, including a privilege
+setting, caching, and fallback behavior.
+          DOCS
+          Aws::S3::AccessGrantsCredentialsProvider.new
+        end
+
+        # @api private
+        class Handler < Seahorse::Client::Handler
+          PERMISSION_MAP = {
+            head_object: 'READ',
+            get_object: 'READ',
+            get_object_acl: 'READ',
+            list_multipart_uploads: 'READ',
+            list_objects_v2: 'READ',
+            list_object_versions: 'READ',
+            list_parts: 'READ',
+            head_bucket: 'READ',
+            get_object_attributes: 'READ',
+            put_object: 'WRITE',
+            put_object_acl: 'WRITE',
+            delete_object: 'WRITE',
+            abort_multipart_upload: 'WRITE',
+            create_multipart_upload: 'WRITE',
+            upload_part: 'WRITE',
+            complete_multipart_upload: 'WRITE',
+            delete_objects: 'WRITE',
+            copy_object: 'READWRITE'
+          }.freeze
+
+          def call(context)
+            provider = context.config.access_grants_credentials_provider
+
+            if access_grants_operation?(context) &&
+               !s3_express_endpoint?(context) &&
+               !credentials_head_bucket_call?(provider)
+              params = context[:endpoint_params]
+              permission = PERMISSION_MAP[context.operation_name]
+
+              key =
+                case context.operation_name
+                when :delete_objects
+                  delete_params = context.params[:delete]
+                  common_prefixes(delete_params[:objects].map { |o| o[:key] })
+                when :copy_object
+                  source_bucket, source_key = params[:copy_source].split('/', 2)
+                  if params[:bucket] != source_bucket
+                    raise ArgumentError,
+                          'source and destination bucket must be the same'
+                  end
+                  common_prefixes([params[:key], source_key])
+                else
+                  params[:key]
+                end
+
+              credentials = provider.access_grants_credentials_for(
+                bucket: params[:bucket],
+                key: key,
+                prefix: params[:prefix],
+                permission: permission
+              )
+              context[:sigv4_credentials] = credentials # Sign will use this
+            end
+
+            with_metric(credentials) { @handler.call(context) }
+          end
+
+          private
+
+          def with_metric(credentials, &block)
+            return block.call unless credentials
+
+            Aws::Plugins::UserAgent.metric('S3_ACCESS_GRANTS', &block)
+          end
+
+          # HeadBucket is a supported call. When fetching credentials,
+          # this plugin is executed again, and becomes recursive.
+          def credentials_head_bucket_call?(provider)
+            provider.instance_variable_get(:@head_bucket_call)
+          end
+
+          def access_grants_operation?(context)
+            params = context[:endpoint_params]
+            params[:bucket] && PERMISSION_MAP[context.operation_name]
+          end
+
+          def s3_express_endpoint?(context)
+            context[:endpoint_properties]['backend'] == 'S3Express'
+          end
+
+          # Return the common prefix of the keys, regardless of the delimiter.
+          # For example, given keys ['foo/bar', 'foo/baz'], the common prefix
+          # is 'foo/ba'.
+          def common_prefixes(keys)
+            return '' if keys.empty?
+
+            first_key = keys[0]
+            common_ancestor = first_key
+            last_prefix = ''
+            keys.each do |k|
+              until common_ancestor.empty?
+                break if k.start_with?(common_ancestor)
+
+                last_index = common_ancestor.rindex('/')
+                return '' if last_index.nil?
+
+                last_prefix = common_ancestor[(last_index + 1)..-1]
+                common_ancestor = common_ancestor[0...last_index]
+              end
+            end
+            new_common_ancestor = "#{common_ancestor}/#{last_prefix}"
+            keys.each do |k|
+              until last_prefix.empty?
+                break if k.start_with?(new_common_ancestor)
+
+                last_prefix = last_prefix[0...-1]
+                new_common_ancestor = "#{common_ancestor}/#{last_prefix}"
+              end
+            end
+            if new_common_ancestor == "#{first_key}/"
+              first_key
+            else
+              new_common_ancestor
+            end
+          end
+        end
+
+        def add_handlers(handlers, config)
+          return unless AccessGrants.s3control? && config.access_grants
+
+          handlers.add(Handler)
+        end
+
+        def after_initialize(client)
+          return unless AccessGrants.s3control? && client.config.access_grants
+
+          provider = client.config.access_grants_credentials_provider
+          provider.s3_client = client unless provider.s3_client
+        end
+
+        class << self
+          def s3control?
+            @s3control
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/plugins/arn.rb

@@ -1,10 +1,5 @@
 # frozen_string_literal: true
 
-require_relative '../arn/access_point_arn'
-require_relative '../arn/object_lambda_arn'
-require_relative '../arn/outpost_access_point_arn'
-require_relative '../arn/multi_region_access_point_arn'
-
 module Aws
   module S3
     module Plugins
@@ -36,150 +31,9 @@ result in cross region requests.
           resolve_s3_disable_multiregion_access_points(cfg)
         end
 
-        # param validator is validate:50
-        # endpoint is build:90 (populates the URI for the first time)
-        # endpoint pattern is build:10
-        def add_handlers(handlers, _config)
-          handlers.add(ARNHandler, step: :validate, priority: 75)
-          handlers.add(UrlHandler)
-        end
-
-        # After extracting out any ARN input, resolve a new URL with it.
-        class UrlHandler < Seahorse::Client::Handler
-          def call(context)
-            if context.metadata[:s3_arn]
-              ARN.resolve_url!(
-                context.http_request.endpoint,
-                context.metadata[:s3_arn][:arn],
-                context.metadata[:s3_arn][:resolved_region],
-                context.metadata[:s3_arn][:fips],
-                context.metadata[:s3_arn][:dualstack],
-                # if regional_endpoint is false, a custom endpoint was provided
-                # in this case, we want to prefix the endpoint using the ARN
-                !context.config.regional_endpoint
-              )
-            end
-            @handler.call(context)
-          end
-        end
-
-        # This plugin will extract out any ARN input and set context for other
-        # plugins to use without having to translate the ARN again.
-        class ARNHandler < Seahorse::Client::Handler
-          def call(context)
-            bucket_member = _bucket_member(context.operation.input.shape)
-            if bucket_member && (bucket = context.params[bucket_member])
-              resolved_region, arn = ARN.resolve_arn!(
-                bucket,
-                context.config.region,
-                context.config.s3_use_arn_region
-              )
-              if arn
-                validate_config!(context, arn)
-
-                fips = false
-                if resolved_region.include?('fips')
-                  fips = true
-                  resolved_region = resolved_region.gsub('fips-', '')
-                                                   .gsub('-fips', '')
-                end
-
-                context.metadata[:s3_arn] = {
-                  arn: arn,
-                  resolved_region: resolved_region,
-                  fips: fips,
-                  dualstack: extract_dualstack_config!(context)
-                }
-              end
-            end
-            @handler.call(context)
-          end
-
-          private
-
-          def _bucket_member(input)
-            input.members.each do |member, ref|
-              return member if ref.shape.name == 'BucketName'
-            end
-            nil
-          end
-
-          # other plugins use dualstack so disable it when we're done
-          def extract_dualstack_config!(context)
-            dualstack = context[:use_dualstack_endpoint]
-            context[:use_dualstack_endpoint] = false if dualstack
-            dualstack
-          end
-
-          def validate_config!(context, arn)
-            if context.config.force_path_style
-              raise ArgumentError,
-                    'Cannot provide an Access Point ARN when '\
-                    '`:force_path_style` is set to true.'
-            end
-
-            if context.config.use_accelerate_endpoint
-              raise ArgumentError,
-                    'Cannot provide an Access Point ARN when '\
-                    '`:use_accelerate_endpoint` is set to true.'
-            end
-
-            if !arn.support_dualstack? && context[:use_dualstack_endpoint]
-              raise ArgumentError,
-                    'Cannot provide an Outpost Access Point or Multi-region Access Point ARN'\
-                    ' when `:use_dualstack_endpoint` is set to true.'
-            end
-
-            if arn.region.empty? && context.config.s3_disable_multiregion_access_points
-              raise ArgumentError,
-                    'Cannot provide a Multi-region Access Point ARN with '\
-                    '`:s3_disable_multiregion_access_points` set to true'
-            end
-          end
-        end
-
         class << self
-          # @api private
-          def resolve_arn!(member_value, region, use_arn_region)
-            if Aws::ARNParser.arn?(member_value)
-              arn = Aws::ARNParser.parse(member_value)
-              s3_arn = resolve_arn_type!(arn)
-              s3_arn.validate_arn!
-              validate_region_config!(s3_arn, region, use_arn_region)
-              region = s3_arn.region if use_arn_region && !region.include?('fips')
-              [region, s3_arn]
-            else
-              [region]
-            end
-          end
-
-          # @api private
-          def resolve_url!(url, arn, region, fips = false, dualstack = false, has_custom_endpoint = false)
-            custom_endpoint = url.host if has_custom_endpoint
-            url.host = arn.host_url(region, fips, dualstack, custom_endpoint)
-            url.path = url_path(url.path, arn)
-            url
-          end
-
           private
 
-          def resolve_arn_type!(arn)
-            case arn.service
-            when 's3'
-              arn.region.empty? ?
-                Aws::S3::MultiRegionAccessPointARN.new(arn.to_h) :
-                Aws::S3::AccessPointARN.new(arn.to_h)
-            when 's3-outposts'
-              Aws::S3::OutpostAccessPointARN.new(arn.to_h)
-            when 's3-object-lambda'
-              Aws::S3::ObjectLambdaARN.new(arn.to_h)
-            else
-              raise ArgumentError,
-                    'Only Access Point, Outposts, and Object Lambdas ARNs '\
-                    'are currently supported.'
-            end
-          end
-
           def resolve_s3_use_arn_region(cfg)
             value = ENV['AWS_S3_USE_ARN_REGION'] ||
                     Aws.shared_config.s3_use_arn_region(profile: cfg.profile) ||
@@ -209,57 +63,6 @@ result in cross region requests.
             end
             value
           end
-
-          # Remove ARN from the path because we've already set the new host
-          def url_path(path, arn)
-            path = path.sub("/#{Seahorse::Util.uri_escape(arn.to_s)}", '')
-                       .sub("/#{arn}", '')
-            "/#{path}" unless path =~ /^\//
-            path
-          end
-
-          def validate_region_config!(arn, region, use_arn_region)
-            if ['s3-external-1', 'aws-global'].include?(region)
-              # These "regions" are not regional endpoints
-              unless use_arn_region
-                raise Aws::Errors::InvalidARNRegionError,
-                      'Configured client region is not a regional endpoint.'
-              end
-              # These "regions" are in the AWS partition
-              # Cannot use ARN region unless it's the same partition
-              unless arn.partition == 'aws'
-                raise Aws::Errors::InvalidARNPartitionError
-              end
-            else
-              if region.include?('fips')
-                # If ARN type doesn't support FIPS but the client region is FIPS
-                unless arn.support_fips?
-                  raise ArgumentError,
-                        'FIPS client regions are not supported for this type '\
-                        'of ARN.'
-                end
-
-                fips = true
-                # Normalize the region so we can compare partition and regions
-                region = region.gsub('fips-', '').gsub('-fips', '')
-              end
-
-              # use_arn_region does not apply to MRAP (global) arns
-              unless arn.region.empty?
-                # Raise if the ARN and client regions are in different partitions
-                if use_arn_region &&
-                   !Aws::Partitions.partition(arn.partition).region?(region)
-                  raise Aws::Errors::InvalidARNPartitionError
-                end
-
-                # Raise if regions mismatch
-                # Either when it's a fips client or not using the ARN region
-                if (!use_arn_region || fips) && region != arn.region
-                  raise Aws::Errors::InvalidARNRegionError
-                end
-              end
-            end
-          end
         end
       end
     end

data/lib/aws-sdk-s3/plugins/bucket_dns.rb

@@ -23,45 +23,10 @@ When set to `true`, the bucket name is always left in the
 request URI and never moved to the host as a sub-domain.
           DOCS
 
-        def add_handlers(handlers, config)
-          handlers.add(Handler) unless config.force_path_style
-        end
-
-        # @api private
-        class Handler < Seahorse::Client::Handler
-
-          def call(context)
-            move_dns_compat_bucket_to_subdomain(context)
-            @handler.call(context)
-          end
-
-          private
-
-          def move_dns_compat_bucket_to_subdomain(context)
-            bucket_name = context.params[:bucket]
-            endpoint = context.http_request.endpoint
-            if bucket_name &&
-               BucketDns.dns_compatible?(bucket_name, https?(endpoint)) &&
-               context.operation_name.to_s != 'get_bucket_location'
-              move_bucket_to_subdomain(bucket_name, endpoint)
-            end
-          end
-
-          def move_bucket_to_subdomain(bucket_name, endpoint)
-            endpoint.host = "#{bucket_name}.#{endpoint.host}"
-            path = endpoint.path.sub("/#{bucket_name}", '')
-            path = "/#{path}" unless path.match(/^\//)
-            endpoint.path = path
-          end
-
-          def https?(uri)
-            uri.scheme == 'https'
-          end
-
-        end
-
+        # These class methods were originally used in a handler in this plugin.
+        # SigV2 legacy signer needs this logic so we keep it here as utility.
+        # New endpoint resolution will check this as a matcher.
         class << self
-
           # @param [String] bucket_name
           # @param [Boolean] ssl
           # @return [Boolean]
@@ -81,7 +46,6 @@ request URI and never moved to the host as a sub-domain.
             bucket_name !~ /(\d+\.){3}\d+/ &&
             bucket_name !~ /[.-]{2}/
           end
-
         end
       end
     end

data/lib/aws-sdk-s3/plugins/bucket_name_restrictions.rb

@@ -13,12 +13,7 @@ module Aws
           def call(context)
             bucket_member = _bucket_member(context.operation.input.shape)
             if bucket_member && (bucket = context.params[bucket_member])
-              _resolved_region, arn = ARN.resolve_arn!(
-                bucket,
-                context.config.region,
-                context.config.s3_use_arn_region
-              )
-              if !arn && bucket.include?('/')
+              if !Aws::ARNParser.arn?(bucket) && bucket.include?('/')
                 raise ArgumentError,
                       'bucket name must not contain a forward-slash (/)'
               end

data/lib/aws-sdk-s3/plugins/checksum_algorithm.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Aws
+  module S3
+    module Plugins
+      # @api private
+      class ChecksumAlgorithm < Seahorse::Client::Plugin
+
+        # S3 GetObject results for whole Multipart Objects contain a checksum
+        # that cannot be validated. These should be skipped by the
+        # ChecksumAlgorithm plugin.
+        class SkipWholeMultipartGetChecksumsHandler < Seahorse::Client::Handler
+          def call(context)
+            context[:http_checksum] ||= {}
+            context[:http_checksum][:skip_on_suffix] = true
+
+            @handler.call(context)
+          end
+        end
+
+        def add_handlers(handlers, _config)
+          handlers.add(
+            SkipWholeMultipartGetChecksumsHandler,
+            step: :initialize,
+            operations: [:get_object]
+          )
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/plugins/dualstack.rb

@@ -5,18 +5,8 @@ module Aws
     module Plugins
       # @api private
       class Dualstack < Seahorse::Client::Plugin
-
-        option(:use_dualstack_endpoint,
-          default: false,
-          doc_type: 'Boolean',
-          docstring: <<-DOCS)
-When set to `true`, IPv6-compatible bucket endpoints will be used
-for all operations.
-          DOCS
-
-        def add_handlers(handlers, config)
+        def add_handlers(handlers, _config)
           handlers.add(OptionHandler, step: :initialize)
-          handlers.add(DualstackHandler, step: :build, priority: 11)
         end
 
         # @api private
@@ -27,54 +17,10 @@ for all operations.
               dualstack = context.params.delete(:use_dualstack_endpoint)
             end
             dualstack = context.config.use_dualstack_endpoint if dualstack.nil?
-            # Raise if :endpoint and dualstack are both provided
-            if dualstack && !context.config.regional_endpoint
-              raise ArgumentError,
-                    'Cannot use both :use_dualstack_endpoint and :endpoint'
-            end
             context[:use_dualstack_endpoint] = dualstack
             @handler.call(context)
           end
         end
-
-        # @api private
-        class DualstackHandler < Seahorse::Client::Handler
-          def call(context)
-            if context.config.regional_endpoint && use_dualstack_endpoint?(context)
-              apply_dualstack_endpoint(context)
-            end
-            @handler.call(context)
-          end
-
-          private
-          def apply_dualstack_endpoint(context)
-            bucket_name = context.params[:bucket]
-            region = context.config.region
-            dns_suffix = Aws::Partitions::EndpointProvider.dns_suffix_for(region)
-
-            if use_bucket_dns?(bucket_name, context)
-              host = "#{bucket_name}.s3.dualstack.#{region}.#{dns_suffix}"
-            else
-              host = "s3.dualstack.#{region}.#{dns_suffix}"
-            end
-            endpoint = URI.parse(context.http_request.endpoint.to_s)
-            endpoint.scheme = context.http_request.endpoint.scheme
-            endpoint.port = context.http_request.endpoint.port
-            endpoint.host = host
-            context.http_request.endpoint = endpoint.to_s
-          end
-
-          def use_bucket_dns?(bucket_name, context)
-            ssl = context.http_request.endpoint.scheme == "https"
-            bucket_name && BucketDns.dns_compatible?(bucket_name, ssl) &&
-              !context.config.force_path_style
-          end
-
-          def use_dualstack_endpoint?(context)
-            context[:use_dualstack_endpoint] && !context[:use_accelerate_endpoint]
-          end
-        end
-
       end
     end
   end