aws-sdk-s3 1.122.0 → 1.157.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (85) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +238 -0
  3. data/VERSION +1 -1
  4. data/lib/aws-sdk-s3/access_grants_credentials.rb +57 -0
  5. data/lib/aws-sdk-s3/access_grants_credentials_provider.rb +250 -0
  6. data/lib/aws-sdk-s3/bucket.rb +507 -114
  7. data/lib/aws-sdk-s3/bucket_acl.rb +18 -12
  8. data/lib/aws-sdk-s3/bucket_cors.rb +24 -16
  9. data/lib/aws-sdk-s3/bucket_lifecycle.rb +24 -16
  10. data/lib/aws-sdk-s3/bucket_lifecycle_configuration.rb +24 -16
  11. data/lib/aws-sdk-s3/bucket_logging.rb +25 -12
  12. data/lib/aws-sdk-s3/bucket_notification.rb +12 -6
  13. data/lib/aws-sdk-s3/bucket_policy.rb +70 -18
  14. data/lib/aws-sdk-s3/bucket_region_cache.rb +9 -5
  15. data/lib/aws-sdk-s3/bucket_request_payment.rb +18 -12
  16. data/lib/aws-sdk-s3/bucket_tagging.rb +24 -16
  17. data/lib/aws-sdk-s3/bucket_versioning.rb +42 -32
  18. data/lib/aws-sdk-s3/bucket_website.rb +24 -16
  19. data/lib/aws-sdk-s3/client.rb +6048 -2781
  20. data/lib/aws-sdk-s3/client_api.rb +148 -20
  21. data/lib/aws-sdk-s3/customizations/bucket.rb +3 -1
  22. data/lib/aws-sdk-s3/customizations/errors.rb +16 -3
  23. data/lib/aws-sdk-s3/customizations/object.rb +91 -18
  24. data/lib/aws-sdk-s3/customizations.rb +8 -0
  25. data/lib/aws-sdk-s3/encryption/client.rb +6 -2
  26. data/lib/aws-sdk-s3/encryption/kms_cipher_provider.rb +13 -9
  27. data/lib/aws-sdk-s3/encryptionV2/client.rb +6 -2
  28. data/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb +1 -0
  29. data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb +10 -6
  30. data/lib/aws-sdk-s3/endpoint_parameters.rb +44 -0
  31. data/lib/aws-sdk-s3/endpoint_provider.rb +111 -252
  32. data/lib/aws-sdk-s3/endpoints.rb +540 -0
  33. data/lib/aws-sdk-s3/express_credentials.rb +55 -0
  34. data/lib/aws-sdk-s3/express_credentials_provider.rb +59 -0
  35. data/lib/aws-sdk-s3/file_downloader.rb +169 -44
  36. data/lib/aws-sdk-s3/file_uploader.rb +8 -6
  37. data/lib/aws-sdk-s3/multipart_file_uploader.rb +4 -4
  38. data/lib/aws-sdk-s3/multipart_stream_uploader.rb +10 -7
  39. data/lib/aws-sdk-s3/multipart_upload.rb +81 -20
  40. data/lib/aws-sdk-s3/multipart_upload_part.rb +169 -38
  41. data/lib/aws-sdk-s3/object.rb +1571 -261
  42. data/lib/aws-sdk-s3/object_acl.rb +38 -18
  43. data/lib/aws-sdk-s3/object_copier.rb +7 -5
  44. data/lib/aws-sdk-s3/object_multipart_copier.rb +42 -24
  45. data/lib/aws-sdk-s3/object_summary.rb +1422 -276
  46. data/lib/aws-sdk-s3/object_version.rb +344 -47
  47. data/lib/aws-sdk-s3/plugins/access_grants.rb +178 -0
  48. data/lib/aws-sdk-s3/plugins/endpoints.rb +14 -2
  49. data/lib/aws-sdk-s3/plugins/express_session_auth.rb +97 -0
  50. data/lib/aws-sdk-s3/plugins/http_200_errors.rb +53 -16
  51. data/lib/aws-sdk-s3/plugins/location_constraint.rb +3 -1
  52. data/lib/aws-sdk-s3/plugins/md5s.rb +2 -1
  53. data/lib/aws-sdk-s3/plugins/s3_signer.rb +7 -2
  54. data/lib/aws-sdk-s3/presigned_post.rb +52 -43
  55. data/lib/aws-sdk-s3/presigner.rb +8 -4
  56. data/lib/aws-sdk-s3/resource.rb +89 -13
  57. data/lib/aws-sdk-s3/types.rb +4879 -1513
  58. data/lib/aws-sdk-s3.rb +1 -1
  59. data/sig/bucket.rbs +212 -0
  60. data/sig/bucket_acl.rbs +78 -0
  61. data/sig/bucket_cors.rbs +69 -0
  62. data/sig/bucket_lifecycle.rbs +88 -0
  63. data/sig/bucket_lifecycle_configuration.rbs +111 -0
  64. data/sig/bucket_logging.rbs +76 -0
  65. data/sig/bucket_notification.rbs +114 -0
  66. data/sig/bucket_policy.rbs +59 -0
  67. data/sig/bucket_request_payment.rbs +54 -0
  68. data/sig/bucket_tagging.rbs +65 -0
  69. data/sig/bucket_versioning.rbs +77 -0
  70. data/sig/bucket_website.rbs +93 -0
  71. data/sig/client.rbs +2381 -0
  72. data/sig/customizations/bucket.rbs +19 -0
  73. data/sig/customizations/object.rbs +38 -0
  74. data/sig/customizations/object_summary.rbs +35 -0
  75. data/sig/errors.rbs +34 -0
  76. data/sig/multipart_upload.rbs +110 -0
  77. data/sig/multipart_upload_part.rbs +105 -0
  78. data/sig/object.rbs +442 -0
  79. data/sig/object_acl.rbs +86 -0
  80. data/sig/object_summary.rbs +334 -0
  81. data/sig/object_version.rbs +137 -0
  82. data/sig/resource.rbs +127 -0
  83. data/sig/types.rbs +2568 -0
  84. data/sig/waiters.rbs +95 -0
  85. metadata +43 -11
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 577650faab47990cace47684bf3c205a823d7e7ca7bdc97d7e5bb96cf267cdad
4
- data.tar.gz: 2e04bf1db9e56bd2e8c5950e1c747ae8a4e8f8fd0b5426d083f93555f6733b36
3
+ metadata.gz: 39a77f1b089e257fe94bc26a0ca7309479a61cff7f46326243f2d1b002ce2bac
4
+ data.tar.gz: e2dbcc9f6ea92e1097d84130a2cd1c3e1caae305bdeb8b450056872edd2b4f74
5
5
  SHA512:
6
- metadata.gz: 2263d1d14adbf28467b2c0b412408cdd567fdb08a9831985b3ffa32897eb7ff0e4b2b8b7063949161bd7fd5e13528427e29b1995b07a39cb857171063daee50b
7
- data.tar.gz: fda8902905d8e65b464e1f56fd87a79624a3296379fe33e18a3b6bd71914c636f77b0c27a63b81c3b517f6711c9943aed67e975be7bf13b5204c4c8e164eea8a
6
+ metadata.gz: e34240198a44e4e678e0be7ef836318ff899ec61edc29bc2866d432eb6af834a7f81b801ea85ec35e26deec1e59705c1829b22e66093e6591d84dbc966f76e0e
7
+ data.tar.gz: 362065ca01c2d4a9e33cc9beb43afce43fbcb8c593db5785a32c623bbc99fe63471a41d767a1ae91343b94aba7df0e80360c0310c1f07aa052c76d63d07fda09
data/CHANGELOG.md CHANGED
@@ -1,6 +1,244 @@
1
1
  Unreleased Changes
2
2
  ------------------
3
3
 
4
+ 1.157.0 (2024-08-01)
5
+ ------------------
6
+
7
+ * Feature - Support `head_bucket`, `get_object_attributes`, `delete_objects`, and `copy_object` for Access Grants.
8
+
9
+ 1.156.0 (2024-07-02)
10
+ ------------------
11
+
12
+ * Feature - Added response overrides to Head Object requests.
13
+
14
+ 1.155.0 (2024-06-28)
15
+ ------------------
16
+
17
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
18
+
19
+ 1.154.0 (2024-06-25)
20
+ ------------------
21
+
22
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
23
+
24
+ 1.153.0 (2024-06-24)
25
+ ------------------
26
+
27
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
28
+
29
+ 1.152.3 (2024-06-13)
30
+ ------------------
31
+
32
+ * Issue - Handle 200 errors for all S3 operations that do not have streaming responses.
33
+
34
+ 1.152.2 (2024-06-12)
35
+ ------------------
36
+
37
+ * Issue - Revert Handling of 200 errors for all S3 operations.
38
+
39
+ 1.152.1 (2024-06-10)
40
+ ------------------
41
+
42
+ * Issue - Handle 200 errors for all S3 operations that do not have streaming responses.
43
+
44
+ 1.152.0 (2024-06-05)
45
+ ------------------
46
+
47
+ * Feature - Added new params copySource and key to copyObject API for supporting S3 Access Grants plugin. These changes will not change any of the existing S3 API functionality.
48
+
49
+ 1.151.0 (2024-05-14)
50
+ ------------------
51
+
52
+ * Feature - Updated a few x-id in the http uri traits
53
+
54
+ 1.150.0 (2024-05-13)
55
+ ------------------
56
+
57
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
58
+
59
+ 1.149.1 (2024-05-06)
60
+ ------------------
61
+
62
+ * Issue - Fix bug where destination bucket default encryption was inadvertently overridden by source object encryption.
63
+
64
+ 1.149.0 (2024-04-30)
65
+ ------------------
66
+
67
+ * Feature - Support S3 Access Grants authentication. Access Grants can be enabled with the `access_grants` option, and custom options can be passed into the `access_grants_credentials_provider` option. This feature requires `aws-sdk-s3control` to be installed.
68
+
69
+ * Feature - Add RBS signatures for customizations of S3.
70
+
71
+ 1.148.0 (2024-04-25)
72
+ ------------------
73
+
74
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
75
+
76
+ 1.147.0 (2024-04-16)
77
+ ------------------
78
+
79
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
80
+
81
+ * Issue - Omit `ContentType` plugin when generating presigned url.
82
+
83
+ 1.146.1 (2024-03-28)
84
+ ------------------
85
+
86
+ * Issue - Fix bug where thread_count option was not being respected for multipart uploads.
87
+
88
+ 1.146.0 (2024-03-18)
89
+ ------------------
90
+
91
+ * Feature - Fix two issues with response root node names.
92
+
93
+ 1.145.0 (2024-03-15)
94
+ ------------------
95
+
96
+ * Feature - Documentation updates for Amazon S3.
97
+
98
+ 1.144.0 (2024-03-13)
99
+ ------------------
100
+
101
+ * Feature - This release makes the default option for S3 on Outposts request signing to use the SigV4A algorithm when using AWS Common Runtime (CRT).
102
+
103
+ 1.143.1 (2024-03-12)
104
+ ------------------
105
+
106
+ * Issue - Include original part errors in message when aborting multipart upload fails (#2990).
107
+
108
+ 1.143.0 (2024-01-26)
109
+ ------------------
110
+
111
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
112
+
113
+ 1.142.0 (2023-12-22)
114
+ ------------------
115
+
116
+ * Feature - Added additional examples for some operations.
117
+
118
+ 1.141.0 (2023-11-28)
119
+ ------------------
120
+
121
+ * Feature - Adds support for S3 Express One Zone.
122
+
123
+ * Feature - Support S3 Express authentication and endpoints. Express session auth can be disabled with the `disable_s3_express_session_auth` Client option, the `AWS_S3_DISABLE_EXPRESS_SESSION_AUTH` environment variable, and the `s3_disable_express_session_auth` shared config option. A custom `express_credentials_provider` can be configured onto the Client.
124
+
125
+ 1.140.0 (2023-11-27)
126
+ ------------------
127
+
128
+ * Feature - Adding new params - Key and Prefix, to S3 API operations for supporting S3 Access Grants. Note - These updates will not change any of the existing S3 API functionality.
129
+
130
+ * Issue - Fix thread interruptions in multipart `download_file`, `file_uploader` and `stream_uploader` (#2944).
131
+
132
+ 1.139.0 (2023-11-22)
133
+ ------------------
134
+
135
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
136
+
137
+ 1.138.0 (2023-11-21)
138
+ ------------------
139
+
140
+ * Feature - Add support for automatic date based partitioning in S3 Server Access Logs.
141
+
142
+ 1.137.0 (2023-11-17)
143
+ ------------------
144
+
145
+ * Feature - Removes all default 0 values for numbers and false values for booleans
146
+
147
+ 1.136.0 (2023-09-26)
148
+ ------------------
149
+
150
+ * Feature - This release adds a new field COMPLETED to the ReplicationStatus Enum. You can now use this field to validate the replication status of S3 objects using the AWS SDK.
151
+
152
+ 1.135.0 (2023-09-20)
153
+ ------------------
154
+
155
+ * Feature - Fix an issue where the SDK can fail to unmarshall response due to NumberFormatException
156
+
157
+ 1.134.0 (2023-08-24)
158
+ ------------------
159
+
160
+ * Feature - Updates to endpoint ruleset tests to address Smithy validation issues.
161
+
162
+ 1.133.0 (2023-08-22)
163
+ ------------------
164
+
165
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
166
+
167
+ * Feature - Add support for `progress_callback` in `Object#download_file` and improve multi-threaded performance #(2901).
168
+
169
+ 1.132.1 (2023-08-09)
170
+ ------------------
171
+
172
+ * Issue - Add support for disabling checksum validation in `Object#download_file` (#2893).
173
+
174
+ 1.132.0 (2023-07-24)
175
+ ------------------
176
+
177
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
178
+
179
+ * Feature - Add support for verifying checksums in FileDownloader.
180
+
181
+ 1.131.0 (2023-07-20)
182
+ ------------------
183
+
184
+ * Feature - Improve performance of S3 clients by simplifying and optimizing endpoint resolution.
185
+
186
+ 1.130.0 (2023-07-13)
187
+ ------------------
188
+
189
+ * Feature - S3 Inventory now supports Object Access Control List and Object Owner as available object metadata fields in inventory reports.
190
+
191
+ * Feature - Allow Object multipart copy API to work when requiring a checksum algorithm.
192
+
193
+ * Feature - Allow Object multipart copy API to optionally copy parts as they exist on the source object if it has parts, instead of generating new part ranges, when specifying `use_source_parts: true`.
194
+
195
+ 1.129.0 (2023-07-11)
196
+ ------------------
197
+
198
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
199
+
200
+ 1.128.0 (2023-07-06)
201
+ ------------------
202
+
203
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
204
+
205
+ 1.127.0 (2023-06-28)
206
+ ------------------
207
+
208
+ * Feature - The S3 LISTObjects, ListObjectsV2 and ListObjectVersions API now supports a new optional header x-amz-optional-object-attributes. If header contains RestoreStatus as the value, then S3 will include Glacier restore status i.e. isRestoreInProgress and RestoreExpiryDate in List response.
209
+
210
+ * Feature - Select minimum expiration time for presigned urls between the expiration time option and the credential expiration time.
211
+
212
+ 1.126.0 (2023-06-16)
213
+ ------------------
214
+
215
+ * Feature - This release adds SDK support for request-payer request header and request-charged response header in the "GetBucketAccelerateConfiguration", "ListMultipartUploads", "ListObjects", "ListObjectsV2" and "ListObjectVersions" S3 APIs.
216
+
217
+ 1.125.0 (2023-06-15)
218
+ ------------------
219
+
220
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
221
+
222
+ 1.124.0 (2023-06-13)
223
+ ------------------
224
+
225
+ * Feature - Integrate double encryption feature to SDKs.
226
+
227
+ 1.123.2 (2023-06-12)
228
+ ------------------
229
+
230
+ * Issue - Fix issue when decrypting noncurrent versions of objects when using client side encryption (#2866).
231
+
232
+ 1.123.1 (2023-06-02)
233
+ ------------------
234
+
235
+ * Issue - Fix multipart `download_file` so that it does not download bytes out of range (#2859).
236
+
237
+ 1.123.0 (2023-05-31)
238
+ ------------------
239
+
240
+ * Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
241
+
4
242
  1.122.0 (2023-05-04)
5
243
  ------------------
6
244
 
data/VERSION CHANGED
@@ -1 +1 @@
1
- 1.122.0
1
+ 1.157.0
@@ -0,0 +1,57 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'set'
4
+
5
+ module Aws
6
+ module S3
7
+ # @api private
8
+ class AccessGrantsCredentials
9
+ include CredentialProvider
10
+ include RefreshingCredentials
11
+
12
+ def initialize(options = {})
13
+ @client = options[:client]
14
+ @get_data_access_params = {}
15
+ options.each_pair do |key, value|
16
+ if self.class.get_data_access_options.include?(key)
17
+ @get_data_access_params[key] = value
18
+ end
19
+ end
20
+ @async_refresh = true
21
+ super
22
+ end
23
+
24
+ # @return [S3Control::Client]
25
+ attr_reader :client
26
+
27
+ # @return [String]
28
+ attr_reader :matched_grant_target
29
+
30
+ private
31
+
32
+ def refresh
33
+ c = @client.get_data_access(@get_data_access_params)
34
+ credentials = c.credentials
35
+ @matched_grant_target = c.matched_grant_target
36
+ @credentials = Credentials.new(
37
+ credentials.access_key_id,
38
+ credentials.secret_access_key,
39
+ credentials.session_token
40
+ )
41
+ @expiration = credentials.expiration
42
+ end
43
+
44
+ class << self
45
+
46
+ # @api private
47
+ def get_data_access_options
48
+ @gdao ||= begin
49
+ input = Aws::S3Control::Client.api.operation(:get_data_access).input
50
+ Set.new(input.shape.member_names)
51
+ end
52
+ end
53
+
54
+ end
55
+ end
56
+ end
57
+ end
@@ -0,0 +1,250 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Aws
4
+ module S3
5
+ # @api private
6
+ def self.access_grants_credentials_cache
7
+ @access_grants_credentials_cache ||= LRUCache.new(max_entries: 100)
8
+ end
9
+
10
+ # @api private
11
+ def self.access_grants_account_id_cache
12
+ @access_grants_account_id_cache ||= LRUCache.new(
13
+ max_entries: 100,
14
+ expiration: 60 * 10
15
+ )
16
+ end
17
+
18
+ # Returns Credentials class for S3 Access Grants. Accepts GetDataAccess
19
+ # params and other configuration as options. See
20
+ # {Aws::S3Control::Client#get_data_access} for details.
21
+ class AccessGrantsCredentialsProvider
22
+ # @param [Hash] options
23
+ # @option options [Hash] :s3_control_client_options The S3 Control
24
+ # client options used to create regional S3 Control clients to
25
+ # create the session. Region will be set to the region of the
26
+ # bucket.
27
+ # @option options [Aws::STS::Client] :sts_client The STS client used for
28
+ # fetching the Account ID for the credentials if credentials do not
29
+ # include an Account ID.
30
+ # @option options [Aws::S3::Client] :s3_client The S3 client used for
31
+ # fetching the location of the bucket so that a regional S3 Control
32
+ # client can be created. Defaults to the S3 client from the access
33
+ # grants plugin.
34
+ # @option options [String] :privilege ('Default') The privilege to use
35
+ # when requesting credentials. (see: {Aws::S3Control::Client#get_data_access})
36
+ # @option options [Boolean] :fallback (false) When true, if access is
37
+ # denied, the provider will fall back to the configured credentials.
38
+ # @option options [Boolean] :caching (true) When true, credentials and
39
+ # bucket account ids will be cached.
40
+ # @option options [Callable] :before_refresh Proc called before
41
+ # credentials are refreshed.
42
+ def initialize(options = {})
43
+ @s3_control_options = options.delete(:s3_control_client_options) || {}
44
+ @s3_client = options.delete(:s3_client)
45
+ @sts_client = options.delete(:sts_client)
46
+ @fallback = options.delete(:fallback) || false
47
+ @caching = options.delete(:caching) != false
48
+ @s3_control_clients = {}
49
+ @bucket_region_cache = Aws::S3.bucket_region_cache
50
+ @head_bucket_mutex = Mutex.new
51
+ @head_bucket_call = false
52
+ return unless @caching
53
+
54
+ @credentials_cache = Aws::S3.access_grants_credentials_cache
55
+ @account_id_cache = Aws::S3.access_grants_account_id_cache
56
+ end
57
+
58
+ def access_grants_credentials_for(options = {})
59
+ target = target_prefix(
60
+ options[:bucket],
61
+ options[:key],
62
+ options[:prefix]
63
+ )
64
+ credentials = s3_client.config.credentials.credentials # resolves
65
+
66
+ if @caching
67
+ cached_credentials_for(target, options[:permission], credentials)
68
+ else
69
+ new_credentials_for(target, options[:permission], credentials)
70
+ end
71
+ rescue Aws::S3Control::Errors::AccessDenied
72
+ raise unless @fallback
73
+
74
+ warn 'Access denied for S3 Access Grants. Falling back to ' \
75
+ 'configured credentials.'
76
+ s3_client.config.credentials
77
+ end
78
+
79
+ attr_accessor :s3_client
80
+
81
+ private
82
+
83
+ def s3_control_client(bucket_region)
84
+ @s3_control_clients[bucket_region] ||= begin
85
+ credentials = s3_client.config.credentials
86
+ config = { credentials: credentials }.merge(@s3_control_options)
87
+ Aws::S3Control::Client.new(config.merge(
88
+ region: bucket_region,
89
+ use_fips_endpoint: s3_client.config.use_fips_endpoint,
90
+ use_dualstack_endpoint: s3_client.config.use_dualstack_endpoint
91
+ ))
92
+ end
93
+ end
94
+
95
+ def cached_credentials_for(target, permission, credentials)
96
+ cached_creds = broad_search_credentials_cache_prefix(target, permission, credentials)
97
+ return cached_creds if cached_creds
98
+
99
+ if %w[READ WRITE].include?(permission)
100
+ cached_creds = broad_search_credentials_cache_prefix(target, 'READWRITE', credentials)
101
+ return cached_creds if cached_creds
102
+ end
103
+
104
+ cached_creds = broad_search_credentials_cache_characters(target, permission, credentials)
105
+ return cached_creds if cached_creds
106
+
107
+ if %w[READ WRITE].include?(permission)
108
+ cached_creds = broad_search_credentials_cache_characters(target, 'READWRITE', credentials)
109
+ return cached_creds if cached_creds
110
+ end
111
+
112
+ creds = new_credentials_for(target, permission, credentials)
113
+ if creds.matched_grant_target.end_with?('*')
114
+ # remove /* from the end of the target
115
+ key = credentials_cache_key(creds.matched_grant_target[0...-2], permission, credentials)
116
+ @credentials_cache[key] = creds
117
+ end
118
+
119
+ creds
120
+ end
121
+
122
+ def broad_search_credentials_cache_prefix(target, permission, credentials)
123
+ prefix = target
124
+ while prefix != 's3:'
125
+ key = credentials_cache_key(prefix, permission, credentials)
126
+ return @credentials_cache[key] if @credentials_cache.key?(key)
127
+
128
+ prefix = prefix.split('/', -1)[0..-2].join('/')
129
+ end
130
+ nil
131
+ end
132
+
133
+ def broad_search_credentials_cache_characters(target, permission, credentials)
134
+ prefix = target
135
+ while prefix != 's3://'
136
+ key = credentials_cache_key("#{prefix}*", permission, credentials)
137
+ return @credentials_cache[key] if @credentials_cache.key?(key)
138
+
139
+ prefix = prefix[0..-2]
140
+ end
141
+ nil
142
+ end
143
+
144
+ def new_credentials_for(target, permission, credentials)
145
+ bucket_region = bucket_region_for_access_grants(target)
146
+ client = s3_control_client(bucket_region)
147
+
148
+ AccessGrantsCredentials.new(
149
+ target: target,
150
+ account_id: account_id_for_access_grants(target, credentials),
151
+ permission: permission,
152
+ client: client
153
+ )
154
+ end
155
+
156
+ def account_id_for_access_grants(target, credentials)
157
+ if @caching
158
+ cached_account_id_for(target, credentials)
159
+ else
160
+ new_account_id_for(target, credentials)
161
+ end
162
+ end
163
+
164
+ def cached_account_id_for(target, credentials)
165
+ bucket = bucket_name_from(target)
166
+
167
+ if @account_id_cache.key?(bucket)
168
+ @account_id_cache[bucket]
169
+ else
170
+ @account_id_cache[bucket] = new_account_id_for(target, credentials)
171
+ end
172
+ end
173
+
174
+ # returns the account id associated with the access grants instance
175
+ def new_account_id_for(target, credentials)
176
+ bucket_region = bucket_region_for_access_grants(target)
177
+ s3_control_client = s3_control_client(bucket_region)
178
+ resp = s3_control_client.get_access_grants_instance_for_prefix(
179
+ s3_prefix: target,
180
+ account_id: account_id_for_credentials(bucket_region, credentials)
181
+ )
182
+ ARNParser.parse(resp.access_grants_instance_arn).account_id
183
+ end
184
+
185
+ def bucket_region_for_access_grants(target)
186
+ bucket = bucket_name_from(target)
187
+ # regardless of caching option, bucket region cache is always shared
188
+ cached_bucket_region_for(bucket)
189
+ end
190
+
191
+ def cached_bucket_region_for(bucket)
192
+ if @bucket_region_cache.key?(bucket)
193
+ @bucket_region_cache[bucket]
194
+ else
195
+ @bucket_region_cache[bucket] = new_bucket_region_for(bucket)
196
+ end
197
+ end
198
+
199
+ def new_bucket_region_for(bucket)
200
+ @head_bucket_mutex.synchronize do
201
+ begin
202
+ @head_bucket_call = true
203
+ @s3_client.head_bucket(bucket: bucket).bucket_region
204
+ rescue Aws::S3::Errors::Http301Error => e
205
+ e.data.region
206
+ ensure
207
+ @head_bucket_call = false
208
+ end
209
+ end
210
+ end
211
+
212
+ # returns the account id for the configured credentials
213
+ def account_id_for_credentials(region, credentials)
214
+ # use resolved credentials to check for account id
215
+ if credentials.respond_to?(:account_id) && credentials.account_id &&
216
+ !credentials.account_id.empty?
217
+ credentials.account_id
218
+ else
219
+ @sts_client ||= Aws::STS::Client.new(
220
+ credentials: s3_client.config.credentials,
221
+ region: region,
222
+ use_fips_endpoint: s3_client.config.use_fips_endpoint,
223
+ use_dualstack_endpoint: s3_client.config.use_dualstack_endpoint
224
+ )
225
+ @sts_client.get_caller_identity.account
226
+ end
227
+ end
228
+
229
+ def target_prefix(bucket, key, prefix)
230
+ if key && !key.empty?
231
+ "s3://#{bucket}/#{key}"
232
+ elsif prefix && !prefix.empty?
233
+ "s3://#{bucket}/#{prefix}"
234
+ else
235
+ "s3://#{bucket}/*"
236
+ end
237
+ end
238
+
239
+ def credentials_cache_key(target, permission, credentials)
240
+ "#{credentials.access_key_id}-#{credentials.secret_access_key}" \
241
+ "-#{permission}-#{target}"
242
+ end
243
+
244
+ # extracts bucket name from target prefix
245
+ def bucket_name_from(target)
246
+ URI(target).host
247
+ end
248
+ end
249
+ end
250
+ end