RubyGems - aws-sdk-s3 - Versions diffs - 1.128.0 → 1.199.1 - Mend

aws-sdk-s3 1.128.0 → 1.199.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (95) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +450 -1
data/VERSION +1 -1
data/lib/aws-sdk-s3/access_grants_credentials.rb +57 -0
data/lib/aws-sdk-s3/access_grants_credentials_provider.rb +250 -0
data/lib/aws-sdk-s3/bucket.rb +720 -128
data/lib/aws-sdk-s3/bucket_acl.rb +18 -17
data/lib/aws-sdk-s3/bucket_cors.rb +22 -21
data/lib/aws-sdk-s3/bucket_lifecycle.rb +23 -18
data/lib/aws-sdk-s3/bucket_lifecycle_configuration.rb +76 -19
data/lib/aws-sdk-s3/bucket_logging.rb +21 -14
data/lib/aws-sdk-s3/bucket_notification.rb +6 -6
data/lib/aws-sdk-s3/bucket_policy.rb +65 -20
data/lib/aws-sdk-s3/bucket_region_cache.rb +9 -5
data/lib/aws-sdk-s3/bucket_request_payment.rb +15 -15
data/lib/aws-sdk-s3/bucket_tagging.rb +19 -19
data/lib/aws-sdk-s3/bucket_versioning.rb +41 -41
data/lib/aws-sdk-s3/bucket_website.rb +19 -19
data/lib/aws-sdk-s3/client.rb +9352 -3264
data/lib/aws-sdk-s3/client_api.rb +697 -164
data/lib/aws-sdk-s3/customizations/bucket.rb +1 -1
data/lib/aws-sdk-s3/customizations/errors.rb +16 -3
data/lib/aws-sdk-s3/customizations/object.rb +112 -56
data/lib/aws-sdk-s3/customizations/object_summary.rb +5 -0
data/lib/aws-sdk-s3/customizations/object_version.rb +13 -0
data/lib/aws-sdk-s3/customizations.rb +26 -31
data/lib/aws-sdk-s3/encryption/client.rb +2 -2
data/lib/aws-sdk-s3/encryption/kms_cipher_provider.rb +2 -2
data/lib/aws-sdk-s3/encryptionV2/client.rb +2 -2
data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb +2 -2
data/lib/aws-sdk-s3/endpoint_parameters.rb +54 -15
data/lib/aws-sdk-s3/endpoint_provider.rb +439 -456
data/lib/aws-sdk-s3/endpoints.rb +629 -1261
data/lib/aws-sdk-s3/errors.rb +58 -0
data/lib/aws-sdk-s3/express_credentials.rb +55 -0
data/lib/aws-sdk-s3/express_credentials_provider.rb +59 -0
data/lib/aws-sdk-s3/file_downloader.rb +156 -69
data/lib/aws-sdk-s3/file_uploader.rb +4 -6
data/lib/aws-sdk-s3/legacy_signer.rb +2 -1
data/lib/aws-sdk-s3/multipart_download_error.rb +8 -0
data/lib/aws-sdk-s3/multipart_file_uploader.rb +56 -69
data/lib/aws-sdk-s3/multipart_stream_uploader.rb +84 -91
data/lib/aws-sdk-s3/multipart_upload.rb +179 -26
data/lib/aws-sdk-s3/multipart_upload_error.rb +3 -4
data/lib/aws-sdk-s3/multipart_upload_part.rb +201 -60
data/lib/aws-sdk-s3/object.rb +2007 -281
data/lib/aws-sdk-s3/object_acl.rb +43 -23
data/lib/aws-sdk-s3/object_copier.rb +1 -1
data/lib/aws-sdk-s3/object_multipart_copier.rb +44 -25
data/lib/aws-sdk-s3/object_summary.rb +1735 -232
data/lib/aws-sdk-s3/object_version.rb +394 -52
data/lib/aws-sdk-s3/plugins/access_grants.rb +178 -0
data/lib/aws-sdk-s3/plugins/checksum_algorithm.rb +31 -0
data/lib/aws-sdk-s3/plugins/endpoints.rb +32 -208
data/lib/aws-sdk-s3/plugins/express_session_auth.rb +88 -0
data/lib/aws-sdk-s3/plugins/http_200_errors.rb +55 -18
data/lib/aws-sdk-s3/plugins/location_constraint.rb +3 -1
data/lib/aws-sdk-s3/plugins/md5s.rb +10 -70
data/lib/aws-sdk-s3/plugins/s3_signer.rb +7 -2
data/lib/aws-sdk-s3/plugins/streaming_retry.rb +5 -7
data/lib/aws-sdk-s3/plugins/url_encoded_keys.rb +2 -1
data/lib/aws-sdk-s3/presigned_post.rb +52 -43
data/lib/aws-sdk-s3/presigner.rb +9 -7
data/lib/aws-sdk-s3/resource.rb +127 -22
data/lib/aws-sdk-s3/transfer_manager.rb +252 -0
data/lib/aws-sdk-s3/types.rb +8068 -1887
data/lib/aws-sdk-s3.rb +35 -31
data/sig/bucket.rbs +231 -0
data/sig/bucket_acl.rbs +78 -0
data/sig/bucket_cors.rbs +69 -0
data/sig/bucket_lifecycle.rbs +88 -0
data/sig/bucket_lifecycle_configuration.rbs +115 -0
data/sig/bucket_logging.rbs +76 -0
data/sig/bucket_notification.rbs +114 -0
data/sig/bucket_policy.rbs +59 -0
data/sig/bucket_request_payment.rbs +54 -0
data/sig/bucket_tagging.rbs +65 -0
data/sig/bucket_versioning.rbs +77 -0
data/sig/bucket_website.rbs +93 -0
data/sig/client.rbs +2584 -0
data/sig/customizations/bucket.rbs +19 -0
data/sig/customizations/object.rbs +38 -0
data/sig/customizations/object_summary.rbs +35 -0
data/sig/errors.rbs +44 -0
data/sig/multipart_upload.rbs +120 -0
data/sig/multipart_upload_part.rbs +109 -0
data/sig/object.rbs +462 -0
data/sig/object_acl.rbs +86 -0
data/sig/object_summary.rbs +345 -0
data/sig/object_version.rbs +143 -0
data/sig/resource.rbs +141 -0
data/sig/types.rbs +2866 -0
data/sig/waiters.rbs +95 -0
metadata +44 -12
data/lib/aws-sdk-s3/plugins/skip_whole_multipart_get_checksums.rb +0 -31

data/lib/aws-sdk-s3/access_grants_credentials_provider.rb ADDED Viewed

@@ -0,0 +1,250 @@
+# frozen_string_literal: true
+module Aws
+  module S3
+    # @api private
+    def self.access_grants_credentials_cache
+      @access_grants_credentials_cache ||= LRUCache.new(max_entries: 100)
+    end
+    # @api private
+    def self.access_grants_account_id_cache
+      @access_grants_account_id_cache ||= LRUCache.new(
+        max_entries: 100,
+        expiration: 60 * 10
+      )
+    end
+    # Returns Credentials class for S3 Access Grants. Accepts GetDataAccess
+    # params and other configuration as options. See
+    # {Aws::S3Control::Client#get_data_access} for details.
+    class AccessGrantsCredentialsProvider
+      # @param [Hash] options
+      # @option options [Hash] :s3_control_client_options The S3 Control
+      #  client options used to create regional S3 Control clients to
+      #  create the session. Region will be set to the region of the
+      #  bucket.
+      # @option options [Aws::STS::Client] :sts_client The STS client used for
+      #  fetching the Account ID for the credentials if credentials do not
+      #  include an Account ID.
+      # @option options [Aws::S3::Client] :s3_client The S3 client used for
+      #  fetching the location of the bucket so that a regional S3 Control
+      #  client can be created. Defaults to the S3 client from the access
+      #  grants plugin.
+      # @option options [String] :privilege ('Default') The privilege to use
+      #  when requesting credentials. (see: {Aws::S3Control::Client#get_data_access})
+      # @option options [Boolean] :fallback (false) When true, if access is
+      #  denied, the provider will fall back to the configured credentials.
+      # @option options [Boolean] :caching (true) When true, credentials and
+      #  bucket account ids will be cached.
+      # @option options [Callable] :before_refresh Proc called before
+      #  credentials are refreshed.
+      def initialize(options = {})
+        @s3_control_options = options.delete(:s3_control_client_options) || {}
+        @s3_client = options.delete(:s3_client)
+        @sts_client = options.delete(:sts_client)
+        @fallback = options.delete(:fallback) || false
+        @caching = options.delete(:caching) != false
+        @s3_control_clients = {}
+        @bucket_region_cache = Aws::S3.bucket_region_cache
+        @head_bucket_mutex = Mutex.new
+        @head_bucket_call = false
+        return unless @caching
+        @credentials_cache = Aws::S3.access_grants_credentials_cache
+        @account_id_cache = Aws::S3.access_grants_account_id_cache
+      end
+      def access_grants_credentials_for(options = {})
+        target = target_prefix(
+          options[:bucket],
+          options[:key],
+          options[:prefix]
+        )
+        credentials = s3_client.config.credentials.credentials # resolves
+        if @caching
+          cached_credentials_for(target, options[:permission], credentials)
+        else
+          new_credentials_for(target, options[:permission], credentials)
+        end
+      rescue Aws::S3Control::Errors::AccessDenied
+        raise unless @fallback
+        warn 'Access denied for S3 Access Grants. Falling back to ' \
+             'configured credentials.'
+        s3_client.config.credentials
+      end
+      attr_accessor :s3_client
+      private
+      def s3_control_client(bucket_region)
+        @s3_control_clients[bucket_region] ||= begin
+          credentials = s3_client.config.credentials
+          config = { credentials: credentials }.merge(@s3_control_options)
+          Aws::S3Control::Client.new(config.merge(
+            region: bucket_region,
+            use_fips_endpoint: s3_client.config.use_fips_endpoint,
+            use_dualstack_endpoint: s3_client.config.use_dualstack_endpoint
+          ))
+        end
+      end
+      def cached_credentials_for(target, permission, credentials)
+        cached_creds = broad_search_credentials_cache_prefix(target, permission, credentials)
+        return cached_creds if cached_creds
+        if %w[READ WRITE].include?(permission)
+          cached_creds = broad_search_credentials_cache_prefix(target, 'READWRITE', credentials)
+          return cached_creds if cached_creds
+        end
+        cached_creds = broad_search_credentials_cache_characters(target, permission, credentials)
+        return cached_creds if cached_creds
+        if %w[READ WRITE].include?(permission)
+          cached_creds = broad_search_credentials_cache_characters(target, 'READWRITE', credentials)
+          return cached_creds if cached_creds
+        end
+        creds = new_credentials_for(target, permission, credentials)
+        if creds.matched_grant_target.end_with?('*')
+          # remove /* from the end of the target
+          key = credentials_cache_key(creds.matched_grant_target[0...-2], permission, credentials)
+          @credentials_cache[key] = creds
+        end
+        creds
+      end
+      def broad_search_credentials_cache_prefix(target, permission, credentials)
+        prefix = target
+        while prefix != 's3:'
+          key = credentials_cache_key(prefix, permission, credentials)
+          return @credentials_cache[key] if @credentials_cache.key?(key)
+          prefix = prefix.split('/', -1)[0..-2].join('/')
+        end
+        nil
+      end
+      def broad_search_credentials_cache_characters(target, permission, credentials)
+        prefix = target
+        while prefix != 's3://'
+          key = credentials_cache_key("#{prefix}*", permission, credentials)
+          return @credentials_cache[key] if @credentials_cache.key?(key)
+          prefix = prefix[0..-2]
+        end
+        nil
+      end
+      def new_credentials_for(target, permission, credentials)
+        bucket_region = bucket_region_for_access_grants(target)
+        client = s3_control_client(bucket_region)
+        AccessGrantsCredentials.new(
+          target: target,
+          account_id: account_id_for_access_grants(target, credentials),
+          permission: permission,
+          client: client
+        )
+      end
+      def account_id_for_access_grants(target, credentials)
+        if @caching
+          cached_account_id_for(target, credentials)
+        else
+          new_account_id_for(target, credentials)
+        end
+      end
+      def cached_account_id_for(target, credentials)
+        bucket = bucket_name_from(target)
+        if @account_id_cache.key?(bucket)
+          @account_id_cache[bucket]
+        else
+          @account_id_cache[bucket] = new_account_id_for(target, credentials)
+        end
+      end
+      # returns the account id associated with the access grants instance
+      def new_account_id_for(target, credentials)
+        bucket_region = bucket_region_for_access_grants(target)
+        s3_control_client = s3_control_client(bucket_region)
+        resp = s3_control_client.get_access_grants_instance_for_prefix(
+          s3_prefix: target,
+          account_id: account_id_for_credentials(bucket_region, credentials)
+        )
+        ARNParser.parse(resp.access_grants_instance_arn).account_id
+      end
+      def bucket_region_for_access_grants(target)
+        bucket = bucket_name_from(target)
+        # regardless of caching option, bucket region cache is always shared
+        cached_bucket_region_for(bucket)
+      end
+      def cached_bucket_region_for(bucket)
+        if @bucket_region_cache.key?(bucket)
+          @bucket_region_cache[bucket]
+        else
+          @bucket_region_cache[bucket] = new_bucket_region_for(bucket)
+        end
+      end
+      def new_bucket_region_for(bucket)
+        @head_bucket_mutex.synchronize do
+          begin
+            @head_bucket_call = true
+            @s3_client.head_bucket(bucket: bucket).bucket_region
+          rescue Aws::S3::Errors::Http301Error => e
+            e.data.region
+          ensure
+            @head_bucket_call = false
+          end
+        end
+      end
+      # returns the account id for the configured credentials
+      def account_id_for_credentials(region, credentials)
+        # use resolved credentials to check for account id
+        if credentials.respond_to?(:account_id) && credentials.account_id &&
+           !credentials.account_id.empty?
+          credentials.account_id
+        else
+          @sts_client ||= Aws::STS::Client.new(
+            credentials: s3_client.config.credentials,
+            region: region,
+            use_fips_endpoint: s3_client.config.use_fips_endpoint,
+            use_dualstack_endpoint: s3_client.config.use_dualstack_endpoint
+          )
+          @sts_client.get_caller_identity.account
+        end
+      end
+      def target_prefix(bucket, key, prefix)
+        if key && !key.empty?
+          "s3://#{bucket}/#{key}"
+        elsif prefix && !prefix.empty?
+          "s3://#{bucket}/#{prefix}"
+        else
+          "s3://#{bucket}/*"
+        end
+      end
+      def credentials_cache_key(target, permission, credentials)
+        "#{credentials.access_key_id}-#{credentials.secret_access_key}" \
+        "-#{permission}-#{target}"
+      end
+      # extracts bucket name from target prefix
+      def bucket_name_from(target)
+        URI(target).host
+      end
+    end
+  end
+end