aws-sdk-s3 1.13.0 → 1.146.1

data/lib/aws-sdk-s3/presigner.rb

@@ -1,27 +1,47 @@
+# frozen_string_literal: true
+
 module Aws
   module S3
-
-    # Allows you to create presigned URLs for S3 operations.
-    #
-    # Example Use:
-    #
-    #      signer = Aws::S3::Presigner.new
-    #      url = signer.presigned_url(:get_object, bucket: "bucket", key: "key")
-    #
     class Presigner
-
       # @api private
       ONE_WEEK = 60 * 60 * 24 * 7
 
       # @api private
       FIFTEEN_MINUTES = 60 * 15
 
+      # @api private
+      BLACKLISTED_HEADERS = [
+        'accept',
+        'amz-sdk-request',
+        'cache-control',
+        'content-length', # due to a ELB bug
+        'expect',
+        'from',
+        'if-match',
+        'if-none-match',
+        'if-modified-since',
+        'if-unmodified-since',
+        'if-range',
+        'max-forwards',
+        'pragma',
+        'proxy-authorization',
+        'referer',
+        'te',
+        'user-agent'
+      ].freeze
+
       # @option options [Client] :client Optionally provide an existing
       #   S3 client
       def initialize(options = {})
         @client = options[:client] || Aws::S3::Client.new
       end
 
+      # Create presigned URLs for S3 operations.
+      #
+      # @example
+      #  signer = Aws::S3::Presigner.new
+      #  url = signer.presigned_url(:get_object, bucket: "bucket", key: "key")
+      #
       # @param [Symbol] method Symbolized method name of the operation you want
       #   to presign.
       #
@@ -29,7 +49,59 @@ module Aws
       #   before the presigned URL expires. Defaults to 15 minutes. As signature
       #   version 4 has a maximum expiry time of one week for presigned URLs,
       #   attempts to set this value to greater than one week (604800) will
-      #   raise an exception.
+      #   raise an exception. The min value of this option and the credentials
+      #   expiration time is used in the presigned URL.
+      #
+      # @option params [Time] :time (Time.now) The starting time for when the
+      #   presigned url becomes active.
+      #
+      # @option params [Boolean] :secure (true) When `false`, a HTTP URL
+      #   is returned instead of the default HTTPS URL.
+      #
+      # @option params [Boolean] :virtual_host (false) When `true`, the
+      #   bucket name will be used as the hostname.
+      #
+      # @option params [Boolean] :use_accelerate_endpoint (false) When `true`,
+      #   Presigner will attempt to use accelerated endpoint.
+      #
+      # @option params [Array<String>] :whitelist_headers ([]) Additional
+      #   headers to be included for the signed request. Certain headers beyond
+      #   the authorization header could, in theory, be changed for various
+      #   reasons (including but not limited to proxies) while in transit and
+      #   after signing. This would lead to signature errors being returned,
+      #   despite no actual problems with signing. (see BLACKLISTED_HEADERS)
+      #
+      # @raise [ArgumentError] Raises an ArgumentError if `:expires_in`
+      #   exceeds one week.
+      #
+      # @return [String] a presigned url
+      def presigned_url(method, params = {})
+        url, _headers = _presigned_request(method, params)
+        url
+      end
+
+      # Allows you to create presigned URL requests for S3 operations. This
+      # method returns a tuple containing the URL and the signed X-amz-* headers
+      # to be used with the presigned url.
+      #
+      # @example
+      #  signer = Aws::S3::Presigner.new
+      #  url, headers = signer.presigned_request(
+      #    :get_object, bucket: "bucket", key: "key"
+      #  )
+      #
+      # @param [Symbol] method Symbolized method name of the operation you want
+      #   to presign.
+      #
+      # @option params [Integer] :expires_in (900) The number of seconds
+      #   before the presigned URL expires. Defaults to 15 minutes. As signature
+      #   version 4 has a maximum expiry time of one week for presigned URLs,
+      #   attempts to set this value to greater than one week (604800) will
+      #   raise an exception. The min value of this option and the credentials
+      #   expiration time is used in the presigned URL.
+      #
+      # @option params [Time] :time (Time.now) The starting time for when the
+      #   presigned url becomes active.
       #
       # @option params [Boolean] :secure (true) When `false`, a HTTP URL
       #   is returned instead of the default HTTPS URL.
@@ -38,37 +110,57 @@ module Aws
       #   bucket name will be used as the hostname. This will cause
       #   the returned URL to be 'http' and not 'https'.
       #
+      # @option params [Boolean] :use_accelerate_endpoint (false) When `true`,
+      #   Presigner will attempt to use accelerated endpoint.
+      #
+      # @option params [Array<String>] :whitelist_headers ([]) Additional
+      #   headers to be included for the signed request. Certain headers beyond
+      #   the authorization header could, in theory, be changed for various
+      #   reasons (including but not limited to proxies) while in transit and
+      #   after signing. This would lead to signature errors being returned,
+      #   despite no actual problems with signing. (see BLACKLISTED_HEADERS)
+      #
       # @raise [ArgumentError] Raises an ArgumentError if `:expires_in`
       #   exceeds one week.
       #
-      def presigned_url(method, params = {})
-        if params[:key].nil? or params[:key] == ''
-          raise ArgumentError, ":key must not be blank"
-        end
-        virtual_host = !!params.delete(:virtual_host)
-        scheme = http_scheme(params, virtual_host)
+      # @return [String, Hash] A tuple with a presigned URL and headers that
+      #   should be included with the request.
+      def presigned_request(method, params = {})
+        _presigned_request(method, params, false)
+      end
+
+      private
+
+      def _presigned_request(method, params, hoist = true)
+        virtual_host = params.delete(:virtual_host)
+        time = params.delete(:time)
+        unsigned_headers = unsigned_headers(params)
+        secure = params.delete(:secure) != false
+        expires_in = expires_in(params)
 
         req = @client.build_request(method, params)
         use_bucket_as_hostname(req) if virtual_host
-        sign_but_dont_send(req, expires_in(params), scheme)
-        req.send_request.data
-      end
+        handle_presigned_url_context(req)
 
-      private
+        x_amz_headers = sign_but_dont_send(
+          req, expires_in, secure, time, unsigned_headers, hoist
+        )
+        [req.send_request.data, x_amz_headers]
+      end
 
-      def http_scheme(params, virtual_host)
-        if params.delete(:secure) == false || virtual_host
-          'http'
-        else
-          @client.config.endpoint.scheme
-        end
+      def unsigned_headers(params)
+        whitelist_headers = params.delete(:whitelist_headers) || []
+        BLACKLISTED_HEADERS - whitelist_headers
       end
 
       def expires_in(params)
-        if expires_in = params.delete(:expires_in)
+        if (expires_in = params.delete(:expires_in))
           if expires_in > ONE_WEEK
-            msg = "expires_in value of #{expires_in} exceeds one-week maximum"
-            raise ArgumentError, msg
+            raise ArgumentError,
+                  "expires_in value of #{expires_in} exceeds one-week maximum."
+          elsif expires_in <= 0
+            raise ArgumentError,
+                  "expires_in value of #{expires_in} cannot be 0 or less."
           end
           expires_in
         else
@@ -77,88 +169,91 @@ module Aws
       end
 
       def use_bucket_as_hostname(req)
-        req.handlers.remove(Plugins::BucketDns::Handler)
-        req.handle do |context|
+        req.handle(priority: 35) do |context|
           uri = context.http_request.endpoint
           uri.host = context.params[:bucket]
           uri.path.sub!("/#{context.params[:bucket]}", '')
-          uri.scheme = 'http'
-          uri.port = 80
+          @handler.call(context)
+        end
+      end
+
+      # Used for excluding presigned_urls from API request count.
+      #
+      # Store context information as early as possible, to allow
+      # handlers to perform decisions based on this flag if need.
+      def handle_presigned_url_context(req)
+        req.handle(step: :initialize, priority: 98) do |context|
+          context[:presigned_url] = true
           @handler.call(context)
         end
       end
 
       # @param [Seahorse::Client::Request] req
-      def sign_but_dont_send(req, expires_in, scheme)
+      def sign_but_dont_send(
+        req, expires_in, secure, time, unsigned_headers, hoist = true
+      )
+        x_amz_headers = {}
 
         http_req = req.context.http_request
 
         req.handlers.remove(Aws::S3::Plugins::S3Signer::LegacyHandler)
-        req.handlers.remove(Aws::S3::Plugins::S3Signer::V4Handler)
+        req.handlers.remove(Aws::Plugins::Sign::Handler)
         req.handlers.remove(Seahorse::Client::Plugins::ContentLength::Handler)
 
-        signer = build_signer(req.context.config)
-
         req.handle(step: :send) do |context|
-
-          if scheme != http_req.endpoint.scheme
-            endpoint = http_req.endpoint.dup
-            endpoint.scheme = scheme
-            endpoint.port = (scheme == 'http' ? 80 : 443)
-            http_req.endpoint = URI.parse(endpoint.to_s)
+          # if an endpoint was not provided, force secure or insecure
+          if context.config.regional_endpoint
+            http_req.endpoint.scheme = secure ? 'https' : 'http'
+            http_req.endpoint.port = secure ? 443 : 80
           end
 
-          # hoist x-amz-* headers to the querystring
           query = http_req.endpoint.query ? http_req.endpoint.query.split('&') : []
-          http_req.headers.keys.each do |key|
-            if key.match(/^x-amz/i)
-              value = Aws::Sigv4::Signer.uri_escape(http_req.headers.delete(key))
+          http_req.headers.each do |key, value|
+            next unless key =~ /^x-amz/i
+
+            if hoist
+              value = Aws::Sigv4::Signer.uri_escape(value)
               key = Aws::Sigv4::Signer.uri_escape(key)
+              # hoist x-amz-* headers to the querystring
+              http_req.headers.delete(key)
               query << "#{key}=#{value}"
+            else
+              x_amz_headers[key] = value
             end
           end
           http_req.endpoint.query = query.join('&') unless query.empty?
 
+          auth_scheme = context[:auth_scheme]
+          scheme_name = auth_scheme['name']
+          region = if scheme_name == 'sigv4a'
+                     auth_scheme['signingRegionSet'].first
+                   else
+                     auth_scheme['signingRegion']
+                   end
+          signer = Aws::Sigv4::Signer.new(
+            service: auth_scheme['signingName'] || 's3',
+            region: context[:sigv4_region] || region || context.config.region,
+            credentials_provider: context[:sigv4_credentials] || context.config.credentials,
+            signing_algorithm: scheme_name.to_sym,
+            uri_escape_path: !!!auth_scheme['disableDoubleEncoding'],
+            unsigned_headers: unsigned_headers,
+            apply_checksum_header: false
+          )
+
           url = signer.presign_url(
             http_method: http_req.http_method,
             url: http_req.endpoint,
             headers: http_req.headers,
             body_digest: 'UNSIGNED-PAYLOAD',
-            expires_in: expires_in
+            expires_in: expires_in,
+            time: time
           ).to_s
 
           Seahorse::Client::Response.new(context: context, data: url)
         end
+        # Return the headers
+        x_amz_headers
       end
-
-      def build_signer(cfg)
-        Aws::Sigv4::Signer.new(
-          service: 's3',
-          region: cfg.region,
-          credentials_provider: cfg.credentials,
-          unsigned_headers: [
-            'cache-control',
-            'content-length', # due to a ELB bug
-            'expect',
-            'max-forwards',
-            'pragma',
-            'te',
-            'if-match',
-            'if-none-match',
-            'if-modified-since',
-            'if-unmodified-since',
-            'if-range',
-            'accept',
-            'proxy-authorization',
-            'from',
-            'referer',
-            'user-agent',
-            'x-amzn-trace-id'
-          ],
-          uri_escape_path: false
-        )
-      end
-
     end
   end
 end

data/lib/aws-sdk-s3/resource.rb

@@ -1,11 +1,25 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
 module Aws::S3
+
+  # This class provides a resource oriented interface for S3.
+  # To create a resource object:
+  #
+  #     resource = Aws::S3::Resource.new(region: 'us-west-2')
+  #
+  # You can supply a client object with custom configuration that will be used for all resource operations.
+  # If you do not pass `:client`, a default client will be constructed.
+  #
+  #     client = Aws::S3::Client.new(region: 'us-west-2')
+  #     resource = Aws::S3::Resource.new(client: client)
+  #
   class Resource
 
     # @param options ({})
@@ -27,34 +41,134 @@ module Aws::S3
     #     acl: "private", # accepts private, public-read, public-read-write, authenticated-read
     #     bucket: "BucketName", # required
     #     create_bucket_configuration: {
-    #       location_constraint: "EU", # accepts EU, eu-west-1, us-west-1, us-west-2, ap-south-1, ap-southeast-1, ap-southeast-2, ap-northeast-1, sa-east-1, cn-north-1, eu-central-1
+    #       location_constraint: "af-south-1", # accepts af-south-1, ap-east-1, ap-northeast-1, ap-northeast-2, ap-northeast-3, ap-south-1, ap-south-2, ap-southeast-1, ap-southeast-2, ap-southeast-3, ca-central-1, cn-north-1, cn-northwest-1, EU, eu-central-1, eu-north-1, eu-south-1, eu-south-2, eu-west-1, eu-west-2, eu-west-3, me-south-1, sa-east-1, us-east-2, us-gov-east-1, us-gov-west-1, us-west-1, us-west-2
+    #       location: {
+    #         type: "AvailabilityZone", # accepts AvailabilityZone
+    #         name: "LocationNameAsString",
+    #       },
+    #       bucket: {
+    #         data_redundancy: "SingleAvailabilityZone", # accepts SingleAvailabilityZone
+    #         type: "Directory", # accepts Directory
+    #       },
     #     },
     #     grant_full_control: "GrantFullControl",
     #     grant_read: "GrantRead",
     #     grant_read_acp: "GrantReadACP",
     #     grant_write: "GrantWrite",
     #     grant_write_acp: "GrantWriteACP",
+    #     object_lock_enabled_for_bucket: false,
+    #     object_ownership: "BucketOwnerPreferred", # accepts BucketOwnerPreferred, ObjectWriter, BucketOwnerEnforced
     #   })
     # @param [Hash] options ({})
     # @option options [String] :acl
     #   The canned ACL to apply to the bucket.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
     # @option options [required, String] :bucket
+    #   The name of the bucket to create.
+    #
+    #   **General purpose buckets** - For information about bucket naming
+    #   restrictions, see [Bucket naming rules][1] in the *Amazon S3 User
+    #   Guide*.
+    #
+    #   <b>Directory buckets </b> - When you use this operation with a
+    #   directory bucket, you must use path-style requests in the format
+    #   `https://s3express-control.region_code.amazonaws.com/bucket-name `.
+    #   Virtual-hosted-style requests aren't supported. Directory bucket
+    #   names must be unique in the chosen Availability Zone. Bucket names
+    #   must also follow the format ` bucket_base_name--az_id--x-s3` (for
+    #   example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
+    #   bucket naming restrictions, see [Directory bucket naming rules][2] in
+    #   the *Amazon S3 User Guide*
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
     # @option options [Types::CreateBucketConfiguration] :create_bucket_configuration
+    #   The configuration information for the bucket.
     # @option options [String] :grant_full_control
     #   Allows grantee the read, write, read ACP, and write ACP permissions on
     #   the bucket.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
     # @option options [String] :grant_read
     #   Allows grantee to list the objects in the bucket.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
     # @option options [String] :grant_read_acp
     #   Allows grantee to read the bucket ACL.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
     # @option options [String] :grant_write
-    #   Allows grantee to create, overwrite, and delete any object in the
-    #   bucket.
+    #   Allows grantee to create new objects in the bucket.
+    #
+    #   For the bucket and object owners of existing objects, also allows
+    #   deletions and overwrites of those objects.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
     # @option options [String] :grant_write_acp
     #   Allows grantee to write the ACL for the applicable bucket.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
+    # @option options [Boolean] :object_lock_enabled_for_bucket
+    #   Specifies whether you want S3 Object Lock to be enabled for the new
+    #   bucket.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
+    # @option options [String] :object_ownership
+    #   The container element for object ownership for a bucket's ownership
+    #   controls.
+    #
+    #   `BucketOwnerPreferred` - Objects uploaded to the bucket change
+    #   ownership to the bucket owner if the objects are uploaded with the
+    #   `bucket-owner-full-control` canned ACL.
+    #
+    #   `ObjectWriter` - The uploading account will own the object if the
+    #   object is uploaded with the `bucket-owner-full-control` canned ACL.
+    #
+    #   `BucketOwnerEnforced` - Access control lists (ACLs) are disabled and
+    #   no longer affect permissions. The bucket owner automatically owns and
+    #   has full control over every object in the bucket. The bucket only
+    #   accepts PUT requests that don't specify an ACL or specify bucket
+    #   owner full control ACLs (such as the predefined
+    #   `bucket-owner-full-control` canned ACL or a custom ACL in XML format
+    #   that grants the same permissions).
+    #
+    #   By default, `ObjectOwnership` is set to `BucketOwnerEnforced` and ACLs
+    #   are disabled. We recommend keeping ACLs disabled, except in uncommon
+    #   use cases where you must control access for each object individually.
+    #   For more information about S3 Object Ownership, see [Controlling
+    #   ownership of objects and disabling ACLs for your bucket][1] in the
+    #   *Amazon S3 User Guide*.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets. Directory
+    #   buckets use the bucket owner enforced setting for S3 Object Ownership.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
     # @return [Bucket]
     def create_bucket(options = {})
-      resp = @client.create_bucket(options)
+      Aws::Plugins::UserAgent.feature('resource') do
+        @client.create_bucket(options)
+      end
       Bucket.new(
         name: options[:bucket],
         client: @client
@@ -80,7 +194,9 @@ module Aws::S3
     def buckets(options = {})
       batches = Enumerator.new do |y|
         batch = []
-        resp = @client.list_buckets(options)
+        resp = Aws::Plugins::UserAgent.feature('resource') do
+          @client.list_buckets(options)
+        end
         resp.data.buckets.each do |b|
           batch << Bucket.new(
             name: b.name,