aws-sdk-s3 1.132.0 → 1.151.0

data/lib/aws-sdk-s3/plugins/express_session_auth.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module Aws
+  module S3
+    module Plugins
+      # @api private
+      class ExpressSessionAuth < Seahorse::Client::Plugin
+        # This should be s3_disable_express_auth instead
+        # But this is not a built in. We're overwriting the generated value
+        option(:disable_s3_express_session_auth,
+          default: false,
+          doc_type: 'Boolean',
+          docstring: <<-DOCS) do |cfg|
+When `true`, S3 Express session authentication is disabled.
+          DOCS
+          resolve_disable_s3_express_session_auth(cfg)
+        end
+
+        option(:express_credentials_provider,
+          doc_type: 'Aws::S3::ExpressCredentialsProvider',
+          rbs_type: 'untyped',
+          docstring: <<-DOCS) do |_cfg|
+Credential Provider for S3 Express endpoints. Manages credentials
+for different buckets.
+          DOCS
+          Aws::S3::ExpressCredentialsProvider.new
+        end
+
+        # @api private
+        class Handler < Seahorse::Client::Handler
+          def call(context)
+            if (props = context[:endpoint_properties])
+              # S3 Express endpoint - turn off md5 and enable crc32 default
+              if props['backend'] == 'S3Express'
+                if context.operation_name == :put_object || checksum_required?(context)
+                  context[:default_request_checksum_algorithm] = 'CRC32'
+                end
+                context[:s3_express_endpoint] = true
+              end
+
+              # if s3 express auth, use new credentials and sign additional header
+              if context[:auth_scheme]['name'] == 'sigv4-s3express' &&
+                 !context.config.disable_s3_express_session_auth
+                bucket = context.params[:bucket]
+                credentials_provider = context.config.express_credentials_provider
+                credentials = credentials_provider.express_credentials_for(bucket)
+                context[:sigv4_credentials] = credentials # Sign will use this
+              end
+            end
+            @handler.call(context)
+          end
+
+          private
+
+          def checksum_required?(context)
+            context.operation.http_checksum_required ||
+              (context.operation.http_checksum &&
+                context.operation.http_checksum['requestChecksumRequired'])
+          end
+        end
+
+        handler(Handler)
+
+        # Optimization - sets this client as the client to create sessions.
+        def after_initialize(client)
+          provider = client.config.express_credentials_provider
+          provider.client = client unless provider.client
+        end
+
+        class << self
+          private
+
+          def resolve_disable_s3_express_session_auth(cfg)
+            value = ENV['AWS_S3_DISABLE_EXPRESS_SESSION_AUTH'] ||
+                    Aws.shared_config.s3_disable_express_session_auth(profile: cfg.profile) ||
+                    'false'
+            value = Aws::Util.str_2_bool(value)
+            # Raise if provided value is not true or false
+            if value.nil?
+              raise ArgumentError,
+                    'Must provide either `true` or `false` for the '\
+                    '`s3_disable_express_session_auth` profile option or for '\
+                    "ENV['AWS_S3_DISABLE_EXPRESS_SESSION_AUTH']."
+            end
+            value
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/plugins/location_constraint.rb

@@ -22,7 +22,9 @@ module Aws
 
           def populate_location_constraint(params, region)
             params[:create_bucket_configuration] ||= {}
-            params[:create_bucket_configuration][:location_constraint] ||= region
+            unless params[:create_bucket_configuration][:location]
+              params[:create_bucket_configuration][:location_constraint] ||= region
+            end
           end
 
         end

data/lib/aws-sdk-s3/plugins/md5s.rb

@@ -22,7 +22,8 @@ module Aws
           CHUNK_SIZE = 1 * 1024 * 1024 # one MB
 
           def call(context)
-            if !context[:checksum_algorithms] # skip in favor of flexible checksum
+            if !context[:checksum_algorithms] && # skip in favor of flexible checksum
+               !context[:s3_express_endpoint] # s3 express endpoints do not support md5
               body = context.http_request.body
               if body.respond_to?(:size) && body.size > 0
                 context.http_request.headers['Content-Md5'] ||= md5(body)

data/lib/aws-sdk-s3/plugins/s3_signer.rb

@@ -4,6 +4,11 @@ require 'aws-sigv4'
 
 module Aws
   module S3
+    # @api private
+    def self.bucket_region_cache
+      @bucket_region_cache ||= BucketRegionCache.new
+    end
+
     module Plugins
       # This plugin used to have a V4 signer but it was removed in favor of
       # generic Sign plugin that uses endpoint auth scheme.
@@ -51,7 +56,7 @@ module Aws
           private
 
           def check_for_cached_region(context, bucket)
-            cached_region = S3::BUCKET_REGIONS[bucket]
+            cached_region = Aws::S3.bucket_region_cache[bucket]
             if cached_region &&
                cached_region != context.config.region &&
                !S3Signer.custom_endpoint?(context)
@@ -97,7 +102,7 @@ module Aws
           end
 
           def update_bucket_cache(context, actual_region)
-            S3::BUCKET_REGIONS[context.params[:bucket]] = actual_region
+            Aws::S3.bucket_region_cache[context.params[:bucket]] = actual_region
           end
 
           def fips_region?(resp)

data/lib/aws-sdk-s3/presigner.rb

@@ -199,6 +199,8 @@ module Aws
         req.handlers.remove(Aws::S3::Plugins::S3Signer::LegacyHandler)
         req.handlers.remove(Aws::Plugins::Sign::Handler)
         req.handlers.remove(Seahorse::Client::Plugins::ContentLength::Handler)
+        req.handlers.remove(Aws::Rest::ContentTypeHandler)
+        req.handlers.remove(Aws::Plugins::InvocationId::Handler)
 
         req.handle(step: :send) do |context|
           # if an endpoint was not provided, force secure or insecure
@@ -232,8 +234,8 @@ module Aws
                    end
           signer = Aws::Sigv4::Signer.new(
             service: auth_scheme['signingName'] || 's3',
-            region: region || context.config.region,
-            credentials_provider: context.config.credentials,
+            region: context[:sigv4_region] || region || context.config.region,
+            credentials_provider: context[:sigv4_credentials] || context.config.credentials,
             signing_algorithm: scheme_name.to_sym,
             uri_escape_path: !!!auth_scheme['disableDoubleEncoding'],
             unsigned_headers: unsigned_headers,

data/lib/aws-sdk-s3/resource.rb

@@ -41,7 +41,15 @@ module Aws::S3
     #     acl: "private", # accepts private, public-read, public-read-write, authenticated-read
     #     bucket: "BucketName", # required
     #     create_bucket_configuration: {
-    #       location_constraint: "af-south-1", # accepts af-south-1, ap-east-1, ap-northeast-1, ap-northeast-2, ap-northeast-3, ap-south-1, ap-southeast-1, ap-southeast-2, ap-southeast-3, ca-central-1, cn-north-1, cn-northwest-1, EU, eu-central-1, eu-north-1, eu-south-1, eu-west-1, eu-west-2, eu-west-3, me-south-1, sa-east-1, us-east-2, us-gov-east-1, us-gov-west-1, us-west-1, us-west-2, ap-south-2, eu-south-2
+    #       location_constraint: "af-south-1", # accepts af-south-1, ap-east-1, ap-northeast-1, ap-northeast-2, ap-northeast-3, ap-south-1, ap-south-2, ap-southeast-1, ap-southeast-2, ap-southeast-3, ca-central-1, cn-north-1, cn-northwest-1, EU, eu-central-1, eu-north-1, eu-south-1, eu-south-2, eu-west-1, eu-west-2, eu-west-3, me-south-1, sa-east-1, us-east-2, us-gov-east-1, us-gov-west-1, us-west-1, us-west-2
+    #       location: {
+    #         type: "AvailabilityZone", # accepts AvailabilityZone
+    #         name: "LocationNameAsString",
+    #       },
+    #       bucket: {
+    #         data_redundancy: "SingleAvailabilityZone", # accepts SingleAvailabilityZone
+    #         type: "Directory", # accepts Directory
+    #       },
     #     },
     #     grant_full_control: "GrantFullControl",
     #     grant_read: "GrantRead",
@@ -54,44 +62,108 @@ module Aws::S3
     # @param [Hash] options ({})
     # @option options [String] :acl
     #   The canned ACL to apply to the bucket.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
     # @option options [required, String] :bucket
     #   The name of the bucket to create.
+    #
+    #   **General purpose buckets** - For information about bucket naming
+    #   restrictions, see [Bucket naming rules][1] in the *Amazon S3 User
+    #   Guide*.
+    #
+    #   <b>Directory buckets </b> - When you use this operation with a
+    #   directory bucket, you must use path-style requests in the format
+    #   `https://s3express-control.region_code.amazonaws.com/bucket-name `.
+    #   Virtual-hosted-style requests aren't supported. Directory bucket
+    #   names must be unique in the chosen Availability Zone. Bucket names
+    #   must also follow the format ` bucket_base_name--az_id--x-s3` (for
+    #   example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
+    #   bucket naming restrictions, see [Directory bucket naming rules][2] in
+    #   the *Amazon S3 User Guide*
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
     # @option options [Types::CreateBucketConfiguration] :create_bucket_configuration
     #   The configuration information for the bucket.
     # @option options [String] :grant_full_control
     #   Allows grantee the read, write, read ACP, and write ACP permissions on
     #   the bucket.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
     # @option options [String] :grant_read
     #   Allows grantee to list the objects in the bucket.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
     # @option options [String] :grant_read_acp
     #   Allows grantee to read the bucket ACL.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
     # @option options [String] :grant_write
     #   Allows grantee to create new objects in the bucket.
     #
     #   For the bucket and object owners of existing objects, also allows
     #   deletions and overwrites of those objects.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
     # @option options [String] :grant_write_acp
     #   Allows grantee to write the ACL for the applicable bucket.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
     # @option options [Boolean] :object_lock_enabled_for_bucket
     #   Specifies whether you want S3 Object Lock to be enabled for the new
     #   bucket.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets.
+    #
+    #    </note>
     # @option options [String] :object_ownership
     #   The container element for object ownership for a bucket's ownership
     #   controls.
     #
-    #   BucketOwnerPreferred - Objects uploaded to the bucket change ownership
-    #   to the bucket owner if the objects are uploaded with the
+    #   `BucketOwnerPreferred` - Objects uploaded to the bucket change
+    #   ownership to the bucket owner if the objects are uploaded with the
     #   `bucket-owner-full-control` canned ACL.
     #
-    #   ObjectWriter - The uploading account will own the object if the object
-    #   is uploaded with the `bucket-owner-full-control` canned ACL.
+    #   `ObjectWriter` - The uploading account will own the object if the
+    #   object is uploaded with the `bucket-owner-full-control` canned ACL.
+    #
+    #   `BucketOwnerEnforced` - Access control lists (ACLs) are disabled and
+    #   no longer affect permissions. The bucket owner automatically owns and
+    #   has full control over every object in the bucket. The bucket only
+    #   accepts PUT requests that don't specify an ACL or specify bucket
+    #   owner full control ACLs (such as the predefined
+    #   `bucket-owner-full-control` canned ACL or a custom ACL in XML format
+    #   that grants the same permissions).
+    #
+    #   By default, `ObjectOwnership` is set to `BucketOwnerEnforced` and ACLs
+    #   are disabled. We recommend keeping ACLs disabled, except in uncommon
+    #   use cases where you must control access for each object individually.
+    #   For more information about S3 Object Ownership, see [Controlling
+    #   ownership of objects and disabling ACLs for your bucket][1] in the
+    #   *Amazon S3 User Guide*.
+    #
+    #   <note markdown="1"> This functionality is not supported for directory buckets. Directory
+    #   buckets use the bucket owner enforced setting for S3 Object Ownership.
+    #
+    #    </note>
+    #
+    #
     #
-    #   BucketOwnerEnforced - Access control lists (ACLs) are disabled and no
-    #   longer affect permissions. The bucket owner automatically owns and has
-    #   full control over every object in the bucket. The bucket only accepts
-    #   PUT requests that don't specify an ACL or bucket owner full control
-    #   ACLs, such as the `bucket-owner-full-control` canned ACL or an
-    #   equivalent form of this ACL expressed in the XML format.
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
     # @return [Bucket]
     def create_bucket(options = {})
       Aws::Plugins::UserAgent.feature('resource') do