aws-sdk-s3 1.147.0 → 1.163.0

Files changed (66) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +103 -2
  3. data/VERSION +1 -1
  4. data/lib/aws-sdk-s3/access_grants_credentials.rb +57 -0
  5. data/lib/aws-sdk-s3/access_grants_credentials_provider.rb +250 -0
  6. data/lib/aws-sdk-s3/bucket.rb +209 -69
  7. data/lib/aws-sdk-s3/bucket_acl.rb +3 -3
  8. data/lib/aws-sdk-s3/bucket_cors.rb +4 -4
  9. data/lib/aws-sdk-s3/bucket_lifecycle.rb +4 -4
  10. data/lib/aws-sdk-s3/bucket_lifecycle_configuration.rb +4 -4
  11. data/lib/aws-sdk-s3/bucket_logging.rb +3 -3
  12. data/lib/aws-sdk-s3/bucket_notification.rb +3 -3
  13. data/lib/aws-sdk-s3/bucket_policy.rb +4 -4
  14. data/lib/aws-sdk-s3/bucket_region_cache.rb +9 -5
  15. data/lib/aws-sdk-s3/bucket_request_payment.rb +3 -3
  16. data/lib/aws-sdk-s3/bucket_tagging.rb +4 -4
  17. data/lib/aws-sdk-s3/bucket_versioning.rb +5 -5
  18. data/lib/aws-sdk-s3/bucket_website.rb +4 -4
  19. data/lib/aws-sdk-s3/client.rb +1653 -637
  20. data/lib/aws-sdk-s3/client_api.rb +35 -3
  21. data/lib/aws-sdk-s3/customizations/bucket.rb +1 -1
  22. data/lib/aws-sdk-s3/customizations/errors.rb +15 -2
  23. data/lib/aws-sdk-s3/customizations/object.rb +5 -5
  24. data/lib/aws-sdk-s3/customizations.rb +4 -1
  25. data/lib/aws-sdk-s3/encryption/client.rb +2 -2
  26. data/lib/aws-sdk-s3/encryption/kms_cipher_provider.rb +2 -2
  27. data/lib/aws-sdk-s3/encryptionV2/client.rb +2 -2
  28. data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb +2 -2
  29. data/lib/aws-sdk-s3/endpoint_parameters.rb +8 -0
  30. data/lib/aws-sdk-s3/endpoint_provider.rb +1 -0
  31. data/lib/aws-sdk-s3/endpoints.rb +199 -397
  32. data/lib/aws-sdk-s3/express_credentials_provider.rb +27 -4
  33. data/lib/aws-sdk-s3/file_downloader.rb +1 -1
  34. data/lib/aws-sdk-s3/file_uploader.rb +1 -1
  35. data/lib/aws-sdk-s3/multipart_stream_uploader.rb +1 -1
  36. data/lib/aws-sdk-s3/multipart_upload.rb +24 -4
  37. data/lib/aws-sdk-s3/multipart_upload_part.rb +3 -3
  38. data/lib/aws-sdk-s3/object.rb +394 -137
  39. data/lib/aws-sdk-s3/object_acl.rb +3 -3
  40. data/lib/aws-sdk-s3/object_copier.rb +1 -1
  41. data/lib/aws-sdk-s3/object_multipart_copier.rb +10 -8
  42. data/lib/aws-sdk-s3/object_summary.rb +358 -115
  43. data/lib/aws-sdk-s3/object_version.rb +46 -9
  44. data/lib/aws-sdk-s3/plugins/access_grants.rb +178 -0
  45. data/lib/aws-sdk-s3/plugins/endpoints.rb +10 -1
  46. data/lib/aws-sdk-s3/plugins/express_session_auth.rb +8 -2
  47. data/lib/aws-sdk-s3/plugins/http_200_errors.rb +53 -16
  48. data/lib/aws-sdk-s3/plugins/s3_signer.rb +7 -2
  49. data/lib/aws-sdk-s3/presigner.rb +1 -0
  50. data/lib/aws-sdk-s3/resource.rb +12 -10
  51. data/lib/aws-sdk-s3/types.rb +966 -350
  52. data/lib/aws-sdk-s3.rb +1 -1
  53. data/sig/bucket.rbs +1 -0
  54. data/sig/client.rbs +38 -2
  55. data/sig/customizations/bucket.rbs +19 -0
  56. data/sig/customizations/object.rbs +38 -0
  57. data/sig/customizations/object_summary.rbs +35 -0
  58. data/sig/multipart_upload.rbs +1 -0
  59. data/sig/object.rbs +7 -0
  60. data/sig/object_summary.rbs +1 -0
  61. data/sig/object_version.rbs +6 -0
  62. data/sig/resource.rbs +6 -1
  63. data/sig/types.rbs +25 -2
  64. data/sig/waiters.rbs +12 -0
  65. metadata +12 -7
  66. data/lib/aws-sdk-s3/express_credentials_cache.rb +0 -30
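--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: a53a99ccca2522053de21bfdf31e17a700464dcc70688283d438b987b1e8098d
-data.tar.gz: 2edaadc220c24d5d3493841421b9760c2202e7b14aa78e58eb6bb33554f46650
+metadata.gz: afd4c360870e136ada49d27ff23a992d83e10cf8086d49fa60e4109a83befc49
+data.tar.gz: 74b212aa39f93b6233b2aaa1dfcd647339745c8ad5e54fa26ee341040c27bc22
 SHA512:
-metadata.gz: 822936b8f7a5f6b51baa737b7628ef9e6c584bafca53d648c99684cb6db92b3a6fea98a91ddcce1b2479e7050cccb59045f062cc73f9d889911013684ba7b3df
-data.tar.gz: 13107a5c2aa6fb081e943340433a72dabad53ee6800e841eff965662c135aac1307664ea855def95c610421886314148067972e6dd78f1f0dc9510671ccfa331
+metadata.gz: 86ea94d75b351388571d07466ea49d5243f70a31c7688d18047acb746ede2d81703ba5225a58eb221430304de7bb483ca70e6d31eaa89feb3b1b4a12e830cbb6
+data.tar.gz: 1aca70a5ee0e958587aa59e255ef5a2ddbce7e61f466fca44ae482d8703965d0ec30b46e6f58f76c9c97b2590f86a25d34e7aed4c81a59191442461b8641c39b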
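--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,108 @@
 Unreleased Changes
 ------------------
 
+1.163.0 (2024-09-18)
+------------------
+
+* Feature - Added SSE-KMS support for directory buckets.
+
+1.162.0 (2024-09-11)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.161.0 (2024-09-10)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.160.0 (2024-09-03)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.159.0 (2024-08-20)
+------------------
+
+* Feature - Amazon Simple Storage Service / Features : Add support for conditional writes for PutObject and CompleteMultipartUpload APIs.
+
+1.158.0 (2024-08-15)
+------------------
+
+* Feature - Amazon Simple Storage Service / Features : Adds support for pagination in the S3 ListBuckets API.
+
+1.157.0 (2024-08-01)
+------------------
+
+* Feature - Support `head_bucket`, `get_object_attributes`, `delete_objects`, and `copy_object` for Access Grants.
+
+1.156.0 (2024-07-02)
+------------------
+
+* Feature - Added response overrides to Head Object requests.
+
+1.155.0 (2024-06-28)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.154.0 (2024-06-25)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.153.0 (2024-06-24)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.152.3 (2024-06-13)
+------------------
+
+* Issue - Handle 200 errors for all S3 operations that do not have streaming responses.
+
+1.152.2 (2024-06-12)
+------------------
+
+* Issue - Revert Handling of 200 errors for all S3 operations.
+
+1.152.1 (2024-06-10)
+------------------
+
+* Issue - Handle 200 errors for all S3 operations that do not have streaming responses.
+
+1.152.0 (2024-06-05)
+------------------
+
+* Feature - Added new params copySource and key to copyObject API for supporting S3 Access Grants plugin. These changes will not change any of the existing S3 API functionality.
+
+1.151.0 (2024-05-14)
+------------------
+
+* Feature - Updated a few x-id in the http uri traits
+
+1.150.0 (2024-05-13)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.149.1 (2024-05-06)
+------------------
+
+* Issue - Fix bug where destination bucket default encryption was inadvertently overridden by source object encryption.
+
+1.149.0 (2024-04-30)
+------------------
+
+* Feature - Support S3 Access Grants authentication. Access Grants can be enabled with the `access_grants` option, and custom options can be passed into the `access_grants_credentials_provider` option. This feature requires `aws-sdk-s3control` to be installed.
+
+* Feature - Add RBS signatures for customizations of S3.
+
+1.148.0 (2024-04-25)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
 1.147.0 (2024-04-16)
 ------------------
 
@@ -33,7 +135,6 @@ Unreleased Changes
 
 * Issue - Include original part errors in message when aborting multipart upload fails (#2990).
 
-
 1.143.0 (2024-01-26)
 ------------------
 
@@ -156,7 +257,7 @@ Unreleased Changes
 1.123.2 (2023-06-12)
 ------------------
 
-* Issue - Fix issue when decrypting noncurrent versions of objects when using client side encryption (#2866).
+* Issue - Fix issue when decrypting noncurrent versions of objects when using client side encryption (#2866).
 
 1.123.1 (2023-06-02)
 ------------------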
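--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-1.147.0
+1.163.0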
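--- a/data/lib/aws-sdk-s3/access_grants_credentials.rb
+++ b/data/lib/aws-sdk-s3/access_grants_credentials.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'set'
+
+module Aws
+module S3
+# @api private
+class AccessGrantsCredentials
+include CredentialProvider
+include RefreshingCredentials
+
+def initialize(options = {})
+@client = options[:client]
+@get_data_access_params = {}
+options.each_pair do |key, value|
+if self.class.get_data_access_options.include?(key)
+@get_data_access_params[key] = value
+end
+end
+@async_refresh = true
+super
+end
+
+# @return [S3Control::Client]
+attr_reader :client
+
+# @return [String]
+attr_reader :matched_grant_target
+
+private
+
+def refresh
+c = @client.get_data_access(@get_data_access_params)
+credentials = c.credentials
+@matched_grant_target = c.matched_grant_target
+@credentials = Credentials.new(
+credentials.access_key_id,
+credentials.secret_access_key,
+credentials.session_token
+)
+@expiration = credentials.expiration
+end
+
+class << self
+
+# @api private
+def get_data_access_options
+@gdao ||= begin
+input = Aws::S3Control::Client.api.operation(:get_data_access).input
+Set.new(input.shape.member_names)
+end
+end
+
+end
+end
+end
+end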
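Review bot: `initialize` stores `options[:client]` without checking it, so an instance built without `:client` only fails later inside `refresh` with a `NoMethodError` on `nil` instead of an `ArgumentError` at construction; a guard on the line after the assignment, `raise ArgumentError, 'missing required option :client' unless @client`, would report the misconfiguration where it happens. `initialize` also has no YARD documentation while the readers and `get_data_access_options` do; a `# @param [Hash] options` block with `# @option options [S3Control::Client] :client` and a sentence noting that every other key matching a GetDataAccess input member is forwarded as a `get_data_access` parameter would match the file's style.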
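--- a/data/lib/aws-sdk-s3/access_grants_credentials_provider.rb
+++ b/data/lib/aws-sdk-s3/access_grants_credentials_provider.rb
@@ -0,0 +1,250 @@
+# frozen_string_literal: true
+
+module Aws
+module S3
+# @api private
+def self.access_grants_credentials_cache
+@access_grants_credentials_cache ||= LRUCache.new(max_entries: 100)
+end
+
+# @api private
+def self.access_grants_account_id_cache
+@access_grants_account_id_cache ||= LRUCache.new(
+max_entries: 100,
+expiration: 60 * 10
+)
+end
+
+# Returns Credentials class for S3 Access Grants. Accepts GetDataAccess
+# params and other configuration as options. See
+# {Aws::S3Control::Client#get_data_access} for details.
+class AccessGrantsCredentialsProvider
+# @param [Hash] options
+# @option options [Hash] :s3_control_client_options The S3 Control
+# client options used to create regional S3 Control clients to
+# create the session. Region will be set to the region of the
+# bucket.
+# @option options [Aws::STS::Client] :sts_client The STS client used for
+# fetching the Account ID for the credentials if credentials do not
+# include an Account ID.
+# @option options [Aws::S3::Client] :s3_client The S3 client used for
+# fetching the location of the bucket so that a regional S3 Control
+# client can be created. Defaults to the S3 client from the access
+# grants plugin.
+# @option options [String] :privilege ('Default') The privilege to use
+# when requesting credentials. (see: {Aws::S3Control::Client#get_data_access})
+# @option options [Boolean] :fallback (false) When true, if access is
+# denied, the provider will fall back to the configured credentials.
+# @option options [Boolean] :caching (true) When true, credentials and
+# bucket account ids will be cached.
+# @option options [Callable] :before_refresh Proc called before
+# credentials are refreshed.
+def initialize(options = {})
+@s3_control_options = options.delete(:s3_control_client_options) || {}
+@s3_client = options.delete(:s3_client)
+@sts_client = options.delete(:sts_client)
+@fallback = options.delete(:fallback) || false
+@caching = options.delete(:caching) != false
+@s3_control_clients = {}
+@bucket_region_cache = Aws::S3.bucket_region_cache
+@head_bucket_mutex = Mutex.new
+@head_bucket_call = false
+return unless @caching
+
+@credentials_cache = Aws::S3.access_grants_credentials_cache
+@account_id_cache = Aws::S3.access_grants_account_id_cache
+end
+
+def access_grants_credentials_for(options = {})
+target = target_prefix(
+options[:bucket],
+options[:key],
+options[:prefix]
+)
+credentials = s3_client.config.credentials.credentials # resolves
+
+if @caching
+cached_credentials_for(target, options[:permission], credentials)
+else
+new_credentials_for(target, options[:permission], credentials)
+end
+rescue Aws::S3Control::Errors::AccessDenied
+raise unless @fallback
+
+warn 'Access denied for S3 Access Grants. Falling back to ' \
+'configured credentials.'
+s3_client.config.credentials
+end
+
+attr_accessor :s3_client
+
+private
+
+def s3_control_client(bucket_region)
+@s3_control_clients[bucket_region] ||= begin
+credentials = s3_client.config.credentials
+config = { credentials: credentials }.merge(@s3_control_options)
+Aws::S3Control::Client.new(config.merge(
+region: bucket_region,
+use_fips_endpoint: s3_client.config.use_fips_endpoint,
+use_dualstack_endpoint: s3_client.config.use_dualstack_endpoint
+))
+end
+end
+
+def cached_credentials_for(target, permission, credentials)
+cached_creds = broad_search_credentials_cache_prefix(target, permission, credentials)
+return cached_creds if cached_creds
+
+if %w[READ WRITE].include?(permission)
+cached_creds = broad_search_credentials_cache_prefix(target, 'READWRITE', credentials)
+return cached_creds if cached_creds
+end
+
+cached_creds = broad_search_credentials_cache_characters(target, permission, credentials)
+return cached_creds if cached_creds
+
+if %w[READ WRITE].include?(permission)
+cached_creds = broad_search_credentials_cache_characters(target, 'READWRITE', credentials)
+return cached_creds if cached_creds
+end
+
+creds = new_credentials_for(target, permission, credentials)
+if creds.matched_grant_target.end_with?('*')
+# remove /* from the end of the target
+key = credentials_cache_key(creds.matched_grant_target[0...-2], permission, credentials)
+@credentials_cache[key] = creds
+end
+
+creds
+end
+
+def broad_search_credentials_cache_prefix(target, permission, credentials)
+prefix = target
+while prefix != 's3:'
+key = credentials_cache_key(prefix, permission, credentials)
+return @credentials_cache[key] if @credentials_cache.key?(key)
+
+prefix = prefix.split('/', -1)[0..-2].join('/')
+end
+nil
+end
+
+def broad_search_credentials_cache_characters(target, permission, credentials)
+prefix = target
+while prefix != 's3://'
+key = credentials_cache_key("#{prefix}*", permission, credentials)
+return @credentials_cache[key] if @credentials_cache.key?(key)
+
+prefix = prefix[0..-2]
+end
+nil
+end
+
+def new_credentials_for(target, permission, credentials)
+bucket_region = bucket_region_for_access_grants(target)
+client = s3_control_client(bucket_region)
+
+AccessGrantsCredentials.new(
+target: target,
+account_id: account_id_for_access_grants(target, credentials),
+permission: permission,
+client: client
+)
+end
+
+def account_id_for_access_grants(target, credentials)
+if @caching
+cached_account_id_for(target, credentials)
+else
+new_account_id_for(target, credentials)
+end
+end
+
+def cached_account_id_for(target, credentials)
+bucket = bucket_name_from(target)
+
+if @account_id_cache.key?(bucket)
+@account_id_cache[bucket]
+else
+@account_id_cache[bucket] = new_account_id_for(target, credentials)
+end
+end
+
+# returns the account id associated with the access grants instance
+def new_account_id_for(target, credentials)
+bucket_region = bucket_region_for_access_grants(target)
+s3_control_client = s3_control_client(bucket_region)
+resp = s3_control_client.get_access_grants_instance_for_prefix(
+s3_prefix: target,
+account_id: account_id_for_credentials(bucket_region, credentials)
+)
+ARNParser.parse(resp.access_grants_instance_arn).account_id
+end
+
+def bucket_region_for_access_grants(target)
+bucket = bucket_name_from(target)
+# regardless of caching option, bucket region cache is always shared
+cached_bucket_region_for(bucket)
+end
+
+def cached_bucket_region_for(bucket)
+if @bucket_region_cache.key?(bucket)
+@bucket_region_cache[bucket]
+else
+@bucket_region_cache[bucket] = new_bucket_region_for(bucket)
+end
+end
+
+def new_bucket_region_for(bucket)
+@head_bucket_mutex.synchronize do
+begin
+@head_bucket_call = true
+@s3_client.head_bucket(bucket: bucket).bucket_region
+rescue Aws::S3::Errors::Http301Error => e
+e.data.region
+ensure
+@head_bucket_call = false
+end
+end
+end
+
+# returns the account id for the configured credentials
+def account_id_for_credentials(region, credentials)
+# use resolved credentials to check for account id
+if credentials.respond_to?(:account_id) && credentials.account_id &&
+!credentials.account_id.empty?
+credentials.account_id
+else
+@sts_client ||= Aws::STS::Client.new(
+credentials: s3_client.config.credentials,
+region: region,
+use_fips_endpoint: s3_client.config.use_fips_endpoint,
+use_dualstack_endpoint: s3_client.config.use_dualstack_endpoint
+)
+@sts_client.get_caller_identity.account
+end
+end
+
+def target_prefix(bucket, key, prefix)
+if key && !key.empty?
+"s3://#{bucket}/#{key}"
+elsif prefix && !prefix.empty?
+"s3://#{bucket}/#{prefix}"
+else
+"s3://#{bucket}/*"
+end
+end
+
+def credentials_cache_key(target, permission, credentials)
+"#{credentials.access_key_id}-#{credentials.secret_access_key}" \
+"-#{permission}-#{target}"
+end
+
+# extracts bucket name from target prefix
+def bucket_name_from(target)
+URI(target).host
+end
+end
+end
+end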
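Review bot: `bucket_name_from` (near the end of the hunk) parses the whole `s3://bucket/key` target with `URI(target)`, and `URI()` raises `URI::InvalidURIError` for characters that are legal in S3 object keys but not in a URI (a space, `[`, `^`, non-ASCII), so every cached and uncached path that calls it would fail for such keys before any credential lookup; `target.delete_prefix('s3://').split('/', 2).first` returns the bucket without parsing the key, which `target_prefix` always places after the first `/`. Separately, `credentials_cache_key` embeds the plaintext `secret_access_key` in the LRU cache key, so any `inspect` or debug logging of `@credentials_cache` prints the secret alongside the target; deriving the credential part of the key as `Digest::SHA256.hexdigest("#{credentials.access_key_id}-#{credentials.secret_access_key}")` (with `require 'digest'` at the top of the file) keeps the key unique per credential set without holding a second copy of the secret.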