aws-sdk-s3 1.36.1 → 1.56.0

data/lib/aws-sdk-s3/object_summary.rb

@@ -38,19 +38,20 @@ module Aws::S3
       @key
     end
 
-    
+    # The date the Object was Last Modified
     # @return [Time]
     def last_modified
       data[:last_modified]
     end
 
-    
+    # The entity tag is an MD5 hash of the object. ETag reflects only
+    # changes to the contents of an object, not its metadata.
     # @return [String]
     def etag
       data[:etag]
     end
 
-    
+    # Size in bytes of the object
     # @return [Integer]
     def size
       data[:size]
@@ -62,7 +63,7 @@ module Aws::S3
       data[:storage_class]
     end
 
-    
+    # The owner of the object
     # @return [Types::Owner]
     def owner
       data[:owner]
@@ -118,10 +119,10 @@ module Aws::S3
     # @option options [Proc] :before_attempt
     # @option options [Proc] :before_wait
     # @return [ObjectSummary]
-    def wait_until_exists(options = {})
+    def wait_until_exists(options = {}, &block)
       options, params = separate_params_and_options(options)
       waiter = Waiters::ObjectExists.new(options)
-      yield_waiter_and_warn(waiter, &Proc.new) if block_given?
+      yield_waiter_and_warn(waiter, &block) if block_given?
       waiter.wait(params.merge(bucket: @bucket_name,
         key: @key))
       ObjectSummary.new({
@@ -137,10 +138,10 @@ module Aws::S3
     # @option options [Proc] :before_attempt
     # @option options [Proc] :before_wait
     # @return [ObjectSummary]
-    def wait_until_not_exists(options = {})
+    def wait_until_not_exists(options = {}, &block)
       options, params = separate_params_and_options(options)
       waiter = Waiters::ObjectNotExists.new(options)
-      yield_waiter_and_warn(waiter, &Proc.new) if block_given?
+      yield_waiter_and_warn(waiter, &block) if block_given?
       waiter.wait(params.merge(bucket: @bucket_name,
         key: @key))
       ObjectSummary.new({
@@ -278,6 +279,7 @@ module Aws::S3
     #     sse_customer_key: "SSECustomerKey",
     #     sse_customer_key_md5: "SSECustomerKeyMD5",
     #     ssekms_key_id: "SSEKMSKeyId",
+    #     ssekms_encryption_context: "SSEKMSEncryptionContext",
     #     copy_source_sse_customer_algorithm: "CopySourceSSECustomerAlgorithm",
     #     copy_source_sse_customer_key: "CopySourceSSECustomerKey",
     #     copy_source_sse_customer_key_md5: "CopySourceSSECustomerKeyMD5",
@@ -362,6 +364,10 @@ module Aws::S3
     #   via SSL or using SigV4. Documentation on configuring any of the
     #   officially supported AWS SDKs and CLI can be found at
     #   http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
+    # @option options [String] :ssekms_encryption_context
+    #   Specifies the AWS KMS Encryption Context to use for object encryption.
+    #   The value of this header is a base64-encoded UTF-8 string holding JSON
+    #   with the encryption context key-value pairs.
     # @option options [String] :copy_source_sse_customer_algorithm
     #   Specifies the algorithm to use when decrypting the source object
     #   (e.g., AES256).
@@ -412,6 +418,8 @@ module Aws::S3
     # @option options [String] :mfa
     #   The concatenation of the authentication device's serial number, a
     #   space, and the value that is displayed on your authentication device.
+    #   Required to permanently delete a versionedobject if versioning is
+    #   configured with MFA Deleteenabled.
     # @option options [String] :version_id
     #   VersionId used to reference a specific version of the object.
     # @option options [String] :request_payer
@@ -543,6 +551,7 @@ module Aws::S3
     #     sse_customer_key: "SSECustomerKey",
     #     sse_customer_key_md5: "SSECustomerKeyMD5",
     #     ssekms_key_id: "SSEKMSKeyId",
+    #     ssekms_encryption_context: "SSEKMSEncryptionContext",
     #     request_payer: "requester", # accepts requester
     #     tagging: "TaggingHeader",
     #     object_lock_mode: "GOVERNANCE", # accepts GOVERNANCE, COMPLIANCE
@@ -605,6 +614,10 @@ module Aws::S3
     #   via SSL or using SigV4. Documentation on configuring any of the
     #   officially supported AWS SDKs and CLI can be found at
     #   http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
+    # @option options [String] :ssekms_encryption_context
+    #   Specifies the AWS KMS Encryption Context to use for object encryption.
+    #   The value of this header is a base64-encoded UTF-8 string holding JSON
+    #   with the encryption context key-value pairs.
     # @option options [String] :request_payer
     #   Confirms that the requester knows that she or he will be charged for
     #   the request. Bucket owners need not specify this parameter in their
@@ -664,6 +677,7 @@ module Aws::S3
     #     sse_customer_key: "SSECustomerKey",
     #     sse_customer_key_md5: "SSECustomerKeyMD5",
     #     ssekms_key_id: "SSEKMSKeyId",
+    #     ssekms_encryption_context: "SSEKMSEncryptionContext",
     #     request_payer: "requester", # accepts requester
     #     tagging: "TaggingHeader",
     #     object_lock_mode: "GOVERNANCE", # accepts GOVERNANCE, COMPLIANCE
@@ -672,29 +686,77 @@ module Aws::S3
     #   })
     # @param [Hash] options ({})
     # @option options [String] :acl
-    #   The canned ACL to apply to the object.
+    #   The canned ACL to apply to the object. For more information, see
+    #   [Canned ACL][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#CannedACL
     # @option options [String, IO] :body
     #   Object data.
     # @option options [String] :cache_control
-    #   Specifies caching behavior along the request/reply chain.
+    #   Can be used to specify caching behavior along the request/reply chain.
+    #   For more information, see
+    #   [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9][1].
+    #
+    #
+    #
+    #   [1]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
     # @option options [String] :content_disposition
-    #   Specifies presentational information for the object.
+    #   Specifies presentational information for the object. For more
+    #   information, see
+    #   [http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html#sec19.5.1][1].
+    #
+    #
+    #
+    #   [1]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html#sec19.5.1
     # @option options [String] :content_encoding
     #   Specifies what content encodings have been applied to the object and
     #   thus what decoding mechanisms must be applied to obtain the media-type
-    #   referenced by the Content-Type header field.
+    #   referenced by the Content-Type header field. For more information, see
+    #   [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11][1].
+    #
+    #
+    #
+    #   [1]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11
     # @option options [String] :content_language
     #   The language the content is in.
     # @option options [Integer] :content_length
     #   Size of the body in bytes. This parameter is useful when the size of
-    #   the body cannot be determined automatically.
+    #   the body cannot be determined automatically. For more information, see
+    #   [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13][1].
+    #
+    #
+    #
+    #   [1]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13
     # @option options [String] :content_md5
-    #   The base64-encoded 128-bit MD5 digest of the part data. This parameter
-    #   is auto-populated when using the command from the CLI
+    #   The base64-encoded 128-bit MD5 digest of the message (without the
+    #   headers) according to RFC 1864. This header can be used as a message
+    #   integrity check to verify that the data is the same data that was
+    #   originally sent. Although it is optional, we recommend using the
+    #   Content-MD5 mechanism as an end-to-end integrity check. For more
+    #   information about REST request authentication, see [REST
+    #   Authentication][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html
     # @option options [String] :content_type
-    #   A standard MIME type describing the format of the object data.
+    #   A standard MIME type describing the format of the contents. For more
+    #   information, see
+    #   [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17][1].
+    #
+    #
+    #
+    #   [1]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17
     # @option options [Time,DateTime,Date,Integer,String] :expires
-    #   The date and time at which the object is no longer cacheable.
+    #   The date and time at which the object is no longer cacheable. For more
+    #   information, see
+    #   [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.21][1].
+    #
+    #
+    #
+    #   [1]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.21
     # @option options [String] :grant_full_control
     #   Gives the grantee READ, READ\_ACP, and WRITE\_ACP permissions on the
     #   object.
@@ -710,11 +772,32 @@ module Aws::S3
     #   The Server-side encryption algorithm used when storing this object in
     #   S3 (e.g., AES256, aws:kms).
     # @option options [String] :storage_class
-    #   The type of storage to use for the object. Defaults to 'STANDARD'.
+    #   If you don't specify, Standard is the default storage class. Amazon
+    #   S3 supports other storage classes.
     # @option options [String] :website_redirect_location
     #   If the bucket is configured as a website, redirects requests for this
     #   object to another object in the same bucket or to an external URL.
-    #   Amazon S3 stores the value of this header in the object metadata.
+    #   Amazon S3 stores the value of this header in the object metadata. For
+    #   information about object metadata, see .
+    #
+    #   In the following example, the request header sets the redirect to an
+    #   object (anotherPage.html) in the same bucket:
+    #
+    #   `x-amz-website-redirect-location: /anotherPage.html`
+    #
+    #   In the following example, the request header sets the object redirect
+    #   to another website:
+    #
+    #   `x-amz-website-redirect-location: http://www.example.com/`
+    #
+    #   For more information about website hosting in Amazon S3, see [Hosting
+    #   Websites on Amazon S3][1] and [How to Configure Website Page
+    #   Redirects][2].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html
+    #   [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-page-redirect.html
     # @option options [String] :sse_customer_algorithm
     #   Specifies the algorithm to use to when encrypting the object (e.g.,
     #   AES256).
@@ -729,11 +812,20 @@ module Aws::S3
     #   RFC 1321. Amazon S3 uses this header for a message integrity check to
     #   ensure the encryption key was transmitted without error.
     # @option options [String] :ssekms_key_id
-    #   Specifies the AWS KMS key ID to use for object encryption. All GET and
-    #   PUT requests for an object protected by AWS KMS will fail if not made
-    #   via SSL or using SigV4. Documentation on configuring any of the
-    #   officially supported AWS SDKs and CLI can be found at
-    #   http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
+    #   If the x-amz-server-side-encryption is present and has the value of
+    #   aws:kms, this header specifies the ID of the AWS Key Management
+    #   Service (AWS KMS) customer master key (CMK) that was used for the
+    #   object.
+    #
+    #   If the value of x-amz-server-side-encryption is aws:kms, this header
+    #   specifies the ID of the AWS KMS CMK that will be used for the object.
+    #   If you specify x-amz-server-side-encryption:aws:kms, but do not
+    #   provide x-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses
+    #   the AWS managed CMK in AWS to protect the data.
+    # @option options [String] :ssekms_encryption_context
+    #   Specifies the AWS KMS Encryption Context to use for object encryption.
+    #   The value of this header is a base64-encoded UTF-8 string holding JSON
+    #   with the encryption context key-value pairs.
     # @option options [String] :request_payer
     #   Confirms that the requester knows that she or he will be charged for
     #   the request. Bucket owners need not specify this parameter in their
@@ -748,7 +840,12 @@ module Aws::S3
     # @option options [Time,DateTime,Date,Integer,String] :object_lock_retain_until_date
     #   The date and time when you want this object's Object Lock to expire.
     # @option options [String] :object_lock_legal_hold_status
-    #   The Legal Hold status that you want to apply to the specified object.
+    #   Specifies whether a legal hold will be applied to this object. For
+    #   more information about S3 Object Lock, see [Object Lock][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html
     # @return [Types::PutObjectOutput]
     def put(options = {})
       options = options.merge(
@@ -848,6 +945,7 @@ module Aws::S3
     #   })
     # @param [Hash] options ({})
     # @option options [String] :version_id
+    #   VersionId used to reference a specific version of the object.
     # @option options [Types::RestoreRequest] :restore_request
     #   Container for restore job parameters.
     # @option options [String] :request_payer
@@ -990,6 +1088,8 @@ module Aws::S3
       # @option options [String] :mfa
       #   The concatenation of the authentication device's serial number, a
       #   space, and the value that is displayed on your authentication device.
+      #   Required to permanently delete a versioned object if versioning is
+      #   configured with MFA Delete enabled.
       # @option options [String] :request_payer
       #   Confirms that the requester knows that she or he will be charged for
       #   the request. Bucket owners need not specify this parameter in their

data/lib/aws-sdk-s3/object_version.rb

@@ -46,7 +46,7 @@ module Aws::S3
       @id
     end
 
-    
+    # The entity tag is an MD5 hash of that version of the object
     # @return [String]
     def etag
       data[:etag]
@@ -89,7 +89,7 @@ module Aws::S3
       data[:last_modified]
     end
 
-    
+    # Specifies the Owner of the object.
     # @return [Types::Owner]
     def owner
       data[:owner]
@@ -233,6 +233,8 @@ module Aws::S3
     # @option options [String] :mfa
     #   The concatenation of the authentication device's serial number, a
     #   space, and the value that is displayed on your authentication device.
+    #   Required to permanently delete a versionedobject if versioning is
+    #   configured with MFA Deleteenabled.
     # @option options [String] :request_payer
     #   Confirms that the requester knows that she or he will be charged for
     #   the request. Bucket owners need not specify this parameter in their
@@ -475,6 +477,8 @@ module Aws::S3
       # @option options [String] :mfa
       #   The concatenation of the authentication device's serial number, a
       #   space, and the value that is displayed on your authentication device.
+      #   Required to permanently delete a versioned object if versioning is
+      #   configured with MFA Delete enabled.
       # @option options [String] :request_payer
       #   Confirms that the requester knows that she or he will be charged for
       #   the request. Bucket owners need not specify this parameter in their

data/lib/aws-sdk-s3/plugins/iad_regional_endpoint.rb

@@ -0,0 +1,59 @@
+module Aws
+  module S3
+    module Plugins
+
+      class IADRegionalEndpoint < Seahorse::Client::Plugin
+        
+        option(:s3_us_east_1_regional_endpoint,
+          default: 'legacy',
+          doc_type: String,
+          docstring: <<-DOCS) do |cfg|
+Passing in `regional` to enable regional endpoint for S3's `us-east-1`
+region. Defaults to `legacy` mode using global endpoint.
+          DOCS
+          resolve_iad_regional_endpoint(cfg)
+        end
+
+        def add_handlers(handlers, config)
+          if config.region == 'us-east-1'
+            handlers.add(Handler)
+          end
+        end
+
+        # @api private
+        class Handler < Seahorse::Client::Handler
+
+          def call(context)
+            # keep legacy global endpoint pattern by default
+            if context.config.s3_us_east_1_regional_endpoint == 'legacy'
+              context.http_request.endpoint.host = IADRegionalEndpoint.legacy_host(
+                context.http_request.endpoint.host)
+            end
+            @handler.call(context)
+          end
+
+        end
+
+        def self.legacy_host(host)
+          host.sub(".us-east-1", '')
+        end
+
+        private
+
+        def self.resolve_iad_regional_endpoint(cfg)
+          mode = ENV['AWS_S3_US_EAST_1_REGIONAL_ENDPOINT'] ||
+            Aws.shared_config.s3_us_east_1_regional_endpoint(profile: cfg.profile) ||
+            'legacy'
+          unless %w(legacy regional).include?(mode)
+            raise ArgumentError, "expected :s3_us_east_1_regional_endpoint or"\
+              " ENV['AWS_S3_US_EAST_1_REGIONAL_ENDPOINT'] to be `legacy` or"\
+              " `regional`."
+          end
+          mode
+        end
+
+      end
+
+    end
+  end
+end

data/lib/aws-sdk-s3/plugins/md5s.rb

@@ -1,5 +1,4 @@
 require 'openssl'
-require 'base64'
 
 module Aws
   module S3
@@ -37,13 +36,13 @@ module Aws
           # @return [String<MD5>]
           def md5(value)
             if (File === value || Tempfile === value) && !value.path.nil? && File.exist?(value.path)
-              Base64.encode64(OpenSSL::Digest::MD5.file(value).digest).strip
+              OpenSSL::Digest::MD5.file(value).base64digest
             elsif value.respond_to?(:read)
               md5 = OpenSSL::Digest::MD5.new
               update_in_chunks(md5, value)
-              Base64.encode64(md5.digest).strip
+              md5.base64digest
             else
-              Base64.encode64(OpenSSL::Digest::MD5.digest(value)).strip
+              OpenSSL::Digest::MD5.digest(value).base64digest
             end
           end
 

data/lib/aws-sdk-s3/plugins/s3_signer.rb

@@ -17,6 +17,8 @@ module Aws
         end
 
         option(:sigv4_region) do |cfg|
+          raise Aws::Errors::MissingRegionError if cfg.region.nil?
+
           Aws::Partitions::EndpointProvider.signing_region(cfg.region, 's3')
         end
 

data/lib/aws-sdk-s3/presigned_post.rb

@@ -585,6 +585,10 @@ module Aws
         else
           url.path = '/' + @bucket_name
         end
+        if @bucket_region == 'us-east-1'
+          # keep legacy behavior by default
+          url.host = Plugins::IADRegionalEndpoint.legacy_host(url.host)
+        end
         url.to_s
       end
 

data/lib/aws-sdk-s3/presigner.rb

@@ -16,6 +16,25 @@ module Aws
       # @api private
       FIFTEEN_MINUTES = 60 * 15
 
+      BLACKLISTED_HEADERS = [
+        'accept',
+        'cache-control',
+        'content-length', # due to a ELB bug
+        'expect',
+        'from',
+        'if-match',
+        'if-none-match',
+        'if-modified-since',
+        'if-unmodified-since',
+        'if-range',
+        'max-forwards',
+        'pragma',
+        'proxy-authorization',
+        'referer',
+        'te',
+        'user-agent'
+      ].freeze
+
       # @option options [Client] :client Optionally provide an existing
       #   S3 client
       def initialize(options = {})
@@ -31,6 +50,9 @@ module Aws
       #   attempts to set this value to greater than one week (604800) will
       #   raise an exception.
       #
+      # @option params [Time] :time (Time.now) The starting time for when the
+      #   presigned url becomes active.
+      #
       # @option params [Boolean] :secure (true) When `false`, a HTTP URL
       #   is returned instead of the default HTTPS URL.
       #
@@ -38,8 +60,15 @@ module Aws
       #   bucket name will be used as the hostname. This will cause
       #   the returned URL to be 'http' and not 'https'.
       #
-      # @option params [Boolean] :use_accelerate_endpoint (false) When `true`, Presigner
-      #   will attempt to use accelerated endpoint
+      # @option params [Boolean] :use_accelerate_endpoint (false) When `true`,
+      #   Presigner will attempt to use accelerated endpoint.
+      #
+      # @option params [Array<String>] :whitelist_headers ([]) Additional
+      #   headers to be included for the signed request. Certain headers beyond
+      #   the authorization header could, in theory, be changed for various
+      #   reasons (including but not limited to proxies) while in transit and
+      #   after signing. This would lead to signature errors being returned,
+      #   despite no actual problems with signing. (see BLACKLISTED_HEADERS)
       #
       # @raise [ArgumentError] Raises an ArgumentError if `:expires_in`
       #   exceeds one week.
@@ -49,11 +78,15 @@ module Aws
           raise ArgumentError, ":key must not be blank"
         end
         virtual_host = !!params.delete(:virtual_host)
+        time = params.delete(:time)
+        whitelisted_headers = params.delete(:whitelist_headers) || []
+        unsigned_headers = BLACKLISTED_HEADERS - whitelisted_headers
         scheme = http_scheme(params, virtual_host)
 
         req = @client.build_request(method, params)
         use_bucket_as_hostname(req) if virtual_host
-        sign_but_dont_send(req, expires_in(params), scheme)
+
+        sign_but_dont_send(req, expires_in(params), scheme, time, unsigned_headers)
         req.send_request.data
       end
 
@@ -68,7 +101,7 @@ module Aws
       end
 
       def expires_in(params)
-        if expires_in = params.delete(:expires_in)
+        if (expires_in = params.delete(:expires_in))
           if expires_in > ONE_WEEK
             msg = "expires_in value of #{expires_in} exceeds one-week maximum"
             raise ArgumentError, msg
@@ -92,17 +125,16 @@ module Aws
       end
 
       # @param [Seahorse::Client::Request] req
-      def sign_but_dont_send(req, expires_in, scheme)
-
+      def sign_but_dont_send(req, expires_in, scheme, time, unsigned_headers)
         http_req = req.context.http_request
 
         req.handlers.remove(Aws::S3::Plugins::S3Signer::LegacyHandler)
         req.handlers.remove(Aws::S3::Plugins::S3Signer::V4Handler)
         req.handlers.remove(Seahorse::Client::Plugins::ContentLength::Handler)
 
-        signer = build_signer(req.context.config)
-        req.context[:presigned_url] = true
+        signer = build_signer(req.context.config, unsigned_headers)
 
+        req.context[:presigned_url] = true
         req.handle(step: :send) do |context|
 
           if scheme != http_req.endpoint.scheme
@@ -128,41 +160,23 @@ module Aws
             url: http_req.endpoint,
             headers: http_req.headers,
             body_digest: 'UNSIGNED-PAYLOAD',
-            expires_in: expires_in
+            expires_in: expires_in,
+            time: time
           ).to_s
 
           Seahorse::Client::Response.new(context: context, data: url)
         end
       end
 
-      def build_signer(cfg)
+      def build_signer(cfg, unsigned_headers)
         Aws::Sigv4::Signer.new(
           service: 's3',
           region: cfg.region,
           credentials_provider: cfg.credentials,
-          unsigned_headers: [
-            'cache-control',
-            'content-length', # due to a ELB bug
-            'expect',
-            'max-forwards',
-            'pragma',
-            'te',
-            'if-match',
-            'if-none-match',
-            'if-modified-since',
-            'if-unmodified-since',
-            'if-range',
-            'accept',
-            'proxy-authorization',
-            'from',
-            'referer',
-            'user-agent',
-            'x-amzn-trace-id'
-          ],
+          unsigned_headers: unsigned_headers,
           uri_escape_path: false
         )
       end
-
     end
   end
 end

data/lib/aws-sdk-s3/resource.rb

@@ -40,7 +40,9 @@ module Aws::S3
     # @option options [String] :acl
     #   The canned ACL to apply to the bucket.
     # @option options [required, String] :bucket
+    #   The name of the bucket to create.
     # @option options [Types::CreateBucketConfiguration] :create_bucket_configuration
+    #   The configuration information for the bucket.
     # @option options [String] :grant_full_control
     #   Allows grantee the read, write, read ACP, and write ACP permissions on
     #   the bucket.