aws-sdk-s3 1.78.0 → 1.87.0

data/lib/aws-sdk-s3/object_version.rb

@@ -234,6 +234,7 @@ module Aws::S3
     #     mfa: "MFA",
     #     request_payer: "requester", # accepts requester
     #     bypass_governance_retention: false,
+    #     expected_bucket_owner: "AccountId",
     #   })
     # @param [Hash] options ({})
     # @option options [String] :mfa
@@ -254,6 +255,10 @@ module Aws::S3
     # @option options [Boolean] :bypass_governance_retention
     #   Indicates whether S3 Object Lock should bypass Governance-mode
     #   restrictions to process this operation.
+    # @option options [String] :expected_bucket_owner
+    #   The account id of the expected bucket owner. If the bucket is owned by
+    #   a different account, the request will fail with an HTTP `403 (Access
+    #   Denied)` error.
     # @return [Types::DeleteObjectOutput]
     def delete(options = {})
       options = options.merge(
@@ -284,6 +289,7 @@ module Aws::S3
     #     sse_customer_key_md5: "SSECustomerKeyMD5",
     #     request_payer: "requester", # accepts requester
     #     part_number: 1,
+    #     expected_bucket_owner: "AccountId",
     #   })
     # @param [Hash] options ({})
     # @option options [String] :if_match
@@ -331,7 +337,7 @@ module Aws::S3
     #   encrypting data. This value is used to store the object and then it is
     #   discarded; Amazon S3 does not store the encryption key. The key must
     #   be appropriate for use with the algorithm specified in the
-    #   `x-amz-server-side​-encryption​-customer-algorithm` header.
+    #   `x-amz-server-side-encryption-customer-algorithm` header.
     # @option options [String] :sse_customer_key_md5
     #   Specifies the 128-bit MD5 digest of the encryption key according to
     #   RFC 1321. Amazon S3 uses this header for a message integrity check to
@@ -351,6 +357,10 @@ module Aws::S3
     #   between 1 and 10,000. Effectively performs a 'ranged' GET request
     #   for the part specified. Useful for downloading just a part of an
     #   object.
+    # @option options [String] :expected_bucket_owner
+    #   The account id of the expected bucket owner. If the bucket is owned by
+    #   a different account, the request will fail with an HTTP `403 (Access
+    #   Denied)` error.
     # @return [Types::GetObjectOutput]
     def get(options = {}, &block)
       options = options.merge(
@@ -375,6 +385,7 @@ module Aws::S3
     #     sse_customer_key_md5: "SSECustomerKeyMD5",
     #     request_payer: "requester", # accepts requester
     #     part_number: 1,
+    #     expected_bucket_owner: "AccountId",
     #   })
     # @param [Hash] options ({})
     # @option options [String] :if_match
@@ -392,12 +403,16 @@ module Aws::S3
     # @option options [String] :range
     #   Downloads the specified range bytes of an object. For more information
     #   about the HTTP Range header, see
-    #   [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35]().
+    #   [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35][1].
     #
     #   <note markdown="1"> Amazon S3 doesn't support retrieving multiple ranges of data per
     #   `GET` request.
     #
     #    </note>
+    #
+    #
+    #
+    #   [1]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35
     # @option options [String] :sse_customer_algorithm
     #   Specifies the algorithm to use to when encrypting the object (for
     #   example, AES256).
@@ -406,7 +421,7 @@ module Aws::S3
     #   encrypting data. This value is used to store the object and then it is
     #   discarded; Amazon S3 does not store the encryption key. The key must
     #   be appropriate for use with the algorithm specified in the
-    #   `x-amz-server-side​-encryption​-customer-algorithm` header.
+    #   `x-amz-server-side-encryption-customer-algorithm` header.
     # @option options [String] :sse_customer_key_md5
     #   Specifies the 128-bit MD5 digest of the encryption key according to
     #   RFC 1321. Amazon S3 uses this header for a message integrity check to
@@ -426,6 +441,10 @@ module Aws::S3
     #   between 1 and 10,000. Effectively performs a 'ranged' HEAD request
     #   for the part specified. Useful querying about the size of the part and
     #   the number of parts in this object.
+    # @option options [String] :expected_bucket_owner
+    #   The account id of the expected bucket owner. If the bucket is owned by
+    #   a different account, the request will fail with an HTTP `403 (Access
+    #   Denied)` error.
     # @return [Types::HeadObjectOutput]
     def head(options = {})
       options = options.merge(
@@ -504,6 +523,7 @@ module Aws::S3
       #     mfa: "MFA",
       #     request_payer: "requester", # accepts requester
       #     bypass_governance_retention: false,
+      #     expected_bucket_owner: "AccountId",
       #   })
       # @param options ({})
       # @option options [String] :mfa
@@ -525,6 +545,10 @@ module Aws::S3
       #   Specifies whether you want to delete this object even if it has a
       #   Governance-type Object Lock in place. You must have sufficient
       #   permissions to perform this operation.
+      # @option options [String] :expected_bucket_owner
+      #   The account id of the expected bucket owner. If the bucket is owned by
+      #   a different account, the request will fail with an HTTP `403 (Access
+      #   Denied)` error.
       # @return [void]
       def batch_delete!(options = {})
         batch_enum.each do |batch|

data/lib/aws-sdk-s3/plugins/arn.rb

@@ -0,0 +1,187 @@
+# frozen_string_literal: true
+
+require_relative '../arn/access_point_arn'
+require_relative '../arn/outpost_access_point_arn'
+
+module Aws
+  module S3
+    module Plugins
+      # When an accesspoint ARN is provided for :bucket in S3 operations, this
+      # plugin resolves the request endpoint from the ARN when possible.
+      # @api private
+      class ARN < Seahorse::Client::Plugin
+        option(
+          :s3_use_arn_region,
+          default: true,
+          doc_type: 'Boolean',
+          docstring: <<-DOCS) do |cfg|
+For S3 ARNs passed into the `:bucket` parameter, this option will
+use the region in the ARN, allowing for cross-region requests to
+be made. Set to `false` to use the client's region instead.
+          DOCS
+          resolve_s3_use_arn_region(cfg)
+        end
+
+        def add_handlers(handlers, _config)
+          handlers.add(Handler)
+        end
+
+        class Handler < Seahorse::Client::Handler
+          def call(context)
+            bucket_member = _bucket_member(context.operation.input.shape)
+            if bucket_member && (bucket = context.params[bucket_member])
+              resolved_region, arn = ARN.resolve_arn!(
+                bucket,
+                context.config.region,
+                context.config.s3_use_arn_region
+              )
+              if arn
+                validate_config!(context, arn)
+
+                ARN.resolve_url!(
+                  context.http_request.endpoint,
+                  arn,
+                  resolved_region,
+                  extract_dualstack_config!(context)
+                )
+              end
+            end
+            @handler.call(context)
+          end
+
+          private
+
+          def _bucket_member(input)
+            input.members.each do |member, ref|
+              return member if ref.shape.name == 'BucketName'
+            end
+            nil
+          end
+
+          # other plugins use dualstack so disable it when we're done
+          def extract_dualstack_config!(context)
+            dualstack = context[:use_dualstack_endpoint]
+            context[:use_dualstack_endpoint] = false if dualstack
+            dualstack
+          end
+
+          def validate_config!(context, arn)
+            unless context.config.regional_endpoint
+              raise ArgumentError,
+                    'Cannot provide both an Access Point ARN and setting '\
+                    ':endpoint.'
+            end
+
+            if context.config.force_path_style
+              raise ArgumentError,
+                    'Cannot provide both an Access Point ARN and setting '\
+                    ':force_path_style to true.'
+            end
+
+            if context.config.use_accelerate_endpoint
+              raise ArgumentError,
+                    'Cannot provide both an Access Point ARN and setting '\
+                    ':use_accelerate_endpoint to true.'
+            end
+
+            if !arn.support_dualstack? && context[:use_dualstack_endpoint]
+              raise ArgumentError,
+                    'Cannot provide both an Outpost Access Point ARN and '\
+                    'setting :use_dualstack_endpoint to true.'
+            end
+          end
+        end
+
+        class << self
+          # @api private
+          def resolve_arn!(member_value, region, use_arn_region)
+            if Aws::ARNParser.arn?(member_value)
+              arn = Aws::ARNParser.parse(member_value)
+              if arn.resource.start_with?('accesspoint')
+                s3_arn = Aws::S3::AccessPointARN.new(arn.to_h)
+              elsif arn.resource.start_with?('outpost')
+                s3_arn = Aws::S3::OutpostAccessPointARN.new(arn.to_h)
+              else
+                raise ArgumentError,
+                      'Only Access Point and Outpost Access Point type ARNs '\
+                      'are currently supported.'
+              end
+              s3_arn.validate_arn!
+              validate_region_config!(s3_arn, region, use_arn_region)
+              region = s3_arn.region if use_arn_region
+              [region, s3_arn]
+            else
+              [region]
+            end
+          end
+
+          # @api private
+          def resolve_url!(url, arn, region, dualstack = false)
+            url.host = arn.host_url(region, dualstack)
+            url.path = url_path(url.path, arn)
+            url
+          end
+
+          private
+
+          def resolve_s3_use_arn_region(cfg)
+            value = ENV['AWS_S3_USE_ARN_REGION'] ||
+                    Aws.shared_config.s3_use_arn_region(profile: cfg.profile) ||
+                    'true'
+            value = Aws::Util.str_2_bool(value)
+            # Raise if provided value is not true or false
+            if value.nil?
+              raise ArgumentError,
+                    'Must provide either `true` or `false` for '\
+                    's3_use_arn_region profile option or for '\
+                    "ENV['AWS_S3_USE_ARN_REGION']"
+            end
+            value
+          end
+
+          # Remove ARN from the path since it was substituted already
+          # This only works because accesspoints care about the URL
+          def url_path(path, arn)
+            path = path.sub("/#{Seahorse::Util.uri_escape(arn.to_s)}", '')
+                       .sub("/#{arn}", '')
+            "/#{path}" unless path =~ /^\//
+            path
+          end
+
+          def validate_region_config!(arn, region, use_arn_region)
+            fips = arn.support_fips?
+
+            # s3-external-1 is specific just to s3 and not part of partitions
+            # aws-global is a partition region
+            unless arn.partition == 'aws' &&
+                   (region == 's3-external-1' || region == 'aws-global')
+              if !fips && arn.region.include?('fips')
+                raise ArgumentError,
+                      'FIPS region ARNs are not supported for this type of ARN.'
+              end
+
+              if !fips && !use_arn_region && region.include?('fips')
+                raise ArgumentError,
+                      'FIPS client regions are not supported for this type of '\
+                      'ARN without s3_use_arn_region.'
+              end
+
+              # if it's a fips region, attempt to normalize it
+              if fips || use_arn_region
+                region = region.gsub('fips-', '').gsub('-fips', '')
+              end
+              if use_arn_region &&
+                 !Aws::Partitions.partition(arn.partition).region?(region)
+                raise Aws::Errors::InvalidARNPartitionError
+              end
+
+              if !use_arn_region && region != arn.region
+                raise Aws::Errors::InvalidARNRegionError
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/plugins/bucket_dns.rb

@@ -73,8 +73,6 @@ request URI and never moved to the host as a sub-domain.
             end
           end
 
-          # Checks for a valid RFC-3986 host name
-          # @see https://tools.ietf.org/html/rfc3986#section-3.2.2
           # @param [String] bucket_name
           # @return [Boolean]
           def valid_subdomain?(bucket_name)

data/lib/aws-sdk-s3/plugins/bucket_name_restrictions.rb

@@ -13,7 +13,7 @@ module Aws
           def call(context)
             bucket_member = _bucket_member(context.operation.input.shape)
             if bucket_member && (bucket = context.params[bucket_member])
-              _resolved_bucket, _resolved_region, arn = BucketARN.resolve_arn!(
+              _resolved_region, arn = ARN.resolve_arn!(
                 bucket,
                 context.config.region,
                 context.config.s3_use_arn_region

data/lib/aws-sdk-s3/plugins/iad_regional_endpoint.rb

@@ -28,8 +28,13 @@ region. Defaults to `legacy` mode using global endpoint.
           def call(context)
             # keep legacy global endpoint pattern by default
             if context.config.s3_us_east_1_regional_endpoint == 'legacy'
-              context.http_request.endpoint.host = IADRegionalEndpoint.legacy_host(
-                context.http_request.endpoint.host)
+              host = context.http_request.endpoint.host
+              # if it's an ARN, don't touch the endpoint at all
+              # TODO this should use context.metadata[:s3_arn] later
+              unless host.include?('.s3-outposts.') || host.include?('.s3-accesspoint.')
+                legacy_host = IADRegionalEndpoint.legacy_host(host)
+                context.http_request.endpoint.host = legacy_host
+              end
             end
             @handler.call(context)
           end

data/lib/aws-sdk-s3/plugins/s3_signer.rb

@@ -12,12 +12,14 @@ module Aws
 
         option(:sigv4_signer) do |cfg|
           S3Signer.build_v4_signer(
+            service: 's3',
             region: cfg.sigv4_region,
             credentials: cfg.credentials
           )
         end
 
         option(:sigv4_region) do |cfg|
+          # S3 removes core's signature_v4 plugin that checks for this
           raise Aws::Errors::MissingRegionError if cfg.region.nil?
 
           Aws::Partitions::EndpointProvider.signing_region(cfg.region, 's3')
@@ -67,11 +69,26 @@ module Aws
             if context[:cached_sigv4_region] &&
                context[:cached_sigv4_region] != context.config.sigv4_signer.region
               S3Signer.build_v4_signer(
+                service: 's3',
                 region: context[:cached_sigv4_region],
                 credentials: context.config.credentials
               )
             else
-              context.config.sigv4_signer
+              resolved_region, arn = ARN.resolve_arn!(
+                context.params[:bucket],
+                context.config.sigv4_signer.region,
+                context.config.s3_use_arn_region
+              )
+
+              if arn
+                S3Signer.build_v4_signer(
+                  service: arn.service,
+                  region: resolved_region,
+                  credentials: context.config.credentials
+                )
+              else
+                context.config.sigv4_signer
+              end
             end
           end
         end
@@ -90,7 +107,9 @@ module Aws
           def check_for_cached_region(context, bucket)
             cached_region = S3::BUCKET_REGIONS[bucket]
             if cached_region && cached_region != context.config.region
-              context.http_request.endpoint.host = S3Signer.new_hostname(context, cached_region)
+              context.http_request.endpoint.host = S3Signer.new_hostname(
+                context, cached_region
+              )
               context[:cached_sigv4_region] = cached_region
             end
           end
@@ -150,11 +169,14 @@ module Aws
 
           def resign_with_new_region(context, actual_region)
             context.http_response.body.truncate(0)
-            context.http_request.endpoint.host = S3Signer.new_hostname(context, actual_region)
+            context.http_request.endpoint.host = S3Signer.new_hostname(
+              context, actual_region
+            )
             context.metadata[:redirect_region] = actual_region
             Aws::Plugins::SignatureV4.apply_signature(
               context: context,
               signer: S3Signer.build_v4_signer(
+                service: 's3',
                 region: actual_region,
                 credentials: context.config.credentials
               )
@@ -189,7 +211,7 @@ module Aws
           # @api private
           def build_v4_signer(options = {})
             Aws::Sigv4::Signer.new(
-              service: 's3',
+              service: options[:service],
               region: options[:region],
               credentials_provider: options[:credentials],
               uri_escape_path: false,
@@ -200,7 +222,7 @@ module Aws
           def new_hostname(context, region)
             # Check to see if the bucket is actually an ARN and resolve it
             # Otherwise it will retry with the ARN as the bucket name.
-            resolved_bucket, resolved_region, arn = BucketARN.resolve_arn!(
+            resolved_region, arn = ARN.resolve_arn!(
               context.params[:bucket],
               region,
               context.config.s3_use_arn_region
@@ -210,9 +232,9 @@ module Aws
             )
 
             if arn
-              BucketARN.resolve_url!(uri, arn).host
+              ARN.resolve_url!(uri, arn).host
             else
-              resolved_bucket + '.' + uri.host
+              "#{context.params[:bucket]}.#{uri.host}"
             end
           end
         end

data/lib/aws-sdk-s3/presigned_post.rb

@@ -237,6 +237,7 @@ module Aws
         @bucket_region = bucket_region
         @bucket_name = bucket_name
         @accelerate = !!options.delete(:use_accelerate_endpoint)
+        options.delete(:url) if @accelerate # resource methods pass url
         @url = options.delete(:url) || bucket_url
         @fields = {}
         @key_set = false

data/lib/aws-sdk-s3/presigner.rb

@@ -12,6 +12,7 @@ module Aws
       # @api private
       BLACKLISTED_HEADERS = [
         'accept',
+        'amz-sdk-request',
         'cache-control',
         'content-length', # due to a ELB bug
         'expect',
@@ -195,7 +196,7 @@ module Aws
         req.handlers.remove(Aws::S3::Plugins::S3Signer::V4Handler)
         req.handlers.remove(Seahorse::Client::Plugins::ContentLength::Handler)
 
-        signer = build_signer(req.context.config, unsigned_headers)
+        signer = build_signer(req.context, unsigned_headers)
 
         req.handle(step: :send) do |context|
           if scheme != http_req.endpoint.scheme
@@ -239,14 +240,27 @@ module Aws
         x_amz_headers
       end
 
-      def build_signer(cfg, unsigned_headers)
-        Aws::Sigv4::Signer.new(
+      def build_signer(context, unsigned_headers)
+        signer_opts = {
           service: 's3',
-          region: cfg.region,
-          credentials_provider: cfg.credentials,
+          region: context.config.region,
+          credentials_provider: context.config.credentials,
           unsigned_headers: unsigned_headers,
           uri_escape_path: false
+        }
+
+        resolved_region, arn = Aws::S3::Plugins::ARN.resolve_arn!(
+          context.params[:bucket],
+          context.config.sigv4_signer.region,
+          context.config.s3_use_arn_region
         )
+
+        if arn
+          signer_opts[:region] = resolved_region
+          signer_opts[:service] = arn.service
+        end
+
+        Aws::Sigv4::Signer.new(signer_opts)
       end
     end
   end