aws-sdk-s3 1.88.1 → 1.105.1

data/lib/aws-sdk-s3/plugins/arn.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
 require_relative '../arn/access_point_arn'
+require_relative '../arn/object_lambda_arn'
 require_relative '../arn/outpost_access_point_arn'
+require_relative '../arn/multi_region_access_point_arn'
 
 module Aws
   module S3
@@ -22,9 +24,21 @@ be made. Set to `false` to use the client's region instead.
           resolve_s3_use_arn_region(cfg)
         end
 
-        # param validator is validate:50 (required to add account_id from arn)
+        option(
+          :s3_disable_multiregion_access_points,
+          default: false,
+          doc_type: 'Boolean',
+          docstring: <<-DOCS) do |cfg|
+When set to `false` this will option will raise errors when multi-region
+access point ARNs are used.  Multi-region access points can potentially
+result in cross region requests.
+        DOCS
+          resolve_s3_disable_multiregion_access_points(cfg)
+        end
+
+        # param validator is validate:50
         # endpoint is build:90 (populates the URI for the first time)
-        # endpoint pattern is build:10 (prefix account id to host)
+        # endpoint pattern is build:10
         def add_handlers(handlers, _config)
           handlers.add(ARNHandler, step: :validate, priority: 75)
           handlers.add(UrlHandler)
@@ -38,6 +52,7 @@ be made. Set to `false` to use the client's region instead.
                 context.http_request.endpoint,
                 context.metadata[:s3_arn][:arn],
                 context.metadata[:s3_arn][:resolved_region],
+                context.metadata[:s3_arn][:fips],
                 context.metadata[:s3_arn][:dualstack],
                 # if regional_endpoint is false, a custom endpoint was provided
                 # in this case, we want to prefix the endpoint using the ARN
@@ -65,6 +80,7 @@ be made. Set to `false` to use the client's region instead.
                 context.metadata[:s3_arn] = {
                   arn: arn,
                   resolved_region: resolved_region,
+                  fips: context.config.use_fips_endpoint,
                   dualstack: extract_dualstack_config!(context)
                 }
               end
@@ -103,8 +119,21 @@ be made. Set to `false` to use the client's region instead.
 
             if !arn.support_dualstack? && context[:use_dualstack_endpoint]
               raise ArgumentError,
-                    'Cannot provide an Outpost Access Point ARN when '\
-                    '`:use_dualstack_endpoint` is set to true.'
+                    'Cannot provide an Outpost Access Point, Object Lambda, '\
+                    'or Multi-region Access Point ARN'\
+                    ' when `:use_dualstack_endpoint` is set to true.'
+            end
+
+            if arn.region.empty? && context.config.s3_disable_multiregion_access_points
+              raise ArgumentError,
+                    'Cannot provide a Multi-region Access Point ARN with '\
+                    '`:s3_disable_multiregion_access_points` set to true'
+            end
+
+            if context.config.use_fips_endpoint && !arn.support_fips?
+              raise ArgumentError,
+                    'FIPS client regions are not supported for this type '\
+                    'of ARN.'
             end
           end
         end
@@ -114,15 +143,7 @@ be made. Set to `false` to use the client's region instead.
           def resolve_arn!(member_value, region, use_arn_region)
             if Aws::ARNParser.arn?(member_value)
               arn = Aws::ARNParser.parse(member_value)
-              if arn.resource.start_with?('accesspoint')
-                s3_arn = Aws::S3::AccessPointARN.new(arn.to_h)
-              elsif arn.resource.start_with?('outpost')
-                s3_arn = Aws::S3::OutpostAccessPointARN.new(arn.to_h)
-              else
-                raise ArgumentError,
-                      'Only Access Point and Outpost Access Point type ARNs '\
-                      'are currently supported.'
-              end
+              s3_arn = resolve_arn_type!(arn)
               s3_arn.validate_arn!
               validate_region_config!(s3_arn, region, use_arn_region)
               region = s3_arn.region if use_arn_region
@@ -133,15 +154,32 @@ be made. Set to `false` to use the client's region instead.
           end
 
           # @api private
-          def resolve_url!(url, arn, region, dualstack = false, has_custom_endpoint = false)
+          def resolve_url!(url, arn, region, fips = false, dualstack = false, has_custom_endpoint = false)
             custom_endpoint = url.host if has_custom_endpoint
-            url.host = arn.host_url(region, dualstack, custom_endpoint)
+            url.host = arn.host_url(region, fips, dualstack, custom_endpoint)
             url.path = url_path(url.path, arn)
             url
           end
 
           private
 
+          def resolve_arn_type!(arn)
+            case arn.service
+            when 's3'
+              arn.region.empty? ?
+                Aws::S3::MultiRegionAccessPointARN.new(arn.to_h) :
+                Aws::S3::AccessPointARN.new(arn.to_h)
+            when 's3-outposts'
+              Aws::S3::OutpostAccessPointARN.new(arn.to_h)
+            when 's3-object-lambda'
+              Aws::S3::ObjectLambdaARN.new(arn.to_h)
+            else
+              raise ArgumentError,
+                    'Only Access Point, Outposts, and Object Lambdas ARNs '\
+                    'are currently supported.'
+            end
+          end
+
           def resolve_s3_use_arn_region(cfg)
             value = ENV['AWS_S3_USE_ARN_REGION'] ||
                     Aws.shared_config.s3_use_arn_region(profile: cfg.profile) ||
@@ -157,8 +195,22 @@ be made. Set to `false` to use the client's region instead.
             value
           end
 
-          # Remove ARN from the path since it was substituted already
-          # This only works because accesspoints care about the URL
+          def resolve_s3_disable_multiregion_access_points(cfg)
+            value = ENV['AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS'] ||
+              Aws.shared_config.s3_disable_multiregion_access_points(profile: cfg.profile) ||
+              'false'
+            value = Aws::Util.str_2_bool(value)
+            # Raise if provided value is not true or false
+            if value.nil?
+              raise ArgumentError,
+                    'Must provide either `true` or `false` for '\
+                    's3_use_arn_region profile option or for '\
+                    "ENV['AWS_S3_USE_ARN_REGION']"
+            end
+            value
+          end
+
+          # Remove ARN from the path because we've already set the new host
           def url_path(path, arn)
             path = path.sub("/#{Seahorse::Util.uri_escape(arn.to_s)}", '')
                        .sub("/#{arn}", '')
@@ -167,34 +219,31 @@ be made. Set to `false` to use the client's region instead.
           end
 
           def validate_region_config!(arn, region, use_arn_region)
-            fips = arn.support_fips?
-
-            # s3-external-1 is specific just to s3 and not part of partitions
-            # aws-global is a partition region
-            unless arn.partition == 'aws' &&
-                   (region == 's3-external-1' || region == 'aws-global')
-              if !fips && arn.region.include?('fips')
-                raise ArgumentError,
-                      'FIPS region ARNs are not supported for this type of ARN.'
-              end
-
-              if !fips && !use_arn_region && region.include?('fips')
-                raise ArgumentError,
-                      'FIPS client regions are not supported for this type of '\
-                      'ARN without `:s3_use_arn_region`.'
+            if ['s3-external-1', 'aws-global'].include?(region)
+              # These "regions" are not regional endpoints
+              unless use_arn_region
+                raise Aws::Errors::InvalidARNRegionError,
+                      'Configured client region is not a regional endpoint.'
               end
-
-              # if it's a fips region, attempt to normalize it
-              if fips || use_arn_region
-                region = region.gsub('fips-', '').gsub('-fips', '')
-              end
-              if use_arn_region &&
-                 !Aws::Partitions.partition(arn.partition).region?(region)
+              # These "regions" are in the AWS partition
+              # Cannot use ARN region unless it's the same partition
+              unless arn.partition == 'aws'
                 raise Aws::Errors::InvalidARNPartitionError
               end
-
-              if !use_arn_region && region != arn.region
-                raise Aws::Errors::InvalidARNRegionError
+            else
+              # use_arn_region does not apply to MRAP (global) arns
+              unless arn.region.empty?
+                # Raise if the ARN and client regions are in different partitions
+                if use_arn_region &&
+                   !Aws::Partitions.partition(arn.partition).region?(region)
+                  raise Aws::Errors::InvalidARNPartitionError
+                end
+
+                # Raise if regions mismatch
+                # Either when it's a fips client or not using the ARN region
+                if !use_arn_region && region != arn.region
+                  raise Aws::Errors::InvalidARNRegionError
+                end
               end
             end
           end

data/lib/aws-sdk-s3/plugins/bucket_dns.rb

@@ -24,7 +24,7 @@ request URI and never moved to the host as a sub-domain.
           DOCS
 
         def add_handlers(handlers, config)
-          handlers.add(Handler) unless config.force_path_style
+          handlers.add(Handler, priority: 48) unless config.force_path_style
         end
 
         # @api private

data/lib/aws-sdk-s3/plugins/dualstack.rb

@@ -5,18 +5,9 @@ module Aws
     module Plugins
       # @api private
       class Dualstack < Seahorse::Client::Plugin
-
-        option(:use_dualstack_endpoint,
-          default: false,
-          doc_type: 'Boolean',
-          docstring: <<-DOCS)
-When set to `true`, IPv6-compatible bucket endpoints will be used
-for all operations.
-          DOCS
-
         def add_handlers(handlers, config)
           handlers.add(OptionHandler, step: :initialize)
-          handlers.add(DualstackHandler, step: :build, priority: 11)
+          handlers.add(DualstackHandler, step: :build, priority: 49)
         end
 
         # @api private
@@ -40,38 +31,41 @@ for all operations.
         # @api private
         class DualstackHandler < Seahorse::Client::Handler
           def call(context)
-            if context.config.regional_endpoint && use_dualstack_endpoint?(context)
+            # only rewrite the endpoint if it's not a custom endpoint
+            # accelerate/ARN already handle dualstack cases, so ignore these
+            # check to see if dualstack is on but configured off via operation
+            if context.config.regional_endpoint &&
+               use_dualstack_endpoint?(context)
               apply_dualstack_endpoint(context)
             end
             @handler.call(context)
           end
 
           private
-          def apply_dualstack_endpoint(context)
-            bucket_name = context.params[:bucket]
-            region = context.config.region
-            dns_suffix = Aws::Partitions::EndpointProvider.dns_suffix_for(region)
 
-            if use_bucket_dns?(bucket_name, context)
-              host = "#{bucket_name}.s3.dualstack.#{region}.#{dns_suffix}"
-            else
-              host = "s3.dualstack.#{region}.#{dns_suffix}"
-            end
+          def apply_dualstack_endpoint(context)
+            new_endpoint = Aws::Partitions::EndpointProvider.resolve(
+              context.config.region,
+              's3',
+              'regional',
+              {
+                dualstack: context[:use_dualstack_endpoint],
+                fips: context.config.use_fips_endpoint
+              }
+            )
             endpoint = URI.parse(context.http_request.endpoint.to_s)
-            endpoint.scheme = context.http_request.endpoint.scheme
-            endpoint.port = context.http_request.endpoint.port
-            endpoint.host = host
-            context.http_request.endpoint = endpoint.to_s
-          end
-
-          def use_bucket_dns?(bucket_name, context)
-            ssl = context.http_request.endpoint.scheme == "https"
-            bucket_name && BucketDns.dns_compatible?(bucket_name, ssl) &&
-              !context.config.force_path_style
+            endpoint.host = URI.parse(new_endpoint).host
+            context.http_request.endpoint = endpoint
           end
 
           def use_dualstack_endpoint?(context)
-            context[:use_dualstack_endpoint] && !context[:use_accelerate_endpoint]
+            # case when dualstack is turned off via operation
+            (context[:use_dualstack_endpoint] ||
+              context.config.use_dualstack_endpoint) &&
+              # accelerate plugin already applies dualstack
+              !context[:use_accelerate_endpoint] &&
+              # arns handle dualstack
+              !context.metadata[:s3_arn]
           end
         end
 

data/lib/aws-sdk-s3/plugins/get_bucket_location_fix.rb

@@ -11,7 +11,7 @@ module Aws
             @handler.call(context).on(200) do |response|
               response.data = S3::Types::GetBucketLocationOutput.new
               xml = context.http_response.body_contents
-              matches = xml.match(/>(.+?)<\/LocationConstraint>/)
+              matches = xml.match(/<LocationConstraint.*?>(.+?)<\/LocationConstraint>/)
               response.data[:location_constraint] = matches ? matches[1] : ''
             end
           end

data/lib/aws-sdk-s3/plugins/iad_regional_endpoint.rb

@@ -10,14 +10,15 @@ module Aws
           default: 'legacy',
           doc_type: String,
           docstring: <<-DOCS) do |cfg|
-Passing in `regional` to enable regional endpoint for S3's `us-east-1`
-region. Defaults to `legacy` mode using global endpoint.
+Pass in `regional` to enable the `us-east-1` regional endpoint.
+Defaults to `legacy` mode which uses the global endpoint.
           DOCS
           resolve_iad_regional_endpoint(cfg)
         end
 
         def add_handlers(handlers, config)
-          if config.region == 'us-east-1'
+          # only modify non-custom endpoints
+          if config.regional_endpoint && config.region == 'us-east-1'
             handlers.add(Handler)
           end
         end
@@ -26,14 +27,14 @@ region. Defaults to `legacy` mode using global endpoint.
         class Handler < Seahorse::Client::Handler
 
           def call(context)
-            # keep legacy global endpoint pattern by default
-            if context.config.s3_us_east_1_regional_endpoint == 'legacy'
+            # WriteGetObjectResponse does not have a global endpoint
+            # ARNs are regionalized, so don't touch those either.
+            if context.operation.name != 'WriteGetObjectResponse' &&
+               context.config.s3_us_east_1_regional_endpoint == 'legacy' &&
+               !context.metadata[:s3_arn]
               host = context.http_request.endpoint.host
-              # if it's an ARN, don't touch the endpoint at all
-              unless context.metadata[:s3_arn]
-                legacy_host = IADRegionalEndpoint.legacy_host(host)
-                context.http_request.endpoint.host = legacy_host
-              end
+              legacy_host = IADRegionalEndpoint.legacy_host(host)
+              context.http_request.endpoint.host = legacy_host
             end
             @handler.call(context)
           end

data/lib/aws-sdk-s3/plugins/object_lambda_endpoint.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Aws
+  module S3
+    module Plugins
+      # WriteGetObjectResponse is called from Lambda after a data transform.
+      # If there is no custom endpoint, we change the endpoint from s3 to
+      # s3-object-lambda just for this operation.
+      class ObjectLambdaEndpoint < Seahorse::Client::Plugin
+        class Handler < Seahorse::Client::Handler
+          def call(context)
+            if context.config.regional_endpoint
+              host = context.http_request.endpoint.host
+              host = host.sub('s3.', 's3-object-lambda.')
+              context.http_request.endpoint.host = host
+            end
+            @handler.call(context)
+          end
+        end
+
+        handler(Handler, operations: [:write_get_object_response])
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/plugins/s3_signer.rb

@@ -22,7 +22,9 @@ module Aws
           # S3 removes core's signature_v4 plugin that checks for this
           raise Aws::Errors::MissingRegionError if cfg.region.nil?
 
-          Aws::Partitions::EndpointProvider.signing_region(cfg.region, 's3')
+          Aws::Partitions::EndpointProvider.signing_region(
+            cfg.region, 's3'
+          )
         end
 
         def add_handlers(handlers, cfg)
@@ -74,9 +76,23 @@ module Aws
                 credentials: context.config.credentials
               )
             elsif (arn = context.metadata[:s3_arn])
+              if arn[:arn].is_a?(MultiRegionAccessPointARN)
+                signing_region = '*'
+                signing_algorithm = :sigv4a
+              else
+                signing_region = arn[:resolved_region]
+                signing_algorithm = :sigv4
+              end
               S3Signer.build_v4_signer(
                 service: arn[:arn].service,
-                region: arn[:resolved_region],
+                signing_algorithm: signing_algorithm,
+                region: signing_region,
+                credentials: context.config.credentials
+              )
+            elsif context.operation.name == 'WriteGetObjectResponse'
+              S3Signer.build_v4_signer(
+                service: 's3-object-lambda',
+                region: context.config.sigv4_region,
                 credentials: context.config.credentials
               )
             else
@@ -148,7 +164,12 @@ module Aws
 
           def custom_endpoint?(resp)
             resolved_suffix = Aws::Partitions::EndpointProvider.dns_suffix_for(
-              resp.context.config.region
+              resp.context.config.region,
+              's3',
+              {
+                dualstack: resp.context[:use_dualstack_endpoint],
+                fips: resp.context.config.use_fips_endpoint
+              }
             )
             !resp.context.http_request.endpoint.hostname.include?(resolved_suffix)
           end
@@ -210,6 +231,7 @@ module Aws
               service: options[:service],
               region: options[:region],
               credentials_provider: options[:credentials],
+              signing_algorithm: options.fetch(:signing_algorithm, :sigv4),
               uri_escape_path: false,
               unsigned_headers: ['content-length', 'x-amzn-trace-id']
             )
@@ -219,12 +241,20 @@ module Aws
           # Otherwise it will retry with the ARN as the bucket name.
           def new_hostname(context, region)
             uri = URI.parse(
-              Aws::Partitions::EndpointProvider.resolve(region, 's3')
+              Aws::Partitions::EndpointProvider.resolve(
+                region, 's3', 'regional',
+                {
+                  dualstack: context[:use_dualstack_endpoint],
+                  fips: context.config.use_fips_endpoint
+                }
+              )
             )
 
             if (arn = context.metadata[:s3_arn])
               # Retry with the response region and not the ARN resolved one
-              ARN.resolve_url!(uri, arn[:arn], region).host
+              ARN.resolve_url!(
+                uri, arn[:arn], region, arn[:fips], arn[:dualstack]
+              ).host
             else
               "#{context.params[:bucket]}.#{uri.host}"
             end

data/lib/aws-sdk-s3/presigner.rb

@@ -58,8 +58,7 @@ module Aws
       #   is returned instead of the default HTTPS URL.
       #
       # @option params [Boolean] :virtual_host (false) When `true`, the
-      #   bucket name will be used as the hostname. This will cause
-      #   the returned URL to be 'http' and not 'https'.
+      #   bucket name will be used as the hostname.
       #
       # @option params [Boolean] :use_accelerate_endpoint (false) When `true`,
       #   Presigner will attempt to use accelerated endpoint.
@@ -139,6 +138,7 @@ module Aws
 
         req = @client.build_request(method, params)
         use_bucket_as_hostname(req) if virtual_host
+        handle_presigned_url_context(req)
 
         x_amz_headers = sign_but_dont_send(
           req, expires_in, scheme, time, unsigned_headers, hoist
@@ -184,6 +184,17 @@ module Aws
         end
       end
 
+      # Used for excluding presigned_urls from API request count.
+      #
+      # Store context information as early as possible, to allow
+      # handlers to perform decisions based on this flag if need.
+      def handle_presigned_url_context(req)
+        req.handle(step: :initialize, priority: 98) do |context|
+          context[:presigned_url] = true
+          @handler.call(context)
+        end
+      end
+
       # @param [Seahorse::Client::Request] req
       def sign_but_dont_send(
         req, expires_in, scheme, time, unsigned_headers, hoist = true
@@ -220,17 +231,23 @@ module Aws
           end
           http_req.endpoint.query = query.join('&') unless query.empty?
 
+          signing_algorithm = :sigv4
+
           # If it's an ARN, get the resolved region and service
           if (arn = context.metadata[:s3_arn])
             region = arn[:resolved_region]
             service = arn[:arn].service
+            region = arn[:arn].is_a?(MultiRegionAccessPointARN) ? '*': arn[:resolved_region]
+            signing_algorithm = arn[:arn].is_a?(MultiRegionAccessPointARN) ? :sigv4a : :sigv4
           end
 
           signer = Aws::Sigv4::Signer.new(
             service: service || 's3',
             region: region || context.config.region,
+            signing_algorithm: signing_algorithm,
             credentials_provider: context.config.credentials,
             unsigned_headers: unsigned_headers,
+            apply_checksum_header: false,
             uri_escape_path: false
           )
 
@@ -243,9 +260,6 @@ module Aws
             time: time
           ).to_s
 
-          # Used for excluding presigned_urls from API request count
-          context[:presigned_url] = true
-
           Seahorse::Client::Response.new(context: context, data: url)
         end
         # Return the headers

data/lib/aws-sdk-s3/resource.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -65,8 +65,10 @@ module Aws::S3
     # @option options [String] :grant_read_acp
     #   Allows grantee to read the bucket ACL.
     # @option options [String] :grant_write
-    #   Allows grantee to create, overwrite, and delete any object in the
-    #   bucket.
+    #   Allows grantee to create new objects in the bucket.
+    #
+    #   For the bucket and object owners of existing objects, also allows
+    #   deletions and overwrites of those objects.
     # @option options [String] :grant_write_acp
     #   Allows grantee to write the ACL for the applicable bucket.
     # @option options [Boolean] :object_lock_enabled_for_bucket