aws-sdk 1.0.3 → 1.0.4

data/lib/aws/ec2/request.rb

@@ -13,6 +13,7 @@
 
 require 'aws/http/request'
 require 'aws/authorize_v2'
+require 'aws/authorize_with_session_token'
 
 module AWS
   class EC2
@@ -21,6 +22,7 @@ module AWS
     class Request < AWS::Http::Request
 
       include AuthorizeV2
+      include AuthorizeWithSessionToken
 
     end
   end

data/lib/aws/option_grammar.rb

@@ -164,6 +164,25 @@ module AWS
         end
       end
 
+      # @private
+      module Pattern
+
+#         def validate value, context = nil
+#           unless value =~ regex
+#             raise format_error("value to match #{regex}", context)
+#           end
+#         end
+#       
+#         def self.apply option, regex
+#           option.extend(self)
+#           MetaUtils.extend_method(option, :regex) { regex }
+#         end
+
+        def self.apply *args
+        end
+
+      end
+
       # @private
       module ListMethods
 
@@ -333,7 +352,9 @@ module AWS
         value
       end
 
-      def required?; false; end
+      def required?
+        false
+      end
 
       def format_error(expected, context = nil)
         context = context_description(context)

data/lib/aws/policy.rb

@@ -84,7 +84,7 @@ module AWS
       if opts.has_key?(:id) or opts.has_key?("Id")
         @id = opts[:id] || opts["Id"]
       else
-        @id = UUIDTools::UUID.timestamp_create.to_s
+        @id = UUIDTools::UUID.timestamp_create.to_s.tr('-','')
       end
       if opts.has_key?(:version) or opts.has_key?("Version")
         @version = opts[:version] || opts["Version"]
@@ -119,8 +119,8 @@ module AWS
     end
     protected :hash_without_ids 
 
-    # Returns a hash representation of the policy; the
-    # following statements are equivalent:
+    # Returns a hash representation of the policy. The following
+    # statements are equivalent:
     #
     #   policy.to_h.to_json
     #   policy.to_json
@@ -744,7 +744,7 @@ module AWS
       #   Policy#deny to add conditions to a statement.
       # @see S3::Client
       def initialize(opts = {})
-        self.sid = UUIDTools::UUID.timestamp_create.to_s
+        self.sid = UUIDTools::UUID.timestamp_create.to_s.tr('-','')
         self.conditions = ConditionBlock.new
 
         parse_options(opts)
@@ -777,6 +777,8 @@ module AWS
           "Resource" => resource_arns,
           "Condition" => (conditions.to_h if conditions)
         }
+        stmt.delete("Condition") if !conditions || conditions.to_h.empty?
+        stmt.delete("Principal") unless principals_hash
         if !translated_actions || translated_actions.empty?
           stmt["NotAction"] = translated_excluded_actions
         else

data/lib/aws/response.rb

@@ -44,12 +44,19 @@ module AWS
 
     # @param [Http::Request] http_request
     # @param [Http::Response] http_request
-    def initialize http_request = nil, http_response = nil
+    def initialize http_request = nil, http_response = nil, &block
       @http_request = http_request
       @http_response = http_response
+      @request_builder = block
+      rebuild_request if @request_builder && !http_request
     end
 
-    # @return [Boolean] Teturns true unless there is a response error.
+    # Rebuilds the HTTP request using the block passed to the initializer
+    def rebuild_request
+      @http_request = @request_builder.call
+    end
+
+    # @return [Boolean] Returns true unless there is a response error.
     def successful?
       error.nil?
     end

data/lib/aws/s3/client.rb

@@ -16,6 +16,7 @@ require 'aws/http/response'
 require 'aws/base_client'
 require 'aws/s3/errors'
 require 'aws/s3/data_options'
+require 'aws/uri_escape'
 require 'aws/s3/access_control_list'
 require 'aws/s3/policy'
 require 'aws/s3/client/xml'
@@ -84,6 +85,7 @@ module AWS
       }
 
       include DataOptions
+      include UriEscape
 
       configure_client
 
@@ -786,10 +788,13 @@ module AWS
       ) do
 
         configure_request do |req, options|
-          # TODO : validate presence of copy source
           # TODO : validate metadata directive COPY / REPLACE
           # TODO : validate storage class STANDARD / REDUCED_REDUNDANCY
           # TODO : add validations for storage class in other places used
+          validate!(:copy_source, options[:copy_source]) do
+            "may not be blank" if options[:copy_source].to_s.empty?
+          end
+          options = options.merge(:copy_source => escape_path(options[:copy_source]))
           super(req, options)
           req.canned_acl = options[:acl]
           req.metadata = options[:metadata]

data/lib/aws/s3/object_metadata.rb

@@ -34,20 +34,51 @@ module AWS
       # @return [S3Object]
       attr_reader :object
 
-      # Returns the value for the given name stored in the S3Objects
+      # Returns the value for the given name stored in the S3Object's
       # metadata:
       #
       #   bucket.objects['myobject'].metadata['purpose']
       #   # returns nil if the given metadata key has not been set
       #
+      # @param [String,Symbol] name The name of the metadata field to
+      #   get.
+      #
       # @return [String,nil] Returns the metadata for the given name.
       def [] name
         to_h[name.to_s]
       end
 
+      # Changes the value of the given name stored in the S3Object's
+      # metadata:
+      #
+      #   object = bucket.object['myobject']
+      #   object.metadata['purpose'] = 'research'
+      #   object.metadata['purpose']               # => 'research'
+      #
+      # @note The name and value of each metadata field must conform
+      #   to US-ASCII.
+      #
+      # @param [String,Symbol] name The name of the metadata field to
+      #   set.
+      #
+      # @param [String] value The new value of the metadata field.
+      #
+      # @return [String,nil] Returns the value that was set.
+      def []= name, value
+        raise "cannot change the metadata of an object version; "+
+          "use S3Object#write to create a new version with different metadata" if
+          @version_id
+        metadata = to_h.dup
+        metadata[name.to_s] = value
+        object.copy_from(object.key,
+                         :metadata => metadata)
+        value
+      end
+
       # Proxies the method to {#[]}.
       # @return (see #[])
-      def method_missing name
+      def method_missing name, *args, &blk
+        return super if !args.empty? || blk
         self[name]
       end
 

data/lib/aws/s3/request.rb

@@ -174,6 +174,10 @@ module AWS
       end
 
       def add_authorization!(signer)
+        if signer.respond_to?(:session_token) and
+            token = signer.session_token
+          headers["x-amz-security-token"] = token
+        end
         signature = URI.escape(signer.sign(string_to_sign, 'sha1'))
         headers["authorization"] = "AWS #{signer.access_key_id}:#{signature}"
       end

data/lib/aws/s3/s3_object.rb

@@ -229,10 +229,12 @@ module AWS
       #
       # @option options [Hash] :metadata A hash of metadata to be
       #   included with the object.  These will be sent to S3 as
-      #   headers prefixed with +x-amz-meta+.
+      #   headers prefixed with +x-amz-meta+.  Each name, value pair
+      #   must conform to US-ASCII.
+      #
+      # @option options [Symbol] :acl (private) A canned access
+      #   control policy.  Valid values are:
       #
-      # @option options [Symbol] :acl A canned access control
-      #   policy.  Valid values are:
       #   * +:private+
       #   * +:public_read+
       #   * +:public_read_write+
@@ -333,10 +335,12 @@ module AWS
       #
       # @option options [Hash] :metadata A hash of metadata to be
       #   included with the object.  These will be sent to S3 as
-      #   headers prefixed with +x-amz-meta+.
+      #   headers prefixed with +x-amz-meta+.  Each name, value pair
+      #   must conform to US-ASCII.
+      #
+      # @option options [Symbol] :acl (private) A canned access
+      #   control policy.  Valid values are:
       #
-      # @option options [Symbol] :acl A canned access control
-      #   policy.  Valid values are:
       #   * +:private+
       #   * +:public_read+
       #   * +:public_read_write+
@@ -344,9 +348,9 @@ module AWS
       #   * +:bucket_owner_read+
       #   * +:bucket_owner_full_control+
       #
-      # @option options [Boolean] :reduced_redundancy If true,
-      #   Reduced Redundancy Storage will be enabled for the
-      #   uploaded object.
+      # @option options [Boolean] :reduced_redundancy (false) If true,
+      #   Reduced Redundancy Storage will be enabled for the uploaded
+      #   object.
       #
       # @option options :cache_control [String] Can be used to specify
       #   caching behavior.  See
@@ -403,18 +407,36 @@ module AWS
       # metadata of the object when copying.
       #
       # @param [Mixed] source
+      #
       # @param [Hash] options
+      #
       # @option options [String] :bucket_name The name of the bucket
       #   the source object can be found in.  Defaults to the current
       #   object's bucket.
-      # @option options [Bucket] :bucket The bucket the source object can 
-      #   be found in.  Defaults to the current object's bucket.
-      # @option options [Hash] :metadata A hash of metadata to save with
-      #   the copied object.  When blank, the sources metadata is copied.
+      #
+      # @option options [Bucket] :bucket The bucket the source object
+      #   can be found in.  Defaults to the current object's bucket.
+      #
+      # @option options [Hash] :metadata A hash of metadata to save
+      #   with the copied object.  Each name, value pair must conform
+      #   to US-ASCII.  When blank, the sources metadata is copied.
+      #
       # @option options [Boolean] :reduced_redundancy (false) If true the
       #   object is stored with reduced redundancy in S3 for a lower cost.
-      # @option options [String] :version_id (nil) Causes the copy to 
+      #
+      # @option options [String] :version_id (nil) Causes the copy to
       #   read a specific version of the source object.
+      #
+      # @option options [Symbol] :acl (private) A canned access
+      #   control policy.  Valid values are:
+      #
+      #   * +:private+
+      #   * +:public_read+
+      #   * +:public_read_write+
+      #   * +:authenticated_read+
+      #   * +:bucket_owner_read+
+      #   * +:bucket_owner_full_control+
+      #
       # @return [nil]
       def copy_from source, options = {}
 
@@ -441,10 +463,14 @@ module AWS
           copy_opts[:metadata_directive] = 'COPY'
         end
 
+        copy_opts[:acl] = options[:acl] if options[:acl]
         copy_opts[:version_id] = options[:version_id] if options[:version_id]
 
-        copy_opts[:storage_class] = 'REDUCED_REDUNDANCY' if
-          options[:reduced_redundancy]
+        if options[:reduced_redundancy]
+          copy_opts[:storage_class] = 'REDUCED_REDUNDANCY'
+        else
+          copy_opts[:storage_class] = 'STANDARD'
+        end
 
         client.copy_object(copy_opts)
 
@@ -460,16 +486,24 @@ module AWS
       #
       # @param [S3Object,String] target An S3Object, or a string key of
       #   and object to copy to.
+      #
       # @param [Hash] options
+      #
       # @option options [String] :bucket_name The name of the bucket
       #   the object should be copied into.  Defaults to the current object's
       #   bucket.
+      #
       # @option options [Bucket] :bucket The bucket the target object
       #   should be copied into. Defaults to the current object's bucket.
-      # @option options [Hash] :metadata A hash of metadata to save with
-      #   the copied object.  When blank, the sources metadata is copied.
-      # @option options [Boolean] :reduced_redundancy (false) If true the
-      #   object is stored with reduced redundancy in S3 for a lower cost.
+      #
+      # @option options [Hash] :metadata A hash of metadata to save
+      #   with the copied object.  Each name, value pair must conform
+      #   to US-ASCII.  When blank, the sources metadata is copied.
+      #
+      # @option options [Boolean] :reduced_redundancy (false) If true
+      #   the object is stored with reduced redundancy in S3 for a
+      #   lower cost.
+      #
       # @return (see #copy_from)
       def copy_to target, options = {}
 
@@ -689,6 +723,23 @@ module AWS
         PresignedPost.new(bucket, options.merge(:key => key))
       end
 
+      # @note Changing the storage class of an object incurs a COPY
+      #   operation.
+      #
+      # Changes the storage class of the object to enable or disable
+      # Reduced Redundancy Storage (RRS).
+      #
+      # @param [true,false] value If this is true, the object will be
+      #   copied in place and stored with reduced redundancy at a
+      #   lower cost.  Otherwise, the object will be copied and stored
+      #   with the standard storage class.
+      #
+      # @return [true,false] The +value+ parameter.
+      def reduced_redundancy= value
+        copy_from(key, :reduced_redundancy => value)
+        value
+      end
+
       # @private
       private
       def build_uri(secure, request)

data/lib/aws/sns/request.rb

@@ -13,6 +13,7 @@
 
 require 'aws/http/request'
 require 'aws/authorize_v2'
+require 'aws/authorize_with_session_token'
 
 module AWS
   class SNS
@@ -21,6 +22,7 @@ module AWS
     class Request < AWS::Http::Request
 
       include AuthorizeV2
+      include AuthorizeWithSessionToken
 
     end
   end

data/lib/aws/sqs/request.rb

@@ -13,6 +13,7 @@
 
 require 'aws/http/request'
 require 'aws/authorize_v2'
+require 'aws/authorize_with_session_token'
 
 module AWS
   class SQS
@@ -21,7 +22,8 @@ module AWS
     class Request < AWS::Http::Request
 
       include AuthorizeV2
-      
+      include AuthorizeWithSessionToken
+
       def path
         full_url.path
       end

data/lib/aws/sts.rb

@@ -0,0 +1,143 @@
+# Copyright 2011 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+require 'aws/service_interface'
+require 'aws/sts/client'
+require 'aws/sts/session'
+require 'aws/sts/federated_session'
+require 'aws/sts/policy'
+
+module AWS
+
+  # This class is a starting point for working with the AWS Security
+  # Token Service.  The AWS Security Token Service is a web service
+  # that enables you to request temporary, limited-privilege
+  # credentials for users that you authenticate (federated users), or
+  # IAM users.
+  #
+  # @example Getting temporary credentials and using them to make an EC2 request
+  #   sts = AWS::STS.new(:access_key_id => "LONG_TERM_KEY",
+  #                      :secret_access_key => "LONG_TERM_SECRET")
+  #   session = AWS::STS.new.new_session(:duration => 60*60)
+  #   ec2 = AWS::EC2.new(session.credentials)
+  #   ec2.instances.to_a
+  #
+  # @example Getting temporary credentials with restricted permissions
+  #   policy = AWS::STS::Policy.new
+  #   policy.allow(:actions => ["s3:*", "ec2:*"],
+  #                :resources => :any)
+  #   session = sts.new_federated_session("TemporaryUser", :policy => policy)
+  #   ec2 = AWS::EC2.new(session.credentials)
+  #   ec2.instances.to_a
+  #
+  class STS
+
+    include ServiceInterface
+
+    # Returns a set of temporary credentials for an AWS account or IAM
+    # User. The credentials consist of an Access Key ID, a Secret
+    # Access Key, and a security token. These credentials are valid
+    # for the specified duration only. The session duration for IAM
+    # users can be between one and 36 hours, with a default of 12
+    # hours. The session duration for AWS account owners is restricted
+    # to one hour.
+    #
+    # @param [Hash] opts Options for getting temporary credentials.
+    #
+    # @option opts [Integer] :duration The duration, in seconds, that
+    #   the session should last. Acceptable durations for IAM user
+    #   sessions range from 3600s (one hour) to 129600s (36 hours),
+    #   with 43200s (12 hours) as the default. Sessions for AWS
+    #   account owners are restricted to a maximum of 3600s (one
+    #   hour).
+    #
+    # @return [Session]
+    def new_session(opts = {})
+      get_session(:get_session_token, opts) do |resp, session_opts|
+        Session.new(session_opts)
+      end
+    end
+
+    # Returns a set of temporary credentials for a federated user with
+    # the user name and policy specified in the request. The
+    # credentials consist of an Access Key ID, a Secret Access Key,
+    # and a security token. The credentials are valid for the
+    # specified duration, between one and 36 hours.
+    #
+    # The federated user who holds these credentials has only those
+    # permissions allowed by intersection of the specified policy and
+    # any resource or user policies that apply to the caller of the
+    # GetFederationToken API. For more information about how token
+    # permissions work, see
+    # {http://docs.amazonwebservices.com/IAM/latest/UserGuide/TokenPermissions.html
+    # Controlling Token Permissions} in Using AWS Identity and Access
+    # Management.
+    #
+    # @param [String] name The name of the federated user associated
+    #   with the session.  Must be between 2 and 32 characters in
+    #   length.
+    #
+    # @param [Hash] opts Options for getting temporary credentials.
+    #
+    # @option opts [Integer] :duration The duration, in seconds, that
+    #   the session should last. Acceptable durations for federation
+    #   sessions range from 3600s (one hour) to 129600s (36 hours),
+    #   with 43200s (12 hours) as the default.
+    #
+    # @option opts [String, AWS::STS::Policy] :policy A policy
+    #   specifying the permissions to associate with the session. The
+    #   caller can delegate their own permissions by specifying a
+    #   policy for the session, and both policies will be checked when
+    #   a service call is made. In other words, permissions of the
+    #   session credentials are the intersection of the policy
+    #   specified in the API and the policies associated with the user
+    #   who issued the session.
+    #
+    # @return [FederatedSession]
+    def new_federated_session(name, opts = {})
+      opts = opts.merge(:name => name)
+      case
+      when opts[:policy].kind_of?(String) || !opts[:policy]
+        # leave it alone
+      when opts[:policy].respond_to?(:to_json)
+        opts[:policy] = opts[:policy].to_json
+      end
+      get_session(:get_federation_token, opts) do |resp, session_opts|
+        session_opts.merge!(:user_id => resp.federated_user.federated_user_id,
+                            :user_arn => resp.federated_user.arn,
+                            :packed_policy_size => resp.packed_policy_size)
+        FederatedSession.new(session_opts)
+      end
+    end
+
+    # @private
+    protected
+    def get_session(method, opts = {})
+      opts[:duration_seconds] = opts.delete(:duration) if
+        opts[:duration]
+      resp = client.send(method, opts)
+      credentials = resp.credentials
+      session_opts = {
+        :credentials => {
+          :access_key_id => credentials.access_key_id,
+          :secret_access_key => credentials.secret_access_key,
+          :session_token => credentials.session_token
+        },
+        :expires_at => credentials.expiration
+      }
+      yield(resp, session_opts)
+    end
+
+  end
+
+end