fog-aws 3.13.0 → 3.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ab92d854133f8f95eaba87c66785ece83b06a57407d1bf627fe11c13d4e33f32
-  data.tar.gz: 39cfdea2adfae9a873d4530fba16913c68883fd523bd26aa3319e551de6b4292
+  metadata.gz: c8af574874772df5b7a7e51819b23f554543472c6cef0b4ff86addac3b0c24b7
+  data.tar.gz: f5171df32eec2c204d27ce7ac7ef361d5b7bc9c0761b6b95efd347b977deb97c
 SHA512:
-  metadata.gz: d32989087bd5bd8081a8a2b1247d1699314f5c2ea8e3be5ce2d7086c7a918b29468afd34f7ef279cc49d42c92f3907cadb82744cbf99a2828d117733ac1cea83
-  data.tar.gz: ae8d28913f81216fbfbbb6336794fde5809e5f779ec6ea812e064b0d2accc4d1acb199895a579901ad67f6e02a878ead320b8ec438029d7fba1b51f0f4ea416a
+  metadata.gz: 0526c83e1825435460136d7afa5f2467e88de9171ed64fcbe0fc75871ffd2564435b310f54585de0e24e2dbb38d36fa969952c0da98787e6d43fb8128950ad36
+  data.tar.gz: b9282f04b1b59446ab5781154932461d9230e6ef58dde2d573dd8bc488722faa02e54b77a376bda9e1ab8391a673c44bd975f24be9e1ade9ec7b30f1b817c70f

data/CHANGELOG.md

@@ -1,6 +1,26 @@
 # Changelog
 
-## [v3.13.0](https://github.com/fog/fog-aws/tree/v3.12.0) (2022-02-12)
+## [v3.14.0](https://github.com/fog/fog-aws/tree/v3.14.0) (2022-05-09)
+
+[Full Changelog](https://github.com/fog/fog-aws/compare/v3.13.0...HEAD)
+
+**Closed issues:**
+
+- Add a special note to the documentation around the danger of using directory.get [\#633](https://github.com/fog/fog-aws/issues/633)
+
+**Merged pull requests:**
+
+- RDD tags issue in AWS GovCloud Account regions. [\#643](https://github.com/fog/fog-aws/pull/643) ([svavhal](https://github.com/svavhal))
+- Create codeql.yml [\#641](https://github.com/fog/fog-aws/pull/641) ([naveensrinivasan](https://github.com/naveensrinivasan))
+- chore\(deps\): Included dependency review [\#640](https://github.com/fog/fog-aws/pull/640) ([naveensrinivasan](https://github.com/naveensrinivasan))
+- Bump actions/stale from 4 to 5 [\#639](https://github.com/fog/fog-aws/pull/639) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Set permissions for GitHub actions [\#638](https://github.com/fog/fog-aws/pull/638) ([naveensrinivasan](https://github.com/naveensrinivasan))
+- Add option to control IAM credential refresh [\#637](https://github.com/fog/fog-aws/pull/637) ([gl-gh-hchouraria](https://github.com/gl-gh-hchouraria))
+- Add warning messages around directories.get [\#636](https://github.com/fog/fog-aws/pull/636) ([orrin-naylor-instacart](https://github.com/orrin-naylor-instacart))
+- Bump actions/checkout from 2.4.0 to 3 [\#632](https://github.com/fog/fog-aws/pull/632) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Add Ruby 3.1 to the CI matrix [\#631](https://github.com/fog/fog-aws/pull/631) ([petergoldstein](https://github.com/petergoldstein))
+
+## [v3.13.0](https://github.com/fog/fog-aws/tree/v3.13.0) (2022-02-13)
 
 [Full Changelog](https://github.com/fog/fog-aws/compare/v3.12.0...v3.13.0)
 

data/README.md

@@ -98,6 +98,7 @@ file = directory.files.create(key: 'user/1/Gemfile', body: File.open('Gemfile'),
 directory = s3.directories.get('gaudi-portal-dev', prefix: 'user/1/')
 directory.files
 ```
+**Warning!** `s3.directories.get` retrieves and caches meta data for the first 10,000 objects in the bucket, which can be very expensive. When possible use `s3.directories.new`.
 
 #### Generating a URL for a file:
 
@@ -105,6 +106,48 @@ directory.files
 directory.files.new(key: 'user/1/Gemfile').url(Time.now + 60)
 ```
 
+##### Controlling credential refresh time with IAM authentication
+
+When using IAM authentication with
+[temporary security credentials](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html),
+generated S3 pre-signed URLs
+[only last as long as the temporary credential](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html).
+
+Generating the URLs in the following manner will return a URL
+that will not last as long as its requested expiration time if
+the remainder of the authentication token lifetime was shorter.
+
+```ruby
+s3 = Fog::Storage.new(provider: 'AWS', use_iam_auth: true)
+directory = s3.directories.get('gaudi-portal-dev', prefix: 'user/1/')
+
+directory.files.new(key: 'user/1/Gemfile').url(Time.now + 60)
+```
+
+By default the temporary credentials in use are refreshed only within the last
+15 seconds of its expiration time. The URL requested with 60 seconds lifetime
+using the above example will only remain valid for 15 seconds in the worst case.
+
+The problem can be avoided by refreshing the token early and often,
+by setting configuration `aws_credentials_refresh_threshold_seconds` (default: 15)
+which controls the time when the refresh must occur. It is expressed in seconds
+before the temporary credential's expiration time.
+
+The following example can ensure pre-signed URLs last as long as 60 seconds
+by automatically refreshing the credentials when its remainder lifetime
+is lower than 60 seconds:
+
+```ruby
+s3 = Fog::Storage.new(
+  provider: 'AWS',
+  use_iam_auth: true,
+  aws_credentials_refresh_threshold_seconds: 60
+)
+directory = s3.directories.get('gaudi-portal-dev', prefix: 'user/1/')
+
+directory.files.new(key: 'user/1/Gemfile').url(Time.now + 60)
+```
+
 #### Copying a file
 
 ```ruby

data/lib/fog/aws/credential_fetcher.rb

@@ -123,10 +123,17 @@ module Fog
 
         private
 
+        # When defined, 'aws_credentials_refresh_threshold_seconds' controls
+        # when the credential needs to be refreshed, expressed in seconds before
+        # the current credential's expiration time
+        def credentials_refresh_threshold
+          @aws_credentials_refresh_threshold_seconds || 15
+        end
+
         def credentials_expired?
           @use_iam_profile &&
             (!@aws_credentials_expire_at ||
-             (@aws_credentials_expire_at && Fog::Time.now > @aws_credentials_expire_at - 15)) #new credentials become available from around 5 minutes before expiration time
+             (@aws_credentials_expire_at && Fog::Time.now > @aws_credentials_expire_at - credentials_refresh_threshold)) #new credentials become available from around 5 minutes before expiration time
         end
 
         def refresh_credentials

data/lib/fog/aws/models/storage/directories.rb

@@ -11,6 +11,7 @@ module Fog
           load(data)
         end
 
+        # Warning! This retrieves and caches meta data for the first 10,000 objects in the bucket, which can be very expensive. When possible use directories.new
         def get(key, options = {})
           remap_attributes(options, {
             :delimiter  => 'delimiter',

data/lib/fog/aws/requests/rds/add_tags_to_resource.rb

@@ -12,28 +12,30 @@ module Fog
         #   * body<~Hash>:
         def add_tags_to_resource(rds_id, tags)
           keys    = tags.keys.sort
-          values  = keys.map {|key| tags[key]}
+          values  = keys.map { |key| tags[key] }
+          resource_name = "arn:aws:rds:#{@region}:#{owner_id}:db:#{rds_id}"
+          %w[us-gov-west-1 us-gov-east-1].include?(@region) ? resource_name.insert(7, '-us-gov') : resource_name
           request({
-              'Action'        => 'AddTagsToResource',
-              'ResourceName'  => "arn:aws:rds:#{@region}:#{owner_id}:db:#{rds_id}",
-              :parser         => Fog::Parsers::AWS::RDS::Base.new,
-            }.merge(Fog::AWS.indexed_param('Tags.member.%d.Key', keys)).
-              merge(Fog::AWS.indexed_param('Tags.member.%d.Value', values)))
+            'Action' => 'AddTagsToResource',
+            'ResourceName' => resource_name,
+            :parser => Fog::Parsers::AWS::RDS::Base.new
+          }.merge(Fog::AWS.indexed_param('Tags.member.%d.Key', keys))
+              .merge(Fog::AWS.indexed_param('Tags.member.%d.Value', values)))
         end
       end
 
       class Mock
         def add_tags_to_resource(rds_id, tags)
           response = Excon::Response.new
-          if server = self.data[:servers][rds_id]
-            self.data[:tags][rds_id].merge! tags
+          if server = data[:servers][rds_id]
+            data[:tags][rds_id].merge! tags
             response.status = 200
             response.body = {
-              "ResponseMetadata"=>{ "RequestId"=> Fog::AWS::Mock.request_id }
+              'ResponseMetadata' => { 'RequestId' => Fog::AWS::Mock.request_id }
             }
             response
           else
-            raise Fog::AWS::RDS::NotFound.new("DBInstance #{rds_id} not found")
+            raise Fog::AWS::RDS::NotFound, "DBInstance #{rds_id} not found"
           end
         end
       end

data/lib/fog/aws/requests/rds/list_tags_for_resource.rb

@@ -11,11 +11,14 @@ module Fog
         # ==== Returns
         # * response<~Excon::Response>:
         #   * body<~Hash>:
+
         def list_tags_for_resource(rds_id)
+          resource_name = "arn:aws:rds:#{@region}:#{owner_id}:db:#{rds_id}"
+          %w[us-gov-west-1 us-gov-east-1].include?(@region) ? resource_name.insert(7, '-us-gov') : resource_name
           request(
-            'Action'        => 'ListTagsForResource',
-            'ResourceName'  => "arn:aws:rds:#{@region}:#{owner_id}:db:#{rds_id}",
-            :parser         => Fog::Parsers::AWS::RDS::TagListParser.new
+            'Action' => 'ListTagsForResource',
+            'ResourceName' => resource_name,
+            :parser => Fog::Parsers::AWS::RDS::TagListParser.new
           )
         end
       end
@@ -23,15 +26,15 @@ module Fog
       class Mock
         def list_tags_for_resource(rds_id)
           response = Excon::Response.new
-          if server = self.data[:servers][rds_id]
+          if server = data[:servers][rds_id]
             response.status = 200
             response.body = {
-              "ListTagsForResourceResult" =>
-                {"TagList" =>  self.data[:tags][rds_id]}
+              'ListTagsForResourceResult' =>
+                { 'TagList' => data[:tags][rds_id] }
             }
             response
           else
-            raise Fog::AWS::RDS::NotFound.new("DBInstance #{rds_id} not found")
+            raise Fog::AWS::RDS::NotFound, "DBInstance #{rds_id} not found"
           end
         end
       end

data/lib/fog/aws/requests/rds/remove_tags_from_resource.rb

@@ -11,11 +11,12 @@ module Fog
         # * response<~Excon::Response>:
         #   * body<~Hash>:
         def remove_tags_from_resource(rds_id, keys)
+          resource_name = "arn:aws:rds:#{@region}:#{owner_id}:db:#{rds_id}"
+          %w[us-gov-west-1 us-gov-east-1].include?(@region) ? resource_name.insert(7, '-us-gov') : resource_name
           request(
-            { 'Action'        => 'RemoveTagsFromResource',
-              'ResourceName'  => "arn:aws:rds:#{@region}:#{owner_id}:db:#{rds_id}",
-              :parser         => Fog::Parsers::AWS::RDS::Base.new,
-            }.merge(Fog::AWS.indexed_param('TagKeys.member.%d', keys))
+            { 'Action' => 'RemoveTagsFromResource',
+              'ResourceName' => resource_name,
+              :parser => Fog::Parsers::AWS::RDS::Base.new }.merge(Fog::AWS.indexed_param('TagKeys.member.%d', keys))
           )
         end
       end
@@ -23,15 +24,15 @@ module Fog
       class Mock
         def remove_tags_from_resource(rds_id, keys)
           response = Excon::Response.new
-          if server = self.data[:servers][rds_id]
-            keys.each {|key| self.data[:tags][rds_id].delete key}
+          if server = data[:servers][rds_id]
+            keys.each { |key| data[:tags][rds_id].delete key }
             response.status = 200
             response.body = {
-              "ResponseMetadata"=>{ "RequestId"=> Fog::AWS::Mock.request_id }
+              'ResponseMetadata' => { 'RequestId' => Fog::AWS::Mock.request_id }
             }
             response
           else
-            raise Fog::AWS::RDS::NotFound.new("DBInstance #{rds_id} not found")
+            raise Fog::AWS::RDS::NotFound, "DBInstance #{rds_id} not found"
           end
         end
       end

data/lib/fog/aws/storage.rb

@@ -46,7 +46,7 @@ module Fog
       ]
 
       requires :aws_access_key_id, :aws_secret_access_key
-      recognizes :endpoint, :region, :host, :port, :scheme, :persistent, :use_iam_profile, :aws_session_token, :aws_credentials_expire_at, :path_style, :acceleration, :instrumentor, :instrumentor_name, :aws_signature_version, :enable_signature_v4_streaming, :virtual_host, :cname, :max_put_chunk_size, :max_copy_chunk_size
+      recognizes :endpoint, :region, :host, :port, :scheme, :persistent, :use_iam_profile, :aws_session_token, :aws_credentials_expire_at, :path_style, :acceleration, :instrumentor, :instrumentor_name, :aws_signature_version, :enable_signature_v4_streaming, :virtual_host, :cname, :max_put_chunk_size, :max_copy_chunk_size, :aws_credentials_refresh_threshold_seconds
 
       secrets    :aws_secret_access_key, :hmac
 
@@ -500,6 +500,8 @@ module Fog
         end
 
         def setup_credentials(options)
+          @aws_credentials_refresh_threshold_seconds = options[:aws_credentials_refresh_threshold_seconds]
+
           @aws_access_key_id = options[:aws_access_key_id]
           @aws_secret_access_key = options[:aws_secret_access_key]
           @aws_session_token     = options[:aws_session_token]
@@ -577,6 +579,8 @@ module Fog
 
 
         def setup_credentials(options)
+          @aws_credentials_refresh_threshold_seconds = options[:aws_credentials_refresh_threshold_seconds]
+
           @aws_access_key_id     = options[:aws_access_key_id]
           @aws_secret_access_key = options[:aws_secret_access_key]
           @aws_session_token     = options[:aws_session_token]

data/lib/fog/aws/version.rb

@@ -1,5 +1,5 @@
 module Fog
   module AWS
-    VERSION = "3.13.0"
+    VERSION = "3.14.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fog-aws
 version: !ruby/object:Gem::Version
-  version: 3.13.0
+  version: 3.14.0
 platform: ruby
 authors:
 - Josh Lane
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-13 00:00:00.000000000 Z
+date: 2022-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler