AWS SDK

rev. ba98f30b52e51c6e715b0ae469e7a2e988c27d9a

Files changed:

tmp-codegen-diff/aws-sdk/README.md

@@ -1,1 +57,57 @@

 <!--
 IMPORTANT:
 This README file is auto-generated by the build system in smithy-lang/smithy-rs.
 To update it, edit the `aws/SDK_README.md.hb` Handlebars template in that repository.
 -->
-6
 # The AWS SDK for Rust [![Docs](https://img.shields.io/badge/docs-blue)](https://awslabs.github.io/aws-sdk-rust/) ![MSRV](https://img.shields.io/badge/msrv-1.86.0-red) [![Usage Guide](https://img.shields.io/badge/Developer_Guide-blue)](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/welcome.html)
-8
 This repo contains the AWS SDK for Rust and its [public roadmap](https://github.com/orgs/awslabs/projects/50/views/1).
-10
 The SDK is code generated from [Smithy models](https://smithy.io/2.0/index.html) that represent each AWS service.
 The code used to generate the SDK can be found in [smithy-rs](https://github.com/smithy-lang/smithy-rs).
-13
 ## Getting Started with the SDK
-15
 > Examples are available for many services and operations, check out the [examples folder](./examples).

-17
 > For a step-by-step guide including several advanced use cases, check out the [Developer Guide](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/welcome.html).
-19
 The SDK provides one crate per AWS service. You must add [Tokio](https://crates.io/crates/tokio) as a dependency within your Rust project to execute asynchronous code.
-21
 . Create a new Rust project: `cargo new sdk-example`
 . Add dependencies to DynamoDB and Tokio to your **Cargo.toml** file:
-24
     ```toml
     [dependencies]
     aws-config = { version= "1.8.4", features = ["behavior-version-latest"] }
     aws-config = { version= "1.8.3", features = ["behavior-version-latest"] }
     aws-sdk-dynamodb = "0.0.0-local"
     tokio = { version = "1", features = ["full"] }
     ```
-31
 . Provide your AWS credentials with the default credential provider chain, which currently looks in:
    - Environment variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_REGION`
    - The default credentials files located in `~/.aws/config` and `~/.aws/credentials` (location can vary per platform)
    - Web Identity Token credentials from the environment or container (including EKS)
    - ECS Container Credentials (IAM roles for tasks)
    - EC2 Instance Metadata Service (IAM Roles attached to instance)

↧ Expand context

-38
 . Make a request using DynamoDB
-40
 ```rust
 use aws_sdk_dynamodb::{Client, Error};
-43
 #[tokio::main]
 async fn main() -> Result<(), Error> {
     let shared_config = aws_config::load_from_env().await;
     let client = Client::new(&shared_config);
     let req = client.list_tables().limit(10);
     let resp = req.send().await?;
     println!("Current DynamoDB tables: {:?}", resp.table_names);
     Ok(())
-52
+}
 ```
-54
 ### Prerequisites
-56
 In order to use the SDK, you must already have Rust and Cargo installed. If you don't, [these instructions](https://doc.rust-lang.org/book/ch01-01-installation.html) describe how to install Rust and Cargo.

tmp-codegen-diff/aws-sdk/sdk/aws-config/Cargo.toml

@@ -1,1 +157,157 @@

 # Code generated by software.amazon.smithy.rust.codegen.smithy-rs. DO NOT EDIT.
 [package]
 name = "aws-config"
 version = "1.8.4"
 version = "1.8.3"
 authors = ["AWS Rust SDK Team <aws-sdk-rust@amazon.com>", "Russell Cohen <rcoh@amazon.com>"]
 description = "AWS SDK config and credential provider implementations."
 edition = "2021"
 exclude = ["test-data/*", "integration-tests/*"]
 license = "Apache-2.0"
 repository = "https://github.com/smithy-lang/smithy-rs"
 [package.metadata.docs.rs]
 all-features = true
 targets = ["x86_64-unknown-linux-gnu"]
 cargo-args = ["-Zunstable-options", "-Zrustdoc-scrape-examples"]
 rustdoc-args = ["--cfg", "docsrs"]
-16
 [package.metadata.smithy-rs-release-tooling]
 stable = true
 [package.metadata.cargo-udeps.ignore]
 normal = ["proc-macro2"]
-21
 [features]
 behavior-version-latest = []
 credentials-process = ["tokio/process"]
 default = ["default-https-client", "rt-tokio", "credentials-process", "sso"]
 rt-tokio = ["aws-smithy-async/rt-tokio", "aws-smithy-runtime/rt-tokio", "tokio/rt"]
 client-hyper = ["aws-smithy-runtime/default-https-client"]
 rustls = ["client-hyper"]
 default-https-client = ["aws-smithy-runtime/default-https-client"]
 sso = ["dep:aws-sdk-sso", "dep:aws-sdk-ssooidc", "dep:ring", "dep:hex", "dep:zeroize", "aws-smithy-runtime-api/http-auth"]
 test-util = ["aws-runtime/test-util"]
 allow-compilation = []
-33
 [dependencies]
 bytes = "1.1.0"
 http = "1"
 url = "2.5.4"
 fastrand = "2.3.0"
-39
 [dependencies.aws-credential-types]
 path = "../aws-credential-types"
 features = ["test-util"]
 version = "1.2.5"
 version = "1.2.4"
-44
 [dependencies.aws-runtime]
 path = "../aws-runtime"
 version = "1.5.10"
 version = "1.5.9"
-48
 [dependencies.aws-sdk-sts]
 path = "../sts"
 default-features = false
 version = "0.0.0-local"
-53
 [dependencies.aws-smithy-async]
 path = "../aws-smithy-async"
 version = "1.2.5"
-57
 [dependencies.aws-smithy-http]
 path = "../aws-smithy-http"
 version = "0.62.3"
-61
 [dependencies.aws-smithy-json]
 path = "../aws-smithy-json"
 version = "0.61.4"
-65
 [dependencies.aws-smithy-runtime]
 path = "../aws-smithy-runtime"
 features = ["client"]
 version = "1.8.6"
 version = "1.8.5"
-70
 [dependencies.aws-smithy-runtime-api]
 path = "../aws-smithy-runtime-api"
 features = ["client"]
 version = "1.8.7"
 version = "1.8.5"
-75
 [dependencies.aws-smithy-types]
 path = "../aws-smithy-types"
 version = "1.3.2"
-79
 [dependencies.aws-types]
 path = "../aws-types"
 version = "1.3.8"
-83
 [dependencies.time]
 version = "0.3.4"
 features = ["parsing"]
-87
 [dependencies.tokio]
 version = "1.13.1"
 features = ["sync"]
-91
 [dependencies.tracing]
 version = "0.1"
-94
 [dependencies.aws-sdk-sso]
 path = "../sso"
 default-features = false
 optional = true
 version = "0.0.0-local"
-100
 [dependencies.ring]
 version = "0.17.5"
 optional = true
-104
 [dependencies.hex]
 version = "0.4.3"
 optional = true
-108
 [dependencies.zeroize]
 version = "1"
 optional = true
-112
 [dependencies.aws-sdk-ssooidc]
 path = "../ssooidc"
 default-features = false
 optional = true
 version = "0.0.0-local"
-118
 [dev-dependencies]
 tracing-test = "0.2.4"
 serde_json = "1"
-122
 [dev-dependencies.aws-smithy-async]
 path = "../aws-smithy-async"
 features = ["rt-tokio", "test-util"]
 version = "1.2.5"
-127
 [dev-dependencies.aws-smithy-runtime]
 path = "../aws-smithy-runtime"
 features = ["client", "test-util"]
 version = "1.8.5"
-+
 [dev-dependencies.aws-smithy-http-client]
 path = "../aws-smithy-http-client"
 features = ["default-client", "test-util"]
 version = "1.0.6"
-137
 [dev-dependencies.aws-smithy-runtime]
 path = "../aws-smithy-runtime"
 features = ["client", "test-util"]
 version = "1.8.6"
--
 [dev-dependencies.aws-smithy-runtime-api]
 path = "../aws-smithy-runtime-api"
 features = ["test-util"]
 version = "1.8.7"
 version = "1.8.5"
-142
 [dev-dependencies.futures-util]
 version = "0.3.29"
 default-features = false
-146
 [dev-dependencies.tracing-subscriber]
 version = "0.3.16"
 features = ["fmt", "json"]
-150
 [dev-dependencies.tokio]

↧ Expand context

 version = "1.23.1"
 features = ["full", "test-util"]
-154
 [dev-dependencies.serde]
 version = "1"
 features = ["derive"]

tmp-codegen-diff/aws-sdk/sdk/aws-config/fuzz/Cargo.toml

@@ -1,1 +30,30 @@

↥ Expand context

 # Code generated by software.amazon.smithy.rust.codegen.smithy-rs. DO NOT EDIT.
 [[bin]]
 name = "profile-parser"
 path = "fuzz_targets/profile-parser.rs"
 test = false
 doc = false
-7
 [package]
 name = "aws-types-fuzz"
 version = "0.0.0"
 authors = ["Automatically generated"]
 publish = false

 edition = "2021"
-14
 [package.metadata]
 cargo-fuzz = true
-17
 [dependencies]
 libfuzzer-sys = "=0.4.7"
-20
 [dependencies.aws-config]
 path = ".."
 version = "1.8.4"
 version = "1.8.3"
-24
 [dependencies.aws-types]
 path = "../../../sdk/build/aws-sdk/sdk/aws-types"
 version = "1.3.8"
-28
 [workspace]
 members = ["."]

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/credential_process.rs

@@ -1,1 +43,42 @@

↥ Expand context

  * SPDX-License-Identifier: Apache-2.0
  */
-5
 #![cfg(feature = "credentials-process")]
-7
 //! Credentials Provider for external process
-9
 use crate::json_credentials::{json_parse_loop, InvalidJsonCredentials};
 use crate::sensitive_command::CommandWithSensitiveArgs;
 use aws_credential_types::attributes::AccountId;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_credential_types::Credentials;
 use aws_smithy_json::deserialize::Token;
 use std::borrow::Cow;
 use std::process::Command;
 use std::time::SystemTime;
 use time::format_description::well_known::Rfc3339;
 use time::OffsetDateTime;
-21
 /// External process credentials provider

↧ Expand context

 ///
 /// This credentials provider runs a configured external process and parses
 /// its output to retrieve credentials.
 ///
 /// The external process must exit with status 0 and output the following
 /// JSON format to `stdout` to provide credentials:
 ///
 /// ```json
 /// {
 ///     "Version:" 1,
 ///     "AccessKeyId": "access key id",
 ///     "SecretAccessKey": "secret access key",
 ///     "SessionToken": "session token",
 ///     "Expiration": "time that the expiration will expire"
 /// }
 /// ```
 ///
 /// The `Version` must be set to 1. `AccessKeyId` and `SecretAccessKey` are always required.
 /// `SessionToken` must be set if a session token is associated with the `AccessKeyId`.
 /// The `Expiration` is optional, and must be given in the RFC 3339 date time format (e.g.,

@@ -96,95 +168,162 @@

↥ Expand context

         };
         let output = tokio::process::Command::from(command)
             .output()
             .await
             .map_err(|e| {
                 CredentialsError::provider_error(format!(
                     "Error retrieving credentials from external process: {}",
-102
+                    e
                 ))
             })?;
-105
         // Security: command arguments can be logged at trace level
         tracing::trace!(command = ?self.command, status = ?output.status, "executed command (unredacted)");
-108
         if !output.status.success() {
             let reason =
                 std::str::from_utf8(&output.stderr).unwrap_or("could not decode stderr as UTF-8");
             return Err(CredentialsError::provider_error(format!(
                 "Error retrieving credentials: external process exited with code {}. Stderr: {}",
                 output.status, reason

             )));
-116
+        }
-117
         let output = std::str::from_utf8(&output.stdout).map_err(|e| {
             CredentialsError::provider_error(format!(
                 "Error retrieving credentials from external process: could not decode output as UTF-8: {}",
-121
+                e
             ))
         })?;
-124
         parse_credential_process_json_credentials(output, self.profile_account_id.as_ref())
             .map(|mut creds| {
                 creds
                     .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                     .push(AwsCredentialFeature::CredentialsProcess);
                 creds
             })
             .map_err(|invalid| {
         parse_credential_process_json_credentials(output, self.profile_account_id.as_ref()).map_err(
             |invalid| {
                 CredentialsError::provider_error(format!(
                 "Error retrieving credentials from external process, could not parse response: {}",
                 invalid
             ))
             })
             },
-+
+        )
-133
+    }
-134
+}
-135
 #[derive(Debug, Default)]
 pub(crate) struct Builder {
     command: Option<CommandWithSensitiveArgs<String>>,
     profile_account_id: Option<AccountId>,
-140
+}
-141
 impl Builder {

↧ Expand context

     pub(crate) fn command(mut self, command: CommandWithSensitiveArgs<String>) -> Self {
         self.command = Some(command);
         self
-146
+    }
-147
     #[allow(dead_code)] // only used in unit tests
     pub(crate) fn account_id(mut self, account_id: impl Into<AccountId>) -> Self {
         self.set_account_id(Some(account_id.into()));
         self
-152
+    }
-153
     pub(crate) fn set_account_id(&mut self, account_id: Option<AccountId>) {
         self.profile_account_id = account_id;
-156
+    }
-157
     pub(crate) fn build(self) -> CredentialProcessProvider {
         CredentialProcessProvider {
             command: self.command.expect("should be set"),
             profile_account_id: self.profile_account_id,
-162
+        }

@@ -243,237 +303,296 @@

↥ Expand context

     let access_key_id = access_key_id.ok_or(InvalidJsonCredentials::MissingField("AccessKeyId"))?;
     let secret_access_key =
         secret_access_key.ok_or(InvalidJsonCredentials::MissingField("SecretAccessKey"))?;
     let expiration = expiration.map(parse_expiration).transpose()?;
     if expiration.is_none() {
         tracing::debug!("no expiration provided for credentials provider credentials. these credentials will never be refreshed.")
-243
+    }
     let mut builder = Credentials::builder()
         .access_key_id(access_key_id)
         .secret_access_key(secret_access_key)
         .provider_name("CredentialProcess");
     builder.set_session_token(session_token.map(String::from));
     builder.set_expiry(expiration);
     builder.set_account_id(account_id.map(AccountId::from));
     Ok(builder.build())
-252
+}
-253
 fn parse_expiration(expiration: impl AsRef<str>) -> Result<SystemTime, InvalidJsonCredentials> {
     OffsetDateTime::parse(expiration.as_ref(), &Rfc3339)
         .map(SystemTime::from)

         .map_err(|err| InvalidJsonCredentials::InvalidField {
             field: "Expiration",
             err: err.into(),
         })
-261
+}
-262
 #[cfg(test)]
 mod test {
     use crate::credential_process::CredentialProcessProvider;
     use crate::sensitive_command::CommandWithSensitiveArgs;
     use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::ProvideCredentials;
     use std::time::{Duration, SystemTime};
     use time::format_description::well_known::Rfc3339;
     use time::OffsetDateTime;
     use tokio::time::timeout;
-272
     // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is ignored on Windows because it uses Unix-style paths
     #[tokio::test]
     #[cfg_attr(windows, ignore)]
     async fn test_credential_process() {

↧ Expand context

         let provider = CredentialProcessProvider::new(String::from(
             r#"echo '{ "Version": 1, "AccessKeyId": "ASIARTESTID", "SecretAccessKey": "TESTSECRETKEY", "SessionToken": "TESTSESSIONTOKEN", "AccountId": "123456789001", "Expiration": "2022-05-02T18:36:00+00:00" }'"#,
         ));
         let creds = provider.provide_credentials().await.expect("valid creds");
         assert_eq!(creds.access_key_id(), "ASIARTESTID");
         assert_eq!(creds.secret_access_key(), "TESTSECRETKEY");
         assert_eq!(creds.session_token(), Some("TESTSESSIONTOKEN"));
         assert_eq!(creds.account_id().unwrap().as_str(), "123456789001");
         assert_eq!(
             creds.expiry(),
             Some(
                 SystemTime::try_from(
                     OffsetDateTime::parse("2022-05-02T18:36:00+00:00", &Rfc3339)
                         .expect("static datetime")
-291
+                )
                 .expect("static datetime")
-293
+            )
         );
-295
+    }
-296

@@ -319,312 +364,342 @@

↥ Expand context

     async fn credentials_process_timeouts() {
         let provider = CredentialProcessProvider::new(String::from("sleep 1000"));
         let _creds = timeout(Duration::from_millis(1), provider.provide_credentials())
             .await
             .expect_err("timeout forced");
-317
+    }
-318
     #[tokio::test]
     async fn credentials_with_fallback_account_id() {
         let provider = CredentialProcessProvider::builder()
             .command(CommandWithSensitiveArgs::new(String::from(
                 r#"echo '{ "Version": 1, "AccessKeyId": "ASIARTESTID", "SecretAccessKey": "TESTSECRETKEY" }'"#,
             )))
             .account_id("012345678901")
             .build();
         let creds = provider.provide_credentials().await.unwrap();
         assert_eq!("012345678901", creds.account_id().unwrap().as_str());
-329
+    }
-330
     #[tokio::test]

     async fn fallback_account_id_shadowed_by_account_id_in_process_output() {
         let provider = CredentialProcessProvider::builder()
             .command(CommandWithSensitiveArgs::new(String::from(
                 r#"echo '{ "Version": 1, "AccessKeyId": "ASIARTESTID", "SecretAccessKey": "TESTSECRETKEY", "AccountId": "111122223333" }'"#,
             )))
             .account_id("012345678901")
             .build();
         let creds = provider.provide_credentials().await.unwrap();
         assert_eq!("111122223333", creds.account_id().unwrap().as_str());
-341
+    }
--
     #[tokio::test]
     async fn credential_feature() {
         let provider = CredentialProcessProvider::builder()
             .command(CommandWithSensitiveArgs::new(String::from(
                 r#"echo '{ "Version": 1, "AccessKeyId": "ASIARTESTID", "SecretAccessKey": "TESTSECRETKEY", "AccountId": "111122223333" }'"#,
             )))
             .account_id("012345678901")
             .build();
         let creds = provider.provide_credentials().await.unwrap();
         assert_eq!(
             &vec![AwsCredentialFeature::CredentialsProcess],
             creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
         );
--
+    }
-342
+}

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/environment/credentials.rs

@@ -1,1 +148,142 @@

 /*
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
  */
-5
 use std::env::VarError;
-7
 use aws_credential_types::attributes::AccountId;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_credential_types::Credentials;
 use aws_types::os_shim_internal::Env;
-12
 /// Load Credentials from Environment Variables
 ///
 /// `EnvironmentVariableCredentialsProvider` uses the following variables:
 /// - `AWS_ACCESS_KEY_ID`
 /// - `AWS_SECRET_ACCESS_KEY` with fallback to `SECRET_ACCESS_KEY`
 /// - `AWS_SESSION_TOKEN` (optional)
 /// - `AWS_ACCOUNT_ID` (optional)
 #[derive(Debug, Clone)]
 pub struct EnvironmentVariableCredentialsProvider {
     env: Env,
-23
+}
-24
 impl EnvironmentVariableCredentialsProvider {
     fn credentials(&self) -> provider::Result {
         let access_key = self
             .env
             .get("AWS_ACCESS_KEY_ID")
             .and_then(err_if_blank)
             .map_err(to_cred_error)?;
         let secret_key = self
             .env
             .get("AWS_SECRET_ACCESS_KEY")
             .and_then(err_if_blank)
             .or_else(|_| self.env.get("SECRET_ACCESS_KEY"))
             .and_then(err_if_blank)
             .map_err(to_cred_error)?;
         let session_token =
             self.env
                 .get("AWS_SESSION_TOKEN")
                 .ok()
                 .and_then(|token| match token.trim() {
                     "" => None,
                     s => Some(s.to_string()),
                 });
         let account_id =
             self.env
                 .get("AWS_ACCOUNT_ID")
                 .ok()
                 .and_then(|account_id| match account_id.trim() {
                     "" => None,
                     s => Some(AccountId::from(s)),
                 });
         let mut builder = Credentials::builder()
             .access_key_id(access_key)
             .secret_access_key(secret_key)
             .provider_name(ENV_PROVIDER);
         builder.set_session_token(session_token);
         builder.set_account_id(account_id);
         let mut creds = builder.build();
         creds
             .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
             .push(AwsCredentialFeature::CredentialsEnvVars);
         Ok(creds)
         Ok(builder.build())
-62
+    }
-63
+}
-64
 impl EnvironmentVariableCredentialsProvider {
     /// Create a `EnvironmentVariableCredentialsProvider`
     pub fn new() -> Self {
         Self::new_with_env(Env::real())
-69
+    }
-70
     /// Create a new `EnvironmentVariableCredentialsProvider` with `Env` overridden
     ///
     /// This function is intended for tests that mock out the process environment.
     pub(crate) fn new_with_env(env: Env) -> Self {
         Self { env }
-76
+    }
-77
+}
-78
 impl Default for EnvironmentVariableCredentialsProvider {
     fn default() -> Self {
         Self::new()
-82
+    }
-83
+}
-84
 const ENV_PROVIDER: &str = "EnvironmentVariable";
-86
 impl ProvideCredentials for EnvironmentVariableCredentialsProvider {
     fn provide_credentials<'a>(&'a self) -> future::ProvideCredentials<'a>
     where
         Self: 'a,
-91
+    {
         future::ProvideCredentials::ready(self.credentials())
-93
+    }
-94
+}
-95
 fn to_cred_error(err: VarError) -> CredentialsError {
     match err {
         VarError::NotPresent => CredentialsError::not_loaded("environment variable not set"),
         e @ VarError::NotUnicode(_) => CredentialsError::unhandled(e),
-100
+    }
-101
+}
-102
 fn err_if_blank(value: String) -> Result<String, VarError> {
     if value.trim().is_empty() {
         Err(VarError::NotPresent)
     } else {
         Ok(value)
-108
+    }
-109
+}
-110
 #[cfg(test)]
 mod test {
     use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::{error::CredentialsError, ProvideCredentials};
     use aws_types::os_shim_internal::Env;
     use futures_util::FutureExt;
-116
     use super::EnvironmentVariableCredentialsProvider;
-118
     fn make_provider(vars: &[(&str, &str)]) -> EnvironmentVariableCredentialsProvider {
         EnvironmentVariableCredentialsProvider {
             env: Env::from_slice(vars),
-122
+        }

↧ Expand context

-123
+    }
-124
     #[test]
     fn valid_no_token() {
         let provider = make_provider(&[
             ("AWS_ACCESS_KEY_ID", "access"),
             ("AWS_SECRET_ACCESS_KEY", "secret"),
         ]);
         let creds = provider
             .provide_credentials()
             .now_or_never()
             .unwrap()
             .expect("valid credentials");
         assert_eq!(creds.session_token(), None);
         assert_eq!(creds.access_key_id(), "access");
         assert_eq!(creds.secret_access_key(), "secret");
-139
+    }
-140
     #[test]
     fn valid_with_token() {

@@ -229,223 +285,259 @@

↥ Expand context

             .expect_err("no credentials defined");
         assert!(matches!(err, CredentialsError::CredentialsNotLoaded { .. }));
-225
+    }
-226
     #[test]
     fn empty_keys_env_vars() {
         for [access_key_value, secret_key_value] in &[
             &["", ""],
             &[" ", ""],
             &["access", ""],
             &["", " "],
             &[" ", " "],
             &["access", " "],
             &["", "secret"],
             &[" ", "secret"],
         ] {
             let provider = make_provider(&[
                 ("AWS_ACCESS_KEY_ID", access_key_value),
                 ("AWS_SECRET_ACCESS_KEY", secret_key_value),
             ]);

-243
             let err = provider
                 .provide_credentials()
                 .now_or_never()
                 .unwrap()
                 .expect_err("no credentials defined");
             assert!(matches!(err, CredentialsError::CredentialsNotLoaded { .. }));
-250
+        }
-251
+    }
-252
     #[test]
     fn credentials_feature() {
         let provider = make_provider(&[
             ("AWS_ACCESS_KEY_ID", "access"),
             ("AWS_SECRET_ACCESS_KEY", "secret"),
             ("SECRET_ACCESS_KEY", "secret"),
             ("AWS_SESSION_TOKEN", "token"),
         ]);
--
         let creds = provider
             .provide_credentials()
             .now_or_never()
             .unwrap()
             .expect("valid credentials");
         assert_eq!(
             &vec![AwsCredentialFeature::CredentialsEnvVars],
             creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
         );
--
+    }
--
     #[test]
     fn real_environment() {
         let provider = EnvironmentVariableCredentialsProvider::new();
         // we don't know what's in the env, just make sure it doesn't crash.
         let _fut = provider.provide_credentials();
-258
+    }
-259
+}

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/http_credential_provider.rs

@@ -1,1 +97,87 @@

↥ Expand context

  */
-5
 //! Generalized HTTP credential provider. Currently, this cannot be used directly and can only
 //! be used via the ECS credential provider.
 //!
 //! Future work will stabilize this interface and enable it to be used directly.
-10
 use crate::json_credentials::{parse_json_credentials, JsonCredentials, RefreshableCredentials};
 use crate::provider_config::ProviderConfig;
 use aws_credential_types::attributes::AccountId;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError};
 use aws_credential_types::Credentials;
 use aws_smithy_runtime::client::metrics::MetricsRuntimePlugin;
 use aws_smithy_runtime::client::orchestrator::operation::Operation;
 use aws_smithy_runtime::client::retries::classifiers::{
     HttpStatusCodeClassifier, TransientErrorClassifier,
 };
 use aws_smithy_runtime_api::client::http::HttpConnectorSettings;
 use aws_smithy_runtime_api::client::interceptors::context::{Error, InterceptorContext};
 use aws_smithy_runtime_api::client::orchestrator::{
     HttpResponse, Metadata, OrchestratorError, SensitiveOutput,
 };
 use aws_smithy_runtime_api::client::result::SdkError;
 use aws_smithy_runtime_api::client::retries::classifiers::ClassifyRetry;
 use aws_smithy_runtime_api::client::retries::classifiers::RetryAction;
 use aws_smithy_runtime_api::client::runtime_plugin::StaticRuntimePlugin;
 use aws_smithy_types::body::SdkBody;
 use aws_smithy_types::config_bag::Layer;
 use aws_smithy_types::retry::RetryConfig;
 use aws_smithy_types::timeout::TimeoutConfig;
 use http::header::{ACCEPT, AUTHORIZATION};
 use http::HeaderValue;
 use std::time::Duration;
-37
 const DEFAULT_READ_TIMEOUT: Duration = Duration::from_secs(5);
 const DEFAULT_CONNECT_TIMEOUT: Duration = Duration::from_secs(2);
-40
 #[derive(Debug)]
 struct HttpProviderAuth {
     auth: Option<HeaderValue>,
-44
+}
-45
 #[derive(Debug)]
 pub(crate) struct HttpCredentialProvider {
     operation: Operation<HttpProviderAuth, Credentials, CredentialsError>,
-49
+}
-50
 impl HttpCredentialProvider {
     pub(crate) fn builder() -> Builder {
         Builder::default()
-54
+    }
-55
     pub(crate) async fn credentials(&self, auth: Option<HeaderValue>) -> provider::Result {
         let credentials =
             self.operation
                 .invoke(HttpProviderAuth { auth })
                 .await
                 .map(|mut creds| {
                     creds
                         .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                         .push(AwsCredentialFeature::CredentialsHttp);
                     creds
                 });
         let credentials = self.operation.invoke(HttpProviderAuth { auth }).await;
         match credentials {
             Ok(creds) => Ok(creds),
             Err(SdkError::ServiceError(context)) => Err(context.into_err()),
             Err(other) => Err(CredentialsError::unhandled(other)),
-62
+        }
-63
+    }
-64
+}
-65
 #[derive(Default)]
 pub(crate) struct Builder {

↧ Expand context

     provider_config: Option<ProviderConfig>,
     http_connector_settings: Option<HttpConnectorSettings>,
-70
+}
-71
 impl Builder {
     pub(crate) fn configure(mut self, provider_config: &ProviderConfig) -> Self {
         self.provider_config = Some(provider_config.clone());
         self
-76
+    }
-77
     pub(crate) fn http_connector_settings(
         mut self,
         http_connector_settings: HttpConnectorSettings,
     ) -> Self {
         self.http_connector_settings = Some(http_connector_settings);
         self
-84
+    }
-85
     pub(crate) fn build(
         self,

@@ -216,206 +276,265 @@

↥ Expand context

 impl ClassifyRetry for HttpCredentialRetryClassifier {
     fn name(&self) -> &'static str {
         "HttpCredentialRetryClassifier"
-209
+    }
-210
     fn classify_retry(&self, ctx: &InterceptorContext) -> RetryAction {
         let output_or_error = ctx.output_or_error();
         let error = match output_or_error {
             Some(Ok(_)) | None => return RetryAction::NoActionIndicated,
             Some(Err(err)) => err,
         };
-217
         // Retry non-parseable 200 responses
         if let Some((err, status)) = error
             .as_operation_error()
             .and_then(|err| err.downcast_ref::<CredentialsError>())
             .zip(ctx.response().map(HttpResponse::status))
-223
+        {
             if matches!(err, CredentialsError::Unhandled { .. }) && status.is_success() {
                 return RetryAction::server_error();

-226
+            }
-227
+        }
-228
         RetryAction::NoActionIndicated
-230
+    }
-231
+}
-232
 #[cfg(test)]
 mod test {
     use super::*;
     use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::error::CredentialsError;
     use aws_smithy_http_client::test_util::{ReplayEvent, StaticReplayClient};
     use aws_smithy_types::body::SdkBody;
     use http::{Request, Response, Uri};
     use std::time::SystemTime;
-241
     async fn provide_creds(
         http_client: StaticReplayClient,
     ) -> Result<Credentials, CredentialsError> {
         let provider_config = ProviderConfig::default().with_http_client(http_client.clone());

↧ Expand context

         let provider = HttpCredentialProvider::builder()
             .configure(&provider_config)
             .build("test", "http://localhost:1234/", "/some-creds");
         provider.credentials(None).await
-250
+    }
-251
     fn successful_req_resp() -> ReplayEvent {
         ReplayEvent::new(
             Request::builder()
                 .uri(Uri::from_static("http://localhost:1234/some-creds"))
                 .body(SdkBody::empty())
                 .unwrap(),
             Response::builder()
                 .status(200)
                 .body(SdkBody::from(
                     r#"{
                         "AccessKeyId" : "MUA...",
                         "SecretAccessKey" : "/7PC5om....",
                         "Token" : "AQoDY....=",
                         "Expiration" : "2016-02-25T06:03:31Z"

@@ -330,319 +370,349 @@

↥ Expand context

             successful_req_resp(),
         ]);
         let creds = provide_creds(http_client.clone()).await.expect("success");
         assert_eq!("MUA...", creds.access_key_id());
         http_client.assert_requests_match(&[]);
-324
+    }
-325
     #[tokio::test]
     async fn explicit_error_not_retryable() {
         let http_client = StaticReplayClient::new(vec![ReplayEvent::new(
             Request::builder()
                 .uri(Uri::from_static("http://localhost:1234/some-creds"))
                 .body(SdkBody::empty())
                 .unwrap(),
             Response::builder()
                 .status(400)
                 .body(SdkBody::from(
                     r#"{ "Code": "Error", "Message": "There was a problem, it was your fault" }"#,
                 ))
                 .unwrap(),

         )]);
         let err = provide_creds(http_client.clone())
             .await
             .expect_err("it should fail");
         assert!(
             matches!(err, CredentialsError::ProviderError { .. }),
             "should be CredentialsError::ProviderError: {err}",
         );
         http_client.assert_requests_match(&[]);
-348
+    }
--
     #[tokio::test]
     async fn credentials_feature() {
         let http_client = StaticReplayClient::new(vec![successful_req_resp()]);
         let creds = provide_creds(http_client.clone()).await.expect("success");
         assert_eq!(
             &vec![AwsCredentialFeature::CredentialsHttp],
             creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
         );
--
+    }
-349
+}

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/imds/client.rs

@@ -625,625 +769,765 @@

↥ Expand context

             match status {
                 _ if status.is_server_error() => RetryAction::server_error(),
                 // 401 indicates that the token has expired, this is retryable
                 _ if status.as_u16() == 401 => RetryAction::server_error(),
                 // This catch-all includes successful responses that fail to parse. These should not be retried.
                 _ => RetryAction::NoActionIndicated,
-631
+            }
         } else if self.retry_connect_timeouts {
             RetryAction::server_error()
         } else {
             // This is the default behavior.
             // Don't retry timeouts for IMDS, or else it will take ~30 seconds for the default
             // credentials provider chain to fail to provide credentials.
             // Also don't retry non-responses.
             RetryAction::NoActionIndicated
-640
+        }
-641
+    }
-642
+}
-643
 #[cfg(test)]

 pub(crate) mod test {
     use crate::imds::client::{Client, EndpointMode, ImdsResponseRetryClassifier};
     use crate::provider_config::ProviderConfig;
     use aws_smithy_async::rt::sleep::TokioSleep;
     use aws_smithy_async::test_util::{instant_time_and_sleep, InstantSleep};
     use aws_smithy_http_client::test_util::{capture_request, ReplayEvent, StaticReplayClient};
     use aws_smithy_runtime::test_util::capture_test_logs::capture_test_logs;
     use aws_smithy_runtime_api::client::interceptors::context::{
         Input, InterceptorContext, Output,
     };
     use aws_smithy_runtime_api::client::orchestrator::OrchestratorError;
     use aws_smithy_runtime_api::client::orchestrator::{HttpRequest, HttpResponse};
     use aws_smithy_runtime_api::client::orchestrator::{
         HttpRequest, HttpResponse, OrchestratorError,
     };
     use aws_smithy_runtime_api::client::result::ConnectorError;
     use aws_smithy_runtime_api::client::retries::classifiers::{
         ClassifyRetry, RetryAction, SharedRetryClassifier,
     };
     use aws_smithy_types::body::SdkBody;
     use aws_smithy_types::error::display::DisplayErrorContext;
     use aws_types::os_shim_internal::{Env, Fs};
     use http::header::USER_AGENT;
     use http::Uri;
     use serde::Deserialize;
     use std::collections::HashMap;
     use std::error::Error;
     use std::io;
     use std::time::SystemTime;
     use std::time::{Duration, UNIX_EPOCH};
     use tracing_test::traced_test;
-674
     macro_rules! assert_full_error_contains {
         ($err:expr, $contains:expr) => {
             let err = $err;
             let message = format!(
                 "{}",
                 aws_smithy_types::error::display::DisplayErrorContext(&err)
             );
             assert!(
                 message.contains($contains),
                 "Error message '{message}' didn't contain text '{}'",
                 $contains
             );
         };
-688
+    }
-689
     const TOKEN_A: &str = "AQAEAFTNrA4eEGx0AQgJ1arIq_Cc-t4tWt3fB0Hd8RKhXlKc5ccvhg==";
     const TOKEN_B: &str = "alternatetoken==";
-692
     /// Create a simple token request
     pub(crate) fn token_request(base: &str, ttl: u32) -> HttpRequest {
         http::Request::builder()
             .uri(format!("{}/latest/api/token", base))
             .header("x-aws-ec2-metadata-token-ttl-seconds", ttl)
             .method("PUT")
             .body(SdkBody::empty())
             .unwrap()
             .try_into()
             .unwrap()
-702
+    }
-703
     /// Create a simple token response
     pub(crate) fn token_response(ttl: u32, token: &'static str) -> HttpResponse {
         HttpResponse::try_from(
             http::Response::builder()
                 .status(200)
                 .header("X-aws-ec2-metadata-token-ttl-seconds", ttl)
                 .body(SdkBody::from(token))
                 .unwrap(),
-711
+        )
         .unwrap()
-713
+    }
-714
     /// Create a simple IMDS request
     pub(crate) fn imds_request(path: &'static str, token: &str) -> HttpRequest {
         http::Request::builder()
             .uri(Uri::from_static(path))
             .method("GET")
             .header("x-aws-ec2-metadata-token", token)
             .body(SdkBody::empty())
             .unwrap()
             .try_into()
             .unwrap()
-724
+    }
-725
     /// Create a simple IMDS response
     pub(crate) fn imds_response(body: &'static str) -> HttpResponse {
         HttpResponse::try_from(
             http::Response::builder()
                 .status(200)
                 .body(SdkBody::from(body))
                 .unwrap(),
-732
+        )
         .unwrap()
-734
+    }
-735
     /// Create an IMDS client with an underlying [StaticReplayClient]
     pub(crate) fn make_imds_client(http_client: &StaticReplayClient) -> super::Client {
         tokio::time::pause();
         super::Client::builder()
             .configure(
                 &ProviderConfig::no_configuration()
                     .with_sleep_impl(InstantSleep::unlogged())
                     .with_http_client(http_client.clone()),
-743
+            )
             .build()
-745
+    }

↧ Expand context

-746
     fn mock_imds_client(events: Vec<ReplayEvent>) -> (Client, StaticReplayClient) {
         let http_client = StaticReplayClient::new(events);
         let client = make_imds_client(&http_client);
         (client, http_client)
-751
+    }
-752
     #[tokio::test]
     async fn client_caches_token() {
         let (client, http_client) = mock_imds_client(vec![
             ReplayEvent::new(
                 token_request("http://169.254.169.254", 21600),
                 token_response(21600, TOKEN_A),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/metadata", TOKEN_A),
                 imds_response(r#"test-imds-output"#),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/metadata2", TOKEN_A),

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/imds/credentials.rs

@@ -1,1 +45,44 @@

↥ Expand context

 /*
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
  */

-5
 //! IMDSv2 Credentials Provider
 //!
 //! # Important
 //! This credential provider will NOT fallback to IMDSv1. Ensure that IMDSv2 is enabled on your instances.
-10
 use super::client::error::ImdsError;
 use crate::imds::{self, Client};
 use crate::json_credentials::{parse_json_credentials, JsonCredentials, RefreshableCredentials};
 use crate::provider_config::ProviderConfig;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_credential_types::Credentials;
 use aws_smithy_async::time::SharedTimeSource;
 use aws_types::os_shim_internal::Env;
 use std::borrow::Cow;
 use std::error::Error as StdError;
 use std::fmt;
 use std::sync::{Arc, RwLock};
 use std::time::{Duration, SystemTime};
-24

↧ Expand context

 const CREDENTIAL_EXPIRATION_INTERVAL: Duration = Duration::from_secs(10 * 60);
 const WARNING_FOR_EXTENDING_CREDENTIALS_EXPIRY: &str =
     "Attempting credential expiration extension due to a credential service availability issue. \
     A refresh of these credentials will be attempted again within the next";
-29
 #[derive(Debug)]
 struct ImdsCommunicationError {
     source: Box<dyn StdError + Send + Sync + 'static>,
-33
+}
-34
 impl fmt::Display for ImdsCommunicationError {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(f, "could not communicate with IMDS")
-38
+    }
-39
+}
-40
 impl StdError for ImdsCommunicationError {
     fn source(&self) -> Option<&(dyn StdError + 'static)> {
         Some(self.source.as_ref())
-44
+    }

@@ -243,242 +330,322 @@

↥ Expand context

                 let _ = account_id;
                 let expiration = self.maybe_extend_expiration(expiration);
                 let creds = Credentials::new(
                     access_key_id,
                     secret_access_key,
                     Some(session_token.to_string()),
                     expiration.into(),
                     "IMDSv2",
                 );
                 *self.last_retrieved_credentials.write().unwrap() = Some(creds.clone());
                 Ok(creds)
-253
+            }
             Ok(JsonCredentials::Error { code, message })
                 if code == codes::ASSUME_ROLE_UNAUTHORIZED_ACCESS =>
-256
+            {
                 Err(CredentialsError::invalid_configuration(format!(
                     "Incorrect IMDS/IAM configuration: [{}] {}. \
                         Hint: Does this role have a trust relationship with EC2?",
                     code, message
                 )))

-262
+            }
             Ok(JsonCredentials::Error { code, message }) => {
                 Err(CredentialsError::provider_error(format!(
                     "Error retrieving credentials from IMDS: {} {}",
                     code, message
                 )))
-268
+            }
             // got bad data from IMDS, should not occur during normal operation:
             Err(invalid) => Err(CredentialsError::unhandled(invalid)),
-271
+        }
         .map(|mut creds| {
             creds
                 .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                 .push(AwsCredentialFeature::CredentialsImds);
             creds
         })
-272
+    }
-273
     async fn credentials(&self) -> provider::Result {
         match self.retrieve_credentials().await {
             creds @ Ok(_) => creds,
             // Any failure while retrieving credentials MUST NOT impede use of existing credentials.
             err => match &*self.last_retrieved_credentials.read().unwrap() {
                 Some(creds) => Ok(creds.clone()),
                 _ => err,
             },
-282
+        }
-283
+    }
-284
+}
-285
 #[cfg(test)]
 mod test {
     use super::*;
     use crate::imds::client::test::{
         imds_request, imds_response, make_imds_client, token_request, token_response,
     };
     use crate::provider_config::ProviderConfig;
     use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::ProvideCredentials;
     use aws_smithy_async::test_util::instant_time_and_sleep;
     use aws_smithy_http_client::test_util::{ReplayEvent, StaticReplayClient};
     use aws_smithy_types::body::SdkBody;
     use std::time::{Duration, UNIX_EPOCH};
     use tracing_test::traced_test;
-299
     const TOKEN_A: &str = "token_a";
-301
     #[tokio::test]

↧ Expand context

     async fn profile_is_not_cached() {
         let http_client = StaticReplayClient::new(vec![
             ReplayEvent::new(
                 token_request("http://169.254.169.254", 21600),
                 token_response(21600, TOKEN_A),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/", TOKEN_A),
                 imds_response(r#"profile-name"#),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/profile-name", TOKEN_A),
                 imds_response("{\n  \"Code\" : \"Success\",\n  \"LastUpdated\" : \"2021-09-20T21:42:26Z\",\n  \"Type\" : \"AWS-HMAC\",\n  \"AccessKeyId\" : \"ASIARTEST\",\n  \"SecretAccessKey\" : \"testsecret\",\n  \"Token\" : \"testtoken\",\n  \"Expiration\" : \"2021-09-21T04:16:53Z\"\n}"),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/", TOKEN_A),
                 imds_response(r#"different-profile"#),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/different-profile", TOKEN_A),

@@ -510,502 +575,532 @@

↥ Expand context

                 ReplayEvent::new(
                     token_request("http://169.254.169.254", 21600),
                     token_response(21600, TOKEN_A),
                 ),
                 ReplayEvent::new(
                     imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/", TOKEN_A),
                     imds_response(r#"profile-name"#),
                 ),
                 ReplayEvent::new(
                     imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/profile-name", TOKEN_A),
                     imds_response("{\n  \"Code\" : \"Success\",\n  \"LastUpdated\" : \"2021-09-20T21:42:26Z\",\n  \"Type\" : \"AWS-HMAC\",\n  \"AccessKeyId\" : \"ASIARTEST\",\n  \"SecretAccessKey\" : \"testsecret\",\n  \"Token\" : \"testtoken\",\n  \"Expiration\" : \"2021-09-21T04:16:53Z\"\n}"),
                 ),
                 // The following request/response pair corresponds to the second call to `provide_credentials`.
                 // During the call, IMDS returns response code 500.
                 ReplayEvent::new(
                     imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/", TOKEN_A),
                     http::Response::builder().status(500).body(SdkBody::empty()).unwrap(),
                 ),
             ]);
         let provider = ImdsCredentialsProvider::builder()

             .imds_client(make_imds_client(&http_client))
             .configure(&ProviderConfig::no_configuration())
             .build();
         let creds1 = provider.provide_credentials().await.expect("valid creds");
         assert_eq!(creds1.access_key_id(), "ASIARTEST");
         // `creds1` should be returned as fallback credentials and assigned to `creds2`
         let creds2 = provider.provide_credentials().await.expect("valid creds");
         assert_eq!(creds1, creds2);
         http_client.assert_requests_match(&[]);
-531
+    }
--
     #[tokio::test]
     async fn credentials_feature() {
         let http_client = StaticReplayClient::new(vec![
             ReplayEvent::new(
                 token_request("http://169.254.169.254", 21600),
                 token_response(21600, TOKEN_A),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/", TOKEN_A),
                 imds_response(r#"profile-name"#),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/profile-name", TOKEN_A),
                 imds_response("{\n  \"Code\" : \"Success\",\n  \"LastUpdated\" : \"2021-09-20T21:42:26Z\",\n  \"Type\" : \"AWS-HMAC\",\n  \"AccessKeyId\" : \"ASIARTEST\",\n  \"SecretAccessKey\" : \"testsecret\",\n  \"Token\" : \"testtoken\",\n  \"Expiration\" : \"2021-09-21T04:16:53Z\"\n}"),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/", TOKEN_A),
                 imds_response(r#"different-profile"#),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/different-profile", TOKEN_A),
                 imds_response("{\n  \"Code\" : \"Success\",\n  \"LastUpdated\" : \"2021-09-20T21:42:26Z\",\n  \"Type\" : \"AWS-HMAC\",\n  \"AccessKeyId\" : \"ASIARTEST2\",\n  \"SecretAccessKey\" : \"testsecret\",\n  \"Token\" : \"testtoken\",\n  \"Expiration\" : \"2021-09-21T04:16:53Z\"\n}"),
             ),
         ]);
         let client = ImdsCredentialsProvider::builder()
             .imds_client(make_imds_client(&http_client))
             .configure(&ProviderConfig::no_configuration())
             .build();
         let creds = client.provide_credentials().await.expect("valid creds");
         assert_eq!(
             &vec![AwsCredentialFeature::CredentialsImds],
             creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
         );
--
+    }
-532
+}

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/lib.rs

@@ -867,867 +1033,1024 @@

↥ Expand context

             let request_min_compression_size_bytes =
                 if self.request_min_compression_size_bytes.is_some() {
                     self.request_min_compression_size_bytes
                 } else {
                     request_min_compression_size_bytes::request_min_compression_size_bytes_provider(
                         &conf,
-873
+                    )
                     .await
                 };
-876
             let base_config = timeout_config::default_provider()
                 .configure(&conf)
                 .timeout_config()
                 .await;
             let mut timeout_config = self
                 .timeout_config
                 .unwrap_or_else(|| TimeoutConfig::builder().build());
             timeout_config.take_defaults_from(&base_config);
-885
             let credentials_provider = match self.credentials_provider {

                 TriStateOption::Set(provider) => Some(provider),
                 TriStateOption::NotSet => {
                     let mut builder =
                         credentials::DefaultCredentialsChain::builder().configure(conf.clone());
                     builder.set_region(region.clone());
                     Some(SharedCredentialsProvider::new(builder.build().await))
-893
+                }
                 TriStateOption::ExplicitlyUnset => None,
             };
-896
             let token_provider = match self.token_provider {
                 Some(provider) => Some(provider),
                 None => {
                     #[cfg(feature = "sso")]
-+
+                    {
                         let mut builder =
                             crate::default_provider::token::DefaultTokenChain::builder()
                                 .configure(conf.clone());
                         builder.set_region(region.clone());
                         Some(SharedTokenProvider::new(builder.build().await))
-+
+                    }
                     #[cfg(not(feature = "sso"))]
-+
+                    {
                         None
-+
+                    }
-+
+                }
             };
-+
             let profiles = conf.profile().await;
             let service_config = EnvServiceConfig {
                 env: conf.env(),
                 env_config_sections: profiles.cloned().unwrap_or_default(),
             };
             let mut builder = SdkConfig::builder()
                 .region(region.clone())
                 .region(region)
                 .retry_config(retry_config)
                 .timeout_config(timeout_config)
                 .time_source(time_source)
                 .service_config(service_config);
-926
             // If an endpoint URL is set programmatically, then our work is done.
             let endpoint_url = if self.endpoint_url.is_some() {
                 builder.insert_origin("endpoint_url", Origin::shared_config());
                 self.endpoint_url
             } else {
                 // Otherwise, check to see if we should ignore EP URLs set in the environment.
                 let ignore_configured_endpoint_urls =
                     ignore_ep::ignore_configured_endpoint_urls_provider(&conf)
                         .await
                         .unwrap_or_default();
-937
                 if ignore_configured_endpoint_urls {
                     // If yes, log a trace and return `None`.
                     tracing::trace!(
                         "`ignore_configured_endpoint_urls` is set, any endpoint URLs configured in the environment will be ignored. \
                         NOTE: Endpoint URLs set programmatically WILL still be respected"
                     );
                     None
                 } else {
                     // Otherwise, attempt to resolve one.
                     let (v, origin) = endpoint_url::endpoint_url_provider_with_origin(&conf).await;
                     builder.insert_origin("endpoint_url", origin);
-949
+                    v
-950
+                }
             };
-952
             let token_provider = match self.token_provider {
                 Some(provider) => {
                     builder.insert_origin("token_provider", Origin::shared_config());
                     Some(provider)
--
+                }
                 None => {
                     #[cfg(feature = "sso")]
--
+                    {
                         let mut builder =
                             crate::default_provider::token::DefaultTokenChain::builder()
                                 .configure(conf.clone());
                         builder.set_region(region);
                         Some(SharedTokenProvider::new(builder.build().await))
--
+                    }
                     #[cfg(not(feature = "sso"))]
--
+                    {
                         None
--
+                    }
                     // Not setting `Origin` in this arm, and that's good for now as long as we know
                     // it's not programmatically set in the shared config.
                     // We can consider adding `Origin::Default` if needed.
--
+                }
             };
--
             builder.set_endpoint_url(endpoint_url);
             builder.set_behavior_version(self.behavior_version);
             builder.set_http_client(self.http_client);
             builder.set_app_name(app_name);
-957
             let identity_cache = match self.identity_cache {
                 None => match self.behavior_version {
                     #[allow(deprecated)]
                     Some(bv) if bv.is_at_least(BehaviorVersion::v2024_03_28()) => {
                         Some(IdentityCache::lazy().build())
-963
+                    }
                     _ => None,
                 },
                 Some(user_cache) => Some(user_cache),
             };
-968
             let request_checksum_calculation =
                 if let Some(request_checksum_calculation) = self.request_checksum_calculation {
                     Some(request_checksum_calculation)
                 } else {
                     checksums::request_checksum_calculation_provider(&conf).await
                 };
-975
             let response_checksum_validation =
                 if let Some(response_checksum_validation) = self.response_checksum_validation {
                     Some(response_checksum_validation)
                 } else {
                     checksums::response_checksum_validation_provider(&conf).await
                 };
-982
             let account_id_endpoint_mode =
                 if let Some(acccount_id_endpoint_mode) = self.account_id_endpoint_mode {
                     Some(acccount_id_endpoint_mode)
                 } else {
                     account_id_endpoint_mode::account_id_endpoint_mode_provider(&conf).await
                 };
-989
             let auth_scheme_preference =
                 if let Some(auth_scheme_preference) = self.auth_scheme_preference {
                     builder.insert_origin("auth_scheme_preference", Origin::shared_config());
                     Some(auth_scheme_preference)
                 } else {
                     auth_scheme_preference::auth_scheme_preference_provider(&conf).await
                     // Not setting `Origin` in this arm, and that's good for now as long as we know
                     // it's not programmatically set in the shared config.
                 };
-996
             builder.set_request_checksum_calculation(request_checksum_calculation);
             builder.set_response_checksum_validation(response_checksum_validation);
             builder.set_identity_cache(identity_cache);
             builder.set_credentials_provider(credentials_provider);
             builder.set_token_provider(token_provider);
             builder.set_sleep_impl(sleep_impl);
             builder.set_use_fips(use_fips);
             builder.set_use_dual_stack(use_dual_stack);

↧ Expand context

             builder.set_disable_request_compression(disable_request_compression);
             builder.set_request_min_compression_size_bytes(request_min_compression_size_bytes);
             builder.set_stalled_stream_protection(self.stalled_stream_protection_config);
             builder.set_account_id_endpoint_mode(account_id_endpoint_mode);
             builder.set_auth_scheme_preference(auth_scheme_preference);
             builder.build()
-1011
+        }
-1012
+    }
-1013
     #[cfg(test)]
     impl ConfigLoader {
         pub(crate) fn env(mut self, env: Env) -> Self {
             self.env = Some(env);
             self
-1019
+        }
-1020
         pub(crate) fn fs(mut self, fs: Fs) -> Self {
             self.fs = Some(fs);
             self
-1024
+        }

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/profile/credentials.rs

@@ -1,1 +61,60 @@

↥ Expand context

 /*
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
  */
-5
 //! Profile File Based Credential Providers
 //!
 //! Profile file based providers combine two pieces:
 //!
 //! 1. Parsing and resolution of the assume role chain
 //! 2. A user-modifiable hashmap of provider name to provider.
 //!
 //! Profile file based providers first determine the chain of providers that will be used to load
 //! credentials. After determining and validating this chain, a `Vec` of providers will be created.
 //!
 //! Each subsequent provider will provide boostrap providers to the next provider in order to load
 //! the final credentials.
 //!
 //! This module contains two sub modules:
 //! - `repr` which contains an abstract representation of a provider chain and the logic to

 //!   build it from `~/.aws/credentials` and `~/.aws/config`.
 //! - `exec` which contains a chain representation of providers to implement passing bootstrapped credentials
 //!   through a series of providers.
-24
 use crate::profile::cell::ErrorTakingOnceCell;
 #[allow(deprecated)]
 use crate::profile::profile_file::ProfileFiles;
 use crate::profile::Profile;
 use crate::profile::ProfileFileLoadError;
 use crate::provider_config::ProviderConfig;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::{
     provider::{self, error::CredentialsError, future, ProvideCredentials},
     Credentials,
 };
 use aws_smithy_types::error::display::DisplayErrorContext;
 use std::borrow::Cow;
 use std::collections::HashMap;
 use std::error::Error;
 use std::fmt::{Display, Formatter};
 use std::sync::Arc;

↧ Expand context

 use tracing::Instrument;
-42
 mod exec;
 pub(crate) mod repr;
-45
 /// AWS Profile based credentials provider
 ///
 /// This credentials provider will load credentials from `~/.aws/config` and `~/.aws/credentials`.
 /// The locations of these files are configurable via environment variables, see [below](#location-of-profile-files).
 ///
 /// Generally, this will be constructed via the default provider chain, however, it can be manually
 /// constructed with the builder:
 /// ```rust,no_run
 /// use aws_config::profile::ProfileFileCredentialsProvider;
 /// let provider = ProfileFileCredentialsProvider::builder().build();
 /// ```
 ///
 /// _Note: Profile providers, when called, will load and parse the profile from the file system
 /// only once. Parsed file contents will be cached indefinitely._
 ///

@@ -160,159 +225,219 @@

↥ Expand context

             .get_or_init(
-160
+                {
                     let config = self.config.clone();
                     move || async move {
                         match build_provider_chain(config.clone()).await {
                             Ok(chain) => Ok(ChainProvider {
                                 config: config.clone(),
                                 chain: Some(Arc::new(chain)),
                             }),
                             Err(err) => match err {
                                 ProfileFileError::NoProfilesDefined
                                 | ProfileFileError::ProfileDidNotContainCredentials { .. } => {
                                     Ok(ChainProvider {
                                         config: config.clone(),
                                         chain: None,
                                     })
-175
+                                }
                                 _ => Err(CredentialsError::invalid_configuration(format!(
                                     "ProfileFile provider could not be built: {}",
                                     &err

                                 ))),
                             },
-181
+                        }
-182
+                    }
                 },
                 CredentialsError::unhandled(
                     "profile file credentials provider initialization error already taken",
                 ),
-187
+            )
             .await?;
         inner_provider.provide_credentials().await.map(|mut creds| {
             creds
                 .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                 .push(AwsCredentialFeature::CredentialsProfile);
             creds
         })
         inner_provider.provide_credentials().await
-190
+    }
-191
+}
-192
 impl ProvideCredentials for ProfileFileCredentialsProvider {
     fn provide_credentials<'a>(&'a self) -> future::ProvideCredentials<'a>
     where
         Self: 'a,
-197
+    {
         future::ProvideCredentials::new(self.load_credentials())
-199
+    }

↧ Expand context

-200
+}
-201
 /// An Error building a Credential source from an AWS Profile
 #[derive(Debug)]
 #[non_exhaustive]
 pub enum ProfileFileError {
     /// The profile was not a valid AWS profile
     #[non_exhaustive]
     InvalidProfile(ProfileFileLoadError),
-209
     /// No profiles existed (the profile was empty)
     #[non_exhaustive]
     NoProfilesDefined,
-213
     /// The profile did not contain any credential information
     #[non_exhaustive]
     ProfileDidNotContainCredentials {
         /// The name of the profile
         profile: String,
     },

@@ -605,599 +801,767 @@

↥ Expand context

     make_test!(retry_on_error);
     make_test!(invalid_config);
     make_test!(region_override);
     // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is disabled on Windows because it uses Unix-style paths
     #[cfg(all(feature = "credentials-process", not(windows)))]
     make_test!(credential_process);
     // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is disabled on Windows because it uses Unix-style paths
     #[cfg(all(feature = "credentials-process", not(windows)))]
     make_test!(credential_process_failure);
     // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is disabled on Windows because it uses Unix-style paths
     #[cfg(all(feature = "credentials-process", not(windows)))]
     make_test!(credential_process_account_id_fallback);
     #[cfg(feature = "credentials-process")]
     make_test!(credential_process_invalid);
     #[cfg(feature = "sso")]
     make_test!(sso_credentials);
     #[cfg(feature = "sso")]
     make_test!(sso_override_global_env_url);
     #[cfg(feature = "sso")]
     make_test!(sso_token);

-619
     make_test!(assume_role_override_global_env_url);
     make_test!(assume_role_override_service_env_url);
     make_test!(assume_role_override_global_profile_url);
     make_test!(assume_role_override_service_profile_url);
-624
+}
-625
 #[cfg(all(test, feature = "sso"))]
 mod sso_tests {
     use crate::{profile::credentials::Builder, provider_config::ProviderConfig};
     use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::ProvideCredentials;
     use aws_sdk_sso::config::RuntimeComponents;
     use aws_smithy_runtime_api::client::{
         http::{
             HttpClient, HttpConnector, HttpConnectorFuture, HttpConnectorSettings,
             SharedHttpConnector,
         },
         orchestrator::{HttpRequest, HttpResponse},
     };
     use aws_smithy_types::body::SdkBody;
     use aws_types::os_shim_internal::{Env, Fs};
     use std::collections::HashMap;
-641
     #[derive(Debug)]
     struct ClientInner {
         expected_token: &'static str,
--
+    }
     impl HttpConnector for ClientInner {
         fn call(&self, request: HttpRequest) -> HttpConnectorFuture {
             assert_eq!(
                 self.expected_token,
                 request.headers().get("x-amz-sso_bearer_token").unwrap()
             );
             HttpConnectorFuture::ready(Ok(HttpResponse::new(
     // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is ignored on Windows because it uses Unix-style paths
     #[cfg_attr(windows, ignore)]
     // In order to preserve the SSO token cache, the inner provider must only
     // be created once, rather than once per credential resolution.
     #[tokio::test]
     async fn create_inner_provider_exactly_once() {
         #[derive(Debug)]
         struct ClientInner {
             expected_token: &'static str,
-+
+        }
         impl HttpConnector for ClientInner {
             fn call(&self, request: HttpRequest) -> HttpConnectorFuture {
                 assert_eq!(
                     self.expected_token,
                     request.headers().get("x-amz-sso_bearer_token").unwrap()
                 );
                 HttpConnectorFuture::ready(Ok(HttpResponse::new(
 .try_into().unwrap(),
                     SdkBody::from("{\"roleCredentials\":{\"accessKeyId\":\"ASIARTESTID\",\"secretAccessKey\":\"TESTSECRETKEY\",\"sessionToken\":\"TESTSESSIONTOKEN\",\"expiration\": 1651516560000}}"),
                 )))
-+
+            }
-663
+        }
--
+    }
     #[derive(Debug)]
     struct Client {
         inner: SharedHttpConnector,
--
+    }
     impl Client {
         fn new(expected_token: &'static str) -> Self {
             Self {
                 inner: SharedHttpConnector::new(ClientInner { expected_token }),
         #[derive(Debug)]
         struct Client {
             inner: SharedHttpConnector,
-+
+        }
         impl Client {
             fn new(expected_token: &'static str) -> Self {
                 Self {
                     inner: SharedHttpConnector::new(ClientInner { expected_token }),
-+
+                }
-673
+            }
-674
+        }
--
+    }
     impl HttpClient for Client {
         fn http_connector(
             &self,
             _settings: &HttpConnectorSettings,
             _components: &RuntimeComponents,
         ) -> SharedHttpConnector {
             self.inner.clone()
         impl HttpClient for Client {
             fn http_connector(
                 &self,
                 _settings: &HttpConnectorSettings,
                 _components: &RuntimeComponents,
             ) -> SharedHttpConnector {
                 self.inner.clone()
-+
+            }
-683
+        }
--
+    }
-684
     fn create_test_fs() -> Fs {
         Fs::from_map({
         let fs = Fs::from_map({
             let mut map = HashMap::new();
             map.insert(
                 "/home/.aws/config".to_string(),
                 br#"
 [profile default]
 sso_session = dev
 sso_account_id = 012345678901
 sso_role_name = SampleRole
 region = us-east-1
-695
 [sso-session dev]
 sso_region = us-east-1
 sso_start_url = https://d-abc123.awsapps.com/start
                 "#
                 .to_vec(),
             );
             map.insert(
                 "/home/.aws/sso/cache/34c6fceca75e456f25e7e99531e2425c6c1de443.json".to_string(),
                 br#"
-705
+                {
                     "accessToken": "secret-access-token",
                     "expiresAt": "2199-11-14T04:05:45Z",
                     "refreshToken": "secret-refresh-token",
                     "clientId": "ABCDEFG323242423121312312312312312",
                     "clientSecret": "ABCDE123",
                     "registrationExpiresAt": "2199-03-06T19:53:17Z",
                     "region": "us-east-1",
                     "startUrl": "https://d-abc123.awsapps.com/start"
-714
+                }
                 "#
                 .to_vec(),
             );
             map
         })
--
+    }
--
     // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is ignored on Windows because it uses Unix-style paths
     #[cfg_attr(windows, ignore)]
     // In order to preserve the SSO token cache, the inner provider must only
     // be created once, rather than once per credential resolution.
     #[tokio::test]
     async fn create_inner_provider_exactly_once() {
         let fs = create_test_fs();
--
         });
         let provider_config = ProviderConfig::empty()
             .with_fs(fs.clone())
             .with_env(Env::from_slice(&[("HOME", "/home")]))
             .with_http_client(Client::new("secret-access-token"));
         let provider = Builder::default().configure(&provider_config).build();
-725
         let first_creds = provider.provide_credentials().await.unwrap();
-727
         // Write to the token cache with an access token that won't match the fake client's
         // expected access token, and thus, won't return SSO credentials.
         fs.write(
             "/home/.aws/sso/cache/34c6fceca75e456f25e7e99531e2425c6c1de443.json",
             r#"
-733
+            {
                 "accessToken": "NEW!!secret-access-token",
                 "expiresAt": "2199-11-14T04:05:45Z",
                 "refreshToken": "secret-refresh-token",
                 "clientId": "ABCDEFG323242423121312312312312312",
                 "clientSecret": "ABCDE123",
                 "registrationExpiresAt": "2199-03-06T19:53:17Z",
                 "region": "us-east-1",
                 "startUrl": "https://d-abc123.awsapps.com/start"
-742
+            }
             "#,
-744
+        )
         .await
         .unwrap();
-747
         // Loading credentials will still work since the SSOTokenProvider should have only
         // been created once, and thus, the correct token is still in an in-memory cache.
         let second_creds = provider
             .provide_credentials()
             .await
             .expect("used cached token instead of loading from the file system");
         assert_eq!(first_creds, second_creds);
-755
         // Now create a new provider, which should use the new cached token value from the file system
         // since it won't have the in-memory cache. We do this just to verify that the FS mutation above
         // actually worked correctly.
         let provider_config = ProviderConfig::empty()
             .with_fs(fs.clone())
             .with_env(Env::from_slice(&[("HOME", "/home")]))
             .with_http_client(Client::new("NEW!!secret-access-token"));
         let provider = Builder::default().configure(&provider_config).build();
         let third_creds = provider.provide_credentials().await.unwrap();
         assert_eq!(second_creds, third_creds);
-766
+    }
--
     #[cfg_attr(windows, ignore)]
     #[tokio::test]
     async fn credential_feature() {
         let fs = create_test_fs();
--
         let provider_config = ProviderConfig::empty()
             .with_fs(fs.clone())
             .with_env(Env::from_slice(&[("HOME", "/home")]))
             .with_http_client(Client::new("secret-access-token"));
         let provider = Builder::default().configure(&provider_config).build();
--
         let creds = provider.provide_credentials().await.unwrap();
--
         assert_eq!(
             &vec![
                 AwsCredentialFeature::CredentialsSso,
                 AwsCredentialFeature::CredentialsProfile
             ],
             creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
--
+        )
--
+    }
-767
+}

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/sso/credentials.rs

@@ -1,1 +47,46 @@

↥ Expand context

 /*
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
  */
-5
 //! SSO Credentials Provider

 //!
 //! This credentials provider enables loading credentials from `~/.aws/sso/cache`. For more information,
 //! see [Using AWS SSO Credentials](https://docs.aws.amazon.com/toolkit-for-vscode/latest/userguide/sso-credentials.html)
 //!
 //! This provider is included automatically when profiles are loaded.
-12
 use super::cache::load_cached_token;
 use crate::identity::IdentityCache;
 use crate::provider_config::ProviderConfig;
 use crate::sso::SsoTokenProvider;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_credential_types::Credentials;
 use aws_sdk_sso::types::RoleCredentials;
 use aws_sdk_sso::Client as SsoClient;
 use aws_smithy_async::time::SharedTimeSource;
 use aws_smithy_types::DateTime;
 use aws_types::os_shim_internal::{Env, Fs};
 use aws_types::region::Region;
 use aws_types::SdkConfig;
-26

↧ Expand context

 /// SSO Credentials Provider
 ///
 /// _Note: This provider is part of the default credentials chain and is integrated with the profile-file provider._
 ///
 /// This credentials provider will use cached SSO tokens stored in `~/.aws/sso/cache/<hash>.json`.
 /// Two different values will be tried for `<hash>` in order:
 /// 1. The configured [`session_name`](Builder::session_name).
 /// 2. The configured [`start_url`](Builder::start_url).
 #[derive(Debug)]
 pub struct SsoCredentialsProvider {
     fs: Fs,
     env: Env,
     sso_provider_config: SsoProviderConfig,
     sdk_config: SdkConfig,
     token_provider: Option<SsoTokenProvider>,
     time_source: SharedTimeSource,
-43
+}
-44
 impl SsoCredentialsProvider {
     /// Creates a builder for [`SsoCredentialsProvider`]

@@ -62,61 +127,120 @@

↥ Expand context

                     .configure(&provider_config.client_config())
                     .start_url(&sso_provider_config.start_url)
                     .session_name(session_name)
                     .region(sso_provider_config.region.clone())
                     .build_with(env.clone(), fs.clone()),
-66
+            )
         } else {
             None
         };
-70
         SsoCredentialsProvider {
             fs,
             env,
             sso_provider_config,
             sdk_config: provider_config.client_config(),
             token_provider,
             time_source: provider_config.time_source(),
-78
+        }
-79
+    }
-80

     async fn credentials(&self) -> provider::Result {
         load_sso_credentials(
             &self.sso_provider_config,
             &self.sdk_config,
             self.token_provider.as_ref(),
             &self.env,
             &self.fs,
             self.time_source.clone(),
-89
+        )
         .await
         .map(|mut creds| {
             creds
                 .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                 .push(AwsCredentialFeature::CredentialsSso);
             creds
         })
-91
+    }
-92
+}
-93
 impl ProvideCredentials for SsoCredentialsProvider {
     fn provide_credentials<'a>(&'a self) -> future::ProvideCredentials<'a>
     where
         Self: 'a,
-98
+    {
         future::ProvideCredentials::new(self.credentials())
-100
+    }

↧ Expand context

-101
+}
-102
 /// Builder for [`SsoCredentialsProvider`]
 #[derive(Default, Debug, Clone)]
 pub struct Builder {
     provider_config: Option<ProviderConfig>,
     account_id: Option<String>,
     region: Option<Region>,
     role_name: Option<String>,
     start_url: Option<String>,
     session_name: Option<String>,
-112
+}
-113
 impl Builder {
     /// Create a new builder for [`SsoCredentialsProvider`]
     pub fn new() -> Self {
         Self::default()
-118
+    }
-119
     /// Override the configuration used for this provider

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/sts/assume_role.rs

@@ -1,1 +38,37 @@

 /*
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
  */
-5
 //! Assume credentials for a role through the AWS Security Token Service (STS).
-7
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{
     self, error::CredentialsError, future, ProvideCredentials, SharedCredentialsProvider,
 };
 use aws_sdk_sts::operation::assume_role::builders::AssumeRoleFluentBuilder;
 use aws_sdk_sts::operation::assume_role::AssumeRoleError;
 use aws_sdk_sts::types::PolicyDescriptorType;
 use aws_sdk_sts::Client as StsClient;
 use aws_smithy_runtime::client::identity::IdentityCache;
 use aws_smithy_runtime_api::client::result::SdkError;
 use aws_smithy_types::error::display::DisplayErrorContext;

↧ Expand context

 use aws_types::region::Region;
 use aws_types::SdkConfig;
 use std::time::Duration;
 use tracing::Instrument;
-22
 /// Credentials provider that uses credentials provided by another provider to assume a role
 /// through the AWS Security Token Service (STS).
 ///
 /// When asked to provide credentials, this provider will first invoke the inner credentials
 /// provider to get AWS credentials for STS. Then, it will call STS to get assumed credentials for
 /// the desired role.
 ///
 /// # Examples
 /// Create an AssumeRoleProvider explicitly set to us-east-2 that utilizes the default credentials chain.
 /// ```no_run
 /// use aws_config::sts::AssumeRoleProvider;
 /// use aws_types::region::Region;
 /// # async fn docs() {
 /// let provider = AssumeRoleProvider::builder("arn:aws:iam::123456789012:role/demo")
 ///   .region(Region::from_static("us-east-2"))

@@ -259,258 +374,365 @@

↥ Expand context

             .set_duration_seconds(self.session_length.map(|dur| dur.as_secs() as i32));
-259
         AssumeRoleProvider {
             inner: Inner { fluent_builder },
-262
+        }
-263
+    }
-264
     /// Build a credentials provider for this role authorized by the given `provider`.
     pub async fn build_from_provider(
         mut self,
         provider: impl ProvideCredentials + 'static,
     ) -> AssumeRoleProvider {
         let conf = match self.sdk_config {
             Some(conf) => conf,
             None => crate::load_defaults(crate::BehaviorVersion::latest()).await,
         };
         let conf = conf
             .into_builder()
             .credentials_provider(SharedCredentialsProvider::new(provider))
             .build();

         self.sdk_config = Some(conf);
         self.build().await
-280
+    }
-281
+}
-282
 impl Inner {
     async fn credentials(&self) -> provider::Result {
         tracing::debug!("retrieving assumed credentials");
-286
         let assumed = self.fluent_builder.clone().send().in_current_span().await;
         let assumed = match assumed {
         match assumed {
             Ok(assumed) => {
                 tracing::debug!(
                     access_key_id = ?assumed.credentials.as_ref().map(|c| &c.access_key_id),
                     "obtained assumed credentials"
                 );
                 super::util::into_credentials(
                     assumed.credentials,
                     assumed.assumed_role_user,
                     "AssumeRoleProvider",
-298
+                )
-299
+            }
             Err(SdkError::ServiceError(ref context))
                 if matches!(
                     context.err(),
                     AssumeRoleError::RegionDisabledException(_)
                         | AssumeRoleError::MalformedPolicyDocumentException(_)
                 ) =>
-306
+            {
                 Err(CredentialsError::invalid_configuration(
                     assumed.err().unwrap(),
                 ))
-310
+            }
             Err(SdkError::ServiceError(ref context)) => {
                 tracing::warn!(error = %DisplayErrorContext(context.err()), "STS refused to grant assume role");
                 Err(CredentialsError::provider_error(assumed.err().unwrap()))
-314
+            }
             Err(err) => Err(CredentialsError::provider_error(err)),
         };
--
         assumed.map(|mut creds| {
             creds
                 .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                 .push(AwsCredentialFeature::CredentialsStsAssumeRole);
             creds
         })
-+
+        }
-317
+    }
-318
+}
-319
 impl ProvideCredentials for AssumeRoleProvider {
     fn provide_credentials<'a>(&'a self) -> future::ProvideCredentials<'a>
     where
         Self: 'a,
-324
+    {
         future::ProvideCredentials::new(
             self.inner
                 .credentials()
                 .instrument(tracing::debug_span!("assume_role")),
-329
+        )
-330
+    }
-331
+}
-332
 #[cfg(test)]
 mod test {
     use crate::sts::AssumeRoleProvider;
     use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::credential_fn::provide_credentials_fn;
     use aws_credential_types::provider::{ProvideCredentials, SharedCredentialsProvider};
     use aws_credential_types::Credentials;
     use aws_smithy_async::rt::sleep::{SharedAsyncSleep, TokioSleep};
     use aws_smithy_async::test_util::instant_time_and_sleep;
     use aws_smithy_async::time::StaticTimeSource;
     use aws_smithy_http_client::test_util::{capture_request, ReplayEvent, StaticReplayClient};
     use aws_smithy_runtime::test_util::capture_test_logs::capture_test_logs;
     use aws_smithy_runtime_api::client::behavior_version::BehaviorVersion;
     use aws_smithy_types::body::SdkBody;

↧ Expand context

     use aws_types::os_shim_internal::Env;
     use aws_types::region::Region;
     use aws_types::SdkConfig;
     use http::header::AUTHORIZATION;
     use std::time::{Duration, UNIX_EPOCH};
-351
     #[tokio::test]
     async fn configures_session_length() {
         let (http_client, request) = capture_request(None);
         let sdk_config = SdkConfig::builder()
             .sleep_impl(SharedAsyncSleep::new(TokioSleep::new()))
             .time_source(StaticTimeSource::new(
                 UNIX_EPOCH + Duration::from_secs(1234567890 - 120),
             ))
             .http_client(http_client)
             .region(Region::from_static("this-will-be-overridden"))
             .behavior_version(crate::BehaviorVersion::latest())
             .build();
         let provider = AssumeRoleProvider::builder("myrole")
             .configure(&sdk_config)

@@ -425,416 +566,515 @@

↥ Expand context

                 .unwrap(),
         ));
         let conf = crate::defaults(BehaviorVersion::latest())
             .env(Env::from_slice(&[
                 ("AWS_ACCESS_KEY_ID", "123-key"),
                 ("AWS_SECRET_ACCESS_KEY", "456"),
                 ("AWS_REGION", "us-west-17"),
             ]))
             .use_dual_stack(true)
             .use_fips(true)
             .time_source(StaticTimeSource::from_secs(1234567890))
             .http_client(http_client)
             .load()
             .await;
         let provider = AssumeRoleProvider::builder("role")
             .configure(&conf)
             .build()
             .await;
         let _ = dbg!(provider.provide_credentials().await);
         let req = request.expect_request();

         let auth_header = req.headers().get(AUTHORIZATION).unwrap().to_string();
         let expect = "Credential=123-key/20090213/us-west-17/sts/aws4_request";
         assert!(
             auth_header.contains(expect),
             "Expected header to contain {expect} but it was {auth_header}"
         );
         // ensure that FIPS & DualStack are also respected
         assert_eq!("https://sts-fips.us-west-17.api.aws/", req.uri())
-444
+    }
-445
     fn create_test_http_client() -> StaticReplayClient {
         StaticReplayClient::new(vec![
     #[tokio::test]
     async fn provider_does_not_cache_credentials_by_default() {
         let http_client = StaticReplayClient::new(vec![
             ReplayEvent::new(http::Request::new(SdkBody::from("request body")),
             http::Response::builder().status(200).body(SdkBody::from(
                 "<AssumeRoleResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n  <AssumeRoleResult>\n    <AssumedRoleUser>\n      <AssumedRoleId>AROAR42TAWARILN3MNKUT:assume-role-from-profile-1632246085998</AssumedRoleId>\n      <Arn>arn:aws:sts::130633740322:assumed-role/assume-provider-test/assume-role-from-profile-1632246085998</Arn>\n    </AssumedRoleUser>\n    <Credentials>\n      <AccessKeyId>ASIARCORRECT</AccessKeyId>\n      <SecretAccessKey>secretkeycorrect</SecretAccessKey>\n      <SessionToken>tokencorrect</SessionToken>\n      <Expiration>2009-02-13T23:31:30Z</Expiration>\n    </Credentials>\n  </AssumeRoleResult>\n  <ResponseMetadata>\n    <RequestId>d9d47248-fd55-4686-ad7c-0fb7cd1cddd7</RequestId>\n  </ResponseMetadata>\n</AssumeRoleResponse>\n"
             )).unwrap()),
             ReplayEvent::new(http::Request::new(SdkBody::from("request body")),
             http::Response::builder().status(200).body(SdkBody::from(
                 "<AssumeRoleResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n  <AssumeRoleResult>\n    <AssumedRoleUser>\n      <AssumedRoleId>AROAR42TAWARILN3MNKUT:assume-role-from-profile-1632246085998</AssumedRoleId>\n      <Arn>arn:aws:sts::130633740322:assumed-role/assume-provider-test/assume-role-from-profile-1632246085998</Arn>\n    </AssumedRoleUser>\n    <Credentials>\n      <AccessKeyId>ASIARCORRECT</AccessKeyId>\n      <SecretAccessKey>TESTSECRET</SecretAccessKey>\n      <SessionToken>tokencorrect</SessionToken>\n      <Expiration>2009-02-13T23:33:30Z</Expiration>\n    </Credentials>\n  </AssumeRoleResult>\n  <ResponseMetadata>\n    <RequestId>c2e971c2-702d-4124-9b1f-1670febbea18</RequestId>\n  </ResponseMetadata>\n</AssumeRoleResponse>\n"
             )).unwrap()),
         ])
--
+    }
--
     #[tokio::test]
     async fn provider_does_not_cache_credentials_by_default() {
         let http_client = create_test_http_client();
         ]);
-458
         let (testing_time_source, sleep) = instant_time_and_sleep(
             UNIX_EPOCH + Duration::from_secs(1234567890 - 120), // 1234567890 since UNIX_EPOCH is 2009-02-13T23:31:30Z
         );
-462
         let sdk_config = SdkConfig::builder()
             .sleep_impl(SharedAsyncSleep::new(sleep))
             .time_source(testing_time_source.clone())
             .http_client(http_client)
             .behavior_version(crate::BehaviorVersion::latest())
             .build();
         let credentials_list = std::sync::Arc::new(std::sync::Mutex::new(vec![
             Credentials::new(
                 "test",
                 "test",
                 None,
                 Some(UNIX_EPOCH + Duration::from_secs(1234567890 + 1)),
                 "test",
             ),
             Credentials::new(
                 "test",
                 "test",
                 None,
                 Some(UNIX_EPOCH + Duration::from_secs(1234567890 + 120)),
                 "test",
             ),
         ]));
         let credentials_list_cloned = credentials_list.clone();
         let provider = AssumeRoleProvider::builder("myrole")
             .configure(&sdk_config)
             .region(Region::new("us-east-1"))
             .build_from_provider(provide_credentials_fn(move || {
                 let list = credentials_list.clone();
                 async move {
                     let next = list.lock().unwrap().remove(0);
                     Ok(next)
-494
+                }
             }))
             .await;
-497
         let creds_first = provider
             .provide_credentials()
             .await
             .expect("should return valid credentials");
-502
         // After time has been advanced by 120 seconds, the first credentials _could_ still be valid
         // if `LazyCredentialsCache` were used, but the provider uses `NoCredentialsCache` by default
         // so the first credentials will not be used.
         testing_time_source.advance(Duration::from_secs(120));
-507
         let creds_second = provider
             .provide_credentials()
             .await
             .expect("should return the second credentials");
         assert_ne!(creds_first, creds_second);
         assert!(credentials_list_cloned.lock().unwrap().is_empty());
-514
+    }
--
     #[tokio::test]
     async fn credentials_feature() {
         let http_client = create_test_http_client();
--
         let (testing_time_source, sleep) = instant_time_and_sleep(
             UNIX_EPOCH + Duration::from_secs(1234567890), // 1234567890 since UNIX_EPOCH is 2009-02-13T23:31:30Z
         );
--
         let sdk_config = SdkConfig::builder()
             .sleep_impl(SharedAsyncSleep::new(sleep))
             .time_source(testing_time_source.clone())
             .http_client(http_client)
             .behavior_version(crate::BehaviorVersion::latest())
             .build();
         let credentials = Credentials::new(
             "test",
             "test",
             None,
             Some(UNIX_EPOCH + Duration::from_secs(1234567890 + 1)),
             "test",
         );
         let provider = AssumeRoleProvider::builder("myrole")
             .configure(&sdk_config)
             .region(Region::new("us-east-1"))
             .build_from_provider(credentials)
             .await;
--
         let creds = provider
             .provide_credentials()
             .await
             .expect("should return valid credentials");
--
         assert_eq!(
             &vec![AwsCredentialFeature::CredentialsStsAssumeRole],
             creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
--
+        )
--
+    }
-515
+}

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/web_identity_token.rs

@@ -36,36 +96,95 @@

↥ Expand context

 //! 2. As a source profile for another role:
 //!
 //!   ```ini
 //!   [profile default]
 //!   role_arn = arn:aws:iam::123456789:role/RoleA
 //!   source_profile = base
 //!
 //!   [profile base]
 //!   role_arn = arn:aws:iam::123456789012:role/s3-reader
 //!   web_identity_token_file = /token.jwt
 //!   ```
 //!
 //! # Examples
 //! Web Identity Token providers are part of the [default chain](crate::default_provider::credentials).
 //! However, they may be directly constructed if you don't want to use the default provider chain.
 //! Unless overridden with [`static_configuration`](Builder::static_configuration), the provider will
 //! load configuration from environment variables.
 //!
 //! ```no_run
 //! # async fn test() {

 //! use aws_config::web_identity_token::WebIdentityTokenCredentialsProvider;
 //! use aws_config::provider_config::ProviderConfig;
 //! let provider = WebIdentityTokenCredentialsProvider::builder()
 //!     .configure(&ProviderConfig::with_default_region().await)
 //!     .build();
 //! # }
 //! ```
-63
 use crate::provider_config::ProviderConfig;
 use crate::sts;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_sdk_sts::{types::PolicyDescriptorType, Client as StsClient};
 use aws_smithy_async::time::SharedTimeSource;
 use aws_smithy_types::error::display::DisplayErrorContext;
 use aws_types::os_shim_internal::{Env, Fs};
-71
 use std::borrow::Cow;
 use std::path::{Path, PathBuf};
-74
 const ENV_VAR_TOKEN_FILE: &str = "AWS_WEB_IDENTITY_TOKEN_FILE";

↧ Expand context

 const ENV_VAR_ROLE_ARN: &str = "AWS_ROLE_ARN";
 const ENV_VAR_SESSION_NAME: &str = "AWS_ROLE_SESSION_NAME";
-78
 /// Credential provider to load credentials from Web Identity Tokens
 ///
 /// See Module documentation for more details
 #[derive(Debug)]
 pub struct WebIdentityTokenCredentialsProvider {
     source: Source,
     time_source: SharedTimeSource,
     fs: Fs,
     sts_client: StsClient,
     policy: Option<String>,
     policy_arns: Option<Vec<PolicyDescriptorType>>,
-90
+}
-91
 impl WebIdentityTokenCredentialsProvider {
     /// Builder for this credentials provider
     pub fn builder() -> Builder {
         Builder::default()

@@ -134,133 +199,192 @@

↥ Expand context

                 })?;
                 let role_arn = env.get(ENV_VAR_ROLE_ARN).map_err(|_| {
                     CredentialsError::invalid_configuration(
                         "AWS_ROLE_ARN environment variable must be set",
-137
+                    )
                 })?;
                 let session_name = env.get(ENV_VAR_SESSION_NAME).unwrap_or_else(|_| {
                     sts::util::default_session_name("web-identity-token", self.time_source.now())
                 });
                 Ok(Cow::Owned(StaticConfiguration {
                     web_identity_token_file: token_file.into(),
                     role_arn,
                     session_name,
                 }))
-147
+            }
             Source::Static(conf) => Ok(Cow::Borrowed(conf)),
-149
+        }
-150
+    }
     async fn credentials(&self) -> provider::Result {
         let conf = self.source()?;

         load_credentials(
             &self.fs,
             &self.sts_client,
             self.policy.clone(),
             self.policy_arns.clone(),
             &conf.web_identity_token_file,
             &conf.role_arn,
             &conf.session_name,
-161
+        )
         .await
         .map(|mut creds| {
             creds
                 .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                 .push(AwsCredentialFeature::CredentialsProfileStsWebIdToken);
             creds
         })
-163
+    }
-164
+}
-165
 /// Builder for [`WebIdentityTokenCredentialsProvider`].
 #[derive(Debug, Default)]
 pub struct Builder {
     source: Option<Source>,
     config: Option<ProviderConfig>,
     policy: Option<String>,
     policy_arns: Option<Vec<PolicyDescriptorType>>,

↧ Expand context

-173
+}
-174
 impl Builder {
     /// Configure generic options of the [WebIdentityTokenCredentialsProvider]
     ///
     /// # Examples
     /// ```no_run
     /// # async fn test() {
     /// use aws_config::web_identity_token::WebIdentityTokenCredentialsProvider;
     /// use aws_config::provider_config::ProviderConfig;
     /// let provider = WebIdentityTokenCredentialsProvider::builder()
     ///     .configure(&ProviderConfig::with_default_region().await)
     ///     .build();
     /// # }
     /// ```
     pub fn configure(mut self, provider_config: &ProviderConfig) -> Self {
         self.config = Some(provider_config.clone());
         self
-191
+    }
-192

tmp-codegen-diff/aws-sdk/sdk/aws-credential-types/Cargo.toml

@@ -1,1 +49,49 @@

 # Code generated by software.amazon.smithy.rust.codegen.smithy-rs. DO NOT EDIT.
 [package]
 name = "aws-credential-types"
 version = "1.2.5"
 version = "1.2.4"
 authors = ["AWS Rust SDK Team <aws-sdk-rust@amazon.com>"]
 description = "Types for AWS SDK credentials."
 edition = "2021"
 license = "Apache-2.0"
 repository = "https://github.com/smithy-lang/smithy-rs"
 [package.metadata.docs.rs]
 all-features = true
 targets = ["x86_64-unknown-linux-gnu"]
 cargo-args = ["-Zunstable-options", "-Zrustdoc-scrape-examples"]
 rustdoc-args = ["--cfg", "docsrs"]
-15
 [package.metadata.smithy-rs-release-tooling]
 stable = true
-18
 [features]
 hardcoded-credentials = []
 test-util = ["aws-smithy-runtime-api/test-util"]
-22
 [dependencies]
 zeroize = "1.7.0"
-25
 [dependencies.aws-smithy-async]
 path = "../aws-smithy-async"
 version = "1.2.5"
-29
 [dependencies.aws-smithy-types]
 path = "../aws-smithy-types"
 version = "1.3.2"
-33
 [dependencies.aws-smithy-runtime-api]
 path = "../aws-smithy-runtime-api"
 features = ["client", "http-auth"]
 version = "1.8.7"
 version = "1.8.5"
-38
 [dev-dependencies]
 async-trait = "0.1.74"
-41
 [dev-dependencies.aws-smithy-runtime-api]
 path = "../aws-smithy-runtime-api"
 features = ["test-util"]
 version = "1.8.7"
 version = "1.8.5"
-46
 [dev-dependencies.tokio]
 version = "1.23.1"
 features = ["full", "test-util", "rt"]

tmp-codegen-diff/aws-sdk/sdk/aws-credential-types/src/credential_feature.rs

@@ -1,0 +54,0 @@

 /*
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
  */
--
 use aws_smithy_types::config_bag::{Storable, StoreAppend};
--
 /// IDs for the credential related features that may be used in the AWS SDK
 #[non_exhaustive]
 #[derive(Clone, Debug, Eq, PartialEq)]
 pub enum AwsCredentialFeature {
     /// An operation called using credentials resolved from code, cli parameters, session object, or client instance
     CredentialsCode,
     /// An operation called using credentials resolved from environment variables
     CredentialsEnvVars,
     /// An operation called using credentials resolved from environment variables for assuming a role with STS using a web identity token
     CredentialsEnvVarsStsWebIdToken,
     /// An operation called using credentials resolved from STS using assume role
     CredentialsStsAssumeRole,
     /// An operation called using credentials resolved from STS using assume role with SAML
     CredentialsStsAssumeRoleSaml,
     /// An operation called using credentials resolved from STS using assume role with web identity
     CredentialsStsAssumeRoleWebId,
     /// An operation called using credentials resolved from STS using a federation token
     CredentialsStsFederationToken,
     /// An operation called using credentials resolved from STS using a session token
     CredentialsStsSessionToken,
     /// An operation called using credentials resolved from a config file(s) profile with static credentials
     CredentialsProfile,
     /// An operation called using credentials resolved from a source profile in a config file(s) profile
     CredentialsProfileSourceProfile,
     /// An operation called using credentials resolved from a named provider in a config file(s) profile
     CredentialsProfileNamedProvider,
     /// An operation called using credentials resolved from configuration for assuming a role with STS using web identity token in a config file(s) profile
     CredentialsProfileStsWebIdToken,
     /// An operation called using credentials resolved from an SSO session in a config file(s) profile
     CredentialsProfileSso,
     /// An operation called using credentials resolved from an SSO session
     CredentialsSso,
     /// An operation called using credentials resolved from a process in a config file(s) profile
     CredentialsProfileProcess,
     /// An operation called using credentials resolved from a process
     CredentialsProcess,
     /// An operation called using credentials resolved from an HTTP endpoint
     CredentialsHttp,
     /// An operation called using credentials resolved from the instance metadata service (IMDS)
     CredentialsImds,
     /// An operation called using a Bearer token resolved from service-specific environment variables
     BearerServiceEnvVars,
--
+}
--
 impl Storable for AwsCredentialFeature {
     type Storer = StoreAppend<Self>;
--
+}

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

1 1	`/*`
2 2	`* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.`
3 3	`* SPDX-License-Identifier: Apache-2.0`