Merge pull request #2332 from aws/staging/75906e71-438e-4286-88ad-6604908f570d

Pull request: release <- staging/75906e71-438e-4286-88ad-6604908f570d

Author: aws-sdk-java-automation

.changes/2.19.19.json

@@ -0,0 +1,36 @@
+{
+    "version": "2.19.19",
+    "date": "2023-01-18",
+    "entries": [
+        {
+            "type": "feature",
+            "category": "AWS WAFV2",
+            "contributor": "",
+            "description": "Improved the visibility of the guidance for updating AWS WAF resources, such as web ACLs and rule groups."
+        },
+        {
+            "type": "feature",
+            "category": "Amazon CloudWatch",
+            "contributor": "",
+            "description": "Enable cross-account streams in CloudWatch Metric Streams via Observability Access Manager."
+        },
+        {
+            "type": "feature",
+            "category": "Amazon Elastic File System",
+            "contributor": "",
+            "description": "Documentation updates for EFS access points limit increase"
+        },
+        {
+            "type": "feature",
+            "category": "Amazon Interactive Video Service Chat",
+            "contributor": "",
+            "description": "Updates the range for a Chat Room's maximumMessageRatePerSecond field."
+        },
+        {
+            "type": "feature",
+            "category": "AWS SDK for Java v2",
+            "contributor": "",
+            "description": "Updated endpoint and partition metadata."
+        }
+    ]
+}

CHANGELOG.md

@@ -1,3 +1,24 @@
+# __2.19.19__ __2023-01-18__
+## __AWS SDK for Java v2__
+  - ### Features
+    - Updated endpoint and partition metadata.
+
+## __AWS WAFV2__
+  - ### Features
+    - Improved the visibility of the guidance for updating AWS WAF resources, such as web ACLs and rule groups.
+
+## __Amazon CloudWatch__
+  - ### Features
+    - Enable cross-account streams in CloudWatch Metric Streams via Observability Access Manager.
+
+## __Amazon Elastic File System__
+  - ### Features
+    - Documentation updates for EFS access points limit increase
+
+## __Amazon Interactive Video Service Chat__
+  - ### Features
+    - Updates the range for a Chat Room's maximumMessageRatePerSecond field.
+
 # __2.19.18__ __2023-01-17__
 ## __AWS Cloud9__
   - ### Features

README.md

@@ -52,7 +52,7 @@ To automatically manage module versions (currently all modules have the same ver
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>bom</artifactId>
-      <version>2.19.18</version>
+      <version>2.19.19</version>
       <type>pom</type>
       <scope>import</scope>
     </dependency>
@@ -86,12 +86,12 @@ Alternatively you can add dependencies for the specific services you use only:
 <dependency>
   <groupId>software.amazon.awssdk</groupId>
   <artifactId>ec2</artifactId>
-  <version>2.19.18</version>
+  <version>2.19.19</version>
 </dependency>
 <dependency>
   <groupId>software.amazon.awssdk</groupId>
   <artifactId>s3</artifactId>
-  <version>2.19.18</version>
+  <version>2.19.19</version>
 </dependency>
 ```
 
@@ -103,7 +103,7 @@ You can import the whole SDK into your project (includes *ALL* services). Please
 <dependency>
   <groupId>software.amazon.awssdk</groupId>
   <artifactId>aws-sdk-java</artifactId>
-  <version>2.19.18</version>
+  <version>2.19.19</version>
 </dependency>
 ```
 

archetypes/archetype-app-quickstart/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>archetypes</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

archetypes/archetype-lambda/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>archetypes</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>archetype-lambda</artifactId>

archetypes/archetype-tools/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>archetypes</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

archetypes/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>aws-sdk-java-pom</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>archetypes</artifactId>

aws-sdk-java/pom.xml

@@ -17,7 +17,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <artifactId>aws-sdk-java</artifactId>

bom-internal/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>aws-sdk-java-pom</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

bom/pom.xml

@@ -17,7 +17,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <artifactId>bom</artifactId>

bundle/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
     <artifactId>bundle</artifactId>
     <packaging>jar</packaging>

codegen-lite-maven-plugin/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <artifactId>codegen-lite-maven-plugin</artifactId>

codegen-lite/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
     <artifactId>codegen-lite</artifactId>
     <name>AWS Java SDK :: Code Generator Lite</name>

codegen-maven-plugin/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <artifactId>codegen-maven-plugin</artifactId>

codegen/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
     <artifactId>codegen</artifactId>
     <name>AWS Java SDK :: Code Generator</name>

core/annotations/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>core</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

core/arns/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>core</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

core/auth-crt/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>core</artifactId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
 
     <artifactId>auth-crt</artifactId>

core/auth/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>core</artifactId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
 
     <artifactId>auth</artifactId>

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/ContainerCredentialsProvider.java

@@ -15,17 +15,17 @@
 
 package software.amazon.awssdk.auth.credentials;
 
-import static java.util.Collections.unmodifiableSet;
-
 import java.io.IOException;
+import java.net.InetAddress;
 import java.net.URI;
+import java.net.UnknownHostException;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Arrays;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Map;
-import java.util.Set;
+import java.util.Objects;
+import java.util.function.Predicate;
 import software.amazon.awssdk.annotations.SdkPublicApi;
 import software.amazon.awssdk.auth.credentials.internal.ContainerCredentialsRetryPolicy;
 import software.amazon.awssdk.auth.credentials.internal.HttpCredentialsLoader;
@@ -65,7 +65,9 @@
 public final class ContainerCredentialsProvider
     implements HttpCredentialsProvider,
                ToCopyableBuilder<ContainerCredentialsProvider.Builder, ContainerCredentialsProvider> {
-    private static final Set<String> ALLOWED_HOSTS = unmodifiableSet(new HashSet<>(Arrays.asList("localhost", "127.0.0.1")));
+    private static final Predicate<InetAddress> IS_LOOPBACK_ADDRESS = InetAddress::isLoopbackAddress;
+    private static final Predicate<InetAddress> ALLOWED_HOSTS_RULES = IS_LOOPBACK_ADDRESS;
+    private static final String HTTPS = "https";
 
     private final String endpoint;
     private final HttpCredentialsLoader httpCredentialsLoader;
@@ -207,18 +209,49 @@ private URI createUri(String relativeUri) {
 
         private URI createGenericContainerUrl() {
             URI uri = URI.create(SdkSystemSetting.AWS_CONTAINER_CREDENTIALS_FULL_URI.getStringValueOrThrow());
-            if (!ALLOWED_HOSTS.contains(uri.getHost())) {
+            if (!isHttps(uri) && !isAllowedHost(uri.getHost())) {
                 String envVarName = SdkSystemSetting.AWS_CONTAINER_CREDENTIALS_FULL_URI.environmentVariable();
                 throw SdkClientException.builder()
-                                        .message(String.format("The full URI (%s) contained within environment " +
-                                                               "variable %s has an invalid host. Host can only be one of [%s].",
-                                                               uri,
-                                                               envVarName,
-                                                               String.join(",", ALLOWED_HOSTS)))
+                                        .message(String.format("The full URI (%s) contained within environment variable " +
+                                                               "%s has an invalid host. Host should resolve to a loopback " +
+                                                               "address or have the full URI be HTTPS.",
+                                                               uri, envVarName))
                                         .build();
             }
             return uri;
         }
+
+        private boolean isHttps(URI endpoint) {
+            return Objects.equals(HTTPS, endpoint.getScheme());
+        }
+
+        /**
+         * Determines if the addresses for a given host are resolved to a loopback address.
+         * <p>
+         *     This is a best-effort in determining what address a host will be resolved to. DNS caching might be disabled,
+         *     or could expire between this check and when the API is invoked.
+         * </p>
+         * @param host The name or IP address of the host.
+         * @return A boolean specifying whether the host is allowed as an endpoint for credentials loading.
+         */
+        private boolean isAllowedHost(String host) {
+            try {
+                InetAddress[] addresses = InetAddress.getAllByName(host);
+
+                return addresses.length > 0 && Arrays.stream(addresses)
+                                                     .allMatch(this::matchesAllowedHostRules);
+
+            } catch (UnknownHostException e) {
+                throw SdkClientException.builder()
+                                        .cause(e)
+                                        .message(String.format("host (%s) could not be resolved to an IP address.", host))
+                                        .build();
+            }
+        }
+
+        private boolean matchesAllowedHostRules(InetAddress inetAddress) {
+            return ALLOWED_HOSTS_RULES.test(inetAddress);
+        }
     }
 
     /**

core/auth/src/test/java/software/amazon/awssdk/auth/credentials/ContainerCredentialsEndpointProviderTest.java

@@ -71,9 +71,49 @@ public void theLoopbackAddressIsAlsoAcceptable() throws IOException {
         assertThat(sut.endpoint().toString(), equalTo(fullUri));
     }
 
+    @Test
+    public void theLoopbackIpv6AddressIsAlsoAcceptable() throws IOException {
+        String fullUri = "http://[::1]:9851/endpoint";
+        helper.set(AWS_CONTAINER_CREDENTIALS_FULL_URI.environmentVariable(), fullUri);
+
+        assertThat(sut.endpoint().toString(), equalTo(fullUri));
+    }
+
+    @Test
+    public void anyHttpsAddressIsAlsoAcceptable() throws IOException {
+        String fullUri = "https://192.168.10.120:9851/endpoint";
+        helper.set(AWS_CONTAINER_CREDENTIALS_FULL_URI.environmentVariable(), fullUri);
+
+        assertThat(sut.endpoint().toString(), equalTo(fullUri));
+    }
+
+    @Test
+    public void anyHttpsIpv6AddressIsAlsoAcceptable() throws IOException {
+        String fullUri = "https://[::FFFF:152.16.24.123]/endpoint";
+        helper.set(AWS_CONTAINER_CREDENTIALS_FULL_URI.environmentVariable(), fullUri);
+
+        assertThat(sut.endpoint().toString(), equalTo(fullUri));
+    }
+
+    @Test(expected = SdkClientException.class)
+    public void nonLoopbackAddressIsNotAcceptable() throws IOException {
+        String fullUri = "http://192.168.10.120:9851/endpoint";
+        helper.set(AWS_CONTAINER_CREDENTIALS_FULL_URI.environmentVariable(), fullUri);
+
+        assertThat(sut.endpoint().toString(), equalTo(fullUri));
+    }
+
+    @Test(expected = SdkClientException.class)
+    public void nonLoopbackIpv6AddressIsNotAcceptable() throws IOException {
+        String fullUri = "http://[::FFFF:152.16.24.123]/endpoint";
+        helper.set(AWS_CONTAINER_CREDENTIALS_FULL_URI.environmentVariable(), fullUri);
+
+        assertThat(sut.endpoint().toString(), equalTo(fullUri));
+    }
+
     @Test(expected = SdkClientException.class)
     public void onlyLocalHostAddressesAreValid() throws IOException {
-        helper.set(AWS_CONTAINER_CREDENTIALS_FULL_URI.environmentVariable(), "https://google.com/endpoint");
+        helper.set(AWS_CONTAINER_CREDENTIALS_FULL_URI.environmentVariable(), "http://google.com/endpoint");
         sut.endpoint();
     }
 

core/aws-core/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>core</artifactId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
 
     <artifactId>aws-core</artifactId>

core/endpoints-spi/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>core</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.19.18</version>
+        <version>2.19.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>