fix(client-s3): defer endpoint validations to ruleset

Author: kuhe

Makefile

@@ -41,7 +41,7 @@ test-integration: bundles
 	make test-endpoints
 
 test-endpoints:
-	npx jest -c ./tests/endpoints-2.0/jest.config.js --bail --watch --verbose false
+	npx jest -c ./tests/endpoints-2.0/jest.config.js --bail --verbose false
 
 test-e2e: bundles
 	yarn g:vitest run -c vitest.config.e2e.ts --retry=4

clients/client-s3/src/S3Client.ts

@@ -755,9 +755,9 @@ export interface ClientDefaults extends Partial<__SmithyConfiguration<__HttpHand
   signingEscapePath?: boolean;
 
   /**
-   * Whether to override the request region with the region inferred from requested resource's ARN. Defaults to false.
+   * Whether to override the request region with the region inferred from requested resource's ARN. Defaults to undefined.
    */
-  useArnRegion?: boolean | Provider<boolean>;
+  useArnRegion?: boolean | undefined | Provider<boolean | undefined>;
   /**
    * The internal function that inject utilities to runtime-specific stream to help users consume the data
    * @internal

clients/client-s3/src/models/models_0.ts

@@ -1,6 +1,5 @@
 // smithy-typescript generated code
 import { ExceptionOptionType as __ExceptionOptionType, SENSITIVE_STRING } from "@smithy/smithy-client";
-
 import { StreamingBlobTypes } from "@smithy/types";
 
 import { S3ServiceException as __BaseException } from "./S3ServiceException";

clients/client-s3/src/models/models_1.ts

@@ -1,6 +1,5 @@
 // smithy-typescript generated code
 import { ExceptionOptionType as __ExceptionOptionType, SENSITIVE_STRING } from "@smithy/smithy-client";
-
 import { StreamingBlobTypes } from "@smithy/types";
 
 import {
@@ -41,7 +40,6 @@ import {
   Tag,
   TransitionDefaultMinimumObjectSize,
 } from "./models_0";
-
 import { S3ServiceException as __BaseException } from "./S3ServiceException";
 
 /**

clients/client-s3/src/protocols/Aws_restXml.ts

@@ -2,11 +2,7 @@
 import { loadRestXmlErrorCode, parseXmlBody as parseBody, parseXmlErrorBody as parseErrorBody } from "@aws-sdk/core";
 import { XmlNode as __XmlNode, XmlText as __XmlText } from "@aws-sdk/xml-builder";
 import { requestBuilder as rb } from "@smithy/core";
-import {
-  HttpRequest as __HttpRequest,
-  HttpResponse as __HttpResponse,
-  isValidHostname as __isValidHostname,
-} from "@smithy/protocol-http";
+import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@smithy/protocol-http";
 import {
   collectBody,
   dateToUtcString as __dateToUtcString,
@@ -3215,18 +3211,6 @@ export const se_WriteGetObjectResponseCommand = async (
     contents = input.Body;
     body = contents;
   }
-  let { hostname: resolvedHostname } = await context.endpoint();
-  if (context.disableHostPrefix !== true) {
-    resolvedHostname = "{RequestRoute}." + resolvedHostname;
-    if (input.RequestRoute === undefined) {
-      throw new Error("Empty value provided for input host prefix: RequestRoute.");
-    }
-    resolvedHostname = resolvedHostname.replace("{RequestRoute}", input.RequestRoute!);
-    if (!__isValidHostname(resolvedHostname)) {
-      throw new Error("ValidationError: prefixed hostname must be hostname compatible.");
-    }
-  }
-  b.hn(resolvedHostname);
   b.m("POST").h(headers).b(body);
   return b.build();
 };

clients/client-s3/src/runtimeConfig.shared.ts

@@ -43,7 +43,7 @@ export const getRuntimeConfig = (config: S3ClientConfig) => {
     signerConstructor: config?.signerConstructor ?? SignatureV4MultiRegion,
     signingEscapePath: config?.signingEscapePath ?? false,
     urlParser: config?.urlParser ?? parseUrl,
-    useArnRegion: config?.useArnRegion ?? false,
+    useArnRegion: config?.useArnRegion ?? undefined,
     utf8Decoder: config?.utf8Decoder ?? fromUtf8,
     utf8Encoder: config?.utf8Encoder ?? toUtf8,
   };

codegen/smithy-aws-typescript-codegen/src/main/java/software/amazon/smithy/aws/typescript/codegen/AddS3Config.java

@@ -224,7 +224,7 @@ public Model preprocessModel(Model model, TypeScriptSettings settings) {
 
         Model builtModel = modelBuilder.addShapes(inputShapes).build();
         if (hasRuleset) {
-            ModelTransformer.create().mapShapes(
+            return ModelTransformer.create().mapShapes(
                 builtModel, AddS3Config::removeHostPrefixTrait
             );
         }
@@ -246,9 +246,9 @@ public void addConfigInterfaceFields(
             .write("signingEscapePath?: boolean;\n");
         writer.writeDocs(
                 "Whether to override the request region with the region inferred from requested resource's ARN."
-                    + " Defaults to false.")
+                    + " Defaults to undefined.")
             .addImport("Provider", "Provider", TypeScriptDependency.SMITHY_TYPES)
-            .write("useArnRegion?: boolean | Provider<boolean>;");
+            .write("useArnRegion?: boolean | undefined | Provider<boolean | undefined>;");
     }
 
     @Override
@@ -266,7 +266,7 @@ public Map<String, Consumer<TypeScriptWriter>> getRuntimeConfigWriters(
                         writer.write("false");
                     },
                     "useArnRegion", writer -> {
-                        writer.write("false");
+                        writer.write("undefined");
                     }
                 );
             case NODE:

packages/middleware-bucket-endpoint/src/NodeUseArnRegionConfigOptions.ts

@@ -7,11 +7,15 @@ export const NODE_USE_ARN_REGION_INI_NAME = "s3_use_arn_region";
 /**
  * Config to load useArnRegion from environment variables and shared INI files
  *
- * @api private
+ * @internal
  */
-export const NODE_USE_ARN_REGION_CONFIG_OPTIONS: LoadedConfigSelectors<boolean> = {
+export const NODE_USE_ARN_REGION_CONFIG_OPTIONS: LoadedConfigSelectors<boolean | undefined> = {
   environmentVariableSelector: (env: NodeJS.ProcessEnv) =>
     booleanSelector(env, NODE_USE_ARN_REGION_ENV_NAME, SelectorType.ENV),
   configFileSelector: (profile) => booleanSelector(profile, NODE_USE_ARN_REGION_INI_NAME, SelectorType.CONFIG),
-  default: false,
+  /**
+   * useArnRegion has specific behavior when undefined instead of false.
+   * We therefore use undefined as the default value instead of false.
+   */
+  default: undefined,
 };

packages/middleware-bucket-endpoint/src/bucketHostname.ts

@@ -14,11 +14,9 @@ import {
   validateCustomEndpoint,
   validateDNSHostLabel,
   validateMrapAlias,
-  validateNoDualstack,
   validateNoFIPS,
   validateOutpostService,
   validatePartition,
-  validateRegion,
   validateRegionalClient,
   validateS3Service,
   validateService,
@@ -121,14 +119,6 @@ const getEndpointFromObjectLambdaArn = ({
 }): BucketHostname => {
   const { accountId, region, service } = bucketName;
   validateRegionalClient(clientRegion);
-  validateRegion(region, {
-    useArnRegion,
-    clientRegion,
-    clientSigningRegion,
-    allowFipsRegion: true,
-    useFipsEndpoint: fipsEndpoint,
-  });
-  validateNoDualstack(dualstackEndpoint);
   const DNSHostLabel = `${accesspointName}-${accountId}`;
   validateDNSHostLabel(DNSHostLabel, { tlsCompatible });
 
@@ -155,7 +145,6 @@ const getEndpointFromMRAPArn = ({
     throw new Error("SDK is attempting to use a MRAP ARN. Please enable to feature.");
   }
   validateMrapAlias(mrapAlias);
-  validateNoDualstack(dualstackEndpoint);
   return {
     bucketEndpoint: true,
     hostname: `${mrapAlias}${isCustomEndpoint ? "" : `.accesspoint.s3-global`}.${hostnameSuffix}`,
@@ -178,14 +167,12 @@ const getEndpointFromOutpostArn = ({
 }: ArnHostnameParams & { outpostId: string; accesspointName: string; hostnameSuffix: string }): BucketHostname => {
   // if this is an Outpost ARN
   validateRegionalClient(clientRegion);
-  validateRegion(bucketName.region, { useArnRegion, clientRegion, clientSigningRegion, useFipsEndpoint: fipsEndpoint });
   const DNSHostLabel = `${accesspointName}-${bucketName.accountId}`;
   validateDNSHostLabel(DNSHostLabel, { tlsCompatible });
   const endpointRegion = useArnRegion ? bucketName.region : clientRegion;
   const signingRegion = useArnRegion ? bucketName.region : clientSigningRegion;
   validateOutpostService(bucketName.service);
   validateDNSHostLabel(outpostId, { tlsCompatible });
-  validateNoDualstack(dualstackEndpoint);
   validateNoFIPS(fipsEndpoint);
   const hostnamePrefix = `${DNSHostLabel}.${outpostId}`;
   return {
@@ -210,13 +197,6 @@ const getEndpointFromAccessPointArn = ({
 }: ArnHostnameParams & { accesspointName: string; hostnameSuffix: string }): BucketHostname => {
   // construct endpoint from Accesspoint ARN
   validateRegionalClient(clientRegion);
-  validateRegion(bucketName.region, {
-    useArnRegion,
-    clientRegion,
-    clientSigningRegion,
-    allowFipsRegion: true,
-    useFipsEndpoint: fipsEndpoint,
-  });
   const hostnamePrefix = `${accesspointName}-${bucketName.accountId}`;
   validateDNSHostLabel(hostnamePrefix, { tlsCompatible });
   const endpointRegion = useArnRegion ? bucketName.region : clientRegion;

packages/middleware-bucket-endpoint/src/bucketHostnameUtils.ts

@@ -111,10 +111,14 @@ export const validatePartition = (partition: string, options: { clientPartition:
 };
 
 /**
+ * (Previous to deprecation)
  * validate region value inferred from ARN. If `options.useArnRegion` is set, it validates the region is not a FIPS
  * region. If `options.useArnRegion` is unset, it validates the region is equal to `options.clientRegion` or
  * `options.clientSigningRegion`.
+ *
  * @internal
+ *
+ * @deprecated validation is deferred to the endpoint ruleset.
  */
 export const validateRegion = (
   region: string,
@@ -125,28 +129,9 @@ export const validateRegion = (
     clientSigningRegion: string;
     useFipsEndpoint: boolean;
   }
-) => {
-  if (region === "") {
-    throw new Error("ARN region is empty");
-  }
-  if (options.useFipsEndpoint) {
-    if (!options.allowFipsRegion) {
-      throw new Error("FIPS region is not supported");
-    } else if (!isEqualRegions(region, options.clientRegion)) {
-      throw new Error(`Client FIPS region ${options.clientRegion} doesn't match region ${region} in ARN`);
-    }
-  }
-  if (
-    !options.useArnRegion &&
-    !isEqualRegions(region, options.clientRegion || "") &&
-    !isEqualRegions(region, options.clientSigningRegion || "")
-  ) {
-    throw new Error(`Region in ARN is incompatible, got ${region} but expected ${options.clientRegion}`);
-  }
-};
+) => {};
 
 /**
- *
  * @param region
  */
 export const validateRegionalClient = (region: string) => {
@@ -231,13 +216,12 @@ export const getArnResources = (
 };
 
 /**
- * Throw if dual stack configuration is set to true.
+ * (Prior to deprecation) Throw if dual stack configuration is set to true.
  * @internal
+ *
+ * @deprecated validation deferred to endpoints ruleset.
  */
-export const validateNoDualstack = (dualstackEndpoint?: boolean) => {
-  if (dualstackEndpoint)
-    throw new Error("Dualstack endpoint is not supported with Outpost or Multi-region Access Point ARN.");
-};
+export const validateNoDualstack = (dualstackEndpoint?: boolean) => {};
 
 /**
  * Validate fips endpoint is not set up.