Merge branch 'master' into forbid-new-connections-once-aexited

cepedus · web-flow · commit 1dd91f790989 · 2025-09-09T19:20:14.000+02:00
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
@@ -124,4 +124,4 @@ jobs:
         REF_NAME: ${{ github.ref_name }}
     - name: Publish distribution 📦 to PyPI
       # yamllint disable-line rule:line-length
-      uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc  # v1.12.4
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
@@ -21,7 +21,7 @@ jobs:
         persist-credentials: false
     - name: Install uv
       # yamllint disable-line rule:line-length
-      uses: astral-sh/setup-uv@4959332f0f014c5280e7eac8b70c90cb574c9f9b  # v6.6.0
+      uses: astral-sh/setup-uv@557e51de59eb14aaaba2ed9621916900a91d50c6  # v6.6.1
       with:
         # yamllint disable-line rule:line-length
         enable-cache: | # zizmor: ignore[cache-poisoning] cache is disabled when publishing to prevent poisoning
diff --git a/.github/workflows/reusable-test.yml b/.github/workflows/reusable-test.yml
@@ -46,7 +46,7 @@ jobs:
         submodules: true
     - name: Install uv
       # yamllint disable-line rule:line-length
-      uses: astral-sh/setup-uv@4959332f0f014c5280e7eac8b70c90cb574c9f9b  # v6.6.0
+      uses: astral-sh/setup-uv@557e51de59eb14aaaba2ed9621916900a91d50c6  # v6.6.1
       with:
         python-version: ${{ inputs.python-version }}
         enable-cache: ${{ inputs.enable-cache }}
@@ -68,7 +68,7 @@ jobs:
         uv run make mototest
     - name: Upload coverage to Codecov
       # yamllint disable-line rule:line-length
-      uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00  # v5.5.0
+      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7  # v5.5.1
       with:
         token: ${{ secrets.codecov-token }}  # not required for public repos
         files: ./coverage.xml
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -22,7 +22,7 @@ jobs:
     timeout-minutes: 5
 
     steps:
-    - uses: actions/stale@v9
+    - uses: actions/stale@v10
       with:
         stale-issue-message: >-
           This issue has been marked as stale because it has been inactive for
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -17,7 +17,7 @@ repos:
     args: [--fix]
   - id: ruff-format
 - repo: https://github.com/astral-sh/uv-pre-commit
-  rev: 0.8.11
+  rev: 0.8.15
   hooks:
   - id: uv-lock
 - repo: https://github.com/adrienverge/yamllint
diff --git a/aiobotocore/credentials.py b/aiobotocore/credentials.py
@@ -5,8 +5,9 @@
 from copy import deepcopy
 
 import botocore.compat
+import dateutil.parser
 from botocore import UNSIGNED
-from botocore.compat import compat_shell_split
+from botocore.compat import compat_shell_split, total_seconds
 from botocore.config import Config
 from botocore.credentials import (
     _DEFAULT_ADVISORY_REFRESH_TIMEOUT,
@@ -1048,7 +1049,16 @@ async def _get_credentials(self):
                 initial_token_data = self._token_provider.load_token()
                 token = (await initial_token_data.get_frozen_token()).token
             else:
-                token = self._token_loader(self._start_url)['accessToken']
+                token_dict = self._token_loader(self._start_url)
+                token = token_dict['accessToken']
+
+                # raise an UnauthorizedSSOTokenError if the loaded legacy token
+                # is expired to save a call to GetRoleCredentials with an
+                # expired token.
+                expiration = dateutil.parser.parse(token_dict['expiresAt'])
+                remaining = total_seconds(expiration - self._time_fetcher())
+                if remaining <= 0:
+                    raise UnauthorizedSSOTokenError()
 
             kwargs = {
                 'roleName': self._role_name,
diff --git a/aiobotocore/discovery.py b/aiobotocore/discovery.py
@@ -33,7 +33,8 @@ async def describe_endpoint(self, **kwargs):
         if not self._always_discover and not discovery_required:
             # Discovery set to only run on required operations
             logger.debug(
-                f'Optional discovery disabled. Skipping discovery for Operation: {operation}'
+                'Optional discovery disabled. Skipping discovery for Operation: %s',
+                operation,
             )
             return None
 
diff --git a/aiobotocore/httpchecksum.py b/aiobotocore/httpchecksum.py
@@ -196,8 +196,8 @@ async def handle_checksum_body(
         return
 
     logger.debug(
-        f'Skipping checksum validation. Response did not contain one of the '
-        f'following algorithms: {algorithms}.'
+        'Skipping checksum validation. Response did not contain one of the following algorithms: %s.',
+        algorithms,
     )
 
 
diff --git a/aiobotocore/regions.py b/aiobotocore/regions.py
@@ -27,7 +27,7 @@ async def construct_endpoint(
             operation_model, call_args, request_context
         )
         LOG.debug(
-            f'Calling endpoint provider with parameters: {provider_params}'
+            'Calling endpoint provider with parameters: %s', provider_params
         )
         try:
             provider_result = self._provider.resolve_endpoint(
@@ -41,10 +41,14 @@ async def construct_endpoint(
                 raise
             else:
                 raise botocore_exception from ex
-        LOG.debug(f'Endpoint provider result: {provider_result.url}')
+        LOG.debug('Endpoint provider result: %s', provider_result.url)
 
         # The endpoint provider does not support non-secure transport.
-        if not self._use_ssl and provider_result.url.startswith('https://'):
+        if (
+            not self._use_ssl
+            and provider_result.url.startswith('https://')
+            and 'Endpoint' not in provider_params
+        ):
             provider_result = provider_result._replace(
                 url=f'http://{provider_result.url[8:]}'
             )
diff --git a/aiobotocore/session.py b/aiobotocore/session.py
@@ -191,8 +191,9 @@ async def _create_client(
                 aws_session_token, aws_account_id
             ):
                 logger.debug(
-                    f"Ignoring the following credential-related values which were set without "
-                    f"an access key id and secret key on the session or client: {ignored_credentials}"
+                    "Ignoring the following credential-related values which were set without "
+                    "an access key id and secret key on the session or client: %s",
+                    ignored_credentials,
                 )
             credentials = await self.get_credentials()
         auth_token = self.get_auth_token()
diff --git a/aiobotocore/signers.py b/aiobotocore/signers.py
@@ -2,6 +2,7 @@
 
 import botocore
 import botocore.auth
+from botocore.compat import get_current_datetime
 from botocore.exceptions import ParamValidationError, UnknownClientMethodError
 from botocore.signers import (
     RequestSigner,
@@ -157,6 +158,10 @@ async def get_auth_instance(
             return auth
 
         credentials = request_credentials or self._credentials
+        if credentials and (
+            cred_method := getattr(credentials, 'method', None)
+        ):
+            self.check_and_register_feature_id(cred_method)
         if getattr(cls, "REQUIRES_IDENTITY_CACHE", None) is True:
             cache = kwargs["identity_cache"]
             key = kwargs["cache_key"]
@@ -368,7 +373,7 @@ async def generate_presigned_post(
         policy = {}
 
         # Create an expiration date for the policy
-        datetime_now = datetime.datetime.utcnow()
+        datetime_now = get_current_datetime()
         expire_date = datetime_now + datetime.timedelta(seconds=expires_in)
         policy['expiration'] = expire_date.strftime(botocore.auth.ISO8601)
 
diff --git a/aiobotocore/tokens.py b/aiobotocore/tokens.py
@@ -125,7 +125,7 @@ async def _refresh_access_token(self, token):
 
         expiry = dateutil.parser.parse(token["registrationExpiresAt"])
         if total_seconds(expiry - self._now()) <= 0:
-            logger.info(f"SSO token registration expired at {expiry}")
+            logger.info("SSO token registration expired at %s", expiry)
             return None
 
         try:
@@ -137,10 +137,10 @@ async def _refresh_access_token(self, token):
     async def _refresher(self):
         start_url = self._sso_config["sso_start_url"]
         session_name = self._sso_config["session_name"]
-        logger.info(f"Loading cached SSO token for {session_name}")
+        logger.info("Loading cached SSO token for %s", session_name)
         token_dict = self._token_loader(start_url, session_name=session_name)
         expiration = dateutil.parser.parse(token_dict["expiresAt"])
-        logger.debug(f"Cached SSO token expires at {expiration}")
+        logger.debug("Cached SSO token expires at %s", expiration)
 
         remaining = total_seconds(expiration - self._now())
         if remaining < self._REFRESH_WINDOW:
diff --git a/aiobotocore/utils.py b/aiobotocore/utils.py
@@ -486,16 +486,21 @@ async def redirect_from_error(
 
         if new_region is None:
             logger.debug(
-                f"S3 client configured for region {client_region} but the "
-                f"bucket {bucket} is not in that region and the proper region "
-                "could not be automatically determined."
+                "S3 client configured for region %s but the "
+                "bucket %s is not in that region and the proper region "
+                "could not be automatically determined.",
+                client_region,
+                bucket,
             )
             return
 
         logger.debug(
-            f"S3 client configured for region {client_region} but the bucket {bucket} "
-            f"is in region {new_region}; Please configure the proper region to "
-            f"avoid multiple unnecessary redirects and signing attempts."
+            "S3 client configured for region %s but the bucket %s "
+            "is in region %s; Please configure the proper region to "
+            "avoid multiple unnecessary redirects and signing attempts.",
+            client_region,
+            bucket,
+            new_region,
         )
         # Adding the new region to _cache will make construct_endpoint() to
         # use the new region as value for the AWS::Region builtin parameter.
@@ -622,16 +627,21 @@ async def redirect_from_error(
 
         if new_region is None:
             logger.debug(
-                f"S3 client configured for region {client_region} but the bucket {bucket} is not "
+                "S3 client configured for region %s but the bucket %s is not "
                 "in that region and the proper region could not be "
-                "automatically determined."
+                "automatically determined.",
+                client_region,
+                bucket,
             )
             return
 
         logger.debug(
-            f"S3 client configured for region {client_region} but the bucket {bucket} is in region"
-            f" {new_region}; Please configure the proper region to avoid multiple "
-            "unnecessary redirects and signing attempts."
+            "S3 client configured for region %s but the bucket %s is in region"
+            " %s; Please configure the proper region to avoid multiple "
+            "unnecessary redirects and signing attempts.",
+            client_region,
+            bucket,
+            new_region,
         )
         endpoint = self._endpoint_resolver.resolve('s3', new_region)
         endpoint = endpoint['endpoint_url']
diff --git a/pyproject.toml b/pyproject.toml
@@ -32,7 +32,7 @@ dynamic = ["version", "readme"]
 dependencies = [
     "aiohttp >= 3.9.2, < 4.0.0",
     "aioitertools >= 0.5.1, < 1.0.0",
-    "botocore >= 1.39.9, < 1.39.12", # NOTE: When updating, always keep `project.optional-dependencies` aligned
+    "botocore >= 1.40.15, < 1.40.19", # NOTE: When updating, always keep `project.optional-dependencies` aligned
     "python-dateutil >= 2.1, < 3.0.0",
     "jmespath >= 0.7.1, < 2.0.0",
     "multidict >= 6.0.0, < 7.0.0",
@@ -41,10 +41,10 @@ dependencies = [
 
 [project.optional-dependencies]
 awscli = [
-    "awscli >= 1.41.9, < 1.41.12",
+    "awscli >= 1.42.15, < 1.42.19",
 ]
 boto3 = [
-    "boto3 >= 1.39.9, < 1.39.12",
+    "boto3 >= 1.40.15, < 1.40.19",
 ]
 httpx = [
     "httpx >= 0.25.1, < 0.29"
@@ -145,10 +145,17 @@ indent-width = 4
 target-version = "py39"
 
 [tool.ruff.lint]
-# Enable Pyflakes (`F`) and a subset of the pycodestyle (`E`)  codes by default.
 # Unlike Flake8, Ruff doesn't enable pycodestyle warnings (`W`) or
 # McCabe complexity (`C901`) by default.
-select = ["E4", "E7", "E9", "F", "I", "UP"]
+select = [
+    "E4", # pycodestyle
+    "E7", # pycodestyle
+    "E9", # pycodestyle
+    "F", # Pyflakes
+    "I", # Import sorting
+    "UP", # PyUpgrade
+    "G", # Log formatting
+]
 ignore = []
 
 # Allow fix for all enabled rules (when `--fix`) is provided.
diff --git a/tests/botocore_tests/unit/test_credentials.py b/tests/botocore_tests/unit/test_credentials.py
@@ -1089,14 +1089,18 @@ async def ssl_credential_fetcher_setup():
         self.start_url = 'https://d-92671207e4.awsapps.com/start'
         self.role_name = 'test-role'
         self.account_id = '1234567890'
-        self.access_token = 'some.sso.token'
+        self.access_token = {
+            'accessToken': 'some.sso.token',
+            'expiresAt': '2018-10-18T22:26:40Z',
+        }
         # This is just an arbitrary point in time we can pin to
         self.now = datetime(2008, 9, 23, 12, 26, 40, tzinfo=tzutc())
         # The SSO endpoint uses ms whereas the OIDC endpoint uses seconds
         self.now_timestamp = 1222172800000
+        self.mock_time_fetcher = mock.Mock(return_value=self.now)
 
         self.loader = mock.Mock(spec=SSOTokenLoader)
-        self.loader.return_value = {'accessToken': self.access_token}
+        self.loader.return_value = self.access_token
         self.fetcher = AioSSOCredentialFetcher(
             self.start_url,
             self.sso_region,
@@ -1105,11 +1109,13 @@ async def ssl_credential_fetcher_setup():
             self.mock_session.create_client,
             token_loader=self.loader,
             cache=self.cache,
+            time_fetcher=self.mock_time_fetcher,
         )
 
         tc = TestCase()
         self.assertEqual = tc.assertEqual
         self.assertRaises = tc.assertRaises
+        self.assertFalse = tc.assertFalse
         yield self
 
 
@@ -1292,7 +1298,7 @@ async def test_sso_credential_fetcher_can_fetch_credentials(
     expected_params = {
         'roleName': self.role_name,
         'accountId': self.account_id,
-        'accessToken': self.access_token,
+        'accessToken': self.access_token['accessToken'],
     }
     expected_response = {
         'roleCredentials': {
@@ -1334,7 +1340,7 @@ async def test_sso_cred_fetcher_raises_helpful_message_on_unauthorized_exception
     expected_params = {
         'roleName': self.role_name,
         'accountId': self.account_id,
-        'accessToken': self.access_token,
+        'accessToken': self.access_token['accessToken'],
     }
     self.stubber.add_client_error(
         'get_role_credentials',
@@ -1346,6 +1352,31 @@ async def test_sso_cred_fetcher_raises_helpful_message_on_unauthorized_exception
             await self.fetcher.fetch_credentials()
 
 
+async def test_sso_cred_fetcher_expired_legacy_token_has_expected_behavior(
+    ssl_credential_fetcher_setup,
+):
+    self = ssl_credential_fetcher_setup
+    # Mock the current time to be in the future after the access token has expired
+    now = datetime(2018, 10, 19, 12, 26, 40, tzinfo=tzutc())
+    mock_client = mock.AsyncMock()
+    create_mock_client = mock.Mock(return_value=mock_client)
+    fetcher = AioSSOCredentialFetcher(
+        self.start_url,
+        self.sso_region,
+        self.role_name,
+        self.account_id,
+        create_mock_client,
+        token_loader=self.loader,
+        cache=self.cache,
+        time_fetcher=mock.Mock(return_value=now),
+    )
+    # since the cached token is expired, an UnauthorizedSSOTokenError should be
+    # raised and GetRoleCredentials should not be called.
+    with self.assertRaises(botocore.exceptions.UnauthorizedSSOTokenError):
+        await fetcher.fetch_credentials()
+    self.assertFalse(mock_client.get_role_credentials.called)
+
+
 # from TestSSOProvider
 @pytest.fixture
 async def sso_provider_setup():
diff --git a/tests/botocore_tests/unit/test_signers.py b/tests/botocore_tests/unit/test_signers.py
@@ -44,7 +44,7 @@ async def test_signers_generate_db_auth_token(rds_client):
     clock = datetime.datetime(2016, 11, 7, 17, 39, 33, tzinfo=timezone.utc)
 
     with mock.patch('datetime.datetime') as dt:
-        dt.utcnow.return_value = clock
+        dt.now.return_value = clock
         result = await aiobotocore.signers.generate_db_auth_token(
             rds_client, hostname, port, username
         )
diff --git a/tests/test_patches.py b/tests/test_patches.py
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,8 @@ async def describe_endpoint(self, **kwargs):`
`33`	`33`	`if not self._always_discover and not discovery_required:`
`34`	`34`	`# Discovery set to only run on required operations`
`35`	`35`	`logger.debug(`
`36`		`- f'Optional discovery disabled. Skipping discovery for Operation: {operation}'`
	`36`	`+ 'Optional discovery disabled. Skipping discovery for Operation: %s',`
	`37`	`+ operation,`
`37`	`38`	`)`
`38`	`39`	`return None`
`39`	`40`
Original file line number	Diff line number	Diff line change
`@@ -196,8 +196,8 @@ async def handle_checksum_body(`
`196`	`196`	`return`
`197`	`197`
`198`	`198`	`logger.debug(`
`199`		`- f'Skipping checksum validation. Response did not contain one of the '`
`200`		`- f'following algorithms: {algorithms}.'`
	`199`	`+ 'Skipping checksum validation. Response did not contain one of the following algorithms: %s.',`
	`200`	`+ algorithms,`
`201`	`201`	`)`
`202`	`202`
`203`	`203`