U M8cJ@sddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZddlmZmZddlZddlmZddlmZddlZddlZddlZddlmZddlm Z ddlm!Z!dd lm"Z"dd lm#Z#dd lm$Z$dd lm%Z%dd lm&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3ddl4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>m?Z?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFmGZGmHZHmIZImJZJmKZKeLeMZNdZOdZPdZQdZRdZSe TdZUeDe9e7e8fZVdgZWdddddddddddd d!d"d#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d2d5d6d7d8d9d9d%d&d*d:d;dd?d@d7dAdBdBdCd=dDdEdFd:dGdHdId>dJdKdLdMdNdOdOdPd/dGdQIZXe jTdRe jYdSZZdTdUZ[dVdWZ\dXdYZ]dZd[Z^d\d]Z_d^d_Z`d`daZadbdcZbdddeZcddgdhZddidjZeGdkdldlefZgGdmdndnefZhGdodpdpZiGdqdrdreiZjGdsdtdtZkGdudvdveiZlddxdyZmdzd{Zneofd|d}Zpd~dZqeSfddZreSfddZsddZtddZuddZvdddZwdddZxddZyddZzGdddZ{GdddZ|ddZ}ddZ~ddZddZddZddZdddZdddZddZddZddZddZdddZdddZddZddZGdddZGdddZGdddeZGdddZGdddZGdddZGddÄdÃZGddńdŃZGddDŽdeZGddɄdɃZdd˄Zdd̈́ZddτZddd҄ZddԄZddքZdd؄ZddڄZGdd܄d܃ZGddބdރZGdddZddZGdddZdS)N)Path) getproxies proxy_bypass)tzutc)LocationParseError)HEX_PAT)IPV4_PAT)IPV6_ADDRZ_PAT)IPV6_PAT)LS32_PAT)UNRESERVED_PAT) ZONE_ID_PAT)HAS_CRTIPV4_RE IPV6_ADDRZ_RE MD5_AVAILABLEUNSAFE_URL_CHARS OrderedDictget_md5get_tzinfo_optionsjsonquoteurlparseurlsplit urlunsplit zip_longest) ClientErrorConfigNotFoundConnectionClosedErrorConnectTimeoutErrorEndpointConnectionErrorHTTPClientErrorInvalidDNSNameError!InvalidEndpointConfigurationErrorInvalidExpressionErrorInvalidHostLabelErrorInvalidIMDSEndpointErrorInvalidIMDSEndpointModeErrorInvalidRegionErrorMetadataRetrievalErrorMissingDependencyExceptionReadTimeoutErrorSSOTokenLoadErrorUnsupportedOutpostResourceError*UnsupportedS3AccesspointConfigurationErrorUnsupportedS3ArnErrorUnsupportedS3ConfigurationErrorUnsupportedS3ControlArnError&UnsupportedS3ControlConfigurationErrorzhttp://169.254.169.254/zhttp://[fd00:ec2::254]/)ipv4ipv6z-._~z-z0-9][a-z0-9\-]*[a-z0-9] dualstackzalexa-for-businessZ mediatailorZpricingZ sagemakerz api-gatewayzapplication-auto-scalingZ appstreamz auto-scalingzauto-scaling-plansz cost-explorerz cloudhsm-v2zcloudsearch-domainzcognito-identity-providerzconfig-servicezcost-and-usage-report-serviceziot-data-planeziot-jobs-data-planezmediastore-dataz data-pipelinez device-farmziot-1click-devices-servicezdirect-connectzapplication-discovery-servicezdatabase-migration-servicezdirectory-servicezdynamodb-streamszelastic-beanstalkZefszelastic-load-balancingZemrzelastic-transcoderzelastic-load-balancing-v2Zseszmarketplace-entitlement-servicezelasticsearch-serviceZ eventbridgeziot-1click-projectszkinesis-analyticsz kinesis-videozlex-model-building-servicezlex-runtime-servicezcloudwatch-logszmachine-learningzmarketplace-commerce-analyticszmarketplace-meteringz migration-hubZ cloudwatchZmturkZ opsworkscmzresource-groups-tagging-apizroute-53zroute-53-domainszsagemaker-runtimeZsimpledbzsecrets-managerZserverlessapplicationrepositoryzservice-catalogsfnzstorage-gateway)IZa4bZalexaforbusinesszapi.mediatailorz api.pricingz api.sagemakerZ apigatewayzapplication-autoscalingZ appstream2Z autoscalingzautoscaling-plansZceZ cloudhsmv2Zcloudsearchdomainz cognito-idpconfigcurzdata.iotz data.jobs.iotzdata.mediastoreZ datapipelineZ devicefarmzdevices.iot1clickZ directconnectZ discoveryZdmsZdsZdynamodbstreamsZelasticbeanstalkZelasticfilesystemZelasticloadbalancingZelasticmapreduceZelastictranscoderZelbZelbv2emailzentitlement.marketplaceeseventszcloudwatch-eventsziot-dataz iot-jobs-dataziot1click-devicesziot1click-projectsZkinesisanalyticsZ kinesisvideoz lex-modelsz lex-runtimeZlogsZmachinelearningzmarketplace-entitlementZmarketplacecommerceanalyticszmetering.marketplaceZmeteringmarketplaceZmghz models.lexZ monitoringzmturk-requesterz opsworks-cmzprojects.iot1clickZresourcegroupstaggingapiZroute53Zroute53domainsz runtime.lexzruntime.sagemakerZsdbZsecretsmanagerZserverlessrepoZservicecatalogZstatesZ stepfunctionsZstoragegatewayzstreams.dynamodbZtaggingz^X-Amz-Checksum-([a-z0-9]*)$)flagscCs,t|tr|St|tr$|dkSdSdS)z~Ensures a boolean value if a string or boolean is provided For strings, the value for True/False is case insensitive trueFN) isinstanceboolstrlowervalrE2/tmp/pip-unpacked-wheel-ozje0y8b/botocore/utils.pyensure_booleans    rGcCsL|d}|dk r:|}|tkr6|td}tf||S|drHdSdS)zResolving IMDS endpoint mode to either IPv6 or IPv4. ec2_metadata_service_endpoint_mode takes precedence over imds_use_ipv6. "ec2_metadata_service_endpoint_modeN)modeZ valid_modesZ imds_use_ipv6r5r4)get_config_variablerBMETADATA_ENDPOINT_MODESr')sessionZ endpoint_modeZlendpoint_modeZerror_msg_kwargsrErErFresolve_imds_endpoint_modes  rMcCs2t|do0|jddo0|jddko0|jdkS)zDetermines if the provided shape is the special header type jsonvalue. :type shape: botocore.shape :param shape: Shape to be inspected for the jsonvalue trait. :return: True if this type is a jsonvalue, False otherwise :rtype: Bool serializationZ jsonvalueFlocationheaderstring)hasattrrNget type_name)shaperErErFis_json_value_headers  rVcCs@|dkr dSt|tjjr"||kS|dd|DkSdS)z&Case-insensitive check for header key.NFcSsg|] }|qSrErB).0keyrErErF szhas_header..)r?botocore awsrequestZ HeadersDictrBkeys) header_nameheadersrErErF has_headers r`cCsD|jd|jd|j}|dd}|dd}tdd|}|S)zvReturns the module name for a service This is the value used in both the documentation and client class name ZserviceAbbreviationZserviceFullNameZAmazonZAWSz\W+)metadatarSZ service_namereplaceresub)Z service_modelnamerErErFget_service_module_names  rgcCs|sdSt|S)N/)remove_dot_segmentspathrErErFnormalize_url_pathsrlcCs|dkr |St|SdS)zLReturns None if val is None, otherwise ensure value converted to booleanN)rGrCrErErFnormalize_booleansrmcCs|sdS|d}g}|D]0}|r|dkr|dkr@|rJ|q||q|ddkr^d}nd}|ddkrx|rxd}nd}|d||S)Nrarh.z..r)splitpopappendjoin)urlZ input_urlZ output_listxfirstlastrErErFris"     ricCs6|r |dkrt|ddD]}||krt|dqdS)Nrn expression)[]*)r$)ryinvalidrErErFvalidate_jmespath_for_set:s   r~TcCs||r t||dd}|dt|dkr2|dnd}}|sHt|d|rp||kr\i||<t||||ddS|||<dS)Nrnr3rrarxF)is_first)r~rplenr$set_value_from_jmespath)sourceryvaluerbits current_key remainderrErErFrEs  " rcCs|di}|ddk}|S)z9Determine if request is intended for an MRAP accesspoint.s3_accesspointregionrarS)contextr is_globalrErErFis_global_accesspointcs rc@seZdZdZdS)_RetriesExceededErrorz@Internal exception used when the number of retries are exceeded.N)__name__ __module__ __qualname____doc__rErErErFrjsrc@seZdZddZdS)BadIMDSRequestErrorcCs ||_dSNrequestselfrrErErF__init__qszBadIMDSRequestError.__init__N)rrrrrErErErFrpsrc@seZdZeZdZdZededddfddZ ddZ d d Z d d Z d dZ dddZddZddZddZddZddZdddZdS) IMDSFetcherzlatest/api/tokenZ21600r3NcCs||_||_|dkri}||||_||_|dkr>tj}|dd |_ |j dk|_ ||_ t j j|jt|jd|_dS)NZAWS_EC2_METADATA_DISABLEDfalser>)timeoutproxies)_timeout _num_attempts_select_base_url _base_url_configosenvironcopyrSrB _disabled _user_agentr[ httpsessionURLLib3Sessionget_environ_proxies_session)rr num_attemptsbase_urlenv user_agentr8rErErFr{s   zIMDSFetcher.__init__cCs|jSr)rrrErErF get_base_urlszIMDSFetcher.get_base_urlcCs|dkr i}|ddk}|d}|r6|r6tdd}|tkrH|}n|rR|}n|r\t}nt}td|t|st|d|S)NrHr5ec2_metadata_service_endpointzFCustom endpoint and IMDS_USE_IPV6 are both set. Using custom endpoint.zIMDS ENDPOINT: %s)endpoint)rSloggerwarningMETADATA_BASE_URLMETADATA_BASE_URL_IPv6debug is_valid_urir&)rrr8Z requires_ipv6Zcustom_metadata_endpointZchosen_base_urlrErErFrs*   zIMDSFetcher._select_base_urlcCs,d}|jr|jdsd}|j||S)Nrarh)rendswith)rrkseprErErF_construct_urlszIMDSFetcher._construct_urlc Cs.|||j}d|ji}||tjjd||d}t|j D]}zN|j | }|j dkrp|jWS|j dkrWdS|j dkrt|WqDtk rYdStk r}ztjd||dd W5d}~XYqDtk r&}z(t|jd trt||d nW5d}~XYqDXqDdS) Nz$x-aws-ec2-metadata-token-ttl-secondsPUTmethodrtr_)iii)iOCaught retryable HTTP exception while making metadata service request to %s: %sTexc_infoerror)rr)_assert_enabledr _TOKEN_PATH _TOKEN_TTL_add_user_agentr[r\ AWSRequestrangerrsendprepare status_codetextrr+RETRYABLE_HTTP_ERRORSrrr!r?kwargsrSrr&)rrtr_riresponseerErErF_fetch_metadata_tokensD       z!IMDSFetcher._fetch_metadata_tokenc Cs||dkr|j}||}i}|dk r4||d<||t|jD]r}z8tjjd||d}|j | }||s|WSWqHt k r} zt jd|| ddW5d} ~ XYqHXqH|dS)aZMake a get request to the Instance Metadata Service. :type url_path: str :param url_path: The path component of the URL to make a get request. This arg is appended to the base_url that was provided in the initializer. :type retry_func: callable :param retry_func: A function that takes the response as an argument and determines if it needs to retry. By default empty and non 200 OK responses are retried. :type token: str :param token: Metadata token to send along with GET requests to IMDS. Nzx-aws-ec2-metadata-tokenGETrrTr)r_default_retryrrrrr[r\rrrrrrr_RETRIES_EXCEEDED_ERROR_CLS) rurl_path retry_functokenrtr_rrrrrErErF _get_requests4  zIMDSFetcher._get_requestcCs|jdk r|j|d<dS)Nz User-Agent)r)rr_rErErFr s zIMDSFetcher._add_user_agentcCs|jrtd|dS)Nz)Access to EC2 metadata has been disabled.)rrrrrrErErFrs zIMDSFetcher._assert_enabledcCs||p||Sr_is_non_ok_response _is_emptyrrrErErFrszIMDSFetcher._default_retrycCs"|jdkr|j|ddddSdS)Nrznon-200Tlog_bodyF)r_log_imds_responserrErErFrs zIMDSFetcher._is_non_ok_responsecCs|js|j|ddddSdS)Nzno bodyTrF)contentrrrErErFrszIMDSFetcher._is_emptyFcCs>d}||j|jg}|r*|d7}||jtj|f|dS)NzHMetadata service returned %s response with status code of %s for url: %sz, content body: %s)rrtrrrrr)rrZ reason_to_logrZ statementZ logger_argsrErErFr#s zIMDSFetcher._log_imds_response)N)F)rrrrrrr DEFAULT_METADATA_SERVICE_TIMEOUTrrrrrrrrrrrrrrErErErFrus* $ *rc@s`eZdZdZddddgZddZdd d Zdd d Zd dZddZ ddZ ddZ ddZ dS)InstanceMetadataFetcherz*latest/meta-data/iam/security-credentials/ AccessKeyIdSecretAccessKeyToken Expirationc Csz~|}||}|||}||rZ||d|d|d|dd}|||WSd|krvd|krvtd|iWSWnR|jk rtd |jYn0t k r}ztd |j W5d}~XYnXiS) Nrrrr) role_nameZ access_keyZ secret_keyr expiry_timeCodeMessagez7Error response received when retrievingcredentials: %s.\Max number of attempts exceeded (%s) when attempting to retrieve data from metadata service.zBad IMDS request: %s) r _get_iam_role_get_credentials_contains_all_credential_fields_evaluate_expirationrrrrrr)rrr credentialsrrErErFretrieve_iam_role_credentials8s6       z5InstanceMetadataFetcher.retrieve_iam_role_credentialsNcCs|j|j|j|djSNrrr)r _URL_PATH_needs_retry_for_role_namer)rrrErErFras z%InstanceMetadataFetcher._get_iam_rolecCs$|j|j||j|d}t|jSr)rr_needs_retry_for_credentialsrloadsr)rrrrrErErFrhs z(InstanceMetadataFetcher._get_credentialscCs:zt|jWdStk r4||dYdSXdS)NFz invalid jsonT)rrr ValueErrorrrrErErF_is_invalid_jsonps   z(InstanceMetadataFetcher._is_invalid_jsoncCs||p||SrrrrErErFrxsz2InstanceMetadataFetcher._needs_retry_for_role_namecCs||p||p||Sr)rrrrrErErFr{s  z4InstanceMetadataFetcher._needs_retry_for_credentialscCs*|jD]}||krtd|dSqdS)Nz3Retrieved credentials is missing required field: %sFT)_REQUIRED_CREDENTIAL_FIELDSrr)rrfieldrErErFrs z7InstanceMetadataFetcher._contains_all_credential_fieldsc Cs|d}|dkrdSztj|d}|jdd}tdd}||}tj}tj|d}||}||kr||} | d|d<t d|dd d Wn(t k rt d |dYnXdS) Nrz%Y-%m-%dT%H:%M:%SZZec2_credential_refresh_windowiXx)secondszAttempting credential expiration extension due to a credential service availability issue. A refresh of these credentials will be attempted again within the next <z.0fz minutes.zUnable to parse expiry_time in ) rSdatetimestrptimerrandomrandintutcnow timedeltastrftimerinforr) rrZ expirationZrefresh_intervaljitterZrefresh_interval_with_jitter current_timeZrefresh_offsetZextension_timeZnew_timerErErFrs>    z,InstanceMetadataFetcher._evaluate_expiration)N)N) rrrrrrrrrrrrrrErErErFr/s)   rc@s6eZdZd ddZddZddZdd Zd d ZdS) IMDSRegionProviderNcCs$||_|dkrtj}||_||_dS)aUInitialize IMDSRegionProvider. :type session: :class:`botocore.session.Session` :param session: The session is needed to look up configuration for how to contact the instance metadata service. Specifically the whether or not it should use the IMDS region at all, and if so how to configure the timeout and number of attempts to reach the service. :type environ: None or dict :param environ: A dictionary of environment variables to use. If ``None`` is the argument then ``os.environ`` will be used by default. :type fecther: :class:`botocore.utils.InstanceMetadataRegionFetcher` :param fetcher: The class to actually handle the fetching of the region from the IMDS. If not provided a default one will be created. N)rrr_environ_fetcher)rrLrfetcherrErErFrs zIMDSRegionProvider.__init__cCs |}|S)z#Provide the region value from IMDS.)_get_instance_metadata_region)rZinstance_regionrErErFprovideszIMDSRegionProvider.providecCs|}|}|Sr) _get_fetcherretrieve_region)rrrrErErFrsz0IMDSRegionProvider._get_instance_metadata_regioncCs|jdkr||_|jSr)r_create_fetcherrrErErFrs  zIMDSRegionProvider._get_fetchercCsN|jd}|jd}|jdt|jd}t|||j|j|d}|S)NZmetadata_service_timeoutZmetadata_service_num_attemptsr)rrH)rrrrr8)rrJrMInstanceMetadataRegionFetcherr r)rZmetadata_timeoutZmetadata_num_attemptsZ imds_configrrErErFrs*z"IMDSRegionProvider._create_fetcher)NN)rrrrrrrrrErErErFr s  r c@s eZdZdZddZddZdS)rz-latest/meta-data/placement/availability-zone/cCs8z|}|WS|jk r2td|jYnXdS)aRGet the current region from the instance metadata service. :rvalue: str :returns: The region the current instance is running in or None if the instance metadata service cannot be contacted or does not give a valid response. :rtype: None or str :returns: Returns the region as a string if it is configured to use IMDS as a region source. Otherwise returns ``None``. It will also return ``None`` if it fails to get the region from IMDS due to exhausting its retries or not being able to connect. rN) _get_regionrrrr)rrrErErFrs  z-InstanceMetadataRegionFetcher.retrieve_regioncCs2|}|j|j|j|d}|j}|dd}|S)Nrro)rrrrr)rrrZavailability_zonerrErErFrs z)InstanceMetadataRegionFetcher._get_regionN)rrrrrrrErErErFrsrFcCs|D]}t||trH||kr:||kr:t||||q||||<qt||tr|r||krt||tr||||q||||<q||||<qdS)zGiven two dict, merge the second dict into the first. The dicts can have arbitrary nesting. :param append_lists: If true, instead of clobbering a list with the new value, append all of the new values onto the original list. N)r?dict merge_dictslistextend)Zdict1Zdict2Z append_listsrYrErErFrsrcCs"i}|D]}||||<q|S)zDCopies the given dictionary ensuring all keys are lowercase strings.rW)originalrrYrErErFlowercase_dict1src CsVz2|| }|}t|W5QRWSQRXWntk rPt|dYnXdS)Nrj)readparse_key_val_file_contentsOSErrorr)filename_openfcontentsrErErFparse_key_val_file9s   r$cCsHi}|D]6}d|krq |dd\}}|}|}|||<q |S)N=r3) splitlinesrpstrip)r#finallinerYrDrErErFrBs  rcCsg}t|dr|}n|}|D]V\}}t|trZ|D] }|t|dt|q6q |t|dt|q d|S)afUrlencode a dict or list into a string. This is similar to urllib.urlencode except that: * It uses quote, and not quote_plus * It has a default list of safe chars that don't need to be encoded, which matches what AWS services expect. If any value in the input ``mapping`` is a list type, then each list element wil be serialized. This is the equivalent to ``urlencode``'s ``doseq=True`` argument. This function should be preferred over the stdlib ``urlencode()`` function. :param mapping: Either a dict to urlencode or a list of ``(key, value)`` pairs. itemsr%&)rRr*r?rrrpercent_encoders)mappingsafeZ encoded_pairspairsrYrelementrErErFpercent_encode_sequenceQs    r1cCs6t|ttfst|}t|ts*|d}t||dS)aUrlencodes a string. Whereas percent_encode_sequence handles taking a dict/sequence and producing a percent encoded string, this function deals only with taking a string (not a dict/sequence) and percent encoding it. If given the binary type, will simply URL encode it. If given the text type, will produce the binary type by UTF-8 encoding the text. If given something else, will convert it to the text type first. utf-8)r.)r?bytesrAencoder) input_strr.rErErFr,ws   r,c Cst|ttfrtj||Sztjt||WSttfk rLYnXztjj |dt idWSttfk r}ztd|d|W5d}~XYnXdS)z.Parse timestamp with pluggable tzinfo options.GMT)ZtzinfoszInvalid timestamp "z": N) r?intfloatr fromtimestamp TypeErrorrdateutilparserparserrtzinforrErErF_parse_timestamp_with_tzinfosr@c CsbtD]J}zt||WStk rN}ztjd|j|dW5d}~XYqXqtd|dS)zParse a timestamp into a datetime object. Supported formats: * iso8601 * rfc822 * epoch (value is an integer) This will return a ``datetime.datetime`` object. z2Unable to parse timestamp with "%s" timezone info.rNz4Unable to calculate correct timezone offset for "%s")rr@rrrr RuntimeErrorr>rErErFparse_timestamps rBcCsDt|tjr|}nt|}|jdkr4|jtd}n |t}|S)aConverted the passed in value to a datetime object with tzinfo. This function can be used to normalize all timestamp inputs. This function accepts a number of different types of inputs, but will always return a datetime.datetime object with time zone information. The input param ``value`` can be one of several types: * A datetime object (both naive and aware) * An integer representing the epoch time (can also be a string of the integer, i.e '0', instead of 0). The epoch time is considered to be UTC. * An iso8601 formatted timestamp. This does not need to be a complete timestamp, it can contain just the date portion without the time component. The returned value will be a datetime object that will have tzinfo. If no timezone info was provided in the input value, then UTC is assumed, not local time. Nr?)r?rrBr?rcr astimezone)rZ datetime_objrErErFparse_to_aware_datetimes   rEcCs~tddd}|jdkr2|dkr&t}|j|d}|jdd||}t|dr\|S|j|j|j ddddS) awCalculate the timestamp based on the given datetime instance. :type dt: datetime :param dt: A datetime object to be converted into timestamp :type default_timezone: tzinfo :param default_timezone: If it is provided as None, we treat it as tzutc(). But it is only used when dt is a naive datetime. :returns: The timestamp r3NrC total_secondsii@B) rr?rrc utcoffsetrRrG microsecondsrdays)dtZdefault_timezoneepochdrErErFdatetime2timestamps    rOcsBt}tfdddD]}||q|r6|S|SdS)aCalculate a sha256 checksum. This method will calculate the sha256 checksum of a file like object. Note that this method will iterate through the entire file contents. The caller is responsible for ensuring the proper starting position of the file and ``seek()``'ing the file back to its starting location if other consumers need to read from the file like object. :param body: Any file like object. The file must be opened in binary mode such that a ``.read()`` call returns bytes. :param as_hex: If True, then the hex digest is returned. If False, then the digest (as binary bytes) is returned. :returns: The sha256 checksum cs dSNrrEbodyrErFz"calculate_sha256..rVN)hashlibsha256iterupdate hexdigestdigest)rTZas_hexchecksumchunkrErSrFcalculate_sha256s  r_csg}dtj}tfdddD]}|||q"|sJ|dSt|dkrg}t|D]2\}}|dk r||||qb||qb|}qJt |d dS) a\Calculate a tree hash checksum. For more information see: http://docs.aws.amazon.com/amazonglacier/latest/dev/checksum-calculations.html :param body: Any file like object. This has the same constraints as the ``body`` param in calculate_sha256 :rtype: str :returns: The hex version of the calculated tree hash rQcs SrrRrErTZrequired_chunk_sizerErFrU)rVz%calculate_tree_hash..rVr3Nrascii) rWrXrYrrr\r[r _in_pairsbinasciihexlifydecode)rTchunksrXr^Z new_chunksrvsecondrEr`rFcalculate_tree_hashs   rhcCst|}t||Sr)rYr)iterableZ shared_iterrErErFrb9s rbc@s eZdZdZddZddZdS)CachedPropertyzA read only property that caches the initially computed value. This descriptor will only call the provided ``fget`` function once. Subsequent access to this property will return the cached value. cCs ||_dSr)_fget)rfgetrErErFrRszCachedProperty.__init__cCs,|dkr |S||}||j|jj<|SdSr)rk__dict__r)robjclsZcomputed_valuerErErF__get__Us  zCachedProperty.__get__N)rrrrrrprErErErFrjJsrjc@sDeZdZdZdddZddZddd Zd d Zd d ZddZ dS)ArgumentGeneratoraGenerate sample input based on a shape model. This class contains a ``generate_skeleton`` method that will take an input/output shape (created from ``botocore.model``) and generate a sample dictionary corresponding to the input/output shape. The specific values used are place holder values. For strings either an empty string or the member name can be used, for numbers 0 or 0.0 is used. The intended usage of this class is to generate the *shape* of the input structure. This can be useful for operations that have complex input shapes. This allows a user to just fill in the necessary data instead of worrying about the specific structure of the input arguments. Example usage:: s = botocore.session.get_session() ddb = s.get_service_model('dynamodb') arg_gen = ArgumentGenerator() sample_input = arg_gen.generate_skeleton( ddb.operation_model('CreateTable').input_shape) print("Sample input for dynamodb.CreateTable: %s" % sample_input) FcCs ||_dSr)_use_member_names)rZuse_member_namesrErErFryszArgumentGenerator.__init__cCsg}|||S)zGenerate a sample input. :type shape: ``botocore.model.Shape`` :param shape: The input shape. :return: The generated skeleton input corresponding to the provided input shape. )_generate_skeleton)rrUstackrErErFgenerate_skeleton|s z#ArgumentGenerator.generate_skeletonracCs||jz|jdkr(|||WS|jdkrB|||WS|jdkr\|||WS|jdkr|jrt|W|S|jrt |jWfSW`dS|jdkrWNdS|jdkrW|S|f||}||j|<|Sr)tuplesortedr*Z_instance_cacherS)rargsr cache_keyZ kwarg_itemsresultfunc func_namerErF _cache_guards   z$instance_cache.._cache_guard)r functoolswraps)rrrErrFinstance_cachess rcKsht|jjd}dd|D}d}t|dkrB|d|d7}|d7}|dkrVdSt||d d dS) z?Switches the current s3 endpoint with an S3 Accelerate endpointrncSsg|]}|tkr|qSrES3_ACCELERATE_WHITELISTrXprErErFrZsz-switch_host_s3_accelerate..zhttps://s3-accelerate.r amazonaws.com)Z ListBuckets CreateBucketZ DeleteBucketNF)use_new_scheme)rrtrrprrs _switch_hosts)rZoperation_namerrrrErErFswitch_host_s3_accelerates rcCs2t|jd}||r.||}t||dS)zBSwitches the host using a parameter value from a JSON request bodyr2N)rrdatarerSr)r param_nameZ request_json new_endpointrErErFswitch_host_with_params rcCst|j||}||_dSr)_get_new_endpointrt)rrrfinal_endpointrErErFrs rcCsVt|}t|}|j}|r |j}||j|j|jdf}t|}td|d||SNrazUpdating URI from  to )rrrrkrrrr)Zoriginal_endpointrrZnew_endpoint_componentsZoriginal_endpoint_componentsrZfinal_endpoint_componentsrrErErFrsrcCsR|D]H}||kr@t||tr@t||tr@t||||q||||<qdS)zDeeply two dictionaries, overriding existing keys in the base. :param base: The base dictionary which will be merged into. :param extra: The dictionary to merge into the base. Keys from this dictionary will take precedence. N)r?r deep_merge)baseextrarYrErErFrs  rcCs|ddS)zcTranslate the form used for event emitters. :param service_id: The service_id to convert.  -)rcrB)Z service_idrErErFhyphenize_service_idsrc@sLeZdZdZdddZdddZddZd d Zd d Zd dZ ddZ dS)S3RegionRedirectorv2a Updated version of S3RegionRedirector for use when EndpointRulesetResolver is in use for endpoint resolution. This class is considered private and subject to abrupt breaking changes or removal without prior announcement. Please do not use it directly. NcCs|pi|_t||_dSr)_cacheweakrefproxy_clientrZendpoint_bridgeclientcacherErErFrs zS3RegionRedirectorv2.__init__cCsFtd|p|jjj}|d|j|d|j|d|jdS)Nz(Registering S3 region redirector handlerneeds-retry.s3before-parameter-build.s3zbefore-endpoint-resolution.s3) rrrmetar<registerredirect_from_errorannotate_request_contextredirect_from_cacher event_emitterZemitterrErErFrs zS3RegionRedirectorv2.registercKs|dkr dS|didi}t|dr>tddS|drVtddS|dd i}|d }|dd i}|d ko|jd k} |d ko|jdkod|dik} |dkod|k} |ddk o|djdk} |dk} t| | | | | gsdS|ddd}|dd}|||}|dkrFtd||fdStd|||f||j |<|j j }|j ||ddd|dd}| |d|j|d<d|ddd<|jd}|dk r||}|\}}||dd<|ddi||dd<dS)  An S3 request sent to the wrong region will return an error that contains the endpoint the request should be sent to. This handler will add the redirect information to the signing context and then redirect the request. Nr s3_redirectbucketzBS3 request was previously for an Accesspoint ARN, not redirecting. redirected6S3 request was previously redirected, not redirecting.r3ErrorrResponseMetadataZ301Z400 HeadObject HeadBucketx-amz-bucket-region HTTPHeadersAuthorizationHeaderMalformedRegionri-i.i3PermanentRedirect client_regionS3 client configured for region %s but the bucket %s is not in that region and the proper region could not be automatically determined.S3 client configured for region %s but the bucket %s is in region %s; Please configure the proper region to avoid multiple unnecessary redirects and signing attempts.params)Zoperation_modelZ call_argsrequest_contextrtTZ authSchemes auth_typesigning)rS ArnParseris_arnrrrfranyget_bucket_regionrrZ_ruleset_resolverconstruct_endpointset_request_urlrtZ propertiesZauth_schemes_to_signing_ctx)r request_dictr operationrZ redirect_ctxr error_coderesponse_metadatais_special_head_objectis_special_head_bucketis_wrong_signing_regionis_redirect_statusis_permanent_redirectrr new_regionZ ep_resolverZep_infoZ auth_schemesZ auth_inforsigning_contextrErErFrs            z(S3RegionRedirectorv2.redirect_from_errorc Cs|d}|dd}d|kr$|dS|didd}|dk rD|Sz|jj|d}|dd}Wn0tk r}z|jdd}W5d}~XYnX|dd}|S a. There are multiple potential sources for the new region to redirect to, but they aren't all universally available for use. This will try to find region from response elements, but will fall back to calling HEAD on the bucket if all else fails. :param bucket: The bucket to find the region for. This is necessary if the region is not available in the error response. :param response: A response representing a service request that failed due to incorrect region configuration. r3rrrrrN)BucketrSrZ head_bucketrrrrrZservice_responseresponse_headersrr_rrErErFrhs    z&S3RegionRedirectorv2.get_bucket_regioncKs t||dS)z Splice a new endpoint into an existing URL. Note that some endpoints from the the endpoint provider have a path component which will be discarded by this function. F)r)rold_urlrrrErErFrsz$S3RegionRedirectorv2.set_request_urlcKs4|d}|dk r0||jkr0|j|}||d<dS)a If a bucket name has been redirected before, it is in the cache. This handler will update the AWS::Region endpoint resolver builtin param to use the region from cache instead of the client region to avoid the redirect. rNz AWS::Region)rSr)rbuiltinsrrrrrErErFrs  z(S3RegionRedirectorv2.redirect_from_cachecKs|d}d||d|d<dS)zStore the bucket name in context for later use when redirecting. The bucket name may be an access point ARN or alias. rF)rrrrNr)rrrrrrErErFrs  z-S3RegionRedirectorv2.annotate_request_context)N)N) rrrrrrrrrrrrErErErFrs  l! rc@sLeZdZdZdddZdddZddZd d Zd d Zd dZ ddZ dS)S3RegionRedirectorzThis handler has been replaced by S3RegionRedirectorv2. The original version remains in place for any third-party libraries that import it. NcCs:||_||_|jdkri|_t||_tjdtddS)NzThe S3RegionRedirector class has been deprecated for a new internal replacement. A future version of botocore may remove this class.category)_endpoint_resolverrrrrwarningswarn FutureWarningrrErErFrs  zS3RegionRedirector.__init__cCs<|p |jjj}|d|j|d|j|d|jdS)Nrzbefore-call.s3r)rrr<rrrrrrErErFrszS3RegionRedirector.registercKs|dkr dS||dir,tddS|didrLtddS|ddi}|d}|dd i}|d ko|jd k}|d ko|jd kod |dik} |dkod|k} |ddk o|djdk} |dk} t|| | | | gsdS|ddd} |dd}|| |}|dkraccesspoint|outpost)[/:](?P.+)$zc^(?P[a-zA-Z0-9\-]{1,63})[/:]accesspoint[/:](?P[a-zA-Z0-9\-]{1,63}$)rNcCs||_|dkrt|_dSr _arn_parserrrr$rErErFrszS3ArnParamHandler.__init__cCs|d|jdS)Nrr handle_arnrrrErErFrszS3ArnParamHandler.registercKs`|j|jkrdS||}|dkr&dS|ddkrB||||n|ddkr\||||dS)N resource_type accesspointoutpost)rf_BLACKLISTED_OPERATIONS"_get_arn_details_from_bucket_param_store_accesspoint_store_outpost)rrmodelrr arn_detailsrErErFr+s    zS3ArnParamHandler.handle_arncCsHd|krDz&|d}|j|}||||WStk rBYnXdS)Nr)r(r"_add_resource_type_and_namer)rrr!r5rErErFr1s  z4S3ArnParamHandler._get_arn_details_from_bucket_paramcCs@|j|d}|r2|d|d<|d|d<n t|ddS)Nr r- resource_name)r!)_RESOURCE_REGEXrgroupr/)rr!r5rrErErFr6s z-S3ArnParamHandler._add_resource_type_and_namecCs8|d|d<|d|d|d|d|dd|d<dS) Nr7rrrrr)rfrrrrrrErrrr5rErErFr2s z$S3ArnParamHandler._store_accesspointcCsd|d}|j|}|s"t|d|d}||d<|d||d|d|d|d d |d <dS) Nr7)r7accesspoint_namer outpost_namerrrr)r<rfrrrrr)_OUTPOST_RESOURCE_REGEXrr-r9)rrrr5r7rr;rErErFr3s   z S3ArnParamHandler._store_outpost)N)rrrrdrr8r=r0rrr+r1r6r2r3rErErErFr&|s   r&c@seZdZdZdZd7ddZddZd d Zd d Zd dZ ddZ ddZ ddZ ddZ ddZddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zed1d2Zed3d4Zed5d6ZdS)8S3EndpointSetterawsrNFcCsF||_||_||_||_|dkr&i|_||_||_|dkrB|j|_dSrr_region _s3_config_use_fips_endpoint _endpoint_url _partition_DEFAULT_PARTITIONrendpoint_resolverr s3_configrruse_fips_endpointrErErFrs zS3EndpointSetter.__init__cCs.|d|j|d|j|d|jdS)Nzbefore-sign.s3zchoose-signer.s3z%before-call.s3.WriteGetObjectResponse)r set_endpoint set_signer#update_endpoint_to_s3_object_lambdar,rErErFrs zS3EndpointSetter.registercKsh|jrtdd||d|jr&dS|j}|d|j}dj|d|dd}t|d|d |d<dS) NzOS3 client does not support accelerate endpoints for S3 Object Lambda operationsmsgs3-object-lambdazhttps://{host_prefix}{hostname} host_prefixr)rQrrtF) _use_accelerate_endpointr0_override_signing_namerDrrrAformatr)rrrrresolverresolvedrrErErFrMs" z4S3EndpointSetter.update_endpoint_to_s3_object_lambdacKs||rL||||||||}|||||dS|jrz|jrht d|j dt fd|i||j r|j fd|i|dS)Nz{Client is configured to use the FIPS psuedo region for "%s", but S3 Accelerate does not have any FIPS compatible endpoints.rNr) _use_accesspoint_endpoint_validate_accesspoint_supported_validate_fips_supported_validate_global_regions(_resolve_region_for_accesspoint_endpoint._resolve_signing_name_for_accesspoint_endpoint_switch_to_accesspoint_endpointrRrCr0rAr_s3_addressing_handler)rrrrrErErFrK s(      zS3EndpointSetter.set_endpointcCs d|jkSrrrrErErFrW%sz*S3EndpointSetter._use_accesspoint_endpointcCs|js dSd|jddkr(tdhdd|jdkrFtd|jd|jdd}||jkr|jdd std |j|fddS) Nfipsrr,Invalid ARN, FIPS region not allowed in ARN.rNr<zhClient is configured to use the FIPS psuedo-region "%s", but outpost ARNs do not support FIPS endpoints.use_arn_regionTzClient is configured to use the FIPS psuedo-region for "%s", but the access-point ARN provided is for the "%s" region. For clients using a FIPS psuedo-region calls to access-point ARNs in another region are not allowed.)rCrr.rArBrSrrZaccesspoint_regionrErErFrY(s( z)S3EndpointSetter._validate_fips_supportedcCs0|jddrdS|jdkr,td|jddS)NrbT)z aws-globalz s3-external-1zClient is configured to use the global psuedo-region "%s". When providing access-point ARNs a regional endpoint must be specified.rN)rBrSrAr.rrErErFrZHs z)S3EndpointSetter._validate_global_regionscCs|jrtdd|jdd}||jkrD sz.) rBrSrDrrrrprsetall)rrr feature_partsrErErFrR# s       z)S3EndpointSetter._use_accelerate_endpointcCs"|jr dS|jd}|r|SdS)NvirtualZaddressing_style)rRrBrS)rZconfigured_addressing_stylerErErF_addressing_styleF s  z"S3EndpointSetter._addressing_stylecCsH|jdkrtdtS|jdks,|jdk r:tddStdtS)Nrz'Using S3 virtual host style addressing.rkzUsing S3 path style addressing.zSDefaulting to S3 virtual host style addressing with path style addressing fallback.)rrrrrDrrrErErFr^R s   z'S3EndpointSetter._s3_addressing_handler)NNNNF)rrrrFrurrrMrKrWrYrZrXrer[rLr\r]rhrkrlrprirmrqrfrSrjrRrr^rErErErFr>sF   &        " r>c@seZdZdZdZedZd6ddZdd Z d d Z d d Z ddZ ddZ ddZddZddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2d3Zd4d5ZdS)7S3ControlEndpointSetterr?rz^[a-zA-Z0-9\-]{1,63}$NFcCsF||_||_||_||_|dkr&i|_||_||_|dkrB|j|_dSrr@rGrErErFrp s z S3ControlEndpointSetter.__init__cCs|d|jdS)Nzbefore-sign.s3-control)rrKr,rErErFr sz S3ControlEndpointSetter.registercKs|||r@||||}|||||||n8||rx||||d| |j }| ||dSNro) _use_endpoint_from_arn_details-_validate_endpoint_from_arn_details_supported _resolve_region_from_arn_details&_resolve_signing_name_from_arn_details"_resolve_endpoint_from_arn_details_add_headers_from_arn_details_use_endpoint_from_outpost_id#_validate_outpost_redirection_validrS_construct_outpost_endpointrA_update_request_netloc)rrrr new_netlocrErErFrK s          z$S3ControlEndpointSetter.set_endpointcCs d|jkS)Nr5r_rrErErFr sz6S3ControlEndpointSetter._use_endpoint_from_arn_detailscCs d|jkS)N outpost_idr_rrErErFr sz5S3ControlEndpointSetter._use_endpoint_from_outpost_idcCsd|jddkr(t|jdddd|jddsf|jdd}||jkrfd ||jf}t|d |jdd }||jkrtd |j|fd |jd rtdd d|jdkr||dS)Nr`r5rrrar!rOrbFzpThe use_arn_region configuration is disabled but received arn for "%s" when the client is configured to use "%s"rNrzClient is configured for "%s" partition, but arn provided is for "%s" partition. The client and arn partition must be the same.r7S3 control client does not support accelerate endpointsr<)rr1rBrSrAr2rEr)rr arn_region error_msgZrequest_partionrErErFr s2     zES3ControlEndpointSetter._validate_endpoint_from_arn_details_supportedcCs|jdrtdddS)NrdzPClient does not support s3 dualstack configuration when an outpost is specified.rN)rBrSr2rrErErFr s z;S3ControlEndpointSetter._validate_outpost_redirection_validcCs2|jddr,|jdd}||||S|jS)NrbFr5r)rBrSrrfrA)rrrrErErFr s  z8S3ControlEndpointSetter._resolve_region_from_arn_detailscCs|jdd}||||S)Nr5rrg)rrZ arn_servicerErErFr s z>S3ControlEndpointSetter._resolve_signing_name_from_arn_detailscCs|||}|||dSr) _resolve_netloc_from_arn_detailsr)rrrrrErErFr s z:S3ControlEndpointSetter._resolve_endpoint_from_arn_detailscCsDt|j}t|j||j|jdf}td|jd|||_dSr)rrtrrrkrrr)rrrrjZarn_details_endpointrErErFr s  z.S3ControlEndpointSetter._update_request_netloccCs0|jd}d|kr||S|d}|||S)Nr5r<r)rr_construct_s3_control_endpoint)rrrr5rrErErFr s   z8S3ControlEndpointSetter._resolve_netloc_from_arn_detailscCs |j|Sr)_HOST_LABEL_REGEXr)rlabelrErErF_is_valid_host_label sz,S3ControlEndpointSetter._is_valid_host_labelcGs"|D]}||st|dqdS)N)r)rr%)rlabelsrrErErF_validate_host_labels s z-S3ControlEndpointSetter._validate_host_labelscCs\||||jr(t|jj}||g}n*|dg}||||}|||g||S)Nz s3-control)rrDrr_add_dualstackrqr_construct_netloc)rrrrnrrvrErErFr s     z6S3ControlEndpointSetter._construct_s3_control_endpointcCs@|||jrt|jjSd|||g}||||Sr)rrDrrrq _add_fipsr)rrrrErErFr s   z3S3ControlEndpointSetter._construct_outpost_endpointcCs d|S)Nrn)rsrrrErErFr sz)S3ControlEndpointSetter._construct_netloccCs|jr|dd|d<dS)Nrz-fipsrsrrErErFr sz!S3ControlEndpointSetter._add_fipscCs|jdr|ddS)Nrdr6)rBrSrrrrErErFr s z&S3ControlEndpointSetter._add_dualstackcCs,|jd|}|j}|r(d|kr(|d}|SrwrxryrErErFrq s z'S3ControlEndpointSetter._get_dns_suffixcCs$|jdi}||d<||jd<dSrzr{r|rErErFrf& sz0S3ControlEndpointSetter._override_signing_regioncCs$|jdi}||d<||jd<dSr}r{)rrr~rrErErFrS/ sz.S3ControlEndpointSetter._override_signing_namecCs(|jd}|d}|r$|||dS)Nr5r<)rrS_add_outpost_id_header)rrr5r<rErErFr8 s  z5S3ControlEndpointSetter._add_headers_from_arn_detailscCs||jd<dS)Nzx-amz-outpost-id)r_)rrr<rErErFr> sz.S3ControlEndpointSetter._add_outpost_id_header)NNNNF) rrrrFrurdrrrrrKrrrrrrrrrrrrrrrrrqrfrSrrrErErErFrk s@          rc@seZdZdZedZdddZddZdd Z d d Z d d Z ddZ ddZ ddZddZddZddZddZddZdS)S3ControlArnParamHandlerzThis handler has been replaced by S3ControlArnParamHandlerv2. The original version remains in place for any third-party importers. z[/:]NcCs(||_|dkrt|_tjdtddS)NzThe S3ControlArnParamHandler class has been deprecated for a new internal replacement. A future version of botocore may remove this class.r )r(rrrrr)rErErFrI sz!S3ControlArnParamHandler.__init__cCs|d|jdS)Nz!before-parameter-build.s3-controlr*r,rErErFrT sz!S3ControlArnParamHandler.registercKs:|jdkr||||n||||||||dS)N)rZListRegionalBuckets)rf_handle_outpost_id_param_handle_name_param_handle_bucket_param)rrr4rrrErErFr+Z s z#S3ControlArnParamHandler.handle_arncCsX||kr dSz0||}|j|}||d<|||d<|WStk rRYdSXdS)Nr resources)r(r"_split_resourcer)rrrr!r5rErErF_get_arn_details_from_paramd s z4S3ControlArnParamHandler._get_arn_details_from_paramcCs|j|dS)Nr )_RESOURCE_SPLIT_REGEXrp)rr5rErErFrp sz(S3ControlArnParamHandler._split_resourcecCsD|d}d|kr8|d|kr8d|d}t|d|d||d<dS)NrZ AccountIdzGAccount ID in arn does not match the AccountId parameter provided: "%s"rr)r1)rrr5Z account_idrrErErF_override_account_id_params sz3S3ControlArnParamHandler._override_account_id_paramcCsd|kr dS|d|d<dS)NZ OutpostIdrrE)rrr4rrErErFr sz1S3ControlArnParamHandler._handle_outpost_id_paramcCsX|jdkrdS||d}|dkr&dS||r@||||nd}t|d|ddSNZCreateAccessPointNamez4The Name parameter does not support the provided ARNrr)rfr_is_outpost_accesspoint_store_outpost_accesspointr1rrr4rr5rrErErFr s   z+S3ControlArnParamHandler._handle_name_paramcCs@|ddkrdS|d}t|dkr(dS|ddko>|dd kS) NrroFrrrr/rr.rrr5rrErErFr s   z0S3ControlArnParamHandler._is_outpost_accesspointcCsD||||dd}||d<||d<|dd|d<||d<dS)Nrrrr;r3r<r5r)rrrr5r;rErErFr s   z3S3ControlArnParamHandler._store_outpost_accesspointcCsJ||d}|dkrdS||r2||||nd}t|d|ddSNrz6The Bucket parameter does not support the provided ARNrr)r_is_outpost_bucket_store_outpost_bucketr1rrErErFr s  z-S3ControlArnParamHandler._handle_bucket_paramcCs@|ddkrdS|d}t|dkr(dS|ddko>|dd kS) NrroFrrrr/rrrrrErErFr s   z+S3ControlArnParamHandler._is_outpost_bucketcCsD||||dd}||d<||d<|dd|d<||d<dS)Nrrrrr3r<r5r)rrrr5rrErErFr s   z.S3ControlArnParamHandler._store_outpost_bucket)N)rrrrrdrrrrr+rrrrrrrrrrrErErErFrB s       rc@sReZdZdZdddZddZddZd d Zd d Zd dZ ddZ ddZ dS)S3ControlArnParamHandlerv2aUpdated version of S3ControlArnParamHandler for use when EndpointRulesetResolver is in use for endpoint resolution. This class is considered private and subject to abrupt breaking changes or removal without prior announcement. Please do not use it directly. NcCs||_|dkrt|_dSrr'r)rErErFr sz#S3ControlArnParamHandlerv2.__init__cCs|d|jdS)Nz%before-endpoint-resolution.s3-controlr*r,rErErFr sz#S3ControlArnParamHandlerv2.registercCsl|jdkrdS||d}|dkr&dS||||||rT||||nd}t|d|ddSr)rfr_raise_for_fips_pseudo_region_raise_for_accelerate_endpointrrr1rrErErFr s     z-S3ControlArnParamHandlerv2._handle_name_paramcCs|||dSrrr:rErErFr sz5S3ControlArnParamHandlerv2._store_outpost_accesspointcCs^||d}|dkrdS||||||rF||||nd}t|d|ddSr)rrrrrr1rrErErFr s    z/S3ControlArnParamHandlerv2._handle_bucket_paramcCs|||dSrrr:rErErFr sz0S3ControlArnParamHandlerv2._store_outpost_bucketcCs0|d}|ds|dr,t|ddddS)Nrzfips-rrar)r#rr1)rr5rrErErFr s z8S3ControlArnParamHandlerv2._raise_for_fips_pseudo_regioncCs&|djp i}|dr"tdddS)N client_configrrrN)rrSr2)rrrIrErErFr s  z9S3ControlArnParamHandlerv2._raise_for_accelerate_endpoint)N) rrrrrrrrrrrrrErErErFr s  rc@sreZdZdZdZdZdZeddgZdej fdd Z dd d Z d d Z ddZ ddZdddZddZddZdS)ContainerMetadataFetcherrrr3z 169.254.170.2 localhostz 127.0.0.1NcCs(|dkrtjj|jd}||_||_dS)N)r)r[rrTIMEOUT_SECONDSr_sleep)rrLsleeprErErFr s z!ContainerMetadataFetcher.__init__cCs|||||S)zRetrieve JSON metadata from container metadata. :type full_url: str :param full_url: The full URL of the metadata service. This should include the scheme as well, e.g "http://localhost:123/foo" )_validate_allowed_url_retrieve_credentials)rfull_urlr_rErErFretrieve_full_uri$ s z*ContainerMetadataFetcher.retrieve_full_uricCs:tj|}||j}|s6td|jd|jfdS)NzGUnsupported host '%s'. Can only retrieve metadata from these hosts: %sz, )r[compatr_check_if_whitelisted_hostrrrs_ALLOWED_HOSTS)rrparsedZis_whitelisted_hostrErErFr0 s  z.ContainerMetadataFetcher._validate_allowed_urlcCs||jkrdSdS)NTF)r)rrrErErFr: s z3ContainerMetadataFetcher._check_if_whitelisted_hostcCs||}||S)zRetrieve JSON metadata from ECS metadata. :type relative_uri: str :param relative_uri: A relative URI, e.g "/foo/bar?id=123" :return: The parsed JSON response. )rr)r relative_urirrErErF retrieve_uri? s z%ContainerMetadataFetcher.retrieve_uric Csddi}|dk r||d}z||||jWStk r}z4tjd|dd||j|d7}||jkrrW5d}~XYqXqdS)NAcceptzapplication/jsonrzAReceived error when attempting to retrieve container metadata: %sTrr3) rZ _get_responserr)rrr SLEEP_TIMERETRY_ATTEMPTS)rr extra_headersr_attemptsrrErErFrK s(   z.ContainerMetadataFetcher._retrieve_credentialsc Csztjj}|d||d}|j|}|jd}|jdkrRt d|j|fdzt |WWSt k rd}t d||t |dYnXWn4tk r} zd | }t |dW5d} ~ XYnXdS) Nrrr2rz4Received non 200 response (%s) from ECS metadata: %srz8Unable to parse JSON returned from ECS metadata servicesz%s:%sz;Received error when attempting to retrieve ECS metadata: %s)r[r\rrrrrrerr)rrrrrr) rrr_rrrrZ response_textrrrErErFra s0  z&ContainerMetadataFetcher._get_responsecCsd|j|S)Nzhttp://) IP_ADDRESS)rrrErErFr} sz!ContainerMetadataFetcher.full_url)N)N)rrrrrrrrtimerrrrrrrrrrErErErFr s    rcCst|r iStSdSr)should_bypass_proxiesrrtrErErFr src Cs8ztt|jrWdSWnttjfk r2YnXdS)z: Returns whether we should bypass proxies or not. TF)rrrr:socketgaierrorrrErErFr s  rc Cs|sdSz t|WSttfk r*YnXt|drt|drz0|}|dd|}||||WStjk rYnXdS)Nrseektellr)rAttributeErrorr:rRrrioUnsupportedOperation)rTZorig_posZ end_file_posrErErFdetermine_content_length s     r ISO-8859-1cCsJ|d}|sdStj}||d<|d}|dk r:|Sd|krF|SdS)zReturns encodings from given HTTP Header Dict. :param headers: dictionary to extract encoding from. :param default: default encoding if the content-type is text z content-typeNcharsetr)rSr:messager get_param)r_default content_typerrrErErFget_encoding_from_headers s   rcKs0t|ttfrt|}nt|}t|dS)Nra)r?r3 bytearray_calculate_md5_from_bytes_calculate_md5_from_filebase64 b64encodere)rTrZ binary_md5rErErF calculate_md5 s rcCst|}|Sr)rr\)Z body_bytesmd5rErErFr srcsB}t}tfdddD]}||q ||S)Ncs dSrPrRrEfileobjrErFrU rVz*_calculate_md5_from_file..rV)rrrYrZrr\)rZstart_positionrr^rErrFr s   rcKs|d}|d}|didi}|d}|r>|dkr>dS|D]}t|rBdSqBtr|dk rd|krt|f|}||dd<dS) z1Only add a Content-MD5 if the system supports it.r_rTrr]Zrequest_algorithmzconditional-md5Nz Content-MD5)rSCHECKSUM_HEADER_PATTERNrrr)rrr_rTZchecksum_contextZchecksum_algorithmrPZ md5_digestrErErFconditionally_calculate_md5 s    rc@s eZdZefddZddZdS)FileWebIdentityTokenLoadercCs||_||_dSr)_web_identity_token_pathr!)rZweb_identity_token_pathr!rErErFr sz#FileWebIdentityTokenLoader.__init__c Cs,||j}|W5QRSQRXdSr)r!rr)rZ token_filerErErF__call__ sz#FileWebIdentityTokenLoader.__call__N)rrropenrrrErErErFr s rc@s2eZdZd ddZddZd ddZd dd ZdS) SSOTokenLoaderNcCs|dkr i}||_dSr)r)rrrErErFr szSSOTokenLoader.__init__cCs$|}|dk r|}t|dS)Nr2)rWsha1r4r[)r start_url session_namer5rErErF_generate_cache_key sz"SSOTokenLoader._generate_cache_keycCs|||}||j|<dSr)rr)rrrrrrErErF save_token s zSSOTokenLoader.save_tokencCs|||}td|||jkrL|}|dk r6|}d|d}t|d|j|}d|ksfd|kr|d|d}t|d|S)NzChecking for cached token at: z Token for z does not existrZ accessTokenZ expiresAtz is invalid)rrrrr,)rrrrrfrrrErErFr s       zSSOTokenLoader.__call__)N)N)N)rrrrrrrrErErErFr s  rc@s@eZdZdZdZdddZddZdd Zd d Zdd d Z dS)EventbridgeSignerSetterr?rNcCs||_||_||_dSr)rrArD)rrHrrrErErFr) sz EventbridgeSignerSetter.__init__cCs |d|j|d|jdS)Nz'before-parameter-build.events.PutEventszbefore-call.events.PutEvents)rcheck_for_global_endpointset_endpoint_urlr,rErErFr. sz EventbridgeSignerSetter.registercKs6d|kr2|d}td|dd|||d<dS)Neventbridge_endpointzRewriting URL from rtr)rrrrErErFr7 sz(EventbridgeSignerSetter.set_endpoint_urlc Ks|d}|dkrdSt|dkr,tddts:tdd|d}d}|dk rl|jr`tdd|jrldg}|jdkrtd |}|j |krtd d|j ||d }n|j}||d <d |d<dS)NZ EndpointIdrz+EndpointId must not be a zero length stringrNzqUsing EndpointId requires an additional dependency. You will need to pip install botocore[crt] before proceeding.rz>FIPS is not supported with EventBridge multi-region endpoints.r6https://z-EndpointId is not a valid hostname component.endpoint_variant_tagsrZv4ar) rSrr#rr*rJrdrDrr_get_global_endpoint) rrrrrr8rrZresolved_endpointrErErFr= sB     z1EventbridgeSignerSetter.check_for_global_endpointcCsN|j}||j}|dkr |j}|j||d}|dkr<|j}d|d|dS)Nrrz.endpoint.events.rh)rZget_partition_for_regionrArFrtru)rrrrUrrvrErErFri s z,EventbridgeSignerSetter._get_global_endpoint)NN)N) rrrrFrurrrrrrErErErFr% s  ,rcCs|dkr dSt|}|jdr*|jdkr.dS|jd}|ddkrJdS|dd }t|tt|krndStd d |DS) zDoes the URL match the S3 Accelerate endpoint scheme? Virtual host naming style with bucket names in the netloc part of the URL are not allowed by this function. NFr)httpshttprnrrr3rcss|]}|tkVqdSrrrrErErFr sz'is_s3_accelerate_url..)rrrrrprrr)rtZ url_partsrrrErErFis_s3_accelerate_urlx s    rc@sreZdZdZejejddddZedfddZ d d Z d d Z d dZ ddZ ddZddZdddZdS) JSONFileCachezJSON file cache. This provides a dict like interface that stores JSON serializable objects. The objects are serialized to JSON and stored in a file. These values can be retrieved at a later time. ~z.awsZbotorNcCs||_|dkr|j}||_dSr) _working_dir_default_dumps_dumps)rZ working_dirZ dumps_funcrErErFr szJSONFileCache.__init__cCstj||jdS)N)r)rdumps_serialize_if_needed)rrnrErErFr  szJSONFileCache._default_dumpscCs||}tj|Sr)_convert_cache_keyrrkisfile)rr actual_keyrErErF __contains__ s zJSONFileCache.__contains__c Cs\||}z,t|}t|W5QRWSQRXWn ttfk rVt|YnXdS)z Retrieve value from a cache key.N)rrrloadrrKeyError)rrrr"rErErF __getitem__ s   "zJSONFileCache.__getitem__cCs@||}zt|}|Wntk r:t|YnXdSr)rrunlinkFileNotFoundErrorr)rrrZkey_pathrErErF __delitem__ s   zJSONFileCache.__delitem__c Cs||}z||}Wn&ttfk r>td|YnXtj|jsZt|jt t |tj tj Bdd}| ||W5QRXdS)Nz3Value cannot be cached, must be JSON serializable: iw)rr r:rrrkisdirr makedirsfdopenrO_WRONLYO_CREATtruncatewrite)rrrZfull_keyZ file_contentr"rErErF __setitem__ s    zJSONFileCache.__setitem__cCstj|j|d}|S)Nz.json)rrkrsr )rr full_pathrErErFr sz JSONFileCache._convert_cache_keyFcCs&t|tjr"|r|S|dS|S)Nz%Y-%m-%dT%H:%M:%S%Z)r?r isoformatr)rrZisorErErFr  s   z"JSONFileCache._serialize_if_needed)F)rrrrrrk expanduserrsZ CACHE_DIRrr rrrr rr rErErErFr s r)T)F)N)F)N)N)T)T)r)rrcr email.messager:rrWrloggingrrrdrrrrpathlibrurllib.requestrrZdateutil.parserr;Z dateutil.tzrZurllib3.exceptionsrr[Zbotocore.awsrequestZbotocore.httpsessionZbotocore.compatrrr r r r r rrrrrrrrrrrrrrZbotocore.exceptionsrrrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.r/r0r1r2 getLoggerrrrrrrKZ SAFE_CHARSrrrrZ EVENT_ALIASESrrrGrMrVr`rgrlrmrir~rr Exceptionrrrrr rrrrr$rr1r,r@rBrErOr_rhrbrjrqrrrrrrrrrrrrrrrrrr rrrr&r>rrrrrrrrrrrrrrrrrrErErErF s          @d  N    ;?&   & -  !d   @!  E4UXMm   !S!