B ㊇c~@sdZddlZddlZddlZddlmZddlmZmZddl m Z m Z ddl m Z ddlmZddlmZmZmZmZmZmZmZmZmZmZmZmZmZmZdd lm Z m!Z!e"e#Z$d Z%d iiZ&Gd d d Z'Gddde'Z(Gddde)eZ*GdddZ+dS)zResolves regions and endpoints. This module implements endpoint resolution, including resolving endpoints for a given service and region and resolving the available endpoints for a service in a specific AWS partition. N)Enum)UNSIGNED xform_name)AUTH_TYPE_MAPSHAS_CRT)CRT_SUPPORTED_AUTH_TYPES)EndpointProvider)EndpointProviderErrorEndpointVariantError!InvalidEndpointConfigurationErrorInvalidHostLabelErrorMissingDependencyException NoRegionErrorParamValidationError$UnknownEndpointResolutionBuiltInNameUnknownRegionErrorUnknownSignatureVersionError*UnsupportedS3AccesspointConfigurationErrorUnsupportedS3ConfigurationErrorUnsupportedS3ControlArnError&UnsupportedS3ControlConfigurationError)ensure_booleaninstance_cachez{service}.{region}.{dnsSuffix} endpointsc@s,eZdZdZd ddZddZd d d ZdS) BaseEndpointResolverz3Resolves regions and endpoints. Must be subclassed.NcCstdS)a7Resolves an endpoint for a service and region combination. :type service_name: string :param service_name: Name of the service to resolve an endpoint for (e.g., s3) :type region_name: string :param region_name: Region/endpoint name to resolve (e.g., us-east-1) if no region is provided, the first found partition-wide endpoint will be used if available. :rtype: dict :return: Returns a dict containing the following keys: - partition: (string, required) Resolved partition name - endpointName: (string, required) Resolved endpoint name - hostname: (string, required) Hostname to use for this endpoint - sslCommonName: (string) sslCommonName to use for this endpoint. - credentialScope: (dict) Signature version 4 credential scope - region: (string) region name override when signing. - service: (string) service name override when signing. - signatureVersions: (list) A list of possible signature versions, including s3, v4, v2, and s3v4 - protocols: (list) A list of supported protocols (e.g., http, https) - ...: Other keys may be included as well based on the metadata N)NotImplementedError)self service_name region_namerk/private/var/folders/8c/hx9_v10d5x38qmnzt13b7b8j1k3n5b/T/pip-target-x6xd5gna/lib/python/botocore/regions.pyconstruct_endpoint6sz'BaseEndpointResolver.construct_endpointcCstdS)zLists the partitions available to the endpoint resolver. :return: Returns a list of partition names (e.g., ["aws", "aws-cn"]). N)r)rrrr get_available_partitionsSsz-BaseEndpointResolver.get_available_partitionsawsFcCstdS)aLists the endpoint names of a particular partition. :type service_name: string :param service_name: Name of a service to list endpoint for (e.g., s3) :type partition_name: string :param partition_name: Name of the partition to limit endpoints to. (e.g., aws for the public AWS endpoints, aws-cn for AWS China endpoints, aws-us-gov for AWS GovCloud (US) Endpoints, etc. :type allow_non_regional: bool :param allow_non_regional: Set to True to include endpoints that are not regional endpoints (e.g., s3-external-1, fips-us-gov-west-1, etc). :return: Returns a list of endpoint names (e.g., ["us-east-1"]). N)r)rrpartition_nameallow_non_regionalrrr get_available_endpointsZsz,BaseEndpointResolver.get_available_endpoints)N)r#F)__name__ __module__ __qualname____doc__r!r"r&rrrr r3s rc@seZdZdZddgZd%ddZd&dd Zd d Zd'd dZd(ddZ d)ddZ ddZ d*ddZ ddZ ddZddZddZdd Zd!d"Zd#d$Zd S)+EndpointResolverz7Resolves endpoints based on partition endpoint metadatazaws-isoz aws-iso-bFcCs d|krtd||_||_dS)a :type endpoint_data: dict :param endpoint_data: A dict of partition data. :type uses_builtin_data: boolean :param uses_builtin_data: Whether the endpoint data originates in the package's data directory. partitionsz%Missing "partitions" in endpoint dataN) ValueError_endpoint_datauses_builtin_data)r endpoint_datar/rrr __init__us zEndpointResolver.__init__r#cCsBx<|jdD].}|d|krq |d}||kr0q ||dSWdS)Nr, partitionservicesr)r.)rrr$r2r3rrr get_service_endpoints_datas z+EndpointResolver.get_service_endpoints_datacCs*g}x |jdD]}||dqW|S)Nr,r2)r.append)rresultr2rrr r"sz)EndpointResolver.get_available_partitionsNc Csg}x|jdD]}|d|kr"q|d}||kr4q||d}xR|D]J} | |dk} |r~| r~||| |} | r|| qF|s| rF|| qFWqW|S)Nr,r2r3rregions)r._retrieve_variant_datar5) rrr$r%endpoint_variant_tagsr6r2r3Zservice_endpoints endpoint_nameZis_regional_endpointZ variant_datarrr r&s$      z(EndpointResolver.get_available_endpointscCsXxR|jdD]D}|d|kr |rH||d|}|rPd|krP|dSq |dSq WdS)Nr,r2defaults dnsSuffix)r.r8get)rr$r9r2variantrrr get_partition_dns_suffixs    z)EndpointResolver.get_partition_dns_suffixc Cs|dkr|r|dkrd}|dk rld}x"|jdD]}|d|kr0|}q0W|dk rh||||||d}|SdSx@|jdD]2}|r|d|jkrqx||||||}|rx|SqxWdS)Ns3z us-east-1r,r2T)r._endpoint_for_partition!_UNSUPPORTED_DUALSTACK_PARTITIONS) rrrr$use_dualstack_endpointuse_fips_endpointZvalid_partitionr2r6rrr r!s@  z#EndpointResolver.construct_endpointcCs8x&|jdD]}|||r |dSq Wt|dddS)Nr,r2z,No partition found for provided region_name.)r error_msg)r. _region_matchr)rrr2rrr get_partition_for_regions   z)EndpointResolver.get_partition_for_regionc Cs|d}|r,||jkr,d|}tdg|d|d|t} |dkr\d| krV| d}nt||| |||d} || dkr|jf| S|||s|r| d} | d d } | r| std ||| | | d <|jf| Std |||jf| SdS)Nr2z@Dualstack endpoints are currently not supported for %s partition dualstack)tagsrEr3ZpartitionEndpoint)r2r service_datar:rCrDrZisRegionalizedTz'Using partition endpoint for %s, %s: %sr:z*Creating a regex based endpoint for %s, %s) rBr r=DEFAULT_SERVICE_DATAr_resolverFLOGdebug) rr2rrrCrDZforce_partitionr$rErJZresolve_kwargsZpartition_endpointZis_regionalizedrrr rAsH        z(EndpointResolver._endpoint_for_partitioncCs0||dkrdSd|kr,t|d|SdS)Nr7TZ regionRegexF)recompilematch)rr2rrrr rF9s  zEndpointResolver._region_matchcCs>|dg}x,|D]$}t|dt|kr|}|SqWdS)NvariantsrI)r=setcopy)rr0rIrRr>r6rrr r8@s   z'EndpointResolver._retrieve_variant_datacCs$g}|r|d|r |d|S)NrHZfips)r5)rrCrDrIrrr _create_tag_listGs   z!EndpointResolver._create_tag_listcCs8i}x.|||gD] }|||}|r|||qW|S)N)r8 _merge_keys)rrIr0service_defaultspartition_defaultsr6rRr>rrr _resolve_variantOs  z!EndpointResolver._resolve_variantc Cs$|di|i}|dr,td||di}|di} |||} | r|| ||| } | ikrd|d|} t| | d||| n|} d| kr|d| d<|d | d <|| d <||| || | ||| d ||| d| d <d | kr ||| d ||| d| d <| S) Nr deprecatedz5Client is configured with the deprecated endpoint: %sr;zEndpoint does not exist for z in region )rIrEr<r2Z endpointNamehostnameZ sslCommonName)r=rMwarningrUrYr rV_expand_template) rr2rrJr:rCrDr0rWrXrIr6rErrr rLYsJ            zEndpointResolver._resolvecCs&x |D]}||kr||||<qWdS)Nr)r from_datar6keyrrr rVs zEndpointResolver._merge_keyscCs|j|||dS)N)serviceregionr<)format)rr2templaterr:r<rrr r]sz!EndpointResolver._expand_template)F)r#)r#FN)N)NNFF)F)r'r(r)r*rBr1r4r"r&r?r!rGrArFr8rUrYrLrVr]rrrr r+ps,      , : Br+c@s8eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d S) EndpointResolverBuiltinsz AWS::Regionz AWS::UseFIPSzAWS::UseDualStackzAWS::STS::UseGlobalEndpointzAWS::S3::UseGlobalEndpointzAWS::S3::AcceleratezAWS::S3::ForcePathStylezAWS::S3::UseArnRegionzAWS::S3Control::UseArnRegionz'AWS::S3::DisableMultiRegionAccessPointsz SDK::EndpointN)r'r(r)Z AWS_REGIONZ AWS_USE_FIPSZAWS_USE_DUALSTACKZAWS_STS_USE_GLOBAL_ENDPOINTZAWS_S3_USE_GLOBAL_ENDPOINTZAWS_S3_ACCELERATEZAWS_S3_FORCE_PATH_STYLEZAWS_S3_USE_ARN_REGIONZAWS_S3CONTROL_USE_ARN_REGIONZAWS_S3_DISABLE_MRAPZ SDK_ENDPOINTrrrr rdsrdc@seZdZdZd$ddZddZdd Zd d Zd d ZddZ ddZ ddZ e ddZ e ddZe ddZddZddZddZd d!Zd"d#ZdS)%EndpointRulesetResolverz5Resolves endpoints using a service's endpoint rulesetTNc CsHt||d|_|jjj|_||_||_||_||_||_ ||_ i|_ dS)N)Z ruleset_datapartition_data) r _providerZruleset parameters_param_definitions_service_model _builtins_client_context_event_emitter_use_ssl_requested_auth_schemeZ_instance_cache) rZendpoint_ruleset_datarfZ service_modelbuiltinsZclient_contextZ event_emitterZuse_sslZrequested_auth_schemerrr r1s   z EndpointRulesetResolver.__init__c Cs|dkr i}|dkri}||||}td|y|jjf|}Wn@tk r}z"|||}|dkrpn||Wdd}~XYnXtd|j|js|j dr|j d|jddd}|j dd |j Dd }|S) zAInvokes the provider with params defined in the service's rulesetNz-Calling endpoint provider with parameters: %szEndpoint provider result: %szhttps://zhttp://)urlcSsi|]\}}|d|qS)rr).0r_valrrr sz>EndpointRulesetResolver.construct_endpoint..)headers) _get_provider_paramsrMrNrgZresolve_endpointr #ruleset_error_to_botocore_exceptionrrrn startswith_replacervitems)roperation_model call_argsrequest_contextprovider_paramsZprovider_resultexZbotocore_exceptionrrr r!s2   z*EndpointRulesetResolver.construct_endpointc Cspi}||||}xX|jD]J\}}|j|||d}|dkrX|jdk rX|j|j|d}|dk r|||<qW|S)aResolve a value for each parameter defined in the service's ruleset The resolution order for parameter values is: 1. Operation-specific static context values from the service definition 2. Operation-specific dynamic context values from API parameters 3. Client-specific context parameters 4. Built-in values such as region, FIPS usage, ... ) param_namer|r}N) builtin_namerp)_get_customized_builtinsrir{_resolve_param_from_contextbuiltin_resolve_param_as_builtin) rr|r}r~rcustomized_builtinsrZ param_defZ param_valrrr rws   z,EndpointRulesetResolver._get_provider_paramscCs<|||}|dk r|S||||}|dk r2|S||S)N)&_resolve_param_as_static_context_param'_resolve_param_as_dynamic_context_param&_resolve_param_as_client_context_param)rrr|r}ZstaticZdynamicrrr r5s z3EndpointRulesetResolver._resolve_param_from_contextcCs||}||S)N)_get_static_context_paramsr=)rrr|Zstatic_ctx_paramsrrr rDs z>EndpointRulesetResolver._resolve_param_as_static_context_paramcCs(||}||kr$||}||SdS)N)_get_dynamic_context_paramsr=)rrr|r}Zdynamic_ctx_params member_namerrr rJs z?EndpointRulesetResolver._resolve_param_as_dynamic_context_paramcCs(|}||kr$||}|j|SdS)N)_get_client_context_paramsrlr=)rrZclient_ctx_paramsZclient_ctx_varnamerrr rRsz>EndpointRulesetResolver._resolve_param_as_client_context_paramcCs"|tjkrt|d||S)N)name)rd __members__valuesrr=)rrrprrr rXs z1EndpointRulesetResolver._resolve_param_as_builtincCsdd|jDS)z=Mapping of param names to static param value for an operationcSsi|]}|j|jqSr)valuer)rsparamrrr ru`szFEndpointRulesetResolver._get_static_context_params..)Zstatic_context_parameters)rr|rrr r]sz2EndpointRulesetResolver._get_static_context_paramscCsdd|jDS)z7Mapping of param names to member names for an operationcSsi|]}|j|jqSr)rr)rsrrrr ruhszGEndpointRulesetResolver._get_dynamic_context_params..)Zcontext_parameters)rr|rrr resz3EndpointRulesetResolver._get_dynamic_context_paramscCsdd|jjDS)z7Mapping of param names to client configuration variablecSsi|]}t|j|jqSr)rr)rsrrrr rupszFEndpointRulesetResolver._get_client_context_params..)rjZclient_context_parameters)rrrr rmsz2EndpointRulesetResolver._get_client_context_paramscCs6|jj}t|j}|jjd|||||d|S)Nzbefore-endpoint-resolution.%s)rpmodelparamscontext)rj service_idZ hyphenizerTrkrmemit)rr|r}r~rrrrr rus  z0EndpointRulesetResolver._get_customized_builtinscst|trt|dkrtdtdddd|DjjtkrPdifSfdd|D}jd k ryt fd d |D\}}Wnt k rd ifSXn|yt d d |D\}}Wn`t k r d }dd|D}t st dd |D}|r t ddntd|dYnXi}d|kr>|d|d<n,d|krjt|ddkrj|dd|d<d|kr|j|ddd|krt|d|d<td|d||||fS)aConvert an Endpoint's authSchemes property to a signing_context dict :type auth_schemes: list :param auth_schemes: A list of dictionaries taken from the ``authSchemes`` property of an Endpoint object returned by ``EndpointProvider``. :rtype: str, dict :return: Tuple of auth type string (to be used in ``request_context['auth_type']``) and signing context dict (for use in ``request_context['signing']``). rz&auth_schemes must be a non-empty list.z_Selecting from endpoint provider's list of auth schemes: %s. User selected auth scheme is: "%s"z, cSsg|]}d|ddqS)"r)r=)rssrrr szGEndpointRulesetResolver.auth_schemes_to_signing_ctx..nonecs"g|]}|d|diqS)r)_strip_sig_prefix)rsscheme)rrr rsNc3s*|]"}j|drj|fVqdS)rN)._does_botocore_authname_match_ruleset_authnamero)rsr)rrr szFEndpointRulesetResolver.auth_schemes_to_signing_ctx..css&|]}|dtkr|d|fVqdS)rN)r)rsrrrr rsFcSsg|] }|dqS)rr)rsrrrr rscss|]}|tkVqdS)N)r)rsrrrr rszbThis operation requires an additional dependency. Use pip install botocore[crt] before proceeding.)msg)Zsignature_versionZ signingRegionraZsigningRegionSetZ signingName)Z signing_nameZdisableDoubleEncodingz?Selected auth type "%s" as "%s" with signing context params: %sr) isinstancelistlen TypeErrorrMrNjoinrornext StopIterationranyr rupdater)rZ auth_schemesrrZfixable_with_crtZauth_type_optionsZsigning_contextr)rr auth_schemes_to_signing_ctxsd            z3EndpointRulesetResolver.auth_schemes_to_signing_ctxcCs|dr|ddS|S)z6Normalize auth type names by removing any "sig" prefixsigN)ry)rZ auth_namerrr rsz)EndpointRulesetResolver._strip_sig_prefixcCs>||}|dd}|dkr6|dr6|dd}||kS)a\ Whether a valid string provided as signature_version parameter for client construction refers to the same auth methods as a string returned by the endpoint ruleset provider. This accounts for: * The ruleset prefixes auth names with "sig" * The s3 and s3control rulesets don't distinguish between v4[a] and s3v4[a] signers * The v2, v3, and HMAC v1 based signers (s3, s3-*) are botocore legacy features and do not exist in the rulesets * Only characters up to the first dash are considered Example matches: * v4, sigv4 * v4, v4 * s3v4, sigv4 * s3v7, sigv7 (hypothetical example) * s3v4a, sigv4a * s3v4-query, sigv4 Example mismatches: * v4a, sigv4 * s3, sigv4 * s3-presign-post, sigv4 -rr@N)rsplitry)rZbotonameZrsnamerrr rs   zFEndpointRulesetResolver._does_botocore_authname_match_ruleset_authnamecCsz|jd}|dkrdS|drXy|dd}Wntk rL|}YnXt|dS|jj}|dkr|dksx|d krt|d S|d s|d s|d s|ds|ds|drt |d S| drt |dS|dkrB|dr |d}t ||dS|ds$|dr.t |d S|dkrBt |dS|dkrv|drbt|d S|dkrvt|d SdS)zAttempts to translate ruleset errors to pre-existing botocore exception types by string matching exception strings. rNzInvalid region in ARN: `)labelr@z/S3 Object Lambda does not support S3 Acceleratez#Accelerate cannot be used with FIPS)rzS3 Outposts does not supportzS3 MRAP does not supportz!S3 Object Lambda does not supportzAccess Points do not supportzInvalid configuration:z#Client was configured for partitionz invalid arn:)reportZ s3controlz Invalid ARN:ZBucket)arnrz!AccountId is required but not seteventszUInvalid Configuration: FIPS is not supported with EventBridge multi-region endpoints.z&EndpointId must be a valid host label.)kwargsr=ryr IndexErrorr rjrrrlowerrrrr )rZruleset_exceptionrrrrrrrr rx sN                        z;EndpointRulesetResolver.ruleset_error_to_botocore_exception)TN)r'r(r)r*r1r!rwrrrrrrrrrrrrrrxrrrr res$  2!   a re),r*rTloggingrOenumrZbotocorerrZ botocore.authrrZ botocore.crtrZbotocore.endpoint_providerrZbotocore.exceptionsr r r r r rrrrrrrrrZbotocore.utilsrr getLoggerr'rMZDEFAULT_URI_TEMPLATErKrr+strrdrerrrr s&   @ =: