B ㊇cJ@sddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZddlmZmZddlZddlmZddlmZddlZddlZddlZddlmZddlm Z ddlm!Z!dd lm"Z"dd lm#Z#dd lm$Z$dd lm%Z%dd lm&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3ddl4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>m?Z?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFmGZGmHZHmIZImJZJmKZKeLeMZNdZOdZPdZQdZRdZSe TdZUeDe9e7e8fZVdgZWdddddddddddd d!d"d#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d2d5d6d7d8d9d9d%d&d*d:d;dd?d@d7dAdBdBdCd=dDdEdFd:dGdHdId>dJdKdLdMdNdOdOdPd/dGdQIZXe jTdRe jYdSZZdTdUZ[dVdWZ\dXdYZ]dZd[Z^d\d]Z_d^d_Z`d`daZadbdcZbdddeZcddgdhZddidjZeGdkdldlefZgGdmdndnefZhGdodpdpZiGdqdrdreiZjGdsdtdtZkGdudvdveiZlddxdyZmdzd{Zneofd|d}Zpd~dZqeSfddZreSfddZsddZtddZuddZvdddZwdddZxddZyddZzGdddZ{GdddZ|ddZ}ddZ~ddZddZddZddZdddZdddZddZddZddZddZdddZdddZddZddZGdddZGdddZGdddeZGdddZGdddZGdddZGddÄdÃZGddńdŃZGddDŽdeZGddɄdɃZdd˄Zdd̈́ZddτZddd҄ZddԄZddքZdd؄ZddڄZGdd܄d܃ZGddބdރZGdddZddZGdddZdS)N)Path) getproxies proxy_bypass)tzutc)LocationParseError)HEX_PAT)IPV4_PAT)IPV6_ADDRZ_PAT)IPV6_PAT)LS32_PAT)UNRESERVED_PAT) ZONE_ID_PAT)HAS_CRTIPV4_RE IPV6_ADDRZ_RE MD5_AVAILABLEUNSAFE_URL_CHARS OrderedDictget_md5get_tzinfo_optionsjsonquoteurlparseurlsplit urlunsplit zip_longest) ClientErrorConfigNotFoundConnectionClosedErrorConnectTimeoutErrorEndpointConnectionErrorHTTPClientErrorInvalidDNSNameError!InvalidEndpointConfigurationErrorInvalidExpressionErrorInvalidHostLabelErrorInvalidIMDSEndpointErrorInvalidIMDSEndpointModeErrorInvalidRegionErrorMetadataRetrievalErrorMissingDependencyExceptionReadTimeoutErrorSSOTokenLoadErrorUnsupportedOutpostResourceError*UnsupportedS3AccesspointConfigurationErrorUnsupportedS3ArnErrorUnsupportedS3ConfigurationErrorUnsupportedS3ControlArnError&UnsupportedS3ControlConfigurationErrorzhttp://169.254.169.254/zhttp://[fd00:ec2::254]/)ipv4ipv6z-._~z-z0-9][a-z0-9\-]*[a-z0-9] dualstackzalexa-for-businessZ mediatailorZpricingZ sagemakerz api-gatewayzapplication-auto-scalingZ appstreamz auto-scalingzauto-scaling-plansz cost-explorerz cloudhsm-v2zcloudsearch-domainzcognito-identity-providerzconfig-servicezcost-and-usage-report-serviceziot-data-planeziot-jobs-data-planezmediastore-dataz data-pipelinez device-farmziot-1click-devices-servicezdirect-connectzapplication-discovery-servicezdatabase-migration-servicezdirectory-servicezdynamodb-streamszelastic-beanstalkZefszelastic-load-balancingZemrzelastic-transcoderzelastic-load-balancing-v2Zseszmarketplace-entitlement-servicezelasticsearch-serviceZ eventbridgeziot-1click-projectszkinesis-analyticsz kinesis-videozlex-model-building-servicezlex-runtime-servicezcloudwatch-logszmachine-learningzmarketplace-commerce-analyticszmarketplace-meteringz migration-hubZ cloudwatchZmturkZ opsworkscmzresource-groups-tagging-apizroute-53zroute-53-domainszsagemaker-runtimeZsimpledbzsecrets-managerZserverlessapplicationrepositoryzservice-catalogsfnzstorage-gateway)IZa4bZalexaforbusinesszapi.mediatailorz api.pricingz api.sagemakerZ apigatewayzapplication-autoscalingZ appstream2Z autoscalingzautoscaling-plansZceZ cloudhsmv2Zcloudsearchdomainz cognito-idpconfigcurzdata.iotz data.jobs.iotzdata.mediastoreZ datapipelineZ devicefarmzdevices.iot1clickZ directconnectZ discoveryZdmsZdsZdynamodbstreamsZelasticbeanstalkZelasticfilesystemZelasticloadbalancingZelasticmapreduceZelastictranscoderZelbZelbv2emailzentitlement.marketplaceeseventszcloudwatch-eventsziot-dataz iot-jobs-dataziot1click-devicesziot1click-projectsZkinesisanalyticsZ kinesisvideoz lex-modelsz lex-runtimeZlogsZmachinelearningzmarketplace-entitlementZmarketplacecommerceanalyticszmetering.marketplaceZmeteringmarketplaceZmghz models.lexZ monitoringzmturk-requesterz opsworks-cmzprojects.iot1clickZresourcegroupstaggingapiZroute53Zroute53domainsz runtime.lexzruntime.sagemakerZsdbZsecretsmanagerZserverlessrepoZservicecatalogZstatesZ stepfunctionsZstoragegatewayzstreams.dynamodbZtaggingz^X-Amz-Checksum-([a-z0-9]*)$)flagscCs,t|tr|St|tr$|dkSdSdS)z~Ensures a boolean value if a string or boolean is provided For strings, the value for True/False is case insensitive trueFN) isinstanceboolstrlower)valrDi/private/var/folders/8c/hx9_v10d5x38qmnzt13b7b8j1k3n5b/T/pip-target-x6xd5gna/lib/python/botocore/utils.pyensure_booleans    rFcCsL|d}|dk r:|}|tkr6|td}tf||S|drHdSdS)zResolving IMDS endpoint mode to either IPv6 or IPv4. ec2_metadata_service_endpoint_mode takes precedence over imds_use_ipv6. "ec2_metadata_service_endpoint_modeN)modeZ valid_modesZ imds_use_ipv6r5r4)get_config_variablerBMETADATA_ENDPOINT_MODESr')sessionZ endpoint_modeZlendpoint_modeZerror_msg_kwargsrDrDrEresolve_imds_endpoint_modes  rLcCs2t|do0|jddo0|jddko0|jdkS)zDetermines if the provided shape is the special header type jsonvalue. :type shape: botocore.shape :param shape: Shape to be inspected for the jsonvalue trait. :return: True if this type is a jsonvalue, False otherwise :rtype: Bool serializationZ jsonvalueFlocationheaderstring)hasattrrMget type_name)shaperDrDrEis_json_value_headers rUcCs@|dkr dSt|tjjr"||kS|dd|DkSdS)z&Case-insensitive check for header key.NFcSsg|] }|qSrD)rB).0keyrDrDrE szhas_header..)r?botocore awsrequestZ HeadersDictrBkeys) header_nameheadersrDrDrE has_headers r^cCsD|jd|jd|j}|dd}|dd}tdd|}|S)zvReturns the module name for a service This is the value used in both the documentation and client class name ZserviceAbbreviationZserviceFullNameZAmazonZAWSz\W+)metadatarR service_namereplaceresub)Z service_modelnamerDrDrEget_service_module_names   rfcCs|sdSt|S)N/)remove_dot_segments)pathrDrDrEnormalize_url_pathsrjcCs|dkr |St|SdS)zLReturns None if val is None, otherwise ensure value converted to booleanN)rF)rCrDrDrEnormalize_booleansrkcCs|sdS|d}g}x8|D]0}|r|dkr|dkrB|rL|q||qW|ddkrbd}nd}|ddkr||r|d}nd}|d||S)Nr_rg.z..r)splitpopappendjoin)urlZ input_urlZ output_listxfirstlastrDrDrErhs"     rhcCs:|r |dkrt|dxdD]}||krt|dqWdS)Nrl) expression)[]*)r$)rvinvalidrDrDrEvalidate_jmespath_for_set:s    r{TcCs||r t||dd}|dt|dkr2|dnd}}|sHt|d|rp||kr\i||<t||||ddS|||<dS)Nrlr3rr_)rvF)is_first)r{rnlenr$set_value_from_jmespath)sourcervvaluer|bits current_key remainderrDrDrEr~Es " r~cCs|di}|ddk}|S)z9Determine if request is intended for an MRAP accesspoint.s3_accesspointregionr_)rR)contextr is_globalrDrDrEis_global_accesspointcs rc@seZdZdZdS)_RetriesExceededErrorz@Internal exception used when the number of retries are exceeded.N)__name__ __module__ __qualname____doc__rDrDrDrErjsrc@seZdZddZdS)BadIMDSRequestErrorcCs ||_dS)N)request)selfrrDrDrE__init__qszBadIMDSRequestError.__init__N)rrrrrDrDrDrErpsrc@seZdZeZdZdZededddfddZ ddZ d d Z d d Z d dZ dddZddZddZddZddZddZdddZdS) IMDSFetcherzlatest/api/tokenZ21600r3NcCs||_||_|dkri}||||_||_|dkr>tj}|dd |_ |j dk|_ ||_ t j j|jt|jd|_dS)NZAWS_EC2_METADATA_DISABLEDfalser>)timeoutproxies)_timeout _num_attempts_select_base_url _base_url_configosenvironcopyrRrB _disabled _user_agentrY httpsessionURLLib3Sessionget_environ_proxies_session)rr num_attemptsbase_urlenv user_agentr8rDrDrEr{s   zIMDSFetcher.__init__cCs|jS)N)r)rrDrDrE get_base_urlszIMDSFetcher.get_base_urlcCs|dkr i}|ddk}|d}|r6|r6tdd}|tkrH|}n|rR|}n|r\t}nt}td|t|st|d|S)NrGr5ec2_metadata_service_endpointzFCustom endpoint and IMDS_USE_IPV6 are both set. Using custom endpoint.zIMDS ENDPOINT: %s)endpoint)rRloggerwarningMETADATA_BASE_URLMETADATA_BASE_URL_IPv6debug is_valid_urir&)rrr8Z requires_ipv6Zcustom_metadata_endpointZchosen_base_urlrDrDrErs&  zIMDSFetcher._select_base_urlcCs,d}|jr|jdsd}|j||S)Nr_rg)rendswith)rriseprDrDrE_construct_urlszIMDSFetcher._construct_urlc Cs$|||j}d|ji}||tjjd||d}xt|j D]}yD|j | }|j dkrl|jS|j dkrzdS|j dkrt|WqFtk rdStk r}ztjd||dd Wdd}~XYqFtk r}z(t|jd trt||d nWdd}~XYqFXqFWdS) Nz$x-aws-ec2-metadata-token-ttl-secondsPUT)methodrrr])iii)izOCaught retryable HTTP exception while making metadata service request to %s: %sT)exc_infoerror)rr)_assert_enabledr _TOKEN_PATH _TOKEN_TTL_add_user_agentrYrZ AWSRequestrangerrsendprepare status_codetextrr+RETRYABLE_HTTP_ERRORSrrr!r?kwargsrRrr&)rrrr]riresponseerDrDrE_fetch_metadata_tokens8        z!IMDSFetcher._fetch_metadata_tokenc Cs||dkr|j}||}i}|dk r4||d<||xzt|jD]l}y2tjjd||d}|j | }||s~|SWqJt k r} zt jd|| ddWdd} ~ XYqJXqJW|dS)aZMake a get request to the Instance Metadata Service. :type url_path: str :param url_path: The path component of the URL to make a get request. This arg is appended to the base_url that was provided in the initializer. :type retry_func: callable :param retry_func: A function that takes the response as an argument and determines if it needs to retry. By default empty and non 200 OK responses are retried. :type token: str :param token: Metadata token to send along with GET requests to IMDS. Nzx-aws-ec2-metadata-tokenGET)rrrr]zOCaught retryable HTTP exception while making metadata service request to %s: %sT)r)r_default_retryrrrrrYrZrrrrrrr_RETRIES_EXCEEDED_ERROR_CLS) rurl_path retry_functokenrrr]rrrrrDrDrE _get_requests,   zIMDSFetcher._get_requestcCs|jdk r|j|d<dS)Nz User-Agent)r)rr]rDrDrEr s zIMDSFetcher._add_user_agentcCs|jrtd|dS)Nz)Access to EC2 metadata has been disabled.)rrrr)rrDrDrErs zIMDSFetcher._assert_enabledcCs||p||S)N)_is_non_ok_response _is_empty)rrrDrDrErszIMDSFetcher._default_retrycCs"|jdkr|j|ddddSdS)Nrznon-200T)log_bodyF)r_log_imds_response)rrrDrDrErs zIMDSFetcher._is_non_ok_responsecCs|js|j|ddddSdS)Nzno bodyT)rF)contentr)rrrDrDrErszIMDSFetcher._is_emptyFcCs>d}||j|jg}|r*|d7}||jtj|f|dS)NzHMetadata service returned %s response with status code of %s for url: %sz, content body: %s)rrrrprrr)rrZ reason_to_logrZ statementZ logger_argsrDrDrEr#s  zIMDSFetcher._log_imds_response)N)F)rrrrrrr DEFAULT_METADATA_SERVICE_TIMEOUTrrrrrrrrrrrrrrDrDrDrErus( $ *rc@s`eZdZdZddddgZddZdd d Zdd d Zd dZddZ ddZ ddZ ddZ dS)InstanceMetadataFetcherz*latest/meta-data/iam/security-credentials/ AccessKeyIdSecretAccessKeyToken Expirationc Csyz|}||}|||}||rX||d|d|d|dd}|||Sd|krtd|krttd|iSWnR|jk rtd |jYn0t k r}ztd |j Wdd}~XYnXiS) Nrrrr) role_nameZ access_keyZ secret_keyr expiry_timeCodeMessagez7Error response received when retrievingcredentials: %s.z\Max number of attempts exceeded (%s) when attempting to retrieve data from metadata service.zBad IMDS request: %s) r _get_iam_role_get_credentials_contains_all_credential_fields_evaluate_expirationrrrrrr)rrr credentialsrrDrDrEretrieve_iam_role_credentials8s0        z5InstanceMetadataFetcher.retrieve_iam_role_credentialsNcCs|j|j|j|djS)N)rrr)r _URL_PATH_needs_retry_for_role_namer)rrrDrDrErasz%InstanceMetadataFetcher._get_iam_rolecCs$|j|j||j|d}t|jS)N)rrr)rr_needs_retry_for_credentialsrloadsr)rrrrrDrDrErhs z(InstanceMetadataFetcher._get_credentialscCs6yt|jdStk r0||ddSXdS)NFz invalid jsonT)rrr ValueErrorr)rrrDrDrE_is_invalid_jsonps   z(InstanceMetadataFetcher._is_invalid_jsoncCs||p||S)N)rr)rrrDrDrErxsz2InstanceMetadataFetcher._needs_retry_for_role_namecCs||p||p||S)N)rrr)rrrDrDrEr{s  z4InstanceMetadataFetcher._needs_retry_for_credentialscCs,x&|jD]}||krtd|dSqWdS)Nz3Retrieved credentials is missing required field: %sFT)_REQUIRED_CREDENTIAL_FIELDSrr)rrfieldrDrDrErs z7InstanceMetadataFetcher._contains_all_credential_fieldsc Cs|d}|dkrdSytj|d}|jdd}tdd}||}tj}tj|d}||}||kr||} | d|d<t d|dd d Wn(t k rt d |dYnXdS) Nrz%Y-%m-%dT%H:%M:%SZZec2_credential_refresh_windowiXx)secondszAttempting credential expiration extension due to a credential service availability issue. A refresh of these credentials will be attempted again within the next <z.0fz minutes.zUnable to parse expiry_time in ) rRdatetimestrptimerrandomrandintutcnow timedeltastrftimerinforr) rrZ expirationZrefresh_intervaljitterZrefresh_interval_with_jitter current_timeZrefresh_offsetZextension_timeZnew_timerDrDrErs.    z,InstanceMetadataFetcher._evaluate_expiration)N)N) rrrrrrrrrrrrrrDrDrDrEr/s)   rc@s6eZdZd ddZddZddZdd Zd d ZdS) IMDSRegionProviderNcCs$||_|dkrtj}||_||_dS)aUInitialize IMDSRegionProvider. :type session: :class:`botocore.session.Session` :param session: The session is needed to look up configuration for how to contact the instance metadata service. Specifically the whether or not it should use the IMDS region at all, and if so how to configure the timeout and number of attempts to reach the service. :type environ: None or dict :param environ: A dictionary of environment variables to use. If ``None`` is the argument then ``os.environ`` will be used by default. :type fecther: :class:`botocore.utils.InstanceMetadataRegionFetcher` :param fetcher: The class to actually handle the fetching of the region from the IMDS. If not provided a default one will be created. N)rrr_environ_fetcher)rrKrfetcherrDrDrErs zIMDSRegionProvider.__init__cCs |}|S)z#Provide the region value from IMDS.)_get_instance_metadata_region)rZinstance_regionrDrDrEprovideszIMDSRegionProvider.providecCs|}|}|S)N) _get_fetcherretrieve_region)rrrrDrDrErsz0IMDSRegionProvider._get_instance_metadata_regioncCs|jdkr||_|jS)N)r_create_fetcher)rrDrDrErs  zIMDSRegionProvider._get_fetchercCsN|jd}|jd}|jdt|jd}t|||j|j|d}|S)NZmetadata_service_timeoutZmetadata_service_num_attemptsr)rrG)rrrrr8)rrIrLInstanceMetadataRegionFetcherrr)rZmetadata_timeoutZmetadata_num_attemptsZ imds_configrrDrDrErs z"IMDSRegionProvider._create_fetcher)NN)rrrrrrrrrDrDrDrErs  rc@s eZdZdZddZddZdS)rz-latest/meta-data/placement/availability-zone/cCs6y |}|S|jk r0td|jYnXdS)aRGet the current region from the instance metadata service. :rvalue: str :returns: The region the current instance is running in or None if the instance metadata service cannot be contacted or does not give a valid response. :rtype: None or str :returns: Returns the region as a string if it is configured to use IMDS as a region source. Otherwise returns ``None``. It will also return ``None`` if it fails to get the region from IMDS due to exhausting its retries or not being able to connect. z\Max number of attempts exceeded (%s) when attempting to retrieve data from metadata service.N) _get_regionrrrr)rrrDrDrErs z-InstanceMetadataRegionFetcher.retrieve_regioncCs2|}|j|j|j|d}|j}|dd}|S)N)rrrrm)rrrrr)rrrZavailability_zonerrDrDrErs z)InstanceMetadataRegionFetcher._get_regionN)rrrrrrrDrDrDrErsrFcCsx|D]}t||trJ||kr<||krz"calculate_sha256..r>N)hashlibsha256iterupdate hexdigestdigest)r<Zas_hexchecksumchunkrD)r<rEcalculate_sha256s rGcsg}dtj}x.tfdddD]}|||q$W|sN|dSxXt|dkrg}x>t|D]2\}}|dk r||||qj||qjW|}qPWt |d dS) a\Calculate a tree hash checksum. For more information see: http://docs.aws.amazon.com/amazonglacier/latest/dev/checksum-calculations.html :param body: Any file like object. This has the same constraints as the ``body`` param in calculate_sha256 :rtype: str :returns: The hex version of the calculated tree hash ics S)N)r rD)r<required_chunk_sizerDrEr=)r>z%calculate_tree_hash..r>r3Nrascii) r?r@rArprDrCr} _in_pairsbinasciihexlifydecode)r<chunksr@rFZ new_chunksrtsecondrD)r<rHrEcalculate_tree_hashs rPcCst|}t||S)N)rAr)iterableZ shared_iterrDrDrErJ9s rJc@s eZdZdZddZddZdS)CachedPropertyzA read only property that caches the initially computed value. This descriptor will only call the provided ``fget`` function once. Subsequent access to this property will return the cached value. cCs ||_dS)N)_fget)rfgetrDrDrErRszCachedProperty.__init__cCs,|dkr |S||}||j|jj<|SdS)N)rS__dict__r)robjclsZcomputed_valuerDrDrE__get__Us  zCachedProperty.__get__N)rrrrrrXrDrDrDrErRJsrRc@sDeZdZdZdddZddZddd Zd d Zd d ZddZ dS)ArgumentGeneratoraGenerate sample input based on a shape model. This class contains a ``generate_skeleton`` method that will take an input/output shape (created from ``botocore.model``) and generate a sample dictionary corresponding to the input/output shape. The specific values used are place holder values. For strings either an empty string or the member name can be used, for numbers 0 or 0.0 is used. The intended usage of this class is to generate the *shape* of the input structure. This can be useful for operations that have complex input shapes. This allows a user to just fill in the necessary data instead of worrying about the specific structure of the input arguments. Example usage:: s = botocore.session.get_session() ddb = s.get_service_model('dynamodb') arg_gen = ArgumentGenerator() sample_input = arg_gen.generate_skeleton( ddb.operation_model('CreateTable').input_shape) print("Sample input for dynamodb.CreateTable: %s" % sample_input) FcCs ||_dS)N)_use_member_names)rZuse_member_namesrDrDrEryszArgumentGenerator.__init__cCsg}|||S)zGenerate a sample input. :type shape: ``botocore.model.Shape`` :param shape: The input shape. :return: The generated skeleton input corresponding to the provided input shape. )_generate_skeleton)rrTstackrDrDrEgenerate_skeleton|s z#ArgumentGenerator.generate_skeletonr_cCs||jz|jdkr$|||S|jdkr:|||S|jdkrP|||S|jdkrz|jrd|S|jrvt |jSdS|jdkrdS|jdkrd S|jd krd S|jd krt d dddddSWd| XdS)NZ structurermaprPr_)integerlongr)r&doublegbooleanT timestampir3) rprerS_generate_type_structure_generate_type_list_generate_type_maprZenumrchoicerro)rrTr\rerDrDrEr[s.             z$ArgumentGenerator._generate_skeletoncCsJ||jdkriSt}x*|jD]\}}|j|||d||<q&W|S)Nr3)re)countrermembersrr[)rrTr\Zskeleton member_nameZ member_shaperDrDrErdsz*ArgumentGenerator._generate_type_structurecCs$d}|jr|jj}||j||gS)Nr_)rZmemberrer[)rrTr\rerDrDrEresz%ArgumentGenerator._generate_type_listcCs0|j}|j}|jdksttd|||fgS)NrPZKeyName)rWrrSAssertionErrorrr[)rrTr\Z key_shapeZ value_shaperDrDrErfs z$ArgumentGenerator._generate_type_mapN)F)r_) rrrrrr]r[rdrerfrDrDrDrErY^s    rYcCs.t|rdSdt|jd}t|dk S)NFrwrx)r intersectionrhostnamermatch) endpoint_urlrorDrDrEis_valid_ipv6_endpoint_urls rrcCst|j}t|dk S)N)rrorrp)rqrorDrDrEis_valid_ipv4_endpoint_urls rscCsht|rdSt|}|j}|dkr(dSt|dkr8dS|ddkrP|dd}tdtj}||S)zVerify the endpoint_url is valid. :type endpoint_url: string :param endpoint_url: An endpoint_url. Must have at least a scheme and a hostname. :return: True if the endpoint url is valid. False otherwise. FNrmrlz;^((?!-)[A-Z\d-]{1,63}(?|S|f||}||j|<|S)N)tuplesortedrZ_instance_cacherR)rargsr cache_keyZ kwarg_itemsresult)func func_namerDrE _cache_guards   z$instance_cache.._cache_guard)r functoolswraps)rrrD)rrrEinstance_cachess rcKsht|jjd}dd|D}d}t|dkrB|d|d7}|d7}|dkrVdSt||d d dS) z?Switches the current s3 endpoint with an S3 Accelerate endpointrlcSsg|]}|tkr|qSrD)S3_ACCELERATE_WHITELIST)rVprDrDrErXsz-switch_host_s3_accelerate..zhttps://s3-accelerate.rz amazonaws.com)Z ListBuckets CreateBucketZ DeleteBucketNF)use_new_scheme)rrrrrnr}rq _switch_hosts)rZoperation_namerrwrrDrDrEswitch_host_s3_accelerates rcCs2t|jd}||r.||}t||dS)zBSwitches the host using a parameter value from a JSON request bodyzutf-8N)rrdatarMrRr)r param_nameZ request_json new_endpointrDrDrEswitch_host_with_params rcCst|j||}||_dS)N)_get_new_endpointrr)rrrfinal_endpointrDrDrErs rcCsVt|}t|}|j}|r |j}||j|j|jdf}t|}td|d||S)Nr_zUpdating URI from z to )rrrrirrrr)Zoriginal_endpointrrZnew_endpoint_componentsZoriginal_endpoint_componentsrZfinal_endpoint_componentsrrDrDrErsrcCsVxP|D]H}||krBt||trBt||trBt||||q||||<qWdS)zDeeply two dictionaries, overriding existing keys in the base. :param base: The base dictionary which will be merged into. :param extra: The dictionary to merge into the base. Keys from this dictionary will take precedence. N)r?r deep_merge)baseextrarWrDrDrErs rcCs|ddS)zcTranslate the form used for event emitters. :param service_id: The service_id to convert.  -)rbrB)Z service_idrDrDrEhyphenize_service_idsrc@sLeZdZdZdddZdddZddZd d Zd d Zd dZ ddZ dS)S3RegionRedirectorv2a Updated version of S3RegionRedirector for use when EndpointRulesetResolver is in use for endpoint resolution. This class is considered private and subject to abrupt breaking changes or removal without prior announcement. Please do not use it directly. NcCs|pi|_t||_dS)N)_cacheweakrefproxy_client)rendpoint_bridgeclientcacherDrDrErs zS3RegionRedirectorv2.__init__cCsFtd|p|jjj}|d|j|d|j|d|jdS)Nz(Registering S3 region redirector handlerzneeds-retry.s3zbefore-parameter-build.s3zbefore-endpoint-resolution.s3) rrrmetar<registerredirect_from_errorannotate_request_contextredirect_from_cache)r event_emitteremitterrDrDrErs  zS3RegionRedirectorv2.registercKs|dkr dS|didi}t|dr>tddS|drVtddS|dd i}|d }|dd i}|d ko|jd k} |d ko|jdkod|dik} |dkod|k} |ddk o|djdk} |dk} t| | | | | gsdS|ddd}|dd}|||}|dkrFtd||fdStd|||f||j |<|j j }|j ||ddd|dd}| |d|j|d<d|ddd<|jd}|dk r||}|\}}||dd<|ddi||dd<dS) a An S3 request sent to the wrong region will return an error that contains the endpoint the request should be sent to. This handler will add the redirect information to the signing context and then redirect the request. Nr s3_redirectbucketzBS3 request was previously for an Accesspoint ARN, not redirecting. redirectedz6S3 request was previously redirected, not redirecting.r3ErrorrResponseMetadata)301400 HeadObject HeadBucketzx-amz-bucket-region HTTPHeadersAuthorizationHeaderMalformedRegionr)i-i.i3PermanentRedirect client_regionzS3 client configured for region %s but the bucket %s is not in that region and the proper region could not be automatically determined.zS3 client configured for region %s but the bucket %s is in region %s; Please configure the proper region to avoid multiple unnecessary redirects and signing attempts.params)Zoperation_model call_argsrequest_contextrrTZ authSchemes auth_typesigning)rR ArnParseris_arnrrreranyget_bucket_regionrrZ_ruleset_resolverconstruct_endpointset_request_urlrr propertiesZauth_schemes_to_signing_ctx)r request_dictr operationrZ redirect_ctxr error_coderesponse_metadatais_special_head_objectis_special_head_bucketis_wrong_signing_regionis_redirect_statusis_permanent_redirectrr new_regionZ ep_resolverZep_infoZ auth_schemesZ auth_inforsigning_contextrDrDrErsv            z(S3RegionRedirectorv2.redirect_from_errorc Cs|d}|dd}d|kr$|dS|didd}|dk rD|Sy|jj|d}|dd}Wn0tk r}z|jdd}Wdd}~XYnX|dd}|S) a. There are multiple potential sources for the new region to redirect to, but they aren't all universally available for use. This will try to find region from response elements, but will fall back to calling HEAD on the bucket if all else fails. :param bucket: The bucket to find the region for. This is necessary if the region is not available in the error response. :param response: A response representing a service request that failed due to incorrect region configuration. r3rrzx-amz-bucket-regionrrN)Bucket)rRr head_bucketrr)rrrservice_responseresponse_headersrr]rrDrDrErhs    z&S3RegionRedirectorv2.get_bucket_regioncKs t||dS)z Splice a new endpoint into an existing URL. Note that some endpoints from the the endpoint provider have a path component which will be discarded by this function. F)r)rold_urlrrrDrDrErsz$S3RegionRedirectorv2.set_request_urlcKs4|d}|dk r0||jkr0|j|}||d<dS)a If a bucket name has been redirected before, it is in the cache. This handler will update the AWS::Region endpoint resolver builtin param to use the region from cache instead of the client region to avoid the redirect. rNz AWS::Region)rRr)rbuiltinsrrrrrDrDrErs  z(S3RegionRedirectorv2.redirect_from_cachecKs|d}d||d|d<dS)zStore the bucket name in context for later use when redirecting. The bucket name may be an access point ARN or alias. rF)rrrrN)rR)rrrrrrDrDrErs z-S3RegionRedirectorv2.annotate_request_context)N)N) rrrrrrrrrrrrDrDrDrErs  l! rc@sLeZdZdZdddZdddZddZd d Zd d Zd dZ ddZ dS)S3RegionRedirectorzThis handler has been replaced by S3RegionRedirectorv2. The original version remains in place for any third-party libraries that import it. NcCs:||_||_|jdkri|_t||_tjdtddS)NzThe S3RegionRedirector class has been deprecated for a new internal replacement. A future version of botocore may remove this class.)category)_endpoint_resolverrrrrwarningswarn FutureWarning)rrrrrDrDrErs  zS3RegionRedirector.__init__cCs<|p |jjj}|d|j|d|j|d|jdS)Nzneeds-retry.s3zbefore-call.s3zbefore-parameter-build.s3)rrr<rrrr)rrrrDrDrErszS3RegionRedirector.registercKs|dkr dS||dir,tddS|didrLtddS|ddi}|d}|dd i}|d ko|jd k}|d ko|jd kod |dik} |dkod|k} |ddk o|djdk} |dk} t|| | | | gsdS|ddd} |dd}|| |}|dkraccesspoint|outpost)[/:](?P.+)$zc^(?P[a-zA-Z0-9\-]{1,63})[/:]accesspoint[/:](?P[a-zA-Z0-9\-]{1,63}$)rNcCs||_|dkrt|_dS)N) _arn_parserr)rrrDrDrErszS3ArnParamHandler.__init__cCs|d|jdS)Nzbefore-parameter-build.s3)r handle_arn)rrrDrDrErszS3ArnParamHandler.registercKs`|j|jkrdS||}|dkr&dS|ddkrB||||n|ddkr\||||dS)N resource_type accesspointoutpost)re_BLACKLISTED_OPERATIONS"_get_arn_details_from_bucket_param_store_accesspoint_store_outpost)rrmodelrr arn_detailsrDrDrErs    zS3ArnParamHandler.handle_arncCsFd|krBy$|d}|j|}||||Stk r@YnXdS)Nr)rr_add_resource_type_and_namer)rrrrrDrDrErs  z4S3ArnParamHandler._get_arn_details_from_bucket_paramcCs@|j|d}|r2|d|d<|d|d<n t|ddS)Nrr resource_name)r)_RESOURCE_REGEXrpgroupr/)rrrrprDrDrEr s z-S3ArnParamHandler._add_resource_type_and_namecCs8|d|d<|d|d|d|d|dd|d<dS) Nr rrrrr)rerrrrrrD)rrrrrDrDrErs  z$S3ArnParamHandler._store_accesspointcCsd|d}|j|}|s"t|d|d}||d<|d||d|d|d|d d |d <dS) Nr )r accesspoint_namer outpost_namerrrr)rrerrrrr)_OUTPOST_RESOURCE_REGEXrpr-r )rrrrr rpr rDrDrErs   z S3ArnParamHandler._store_outpost)N)rrrrcrur rrrrrrr rrrDrDrDrEr|s   rc@seZdZdZdZd7ddZddZd d Zd d Zd dZ ddZ ddZ ddZ ddZ ddZddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zed1d2Zed3d4Zed5d6ZdS)8S3EndpointSetterawsz amazonaws.comNFcCsF||_||_||_||_|dkr&i|_||_||_|dkrB|j|_dS)N)r_region _s3_config_use_fips_endpoint _endpoint_url _partition_DEFAULT_PARTITION)rendpoint_resolverr s3_configrqruse_fips_endpointrDrDrErs zS3EndpointSetter.__init__cCs.|d|j|d|j|d|jdS)Nzbefore-sign.s3zchoose-signer.s3z%before-call.s3.WriteGetObjectResponse)r set_endpoint set_signer#update_endpoint_to_s3_object_lambda)rrrDrDrErs zS3EndpointSetter.registercKsh|jrtdd||d|jr&dS|j}|d|j}dj|d|dd}t|d|d |d<dS) NzOS3 client does not support accelerate endpoints for S3 Object Lambda operations)msgzs3-object-lambdazhttps://{host_prefix}{hostname} host_prefixro)rrorrF) _use_accelerate_endpointr0_override_signing_namerrrrformatr)rrrrresolverresolvedrrDrDrErs   z4S3EndpointSetter.update_endpoint_to_s3_object_lambdacKs||rL||||||||}|||||dS|jrz|jrht d|j dt fd|i||j r|j fd|i|dS)Nz{Client is configured to use the FIPS psuedo region for "%s", but S3 Accelerate does not have any FIPS compatible endpoints.)rr) _use_accesspoint_endpoint_validate_accesspoint_supported_validate_fips_supported_validate_global_regions(_resolve_region_for_accesspoint_endpoint._resolve_signing_name_for_accesspoint_endpoint_switch_to_accesspoint_endpointr rr0rr_s3_addressing_handler)rrrrzrDrDrEr s"       zS3EndpointSetter.set_endpointcCs d|jkS)Nr)r)rrrDrDrEr%%sz*S3EndpointSetter._use_accesspoint_endpointcCs|js dSd|jddkr(tdhdd|jdkrFtd|jd|jdd}||jkr|jdd std |j|fddS) Nfipsrrz,Invalid ARN, FIPS region not allowed in ARN.)rrzhClient is configured to use the FIPS psuedo-region "%s", but outpost ARNs do not support FIPS endpoints.use_arn_regionTzClient is configured to use the FIPS psuedo-region for "%s", but the access-point ARN provided is for the "%s" region. For clients using a FIPS psuedo-region calls to access-point ARNs in another region are not allowed.)rrr.rrrR)rraccesspoint_regionrDrDrEr'(s   z)S3EndpointSetter._validate_fips_supportedcCs0|jddrdS|jdkr,td|jddS)Nr.T)z aws-globalz s3-external-1zClient is configured to use the global psuedo-region "%s". When providing access-point ARNs a regional endpoint must be specified.)r)rrRrr.)rrrDrDrEr(Hs  z)S3EndpointSetter._validate_global_regionscCs|jrtdd|jdd}||jkr)rrzr$r?rDrDrEr; s  z S3EndpointSetter._get_dns_suffixcCs$|jdi}||d<||jd<dS)Nrr)rrR)rrrzrrDrDrEr2 sz)S3EndpointSetter._override_signing_regioncCs |di}||d<||d<dS)Nr signing_name)rR)rrrArrDrDrEr! s z'S3EndpointSetter._override_signing_namecCs|jdrdS|jdkrdSt|jj}|ds8dS|d}|ddkrRdS|dd }t|tt|krvdSt d d |DS) Nuse_accelerate_endpointTFz amazonaws.comrlrz s3-accelerater3css|]}|tkVqdS)N)r)rVrrDrDrE D sz.) rrRrrrrrnr}setall)rrrw feature_partsrDrDrEr # s       z)S3EndpointSetter._use_accelerate_endpointcCs"|jr dS|jd}|r|SdS)NvirtualZaddressing_style)r rrR)rZconfigured_addressing_stylerDrDrE_addressing_styleF s  z"S3EndpointSetter._addressing_stylecCsH|jdkrtdtS|jdks,|jdk r:tddStdtS)NrHz'Using S3 virtual host style addressing.rizUsing S3 path style addressing.zSDefaulting to S3 virtual host style addressing with path style addressing fallback.)rIrrrrr)rrDrDrEr,R s   z'S3EndpointSetter._s3_addressing_handler)NNNNF)rrrrr>rrrrr%r'r(r&r1r)rr*r+r3r6r7r:r4r8r;r2r!rRr rIr,rDrDrDrErs>   &       # rc@seZdZdZdZedZd6ddZdd Z d d Z d d Z ddZ ddZ ddZddZddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2d3Zd4d5ZdS)7S3ControlEndpointSetterrz amazonaws.comz^[a-zA-Z0-9\-]{1,63}$NFcCsF||_||_||_||_|dkr&i|_||_||_|dkrB|j|_dS)N)rrrrrrr)rrrrrqrrrDrDrErp s z S3ControlEndpointSetter.__init__cCs|d|jdS)Nzbefore-sign.s3-control)rr)rrrDrDrEr sz S3ControlEndpointSetter.registercKs|||r@||||}|||||||n8||rx||||d| |j }| ||dS)Nz s3-outposts) _use_endpoint_from_arn_details-_validate_endpoint_from_arn_details_supported _resolve_region_from_arn_details&_resolve_signing_name_from_arn_details"_resolve_endpoint_from_arn_details_add_headers_from_arn_details_use_endpoint_from_outpost_id#_validate_outpost_redirection_validr!_construct_outpost_endpointr_update_request_netloc)rrrrz new_netlocrDrDrEr s          z$S3ControlEndpointSetter.set_endpointcCs d|jkS)Nr)r)rrrDrDrErK sz6S3ControlEndpointSetter._use_endpoint_from_arn_detailscCs d|jkS)N outpost_id)r)rrrDrDrErQ sz5S3ControlEndpointSetter._use_endpoint_from_outpost_idcCsd|jddkr(t|jdddd|jddsf|jdd}||jkrfd ||jf}t|d |jdd }||jkrtd |j|fd |jd rtdd d|jdkr||dS)Nr-rrr z,Invalid ARN, FIPS region not allowed in ARN.)rrr.FzpThe use_arn_region configuration is disabled but received arn for "%s" when the client is configured to use "%s")rrzClient is configured for "%s" partition, but arn provided is for "%s" partition. The client and arn partition must be the same.rBz7S3 control client does not support accelerate endpointsr)rr1rrRrr2rrR)rr arn_region error_msgZrequest_partionrDrDrErL s(      zES3ControlEndpointSetter._validate_endpoint_from_arn_details_supportedcCs|jdrtdddS)Nr0zPClient does not support s3 dualstack configuration when an outpost is specified.)r)rrRr2)rrrDrDrErR s z;S3ControlEndpointSetter._validate_outpost_redirection_validcCs2|jddr,|jdd}||||S|jS)Nr.Frr)rrRrr2r)rrrWrDrDrErM s  z8S3ControlEndpointSetter._resolve_region_from_arn_detailscCs|jdd}||||S)Nrr)rr!)rrZ arn_servicerDrDrErN s z>S3ControlEndpointSetter._resolve_signing_name_from_arn_detailscCs|||}|||dS)N) _resolve_netloc_from_arn_detailsrT)rrrzrUrDrDrErO sz:S3ControlEndpointSetter._resolve_endpoint_from_arn_detailscCsDt|j}t|j||j|jdf}td|jd|||_dS)Nr_zUpdating URI from z to )rrrrrrirrr)rrrUr5Zarn_details_endpointrDrDrErT s z.S3ControlEndpointSetter._update_request_netloccCs0|jd}d|kr||S|d}|||S)Nrrr)rrS_construct_s3_control_endpoint)rrrzrrrDrDrErY s   z8S3ControlEndpointSetter._resolve_netloc_from_arn_detailscCs |j|S)N)_HOST_LABEL_REGEXrp)rlabelrDrDrE_is_valid_host_label sz,S3ControlEndpointSetter._is_valid_host_labelcGs&x |D]}||st|dqWdS)N)r\)r]r%)rlabelsr\rDrDrE_validate_host_labels s  z-S3ControlEndpointSetter._validate_host_labelscCs\||||jr(t|jj}||g}n*|dg}||||}|||g||S)Nz s3-control)r_rrr_add_dualstackr;r _construct_netloc)rrzrr9rr?rDrDrErZ s     z6S3ControlEndpointSetter._construct_s3_control_endpointcCs@|||jrt|jjSd|||g}||||S)Nz s3-outposts)r_rrrr; _add_fipsra)rrzrrDrDrErS s    z3S3ControlEndpointSetter._construct_outpost_endpointcCs d|S)Nrl)rq)rrrDrDrEra sz)S3ControlEndpointSetter._construct_netloccCs|jr|dd|d<dS)Nrz-fips)r)rrrDrDrErb sz!S3ControlEndpointSetter._add_fipscCs|jdr|ddS)Nr0r6)rrRrp)rrrDrDrEr` s z&S3ControlEndpointSetter._add_dualstackcCs,|jd|}|j}|r(d|kr(|d}|S)Nrr@)rrr>)rrzr$r?rDrDrEr; s  z'S3ControlEndpointSetter._get_dns_suffixcCs$|jdi}||d<||jd<dS)Nrr)rrR)rrrzrrDrDrEr2& sz0S3ControlEndpointSetter._override_signing_regioncCs$|jdi}||d<||jd<dS)NrrA)rrR)rrrArrDrDrEr!/ sz.S3ControlEndpointSetter._override_signing_namecCs(|jd}|d}|r$|||dS)Nrr)rrR_add_outpost_id_header)rrrrrDrDrErP8 s  z5S3ControlEndpointSetter._add_headers_from_arn_detailscCs||jd<dS)Nzx-amz-outpost-id)r])rrrrDrDrErc> sz.S3ControlEndpointSetter._add_outpost_id_header)NNNNF) rrrrr>rcrur[rrrrKrQrLrRrMrNrOrTrYr]r_rZrSrarbr`r;r2r!rPrcrDrDrDrErJk s>          rJc@seZdZdZedZdddZddZdd Z d d Z d d Z ddZ ddZ ddZddZddZddZddZddZdS)S3ControlArnParamHandlerzThis handler has been replaced by S3ControlArnParamHandlerv2. The original version remains in place for any third-party importers. z[/:]NcCs(||_|dkrt|_tjdtddS)NzThe S3ControlArnParamHandler class has been deprecated for a new internal replacement. A future version of botocore may remove this class.)r)rrrrr)rrrDrDrErI s z!S3ControlArnParamHandler.__init__cCs|d|jdS)Nz!before-parameter-build.s3-control)rr)rrrDrDrErT sz!S3ControlArnParamHandler.registercKs:|jdkr||||n||||||||dS)N)rZListRegionalBuckets)re_handle_outpost_id_param_handle_name_param_handle_bucket_param)rrrrrrDrDrErZ s z#S3ControlArnParamHandler.handle_arncCsT||kr dSy.||}|j|}||d<|||d<|Stk rNdSXdS)Nr  resources)rr_split_resourcer)rrrrrrDrDrE_get_arn_details_from_paramd s z4S3ControlArnParamHandler._get_arn_details_from_paramcCs|j|dS)Nr)_RESOURCE_SPLIT_REGEXrn)rrrDrDrErip sz(S3ControlArnParamHandler._split_resourcecCsD|d}d|kr8|d|kr8d|d}t|d|d||d<dS)NrZ AccountIdzGAccount ID in arn does not match the AccountId parameter provided: "%s"r )rr)r1)rrrZ account_idrXrDrDrE_override_account_id_params s z3S3ControlArnParamHandler._override_account_id_paramcCsd|kr dS|d|d<dS)NZ OutpostIdrVrD)rrrrrDrDrEre sz1S3ControlArnParamHandler._handle_outpost_id_paramcCsX|jdkrdS||d}|dkr&dS||r@||||nd}t|d|ddS)NCreateAccessPointNamez4The Name parameter does not support the provided ARNr )rr)rerj_is_outpost_accesspoint_store_outpost_accesspointr1)rrrrrrXrDrDrErf s   z+S3ControlArnParamHandler._handle_name_paramcCs@|ddkrdS|d}t|dkr(dS|ddko>|dd kS) Nrz s3-outpostsFrhrrrrr)r})rrrhrDrDrEro s   z0S3ControlArnParamHandler._is_outpost_accesspointcCsD||||dd}||d<||d<|dd|d<||d<dS)Nrhr|rnr r3rr)rl)rrrrr rDrDrErp s   z3S3ControlArnParamHandler._store_outpost_accesspointcCsJ||d}|dkrdS||r2||||nd}t|d|ddS)Nrz6The Bucket parameter does not support the provided ARNr )rr)rj_is_outpost_bucket_store_outpost_bucketr1)rrrrrrXrDrDrErg s  z-S3ControlArnParamHandler._handle_bucket_paramcCs@|ddkrdS|d}t|dkr(dS|ddko>|dd kS) Nrz s3-outpostsFrhrrrrr)r})rrrhrDrDrErq s   z+S3ControlArnParamHandler._is_outpost_bucketcCsD||||dd}||d<||d<|dd|d<||d<dS)Nrhr|rrr3rr)rl)rrrrrrDrDrErr s   z.S3ControlArnParamHandler._store_outpost_bucket)N)rrrrrcrurkrrrrjrirlrerfrorprgrqrrrDrDrDrErdB s       rdc@sReZdZdZdddZddZddZd d Zd d Zd dZ ddZ ddZ dS)S3ControlArnParamHandlerv2aUpdated version of S3ControlArnParamHandler for use when EndpointRulesetResolver is in use for endpoint resolution. This class is considered private and subject to abrupt breaking changes or removal without prior announcement. Please do not use it directly. NcCs||_|dkrt|_dS)N)rr)rrrDrDrEr sz#S3ControlArnParamHandlerv2.__init__cCs|d|jdS)Nz%before-endpoint-resolution.s3-control)rr)rrrDrDrEr sz#S3ControlArnParamHandlerv2.registercCsl|jdkrdS||d}|dkr&dS||||||rT||||nd}t|d|ddS)Nrmrnz4The Name parameter does not support the provided ARNr )rr)rerj_raise_for_fips_pseudo_region_raise_for_accelerate_endpointrorpr1)rrrrrrXrDrDrErf s     z-S3ControlArnParamHandlerv2._handle_name_paramcCs|||dS)N)rl)rrrrrDrDrErp sz5S3ControlArnParamHandlerv2._store_outpost_accesspointcCs^||d}|dkrdS||||||rF||||nd}t|d|ddS)Nrz6The Bucket parameter does not support the provided ARNr )rr)rjrtrurqrrr1)rrrrrrXrDrDrErg s    z/S3ControlArnParamHandlerv2._handle_bucket_paramcCs|||dS)N)rl)rrrrrDrDrErr sz0S3ControlArnParamHandlerv2._store_outpost_bucketcCs0|d}|ds|dr,t|ddddS)Nrzfips-r z,Invalid ARN, FIPS region not allowed in ARN.)rr)rrr1)rrrWrDrDrErt s z8S3ControlArnParamHandlerv2._raise_for_fips_pseudo_regioncCs&|djp i}|dr"tdddS)N client_configrBz7S3 control client does not support accelerate endpoints)r)rrRr2)rrrrDrDrEru s z9S3ControlArnParamHandlerv2._raise_for_accelerate_endpoint)N) rrrrrrrfrprgrrrtrurDrDrDrErs s  rsc@sreZdZdZdZdZdZeddgZdej fdd Z dd d Z d d Z ddZ ddZdddZddZddZdS)ContainerMetadataFetcherrr|r3z 169.254.170.2 localhostz 127.0.0.1NcCs(|dkrtjj|jd}||_||_dS)N)r)rYrrTIMEOUT_SECONDSr_sleep)rrKsleeprDrDrEr s  z!ContainerMetadataFetcher.__init__cCs|||||S)zRetrieve JSON metadata from container metadata. :type full_url: str :param full_url: The full URL of the metadata service. This should include the scheme as well, e.g "http://localhost:123/foo" )_validate_allowed_url_retrieve_credentials)rfull_urlr]rDrDrEretrieve_full_uri$ s z*ContainerMetadataFetcher.retrieve_full_uricCs:tj|}||j}|s6td|jd|jfdS)NzGUnsupported host '%s'. Can only retrieve metadata from these hosts: %sz, )rYcompatr_check_if_whitelisted_hostrorrq_ALLOWED_HOSTS)rr~parsedZis_whitelisted_hostrDrDrEr|0 s   z.ContainerMetadataFetcher._validate_allowed_urlcCs||jkrdSdS)NTF)r)rrrDrDrEr: s z3ContainerMetadataFetcher._check_if_whitelisted_hostcCs||}||S)zRetrieve JSON metadata from ECS metadata. :type relative_uri: str :param relative_uri: A relative URI, e.g "/foo/bar?id=123" :return: The parsed JSON response. )r~r})r relative_urir~rDrDrE retrieve_uri? s z%ContainerMetadataFetcher.retrieve_uric Csddi}|dk r||d}xhy||||jStk r}z4tjd|dd||j|d7}||jkrrWdd}~XYq Xq WdS)NAcceptzapplication/jsonrzAReceived error when attempting to retrieve container metadata: %sT)rr3) rB _get_responseryr)rrrz SLEEP_TIMERETRY_ATTEMPTS)rr~ extra_headersr]ZattemptsrrDrDrEr}K s"    z.ContainerMetadataFetcher._retrieve_credentialsc Csytjj}|d||d}|j|}|jd}|jdkrRt d|j|fdy t |St k rd}t d||t |dYnXWn4tk r} zd | }t |dWdd} ~ XYnXdS) Nr)rrrr]zutf-8rz4Received non 200 response (%s) from ECS metadata: %s)rXz8Unable to parse JSON returned from ECS metadata servicesz%s:%sz;Received error when attempting to retrieve ECS metadata: %s)rYrZrrrrrrMrr)rrrrrr) rr~r]rrrrZ response_textrXrrDrDrEra s&   z&ContainerMetadataFetcher._get_responsecCsd|j|S)Nzhttp://) IP_ADDRESS)rrrDrDrEr~} sz!ContainerMetadataFetcher.full_url)N)N)rrrryrrrrtimer{rrr|rrr}rr~rDrDrDrErw s    rwcCst|r iStSdS)N)should_bypass_proxiesr)rrrDrDrEr src Cs6ytt|jrdSWnttjfk r0YnXdS)z: Returns whether we should bypass proxies or not. TF)rrrr(socketgaierror)rrrDrDrEr s rc Cs|sdSyt|Sttfk r(YnXt|drt|dry.|}|dd|}||||Stjk rYnXdS)Nrseektellr)r}AttributeErrorr(rQrrioUnsupportedOperation)r<Zorig_posZ end_file_posrDrDrEdetermine_content_length s   r ISO-8859-1cCsJ|d}|sdStj}||d<|d}|dk r:|Sd|krF|SdS)zReturns encodings from given HTTP Header Dict. :param headers: dictionary to extract encoding from. :param default: default encoding if the content-type is text z content-typeNcharsetr)rRr:messager get_param)r]default content_typerrrDrDrEget_encoding_from_headers s   rcKs0t|ttfrt|}nt|}t|dS)NrI)r?r! bytearray_calculate_md5_from_bytes_calculate_md5_from_filebase64 b64encoderM)r<rZ binary_md5rDrDrE calculate_md5 s rcCst|}|S)N)rrD)Z body_bytesmd5rDrDrEr srcsF}t}x$tfdddD]}||q"W||S)Ncs dS)Ni)r rD)fileobjrDrEr= r>z*_calculate_md5_from_file..r>)rrrArBrrD)rZstart_positionrrFrD)rrEr s  rcKs|d}|d}|didi}|d}|r>|dkr>dSx|D]}t|rDdSqDWtr|dk rd|krt|f|}||dd<dS) z1Only add a Content-MD5 if the system supports it.r]r<rrEZrequest_algorithmzconditional-md5Nz Content-MD5)rRCHECKSUM_HEADER_PATTERNrprr)rrr]r<Zchecksum_contextZchecksum_algorithmrOZ md5_digestrDrDrEconditionally_calculate_md5 s     rc@s eZdZefddZddZdS)FileWebIdentityTokenLoadercCs||_||_dS)N)_web_identity_token_pathr)rZweb_identity_token_pathrrDrDrEr sz#FileWebIdentityTokenLoader.__init__c Cs ||j }|SQRXdS)N)rrr )rZ token_filerDrDrE__call__ sz#FileWebIdentityTokenLoader.__call__N)rrropenrrrDrDrDrEr s rc@s2eZdZd ddZddZd ddZd dd ZdS) SSOTokenLoaderNcCs|dkr i}||_dS)N)r)rrrDrDrEr szSSOTokenLoader.__init__cCs$|}|dk r|}t|dS)Nzutf-8)r?sha1r"rC)r start_url session_namer#rDrDrE_generate_cache_key sz"SSOTokenLoader._generate_cache_keycCs|||}||j|<dS)N)rr)rrrrrrDrDrE save_token s zSSOTokenLoader.save_tokencCs|||}td|||jkrL|}|dk r6|}d|d}t|d|j|}d|ksfd|kr|d|d}t|d|S)NzChecking for cached token at: z Token for z does not exist)rXZ accessTokenZ expiresAtz is invalid)rrrrr,)rrrrrerXrrDrDrEr s       zSSOTokenLoader.__call__)N)N)N)rrrrrrrrDrDrDrEr s  rc@s@eZdZdZdZdddZddZdd Zd d Zdd d Z dS)EventbridgeSignerSetterrz amazonaws.comNcCs||_||_||_dS)N)rrr)rrrrqrDrDrEr) sz EventbridgeSignerSetter.__init__cCs |d|j|d|jdS)Nz'before-parameter-build.events.PutEventszbefore-call.events.PutEvents)rcheck_for_global_endpointset_endpoint_url)rrrDrDrEr. s z EventbridgeSignerSetter.registercKs6d|kr2|d}td|dd|||d<dS)Neventbridge_endpointzRewriting URL from rrz to )rr)rrrrrrDrDrEr7 sz(EventbridgeSignerSetter.set_endpoint_urlc Ks|d}|dkrdSt|dkr,tddts:tdd|d}d}|dk rl|jr`tdd|jrldg}|jdkrtd |}|j |krtd d|j ||d }n|j}||d <d |d<dS)NZ EndpointIdrz+EndpointId must not be a zero length string)rzqUsing EndpointId requires an additional dependency. You will need to pip install botocore[crt] before proceeding.rvz>FIPS is not supported with EventBridge multi-region endpoints.r6zhttps://z-EndpointId is not a valid hostname component.)endpoint_variant_tagsrZv4ar) rRr}r#rr*rr0rrro_get_global_endpoint) rrrrrr8rrwZresolved_endpointrDrDrEr= s6      z1EventbridgeSignerSetter.check_for_global_endpointcCsN|j}||j}|dkr |j}|j||d}|dkr<|j}d|d|dS)N)rzhttps://z.endpoint.events.rg)rZget_partition_for_regionrrr=r>)rrrr#rr?rDrDrEri s  z,EventbridgeSignerSetter._get_global_endpoint)NN)N) rrrrr>rrrrrrDrDrDrEr% s  ,rcCs|dkr dSt|}|jdr*|jdkr.dS|jd}|ddkrJdS|dd }t|tt|krndStd d |DS) zDoes the URL match the S3 Accelerate endpoint scheme? Virtual host naming style with bucket names in the netloc part of the URL are not allowed by this function. NFz amazonaws.com)httpshttprlrz s3-accelerater3rCcss|]}|tkVqdS)N)r)rVrrDrDrErD sz'is_s3_accelerate_url..)rrrrrnr}rErF)rrZ url_partsrwrGrDrDrEis_s3_accelerate_urlx s    rc@sreZdZdZejejddddZedfddZ d d Z d d Z d dZ ddZ ddZddZdddZdS) JSONFileCachezJSON file cache. This provides a dict like interface that stores JSON serializable objects. The objects are serialized to JSON and stored in a file. These values can be retrieved at a later time. ~z.awsZbotorNcCs||_|dkr|j}||_dS)N) _working_dir_default_dumps_dumps)rZ working_dirZ dumps_funcrDrDrEr szJSONFileCache.__init__cCstj||jdS)N)r)rdumps_serialize_if_needed)rrVrDrDrEr szJSONFileCache._default_dumpscCs||}tj|S)N)_convert_cache_keyrriisfile)rr actual_keyrDrDrE __contains__ s zJSONFileCache.__contains__c CsN||}yt| }t|SQRXWn ttfk rHt|YnXdS)z Retrieve value from a cache key.N)rrrloadrrKeyError)rrrrrDrDrE __getitem__ s   zJSONFileCache.__getitem__cCs@||}yt|}|Wntk r:t|YnXdS)N)rrunlinkFileNotFoundErrorr)rrrZkey_pathrDrDrE __delitem__ s   zJSONFileCache.__delitem__c Cs||}y||}Wn&ttfk r>td|YnXtj|jsZt|jt t |tj tj Bdd}| ||WdQRXdS)Nz3Value cannot be cached, must be JSON serializable: iw)rrr(rrriisdirrmakedirsfdopenrO_WRONLYO_CREATtruncatewrite)rrrZfull_keyZ file_contentrrDrDrE __setitem__ s  zJSONFileCache.__setitem__cCstj|j|d}|S)Nz.json)rrirqr)rr full_pathrDrDrEr sz JSONFileCache._convert_cache_keyFcCs&t|tjr"|r|S|dS|S)Nz%Y-%m-%dT%H:%M:%S%Z)r?r isoformatr)rrZisorDrDrEr s   z"JSONFileCache._serialize_if_needed)F)rrrrrri expanduserrqZ CACHE_DIRrrrrrrrrrDrDrDrEr s r)T)F)N)F)N)N)T)T)r)rrKr email.messager:rr?rloggingrrrcrrrrpathlibrurllib.requestrrZdateutil.parserr)Z dateutil.tzrZurllib3.exceptionsrrYZbotocore.awsrequestZbotocore.httpsessionZbotocore.compatrrr r r r r rrrrrrrrrrrrrrZbotocore.exceptionsrrrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.r/r0r1r2 getLoggerrrrrrrJZ SAFE_CHARSrur~rrZ EVENT_ALIASESrvrrFrLrUr^rfrjrkrhr{r~r Exceptionrrrrrrrr rrr r rr-r/r2r;rGrPrJrRrYrrrsryrr{rrrrrrrrrrrrrrrrrrrJrdrsrwrrrrrrrrrrrrrrDrDrDrE s          @d       ;?&   & -  !d   ?!  E4UXMm   !S!