o "`^h @sd ddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZddlmZddlmZddlmZmZddlZddlmZddlmZddlZddlZddl Zddl!m"Z"dd l!m#Z#dd l!m$Z$dd l!m%Z%dd l!m&Z&dd l!m'Z'ddl!m(Z(ddl!m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6ddl7m8Z8m9Z9m:Z:m;Z;mZ>m?Z?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZMmNZNeOePZQdZRdZSdZTdZUdZVe WdZXeGed?d@dAdBdCdDdEdFdGdHdIdJdKdLdMdNdOdPdQdRdSdTdOdUdVdWdXdYdZid[d\d]d^d_d^d`d5dad7dbd?dcdddedfdgdhdidjdkdldmdndodpdqdZdrdsdtdudvduidwdxdydjdzd{d|d}d~ddddddddddddlddddddddddddddddIddZ[e jWde j\dZ]ddZ^ddZ_ddZ`ddZaddZbddZcddZdddZeddZfdVddZgddZhGdddeiZjGdddeiZkGdddZlGdddelZmGdddZnGdddelZodWddZpddZqerfdd„ZsddĄZteVfddƄZueVfddȄZvddʄZwdd̄Zxdd΄ZyddЄZzdXdd҄Z{dWddԄZ|ddքZ}dd؄Z~GddڄdڃZGdd܄d܃ZddބZddZddZddZddZddZ dXddZ dXddZddZddZddZddZddZdVddZdVddZddZddZGdddZGdddeZGdddZGdddZGdddZGd d d eZGd d d ZGd ddZGdddZGdddZGdddZGdddeZGdddZddZddZddZdYd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1ZGd2d3d3ZGd4d5d5ZGd6d7d7Zd8d9ZGd:d;d;Zd<d=ZddiZiddd d!d>d?d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d:d;d@dAdszhas_header..)rubotocore awsrequest HeadersDictrxkeys) header_nameheadersr{r{r| has_headers rcCsD|jd|jd|j}|dd}|dd}tdd|}|S)zvReturns the module name for a service This is the value used in both the documentation and client class name serviceAbbreviationserviceFullNameAmazonAWSz\W+)metadatar service_namereplaceresub) service_modelnamer{r{r|get_service_module_names  rcCs|sdSt|S)N/)remove_dot_segmentspathr{r{r|normalize_url_pathsrcCs|dur|St|S)zLReturns None if val is None, otherwise ensure value converted to booleanN)r}ryr{r{r|normalize_booleansrcCs|sdS|d}g}|D]}|r%|dkr%|dkr |r|q ||q |ddkr/d}nd}|ddkr<|rr?) role_name access_key secret_keyr( expiry_timeCodeMessagez7Error response received when retrievingcredentials: %s.\Max number of attempts exceeded (%s) when attempting to retrieve data from metadata service.zBad IMDS request: %s) r! _get_iam_role_get_credentials_contains_all_credential_fields_evaluate_expirationrrr%rrr)rr(r@ credentialsr r{r{r|retrieve_iam_role_credentialsAs<     z5InstanceMetadataFetcher.retrieve_iam_role_credentialsNcCs|j|j|j|djSNr&r'r()r) _URL_PATH_needs_retry_for_role_namer)rr(r{r{r|rGjsz%InstanceMetadataFetcher._get_iam_rolecCs$|j|j||j|d}t|jSrM)r)rO_needs_retry_for_credentialsrloadsr)rr@r(rr{r{r|rHqs  z(InstanceMetadataFetcher._get_credentialscCs4z t|jWdSty||dYdSw)NFz invalid jsonT)rrRr ValueErrorr4r0r{r{r|_is_invalid_jsonys   z(InstanceMetadataFetcher._is_invalid_jsoncCr,rr-r0r{r{r|rPr1z2InstanceMetadataFetcher._needs_retry_for_role_namecCs||p||p||Sr)r.r/rUr0r{r{r|rQs z4InstanceMetadataFetcher._needs_retry_for_credentialscCs*|jD]}||vrtd|dSqdS)Nz3Retrieved credentials is missing required field: %sFT)_REQUIRED_CREDENTIAL_FIELDSrr)rrKfieldr{r{r|rIs z7InstanceMetadataFetcher._contains_all_credential_fieldsc Cs|d}|dur dSzHtj|d}|jdd}tdd}||}tj}tj|d}||}||krQ||} | d|d<t d|dd d WdSWdSt ygt d |dYdSw) NrCz%Y-%m-%dT%H:%M:%SZec2_credential_refresh_windowiXxsecondszAttempting credential expiration extension due to a credential service availability issue. A refresh of these credentials will be attempted again within the next <z.0fz minutes.zUnable to parse expiry_time in ) rrstrptimerrandomrandintutcnow timedeltastrftimerinforTr) rrK expirationrefresh_intervaljitterrefresh_interval_with_jitter current_timerefresh_offsetextension_timenew_timer{r{r|rJsB       z,InstanceMetadataFetcher._evaluate_expirationr) rrrrOrVrLrGrHrUrPrQrIrJr{r{r{r|r;8s )  r;c@s6eZdZd ddZddZddZdd Zd d ZdS) IMDSRegionProviderNcCs$||_|dur tj}||_||_dS)aUInitialize IMDSRegionProvider. :type session: :class:`botocore.session.Session` :param session: The session is needed to look up configuration for how to contact the instance metadata service. Specifically the whether or not it should use the IMDS region at all, and if so how to configure the timeout and number of attempts to reach the service. :type environ: None or dict :param environ: A dictionary of environment variables to use. If ``None`` is the argument then ``os.environ`` will be used by default. :type fecther: :class:`botocore.utils.InstanceMetadataRegionFetcher` :param fetcher: The class to actually handle the fetching of the region from the IMDS. If not provided a default one will be created. N)rrr_environ_fetcher)rrrfetcherr{r{r|rs  zIMDSRegionProvider.__init__cCs |}|S)z#Provide the region value from IMDS.)_get_instance_metadata_region)rinstance_regionr{r{r|provideszIMDSRegionProvider.providecCs|}|}|Sr) _get_fetcherretrieve_region)rrorr{r{r|rpsz0IMDSRegionProvider._get_instance_metadata_regioncCs|jdur ||_|jSr)rn_create_fetcherrr{r{r|rss  zIMDSRegionProvider._get_fetchercCsX|jd}|jd}|jdt|j|jdd}t|||j|j|d}|S)Nmetadata_service_timeoutmetadata_service_num_attemptsrr)rr~r)rrrrrC)rrrInstanceMetadataRegionFetcherrmr)rmetadata_timeoutmetadata_num_attempts imds_configror{r{r|rus0 z"IMDSRegionProvider._create_fetcherNN)rrrrrrrprsrur{r{r{r|rls   rlc@ eZdZdZddZddZdS)rxz-latest/meta-data/placement/availability-zone/cCs4z|}|WS|jytd|jYdSw)aRGet the current region from the instance metadata service. :rvalue: str :returns: The region the current instance is running in or None if the instance metadata service cannot be contacted or does not give a valid response. :rtype: None or str :returns: Returns the region as a string if it is configured to use IMDS as a region source. Otherwise returns ``None``. It will also return ``None`` if it fails to get the region from IMDS due to exhausting its retries or not being able to connect. rFN) _get_regionr%rrr)rrr{r{r|rts z-InstanceMetadataRegionFetcher.retrieve_regioncCs2|}|j|j|j|d}|j}|dd}|S)NrNr)r!r)rOr$r)rr(ravailability_zonerr{r{r|r~s z)InstanceMetadataRegionFetcher._get_regionN)rrrrOrtr~r{r{r{r|rxs rxFcCs|D]M}t||tr$||vr||vrt||||q||||<qt||trI|rI||vrBt||trB||||q||||<q||||<qdS)zGiven two dict, merge the second dict into the first. The dicts can have arbitrary nesting. :param append_lists: If true, instead of clobbering a list with the new value, append all of the new values onto the original list. N)rudict merge_dictslistextend)dict1dict2 append_listsrr{r{r|r srcCs"i}|D] }||||<q|S)zDCopies the given dictionary ensuring all keys are lowercase strings.r)originalrrr{r{r|lowercase_dict=srcCsZz ||}|}t|WdWS1swYWdSty,t|dw)Nr)readparse_key_val_file_contentsOSErrorr)filename_openfcontentsr{r{r|parse_key_val_fileEs (  rcCsHi}|D]}d|vr q|dd\}}|}|}|||<q|S)N=r5) splitlinesrstrip)rfinallinerrzr{r{r|rNs  rcCsg}t|dr |}n|}|D]+\}}t|tr-|D]}|t|dt|qq|t|dt|qd|S)afUrlencode a dict or list into a string. This is similar to urllib.urlencode except that: * It uses quote, and not quote_plus * It has a default list of safe chars that don't need to be encoded, which matches what AWS services expect. If any value in the input ``mapping`` is a list type, then each list element wil be serialized. This is the equivalent to ``urlencode``'s ``doseq=True`` argument. This function should be preferred over the stdlib ``urlencode()`` function. :param mapping: Either a dict to urlencode or a list of ``(key, value)`` pairs. itemsr&)rrrurrpercent_encoder)mappingsafe encoded_pairspairsrrelementr{r{r|percent_encode_sequence]s     rcCs6t|ttfs t|}t|ts|d}t||dS)aUrlencodes a string. Whereas percent_encode_sequence handles taking a dict/sequence and producing a percent encoded string, this function deals only with taking a string (not a dict/sequence) and percent encoding it. If given the binary type, will simply URL encode it. If given the text type, will produce the binary type by UTF-8 encoding the text. If given something else, will convert it to the text type first. utf-8)r)rubytesrwencoder) input_strrr{r{r|rs     rc Cs6tjddddddtd}||}|tj|dS)aParse numerical epoch timestamps (seconds since 1970) into a ``datetime.datetime`` in UTC using ``datetime.timedelta``. This is intended as fallback when ``fromtimestamp`` raises ``OverflowError`` or ``OSError``. :type value: float or int :param value: The Unix timestamps as number. :type tzinfo: callable :param tzinfo: A ``datetime.tzinfo`` class or compatible callable. r5rtzinforZ)rr astimezonera)rr epoch_zeroepoch_zero_localizedr{r{r|_epoch_seconds_to_datetimes rc Cst|ttfrtj||Sz tjt||WSttfy%Ynwz tjj |dt idWSttfyJ}z td|d|d}~ww)z.Parse timestamp with pluggable tzinfo options.GMT)tzinfoszInvalid timestamp "z": N) ruintfloatr fromtimestamp TypeErrorrTdateutilparserparser)rrr r{r{r|_parse_timestamp_with_tzinfosrc Cst}|D]'}zt||WSttfy,}ztjd|j|dWYd}~qd}~wwzt|}Wn tt fy>Yn.wz|D] }t ||dWSWnttfyk}ztjd|j|dWYd}~nd}~wwt d|d)zParse a timestamp into a datetime object. Supported formats: * iso8601 * rfc822 * epoch (value is an integer) This will return a ``datetime.datetime`` object. z2Unable to parse timestamp with "%s" timezone info.rNrzHUnable to parse timestamp using fallback method with "%s" timezone info.z1Unable to calculate correct timezone offset for "") rrr OverflowErrorrrrrrrTr RuntimeError)rtzinfo_optionsrr  numeric_valuer{r{r|parse_timestamps@   rcCsDt|tr|}nt|}|jdur|jtd}|S|t}|S)aConverted the passed in value to a datetime object with tzinfo. This function can be used to normalize all timestamp inputs. This function accepts a number of different types of inputs, but will always return a datetime.datetime object with time zone information. The input param ``value`` can be one of several types: * A datetime object (both naive and aware) * An integer representing the epoch time (can also be a string of the integer, i.e '0', instead of 0). The epoch time is considered to be UTC. * An iso8601 formatted timestamp. This does not need to be a complete timestamp, it can contain just the date portion without the time component. The returned value will be a datetime object that will have tzinfo. If no timezone info was provided in the input value, then UTC is assumed, not local time. Nr)ru_DatetimeClassrrrrr)r datetime_objr{r{r|parse_to_aware_datetimes   rcCsRtddd}|jdur|durt}|j|d}|jdd||}|S)awCalculate the timestamp based on the given datetime instance. :type dt: datetime :param dt: A datetime object to be converted into timestamp :type default_timezone: tzinfo :param default_timezone: If it is provided as None, we treat it as tzutc(). But it is only used when dt is a naive datetime. :returns: The timestamp rr5Nr)rrrr utcoffset total_seconds)dtdefault_timezoneepochdr{r{r|datetime2timestamps  rcs>t}tfdddD]}||q |r|S|S)aCalculate a sha256 checksum. This method will calculate the sha256 checksum of a file like object. Note that this method will iterate through the entire file contents. The caller is responsible for ensuring the proper starting position of the file and ``seek()``'ing the file back to its starting location if other consumers need to read from the file like object. :param body: Any file like object. The file must be opened in binary mode such that a ``.read()`` call returns bytes. :param as_hex: If True, then the hex digest is returned. If False, then the digest (as binary bytes) is returned. :returns: The sha256 checksum c dSNrr{bodyr{r|> z"calculate_sha256..)hashlibsha256iterupdate hexdigestdigest)ras_hexchecksumchunkr{rr|calculate_sha256+s  rcsg}dtj}tfdddD] }|||q|s%|dSt|dkrSg}t|D]\}}|durE||||q1||q1|}t|dks+t |d dS) a\Calculate a tree hash checksum. For more information see: http://docs.aws.amazon.com/amazonglacier/latest/dev/checksum-calculations.html :param body: Any file like object. This has the same constraints as the ``body`` param in calculate_sha256 :rtype: str :returns: The hex version of the calculated tree hash rcs Srrr{rrequired_chunk_sizer{r|rWrz%calculate_tree_hash..rr5Nrascii) rrrrrrr _in_pairsbinasciihexlifydecode)rchunksrr new_chunksrsecondr{rr|calculate_tree_hashFs      rcCst|}t||Sr)rr)iterable shared_iterr{r{r|rgs rc@r})CachedPropertyzA read only property that caches the initially computed value. This descriptor will only call the provided ``fget`` function once. Subsequent access to this property will return the cached value. cCrr)_fget)rfgetr{r{r|rrzCachedProperty.__init__cCs(|dur|S||}||j|jj<|Sr)r__dict__r)robjclscomputed_valuer{r{r|__get__s  zCachedProperty.__get__N)rrrrrrr{r{r{r|rxs rc@sDeZdZdZdddZddZddd Zd d Zd d ZddZ dS)ArgumentGeneratoraGenerate sample input based on a shape model. This class contains a ``generate_skeleton`` method that will take an input/output shape (created from ``botocore.model``) and generate a sample dictionary corresponding to the input/output shape. The specific values used are place holder values. For strings either an empty string or the member name can be used, for numbers 0 or 0.0 is used. The intended usage of this class is to generate the *shape* of the input structure. This can be useful for operations that have complex input shapes. This allows a user to just fill in the necessary data instead of worrying about the specific structure of the input arguments. Example usage:: s = botocore.session.get_session() ddb = s.get_service_model('dynamodb') arg_gen = ArgumentGenerator() sample_input = arg_gen.generate_skeleton( ddb.operation_model('CreateTable').input_shape) print("Sample input for dynamodb.CreateTable: %s" % sample_input) FcCrr)_use_member_names)ruse_member_namesr{r{r|rrzArgumentGenerator.__init__cCsg}|||S)zGenerate a sample input. :type shape: ``botocore.model.Shape`` :param shape: The input shape. :return: The generated skeleton input corresponding to the provided input shape. )_generate_skeleton)rrstackr{r{r|generate_skeletons z#ArgumentGenerator.generate_skeletonrcCs>||jz|jdkr|||W|S|jdkr'|||W|S|jdkr7|||W|S|jdkr[|jrF|W|S|jrTt |jW|SW|dS|jdvrgW|dS|jdvrsW|d S|jd krW|d S|jd krt d dddddW|SW|dS|w)N structurermaprr)integerlongr)rdoublegbooleanT timestamprr5) rrr_generate_type_structurer_generate_type_list_generate_type_maprenumr^choicerrrrrr{r{r|rsD                    z$ArgumentGenerator._generate_skeletoncCsF||jdkr iSt}|jD]\}}|j|||d||<q|S)Nr5)r)countrrmembersrr)rrrskeleton member_name member_shaper{r{r|rs z*ArgumentGenerator._generate_type_structurecCs$d}|jr |jj}||j||gS)Nr)rmemberrrrr{r{r|rs z%ArgumentGenerator._generate_type_listcCs0|j}|j}|jdks Jtd|||fgS)NrKeyName)rrrrr)rrr key_shape value_shaper{r{r|rsz$ArgumentGenerator._generate_type_mapNr9)r) rrrrrrrrrrr{r{r{r|rs   rcCs.t|rdSdt|jd}t|duS)NFrr)r intersectionrhostnamermatch endpoint_urlr r{r{r|is_valid_ipv6_endpoint_urls r cCst|j}t|duSr)rr rr r r{r{r|is_valid_ipv4_endpoint_urls rcCsht|rdSt|}|j}|durdSt|dkrdS|ddkr(|dd}tdtj}||S)zVerify the endpoint_url is valid. :type endpoint_url: string :param endpoint_url: An endpoint_url. Must have at least a scheme and a hostname. :return: True if the endpoint url is valid. False otherwise. FNrrz;^((?!-)[A-Z\d-]{1,63}(?        r!cCs |jdS)Nz ?location)rrrr{r{r|r' r'cs"jtfdd}|S)aMethod decorator for caching method calls to a single instance. **This is not a general purpose caching decorator.** In order to use this, you *must* provide an ``_instance_cache`` attribute on the instance. This decorator is used to cache method calls. The cache is only scoped to a single instance though such that multiple instances will maintain their own cache. In order to keep things simple, this decorator requires that you provide an ``_instance_cache`` attribute on your instance. csb|f}|rtt|}||f}|j|}|dur|S|g|Ri|}||j|<|Sr)tuplesortedr_instance_cacher)rargsr cache_key kwarg_itemsresultfunc func_namer{r| _cache_guards   z$instance_cache.._cache_guard)r functoolswraps)r:r<r{r9r|instance_caches r?cfdd}|S)a Version of functools.lru_cache that stores a weak reference to ``self``. Serves the same purpose as :py:func:`instance_cache` but uses Python's functools implementation which offers ``max_size`` and ``typed`` properties. lru_cache is a global cache even when used on a method. The cache's reference to ``self`` will prevent garbace collection of the object. This wrapper around functools.lru_cache replaces the reference to ``self`` with a weak reference to not interfere with garbage collection. cs>tjifddtfdd}j|_|S)Ncs|g|Ri|Srr{)weakref_to_selfr5r)r:r{r|func_with_weakrefsz=lru_cache_weakref..wrapper..func_with_weakrefcst|g|Ri|Sr)weakrefref)rr5r)rBr{r|innersz1lru_cache_weakref..wrapper..inner)r= lru_cacher> cache_info)r:rE cache_args cache_kwargs)r:rBr|wrappers z"lru_cache_weakref..wrapperr{)rIrJrKr{rHr|lru_cache_weakrefs  rLcKsht|jjd}dd|D}d}t|dkr!|d|d7}|d7}|dvr+dSt||d d dS) z?Switches the current s3 endpoint with an S3 Accelerate endpointrcSsg|]}|tvr|qSr{S3_ACCELERATE_WHITELISTrpr{r{r|rsz-switch_host_s3_accelerate..zhttps://s3-accelerate.r amazonaws.com) ListBuckets CreateBucket DeleteBucketNF)use_new_scheme)rrr(rrr _switch_hosts)roperation_namerrrr{r{r|switch_host_s3_accelerates rXcCs6t|jd}||r||}t||dSdS)zBSwitches the host using a parameter value from a JSON request bodyrN)rrRdatarrrV)r param_name request_json new_endpointr{r{r|switch_host_with_params  r]cCst|j||}||_dSr)_get_new_endpointr)rr\rUfinal_endpointr{r{r|rVs rVcCsVt|}t|}|j}|r|j}||j|j|jdf}t|}td|d||SNrzUpdating URI from  to )rr*r(rr+rrr)original_endpointr\rUnew_endpoint_componentsoriginal_endpoint_componentsr*final_endpoint_componentsr_r{r{r|r^sr^cCsR|D]$}||vr t||tr t||tr t||||q||||<qdS)zDeeply two dictionaries, overriding existing keys in the base. :param base: The base dictionary which will be merged into. :param extra: The dictionary to merge into the base. Keys from this dictionary will take precedence. N)rur deep_merge)baseextrarr{r{r|rfs  rfcCs|ddS)zcTranslate the form used for event emitters. :param service_id: The service_id to convert.  -)rrx) service_idr{r{r|hyphenize_service_id'srlc@s,eZdZdZdZddZddZddZd S) IdentityCachezBase IdentityCache implementation for storing and retrieving highly accessed credentials. This class is not intended to be instantiated in user code. base_identity_cachecC||_||_dSr_client_credential_clsrclientcredential_clsr{r{r|r8 zIdentityCache.__init__cKs2|jdi|}|}|jj|||jddd}|S)N- )r refresh_usingr advisory_timeoutmandatory_timeoutr{)build_refresh_callbackrrcreate_from_metadataMETHOD)rrcallbackrcredential_entryr{r{r|get_credentials<szIdentityCache.get_credentialscKst)zCallback to be implemented by subclasses. Returns a set of metadata to be converted into a new credential instance. )NotImplementedError)rr{r{r|r|Hsz$IdentityCache.build_refresh_callbackN)rrrrr~rrr|r{r{r{r|rm/s  rmcsJeZdZdZdZddZejddfddZd d Z dd d Z Z S)S3ExpressIdentityCachezS3Express IdentityCache for retrieving and storing credentials from CreateSession calls. This class is not intended to be instantiated in user code. s3expresscCrorrprsr{r{r|rZrvzS3ExpressIdentityCache.__init__d)maxsizecstj|dS)Nbucket)superr)rr __class__r{r|r^sz&S3ExpressIdentityCache.get_credentialscr@)NcsBjjd}|d}j|ddd}|d|d|d|d S) NBucket Credentialsr?T)isor<r= SessionToken)rArBr(rC)rqcreate_session_serialize_if_needed)rcredsrdrrr{r| refreshercsz@S3ExpressIdentityCache.build_refresh_callback..refresherr{)rrrr{rr|r|bs z-S3ExpressIdentityCache.build_refresh_callbackFcC$t|tr|r |S|dS|SNz%Y-%m-%dT%H:%M:%S%Zrur isoformatrbrrrr{r{r|rr  z+S3ExpressIdentityCache._serialize_if_neededr9) rrrrr~rr=rFrr|r __classcell__r{r{rr|rQs rc@s0eZdZd ddZd ddZddZdd ZdS) S3ExpressIdentityResolverNcCs*t||_|durt|j|}||_dSr)rCproxyrqr_cache)rrtrucacher{r{r|r{s   z"S3ExpressIdentityResolver.__init__cCs8td|p |jjj}|d|j|d|jdS)Nz'Registering S3Express Identity Resolverbefore-call.s3before-sign.s3)rrrqmetarXregisterapply_signing_cache_keyresolve_s3express_identityr event_emitteremitterr{r{r|rs z"S3ExpressIdentityResolver.registercKs^|di}|dd}|did}|dkr+|dur-|di||dd<dSdSdS)Nendpoint_propertiesbackend input_paramsr S3Expresssigningr6)r setdefault)rparamsrrrrrr{r{r|rs   z1S3ExpressIdentityResolver.apply_signing_cache_keyc Ksl|jdi}|d}|dkr0|dr2|j|d<d|vr4|jdidid |d<dSdSdSdS) Nr signing_namerz v4-s3expressidentity_cacher6 s3_redirectrr)rr startswithr) rrrrr"request_signerrWrsigning_contextr{r{r|rs     z4S3ExpressIdentityResolver.resolve_s3express_identityr)rrrrrrrr{r{r{r|rzs    rc@LeZdZdZdddZdddZddZd d Zd d Zd dZ ddZ dS)S3RegionRedirectorv2a Updated version of S3RegionRedirector for use when EndpointRulesetResolver is in use for endpoint resolution. This class is considered private and subject to abrupt breaking changes or removal without prior announcement. Please do not use it directly. NcCs|pi|_t||_dSr)rrCrrqrendpoint_bridgertrr{r{r|rs zS3RegionRedirectorv2.__init__cCsFtd|p |jjj}|d|j|d|j|d|jdS)Nz(Registering S3 region redirector handlerneeds-retry.s3before-parameter-build.s3zbefore-endpoint-resolution.s3) rrrqrrXrredirect_from_errorannotate_request_contextredirect_from_cacherr{r{r|rs zS3RegionRedirectorv2.registerc Ks|durdS|didi}t|drtddS|dr+tddS|dd i}|d }|dd i}|d voH|jd k} |d voY|jdkoYd|div} |dkoad|v} |dduon|djdv} |dk} t| | | | | gs~dS|ddd}|dd}|||}|durtd|d|ddStd|d|d|d||j |<|j j }|j ||ddd|dd}| |d|j|d<d|ddd<|jd }|dur ||}|\}}||dd!<i|dd"i||dd"<dS)# An S3 request sent to the wrong region will return an error that contains the endpoint the request should be sent to. This handler will add the redirect information to the signing context and then redirect the request. NrrrzBS3 request was previously for an Accesspoint ARN, not redirecting. redirected6S3 request was previously redirected, not redirecting.r5ErrorrDResponseMetadata301400 HeadObject HeadBucketx-amz-bucket-region HTTPHeadersAuthorizationHeaderMalformedRegionri-i.i3PermanentRedirect client_region S3 client configured for region  but the bucket S is not in that region and the proper region could not be automatically determined. is in region b; Please configure the proper region to avoid multiple unnecessary redirects and signing attempts.r)operation_model call_argsrequest_contextrT authSchemes auth_typer)r ArnParseris_arnrrrranyget_bucket_regionrrq_ruleset_resolverconstruct_endpointset_request_urlr propertiesauth_schemes_to_signing_ctx)r request_dictr operationr redirect_ctxr error_coderesponse_metadatais_special_head_objectis_special_head_bucketis_wrong_signing_regionis_redirect_statusis_permanent_redirectrr new_region ep_resolverep_info auth_schemes auth_inforrr{r{r|rs            z(S3RegionRedirectorv2.redirect_from_errorc C|d}|dd}d|vr|dS|didd}|dur"|Sz|jj|d}|dd}WntyJ}z |jdd}WYd}~nd}~ww|dd}|S a. There are multiple potential sources for the new region to redirect to, but they aren't all universally available for use. This will try to find region from response elements, but will fall back to calling HEAD on the bucket if all else fails. :param bucket: The bucket to find the region for. This is necessary if the region is not available in the error response. :param response: A response representing a service request that failed due to incorrect region configuration. r5rrrrrNrrrq head_bucketrrrrrservice_responseresponse_headersrrr r{r{r|r,   z&S3RegionRedirectorv2.get_bucket_regioncKs t||dS)z Splice a new endpoint into an existing URL. Note that some endpoints from the the endpoint provider have a path component which will be discarded by this function. F)r^)rold_urlr\rr{r{r|rMs z$S3RegionRedirectorv2.set_request_urlcKs<|d}|dur||jvr|j|}||d<dSdSdS)a If a bucket name has been redirected before, it is in the cache. This handler will update the AWS::Region endpoint resolver builtin param to use the region from cache instead of the client region to avoid the redirect. rNz AWS::Region)rr)rbuiltinsrrrrr{r{r|rUs   z(S3RegionRedirectorv2.redirect_from_cachecKs|d}d||d|d<dS)zStore the bucket name in context for later use when redirecting. The bucket name may be an access point ARN or alias. rF)rrrrNr)rrrrrr{r{r|ras z-S3RegionRedirectorv2.annotate_request_contextr) rrrrrrrrrrrr{r{r{r|rs   k! rc@r)S3RegionRedirectorzThis handler has been replaced by S3RegionRedirectorv2. The original version remains in place for any third-party libraries that import it. NcCs:||_||_|jduri|_t||_tjdtddS)NzThe S3RegionRedirector class has been deprecated for a new internal replacement. A future version of botocore may remove this class.category)_endpoint_resolverrrCrrqwarningswarn FutureWarningrr{r{r|rrs   zS3RegionRedirector.__init__cCs<|p|jjj}|d|j|d|j|d|jdS)Nrrr)rqrrXrrrrrr{r{r|rszS3RegionRedirector.registerc Ks|durdS||dirtddS|didr&tddS|ddi}|d}|dd i}|d voC|jd k}|d voT|jd koTd |div} |dko\d|v} |dduoi|djdv} |dk} t|| | | | gsydS|ddd} |dd}|| |}|durtd|d| ddStd|d| d|d|j d|}|d}|| |d}||dd<||j | <| ||dd|dd<dS) rNrz=S3 request was previously to an accesspoint, not redirecting. s3_redirectedrr5rrDrrrrrrrrrrrrrrrrrrrs3r )rrrT) _is_s3_accesspointrrrrrrrrresolverr)rrrrrrrrrrrrrrrrrrr{r{r|rs       z&S3RegionRedirector.redirect_from_errorc Crrrrr{r{r|rrz$S3RegionRedirector.get_bucket_regioncKs8|didd}|durt|d|d|d<dSdS)NrrrF)rr^rrrrrr{r{r|rsz"S3RegionRedirector.set_request_urlcKsH||rdS|d}|j|}|dur||d<dSd|i|d<dS)z This handler retrieves a given bucket's signing context from the cache and adds it into the request context. Nrrr)rrr)rrrrrrr{r{r|r s    z&S3RegionRedirector.redirect_from_cachecCsd|vSNrr{)rrr{r{r|rsz%S3RegionRedirector._is_s3_accesspointr) rrrrrrrrrrrr{r{r{r|rms  ^! rc@s eZdZdS)InvalidArnExceptionN)rrrr{r{r{r|r sr c@s eZdZddZeddZdS)rcCsL|dd}t|dkrtd|d|d|d|d|d |dd S) N:zProvided ARN: zE must be of the format: arn:partition:service:region:account:resourcer5r%r) partitionserviceraccountresource)rrr )rarn arn_partsr{r{r| parse_arn$s   zArnParser.parse_arncCsDt|tr |ds dSt}z||WdSty!YdSw)Nzarn:FT)rurwrrrr )r arn_parserr{r{r|r3s  zArnParser.is_arnN)rrrr staticmethodrr{r{r{r|r#src@s`eZdZedZedZdgZdddZddZ d d Z d d Z d dZ ddZ ddZdS)S3ArnParamHandlerzA^(?Paccesspoint|outpost)[/:](?P.+)$zc^(?P[a-zA-Z0-9\-]{1,63})[/:]accesspoint[/:](?P[a-zA-Z0-9\-]{1,63}$)rSNcC||_|dur t|_dSdSr _arn_parserrrrr{r{r|rI zS3ArnParamHandler.__init__cC|d|jdS)Nrr handle_arnrrr{r{r|rNzS3ArnParamHandler.registercKsf|j|jvrdS||}|durdS|ddkr"||||dS|ddkr1||||dSdS)N resource_type accesspointoutpost)r_BLACKLISTED_OPERATIONS"_get_arn_details_from_bucket_param_store_accesspoint_store_outpost)rrmodelrr arn_detailsr{r{r|r Qs    zS3ArnParamHandler.handle_arncCsHd|vr"z|d}|j|}||||WSty!YdSwdS)Nr)rr_add_resource_type_and_namer )rrrr+r{r{r|r'\s   z4S3ArnParamHandler._get_arn_details_from_bucket_paramcCs>|j|d}|r|d|d<|d|d<dSt|d)Nrr# resource_name)r)_RESOURCE_REGEXr groupr1)rrr+r r{r{r|r,gs  z-S3ArnParamHandler._add_resource_type_and_namecCs8|d|d<|d|d|d|d|dd|d<dS) Nr-rrrrr)rrrrrrr{rrrr+r{r{r|r(os z$S3ArnParamHandler._store_accesspointcCsd|d}|j|}|st|d|d}||d<|d||d|d|d|d d |d <dS) Nr-)r-accesspoint_namer outpost_namerrrr)r2rrrrrr)_OUTPOST_RESOURCE_REGEXr r/r/)rrrr+r-r r1r{r{r|r)s   z S3ArnParamHandler._store_outpostr)rrrrrr.r3r&rrr r'r,r(r)r{r{r{r|r?s    rc@seZdZdZdZ     d7ddZddZd d Zd d Zd dZ ddZ ddZ ddZ ddZ ddZddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zed1d2Zed3d4Zed5d6ZdS)8S3EndpointSetterawsrQNFcCJ||_||_||_||_|duri|_||_||_|dur#|j|_dSdSrr_region _s3_config_use_fips_endpoint _endpoint_url _partition_DEFAULT_PARTITIONrendpoint_resolverr s3_configr ruse_fips_endpointr{r{r|rs  zS3EndpointSetter.__init__cCs.|d|j|d|j|d|jdS)Nrzchoose-signer.s3z%before-call.s3.WriteGetObjectResponse)r set_endpoint set_signer#update_endpoint_to_s3_object_lambdar!r{r{r|rs zS3EndpointSetter.registercKsh|jrtdd||d|jrdS|j}|d|j}dj|d|dd}t|d|d |d<dS) NzOS3 client does not support accelerate endpoints for S3 Object Lambda operationsmsgs3-object-lambdazhttps://{host_prefix}{hostname} host_prefixr )rHr rF) _use_accelerate_endpointr2_override_signing_namer;rrr8formatr^)rrrrresolverresolvedr\r{r{r|rDs  z4S3EndpointSetter.update_endpoint_to_s3_object_lambdacKs||r&||||||||}|||||dS|jr?|jr6t d|j ddt dd|i||j rN|j dd|i|dSdS)Nz8Client is configured to use the FIPS psuedo region for "zA", but S3 Accelerate does not have any FIPS compatible endpoints.rErr{) _use_accesspoint_endpoint_validate_accesspoint_supported_validate_fips_supported_validate_global_regions(_resolve_region_for_accesspoint_endpoint._resolve_signing_name_for_accesspoint_endpoint_switch_to_accesspoint_endpointrIr:r2r8rX_s3_addressing_handler)rrrrr{r{r|rBs*      zS3EndpointSetter.set_endpointcC d|jvSr rrr{r{r|rNrz*S3EndpointSetter._use_accesspoint_endpointcCs|jsdSd|jddvrtdhdd|jdvr%td|jdd|jdd}||jkrE|jd d sGtd |jd |d ddSdS)Nfipsrr,Invalid ARN, FIPS region not allowed in ARN.rEr2z4Client is configured to use the FIPS psuedo-region "z2", but outpost ARNs do not support FIPS endpoints.use_arn_regionTz8Client is configured to use the FIPS psuedo-region for "z1", but the access-point ARN provided is for the "zn" region. For clients using a FIPS psuedo-region calls to access-point ARNs in another region are not allowed.)r:rr0r8r9rrraccesspoint_regionr{r{r|rPs,  z)S3EndpointSetter._validate_fips_supportedcCs4|jddr dS|jdvrtd|jdddS)NrZT)z aws-globalz s3-external-1z6Client is configured to use the global psuedo-region "zJ". When providing access-point ARNs a regional endpoint must be specified.rE)r9rr8r0rr{r{r|rQ s z)S3EndpointSetter._validate_global_regionscCs|jrtdd|jdd}||jkr!td|jd|dd|jdd}|d kr8|jd r8td d|jdd }|rM|jd rMtd d||dS)NzZClient does not support s3 accelerate configuration when an access-point ARN is specified.rErrClient is configured for "z3" partition, but access-point ARN provided is for "zE" partition. The client and access-point partition must be the same.rrGuse_dualstack_endpointzjClient does not support s3 dualstack configuration when an S3 Object Lambda access point ARN is specified.r2zTClient does not support s3 dualstack configuration when an outpost ARN is specified.)rIr0rr<rr9_validate_mrap_s3_config)rrrequest_partition s3_servicer2r{r{r|rO s0  z0S3EndpointSetter._validate_accesspoint_supportedcCs>t|jsdS|jdrtdd|jdrtdddS)N$s3_disable_multiregion_access_pointszCInvalid configuration, Multi-Region Access Point ARNs are disabled.rEr^zeClient does not support s3 dualstack configuration when a Multi-Region Access Point ARN is specified.)rrr9rr0rr{r{r|r_: s   z)S3EndpointSetter._validate_mrap_s3_configcCsNt|jr||d|jS|jddr$|jdd}||||S|jS)NrrZTrr)rr_override_signing_regionr9rr8r[r{r{r|rRL s   z9S3EndpointSetter._resolve_region_for_accesspoint_endpointcKst|r trdStdddS)Ns3v4azzUsing S3 with an MRAP arn requires an additional dependency. You will need to pip install botocore[crt] before proceeding.rE)rrr,)rrrr{r{r|rCY szS3EndpointSetter.set_signercCs |jdd}||j|dS)NrrrrJ)rraccesspoint_servicer{r{r|rSd sz?S3EndpointSetter._resolve_signing_name_for_accesspoint_endpointcCsXt|j}t|j||j|||j|j|jdf}t d|jd|||_dSr`) rrrr* _get_netlocr_get_accesspoint_pathrr+rr)rrroriginal_componentsaccesspoint_endpointr{r{r|rTh s    z0S3EndpointSetter._switch_to_accesspoint_endpointcCst|r ||S|||Sr)r_get_mrap_netloc_get_accesspoint_netloc)rrrr{r{r|rgz s  zS3EndpointSetter._get_netloccCs\|d}d}|dg}|jrt|jj}||n|d}|d|||gd|S)Nrz s3-globalrrr$r)r;rr(rr_get_partition_dns_suffixr)rrrrmrap_netloc_componentsendpoint_url_netlocrr{r{r|rk s    z!S3EndpointSetter._get_mrap_netlocc Cs|d}d|d|dg}|d}|jr*|r||t|jj}||n>|r6|dg}||n|ddkrH|d|}||n |d |}|||jd r^|d ||| |gd |S) Nrz{}-{}rrr2 s3-outpostsrrGzs3-accesspointr^r8r) rKrr;rrr(r_inject_fips_if_neededr9_get_dns_suffixr) rrrraccesspoint_netloc_componentsr2ro outpost_host componentr{r{r|rl s6            z(S3EndpointSetter._get_accesspoint_netloccCs|jr|dS|S)N-fipsr:)rrurr{r{r|rq s z'S3EndpointSetter._inject_fips_if_neededcCs"|dd}|d|ddpdS)Nrrrrr5)r)r original_pathrrr{r{r|rh s z&S3EndpointSetter._get_accesspoint_pathcCs|j|}|dur |j}|Sr)rget_partition_dns_suffix_DEFAULT_DNS_SUFFIX)rpartition_name dns_suffixr{r{r|rm s z*S3EndpointSetter._get_partition_dns_suffixcC,|jd|}|j}|rd|vr|d}|SNr dnsSuffixrrrzrrrMr|r{r{r|rr  z S3EndpointSetter._get_dns_suffixcC$|jdi}||d<||jd<dSNrrrrrrrrr{r{r|rc z)S3EndpointSetter._override_signing_regioncCs |di}||d<||d<dSNrrr)rrrrr{r{r|rJ s  z'S3EndpointSetter._override_signing_namecCs|jdrdS|jdurdSt|jj}|dsdS|d}|ddkr)dS|dd }t|tt|kr;dSt d d |DS) Nuse_accelerate_endpointTFrQrr s3-accelerater5cs|]}|tvVqdSrrMrOr{r{r|  z.) r9rr;rr(rrrsetall)rr(r feature_partsr{r{r|rI s       z)S3EndpointSetter._use_accelerate_endpointcCs"|jrdS|jd}|r|SdS)Nvirtualaddressing_style)rIr9r)rconfigured_addressing_styler{r{r|_addressing_style s  z"S3EndpointSetter._addressing_stylecCsH|jdkr tdtS|jdks|jdurtddStdtS)Nrz'Using S3 virtual host style addressing.rzUsing S3 path style addressing.zSDefaulting to S3 virtual host style addressing with path style addressing fallback.)rrrr!r;r$rr{r{r|rU s   z'S3EndpointSetter._s3_addressing_handlerNNNNF)rrrr=rzrrrDrBrNrPrQrOr_rRrCrSrTrgrkrlrqrhrmrrrcrJrrIrrUr{r{r{r|r4sH  %       "  r4c@seZdZdZdZedZ     d6ddZdd Z d d Z d d Z ddZ ddZ ddZddZddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2d3Zd4d5ZdS)7S3ControlEndpointSetterr5rQz^[a-zA-Z0-9\-]{1,63}$NFcCr6rr7r>r{r{r|r0 s  z S3ControlEndpointSetter.__init__cCr)Nzbefore-sign.s3-control)rrBr!r{r{r|rD r"z S3ControlEndpointSetter.registercKs||r!||||}|||||||dS||r?||||d| |j }| ||dSdSNrp) _use_endpoint_from_arn_details-_validate_endpoint_from_arn_details_supported _resolve_region_from_arn_details&_resolve_signing_name_from_arn_details"_resolve_endpoint_from_arn_details_add_headers_from_arn_details_use_endpoint_from_outpost_id#_validate_outpost_redirection_validrJ_construct_outpost_endpointr8_update_request_netloc)rrrr new_netlocr{r{r|rBG s         z$S3ControlEndpointSetter.set_endpointcCrV)Nr+rWrr{r{r|rT rz6S3ControlEndpointSetter._use_endpoint_from_arn_detailscCrV)N outpost_idrWrr{r{r|rW rz5S3ControlEndpointSetter._use_endpoint_from_outpost_idcCsd|jddvrt|jdddd|jdds6|jdd}||jkr6d |d |jd }t|d |jdd }||jkrOtd|jd|dd |jdrZtdd d|jdvrh||dSdS)NrXr+rrrYrrFrZFzCThe use_arn_region configuration is disabled but received arn for "z(" when the client is configured to use "rrErr]z&" partition, but arn provided is for "z;" partition. The client and arn partition must be the same.r7S3 control client does not support accelerate endpointsr2)rr3r9rr8r4r<r)rr arn_regionr+request_partionr{r{r|rZ s:      zES3ControlEndpointSetter._validate_endpoint_from_arn_details_supportedcCs|jdr tdddS)Nr^zPClient does not support s3 dualstack configuration when an outpost is specified.rE)r9rr4rr{r{r|ry s z;S3ControlEndpointSetter._validate_outpost_redirection_validcCs2|jddr|jdd}||||S|jS)NrZFr+r)r9rrrcr8)rrrr{r{r|r s  z8S3ControlEndpointSetter._resolve_region_from_arn_detailscCs|jdd}||||S)Nr+rre)rr arn_servicer{r{r|r s z>S3ControlEndpointSetter._resolve_signing_name_from_arn_detailscCs|||}|||dSr) _resolve_netloc_from_arn_detailsr)rrrrr{r{r|r sz:S3ControlEndpointSetter._resolve_endpoint_from_arn_detailscCsDt|j}t|j||j|jdf}td|jd|||_dSr`)rrrr*rr+rr)rrrriarn_details_endpointr{r{r|r s   z.S3ControlEndpointSetter._update_request_netloccCs0|jd}d|vr||S|d}|||S)Nr+r2r)rr_construct_s3_control_endpoint)rrrr+rr{r{r|r s   z8S3ControlEndpointSetter._resolve_netloc_from_arn_detailscCs |j|Sr)_HOST_LABEL_REGEXr )rlabelr{r{r|_is_valid_host_label r1z,S3ControlEndpointSetter._is_valid_host_labelcGs"|D] }||st|dqdS)N)r)rr')rlabelsrr{r{r|_validate_host_labels s   z-S3ControlEndpointSetter._validate_host_labelscCs\||||jrt|jj}||g}n|dg}||||}|||g||S)N s3-control)rr;rr(_add_dualstackrrr_construct_netloc)rrrror(r|r{r{r|r s      z6S3ControlEndpointSetter._construct_s3_control_endpointcCs@|||jrt|jjSd|||g}||||Sr)rr;rr(rr _add_fipsr)rrr(r{r{r|r s    z3S3ControlEndpointSetter._construct_outpost_endpointcCs d|S)Nr)rrr(r{r{r|r rz)S3ControlEndpointSetter._construct_netloccCs|jr |dd|d<dSdS)Nrrvrwrr{r{r|r sz!S3ControlEndpointSetter._add_fipscCs|jdr |ddSdS)Nr^r8)r9rrrr{r{r|r s z&S3ControlEndpointSetter._add_dualstackcCr}r~rrr{r{r|rr rz'S3ControlEndpointSetter._get_dns_suffixcCrrrrr{r{r|rc rz0S3ControlEndpointSetter._override_signing_regioncCrrr)rrrrr{r{r|rJ rz.S3ControlEndpointSetter._override_signing_namecCs,|jd}|d}|r|||dSdS)Nr+r2)rr_add_outpost_id_header)rrr+r2r{r{r|r s  z5S3ControlEndpointSetter._add_headers_from_arn_detailscCs||jd<dS)Nzx-amz-outpost-id)r)rrr2r{r{r|r sz.S3ControlEndpointSetter._add_outpost_id_headerr) rrrr=rzrrrrrrBrrrrrrrrrrrrrrrrrrrcrJrrr{r{r{r|r+ sB         rc@seZdZdZedZdddZddZdd Z d d Z d d Z ddZ ddZ ddZddZddZddZddZddZdS)S3ControlArnParamHandlerzThis handler has been replaced by S3ControlArnParamHandlerv2. The original version remains in place for any third-party importers. z[/:]NcCs(||_|dur t|_tjdtddS)NzThe S3ControlArnParamHandler class has been deprecated for a new internal replacement. A future version of botocore may remove this class.r)rrrrrrr{r{r|r s z!S3ControlArnParamHandler.__init__cCr)Nz!before-parameter-build.s3-controlrr!r{r{r|r z!S3ControlArnParamHandler.registercKs<|jdvr||||dS||||||||dS)N)rSListRegionalBuckets)r_handle_outpost_id_param_handle_name_param_handle_bucket_param)rrr*rrr{r{r|r  s z#S3ControlArnParamHandler.handle_arncCsR||vrdSz||}|j|}||d<|||d<|WSty(YdSw)Nr resources)rr_split_resourcer )rrrZrr+r{r{r|_get_arn_details_from_param# s  z4S3ControlArnParamHandler._get_arn_details_from_paramcCs|j|dS)Nr)_RESOURCE_SPLIT_REGEXr)rr+r{r{r|r/ z(S3ControlArnParamHandler._split_resourcecCsF|d}d|vr|d|krd|d}t|d|d||d<dS)Nr AccountIdzGAccount ID in arn does not match the AccountId parameter provided: "{}"rr)rKr3)rrr+ account_idr+r{r{r|_override_account_id_param2 s  z3S3ControlArnParamHandler._override_account_id_paramcCsd|vrdS|d|d<dS)N OutpostIdrr{)rrr*rr{r{r|r? sz1S3ControlArnParamHandler._handle_outpost_id_paramcCsV|jdkrdS||d}|durdS||r!||||dSd}t|d|dNCreateAccessPointNamez4The Name parameter does not support the provided ARNrr)rr_is_outpost_accesspoint_store_outpost_accesspointr3rrr*rr+r+r{r{r|rD s   z+S3ControlArnParamHandler._handle_name_paramcC@|ddkrdS|d}t|dkrdS|ddko|dd kS) NrrpFrrrr%r%r$rrr+rr{r{r|rT  z0S3ControlArnParamHandler._is_outpost_accesspointcCD||||dd}||d<||d<|dd|d<||d<dS)Nrrrr1r5r2r+r)rrrr+r1r{r{r|r]   z3S3ControlArnParamHandler._store_outpost_accesspointcCsH||d}|dur dS||r||||dSd}t|d|dNrz6The Bucket parameter does not support the provided ARNrr)r_is_outpost_bucket_store_outpost_bucketr3rr{r{r|re s  z-S3ControlArnParamHandler._handle_bucket_paramcCr) NrrpFrrrr%r%rrrr{r{r|rt rz+S3ControlArnParamHandler._is_outpost_bucketcCr)Nrrrrr5r2r+r)rrrr+rr{r{r|r} rz.S3ControlArnParamHandler._store_outpost_bucketr)rrrrrrrrrr rrrrrrrrrrr{r{r{r|r s         rc@sReZdZdZdddZddZddZd d Zd d Zd dZ ddZ ddZ dS)S3ControlArnParamHandlerv2aUpdated version of S3ControlArnParamHandler for use when EndpointRulesetResolver is in use for endpoint resolution. This class is considered private and subject to abrupt breaking changes or removal without prior announcement. Please do not use it directly. NcCrrrrr{r{r|r rz#S3ControlArnParamHandlerv2.__init__cCr)Nz%before-endpoint-resolution.s3-controlrr!r{r{r|r rz#S3ControlArnParamHandlerv2.registercCsj|jdkrdS||d}|durdS||||||r+||||dSd}t|d|dr)rr_raise_for_fips_pseudo_region_raise_for_accelerate_endpointrrr3rr{r{r|r s     z-S3ControlArnParamHandlerv2._handle_name_paramcC|||dSrrr0r{r{r|r rz5S3ControlArnParamHandlerv2._store_outpost_accesspointcCs\||d}|dur dS||||||r$||||dSd}t|d|dr)rrrrrr3rr{r{r|r s    z/S3ControlArnParamHandlerv2._handle_bucket_paramcCrrrr0r{r{r|r rz0S3ControlArnParamHandlerv2._store_outpost_bucketcCs0|d}|ds|drt|ddddS)Nrzfips-rrYr)rrr3)rr+rr{r{r|r sz8S3ControlArnParamHandlerv2._raise_for_fips_pseudo_regioncCs&|djpi}|drtdddS)N client_configrrrE)rrr4)rrr@r{r{r|r s  z9S3ControlArnParamHandlerv2._raise_for_accelerate_endpointr) rrrrrrrrrrrrr{r{r{r|r s  rc@s|eZdZdZdZdZdZedddgZdej fd d Z dd d Z d dZ ddZ ddZddZdddZddZddZdS)ContainerMetadataFetcherr%rr5z 169.254.170.2z169.254.170.23z fd00:ec2::23 localhostNcCs(|dur tjj|jd}||_||_dS)N)r)rrrTIMEOUT_SECONDSr_sleep)rrsleepr{r{r|r s  z!ContainerMetadataFetcher.__init__cCs|||||S)zRetrieve JSON metadata from container metadata. :type full_url: str :param full_url: The full URL of the metadata service. This should include the scheme as well, e.g "http://localhost:123/foo" )_validate_allowed_url_retrieve_credentials)rfull_urlrr{r{r|retrieve_full_uri s z*ContainerMetadataFetcher.retrieve_full_uricCsNtj|}||jrdS||j}|s%td|jdd|jdS)NzUnsupported host 'zN'. Can only retrieve metadata from a loopback address or one of these hosts: z, ) rcompatr_is_loopback_addressr _check_if_whitelisted_hostrTr_ALLOWED_HOSTS)rrparsedis_whitelisted_hostr{r{r|r s     z.ContainerMetadataFetcher._validate_allowed_urlcCs&zt|}|jWStyYdSw)NF)r is_loopbackrT)rr ipr{r{r|r s  z-ContainerMetadataFetcher._is_loopback_addresscCs||jvrdSdS)NTF)r)rr.r{r{r|r s z3ContainerMetadataFetcher._check_if_whitelisted_hostcCs||}||S)zRetrieve JSON metadata from container metadata. :type relative_uri: str :param relative_uri: A relative URI, e.g "/foo/bar?id=123" :return: The parsed JSON response. )rr)r relative_urirr{r{r| retrieve_uri s z%ContainerMetadataFetcher.retrieve_uric Csddi}|dur ||d} z ||||jWStyC}ztjd|dd||j|d7}||jkr9WYd}~nd}~wwq)NAcceptzapplication/jsonrTzAReceived error when attempting to retrieve container metadata: %srr5) r _get_responserr+rrr SLEEP_TIMERETRY_ATTEMPTS)rr extra_headersrattemptsr r{r{r|r s.    z.ContainerMetadataFetcher._retrieve_credentialsc CszGtjj}|d||d}|j|}|jd}|jdkr+t d|jd|dzt |WWSt yGd}t d ||t |dwty]} z d | }t |dd} ~ ww) Nr"r rr zReceived non 200 response z from container metadata: r*z>Unable to parse JSON returned from container metadata servicesz%s:%sz?Received error when attempting to retrieve container metadata: )rrrrrrr5rrr+rrRrTrrr) rrrrrrr response_textr+r r{r{r|r, s4      z&ContainerMetadataFetcher._get_responsecCsd|j|S)Nzhttp://) IP_ADDRESS)rrr{r{r|rF rz!ContainerMetadataFetcher.full_urlr)rrrrrrrrtimerrrrrrrrrrr{r{r{r|r s&     rcCst|riStSr)should_bypass_proxiesrrr{r{r|rJ src Cs6z tt|jr WdSWdSttjfyYdSw)z: Returns whether we should bypass proxies or not. TF)rrr(rsocketgaierrorrr{r{r|rQ s rc Cs|sdSzt|WSttfyYnwt|drCt|drCz|}|dd|}||||WStjyBYdSwdS)Nrseektellr%)rAttributeErrorrrrrioUnsupportedOperation)rorig_pos end_file_posr{r{r|determine_content_lengthf s&    r ISO-8859-1cCsJ|d}|s dStj}||d<|d}|dur|Sd|vr#|SdS)zReturns encodings from given HTTP Header Dict. :param headers: dictionary to extract encoding from. :param default: default encoding if the content-type is text z content-typeNcharsetr)rrUmessagerE get_param)rdefault content_typerrr{r{r|get_encoding_from_headers s   r cKs0t|ttfr t|}nt|}t|dS)Nr)rur bytearray_calculate_md5_from_bytes_calculate_md5_from_filebase64 b64encoder)rr binary_md5r{r{r| calculate_md5 s rcCst|}|Sr)rr) body_bytesmd5r{r{r|r  sr csB}t}tfdddD]}||q||S)Ncrrrr{fileobjr{r|r rz*_calculate_md5_from_file..r)rrrrrr)rstart_positionrrr{rr|r  s   r cCs"|didi}|ddkS)Nrrrrr)rrr{r{r|_is_s3express_request s rcCs2|d}d|vr dS|D] }t|rdSq dS)Nr Content-MD5TF)CHECKSUM_HEADER_PATTERNr )rrrr{r{r|_has_checksum_header s rcKs0t|st|fi|t|fi|dSdSr)rconditionally_calculate_md5conditionally_enable_crc32)rrr{r{r| conditionally_calculate_checksum srcKsb|didi}|d}t|r+|ddur-|dvr/ddddd i|dd<dSdSdSdS) Nrrrequest_algorithmr)Nconditional-md5crc32rzx-amz-checksum-crc32) algorithminr)rr)rrchecksum_contextchecksum_algorithmr{r{r|r s  rcKs|d}|didi}|d}|r|dkrdSt|r!dSt|r'dStr=|dur?t|fi|}||dd<dSdSdS) z1Only add a Content-MD5 if the system supports it.rrrrrNrr)rrrrr)rrrr#r$ md5_digestr{r{r|r s   rc@s eZdZefddZddZdS)FileWebIdentityTokenLoadercCror)_web_identity_token_pathr)rweb_identity_token_pathrr{r{r|r rvz#FileWebIdentityTokenLoader.__init__cCs8||j }|WdS1swYdSr)rr'r)r token_filer{r{r|__call__ s$z#FileWebIdentityTokenLoader.__call__N)rrropenrr*r{r{r{r|r& s  r&c@s2eZdZd ddZddZd ddZd dd ZdS) SSOTokenLoaderNcCs|duri}||_dSr)r)rrr{r{r|r  zSSOTokenLoader.__init__cCs$|}|dur|}t|dS)Nr)rsha1rr)r start_url session_namerr{r{r|_generate_cache_key sz"SSOTokenLoader._generate_cache_keycCs|||}||j|<dSr)r1r)rr/r(r0r6r{r{r| save_token s zSSOTokenLoader.save_tokencCs|||}td|||jvr&|}|dur|}d|d}t|d|j|}d|vs3d|vr>d|d}t|d|S)NzChecking for cached token at: z Token for z does not existr* accessToken expiresAtz is invalid)r1rrrr.)rr/r0r6rr+r(r{r{r|r* s       zSSOTokenLoader.__call__r)rrrrr1r2r*r{r{r{r|r, s   r,c@s@eZdZdZdZdddZddZdd Zd d Zdd d Z dS)EventbridgeSignerSetterr5rQNcCs||_||_||_dSr)rr8r;)rr?rr r{r{r|r# s z EventbridgeSignerSetter.__init__cCs |d|j|d|jdS)Nz'before-parameter-build.events.PutEventszbefore-call.events.PutEvents)rcheck_for_global_endpointset_endpoint_urlr!r{r{r|r( sz EventbridgeSignerSetter.registercKs:d|vr|d}td|dd|||d<dSdS)Neventbridge_endpointzRewriting URL from rra)rrrr{r{r|r71 s  z(EventbridgeSignerSetter.set_endpoint_urlc Ks|d}|dur dSt|dkrtddtstdd|d}d}|dur6|jr0tdd|jr6dg}|jdurTtd |}|j |krLtd d|j ||d }n|j}||d <d |d<dS)N EndpointIdrz+EndpointId must not be a zero length stringrEzqUsing EndpointId requires an additional dependency. You will need to pip install botocore[crt] before proceeding.rz>FIPS is not supported with EventBridge multi-region endpoints.r8https://z-EndpointId is not a valid hostname component.endpoint_variant_tagsr8v4ar) rrr%rr,rAr^r;rr _get_global_endpoint) rrrrrrCr<rresolved_endpointr{r{r|r67 s@      z1EventbridgeSignerSetter.check_for_global_endpointcCsN|j}||j}|dur|j}|j||d}|dur|j}d|d|dS)Nr;r:z.endpoint.events.r)rget_partition_for_regionr8r=ryrz)rrr<rLrr|r{r{r|r>c s z,EventbridgeSignerSetter._get_global_endpointr|r) rrrr=rzrrr7r6r>r{r{r{r|r5 s  ,r5cCs|durdSt|}|jdr|jdvrdS|jd}|ddkr%dS|dd }t|tt|kr7dStd d |DS) zDoes the URL match the S3 Accelerate endpoint scheme? Virtual host naming style with bucket names in the netloc part of the URL are not allowed by this function. NFrQ)httpshttprrrr5rcsrrrMrOr{r{r|r rz'is_s3_accelerate_url..)rr(rr*rrrr)r url_partsrrr{r{r|is_s3_accelerate_urlr s    rDc@sreZdZdZejejddddZedfddZ d d Z d d Z d dZ ddZ ddZddZdddZdS) JSONFileCachezJSON file cache. This provides a dict like interface that stores JSON serializable objects. The objects are serialized to JSON and stored in a file. These values can be retrieved at a later time. ~z.awsbotorNcCs||_|dur |j}||_dSr) _working_dir_default_dumps_dumps)r working_dir dumps_funcr{r{r|r s zJSONFileCache.__init__cCstj||jdS)N)r)rdumpsr)rrr{r{r|rI rzJSONFileCache._default_dumpscCs||}tj|Sr)_convert_cache_keyrrisfile)rr6 actual_keyr{r{r| __contains__ s  zJSONFileCache.__contains__c Cs`||}zt|}t|WdWS1swYWdSttfy/t|w)z Retrieve value from a cache key.N)rNr+rloadrrTKeyError)rr6rPrr{r{r| __getitem__ s  (zJSONFileCache.__getitem__cCs8||}z t|}|WdStyt|wr)rNrunlinkFileNotFoundErrorrS)rr6rPkey_pathr{r{r| __delitem__ s  zJSONFileCache.__delitem__c Cs||}z||}Wnttfytd|wtj|js*t|jt t |tj tj Bdd}| ||WddS1sNwYdS)Nz3Value cannot be cached, must be JSON serializable: iw)rNrJrrTrrisdirrHmakedirsfdopenr+O_WRONLYO_CREATtruncatewrite)rr6rfull_key file_contentrr{r{r| __setitem__ s&   "zJSONFileCache.__setitem__cCstj|j|d}|S)Nz.json)rrrrH)rr6 full_pathr{r{r|rN sz JSONFileCache._convert_cache_keyFcCrrrrr{r{r|r rz"JSONFileCache._serialize_if_neededr9)rrrrrr expanduserr CACHE_DIRrrIrQrTrXrcrNrr{r{r{r|rE s rEcCs|durdS|dS)NFz--x-s3)rrr{r{r|is_s3express_bucket r-rgappmeshzapp-meshzds-datazdirectory-service-dataglobalacceleratorzglobal-acceleratorziotevents-dataziot-events-data ioteventsz iot-events iotwirelessz iot-wirelesskinesisanalyticsv2zkinesis-analytics-v2z lexv2-modelsz lex-models-v2z lexv2-runtimezlex-runtime-v2z sms-voicezpinpoint-sms-voice s3controlrzservice-catalog-appregistry)rhrjrkrmzservicecatalog-appregistryrprq)Tr9r)r)rrr email.messagerUr=rrloggingrr^rrrrrCr ipaddressrpathlibrurllib.requestrrdateutil.parserr dateutil.tzrurllib3.exceptionsrrbotocore.awsrequestbotocore.httpsessionbotocore.compatr r r r r rrrrrrrrrrrrrrrrbotocore.exceptionsrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.r/r0r1r2r3r4 getLoggerrrr:rrr SAFE_CHARSrrrrN EVENT_ALIASESrrr}rrrrrrrrrr Exceptionrrrr;rlrxrrr+rrrrrrrrrrrrrrr rrrrrr$r!r'r?rLrXr]rVr^rfrlrmrrrrrTr rrr4rrrrrrrr rr r rrrrrr&r,r5rDrErgSERVICE_NAME_ALIASES.CLIENT_NAME_TO_HYPHENIZED_SERVICE_ID_OVERRIDESr{r{r{r|s             @d        !"#$%&'()*+,-./0123456789:;<=>?@ABCDEL    DB &   &0 - !d   @!  ")0D3UWM w          ! S! E       !"#$%&'()*+,-./012345