U

KD�g-X
�@s�dd
lZdd
l
Z
dd
lZdd
lZdd
lZdd
lZdd
lZdd
lZddlm	Z	
ddl
mZ
ddlm
Z

ddlmZ
ddlmZmZ
dd
lZdd
lZddlmZ
ddlmZmZ
dd	lmZ
dd
lmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$
ddl%m&Z&
ddl'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/
e�0e1�
Z2e	d
ddddgdd�Z3dZ4dZ5dUdd�
Z6Gdd�d�Z7dd�Z8dd�Z9dd�Z:dVd!d"�
Z;d#d$�Z<d%d&�Z=d'd(�Z>Gd)d*�d*�Z?Gd+d,�d,e?�Z@Gd-d.�d.e@�ZAGd/d0�d0�ZBGd1d2�d2eB�ZCGd3d4�d4eC�ZDGd5d6�d6eC�ZEGd7d8�d8�ZFGd9d:�d:eF�ZGGd;d<�d<eF�ZHGd=d>�d>eF�ZIGd?d@�d@eF�ZJGdAdB�dBeF�ZKGdCdD�dDeF�ZLGdEdF�dFeF�ZMGdGdH�dHeF�ZNGdIdJ�dJeF�ZOGdKdL�dL�ZPGdMdN�dNeF�ZQGdOdP�dP�ZRGdQdR�dReB�ZSGdSdT�dTeF�ZTd
S)W�N)
�
namedtuple)
�deepcopy)
�sha1�
�parse)�tzlocal�tzutc)
�UNSIGNED)�compat_shell_split�
total_seconds)
�Config)	�ConfigNotFound�CredentialRetrievalError�InfiniteLoopConfigError�InvalidConfigError�MetadataRetrievalError�PartialCredentialsError�RefreshWithMFAUnsupportedError�UnauthorizedSSOTokenError�UnknownCredentialError)
�SSOTokenProvider)�	ArnParser�ContainerMetadataFetcher�FileWebIdentityTokenLoader�InstanceMetadataFetcher�
JSONFileCache�SSOTokenLoader�parse_key_val_file�resolve_imds_endpoint_mode�ReadOnlyCredentials�
access_key�
secret_key�token�
account_id�
N)
�defaultsiX�c	s
��d
�
pd}��d�
}��d�
}��
��d
�
dk	}��d�
t��
t��d�
d�}|
dkr^i}
t�}t�}	tt||��	�|d	�d
�
}
t
�|
|d�}t�f
dd
�t�|�|
|t
||	|
g�
|d�}||g}
|j||d�}t�t�|	|
g}|
||}|�
r
|�|�

t�d�

t|d�
}|S)z�Create a default credential resolver.

    This creates a pre-configured credential resolver
    that includes the default lookup chain for
    credentials.

    �profile�defaultZmetadata_service_timeoutZmetadata_service_num_attemptsN�ec2_metadata_service_endpoint�ec2_metadata_v1_disabled)r)Z"ec2_metadata_service_endpoint_modeZec2_credential_refresh_windowr*)�timeout�num_attempts�
user_agent�config)
�iam_role_fetcher)�cache�region_namec
s�jSr$)
�full_config��
�sessionr3�A/opt/cppython/lib/python3.8/site-packages/botocore/credentials.py�<lambda>p�z,create_credential_resolver.<locals>.<lambda>)�load_config�client_creatorr0�profile_name�credential_sourcer�profile_provider_builder�r;�disable_env_varszWSkipping environment variable credential check because profile name was explicitly set.�
�	providers)�get_config_variableZinstance_variables�getr�!_DEFAULT_ADVISORY_REFRESH_TIMEOUT�EnvProvider�ContainerProvider�InstanceMetadataProviderrr-�ProfileProviderBuilder�AssumeRoleProvider�_get_client_creator�CanonicalNameCredentialSourcerrA�OriginalEC2Provider�BotoProvider�remove�logger�debug�CredentialResolver)r5r0r1r;Zmetadata_timeoutr,r?Zimds_configZenv_providerZcontainer_providerZinstance_metadata_providerr=�assume_role_providerZpre_profile�profile_providersZpost_profilerA�resolverr3r4r6�create_credential_resolverDs|





�
�

��








��	
�






��
�

�


�


�

rUc@sLeZ
dZd
Zddd�
Zddd�
Zdd	�Zd
d�Zdd
�Zdd�Z	dd�Z
dS)rHa�
This class handles the creation of profile based providers.

    NOTE: This class is only intended for internal use.

    This class handles the creation and ordering of the various credential
    providers that primarly source their configuration from the shared config.
    This is needed to enable sharing between the default credential chain and
    the source profile chain created by the assume role provider.
    NcCs|
|_||_
||_||_dSr$)�_session�_cache�_region_name�_sso_token_cache)�selfr5r0r1Zsso_token_cacher3r3r6�__init__�s


zProfileProviderBuilder.__init__FcCs.|�|
|�|�
|
�
|�|
�
|�|
�
|�|
�
gSr$)�_create_web_identity_provider�_create_sso_provider�"_create_shared_credential_provider�_create_process_provider�_create_config_provider�rZr;r?r3r3r6rA�s

�


�z ProfileProviderBuilder.providerscst|
�f
d
d�d�S)Nc
s�jj
Sr$�rVr2r3�
rZr3r6r7�r8zAProfileProviderBuilder._create_process_provider.<locals>.<lambda>)r;r9)
�ProcessProvider�rZr;r3rcr6r_�s



�z/ProfileProviderBuilder._create_process_providercCs|j�
d
�
}t|
|d�S)NZcredentials_file)r;�creds_filename)rVrB�SharedCredentialProvider)rZr;Zcredential_filer3r3r6r^�s




�z9ProfileProviderBuilder._create_shared_credential_providercCs|j�
d
�
}t|
|d�S)N�config_file)r;�config_filename)rVrB�ConfigProvider)rZr;rhr3r3r6r`�s




�z.ProfileProviderBuilder._create_config_providercs&t�f
d
d�t
�j�j��j|
|d�S)Nc
s�jj
Sr$rbr3rcr3r6r7�r8zFProfileProviderBuilder._create_web_identity_provider.<locals>.<lambda>)r9r:r0r;r?)�!AssumeRoleWithWebIdentityProviderrJrVrXrWrar3rcr6r\�s




�

�z4ProfileProviderBuilder._create_web_identity_providercs2t�f
d
d��j
j|
�j�jt�j
�j|
d�d�S)Nc
s�jj
Sr$rbr3rcr3r6r7�r8z=ProfileProviderBuilder._create_sso_provider.<locals>.<lambda>)r0r;)r9r:r;r0�token_cache�token_provider)�SSOProviderrV�
create_clientrWrYrrer3rcr6r]�s










��z+ProfileProviderBuilder._create_sso_provider)NNN)
F)�__name__�
__module__�__qualname__�__doc__r[rAr_r^r`r\r]r3r3r3r6rH�s
�

rHc
Cst|�
}
|
�
�Sr$)rU�load_credentials)r5rTr3r3r6�get_credentials�s

rucCstj�
t��
Sr$)�datetime�nowrr3r3r3r6�
_local_now�s
rxc

Cst|t
j
�r|St|�
Sr$)�
isinstancervr)
�valuer3r3r6�_parse_if_needed�s


r{FcCs&t|t
j
�r"|
r|��S|�d
�
S|S)Nz%Y-%m-%dT%H:%M:%S%Z)ryrv�	isoformat�strftime)rz�isor3r3r6�_serialize_if_needed
s






rcs��
fd
d�}|S)Nc
s"d
�i
}|jf|
�

�
j
|f
|�
S)Nr1)�updatero)�service_name�kwargsZcreate_client_kwargs�r1r5r3r6r:	
s


z+_get_client_creator.<locals>.client_creatorr3)r5r1r:r3r�r6rJ
s
rJcs��
fd
d�}|S)Ncs6�jf�
�
}|d
}
|
d|
d|
dt
|
d�
d�S)N�Credentials�AccessKeyId�SecretAccessKey�SessionToken�
Expiration)r r!r"�expiry_time)�assume_roler)�response�credentials��client�paramsr3r6�refresh
s





�z-create_assume_role_refresher.<locals>.refreshr3)r�r�r�r3r�r6�create_assume_role_refresher
s
r�c
CsGd
d�d�}
|
|�
S)Nc@seZ
dZd
d�Zdd�ZdS)z/create_mfa_serial_refresher.<locals>._RefreshercSs|
|_d
|_
dS)NF)�_refresh�_has_been_called)rZr�r3r3r6r[#
s

z8create_mfa_serial_refresher.<locals>._Refresher.__init__c

Ss|jrt
��
d
|_|��S�NT)r�rr�rcr3r3r6�__call__'
s


z8create_mfa_serial_refresher.<locals>._Refresher.__call__N)rprqrrr[r�r3r3r3r6�
_Refresher"
s
r�r3)Zactual_refreshr�r3r3r6�create_mfa_serial_refresher!
s
r�c@s2eZ
dZd
Zddd�
Zdd�Zdd�Zd	d
�ZdS)r�a�

    Holds the credentials needed to authenticate requests.

    :param str access_key: The access key part of the credentials.
    :param str secret_key: The secret key part of the credentials.
    :param str token: The security token, valid only for session credentials.
    :param str method: A string which identifies where the credentials
        were found.
    :param str account_id: (optional) An account ID associated with the credentials.
    NcCs6|
|_||_
||_|dkrd
}||_||_|��
dS)N�explicit)r r!r"�methodr#�
_normalize)rZr r!r"r�r#r3r3r6r[?
s




zCredentials.__init__c

Cs$tj
�|j�
|_tj
�|j�
|_dSr$)�botocore�compat�ensure_unicoder r!rcr3r3r6r�M
s
zCredentials._normalizec

Cst|j
|j|j|j�Sr$)rr r!r"r#rcr3r3r6�get_frozen_credentialsW
s

�z"Credentials.get_frozen_credentialscs��
fd
d�}|S)Ncst�
�d�Sr$)
�getattrr3��
property_namerZr3r6�get_property]
s
z7Credentials.get_deferred_property.<locals>.get_propertyr3)rZr�r�r3r�r6�get_deferred_property\
s
z!Credentials.get_deferred_property)NNN)rprqrrrsr[r�r�r�r3r3r3r6r�3
s
�

r�c@s�eZ
dZd
ZeZeZedddfdd�
Z	dd�Z
ed%dd�
�
Ze
d	d
��
Zejdd
��
Ze
dd
��
Zejdd
��
Ze
dd��
Zejdd��
Ze
dd��
Zejdd��
Zdd�Zd&dd�
Zdd�Zdd�Zdd�Zedd ��
Zd!d"�Zd#d$�ZdS)'�RefreshableCredentialsa�
    Holds the credentials needed to authenticate requests. In addition, it
    knows how to refresh itself.

    :param str access_key: The access key part of the credentials.
    :param str secret_key: The secret key part of the credentials.
    :param str token: The security token, valid only for session credentials.
    :param datetime expiry_time: The expiration time of the credentials.
    :param function refresh_using: Callback function to refresh the credentials.
    :param str method: A string which identifies where the credentials
        were found.
    :param function time_fetcher: Callback function to retrieve current time.
    NcCsr||_|
|_
||_||_|
|_||_||_t��|_	||_
t|
|||
�|_|�
�
|dk	r`||_|	dk	rn|	|_dSr$)�_refresh_using�_access_key�_secret_key�_token�_account_id�_expiry_time�
_time_fetcher�	threading�Lock�
_refresh_lockr�r�_frozen_credentialsr��_advisory_refresh_timeout�_mandatory_refresh_timeout)rZr r!r"r��
refresh_usingr��time_fetcher�advisory_timeout�mandatory_timeoutr#r3r3r6r[y
s(











�



zRefreshableCredentials.__init__c

Cs$tj
�|j�
|_tj
�|j�
|_dSr$)r�r�r�r�r�rcr3r3r6r��
s

z!RefreshableCredentials._normalizecCsbi}|dk	r||d
<|dk	r$||d<|f|
d|
d|
d|�|
d�
|||
�
d�
d�|��
}|S)	Nr�r�r r!r"r�r#)r r!r"r�r�r�r#)�_expiry_datetimerC)�cls�metadatar�r�r�r�r��instancer3r3r6�create_from_metadata�
s"	










��
z+RefreshableCredentials.create_from_metadatac

Cs|��
|j
S�
z�Warning: Using this property can lead to race conditions if you
        access another property subsequently along the refresh boundary.
        Please use get_frozen_credentials instead.
        )r�r�rcr3r3r6r �
s
z!RefreshableCredentials.access_keycCs
|
|_dSr$)
r��rZrzr3r3r6r �
sc

Cs|��
|j
Sr�)r�r�rcr3r3r6r!�
s
z!RefreshableCredentials.secret_keycCs
|
|_dSr$)
r�r�r3r3r6r!�
sc

Cs|��
|j
Sr�)r�r�rcr3r3r6r"�
s
zRefreshableCredentials.tokencCs
|
|_dSr$)
r�r�r3r3r6r"�
sc

Cs|��
|j
Sr�)r�r�rcr3r3r6r#�
s
z!RefreshableCredentials.account_idcCs
|
|_dSr$)
r�r�r3r3r6r#�
sc
Cs|j|�
�}
t|
�
Sr$)r�r�r)rZ�deltar3r3r6�_seconds_remaining�
s

z)RefreshableCredentials._seconds_remainingcCs:|jd
krdS|
d
kr|j
}
|��|
kr,dSt�d�

dS)a�Check if a refresh is needed.

        A refresh is needed if the expiry time associated
        with the temporary credentials is less than the
        provided ``refresh_in``.  If ``time_delta`` is not
        provided, ``self.advisory_refresh_needed`` will be used.

        For example, if your temporary credentials expire
        in 10 minutes and the provided ``refresh_in`` is
        ``15 * 60``, then this function will return ``True``.

        :type refresh_in: int
        :param refresh_in: The number of seconds before the
            credentials expire in which refresh attempts should
            be made.

        :return: True if refresh needed, False otherwise.

        NFz!Credentials need to be refreshed.T)r�r�r�rOrP�rZ�
refresh_inr3r3r6�refresh_needed�
s




z%RefreshableCredentials.refresh_neededc

Cs|jd
d�
S)Nr
)
r�)
r�rcr3r3r6�_is_expiredsz"RefreshableCredentials._is_expiredc
	Cs�|�|j
�
sdS|j�d
�
r`z4|�|j
�
s2W�$dS|�|j�
}
|j|
d�

W�dS|j��
XnD|�|j�
r�|j�,
|�|j�
s�W5QR�dS|jdd�

W5QRXdS)NF)
�is_mandatoryT)r�r�r��acquire�releaser��_protected_refresh)rZZis_mandatory_refreshr3r3r6r�s"





�




zRefreshableCredentials._refreshcCs�z|��}Wn8t
k
rD


|
r$d
nd}tjd|dd�
|
r>�YdSX|�|�

t|j|j|j|j	�|_
|��r�d}t�|�

t|�
�
dS)N�	mandatoryZadvisoryzARefreshing temporary credentials failed during %s refresh period.T�
�exc_infozLCredentials were refreshed, but the refreshed credentials are still expired.)
r��	ExceptionrO�warning�_set_from_datarr�r�r�r�r�r��RuntimeError)rZr�r�Zperiod_name�msgr3r3r6r�3s0





�



��

z)RefreshableCredentials._protected_refreshc

Cst|�
Sr$r)
Ztime_strr3r3r6r�Zsz'RefreshableCredentials._expiry_datetimecs�d
dddg}�s|}n�f
dd�|D�
}|rHd}t|j
|d�|�
d	��
�d
|_�d|_�d|_t�d�
|_��d
�
|_	t
�d|j�
|��
dS)Nr r!r"r�c
sg|]}
|
�kr|
�qSr3r3)�.0�
k�
�datar3r6�
<listcomp>csz9RefreshableCredentials._set_from_data.<locals>.<listcomp>z7Credential refresh failed, response did not contain: %s�, ��provider�	error_msgr#z(Retrieved credentials will expire at: %s)
rr��joinr r!r"rr�rCr#rOrPr�)rZr�Z
expected_keysZmissing_keys�messager3r�r6r�^s(






�








�z%RefreshableCredentials._set_from_datac

Cs|��
|j
S)
a�Return immutable credentials.

        The ``access_key``, ``secret_key``, and ``token`` properties
        on this class will always check and refresh credentials if
        needed before returning the particular credentials.

        This has an edge case where you can get inconsistent
        credentials.  Imagine this:

            # Current creds are "t1"
            tmp.access_key  ---> expired? no, so return t1.access_key
            # ---- time is now expired, creds need refreshing to "t2" ----
            tmp.secret_key  ---> expired? yes, refresh and return t2.secret_key

        This means we're using the access key from t1 with the secret key
        from t2.  To fix this issue, you can request a frozen credential object
        which is guaranteed not to change.

        The frozen credentials returned from this method should be used
        immediately and then discarded.  The typical usage pattern would
        be::

            creds = RefreshableCredentials(...)
            some_code = SomeSignerObject()
            # I'm about to sign the request.
            # The frozen credentials are only used for the
            # duration of generate_presigned_url and will be
            # immediately thrown away.
            request = some_code.sign_some_request(
                with_credentials=creds.get_frozen_credentials())
            print("Signed request:", request)

        )r�r�rcr3r3r6r�vs"
z-RefreshableCredentials.get_frozen_credentials)NN)
N)rprqrrrsrDr��"_DEFAULT_MANDATORY_REFRESH_TIMEOUTr�rxr[r��classmethodr��propertyr �setterr!r"r#r�r�r�r�r��staticmethodr�r�r�r3r3r3r6r�c
sL




�

�
















"'

r�cs.eZ
dZd
Zef
dd�
Zd�f
dd�	Z�ZS)�DeferredRefreshableCredentialszyRefreshable credentials that don't require initial credentials.

    refresh_using will be called upon first access.
    cCsD|
|_d|_
d|_d|_d|_d|_||_t��|_	||_
d|_dSr$)r�r�r�r�r�r�r�r�r�r�r�r�)rZr�r�r�r3r3r6r[�s










z'DeferredRefreshableCredentials.__init__Ncs|jdkrd
St
��|
�
Sr�)r��superr�r��
�	__class__r3r6r��s



z-DeferredRefreshableCredentials.refresh_needed)
N)rprqrrrsrxr[r��
__classcell__r3r3r�r6r��s
r�c@sZeZ
dZd
Zddd�
Zdd�Zdd�Zd	d
�Zdd�Zd
d�Z	dd�Z
dd�Zdd�ZdS)�CachedCredentialFetcherr&NcCs4|
dkri}
|
|_|�
�|_|dkr*|j}||_dSr$)rW�_create_cache_key�
_cache_key�DEFAULT_EXPIRY_WINDOW_SECONDS�_expiry_window_seconds)rZr0�expiry_window_secondsr3r3r6r[�s







z CachedCredentialFetcher.__init__c

Cstd
�
�
dS)Nz_create_cache_key()�
�NotImplementedErrorrcr3r3r6r��s
z)CachedCredentialFetcher._create_cache_keycCs"|
�d
d��t
jd�}
|
�dd�S)N�
:�
_�
/)�replace�os�sep)rZ�filenamer3r3r6�_make_file_safe�s
z'CachedCredentialFetcher._make_file_safec

Cstd
�
�
dS)Nz_get_credentials()r�rcr3r3r6�_get_credentials�s
z(CachedCredentialFetcher._get_credentialsc

Cs|��Sr$)
�_get_cached_credentialsrcr3r3r6�fetch_credentials�s
z)CachedCredentialFetcher.fetch_credentialsc
Csl|��}
|
d
kr$|�
�}
|�|
�

n
t�d�

|
d}t|ddd�}|d|d|d	||�d
�
d�}|S)z�Get up-to-date credentials.

        This will check the cache for up-to-date credentials, calling assume
        role if none are available.
        Nz*Credentials for role retrieved from cache.r�r�T)
r~r�r�r��	AccountId�r r!r"r�r#)�_load_from_cacher��_write_to_cacherOrPrrC)rZr��creds�
expirationr�r3r3r6r��s








�z/CachedCredentialFetcher._get_cached_credentialsc
Cs8|j|j
kr4t|j
|j�
}
|�|
�
s*|
St�d
�

dS)Nz6Credentials were found in cache, but they are expired.)r�rWrr�rOrP)rZr�r3r3r6r��s





�z(CachedCredentialFetcher._load_from_cachecCst|
�
|j
|j<dSr$)rrWr�)rZr�r3r3r6r��s
z'CachedCredentialFetcher._write_to_cachecCs(t|
d
d�
}t
|t��
}||jkS)z!Check if credentials are expired.r�r�)r{rrxr�)rZr�Zend_time�secondsr3r3r6r��s

z#CachedCredentialFetcher._is_expired)NN)
rprqrrr�r[r�r�r�r�r�r�r�r�r3r3r3r6r��s

	r�cs6eZ
dZd
�f
dd�	Zdd�Zdd�Zdd	�Z�ZS)�BaseAssumeRoleCredentialFetcherNcsf|
|_||_
|dkri|_n
t|�
|_|j
|jd
<|j�d�
|_d|_|jsT|��
t��	||�
dS)NZRoleArn�RoleSessionNameF)
�_client_creatorZ	_role_arn�_assume_kwargsrrC�_role_session_name�_using_default_session_name�_generate_assume_role_namer�r[)rZr:�role_arn�
extra_argsr0r�r�r3r6r[�s






z(BaseAssumeRoleCredentialFetcher.__init__c

Cs*d
tt
�
��
��|_|j|jd<d|_dS)Nzbotocore-session-r�T)�int�timer
r

r
rcr3r3r6r
s


z:BaseAssumeRoleCredentialFetcher._generate_assume_role_namec
CsZt|j
�
}
|jr|
d
=d|
kr0t�|
d�
|
d<tj|
dd�}
t|
�d�
�
��}|�	|�
S)��Create a predictable cache key for the current configuration.

        The cache key is intended to be compatible with file names.
        r��PolicyT)
�	sort_keys�utf-8)
rr

r
�json�loads�dumpsr�encode�	hexdigestr��rZ�argsZ
argument_hashr3r3r6r�s



z1BaseAssumeRoleCredentialFetcher._create_cache_keycCsR|
�d
i��d�
}t
�|�
r>t
�}|�|�
d}||
dd<nt�d|���

dS)NZAssumedRoleUserZArn�accountr�r�z'Unable to extract account ID from Arn: )rCrZis_arnZ	parse_arnrOrP)rZr�r
Z
arn_parserr#r3r3r6�_add_account_id_to_response0s





z;BaseAssumeRoleCredentialFetcher._add_account_id_to_response)NNN)rprqrrr[r
r�r
r�r3r3r�r6r��s

�r�cs6eZ
dZd
�f
dd�	Zdd�Zdd�Zdd	�Z�ZS)�AssumeRoleCredentialFetcherNcs8||_||_
|j
d
krtj|_
t�j|
||||d�
d
S)a�
        :type client_creator: callable
        :param client_creator: A callable that creates a client taking
            arguments like ``Session.create_client``.

        :type source_credentials: Credentials
        :param source_credentials: The credentials to use to create the
            client for the call to AssumeRole.

        :type role_arn: str
        :param role_arn: The ARN of the role to be assumed.

        :type extra_args: dict
        :param extra_args: Any additional arguments to add to the assume
            role request using the format of the botocore operation.
            Possible keys include, but may not be limited to,
            DurationSeconds, Policy, SerialNumber, ExternalId and
            RoleSessionName.

        :type mfa_prompter: callable
        :param mfa_prompter: A callable that returns input provided by the
            user (i.e raw_input, getpass.getpass, etc.).

        :type cache: dict
        :param cache: An object that supports ``__getitem__``,
            ``__setitem__``, and ``__contains__``.  An example of this is
            the ``JSONFileCache`` class in aws-cli.

        :type expiry_window_seconds: int
        :param expiry_window_seconds: The amount of time, in seconds,
        N�r
r0r�)�_source_credentials�
_mfa_prompter�getpassr�r[)rZr:�source_credentialsr
r
�mfa_prompterr0r�r�r3r6r[;s)








�z$AssumeRoleCredentialFetcher.__init__c
Cs*|��}
|�
�}|jf|
�
}|�|�

|S)
�'Get credentials by calling assume role.)�_assume_role_kwargs�_create_clientr�r
)rZr�r�r�r3r3r6r�qs





z,AssumeRoleCredentialFetcher._get_credentialsc
CsXt|j
�
}
|
�d
�
}|dk	r:d|�d�}|�|�
}||
d<|
�d�
}|dk	rT||
d<|
S)�AGet the arguments for assume role based on current configuration.�SerialNumberNzEnter MFA code for z: Z	TokenCode�DurationSeconds)rr

rCr
)rZ�assume_role_kwargs�
mfa_serial�promptZ
token_code�duration_secondsr3r3r6r
ys







z/AssumeRoleCredentialFetcher._assume_role_kwargsc
Cs"|j�
�}
|jd
|
j|
j|
jd�S)z2Create an STS client using the source credentials.�sts)�aws_access_key_id�aws_secret_access_key�aws_session_token)r
r�r
r r!r")rZZfrozen_credentialsr3r3r6r
�s





�z*AssumeRoleCredentialFetcher._create_client)NNNN)rprqrrr[r�r
r
r�r3r3r�r6r
:s


�6r
cs.eZ
dZd�f
dd�	Zdd�Zdd�Z�ZS)	�*AssumeRoleWithWebIdentityCredentialFetcherNcs ||_t
�j|
||||d
�
dS)aG
        :type client_creator: callable
        :param client_creator: A callable that creates a client taking
            arguments like ``Session.create_client``.

        :type web_identity_token_loader: callable
        :param web_identity_token_loader: A callable that takes no arguments
        and returns a web identity token str.

        :type role_arn: str
        :param role_arn: The ARN of the role to be assumed.

        :type extra_args: dict
        :param extra_args: Any additional arguments to add to the assume
            role request using the format of the botocore operation.
            Possible keys include, but may not be limited to,
            DurationSeconds, Policy, SerialNumber, ExternalId and
            RoleSessionName.

        :type cache: dict
        :param cache: An object that supports ``__getitem__``,
            ``__setitem__``, and ``__contains__``.  An example of this is
            the ``JSONFileCache`` class in aws-cli.

        :type expiry_window_seconds: int
        :param expiry_window_seconds: The amount of time, in seconds,
        r
N)�_web_identity_token_loaderr�r[)rZr:�web_identity_token_loaderr
r
r0r�r�r3r6r[�s$




�z3AssumeRoleWithWebIdentityCredentialFetcher.__init__c
Cs:|��}
t
td
�
}|jd|d�}|jf|
�
}|�|�

|S)r
)
�signature_versionr'
�
r.)r
rr	r
Zassume_role_with_web_identityr
)rZr�r.r�r�r3r3r6r��s





z;AssumeRoleWithWebIdentityCredentialFetcher._get_credentialsc
Cst|j
�
}
|��}||
d
<|
S)r 
ZWebIdentityToken)rr

r,
)rZr#
Zidentity_tokenr3r3r6r
�s


z>AssumeRoleWithWebIdentityCredentialFetcher._assume_role_kwargs)NNN)rprqrrr[r�r
r�r3r3r�r6r+
�s

�.r+
c@s.eZ
dZd
Zd
Zddd�
Zdd�Zdd�Zd
S)	�CredentialProviderNcCs
|
|_dSr$r4)rZr5r3r3r6r[�s
zCredentialProvider.__init__c


Csd
S)a~
        Loads the credentials from their source & sets them on the object.

        Subclasses should implement this method (by reading from disk, the
        environment, the network or wherever), returning ``True`` if they were
        found & loaded.

        If not found, this method should return ``False``, indictating that the
        ``CredentialResolver`` should fall back to the next available method.

        The default implementation does nothing, assuming the user has set the
        ``access_key/secret_key/token`` themselves.

        :returns: Whether credentials were found & set
        :rtype: Credentials
        Tr3rcr3r3r6�load�szCredentialProvider.loadc	GsHg}|D]:}z|�|
|�

Wqt
k
r@


t|j|d
��
YqXq|S)N�r�Zcred_var)�append�KeyErrorr�METHOD)rZ�mappingZ	key_names�foundZkey_namer3r3r6�_extract_creds_from_mapping�s






�z.CredentialProvider._extract_creds_from_mapping)
N)rprqrrr5
�CANONICAL_NAMEr[r1
r8
r3r3r3r6r0
�s

r0
c@sNeZ
dZd
Zejf
dd�
Zdd�Zdd�Ze	dd	��
Z
e	d
d��
Zdd
�ZdS)rdzcustom-processcCs|
|_||_
d|_||_dSr$)�
_profile_name�_load_config�_loaded_config�_popen)rZr;r9�popenr3r3r6r[s



zProcessProvider.__init__c
sl�
j��dkrdS�
�
��
}
|
�d
�
dk	rDt�|
��
fdd��
j�St|
d|
d|
�d�
�
j|
�d�
d�S)	Nr�cs
�
���
Sr$)
�_retrieve_credentials_usingr3��credential_processrZr3r6r7r8z&ProcessProvider.load.<locals>.<lambda>r r!r"r#)r r!r"r�r#)�_credential_processr?
rCr�r�r5
r�)rZZ
creds_dictr3r@
r6r1
s"








�




�zProcessProvider.loadc	
Cs�t|
�
}|j
|tjtjd
�}|��\}}|jdkrFt|j|�d�
d��
t	j
j�|�d�
�
}|�
dd�}|dkr�t|jd|�d	�d��
z,|d
|d|�
d�
|�
d
�
|�|�
d�WStk
r�
}
zt|jd|��d��
W5d}~XYnXdS)N)�stdout�stderrr
r
r��Versionz<Version key not provided>�
zUnsupported version 'z8' for credential process provider, supported versions: 1r�r�r�r�r�z"Missing required key in response: )r
r=
�
subprocess�PIPE�communicate�
returncoderr5
�decoder�r�r

r
rC�_get_account_idr4
)	rZrA
Zprocess_list�
prC
rD
�parsed�version�
er3r3r6r?
's>

�



�




�



�


�z+ProcessProvider._retrieve_credentials_usingc

Cs|j�
d
�
S)NrA
)�profile_configrCrcr3r3r6rB
Ksz#ProcessProvider._credential_processc
Cs0|jdkr|�
�|_|j�d
i��|ji�}
|
S�N�profiles)r<
r;
rCr:
)rZrQ
r3r3r6rQ
Os




�zProcessProvider.profile_configcCs|
�d
�
}|p|j
�d�
S)Nr��aws_account_id)rCrQ
)rZrN
r#r3r3r6rL
Xs


zProcessProvider._get_account_idN)
rprqrrr5
rG
�Popenr[r1
r?
r�rB
rQ
rL
r3r3r3r6rd	s
$



rdc@s$eZ
dZd
ZdZdd�Zdd�ZdS)rGziam-roleZEc2InstanceMetadatacCs
|
|_dSr$)
�
_role_fetcher)rZr/r3r3r6r[as
z!InstanceMetadataProvider.__init__c
Cs>|j}
|
�
�}|sdSt�d
|d�
tj||j|
j
d�}|S)Nz#Found credentials from IAM Role: %s�	role_name�r�r�)rV
Zretrieve_iam_role_credentialsrO�infor�r�r5
)rZ�fetcherr�r�r3r3r6r1
ds




�


�zInstanceMetadataProvider.loadN)rprqrrr5
r9
r[r1
r3r3r3r6rG]s

rGc@sNeZ
dZd
ZdZdZdZddgZdZdZ	dd
d�
Z
dd
�Zdd�Zdd�Z
d	S)rE�env�EnvironmentZAWS_ACCESS_KEY_IDZAWS_SECRET_ACCESS_KEYZAWS_SECURITY_TOKENZAWS_SESSION_TOKENZAWS_CREDENTIAL_EXPIRATIONZAWS_ACCOUNT_IDNcCs$|
d
krtj
}
|
|_
|�|�
|_d
S)a�


        :param environ: The environment variables (defaults to
            ``os.environ`` if no value is provided).
        :param mapping: An optional mapping of variable names to
            environment variable names.  Use this if you want to
            change the mapping of access_key->AWS_ACCESS_KEY_ID, etc.
            The dict can have up to 5 keys:
            * ``access_key``
            * ``secret_key``
            * ``token``
            * ``expiry_time``
            * ``account_id``
        N)r��environ�_build_mapping�_mapping)rZr]
r6
r3r3r6r[�s


zEnvProvider.__init__cCs�i}|
dkr@|j|d
<|j
|d<|j|d<|j|d<|j|d<nv|
�d
|j�|d
<|
�d|j
�|d<|
�d|j�|d<t|dt�s�|dg
|d<|
�d|j�|d<|
�d|j�|d<|S)Nr r!r"r�r#)�
ACCESS_KEY�
SECRET_KEY�TOKENS�EXPIRY_TIME�
ACCOUNT_IDrCry�list)rZr6
Zvar_mappingr3r3r6r^
�s6









�
�



�
�zEnvProvider._build_mappingc
	Cs�|j�
|jd
d�}
|
r�t�d�

|��}|dd�
}|d}|dk	rtt|�
}t|d
|d|d	|||j|d
d�St	|d
|d|d	|j|d
d�SdSdS)
zK
        Search for credentials in explicit environment variables.
        r �z+Found credentials in environment variables.F)
�require_expiryr�Nr!r"r#)r�r�r#�r�r#)
r]
rCr_
rOrY
�_create_credentials_fetcherrr�r5
r�)rZr rZ
r�r�r3r3r6r1
�s2














�





�zEnvProvider.loadc
s(|j�
|j
�|j�d��
�fdd�	}
|
S)NTc
s�i}
���
d
d�}|s(t
��
d
d��
||
d
<���
dd�}|sTt
��
dd��
||
d<d|
d<�
dD] }��|d�}|rl||
d<
q�qld|
d<���
dd�}|r�||
d<|r�|s�t
��
dd��
d|
d<���
dd�}|r�||
d<|
S)Nr rf
r2
r!r"r�r#)rCr)rg
r�r r!Z
token_env_varr"r�r#�r]
r6
r�r3r6r��sF



�


�










�


zBEnvProvider._create_credentials_fetcher.<locals>.fetch_credentials)
T)r_
r5
r]
)rZr�r3rj
r6ri
�s



(z'EnvProvider._create_credentials_fetcher)NN)rprqrrr5
r9
r`
ra
rb
rc
rd
r[r^
r1
ri
r3r3r3r6rEzs






#rEc@s2eZ
dZd
ZdZdZdZdZddd�
Zd	d
�Z	dS)rLzec2-credentials-fileZ	Ec2Config�AWS_CREDENTIAL_FILEZAWSAccessKeyIdZAWSSecretKeyNcCs*|
dkrtj
}
|dkrt}|
|_||_dSr$)r�r]
r�_environ�_parser)rZr]
�parserr3r3r6r[s





zOriginalEC2Provider.__init__c
Cshd
|jkr`t
j�|jd
�
}
|�|
�
}|j|krdt�d�

||j}||j}t	|||j
d�SndSdS)zN
        Search for a credential file used by original EC2 CLI tools.
        rk
z)Found credentials in AWS_CREDENTIAL_FILE.�
r�N)rl
r��path�
expanduserrm
r`
rOrY
ra
r�r5
)rZ�	full_pathr�r r!r3r3r6r1
s


�








zOriginalEC2Provider.load)NN)
rprqrrr5
r9
Z
CRED_FILE_ENVr`
ra
r[r1
r3r3r3r6rLs




rLc@sJeZ
dZd
ZdZdZdZddgZdZdd	d
�
Z	dd�Z
d
d�Zdd�ZdS)rgzshared-credentials-fileZSharedCredentialsr(
r)
�aws_security_tokenr*
rT
NcCs2|
|_|dkrd
}||_
|dkr(tjj}||_dS)Nr()�_creds_filenamer:
r��configloader�raw_config_parse�_ini_parser)rZrfr;�
ini_parserr3r3r6r[7s






z!SharedCredentialProvider.__init__c
Cs�z|�|j
�
}
Wntk
r&


YdSX|j|
kr�|
|j}|j|kr�t�d
|j
�
|�||j|j�\}}|�	|�
}|�
|�
}t||||j|d�SdS)Nz0Found credentials in shared credentials file: %srh
)
rw
rt
r
r:
r`
rOrY
r8
ra
�_get_session_tokenrL
r�r5
)rZZavailable_credsr.r r!r"r#r3r3r6r1
@s2












�
�








�zSharedCredentialProvider.loadcCs$|jD]}||
kr|
|
SqdSr$�
rb
)rZr.Ztoken_envvarr3r3r6ry
Ys



z+SharedCredentialProvider._get_session_tokencCs|
�|j
�
Sr$�rCrd
�rZr.r3r3r6rL
^s
z(SharedCredentialProvider._get_account_id)NN)
rprqrrr5
r9
r`
ra
rb
rd
r[r1
ry
rL
r3r3r3r6rg+s




	rgc@sNeZ
dZd
ZdZdZdZdZddgZdZ	dd
d�
Z
dd
�Zdd�Zdd�Z
d	S)rjz0INI based config provider with profile sections.zconfig-fileZSharedConfigr(
r)
rs
r*
rT
NcCs&|
|_||_
|d
krtjj}||_d
S)a


        :param config_filename: The session configuration scoped to the current
            profile.  This is available via ``session.config``.
        :param profile_name: The name of the current profile.
        :param config_parser: A config parser callable.

        N)�_config_filenamer:
r�ru
r9�_config_parser)rZrir;Z
config_parserr3r3r6r[ps
	



zConfigProvider.__init__c
Cs�z|�|j
�
}
Wntk
r&


Yd
SX|j|
dkr�|
d|j}|j|kr�t�d|j
�
|�||j|j�\}}|�	|�
}|�
|�
}t||||j|d�Snd
Sd
S)zr
        If there is are credentials in the configuration associated with
        the session, use those.
        NrS
z$Credentials found in config file: %srh
)
r~
r}
r
r:
r`
rOrY
r8
ra
ry
rL
r�r5
)rZr2rQ
r r!r"r#r3r3r6r1
s4









�
�








�zConfigProvider.loadcCs$|jD]}||
kr|
|
SqdSr$rz
)rZrQ
Z
token_namer3r3r6ry
�s



z!ConfigProvider._get_session_tokencCs|
�|j
�
Sr$r{
r|
r3r3r6rL
�s
zConfigProvider._get_account_id)
N)rprqrrrsr5
r9
r`
ra
rb
rd
r[r1
ry
rL
r3r3r3r6rjbs




rjc@s:eZ
dZd
ZdZdZddgZdZdZd
d	d
�
Z	dd�Z
dS)rMzboto-configZBoto2ConfigZBOTO_CONFIGz
/etc/boto.cfgz~/.botor(
r)
NcCs.|
dkrtj
}
|dkrtjj}|
|_||_dSr$)r�r]
r�ru
rv
rl
rw
)rZr]
rx
r3r3r6r[�s





zBotoProvider.__init__c
	Cs�|j|j
kr|j
|jg
}
n|j}
|
D]|}z|�|�
}Wntk
rP


Yq&YnXd
|kr&|d
}|j|kr&t�d|�
|�||j|j	�\}}t
|||jd�
Sq&dS)z;
        Look for credentials in boto config file.
        r�z)Found credentials in boto config file: %sro
N)�BOTO_CONFIG_ENVrl
�DEFAULT_CONFIG_FILENAMESrw
r
r`
rOrY
r8
ra
r�r5
)rZZpotential_locationsr�r.r�r r!r3r3r6r1
�s2











�
�
�zBotoProvider.load)NN)rprqrrr5
r9
r
r�
r`
ra
r[r1
r3r3r3r6rM�s





rMc@s�eZ
dZd
ZdZdZdZdZejddfdd�
Z	dd	�Z
d
d�Zdd
�Zdd�Z
dd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�ZdS) rI�assume-roleNr
�web_identity_token_filer&cCs>||_|
|_
||_||_||_i|_||_||_|jg
|_d
S)a�
        :type load_config: callable
        :param load_config: A function that accepts no arguments, and
            when called, will return the full configuration dictionary
            for the session (``session.full_config``).

        :type client_creator: callable
        :param client_creator: A factory function that will create
            a client when called.  Has the same interface as
            ``botocore.session.Session.create_client``.

        :type cache: dict
        :param cache: An object that supports ``__getitem__``,
            ``__setitem__``, and ``__contains__``.  An example
            of this is the ``JSONFileCache`` class in the CLI.

        :type profile_name: str
        :param profile_name: The name of the profile.

        :type prompter: callable
        :param prompter: A callable that returns input provided
            by the user (i.e raw_input, getpass.getpass, etc.).

        :type credential_sourcer: CanonicalNameCredentialSourcer
        :param credential_sourcer: A credential provider that takes a
            configuration, which is used to provide the source credentials
            for the STS call.
        N)	r0r;
r
r:
�	_prompterr<
�_credential_sourcer�_profile_provider_builder�_visited_profiles)rZr9r:r0r;Zprompterr<r=r3r3r6r[�s+





zAssumeRoleProvider.__init__c
Cs@|��|_
|j
�d
i�}
|
�|ji�}|�|�
r<|�|j�
SdSrR
)r;
r<
rCr:
�_has_assume_role_config_vars�_load_creds_via_assume_role)rZrS
r'r3r3r6r1
!s







zAssumeRoleProvider.loadcCs|j|
ko|j
|
kSr$)�ROLE_CONFIG_VAR�WEB_IDENTITY_TOKE_FILE_VAR�rZr'r3r3r6r�
(s
�z/AssumeRoleProvider._has_assume_role_config_varscCs�|�|
�
}|�
||
�}i}|�d
�
}|dk	r4||d<|�d�
}|dk	rN||d<|�d�
}|dk	rh||d<|�d�
}|dk	r�||d<t|j||d	||j|jd
�}	|	j}
|dk	r�t|
�
}
t	|j
|
td�S)N�role_session_namer��external_idZ
ExternalIdr$
r!
r&
r"
r
)r:r
r
r
r
r0)r�r�r�)�_get_role_config�_resolve_source_credentialsrCr
r
r�
r0r�r�r�r5
rx)rZr;�role_configr
r
r�
r�
r$
r&
rZ
Z	refresherr3r3r6r�
3sD



�


















�




�z.AssumeRoleProvider._load_creds_via_assume_rolecCs
|j�
d
i�}||
}|�
d�
}|d}|�
d�
}|�
d�
}|�
d�
}|�
d�
}	|�
d�
}
||||	||d	�}|
d
k	r�zt|
�
|d<Wntk
r�


YnX|d
k	r�|d
k	r�td|
�d�d
�
�
nB|d
kr�|d
kr�t|jdd��
n"|d
k	r�|�|
|�
n|�|
|�
|S)z?Retrieves and validates the role configuration for the profile.rS
�source_profiler
�credential_sourcer$
r�
r�
r&
)r
r�
r$
r�
r�
r�
N�
The profile "z5" contains both source_profile and credential_source.�
r�z#source_profile or credential_sourcer2
)	r<
rCr
�
ValueErrorrrr5
�_validate_credential_source�_validate_source_profile)rZr;rS
r'r�
r
r�
r$
r�
r�
r&
r�
r3r3r6r�
_sD

















�	





�


�
z#AssumeRoleProvider._get_role_configcCsJ|jdkr"t
d
|�d|
�d�d�
�
|j�|�
sFt
d|�d|
�d�d�
�
dS)NzThe credential_source "z" is specified in profile "z)", but no source provider was configured.r�
zThe credential source "z" referenced in profile "z" is not valid.)r�
r�is_supported)rZZparent_profiler�
r3r3r6r�
�s


�
�z.AssumeRoleProvider._validate_credential_sourcecCst|�
|
�
|�|
�
g�
Sr$)�any�_has_static_credentialsr�
r�
r3r3r6�_source_profile_has_credentials�s


��z2AssumeRoleProvider._source_profile_has_credentialscCsv|j�
d
i�}||kr.td|�d|
�d�d�
�
||}||jkrDdS||
krZt||jd��
|�|�
srt||jd��
dS)NrS
zThe source_profile "z" referenced in the profile "z" does not exist.r�
)r�
Zvisited_profiles)r<
rCrr�
rr�
)rZZparent_profile_nameZsource_profile_namerS
r�
r3r3r6r�
�s$

�




�




�z+AssumeRoleProvider._validate_source_profilecsd
dg}t�f
dd�|D�
�
S)Nr)
r(
c
3s|]}
|
�kV
qdSr$r3)r�Z
static_key�
r'r3r6�	<genexpr>�sz=AssumeRoleProvider._has_static_credentials.<locals>.<genexpr>)
r�
)rZr'Zstatic_keysr3r�
r6r�
�s

z*AssumeRoleProvider._has_static_credentialscCs<|
�d
�
}|dk	r|�
||�S|
d}|j�|�

|�|�
S)Nr�
r�
)rC� _resolve_credentials_from_sourcer�
r3
�!_resolve_credentials_from_profile)rZr�
r;r�
r�
r3r3r6r�
�s




�

z.AssumeRoleProvider._resolve_source_credentialscCs�|j�
d
i�}||
}|�|�
r0|js0|�|�
S|�|�
sD|�|�
s�|jj|
dd�}t|�
}|��}|dkr~d}t	||
d�
�
|S|�
|
�
S)NrS
Tr>z.The source profile "%s" must have credentials.r�
)r<
rCr�
r�
�(_resolve_static_credentials_from_profiler�
rArQrtrr�
)rZr;rS
r'rSZ
profile_chainr��
error_messager3r3r6r�
�s4

��


��

�

�
�z4AssumeRoleProvider._resolve_credentials_from_profilec
CsXzt|
d
|
d|
�
d�
d�WStk
rR
}
zt|jt|�
d��
W5d}~XYnXdS)Nr(
r)
r*
)r r!r"r2
)r�rCr4
rr5
�str)rZr'rP
r3r3r6r�
�s




�

�z;AssumeRoleProvider._resolve_static_credentials_from_profilecCs*|j�
|
�
}|dkr&t|
d
|��d��
|S)Nz@No credentials found in credential_source referenced in profile r�)r�
r
r)rZr�
r;r�r3r3r6r�
s
�

�z3AssumeRoleProvider._resolve_credentials_from_source)rprqrrr5
r9
r�
r�
ZEXPIRY_WINDOW_SECONDSr
r[r1
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r3r3r3r6rI�s*




�
>,1&!rIc@sReZ
dZd
ZdZdddd�Zddd	�
Zd
d�Zdd
�Zdd�Z	dd�Z
dd�ZdS)rkzassume-role-with-web-identityNZAWS_WEB_IDENTITY_TOKEN_FILEZAWS_ROLE_SESSION_NAMEZAWS_ROLE_ARN)r�
r�
r
FcCs:||_|
|_
||_||_d|_||_|dkr0t}||_dSr$)r0r;
r
r:
�_profile_config�_disable_env_varsr�_token_loader_cls)rZr9r:r;r0r?Ztoken_loader_clsr3r3r6r[%s	







z*AssumeRoleWithWebIdentityProvider.__init__c

Cs|��Sr$)
�_assume_role_with_web_identityrcr3r3r6r1
8s
z&AssumeRoleWithWebIdentityProvider.loadcCs:|jdkr.|�
�}|�d
i�}|�|ji�|_|j�|
�
SrR
)r�
r;
rCr:
)rZ�key�
loaded_configrS
r3r3r6�_get_profile_config;s






z5AssumeRoleWithWebIdentityProvider._get_profile_configcCs2|jr
dS|j
�|
�
}|r.|tjkr.tj|SdSr$)r�
�_CONFIG_TO_ENV_VARrCr�r]
)rZr�
Zenv_keyr3r3r6�_get_env_configBs






z1AssumeRoleWithWebIdentityProvider._get_env_configcCs |�|
�
}|dk	r|S|�
|
�
Sr$)r�
r�
)rZr�
Z	env_valuer3r3r6�_get_configJs




z-AssumeRoleWithWebIdentityProvider._get_configc
Cs||�d
�
}
|
sdS|�
|
�
}|�d�
}|s8d}t|d�
�
i}|�d�
}|dk	rV||d<t|j||||jd�}t|j|jd�S)	Nr�
r
z�The provided profile or the current environment is configured to assume role with web identity but has no role ARN configured. Ensure that the profile has the role_arnconfiguration set or the AWS_ROLE_ARN env var is set.r�
r�
r�)r:r-
r
r
r0rX
)	r�
r�
rr+
r
r0r�r5
r�)rZZ
token_path�token_loaderr
r�r
r�
rZ
r3r3r6r�
Ps0







�









�


�z@AssumeRoleWithWebIdentityProvider._assume_role_with_web_identity)NFN)rprqrrr5
r9
r�
r[r1
r�
r�
r�
r�
r3r3r3r6rks



�

�
rkc@s<eZ
dZd
d�Zdd�Zdd�Zdd�Zd	d
�Zdd�Zd
S)rKcCs
|
|_dSr$�
�
_providers�rZrAr3r3r6r[vs
z'CanonicalNameCredentialSourcer.__init__cCs|
d
d�|jD�
kS)aL
Validates a given source name.

        :type source_name: str
        :param source_name: The value of credential_source in the config
            file. This is the canonical name of the credential provider.

        :rtype: bool
        :returns: True if the credential provider is supported,
            False otherwise.
        c
Ssg|]
}
|
j�qSr3)
r9
�r�rM
r3r3r6r��sz?CanonicalNameCredentialSourcer.is_supported.<locals>.<listcomp>r�
)rZ�source_namer3r3r6r�
ysz+CanonicalNameCredentialSourcer.is_supportedcCs$|�|
�
}t
|t�r|��S|��S)
a
Loads source credentials based on the provided configuration.

        :type source_name: str
        :param source_name: The value of credential_source in the config
            file. This is the canonical name of the credential provider.

        :rtype: Credentials
        )�
_get_providerryrQrtr1
)rZr�
�sourcer3r3r6r
�s	




z1CanonicalNameCredentialSourcer.source_credentialscCsV|�|
�
}|
�
�d
kr@|�d�
}|dk	r@|dkr4|St||g�
S|dkrRt|
d�
�
|S)a#
Return a credential provider by its canonical name.

        :type canonical_name: str
        :param canonical_name: The canonical name of the provider.

        :raises UnknownCredentialError: Raised if no
            credential provider by the provided name
            is found.
        )ZsharedconfigZsharedcredentialsr�
N�
�name)�_get_provider_by_canonical_name�lower�_get_provider_by_methodrQr)rZ�canonical_namer�rRr3r3r6r�
�s







z,CanonicalNameCredentialSourcer._get_providercCs2|jD]&}|j
}|r|��|
��kr|
Sqd
S)z�Return a credential provider by its canonical name.

        This function is strict, it does not attempt to address
        compatibility issues.
        N)r�
r9
r�
)rZr�
r�r�
r3r3r6r�
�s


z>CanonicalNameCredentialSourcer._get_provider_by_canonical_namecCs"|jD]}|j
|
kr|
Sqd
S)z0Return a credential provider by its METHOD name.N)r�
r5
)rZr�r�r3r3r6r�
�s



z6CanonicalNameCredentialSourcer._get_provider_by_methodN)	rprqrrr[r�
r
r�
r�
r�
r3r3r3r6rKus

&rKc@s^eZ
dZd
ZdZdZdZdZdZddd	�
Z	d
d�Z
dd
�Zdd�Zdd�Z
dd�Zdd�ZdS)rFzcontainer-roleZEcsContainerZ&AWS_CONTAINER_CREDENTIALS_RELATIVE_URIZ"AWS_CONTAINER_CREDENTIALS_FULL_URIZ!AWS_CONTAINER_AUTHORIZATION_TOKENZ&AWS_CONTAINER_AUTHORIZATION_TOKEN_FILENcCs,|
dkrtj
}
|dkrt�}|
|_||_dSr$)r�r]
rrl
�_fetcher)rZr]
rZ
r3r3r6r[�s





zContainerProvider.__init__c

Cs$|j|j
ks|j|j
kr |��SdSr$)�ENV_VARrl
�ENV_VAR_FULL�_retrieve_or_failrcr3r3r6r1
�s
zContainerProvider.loadc

Csl|��r|j
�|j|j�
}
n|j|j}
|�|
�
}|�}t|d
|d|d|jt	|d�
||�
d�
d�S)Nr r!r"r�r#)r r!r"r�r�r�r#)�_provided_relative_urir�
�full_urlrl
r�
r�
�_create_fetcherr�r5
r{rC)rZ�full_urirZ
r�r3r3r6r�
�s













�z#ContainerProvider._retrieve_or_failc
	Cspd}
|j|j
kr:|j
|j}t|�
�}|��}
W5QRXn|j|j
krR|j
|j}
|
dk	rl|�|
�

d
|
i
SdS)N�
Authorization)�ENV_VAR_AUTH_TOKEN_FILErl
�open�read�ENV_VAR_AUTH_TOKEN�_validate_auth_token)rZ�
auth_tokenZauth_token_file_pathZ
token_filer3r3r6�_build_headers�s











z ContainerProvider._build_headerscCsd
|
ksd|
krtd�
�
dS)N�

�

z,Auth token value is not a legal header value)
r�
)rZr�
r3r3r6r�
s

z&ContainerProvider._validate_auth_tokencs��
fd
d�}|S)Nc
s�z�
��}�
j
j�|d
�}
WnDtk
r`
}
z&tjd|dd�
t�
jt|�
d��
W5d}~XYnX|
d|
d|
d|
d	|
�	d
�
d�S)N)
�headersz'Error retrieving container metadata: %sTr�r�r�r��Tokenr�r�r�)
r�
r�
Zretrieve_full_urirrOrPrr5
r�
rC)r�
r�rP
�r�
rZr3r6�fetch_credss,



�


�
�



�z6ContainerProvider._create_fetcher.<locals>.fetch_credsr3)rZr�
r
r�r�
r3r�
r6r�
s
z!ContainerProvider._create_fetcherc

Cs|j|j
kSr$)r�
rl
rcr3r3r6r�
s
z(ContainerProvider._provided_relative_uri)NN)rprqrrr5
r9
r�
r�
r�
r�
r[r1
r�
r�
r�
r�
r�
r3r3r3r6rF�s






rFc@sDeZ
dZd
d�Zdd�Zdd�Zdd�Zd	d
�Zdd�Zd
d�Z	dS)rQcCs
|
|_d
S)zQ

        :param providers: A list of ``CredentialProvider`` instances.

        Nr@r�
r3r3r6r[!szCredentialResolver.__init__cCsLzd
d�|jD�
�
|
�
}Wntk
r8


t|
d�
�
YnX|j�||�
dS)a=
        Inserts a new instance of ``CredentialProvider`` into the chain that
        will be tried before an existing one.

        :param name: The short name of the credentials you'd like to insert the
            new credentials before. (ex. ``env`` or ``config``). Existing names
            & ordering can be discovered via ``self.available_methods``.
        :type name: string

        :param cred_instance: An instance of the new ``Credentials`` object
            you'd like to add to the chain.
        :type cred_instance: A subclass of ``Credentials``
        c
Ssg|]
}
|
j�qSr3�
r5
r�
r3r3r6r�8sz4CredentialResolver.insert_before.<locals>.<listcomp>r�
N)rA�indexr�
r�insert�rZr�
Zcredential_provider�offsetr3r3r6�
insert_before)s




z CredentialResolver.insert_beforecCs |�|
�
}|j
�|d
|�
dS)a9
        Inserts a new type of ``Credentials`` instance into the chain that will
        be tried after an existing one.

        :param name: The short name of the credentials you'd like to insert the
            new credentials after. (ex. ``env`` or ``config``). Existing names
            & ordering can be discovered via ``self.available_methods``.
        :type name: string

        :param cred_instance: An instance of the new ``Credentials`` object
            you'd like to add to the chain.
        :type cred_instance: A subclass of ``Credentials``
        rF
N)�_get_provider_offsetrAr�
r�
r3r3r6�insert_after=s

zCredentialResolver.insert_aftercCs6d
d�|jD�
}|
|krdS|�
|
�
}|j�|�

dS)z�
        Removes a given ``Credentials`` instance from the chain.

        :param name: The short name of the credentials instance to remove.
        :type name: string
        c
Ssg|]
}
|
j�qSr3r�
r�
r3r3r6r�Usz-CredentialResolver.remove.<locals>.<listcomp>N)rAr�
�pop)rZr�
Zavailable_methodsr�
r3r3r6rNNs



zCredentialResolver.removecCs|j|�
|
�
S)
z�Return a credential provider by name.

        :type name: str
        :param name: The name of the provider.

        :raises UnknownCredentialError: Raised if no
            credential provider by the provided name
            is found.
        )rAr�
�rZr�
r3r3r6�get_provider]s
zCredentialResolver.get_providercCs<zd
d�|jD�
�
|
�
WStk
r6


t|
d�
�
YnXdS)Nc
Ssg|]
}
|
j�qSr3r�
r�
r3r3r6r�ksz;CredentialResolver._get_provider_offset.<locals>.<listcomp>r�
)rAr�
r�
rr�
r3r3r6r�
is



z'CredentialResolver._get_provider_offsetc
Cs6|jD]*}
t
�d
|
j�
|
��}|dk	r|
SqdS)zw
        Goes through the credentials chain, returning the first ``Credentials``
        that could be loaded.
        zLooking for credentials via: %sN)rArOrPr5
r1
)rZr�r�r3r3r6rtos





z#CredentialResolver.load_credentialsN)
rprqrrr[r�
r�
rNr�
r�
rtr3r3r3r6rQ s
rQcs:eZ
dZd
Zd�f
dd�	Zdd�Zdd�Zd	d
�Z�ZS)�SSOCredentialFetcherz%Y-%m-%dT%H:%M:%SZNcsB||_||_
||_||_|
|_||_|	|_|
|_t��	||�
dSr$)
r
�_sso_region�
_role_namer��
_start_url�
_token_loader�_token_provider�_sso_session_namer�r[)rZ�	start_url�
sso_regionrW
r#r:r�
r0r�rm�sso_session_namer�r3r6r[�s








zSSOCredentialFetcher.__init__c
CsV|j|j
d
�}
|jr |j|
d<n
|j|
d<tj|
ddd�}
t|
�d�
�
��}|�	|�
S)r	
)�roleName�	accountIdZsessionNameZstartUrlT)�
,r�)r
�
separatorsr
)
r�
r�r�
r�
r

r
rr
r
r�r
r3r3r6r��s
�



z&SSOCredentialFetcher._create_cache_keycCs$|
d
}tj�
|t��}|�|j�
S)Ng@�@)rv�
fromtimestamprr}�_UTC_DATE_FORMAT)rZZtimestamp_msZtimestamp_seconds�	timestampr3r3r6�_parse_timestamp�s

z%SSOCredentialFetcher._parse_timestampc
Cs�tt
|jd
�}
|jd|
d�}|jr8|j��}|��j}n|�|j	�
d}|j
|j|d�}z|jf|�
}Wn|j
jk
r�


t��
YnX|d}d|d|d|d	|�|d
�
|jd�d�}|S)
z4Get credentials by calling SSO get role credentials.)r.
r1�ssor/
�accessToken)r�
r�
r�
ZroleCredentialsZaccessKeyIdZsecretAccessKeyZsessionTokenr�)r�r�r�r�r�)ZProviderTyper�)rr	r�
r
r�
Z
load_tokenZget_frozen_tokenr"r�
r�
r�
r�Zget_role_credentials�
exceptionsZUnauthorizedExceptionrr�
)rZr.r�Zinitial_token_datar"r�r�r�r3r3r6r��s6

�





�







��
z%SSOCredentialFetcher._get_credentials)NNNNN)	rprqrrr�
r[r�r�
r�r�r3r3r�r6r�
�s
	



�r�
c@s\eZ
dZd
Zej�ej�ddd
d��
ZdZ	dZ
e	e
Zddd	�
Zd
d�Z
dd
�Zdd�ZdS)rnr�
�
~z.awsr0)�
sso_role_name�sso_account_id)�
sso_start_urlr�
NcCsF|dkrt|j
�
}||_||_|dkr*i}||_|
|_||_||_dSr$)r�_SSO_TOKEN_CACHE_DIR�_token_cacher�
r0r;
r
r:
)rZr9r:r;r0rlrmr3r3r6r[�s	









zSSOProvider.__init__c
s�|��}
|
�
d
i�}|j}|�
|ji��|
�
di�}t�f
dd�|jD�
�
rPdS|��|�\}}i}g}|j|}	|	D]$}
|
|kr�||
||
<qv|�|
�

qv|r�d�|�
}t	d|�d|��d�
�
|S)	NrS
�sso_sessionsc
3s|]}
|
�kV
qdSr$r3)r��
c�
rQ
r3r6r�

	s
z/SSOProvider._load_sso_config.<locals>.<genexpr>r�r�
zB" is configured to use SSO but is missing required configuration: r�
)
r;
rCr:
�all�_PROFILE_REQUIRED_CONFIG_VARS�_resolve_sso_session_reference�_ALL_REQUIRED_CONFIG_VARSr3
r�r)rZr�
rS
r;r�
Zresolved_configZ
extra_reqsr.Zmissing_config_varsZall_required_configs�
config_var�missingr3r�
r6�_load_sso_config	s4





�
�








�zSSOProvider._load_sso_configc	Cs�|
�d
�
}|dkr|
dfS||kr8d|�d�}t
|d�
�
|
��}||}|��D]F\}}|�||�|kr�d|�d||�d|�d	�}t
|d�
�
|||<qP|d
fS)N�sso_sessionr3z+The specified sso-session does not exist: "�
"r�
zThe value for z" is inconsistent between profile (z) and sso-session (z).)
r
)rCr�copy�items)	rZrQ
r�
r�
r�r.r5r�
�valr3r3r6r�
)	s







�



z*SSOProvider._resolve_sso_session_referencec
Csx|��}
|
sdS|
d
|
d|
d|
d|j
t|jd�
|jd�}d|
kr^|
d|d<|j|d	<tf|�
}t|j|j	d
�S)Nr�
r�
r�
r�
)
r0)r�
r�
rW
r#r:r�
r0r
r�
rmrX
)
rr
rr�
r0r�
r�
r�r5
r�)rZZ
sso_configZfetcher_kwargsZsso_fetcherr3r3r6r1
@	s&









�	





�zSSOProvider.load)NNN)rprqrrr5
r�rp
rq
r�r�
r�
Z_SSO_REQUIRED_CONFIG_VARSr�
r[rr�
r1
r3r3r3r6rn�s

��	

�
$rn)NN)
F)Urvr
r

�loggingr�rG
r�r
�collectionsrrr�hashlibrZdateutil.parserrZdateutil.tzrrZbotocore.compatr�Zbotocore.configloaderr	r
rZbotocore.configrZbotocore.exceptionsr
rrrrrrrrZbotocore.tokensrZbotocore.utilsrrrrrrrr�	getLoggerrprOrr�rDrUrHrurxr{rrJr�r�r�r�r�r�r�r
r+
r0
rdrGrErLrgrjrMrIrkrKrFrQr�
rnr3r3r3r6�<module>s�















,
(





�

`M
	0;H>\

�E.T#7E-JYXSd[