o

<&�a�@
�@sXdd
lZdd
l
Z
dd
lZdd
lZdd
lZdd
lZdd
lZdd
lZddlm	Z	
ddl
mZ
ddlm
Z

ddlmZ
ddlmZ
ddlmZmZ
dd
lZdd
lZddlmZ
dd	lmZ
dd
lmZ
ddlmZ
ddlmZ
dd
lmZ
ddlm Z 
ddlm!Z!
ddlm"Z"
ddlm#Z#
ddlm$Z$
ddlm%Z%
ddlm&Z&
ddl'm(Z(m)Z)
ddl'm*Z*
ddl'm+Z+
ddl'm,Z,
ddl'm-Z-
e�.e/�
Z0e	dgd�
�Z1d]dd�
Z2Gdd�de3�Z4d d!�Z5d"d#�Z6d$d%�Z7d^d'd(�
Z8d)d*�Z9d+d,�Z:d-d.�Z;Gd/d0�d0e3�Z<Gd1d2�d2e3�Z=Gd3d4�d4e=�Z>Gd5d6�d6e>�Z?Gd7d8�d8e3�Z@Gd9d:�d:e@�ZAGd;d<�d<eA�ZBGd=d>�d>eA�ZCGd?d@�d@e3�ZDGdAdB�dBeD�ZEGdCdD�dDeD�ZFGdEdF�dFeD�ZGGdGdH�dHeD�ZHGdIdJ�dJeD�ZIGdKdL�dLeD�ZJGdMdN�dNeD�ZKGdOdP�dPeD�ZLGdQdR�dReD�ZMGdSdT�dTe3�ZNGdUdV�dVeD�ZOGdWdX�dXe3�ZPGdYdZ�dZe@�ZQGd[d\�d\eD�ZRd
S)_�N)
�
namedtuple)
�deepcopy)
�sha1)
�Path�
�parse)�tzlocal�tzutc)
�UNSIGNED)
�
total_seconds)
�compat_shell_split)
�Config)
�UnknownCredentialError)
�PartialCredentialsError)
�ConfigNotFound)
�InvalidConfigError)
�InfiniteLoopConfigError)
�RefreshWithMFAUnsupportedError)
�MetadataRetrievalError)
�CredentialRetrievalError)
�UnauthorizedSSOTokenError)�InstanceMetadataFetcher�parse_key_val_file)
�ContainerMetadataFetcher)
�FileWebIdentityTokenLoader)
�SSOTokenLoader)
�resolve_imds_endpoint_mode�ReadOnlyCredentials��
access_key�
secret_key�tokenc	s
��d
�
pd}��d�
}��d�
}��
��d
�
du
}��d�
t��
d�}|
dur*i}
t�}t�}	tt||���|d�d	�
}
t	�|
|d
�}t
�f
dd�t�|�|
|t||	|
g�
|d
�}||g}
|j
||d�}t�t�|	|
g}|
||}|r|�|�

t�d�

t|d�
}|S)z�Create a default credential resolver.

    This creates a pre-configured credential resolver
    that includes the default lookup chain for
    credentials.

    �profile�default�metadata_service_timeout�metadata_service_num_attemptsN�ec2_metadata_service_endpoint)r&�"ec2_metadata_service_endpoint_mode)�timeout�num_attempts�
user_agent�config)
�iam_role_fetcher)�cache�region_namec
s�jS�
N)
�full_config��
�sessionr1�6/usr/lib/python3/dist-packages/botocore/credentials.py�<lambda>]sz,create_credential_resolver.<locals>.<lambda>)�load_config�client_creatorr-�profile_name�credential_sourcer�profile_provider_builder�r8�disable_env_varszWSkipping environment variable credential check because profile name was explicitly set.�
�	providers)�get_config_variable�instance_variables�getr�EnvProvider�ContainerProvider�InstanceMetadataProviderrr*�ProfileProviderBuilder�AssumeRoleProvider�_get_client_creator�CanonicalNameCredentialSourcerr>�OriginalEC2Provider�BotoProvider�remove�logger�debug�CredentialResolver)r3r-r.r8�metadata_timeoutr)r<�imds_config�env_provider�container_provider�instance_metadata_providerr:�assume_role_provider�pre_profile�profile_providers�post_profiler>�resolverr1r2r4�create_credential_resolver9sl





�
��







��
�






��
�

�


�




rYc@sPeZ
dZd
Z		ddd�
Zddd�
Zdd	�Zd
d�Zdd
�Zdd�Z	dd�Z
dS)rEa�
This class handles the creation of profile based providers.

    NOTE: This class is only intended for internal use.

    This class handles the creation and ordering of the various credential
    providers that primarly source their configuration from the shared config.
    This is needed to enable sharing between the default credential chain and
    the source profile chain created by the assume role provider.
    NcCs|
|_||_
||_||_dSr/)�_session�_cache�_region_name�_sso_token_cache)�selfr3r-r.�sso_token_cacher1r1r4�__init__�s



zProfileProviderBuilder.__init__FcCs.|�|
|�|�
|
�
|�|
�
|�|
�
|�|
�
gSr/)�_create_web_identity_provider�_create_sso_provider�"_create_shared_credential_provider�_create_process_provider�_create_config_provider�r^r8r<r1r1r4r>�s
�


�z ProfileProviderBuilder.providerscst|
�f
d
d�d�S)Nc
��jj
Sr/�rZr0r1�
r^r1r4r5��zAProfileProviderBuilder._create_process_provider.<locals>.<lambda>)r8r6)
�ProcessProvider�r^r8r1rir4rd�s



�z/ProfileProviderBuilder._create_process_providercC�|j�
d
�
}t|
|d�S)N�credentials_file)r8�creds_filename)rZr?�SharedCredentialProvider)r^r8�credential_filer1r1r4rc��




�z9ProfileProviderBuilder._create_shared_credential_providercCrm)N�config_file)r8�config_filename)rZr?�ConfigProvider)r^r8rsr1r1r4re�rrz.ProfileProviderBuilder._create_config_providercs&t�f
d
d�t
�j�j��j|
|d�S)Nc
rgr/rhr1rir1r4r5�rjzFProfileProviderBuilder._create_web_identity_provider.<locals>.<lambda>)r6r7r-r8r<)�!AssumeRoleWithWebIdentityProviderrGrZr\r[rfr1rir4ra�s




�

�z4ProfileProviderBuilder._create_web_identity_providercs"t�f
d
d��j
j|
�j�jd�S)Nc
rgr/rhr1rir1r4r5�rjz=ProfileProviderBuilder._create_sso_provider.<locals>.<lambda>)r6r7r8r-�token_cache)�SSOProviderrZ�
create_clientr[r]rlr1rir4rb�s






�z+ProfileProviderBuilder._create_sso_provider�NNN�
F)�__name__�
__module__�__qualname__�__doc__r`r>rdrcrerarbr1r1r1r4rE�s
	

�

rEc
Cst|�
}
|
�
�Sr/)rY�load_credentials)r3rXr1r1r4�get_credentials�s

r�cCstj�
t��
Sr/)�datetime�nowrr1r1r1r4�
_local_now��
r�c

Cst|t
j
�r|St|�
Sr/)�
isinstancer�r)
�valuer1r1r4�_parse_if_needed�s


r�FcCs&t|t
j
�r|
r|��S|�d
�
S|S)Nz%Y-%m-%dT%H:%M:%S%Z)r�r��	isoformat�strftime)r��isor1r1r4�_serialize_if_needed�s






r�c���
fd
d�}|S)Nc
s*d
�i
}|jdi|
�
�

�
j
|f
i|�
�
S)Nr.r1)�updatery)�service_name�kwargs�create_client_kwargs�r.r3r1r4r7�s�
z+_get_client_creator.<locals>.client_creatorr1)r3r.r7r1r�r4rG�s
rGcr�)Ncs:�jdi�
�
�
}|d
}
|
d|
d|
dt
|
d�
d�S)N�Credentials�AccessKeyId�SecretAccessKey�SessionToken�
Expiration�rr r!�expiry_timer1)�assume_roler�)�response�credentials��client�paramsr1r4�refresh�s





�z-create_assume_role_refresher.<locals>.refreshr1)r�r�r�r1r�r4�create_assume_role_refresher�s
r�c
CsGd
d�dt�}
|
|�
S)Nc@seZ
dZd
d�Zdd�ZdS)z/create_mfa_serial_refresher.<locals>._RefreshercSs|
|_d
|_
dS)NF)�_refresh�_has_been_called)r^r�r1r1r4r`
s


z8create_mfa_serial_refresher.<locals>._Refresher.__init__c

Ss|jrt
��
d
|_|��S�NT)r�rr�rir1r1r4�__call__
s


z8create_mfa_serial_refresher.<locals>._Refresher.__call__N)r|r}r~r`r�r1r1r1r4�
_Refresher
s
r�)
�object)�actual_refreshr�r1r1r4�create_mfa_serial_refresher
sr�c@sheZ
dZd
Zej�ej�dddd��
Zedfdd�
Z	d	d
�Z
dd�Zd
d�Zdd�Z
dd�Zdd�ZdS)�
JSONFileCachez�JSON file cache.
    This provides a dict like interface that stores JSON serializable
    objects.
    The objects are serialized to JSON and stored in a file.  These
    values can be retrieved at a later time.
    �
~�.aws�botor-NcCs|
|_|dur
|j
}||_dSr/)�_working_dir�_default_dumps�_dumps)r^�working_dir�
dumps_funcr1r1r4r`!
s




zJSONFileCache.__init__cCstj
|
td
�S)N)
r#)�json�dumpsr�)r^�objr1r1r4r�'
r�zJSONFileCache._default_dumpscCs|�|
�
}t
j�|�
Sr/)�_convert_cache_key�os�path�isfile)r^�	cache_key�
actual_keyr1r1r4�__contains__*
s


zJSONFileCache.__contains__c
Csb|�|
�
}zt
|�
�}t�|�
Wd
�
WS1sw



Y
Wd
Stttfy0


t|
�
�
w)z Retrieve value from a cache key.N)r��openr��load�OSError�
ValueError�IOError�KeyError)r^r�r��
fr1r1r4�__getitem__.
s




(�
�zJSONFileCache.__getitem__cCs8|�|
�
}zt
|�
}|��
WdSty


t|
�
�
wr/)r�r�unlink�FileNotFoundErrorr�)r^r�r��key_pathr1r1r4�__delitem__7
s






�zJSONFileCache.__delitem__c	Cs�|�|
�
}z|�
|�
}Wnttfy


td
|�
�
wtj�|j�
s)t�|j�

t�	t�
|tjtjBd�d��}|�
�
|�|�

Wd�
dS1sMw



Y
dS)Nz5Value cannot be cached, must be JSON serializable: %si�
�
w)r�r��	TypeErrorr�r�r��isdirr��makedirs�fdopenr��O_WRONLY�O_CREAT�truncate�write)r^r�r��full_key�file_contentr�r1r1r4�__setitem__?
s&






��



�
�


"�zJSONFileCache.__setitem__cCstj
�|j|
d
�}|S)Nz.json)r�r��joinr�)r^r��	full_pathr1r1r4r�M
s

z JSONFileCache._convert_cache_key)r|r}r~rr�r��
expanduserr��	CACHE_DIRr`r�r�r�r�r�r�r1r1r1r4r�
s
	r�c@s.eZ
dZd
Z		d	dd�
Zdd�Zdd�ZdS)
r�a\

    Holds the credentials needed to authenticate requests.

    :ivar access_key: The access key part of the credentials.
    :ivar secret_key: The secret key part of the credentials.
    :ivar token: The security token, valid only for session credentials.
    :ivar method: A string which identifies where the credentials
        were found.
    NcCs0|
|_||_
||_|durd
}||_|��
dS)N�explicit)rr r!�method�
_normalize)r^rr r!r�r1r1r4r`]
s



zCredentials.__init__c

C�$tj
�|j�
|_tj
�|j�
|_dSr/)�botocore�compat�ensure_unicoderr rir1r1r4r�i
s
zCredentials._normalizec

Cst|j
|j|j�Sr/)rrr r!rir1r1r4�get_frozen_credentialss
s


�z"Credentials.get_frozen_credentials�NN)r|r}r~rr`r�r�r1r1r1r4r�R
s



�
r�c@s�eZ
dZd
ZdZdZef
dd�
Zdd�Ze	dd	��
Z
ed
d��
Zej
dd��
Zed
d��
Zej
dd��
Zedd��
Zej
dd��
Zdd�Zd$dd�
Zdd�Zdd�Zdd�Zedd��
Zd d!�Zd"d#�ZdS)%�RefreshableCredentialsa�

    Holds the credentials needed to authenticate requests. In addition, it
    knows how to refresh itself.

    :ivar access_key: The access key part of the credentials.
    :ivar secret_key: The secret key part of the credentials.
    :ivar token: The security token, valid only for session credentials.
    :ivar method: A string which identifies where the credentials
        were found.
    �iXcCsN||_|
|_
||_||_||_||_t��|_||_	t
|
||�|_|��
dSr/)
�_refresh_using�_access_key�_secret_key�_token�_expiry_time�
_time_fetcher�	threading�Lock�
_refresh_lockr�r�_frozen_credentialsr�)r^rr r!r��
refresh_usingr��time_fetcherr1r1r4r`�
s









�zRefreshableCredentials.__init__c

Cr�r/)r�r�r�r�r�rir1r1r4r��
s

z!RefreshableCredentials._normalizecCs.||
d
|
d|
d|�|
d�
||d�}|S)Nrr r!r�)rr r!r�r�r�)
�_expiry_datetime)�cls�metadatar�r��instancer1r1r4�create_from_metadata�
s





�z+RefreshableCredentials.create_from_metadatac

C�|��
|j
S�
z�Warning: Using this property can lead to race conditions if you
        access another property subsequently along the refresh boundary.
        Please use get_frozen_credentials instead.
        )r�r�rir1r1r4r�
�
z!RefreshableCredentials.access_keycC�
|
|_dSr/)
r��r^r�r1r1r4r�
�
c

Cr�r�)r�r�rir1r1r4r �
r�z!RefreshableCredentials.secret_keycCr�r/)
r�r�r1r1r4r �
r�c

Cr�r�)r�r�rir1r1r4r!�
r�zRefreshableCredentials.tokencCr�r/)
r�r�r1r1r4r!�
r�c
Cs|j|�
�}
t|
�
Sr/)r�r�r)r^�deltar1r1r4�_seconds_remaining�
s

z)RefreshableCredentials._seconds_remainingNcCs:|jd
urdS|
d
ur|j
}
|��|
krdSt�d�

dS)a�Check if a refresh is needed.

        A refresh is needed if the expiry time associated
        with the temporary credentials is less than the
        provided ``refresh_in``.  If ``time_delta`` is not
        provided, ``self.advisory_refresh_needed`` will be used.

        For example, if your temporary credentials expire
        in 10 minutes and the provided ``refresh_in`` is
        ``15 * 60``, then this function will return ``True``.

        :type refresh_in: int
        :param refresh_in: The number of seconds before the
            credentials expire in which refresh attempts should
            be made.

        :return: True if refresh needed, False otherwise.

        NFz!Credentials need to be refreshed.T)r��_advisory_refresh_timeoutr�rLrM�r^�
refresh_inr1r1r4�refresh_needed�
s




z%RefreshableCredentials.refresh_neededc

Cs|jd
d�
S)Nr
)
r�)
r
rir1r1r4�_is_expired�
sz"RefreshableCredentials._is_expiredc
Cs�|�|j
�
sdS|j�d
�
r7z"|�|j
�
sW|j��
dS|�|j�
}
|j|
d�

W|j��
dS|j��
w|�|j�
rh|j�
|�|j�
sP	Wd�
dS|jdd�

Wd�
dS1saw



Y
dSdS)NF)
�is_mandatoryT)r
r�r��acquire�release�_mandatory_refresh_timeout�_protected_refresh)r^�is_mandatory_refreshr1r1r4r��
s*



�
�



�"��zRefreshableCredentials._refreshcCs�z|��}Wnt
y!


|
rd
n
d}tjd|dd�
|
r�YdSw|�|�

t|j|j|j�|_	|�
�r@d}t�|�

t|�
�
dS)N�	mandatory�advisoryzARefreshing temporary credentials failed during %s refresh period.T�
�exc_infozLCredentials were refreshed, but the refreshed credentials are still expired.)r��	ExceptionrL�warning�_set_from_datarr�r�r�r�r

�RuntimeError)r^r
r��period_name�msgr1r1r4r
s(



��


�

�z)RefreshableCredentials._protected_refreshc

Cst|�
Sr/r)
�time_strr1r1r4r�9sz'RefreshableCredentials._expiry_datetimecs�gd
�
}�s	|}n	�f
dd�|D�
}|r"d}t|j
|d�|�
d��
�d|_�d|_�d	|_t�d
�
|_t�	d|j�
|�
�
dS)Nr�c
sg|]}
|
�v
r|
�qSr1r1)�.0�
k�
�datar1r4�
<listcomp>Bsz9RefreshableCredentials._set_from_data.<locals>.<listcomp>z7Credential refresh failed, response did not contain: %s�, ��provider�	error_msgrr r!r�z(Retrieved credentials will expire at: %s)rr�r�rr r!rr�rLrMr�)r^r
�
expected_keys�missing_keys�messager1r
r4r
=s$






�







�z%RefreshableCredentials._set_from_datac

Cr�)
a�Return immutable credentials.

        The ``access_key``, ``secret_key``, and ``token`` properties
        on this class will always check and refresh credentials if
        needed before returning the particular credentials.

        This has an edge case where you can get inconsistent
        credentials.  Imagine this:

            # Current creds are "t1"
            tmp.access_key  ---> expired? no, so return t1.access_key
            # ---- time is now expired, creds need refreshing to "t2" ----
            tmp.secret_key  ---> expired? yes, refresh and return t2.secret_key

        This means we're using the access key from t1 with the secret key
        from t2.  To fix this issue, you can request a frozen credential object
        which is guaranteed not to change.

        The frozen credentials returned from this method should be used
        immediately and then discarded.  The typical usage pattern would
        be::

            creds = RefreshableCredentials(...)
            some_code = SomeSignerObject()
            # I'm about to sign the request.
            # The frozen credentials are only used for the
            # duration of generate_presigned_url and will be
            # immediately thrown away.
            request = some_code.sign_some_request(
                with_credentials=creds.get_frozen_credentials())
            print("Signed request:", request)

        )r�r�rir1r1r4r�Ss"
z-RefreshableCredentials.get_frozen_credentialsr/)r|r}r~rr�r
r�r`r��classmethodr��propertyr�setterr r!r�r
r

r�r
�staticmethodr�r
r�r1r1r1r4r�y
s<

�














"!

r�cs.eZ
dZd
Zef
dd�
Zd�f
dd�	Z�ZS)�DeferredRefreshableCredentialszyRefreshable credentials that don't require initial credentials.

    refresh_using will be called upon first access.
    cCs>|
|_d|_
d|_d|_d|_||_t��|_||_	d|_
dSr/)r�r�r�r�r�r�r�r�r�r�r�)r^r�r�r�r1r1r4r`~s










z'DeferredRefreshableCredentials.__init__Ncs|jdurd
St
t|��|
�
Sr�)r��superr#
r
r��
�	__class__r1r4r
�s






�z-DeferredRefreshableCredentials.refresh_neededr/)r|r}r~rr�r`r
�
__classcell__r1r1r%
r4r#
ys
r#
c@sZeZ
dZd
Zddd�
Zdd�Zdd�Zd	d
�Zdd�Zd
d�Z	dd�Z
dd�Zdd�ZdS)�CachedCredentialFetcherr�NcCs4|
duri}
|
|_|�
�|_|dur|j}||_dSr/)r[�_create_cache_key�
_cache_key�DEFAULT_EXPIRY_WINDOW_SECONDS�_expiry_window_seconds)r^r-�expiry_window_secondsr1r1r4r`�s








z CachedCredentialFetcher.__init__c

C�td
�
�
)Nz_create_cache_key()�
�NotImplementedErrorrir1r1r4r)
��
z)CachedCredentialFetcher._create_cache_keycCs$|
�d
d��t
jjd�}
|
�dd�S)N�
:�
_�
/)�replacer�r��sep)r^�filenamer1r1r4�_make_file_safe�s
z'CachedCredentialFetcher._make_file_safec

Cr.
)Nz_get_credentials()r/
rir1r1r4�_get_credentials�r1
z(CachedCredentialFetcher._get_credentialsc

C�|��Sr/)
�_get_cached_credentialsrir1r1r4�fetch_credentials�r1
z)CachedCredentialFetcher.fetch_credentialsc
Cs`|��}
|
d
ur|�
�}
|�|
�

nt�d�

|
d}t|ddd�}|d|d|d	|d
�S)z�Get up-to-date credentials.

        This will check the cache for up-to-date credentials, calling assume
        role if none are available.
        Nz*Credentials for role retrieved from cache.r�r�T)
r�r�r�r�r�)�_load_from_cacher9
�_write_to_cacherLrMr�)r^r��creds�
expirationr1r1r4r;
�s







�z/CachedCredentialFetcher._get_cached_credentialsc
Cs8|j|j
vrt|j
|j�
}
|�|
�
s|
St�d
�

dS)Nz6Credentials were found in cache, but they are expired.)r*
r[rr

rLrM)r^r?
r1r1r4r=
�s





�z(CachedCredentialFetcher._load_from_cachecCst|
�
|j
|j<dSr/)rr[r*
)r^r�r1r1r4r>
�s
z'CachedCredentialFetcher._write_to_cachecCs(t|
d
d�
}t
|t��
}||jkS)z!Check if credentials are expired.r�r�)r�rr�r,
)r^r��end_time�secondsr1r1r4r

�s


z#CachedCredentialFetcher._is_expiredr�)
r|r}r~r+
r`r)
r8
r9
r<
r;
r=
r>
r

r1r1r1r4r(
�s

	r(
cs2eZ
dZ	
	
d�f
dd�	Zdd�Zdd�Z�ZS)	�BaseAssumeRoleCredentialFetcherNcsj|
|_||_
|duri|_nt|�
|_|j
|jd
<|j�d�
|_d|_|js*|��
tt	|��
||�
dS)N�RoleArn�RoleSessionNameF)�_client_creator�	_role_arn�_assume_kwargsrrA�_role_session_name�_using_default_session_name�_generate_assume_role_namer$
rC
r`)r^r7�role_arn�
extra_argsr-r-
r%
r1r4r`�s








�z(BaseAssumeRoleCredentialFetcher.__init__c

Cs(d
tt
�
��
|_|j|jd<d|_dS)Nzbotocore-session-%srE
T)�int�timerI
rH
rJ
rir1r1r4rK
�s



z:BaseAssumeRoleCredentialFetcher._generate_assume_role_namec
CsZt|j
�
}
|jr|
d
=d|
vrt�|
d�
|
d<tj|
dd�}
t|
�d�
�
��}|�	|�
S)��Create a predictable cache key for the current configuration.

        The cache key is intended to be compatible with file names.
        rE
�PolicyT)
�	sort_keys�utf-8)
rrH
rJ
r��loadsr�r�encode�	hexdigestr8
�r^�args�
argument_hashr1r1r4r)
�s




z1BaseAssumeRoleCredentialFetcher._create_cache_keyrz)r|r}r~r`rK
r)
r'
r1r1r%
r4rC
�s

�rC
cs:eZ
dZ	
	
d
�f
dd�	Zdd�Zdd�Zdd	�Z�ZS)�AssumeRoleCredentialFetcherNcs<||_||_
|j
d
urtj|_
tt|�j|
||||d�
d
S)a�
        :type client_creator: callable
        :param client_creator: A callable that creates a client taking
            arguments like ``Session.create_client``.

        :type source_credentials: Credentials
        :param source_credentials: The credentials to use to create the
            client for the call to AssumeRole.

        :type role_arn: str
        :param role_arn: The ARN of the role to be assumed.

        :type extra_args: dict
        :param extra_args: Any additional arguments to add to the assume
            role request using the format of the botocore operation.
            Possible keys include, but may not be limited to,
            DurationSeconds, Policy, SerialNumber, ExternalId and
            RoleSessionName.

        :type mfa_prompter: callable
        :param mfa_prompter: A callable that returns input provided by the
            user (i.e raw_input, getpass.getpass, etc.).

        :type cache: dict
        :param cache: An object that supports ``__getitem__``,
            ``__setitem__``, and ``__contains__``.  An example of this is
            the ``JSONFileCache`` class in aws-cli.

        :type expiry_window_seconds: int
        :param expiry_window_seconds: The amount of time, in seconds,
        N�rM
r-r-
)�_source_credentials�
_mfa_prompter�getpassr$
rZ
r`)r^r7�source_credentialsrL
rM
�mfa_prompterr-r-
r%
r1r4r`s"







�z$AssumeRoleCredentialFetcher.__init__c
Cs |��}
|�
�}|jdi|
�
�
S)�'Get credentials by calling assume role.Nr1)�_assume_role_kwargs�_create_clientr�)r^r�r�r1r1r4r9
4s

z,AssumeRoleCredentialFetcher._get_credentialsc
CsTt|j
�
}
|
�d
�
}|du
rd|}|�|�
}||
d<|
�d�
}|du
r(||
d<|
S)�AGet the arguments for assume role based on current configuration.�SerialNumberNzEnter MFA code for %s: �	TokenCode�DurationSeconds)rrH
rAr]
)r^�assume_role_kwargs�
mfa_serial�prompt�
token_code�duration_secondsr1r1r4rb
:s







z/AssumeRoleCredentialFetcher._assume_role_kwargsc
Cs"|j�
�}
|jd
|
j|
j|
jd�S)z2Create an STS client using the source credentials.�sts)�aws_access_key_id�aws_secret_access_key�aws_session_token)r\
r�rF
rr r!)r^�frozen_credentialsr1r1r4rc
Ls





�z*AssumeRoleCredentialFetcher._create_client)NNNN)r|r}r~r`r9
rb
rc
r'
r1r1r%
r4rZ
s
�,rZ
cs0eZ
dZ	
d�f
dd�	Zdd�Zdd�Z�ZS)	�*AssumeRoleWithWebIdentityCredentialFetcherNcs$||_t
t|�j|
||||d
�
dS)aG
        :type client_creator: callable
        :param client_creator: A callable that creates a client taking
            arguments like ``Session.create_client``.

        :type web_identity_token_loader: callable
        :param web_identity_token_loader: A callable that takes no arguments
        and returns a web identity token str.

        :type role_arn: str
        :param role_arn: The ARN of the role to be assumed.

        :type extra_args: dict
        :param extra_args: Any additional arguments to add to the assume
            role request using the format of the botocore operation.
            Possible keys include, but may not be limited to,
            DurationSeconds, Policy, SerialNumber, ExternalId and
            RoleSessionName.

        :type cache: dict
        :param cache: An object that supports ``__getitem__``,
            ``__setitem__``, and ``__contains__``.  An example of this is
            the ``JSONFileCache`` class in aws-cli.

        :type expiry_window_seconds: int
        :param expiry_window_seconds: The amount of time, in seconds,
        r[
N)�_web_identity_token_loaderr$
rr
r`)r^r7�web_identity_token_loaderrL
rM
r-r-
r%
r1r4r`Zs




�z3AssumeRoleWithWebIdentityCredentialFetcher.__init__c
Cs0|��}
t
td
�
}|jd|d�}|jdi|
�
�
S)ra
)
�signature_versionrm
�
r+Nr1)rb
r
r
rF
�assume_role_with_web_identity)r^r�r+r�r1r1r4r9
~s


z;AssumeRoleWithWebIdentityCredentialFetcher._get_credentialsc
Cst|j
�
}
|��}||
d
<|
S)rd
�WebIdentityToken)rrH
rs
)r^rh
�identity_tokenr1r1r4rb
�s


z>AssumeRoleWithWebIdentityCredentialFetcher._assume_role_kwargsrz)r|r}r~r`r9
rb
r'
r1r1r%
r4rr
Ws
�$	rr
c@s.eZ
dZd
Zd
Zddd�
Zdd�Zdd�Zd
S)	�CredentialProviderNcCr�r/r2)r^r3r1r1r4r`��

zCredentialProvider.__init__c


Csd
S)a~
        Loads the credentials from their source & sets them on the object.

        Subclasses should implement this method (by reading from disk, the
        environment, the network or wherever), returning ``True`` if they were
        found & loaded.

        If not found, this method should return ``False``, indictating that the
        ``CredentialResolver`` should fall back to the next available method.

        The default implementation does nothing, assuming the user has set the
        ``access_key/secret_key/token`` themselves.

        :returns: Whether credentials were found & set
        :rtype: Credentials
        Tr1rir1r1r4r��szCredentialProvider.loadc	Gs@g}|D]}z	|�|
|�

Wqt
y


t|j|d
��
w|S)N�r
�cred_var)�appendr�r�METHOD)r^�mapping�	key_names�found�key_namer1r1r4�_extract_creds_from_mapping�s






��z.CredentialProvider._extract_creds_from_mappingr/)r|r}r~r
�CANONICAL_NAMEr`r�r�
r1r1r1r4rz
�s
rz
c@s:eZ
dZd
Zejf
dd�
Zdd�Zdd�Ze	dd	��
Z
d
S)rkzcustom-processcCs|
|_||_
d|_||_dSr/)�
_profile_name�_load_config�_loaded_config�_popen)r^r8r6�popenr1r1r4r`�s




zProcessProvider.__init__c
sd�
j��dur	dS�
�
��
}
|
�d
�
du
r"t�|
��
fdd��
j�St|
d|
d|
�d�
�
jd�S)Nr�cs
�
���
Sr/)
�_retrieve_credentials_usingr1��credential_processr^r1r4r5�s
z&ProcessProvider.load.<locals>.<lambda>rr r!)rr r!r�)�_credential_processr�
rAr�r�r
r�)r^�
creds_dictr1r�
r4r��s 








�



�zProcessProvider.loadc	
Cs�t|
�
}|j
|tjtjd
�}|��\}}|jdkr#t|j|�d�
d��
t	j
j�|�d�
�
}|�
dd�}|dkr@t|jd|d��
z|d	|d
|�
d�
|�
d�
d
�WStyg
}
z	t|jd|d��
d}~w
w)N)�stdout�stderrr
rS
r
�Versionz<Version key not provided>�
zOUnsupported version '%s' for credential process provider, supported versions: 1r�r�r�r�r�z$Missing required key in response: %s)rr�
�
subprocess�PIPE�communicate�
returncoderr
�decoder�r�r�rT
rAr�)	r^r�
�process_list�
pr�
r�
�parsed�version�
er1r1r4r�
�s@


�



�





��


�


���z+ProcessProvider._retrieve_credentials_usingc
Cs6|jdur
|�
�|_|j�d
i��|ji�}
|
�d�
S)N�profilesr�
)r�
r�
rAr�
)r^�profile_configr1r1r4r�
�s




�

�
z#ProcessProvider._credential_processN)r|r}r~r
r�
�Popenr`r�r�
r 
r�
r1r1r1r4rk�s
rkc@s$eZ
dZd
ZdZdd�Zdd�ZdS)rDziam-role�Ec2InstanceMetadatacCr�r/)
�
_role_fetcher)r^r,r1r1r4r`r{
z!InstanceMetadataProvider.__init__c
Cs>|j}
|
�
�}|sdSt�d
|d�
tj||j|
j
d�}|S)Nz#Found credentials from IAM Role: %s�	role_name�r�r�)r�
�retrieve_iam_role_credentialsrLrMr�r�r
)r^�fetcherr�r?
r1r1r4r�
s




�


�zInstanceMetadataProvider.loadN)r|r}r~r
r�
r`r�r1r1r1r4rDs


rDc@sJeZ
dZd
ZdZdZdZddgZdZdd	d
�
Z	dd�Z
d
d�Zdd�ZdS)rB�env�Environment�AWS_ACCESS_KEY_ID�AWS_SECRET_ACCESS_KEY�AWS_SECURITY_TOKEN�AWS_SESSION_TOKEN�AWS_CREDENTIAL_EXPIRATIONNcCs$|
d
urtj
}
|
|_
|�|�
|_d
S)a�


        :param environ: The environment variables (defaults to
            ``os.environ`` if no value is provided).
        :param mapping: An optional mapping of variable names to
            environment variable names.  Use this if you want to
            change the mapping of access_key->AWS_ACCESS_KEY_ID, etc.
            The dict can have up to 3 keys: ``access_key``, ``secret_key``,
            ``session_token``.
        N)r��environ�_build_mapping�_mapping)r^r�
r�
r1r1r4r`)s


zEnvProvider.__init__cCs�i}|
dur|j|d
<|j
|d<|j|d<|j|d<|S|
�d
|j�|d
<|
�d|j
�|d<|
�d|j�|d<t|dt�sE|dg
|d<|
�d|j�|d<|S)Nrr r!r�)�
ACCESS_KEY�
SECRET_KEY�TOKENS�EXPIRY_TIMErAr��list)r^r�
�var_mappingr1r1r4r�
9s,







�
�
�
�


�zEnvProvider._build_mappingc
Cs�|j�
|jd
d�}
|
rFt�d�

|��}|dd�
}|d}|du
r7t|�
}t|d
|d|d	|||jd
�St	|d
|d|d	|jd�SdS)zK
        Search for credentials in explicit environment variables.
        r�z+Found credentials in environment variables.F)
�require_expiryr�Nr r!)r�r��
r�)
r�
rAr�
rL�info�_create_credentials_fetcherrr�r
r�)r^rr�
r�r�r1r1r4r�Os$










�


�zEnvProvider.loadc
s(|j�
|j
�|j�d��
�fdd�	}
|
S)NTc
s�i}
���
d
d�}|st
��
d
d��
||
d
<���
dd�}|s*t
��
dd��
||
d<d|
d<�
dD]}��|d�}|rF||
d<
n
q6d|
d<���
dd�}|rY||
d<|re|set
��
dd��
|
S)Nrr�
r|
r r!r�)rAr)r�
r�rr �
token_env_varr!r��r�
r�
r�r1r4r<
ps:



�


�




�





�zBEnvProvider._create_credentials_fetcher.<locals>.fetch_credentials)
T)r�
r
r�
)r^r<
r1r�
r4r�
ks



 z'EnvProvider._create_credentials_fetcherr�)
r|r}r~r
r�
r�
r�
r�
r�
r`r�
r�r�
r1r1r1r4rBs





rBc@s2eZ
dZd
ZdZdZdZdZddd�
Zd	d
�Z	dS)rIzec2-credentials-file�	Ec2Config�AWS_CREDENTIAL_FILE�AWSAccessKeyId�AWSSecretKeyNcCs*|
durtj
}
|dur
t}|
|_||_dSr/)r�r�
r�_environ�_parser)r^r�
�parserr1r1r4r`�s






zOriginalEC2Provider.__init__c
Csfd
|jvr1t
j�|jd
�
}
|�|
�
}|j|vr/t�d�

||j}||j}t	|||j
d�SdSdS)zN
        Search for a credential file used by original EC2 CLI tools.
        r�
z)Found credentials in AWS_CREDENTIAL_FILE.r�
N)r�
r�r�r�r�
r�
rLr�
r�
r�r
)r^r�r?
rr r1r1r4r��s


�








�zOriginalEC2Provider.loadr�)
r|r}r~r
r�
�
CRED_FILE_ENVr�
r�
r`r�r1r1r1r4rI�s




rIc@s>eZ
dZd
ZdZdZdZddgZddd	�
Zd
d�Z	dd
�Z
dS)rpzshared-credentials-file�SharedCredentialsrn
ro
�aws_security_tokenrp
NcCs2|
|_|dur	d
}||_
|durtjj}||_dS)Nr#)�_creds_filenamer�
r��configloader�raw_config_parse�_ini_parser)r^ror8�
ini_parserr1r1r4r`�s







z!SharedCredentialProvider.__init__c
Cs�z|�|j
�
}
Wn
ty


YdSw|j|
vrB|
|j}|j|vrDt�d
|j
�
|�||j|j�\}}|�	|�
}t
||||jd�SdSdS)Nz0Found credentials in shared credentials file: %sr�
)r�
r�
rr�
r�
rLr�
r�
r�
�_get_session_tokenr�r
)r^�available_credsr+rr r!r1r1r4r��s(



�






�

�


��zSharedCredentialProvider.loadcC�$|jD]}||
vr|
|
SqdSr/�
r�
)r^r+�token_envvarr1r1r4r�
��




��z+SharedCredentialProvider._get_session_tokenr�)r|r}r~r
r�
r�
r�
r�
r`r�r�
r1r1r1r4rp�s



	rpc@sBeZ
dZd
ZdZdZdZdZddgZdd	d
�
Z	dd�Z
d
d�ZdS)ruz0INI based config provider with profile sections.zconfig-file�SharedConfigrn
ro
r�
rp
NcCs&|
|_||_
|d
urtjj}||_d
S)a


        :param config_filename: The session configuration scoped to the current
            profile.  This is available via ``session.config``.
        :param profile_name: The name of the current profile.
        :param config_parser: A config parser callable.

        N)�_config_filenamer�
r�r�
r6�_config_parser)r^rtr8�
config_parserr1r1r4r`�s
	




zConfigProvider.__init__c
Cs�z|�|j
�
}
Wn
ty


Yd
Sw|j|
dvrH|
d|j}|j|vrFt�d|j
�
|�||j|j�\}}|�	|�
}t
||||jd�Sd
Sd
S)zr
        If there is are credentials in the configuration associated with
        the session, use those.
        Nr�
z$Credentials found in config file: %sr�
)r�
r�
rr�
r�
rLr�
r�
r�
r�
r�r
)r^r0r�
rr r!r1r1r4r��s(


�




�

�


��	zConfigProvider.loadcCr�
r/r�
)r^r�
�
token_namer1r1r4r�
r�
z!ConfigProvider._get_session_tokenr/)r|r}r~rr
r�
r�
r�
r�
r`r�r�
r1r1r1r4ru�s




ruc@s:eZ
dZd
ZdZdZddgZdZdZd
d	d
�
Z	dd�Z
dS)rJzboto-config�Boto2Config�BOTO_CONFIGz
/etc/boto.cfgz~/.botorn
ro
NcCs.|
durtj
}
|durtjj}|
|_||_dSr/)r�r�
r�r�
r�
r�
r�
)r^r�
r�
r1r1r4r`s






zBotoProvider.__init__c
	Cs�|j|j
vr|j
|jg
}
n|j}
|
D];}z|�|�
}Wn	ty%


Yqwd
|vrN|d
}|j|vrNt�d|�
|�||j|j	�\}}t
|||jd�
SqdS)z;
        Look for credentials in boto config file.
        r�z)Found credentials in boto config file: %sr�
N)�BOTO_CONFIG_ENVr�
�DEFAULT_CONFIG_FILENAMESr�
rr�
rLr�
r�
r�
r�r
)r^�potential_locationsr7
r+r�rr r1r1r4r�'s.




�




�

�

���zBotoProvider.loadr�)r|r}r~r
r�
r�
r�
r�
r�
r`r�r1r1r1r4rJs





rJc@s�eZ
dZd
ZdZdZdZdZejddfdd�
Z	dd	�Z
d
d�Zdd
�Zdd�Z
dd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�ZdS) rF�assume-roleNrL
�web_identity_token_filer�cCs>||_|
|_
||_||_||_i|_||_||_|jg
|_d
S)a�
        :type load_config: callable
        :param load_config: A function that accepts no arguments, and
            when called, will return the full configuration dictionary
            for the session (``session.full_config``).

        :type client_creator: callable
        :param client_creator: A factory function that will create
            a client when called.  Has the same interface as
            ``botocore.session.Session.create_client``.

        :type cache: dict
        :param cache: An object that supports ``__getitem__``,
            ``__setitem__``, and ``__contains__``.  An example
            of this is the ``JSONFileCache`` class in the CLI.

        :type profile_name: str
        :param profile_name: The name of the profile.

        :type prompter: callable
        :param prompter: A callable that returns input provided
            by the user (i.e raw_input, getpass.getpass, etc.).

        :type credential_sourcer: CanonicalNameCredentialSourcer
        :param credential_sourcer: A credential provider that takes a
            configuration, which is used to provide the source credentials
            for the STS call.
        N)	r-r�
rF
r�
�	_prompterr�
�_credential_sourcer�_profile_provider_builder�_visited_profiles)r^r6r7r-r8�prompterr9r:r1r1r4r`Os$





zAssumeRoleProvider.__init__c
Cs@|��|_
|j
�d
i�}
|
�|ji�}|�|�
r|�|j�
SdS�Nr�
)r�
r�
rAr�
�_has_assume_role_config_vars�_load_creds_via_assume_role)r^r�
r"r1r1r4r��s






�zAssumeRoleProvider.loadcCs|j|
vo	|j
|
v
Sr/)�ROLE_CONFIG_VAR�WEB_IDENTITY_TOKE_FILE_VAR�r^r"r1r1r4r�
�s
�z/AssumeRoleProvider._has_assume_role_config_varscCs�|�|
�
}|�
||
�}i}|�d
�
}|du
r||d<|�d�
}|du
r'||d<|�d�
}|du
r4||d<|�d�
}|du
rA||d<t|j||d	||j|jd
�}	|	j}
|du
r[t|
�
}
t	|j
|
td�S)N�role_session_namerE
�external_id�
ExternalIdri
re
rl
rg
rL
)r7r_
rL
rM
r`
r-)r�r�r�)�_get_role_config�_resolve_source_credentialsrArZ
rF
r�
r-r<
r�r#
r
r�)r^r8�role_configr_
rM
r�
r�
ri
rl
r�
�	refresherr1r1r4r�
�sB



�


















�




�z.AssumeRoleProvider._load_creds_via_assume_rolecCs�|j�
d
i�}||
}|�
d�
}|d}|�
d�
}|�
d�
}|�
d�
}|�
d�
}	|�
d�
}
||||	||d	�}|
d
u
rLzt|
�
|d<Wn	tyK


Yn
w|d
u
r[|d
u
r[td|
d�
�
|d
urj|d
urjt|jd
d��
|d
u
rv|�|
|�
|S|�|
|�
|S)z?Retrieves and validates the role configuration for the profile.r�
�source_profilerL
�credential_sourceri
r�
r�
rl
)rL
r�
ri
r�
r�
r�
NzDThe profile "%s" contains both source_profile and credential_source.�
r
z#source_profile or credential_sourcer|
)	r�
rArN
r�rrr
�_validate_credential_source�_validate_source_profile)r^r8r�
r"r�
rL
r�
ri
r�
r�
rl
r�
r1r1r4r�
�sP

















�	



�

��


�

��z#AssumeRoleProvider._get_role_configcCs>|jdurt
d
||
fd�
�
|j�|�
st
d||
fd�
�
dS)Nz_The credential_source "%s" is specified in profile "%s", but no source provider was configured.r�
zCThe credential source "%s" referenced in profile "%s" is not valid.)r�
r�is_supported)r^�parent_profiler�
r1r1r4r�
�s



���


���z.AssumeRoleProvider._validate_credential_sourcecCst|�
|
�
|�|
�
g�
Sr/)�any�_has_static_credentialsr�
r�
r1r1r4�_source_profile_has_credentialss


�z2AssumeRoleProvider._source_profile_has_credentialscCsp|j�
d
i�}||v
rtd||
fd�
�
||}||jv
rdS||
kr*t||jd��
|�|�
s6t||jd��
dS)Nr�
zFThe source_profile "%s" referenced in the profile "%s" does not exist.r�
)r�
�visited_profiles)r�
rArr�
rr�
)r^�parent_profile_name�source_profile_namer�
r�
r1r1r4r�
s,

���




�




��z+AssumeRoleProvider._validate_source_profilecsd
dg}t�f
dd�|D�
�
S)Nro
rn
c
3s�|]}
|
�vV
qdSr/r1)r
�
static_key�
r"r1r4�	<genexpr>0��z=AssumeRoleProvider._has_static_credentials.<locals>.<genexpr>)
r�
)r^r"�static_keysr1r�
r4r�
.s

z*AssumeRoleProvider._has_static_credentialscCs<|
�d
�
}|du
r|�
||�S|
d}|j�|�

|�|�
S)Nr�
r�
)rA� _resolve_credentials_from_sourcer�
r~
�!_resolve_credentials_from_profile)r^r�
r8r�
r�
r1r1r4r�
2s




�


z.AssumeRoleProvider._resolve_source_credentialscCs�|j�
d
i�}||
}|�|�
r|js|�|�
S|�|�
s"|�|�
sA|jj|
dd�}t|�
}|��}|dur?d}t	||
d�
�
|S|�
|
�
S)Nr�
Tr;z.The source profile "%s" must have credentials.r�
)r�
rAr�
r�
�(_resolve_static_credentials_from_profiler�
r>rNr�rr�
)r^r8r�
r"rV�
profile_chainr��
error_messager1r1r4r=s.



�



�

�

�
�
z4AssumeRoleProvider._resolve_credentials_from_profilec
CsJzt|
d
|
d|
�
d�
d�WSty$
}
z	t|jt|�
d��
d}~w
w)Nrn
ro
rp
rr|
)r�rAr�rr
�str)r^r"r�
r1r1r4r[s




�


���z;AssumeRoleProvider._resolve_static_credentials_from_profilecCs(|j�
|
�
}|durt|
d
|d��
|S)NzBNo credentials found in credential_source referenced in profile %sr
)r�
r_
r)r^r�
r8r�r1r1r4rfs
�


��z3AssumeRoleProvider._resolve_credentials_from_source)r|r}r~r
r�
r�
r�
�EXPIRY_WINDOW_SECONDSr^
r`r�r�
r�
r�
r�
r�
r�
r�
r�
rrrr1r1r1r4rF@s*




�7
,2
&rFc@sXeZ
dZd
ZdZdddd�Z			ddd	�
Zd
d�Zdd
�Zdd�Z	dd�Z
dd�ZdS)rvzassume-role-with-web-identityN�AWS_WEB_IDENTITY_TOKEN_FILE�AWS_ROLE_SESSION_NAME�AWS_ROLE_ARN)r�
r�
rL
FcCs:||_|
|_
||_||_d|_||_|durt}||_dSr/)r-r�
rF
r�
�_profile_config�_disable_env_varsr�_token_loader_cls)r^r6r7r8r-r<�token_loader_clsr1r1r4r`~s	








z*AssumeRoleWithWebIdentityProvider.__init__c

Cr:
r/)
�_assume_role_with_web_identityrir1r1r4r��r1
z&AssumeRoleWithWebIdentityProvider.loadcCs:|jdur|�
�}|�d
i�}|�|ji�|_|j�|
�
Sr�
)r
r�
rAr�
)r^�key�
loaded_configr�
r1r1r4�_get_profile_config�s






z5AssumeRoleWithWebIdentityProvider._get_profile_configcCs2|jrdS|j
�|
�
}|r|tjvrtj|SdSr/)r�_CONFIG_TO_ENV_VARrAr�r�
)r^r�env_keyr1r1r4�_get_env_config�s






z1AssumeRoleWithWebIdentityProvider._get_env_configcCs |�|
�
}|du
r|S|�
|
�
Sr/)rr)r^r�	env_valuer1r1r4�_get_config�s





z-AssumeRoleWithWebIdentityProvider._get_configc
Cs||�d
�
}
|
s	dS|�
|
�
}|�d�
}|sd}t|d�
�
i}|�d�
}|du
r+||d<t|j||||jd�}t|j|jd�S)	Nr�
rL
z�The provided profile or the current environment is configured to assume role with web identity but has no role ARN configured. Ensure that the profile has the role_arnconfiguration set or the AWS_ROLE_ARN env var is set.r�
r�
rE
)r7rt
rL
rM
r-r�
)	rrrrr
rF
r-r#
r
r<
)r^�
token_path�token_loaderrL
r
rM
r�
r�
r1r1r4r�s0







�









�


�z@AssumeRoleWithWebIdentityProvider._assume_role_with_web_identity)NFN)r|r}r~r
r�
rr`r�rrrrr1r1r1r4rvus 



�


�rvc@s<eZ
dZd
d�Zdd�Zdd�Zdd�Zd	d
�Zdd�Zd
S)rHcCr�r/�
�
_providers�r^r>r1r1r4r`�r{
z'CanonicalNameCredentialSourcer.__init__cCs|
d
d�|jD�
vS)aL
Validates a given source name.

        :type source_name: str
        :param source_name: The value of credential_source in the config
            file. This is the canonical name of the credential provider.

        :rtype: bool
        :returns: True if the credential provider is supported,
            False otherwise.
        c
S�g|]}
|
j�qSr1)
r�
�r
r�
r1r1r4r
��z?CanonicalNameCredentialSourcer.is_supported.<locals>.<listcomp>r)r^�source_namer1r1r4r�
�sz+CanonicalNameCredentialSourcer.is_supportedcCs$|�|
�
}t
|t�r|��S|��S)
a
Loads source credentials based on the provided configuration.

        :type source_name: str
        :param source_name: The value of credential_source in the config
            file. This is the canonical name of the credential provider.

        :rtype: Credentials
        )�
_get_providerr�rNr�r�)r^r"�sourcer1r1r4r_
�s
	



z1CanonicalNameCredentialSourcer.source_credentialscCsV|�|
�
}|
�
�d
vr |�d�
}|du
r |dur|St||g�
S|dur)t|
d�
�
|S)a#
Return a credential provider by its canonical name.

        :type canonical_name: str
        :param canonical_name: The canonical name of the provider.

        :raises UnknownCredentialError: Raised if no
            credential provider by the provided name
            is found.
        )�sharedconfig�sharedcredentialsr�
N�
�name)�_get_provider_by_canonical_name�lower�_get_provider_by_methodrNr)r^�canonical_namer
rTr1r1r4r#�s







z,CanonicalNameCredentialSourcer._get_providercCs2|jD]}|j
}|r|��|
��kr|
Sqd
S)z�Return a credential provider by its canonical name.

        This function is strict, it does not attempt to address
        compatibility issues.
        N)rr�
r*)r^r,r
r(r1r1r4r)s


��z>CanonicalNameCredentialSourcer._get_provider_by_canonical_namecCs"|jD]}|j
|
kr|
Sqd
S)z0Return a credential provider by its METHOD name.N)rr
)r^r�r
r1r1r4r+s




��z6CanonicalNameCredentialSourcer._get_provider_by_methodN)	r|r}r~r`r�
r_
r#r)r+r1r1r1r4rH�s

&rHc@sReZ
dZd
ZdZdZdZdZddd�
Zd	d
�Z	dd�Z
d
d�Zdd�Zdd�Z
dS)rCzcontainer-role�EcsContainer�&AWS_CONTAINER_CREDENTIALS_RELATIVE_URI�"AWS_CONTAINER_CREDENTIALS_FULL_URI�!AWS_CONTAINER_AUTHORIZATION_TOKENNcCs,|
durtj
}
|durt�}|
|_||_dSr/)r�r�
rr�
�_fetcher)r^r�
r�
r1r1r4r`-s






zContainerProvider.__init__c

Cs$|j|j
vs|j|j
vr|��SdSr/)�ENV_VARr�
�ENV_VAR_FULL�_retrieve_or_failrir1r1r4r�5s
�zContainerProvider.loadc
Csn|��r|j
�|j|j�
}
n|j|j}
|��}|�|
|�}|�}t|d
|d|d|j	t
|d�
|d�S)Nrr r!r�)rr r!r�r�r�)�_provided_relative_urir1�full_urlr�
r2r3�_build_headers�_create_fetcherr�r
r�)r^�full_uri�headersr�
r?
r1r1r4r4;s












�z#ContainerProvider._retrieve_or_failc
Cs"|j�
|j�
}
|
du
rd
|
i
SdS)N�
Authorization)r�
rA�ENV_VAR_AUTH_TOKEN)r^�
auth_tokenr1r1r4r7Ls


��z ContainerProvider._build_headerscs��
�fd
d�}|S)Nc
snz
�jj
��
d
�}Wnty'
}

ztjd|
dd�
t�jt|
�
d��
d}
~
w
w|d|d|d|d	d
�S)N)
r:z'Error retrieving container metadata: %sTr

r
r�r��Tokenr�r�)r1�retrieve_full_urirrLrMrr
r)r�r�
�r9r:r^r1r4�fetch_credsTs$



�

�
���


�z6ContainerProvider._create_fetcher.<locals>.fetch_credsr1)r^r9r:rAr1r@r4r8Ss
z!ContainerProvider._create_fetcherc

Cs|j|j
vSr/)r2r�
rir1r1r4r5fs
z(ContainerProvider._provided_relative_urir�)r|r}r~r
r�
r2r3r<r`r�r4r7r8r5r1r1r1r4rC&s





rCc@sDeZ
dZd
d�Zdd�Zdd�Zdd�Zd	d
�Zdd�Zd
d�Z	dS)rNcCs
|
|_d
S)zQ

        :param providers: A list of ``CredentialProvider`` instances.

        Nr=rr1r1r4r`ks
zCredentialResolver.__init__cCsFz
d
d�|jD�
�
|
�
}Wnty


t|
d�
�
w|j�||�
dS)a=
        Inserts a new instance of ``CredentialProvider`` into the chain that
        will be tried before an existing one.

        :param name: The short name of the credentials you'd like to insert the
            new credentials before. (ex. ``env`` or ``config``). Existing names
            & ordering can be discovered via ``self.available_methods``.
        :type name: string

        :param cred_instance: An instance of the new ``Credentials`` object
            you'd like to add to the chain.
        :type cred_instance: A subclass of ``Credentials``
        c
Srr1�
r
r r1r1r4r
�r!z4CredentialResolver.insert_before.<locals>.<listcomp>r'N)r>�indexr�r�insert�r^r(�credential_provider�offsetr1r1r4�
insert_beforess



�z CredentialResolver.insert_beforecCs |�|
�
}|j
�|d
|�
dS)a9
        Inserts a new type of ``Credentials`` instance into the chain that will
        be tried after an existing one.

        :param name: The short name of the credentials you'd like to insert the
            new credentials after. (ex. ``env`` or ``config``). Existing names
            & ordering can be discovered via ``self.available_methods``.
        :type name: string

        :param cred_instance: An instance of the new ``Credentials`` object
            you'd like to add to the chain.
        :type cred_instance: A subclass of ``Credentials``
        r�
N)�_get_provider_offsetr>rDrEr1r1r4�insert_after�s

zCredentialResolver.insert_aftercCs6d
d�|jD�
}|
|v
rdS|�
|
�
}|j�|�

dS)z�
        Removes a given ``Credentials`` instance from the chain.

        :param name: The short name of the credentials instance to remove.
        :type name: string
        c
Srr1rBr r1r1r4r
�r!z-CredentialResolver.remove.<locals>.<listcomp>N)r>rC�pop)r^r(�available_methodsrGr1r1r4rK�s



zCredentialResolver.removecCs|j|�
|
�
S)
z�Return a credential provider by name.

        :type name: str
        :param name: The name of the provider.

        :raises UnknownCredentialError: Raised if no
            credential provider by the provided name
            is found.
        )r>rI�r^r(r1r1r4�get_provider�s
zCredentialResolver.get_providercCs2zd
d�|jD�
�
|
�
WSty


t|
d�
�
w)Nc
Srr1rBr r1r1r4r
�r!z;CredentialResolver._get_provider_offset.<locals>.<listcomp>r')r>rCr�rrMr1r1r4rI�s





�z'CredentialResolver._get_provider_offsetc
Cs6|jD]}
t
�d
|
j�
|
��}|du
r|
SqdS)zw
        Goes through the credentials chain, returning the first ``Credentials``
        that could be loaded.
        zLooking for credentials via: %sN)r>rLrMr
r�)r^r
r?
r1r1r4r��s




�	z#CredentialResolver.load_credentialsN)
r|r}r~r`rHrJrKrNrIr�r1r1r1r4rNjs
rNcs>eZ
dZd
Z		d�f
dd�	Zdd�Zdd�Zd	d
�Z�ZS)�SSOCredentialFetcherz%Y-%m-%dT%H:%M:%SZNc		s:||_||_
||_||_|
|_||_tt|��||�
dSr/)	rF
�_sso_region�
_role_name�_account_id�
_start_url�
_token_loaderr$
rOr`)	r^�	start_url�
sso_regionr�
�
account_idr7rr-r-
r%
r1r4r`�s







�zSSOCredentialFetcher.__init__c
Cs>|j|j
|jd
�}
tj|
ddd�}
t|
�d�
�
��}|�|�
S)rP
)�startUrl�roleName�	accountIdT)�
,r2
)rR
�
separatorsrS
)	rSrQrRr�r�rrU
rV
r8
rW
r1r1r4r)
�s

�



z&SSOCredentialFetcher._create_cache_keycCs$|
d
}tj�
|t��}|�|j�
S)Ng@�@)r��
fromtimestampr	r��_UTC_DATE_FORMAT)r^�timestamp_ms�timestamp_seconds�	timestampr1r1r4�_parse_timestamp�s

z%SSOCredentialFetcher._parse_timestampc
Cs�tt
|jd
�}
|jd|
d�}|j|j|�|j�
d�}z
|jd
i|�
�
}Wn|j	j
y0


t��
w|d}d|d|d|d|�|d	�
d
�d�}|S)z4Get credentials by calling SSO get role credentials.)ru
r.�ssorv
)rYrZ�accessToken�roleCredentials�accessKeyId�secretAccessKey�sessionTokenr@
)r�r�r�r�)�ProviderTyper�Nr1)
r
r
rPrF
rQrRrTrS�get_role_credentials�
exceptions�UnauthorizedExceptionrrb)r^r+r�r�r�r�r1r1r4r9
�s.

�


�


�


��	z%SSOCredentialFetcher._get_credentialsrz)	r|r}r~r^r`r)
rbr9
r'
r1r1r%
r4rO�s

�
rOc@sNeZ
dZd
Zej�ej�ddd
d��
Zgd�
Z		d
dd�
Z
d	d
�Zdd�ZdS)rxrcr�r�r-)�
sso_start_urlrV�
sso_role_name�sso_account_idNcCs@|dur	t|j
�
}||_|duri}||_|
|_||_||_dSr/)r��_SSO_TOKEN_CACHE_DIR�_token_cacher-r�
rF
r�
)r^r6r7r8r-rwr1r1r4r`#s









zSSOProvider.__init__c
s�|��}
|
�
d
i�}|j}|�
|ji��t�f
dd�|jD�
�
r"dSi}g}|jD]}|�vr6�|||<q)|�|�

q)|rLd�|�
}td||fd�
�
|S)Nr�
c
3s�|]}
|
�v
V
qdSr/r1)r
�
c�
r�
r1r4r5r
z/SSOProvider._load_sso_config.<locals>.<genexpr>r
zSThe profile "%s" is configured to use SSO but is missing required configuration: %sr�
)r�
rAr�
�all�_SSO_CONFIG_VARSr~
r�r)r^rr�
r8r+�missing_config_vars�
config_var�missingr1rsr4�_load_sso_config/s(













��zSSOProvider._load_sso_configc
	CsR|��}
|
sdSt
|
d
|
d|
d|
d|jt|jd�
|jd�}t|j|jd�S)NrmrVrnro)
r-)rr-r�
)	ryrOrF
rrqr-r#
r
r<
)r^�
sso_config�sso_fetcherr1r1r4r�Ks 










�


�zSSOProvider.loadr�)
r|r}r~r
r�r�r�r�rprur`ryr�r1r1r1r4rxs

�
�rxr�r{)SrO
r��loggingr�r^
r�r�r�
�collectionsr�copyr�hashlibr�pathlibr�dateutil.parserr�dateutil.tzrr	�botocore.configloaderr��botocore.compatr
rr�botocore.configr
�botocore.exceptionsrrrrrrrrr�botocore.utilsrrrrrr�	getLoggerr|rLrrYr�rEr�r�r�r�rGr�r�r�r�r�r#
r(
rC
rZ
rr
rz
rkrDrBrIrprurJrFrvrHrCrNrOrxr1r1r1r4�<module>
s�


































�
VD
;'E1
P
�9-Ft"*7*7YXDdH