U n/e+@sddlZddlZddlZddlZddlZddlZddlmZddlm Z ddl Z ddl m Z ddl m Z ddlmZddlmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5ddl6m7Z7dd l8m9Z9dd l:m;Z;dd lm?Z?m@Z@eAeBZCdAd dZDGddde'ZEddZFddZGddZHeHZIGdddeZJGddde)ZKGdddeKZLGdddeZMGdd d eeMZNGd!d"d"eeNZOGd#d$d$eNZPGd%d&d&e&ZQGd'd(d(e!ZRGd)d*d*e ZSGd+d,d,e$ZTGd-d.d.e+ZUGd/d0d0eZVGd1d2d2eZWGd3d4d4eZXGd5d6d6eZYGd7d8d8eZZGd9d:d:eZ[Gd;d<dd>eMZ]Gd?d@d@e,Z^dS)BN)deepcopy)sha1)UNSIGNED)compat_shell_split)Config)%!_DEFAULT_ADVISORY_REFRESH_TIMEOUTAssumeRoleCredentialFetcherAssumeRoleProvider!AssumeRoleWithWebIdentityProviderBaseAssumeRoleCredentialFetcher BotoProviderCachedCredentialFetcherCanonicalNameCredentialSourcerConfigNotFoundConfigProviderContainerMetadataFetcherContainerProviderCredentialResolverCredentialRetrievalError Credentials EnvProviderInstanceMetadataProviderInvalidConfigErrorMetadataRetrievalErrorOriginalEC2ProviderPartialCredentialsErrorProcessProviderProfileProviderBuilderReadOnlyCredentialsRefreshableCredentialsRefreshWithMFAUnsupportedErrorSharedCredentialProvider SSOProviderSSOTokenLoaderUnauthorizedSSOTokenErrorUnknownCredentialError_get_client_creator _local_now_parse_if_needed_serialize_if_neededparseresolve_imds_endpoint_mode)tzutc)resolve_awaitable) AioConfig)AioSSOTokenProvider)AioContainerMetadataFetcherAioInstanceMetadataFetcherc sdp d}d}d}ddk }dttd}|dkrVi}t}t} tt|| |dd } t ||d } t fd d t |||t || | g| d } || g} | j||d}tt| | g}| ||}|r||tdt|d}|S)zCreate a default credential resolver. This creates a pre-configured credential resolver that includes the default lookup chain for credentials. profiledefaultZmetadata_service_timeoutZmetadata_service_num_attemptsNec2_metadata_service_endpoint)r4Z"ec2_metadata_service_endpoint_modeZec2_credential_refresh_window)timeout num_attempts user_agentconfig)Ziam_role_fetcher)cache region_namecsjSN) full_configsessionr=;/tmp/pip-unpacked-wheel-8mnez3y6/aiobotocore/credentials.pyiz,create_credential_resolver..) load_configclient_creatorr9 profile_nameZcredential_sourcerprofile_provider_builderrEdisable_env_varszWSkipping environment variable credential check because profile name was explicitly set.) providers)get_config_variableZinstance_variablesgetr+rAioEnvProviderAioContainerProviderAioInstanceMetadataProviderr1r7AioProfileProviderBuilderAioAssumeRoleProviderr&!AioCanonicalNameCredentialSourcerrIAioOriginalEC2ProviderAioBotoProviderremoveloggerdebugAioCredentialResolver)r?r9r:rEZmetadata_timeoutr6rHZ imds_configZ env_providerZcontainer_providerZinstance_metadata_providerrFassume_role_providerZ pre_profileprofile_providersZ post_profilerIresolverr=r>r@create_credential_resolverBsv         r[c@s4eZdZddZddZddZddZd d Zd S) rOcst|fdddS)NcsjjSr;_sessionr<r=selfr=r@rArBzDAioProfileProviderBuilder._create_process_provider..)rErC)AioProcessProviderr_rEr=r^r@_create_process_providers z2AioProfileProviderBuilder._create_process_providercCs|jd}t||dS)NZcredentials_file)rEZcreds_filename)r]rJAioSharedCredentialProvider)r_rEZcredential_filer=r=r@"_create_shared_credential_providers  z.)rCrDr9rErH)$AioAssumeRoleWithWebIdentityProviderr&r]Z _region_name_cache)r_rErHr=r^r@_create_web_identity_providers z7AioProfileProviderBuilder._create_web_identity_providerc s2tfddjj|jjtjj|ddS)NcsjjSr;r\r=r^r=r@rArBz@AioProfileProviderBuilder._create_sso_provider..)r9rE)rCrDrEr9Z token_cachetoken_provider)AioSSOProviderr]Z create_clientriZ_sso_token_cacher/rar=r^r@_create_sso_providers z.AioProfileProviderBuilder._create_sso_providerN)__name__ __module__ __qualname__rbrdrgrjrmr=r=r=r@rOs  rOcst|}|IdHSr;)r[load_credentials)r?rZr=r=r@get_credentialssrrcsfdd}|S)Nc sZ4IdH}|jfIdH}W5QIdHRX|d}|d|d|dt|ddS)Nr AccessKeyIdSecretAccessKey SessionToken Expiration access_key secret_keytoken expiry_time) assume_roler))stsresponse credentialsclientparamsr=r@refreshs" z-create_assume_role_refresher..refreshr=)rrrr=rr@create_assume_role_refreshers rcCsGddd}||jS)Nc@seZdZddZddZdS)z/create_mfa_serial_refresher.._RefreshercSs||_d|_dS)NF)_refresh_has_been_called)r_rr=r=r@__init__sz8create_mfa_serial_refresher.._Refresher.__init__cs |jr td|_|IdHSNT)rr rr^r=r=r@callsz4create_mfa_serial_refresher.._Refresher.callN)rnrorprrr=r=r=r@ _Refreshersr)r)Zactual_refreshrr=r=r@create_mfa_serial_refreshersrc@seZdZddZdS)AioCredentialscst|j|j|jSr;)rrxryrzr^r=r=r@get_frozen_credentialss z%AioCredentials.get_frozen_credentialsN)rnrorprr=r=r=r@rsrcseZdZfddZeddZejddZeddZejddZed d Zejd d Zd d Z ddZ ddZ Z S)AioRefreshableCredentialscstj||t|_dSr;)superrasyncioLock _refresh_lockr_argskwargs __class__r=r@rsz"AioRefreshableCredentials.__init__cCstd|jSNzAmissing call to self._refresh. Use get_frozen_credentials instead)NotImplementedError _access_keyr^r=r=r@rxsz$AioRefreshableCredentials.access_keycCs ||_dSr;)rr_valuer=r=r@rxscCstd|jSr)r _secret_keyr^r=r=r@rysz$AioRefreshableCredentials.secret_keycCs ||_dSr;)rrr=r=r@ryscCstd|jSr)r_tokenr^r=r=r@rz szAioRefreshableCredentials.tokencCs ||_dSr;)rrr=r=r@rz)sc s||jsdS|js|j4IdHT||jsJW5QIdHRdS||j}|j|dIdHW5QIdHRdSQIdHRXn^||jr|j4IdH8||jsW5QIdHRdS|jddIdHW5QIdHRXdS)N) is_mandatoryT)refresh_neededZ_advisory_refresh_timeoutrlockedZ_mandatory_refresh_timeout_protected_refresh)r_Zis_mandatory_refreshr=r=r@r-s$    "  z"AioRefreshableCredentials._refreshcszt|IdH}Wn8tk rN|r.dnd}tjd|dd|rHYdSX||t|j|j|j |_ | rd}t|t |dS)N mandatoryZadvisoryzARefreshing temporary credentials failed during %s refresh period.Texc_infozLCredentials were refreshed, but the refreshed credentials are still expired.) r-_refresh_using ExceptionrUwarningZ_set_from_datarrrr_frozen_credentialsZ _is_expired RuntimeError)r_rmetadataZ period_namemsgr=r=r@rFs.   z,AioRefreshableCredentials._protected_refreshcs|IdH|jSr;)rrr^r=r=r@rgsz0AioRefreshableCredentials.get_frozen_credentials) rnrorprpropertyrxsetterryrzrrr __classcell__r=r=rr@rs        !rcs*eZdZefddZdfdd ZZS)!AioDeferredRefreshableCredentialscCs>||_d|_d|_d|_d|_||_t|_||_ d|_ dSr;) rrrrZ _expiry_timeZ _time_fetcherrrrmethodr)r_ refresh_usingr time_fetcherr=r=r@rms z*AioDeferredRefreshableCredentials.__init__Ncs|jdkrdSt|Sr)rrr)r_Z refresh_inrr=r@rxs z0AioDeferredRefreshableCredentials.refresh_needed)N)rnrorpr'rrrr=r=rr@rls rc@s$eZdZddZddZddZdS)AioCachedCredentialFetchercs tddS)Nz_get_credentials())rr^r=r=r@_get_credentialssz+AioCachedCredentialFetcher._get_credentialscs|IdHSr;)_get_cached_credentialsr^r=r=r@fetch_credentialssz,AioCachedCredentialFetcher.fetch_credentialscsf|}|dkr*|IdH}||n td|d}t|ddd}|d|d|d |d S) zGet up-to-date credentials. This will check the cache for up-to-date credentials, calling assume role if none are available. Nz*Credentials for role retrieved from cache.rrvT)Zisorsrtrurw)Z_load_from_cacherZ_write_to_cacherUrVr))r_r~creds expirationr=r=r@rs  z2AioCachedCredentialFetcher._get_cached_credentialsN)rnrorprrrr=r=r=r@r~src@s eZdZdS)"AioBaseAssumeRoleCredentialFetcherN)rnrorpr=r=r=r@rsrc@seZdZddZddZdS)AioAssumeRoleCredentialFetcherc sX|}|IdH}|4IdH&}|jf|IdHW5QIdHRSQIdHRXdS)'Get credentials by calling assume role.N)_assume_role_kwargs_create_clientr|)r_rrr}r=r=r@rsz/AioAssumeRoleCredentialFetcher._get_credentialscs(|jIdH}|jd|j|j|jdS)z2Create an STS client using the source credentials.Nr})aws_access_key_idaws_secret_access_keyaws_session_token)Z_source_credentialsr_client_creatorrxryrz)r_Zfrozen_credentialsr=r=r@rsz-AioAssumeRoleCredentialFetcher._create_clientN)rnrorprrr=r=r=r@rsrcs.eZdZdfdd ZddZddZZS) -AioAssumeRoleWithWebIdentityCredentialFetcherNcs ||_tj|||||ddS)N) extra_argsr9expiry_window_seconds)_web_identity_token_loaderrr)r_rDweb_identity_token_loaderrole_arnrr9rrr=r@rs z6AioAssumeRoleWithWebIdentityCredentialFetcher.__init__c s^|}ttd}|jd|d4IdH&}|jf|IdHW5QIdHRSQIdHRXdS)r)signature_versionr}r8N)rr.rrZassume_role_with_web_identity)r_rr8rr=r=r@rs z>AioAssumeRoleWithWebIdentityCredentialFetcher._get_credentialscCst|j}|}||d<|S)zAGet the arguments for assume role based on current configuration.ZWebIdentityToken)rZ_assume_kwargsr)r_Zassume_role_kwargsZidentity_tokenr=r=r@rs zAAioAssumeRoleWithWebIdentityCredentialFetcher._assume_role_kwargs)NNN)rnrorprrrrr=r=rr@rs  rcs4eZdZejdfdd ZddZddZZS)r`)popencstj||d|idS)Nr)rr)r_rrrrr=r@rszAioProcessProvider.__init__csjjdkrdSIdH}|ddk rJt|fddjSt|d|d|djdS)Nr{cs Sr;)_retrieve_credentials_usingr=credential_processr_r=r@rArBz)AioProcessProvider.load..rxryrz)rxryrzr)Z_credential_processrrKrcreate_from_metadataMETHODr)r_Z creds_dictr=rr@loads  zAioProcessProvider.loadc st|}|j|tjtjdIdH}|IdH\}}|jdkrTt|j|ddt j j |d}| dd}|dkrt|jd|d dz$|d |d | d | d dWStk r}zt|jd|dW5d}~XYnXdS)N)stdoutstderrrutf-8provider error_msgVersionzzUnsupported version 'z8' for credential process provider, supported versions: 1rsrtrurvrwz"Missing required key in response: )rZ_popen subprocessPIPE communicate returncoderrdecodebotocorecompatjsonloadsrKKeyError) r_rZ process_listprrparsedversioner=r=r@rs<   z.AioProcessProvider._retrieve_credentials_using) rnrorprZcreate_subprocess_execrrrrr=r=rr@r`sr`c@seZdZddZdS)rNcsD|j}|IdH}|sdStd|dtj||j|jd}|S)Nz#Found credentials from IAM Role: %s role_namerr)Z _role_fetcherZretrieve_iam_role_credentialsrUinforrr)r_fetcherrrr=r=r@r sz AioInstanceMetadataProvider.loadNrnrorprr=r=r=r@rNsrNc@seZdZddZdS)rLcs|j|jdd}|rtd|}|dd}|d}|dk rnt|}t|d|d|d|||jd St |d|d|d|jd SdSdS) Nrxz+Found credentials in environment variables.F)Zrequire_expiryr{ryrz)rrr) environrK_mappingrUrZ_create_credentials_fetcherr*rrr)r_rxrrr{r=r=r@r2s.   zAioEnvProvider.loadNrr=r=r=r@rL1srLc@seZdZddZdS)rRcshd|jkr`tj|jd}||}|j|krdtd||j}||j}t |||j dSndSdS)NZAWS_CREDENTIAL_FILEz)Found credentials in AWS_CREDENTIAL_FILE.r) _environospath expanduser_parser ACCESS_KEYrUr SECRET_KEYrr)r_ full_pathrrxryr=r=r@rQs      zAioOriginalEC2Provider.loadNrr=r=r=r@rRPsrRc@seZdZddZdS)rccsz||j}Wntk r&YdSX|j|kr||j}|j|krtd|j|||j|j\}}| |}t ||||j dSdS)Nz0Found credentials in shared credentials file: %sr) _ini_parserZ_creds_filenamer _profile_namerrUr_extract_creds_from_mappingr_get_session_tokenrr)r_Zavailable_credsr8rxryrzr=r=r@rds.    z AioSharedCredentialProvider.loadNrr=r=r=r@rccsrcc@seZdZddZdS)rfcsz||j}Wntk r&YdSX|j|dkr|d|j}|j|krtd|j|||j|j\}}| |}t ||||j dSndSdS)Nprofilesz$Credentials found in config file: %sr) Z_config_parserZ_config_filenamerrrrUrrrrrr)r_r<Zprofile_configrxryrzr=r=r@rzs0  zAioConfigProvider.loadNrr=r=r=r@rfysrfc@seZdZddZdS)rSc s|j|jkr|j|jg}n|j}|D]|}z||}Wntk rPYq&YnXd|kr&|d}|j|kr&td||||j|j \}}t |||j dSq&dS)Nrz)Found credentials in boto config file: %sr) ZBOTO_CONFIG_ENVrZDEFAULT_CONFIG_FILENAMESrrrrUrrrrr)r_Zpotential_locationsfilenamer8rrxryr=r=r@rs2   zAioBotoProvider.loadNrr=r=r=r@rSsrSc@s<eZdZddZddZddZddZd d Zd d Zd S)rPcsF||_|jdi}||ji}||rB||jIdHSdS)Nr)Z _load_config_loaded_configrKr_has_assume_role_config_vars_load_creds_via_assume_role)r_rr2r=r=r@rs   zAioAssumeRoleProvider.loadc s||}|||IdH}i}|d}|dk r:||d<|d}|dk rT||d<|d}|dk rn||d<|d}|dk r||d<t|j||d ||j|jd } | j} |dk rt| } t |j | t d S) Nrole_session_nameRoleSessionName external_idZ ExternalId mfa_serialZ SerialNumberduration_secondsZDurationSecondsr)rDsource_credentialsrrZ mfa_prompterr9)rrr) Z_get_role_config_resolve_source_credentialsrKrrZ _prompterr9rrrrr') r_rE role_configrrrrrrrZ refresherr=r=r@rsD      z1AioAssumeRoleProvider._load_creds_via_assume_rolecsH|d}|dk r$|||IdHS|d}|j|||IdHS)Ncredential_sourcesource_profile)rK _resolve_credentials_from_sourceZ_visited_profilesappend!_resolve_credentials_from_profile)r_r rEr r r=r=r@rs   z1AioAssumeRoleProvider._resolve_source_credentialscs|jdi}||}||r0|js0||S||sD||s|jj|dd}t|}|IdH}|dkrd}t ||d|S| |IdHS)NrTrGz.The source profile "%s" must have credentials.r) rrKZ_has_static_credentialsZ_profile_provider_builder(_resolve_static_credentials_from_profilerrIrWrqrr)r_rErr2rYZ profile_chainr error_messager=r=r@rs4 z7AioAssumeRoleProvider._resolve_credentials_from_profilec CsXzt|d|d|ddWStk rR}zt|jt|dW5d}~XYnXdS)Nrrr)rxryrz)rZcred_var)rrKrrrstr)r_r2rr=r=r@rsz>AioAssumeRoleProvider._resolve_static_credentials_from_profilecs.|j|IdH}|dkr*t|d|d|S)NzBNo credentials found in credential_source referenced in profile %sr)Z_credential_sourcerrr)r_r rErr=r=r@r s z6AioAssumeRoleProvider._resolve_credentials_from_sourceN) rnrorprrrrrr r=r=r=r@rPs ,  rPc@seZdZddZddZdS)rhcs|IdHSr;)_assume_role_with_web_identityr^r=r=r@r%sz)AioAssumeRoleWithWebIdentityProvider.loadcs||d}|sdS||}|d}|s8d}t|di}|d}|dk rV||d<t|j||||jd}t|j|jdS) NZweb_identity_token_filerzThe provided profile or the current environment is configured to assume role with web identity but has no role ARN configured. Ensure that the profile has the role_arnconfiguration set or the AWS_ROLE_ARN env var is set.rrr)rDrrrr9r) Z _get_configZ_token_loader_clsrrrr9rrr)r_Z token_path token_loaderrrrrrr=r=r@r(s0      zCAioAssumeRoleWithWebIdentityProvider._assume_role_with_web_identityN)rnrorprrr=r=r=r@rh$srhc@seZdZddZddZdS)rQcs0||}t|tr"|IdHS|IdHS)aLoads source credentials based on the provided configuration. :type source_name: str :param source_name: The value of credential_source in the config file. This is the canonical name of the credential provider. :rtype: Credentials N) _get_provider isinstancerWrqr)r_Z source_namesourcer=r=r@rNs  z4AioCanonicalNameCredentialSourcer.source_credentialscCsV||}|dkr@|d}|dk r@|dkr4|St||gS|dkrRt|d|S)a#Return a credential provider by its canonical name. :type canonical_name: str :param canonical_name: The canonical name of the provider. :raises UnknownCredentialError: Raised if no credential provider by the provided name is found. )Z sharedconfigZsharedcredentialsz assume-roleN)name)Z_get_provider_by_canonical_namelowerZ_get_provider_by_methodrWr%)r_canonical_namerrXr=r=r@r\s     z/AioCanonicalNameCredentialSourcer._get_providerN)rnrorprrr=r=r=r@rQMsrQcs4eZdZfddZddZddZddZZS) rMcs&tj||t|jtr"t|_dSr;)rrr_fetcherrr0rrr=r@rs zAioContainerProvider.__init__cs*|j|jks|j|jkr&|IdHSdSr;)ENV_VARr ENV_VAR_FULL_retrieve_or_failr^r=r=r@rszAioContainerProvider.loadcst|r|j|j|j}n |j|j}|}|||}|IdH}t|d|d|d|j t |d|dS)Nrxryrzr{)rxryrzrr{r) Z_provided_relative_urirfull_urlrrrZ_build_headers_create_fetcherrrr()r_full_uriheadersrrr=r=r@rs    z&AioContainerProvider._retrieve_or_failcsfdd}|S)Nc s~zjjdIdH}WnDtk r^}z&tjd|ddtjt|dW5d}~XYnX|d|d|d|d d S) N)r"z'Error retrieving container metadata: %sTrrrsrtTokenrvrw)rZretrieve_full_urirrUrVrrr)r~rr!r"r_r=r@ fetch_credss(z9AioContainerProvider._create_fetcher..fetch_credsr=)r_r!r"r%r=r$r@r sz$AioContainerProvider._create_fetcher)rnrorprrrr rr=r=rr@rMs rMc@seZdZddZdS)rWcs<|jD]0}td|j|IdH}|dk r|SqdS)zw Goes through the credentials chain, returning the first ``Credentials`` that could be loaded. zLooking for credentials via: %sN)rIrUrVrr)r_rrr=r=r@rqs   z&AioCredentialResolver.load_credentialsN)rnrorprqr=r=r=r@rWsrWcs:eZdZdZd fdd ZddZddZd d ZZS) AioSSOCredentialFetcherz%Y-%m-%dT%H:%M:%SZNc sB||_||_||_||_||_||_| |_| |_t ||dSr;) r _sso_region _role_name _account_id _start_url _token_loader_token_provider_sso_session_namerr) r_ start_url sso_regionr account_idrDrr9rrksso_session_namerr=r@rs z AioSSOCredentialFetcher.__init__cCsV|j|jd}|jr |j|d<n |j|d<tj|ddd}t|d}| |S)N)roleName accountIdZ sessionNameZstartUrlT),:) sort_keys separatorsr) r(r)r-r*rdumpsrencode hexdigestZ_make_file_safe)r_rZ argument_hashr=r=r@_create_cache_keys  z)AioSSOCredentialFetcher._create_cache_keycCs$|d}tj|t}||jS)Ng@@)datetime fromtimestampr,strftime_UTC_DATE_FORMAT)r_Z timestamp_msZtimestamp_seconds timestampr=r=r@_parse_timestampsz(AioSSOCredentialFetcher._parse_timestampc stt|jd}|jd|d4IdH}|jrH|j}|IdHj}n||j d}|j |j |d}z|j f|IdH}Wn|j jk rtYnX|d}d|d|d |d ||d d d }|W5QIdHRSQIdHRXdS)z4Get credentials by calling SSO get role credentials.)rr:ZssorN accessToken)r2r3rBZroleCredentialsZ accessKeyIdZsecretAccessKeyZ sessionTokenr)rsrtrurv)Z ProviderTyper)rrr'rr,Z load_tokenZget_frozen_tokenrzr+r*r(r)Zget_role_credentials exceptionsZUnauthorizedExceptionr$rA)r_r8rZinitial_token_datarzrr~rr=r=r@rs8   z(AioSSOCredentialFetcher._get_credentials)NNNNN) rnrorpr?rr;rArrr=r=rr@r&s r&c@seZdZddZdS)rlcsx|}|sdS|d|d|d|d|jt|jd|jd}d|kr^|d|d<|j|d <tf|}t|j|j d S) NZ sso_start_urlr/Z sso_role_nameZsso_account_id)r9)r.r/rr0rDrr9Z sso_sessionr1rkr) Z_load_sso_configrr#Z _token_cacher9r,r&rrr)r_Z sso_configZfetcher_kwargsZ sso_fetcherr=r=r@r"s&     zAioSSOProvider.loadNrr=r=r=r@rl!srl)NN)_rr<rloggingrrcopyrhashlibrZbotocore.compatrrrZbotocore.configrZbotocore.credentialsrrr r r r r rrrrrrrrrrrrrrrrrrr r!r"r#r$r%r&r'r(r)r*r+Z dateutil.tzr,Zaiobotocore._helpersr-Zaiobotocore.configr.Zaiobotocore.tokensr/Zaiobotocore.utilsr0r1 getLoggerrnrUr[rOrrrrZcreate_aio_mfa_serial_refresherrrrrrrrr`rNrLrRrcrfrSrPrhrQrMrWr&rlr=r=r=r@sj     '      [/m   )<y)64T