o ,&a@sddlZddlZddlZddlZddlmZddlmZmZddl Z ddl Z ddl m Z ddl Z ddlmZmZmZmZmZmZmZmZmZmZmZddlmZddlmZmZddlmZe e!Z"d Z#d Z$d Z%d Z&gd Z'dZ(ddZ)ddZ*Gddde+Z,Gddde,Z-Gddde,Z.Gddde,Z/Gddde/Z0Gddde/Z1Gdd d e1Z2Gd!d"d"e/Z3Gd#d$d$e,Z4Gd%d&d&e4Z5Gd'd(d(e4Z6e-e.e.e4e5e6e3d)Z7erdd*l8m9Z9e7:e9dSe7:e/e1e0e2d+dS),N formatdate)sha1sha256) itemgetter) encodebytesensure_unicode HTTPHeadersjsonparse_qsquotesixunquoteurlsplit urlunsplitHAS_CRT)NoCredentialsError)normalize_url_pathpercent_encode_sequence) MD5_AVAILABLE@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855iz%Y-%m-%dT%H:%M:%SZz%Y%m%dT%H%M%SZ)expectz user-agentzx-amzn-trace-idzUNSIGNED-PAYLOADcCsFt|}|j}ddd}|jdur!|j||jkr!d||jf}|S)NPi)httphttpsz%s:%d)rhostnameportgetscheme)url url_partshost default_portsr#//usr/lib/python3/dist-packages/botocore/auth.py_host_from_url7s r%cCs@|j}t|tjrt|d}|St|tjrt|}|SNutf-8)data isinstancer binary_typer loadsdecode string_types)requestr(r#r#r$_get_body_as_dictHs  r/c@eZdZdZddZdS) BaseSignerFcCstd)Nadd_auth)NotImplementedErrorselfr.r#r#r$r2XszBaseSigner.add_authN)__name__ __module__ __qualname__REQUIRES_REGIONr2r#r#r#r$r1Us r1c@s(eZdZdZddZddZddZdS) SigV2Authz+ Sign a request with Signature V2. cC ||_dSN credentialsr5r>r#r#r$__init__a zSigV2Auth.__init__cCstdt|j}|j}t|dkrd}d|j|j|f}tj |j j dt d}g}t|D]*}|dkr7q0t||} t| ddd } t| dd d } || d | q0d |} || 7}td ||| dt|d} | | fS)Nz$Calculating signature using v2 auth.r/z %s %s %s r' digestmod Signaturesafez-_~=&zString to sign: %s)loggerdebugrrpathlenmethodnetlochmacnewr> secret_keyencodersortedr text_typer appendjoinupdatebase64 b64encodedigeststripr,)r5r.paramssplitrMstring_to_signlhmacpairskeyvalue quoted_key quoted_valueqsb64r#r#r$calc_signatureds4      zSigV2Auth.calc_signaturecCs|jdurt|jr|j}n|j}|jj|d<d|d<d|d<ttt|d<|jj r4|jj |d<| ||\}}||d<|S) NAWSAccessKeyId2SignatureVersion HmacSHA256SignatureMethod Timestamp SecurityTokenrE) r>rr(r^ access_keytimestrftimeISO8601gmtimetokenri)r5r.r^rg signaturer#r#r$r2s   zSigV2Auth.add_authN)r6r7r8__doc__r@rir2r#r#r#r$r:\s  r:c@seZdZddZddZdS) SigV3AuthcCr;r<r=r?r#r#r$r@rAzSigV3Auth.__init__cCs|jdurtd|jvr|jd=tdd|jd<|jjr-d|jvr&|jd=|jj|jd<tj|jjdt d}| |jddt |  }d|jjd|df}d |jvra|jd =||jd <dS) NDateTusegmtX-Amz-Security-Tokenr'rCz6AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=%s,Signature=%srmzX-Amzn-Authorization)r>rheadersrrvrQrRrSrTrrYrr\r]rqr,)r5r.new_hmacencoded_signaturerwr#r#r$r2s,    zSigV3Auth.add_authN)r6r7r8r@r2r#r#r#r$rys ryc@seZdZdZdZddZd/ddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ ddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.S)0 SigV4Authz+ Sign a request with Signature V4. TcCs||_||_||_dSr<)r> _region_name _service_namer5r> service_name region_namer#r#r$r@s zSigV4Auth.__init__FcCs<|rt||dt}|St||dt}|Sr&)rQrRrTr hexdigestr\)r5rcmsghexsigr#r#r$_signs zSigV4Auth._signcCsLt}|jD]\}}|}|tvr|||<qd|vr$t|j|d<|S)zk Select the headers from the request that need to be included in the StringToSign. r!)r r~itemslowerSIGNED_HEADERS_BLACKLISTr%r)r5r. header_mapnamerdlnamer#r#r$headers_to_signszSigV4Auth.headers_to_signcCs"|jr ||jS|t|jSr<)r^_canonical_query_string_params_canonical_query_string_urlrrr4r#r#r$canonical_query_strings z SigV4Auth.canonical_query_stringcCsng}|D]}t||}|t|ddt|ddfqg}t|D] \}}|d||fq"d|}|S)Nz-_.~rG%s=%srJ)strrWr rUrX)r5r^ key_val_pairsrcrdsorted_key_valsrr#r#r$rs   z(SigV4Auth._canonical_query_string_paramsc Cstd}|jr8g}|jdD]}|d\}}}|||fq g}t|D] \}}|d||fq%d|}|S)NrFrJrIr)queryr_ partitionrWrUrX) r5partsrrpairrc_rdrr#r#r$rs z%SigV4Auth._canonical_query_string_urlcsXg}tt|}|D]}dfdd||D}|d|t|fq d|S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ,c3s|]}|VqdSr<) _header_value.0vr5r#r$ sz.SigV4Auth.canonical_headers..%s:%s )rUsetrXget_allrWr)r5rr~sorted_header_namesrcrdr#rr$canonical_headerss  zSigV4Auth.canonical_headerscCsd|S)N )rXr_)r5rdr#r#r$rszSigV4Auth._header_valuecCs tddt|D}d|S)NcSsg|]}|qSr#)rr])rnr#r#r$ z,SigV4Auth.signed_headers..;)rUrrX)r5rr~r#r#r$signed_headerss zSigV4Auth.signed_headerscCs||stS|j}|r7t|dr7|}t|jt}t }t |dD]}| |q$| }| ||S|r?t | StS)Nseek)_should_sha256_sign_payloadUNSIGNED_PAYLOADbodyhasattrtell functoolspartialreadPAYLOAD_BUFFERriterrYrrEMPTY_SHA256_HASH)r5r. request_bodypositionread_chunksizechecksumchunk hex_checksumr#r#r$payloads"    zSigV4Auth.payloadcCs|jdsdS|jddS)NrTpayload_signing_enabled)r startswithcontextrr4r#r#r$r6s z%SigV4Auth._should_sha256_sign_payloadcCs|jg}|t|jj}|||||||}|| |d|| |d|j vr>|j d}n| |}||d |S)NrX-Amz-Content-SHA256)rOupper_normalize_url_pathrrrMrWrrrrr~rrX)r5r.crrMr body_checksumr#r#r$canonical_request@s        zSigV4Auth.canonical_requestcCstt|dd}|S)Nz/~rG)r r)r5rMnormalized_pathr#r#r$rOszSigV4Auth._normalize_url_pathcCsN|jjg}||jddd||j||j|dd|SN timestampr aws4_requestrB)r>rqrWrrrrXr5r.scoper#r#r$rSs     zSigV4Auth.scopecCsHg}||jddd||j||j|dd|Sr)rWrrrrXrr#r#r$credential_scope[s     zSigV4Auth.credential_scopecCsHdg}||jd||||t|dd|S)z Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. AWS4-HMAC-SHA256rr'r)rWrrrrTrrX)r5r.rstsr#r#r$r`cs  zSigV4Auth.string_to_signcCsd|jj}|d|d|jddd}|||j}|||j}||d}|j||ddS) NAWS4r'rrrrT)r)r>rSrrTrrr)r5r`r.rck_datek_region k_service k_signingr#r#r$rwos zSigV4Auth.signaturecCs|jdurttj}|t|jd<||||}t dt d|| ||}t d|| ||}t d|| ||dS)Nrz$Calculating signature using v4 auth.zCanonicalRequest: %sStringToSign: %sz Signature: %s)r>rdatetimeutcnowrsSIGV4_TIMESTAMPr_modify_request_before_signingrrKrLr`rw_inject_signature_to_request)r5r. datetime_nowrr`rwr#r#r$r2xs          zSigV4Auth.add_authcCsPd||g}||}|d|||d|d||jd<|S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=%sz Signature=%sz, Authorization)rrrWrrXr~)r5r.rwauth_strrr#r#r$rs  z&SigV4Auth._inject_signature_to_requestcCsvd|jvr |jd=|||jjr"d|jvr|jd=|jj|jd<|jdds9d|jvr2|jd=t|jd<dSdS)Nrr}rTr)r~_set_necessary_date_headersr>rvrrrr4r#r#r$rs    z(SigV4Auth._modify_request_before_signingcCsd|jvr.|jd=tj|jdt}ttt| |jd<d|jvr,|jd=dSdSd|jvr7|jd=|jd|jd<dS)Nrzr X-Amz-Date) r~rstrptimerrrintcalendartimegm timetuple)r5r.datetime_timestampr#r#r$rs     z%SigV4Auth._set_necessary_date_headersN)F)r6r7r8rxr9r@rrrrrrrrrrrrrrr`rwr2rrrr#r#r#r$rs0      rcs0eZdZfddZfddZddZZS) S3SigV4Authcs6tt||d|jvr|jd=|||jd<dS)Nr)superrrr~rr4 __class__r#r$rs z*S3SigV4Auth._modify_request_before_signingcsx|jd}t|dd}|duri}|dd}|dur|S|jdr)d|jvr+dS|jddr4dStt||S) N client_configs3rrz Content-MD5Thas_streaming_inputF) rrgetattrrrr~rrr)r5r.r s3_config sign_payloadrr#r$rs     z'S3SigV4Auth._should_sha256_sign_payloadcC|Sr<r#r5rMr#r#r$rzS3SigV4Auth._normalize_url_path)r6r7r8rrr __classcell__r#r#rr$rs  "rcs4eZdZdZeffdd ZddZddZZS)SigV4QueryAuthcstt||||||_dSr<)rrr@_expires)r5r>rrexpiresrr#r$r@s zSigV4QueryAuth.__init__c Cs|jd}d}||kr|jd=|||}d|||jd|j|d}|jjdur3|jj|d<t |j }t ddt |j d d D}|jrT||ji|_d }|jrc|t|d |_|rkt|d }|t|} |} | d | d| d| | df} t| |_ dS)N content-typez0application/x-www-form-urlencoded; charset=utf-8rr)zX-Amz-AlgorithmzX-Amz-Credentialrz X-Amz-ExpireszX-Amz-SignedHeadersr}cSsg|] \}}||dfqSrr#)rkrr#r#r$r szASigV4QueryAuth._modify_request_before_signing..T)keep_blank_valuesrFrJr)r~rrrrrrr>rvrrdictr rrr^rYr(r/rr) r5r. content_typeblacklisted_content_typer auth_paramsr query_dictoperation_paramsnew_query_stringp new_url_partsr#r#r$rsF       z-SigV4QueryAuth._modify_request_before_signingcCs|jd|7_dS)Nz&X-Amz-Signature=%s)rr5r.rwr#r#r$r*sz+SigV4QueryAuth._inject_signature_to_request)r6r7r8DEFAULT_EXPIRESr@rrrr#r#rr$rs @rc@s eZdZdZddZddZdS)S3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCrr<r#rr#r#r$r<rz$S3SigV4QueryAuth._normalize_url_pathcCstSr<)rr4r#r#r$r@szS3SigV4QueryAuth.payloadN)r6r7r8rxrrr#r#r#r$r1s rc@r0)S3SigV4PostAuthz Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCsNtj}|t|jd<i}|jdddur|jd}i}g}|jdddur;|jd}|dddur;|d}||d<d|d<|||d<|jd|d<|ddi|d||i|d|jdi|jj dur|jj |d <|d |jj it t |d d |d <||d ||d <||jd<||jd<dS) Nrs3-presign-post-fieldss3-presign-post-policy conditionsrzx-amz-algorithmzx-amz-credentialz x-amz-datex-amz-security-tokenr'policyzx-amz-signature)rrrsrrrrrWr>rvrZr[r dumpsrTr,rw)r5r.rfieldsrrr#r#r$r2Os:      zS3SigV4PostAuth.add_authNr6r7r8rxr2r#r#r#r$rHs rc@s|eZdZgdZdddZddZddZd d Zd d Zdd dZ  dddZ  dddZ ddZ ddZ ddZdS) HmacV1Auth)$ accelerateaclcorsdefaultObjectAcllocationlogging partNumberrrequestPaymenttorrent versioning versionIdversionswebsiteuploadsuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingdelete lifecycletaggingrestore storageClass notification replicationr% analyticsmetrics inventoryselectz select-typez object-lockNcCr;r<r=rr#r#r$r@rAzHmacV1Auth.__init__cCs>tj|jjdtd}||dt| dS)Nr'rC) rQrRr>rSrTrrYrr\r]r,)r5r`rr#r#r$ sign_strings zHmacV1Auth.sign_stringcCsgd}g}d|vr |d=||d<|D])}d}|D]}|}||dur6||kr6|||d}q|s>|dqd|S)N) content-md5rdaterzFTrFr) _get_daterrWr]rX)r5r~interesting_headershoiihfoundrclkr#r#r$canonical_standard_headerss"   z%HmacV1Auth.canonical_standard_headerscCsg}i}|D] }|}||dur&|dr&ddd||D||<qt|}|D] }|d|||fq/d|S)Nx-amz-rcss|]}|VqdSr<)r]rr#r#r$rsz6HmacV1Auth.canonical_custom_headers..rr)rrrXrrUkeysrW)r5r~r=custom_headersrcr@sorted_header_keysr#r#r$canonical_custom_headerss      z#HmacV1Auth.canonical_custom_headerscCs$t|dkr|S|dt|dfS)z( TODO: Do we need this? rr)rNr)r5nvr#r#r$ unquote_vs zHmacV1Auth.unquote_vcs|dur|}n|j}|jrC|jd}dd|D}fdd|D}t|dkrC|jtdddd|D}|d7}|d|7}|S) NrJcSsg|]}|ddqS)rIr)r_rar#r#r$rrz1HmacV1Auth.canonical_resource..cs$g|]}|djvr|qSr) QSAOfInterestrHrIrr#r$rsr)rccSsg|]}d|qS)rI)rXrIr#r#r$rs?)rMrr_rNsortrrX)r5r_ auth_pathbufqsar#rr$canonical_resources   zHmacV1Auth.canonical_resourcecCsN|d}|||d7}||}|r||d7}||j||d7}|S)NrrN)rrArFrQ)r5rOr_r~rrNcsrDr#r#r$canonical_strings   zHmacV1Auth.canonical_stringcCsB|jjr |d=|jj|d<|j||||d}td|||S)NrrRr)r>rvrTrKrLr8)r5rOr_r~rrNr`r#r#r$ get_signatures   zHmacV1Auth.get_signaturecCsX|jdurttdt|j}td|j|j|j||j|j d}| ||dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %srR) r>rrKrLrrrOrUr~rN_inject_signature)r5r.r_rwr#r#r$r2s    zHmacV1Auth.add_authcCs tddS)NTr{rrr#r#r$r;rAzHmacV1Auth._get_datecCs,d|jvr |jd=d|jj|f|jd<dS)Nrz AWS %s:%s)r~r>rqrr#r#r$rVs  zHmacV1Auth._inject_signature)NNr<)r6r7r8rKr@r8rArFrHrQrTrUr2r;rVr#r#r#r$rvs"       rc@s0eZdZdZdZefddZddZddZd S) HmacV1QueryAuthz Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth rcCs||_||_dSr<)r>r)r5r>rr#r#r$r@ s zHmacV1QueryAuth.__init__cCstttt|jSr<)rrrrrrr#r#r$r;szHmacV1QueryAuth._get_datec Csi}|jj|d<||d<|jD]"}|}|dkr!|jd|d<q|ds*|dvr1|j|||<qt|}t|j}|drGd|d|f}|d |d |d ||d f}t||_dS) NrjrErzExpiresrB)r9rz%s&%srrrr) r>rqr~rrrrrr) r5r.rwr  header_keyr@rrrr#r#r$rVs    z!HmacV1QueryAuth._inject_signatureN)r6r7r8rxrr@r;rVr#r#r#r$rWs   rWc@r0)HmacV1PostAuthz Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsi}|jdddur|jd}i}g}|jdddur.|jd}|dddur.|d}||d<|jj|d<|jjdurM|jj|d<|d|jjitt | d d|d<| |d|d<||jd<||jd<dS) Nrrrrjrr'rrw) rrr>rqrvrWrZr[r rrTr,r8)r5r.rrrr#r#r$r2:s,      zHmacV1PostAuth.add_authNrr#r#r#r$r[2s r[)v2v3v3httpsrzs3-queryzs3-presign-postzs3v4-presign-post)CRT_AUTH_TYPE_MAPS)v4zv4-querys3v4z s3v4-query);rZrrr email.utilsrhashlibrrrQr#operatorrrrbotocore.compatrrr r r r r rrrrbotocore.exceptionsrbotocore.utilsrrr getLoggerr6rKrrrtrrrr%r/objectr1r:ryrrrrrrrWr[AUTH_TYPE_MAPSbotocore.crt.authr_rYr#r#r#r$sl   4    >/P. 2'