U C^ @sddlZddlZddlmZddlmZddlZddlZddlmZddl m Z ddl Z ddl Z ddl Z ddlZddlmZddlmZmZddlmZdd lmZmZmZmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZee Z!dZ"dZ#dZ$dZ%dddgZ&dZ'Gddde(Z)Gddde)Z*Gddde)Z+Gddde)Z,Gd d!d!e,Z-Gd"d#d#e,Z.Gd$d%d%e.Z/Gd&d'd'e,Z0Gd(d)d)e)Z1Gd*d+d+e1Z2Gd,d-d-e1Z3e*e,e.e+e+e1e2e3e-e/e0d. Z4dS)/N)sha256)sha1 formatdate) itemgetter)NoCredentialsError)normalize_url_pathpercent_encode_sequence) HTTPHeaders)quoteunquoteurlsplitparse_qs) urlunsplit) encodebytes)six)json) MD5_AVAILABLE)ensure_unicodeZ@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855iz%Y-%m-%dT%H:%M:%SZz%Y%m%dT%H%M%SZexpectz user-agentzx-amzn-trace-idzUNSIGNED-PAYLOADc@seZdZdZddZdS) BaseSignerFcCs tddS)Nadd_auth)NotImplementedErrorselfrequestr3/tmp/pip-install-6_kvzl1k/botocore/botocore/auth.pyr<szBaseSigner.add_authN)__name__ __module__ __qualname__REQUIRES_REGIONrrrrrr9src@s(eZdZdZddZddZddZdS) SigV2Authz+ Sign a request with Signature V2. cCs ||_dSN credentialsrr%rrr__init__EszSigV2Auth.__init__c Cstdt|j}|j}t|dkr*d}d|j|j|f}tj |j j dt d}g}t|D]J}|dkrnq`t||} |t| ddd d t| dd d q`d |} || 7}td ||| dt|d} | | fS)Nz$Calculating signature using v2 auth.r/z %s %s %s utf-8 digestmod Signaturesafe=z-_~&zString to sign: %s)loggerdebugr urlpathlenmethodnetlochmacnewr% secret_keyencodersortedr text_typeappendr joinupdatebase64 b64encodedigeststripdecode) rrparamssplitr5string_to_signZlhmacpairskeyvalueqsZb64rrrcalc_signatureHs4      zSigV2Auth.calc_signaturecCs|jdkrt|jr|j}n|j}|jj|d<d|d<d|d<ttt|d<|jj rf|jj |d<| ||\}}||d<|S) NAWSAccessKeyId2ZSignatureVersion HmacSHA256ZSignatureMethodZ TimestampZ SecurityTokenr,) r%rdatarG access_keytimestrftimeISO8601gmtimetokenrN)rrrGrM signaturerrrrds   zSigV2Auth.add_authN)rrr __doc__r'rNrrrrrr"@sr"c@seZdZddZddZdS) SigV3AuthcCs ||_dSr#r$r&rrrr'~szSigV3Auth.__init__cCs|jdkrtd|jkr |jd=tdd|jd<|jjrXd|jkrJ|jd=|jj|jd<tj|jjdt d}| |jddt |  }d|jjd|df}d |jkr|jd =||jd <dS) NDateTusegmtX-Amz-Security-Tokenr)r*z6AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=%s,Signature=%srQzX-Amzn-Authorization)r%rheadersrrXr9r:r;r<rrArrDrErSrF)rrnew_hmacZencoded_signaturerYrrrrs,    zSigV3Auth.add_authN)rrr r'rrrrrr[}sr[c@seZdZdZdZddZd1ddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ ddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0S)2 SigV4Authz+ Sign a request with Signature V4. TcCs||_||_||_dSr#)r% _region_name _service_namerr% service_name region_namerrrr'szSigV4Auth.__init__FcCs:|rt||dt}nt||dt}|SNr))r9r:r<r hexdigestrD)rrKmsghexsigrrr_signszSigV4Auth._signcCsRt}|jD] \}}|}|tkr|||<qd|krN||j|d<|S)zk Select the headers from the request that need to be included in the StringToSign. host)r r`itemslowerSIGNED_HEADERS_BLACKLIST_canonical_hostr4)rrZ header_mapnamerLlnamerrrheaders_to_signs zSigV4Auth.headers_to_signcsDt|ddd}tfdd|Dr2jSjdddS) NPi)httphttpsc3s&|]\}}j|koj|kVqdSr#)schemeport).0ryrz url_partsrr sz,SigV4Auth._canonical_host..@)r anyrohostnamer8rsplit)rr4Z default_portsrr|rrrs zSigV4Auth._canonical_hostcCs&|jr||jS|t|jSdSr#)rG_canonical_query_string_params_canonical_query_string_urlr r4rrrrcanonical_query_strings z SigV4Auth.canonical_query_stringc CsNg}t|D]2}t||}|dt|ddt|ddfq d|}|S)N%s=%sz-_.~r.r1)r=strr?r r@)rrGlparamrLZcqsrrrrs    z(SigV4Auth._canonical_query_string_paramsc Cstd}|jrpg}|jdD]"}|d\}}}|||fqg}t|D]\}}|d||fqJd|}|S)Nr-r1r0r)queryrH partitionr?r=r@) rpartsrZ key_val_pairspairrK_rLZsorted_key_valsrrrrs z%SigV4Auth._canonical_query_string_urlcs\g}tt|}|D]<}dfddt||D}|d|t|fqd|S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ,c3s|]}|VqdSr#) _header_valuer{vrrrr~sz.SigV4Auth.canonical_headers..%s:%s )r=setr@get_allr?r)rrur`Zsorted_header_namesrKrLrrrcanonical_headerss  zSigV4Auth.canonical_headerscCsd|S)N )r@rH)rrLrrrrszSigV4Auth._header_valuecCs$ddt|D}t|}d|S)NcSsg|]}d|qS)z%s)rprE)r{nrrr sz,SigV4Auth.signed_headers..;)rr=r@)rrurrrrsigned_headersszSigV4Auth.signed_headerscCs||stS|j}|rnt|drn|}t|jt}t }t |dD]}| |qH| }| ||S|r~t | StSdS)Nseek)_should_sha256_sign_payloadUNSIGNED_PAYLOADbodyhasattrtell functoolspartialreadPAYLOAD_BUFFERriterrArirEMPTY_SHA256_HASH)rr request_bodypositionZread_chunksizeZchecksumchunkZ hex_checksumrrrpayload s"    zSigV4Auth.payloadcCs|jdsdS|jddS)NrxTpayload_signing_enabled)r4 startswithcontextgetrrrrr!s z%SigV4Auth._should_sha256_sign_payloadcCs|jg}|t|jj}|||||||}|| |d|| |d|j kr||j d}n | |}||d |S)NrX-Amz-Content-SHA256)r7upper_normalize_url_pathr r4r5r?rrurrr`rr@)rrZcrr5ruZ body_checksumrrrcanonical_request+s       zSigV4Auth.canonical_requestcCstt|dd}|S)Nz/~r.)r r)rr5Znormalized_pathrrrr:szSigV4Auth._normalize_url_pathcCsN|jjg}||jddd||j||j|dd|SN timestampr aws4_requestr()r%rSr?rrcrdr@rrscoperrrr>s     zSigV4Auth.scopecCsHg}||jddd||j||j|dd|Sr)r?rrcrdr@rrrrcredential_scopeFs    zSigV4Auth.credential_scopecCsHdg}||jd||||t|dd|S)z Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. AWS4-HMAC-SHA256rr)r)r?rrrr<rir@)rrrstsrrrrINs zSigV4Auth.string_to_signcCsd|jj}|d|d|jddd}|||j}|||j}||d}|j||ddS) NZAWS4r)rrrrT)rk)r%r;rmr<rrcrd)rrIrrKZk_dateZk_regionZ k_serviceZ k_signingrrrrYZs zSigV4Auth.signaturecCs|jdkrttj}|t|jd<||||}t dt d|| ||}t d|| ||}t d|| ||dS)Nrz$Calculating signature using v4 auth.zCanonicalRequest: %sStringToSign: %sz Signature: %s)r%rdatetimeutcnowrUSIGV4_TIMESTAMPr_modify_request_before_signingrr2r3rIrY_inject_signature_to_request)rr datetime_nowrrIrYrrrrcs          zSigV4Auth.add_authcCsPd||g}||}|d|||d|d||jd<|S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=%sz Signature=%sz, Authorization)rrur?rr@r`)rrrYrrurrrrus  z&SigV4Auth._inject_signature_to_requestcCsrd|jkr|jd=|||jjrDd|jkr6|jd=|jj|jd<|jddsnd|jkrd|jd=t|jd<dS)Nrr_rTr)r`_set_necessary_date_headersr%rXrrrrrrrr}s    z(SigV4Auth._modify_request_before_signingcCs|d|jkrV|jd=tj|jdt}ttt| |jd<d|jkrx|jd=n"d|jkrh|jd=|jd|jd<dS)Nr\r X-Amz-Date) r`rstrptimerrrintcalendartimegm timetuple)rrZdatetime_timestamprrrrs     z%SigV4Auth._set_necessary_date_headersN)F)rrr rZr!r'rmrurrrrrrrrrrrrrrrIrYrrrrrrrrrbs0       rbcs0eZdZfddZfddZddZZS) S3SigV4Authcs6tt||d|jkr"|jd=|||jd<dS)Nr)superrrr`rr __class__rrrs z*S3SigV4Auth._modify_request_before_signingcsx|jd}t|dd}|dkr$i}|dd}|dk r<|S|jdrRd|jkrVdS|jddrhdStt||S) N client_configs3rrxz Content-MD5TZhas_streaming_inputF) rrgetattrr4rr`rrr)rrrZ s3_configZ sign_payloadrrrrs    z'S3SigV4Auth._should_sha256_sign_payloadcCs|Sr#rrr5rrrrszS3SigV4Auth._normalize_url_path)rrr rrr __classcell__rrrrrs  "rcs<eZdZdZeffdd ZddZddZdd ZZS) SigV4QueryAuthcstt||||||_dSr#)rrr'_expires)rr%rfrgexpiresrrrr'szSigV4QueryAuth.__init__c Cs|jd}d}||kr |jd=|||}d|||jd|j|d}|jjdk rf|jj|d<t |j }t ddt |j d d D}d }|jr|||d |_|rt|d }|t|} |} | d | d| d| | df} t| |_ dS)N content-typez0application/x-www-form-urlencoded; charset=utf-8rr)zX-Amz-AlgorithmzX-Amz-Credentialrz X-Amz-ExpireszX-Amz-SignedHeadersr_cSsg|]\}}||dfqSrr)r{krrrrrszASigV4QueryAuth._modify_request_before_signing..T)keep_blank_valuesr-r1rr)r`rrrurrrr%rXr r4dictrrrorRrA_get_body_as_dictr r) rr content_typeZblacklisted_content_typerZ auth_paramsr} query_dictZoperation_paramsnew_query_stringp new_url_partsrrrrs@       z-SigV4QueryAuth._modify_request_before_signingcCs>|j}t|tjr$t|d}nt|tjr:t|}|Srh)rR isinstancer binary_typerloadsrF string_types)rrrRrrrrs    z SigV4QueryAuth._get_body_as_dictcCs|jd|7_dS)Nz&X-Amz-Signature=%s)r4rrrYrrrrsz+SigV4QueryAuth._inject_signature_to_request) rrr DEFAULT_EXPIRESr'rrrrrrrrrs = rc@s eZdZdZddZddZdS)S3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCs|Sr#rrrrrr0sz$S3SigV4QueryAuth._normalize_url_pathcCstSr#)rrrrrr4szS3SigV4QueryAuth.payloadN)rrr rZrrrrrrr%s rc@seZdZdZddZdS)S3SigV4PostAuthz Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCsPtj}|t|jd<i}|jdddk r:|jd}i}g}|jdddk rv|jd}|dddk rv|d}||d<d|d<|||d<|jd|d<|ddi|d||i|d|jdi|jj dk r|jj |d <|d |jj it t |d d |d <||d ||d <||jd<||jd<dS) Nrs3-presign-post-fieldss3-presign-post-policy conditionsrzx-amz-algorithmzx-amz-credentialz x-amz-datex-amz-security-tokenr)policyzx-amz-signature)rrrUrrrrr?r%rXrBrCrdumpsr<rFrY)rrrfieldsrrrrrrCs:     zS3SigV4PostAuth.add_authNrrr rZrrrrrr<src#@seZdZddddddddd d d d d ddddddddddddddddd ddd d!d"g#Zd:d$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd;d.d/Z d HmacV1AuthZ accelerateZaclZcorsZdefaultObjectAcllocationloggingZ partNumberrZrequestPaymentZtorrentZ versioningZ versionIdversionsZwebsiteZuploadsZuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingdeleteZ lifecycleZtaggingZrestoreZ storageClassZ notificationZ replicationZ analyticsZmetricsZ inventoryselectz select-typeNcCs ||_dSr#r$rerrrr'yszHmacV1Auth.__init__cCs>tj|jjdtd}||dt| dS)Nr)r*) r9r:r%r;r<rrArrDrErF)rrIrarrr sign_string|s zHmacV1Auth.sign_stringcCsdddg}g}d|kr|d=||d<|D]R}d}|D]6}|}||dk r8||kr8|||d}q8|s,|dq,d|S) N content-md5rdater\FTr-r) _get_daterpr?rEr@)rr`Zinteresting_headershoiZihfoundrKlkrrrcanonical_standard_headerss   z%HmacV1Auth.canonical_standard_headerscCsg}i}|D]@}|}||dk r |dr ddd||D||<q t|}|D]}|d|||fq^d|S)Nx-amz-rcss|]}|VqdSr#)rErrrrr~sz6HmacV1Auth.canonical_custom_headers..rr)rprr@rr=keysr?)rr`rcustom_headersrKrZsorted_header_keysrrrcanonical_custom_headerss    z#HmacV1Auth.canonical_custom_headerscCs(t|dkr|S|dt|dfSdS)z( TODO: Do we need this? rrN)r6r )rnvrrr unquote_vs zHmacV1Auth.unquote_vcs|dk r|}n|j}|jr|jd}dd|D}fdd|D}t|dkr|jtdddd|D}|d7}|d|7}|S) Nr1cSsg|]}|ddqS)r0r)rHr{arrrrsz1HmacV1Auth.canonical_resource..cs$g|]}|djkr|qSr) QSAOfInterestrrrrrrsr)rKcSsg|]}d|qS)r0)r@rrrrrs?)r5rrHr6sortrr@)rrH auth_pathbufZqsarrrcanonical_resources   zHmacV1Auth.canonical_resourcecCsN|d}|||d7}||}|r8||d7}||j||d7}|S)Nrr)rrr r)rr7rHr`rrcsr rrrcanonical_strings   zHmacV1Auth.canonical_stringcCsB|jjr|d=|jj|d<|j||||d}td|||S)Nrrr)r%rXrr2r3r)rr7rHr`rrrIrrr get_signatures  zHmacV1Auth.get_signaturecCsX|jdkrttdt|j}td|j|j|j||j|j d}| ||dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %sr) r%rr2r3r r4r7rr`r_inject_signature)rrrHrYrrrrs    zHmacV1Auth.add_authcCs tddS)NTr]rrrrrrszHmacV1Auth._get_datecCs,d|jkr|jd=d|jj|f|jd<dS)Nrz AWS %s:%s)r`r%rSrrrrrs zHmacV1Auth._inject_signature)NN)N)NN)NN)rrr rr'rrr rrrrrrrrrrrrjs`     rc@s0eZdZdZdZefddZddZddZd S) HmacV1QueryAuthz Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth rcCs||_||_dSr#)r%r)rr%rrrrr'szHmacV1QueryAuth.__init__cCstttt|jSr#)rrrTrrrrrrszHmacV1QueryAuth._get_datec Csi}|jj|d<||d<|jD]D}|}|dkrB|jd|d<q|dsT|dkr|j|||<qt|}t|j}|drd|d|f}|d |d |d ||d f}t||_dS) NrOr,r\ZExpiresr )rrz%s&%srrrr) r%rSr`rprr r r4r) rrrYrZ header_keyrrrrrrrrs   z!HmacV1QueryAuth._inject_signatureN)rrr rZrr'rrrrrrrs   rc@seZdZdZddZdS)HmacV1PostAuthz Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsi}|jdddk r |jd}i}g}|jdddk r\|jd}|dddk r\|d}||d<|jj|d<|jjdk r|jj|d<|d|jjitt | d d|d<| |d|d<||jd<||jd<dS) NrrrrOrr)rrY) rrr%rSrXr?rBrCrrr<rFr)rrrrrrrrr.s,      zHmacV1PostAuth.add_authNrrrrrr&sr) Zv2Zv4zv4-queryZv3Zv3httpsrzs3-queryzs3-presign-postZs3v4z s3v4-queryzs3v4-presign-post)5rBrhashlibrrr9r email.utilsroperatorrrrTrrZbotocore.exceptionsrZbotocore.utilsrr Zbotocore.compatr r r r rrrrrr getLoggerrr2rrrVrrqrobjectrr"r[rbrrrrrrrZAUTH_TYPE_MAPSrrrrst             =/Y. 2)