B “äî\Њã @sðddlZddlZddlmZddlmZddlZddlZddlmZddl m Z ddl Z ddl Z ddl Z ddlZddlmZddlmZmZddlmZdd lmZmZmZmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZe e ¡Z!dZ"dZ#dZ$dZ%dddgZ&dZ'Gdd„de(ƒZ)Gdd„de)ƒZ*Gdd„de)ƒZ+Gdd„de)ƒZ,Gd d!„d!e,ƒZ-Gd"d#„d#e,ƒZ.Gd$d%„d%e.ƒZ/Gd&d'„d'e,ƒZ0Gd(d)„d)e)ƒZ1Gd*d+„d+e1ƒZ2Gd,d-„d-e1ƒZ3e*e,e.e+e+e1e2e3e-e/e0d.œ Z4dS)/éN)Úsha256)Úsha1)Ú formatdate)Ú itemgetter)ÚNoCredentialsError)Únormalize_url_pathÚpercent_encode_sequence)Ú HTTPHeaders)ÚquoteÚunquoteÚurlsplitÚparse_qs)Ú urlunsplit)Ú encodebytes)Úsix)Újson)Ú MD5_AVAILABLE)Úensure_unicodeZ@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855iz%Y-%m-%dT%H:%M:%SZz%Y%m%dT%H%M%SZÚexpectz user-agentzx-amzn-trace-idzUNSIGNED-PAYLOADc@seZdZdZdd„ZdS)Ú BaseSignerFcCs tdƒ‚dS)NÚadd_auth)ÚNotImplementedError)ÚselfÚrequest©rú1/tmp/pip-build-uw_ogi45/botocore/botocore/auth.pyr<szBaseSigner.add_authN)Ú__name__Ú __module__Ú __qualname__ÚREQUIRES_REGIONrrrrrr9src@s(eZdZdZdd„Zdd„Zdd„ZdS) Ú SigV2Authz+ Sign a request with Signature V2. cCs ||_dS)N)Ú credentials)rr!rrrÚ__init__EszSigV2Auth.__init__c Csþt d¡t|jƒ}|j}t|ƒdkr*d}d|j|j|f}tj |j j   d¡t d}g}xVt|ƒD]J}|dkrpqbt ||¡} | t|  d¡dd d t|   d¡d d ¡qbWd  |¡} || 7}t d |¡| |  d¡¡t | ¡¡ ¡ d¡} | | fS)Nz$Calculating signature using v2 auth.rú/z %s %s %s zutf-8)Ú digestmodÚ SignatureÚ)Úsafeú=z-_~ú&zString to sign: %s)ÚloggerÚdebugr ÚurlÚpathÚlenÚmethodÚnetlocÚhmacÚnewr!Ú secret_keyÚencoderÚsortedrÚ text_typeÚappendr ÚjoinÚupdateÚbase64Ú b64encodeÚdigestÚstripÚdecode) rrÚparamsÚsplitr-Ústring_to_signZlhmacÚpairsÚkeyÚvalueÚqsZb64rrrÚcalc_signatureHs.     zSigV2Auth.calc_signaturecCs‚|jdkrt‚|jr|j}n|j}|jj|d<d|d<d|d<t tt ¡¡|d<|jj rf|jj |d<|  ||¡\}}||d<|S) NÚAWSAccessKeyIdÚ2ZSignatureVersionÚ HmacSHA256ZSignatureMethodZ TimestampZ SecurityTokenr%) r!rÚdatar?Ú access_keyÚtimeÚstrftimeÚISO8601ÚgmtimeÚtokenrF)rrr?rEÚ signaturerrrrds   zSigV2Auth.add_authN)rrrÚ__doc__r"rFrrrrrr @sr c@seZdZdd„Zdd„ZdS)Ú SigV3AuthcCs ||_dS)N)r!)rr!rrrr"~szSigV3Auth.__init__cCsÎ|jdkrt‚d|jkr |jd=tdd|jd<|jjrXd|jkrJ|jd=|jj|jd<tj|jj d¡t d}|  |jd d¡¡t |  ¡ƒ  ¡}d|jjd| d¡f}d |jkrÀ|jd =||jd <dS) NÚDateT)ÚusegmtzX-Amz-Security-Tokenzutf-8)r$z6AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=%s,Signature=%srIzX-Amzn-Authorization)r!rÚheadersrrPr1r2r3r4rr9rr<r=rKr>)rrÚnew_hmacZencoded_signaturerQrrrrs&    zSigV3Auth.add_authN)rrrr"rrrrrrS}srSc@sÆeZdZdZdZdd„Zd1dd„Zdd „Zd d „Zd d „Z dd„Z dd„Z dd„Z dd„Z dd„Zdd„Zdd„Zdd„Zdd„Zd d!„Zd"d#„Zd$d%„Zd&d'„Zd(d)„Zd*d+„Zd,d-„Zd.d/„Zd0S)2Ú SigV4Authz+ Sign a request with Signature V4. TcCs||_||_||_dS)N)r!Ú _region_nameÚ _service_name)rr!Ú service_nameÚ region_namerrrr"szSigV4Auth.__init__FcCs:|rt || d¡t¡ ¡}nt || d¡t¡ ¡}|S)Nzutf-8)r1r2r4rÚ hexdigestr<)rrCÚmsgÚhexÚsigrrrÚ_sign¥szSigV4Auth._signcCsVtƒ}x.|j ¡D] \}}| ¡}|tkr|||<qWd|krR| |j¡ ¡|d<|S)zk Select the headers from the request that need to be included in the StringToSign. Úhost)r rVÚitemsÚlowerÚSIGNED_HEADERS_BLACKLISTÚ_canonical_hostr,)rrZ header_mapÚnamerDÚlnamerrrÚheaders_to_sign¬s zSigV4Auth.headers_to_signcsDt|ƒ‰dddœ}t‡fdd„| ¡Dƒƒr2ˆjSˆj dd¡dS) NéPi»)ÚhttpÚhttpsc3s&|]\}}ˆj|koˆj|kVqdS)N)ÚschemeÚport)Ú.0rmrn)Ú url_partsrrú Äsz,SigV4Auth._canonical_host..ú@ééÿÿÿÿ)r ÚanyrcÚhostnamer0Úrsplit)rr,Z default_portsr)rprrf¾s zSigV4Auth._canonical_hostcCs&|jr| |j¡S| t|jƒ¡SdS)N)r?Ú_canonical_query_string_paramsÚ_canonical_query_string_urlr r,)rrrrrÚcanonical_query_stringËs z SigV4Auth.canonical_query_stringc CsRg}x>t|ƒD]2}t||ƒ}| dt|ddt|ddf¡qWd |¡}|S)Nz%s=%sz-_.~)r'r))r5Ústrr7r r8)rr?ÚlÚparamrDZcqsrrrrxÕs  z(SigV4Auth._canonical_query_string_paramsc Cs|d}|jrxg}x2|j d¡D]"}| d¡\}}}| ||f¡qWg}x&t|ƒD]\}}| d||f¡qPWd |¡}|S)Nr&r)r(z%s=%s)Úqueryr@Ú partitionr7r5r8) rÚpartsrzZ key_val_pairsÚpairrCÚ_rDZsorted_key_valsrrrryÞs z%SigV4Auth._canonical_query_string_urlcs`g}tt|ƒƒ}xD|D]<}d ‡fdd„t| |¡ƒDƒ¡}| d|t|ƒf¡qWd |¡S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ú,c3s|]}ˆ |¡VqdS)N)Ú _header_value)roÚv)rrrrqøsz.SigV4Auth.canonical_headers..z%s:%sÚ )r5Úsetr8Úget_allr7r)rrirVZsorted_header_namesrCrDr)rrÚcanonical_headersîs  zSigV4Auth.canonical_headerscCsd | ¡¡S)Nú )r8r@)rrDrrrr„ýszSigV4Auth._header_valuecCs$dd„t|ƒDƒ}t|ƒ}d |¡S)NcSsg|]}d| ¡ ¡‘qS)z%s)rdr=)roÚnrrrú sz,SigV4Auth.signed_headers..ú;)r‡r5r8)rrir|rrrÚsigned_headersszSigV4Auth.signed_headerscCsŠ| |¡stS|j}|rrt|dƒrr| ¡}t |jt¡}t ƒ}xt |dƒD]}|  |¡qJW|  ¡}|  |¡|S|r‚t |ƒ  ¡StSdS)NÚseekó)Ú_should_sha256_sign_payloadÚUNSIGNED_PAYLOADÚbodyÚhasattrÚtellÚ functoolsÚpartialÚreadÚPAYLOAD_BUFFERrÚiterr9r]rÚEMPTY_SHA256_HASH)rrÚ request_bodyÚpositionZread_chunksizeZchecksumÚchunkZ hex_checksumrrrÚpayload s    zSigV4Auth.payloadcCs|j d¡sdS|j dd¡S)NrlTÚpayload_signing_enabled)r,Ú startswithÚcontextÚget)rrrrrr‘!s z%SigV4Auth._should_sha256_sign_payloadcCsš|j ¡g}| t|jƒj¡}| |¡| | |¡¡| |¡}| |  |¡d¡| |  |¡¡d|j kr||j d}n |  |¡}| |¡d  |¡S)Nr†zX-Amz-Content-SHA256)r/ÚupperÚ_normalize_url_pathr r,r-r7rzrir‰rŽrVrŸr8)rrÚcrr-riZ body_checksumrrrÚcanonical_request+s       zSigV4Auth.canonical_requestcCstt|ƒdd}|S)Nz/~)r')r r)rr-Znormalized_pathrrrr¥:szSigV4Auth._normalize_url_pathcCsN|jjg}| |jddd…¡| |j¡| |j¡| d¡d |¡S)NÚ timestampréÚ aws4_requestr#)r!rKr7r¢rYrZr8)rrÚscoperrrr«>s     zSigV4Auth.scopecCsHg}| |jddd…¡| |j¡| |j¡| d¡d |¡S)Nr¨rr©rªr#)r7r¢rYrZr8)rrr«rrrÚcredential_scopeFs    zSigV4Auth.credential_scopecCsHdg}| |jd¡| | |¡¡| t| d¡ƒ ¡¡d |¡S)z¬ Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. zAWS4-HMAC-SHA256r¨zutf-8r†)r7r¢r¬rr4r]r8)rrr§ÚstsrrrrANs zSigV4Auth.string_to_signcCsd|jj}| d| d¡|jddd…¡}| ||j¡}| ||j¡}| |d¡}|j||ddS) NZAWS4zutf-8r¨rr©rªT)r_)r!r3rar4r¢rYrZ)rrArrCZk_dateZk_regionZ k_serviceZ k_signingrrrrQZs zSigV4Auth.signaturecCs’|jdkrt‚tj ¡}| t¡|jd<| |¡| |¡}t   d¡t   d|¡|  ||¡}t   d|¡|  ||¡}t   d|¡|  ||¡dS)Nr¨z$Calculating signature using v4 auth.zCanonicalRequest: %szStringToSign: %sz Signature: %s)r!rÚdatetimeÚutcnowrMÚSIGV4_TIMESTAMPr¢Ú_modify_request_before_signingr§r*r+rArQÚ_inject_signature_to_request)rrÚ datetime_nowr§rArQrrrrcs          zSigV4Auth.add_authcCsPd| |¡g}| |¡}| d| |¡¡| d|¡d |¡|jd<|S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=%sz Signature=%sz, Ú Authorization)r«rir7rŽr8rV)rrrQr|rirrrr²us  z&SigV4Auth._inject_signature_to_requestcCsrd|jkr|jd=| |¡|jjrDd|jkr6|jd=|jj|jd<|j dd¡snd|jkrd|jd=t|jd<dS)Nr´zX-Amz-Security-Tokenr TzX-Amz-Content-SHA256)rVÚ_set_necessary_date_headersr!rPr¢r£r’)rrrrrr±}s    z(SigV4Auth._modify_request_before_signingcCs|d|jkrV|jd=tj |jdt¡}ttt |  ¡¡ƒƒ|jd<d|jkrx|jd=n"d|jkrh|jd=|jd|jd<dS)NrTr¨z X-Amz-Date) rVr®Ústrptimer¢r°rÚintÚcalendarÚtimegmÚ timetuple)rrZdatetime_timestamprrrrµ‹s    z%SigV4Auth._set_necessary_date_headersN)F)rrrrRrr"rarirfrzrxryr‰r„rŽrŸr‘r§r¥r«r¬rArQrr²r±rµrrrrrX—s0       rXcsHeZdZ‡fdd„Z‡fdd„Z‡fdd„Z‡fdd„Zd d „Z‡ZS) Ú S3SigV4Authcstt|ƒ |||¡||_dS)N)Úsuperr»r"Ú_default_region_name)rr!r[r\)Ú __class__rrr"žs  zS3SigV4Auth.__init__cs2|j di¡}| d|j¡|_tt|ƒ |¡dS)NZsigningZregion)r¢r£r½rYr¼r»r)rrZsigning_context)r¾rrr£s zS3SigV4Auth.add_authcs6tt|ƒ |¡d|jkr"|jd=| |¡|jd<dS)NzX-Amz-Content-SHA256)r¼r»r±rVrŸ)rr)r¾rrr±«s z*S3SigV4Auth._modify_request_before_signingcsx|j d¡}t|ddƒ}|dkr$i}| dd¡}|dk r<|S|j d¡rRd|jkrVdS|j dd¡rhdStt|ƒ |¡S) NÚ client_configÚs3r rlz Content-MD5TZhas_streaming_inputF) r¢r£Úgetattrr,r¡rVr¼r»r‘)rrr¿Z s3_configZ sign_payload)r¾rrr‘²s     z'S3SigV4Auth._should_sha256_sign_payloadcCs|S)Nr)rr-rrrr¥ÔszS3SigV4Auth._normalize_url_path) rrrr"rr±r‘r¥Ú __classcell__rr)r¾rr»s     "r»cs<eZdZdZef‡fdd„ Zdd„Zdd„Zdd „Z‡ZS) ÚSigV4QueryAuthicstt|ƒ |||¡||_dS)N)r¼rÃr"Ú_expires)rr!r[r\Úexpires)r¾rrr"ÜszSigV4QueryAuth.__init__c Csü|j d¡}d}||kr |jd=| | |¡¡}d| |¡|jd|j|dœ}|jjdk rf|jj|d<t |j ƒ}t dd„t |j d d  ¡Dƒƒ}d }|jr°| | |¡¡d |_|rÀt|ƒd }|t|ƒ} |} | d | d| d| | df} t| ƒ|_ dS)Nz content-typez0application/x-www-form-urlencoded; charset=utf-8zAWS4-HMAC-SHA256r¨)zX-Amz-AlgorithmzX-Amz-Credentialz X-Amz-Datez X-Amz-ExpireszX-Amz-SignedHeaderszX-Amz-Security-TokencSsg|]\}}||df‘qS)rr)roÚkr…rrrrŒszASigV4QueryAuth._modify_request_before_signing..T)Úkeep_blank_valuesr&r)rrséé)rVr£rŽrir«r¢rÄr!rPr r,Údictr r~rcrJr9Ú_get_body_as_dictrr) rrÚ content_typeZblacklisted_content_typerŽZ auth_paramsrpÚ query_dictZoperation_paramsÚnew_query_stringÚpÚ new_url_partsrrrr±âs6      z-SigV4QueryAuth._modify_request_before_signingcCs>|j}t|tjƒr$t | d¡¡}nt|tjƒr:t |¡}|S)Nzutf-8)rJÚ isinstancerÚ binary_typerÚloadsr>Ú string_types)rrrJrrrrËs    z SigV4QueryAuth._get_body_as_dictcCs|jd|7_dS)Nz&X-Amz-Signature=%s)r,)rrrQrrrr²+sz+SigV4QueryAuth._inject_signature_to_request) rrrÚDEFAULT_EXPIRESr"r±rËr²rÂrr)r¾rrÃÙs = rÃc@s eZdZdZdd„Zdd„ZdS)ÚS3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCs|S)Nr)rr-rrrr¥=sz$S3SigV4QueryAuth._normalize_url_pathcCstS)N)r’)rrrrrrŸAszS3SigV4QueryAuth.payloadN)rrrrRr¥rŸrrrrrÖ2s rÖc@seZdZdZdd„ZdS)ÚS3SigV4PostAuthz† Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCsPtj ¡}| t¡|jd<i}|j dd¡dk r:|jd}i}g}|j dd¡dk rv|jd}| dd¡dk rv|d}||d<d|d<| |¡|d<|jd|d<| ddi¡| d| |¡i¡| d|jdi¡|jj dk r|jj |d <| d |jj i¡t   t   |¡ d ¡¡ d ¡|d <| |d |¡|d <||jd<||jd<dS) Nr¨zs3-presign-post-fieldszs3-presign-post-policyÚ conditionszAWS4-HMAC-SHA256zx-amz-algorithmzx-amz-credentialz x-amz-datezx-amz-security-tokenzutf-8Úpolicyzx-amz-signature)r®r¯rMr°r¢r£r«r7r!rPr:r;rÚdumpsr4r>rQ)rrr³ÚfieldsrÙrØrrrrPs4     zS3SigV4PostAuth.add_authN)rrrrRrrrrrr×Isr×c#@s¶eZdZddddddddd d d d d ddddddddddddddddd ddd d!d"g#Zd:d$d%„Zd&d'„Zd(d)„Zd*d+„Zd,d-„Zd;d.d/„Z dÚ HmacV1AuthZ accelerateZaclZcorsZdefaultObjectAclÚlocationÚloggingZ partNumberrÙZrequestPaymentZtorrentZ versioningZ versionIdÚversionsZwebsiteZuploadsZuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingÚdeleteZ lifecycleZtaggingZrestoreZ storageClassZ notificationZ replicationZ analyticsZmetricsZ inventoryÚselectz select-typeNcCs ||_dS)N)r!)rr!r[r\rrrr"†szHmacV1Auth.__init__cCs>tj|jj d¡td}| | d¡¡t| ¡ƒ  ¡  d¡S)Nzutf-8)r$) r1r2r!r3r4rr9rr<r=r>)rrArWrrrÚ sign_string‰szHmacV1Auth.sign_stringcCs’dddg}g}d|kr|d=| ¡|d<x^|D]V}d}x>|D]6}| ¡}||dk r<||kr<| || ¡¡d}q.z%s:%sr†)rdr¡r8rˆr5Úkeysr7)rrVråÚcustom_headersrCrçZsorted_header_keysrrrÚcanonical_custom_headers s      z#HmacV1Auth.canonical_custom_headerscCs(t|ƒdkr|S|dt|dƒfSdS)z( TODO: Do we need this? rsrN)r.r )rÚnvrrrÚ unquote_v®s zHmacV1Auth.unquote_vcsŠ|dk r|}n|j}|jr†|j d¡}dd„|Dƒ}‡fdd„|Dƒ}t|ƒdkr†|jtdƒddd„|Dƒ}|d7}|d |¡7}|S) Nr)cSsg|]}| dd¡‘qS)r(rs)r@)roÚarrrrŒÆsz1HmacV1Auth.canonical_resource..cs$g|]}|dˆjkrˆ |¡‘qS)r)Ú QSAOfInterestrí)rorî)rrrrŒÇsr)rCcSsg|]}d |¡‘qS)r()r8)rorîrrrrŒËsú?)r-r~r@r.Úsortrr8)rr@Ú auth_pathÚbufZqsar)rrÚcanonical_resource·s   zHmacV1Auth.canonical_resourcecCsN| ¡d}|| |¡d7}| |¡}|r8||d7}||j||d7}|S)Nr†)rò)r¤rèrërô)rr/r@rVrÅròÚcsrêrrrÚcanonical_stringÐs   zHmacV1Auth.canonical_stringcCsB|jjr|d=|jj|d<|j||||d}t d|¡| |¡S)Nzx-amz-security-token)ròzStringToSign: %s)r!rPrör*r+râ)rr/r@rVrÅròrArrrÚ get_signatureÚs  zHmacV1Auth.get_signaturecCsX|jdkrt‚t d¡t|jƒ}t d|j¡|j|j||j|j d}|  ||¡dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %s)rò) r!rr*r+r r,r/r÷rVròÚ_inject_signature)rrr@rQrrrræs     zHmacV1Auth.add_authcCs tddS)NT)rU)r)rrrrräñszHmacV1Auth._get_datecCs,d|jkr|jd=d|jj|f|jd<dS)Nr´z AWS %s:%s)rVr!rK)rrrQrrrrøôs zHmacV1Auth._inject_signature)NN)N)NN)NN)rrrrïr"rârèrërírôrör÷rrärørrrrrÜws0      rÜc@s0eZdZdZdZefdd„Zdd„Zdd„Zd S) ÚHmacV1QueryAuthzÁ Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth icCs||_||_dS)N)r!rÄ)rr!rÅrrrr" szHmacV1QueryAuth.__init__cCsttt ¡t|jƒƒƒS)N)r{r·rLrÄ)rrrrräszHmacV1QueryAuth._get_datec Cs¾i}|jj|d<||d<xN|jD]D}| ¡}|dkrD|jd|d<q | d¡sV|dkr |j|||<q Wt|ƒ}t|jƒ}|dr’d|d|f}|d |d |d ||d f}t|ƒ|_dS) NrGr%rTZExpireszx-amz-)z content-md5z content-typeéz%s&%srrsrÈrÉ) r!rKrVrdr¡rr r,r) rrrQrÍZ header_keyrçrÎrÏrÐrrrrøs   z!HmacV1QueryAuth._inject_signatureN)rrrrRrÕr"rärørrrrrùs   rùc@seZdZdZdd„ZdS)ÚHmacV1PostAuthz‘ Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsäi}|j dd¡dk r |jd}i}g}|j dd¡dk r\|jd}| dd¡dk r\|d}||d<|jj|d<|jjdk rš|jj|d<| d|jji¡t t  |¡  d¡¡  d¡|d<|  |d¡|d<||jd<||jd<dS) Nzs3-presign-post-fieldszs3-presign-post-policyrØrGzx-amz-security-tokenzutf-8rÙrQ) r¢r£r!rKrPr7r:r;rrÚr4r>râ)rrrÛrÙrØrrrr;s&      zHmacV1PostAuth.add_authN)rrrrRrrrrrrû3srû) Zv2Zv4zv4-queryZv3Zv3httpsrÀzs3-queryzs3-presign-postZs3v4z s3v4-queryzs3v4-presign-post)5r:r®Úhashlibrrr1rÞÚ email.utilsrÚoperatorrr–rLr¸rZbotocore.exceptionsrZbotocore.utilsrrZbotocore.compatr r r r r rrrrrÚ getLoggerrr*r›r™rNr°rer’Úobjectrr rSrXr»rÃrÖr×rÜrùrûZAUTH_TYPE_MAPSrrrrÚsn             =<Y. 2)