B \=l@sddlZddlZddlZddlZddlZddlZddlmZmZddl m Z m Z ddl m Z ddl mZddl mZddlmZmZGdd d eZGd d d eZd d ZdddZGdddeZddZdddZddZdddZddZdS) N)six OrderedDict)create_request_objectprepare_request_dict)UnknownSignatureVersionError)UnknownClientMethodError) UnsupportedSignatureVersionError) fix_s3_hostdatetime2timestampc@speZdZdZddZeddZeddZedd Zdd d Z dddZ ddZ dddZ e Z dddZd S) RequestSignera0 An object to sign requests before they go out over the wire using one of the authentication mechanisms defined in ``auth.py``. This class fires two events scoped to a service and operation name: * choose-signer: Allows overriding the auth signer name. * before-sign: Allows mutating the request before signing. Together these events allow for customization of the request signing pipeline, including overrides, request path manipulation, and disabling signing per operation. :type service_id: botocore.model.ServiceId :param service_id: The service id for the service, e.g. ``S3`` :type region_name: string :param region_name: Name of the service region, e.g. ``us-east-1`` :type signing_name: string :param signing_name: Service signing name. This is usually the same as the service name, but can differ. E.g. ``emr`` vs. ``elasticmapreduce``. :type signature_version: string :param signature_version: Signature name like ``v4``. :type credentials: :py:class:`~botocore.credentials.Credentials` :param credentials: User credentials with which to sign requests. :type event_emitter: :py:class:`~botocore.hooks.BaseEventHooks` :param event_emitter: Extension mechanism to fire events. cCs.||_||_||_||_||_t||_dS)N) _region_name _signing_name_signature_version _credentials _service_idweakrefproxy_event_emitter)selfZ service_id region_name signing_namesignature_version credentialsZ event_emitterr4/tmp/pip-build-uw_ogi45/botocore/botocore/signers.py__init__>s zRequestSigner.__init__cCs|jS)N)r )rrrrrIszRequestSigner.region_namecCs|jS)N)r)rrrrrMszRequestSigner.signature_versioncCs|jS)N)r )rrrrrQszRequestSigner.signing_nameNcKs |||S)N)sign)roperation_namerequestkwargsrrrhandlerUszRequestSigner.handlerstandardc Cs|dkr|j}|dkr|j}||||j}|jjd|j||||j|||d|t j kr|||d}|dk r|||d<y|j f|} Wn:t k r} z|dkrt |dn| Wdd} ~ XYnX| |dS)a<Sign a request before it goes out over the wire. :type operation_name: string :param operation_name: The name of the current operation, e.g. ``ListBuckets``. :type request: AWSRequest :param request: The request object to be sent over the wire. :type region_name: str :param region_name: The region to sign the request for. :type signing_type: str :param signing_type: The type of signing to perform. This can be one of three possible values: * 'standard' - This should be used for most requests. * 'presign-url' - This should be used when pre-signing a request. * 'presign-post' - This should be used when pre-signing an S3 post. :type expires_in: int :param expires_in: The number of seconds the presigned url is valid for. This parameter is only valid for signing type 'presign-url'. :type signing_name: str :param signing_name: The name to use for the service when signing. Nzbefore-sign.{0}.{1})rrrrrequest_signerr)rrrexpiresr!)r)r r _choose_signercontextremitformatr hyphenizebotocoreUNSIGNEDget_auth_instancerrZadd_auth) rrrr signing_type expires_inrrrautherrrr\s6    zRequestSigner.signc Csddd}||d}|j}|tjk r8||s8||7}|jjd|j ||j |j ||d\}}|dk r|}|tjk r||s||7}|S)ai Allow setting the signature version via the choose-signer event. A value of `botocore.UNSIGNED` means no signing will be performed. :param operation_name: The operation to sign. :param signing_type: The type of signing that the signer is to be used for. :return: The signature version to sign with. z -presign-postz-query)z presign-postz presign-urlzchoose-signer.{0}.{1})rrrr%N) getrr)r*endswithrZemit_until_responser'rr(r r ) rrr,r%Zsigning_type_suffix_mapsuffixrr responserrrr$s$       zRequestSigner._choose_signercKs|dkr|j}tjj|}|dkr.t|dd}|jdk rF|j}||d<|jrx|j dkrhtj ||d<||d<|f|}|S)a Get an auth instance which can be used to sign a request using the given signature version. :type signing_name: string :param signing_name: Service signing name. This is usually the same as the service name, but can differ. E.g. ``emr`` vs. ``elasticmapreduce``. :type region_name: string :param region_name: Name of the service region, e.g. ``us-east-1`` :type signature_version: string :param signature_version: Signature name like ``v4``. :rtype: :py:class:`~botocore.auth.BaseSigner` :return: Auth instance to sign a request. N)rrrZ service_name) rr)r.ZAUTH_TYPE_MAPSr1rrZget_frozen_credentialsZREQUIRES_REGIONr exceptionsZ NoRegionError)rrrrrclsZfrozen_credentialsr.rrrr+s"     zRequestSigner.get_auth_instancecCs*t|}||||d||||jS)aGenerates a presigned url :type request_dict: dict :param request_dict: The prepared request dictionary returned by ``botocore.awsrequest.prepare_request_dict()`` :type operation_name: str :param operation_name: The operation being signed. :type expires_in: int :param expires_in: The number of seconds the presigned url is valid for. By default it expires in an hour (3600 seconds) :type region_name: string :param region_name: The region name to sign the presigned url. :type signing_name: str :param signing_name: The name to use for the service when signing. :returns: The presigned url z presign-url)rrprepareurl)r request_dictrr-rrrrrrgenerate_presigned_urls   z$RequestSigner.generate_presigned_url)NN)Nr!NN)N)r7NN)__name__ __module__ __qualname____doc__rpropertyrrrr rr$r+Zget_authr;rrrrr s!     B& +r c@s<eZdZdZddZd ddZddZdd d Zd d ZdS)CloudFrontSigneraA signer to create a signed CloudFront URL. First you create a cloudfront signer based on a normalized RSA signer:: import rsa def rsa_signer(message): private_key = open('private_key.pem', 'r').read() return rsa.sign( message, rsa.PrivateKey.load_pkcs1(private_key.encode('utf8')), 'SHA-1') # CloudFront requires SHA-1 hash cf_signer = CloudFrontSigner(key_id, rsa_signer) To sign with a canned policy:: signed_url = cf_signer.generate_signed_url( url, date_less_than=datetime(2015, 12, 1)) To sign with a custom policy:: signed_url = cf_signer.generate_signed_url(url, policy=my_policy) cCs||_||_dS)aCreate a CloudFrontSigner. :type key_id: str :param key_id: The CloudFront Key Pair ID :type rsa_signer: callable :param rsa_signer: An RSA signer. Its only input parameter will be the message to be signed, and its output will be the signed content as a binary string. The hash algorithm needed by CloudFront is SHA-1. N)key_id rsa_signer)rrBrCrrrr*s zCloudFrontSigner.__init__NcCs|dk r|dk s |dkr,|dkr,d}t||dk r@|||}t|tjrV|d}|dk rrdtt|g}nd|| dg}| |}| d|| dd|j g| ||S)aCreates a signed CloudFront URL based on given parameters. :type url: str :param url: The URL of the protected object :type date_less_than: datetime :param date_less_than: The URL will expire after that date and time :type policy: str :param policy: The custom policy, possibly built by self.build_policy() :rtype: str :return: The signed URL. Nz=Need to provide either date_less_than or policy, but not bothutf8z Expires=%sz Policy=%sz Signature=%szKey-Pair-Id=%s) ValueError build_policy isinstancer text_typeencodeintr _url_b64encodedecoderCextendrB _build_url)rr9date_less_thanpolicyr/params signaturerrrr;9s     z'CloudFrontSigner.generate_presigned_urlcCs"d|kr dnd}||d|S)N?&)join)rbase_urlZ extra_params separatorrrrrN\szCloudFrontSigner._build_urlc Cstt|}tdd|ii}|rr?rr;rNrFrKrrrrrAs  # (rAcKs t|d<dS)Ngenerate_db_auth_token)rm)class_attributesrrrradd_generate_db_auth_tokensroc Csp|}|dkr|jj}d|d}ddi|dd}d}d |||f} t|| |jjd||d d d } | t|dS) aGenerates an auth token used to connect to a db with IAM credentials. :type DBHostname: str :param DBHostname: The hostname of the database to connect to. :type Port: int :param Port: The port number the database is listening on. :type DBUsername: str :param DBUsername: The username to log in as. :type Region: str :param Region: The region the database is in. If None, the client region will be used. :return: A presigned url which can be used as an auth token. Nconnect)ZActionZDBUserrXr0GET)Zurl_pathZ query_stringheadersbodymethodzhttps://z%s%s:%sizrds-db)rr:rr-r)metarr_request_signerr;len) rZ DBHostnameZPortZ DBUsernameZRegionZregionrQr:scheme endpoint_urlZ presigned_urlrrrrms"   rmc@seZdZddZdddZdS)S3PostPresignercCs ||_dS)N)rv)rr"rrrrszS3PostPresigner.__init__Nc Cs|dkr i}|dkrg}i}tj}|tj|d}|tjj|d<g|d<x|D]} |d| qVWt|} || j d<|| j d<|j d| |d| j |d S) aGenerates the url and the form fields used for a presigned s3 post :type request_dict: dict :param request_dict: The prepared request dictionary returned by ``botocore.awsrequest.prepare_request_dict()`` :type fields: dict :param fields: A dictionary of prefilled form fields to build on top of. :type conditions: list :param conditions: A list of conditions to include in the policy. Each element can be either a list or a structure. For example: [ {"acl": "public-read"}, {"bucket": "mybucket"}, ["starts-with", "$key", "mykey"] ] :type expires_in: int :param expires_in: The number of seconds the presigned post is valid for. :type region_name: string :param region_name: The region name to sign the presigned post to. :rtype: dict :returns: A dictionary with two elements: ``url`` and ``fields``. Url is the url to post to. Fields is a dictionary filled with the form fields and respective values to use when submitting the post. For example: {'url': 'https://mybucket.s3.amazonaws.com 'fields': {'acl': 'public-read', 'key': 'mykey', 'signature': 'mysignature', 'policy': 'mybase64 encoded policy'} } N)secondsZ expiration conditionszs3-presign-post-fieldszs3-presign-post-policyZ PutObjectz presign-post)r9fields) datetimeutcnow timedeltastrftimer)r.ZISO8601appendrr%rvrr9) rr:r~r}r-rrPZ datetime_nowZ expire_daterbrrrrgenerate_presigned_posts"*     z'S3PostPresigner.generate_presigned_post)NNr{N)r<r=r>rrrrrrrzsrzcKs t|d<dS)Nr;)r;)rnrrrradd_generate_presigned_urlsrcCs|}|}|dkri}|}|}dt|d} |j} |j} y|j|} Wntk rbt|dYnX|jj| } | || | }| || }|dk r||d<t ||jj | d| j ||| dS)axGenerate a presigned url given a client, its method, and arguments :type ClientMethod: string :param ClientMethod: The client method to presign for :type Params: dict :param Params: The parameters normally passed to ``ClientMethod``. :type ExpiresIn: int :param ExpiresIn: The number of seconds the presigned url is valid for. By default it expires in an hour (3600 seconds) :type HttpMethod: string :param HttpMethod: The http method to use on the generated url. By default, the http method is whatever is used in the method's model. :returns: The presigned url NT)is_presign_requestuse_global_endpoint) method_namert)ryr%)r:r-r)_should_use_global_endpointrv _serializerZ_PY_TO_OP_NAMEKeyErrorrru service_modeloperation_modelZ_emit_api_paramsserialize_to_requestrryr;)rZ ClientMethodZParams ExpiresInZ HttpMethodZ client_methodrQr-Z http_methodr%r" serializerrrr:rrrr;s4 r;cKs t|d<dS)Nr)r)rnrrrradd_generate_presigned_postVsrcCs|}|}|}|} |} |dkr i}| dkr,g} t|j} |j} |jjd} | d|i| }t||jjdt |dd| d|i| dr| d d |dt d gn| d |i||d <| j ||| | d S) a Builds the url and the form fields used for a presigned s3 post :type Bucket: string :param Bucket: The name of the bucket to presign the post to. Note that bucket related conditions should not be included in the ``conditions`` parameter. :type Key: string :param Key: Key name, optionally add ${filename} to the end to attach the submitted filename. Note that key related conditions and fields are filled out for you and should not be included in the ``Fields`` or ``Conditions`` parameter. :type Fields: dict :param Fields: A dictionary of prefilled form fields to build on top of. Elements that may be included are acl, Cache-Control, Content-Type, Content-Disposition, Content-Encoding, Expires, success_action_redirect, redirect, success_action_status, and x-amz-meta-. Note that if a particular element is included in the fields dictionary it will not be automatically added to the conditions list. You must specify a condition for the element as well. :type Conditions: list :param Conditions: A list of conditions to include in the policy. Each element can be either a list or a structure. For example: [ {"acl": "public-read"}, ["content-length-range", 2, 5], ["starts-with", "$success_action_redirect", ""] ] Conditions that are included may pertain to acl, content-length-range, Cache-Control, Content-Type, Content-Disposition, Content-Encoding, Expires, success_action_redirect, redirect, success_action_status, and/or x-amz-meta-. Note that if you include a condition, you must specify the a valid value in the fields dictionary as well. A value will not be added automatically to the fields dictionary based on the conditions. :type ExpiresIn: int :param ExpiresIn: The number of seconds the presigned post is valid for. :rtype: dict :returns: A dictionary with two elements: ``url`` and ``fields``. Url is the url to post to. Fields is a dictionary filled with the form fields and respective values to use when submitting the post. For example: {'url': 'https://mybucket.s3.amazonaws.com 'fields': {'acl': 'public-read', 'key': 'mykey', 'signature': 'mysignature', 'policy': 'mybase64 encoded policy'} } NZ CreateBucketBucketT)rr)ryr%bucketz ${filename}z starts-withz$keykey)r:r~r}r-)rzrvrrurrrrryrrr2rwr)rrZKeyZFieldsZ Conditionsrrrr~r}r-Zpost_presignerrrr:rrrrZs6@    rcCs6d}|jjjdk r$|jjjdd}|jjdko4| S)NFuse_dualstack_endpointZaws)ruconfigZs3r1 partition)clientrrrrrs   r)N)NrN)NNr)rrr^rir)Z botocore.authZbotocore.compatrrZbotocore.awsrequestrrZbotocore.exceptionsrrrZbotocore.utilsr r objectr rArormrzrr;rrrrrrr s0   w~ 3L > r