U ._ @sddlZddlZddlmZddlmZddlZddlZddlmZddl m Z ddl Z ddl Z ddl Z ddlZddlmZddlmZmZddlmZdd lmZmZmZmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZee Z!dZ"dZ#dZ$dZ%dddgZ&dZ'Gddde(Z)Gddde)Z*Gddde)Z+Gddde)Z,Gd d!d!e,Z-Gd"d#d#e,Z.Gd$d%d%e.Z/Gd&d'd'e,Z0Gd(d)d)e)Z1Gd*d+d+e1Z2Gd,d-d-e1Z3e*e,e.e+e+e1e2e3e-e/e0d. Z4dS)/N)sha256)sha1 formatdate) itemgetter)NoCredentialsError)normalize_url_pathpercent_encode_sequence) HTTPHeaders)quoteunquoteurlsplitparse_qs) urlunsplit) encodebytes)six)json) MD5_AVAILABLE)ensure_unicodeZ@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855iz%Y-%m-%dT%H:%M:%SZz%Y%m%dT%H%M%SZexpectz user-agentzx-amzn-trace-idzUNSIGNED-PAYLOADc@seZdZdZddZdS) BaseSignerFcCs tddS)Nadd_auth)NotImplementedErrorselfrequestre/private/var/folders/2d/2jcwkxfx4hj39rq32sgz27wh9m_5lk/T/pip-unpacked-wheel-r09gmim7/botocore/auth.pyr<szBaseSigner.add_authN)__name__ __module__ __qualname__REQUIRES_REGIONrrrrrr9src@s(eZdZdZddZddZddZdS) SigV2Authz+ Sign a request with Signature V2. cCs ||_dSN credentialsrr%rrr__init__EszSigV2Auth.__init__c Cstdt|j}|j}t|dkr*d}d|j|j|f}tj |j j dt d}g}t|D]J}|dkrnq`t||} |t| ddd d t| dd d q`d |} || 7}td ||| dt|d} | | fS)Nz$Calculating signature using v2 auth.r/z %s %s %s utf-8 digestmod Signaturesafe=z-_~&zString to sign: %s)loggerdebugr urlpathlenmethodnetlochmacnewr% secret_keyencodersortedr text_typeappendr joinupdatebase64 b64encodedigeststripdecode) rrparamssplitr5string_to_signZlhmacpairskeyvalueqsZb64rrrcalc_signatureHs4      zSigV2Auth.calc_signaturecCs|jdkrt|jr|j}n|j}|jj|d<d|d<d|d<ttt|d<|jj rf|jj |d<| ||\}}||d<|S) NAWSAccessKeyId2ZSignatureVersion HmacSHA256ZSignatureMethod TimestampZ SecurityTokenr,) r%rdatarG access_keytimestrftimeISO8601gmtimetokenrN)rrrGrM signaturerrrrds   zSigV2Auth.add_authN)rrr __doc__r'rNrrrrrr"@sr"c@seZdZddZddZdS) SigV3AuthcCs ||_dSr#r$r&rrrr'~szSigV3Auth.__init__cCs|jdkrtd|jkr |jd=tdd|jd<|jjrXd|jkrJ|jd=|jj|jd<tj|jjdt d}| |jddt |  }d|jjd|df}d |jkr|jd =||jd <dS) NDateTusegmtX-Amz-Security-Tokenr)r*z6AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=%s,Signature=%srQzX-Amzn-Authorization)r%rheadersrrYr9r:r;r<rrArrDrErTrF)rrnew_hmacZencoded_signaturerZrrrrs,    zSigV3Auth.add_authN)rrr r'rrrrrr\}sr\c@seZdZdZdZddZd1ddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ ddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0S)2 SigV4Authz+ Sign a request with Signature V4. TcCs||_||_||_dSr#)r% _region_name _service_namerr% service_name region_namerrrr'szSigV4Auth.__init__FcCs:|rt||dt}nt||dt}|SNr))r9r:r<r hexdigestrD)rrKmsghexsigrrr_signszSigV4Auth._signcCsRt}|jD] \}}|}|tkr|||<qd|krN||j|d<|S)zk Select the headers from the request that need to be included in the StringToSign. host)r raitemslowerSIGNED_HEADERS_BLACKLIST_canonical_hostr4)rrZ header_mapnamerLlnamerrrheaders_to_signs zSigV4Auth.headers_to_signcsDt|ddd}tfdd|Dr2jSjdddS) NPi)httphttpsc3s&|]\}}j|koj|kVqdSr#)schemeport).0rzr{ url_partsrr sz,SigV4Auth._canonical_host..@)r anyrphostnamer8rsplit)rr4Z default_portsrr}rrss zSigV4Auth._canonical_hostcCs&|jr||jS|t|jSdSr#)rG_canonical_query_string_params_canonical_query_string_urlr r4rrrrcanonical_query_strings z SigV4Auth.canonical_query_stringc CsNg}t|D]2}t||}|dt|ddt|ddfq d|}|S)N%s=%sz-_.~r.r1)r=strr?r r@)rrGlparamrLZcqsrrrrs    z(SigV4Auth._canonical_query_string_paramsc Cstd}|jrpg}|jdD]"}|d\}}}|||fqg}t|D]\}}|d||fqJd|}|S)Nr-r1r0r)queryrH partitionr?r=r@) rpartsrZ key_val_pairspairrK_rLZsorted_key_valsrrrrs z%SigV4Auth._canonical_query_string_urlcs\g}tt|}|D]<}dfddt||D}|d|t|fqd|S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ,c3s|]}|VqdSr#) _header_valuer|vrrrrsz.SigV4Auth.canonical_headers..%s:%s )r=setr@get_allr?r)rrvraZsorted_header_namesrKrLrrrcanonical_headerss  zSigV4Auth.canonical_headerscCsd|S)N )r@rH)rrLrrrrszSigV4Auth._header_valuecCs$ddt|D}t|}d|S)NcSsg|]}d|qS)z%s)rqrE)r|nrrr sz,SigV4Auth.signed_headers..;)rr=r@)rrvrrrrsigned_headersszSigV4Auth.signed_headerscCs||stS|j}|rnt|drn|}t|jt}t }t |dD]}| |qH| }| ||S|r~t | StSdS)Nseek)_should_sha256_sign_payloadUNSIGNED_PAYLOADbodyhasattrtell functoolspartialreadPAYLOAD_BUFFERriterrArjrEMPTY_SHA256_HASH)rr request_bodypositionZread_chunksizeZchecksumchunkZ hex_checksumrrrpayload s"    zSigV4Auth.payloadcCs|jdsdS|jddS)NryTpayload_signing_enabled)r4 startswithcontextgetrrrrr!s z%SigV4Auth._should_sha256_sign_payloadcCs|jg}|t|jj}|||||||}|| |d|| |d|j kr||j d}n | |}||d |S)NrX-Amz-Content-SHA256)r7upper_normalize_url_pathr r4r5r?rrvrrrarr@)rrZcrr5rvZ body_checksumrrrcanonical_request+s       zSigV4Auth.canonical_requestcCstt|dd}|S)Nz/~r.)r r)rr5Znormalized_pathrrrr:szSigV4Auth._normalize_url_pathcCsN|jjg}||jddd||j||j|dd|SN timestampr aws4_requestr()r%rTr?rrdrer@rrscoperrrr>s     zSigV4Auth.scopecCsHg}||jddd||j||j|dd|Sr)r?rrdrer@rrrrcredential_scopeFs    zSigV4Auth.credential_scopecCsHdg}||jd||||t|dd|S)z Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. AWS4-HMAC-SHA256rr)r)r?rrrr<rjr@)rrrstsrrrrINs zSigV4Auth.string_to_signcCsd|jj}|d|d|jddd}|||j}|||j}||d}|j||ddS) NZAWS4r)rrrrT)rl)r%r;rnr<rrdre)rrIrrKZk_dateZk_regionZ k_serviceZ k_signingrrrrZZs zSigV4Auth.signaturecCs|jdkrttj}|t|jd<||||}t dt d|| ||}t d|| ||}t d|| ||dS)Nrz$Calculating signature using v4 auth.zCanonicalRequest: %sStringToSign: %sz Signature: %s)r%rdatetimeutcnowrVSIGV4_TIMESTAMPr_modify_request_before_signingrr2r3rIrZ_inject_signature_to_request)rr datetime_nowrrIrZrrrrcs          zSigV4Auth.add_authcCsPd||g}||}|d|||d|d||jd<|S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=%sz Signature=%sz, Authorization)rrvr?rr@ra)rrrZrrvrrrrus  z&SigV4Auth._inject_signature_to_requestcCsrd|jkr|jd=|||jjrDd|jkr6|jd=|jj|jd<|jddsnd|jkrd|jd=t|jd<dS)Nrr`rTr)ra_set_necessary_date_headersr%rYrrrrrrrr}s    z(SigV4Auth._modify_request_before_signingcCs|d|jkrV|jd=tj|jdt}ttt| |jd<d|jkrx|jd=n"d|jkrh|jd=|jd|jd<dS)Nr]r X-Amz-Date) rarstrptimerrrintcalendartimegm timetuple)rrZdatetime_timestamprrrrs     z%SigV4Auth._set_necessary_date_headersN)F)rrr r[r!r'rnrvrsrrrrrrrrrrrrrIrZrrrrrrrrrcs0       rccs0eZdZfddZfddZddZZS) S3SigV4Authcs6tt||d|jkr"|jd=|||jd<dS)Nr)superrrrarr __class__rrrs z*S3SigV4Auth._modify_request_before_signingcsx|jd}t|dd}|dkr$i}|dd}|dk r<|S|jdrRd|jkrVdS|jddrhdStt||S) N client_configs3rryz Content-MD5TZhas_streaming_inputF) rrgetattrr4rrarrr)rrrZ s3_configZ sign_payloadrrrrs    z'S3SigV4Auth._should_sha256_sign_payloadcCs|Sr#rrr5rrrrszS3SigV4Auth._normalize_url_path)rrr rrr __classcell__rrrrrs  "rcs<eZdZdZeffdd ZddZddZdd ZZS) SigV4QueryAuthcstt||||||_dSr#)rrr'_expires)rr%rgrhexpiresrrrr'szSigV4QueryAuth.__init__c Cs|jd}d}||kr |jd=|||}d|||jd|j|d}|jjdk rf|jj|d<t |j }t ddt |j d d D}d }|jr|||d |_|rt|d }|t|} |} | d | d| d| | df} t| |_ dS)N content-typez0application/x-www-form-urlencoded; charset=utf-8rr)zX-Amz-AlgorithmzX-Amz-Credentialrz X-Amz-ExpireszX-Amz-SignedHeadersr`cSsg|]\}}||dfqSrr)r|krrrrrszASigV4QueryAuth._modify_request_before_signing..T)keep_blank_valuesr-r1rr)rarrrvrrrr%rYr r4dictrrrprSrA_get_body_as_dictr r) rr content_typeZblacklisted_content_typerZ auth_paramsr~ query_dictZoperation_paramsnew_query_stringp new_url_partsrrrrs@       z-SigV4QueryAuth._modify_request_before_signingcCs>|j}t|tjr$t|d}nt|tjr:t|}|Sri)rS isinstancer binary_typerloadsrF string_types)rrrSrrrrs    z SigV4QueryAuth._get_body_as_dictcCs|jd|7_dS)Nz&X-Amz-Signature=%s)r4rrrZrrrrsz+SigV4QueryAuth._inject_signature_to_request) rrr DEFAULT_EXPIRESr'rrrrrrrrrs = rc@s eZdZdZddZddZdS)S3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCs|Sr#rrrrrr0sz$S3SigV4QueryAuth._normalize_url_pathcCstSr#)rrrrrr4szS3SigV4QueryAuth.payloadN)rrr r[rrrrrrr%s rc@seZdZdZddZdS)S3SigV4PostAuthz Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCsPtj}|t|jd<i}|jdddk r:|jd}i}g}|jdddk rv|jd}|dddk rv|d}||d<d|d<|||d<|jd|d<|ddi|d||i|d|jdi|jj dk r|jj |d <|d |jj it t |d d |d <||d ||d <||jd<||jd<dS) Nrs3-presign-post-fieldss3-presign-post-policy conditionsrzx-amz-algorithmzx-amz-credentialz x-amz-datex-amz-security-tokenr)policyzx-amz-signature)rrrVrrrrr?r%rYrBrCrdumpsr<rFrZ)rrrfieldsrrrrrrCs:     zS3SigV4PostAuth.add_authNrrr r[rrrrrr<src#@seZdZddddddddd d d d d ddddddddddddddddd ddd d!d"g#Zd:d$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd;d.d/Z d HmacV1AuthZ accelerateZaclZcorsZdefaultObjectAcllocationloggingZ partNumberrZrequestPaymentZtorrentZ versioningZ versionIdversionsZwebsiteZuploadsZuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingdeleteZ lifecycleZtaggingrestoreZ storageClassZ notificationZ replicationZ analyticsZmetricsZ inventoryselectz select-typeNcCs ||_dSr#r$rfrrrr'yszHmacV1Auth.__init__cCs>tj|jjdtd}||dt| dS)Nr)r*) r9r:r%r;r<rrArrDrErF)rrIrbrrr sign_string|s zHmacV1Auth.sign_stringcCsdddg}g}d|kr|d=||d<|D]R}d}|D]6}|}||dk r8||kr8|||d}q8|s,|dq,d|S) N content-md5rdater]FTr-r) _get_daterqr?rEr@)rraZinteresting_headershoiZihfoundrKlkrrrcanonical_standard_headerss   z%HmacV1Auth.canonical_standard_headerscCsg}i}|D]@}|}||dk r |dr ddd||D||<q t|}|D]}|d|||fq^d|S)Nx-amz-rcss|]}|VqdSr#)rErrrrrsz6HmacV1Auth.canonical_custom_headers..rr)rqrr@rr=keysr?)rrarcustom_headersrKr Zsorted_header_keysrrrcanonical_custom_headerss    z#HmacV1Auth.canonical_custom_headerscCs(t|dkr|S|dt|dfSdS)z( TODO: Do we need this? rrN)r6r )rnvrrr unquote_vs zHmacV1Auth.unquote_vcs|dk r|}n|j}|jr|jd}dd|D}fdd|D}t|dkr|jtdddd|D}|d7}|d|7}|S) Nr1cSsg|]}|ddqS)r0r)rHr|arrrrsz1HmacV1Auth.canonical_resource..cs$g|]}|djkr|qSr) QSAOfInterestrrrrrrsr)rKcSsg|]}d|qS)r0)r@rrrrrs?)r5rrHr6sortrr@)rrH auth_pathbufZqsarrrcanonical_resources   zHmacV1Auth.canonical_resourcecCsN|d}|||d7}||}|r8||d7}||j||d7}|S)Nrr)rr rr)rr7rHrarrcsr rrrcanonical_strings   zHmacV1Auth.canonical_stringcCsB|jjr|d=|jj|d<|j||||d}td|||S)Nrrr)r%rYrr2r3r)rr7rHrarrrIrrr get_signatures  zHmacV1Auth.get_signaturecCsX|jdkrttdt|j}td|j|j|j||j|j d}| ||dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %sr) r%rr2r3r r4r7rrar_inject_signature)rrrHrZrrrrs    zHmacV1Auth.add_authcCs tddS)NTr^rrrrrrszHmacV1Auth._get_datecCs,d|jkr|jd=d|jj|f|jd<dS)Nrz AWS %s:%s)rar%rTrrrrrs zHmacV1Auth._inject_signature)NN)N)NN)NN)rrr rr'rr rrrrrrrrrrrrrjs`     rc@s0eZdZdZdZefddZddZddZd S) HmacV1QueryAuthz Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth rcCs||_||_dSr#)r%r)rr%rrrrr'szHmacV1QueryAuth.__init__cCstttt|jSr#)rrrUrrrrrrszHmacV1QueryAuth._get_datec Csi}|jj|d<||d<|jD]D}|}|dkrB|jd|d<q|dsT|dkr|j|||<qt|}t|j}|drd|d|f}|d |d |d ||d f}t||_dS) NrOr,r]ZExpiresr )rrz%s&%srrrr) r%rTrarqrr r r4r) rrrZrZ header_keyr rrrrrrrs   z!HmacV1QueryAuth._inject_signatureN)rrr r[rr'rrrrrrrs   rc@seZdZdZddZdS)HmacV1PostAuthz Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsi}|jdddk r |jd}i}g}|jdddk r\|jd}|dddk r\|d}||d<|jj|d<|jjdk r|jj|d<|d|jjitt | d d|d<| |d|d<||jd<||jd<dS) NrrrrOrr)rrZ) rrr%rTrYr?rBrCrrr<rFr)rrrrrrrrr.s,      zHmacV1PostAuth.add_authNrrrrrr &sr ) Zv2Zv4zv4-queryZv3Zv3httpsrzs3-queryzs3-presign-postZs3v4z s3v4-queryzs3v4-presign-post)5rBrhashlibrrr9r email.utilsroperatorrrrUrrZbotocore.exceptionsrZbotocore.utilsrr Zbotocore.compatr r r r rrrrrr getLoggerrr2rrrWrrrrobjectrr"r\rcrrrrrrr ZAUTH_TYPE_MAPSrrrrst             =/Y. 2)