B ݁[Њ @sddlZddlZddlmZddlmZddlZddlZddlmZddl m Z ddl Z ddl Z ddl Z ddlZddlmZddlmZmZddlmZdd lmZmZmZmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZee Z!dZ"dZ#dZ$dZ%dddgZ&dZ'Gddde(Z)Gddde)Z*Gddde)Z+Gddde)Z,Gd d!d!e,Z-Gd"d#d#e,Z.Gd$d%d%e.Z/Gd&d'd'e,Z0Gd(d)d)e)Z1Gd*d+d+e1Z2Gd,d-d-e1Z3e*e,e.e+e+e1e2e3e-e/e0d. Z4dS)/N)sha256)sha1) formatdate) itemgetter)NoCredentialsError)normalize_url_pathpercent_encode_sequence) HTTPHeaders)quoteunquoteurlsplitparse_qs) urlunsplit) encodebytes)six)json) MD5_AVAILABLE)ensure_unicodeZ@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855iz%Y-%m-%dT%H:%M:%SZz%Y%m%dT%H%M%SZZexpectz user-agentzx-amzn-trace-idzUNSIGNED-PAYLOADc@seZdZdZddZdS) BaseSignerFcCs tddS)Nadd_auth)NotImplementedError)selfrequestrN/Users/kashii/Desktop/Projects/Workshops/worker-safety/lambda/botocore/auth.pyr<szBaseSigner.add_authN)__name__ __module__ __qualname__REQUIRES_REGIONrrrrrr9src@s(eZdZdZddZddZddZdS) SigV2Authz+ Sign a request with Signature V2. cCs ||_dS)N) credentials)rr rrr__init__EszSigV2Auth.__init__c Cstdt|j}|j}t|dkr*d}d|j|j|f}tj |j j dt d}g}xVt|D]J}|dkrpqbt||} |t| ddd d t| dd d qbWd |} || 7}td ||| dt|d} | | fS)Nz$Calculating signature using v2 auth.r/z %s %s %s zutf-8) digestmod Signature)safe=z-_~&zString to sign: %s)loggerdebugr urlpathlenmethodnetlochmacnewr secret_keyencodersortedr text_typeappendr joinupdatebase64 b64encodedigeststripdecode) rrparamssplitr,string_to_signZlhmacpairskeyvalueqsZb64rrrcalc_signatureHs.     zSigV2Auth.calc_signaturecCs|jdkrt|jr|j}n|j}|jj|d<d|d<d|d<ttt|d<|jj rf|jj |d<| ||\}}||d<|S) NAWSAccessKeyId2ZSignatureVersion HmacSHA256ZSignatureMethodZ TimestampZ SecurityTokenr$) r rdatar> access_keytimestrftimeISO8601gmtimetokenrE)rrr>rD signaturerrrrds   zSigV2Auth.add_authN)rrr__doc__r!rErrrrrr@src@seZdZddZddZdS) SigV3AuthcCs ||_dS)N)r )rr rrrr!~szSigV3Auth.__init__cCs|jdkrtd|jkr |jd=tdd|jd<|jjrXd|jkrJ|jd=|jj|jd<tj|jjdt d}| |jddt |  }d|jjd|df}d |jkr|jd =||jd <dS) NDateT)usegmtzX-Amz-Security-Tokenzutf-8)r#z6AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=%s,Signature=%srHzX-Amzn-Authorization)r rheadersrrOr0r1r2r3rr8rr;r<rJr=)rrnew_hmacZencoded_signaturerPrrrrs&    zSigV3Auth.add_authN)rrrr!rrrrrrR}srRc@seZdZdZdZddZd1ddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ ddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0S)2 SigV4Authz+ Sign a request with Signature V4. TcCs||_||_||_dS)N)r _region_name _service_name)rr service_name region_namerrrr!szSigV4Auth.__init__FcCs:|rt||dt}nt||dt}|S)Nzutf-8)r0r1r3r hexdigestr;)rrBmsghexsigrrr_signszSigV4Auth._signcCsVt}x.|jD] \}}|}|tkr|||<qWd|krR||j|d<|S)zk Select the headers from the request that need to be included in the StringToSign. host)r rUitemslowerSIGNED_HEADERS_BLACKLIST_canonical_hostr+)rrZ header_mapnamerClnamerrrheaders_to_signs zSigV4Auth.headers_to_signcsDt|ddd}tfdd|Dr2jSjdddS) NPi)httphttpsc3s&|]\}}j|koj|kVqdS)N)schemeport).0rlrm) url_partsrr sz,SigV4Auth._canonical_host..@)r anyrbhostnamer/rsplit)rr+Z default_portsr)rorres zSigV4Auth._canonical_hostcCs&|jr||jS|t|jSdS)N)r>_canonical_query_string_params_canonical_query_string_urlr r+)rrrrrcanonical_query_strings z SigV4Auth.canonical_query_stringc CsRg}x>t|D]2}t||}|dt|ddt|ddfqWd|}|S)Nz%s=%sz-_.~)r&r()r4strr6r r7)rr>lparamrCZcqsrrrrws  z(SigV4Auth._canonical_query_string_paramsc Cs|d}|jrxg}x2|jdD]"}|d\}}}|||fqWg}x&t|D]\}}|d||fqPWd|}|S)Nr%r(r'z%s=%s)queryr? partitionr6r4r7) rpartsryZ key_val_pairspairrB_rCZsorted_key_valsrrrrxs z%SigV4Auth._canonical_query_string_urlcs`g}tt|}xD|D]<}dfddt||D}|d|t|fqWd|S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ,c3s|]}|VqdS)N) _header_value)rnv)rrrrpsz.SigV4Auth.canonical_headers..z%s:%s )r4setr7get_allr6r)rrhrUZsorted_header_namesrBrCr)rrcanonical_headerss  zSigV4Auth.canonical_headerscCsd|S)N )r7r?)rrCrrrrszSigV4Auth._header_valuecCs$ddt|D}t|}d|S)NcSsg|]}d|qS)z%s)rcr<)rnnrrr sz,SigV4Auth.signed_headers..;)rr4r7)rrhr{rrrsigned_headersszSigV4Auth.signed_headerscCs||stS|j}|rrt|drr|}t|jt}t }xt |dD]}| |qJW| }| ||S|rt | StSdS)Nseek)_should_sha256_sign_payloadUNSIGNED_PAYLOADbodyhasattrtell functoolspartialreadPAYLOAD_BUFFERriterr8r\rEMPTY_SHA256_HASH)rrZ request_bodypositionZread_chunksizechecksumchunkZ hex_checksumrrrpayload s    zSigV4Auth.payloadcCs|jdsdS|jddS)NrkTpayload_signing_enabled)r+ startswithcontextget)rrrrrr!s z%SigV4Auth._should_sha256_sign_payloadcCs|jg}|t|jj}|||||||}|| |d|| |d|j kr||j d}n | |}||d |S)NrzX-Amz-Content-SHA256)r.upper_normalize_url_pathr r+r,r6ryrhrrrUrr7)rrZcrr,rhZ body_checksumrrrcanonical_request+s       zSigV4Auth.canonical_requestcCstt|dd}|S)Nz/~)r&)r r)rr,Znormalized_pathrrrr:szSigV4Auth._normalize_url_pathcCsN|jjg}||jddd||j||j|dd|S)N timestampr aws4_requestr")r rJr6rrXrYr7)rrscoperrrr>s     zSigV4Auth.scopecCsHg}||jddd||j||j|dd|S)Nrrrrr")r6rrXrYr7)rrrrrrcredential_scopeFs    zSigV4Auth.credential_scopecCsHdg}||jd||||t|dd|S)z Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. zAWS4-HMAC-SHA256rzutf-8r)r6rrrr3r\r7)rrrstsrrrr@Ns zSigV4Auth.string_to_signcCsd|jj}|d|d|jddd}|||j}|||j}||d}|j||ddS) NZAWS4zutf-8rrrrT)r^)r r2r`r3rrXrY)rr@rrBZk_dateZk_regionZ k_serviceZ k_signingrrrrPZs zSigV4Auth.signaturecCs|jdkrttj}|t|jd<||||}t dt d|| ||}t d|| ||}t d|| ||dS)Nrz$Calculating signature using v4 auth.zCanonicalRequest: %szStringToSign: %sz Signature: %s)r rdatetimeutcnowrLSIGV4_TIMESTAMPr_modify_request_before_signingrr)r*r@rP_inject_signature_to_request)rr datetime_nowrr@rPrrrrcs          zSigV4Auth.add_authcCsPd||g}||}|d|||d|d||jd<|S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=%sz Signature=%sz, Authorization)rrhr6rr7rU)rrrPr{rhrrrrus  z&SigV4Auth._inject_signature_to_requestcCsrd|jkr|jd=|||jjrDd|jkr6|jd=|jj|jd<|jddsnd|jkrd|jd=t|jd<dS)NrzX-Amz-Security-TokenrTzX-Amz-Content-SHA256)rU_set_necessary_date_headersr rOrrr)rrrrrr}s    z(SigV4Auth._modify_request_before_signingcCs|d|jkrV|jd=tj|jdt}ttt| |jd<d|jkrx|jd=n"d|jkrh|jd=|jd|jd<dS)NrSrz X-Amz-Date) rUrstrptimerrrintcalendartimegm timetuple)rrZdatetime_timestamprrrrs    z%SigV4Auth._set_necessary_date_headersN)F)rrrrQrr!r`rhreryrwrxrrrrrrrrrr@rPrrrrrrrrrWs0       rWcsHeZdZfddZfddZfddZfddZd d ZZS) S3SigV4Authcstt||||||_dS)N)superrr!_default_region_name)rr rZr[) __class__rrr!s  zS3SigV4Auth.__init__cs2|jdi}|d|j|_tt||dS)Nsigningregion)rrrrXrrr)rrsigning_context)rrrrs zS3SigV4Auth.add_authcs6tt||d|jkr"|jd=|||jd<dS)NzX-Amz-Content-SHA256)rrrrUr)rr)rrrrs z*S3SigV4Auth._modify_request_before_signingcsx|jd}t|dd}|dkr$i}|dd}|dk r<|S|jdrRd|jkrVdS|jddrhdStt||S) N client_configs3rrkz Content-MD5Thas_streaming_inputF) rrgetattrr+rrUrrr)rrr s3_configZ sign_payload)rrrrs     z'S3SigV4Auth._should_sha256_sign_payloadcCs|S)Nr)rr,rrrrszS3SigV4Auth._normalize_url_path) rrrr!rrrr __classcell__rr)rrrs     "rcs<eZdZdZeffdd ZddZddZdd ZZS) SigV4QueryAuthicstt||||||_dS)N)rrr!_expires)rr rZr[expires)rrrr!szSigV4QueryAuth.__init__c Cs|jd}d}||kr |jd=|||}d|||jd|j|d}|jjdk rf|jj|d<t |j }t ddt |j d d D}d }|jr|||d |_|rt|d }|t|} |} | d | d| d| | df} t| |_ dS)Nz content-typez0application/x-www-form-urlencoded; charset=utf-8zAWS4-HMAC-SHA256r)zX-Amz-AlgorithmzX-Amz-Credentialz X-Amz-Datez X-Amz-ExpireszX-Amz-SignedHeaderszX-Amz-Security-TokencSsg|]\}}||dfqS)rr)rnkrrrrrszASigV4QueryAuth._modify_request_before_signing..T)keep_blank_valuesr%r(rrr)rUrrrhrrrr rOr r+dictr r}rbrIr8_get_body_as_dictrr) rr content_typeZblacklisted_content_typerZ auth_paramsro query_dictZoperation_paramsnew_query_stringp new_url_partsrrrrs6      z-SigV4QueryAuth._modify_request_before_signingcCs>|j}t|tjr$t|d}nt|tjr:t|}|S)Nzutf-8)rI isinstancer binary_typerloadsr= string_types)rrrIrrrrs    z SigV4QueryAuth._get_body_as_dictcCs|jd|7_dS)Nz&X-Amz-Signature=%s)r+)rrrPrrrr+sz+SigV4QueryAuth._inject_signature_to_request) rrrDEFAULT_EXPIRESr!rrrrrr)rrrs = rc@s eZdZdZddZddZdS)S3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCs|S)Nr)rr,rrrr=sz$S3SigV4QueryAuth._normalize_url_pathcCstS)N)r)rrrrrrAszS3SigV4QueryAuth.payloadN)rrrrQrrrrrrr2s rc@seZdZdZddZdS)S3SigV4PostAuthz Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCsPtj}|t|jd<i}|jdddk r:|jd}i}g}|jdddk rv|jd}|dddk rv|d}||d<d|d<|||d<|jd|d<|ddi|d||i|d|jdi|jj dk r|jj |d <|d |jj it t |d d |d <||d ||d <||jd<||jd<dS) Nrzs3-presign-post-fieldszs3-presign-post-policy conditionszAWS4-HMAC-SHA256zx-amz-algorithmzx-amz-credentialz x-amz-datezx-amz-security-tokenzutf-8policyzx-amz-signature)rrrLrrrrr6r rOr9r:rdumpsr3r=rP)rrrfieldsrrrrrrPs4     zS3SigV4PostAuth.add_authN)rrrrQrrrrrrIsrc#@seZdZddddddddd d d d d ddddddddddddddddd ddd d!d"g#Zd:d$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd;d.d/Z d HmacV1Auth accelerateZaclZcorsZdefaultObjectAcllocationloggingZ partNumberrZrequestPaymentZtorrentZ versioningZ versionIdZversionsZwebsiteZuploadsZuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingdeleteZ lifecycletaggingZrestoreZ storageClassZ notificationZ replicationZ analyticsZmetricsZ inventoryselectz select-typeNcCs ||_dS)N)r )rr rZr[rrrr!szHmacV1Auth.__init__cCs>tj|jjdtd}||dt| dS)Nzutf-8)r#) r0r1r r2r3rr8rr;r<r=)rr@rVrrr sign_stringszHmacV1Auth.sign_stringcCsdddg}g}d|kr|d=||d<x^|D]V}d}x>|D]6}|}||dk r<||kr<|||d}q.z%s:%sr)rcrr7rr4keysr6)rrUrcustom_headersrBrZsorted_header_keysrrrcanonical_custom_headerss      z#HmacV1Auth.canonical_custom_headerscCs(t|dkr|S|dt|dfSdS)z( TODO: Do we need this? rrrN)r-r )rnvrrr unquote_vs zHmacV1Auth.unquote_vcs|dk r|}n|j}|jr|jd}dd|D}fdd|D}t|dkr|jtdddd|D}|d7}|d|7}|S) Nr(cSsg|]}|ddqS)r'rr)r?)rnarrrrsz1HmacV1Auth.canonical_resource..cs$g|]}|djkr|qS)r) QSAOfInterestr)rnr)rrrrsr)rBcSsg|]}d|qS)r')r7)rnrrrrrs?)r,r}r?r-sortrr7)rr? auth_pathbufZqsar)rrcanonical_resources   zHmacV1Auth.canonical_resourcecCsN|d}|||d7}||}|r8||d7}||j||d7}|S)Nr)r)rrrr)rr.r?rUrrcsrrrrcanonical_strings   zHmacV1Auth.canonical_stringcCsB|jjr|d=|jj|d<|j||||d}td|||S)Nzx-amz-security-token)rzStringToSign: %s)r rOrr)r*r)rr.r?rUrrr@rrr get_signatures  zHmacV1Auth.get_signaturecCsX|jdkrttdt|j}td|j|j|j||j|j d}| ||dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %s)r) r rr)r*r r+r.rrUr_inject_signature)rrr?rPrrrrs     zHmacV1Auth.add_authcCs tddS)NT)rT)r)rrrrrszHmacV1Auth._get_datecCs,d|jkr|jd=d|jj|f|jd<dS)Nrz AWS %s:%s)rUr rJ)rrrPrrrrs zHmacV1Auth._inject_signature)NN)N)NN)NN)rrrrr!rrrrrrrrrrrrrrrws0      rc@s0eZdZdZdZefddZddZddZd S) HmacV1QueryAuthz Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth icCs||_||_dS)N)r r)rr rrrrr! szHmacV1QueryAuth.__init__cCstttt|jS)N)rzrrKr)rrrrrszHmacV1QueryAuth._get_datec Csi}|jj|d<||d<xN|jD]D}|}|dkrD|jd|d<q |dsV|dkr |j|||<q Wt|}t|j}|drd|d|f}|d |d |d ||d f}t||_dS) NrFr$rSZExpireszx-amz-)z content-md5z content-typez%s&%srrrrr) r rJrUrcrrr r+r) rrrPrZ header_keyrrrrrrrrs   z!HmacV1QueryAuth._inject_signatureN)rrrrQrr!rrrrrrrs   rc@seZdZdZddZdS)HmacV1PostAuthz Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsi}|jdddk r |jd}i}g}|jdddk r\|jd}|dddk r\|d}||d<|jj|d<|jjdk r|jj|d<|d|jjitt | d d|d<| |d|d<||jd<||jd<dS) Nzs3-presign-post-fieldszs3-presign-post-policyrrFzx-amz-security-tokenzutf-8rrP) rrr rJrOr6r9r:rrr3r=r)rrrrrrrrr;s&      zHmacV1PostAuth.add_authN)rrrrQrrrrrr3sr) Zv2v4zv4-queryZv3Zv3httpsrzs3-queryzs3-presign-posts3v4z s3v4-queryzs3v4-presign-post)5r9rhashlibrrr0r email.utilsroperatorrrrKrrbotocore.exceptionsrbotocore.utilsrrbotocore.compatr r r r r rrrrr getLoggerrr)rrrMrrdrobjectrrrRrWrrrrrrrAUTH_TYPE_MAPSrrrrsn             =<Y. 2)