B -<`–ˆã @sðddlZddlZddlmZddlmZddlZddlZddlmZddl m Z ddl Z ddl Z ddl Z ddlZddlmZddlmZmZddlmZdd lmZmZmZmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZe e ¡Z!dZ"dZ#dZ$dZ%dddgZ&dZ'Gdd„de(ƒZ)Gdd„de)ƒZ*Gdd„de)ƒZ+Gdd„de)ƒZ,Gd d!„d!e,ƒZ-Gd"d#„d#e,ƒZ.Gd$d%„d%e.ƒZ/Gd&d'„d'e,ƒZ0Gd(d)„d)e)ƒZ1Gd*d+„d+e1ƒZ2Gd,d-„d-e1ƒZ3e*e,e.e+e+e1e2e3e-e/e0d.œ Z4dS)/éN)Úsha256)Úsha1)Ú formatdate)Ú itemgetter)ÚNoCredentialsError)Únormalize_url_pathÚpercent_encode_sequence)Ú HTTPHeaders)ÚquoteÚunquoteÚurlsplitÚparse_qs)Ú urlunsplit)Ú encodebytes)Úsix)Újson)Ú MD5_AVAILABLE)Úensure_unicodeZ@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855iz%Y-%m-%dT%H:%M:%SZz%Y%m%dT%H%M%SZÚexpectz user-agentzx-amzn-trace-idzUNSIGNED-PAYLOADc@seZdZdZdd„ZdS)Ú BaseSignerFcCs tdƒ‚dS)NÚadd_auth)ÚNotImplementedError)ÚselfÚrequest©rú4/tmp/pip-target-7cdyy134/lib/python/botocore/auth.pyr<szBaseSigner.add_authN)Ú__name__Ú __module__Ú __qualname__ÚREQUIRES_REGIONrrrrrr9src@s(eZdZdZdd„Zdd„Zdd„ZdS) Ú SigV2Authz+ Sign a request with Signature V2. cCs ||_dS)N)Ú credentials)rr!rrrÚ__init__EszSigV2Auth.__init__c Csþt d¡t|jƒ}|j}t|ƒdkr*d}d|j|j|f}tj |j j   d¡t d}g}xVt|ƒD]J}|dkrpqbt ||¡} | t|  d¡dd d t|   d¡d d ¡qbWd  |¡} || 7}t d |¡| |  d¡¡t | ¡¡ ¡ d¡} | | fS)Nz$Calculating signature using v2 auth.rú/z %s %s %s zutf-8)Ú digestmodÚ SignatureÚ)Úsafeú=z-_~ú&zString to sign: %s)ÚloggerÚdebugr ÚurlÚpathÚlenÚmethodÚnetlocÚhmacÚnewr!Ú secret_keyÚencoderÚsortedrÚ text_typeÚappendr ÚjoinÚupdateÚbase64Ú b64encodeÚdigestÚstripÚdecode) rrÚparamsÚsplitr-Ústring_to_signZlhmacÚpairsÚkeyÚvalueÚqsZb64rrrÚcalc_signatureHs.     zSigV2Auth.calc_signaturecCs‚|jdkrt‚|jr|j}n|j}|jj|d<d|d<d|d<t tt ¡¡|d<|jj rf|jj |d<|  ||¡\}}||d<|S) NÚAWSAccessKeyIdÚ2ZSignatureVersionÚ HmacSHA256ZSignatureMethodÚ TimestampZ SecurityTokenr%) r!rÚdatar?Ú access_keyÚtimeÚstrftimeÚISO8601ÚgmtimeÚtokenrF)rrr?rEÚ signaturerrrrds   zSigV2Auth.add_authN)rrrÚ__doc__r"rFrrrrrr @sr c@seZdZdd„Zdd„ZdS)Ú SigV3AuthcCs ||_dS)N)r!)rr!rrrr"~szSigV3Auth.__init__cCsÎ|jdkrt‚d|jkr |jd=tdd|jd<|jjrXd|jkrJ|jd=|jj|jd<tj|jj d¡t d}|  |jd d¡¡t |  ¡ƒ  ¡}d|jjd| d¡f}d |jkrÀ|jd =||jd <dS) NÚDateT)ÚusegmtzX-Amz-Security-Tokenzutf-8)r$z6AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=%s,Signature=%srIzX-Amzn-Authorization)r!rÚheadersrrQr1r2r3r4rr9rr<r=rLr>)rrÚnew_hmacZencoded_signaturerRrrrrs&    zSigV3Auth.add_authN)rrrr"rrrrrrT}srTc@sÆeZdZdZdZdd„Zd1dd„Zdd „Zd d „Zd d „Z dd„Z dd„Z dd„Z dd„Z dd„Zdd„Zdd„Zdd„Zdd„Zd d!„Zd"d#„Zd$d%„Zd&d'„Zd(d)„Zd*d+„Zd,d-„Zd.d/„Zd0S)2Ú SigV4Authz+ Sign a request with Signature V4. TcCs||_||_||_dS)N)r!Ú _region_nameÚ _service_name)rr!Ú service_nameÚ region_namerrrr"szSigV4Auth.__init__FcCs:|rt || d¡t¡ ¡}nt || d¡t¡ ¡}|S)Nzutf-8)r1r2r4rÚ hexdigestr<)rrCÚmsgÚhexÚsigrrrÚ_sign¥szSigV4Auth._signcCsVtƒ}x.|j ¡D] \}}| ¡}|tkr|||<qWd|krR| |j¡ ¡|d<|S)zk Select the headers from the request that need to be included in the StringToSign. Úhost)r rWÚitemsÚlowerÚSIGNED_HEADERS_BLACKLISTÚ_canonical_hostr,)rrZ header_mapÚnamerDÚlnamerrrÚheaders_to_sign¬s zSigV4Auth.headers_to_signcsDt|ƒ‰dddœ}t‡fdd„| ¡Dƒƒr2ˆjSˆj dd¡dS) NéPi»)ÚhttpÚhttpsc3s&|]\}}ˆj|koˆj|kVqdS)N)ÚschemeÚport)Ú.0rnro)Ú url_partsrrú Äsz,SigV4Auth._canonical_host..ú@ééÿÿÿÿ)r ÚanyrdÚhostnamer0Úrsplit)rr,Z default_portsr)rqrrg¾s zSigV4Auth._canonical_hostcCs&|jr| |j¡S| t|jƒ¡SdS)N)r?Ú_canonical_query_string_paramsÚ_canonical_query_string_urlr r,)rrrrrÚcanonical_query_stringËs z SigV4Auth.canonical_query_stringc CsRg}x>t|ƒD]2}t||ƒ}| dt|ddt|ddf¡qWd |¡}|S)Nz%s=%sz-_.~)r'r))r5Ústrr7r r8)rr?ÚlÚparamrDZcqsrrrryÕs  z(SigV4Auth._canonical_query_string_paramsc Cs|d}|jrxg}x2|j d¡D]"}| d¡\}}}| ||f¡qWg}x&t|ƒD]\}}| d||f¡qPWd |¡}|S)Nr&r)r(z%s=%s)Úqueryr@Ú partitionr7r5r8) rÚpartsr{Z key_val_pairsÚpairrCÚ_rDZsorted_key_valsrrrrzÞs z%SigV4Auth._canonical_query_string_urlcs`g}tt|ƒƒ}xD|D]<}d ‡fdd„t| |¡ƒDƒ¡}| d|t|ƒf¡qWd |¡S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ú,c3s|]}ˆ |¡VqdS)N)Ú _header_value)rpÚv)rrrrrøsz.SigV4Auth.canonical_headers..z%s:%sÚ )r5Úsetr8Úget_allr7r)rrjrWZsorted_header_namesrCrDr)rrÚcanonical_headersîs  zSigV4Auth.canonical_headerscCsd | ¡¡S)Nú )r8r@)rrDrrrr…ýszSigV4Auth._header_valuecCs$dd„t|ƒDƒ}t|ƒ}d |¡S)NcSsg|]}d| ¡ ¡‘qS)z%s)rer=)rpÚnrrrú sz,SigV4Auth.signed_headers..ú;)rˆr5r8)rrjr}rrrÚsigned_headersszSigV4Auth.signed_headerscCsŠ| |¡stS|j}|rrt|dƒrr| ¡}t |jt¡}t ƒ}xt |dƒD]}|  |¡qJW|  ¡}|  |¡|S|r‚t |ƒ  ¡StSdS)NÚseekó)Ú_should_sha256_sign_payloadÚUNSIGNED_PAYLOADÚbodyÚhasattrÚtellÚ functoolsÚpartialÚreadÚPAYLOAD_BUFFERrÚiterr9r^rÚEMPTY_SHA256_HASH)rrÚ request_bodyÚpositionZread_chunksizeZchecksumÚchunkZ hex_checksumrrrÚpayload s    zSigV4Auth.payloadcCs|j d¡sdS|j dd¡S)NrmTÚpayload_signing_enabled)r,Ú startswithÚcontextÚget)rrrrrr’!s z%SigV4Auth._should_sha256_sign_payloadcCsš|j ¡g}| t|jƒj¡}| |¡| | |¡¡| |¡}| |  |¡d¡| |  |¡¡d|j kr||j d}n |  |¡}| |¡d  |¡S)Nr‡zX-Amz-Content-SHA256)r/ÚupperÚ_normalize_url_pathr r,r-r7r{rjrŠrrWr r8)rrZcrr-rjZ body_checksumrrrÚcanonical_request+s       zSigV4Auth.canonical_requestcCstt|ƒdd}|S)Nz/~)r')r r)rr-Znormalized_pathrrrr¦:szSigV4Auth._normalize_url_pathcCsN|jjg}| |jddd…¡| |j¡| |j¡| d¡d |¡S)NÚ timestampréÚ aws4_requestr#)r!rLr7r£rZr[r8)rrÚscoperrrr«>s     zSigV4Auth.scopecCsHg}| |jddd…¡| |j¡| |j¡| d¡d |¡S)Nr¨rr©rªr#)r7r£rZr[r8)rrr«rrrÚcredential_scopeFs    zSigV4Auth.credential_scopecCsHdg}| |jd¡| | |¡¡| t| d¡ƒ ¡¡d |¡S)z¬ Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. zAWS4-HMAC-SHA256r¨zutf-8r‡)r7r£r¬rr4r^r8)rrr§ÚstsrrrrANs zSigV4Auth.string_to_signcCsd|jj}| d| d¡|jddd…¡}| ||j¡}| ||j¡}| |d¡}|j||ddS) NZAWS4zutf-8r¨rr©rªT)r`)r!r3rbr4r£rZr[)rrArrCZk_dateZk_regionZ k_serviceZ k_signingrrrrRZs zSigV4Auth.signaturecCs’|jdkrt‚tj ¡}| t¡|jd<| |¡| |¡}t   d¡t   d|¡|  ||¡}t   d|¡|  ||¡}t   d|¡|  ||¡dS)Nr¨z$Calculating signature using v4 auth.zCanonicalRequest: %szStringToSign: %sz Signature: %s)r!rÚdatetimeÚutcnowrNÚSIGV4_TIMESTAMPr£Ú_modify_request_before_signingr§r*r+rArRÚ_inject_signature_to_request)rrÚ datetime_nowr§rArRrrrrcs          zSigV4Auth.add_authcCsPd| |¡g}| |¡}| d| |¡¡| d|¡d |¡|jd<|S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=%sz Signature=%sz, Ú Authorization)r«rjr7rr8rW)rrrRr}rjrrrr²us  z&SigV4Auth._inject_signature_to_requestcCsrd|jkr|jd=| |¡|jjrDd|jkr6|jd=|jj|jd<|j dd¡snd|jkrd|jd=t|jd<dS)Nr´zX-Amz-Security-Tokenr¡TzX-Amz-Content-SHA256)rWÚ_set_necessary_date_headersr!rQr£r¤r“)rrrrrr±}s    z(SigV4Auth._modify_request_before_signingcCs|d|jkrV|jd=tj |jdt¡}ttt |  ¡¡ƒƒ|jd<d|jkrx|jd=n"d|jkrh|jd=|jd|jd<dS)NrUr¨z X-Amz-Date) rWr®Ústrptimer£r°rÚintÚcalendarÚtimegmÚ timetuple)rrZdatetime_timestamprrrrµ‹s    z%SigV4Auth._set_necessary_date_headersN)F)rrrrSrr"rbrjrgr{ryrzrŠr…rr r’r§r¦r«r¬rArRrr²r±rµrrrrrY—s0       rYcs0eZdZ‡fdd„Z‡fdd„Zdd„Z‡ZS)Ú S3SigV4Authcs6tt|ƒ |¡d|jkr"|jd=| |¡|jd<dS)NzX-Amz-Content-SHA256)Úsuperr»r±rWr )rr)Ú __class__rrr±žs z*S3SigV4Auth._modify_request_before_signingcsx|j d¡}t|ddƒ}|dkr$i}| dd¡}|dk r<|S|j d¡rRd|jkrVdS|j dd¡rhdStt|ƒ |¡S) NÚ client_configÚs3r¡rmz Content-MD5TZhas_streaming_inputF) r£r¤Úgetattrr,r¢rWr¼r»r’)rrr¾Z s3_configZ sign_payload)r½rrr’¥s     z'S3SigV4Auth._should_sha256_sign_payloadcCs|S)Nr)rr-rrrr¦ÇszS3SigV4Auth._normalize_url_path)rrrr±r’r¦Ú __classcell__rr)r½rr»s  "r»cs<eZdZdZef‡fdd„ Zdd„Zdd„Zdd „Z‡ZS) ÚSigV4QueryAuthicstt|ƒ |||¡||_dS)N)r¼rÂr"Ú_expires)rr!r\r]Úexpires)r½rrr"ÏszSigV4QueryAuth.__init__c Csü|j d¡}d}||kr |jd=| | |¡¡}d| |¡|jd|j|dœ}|jjdk rf|jj|d<t |j ƒ}t dd„t |j d d  ¡Dƒƒ}d }|jr°| | |¡¡d |_|rÀt|ƒd }|t|ƒ} |} | d | d| d| | df} t| ƒ|_ dS)Nz content-typez0application/x-www-form-urlencoded; charset=utf-8zAWS4-HMAC-SHA256r¨)zX-Amz-AlgorithmzX-Amz-Credentialz X-Amz-Datez X-Amz-ExpireszX-Amz-SignedHeaderszX-Amz-Security-TokencSsg|]\}}||df‘qS)rr)rpÚkr†rrrrôszASigV4QueryAuth._modify_request_before_signing..T)Úkeep_blank_valuesr&r)rrtéé)rWr¤rrjr«r£rÃr!rQr r,Údictr rrdrKr9Ú_get_body_as_dictrr) rrÚ content_typeZblacklisted_content_typerZ auth_paramsrqÚ query_dictZoperation_paramsÚnew_query_stringÚpÚ new_url_partsrrrr±Õs6      z-SigV4QueryAuth._modify_request_before_signingcCs>|j}t|tjƒr$t | d¡¡}nt|tjƒr:t |¡}|S)Nzutf-8)rKÚ isinstancerÚ binary_typerÚloadsr>Ú string_types)rrrKrrrrÊs    z SigV4QueryAuth._get_body_as_dictcCs|jd|7_dS)Nz&X-Amz-Signature=%s)r,)rrrRrrrr²sz+SigV4QueryAuth._inject_signature_to_request) rrrÚDEFAULT_EXPIRESr"r±rÊr²rÁrr)r½rrÂÌs = rÂc@s eZdZdZdd„Zdd„ZdS)ÚS3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCs|S)Nr)rr-rrrr¦0sz$S3SigV4QueryAuth._normalize_url_pathcCstS)N)r“)rrrrrr 4szS3SigV4QueryAuth.payloadN)rrrrSr¦r rrrrrÕ%s rÕc@seZdZdZdd„ZdS)ÚS3SigV4PostAuthz† Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCsPtj ¡}| t¡|jd<i}|j dd¡dk r:|jd}i}g}|j dd¡dk rv|jd}| dd¡dk rv|d}||d<d|d<| |¡|d<|jd|d<| ddi¡| d| |¡i¡| d|jdi¡|jj dk r|jj |d <| d |jj i¡t   t   |¡ d ¡¡ d ¡|d <| |d |¡|d <||jd<||jd<dS) Nr¨zs3-presign-post-fieldszs3-presign-post-policyÚ conditionszAWS4-HMAC-SHA256zx-amz-algorithmzx-amz-credentialz x-amz-datezx-amz-security-tokenzutf-8Úpolicyzx-amz-signature)r®r¯rNr°r£r¤r«r7r!rQr:r;rÚdumpsr4r>rR)rrr³ÚfieldsrØr×rrrrCs4     zS3SigV4PostAuth.add_authN)rrrrSrrrrrrÖ<srÖc#@s¶eZdZddddddddd d d d d ddddddddddddddddd ddd d!d"g#Zd:d$d%„Zd&d'„Zd(d)„Zd*d+„Zd,d-„Zd;d.d/„Z dÚ HmacV1AuthZ accelerateZaclZcorsZdefaultObjectAclÚlocationÚloggingZ partNumberrØZrequestPaymentZtorrentZ versioningZ versionIdÚversionsZwebsiteZuploadsZuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingÚdeleteZ lifecycleZtaggingÚrestoreZ storageClassZ notificationZ replicationZ analyticsZmetricsZ inventoryÚselectz select-typeNcCs ||_dS)N)r!)rr!r\r]rrrr"yszHmacV1Auth.__init__cCs>tj|jj d¡td}| | d¡¡t| ¡ƒ  ¡  d¡S)Nzutf-8)r$) r1r2r!r3r4rr9rr<r=r>)rrArXrrrÚ sign_string|szHmacV1Auth.sign_stringcCs’dddg}g}d|kr|d=| ¡|d<x^|D]V}d}x>|D]6}| ¡}||dk r<||kr<| || ¡¡d}q.z%s:%sr‡)rer¢r8r‰r5Úkeysr7)rrWråÚcustom_headersrCrçZsorted_header_keysrrrÚcanonical_custom_headers“s      z#HmacV1Auth.canonical_custom_headerscCs(t|ƒdkr|S|dt|dƒfSdS)z( TODO: Do we need this? rtrN)r.r )rÚnvrrrÚ unquote_v¡s zHmacV1Auth.unquote_vcsŠ|dk r|}n|j}|jr†|j d¡}dd„|Dƒ}‡fdd„|Dƒ}t|ƒdkr†|jtdƒddd„|Dƒ}|d7}|d |¡7}|S) Nr)cSsg|]}| dd¡‘qS)r(rt)r@)rpÚarrrr¹sz1HmacV1Auth.canonical_resource..cs$g|]}|dˆjkrˆ |¡‘qS)r)Ú QSAOfInterestrí)rprî)rrrrºsr)rCcSsg|]}d |¡‘qS)r()r8)rprîrrrr¾sú?)r-rr@r.Úsortrr8)rr@Ú auth_pathÚbufZqsar)rrÚcanonical_resourceªs   zHmacV1Auth.canonical_resourcecCsN| ¡d}|| |¡d7}| |¡}|r8||d7}||j||d7}|S)Nr‡)rò)r¥rèrërô)rr/r@rWrÄròÚcsrêrrrÚcanonical_stringÃs   zHmacV1Auth.canonical_stringcCsB|jjr|d=|jj|d<|j||||d}t d|¡| |¡S)Nzx-amz-security-token)ròzStringToSign: %s)r!rQrör*r+râ)rr/r@rWrÄròrArrrÚ get_signatureÍs  zHmacV1Auth.get_signaturecCsX|jdkrt‚t d¡t|jƒ}t d|j¡|j|j||j|j d}|  ||¡dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %s)rò) r!rr*r+r r,r/r÷rWròÚ_inject_signature)rrr@rRrrrrÙs     zHmacV1Auth.add_authcCs tddS)NT)rV)r)rrrrrääszHmacV1Auth._get_datecCs,d|jkr|jd=d|jj|f|jd<dS)Nr´z AWS %s:%s)rWr!rL)rrrRrrrrøçs zHmacV1Auth._inject_signature)NN)N)NN)NN)rrrrïr"rârèrërírôrör÷rrärørrrrrÛjs0      rÛc@s0eZdZdZdZefdd„Zdd„Zdd„Zd S) ÚHmacV1QueryAuthzÁ Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth icCs||_||_dS)N)r!rÃ)rr!rÄrrrr"szHmacV1QueryAuth.__init__cCsttt ¡t|jƒƒƒS)N)r|r·rMrÃ)rrrrräszHmacV1QueryAuth._get_datec Cs¾i}|jj|d<||d<xN|jD]D}| ¡}|dkrD|jd|d<q | d¡sV|dkr |j|||<q Wt|ƒ}t|jƒ}|dr’d|d|f}|d |d |d ||d f}t|ƒ|_dS) NrGr%rUZExpireszx-amz-)z content-md5z content-typeéz%s&%srrtrÇrÈ) r!rLrWrer¢rr r,r) rrrRrÌZ header_keyrçrÍrÎrÏrrrrøs   z!HmacV1QueryAuth._inject_signatureN)rrrrSrÔr"rärørrrrrùôs   rùc@seZdZdZdd„ZdS)ÚHmacV1PostAuthz‘ Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsäi}|j dd¡dk r |jd}i}g}|j dd¡dk r\|jd}| dd¡dk r\|d}||d<|jj|d<|jjdk rš|jj|d<| d|jji¡t t  |¡  d¡¡  d¡|d<|  |d¡|d<||jd<||jd<dS) Nzs3-presign-post-fieldszs3-presign-post-policyr×rGzx-amz-security-tokenzutf-8rØrR) r£r¤r!rLrQr7r:r;rrÙr4r>râ)rrrÚrØr×rrrr.s&      zHmacV1PostAuth.add_authN)rrrrSrrrrrrû&srû) Zv2Zv4zv4-queryZv3Zv3httpsr¿zs3-queryzs3-presign-postZs3v4z s3v4-queryzs3v4-presign-post)5r:r®Úhashlibrrr1rÝÚ email.utilsrÚoperatorrr—rMr¸rZbotocore.exceptionsrZbotocore.utilsrrZbotocore.compatr r r r r rrrrrÚ getLoggerrr*rœršrOr°rfr“Úobjectrr rTrYr»rÂrÕrÖrÛrùrûZAUTH_TYPE_MAPSrrrrÚsn             =/Y. 2)