o ?c @s&ddlZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z mZddlmZddlmZmZmZmZmZmZmZmZmZddlmZmZddlmZm Z m!Z!dd lm"Z"e#e$Z%d Z&d Z'd Z(d Z)gdZ*dZ+dZ,ddZ-ddZ.GdddZ/Gddde/Z0Gddde/Z1Gddde/Z2Gddde/Z3Gdd d e3Z4Gd!d"d"e3Z5Gd#d$d$e5Z6Gd%d&d&e3Z7Gd'd(d(e/Z8Gd)d*d*e8Z9Gd+d,d,e8Z:Gd-d.d.e0Z;e1e2e2e8e9e:e7e;d/ZZ>edSe credentialsr6rDr$r$r%r@}rAzSigV2Auth.__init__cCs tdt|j}|j}t|dkrd}|jd|jd|d}tj |j j dt d}g}t|D])}|dkr;q4t||} t| ddd } t| dd d } || d | q4d |} || 7}td ||| dt|d} | | fS)Nz$Calculating signature using v2 auth.r/ r( digestmod Signaturesafez-_~=&zString to sign: %s)loggerdebugrr!pathlenmethodnetlochmacnewrD secret_keyencodersortedr/r appendjoinupdatebase64 b64encodedigeststripr.)r6r0paramssplitrRstring_to_signZlhmacpairskeyvalueZ quoted_keyZ quoted_valueqsZb64r$r$r%calc_signatures.       zSigV2Auth.calc_signaturecCs|jdurt|jr|j}n|j}|jj|d<d|d<d|d<ttt|d<|jj r4|jj |d<| ||\}}||d<|S) NAWSAccessKeyId2ZSignatureVersionZ HmacSHA256ZSignatureMethod TimestampZ SecurityTokenrJ) rDrr)rb access_keytimestrftimeISO8601gmtimetokenri)r6r0rbrh signaturer$r$r%r3s   zSigV2Auth.add_authN)r7r8r9__doc__r@rir3r$r$r$r%rBxs  rBc@seZdZddZddZdS) SigV3AuthcCr=r>rCrEr$r$r%r@rAzSigV3Auth.__init__cCs|jdurtd|jvr|jd=tdd|jd<|jjr-d|jvr&|jd=|jj|jd<tj|jjdt d}| |jddt |  }d|jjd|d}d |jvrb|jd =||jd <dS) NDateTusegmtX-Amz-Security-Tokenr(rHzAWS3-HTTPS AWSAccessKeyId=z ,Algorithm=HmacSHA256,Signature=zX-Amzn-Authorization)rDrheadersrrrrVrWrXrYrr]r r`rarmr.)r6r0new_hmacZencoded_signaturersr$r$r%r3s*     zSigV3Auth.add_authN)r7r8r9r@r3r$r$r$r%rus ruc@seZdZdZdZddZd1ddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ ddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0S)2 SigV4Authz+ Sign a request with Signature V4. TcCs||_||_||_dSr>)rD _region_name _service_namer6rD service_name region_namer$r$r%r@s zSigV4Auth.__init__FcCs<|rt||dt}|St||dt}|Sr')rVrWrYr hexdigestr`)r6rfmsghexsigr$r$r%_signs zSigV4Auth._signcCsLt}|jD]\}}|}|tvr|||<qd|vr$t|j|d<|S)zk Select the headers from the request that need to be included in the StringToSign. r#)r rzitemslowerSIGNED_HEADERS_BLACKLISTr&r!)r6r0Z header_mapnamerglnamer$r$r%headers_to_signszSigV4Auth.headers_to_signcCs"|jr ||jS|t|jSr>)rb_canonical_query_string_params_canonical_query_string_urlrr!r5r$r$r%canonical_query_strings z SigV4Auth.canonical_query_stringcCs~g}t|tr |}|D]\}}|t|ddtt|ddfq g}t|D]\}}||d|q)d|}|S)Nz-_.~rLrNrO)r*rrr[r r/rZr\)r6rb key_val_pairsrfrgsorted_key_valsrr$r$r%rs   z(SigV4Auth._canonical_query_string_paramsc Csvd}|jr9g}|jdD]}|d\}}}|||fq g}t|D]\}}||d|q%d|}|S)NrKrOrN)queryrc partitionr[rZr\) r6partsrrpairrf_rgrr$r$r%rs z%SigV4Auth._canonical_query_string_urlcsZg}tt|}|D]}dfdd||D}||dt|q d|S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ,c3s|]}|VqdSr>) _header_value.0vr6r$r% ,s  z.SigV4Auth.canonical_headers..:rG)rZsetr\get_allr[r )r6rrzZsorted_header_namesrfrgr$rr%canonical_headers"s  zSigV4Auth.canonical_headerscCsd|S)N )r\rc)r6rgr$r$r%r2szSigV4Auth._header_valuecCs tddt|D}d|S)Ncss|] }|VqdSr>)rra)rnr$r$r%r;sz+SigV4Auth.signed_headers..;)rZrr\)r6rrzr$r$r%signed_headers:s zSigV4Auth.signed_headerscCs0|jdi}|d}t|to|ddkS)Nchecksumrequest_algorithmintrailer)contextrr*dict)r6r0checksum_context algorithmr$r$r%_is_streaming_checksum_payload>s z(SigV4Auth._is_streaming_checksum_payloadcCs||rtS||stS|j}|r>t|dr>|}t|j t }t }t |dD]}| |q+|}|||S|rFt |StS)Nseek)r"STREAMING_UNSIGNED_PAYLOAD_TRAILER_should_sha256_sign_payloadUNSIGNED_PAYLOADbodyhasattrtell functoolspartialreadPAYLOAD_BUFFERriterr]rrEMPTY_SHA256_HASH)r6r0 request_bodypositionZread_chunksizerchunkZ hex_checksumr$r$r%payloadCs&     zSigV4Auth.payloadcCs|jdsdS|jddS)NrTpayload_signing_enabled)r! startswithrrr5r$r$r%r]s z%SigV4Auth._should_sha256_sign_payloadcCs|jg}|t|jj}|||||||}|| |d|| |d|j vr>|j d}n| |}||d |S)NrGX-Amz-Content-SHA256)rTupper_normalize_url_pathrr!rRr[rrrrrzrr\)r6r0crrRrZ body_checksumr$r$r%canonical_requestgs        zSigV4Auth.canonical_requestcCstt|dd}|S)Nz/~rL)r r)r6rRZnormalized_pathr$r$r%rvszSigV4Auth._normalize_url_pathcCsN|jjg}||jddd||j||j|dd|SN timestampr aws4_requestrF)rDrmr[rr}r~r\r6r0scoper$r$r%rzs     zSigV4Auth.scopecCsHg}||jddd||j||j|dd|Sr)r[rr}r~r\rr$r$r%credential_scopes     zSigV4Auth.credential_scopecCsHdg}||jd||||t|dd|S)z Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. AWS4-HMAC-SHA256rr(rG)r[rrrrYrr\)r6r0rstsr$r$r%rds  zSigV4Auth.string_to_signcCsd|jj}|d||jddd}|||j}|||j}||d}|j||ddS)NZAWS4rrrrT)r)rDrXrrYrr}r~)r6rdr0rfZk_dateZk_regionZ k_serviceZ k_signingr$r$r%rss zSigV4Auth.signaturecCs|jdurttj}|t|jd<||||}t dt d|| ||}t d|| ||}t d|| ||dS)Nrz$Calculating signature using v4 auth.zCanonicalRequest: %sStringToSign: %sz Signature: %s)rDrdatetimeutcnowroSIGV4_TIMESTAMPr_modify_request_before_signingrrPrQrdrs_inject_signature_to_request)r6r0 datetime_nowrrdrsr$r$r%r3s          zSigV4Auth.add_authcCsRd||g}||}|d|||d|d||jd<|S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=z Signature=%sz, Authorization)rrr[rr\rz)r6r0rsauth_strrr$r$r%rs z&SigV4Auth._inject_signature_to_requestcCsvd|jvr |jd=|||jjr"d|jvr|jd=|jj|jd<|jdds9d|jvr2|jd=t|jd<dSdS)NrryrTr)rz_set_necessary_date_headersrDrrrrrr5r$r$r%rs    z(SigV4Auth._modify_request_before_signingcCsd|jvr.|jd=tj|jdt}ttt| |jd<d|jvr,|jd=dSdSd|jvr7|jd=|jd|jd<dS)Nrvr X-Amz-Date) rzrstrptimerrrintcalendartimegm timetuple)r6r0Zdatetime_timestampr$r$r%rs     z%SigV4Auth._set_necessary_date_headersN)F)r7r8r9rtr:r@rrrrrrrrrrrrrrrrdrsr3rrrr$r$r$r%r|s2      r|cs0eZdZfddZfddZddZZS) S3SigV4Authcs2t|d|jvr|jd=|||jd<dS)Nr)superrrzrr5 __class__r$r%rs  z*S3SigV4Auth._modify_request_before_signingcs|jd}t|dd}|duri}|dd}|dur|Sd}|jdi}|d}t|tr<|ddkr<|d }|jd rG||jvrId S|jd d rRd St |S)N client_configs3rz Content-MD5rrrheaderrrTZhas_streaming_inputF) rrgetattrr*rr!rrzrr)r6r0rZ s3_configZ sign_payloadZchecksum_headerrrrr$r%rs(      z'S3SigV4Auth._should_sha256_sign_payloadcC|Sr>r$r6rRr$r$r%rzS3SigV4Auth._normalize_url_path)r7r8r9rrr __classcell__r$r$rr%rs  )rcs4eZdZdZeffdd ZddZddZZS)SigV4QueryAuthcst|||||_dSr>)rr@_expires)r6rDrrexpiresrr$r%r@s zSigV4QueryAuth.__init__c Cs|jd}d}||kr|jd=|||}d|||jd|j|d}|jjdur3|jj|d<t |j }t |j dd}d d | D}|jrT||ji|_d } |jrc|t|d |_|rkt|d } | t|} |} | d | d| d| | df} t| |_ dS)N content-typez0application/x-www-form-urlencoded; charset=utf-8rr)zX-Amz-AlgorithmzX-Amz-Credentialrz X-Amz-ExpireszX-Amz-SignedHeadersryT)keep_blank_valuescSsi|] \}}||dqSrr$)rkrr$r$r% <szASigV4QueryAuth._modify_request_before_signing..rKrOr)rzrrrrrrrDrrrr!r rrrbr]r)r1rr) r6r0 content_typeZblacklisted_content_typerZ auth_paramsr"Zquery_string_parts query_dictZoperation_paramsnew_query_stringp new_url_partsr$r$r%rs>       z-SigV4QueryAuth._modify_request_before_signingcCs|jd|7_dS)Nz&X-Amz-Signature=%s)r!)r6r0rsr$r$r%r^sz+SigV4QueryAuth._inject_signature_to_request)r7r8r9DEFAULT_EXPIRESr@rrrr$r$rr%rs Arc@s eZdZdZddZddZdS)S3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCrr>r$rr$r$r%rqrz$S3SigV4QueryAuth._normalize_url_pathcCstSr>)rr5r$r$r%ruszS3SigV4QueryAuth.payloadN)r7r8r9rtrrr$r$r$r%res rc@eZdZdZddZdS)S3SigV4PostAuthz Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCsNtj}|t|jd<i}|jdddur|jd}i}g}|jdddur;|jd}|dddur;|d}||d<d|d<|||d<|jd|d<|ddi|d||i|d|jdi|jj dur|jj |d <|d |jj it t |d d |d <||d ||d <||jd<||jd<dS) Nrs3-presign-post-fieldss3-presign-post-policy conditionsrzx-amz-algorithmzx-amz-credentialz x-amz-datex-amz-security-tokenr(policyzx-amz-signature)rrrorrrrr[rDrrr^r_r,dumpsrYr.rs)r6r0rfieldsrrr$r$r%r3s:      zS3SigV4PostAuth.add_authNr7r8r9rtr3r$r$r$r%r} rc@sxeZdZgdZdddZddZddZd d Zd d Zdd dZ dddZ dddZ ddZ ddZ ddZdS) HmacV1Auth)$Z accelerateZaclZcorsZdefaultObjectAcllocationloggingZ partNumberrrequestPaymentZtorrentZ versioningZ versionIdversionsZwebsiteZuploadsZuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingdeleteZ lifecycleZtaggingrestoreZ storageClassZ notificationZ replicationrZ analyticsZmetricsZ inventoryselectz select-typez object-lockNcCr=r>rCrr$r$r%r@rAzHmacV1Auth.__init__cCs>tj|jjdtd}||dt| dS)Nr(rH) rVrWrDrXrYrr]r r`rar.)r6rdr{r$r$r% sign_strings zHmacV1Auth.sign_stringcCsgd}g}d|vr |d=||d<|D])}d}|D]}|}||dur6||kr6|||d}q|s>|dqd|S)N) content-md5rdatervFTrKrG) _get_daterr[rar\)r6rzZinteresting_headershoiZihfoundrflkr$r$r%canonical_standard_headerss"   z%HmacV1Auth.canonical_standard_headerscCsg}i}|D] }|}||dur&|dr&ddd||D||<qt|}|D]}||d||q/d|S)Nx-amz-rcss|]}|VqdSr>)rarr$r$r%rs z6HmacV1Auth.canonical_custom_headers..rrG)rrr\rrZkeysr[)r6rzrcustom_headersrfrZsorted_header_keysr$r$r%canonical_custom_headerss      z#HmacV1Auth.canonical_custom_headerscCs$t|dkr|S|dt|dfS)z( TODO: Do we need this? rr)rSr)r6nvr$r$r% unquote_vs zHmacV1Auth.unquote_vcs|dur|}n|j}|jrC|jd}dd|D}fdd|D}t|dkrC|jtdddd|D}|d7}|d|7}|S) NrOcSsg|]}|ddqS)rNr)rcrar$r$r% sz1HmacV1Auth.canonical_resource..cs$g|]}|djvr|qSr) QSAOfInterestr r!rr$r%r#s r)rfcSsg|]}d|qS)rN)r\r!r$r$r%r#s?)rRrrcrSsortrr\)r6rc auth_pathbufZqsar$rr%canonical_resource s    zHmacV1Auth.canonical_resourcecCsN|d}|||d7}||}|r||d7}||j||d7}|S)NrGr')rrrr))r6rTrcrzrr'csrr$r$r%canonical_string$s   zHmacV1Auth.canonical_stringcCsB|jjr |d=|jj|d<|j||||d}td|||S)Nrr*r)rDrrr,rPrQr)r6rTrcrzrr'rdr$r$r% get_signature/s   zHmacV1Auth.get_signaturecCsX|jdurttdt|j}td|j|j|j||j|j d}| ||dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %sr*) rDrrPrQrr!rTr-rzr'_inject_signature)r6r0rcrsr$r$r%r3;s   zHmacV1Auth.add_authcCs tddS)NTrwrrr$r$r%rFrAzHmacV1Auth._get_datecCs4d|jvr |jd=d|jjd|}||jd<dS)NrzAWS r)rzrDrm)r6r0rs auth_headerr$r$r%r.Is zHmacV1Auth._inject_signature)NNr>)r7r8r9r$r@rrrr r)r,r-r3rr.r$r$r$r%r s '     r c@s0eZdZdZdZefddZddZddZd S) HmacV1QueryAuthz Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth rcCs||_||_dSr>)rDr)r6rDrr$r$r%r@ds zHmacV1QueryAuth.__init__cCstttt|jSr>)r/rrnrrr$r$r%rhszHmacV1QueryAuth._get_datec Csi}|jj|d<||d<|jD]"}|}|dkr!|jd|d<q|ds*|dvr1|j|||<qt|}t|j}|drH|dd|}|d |d |d ||d f}t||_dS) NrjrJrvZExpiresr)rrrOrrrr) rDrmrzrrrrr!r) r6r0rsrZ header_keyrrrrr$r$r%r.ks    z!HmacV1QueryAuth._inject_signatureN)r7r8r9rtrr@rr.r$r$r$r%r0Ws   r0c@r)HmacV1PostAuthz Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsi}|jdddur|jd}i}g}|jdddur.|jd}|dddur.|d}||d<|jj|d<|jjdurM|jj|d<|d|jjitt | d d|d<| |d|d<||jd<||jd<dS) Nrrrrjrr(rrs) rrrDrmrrr[r^r_r,rrYr.r)r6r0rrrr$r$r%r3s,      zHmacV1PostAuth.add_authNr r$r$r$r%r2s r2c@r) BearerAuthz Performs bearer token authorization by placing the bearer token in the Authorization header as specified by Section 2.1 of RFC 6750. https://datatracker.ietf.org/doc/html/rfc6750#section-2.1 cCs>|jdurtd|jj}d|jvr|jd=||jd<dS)NzBearer r)r?rrrrz)r6r0r/r$r$r%r3s  zBearerAuth.add_authNr r$r$r$r%r3r r3)v2Zv3Zv3httpsrzs3-queryzs3-presign-postzs3v4-presign-postZbearer)CRT_AUTH_TYPE_MAPS)Zv4zv4-queryZs3v4z s3v4-query)@r^rrrrVr,r rncollections.abcr email.utilsrhashlibrroperatorrZbotocore.compatrr r r r r rrrZbotocore.exceptionsrrZbotocore.utilsrrrr getLoggerr7rPrrrprrrrr&r1r2r<rBrur|rrrrr r0r2r3ZAUTH_TYPE_MAPSZbotocore.crt.authr5r]r$r$r$r%s|    ,     =6Q0+5(