B ㊇c @s&ddlZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z mZddlmZddlmZmZmZmZmZmZmZmZmZddlmZmZddlmZm Z m!Z!dd lm"Z"e#e$Z%d Z&d Z'd Z(d Z)dddgZ*dZ+dZ,ddZ-ddZ.GdddZ/Gddde/Z0Gddde/Z1Gddde/Z2Gdd d e/Z3Gd!d"d"e3Z4Gd#d$d$e3Z5Gd%d&d&e5Z6Gd'd(d(e3Z7Gd)d*d*e/Z8Gd+d,d,e8Z9Gd-d.d.e8Z:Gd/d0d0e0Z;e1e2e2e8e9e:e7e;d1ZZ>ene-sz.SigV4Auth.canonical_headers..:r>)rOsetrQget_allrPr )r2r~rmZsorted_header_namesr[r\r#)r2r$canonical_headers"s  zSigV4Auth.canonical_headerscCsd|S)N )rQrX)r2r\r#r#r$r2szSigV4Auth._header_valuecCs tddt|D}d|S)Ncss|]}|VqdS)N)rzrV)rnr#r#r$r;sz+SigV4Auth.signed_headers..;)rOrrQ)r2r~rmr#r#r$signed_headers:szSigV4Auth.signed_headerscCs0|jdi}|d}t|to.|ddkS)Nchecksumrequest_algorithmintrailer)contextrr'dict)r2r-checksum_context algorithmr#r#r$_is_streaming_checksum_payload>s z(SigV4Auth._is_streaming_checksum_payloadcCs||rtS||stS|j}|rt|dr|}t|j t }t }xt |dD]}| |qXW|}|||S|rt |StSdS)Nseek)r"STREAMING_UNSIGNED_PAYLOAD_TRAILER_should_sha256_sign_payloadUNSIGNED_PAYLOADbodyhasattrtell functoolspartialreadPAYLOAD_BUFFERriterrRrtrEMPTY_SHA256_HASH)r2r- request_bodypositionZread_chunksizerchunkZ hex_checksumr#r#r$payloadCs$     zSigV4Auth.payloadcCs|jdsdS|jddS)NrTpayload_signing_enabled)r startswithrr)r2r-r#r#r$r]s z%SigV4Auth._should_sha256_sign_payloadcCs|jg}|t|jj}|||||||}|| |d|| |d|j kr||j d}n | |}||d |S)Nr>zX-Amz-Content-SHA256)rIupper_normalize_url_pathrr rGrPrr~rrrmrrQ)r2r-crrGr~Z body_checksumr#r#r$canonical_requestgs       zSigV4Auth.canonical_requestcCstt|dd}|S)Nz/~)rB)r r)r2rGZnormalized_pathr#r#r$rvszSigV4Auth._normalize_url_pathcCsN|jjg}||jddd||j||j|dd|S)N timestampr aws4_requestr=)r<rbrPrrprqrQ)r2r-scoper#r#r$rzs     zSigV4Auth.scopecCsHg}||jddd||j||j|dd|S)Nrrrrr=)rPrrprqrQ)r2r-rr#r#r$credential_scopes    zSigV4Auth.credential_scopecCsHdg}||jd||||t|dd|S)z Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. zAWS4-HMAC-SHA256rzutf-8r>)rPrrrrNrtrQ)r2r-rstsr#r#r$rYs zSigV4Auth.string_to_signcCsd|jj}|d||jddd}|||j}|||j}||d}|j||ddS)NZAWS4rrrrT)rv)r<rMrxrNrrprq)r2rYr-r[Zk_dateZk_regionZ k_serviceZ k_signingr#r#r$rhs  zSigV4Auth.signaturecCs|jdkrttj}|t|jd<||||}t dt d|| ||}t d|| ||}t d|| ||dS)Nrz$Calculating signature using v4 auth.zCanonicalRequest: %szStringToSign: %sz Signature: %s)r<rdatetimeutcnowrdSIGV4_TIMESTAMPr_modify_request_before_signingrrErFrYrh_inject_signature_to_request)r2r- datetime_nowrrYrhr#r#r$r0s          zSigV4Auth.add_authcCsRd||g}||}|d|||d|d||jd<|S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=z Signature=%sz, Authorization)rr~rPrrQrm)r2r-rhauth_strr~r#r#r$rs z&SigV4Auth._inject_signature_to_requestcCsrd|jkr|jd=|||jjrDd|jkr6|jd=|jj|jd<|jddsnd|jkrd|jd=t|jd<dS)NrzX-Amz-Security-TokenrTzX-Amz-Content-SHA256)rm_set_necessary_date_headersr<rgrrr)r2r-r#r#r$rs    z(SigV4Auth._modify_request_before_signingcCs|d|jkrV|jd=tj|jdt}ttt| |jd<d|jkrx|jd=n"d|jkrh|jd=|jd|jd<dS)Nrkrz X-Amz-Date) rmrstrptimerrrintcalendartimegm timetuple)r2r-Zdatetime_timestampr#r#r$rs    z%SigV4Auth._set_necessary_date_headersN)F)r3r4r5rir6r:rxr~rrrrrrrrrrrrrrYrhr0rrrr#r#r#r$ros0      rocs0eZdZfddZfddZddZZS) S3SigV4Authcs2t|d|jkr|jd=|||jd<dS)NzX-Amz-Content-SHA256)superrrmr)r2r-) __class__r#r$rs  z*S3SigV4Auth._modify_request_before_signingcs|jd}t|dd}|dkr$i}|dd}|dk r<|Sd}|jdi}|d}t|trx|ddkrx|d }|jd r||jkrd S|jd d rd St |S)N client_configs3rz Content-MD5rrrheaderr|rTZhas_streaming_inputF) rrgetattrr'rr rrmrr)r2r-rZ s3_configZ sign_payloadZchecksum_headerrr)rr#r$rs$      z'S3SigV4Auth._should_sha256_sign_payloadcCs|S)Nr#)r2rGr#r#r$rszS3SigV4Auth._normalize_url_path)r3r4r5rrr __classcell__r#r#)rr$rs  )rcs4eZdZdZeffdd ZddZddZZS)SigV4QueryAuthicst|||||_dS)N)rr:_expires)r2r<rrrsexpires)rr#r$r:szSigV4QueryAuth.__init__c Cs|jd}d}||kr |jd=|||}d|||jd|j|d}|jjdk rf|jj|d<t |j }t |j dd}d d | D}|jr||ji|_d } |jr|t|d |_|rt|d } | t|} |} | d | d| d| | df} t| |_ dS)Nz content-typez0application/x-www-form-urlencoded; charset=utf-8zAWS4-HMAC-SHA256r)zX-Amz-AlgorithmzX-Amz-Credentialz X-Amz-Datez X-Amz-ExpireszX-Amz-SignedHeaderszX-Amz-Security-TokenT)keep_blank_valuescSsi|]\}}|d|qS)rr#)rkrr#r#r$ <szASigV4QueryAuth._modify_request_before_signing..rArDr)rmrrr~rrrr<rgrr r rryrWrRr&r.rr) r2r- content_typeZblacklisted_content_typerZ auth_paramsr!Zquery_string_parts query_dictZoperation_paramsnew_query_stringp new_url_partsr#r#r$rs8       z-SigV4QueryAuth._modify_request_before_signingcCs|jd|7_dS)Nz&X-Amz-Signature=%s)r )r2r-rhr#r#r$r^sz+SigV4QueryAuth._inject_signature_to_request)r3r4r5DEFAULT_EXPIRESr:rrrr#r#)rr$rsArc@s eZdZdZddZddZdS)S3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCs|S)Nr#)r2rGr#r#r$rqsz$S3SigV4QueryAuth._normalize_url_pathcCstS)N)r)r2r-r#r#r$ruszS3SigV4QueryAuth.payloadN)r3r4r5rirrr#r#r#r$res rc@seZdZdZddZdS)S3SigV4PostAuthz Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCsPtj}|t|jd<i}|jdddk r:|jd}i}g}|jdddk rv|jd}|dddk rv|d}||d<d|d<|||d<|jd|d<|ddi|d||i|d|jdi|jj dk r|jj |d <|d |jj it t |d d |d <||d ||d <||jd<||jd<dS) Nrzs3-presign-post-fieldszs3-presign-post-policy conditionszAWS4-HMAC-SHA256zx-amz-algorithmzx-amz-credentialz x-amz-datezx-amz-security-tokenzutf-8policyzx-amz-signature)rrrdrrrrrPr<rgrSrTr)dumpsrNr+rh)r2r-rfieldsrrr#r#r$r0s6      zS3SigV4PostAuth.add_authN)r3r4r5rir0r#r#r#r$r}src$@seZdZddddddddd d d d d ddddddddddddddddd ddd d!d"d#g$Zd;d%d&Zd'd(Zd)d*Zd+d,Zd-d.Zdd3d4Z d5d6Z d7d8Z d9d:Zd$S)? HmacV1AuthZ accelerateZaclZcorsZdefaultObjectAcllocationloggingZ partNumberrZrequestPaymentZtorrentZ versioningZ versionIdversionsZwebsiteZuploadsZuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingdeleteZ lifecycleZtaggingrestoreZ storageClassZ notificationZ replicationZ analyticsZmetricsZ inventoryselectz select-typez object-lockNcCs ||_dS)N)r<)r2r<rrrsr#r#r$r:szHmacV1Auth.__init__cCs>tj|jjdtd}||dt| dS)Nzutf-8)r?) rKrLr<rMrNrrRr rUrVr+)r2rYrnr#r#r$ sign_stringszHmacV1Auth.sign_stringcCsdddg}g}d|kr|d=||d<x^|D]V}d}x>|D]6}|}||dk r<||kr<|||d}q) _get_daterzrPrVrQ)r2rmZinteresting_headershoiZihfoundr[lkr#r#r$canonical_standard_headerss    z%HmacV1Auth.canonical_standard_headerscCsg}i}xH|D]@}|}||dk r|drddd||D||<qWt|}x$|D]}||d||qdWd|S)Nzx-amz-rcss|]}|VqdS)N)rV)rrr#r#r$rsz6HmacV1Auth.canonical_custom_headers..rr>)rzrrQrrOkeysrP)r2rmrcustom_headersr[rZsorted_header_keysr#r#r$canonical_custom_headerss     z#HmacV1Auth.canonical_custom_headerscCs(t|dkr|S|dt|dfSdS)z( TODO: Do we need this? rrN)rHr )r2nvr#r#r$ unquote_vs zHmacV1Auth.unquote_vcs|dk r|}n|j}|jr|jd}dd|D}fdd|D}t|dkr|jtdddd|D}|d7}|d|7}|S) NrDcSsg|]}|ddqS)rCr)rX)rar#r#r$ sz1HmacV1Auth.canonical_resource..cs$g|]}|djkr|qS)r) QSAOfInterestr)rr)r2r#r$rsr)r[cSsg|]}d|qS)rC)rQ)rrr#r#r$rs?)rGrrXrHsortrrQ)r2rX auth_pathbufZqsar#)r2r$canonical_resource s   zHmacV1Auth.canonical_resourcecCsN|d}|||d7}||}|r8||d7}||j||d7}|S)Nr>)r)rrrr)r2rIrXrmrrcsrr#r#r$canonical_string$s   zHmacV1Auth.canonical_stringcCsB|jjr|d=|jj|d<|j||||d}td|||S)Nzx-amz-security-token)rzStringToSign: %s)r<rgrrErFr)r2rIrXrmrrrYr#r#r$ get_signature/s  zHmacV1Auth.get_signaturecCsX|jdkrttdt|j}td|j|j|j||j|j d}| ||dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %s)r) r<rrErFrr rIrrmr_inject_signature)r2r-rXrhr#r#r$r0;s   zHmacV1Auth.add_authcCs tddS)NT)rl)r)r2r#r#r$rFszHmacV1Auth._get_datecCs4d|jkr|jd=d|jjd|}||jd<dS)NrzAWS r)rmr<rb)r2r-rh auth_headerr#r#r$rIs zHmacV1Auth._inject_signature)NN)N)NN)NN)r3r4r5rr:rrrrrrrr0rrr#r#r#r$rs^    rc@s0eZdZdZdZefddZddZddZd S) HmacV1QueryAuthz Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth icCs||_||_dS)N)r<r)r2r<rr#r#r$r:dszHmacV1QueryAuth.__init__cCstttt|jS)N)r,rrcr)r2r#r#r$rhszHmacV1QueryAuth._get_datec Csi}|jj|d<||d<xN|jD]D}|}|dkrD|jd|d<q |dsV|dkr |j|||<q Wt|}t|j}|dr|dd|}|d |d |d ||d f}t||_dS) Nr_r@rkZExpireszx-amz-)z content-md5z content-typerDrrrr) r<rbrmrzrrrr r) r2r-rhrZ header_keyrrrrr#r#r$rks     z!HmacV1QueryAuth._inject_signatureN)r3r4r5rirr:rrr#r#r#r$rWs   rc@seZdZdZddZdS)HmacV1PostAuthz Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsi}|jdddk r |jd}i}g}|jdddk r\|jd}|dddk r\|d}||d<|jj|d<|jjdk r|jj|d<|d|jjitt | d d|d<| |d|d<||jd<||jd<dS) Nzs3-presign-post-fieldszs3-presign-post-policyrr_zx-amz-security-tokenzutf-8rrh) rrr<rbrgrPrSrTr)rrNr+r)r2r-rrrr#r#r$r0s(       zHmacV1PostAuth.add_authN)r3r4r5rir0r#r#r#r$r sr c@seZdZdZddZdS) BearerAuthz Performs bearer token authorization by placing the bearer token in the Authorization header as specified by Section 2.1 of RFC 6750. https://datatracker.ietf.org/doc/html/rfc6750#section-2.1 cCs>|jdkrtd|jj}d|jkr0|jd=||jd<dS)NzBearer r)r9rrgrm)r2r-rr#r#r$r0s   zBearerAuth.add_authN)r3r4r5rir0r#r#r#r$r sr )v2Zv3Zv3httpsrzs3-queryzs3-presign-postzs3v4-presign-postZbearer)CRT_AUTH_TYPE_MAPS)Zv4zv4-queryZs3v4z s3v4-query)@rSrrrrKr)rrccollections.abcr email.utilsrhashlibrroperatorrZbotocore.compatrrr r r r r rrZbotocore.exceptionsrrZbotocore.utilsrrrr getLoggerr3rErrrerr{rrr%r.r/r8r;rjrorrrrrrr r ZAUTH_TYPE_MAPSZbotocore.crt.authr rRr#r#r#r$sv   ,     =6Q0+5(