a 97a‰ã@sðddlZddlZddlZddlZddlmZddlmZmZddl Z ddl m Z ddl Z ddl mZddlZddlmZmZmZmZmZmZmZmZmZmZmZmZddlmZddlm Z m!Z!e  "e#¡Z$d Z%d Z&d Z'd Z(gd ¢Z)dZ*dd„Z+dd„Z,Gdd„de-ƒZ.Gdd„de.ƒZ/Gdd„de.ƒZ0Gdd„de.ƒZ1Gdd„de1ƒZ2Gdd„de1ƒZ3Gdd „d e3ƒZ4Gd!d"„d"e1ƒZ5Gd#d$„d$e.ƒZ6Gd%d&„d&e6ƒZ7Gd'd(„d(e6ƒZ8e/e0e0e6e7e8e5d)œZ9erØdd*l:m;Z;e9 |j}t|tjƒr$t | d¡¡}nt|tjƒr:t |¡}|S©Núutf-8)ÚdataÚ isinstancerÚ binary_typer ÚloadsÚdecodeÚ string_types)Úrequestr'r"r"r#Ú_get_body_as_dictEs    r.c@seZdZdZdd„ZdS)Ú BaseSignerFcCs tdƒ‚dS)NÚadd_auth)ÚNotImplementedError©Úselfr-r"r"r#r0UszBaseSigner.add_authN)Ú__name__Ú __module__Ú __qualname__ÚREQUIRES_REGIONr0r"r"r"r#r/Rsr/c@s(eZdZdZdd„Zdd„Zdd„ZdS) Ú SigV2Authz+ Sign a request with Signature V2. cCs ||_dS©N©Ú credentials©r3r;r"r"r#Ú__init__^szSigV2Auth.__init__c Csút d¡t|jƒ}|j}t|ƒdkr*d}d|j|j|f}tj |j j   d¡t d}g}t|ƒD]J}|dkrnq`t ||¡} | t|  d¡dd d t|   d¡d d ¡q`d  |¡} || 7}t d |¡| |  d¡¡t | ¡¡ ¡ d¡} | | fS)Nz$Calculating signature using v2 auth.rú/z %s %s %s r&©Ú digestmodÚ SignatureÚ©Úsafeú=z-_~ú&zString to sign: %s)ÚloggerÚdebugrrÚpathÚlenÚmethodÚnetlocÚhmacÚnewr;Ú secret_keyÚencoderÚsortedrÚ text_typeÚappendr ÚjoinÚupdateÚbase64Ú b64encodeÚdigestÚstripr+) r3r-ÚparamsÚsplitrIÚstring_to_signZlhmacÚpairsÚkeyÚvalueÚqsZb64r"r"r#Úcalc_signatureas4   þÿ ÿ  zSigV2Auth.calc_signaturecCs„|jdurtƒ‚|jr|j}n|j}|jj|d<d|d<d|d<t tt ¡¡|d<|jj rh|jj |d<|  ||¡\}}||d<|S) NÚAWSAccessKeyIdÚ2ZSignatureVersionÚ HmacSHA256ZSignatureMethodÚ TimestampZ SecurityTokenrA) r;rr'rZÚ access_keyÚtimeÚstrftimeÚISO8601ÚgmtimeÚtokenra)r3r-rZr`Ú signaturer"r"r#r0}s   zSigV2Auth.add_authN)r4r5r6Ú__doc__r=rar0r"r"r"r#r8Ysr8c@seZdZdd„Zdd„ZdS)Ú SigV3AuthcCs ||_dSr9r:r<r"r"r#r=—szSigV3Auth.__init__cCsÐ|jdurtƒ‚d|jvr"|jd=tdd|jd<|jjrZd|jvrL|jd=|jj|jd<tj|jj d¡t d}|  |jd d¡¡t |  ¡ƒ  ¡}d|jjd| d¡f}d |jvrÂ|jd =||jd <dS) NÚDateT©ÚusegmtúX-Amz-Security-Tokenr&r?z6AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=%s,Signature=%srdzX-Amzn-Authorization)r;rÚheadersrrkrMrNrOrPrrUrrXrYrfr+)r3r-Únew_hmacZencoded_signaturerlr"r"r#r0šs,   ÿÿÿ zSigV3Auth.add_authN)r4r5r6r=r0r"r"r"r#rn–srnc@s¾eZdZdZdZdd„Zd/dd„Zdd „Zd d „Zd d „Z dd„Z dd„Z dd„Z dd„Z dd„Zdd„Zdd„Zdd„Zdd„Zd d!„Zd"d#„Zd$d%„Zd&d'„Zd(d)„Zd*d+„Zd,d-„Zd.S)0Ú SigV4Authz+ Sign a request with Signature V4. TcCs||_||_||_dSr9)r;Ú _region_nameÚ _service_name©r3r;Ú service_nameÚ region_namer"r"r#r=¶szSigV4Auth.__init__FcCs:|rt || d¡t¡ ¡}nt || d¡t¡ ¡}|Sr%)rMrNrPrÚ hexdigestrX)r3r^ÚmsgÚhexÚsigr"r"r#Ú_sign¾szSigV4Auth._signcCsLtƒ}|j ¡D] \}}| ¡}|tvr|||<qd|vrHt|jƒ|d<|S)zk Select the headers from the request that need to be included in the StringToSign. r!)r rsÚitemsÚlowerÚSIGNED_HEADERS_BLACKLISTr$r)r3r-Z header_mapÚnamer_Úlnamer"r"r#Úheaders_to_signÅs zSigV4Auth.headers_to_signcCs&|jr| |j¡S| t|jƒ¡SdSr9)rZÚ_canonical_query_string_paramsÚ_canonical_query_string_urlrrr2r"r"r#Úcanonical_query_stringÕs z SigV4Auth.canonical_query_stringcCsng}|D].}t||ƒ}| t|ddt|ddf¡qg}t|ƒD]\}}| d||f¡qDd |¡}|S)Nz-_.~rCú%s=%srF)ÚstrrSr rQrT)r3rZÚ key_val_pairsr^r_Úsorted_key_valsrˆr"r"r#r†ßs  ÿ z(SigV4Auth._canonical_query_string_paramsc Cstd}|jrpg}|j d¡D]"}| d¡\}}}| ||f¡qg}t|ƒD]\}}| d||f¡qJd |¡}|S)NrBrFrEr‰)Úqueryr[Ú partitionrSrQrT) r3Úpartsrˆr‹Úpairr^Ú_r_rŒr"r"r#r‡îs z%SigV4Auth._canonical_query_string_urlcsXg}tt|ƒƒ}|D]8}d ‡fdd„| |¡Dƒ¡}| d|t|ƒf¡qd |¡S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ú,c3s|]}ˆ |¡VqdSr9)Ú _header_value©Ú.0Úv©r3r"r#Ú óz.SigV4Auth.canonical_headers..ú%s:%sÚ )rQÚsetrTÚget_allrSr )r3r…rsZsorted_header_namesr^r_r"r—r#Úcanonical_headersþs ÿzSigV4Auth.canonical_headerscCsd | ¡¡S)Nú )rTr[)r3r_r"r"r#r“ szSigV4Auth._header_valuecCs$dd„t|ƒDƒ}t|ƒ}d |¡S)NcSsg|]}d| ¡ ¡‘qS)z%s)rrY)r•Únr"r"r#Ú r™z,SigV4Auth.signed_headers..ú;)rœrQrT)r3r…Úlr"r"r#Úsigned_headersszSigV4Auth.signed_headerscCs†| |¡stS|j}|rnt|dƒrn| ¡}t |jt¡}t ƒ}t |dƒD]}|  |¡qH|  ¡}|  |¡|S|r~t |ƒ  ¡StSdS)NÚseekr™)Ú_should_sha256_sign_payloadÚUNSIGNED_PAYLOADÚbodyÚhasattrÚtellÚ functoolsÚpartialÚreadÚPAYLOAD_BUFFERrÚiterrUr{r¥ÚEMPTY_SHA256_HASH)r3r-Ú request_bodyÚpositionZread_chunksizeZchecksumÚchunkZ hex_checksumr"r"r#Úpayloads" ÿ   zSigV4Auth.payloadcCs|j d¡sdS|j dd¡S)NrTÚpayload_signing_enabled)rÚ startswithÚcontextrr2r"r"r#r¦1s z%SigV4Auth._should_sha256_sign_payloadcCsš|j ¡g}| t|jƒj¡}| |¡| | |¡¡| |¡}| |  |¡d¡| |  |¡¡d|j vr||j d}n |  |¡}| |¡d  |¡S)Nr›úX-Amz-Content-SHA256)rKÚupperÚ_normalize_url_pathrrrIrSrˆr…ržr¤rsr´rT)r3r-ZcrrIr…Z body_checksumr"r"r#Úcanonical_request;s       zSigV4Auth.canonical_requestcCstt|ƒdd}|S)Nz/~rC)r r)r3rIZnormalized_pathr"r"r#rºJszSigV4Auth._normalize_url_pathcCsN|jjg}| |jddd…¡| |j¡| |j¡| d¡d |¡S©NÚ timestampréÚ aws4_requestr>)r;rfrSr·rvrwrT©r3r-Úscoper"r"r#rÁNs     zSigV4Auth.scopecCsHg}| |jddd…¡| |j¡| |j¡| d¡d |¡Sr¼)rSr·rvrwrTrÀr"r"r#Úcredential_scopeVs    zSigV4Auth.credential_scopecCsHdg}| |jd¡| | |¡¡| t| d¡ƒ ¡¡d |¡S)z¬ Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. úAWS4-HMAC-SHA256r½r&r›)rSr·rÂrrPr{rT)r3r-r»Ústsr"r"r#r\^s zSigV4Auth.string_to_signcCsd|jj}| d| d¡|jddd…¡}| ||j¡}| ||j¡}| |d¡}|j||ddS) NZAWS4r&r½rr¾r¿T)r})r;rOrrPr·rvrw)r3r\r-r^Zk_dateZk_regionZ k_serviceZ k_signingr"r"r#rljsÿ zSigV4Auth.signaturecCs”|jdurtƒ‚tj ¡}| t¡|jd<| |¡| |¡}t   d¡t   d|¡|  ||¡}t   d|¡|  ||¡}t   d|¡|  ||¡dS)Nr½z$Calculating signature using v4 auth.zCanonicalRequest: %súStringToSign: %sz Signature: %s)r;rÚdatetimeÚutcnowrhÚSIGV4_TIMESTAMPr·Ú_modify_request_before_signingr»rGrHr\rlÚ_inject_signature_to_request)r3r-Ú datetime_nowr»r\rlr"r"r#r0ss          zSigV4Auth.add_authcCsPd| |¡g}| |¡}| d| |¡¡| d|¡d |¡|jd<|S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=%sz Signature=%sz, Ú Authorization)rÁr…rSr¤rTrs)r3r-rlr£r…r"r"r#rÊ…s  z&SigV4Auth._inject_signature_to_requestcCsrd|jvr|jd=| |¡|jjrDd|jvr6|jd=|jj|jd<|j dd¡snd|jvrd|jd=t|jd<dS)NrÌrrrµTr¸)rsÚ_set_necessary_date_headersr;rkr·rr§r2r"r"r#rÉs    z(SigV4Auth._modify_request_before_signingcCs|d|jvrV|jd=tj |jdt¡}ttt |  ¡¡ƒƒ|jd<d|jvrx|jd=n"d|jvrh|jd=|jd|jd<dS)Nror½ú X-Amz-Date) rsrÆÚstrptimer·rÈrÚintÚcalendarÚtimegmÚ timetuple)r3r-Zdatetime_timestampr"r"r#rÍ›s  ÿÿ    z%SigV4Auth._set_necessary_date_headersN)F)r4r5r6rmr7r=rr…rˆr†r‡ržr“r¤r´r¦r»rºrÁrÂr\rlr0rÊrÉrÍr"r"r"r#ru°s.     rucs0eZdZ‡fdd„Z‡fdd„Zdd„Z‡ZS)Ú S3SigV4Authcs6tt|ƒ |¡d|jvr"|jd=| |¡|jd<dS)Nr¸)ÚsuperrÔrÉrsr´r2©Ú __class__r"r#rÉ®s z*S3SigV4Auth._modify_request_before_signingcsx|j d¡}t|ddƒ}|dur$i}| dd¡}|dur<|S|j d¡rRd|jvrVdS|j dd¡rhdStt|ƒ |¡S) NÚ client_configÚs3rµrz Content-MD5TZhas_streaming_inputF) r·rÚgetattrrr¶rsrÕrÔr¦)r3r-rØZ s3_configZ sign_payloadrÖr"r#r¦µs    ÿz'S3SigV4Auth._should_sha256_sign_payloadcCs|Sr9r"©r3rIr"r"r#rº×szS3SigV4Auth._normalize_url_path)r4r5r6rÉr¦rºÚ __classcell__r"r"rÖr#rÔ­s  "rÔcs4eZdZdZef‡fdd„ Zdd„Zdd„Z‡ZS)ÚSigV4QueryAuthécstt|ƒ |||¡||_dSr9)rÕrÝr=Ú_expires)r3r;ryrzÚexpiresrÖr"r#r=ßsÿzSigV4QueryAuth.__init__c Csú|j d¡}d}||kr |jd=| | |¡¡}d| |¡|jd|j|dœ}|jjdurf|jj|d<t |j ƒ}t dd„t |j d d  ¡Dƒƒ}d }|jr®| t|ƒ¡d |_|r¾t|ƒd }|t|ƒ} |} | d | d| d| | df} t| ƒ|_ dS)Nú content-typez0application/x-www-form-urlencoded; charset=utf-8rÃr½)zX-Amz-AlgorithmzX-Amz-CredentialrÎz X-Amz-ExpireszX-Amz-SignedHeadersrrcSsg|]\}}||df‘qS©rr")r•Úkr–r"r"r#r¡r™zASigV4QueryAuth._modify_request_before_signing..T)Úkeep_blank_valuesrBrFrééé)rsrr¤r…rÁr·rßr;rkrrÚdictr rr€r'rUr.rr) r3r-Ú content_typeZblacklisted_content_typer¤Z auth_paramsr Ú query_dictZoperation_paramsÚnew_query_stringÚpÚ new_url_partsr"r"r#rÉås@ ÿû   ÿÿ  ÿ z-SigV4QueryAuth._modify_request_before_signingcCs|jd|7_dS)Nz&X-Amz-Signature=%s)r©r3r-rlr"r"r#rÊ"sz+SigV4QueryAuth._inject_signature_to_request)r4r5r6ÚDEFAULT_EXPIRESr=rÉrÊrÜr"r"rÖr#rÝÜs ÿ=rÝc@s eZdZdZdd„Zdd„ZdS)ÚS3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCs|Sr9r"rÛr"r"r#rº4sz$S3SigV4QueryAuth._normalize_url_pathcCstSr9)r§r2r"r"r#r´8szS3SigV4QueryAuth.payloadN)r4r5r6rmrºr´r"r"r"r#rð)s rðc@seZdZdZdd„ZdS)ÚS3SigV4PostAuthz† Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCsPtj ¡}| t¡|jd<i}|j dd¡dur:|jd}i}g}|j dd¡durv|jd}| dd¡durv|d}||d<d|d<| |¡|d<|jd|d<| ddi¡| d| |¡i¡| d|jdi¡|jj dur|jj |d <| d |jj i¡t   t   |¡ d ¡¡ d ¡|d <| |d |¡|d <||jd<||jd<dS) Nr½ús3-presign-post-fieldsús3-presign-post-policyÚ conditionsrÃzx-amz-algorithmzx-amz-credentialz x-amz-dateúx-amz-security-tokenr&Úpolicyzx-amz-signature)rÆrÇrhrÈr·rrÁrSr;rkrVrWr ÚdumpsrPr+rl)r3r-rËÚfieldsrörôr"r"r#r0Gs:    ÿÿ zS3SigV4PostAuth.add_authN©r4r5r6rmr0r"r"r"r#rñ@srñc@steZdZgd¢Zddd„Zdd„Zdd„Zd d „Zd d „Zdd d„Z ddd„Z ddd„Z dd„Z dd„Z dd„ZdS)Ú HmacV1Auth)#Z accelerateZaclZcorsZdefaultObjectAclÚlocationÚloggingZ partNumberröÚrequestPaymentZtorrentZ versioningZ versionIdÚversionsZwebsiteZuploadsZuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingÚdeleteZ lifecycleZtaggingÚrestoreZ storageClassZ notificationZ replicationrýZ analyticsZmetricsZ inventoryÚselectz select-typeNcCs ||_dSr9r:rxr"r"r#r=}szHmacV1Auth.__init__cCs>tj|jj d¡td}| | d¡¡t| ¡ƒ  ¡  d¡S)Nr&r?) rMrNr;rOrPrrUrrXrYr+)r3r\rtr"r"r#Ú sign_string€s ÿzHmacV1Auth.sign_stringcCsˆgd¢}g}d|vr|d=| ¡|d<|D]R}d}|D]6}| ¡}||dur6||kr6| || ¡¡d}q6|s*| d¡q*d |¡S)N)ú content-md5ráÚdateroFTrBr›)Ú _get_daterrSrYrT)r3rsZinteresting_headersÚhoiZihÚfoundr^Úlkr"r"r#Úcanonical_standard_headers†s  z%HmacV1Auth.canonical_standard_headerscCs„g}i}|D]@}| ¡}||dur | d¡r d dd„| |¡Dƒ¡||<q t| ¡ƒ}|D]}| d|||f¡q^d |¡S)Núx-amz-r’css|]}| ¡VqdSr9)rYr”r"r"r#r˜žr™z6HmacV1Auth.canonical_custom_headers..ršr›)rr¶rTrrQÚkeysrS)r3rsrÚcustom_headersr^rZsorted_header_keysr"r"r#Úcanonical_custom_headers—s   ÿ z#HmacV1Auth.canonical_custom_headerscCs(t|ƒdkr|S|dt|dƒfSdS)z( TODO: Do we need this? rårN)rJr)r3Únvr"r"r#Ú unquote_v¥s zHmacV1Auth.unquote_vcsŠ|dur|}n|j}|jr†|j d¡}dd„|Dƒ}‡fdd„|Dƒ}t|ƒdkr†|jtdƒddd„|Dƒ}|d7}|d |¡7}|S) NrFcSsg|]}| dd¡‘qS)rErå)r[©r•Úar"r"r#r¡½r™z1HmacV1Auth.canonical_resource..cs$g|]}|dˆjvrˆ |¡‘qSrâ)Ú QSAOfInterestrrr—r"r#r¡¾sÿr)r^cSsg|]}d |¡‘qS)rE)rTrr"r"r#r¡Âr™ú?)rIrr[rJÚsortrrT)r3r[Ú auth_pathÚbufZqsar"r—r#Úcanonical_resource®s   zHmacV1Auth.canonical_resourcecCsN| ¡d}|| |¡d7}| |¡}|r8||d7}||j||d7}|S)Nr›©r)r¹r r r)r3rKr[rsràrÚcsr r"r"r#Úcanonical_stringÇs   zHmacV1Auth.canonical_stringcCsB|jjr|d=|jj|d<|j||||d}t d|¡| |¡S)NrõrrÅ)r;rkrrGrHr)r3rKr[rsràrr\r"r"r#Ú get_signatureÑs ý zHmacV1Auth.get_signaturecCsX|jdurt‚t d¡t|jƒ}t d|j¡|j|j||j|j d}|  ||¡dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %sr) r;rrGrHrrrKrrsrÚ_inject_signature)r3r-r[rlr"r"r#r0Ýs    þzHmacV1Auth.add_authcCs tddS)NTrprr—r"r"r#rèszHmacV1Auth._get_datecCs,d|jvr|jd=d|jj|f|jd<dS)NrÌz AWS %s:%s)rsr;rfrîr"r"r#rës ÿzHmacV1Auth._inject_signature)NN)N)NN)NN)r4r5r6rr=rr r rrrrr0rrr"r"r"r#rúns   ÿ ÿ  rúc@s0eZdZdZdZefdd„Zdd„Zdd„Zd S) ÚHmacV1QueryAuthzÁ Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth rÞcCs||_||_dSr9)r;rß)r3r;ràr"r"r#r=szHmacV1QueryAuth.__init__cCsttt ¡t|jƒƒƒSr9)rŠrÐrgrßr—r"r"r#rszHmacV1QueryAuth._get_datec Csºi}|jj|d<||d<|jD]D}| ¡}|dkrB|jd|d<q| d¡sT|dvr|j|||<qt|ƒ}t|jƒ}|drŽd|d|f}|d |d |d ||d f}t|ƒ|_dS) NrbrAroZExpiresr )rráéz%s&%srrårærç) r;rfrsrr¶rrrr) r3r-rlrêZ header_keyrrërìrír"r"r#r s   z!HmacV1QueryAuth._inject_signatureN)r4r5r6rmrïr=rrr"r"r"r#røs   rc@seZdZdZdd„ZdS)ÚHmacV1PostAuthz‘ Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsäi}|j dd¡dur |jd}i}g}|j dd¡dur\|jd}| dd¡dur\|d}||d<|jj|d<|jjdurš|jj|d<| d|jji¡t t  |¡  d¡¡  d¡|d<|  |d¡|d<||jd<||jd<dS) Nròrórôrbrõr&rörl) r·rr;rfrkrSrVrWr r÷rPr+r)r3r-rørörôr"r"r#r02s,     ÿÿ zHmacV1PostAuth.add_authNrùr"r"r"r#r*sr)Zv2Zv3Zv3httpsrÙzs3-queryzs3-presign-postzs3v4-presign-post)ÚCRT_AUTH_TYPE_MAPS)Zv4zv4-queryZs3v4z s3v4-query)=rVrÑrÆr«Ú email.utilsrÚhashlibrrrMÚiorrüÚoperatorrrgZbotocore.compatrr r r r r rrrrrrZbotocore.exceptionsrZbotocore.utilsrrÚ getLoggerr4rGr°r®rirÈr‚r§r$r.Úobjectr/r8rnrurÔrÝrðrñrúrrZAUTH_TYPE_MAPSZbotocore.crt.authr rUr"r"r"r#Úsj   8  ÿ =~/M. 2'ù   ü