3 B\Њ @sddlZddlZddlmZddlmZddlZddlZddlmZddl m Z ddl Z ddl Z ddl Z ddlZddlmZddlmZmZddlmZdd lmZmZmZmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZeje Z!dZ"d/Z#dZ$dZ%dddgZ&dZ'Gddde(Z)Gddde)Z*Gddde)Z+Gddde)Z,Gd d!d!e,Z-Gd"d#d#e,Z.Gd$d%d%e.Z/Gd&d'd'e,Z0Gd(d)d)e)Z1Gd*d+d+e1Z2Gd,d-d-e1Z3e*e,e.e+e+e1e2e3e-e/e0d. Z4dS)0N)sha256)sha1) formatdate) itemgetter)NoCredentialsError)normalize_url_pathpercent_encode_sequence) HTTPHeaders)quoteunquoteurlsplitparse_qs) urlunsplit) encodebytes)six)json) MD5_AVAILABLE)ensure_unicodeZ@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855iz%Y-%m-%dT%H:%M:%SZz%Y%m%dT%H%M%SZexpectz user-agentzx-amzn-trace-idzUNSIGNED-PAYLOADc@seZdZdZddZdS) BaseSignerFcCs tddS)Nadd_auth)NotImplementedError)selfrequestrg/private/var/folders/pf/wv4htv3x0qs2c2mp0dnn0kchsvlck3/T/pip-install-emcbgzcf/botocore/botocore/auth.pyr<szBaseSigner.add_authN)__name__ __module__ __qualname__REQUIRES_REGIONrrrrrr9src@s(eZdZdZddZddZddZdS) SigV2Authz+ Sign a request with Signature V2. cCs ||_dS)N) credentials)rr!rrr__init__EszSigV2Auth.__init__c Cstjdt|j}|j}t|dkr*d}d|j|j|f}tj |j j j dt d}g}xVt|D]J}|dkrpqbtj||} |jt|j ddd d t| j dd d qbWd j|} || 7}tjd ||j|j dtj|jjjd} | | fS)Nz$Calculating signature using v2 auth.r/z %s %s %s zutf-8) digestmod Signature)safe=z-_~&zString to sign: %s)loggerdebugr urlpathlenmethodnetlochmacnewr! secret_keyencodersortedr text_typeappendr joinupdatebase64 b64encodedigeststripdecode) rrparamssplitr-string_to_signZlhmacpairskeyvalueqsZb64rrrcalc_signatureHs.     zSigV2Auth.calc_signaturecCs|jdkrt|jr|j}n|j}|jj|d<d|d<d|d<tjttj|d<|jj rf|jj |d<|j ||\}}||d<|S) NAWSAccessKeyId2ZSignatureVersion HmacSHA256ZSignatureMethodZ TimestampZ SecurityTokenr%) r!rdatar? access_keytimestrftimeISO8601gmtimetokenrF)rrr?rE signaturerrrrds   zSigV2Auth.add_authN)rrr__doc__r"rFrrrrrr @sr c@seZdZddZddZdS) SigV3AuthcCs ||_dS)N)r!)rr!rrrr"~szSigV3Auth.__init__cCs|jdkrtd|jkr |jd=tdd|jd<|jjrXd|jkrJ|jd=|jj|jd<tj|jjjdt d}|j |jdjdt |j j }d|jjd|jdf}d |jkr|jd =||jd <dS) NDateT)usegmtzX-Amz-Security-Tokenzutf-8)r$z6AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=%s,Signature=%srIzX-Amzn-Authorization)r!rheadersrrPr1r2r3r4rr9rr<r=rKr>)rrnew_hmacZencoded_signaturerQrrrrs&    zSigV3Auth.add_authN)rrrr"rrrrrrS}srSc@seZdZdZdZddZd1ddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ ddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0S)2 SigV4Authz+ Sign a request with Signature V4. TcCs||_||_||_dS)N)r! _region_name _service_name)rr! service_name region_namerrrr"szSigV4Auth.__init__FcCs:|rtj||jdtj}ntj||jdtj}|S)Nzutf-8)r1r2r4r hexdigestr<)rrCmsghexsigrrr_signszSigV4Auth._signcCsVt}x.|jjD] \}}|j}|tkr|||<qWd|krR|j|jj|d<|S)zk Select the headers from the request that need to be included in the StringToSign. host)r rVitemslowerSIGNED_HEADERS_BLACKLIST_canonical_hostr,)rrZ header_mapnamerDlnamerrrheaders_to_signs zSigV4Auth.headers_to_signcsDt|ddd}tfdd|jDr2jSjjdddS) NPi)httphttpsc3s&|]\}}j|koj|kVqdS)N)schemeport).0rmrn) url_partsrr sz,SigV4Auth._canonical_host..@)r anyrchostnamer0rsplit)rr,Z default_portsr)rprrfs zSigV4Auth._canonical_hostcCs&|jr|j|jS|jt|jSdS)N)r?_canonical_query_string_params_canonical_query_string_urlr r,)rrrrrcanonical_query_strings z SigV4Auth.canonical_query_stringcCsRg}x>t|D]2}t||}|jdt|ddt|ddfqWdj|}|S)Nz%s=%sz-_.~)r'r))r5strr7r r8)rr?lparamrDZcqsrrrrxs  z(SigV4Auth._canonical_query_string_paramsc Cs|d}|jrxg}x2|jjdD]"}|jd\}}}|j||fqWg}x&t|D]\}}|jd||fqPWdj|}|S)Nr&r)r(z%s=%s)queryr@ partitionr7r5r8) rpartsrzZ key_val_pairspairrC_rDZsorted_key_valsrrrrys z%SigV4Auth._canonical_query_string_urlcs`g}tt|}xD|D]<}djfddt|j|D}|jd|t|fqWdj|S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ,c3s|]}j|VqdS)N) _header_value)rov)rrrrqsz.SigV4Auth.canonical_headers..z%s:%s )r5setr8get_allr7r)rrirVZsorted_header_namesrCrDr)rrcanonical_headerss  zSigV4Auth.canonical_headerscCsdj|jS)N )r8r@)rrDrrrrszSigV4Auth._header_valuecCs$ddt|D}t|}dj|S)NcSsg|]}d|jjqS)z%s)rdr=)ronrrr sz,SigV4Auth.signed_headers..;)rr5r8)rrir|rrrsigned_headersszSigV4Auth.signed_headerscCs|j|stS|j}|rrt|drr|j}tj|jt}t }xt |dD]}|j |qJW|j }|j ||S|rt |j StSdS)Nseek)_should_sha256_sign_payloadUNSIGNED_PAYLOADbodyhasattrtell functoolspartialreadPAYLOAD_BUFFERriterr9r]rEMPTY_SHA256_HASH)rr request_bodypositionZread_chunksizeZchecksumchunkZ hex_checksumrrrpayload s    zSigV4Auth.payloadcCs|jjdsdS|jjddS)NrlTpayload_signing_enabled)r, startswithcontextget)rrrrrr!s z%SigV4Auth._should_sha256_sign_payloadcCs|jjg}|jt|jj}|j||j|j||j|}|j|j |d|j|j |d|j kr||j d}n |j |}|j|dj |S)NrzX-Amz-Content-SHA256)r/upper_normalize_url_pathr r,r-r7rzrirrrVrr8)rrZcrr-riZ body_checksumrrrcanonical_request+s       zSigV4Auth.canonical_requestcCstt|dd}|S)Nz/~)r')r r)rr-Znormalized_pathrrrr:szSigV4Auth._normalize_url_pathcCsN|jjg}|j|jddd|j|j|j|j|jddj|S)N timestampr aws4_requestr#)r!rKr7rrYrZr8)rrscoperrrr>s     zSigV4Auth.scopecCsHg}|j|jddd|j|j|j|j|jddj|S)Nrrrrr#)r7rrYrZr8)rrrrrrcredential_scopeFs    zSigV4Auth.credential_scopecCsHdg}|j|jd|j|j||jt|jdjdj|S)z Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. zAWS4-HMAC-SHA256rzutf-8r)r7rrrr4r]r8)rrrstsrrrrANs zSigV4Auth.string_to_signcCsd|jj}|jd|jd|jddd}|j||j}|j||j}|j|d}|j||ddS) NZAWS4zutf-8rrrrT)r_)r!r3rar4rrYrZ)rrArrCZk_dateZk_regionZ k_serviceZ k_signingrrrrQZs zSigV4Auth.signaturecCs|jdkrttjj}|jt|jd<|j||j|}t j dt j d||j ||}t j d||j ||}t j d||j ||dS)Nrz$Calculating signature using v4 auth.zCanonicalRequest: %szStringToSign: %sz Signature: %s)r!rdatetimeutcnowrMSIGV4_TIMESTAMPr_modify_request_before_signingrr*r+rArQ_inject_signature_to_request)rr datetime_nowrrArQrrrrcs          zSigV4Auth.add_authcCsPd|j|g}|j|}|jd|j||jd|dj||jd<|S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=%sz Signature=%sz, Authorization)rrir7rr8rV)rrrQr|rirrrrus  z&SigV4Auth._inject_signature_to_requestcCsrd|jkr|jd=|j||jjrDd|jkr6|jd=|jj|jd<|jjddsnd|jkrd|jd=t|jd<dS)NrzX-Amz-Security-TokenrTzX-Amz-Content-SHA256)rV_set_necessary_date_headersr!rPrrr)rrrrrr}s    z(SigV4Auth._modify_request_before_signingcCs|d|jkrV|jd=tjj|jdt}tttj|j |jd<d|jkrx|jd=n"d|jkrh|jd=|jd|jd<dS)NrTrz X-Amz-Date) rVrstrptimerrrintcalendartimegm timetuple)rrZdatetime_timestamprrrrs    z%SigV4Auth._set_necessary_date_headersN)F)rrrrRrr"rarirfrzrxryrrrrrrrrrrArQrrrrrrrrrXs0       rXcsHeZdZfddZfddZfddZfddZd d ZZS) S3SigV4Authcstt|j|||||_dS)N)superrr"_default_region_name)rr!r[r\) __class__rrr"s  zS3SigV4Auth.__init__cs2|jjdi}|jd|j|_tt|j|dS)NZsigningZregion)rrrrYrrr)rrZsigning_context)rrrrs zS3SigV4Auth.add_authcs6tt|j|d|jkr"|jd=|j||jd<dS)NzX-Amz-Content-SHA256)rrrrVr)rr)rrrrs z*S3SigV4Auth._modify_request_before_signingcsz|jjd}t|dd}|dkr$i}|jdd}|dk r<|S|jjd sTd|jkrXdS|jjddrjdStt|j|S) N client_configs3rrlz Content-MD5TZhas_streaming_inputF) rrgetattrr,rrVrrr)rrrZ s3_configZ sign_payload)rrrrs    z'S3SigV4Auth._should_sha256_sign_payloadcCs|S)Nr)rr-rrrrszS3SigV4Auth._normalize_url_path) rrrr"rrrr __classcell__rr)rrrs     "rcs<eZdZdZeffdd ZddZddZdd ZZS) SigV4QueryAuthicstt|j|||||_dS)N)rrr"_expires)rr!r[r\expires)rrrr"szSigV4QueryAuth.__init__c Cs|jjd}d}||kr |jd=|j|j|}d|j||jd|j|d}|jjdk rf|jj|d<t |j }t ddt |j d d jD}d }|jr|j|j|d |_|rt|d }|t|} |} | d | d| d| | df} t| |_ dS)Nz content-typez0application/x-www-form-urlencoded; charset=utf-8zAWS4-HMAC-SHA256r)zX-Amz-AlgorithmzX-Amz-Credentialz X-Amz-Datez X-Amz-ExpireszX-Amz-SignedHeaderszX-Amz-Security-TokencSsg|]\}}||dfqS)rr)rokrrrrrszASigV4QueryAuth._modify_request_before_signing..T)keep_blank_valuesr&r)rrs)rVrrrirrrr!rPr r,dictr r~rcrJr9_get_body_as_dictrr) rr content_typeZblacklisted_content_typerZ auth_paramsrp query_dictZoperation_paramsnew_query_stringp new_url_partsrrrrs6      z-SigV4QueryAuth._modify_request_before_signingcCs>|j}t|tjr$tj|jd}nt|tjr:tj|}|S)Nzutf-8)rJ isinstancer binary_typerloadsr> string_types)rrrJrrrrs    z SigV4QueryAuth._get_body_as_dictcCs|jd|7_dS)Nz&X-Amz-Signature=%s)r,)rrrQrrrr+sz+SigV4QueryAuth._inject_signature_to_request) rrrDEFAULT_EXPIRESr"rrrrrr)rrrs = rc@s eZdZdZddZddZdS)S3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCs|S)Nr)rr-rrrr=sz$S3SigV4QueryAuth._normalize_url_pathcCstS)N)r)rrrrrrAszS3SigV4QueryAuth.payloadN)rrrrRrrrrrrr2s rc@seZdZdZddZdS)S3SigV4PostAuthz Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCsPtjj}|jt|jd<i}|jjdddk r:|jd}i}g}|jjdddk rv|jd}|jdddk rv|d}||d<d|d<|j||d<|jd|d<|jddi|jd|j|i|jd|jdi|jj dk r|jj |d <|jd |jj it j t j |jd jd |d <|j|d ||d <||jd<||jd<dS) Nrzs3-presign-post-fieldszs3-presign-post-policy conditionszAWS4-HMAC-SHA256zx-amz-algorithmzx-amz-credentialz x-amz-datezx-amz-security-tokenzutf-8policyzx-amz-signature)rrrMrrrrr7r!rPr:r;rdumpsr4r>rQ)rrrfieldsrrrrrrPs4     zS3SigV4PostAuth.add_authN)rrrrRrrrrrrIsrc#@seZdZddddddddd d d d d ddddddddddddddddd ddd d!d"g#Zd:d$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd;d.d/Z d HmacV1AuthZ accelerateZaclZcorsZdefaultObjectAcllocationloggingZ partNumberrZrequestPaymentZtorrentZ versioningZ versionIdversionsZwebsiteZuploadsZuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingdeleteZ lifecycleZtaggingZrestoreZ storageClassZ notificationZ replicationZ analyticsZmetricsZ inventoryselectz select-typeNcCs ||_dS)N)r!)rr!r[r\rrrr"szHmacV1Auth.__init__cCs>tj|jjjdtd}|j|jdt|jj j dS)Nzutf-8)r$) r1r2r!r3r4rr9rr<r=r>)rrArWrrr sign_stringszHmacV1Auth.sign_stringcCsdddg}g}d|kr|d=|j|d<x^|D]V}d}x>|D]6}|j}||dk r<||kr<|j||jd}q.z%s:%sr)rdrr8rr5keysr7)rrVrcustom_headersrCrZsorted_header_keysrrrcanonical_custom_headerss      z#HmacV1Auth.canonical_custom_headerscCs(t|dkr|S|dt|dfSdS)z( TODO: Do we need this? rsrN)r.r )rnvrrr unquote_vs zHmacV1Auth.unquote_vcs|dk r|}n|j}|jr|jjd}dd|D}fdd|D}t|dkr|jtdddd|D}|d7}|dj|7}|S) Nr)cSsg|]}|jddqS)r(rs)r@)roarrrrsz1HmacV1Auth.canonical_resource..cs$g|]}|djkrj|qS)r) QSAOfInterestr)ror)rrrrsr)rCcSsg|]}dj|qS)r()r8)rorrrrrs?)r-r~r@r.sortrr8)rr@ auth_pathbufZqsar)rrcanonical_resources   zHmacV1Auth.canonical_resourcecCsN|jd}||j|d7}|j|}|r8||d7}||j||d7}|S)Nr)r)rrrr)rr/r@rVrrcsrrrrcanonical_strings   zHmacV1Auth.canonical_stringcCsB|jjr|d=|jj|d<|j||||d}tjd||j|S)Nzx-amz-security-token)rzStringToSign: %s)r!rPrr*r+r)rr/r@rVrrrArrr get_signatures  zHmacV1Auth.get_signaturecCsX|jdkrttjdt|j}tjd|j|j|j||j|j d}|j ||dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %s)r) r!rr*r+r r,r/rrVr_inject_signature)rrr@rQrrrrs     zHmacV1Auth.add_authcCs tddS)NT)rU)r)rrrrrszHmacV1Auth._get_datecCs,d|jkr|jd=d|jj|f|jd<dS)Nrz AWS %s:%s)rVr!rK)rrrQrrrrs zHmacV1Auth._inject_signature)NN)N)NN)NN)rrrrr"rrrrrrrrrrrrrrrws0      rc@s0eZdZdZdZefddZddZddZd S) HmacV1QueryAuthz Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth icCs||_||_dS)N)r!r)rr!rrrrr" szHmacV1QueryAuth.__init__cCstttjt|jS)N)r{rrLr)rrrrrszHmacV1QueryAuth._get_datec Csi}|jj|d<||d<xN|jD]D}|j}|dkrD|jd|d<q |jdsV|dkr |j|||<q Wt|}t|j}|drd |d|f}|d |d |d ||d f}t||_dS)NrGr%rTZExpireszx-amz- content-md5 content-typez%s&%srrsrr)rr) r!rKrVrdrrr r,r) rrrQrZ header_keyrrrrrrrrs     z!HmacV1QueryAuth._inject_signatureN)rrrrRrr"rrrrrrrs   rc@seZdZdZddZdS)HmacV1PostAuthz Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsi}|jjdddk r |jd}i}g}|jjdddk r\|jd}|jdddk r\|d}||d<|jj|d<|jjdk r|jj|d<|jd|jjitjtj |j dj d|d<|j |d|d<||jd<||jd<dS) Nzs3-presign-post-fieldszs3-presign-post-policyrrGzx-amz-security-tokenzutf-8rrQ) rrr!rKrPr7r:r;rrr4r>r)rrrrrrrrr;s&      zHmacV1PostAuth.add_authN)rrrrRrrrrrr3sr) Zv2Zv4zv4-queryZv3Zv3httpsrzs3-queryzs3-presign-postZs3v4z s3v4-queryzs3v4-presign-posti)5r:rhashlibrrr1r email.utilsroperatorrrrLrrZbotocore.exceptionsrZbotocore.utilsrrZbotocore.compatr r r r r rrrrr getLoggerrr*rrrNrrerobjectrr rSrXrrrrrrrZAUTH_TYPE_MAPSrrrrsn             =<Y. 2)