U ³.¬b®Œã@sddlZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z mZddlmZddlmZmZmZmZmZmZmZmZmZddlmZddlmZmZm Z dd lm!Z!e "e#¡Z$d Z%d Z&d Z'd Z(dddgZ)dZ*dZ+dd„Z,dd„Z-Gdd„dƒZ.Gdd„de.ƒZ/Gdd„de.ƒZ0Gdd„de.ƒZ1Gdd „d e1ƒZ2Gd!d"„d"e1ƒZ3Gd#d$„d$e3ƒZ4Gd%d&„d&e1ƒZ5Gd'd(„d(e.ƒZ6Gd)d*„d*e6ƒZ7Gd+d,„d,e6ƒZ8e/e0e0e6e7e8e5d-œZ9erèdd.l:m;Z;e9 r#r#r$r?«szSigV3Auth.__init__cCsÒ|jdkrtƒ‚d|jkr"|jd=tdd|jd<|jjrZd|jkrL|jd=|jj|jd<tj|jj d¡t d}|  |jd d¡¡t |  ¡ƒ  ¡}d|jj›d| d¡›}d |jkrÄ|jd =||jd <dS) NÚDateT©ÚusegmtúX-Amz-Security-Tokenr'rBzAWS3-HTTPS AWSAccessKeyId=z ,Algorithm=HmacSHA256,Signature=zX-Amzn-Authorization)r=rÚheadersrrkrPrQrRrSrrWr rZr[rfr-)r5r/Únew_hmacZencoded_signaturerlr#r#r$r2®s(    ÿÿ zSigV3Auth.add_authN)r6r7r8r?r2r#r#r#r$rnªsrnc@sÆeZdZdZdZdd„Zd1dd„Zdd „Zd d „Zd d „Z dd„Z dd„Z dd„Z dd„Z dd„Zdd„Zdd„Zdd„Zdd„Zd d!„Zd"d#„Zd$d%„Zd&d'„Zd(d)„Zd*d+„Zd,d-„Zd.d/„Zd0S)2Ú SigV4Authz+ Sign a request with Signature V4. TcCs||_||_||_dSr;)r=Ú _region_nameÚ _service_name©r5r=Ú service_nameÚ region_namer#r#r$r?ÍszSigV4Auth.__init__FcCs:|rt || d¡t¡ ¡}nt || d¡t¡ ¡}|Sr&)rPrQrSrÚ hexdigestrZ)r5r`ÚmsgÚhexÚsigr#r#r$Ú_signÕszSigV4Auth._signcCsLtƒ}|j ¡D] \}}| ¡}|tkr|||<qd|krHt|jƒ|d<|S)zk Select the headers from the request that need to be included in the StringToSign. r")r rsÚitemsÚlowerÚSIGNED_HEADERS_BLACKLISTr%r )r5r/Z header_mapÚnameraÚlnamer#r#r$Úheaders_to_signÜs zSigV4Auth.headers_to_signcCs&|jr| |j¡S| t|jƒ¡SdSr;)r\Ú_canonical_query_string_paramsÚ_canonical_query_string_urlrr r4r#r#r$Úcanonical_query_stringìs z SigV4Auth.canonical_query_stringcCs~g}t|tƒr| ¡}|D]*\}}| t|ddtt|ƒddf¡qg}t|ƒD]\}}| |›d|›¡qRd |¡}|S)Nz-_.~rFrHrI)r)rr€rUr r.rTrV)r5r\Ú key_val_pairsr`raÚsorted_key_valsrˆr#r#r$r†ös  ÿ z(SigV4Auth._canonical_query_string_paramsc Csvd}|jrrg}|j d¡D]"}| d¡\}}}| ||f¡qg}t|ƒD]\}}| |›d|›¡qJd |¡}|S)NrErIrH)Úqueryr]Ú partitionrUrTrV) r5Úpartsrˆr‰Úpairr`Ú_rarŠr#r#r$r‡s z%SigV4Auth._canonical_query_string_urlcsZg}tt|ƒƒ}|D]:}d ‡fdd„| |¡Dƒ¡}| |›dt|ƒ›¡qd |¡S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ú,c3s|]}ˆ |¡VqdSr;)Ú _header_value©Ú.0Úv©r5r#r$Ú !sz.SigV4Auth.canonical_headers..ú:rA)rTÚsetrVÚget_allrUr )r5r…rsZsorted_header_namesr`rar#r•r$Úcanonical_headerss ÿzSigV4Auth.canonical_headerscCsd | ¡¡S)Nú )rVr])r5rar#r#r$r‘'szSigV4Auth._header_valuecCs tdd„t|ƒDƒƒ}d |¡S)Ncss|]}| ¡ ¡VqdSr;)rr[)r“Únr#r#r$r–0sz+SigV4Auth.signed_headers..ú;)rTr˜rV)r5r…rsr#r#r$Úsigned_headers/szSigV4Auth.signed_headerscCs0|j di¡}| d¡}t|tƒo.| d¡dkS)NÚchecksumÚrequest_algorithmÚinÚtrailer)Úcontextrr)Údict)r5r/Úchecksum_contextÚ algorithmr#r#r$Ú_is_streaming_checksum_payload3s z(SigV4Auth._is_streaming_checksum_payloadcCs”| |¡rtS| |¡stS|j}|r|t|dƒr|| ¡}t |j t ¡}t ƒ}t |dƒD]}|  |¡qV| ¡}| |¡|S|rŒt |ƒ ¡StSdS)NÚseekó)r§Ú"STREAMING_UNSIGNED_PAYLOAD_TRAILERÚ_should_sha256_sign_payloadÚUNSIGNED_PAYLOADÚbodyÚhasattrÚtellÚ functoolsÚpartialÚreadÚPAYLOAD_BUFFERrÚiterrWr{r¨ÚEMPTY_SHA256_HASH)r5r/Ú request_bodyÚpositionZread_chunksizerŸÚchunkZ hex_checksumr#r#r$Úpayload8s(  ÿ   zSigV4Auth.payloadcCs|j d¡sdS|j dd¡S)NrTÚpayload_signing_enabled)r Ú startswithr£rr4r#r#r$r«Rs z%SigV4Auth._should_sha256_sign_payloadcCsš|j ¡g}| t|jƒj¡}| |¡| | |¡¡| |¡}| |  |¡d¡| |  |¡¡d|j kr||j d}n |  |¡}| |¡d  |¡S)NrAúX-Amz-Content-SHA256)rNÚupperÚ_normalize_url_pathrr rLrUrˆr…ršržrsr¹rV)r5r/ZcrrLr…Z body_checksumr#r#r$Úcanonical_request\s       zSigV4Auth.canonical_requestcCstt|ƒdd}|S)Nz/~rF)r r)r5rLZnormalized_pathr#r#r$r¾kszSigV4Auth._normalize_url_pathcCsN|jjg}| |jddd…¡| |j¡| |j¡| d¡d |¡S©NÚ timestampréÚ aws4_requestr@)r=rfrUr£rvrwrV©r5r/Úscoper#r#r$rÅos     zSigV4Auth.scopecCsHg}| |jddd…¡| |j¡| |j¡| d¡d |¡SrÀ)rUr£rvrwrVrÄr#r#r$Úcredential_scopews    zSigV4Auth.credential_scopecCsHdg}| |jd¡| | |¡¡| t| d¡ƒ ¡¡d |¡S)z¬ Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. úAWS4-HMAC-SHA256rÁr'rA)rUr£rÆrrSr{rV)r5r/r¿Ústsr#r#r$r^s zSigV4Auth.string_to_signcCsd|jj}| d|› ¡|jddd…¡}| ||j¡}| ||j¡}| |d¡}|j||ddS)NZAWS4rÁrrÂrÃT)r})r=rRrrSr£rvrw)r5r^r/r`Zk_dateZk_regionZ k_serviceZ k_signingr#r#r$rl‹s ÿ zSigV4Auth.signaturecCs”|jdkrtƒ‚tj ¡}| t¡|jd<| |¡| |¡}t   d¡t   d|¡|  ||¡}t   d|¡|  ||¡}t   d|¡|  ||¡dS)NrÁz$Calculating signature using v4 auth.zCanonicalRequest: %súStringToSign: %sz Signature: %s)r=rÚdatetimeÚutcnowrhÚSIGV4_TIMESTAMPr£Ú_modify_request_before_signingr¿rJrKr^rlÚ_inject_signature_to_request)r5r/Ú datetime_nowr¿r^rlr#r#r$r2•s          zSigV4Auth.add_authcCsRd| |¡g}| |¡}| d| |¡›¡| d|¡d |¡|jd<|S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=z Signature=%sz, Ú Authorization)rÅr…rUržrVrs)r5r/rlÚauth_strr…r#r#r$rΧs ÿz&SigV4Auth._inject_signature_to_requestcCsrd|jkr|jd=| |¡|jjrDd|jkr6|jd=|jj|jd<|j dd¡snd|jkrd|jd=t|jd<dS)NrÐrrrºTr¼)rsÚ_set_necessary_date_headersr=rkr£rr¬r4r#r#r$rͱs    z(SigV4Auth._modify_request_before_signingcCs|d|jkrV|jd=tj |jdt¡}ttt |  ¡¡ƒƒ|jd<d|jkrx|jd=n"d|jkrh|jd=|jd|jd<dS)NrorÁú X-Amz-Date) rsrÊÚstrptimer£rÌrÚintÚcalendarÚtimegmÚ timetuple)r5r/Zdatetime_timestampr#r#r$rÒ¿s ÿÿ    z%SigV4Auth._set_necessary_date_headersN)F)r6r7r8rmr9r?rr…rˆr†r‡ršr‘ržr§r¹r«r¿r¾rÅrÆr^rlr2rÎrÍrÒr#r#r#r$ruÆs0      rucs0eZdZ‡fdd„Z‡fdd„Zdd„Z‡ZS)Ú S3SigV4Authcs2tƒ |¡d|jkr|jd=| |¡|jd<dS)Nr¼)ÚsuperrÍrsr¹r4©Ú __class__r#r$rÍÔs  z*S3SigV4Auth._modify_request_before_signingcs°|j d¡}t|ddƒ}|dkr$i}| dd¡}|dk r<|Sd}|j di¡}| d¡}t|tƒrx| d¡dkrx|d }|j d ¡rŽ||jkr’d S|j d d ¡r¤d Stƒ  |¡S)NÚ client_configÚs3rºz Content-MD5rŸr r¡ÚheaderrƒrTZhas_streaming_inputF) r£rÚgetattrr)r¤r r»rsrÚr«)r5r/rÝZ s3_configZ sign_payloadZchecksum_headerr¥r¦rÛr#r$r«Ûs(     ÿþz'S3SigV4Auth._should_sha256_sign_payloadcCs|Sr;r#©r5rLr#r#r$r¾szS3SigV4Auth._normalize_url_path)r6r7r8rÍr«r¾Ú __classcell__r#r#rÛr$rÙÓs  )rÙcs4eZdZdZef‡fdd„ Zdd„Zdd„Z‡ZS)ÚSigV4QueryAuthécstƒ |||¡||_dSr;)rÚr?Ú_expires)r5r=ryrzÚexpiresrÛr#r$r? szSigV4QueryAuth.__init__c Cs|j d¡}d}||kr |jd=| | |¡¡}d| |¡|jd|j|dœ}|jjdk rf|jj|d<t |j ƒ}t |j dd}d d „|  ¡Dƒ}|jr¨| |j¡i|_d } |jrÆ| t|ƒ¡d |_|rÖt|ƒd } | ›t|ƒ›} |} | d | d| d| | df} t| ƒ|_ dS)Nú content-typez0application/x-www-form-urlencoded; charset=utf-8rÇrÁ)zX-Amz-AlgorithmzX-Amz-CredentialrÓz X-Amz-ExpireszX-Amz-SignedHeadersrrT)Úkeep_blank_valuescSsi|]\}}||d“qS©rr#)r“Úkr”r#r#r$Ú 1szASigV4QueryAuth._modify_request_before_signing..rErIrééé)rsrržr…rÅr£rår=rkrr r r‹r€r\rWr(r0rr) r5r/Ú content_typeZblacklisted_content_typeržZ auth_paramsr!Zquery_string_partsÚ query_dictZoperation_paramsÚnew_query_stringÚpÚ new_url_partsr#r#r$rÍs> ÿû     ÿ z-SigV4QueryAuth._modify_request_before_signingcCs|jd|7_dS)Nz&X-Amz-Signature=%s)r )r5r/rlr#r#r$rÎSsz+SigV4QueryAuth._inject_signature_to_request)r6r7r8ÚDEFAULT_EXPIRESr?rÍrÎrâr#r#rÛr$rã s ÿArãc@s eZdZdZdd„Zdd„ZdS)ÚS3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCs|Sr;r#rár#r#r$r¾fsz$S3SigV4QueryAuth._normalize_url_pathcCstSr;)r¬r4r#r#r$r¹jszS3SigV4QueryAuth.payloadN)r6r7r8rmr¾r¹r#r#r#r$rõZs rõc@seZdZdZdd„ZdS)ÚS3SigV4PostAuthz† Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCsPtj ¡}| t¡|jd<i}|j dd¡dk r:|jd}i}g}|j dd¡dk rv|jd}| dd¡dk rv|d}||d<d|d<| |¡|d<|jd|d<| ddi¡| d| |¡i¡| d|jdi¡|jj dk r|jj |d <| d |jj i¡t   t   |¡ d ¡¡ d ¡|d <| |d |¡|d <||jd<||jd<dS) NrÁús3-presign-post-fieldsús3-presign-post-policyÚ conditionsrÇzx-amz-algorithmzx-amz-credentialz x-amz-dateúx-amz-security-tokenr'Úpolicyzx-amz-signature)rÊrËrhrÌr£rrÅrUr=rkrXrYr+ÚdumpsrSr-rl)r5r/rÏÚfieldsrûrùr#r#r$r2zs:    ÿþ zS3SigV4PostAuth.add_authN©r6r7r8rmr2r#r#r#r$rörsröc$@s¸eZdZddddddddd d d d d ddddddddddddddddd ddd d!d"d#g$Zd;d%d&„Zd'd(„Zd)d*„Zd+d,„Zd-d.„Zdd3d4„Z d5d6„Z d7d8„Z d9d:„Zd$S)?Ú HmacV1AuthZ accelerateZaclZcorsZdefaultObjectAclÚlocationÚloggingZ partNumberrûZrequestPaymentZtorrentZ versioningZ versionIdÚversionsZwebsiteZuploadsZuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingÚdeleteZ lifecycleZtaggingÚrestoreZ storageClassZ notificationZ replicationZ analyticsZmetricsZ inventoryÚselectz select-typez object-lockNcCs ||_dSr;r<rxr#r#r$r?ÌszHmacV1Auth.__init__cCs>tj|jj d¡td}| | d¡¡t| ¡ƒ  ¡  d¡S)Nr'rB) rPrQr=rRrSrrWr rZr[r-)r5r^rtr#r#r$Ú sign_stringÏs  ÿzHmacV1Auth.sign_stringcCsŠdddg}g}d|kr|d=| ¡|d<|D]R}d}|D]6}| ¡}||dk r8||kr8| || ¡¡d}q8|s,| d¡q,d |¡S) Nú content-md5rçÚdateroFTrErA)Ú _get_daterrUr[rV)r5rsZinteresting_headersÚhoiZihÚfoundr`Úlkr#r#r$Úcanonical_standard_headersÖs   z%HmacV1Auth.canonical_standard_headerscCs†g}i}|D]@}| ¡}||dk r | d¡r d dd„| |¡Dƒ¡||<q t| ¡ƒ}|D]}| |›d||›¡q^d |¡S)Núx-amz-rcss|]}| ¡VqdSr;)r[r’r#r#r$r–îsz6HmacV1Auth.canonical_custom_headers..r—rA)rr»rVr™rTÚkeysrU)r5rsr Úcustom_headersr`r Zsorted_header_keysr#r#r$Úcanonical_custom_headersçs   ÿ z#HmacV1Auth.canonical_custom_headerscCs(t|ƒdkr|S|dt|dƒfSdS)z( TODO: Do we need this? rìrN)rMr)r5Únvr#r#r$Ú unquote_vös zHmacV1Auth.unquote_vcsŠ|dk r|}n|j}|jr†|j d¡}dd„|Dƒ}‡fdd„|Dƒ}t|ƒdkr†|jtdƒddd„|Dƒ}|d7}|d |¡7}|S) NrIcSsg|]}| dd¡‘qS)rHrì)r]©r“Úar#r#r$Ú sz1HmacV1Auth.canonical_resource..cs$g|]}|dˆjkrˆ |¡‘qSré)Ú QSAOfInterestrrr•r#r$rsr)r`cSsg|]}d |¡‘qS)rH)rVrr#r#r$rsú?)rLr‹r]rMÚsortrrV)r5r]Ú auth_pathÚbufZqsar#r•r$Úcanonical_resourceÿs   ÿ zHmacV1Auth.canonical_resourcecCsN| ¡d}|| |¡d7}| |¡}|r8||d7}||j||d7}|S)NrA©r)r½r rr)r5rNr]rsrærÚcsrr#r#r$Úcanonical_strings   zHmacV1Auth.canonical_stringcCsB|jjr|d=|jj|d<|j||||d}t d|¡| |¡S)NrúrrÉ)r=rkrrJrKr)r5rNr]rsrærr^r#r#r$Ú get_signature$s ÿ zHmacV1Auth.get_signaturecCsX|jdkrt‚t d¡t|jƒ}t d|j¡|j|j||j|j d}|  ||¡dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %sr) r=rrJrKrr rNr rsrÚ_inject_signature)r5r/r]rlr#r#r$r20s   ÿzHmacV1Auth.add_authcCs tddS)NTrprr•r#r#r$r ;szHmacV1Auth._get_datecCs4d|jkr|jd=d|jj›d|›}||jd<dS)NrÐzAWS r—)rsr=rf)r5r/rlÚ auth_headerr#r#r$r!>s zHmacV1Auth._inject_signature)NN)N)NN)NN)r6r7r8rr?rr rrrrr r2r r!r#r#r#r$rÿ¢shÜ'  ÿ ÿ  rÿc@s0eZdZdZdZefdd„Zdd„Zdd„Zd S) ÚHmacV1QueryAuthzÁ Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth räcCs||_||_dSr;)r=rå)r5r=rær#r#r$r?YszHmacV1QueryAuth.__init__cCsttt ¡t|jƒƒƒSr;)r.rÕrgrår•r#r#r$r ]szHmacV1QueryAuth._get_datec Cs¼i}|jj|d<||d<|jD]D}| ¡}|dkrB|jd|d<q| d¡sT|dkr|j|||<qt|ƒ}t|jƒ}|dr|d›d|›}|d |d |d ||d f}t|ƒ|_dS) NrdrDroZExpiresr)rrçérIrrìrírî) r=rfrsrr»rrr r) r5r/rlrðZ header_keyr rñròrór#r#r$r!`s   z!HmacV1QueryAuth._inject_signatureN)r6r7r8rmrôr?r r!r#r#r#r$r#Ls   r#c@seZdZdZdd„ZdS)ÚHmacV1PostAuthz‘ Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsäi}|j dd¡dk r |jd}i}g}|j dd¡dk r\|jd}| dd¡dk r\|d}||d<|jj|d<|jjdk rš|jj|d<| d|jji¡t t  |¡  d¡¡  d¡|d<|  |d¡|d<||jd<||jd<dS) Nr÷rørùrdrúr'rûrl) r£rr=rfrkrUrXrYr+rürSr-r)r5r/rýrûrùr#r#r$r2Šs,     ÿþ zHmacV1PostAuth.add_authNrþr#r#r#r$r%sr%)Zv2Zv3Zv3httpsrÞzs3-queryzs3-presign-postzs3v4-presign-post)ÚCRT_AUTH_TYPE_MAPS)Zv4zv4-queryZs3v4z s3v4-query)=rXrÖrÊr°rPr+rrgÚcollections.abcrÚ email.utilsrÚhashlibrrÚoperatorrZbotocore.compatrr r r r r rrrZbotocore.exceptionsrZbotocore.utilsrrrrÚ getLoggerr6rJrµr³rirÌr‚r¬rªr%r0r1r:rnrurÙrãrõrörÿr#r%ZAUTH_TYPE_MAPSZbotocore.crt.authr&rWr#r#r#r$Úsz   ,   ÿý =6Q0+5)ù   üÿ