Pe ddlZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z mZddlmZddlmZmZmZmZmZmZmZmZmZddlmZmZddlmZm Z m!Z!dd lm"Z"ejFe$Z%d Z&d Z'd Z(d Z)gdZ*dZ+dZ,dZ-dZ.GddZ/Gdde/Z0Gdde/Z1Gdde/Z2Gdde/Z3Gdde3Z4Gdd e4Z5Gd!d"e5Z6Gd#d$e5Z7Gd%d&e3Z8Gd'd(e8Z9Gd)d*e3Z:Gd+d,e/Z;Gd-d.e;Z<Gd/d0e;Z=Gd1d2e0Z>e1e2e2e;ed3 Z?erdd4l@mAZAe?jeAye?je3e8e4e9d5y)6N)Mapping formatdate)sha1sha256) itemgetter) HAS_CRT HTTPHeaders encodebytesensure_unicodeparse_qsquoteunquoteurlsplit urlunsplit)NoAuthTokenErrorNoCredentialsError)is_valid_ipv6_endpoint_urlnormalize_url_pathpercent_encode_sequence) MD5_AVAILABLE@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855iz%Y-%m-%dT%H:%M:%SZz%Y%m%dT%H%M%SZ)expectz user-agentzx-amzn-trace-idzUNSIGNED-PAYLOADz"STREAMING-UNSIGNED-PAYLOAD-TRAILERct|}|j}t|rd|d}ddd}|j9|j|j |j k7rd||jfz}|S)N[]Pi)httphttpsz%s:%d)rhostnamerportgetscheme)url url_partshost default_portss //usr/lib/python3/dist-packages/botocore/auth.py_host_from_urlr)Fs{  I   D!#&4&{M~~! >>]..y/?/?@ @dINN33D Kc|j}t|tr&tj|j d}|St|t rtj|}|SNutf-8)data isinstancebytesjsonloadsdecodestr)requestr.s r(_get_body_as_dictr6YsT <r?r@rBrIrCr*r(rErEnsN%r*rEc"eZdZdZdZdZdZy) SigV2Authz+ Sign a request with Signature V2. c||_yrG credentialsr=rNs r(rIzSigV2Auth.__init__} &r*cPtjdt|j}|j}t |dk(rd}|j d|jd|d}tj|jjjdt}g}t|D]d}|dk(r t||} t!|jdd } t!| jdd } |j#| d | fd j%|} || z }tjd ||j'|jdt)j*|j-j/j1d} | | fS)Nz$Calculating signature using v2 auth.r/ r- digestmod Signaturesafez-_~=&zString to sign: %s)loggerdebugrr$pathlenmethodnetlochmacnewrN secret_keyencodersortedr4rappendjoinupdatebase64 b64encodedigeststripr3)r=r5paramssplitr^string_to_signlhmacpairskeyvalue quoted_key quoted_valueqsb64s r(calc_signaturezSigV2Auth.calc_signaturesj ;<%zz t9>D#NN+2ell^2dV2F    ' ' . .w 76 &> 9Ck!s $Eszz'2: ^**734u||~.446==gFCyr*c|j t|jr |j}n |j}|jj|d<d|d<d|d<t j tt j|d<|jjr|jj|d<|j||\}}||d<|S) NAWSAccessKeyId2SignatureVersion HmacSHA256SignatureMethod Timestamp SecurityTokenrV) rNrr.rn access_keytimestrftimeISO8601gmtimetokenry)r=r5rnrw signatures r(r:zSigV2Auth.add_auths    #$& & <<\\F^^F#'#3#3#>#> %(!"$0 !"mmGT[[]C{    ! !&*&6&6&<&r?r@__doc__rIryr:rCr*r(rKrKxs'8r*rKceZdZdZdZy) SigV3Authc||_yrGrMrOs r(rIzSigV3Auth.__init__rPr*c|j td|jvr |jd=td|jd<|jjr>d|jvr |jd=|jj|jd<t j |jjjdt}|j|jdjdt|jj}d|jjd|jd}d |jvr |jd =||jd <y) NDateTusegmtX-Amz-Security-Tokenr-rTzAWS3-HTTPS AWSAccessKeyId=z ,Algorithm=HmacSHA256,Signature=zX-Amzn-Authorization)rNrheadersrrrbrcrdrerrir rlrmrr3)r=r5new_hmacencoded_signaturers r(r:zSigV3Auth.add_authsL    #$& & W__ $'",D"9    ! !%8OO$:;6:6F6F6L6LGOO2 388    ' ' . .w 76  /66w?@'(9:@@B()9)9)D)D(EF..?.F.Fw.O-P R  "W__ 4 672;./r*N)r>r?r@rIr:rCr*r(rrs '>66w~~F F33HW[[4IJ Jr*c :g}t|tr|j}|D]7\}}|jt |dt t |df9g}t |D]\}}|j|d|dj|}|S)Nz-_.~rXrZr[)r/rrrgrr4rfrh)r=rn key_val_pairsrsrtsorted_key_valsrs r(rz(SigV4Auth._canonical_query_string_paramss fg &\\^F  JC  s(%E *HI  !/ 5JC  " "cU!E7#3 4 5!$/!:%%r*c.d}|jrg}|jjdD]*}|jd\}}}|j||f,g}t |D]\}}|j|d|dj |}|S)NrWr[rZ)queryro partitionrgrfrh) r=partsrrpairrs_rtrs r(rz%SigV4Auth._canonical_query_string_urls!# ;;M ))#. 3 $s 3 Q$$c5\2 3!O%]3 9 U&&#aw'78 9%(XXo%> "%%r*cg}tt|}|D]J}djfd|j|D}|j |dt |Ldj|S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ,c3@K|]}j|ywrG) _header_value).0vr=s r( z.SigV4Auth.canonical_headers..,s!*+""1%s:rS)rfsetrhget_allrgr )r=rrsorted_header_namesrsrts` r(canonical_headerszSigV4Auth.canonical_headers"s$S%9:& =CHH/>/F/Fs/KE NNcU!N5$9#:; <  = yy!!r*c@dj|jS)N )rhro)r=rts r(rzSigV4Auth._header_value2s xx &&r*cZtdt|D}dj|S)Nc3XK|]"}|jj$ywrG)rrm)rns r(rz+SigV4Auth.signed_headers..;sIq*Is(*;)rfrrh)r=rrs r(signed_headerszSigV4Auth.signed_headers:s&IC4HIIxx  r*c|jjdi}|jd}t|txr|jddk(S)Nchecksumrequest_algorithmintrailer)contextr"r/dict)r=r5checksum_context algorithms r(_is_streaming_checksum_payloadz(SigV4Auth._is_streaming_checksum_payload>sJ"??..z2>$(()<= )T*Oy}}T/Bi/OOr*c|j|rtS|j|stS|j}|rt |dr|j }tj|jt}t}t|dD]}|j||j}|j||S|rt|jSt S)Nseekr*)r"STREAMING_UNSIGNED_PAYLOAD_TRAILER_should_sha256_sign_payloadUNSIGNED_PAYLOADbodyhasattrtell functoolspartialreadPAYLOAD_BUFFERriterrirrEMPTY_SHA256_HASH)r=r5 request_bodypositionread_chunksizerchunk hex_checksums r(payloadzSigV4Auth.payloadCs  . .w 75 511':$ #|| GL&9#((*H&..!!>NxHnc2 '& '#--/L   h '  ,'113 3$ $r*cr|jjdsy|jjddS)NrTpayload_signing_enabled)r$ startswithrr"r<s r(rz%SigV4Auth._should_sha256_sign_payload]s1{{%%g. ""#>r*c|j ttjj}|j t |j d<|j||j|}tjdtjd||j||}tjd||j||}tjd||j||y)Nrz$Calculating signature using v4 auth.zCanonicalRequest: %sStringToSign: %sz Signature: %s)rNrdatetimeutcnowrSIGV4_TIMESTAMPr_modify_request_before_signingrr\r]rpr_inject_signature_to_request)r=r5 datetime_nowrrprs r(r:zSigV4Auth.add_auths    #$& &((//1 '3'<'<_'M $ ++G4 227; ;< ,.?@,,W6GH (.9NN>7;  %y1 ))'9=r*cd|j|zg}|j|}|jd|j||jd|zdj ||j d<|S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=z Signature=%sz, Authorization)rrrgrrhr)r=r5rauth_strrs r(r z&SigV4Auth._inject_signature_to_requestsy4tzz'7JJK..w7T00AB C  23+/99X+>(r*cd|jvr |jd=|j||jjr>d|jvr |jd=|jj|jd<|jj dds/d|jvr |jd=t |jd<yy)NrrrTr)r_set_necessary_date_headersrNrrr"rr<s r(r z(SigV4Auth._modify_request_before_signings goo -0 ((1    ! !%8OO$:;6:6F6F6L6LGOO2 3""#r?r@rrArIrrrrrrrrrrrrrrrrprr:r r rrCr*r(rrsO* K&"& " '!P %4D  ?>$ GIr*rc.eZdZfdZfdZdZxZS) S3SigV4Authct||d|jvr |jd=|j||jd<y)Nr)superr rrr=r5 __class__s r(r z*S3SigV4Auth._modify_request_before_signingsA .w7 !W__ 4 6726,,w2G./r*c|jjd}t|dd}|i}|jdd}||Sd}|jjdi}|jd}t|tr|jddk(r|d }|j j d r||jvry |jjd d ry t|%|S)N client_configs3rz Content-MD5rrrheaderrrThas_streaming_inputF) rr"getattrr/rr$rrrr) r=r5r# s3_config sign_payloadchecksum_headerrrr!s r(rz'S3SigV4Auth._should_sha256_sign_payloads ++O< M46   I!}}%>E  #  ("??..z2>$(()<= i &9==+>(+J'/O &&w/goo5 ??  4e <w27;;r*c|SrGrCr=r^s r(rzS3SigV4Auth._normalize_url_path r*)r>r?r@r rr __classcell__r!s@r(rrsH'r?r@REQUIRES_IDENTITY_CACHErIr:r r.r/s@r(r1r1s". "88r*r1ceZdZdZdZy)S3ExpressPostAuthTctjj}|jt|jd<i}|jj dd|jd}i}g}|jj dd&|jd}|j dd|d}||d<d|d<|j ||d<|jd|d<|jddi|jd|j |i|jd|jdi|jj@|jj|d <|jd |jjitjtj|jd jd |d <|j!|d ||d <||jd<||jd<y) Nrs3-presign-post-fieldss3-presign-post-policy conditionsrx-amz-algorithmx-amz-credential x-amz-dateX-Amz-S3session-Tokenr-policyx-amz-signaturer r rr rr"rrgrNrrjrkr1dumpsrer3rr=r5rfieldsrBr=s r(r:zS3ExpressPostAuth.add_auth,s((//1 '3'<'<_'M $ ??  7 > J__%=>F ??  7 > J__%=>Fzz,-9#L1 )|$6 !%)ZZ%8!"&{;|,.@AB-tzz'/BCD<)EFG    ! ! -.2.>.>.D.DF* +   ($*:*:*@*@A  "++ JJv  % %g . &/ x%)NN6(3CW$M !4:014:01r*N)r>r?r@r7r:rCr*r(r9r9)s "';r*r9cDeZdZdZdZedfd ZdZdZdZdZ xZ S) S3ExpressQueryAuthi,T)expiresc:t|||||||_y)N)r4rrI_expires)r=rNrrr4rJr!s r(rIzS3ExpressQueryAuth.__init__Zs,    )    r*cN|jjd}d}||k(r |jd=|j|j|}d|j ||j d|j |d}|jj|jj|d<t|j}t|jd}|jD cic] \}} || d  } }} |jr"| j|ji|_d } |j r!| jt#|d |_| rt%| d z} | t%|} |} | d | d | d | | df}t'||_ ycc} }w)N content-type0application/x-www-form-urlencoded; charset=utf-8rrzX-Amz-AlgorithmzX-Amz-Credentialrz X-Amz-ExpireszX-Amz-SignedHeadersrATkeep_blank_valuesrrWr[rr"rrrrrMrNrrr$r rrrnrir.r6rr)r=r5 content_typeblocklisted_content_typer auth_paramsr%query_string_partskr query_dictoperation_paramsnew_query_stringp new_url_partss r(r z1S3ExpressQueryAuth._modify_request_before_signingks**>: > ! 3 3/ ,,T-A-A'-JK 2 $ 7 3!//+6!]]#1      ! ! -373C3C3I3IK/ 0W[[) &iooN*<*B*B*DE$!Qa1gE E >>   gnn -GN <<   /8 9GL 6zBSH  !8!E F G  1qtQqT+;QqTB  / AF,F!c4|xjd|zz c_yNz&X-Amz-Signature=%sr$r=r5rs r(r z/S3ExpressQueryAuth._inject_signature_to_request  ,y88 r*c|SrGrCr,s r(rz&S3ExpressQueryAuth._normalize_url_pathr-r*ctSrGrr<s r(rzS3ExpressQueryAuth.payload  r*) r>r?r@DEFAULT_EXPIRESr7rIr r rrr.r/s@r(rIrIVs-O"  "?0B9  r*rIc2eZdZdZeffd ZdZdZxZS)SigV4QueryAuthc6t||||||_yrGrL)r=rNrrrJr!s r(rIzSigV4QueryAuth.__init__s lK@ r*cN|jjd}d}||k(r |jd=|j|j|}d|j ||j d|j |d}|jj|jj|d<t|j}t|jd}|jD cic] \}} || d  } }} |jr"| j|ji|_d } |j r!| jt#|d |_| rt%| d z} | t%|} |} | d | d | d | | df}t'||_ ycc} }w)NrOrPrrrQrTrRrrWr[rTrUrVrW)r=r5rXblacklisted_content_typerrZr%r[r\rr]r^r_r`ras r(r z-SigV4QueryAuth._modify_request_before_signings**>: > ! 3 3/ ,,T-A-A'-JK 2 $ 7 3!//+6!]]#1      ! ! -262B2B2H2HK. /W[[) &iooN*<*B*B*DE$!Qa1gE E >>   gnn -GN <<   /8 9GL 6zBSH  !8!E F G  1qtQqT+;QqTB  / AFrbc4|xjd|zz c_yrdrerfs r(r z+SigV4QueryAuth._inject_signature_to_requestrgr*)r>r?r@rlrIr r r.r/s@r(rnrnsO?N ?0B9r*rnceZdZdZdZdZy)S3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html c|SrGrCr,s r(rz$S3SigV4QueryAuth._normalize_url_pathr-r*ctSrGrjr<s r(rzS3SigV4QueryAuth.payloadrkr*N)r>r?r@rrrrCr*r(rurus  r*ruceZdZdZdZy)S3SigV4PostAuthz Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html ctjj}|jt|jd<i}|jj dd|jd}i}g}|jj dd&|jd}|j dd|d}||d<d|d<|j ||d<|jd|d<|jddi|jd|j |i|jd|jdi|jj@|jj|d <|jd |jjitjtj|jd jd |d <|j!|d ||d <||jd<||jd<y) Nrr;r<r=rr>r?r@x-amz-security-tokenr-rBrCrDrFs r(r:zS3SigV4PostAuth.add_auth/s((//1 '3'<'<_'M $ ??  7 > J__%=>F ??  7 > J__%=>Fzz,-9#L1 )|$6 !%)ZZ%8!"&{;|,.@AB-tzz'/BCD<)EFG    ! ! --1-=-=-C-CF) *   5t7G7G7M7MN O"++ JJv  % %g . &/ x%)NN6(3CW$M !4:014:01r*Nr>r?r@rr:rCr*r(ryry's %;r*rycbeZdZgdZddZdZdZdZdZddZ dd Z dd Z d Z d Z d Zy) HmacV1Auth)$ accelerateaclcorsdefaultObjectAcllocationlogging partNumberrBrequestPaymenttorrent versioning versionIdversionswebsiteuploadsuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingdelete lifecycletaggingrestore storageClass notification replicationr analyticsmetrics inventoryselectz select-typez object-lockNc||_yrGrMrs r(rIzHmacV1Auth.__init__rPr*c*tj|jjj dt }|j |j dt|jjjdS)Nr-rT) rbrcrNrdrerrir rlrmr3)r=rprs r( sign_stringzHmacV1Auth.sign_stringsk88    ' ' . .w 74  --g678??,-335<.s2&' 2srrS)rrrhrrfkeysrg)r=rrcustom_headersrsrsorted_header_keyss r(canonical_custom_headersz#HmacV1Auth.canonical_custom_headerss CBs|'==*),2+2??3+?2*N2&  $N$7$7$9:% 7C JJ#as 345 6 7yy~r*cHt|dk(r|S|dt|dfS)z( TODO: Do we need this? rTr)r_r)r=nvs r( unquote_vzHmacV1Auth.unquote_vs+ r7a<IqE72a5>* *r*c||}n |j}|jr|jjd}|Dcgc]}|jdd}}|Dcgc]%}|d|jvs|j |'}}t |dkDrR|j td|Dcgc]}dj|}}|dz }|dj|z }|Scc}wcc}wcc}w)Nr[rZrTr)rs?) r^rro QSAOfInterestrr_sortrrh)r=ro auth_pathbufqsaas r(canonical_resourcezHmacV1Auth.canonical_resources  C**C ;;++##C(C,/0q1773?0C0+.&'!A$$:L:L2Lq!C3x!|Z]+,/0qsxx{00s sxx}$ 1 1sC*C/3C/5C4c|jdz}||j|dzz }|j|}|r||dzz }||j||z }|S)NrSr)rrrr)r=r`rorrJrcsrs r(canonical_stringzHmacV1Auth.canonical_stringso\\^d " d--g6==66w?  .4' 'B d%%ey%AA r*c|jjr|d=|jj|d<|j||||}tj d||j |S)Nr{rr)rNrrr\r]r)r=r`rorrJrrps r( get_signaturezHmacV1Auth.get_signaturess    ! !./.2.>.>.D.DG* +.. E7i/   (.9//r*cF|jttjdt |j }tjd|j |j|j ||j|j}|j||y)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %sr) rNrr\r]rr$r`rrr_inject_signature)r=r5rors r(r:zHmacV1Auth.add_auths    #$ $ ?@% .?&& NNE7??g>O>O'  w 2r*ctdS)NTrrr=s r(rzHmacV1Auth._get_dates &&r*cd|jvr |jd=d|jjd|}||jd<y)NrzAWS r)rrNr)r=r5r auth_headers r(rzHmacV1Auth._inject_signaturesI goo -0T--8899+F +6(r*)NNrG)r>r?r@rrIrrrrrrrr:rrrCr*r(r~r~WsN%MN'F" +6?C ?C 0 3' 7r*r~c*eZdZdZdZefdZdZdZy)HmacV1QueryAuthz Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth roc ||_||_yrG)rNrM)r=rNrJs r(rIzHmacV1QueryAuth.__init__ s& r*cztttjt|jzSrG)r4rrrMrs r(rzHmacV1QueryAuth._get_dates&3tyy{S%77899r*ci}|jj|d<||d<|jD]R}|j}|dk(r|jd|d<+|j ds|dvsA|j|||<Tt |}t |j}|dr |dd|}|d |d |d ||d f}t||_y) Nr{rVrExpiresr)rrOr[rrTrUrV) rNrrrrrrr$r) r=r5rr] header_keyrr_r`ras r(rz!HmacV1QueryAuth._inject_signatures '+'7'7'B'B #$"+ ;!// 5J!!#BV#(/(? 9%x(B3-")!4 2 5 3:> W[[ ! Q4#$A$q)9(:; 1qtQqT+;QqTB  / r*N)r>r?r@rrlrIrrrCr*r(rrs O,; :0r*rceZdZdZdZy)HmacV1PostAuthz Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html ci}|jjdd|jd}i}g}|jjdd&|jd}|jdd|d}||d<|jj|d<|jj@|jj|d<|j d|jjit jtj|jdjd|d<|j|d|d<||jd<||jd<y) Nr;r<r=r{r{r-rBr) rr"rNrrrgrjrkr1rErer3r)r=r5rGrBr=s r(r:zHmacV1PostAuth.add_auth>sX ??  7 > J__%=>F ??  7 > J__%=>Fzz,-9#L1 )|#'#3#3#>#>    ! ! --1-=-=-C-CF) *   5t7G7G7M7MN O"++ JJv  % %g . &/ x#..vh/?@{4:014:01r*Nr|rCr*r(rr5s ;r*rceZdZdZdZy) BearerAuthz Performs bearer token authorization by placing the bearer token in the Authorization header as specified by Section 2.1 of RFC 6750. https://datatracker.ietf.org/doc/html/rfc6750#section-2.1 c|j td|jj}d|jvr |jd=||jd<y)NzBearer r)rHrrr)r=r5rs r(r:zBearerAuth.add_authesR ?? ""$ $ 5 567 goo -0+6(r*Nr|rCr*r(rr]s 7r*r) v2v3v3httpsr$zs3-queryzs3-presign-postzs3v4-presign-postz v4-s3expresszv4-s3express-queryzv4-s3express-presign-postbearer)CRT_AUTH_TYPE_MAPS)v4zv4-querys3v4z s3v4-query)Crjrr rrbr1rrcollections.abcr email.utilsrhashlibrroperatorrbotocore.compatr r r r r rrrrbotocore.exceptionsrrbotocore.utilsrrrr getLoggerr>r\rrrr rrrr)r6r8rErKrrrr1r9rIrnruryr~rrrAUTH_TYPE_MAPSbotocore.crt.authrrirCr*r(rs  #"    E*   8 $G  " &%I"& ..%*%: :z< <8JI JIZ3)3l8K8**; *;Ze e PN9YN9b ~ 0-;i-;`f7f7R20j20j%;Z%;P77&   %(!,!2  4,-&*  r*