HEX

File: //usr/lib/python3/dist-packages/botocore/__pycache__/auth.cpython-310.pyc
o

,&�a��@s�ddlZddlZddlZddlZddlmZddlmZmZddl	Z	ddl
Z
ddlmZddl
Z
ddlmZmZmZmZmZmZmZmZmZmZmZddlmZddlmZmZddlmZe
� e!�Z"d	Z#d
Z$dZ%dZ&gd
�Z'dZ(dd�Z)dd�Z*Gdd�de+�Z,Gdd�de,�Z-Gdd�de,�Z.Gdd�de,�Z/Gdd�de/�Z0Gdd�de/�Z1Gdd �d e1�Z2Gd!d"�d"e/�Z3Gd#d$�d$e,�Z4Gd%d&�d&e4�Z5Gd'd(�d(e4�Z6e-e.e.e4e5e6e3d)�Z7er�dd*l8m9Z9e7�:e9�dSe7�:e/e1e0e2d+��dS),�N��
formatdate)�sha1�sha256)�
itemgetter)�encodebytes�ensure_unicode�HTTPHeaders�json�parse_qs�quote�six�unquote�urlsplit�
urlunsplit�HAS_CRT)�NoCredentialsError)�normalize_url_path�percent_encode_sequence)�
MD5_AVAILABLE�@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855iz%Y-%m-%dT%H:%M:%SZz%Y%m%dT%H%M%SZ)�expectz
user-agentzx-amzn-trace-idzUNSIGNED-PAYLOADcCsFt|�}|j}ddd�}|jdur!|j|�|j�kr!d||jf}|S)N�Pi�)�http�httpsz%s:%d)r�hostname�port�get�scheme)�url�	url_parts�host�
default_ports�r#�//usr/lib/python3/dist-packages/botocore/auth.py�_host_from_url7s�
r%cCs@|j}t|tj�rt�|�d��}|St|tj�rt�|�}|S�N�utf-8)�data�
isinstancer
�binary_typer
�loads�decode�string_types)�requestr(r#r#r$�_get_body_as_dictHs�
r/c@�eZdZdZdd�ZdS)�
BaseSignerFcCstd��)N�add_auth)�NotImplementedError��selfr.r#r#r$r2XszBaseSigner.add_authN)�__name__�
__module__�__qualname__�REQUIRES_REGIONr2r#r#r#r$r1Usr1c@s(eZdZdZdd�Zdd�Zdd�ZdS)	�	SigV2Authz+
    Sign a request with Signature V2.
    cC�
||_dS�N��credentials�r5r>r#r#r$�__init__a�
zSigV2Auth.__init__cCst�d�t|j�}|j}t|�dkrd}d|j|j|f}tj	|j
j�d�t
d�}g}t|�D]*}|dkr7q0t�||�}	t|�d�dd	�}
t|	�d�d
d	�}|�|
�d|���q0d�|�}||7}t�d
|�|�|�d��t�|������d�}
||
fS)Nz$Calculating signature using v2 auth.r�/z	%s
%s
%s
r'��	digestmod�	Signature���safez-_~�=�&zString to sign: %s)�logger�debugrr�path�len�method�netloc�hmac�newr>�
secret_key�encoder�sortedr
�	text_typer�append�join�update�base64�	b64encode�digest�stripr,)r5r.�params�splitrM�string_to_sign�lhmac�pairs�key�value�
quoted_key�quoted_value�qs�b64r#r#r$�calc_signatureds4

��
zSigV2Auth.calc_signaturecCs�|jdurt��|jr|j}n|j}|jj|d<d|d<d|d<t�tt���|d<|jj	r4|jj	|d<|�
||�\}}||d<|S)	N�AWSAccessKeyId�2�SignatureVersion�
HmacSHA256�SignatureMethod�	Timestamp�
SecurityTokenrE)r>rr(r^�
access_key�time�strftime�ISO8601�gmtime�tokenri)r5r.r^rg�	signaturer#r#r$r2�s
zSigV2Auth.add_authN)r6r7r8�__doc__r@rir2r#r#r#r$r:\s
r:c@seZdZdd�Zdd�ZdS)�	SigV3AuthcCr;r<r=r?r#r#r$r@�rAzSigV3Auth.__init__cCs�|jdurt��d|jvr|jd=tdd�|jd<|jjr-d|jvr&|jd=|jj|jd<tj|jj�d�t	d�}|�
|jd�d��t|����
�}d|jjd|�d�f}d	|jvra|jd	=||jd	<dS)
N�DateT��usegmt�X-Amz-Security-Tokenr'rCz6AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=%s,Signature=%srmzX-Amzn-Authorization)r>r�headersrrvrQrRrSrTrrYrr\r]rqr,)r5r.�new_hmac�encoded_signaturerwr#r#r$r2�s,


���
zSigV3Auth.add_authN)r6r7r8r@r2r#r#r#r$ry�sryc@s�eZdZdZdZdd�Zd/dd�Zdd	�Zd
d�Zdd
�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Zd(d)�Zd*d+�Zd,d-�Zd.S)0�	SigV4Authz+
    Sign a request with Signature V4.
    TcCs||_||_||_dSr<)r>�_region_name�
_service_name�r5r>�service_name�region_namer#r#r$r@�s
zSigV4Auth.__init__FcCs<|rt�||�d�t���}|St�||�d�t���}|Sr&)rQrRrTr�	hexdigestr\)r5rc�msg�hex�sigr#r#r$�_sign�s
�zSigV4Auth._signcCsLt�}|j��D]\}}|��}|tvr|||<qd|vr$t|j�|d<|S)zk
        Select the headers from the request that need to be included
        in the StringToSign.
        r!)r	r~�items�lower�SIGNED_HEADERS_BLACKLISTr%r)r5r.�
header_map�namerd�lnamer#r#r$�headers_to_sign�s�zSigV4Auth.headers_to_signcCs"|jr	|�|j�S|�t|j��Sr<)r^�_canonical_query_string_params�_canonical_query_string_urlrrr4r#r#r$�canonical_query_string�sz SigV4Auth.canonical_query_stringcCsng}|D]}t||�}|�t|dd�t|dd�f�qg}t|�D]
\}}|�d||f�q"d�|�}|S)Nz-_.~rG�%s=%srJ)�strrWrrUrX)r5r^�
key_val_pairsrcrd�sorted_key_valsr�r#r#r$r��s
�
z(SigV4Auth._canonical_query_string_paramsc	Cstd}|jr8g}|j�d�D]}|�d�\}}}|�||f�q
g}t|�D]
\}}|�d||f�q%d�|�}|S)NrFrJrIr�)�queryr_�	partitionrWrUrX)	r5�partsr�r��pairrc�_rdr�r#r#r$r��s
z%SigV4Auth._canonical_query_string_urlcsXg}tt|��}|D]}d��fdd�|�|�D��}|�d|t|�f�q
d�|�S)a

        Return the headers that need to be included in the StringToSign
        in their canonical form by converting all header keys to lower
        case, sorting them in alphabetical order and then joining
        them into a string, separated by newlines.
        �,c3s�|]}��|�VqdSr<)�
_header_value��.0�v�r5r#r$�	<genexpr>s�z.SigV4Auth.canonical_headers.<locals>.<genexpr>�%s:%s�
)rU�setrX�get_allrWr)r5r�r~�sorted_header_namesrcrdr#r�r$�canonical_headerss�
zSigV4Auth.canonical_headerscCsd�|���S)N� )rXr_)r5rdr#r#r$r�szSigV4Auth._header_valuecCs tdd�t|�D��}d�|�S)NcSsg|]}|�����qSr#)r�r])r��nr#r#r$�
<listcomp>�z,SigV4Auth.signed_headers.<locals>.<listcomp>�;)rUr�rX)r5r�r~r#r#r$�signed_headerss�
zSigV4Auth.signed_headerscCs�|�|�stS|j}|r7t|d�r7|��}t�|jt�}t	�}t
|d�D]}|�|�q$|��}|�
|�|S|r?t	|���StS)N�seek�)�_should_sha256_sign_payload�UNSIGNED_PAYLOAD�body�hasattr�tell�	functools�partial�read�PAYLOAD_BUFFERr�iterrYr�r��EMPTY_SHA256_HASH)r5r.�request_body�position�read_chunksize�checksum�chunk�hex_checksumr#r#r$�payloads"
�
zSigV4Auth.payloadcCs|j�d�sdS|j�dd�S)NrT�payload_signing_enabled)r�
startswith�contextrr4r#r#r$r�6sz%SigV4Auth._should_sha256_sign_payloadcCs�|j��g}|�t|j�j�}|�|�|�|�|��|�|�}|�|�	|�d�|�|�
|��d|jvr>|jd}n|�|�}|�|�d�
|�S)Nr��X-Amz-Content-SHA256)rO�upper�_normalize_url_pathrrrMrWr�r�r�r�r~r�rX)r5r.�crrMr��
body_checksumr#r#r$�canonical_request@s





zSigV4Auth.canonical_requestcCstt|�dd�}|S)Nz/~rG)rr)r5rM�normalized_pathr#r#r$r�OszSigV4Auth._normalize_url_pathcCsN|jjg}|�|jddd��|�|j�|�|j�|�d�d�|�S�N�	timestampr��aws4_requestrB)r>rqrWr�r�r�rX�r5r.�scoper#r#r$r�Ss


zSigV4Auth.scopecCsHg}|�|jddd��|�|j�|�|j�|�d�d�|�Sr�)rWr�r�r�rXr�r#r#r$�credential_scope[s

zSigV4Auth.credential_scopecCsHdg}|�|jd�|�|�|��|�t|�d�����d�|�S)z�
        Return the canonical StringToSign as well as a dict
        containing the original version of all headers that
        were included in the StringToSign.
        �AWS4-HMAC-SHA256r�r'r�)rWr�r�rrTr�rX)r5r.r��stsr#r#r$r`cs

zSigV4Auth.string_to_signcCsd|jj}|�d|�d�|jddd��}|�||j�}|�||j�}|�|d�}|j||dd�S)	N�AWS4r'r�rr�r�T)r�)r>rSr�rTr�r�r�)r5r`r.rc�k_date�k_region�	k_service�	k_signingr#r#r$rwos�zSigV4Auth.signaturecCs�|jdurt��tj��}|�t�|jd<|�|�|�|�}t	�
d�t	�
d|�|�||�}t	�
d|�|�||�}t	�
d|�|�
||�dS)Nr�z$Calculating signature using v4 auth.zCanonicalRequest:
%s�StringToSign:
%sz
Signature:
%s)r>r�datetime�utcnowrs�SIGV4_TIMESTAMPr��_modify_request_before_signingr�rKrLr`rw�_inject_signature_to_request)r5r.�datetime_nowr�r`rwr#r#r$r2xs




zSigV4Auth.add_authcCsPd|�|�g}|�|�}|�d|�|��|�d|�d�|�|jd<|S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=%szSignature=%sz, �
Authorization)r�r�rWr�rXr~)r5r.rw�auth_strr�r#r#r$r��s
z&SigV4Auth._inject_signature_to_requestcCsvd|jvr	|jd=|�|�|jjr"d|jvr|jd=|jj|jd<|j�dd�s9d|jvr2|jd=t|jd<dSdS)Nr�r}r�Tr�)r~�_set_necessary_date_headersr>rvr�rr�r4r#r#r$r��s



�z(SigV4Auth._modify_request_before_signingcCs�d|jvr.|jd=tj�|jdt�}ttt�|�	����|jd<d|jvr,|jd=dSdSd|jvr7|jd=|jd|jd<dS)Nrzr��
X-Amz-Date)
r~r��strptimer�r�r�int�calendar�timegm�	timetuple)r5r.�datetime_timestampr#r#r$r��s

�
�
�
z%SigV4Auth._set_necessary_date_headersN)F)r6r7r8rxr9r@r�r�r�r�r�r�r�r�r�r�r�r�r�r�r`rwr2r�r�r�r#r#r#r$r��s0


	r�cs0eZdZ�fdd�Z�fdd�Zdd�Z�ZS)�S3SigV4Authcs6tt|��|�d|jvr|jd=|�|�|jd<dS)Nr�)�superr�r�r~r�r4��	__class__r#r$r��s
z*S3SigV4Auth._modify_request_before_signingcsx|j�d�}t|dd�}|duri}|�dd�}|dur|S|j�d�r)d|jvr+dS|j�dd�r4dStt|��|�S)	N�
client_config�s3r�rzContent-MD5T�has_streaming_inputF)	r�r�getattrrr�r~r�r�r�)r5r.r��	s3_config�sign_payloadr�r#r$r��s
z'S3SigV4Auth._should_sha256_sign_payloadcC�|Sr<r#�r5rMr#r#r$r���zS3SigV4Auth._normalize_url_path)r6r7r8r�r�r��
__classcell__r#r#r�r$r��s"r�cs4eZdZdZef�fdd�	Zdd�Zdd�Z�ZS)�SigV4QueryAuth�cstt|��|||�||_dSr<)r�r�r@�_expires)r5r>r�r��expiresr�r#r$r@�s�
zSigV4QueryAuth.__init__cCs|j�d�}d}||kr|jd=|�|�|��}d|�|�|jd|j|d�}|jjdur3|jj|d<t	|j
�}tdd�t|j
d	d
���D��}|jrT|�|j�i|_d}|jrc|�t|��d|_|rkt|�d}|t|�}	|}
|
d
|
d|
d|	|
df}t|�|_
dS)N�content-typez0application/x-www-form-urlencoded; charset=utf-8r�r�)zX-Amz-AlgorithmzX-Amz-Credentialr�z
X-Amz-ExpireszX-Amz-SignedHeadersr}cSsg|]
\}}||df�qS�rr#)r��kr�r#r#r$r�	szASigV4QueryAuth._modify_request_before_signing.<locals>.<listcomp>T)�keep_blank_valuesrFrJr���)r~rr�r�r�r�r�r>rvrr�dictrr�r�r^rYr(r/rr)r5r.�content_type�blacklisted_content_typer��auth_paramsr �
query_dict�operation_params�new_query_string�p�
new_url_partsr#r#r$r��sF��
���
z-SigV4QueryAuth._modify_request_before_signingcCs|jd|7_dS)Nz&X-Amz-Signature=%s)r�r5r.rwr#r#r$r�*sz+SigV4QueryAuth._inject_signature_to_request)r6r7r8�DEFAULT_EXPIRESr@r�r�r�r#r#r�r$r��s�@r�c@s eZdZdZdd�Zdd�ZdS)�S3SigV4QueryAuthaS3 SigV4 auth using query parameters.

    This signer will sign a request using query parameters and signature
    version 4, i.e a "presigned url" signer.

    Based off of:

    http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html

    cCr�r<r#r�r#r#r$r�<r�z$S3SigV4QueryAuth._normalize_url_pathcCstSr<)r�r4r#r#r$r�@szS3SigV4QueryAuth.payloadN)r6r7r8rxr�r�r#r#r#r$r1s
rc@r0)�S3SigV4PostAuthz�
    Presigns a s3 post

    Implementation doc here:
    http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html
    cCsNtj��}|�t�|jd<i}|j�dd�dur|jd}i}g}|j�dd�dur;|jd}|�dd�dur;|d}||d<d|d<|�|�|d<|jd|d<|�ddi�|�d|�|�i�|�d|jdi�|jj	dur�|jj	|d	<|�d	|jj	i�t
�t�
|��d
���d
�|d<|�|d|�|d<||jd<||jd<dS)
Nr��s3-presign-post-fields�s3-presign-post-policy�
conditionsr�zx-amz-algorithmzx-amz-credentialz
x-amz-date�x-amz-security-tokenr'�policyzx-amz-signature)r�r�rsr�r�rr�rWr>rvrZr[r
�dumpsrTr,rw)r5r.r��fieldsrrr#r#r$r2Os:


��
zS3SigV4PostAuth.add_authN�r6r7r8rxr2r#r#r#r$rHsrc@s|eZdZgd�Zddd�Zdd�Zdd�Zd	d
�Zdd�Zdd
d�Z			ddd�Z
		ddd�Zdd�Zdd�Z
dd�ZdS)�
HmacV1Auth)$�
accelerate�acl�cors�defaultObjectAcl�location�logging�
partNumberr�requestPayment�torrent�
versioning�	versionId�versions�website�uploads�uploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encoding�delete�	lifecycle�tagging�restore�storageClass�notification�replicationr%�	analytics�metrics�	inventory�selectzselect-typezobject-lockNcCr;r<r=r�r#r#r$r@�rAzHmacV1Auth.__init__cCs>tj|jj�d�td�}|�|�d��t|����	��
d�S)Nr'rC)rQrRr>rSrTrrYrr\r]r,)r5r`rr#r#r$�sign_string�s
�zHmacV1Auth.sign_stringcCs�gd�}g}d|vr
|d=|��|d<|D])}d}|D]}|��}||dur6||kr6|�||���d}q|s>|�d�qd�|�S)N)�content-md5r�daterzFTrFr�)�	_get_dater�rWr]rX)r5r~�interesting_headers�hoi�ih�foundrc�lkr#r#r$�canonical_standard_headers�s"�
�
z%HmacV1Auth.canonical_standard_headerscCs�g}i}|D] }|��}||dur&|�d�r&d�dd�|�|�D��||<qt|���}|D]
}|�d|||f�q/d�|�S)N�x-amz-r�css�|]}|��VqdSr<)r]r�r#r#r$r��s�z6HmacV1Auth.canonical_custom_headers.<locals>.<genexpr>r�r�)r�r�rXr�rU�keysrW)r5r~r=�custom_headersrcr@�sorted_header_keysr#r#r$�canonical_custom_headers�s

��
z#HmacV1Auth.canonical_custom_headerscCs$t|�dkr|S|dt|d�fS)z(
        TODO: Do we need this?
        rr)rNr)r5�nvr#r#r$�	unquote_v�szHmacV1Auth.unquote_vcs�|dur|}n|j}|jrC|j�d�}dd�|D�}�fdd�|D�}t|�dkrC|jtd�d�dd�|D�}|d7}|d�|�7}|S)	NrJcSsg|]}|�dd��qS)rIr)r_�r��ar#r#r$r��r�z1HmacV1Auth.canonical_resource.<locals>.<listcomp>cs$g|]}|d�jvr��|��qSr)�
QSAOfInterestrHrIr�r#r$r��s�r)rccSsg|]}d�|��qS)rI)rXrIr#r#r$r��s�?)rMr�r_rN�sortrrX)r5r_�	auth_path�buf�qsar#r�r$�canonical_resource�s	zHmacV1Auth.canonical_resourcecCsN|��d}||�|�d7}|�|�}|r||d7}||j||d�7}|S)Nr��rN)r�rArFrQ)r5rOr_r~rrN�csrDr#r#r$�canonical_string�s
zHmacV1Auth.canonical_stringcCsB|jjr
|d=|jj|d<|j||||d�}t�d|�|�|�S)NrrRr�)r>rvrTrKrLr8)r5rOr_r~rrNr`r#r#r$�
get_signature�s�
zHmacV1Auth.get_signaturecCsX|jdurt�t�d�t|j�}t�d|j�|j|j||j|j	d�}|�
||�dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %srR)r>rrKrLrrrOrUr~rN�_inject_signature)r5r.r_rwr#r#r$r2�s



�zHmacV1Auth.add_authcCs
tdd�S)NTr{rr�r#r#r$r;�rAzHmacV1Auth._get_datecCs,d|jvr	|jd=d|jj|f|jd<dS)Nr�z	AWS %s:%s)r~r>rqrr#r#r$rV�s
�zHmacV1Auth._inject_signature)NNr<)r6r7r8rKr@r8rArFrHrQrTrUr2r;rVr#r#r#r$rvs"

	
�

�rc@s0eZdZdZdZefdd�Zdd�Zdd�Zd	S)
�HmacV1QueryAuthz�
    Generates a presigned request for s3.

    Spec from this document:

    http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html
    #RESTAuthenticationQueryStringAuth

    r�cCs||_||_dSr<)r>r�)r5r>rr#r#r$r@s
zHmacV1QueryAuth.__init__cCsttt��t|j���Sr<)r�r�rrr�r�r#r#r$r;szHmacV1QueryAuth._get_datec	Cs�i}|jj|d<||d<|jD]"}|��}|dkr!|jd|d<q|�d�s*|dvr1|j|||<qt|�}t|j�}|drGd|d|f}|d	|d
|d||df}t|�|_dS)
NrjrErz�ExpiresrB)r9r�z%s&%srrrr)	r>rqr~r�r�rrrr)	r5r.rwr�
header_keyr@rrrr#r#r$rVs 
�
z!HmacV1QueryAuth._inject_signatureN)r6r7r8rxrr@r;rVr#r#r#r$rWs	rWc@r0)�HmacV1PostAuthz�
    Generates a presigned post for s3.

    Spec from this document:

    http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html
    cCs�i}|j�dd�dur|jd}i}g}|j�dd�dur.|jd}|�dd�dur.|d}||d<|jj|d<|jjdurM|jj|d<|�d|jji�t�t�	|��
d���d�|d<|�|d�|d<||jd<||jd<dS)	Nrrrrjrr'rrw)
r�rr>rqrvrWrZr[r
rrTr,r8)r5r.rrrr#r#r$r2:s,

��
zHmacV1PostAuth.add_authNrr#r#r#r$r[2sr[)�v2�v3�v3httpsr�zs3-queryzs3-presign-postzs3v4-presign-post)�CRT_AUTH_TYPE_MAPS)�v4zv4-query�s3v4z
s3v4-query);rZr�r�r��email.utilsr�hashlibrrrQr#�operatorrrr�botocore.compatrrr	r
rrr
rrrr�botocore.exceptionsr�botocore.utilsrrr�	getLoggerr6rKr�r�rtr�r�r�r%r/�objectr1r:ryr�r�r�rrrrWr[�AUTH_TYPE_MAPS�botocore.crt.authr_rYr#r#r#r$�<module>sl
4
�
>/P.2'��