U EZh_ @s|ddlZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z mZddlmZddlmZmZmZmZmZmZmZmZmZddlmZmZmZmZddl m!Z!m"Z"m#Z#dd lm$Z$e%e&Z'd Z(d Z)d Z*d Z+ddddgZ,dZ-dZ.ddZ/ddZ0GdddZ1Gddde1Z2Gddde1Z3Gddde1Z4Gd d!d!e1Z5Gd"d#d#e5Z6Gd$d%d%e6Z7Gd&d'd'e7Z8Gd(d)d)e7Z9Gd*d+d+e5Z:Gd,d-d-e:Z;Gd.d/d/e5ZGd4d5d5e=Z?Gd6d7d7e2Z@d8d9ZAe3e4e4e=e>e?ed?d@dAZFdS)BN)Mapping formatdate)sha1sha256) itemgetter) HAS_CRT HTTPHeaders encodebytesensure_unicodeparse_qsquoteunquoteurlsplit urlunsplit)NoAuthTokenErrorNoCredentialsErrorUnknownSignatureVersionError UnsupportedSignatureVersionError)is_valid_ipv6_endpoint_urlnormalize_url_pathpercent_encode_sequence) MD5_AVAILABLEZ@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855iz%Y-%m-%dT%H:%M:%SZz%Y%m%dT%H%M%SZexpectztransfer-encodingz user-agentzx-amzn-trace-idzUNSIGNED-PAYLOADz"STREAMING-UNSIGNED-PAYLOAD-TRAILERcCsZt|}|j}t|r"d|d}ddd}|jdk rV|j||jkrVd||jf}|S)N[]Pi)httphttpsz%s:%d)rhostnamerportgetscheme)url url_partshostZ default_portsr&T/home/aprabhat/apps/x.techxrdev.in/venv/lib/python3.8/site-packages/botocore/auth.py_host_from_urlLs  r(cCs:|j}t|tr"t|d}nt|tr6t|}|SNutf-8)data isinstancebytesjsonloadsdecodestr)requestr+r&r&r'_get_body_as_dict_s    r3c@seZdZdZdZddZdS) BaseSignerFcCs tddS)Nadd_auth)NotImplementedErrorselfr2r&r&r'r5pszBaseSigner.add_authN)__name__ __module__ __qualname__REQUIRES_REGIONREQUIRES_TOKENr5r&r&r&r'r4lsr4c@seZdZdZddZdS) TokenSignerTcCs ||_dSN) auth_token)r8r@r&r&r'__init__zszTokenSigner.__init__N)r9r:r;r=rAr&r&r&r'r>tsr>c@s(eZdZdZddZddZddZdS) SigV2Authz+ Sign a request with Signature V2. cCs ||_dSr? credentialsr8rDr&r&r'rAszSigV2Auth.__init__cCs tdt|j}|j}t|dkr*d}|jd|jd|d}tj |j j dt d}g}t|D]R}|dkrvqht||} t| ddd } t| dd d } || d | qhd |} || 7}td ||| dt|d} | | fS)Nz$Calculating signature using v2 auth.r/ r* digestmod Signaturesafez-_~=&zString to sign: %s)loggerdebugrr#pathlenmethodnetlochmacnewrD secret_keyencodersortedr1r appendjoinupdatebase64 b64encodedigeststripr0)r8r2paramssplitrRstring_to_signZlhmacpairskeyvalueZ quoted_keyZ quoted_valueqsZb64r&r&r'calc_signatures0        zSigV2Auth.calc_signaturecCs|jdkrt|jr|j}n|j}|jj|d<d|d<d|d<ttt|d<|jj rh|jj |d<| ||\}}||d<|S) NAWSAccessKeyId2ZSignatureVersionZ HmacSHA256ZSignatureMethod TimestampZ SecurityTokenrJ) rDrr+rb access_keytimestrftimeISO8601gmtimetokenri)r8r2rbrh signaturer&r&r'r5s   zSigV2Auth.add_authN)r9r:r;__doc__rArir5r&r&r&r'rB~srBc@seZdZddZddZdS) SigV3AuthcCs ||_dSr?rCrEr&r&r'rAszSigV3Auth.__init__cCs|jdkrtd|jkr"|jd=tdd|jd<|jjrZd|jkrL|jd=|jj|jd<tj|jjdt d}| |jddt |  }d|jjd|d}d |jkr|jd =||jd <dS) NDateTusegmtX-Amz-Security-Tokenr*rHzAWS3-HTTPS AWSAccessKeyId=z ,Algorithm=HmacSHA256,Signature=zX-Amzn-Authorization)rDrheadersrrrrVrWrXrYrr]r r`rarmr0)r8r2new_hmacZencoded_signaturersr&r&r'r5s(     zSigV3Auth.add_authN)r9r:r;rAr5r&r&r&r'rusruc@seZdZdZdZddZd1ddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ ddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0S)2 SigV4Authz+ Sign a request with Signature V4. TcCs||_||_||_dSr?)rD _region_name _service_namer8rD service_name region_namer&r&r'rAszSigV4Auth.__init__FcCs:|rt||dt}nt||dt}|Sr))rVrWrYr hexdigestr`)r8rfmsghexsigr&r&r'_signszSigV4Auth._signcCsLt}|jD] \}}|}|tkr|||<qd|krHt|j|d<|S)zk Select the headers from the request that need to be included in the StringToSign. r%)r rzitemslowerSIGNED_HEADERS_BLACKLISTr(r#)r8r2Z header_mapnamerglnamer&r&r'headers_to_signs zSigV4Auth.headers_to_signcCs&|jr||jS|t|jSdSr?)rb_canonical_query_string_params_canonical_query_string_urlrr#r7r&r&r'canonical_query_strings z SigV4Auth.canonical_query_stringcCs~g}t|tr|}|D]*\}}|t|ddtt|ddfqg}t|D]\}}||d|qRd|}|S)Nz-_.~rLrNrO)r,rrr[r r1rZr\)r8rb key_val_pairsrfrgsorted_key_valsrr&r&r'rs   z(SigV4Auth._canonical_query_string_paramsc Csvd}|jrrg}|jdD]"}|d\}}}|||fqg}t|D]\}}||d|qJd|}|S)NrKrOrN)queryrc partitionr[rZr\) r8partsrrpairrf_rgrr&r&r'rs z%SigV4Auth._canonical_query_string_urlcsZg}tt|}|D]:}dfdd||D}||dt|qd|S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ,c3s|]}|VqdSr?) _header_value.0vr8r&r' 2sz.SigV4Auth.canonical_headers..:rG)rZsetr\get_allr[r )r8rrzZsorted_header_namesrfrgr&rr'canonical_headers(s zSigV4Auth.canonical_headerscCsd|S)N )r\rc)r8rgr&r&r'r8szSigV4Auth._header_valuecCs tddt|D}d|S)Ncss|]}|VqdSr?)rra)rnr&r&r'rAsz+SigV4Auth.signed_headers..;)rZrr\)r8rrzr&r&r'signed_headers@szSigV4Auth.signed_headerscCs0|jdi}|d}t|to.|ddkS)Nchecksumrequest_algorithmintrailer)contextr!r,dict)r8r2checksum_context algorithmr&r&r'_is_streaming_checksum_payloadDs z(SigV4Auth._is_streaming_checksum_payloadcCs||rtS||stS|j}|r|t|dr||}t|j t }t }t |dD]}| |qV|}|||S|rt |StSdS)Nseek)r"STREAMING_UNSIGNED_PAYLOAD_TRAILER_should_sha256_sign_payloadUNSIGNED_PAYLOADbodyhasattrtell functoolspartialreadPAYLOAD_BUFFERriterr]rrEMPTY_SHA256_HASH)r8r2 request_bodypositionZread_chunksizerchunkZ hex_checksumr&r&r'payloadIs(     zSigV4Auth.payloadcCs|jdsdS|jddS)NrTpayload_signing_enabled)r# startswithrr!r7r&r&r'rcs z%SigV4Auth._should_sha256_sign_payloadcCs|jg}|t|jj}|||||||}|| |d|| |d|j kr||j d}n | |}||d |S)NrGX-Amz-Content-SHA256)rTupper_normalize_url_pathrr#rRr[rrrrrzrr\)r8r2crrRrZ body_checksumr&r&r'canonical_requestms       zSigV4Auth.canonical_requestcCstt|dd}|S)Nz/~rL)r r)r8rRZnormalized_pathr&r&r'r|szSigV4Auth._normalize_url_pathcCsN|jjg}||jddd||j||j|dd|SN timestampr aws4_requestrF)rDrmr[rr}r~r\r8r2scoper&r&r'rs     zSigV4Auth.scopecCsHg}||jddd||j||j|dd|Sr)r[rr}r~r\rr&r&r'credential_scopes    zSigV4Auth.credential_scopecCsHdg}||jd||||t|dd|S)z Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. AWS4-HMAC-SHA256rr*rG)r[rrrrYrr\)r8r2rstsr&r&r'rds zSigV4Auth.string_to_signcCsd|jj}|d||jddd}|||j}|||j}||d}|j||ddS)NZAWS4rrrrT)r)rDrXrrYrr}r~)r8rdr2rfZk_dateZk_regionZ k_serviceZ k_signingr&r&r'rss  zSigV4Auth.signaturecCs|jdkrttj}|t|jd<||||}t dt d|| ||}t d|| ||}t d|| ||dS)Nrz$Calculating signature using v4 auth.zCanonicalRequest: %szStringToSign: %sz Signature: %s)rDrdatetimeutcnowroSIGV4_TIMESTAMPr_modify_request_before_signingrrPrQrdrs_inject_signature_to_request)r8r2 datetime_nowrrdrsr&r&r'r5s          zSigV4Auth.add_authcCsVd||g}||}|d|||d|d||jd<|S)NzAWS4-HMAC-SHA256 Credential=zSignedHeaders=z Signature=z, Authorization)rrr[rr\rz)r8r2rsauth_strrr&r&r'rs z&SigV4Auth._inject_signature_to_requestcCsrd|jkr|jd=|||jjrDd|jkr6|jd=|jj|jd<|jddsnd|jkrd|jd=t|jd<dS)NrryrTr)rz_set_necessary_date_headersrDrrrr!rr7r&r&r'rs    z(SigV4Auth._modify_request_before_signingcCs|d|jkrV|jd=tj|jdt}ttt| |jd<d|jkrx|jd=n"d|jkrh|jd=|jd|jd<dS)Nrvr X-Amz-Date) rzrstrptimerrrintcalendartimegm timetuple)r8r2Zdatetime_timestampr&r&r'rs     z%SigV4Auth._set_necessary_date_headersN)F)r9r:r;rtr<rArrrrrrrrrrrrrrrrdrsr5rrrr&r&r&r'r|s0      r|cs0eZdZfddZfddZddZZS) S3SigV4Authcs2t|d|jkr|jd=|||jd<dS)Nr)superrrzrr7 __class__r&r'rs  z*S3SigV4Auth._modify_request_before_signingcs|jd}t|dd}|dkr$i}|dd}|dk r<|Sd}|jdi}|d}t|trx|ddkrx|d }|jd r||jkrd S|jd d rd St |S)N client_configs3rz Content-MD5rrrheaderrrTZhas_streaming_inputF) rr!getattrr,rr#rrzrr)r8r2rZ s3_configZ sign_payloadZchecksum_headerrrrr&r'rs(     z'S3SigV4Auth._should_sha256_sign_payloadcCs|Sr?r&r8rRr&r&r'rszS3SigV4Auth._normalize_url_path)r9r:r;rrr __classcell__r&r&rr'rs  )rcs8eZdZdZfddZfddZfddZZS) S3ExpressAuthTcst|||||_dSr?)rrAZ_identity_cache)r8rDrridentity_cacherr&r'rAszS3ExpressAuth.__init__cst|dSr?)rr5r7rr&r'r5#szS3ExpressAuth.add_authcs:t|d|jkr$|jj|jd<d|jkr6|jd=dS)Nzx-amz-s3session-tokenry)rrrzrDrrr7rr&r'r&s    z,S3ExpressAuth._modify_request_before_signing)r9r:r;REQUIRES_IDENTITY_CACHErAr5rrr&r&rr'rs  rc@seZdZdZddZdS)S3ExpressPostAuthTcCsPtj}|t|jd<i}|jdddk r:|jd}i}g}|jdddk rv|jd}|dddk rv|d}||d<d|d<|||d<|jd|d<|ddi|d||i|d|jdi|jj dk r|jj |d <|d |jj it t |d d |d <||d ||d <||jd<||jd<dS) Nrs3-presign-post-fieldss3-presign-post-policy conditionsrx-amz-algorithmx-amz-credential x-amz-dateX-Amz-S3session-Tokenr*policyx-amz-signaturerrrorrr!rr[rDrrr^r_r.dumpsrYr0rsr8r2rfieldsrrr&r&r'r52s>      zS3ExpressPostAuth.add_authN)r9r:r;rr5r&r&r&r'r/srcsJeZdZdZdZedfdd ZddZdd Zd d Zd d Z Z S)S3ExpressQueryAuthi,T)expirescstj||||d||_dS)N)rrrA_expires)r8rDrrrrrr&r'rA`s zS3ExpressQueryAuth.__init__c Cs|jd}d}||kr |jd=|||}d|||jd|j|d}|jjdk rf|jj|d<t |j }t |j dd}d d | D}|jr||ji|_d } |jr|t|d |_|rt|d } | t|} |} | d | d| d| | df} t| |_ dS)N content-type0application/x-www-form-urlencoded; charset=utf-8rrzX-Amz-AlgorithmzX-Amz-Credentialrz X-Amz-ExpireszX-Amz-SignedHeadersrTkeep_blank_valuescSsi|]\}}||dqSrr&rkrr&r&r' szES3ExpressQueryAuth._modify_request_before_signing..rKrOrrzr!rrrrrrDrrrr#r rrrbr]r+r3rr) r8r2 content_typeZblocklisted_content_typer auth_paramsr$query_string_parts query_dictoperation_paramsnew_query_stringp new_url_partsr&r&r'rqs>       z1S3ExpressQueryAuth._modify_request_before_signingcCs|jd|7_dSNz&X-Amz-Signature=r#r8r2rsr&r&r'rsz/S3ExpressQueryAuth._inject_signature_to_requestcCs|Sr?r&rr&r&r'rsz&S3ExpressQueryAuth._normalize_url_pathcCstSr?rr7r&r&r'rszS3ExpressQueryAuth.payload) r9r:r;DEFAULT_EXPIRESrrArrrrrr&r&rr'r\s Arcs4eZdZdZeffdd ZddZddZZS)SigV4QueryAuthcst|||||_dSr?r)r8rDrrrrr&r'rAszSigV4QueryAuth.__init__c Cs|jd}d}||kr |jd=|||}d|||jd|j|d}|jjdk rf|jj|d<t |j }t |j dd}d d | D}|jr||ji|_d } |jr|t|d |_|rt|d } | t|} |} | d | d| d| | df} t| |_ dS)NrrrrrryTrcSsi|]\}}||dqSrr&rr&r&r'rszASigV4QueryAuth._modify_request_before_signing..rKrOrrr r r ) r8r2r Zblacklisted_content_typerr r$rrrrrrr&r&r'rs>       z-SigV4QueryAuth._modify_request_before_signingcCs|jd|7_dSrrrr&r&r'rsz+SigV4QueryAuth._inject_signature_to_request)r9r:r;rrArrrr&r&rr'rs Arc@s eZdZdZddZddZdS)S3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCs|Sr?r&rr&r&r'r!sz$S3SigV4QueryAuth._normalize_url_pathcCstSr?rr7r&r&r'r%szS3SigV4QueryAuth.payloadN)r9r:r;rtrrr&r&r&r'rs rc@seZdZdZddZdS)S3SigV4PostAuthz Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCsPtj}|t|jd<i}|jdddk r:|jd}i}g}|jdddk rv|jd}|dddk rv|d}||d<d|d<|||d<|jd|d<|ddi|d||i|d|jdi|jj dk r|jj |d <|d |jj it t |d d |d <||d ||d <||jd<||jd<dS) Nrrrrrrrrx-amz-security-tokenr*rrrrr&r&r'r55s:     zS3SigV4PostAuth.add_authNr9r:r;rtr5r&r&r&r'r-src$@seZdZddddddddd d d d d ddddddddddddddddd ddd d!d"d#g$Zd;d%d&Zd'd(Zd)d*Zd+d,Zd-d.Zdd3d4Z d5d6Z d7d8Z d9d:Zd$S)? HmacV1AuthZ accelerateZaclZcorsZdefaultObjectAcllocationloggingZ partNumberrZrequestPaymentZtorrentZ versioningZ versionIdversionsZwebsiteZuploadsZuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingdeleteZ lifecycleZtaggingZrestoreZ storageClassZ notificationZ replicationZ analyticsZmetricsZ inventoryselectz select-typez object-lockNcCs ||_dSr?rCrr&r&r'rAszHmacV1Auth.__init__cCs>tj|jjdtd}||dt| dS)Nr*rH) rVrWrDrXrYrr]r r`rar0)r8rdr{r&r&r' sign_strings  zHmacV1Auth.sign_stringcCsdddg}g}d|kr|d=||d<|D]R}d}|D]6}|}||dk r8||kr8|||d}q8|s,|dq,d|S) N content-md5rdatervFTrKrG) _get_daterr[rar\)r8rzZinteresting_headershoiZihfoundrflkr&r&r'canonical_standard_headerss   z%HmacV1Auth.canonical_standard_headerscCsg}i}|D]@}|}||dk r |dr ddd||D||<q t|}|D]}||d||q^d|S)Nx-amz-rcss|]}|VqdSr?)rarr&r&r'rsz6HmacV1Auth.canonical_custom_headers..rrG)rrr\rrZkeysr[)r8rzr)custom_headersrfr+Zsorted_header_keysr&r&r'canonical_custom_headerss    z#HmacV1Auth.canonical_custom_headerscCs(t|dkr|S|dt|dfSdS)z( TODO: Do we need this? rrN)rSr)r8nvr&r&r' unquote_vs zHmacV1Auth.unquote_vcs|dk r|}n|j}|jr|jd}dd|D}fdd|D}t|dkr|jtdddd|D}|d7}|d|7}|S) NrOcSsg|]}|ddqS)rNr)rcrar&r&r' sz1HmacV1Auth.canonical_resource..cs$g|]}|djkr|qSr) QSAOfInterestr2r3rr&r'r5sr)rfcSsg|]}d|qS)rN)r\r3r&r&r'r5s?)rRrrcrSsortrr\)r8rc auth_pathbufZqsar&rr'canonical_resources    zHmacV1Auth.canonical_resourcecCsN|d}|||d7}||}|r8||d7}||j||d7}|S)NrGr9)rr,r0r;)r8rTrcrzrr9csr/r&r&r'canonical_strings   zHmacV1Auth.canonical_stringcCsF|jjr|d=|jj|d<|j||||d}td|||S)Nrr<zStringToSign: )rDrrr>rPrQr%)r8rTrcrzrr9rdr&r&r' get_signatures zHmacV1Auth.get_signaturecCs\|jdkrttdt|j}td|j|j|j||j|j d}| ||dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: r<) rDrrPrQrr#rTr?rzr9_inject_signature)r8r2rcrsr&r&r'r5s   zHmacV1Auth.add_authcCs tddS)NTrwrrr&r&r'r(szHmacV1Auth._get_datecCs4d|jkr|jd=d|jjd|}||jd<dS)NrzAWS r)rzrDrm)r8r2rs auth_headerr&r&r'r@s zHmacV1Auth._inject_signature)NN)N)NN)NN)r9r:r;r6rAr%r,r0r2r;r>r?r5r(r@r&r&r&r'r]sh'    rc@s0eZdZdZdZefddZddZddZd S) HmacV1QueryAuthz Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth rcCs||_||_dSr?)rDr)r8rDrr&r&r'rAszHmacV1QueryAuth.__init__cCstttt|jSr?)r1rrnrrr&r&r'r(szHmacV1QueryAuth._get_datec Csi}|jj|d<||d<|jD]D}|}|dkrB|jd|d<q|dsT|dkr|j|||<qt|}t|j}|dr|dd|}|d |d |d ||d f}t||_dS) NrjrJrvZExpiresr-)r&rrOrrr r ) rDrmrzrrrrr#r) r8r2rsrZ header_keyr+rrrr&r&r'r@s   z!HmacV1QueryAuth._inject_signatureN)r9r:r;rtrrAr(r@r&r&r&r'rBs   rBc@seZdZdZddZdS)HmacV1PostAuthz Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsi}|jdddk r |jd}i}g}|jdddk r\|jd}|dddk r\|d}||d<|jj|d<|jjdk r|jj|d<|d|jjitt | d d|d<| |d|d<||jd<||jd<dS) Nrrrrjrr*rrs) rr!rDrmrrr[r^r_r.rrYr0r%)r8r2rrrr&r&r'r5Ds,      zHmacV1PostAuth.add_authNrr&r&r&r'rD;srDc@seZdZdZddZdS) BearerAuthz Performs bearer token authorization by placing the bearer token in the Authorization header as specified by Section 2.1 of RFC 6750. https://datatracker.ietf.org/doc/html/rfc6750#section-2.1 cCs>|jdkrtd|jj}d|jkr0|jd=||jd<dS)NzBearer r)r@rrrrz)r8r2rAr&r&r'r5ks   zBearerAuth.add_authNrr&r&r&r'rEcsrEcCsX|D]D}|dkrt|S|tkr>t|}|tkrH|Sqt|dqt|ddS)Nsmithy.api#noAuth)signature_version)AUTH_TYPE_TO_SIGNATURE_VERSIONAUTH_TYPE_MAPSrr)Z auth_traitZ auth_typerGr&r&r'resolve_auth_typeus   rJ) Zv2Zv3Zv3httpsrzs3-queryzs3-presign-postzs3v4-presign-postz v4-s3expresszv4-s3express-queryzv4-s3express-presign-postbearer)CRT_AUTH_TYPE_MAPS)v4zv4-queryZs3v4z s3v4-queryrMZv4arKnone)zaws.auth#sigv4zaws.auth#sigv4azsmithy.api#httpBearerAuthrF)Gr^rrrrVr.r!rncollections.abcr email.utilsrhashlibrroperatorrZbotocore.compatrr r r r r rrrZbotocore.exceptionsrrrrZbotocore.utilsrrrr getLoggerr9rPrrrprrrrr(r3r4r>rBrur|rrrrrrrrrBrDrErJrIZbotocore.crt.authrLr]rHr&r&r&r's   ,     =6-hQ0*5(