MgF ddlZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z mZddlmZddlmZmZmZmZmZmZmZmZmZddlmZmZmZmZddl m!Z!m"Z"m#Z#dd lm$Z$ejJe&Z'd Z(d Z)d Z*d Z+gdZ,dZ-dZ.dZ/dZ0GddZ1Gdde1Z2Gdde1Z3Gdde1Z4Gdde1Z5Gdde5Z6Gdd e6Z7Gd!d"e7Z8Gd#d$e7Z9Gd%d&e5Z:Gd'd(e:Z;Gd)d*e5Z<Gd+d,e1Z=Gd-d.e=Z>Gd/d0e=Z?Gd1d2e2Z@d3ZAe3e4e4e=e>e?e>]..y/?/?@ @dINN33D Kc|j}t|tr&tj|j d}|St|t rtj|}|SNutf-8)data isinstancebytesjsonloadsdecodestr)requestr0s r*_get_body_as_dictr8^sT <D#NN+2ell^2dV2F    ' ' . .w 76 &>Ck!s $Eszz'2: ^**734u||~.446==gFCyr,c|j t|jr |j}n |j}|jj|d<d|d<d|d<t j tt j|d<|jjr|jj|d<|j||\}}||d<|S) NAWSAccessKeyId2SignatureVersion HmacSHA256SignatureMethod Timestamp SecurityTokenrX) rPrr0rp access_keytimestrftimeISO8601gmtimetokenr{)r?r7rpry signatures r*r<zSigV2Auth.add_auths    #$& & <<\\F^^F#'#3#3#>#> %(!"$0 !"mmGT[[]C{    ! !&*&6&6&<&d|jvr |jd=|jj|jd<t j |jjjdt}|j|jdjdt|jj}d|jjd|jd}d |jvr |jd =||jd <y) NDateTusegmtX-Amz-Security-Tokenr/rVzAWS3-HTTPS AWSAccessKeyId=z ,Algorithm=HmacSHA256,Signature=zX-Amzn-Authorization)rPrheadersrrrdrerfrgrrkr rnrorr5)r?r7new_hmacencoded_signaturers r*r<zSigV3Auth.add_authsL    #$& & W__ $'",D"9    ! !%8OO$:;6:6F6F6L6LGOO2 388    ' ' . .w 76  /66w?@'(9:@@B()9)9)D)D(EF..?.F.Fw.O-P R  "W__ 4 672;./r,N)r@rArBrKr<rEr,r*rrs 's r*canonical_query_stringz SigV4Auth.canonical_query_strings: >>66w~~F F33HW[[4IJ Jr,c :g}t|tr|j}|D]7\}}|jt |dt t |df9g}t |D]\}}|j|d|dj|}|S)Nz-_.~rZr\r])r1rrrirr6rhrj)r?rp key_val_pairsrurvsorted_key_valsrs r*rz(SigV4Auth._canonical_query_string_paramss fg &\\^F JC  s(%E *HI !!/JC  " "cU!E7#3 40!$/!:%%r,c.d}|jrg}|jjdD]*}|jd\}}}|j||f,g}t |D]\}}|j|d|dj |}|S)NrYr]r\)queryrq partitionrirhrj) r?partsrrpairru_rvrs r*rz%SigV4Auth._canonical_query_string_urls!# ;;M ))#. $s 3 Q$$c5\2/!O%]3 U&&#aw'784%(XXo%> "%%r,cg}tt|}|D]J}djfd|j|D}|j |dt |Ldj|S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ,c3@K|]}j|ywrI) _header_value).0vr?s r* z.SigV4Auth.canonical_headers..1s!/K!""1%/Ks:rU)rhsetrjget_allrir )r?rrsorted_header_namesrurvs` r*canonical_headerszSigV4Auth.canonical_headers'sz$S%9:&CHH/>/F/Fs/KE NNcU!N5$9#:; < ' yy!!r,c@dj|jS)N )rjrq)r?rvs r*rzSigV4Auth._header_value7s xx &&r,cZtdt|D}dj|S)Nc3XK|]"}|jj$ywrI)rro)rns r*rz+SigV4Auth.signed_headers..@s I4Hq*4Hs(*;)rhrrj)r?rrs r*signed_headerszSigV4Auth.signed_headers?s&IC4HIIxx  r,c|jjdi}|jd}t|txr|jddk(S)Nchecksumrequest_algorithmintrailer)contextr$r1dict)r?r7checksum_context algorithms r*_is_streaming_checksum_payloadz(SigV4Auth._is_streaming_checksum_payloadCsJ"??..z2>$(()<= )T*Oy}}T/Bi/OOr,c|j|rtS|j|stS|j}|rt |dr|j }tj|jt}t}t|dD]}|j||j}|j||S|rt|jSt S)Nseekr,)r"STREAMING_UNSIGNED_PAYLOAD_TRAILER_should_sha256_sign_payloadUNSIGNED_PAYLOADbodyhasattrtell functoolspartialreadPAYLOAD_BUFFERriterrkrrEMPTY_SHA256_HASH)r?r7 request_bodypositionread_chunksizerchunk hex_checksums r*payloadzSigV4Auth.payloadHs  . .w 75 511':$ #|| GL&9#((*H&..!!>NxHnc2&3#--/L   h '  ,'113 3$ $r,cr|jjdsy|jjddS)Nr!Tpayload_signing_enabled)r& startswithrr$r>s r*rz%SigV4Auth._should_sha256_sign_payloadbs1{{%%g. ""#>r,c|j ttjj}|j t |j d<|j||j|}tjdtjd||j||}tjd||j||}tjd||j||y)Nrz$Calculating signature using v4 auth.zCanonicalRequest: %szStringToSign: %sz Signature: %s)rPrdatetimeutcnowrSIGV4_TIMESTAMPr_modify_request_before_signingrr^r_rrr_inject_signature_to_request)r?r7 datetime_nowrrrrs r*r<zSigV4Auth.add_auths    #$& &((//1 '3'<'<_'M $ ++G4 227; ;< ,.?@,,W6GH (.9NN>7;  %y1 ))'9=r,cd|j|g}|j|}|jd|j||jd|dj ||j d<|S)NzAWS4-HMAC-SHA256 Credential=zSignedHeaders=z Signature=z, Authorization)rrrirrjr)r?r7rauth_strrs r*rz&SigV4Auth._inject_signature_to_requests~24::g3F2GHI..w7T00AB C  *YK01+/99X+>(r,cd|jvr |jd=|j||jjr>d|jvr |jd=|jj|jd<|jj dds/d|jvr |jd=t |jd<yy)NrrrTr)r_set_necessary_date_headersrPrrr$rr>s r*r z(SigV4Auth._modify_request_before_signings goo -0 ((1    ! !%8OO$:;6:6F6F6L6LGOO2 3""#$ GIr,rc.eZdZfdZfdZdZxZS) S3SigV4Authct||d|jvr |jd=|j||jd<y)Nr)superr rrr?r7 __class__s r*r z*S3SigV4Auth._modify_request_before_signingsA .w7 !W__ 4 6726,,w2G./r,c|jjd}t|dd}|i}|jdd}||Sd}|jjdi}|jd}t|tr|jddk(r|d }|j j d r||jvry |jjd d ry t|%|S)N client_configs3rz Content-MD5rrrheaderrr!Thas_streaming_inputF) rr$getattrr1rr&rrr r) r?r7r$ s3_config sign_payloadchecksum_headerrrr"s r*rz'S3SigV4Auth._should_sha256_sign_payloads ++O< M46   I!}}%>E  #  ("??..z2>$(()<= i &9==+>(+J'/O &&w/goo5 ??  4e <w27;;r,c|SrIrEr?r`s r*rzS3SigV4Auth._normalize_url_path r,)r@rArBr rr __classcell__r"s@r*rrsH's r*r<zS3ExpressPostAuth.add_auth1s((//1 '3'<'<_'M $ ??  7 > J__%=>F ??  7 > J__%=>Fzz,-9#L1 )|$6 !%)ZZ%8!"&{;|,.@AB-tzz'/BCD<)EFG    ! ! -.2.>.>.D.DF* +   ($*:*:*@*@A  "++ JJv  % %g . &/ x%)NN6(3CW$M !4:014:01r,N)r@rArBr8r<rEr,r*r:r:.s "';r,r:cDeZdZdZdZedfd ZdZdZdZdZ xZ S) S3ExpressQueryAuthi,T)expiresc:t|||||||_y)N)r5r rK_expires)r?rPrrr5rKr"s r*rKzS3ExpressQueryAuth.__init___s,    )    r,cN|jjd}d}||k(r |jd=|j|j|}d|j ||j d|j |d}|jj|jj|d<t|j}t|jd}|jD cic] \}} || d  } }} |jr"| j|ji|_d } |j r!| jt#|d |_| rt%| d z} | t%|} |} | d | d | d | | df}t'||_ ycc} }w)N content-type0application/x-www-form-urlencoded; charset=utf-8rrzX-Amz-AlgorithmzX-Amz-Credentialrz X-Amz-ExpireszX-Amz-SignedHeadersrBTkeep_blank_valuesrrYr]rr$rrrrrNrPrrr&r rrrprkr0r8rr)r?r7 content_typeblocklisted_content_typer auth_paramsr'query_string_partskr query_dictoperation_paramsnew_query_stringp new_url_partss r*r z1S3ExpressQueryAuth._modify_request_before_signingps**>: > ! 3 3/ ,,T-A-A'-JK 2 $ 7 3!//+6!]]#1      ! ! -373C3C3I3IK/ 0W[[) &iooN*<*B*B*DE*D$!Qa1g*D E >>   gnn -GN <<   /8 9GL 6zBSH  !8!E F G  1qtQqT+;QqTB  / AF,F!c4|xjd|z c_yNz&X-Amz-Signature=r&r?r7rs r*rz/S3ExpressQueryAuth._inject_signature_to_request  *9+66 r,c|SrIrEr-s r*rz&S3ExpressQueryAuth._normalize_url_pathr.r,ctSrIrr>s r*rzS3ExpressQueryAuth.payload  r,) r@rArBDEFAULT_EXPIRESr8rKr rrrr/r0s@r*rJrJ[s-O"  "?0B7  r,rJc2eZdZdZeffd ZdZdZxZS)SigV4QueryAuthc6t||||||_yrIrM)r?rPrrrKr"s r*rKzSigV4QueryAuth.__init__s lK@ r,cN|jjd}d}||k(r |jd=|j|j|}d|j ||j d|j |d}|jj|jj|d<t|j}t|jd}|jD cic] \}} || d  } }} |jr"| j|ji|_d } |j r!| jt#|d |_| rt%| d z} | t%|} |} | d | d | d | | df}t'||_ ycc} }w)NrPrQrrrRrTrSrrYr]rUrVrWrX)r?r7rYblacklisted_content_typerr[r'r\r]rr^r_r`rarbs r*r z-SigV4QueryAuth._modify_request_before_signings**>: > ! 3 3/ ,,T-A-A'-JK 2 $ 7 3!//+6!]]#1      ! ! -262B2B2H2HK. /W[[) &iooN*<*B*B*DE*D$!Qa1g*D E >>   gnn -GN <<   /8 9GL 6zBSH  !8!E F G  1qtQqT+;QqTB  / AFrcc4|xjd|z c_yrerfrgs r*rz+SigV4QueryAuth._inject_signature_to_request rhr,)r@rArBrmrKr rr/r0s@r*rorosO?N ?0B7r,roceZdZdZdZdZy)S3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html c|SrIrEr-s r*rz$S3SigV4QueryAuth._normalize_url_path r.r,ctSrIrkr>s r*rzS3SigV4QueryAuth.payload$rlr,N)r@rArBrrrrEr,r*rvrvs  r,rvceZdZdZdZy)S3SigV4PostAuthz Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html ctjj}|jt|jd<i}|jj dd|jd}i}g}|jj dd&|jd}|j dd|d}||d<d|d<|j ||d<|jd|d<|jddi|jd|j |i|jd|jdi|jj@|jj|d <|jd |jjitjtj|jd jd |d <|j!|d ||d <||jd<||jd<y) Nrr<r=r>rr?r@rAx-amz-security-tokenr/rCrDrErGs r*r<zS3SigV4PostAuth.add_auth4s((//1 '3'<'<_'M $ ??  7 > J__%=>F ??  7 > J__%=>Fzz,-9#L1 )|$6 !%)ZZ%8!"&{;|,.@AB-tzz'/BCD<)EFG    ! ! --1-=-=-C-CF) *   5t7G7G7M7MN O"++ JJv  % %g . &/ x%)NN6(3CW$M !4:014:01r,Nr@rArBrr<rEr,r*rzrz,s %;r,rzcbeZdZgdZddZdZdZdZdZddZ dd Z dd Z d Z d Z d Zy) HmacV1Auth)$ accelerateaclcorsdefaultObjectAcllocationlogging partNumberrCrequestPaymenttorrent versioning versionIdversionswebsiteuploadsuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingdelete lifecycletaggingrestore storageClass notification replicationr analyticsmetrics inventoryselectz select-typez object-lockNc||_yrIrOrs r*rKzHmacV1Auth.__init__rRr,c*tj|jjj dt }|j |j dt|jjjdS)Nr/rV) rdrerPrfrgrrkr rnror5)r?rrrs r* sign_stringzHmacV1Auth.sign_stringsk88    ' ' . .w 74  --g678??,-335<.s2+?a +?srrU)rrrjrrhkeysri)r?rrcustom_headersrursorted_header_keyss r*canonical_custom_headersz#HmacV1Auth.canonical_custom_headerssCBs|'==*),2+2??3+?2*N2& $N$7$7$9:%C JJ#as 345 6&yy~r,cHt|dk(r|S|dt|dfS)z( TODO: Do we need this? rUr)rar)r?nvs r* unquote_vzHmacV1Auth.unquote_vs+ r7a<IqE72a5>* *r,c||}n |j}|jr|jjd}|Dcgc]}|jdd}}|Dcgc]%}|d|jvs|j |'}}t |dkDrR|j td|Dcgc]}dj|}}|dz }|dj|z }|Scc}wcc}wcc}w)Nr]r\rUr)ru?) r`rrq QSAOfInterestrrasortrrj)r?rq auth_pathbufqsaas r*canonical_resourcezHmacV1Auth.canonical_resources  C**C ;;++##C(C,/0Cq1773?CC0+.+.a!A$$:L:L2Lq!3 3x!|Z]+,/0Cqsxx{C0s sxx}$ 1 1sC*C/3C/5C4c|jdz}||j|dzz }|j|}|r||dzz }||j||z }|S)NrUr)rrrr)r?rbrqrrKrcsrs r*canonical_stringzHmacV1Auth.canonical_stringso\\^d " d--g6==66w?  .4' 'B d%%ey%AA r,c|jjr|d=|jj|d<|j||||}tj d||j |S)Nr|rzStringToSign: )rPrrr^r_r)r?rbrqrrKrrrs r* get_signaturezHmacV1Auth.get_signaturesx    ! !./.2.>.>.D.DG* +.. E7i/   ~&678//r,cJ|jttjdt |j }tjd|j |j|j ||j|j}|j||y)Nz(Calculating signature using hmacv1 auth.zHTTP request method: r) rPrr^r_rr&rbrrr_inject_signature)r?r7rqrs r*r<zHmacV1Auth.add_auths    #$ $ ?@% ,W^^,<=>&& NNE7??g>O>O'  w 2r,ctdS)NTrrr?s r*rzHmacV1Auth._get_dates &&r,cd|jvr |jd=d|jjd|}||jd<y)NrzAWS r)rrPr)r?r7r auth_headers r*rzHmacV1Auth._inject_signaturesI goo -0T--8899+F +6(r,)NNrI)r@rArBrrKrrrrrrrr<rrrEr,r*rr\sN%MN'F" +6?C ?C 0 3' 7r,rc*eZdZdZdZefdZdZdZy)HmacV1QueryAuthz Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth rpc ||_||_yrI)rPrN)r?rPrKs r*rKzHmacV1QueryAuth.__init__s& r,cztttjt|jzSrI)r6rrrNrs r*rzHmacV1QueryAuth._get_dates&3tyy{S%77899r,ci}|jj|d<||d<|jD]R}|j}|dk(r|jd|d<+|j ds|dvsA|j|||<Tt |}t |j}|dr |dd|}|d |d |d ||d f}t||_y) Nr}rXrExpiresr)rrPr]rrUrVrW) rPrrrrrrr&r) r?r7rr^ header_keyrr`rarbs r*rz!HmacV1QueryAuth._inject_signatures '+'7'7'B'B #$"+ ;!//J!!#BV#(/(? 9%x(B3-")!4 2* 3:> W[[ ! Q4#$A$q)9(:; 1qtQqT+;QqTB  / r,N)r@rArBrrmrKrrrEr,r*rrs O,; :0r,rceZdZdZdZy)HmacV1PostAuthz Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html ci}|jjdd|jd}i}g}|jjdd&|jd}|jdd|d}||d<|jj|d<|jj@|jj|d<|j d|jjit jtj|jdjd|d<|j|d|d<||jd<||jd<y) Nr<r=r>r}r|r/rCr) rr$rPrrrirlrmr3rFrgr5r)r?r7rHrCr>s r*r<zHmacV1PostAuth.add_authCsX ??  7 > J__%=>F ??  7 > J__%=>Fzz,-9#L1 )|#'#3#3#>#>    ! ! --1-=-=-C-CF) *   5t7G7G7M7MN O"++ JJv  % %g . &/ x#..vh/?@{4:014:01r,Nr}rEr,r*rr:s ;r,rceZdZdZdZy) BearerAuthz Performs bearer token authorization by placing the bearer token in the Authorization header as specified by Section 2.1 of RFC 6750. https://datatracker.ietf.org/doc/html/rfc6750#section-2.1 c|j td|jj}d|jvr |jd=||jd<y)NzBearer r)rJrrr)r?r7rs r*r<zBearerAuth.add_authjsR ?? ""$ $ 5 567 goo -0+6(r,Nr}rEr,r*rrbs 7r,rc|D];}|dk(r t|cS|tvrt|}|tvs-|cSt|t|)Nsmithy.api#noAuth)signature_version)AUTH_TYPE_TO_SIGNATURE_VERSIONAUTH_TYPE_MAPSrr) auth_trait auth_typers r*resolve_auth_typertsZ + +1)< < 8 8 >y I  N2((.K K  +Z HHr,) v2v3v3httpsr%zs3-queryzs3-presign-postzs3v4-presign-postz v4-s3expresszv4-s3express-queryzv4-s3express-presign-postbearer)CRT_AUTH_TYPE_MAPS)v4zv4-querys3v4z s3v4-queryrv4arnone)zaws.auth#sigv4zaws.auth#sigv4azsmithy.api#httpBearerAuthr)Grlrr rrdr3rrcollections.abcr email.utilsrhashlibrroperatorrbotocore.compatr r r r r rrrrbotocore.exceptionsrrrrbotocore.utilsrrrr getLoggerr@r^rrrr rrrr+r8r:rGrMrrrr2r:rJrorvrzrrrrrrbotocore.crt.authrrkrrEr,r*rs  #"     *   8 $G  " &%I"& ..%*%: :z< <8JI JIZ3)3l8K8**; *;Ze e PN7YN7b ~ 0-;i-;`f7f7R20j20j%;Z%;P77$ I   %(!,!2  4,-&*  !) "r,