o i @sddlZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z mZddlmZddlmZmZmZmZmZmZmZmZmZmZmZddlmZmZm Z m!Z!ddl"m#Z#m$Z$m%Z%e&e'Z(d Z)d Z*d Z+d Z,gd Z-dZ.dZ/ddZ0ddZ1GdddZ2Gddde2Z3Gddde2Z4Gddde2Z5Gddde2Z6Gddde6Z7Gd d!d!e7Z8Gd"d#d#e8Z9Gd$d%d%e8Z:Gd&d'd'e6Z;Gd(d)d)e;ZGd.d/d/e>Z?Gd0d1d1e>Z@Gd2d3d3e3ZAd4d5ZBd6d7ZCe4e5e5e>e?e@e=e8e:e9eAd8 ZDer+dd9lEmFZFeDGeFn eDGe6e;e7ed?ZHd@dAeHIDZJdS)BN)Mapping formatdate)sha1sha256) itemgetter) HAS_CRT MD5_AVAILABLE HTTPHeaders encodebytesensure_unicodeget_current_datetimeparse_qsquoteunquoteurlsplit urlunsplit)NoAuthTokenErrorNoCredentialsErrorUnknownSignatureVersionError UnsupportedSignatureVersionError)is_valid_ipv6_endpoint_urlnormalize_url_pathpercent_encode_sequenceZ@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855iz%Y-%m-%dT%H:%M:%SZz%Y%m%dT%H%M%SZ)expectztransfer-encodingz user-agentzx-amzn-trace-idzUNSIGNED-PAYLOADz"STREAMING-UNSIGNED-PAYLOAD-TRAILERcCs\t|}|j}t|rd|d}ddd}|jdur,|j||jkr,|d|j}|S)N[]Pi)httphttps:)rhostnamerportgetscheme)url url_partshostZ default_portsr(D/home/app/Keep/.python/lib/python3.10/site-packages/botocore/auth.py_host_from_urlJs  r*cCs<|j}t|trt|d}|St|trt|}|SNutf-8)data isinstancebytesjsonloadsdecodestr)requestr-r(r(r)_get_body_as_dict]s  r5c@seZdZdZdZddZdS) BaseSignerFcCstd)Nadd_auth)NotImplementedErrorselfr4r(r(r)r7nszBaseSigner.add_authN)__name__ __module__ __qualname__REQUIRES_REGIONREQUIRES_TOKENr7r(r(r(r)r6js r6c@seZdZdZ ddZdS) TokenSignerTcC ||_dSN) auth_token)r:rCr(r(r)__init__x zTokenSigner.__init__N)r;r<r=r?rDr(r(r(r)r@rs r@c@s(eZdZdZddZddZddZdS) SigV2Authz+ Sign a request with Signature V2. cCrArB credentialsr:rHr(r(r)rDrEzSigV2Auth.__init__cCs tdt|j}|j}t|dkrd}|jd|jd|d}tj |j j dt d}g}t|D])}|dkr;q4t||} t| ddd } t| dd d } || d | q4d |} || 7}td ||| dt|d} | | fS)Nz$Calculating signature using v2 auth.r/ r, digestmod Signaturesafez-_~=&zString to sign: %s)loggerdebugrr%pathlenmethodnetlochmacnewrH secret_keyencodersortedr3rappendjoinupdatebase64 b64encodedigeststripr2)r:r4paramssplitrVstring_to_signZlhmacpairskeyvalueZ quoted_keyZ quoted_valueqsZb64r(r(r)calc_signatures.       zSigV2Auth.calc_signaturecCs|jdurt|jr|j}n|j}|jj|d<d|d<d|d<ttt|d<|jj r4|jj |d<| ||\}}||d<|S) NAWSAccessKeyId2ZSignatureVersionZ HmacSHA256ZSignatureMethod TimestampZ SecurityTokenrN) rHrr-rf access_keytimestrftimeISO8601gmtimetokenrm)r:r4rfrl signaturer(r(r)r7s   zSigV2Auth.add_authN)r;r<r=__doc__rDrmr7r(r(r(r)rF|s  rFc@seZdZddZddZdS) SigV3AuthcCrArBrGrIr(r(r)rDrEzSigV3Auth.__init__cCs|jdurtd|jvr|jd=tdd|jd<|jjr-d|jvr&|jd=|jj|jd<tj|jjdt d}| |jddt |  }d|jjd|d}d |jvrb|jd =||jd <dS) NDateTusegmtX-Amz-Security-Tokenr,rLzAWS3-HTTPS AWSAccessKeyId=z ,Algorithm=HmacSHA256,Signature=zX-Amzn-Authorization)rHrheadersrrvrZr[r\r]rrar rdrerqr2)r:r4new_hmacZencoded_signaturerwr(r(r)r7s*     zSigV3Auth.add_authN)r;r<r=rDr7r(r(r(r)rys ryc@seZdZdZdZddZd1ddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ ddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0S)2 SigV4Authz+ Sign a request with Signature V4. TcCs||_||_||_dSrB)rH _region_name _service_namer:rH service_name region_namer(r(r)rDs zSigV4Auth.__init__FcCs<|rt||dt}|St||dt}|Sr+)rZr[r]r hexdigestrd)r:rjmsghexsigr(r(r)_signs zSigV4Auth._signcCsLt}|jD]\}}|}|tvr|||<qd|vr$t|j|d<|S)zk Select the headers from the request that need to be included in the StringToSign. r')r r~itemslowerSIGNED_HEADERS_BLACKLISTr*r%)r:r4Z header_mapnamerklnamer(r(r)headers_to_signszSigV4Auth.headers_to_signcCs"|jr ||jS|t|jSrB)rf_canonical_query_string_params_canonical_query_string_urlrr%r9r(r(r)canonical_query_strings z SigV4Auth.canonical_query_stringcCs~g}t|tr |}|D]\}}|t|ddtt|ddfq g}t|D]\}}||d|q)d|}|S)Nz-_.~rPrRrS)r.rrr_rr3r^r`)r:rf key_val_pairsrjrksorted_key_valsrr(r(r)rs   z(SigV4Auth._canonical_query_string_paramsc Csvd}|jr9g}|jdD]}|d\}}}|||fq g}t|D]\}}||d|q%d|}|S)NrOrSrR)queryrg partitionr_r^r`) r:partsrrpairrj_rkrr(r(r)rs z%SigV4Auth._canonical_query_string_urlcsZg}tt|}|D]}dfdd||D}||dt|q d|S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ,c3s|]}|VqdSrB) _header_value.0vr:r(r) 0s  z.SigV4Auth.canonical_headers..r rK)r^setr`get_allr_r )r:rr~Zsorted_header_namesrjrkr(rr)canonical_headers&s  zSigV4Auth.canonical_headerscCsd|S)N )r`rg)r:rkr(r(r)r6szSigV4Auth._header_valuecCs tddt|D}d|S)Ncss|] }|VqdSrB)rre)rnr(r(r)r?sz+SigV4Auth.signed_headers..;)r^rr`)r:rr~r(r(r)signed_headers>s zSigV4Auth.signed_headerscCs0|jdi}|d}t|to|ddkS)Nchecksumrequest_algorithmintrailer)contextr#r.dict)r:r4checksum_context algorithmr(r(r)_is_streaming_checksum_payloadBs z(SigV4Auth._is_streaming_checksum_payloadcCs||rtS||stS|j}|r>t|dr>|}t|j t }t }t |dD]}| |q+|}|||S|rFt |StS)Nseek)r"STREAMING_UNSIGNED_PAYLOAD_TRAILER_should_sha256_sign_payloadUNSIGNED_PAYLOADbodyhasattrtell functoolspartialreadPAYLOAD_BUFFERriterrarrEMPTY_SHA256_HASH)r:r4 request_bodypositionZread_chunksizerchunkZ hex_checksumr(r(r)payloadGs&     zSigV4Auth.payloadcCs|jdsdS|jddS)NrTpayload_signing_enabled)r% startswithrr#r9r(r(r)ras z%SigV4Auth._should_sha256_sign_payloadcCs|jg}|t|jj}|||||||}|| |d|| |d|j vr>|j d}n| |}||d |S)NrKX-Amz-Content-SHA256)rXupper_normalize_url_pathrr%rVr_rrrrr~rr`)r:r4crrVrZ body_checksumr(r(r)canonical_requestks        zSigV4Auth.canonical_requestcCstt|dd}|S)Nz/~rP)rr)r:rVZnormalized_pathr(r(r)rzszSigV4Auth._normalize_url_pathcCsN|jjg}||jddd||j||j|dd|SN timestampr aws4_requestrJ)rHrqr_rrrr`r:r4scoper(r(r)r~s     zSigV4Auth.scopecCsHg}||jddd||j||j|dd|Sr)r_rrrr`rr(r(r)credential_scopes     zSigV4Auth.credential_scopecCsHdg}||jd||||t|dd|S)z Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. AWS4-HMAC-SHA256rr,rK)r_rrrr]rr`)r:r4rstsr(r(r)rhs  zSigV4Auth.string_to_signcCsd|jj}|d||jddd}|||j}|||j}||d}|j||ddS)NZAWS4rrrrT)r)rHr\rr]rrr)r:rhr4rjZk_dateZk_regionZ k_serviceZ k_signingr(r(r)rws zSigV4Auth.signaturecCs|jdurtt}|t|jd<||||}t dt d|| ||}t d|| ||}t d|| ||dS)Nrz$Calculating signature using v4 auth.zCanonicalRequest: %sStringToSign: %sz Signature: %s) rHrr rsSIGV4_TIMESTAMPr_modify_request_before_signingrrTrUrhrw_inject_signature_to_request)r:r4 datetime_nowrrhrwr(r(r)r7s         zSigV4Auth.add_authcCsVd||g}||}|d|||d|d||jd<|S)NzAWS4-HMAC-SHA256 Credential=zSignedHeaders=z Signature=, Authorization)rrr_rr`r~)r:r4rwauth_strrr(r(r)rs z&SigV4Auth._inject_signature_to_requestcCsvd|jvr |jd=|||jjr"d|jvr|jd=|jj|jd<|jdds9d|jvr2|jd=t|jd<dSdS)Nrr}rTr)r~_set_necessary_date_headersrHrvrr#rr9r(r(r)rs    z(SigV4Auth._modify_request_before_signingcCsd|jvr.|jd=tj|jdt}ttt| |jd<d|jvr,|jd=dSdSd|jvr7|jd=|jd|jd<dS)Nrzr X-Amz-Date) r~datetimestrptimerrrintcalendartimegm timetuple)r:r4Zdatetime_timestampr(r(r)rs     z%SigV4Auth._set_necessary_date_headersN)F)r;r<r=rxr>rDrrrrrrrrrrrrrrrrhrwr7rrrr(r(r(r)rs2      rcs0eZdZfddZfddZddZZS) S3SigV4Authcs2t|d|jvr|jd=|||jd<dS)Nr)superrr~rr9 __class__r(r)rs  z*S3SigV4Auth._modify_request_before_signingcs|jd}t|dd}|duri}|dd}|dur|Sd}|jdi}|d}t|tr<|ddkr<|d }|jd rG||jvrId S|jd d rRd St |S)N client_configs3rz Content-MD5rrrheaderrrTZhas_streaming_inputF) rr#getattrr.rr%rr~rr)r:r4rZ s3_configZ sign_payloadZchecksum_headerrrrr(r)rs&       z'S3SigV4Auth._should_sha256_sign_payloadcC|SrBr(r:rVr(r(r)rzS3SigV4Auth._normalize_url_path)r;r<r=rrr __classcell__r(r(rr)rs  )rcs8eZdZdZfddZfddZfddZZS) S3ExpressAuthTct|||||_dSrB)rrDZ_identity_cache)r:rHrridentity_cacherr(r)rD zS3ExpressAuth.__init__cst|dSrB)rr7r9rr(r)r7!szS3ExpressAuth.add_authcs>t|d|jvr|jj|jd<d|jvr|jd=dSdS)Nzx-amz-s3session-tokenr})rrr~rHrvr9rr(r)r$s    z,S3ExpressAuth._modify_request_before_signing)r;r<r=REQUIRES_IDENTITY_CACHErDr7rrr(r(rr)rs   rc@eZdZdZddZdS)S3ExpressPostAuthTcCJt}|t|jd<i}|jdddur|jd}i}g}|jdddur9|jd}|dddur9|d}||d<d|d<|||d<|jd|d<|ddi|d||i|d|jdi|jjdur|jj|d <|d |jjit t | d d |d <||d ||d <||jd<||jd<dS) Nrs3-presign-post-fieldss3-presign-post-policy conditionsrx-amz-algorithmx-amz-credential x-amz-dateX-Amz-S3session-Tokenr,policyx-amz-signaturer rsrrr#rr_rHrvrbrcr0dumpsr]r2rwr:r4rfieldsrrr(r(r)r70s>      zS3ExpressPostAuth.add_authN)r;r<r=rr7r(r(r(r)r-s rcsJeZdZdZdZedfdd ZddZdd Zd d Zd d Z Z S)S3ExpressQueryAuthi,T)expirescstj||||d||_dS)N)rrrD_expires)r:rHrrrrrr(r)rD^s  zS3ExpressQueryAuth.__init__c C|jd}d}||kr|jd=|||}d|||jd|j|d}|jjdur3|jj|d<t |j }t |j dd}d d | D}|jrT||ji|_d } |jrc|t|d |_|rkt|d } | t|} |} | d | d| d| | df} t| |_ dS)N content-type0application/x-www-form-urlencoded; charset=utf-8rrzX-Amz-AlgorithmzX-Amz-Credentialrz X-Amz-ExpireszX-Amz-SignedHeadersrTkeep_blank_valuescSi|] \}}||dqSrr(rkrr(r(r) zES3ExpressQueryAuth._modify_request_before_signing..rOrSrr~r#rrrrrrHrvrr%rrrrfrar-r5rr) r:r4 content_typeZblocklisted_content_typer auth_paramsr&query_string_parts query_dictoperation_paramsnew_query_stringp new_url_partsr(r(r)ro>       z1S3ExpressQueryAuth._modify_request_before_signingcC|jd|7_dSNz&X-Amz-Signature=r%r:r4rwr(r(r)rz/S3ExpressQueryAuth._inject_signature_to_requestcCrrBr(rr(r(r)rrz&S3ExpressQueryAuth._normalize_url_pathcCtSrBrr9r(r(r)rzS3ExpressQueryAuth.payload) r;r<r=DEFAULT_EXPIRESrrDrrrrrr(r(rr)rZs Arcs4eZdZdZeffdd ZddZddZZS)SigV4QueryAuthcrrBr)r:rHrrrrr(r)rDrzSigV4QueryAuth.__init__c Cr )Nr r rrr r}Tr cSrrr(rr(r(r)rrzASigV4QueryAuth._modify_request_before_signing..rOrSrrrrr) r:r4rZblacklisted_content_typerrr&rrrrrr r(r(r)rr!z-SigV4QueryAuth._modify_request_before_signingcCr"r#r$r%r(r(r)r r&z+SigV4QueryAuth._inject_signature_to_request)r;r<r=r*rDrrrr(r(rr)r+s Ar+c@s eZdZdZddZddZdS)S3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCrrBr(rr(r(r)rrz$S3SigV4QueryAuth._normalize_url_pathcCr'rBr(r9r(r(r)r#r)zS3SigV4QueryAuth.payloadN)r;r<r=rxrrr(r(r(r)r-s r-c@r)S3SigV4PostAuthz Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCr) Nrrrrrrrrx-amz-security-tokenr,rrrrr(r(r)r73s:     zS3SigV4PostAuth.add_authNr;r<r=rxr7r(r(r(r)r.+ r.c@sxeZdZgdZdddZddZddZd d Zd d Zdd dZ dddZ dddZ ddZ ddZ ddZdS) HmacV1Auth)$Z accelerateZaclZcorsZdefaultObjectAcllocationloggingZ partNumberrrequestPaymentZtorrentZ versioningZ versionIdversionsZwebsiteZuploadsZuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingdeleteZ lifecycleZtaggingrestoreZ storageClassZ notificationZ replicationr5Z analyticsZmetricsZ inventoryselectz select-typez object-lockNcCrArBrGrr(r(r)rDrEzHmacV1Auth.__init__cCs>tj|jjdtd}||dt| dS)Nr,rL) rZr[rHr\r]rrar rdrer2)r:rhrr(r(r) sign_strings zHmacV1Auth.sign_stringcCsgd}g}d|vr |d=||d<|D])}d}|D]}|}||dur6||kr6|||d}q|s>|dqd|S)N) content-md5r daterzFTrOrK) _get_daterr_rer`)r:r~Zinteresting_headershoiZihfoundrjlkr(r(r)canonical_standard_headerss"   z%HmacV1Auth.canonical_standard_headerscCsg}i}|D] }|}||dur&|dr&ddd||D||<qt|}|D]}||d||q/d|S)Nx-amz-rcss|]}|VqdSrB)rerr(r(r)rs z6HmacV1Auth.canonical_custom_headers..r rK)rrr`rr^keysr_)r:r~r>custom_headersrjr@Zsorted_header_keysr(r(r)canonical_custom_headerss      z#HmacV1Auth.canonical_custom_headerscCs$t|dkr|S|dt|dfS)z( TODO: Do we need this? rr)rWr)r:nvr(r(r) unquote_vs zHmacV1Auth.unquote_vcs|dur|}n|j}|jrC|jd}dd|D}fdd|D}t|dkrC|jtdddd|D}|d7}|d|7}|S) NrScSsg|]}|ddqS)rRrrgrar(r(r) sz1HmacV1Auth.canonical_resource..cs$g|]}|djvr|qSr) QSAOfInterestrGrIrr(r)rKsr)rjcSsg|]}d|qS)rR)r`rIr(r(r)rKs?)rVrrgrWsortrr`)r:rg auth_pathbufZqsar(rr)canonical_resources    zHmacV1Auth.canonical_resourcecCsN|d}|||d7}||}|r||d7}||j||d7}|S)NrKrO)rrArErQ)r:rXrgr~rrOcsrDr(r(r)canonical_strings   zHmacV1Auth.canonical_stringcCsB|jjr |d=|jj|d<|j||||d}td|||S)Nr/rRr)rHrvrTrTrUr:)r:rXrgr~rrOrhr(r(r) get_signatures   zHmacV1Auth.get_signaturecCsX|jdurttdt|j}td|j|j|j||j|j d}| ||dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %srR) rHrrTrUrr%rXrUr~rO_inject_signature)r:r4rgrwr(r(r)r7s   zHmacV1Auth.add_authcCs tddS)NTr{rrr(r(r)r=rEzHmacV1Auth._get_datecCs4d|jvr |jd=d|jjd|}||jd<dS)NrzAWS r )r~rHrq)r:r4rw auth_headerr(r(r)rVs zHmacV1Auth._inject_signature)NNrB)r;r<r=rLrDr:rArErGrQrTrUr7r=rVr(r(r(r)r2[s '     r2c@s0eZdZdZdZefddZddZddZd S) HmacV1QueryAuthz Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth r,cCs||_||_dSrB)rHr)r:rHrr(r(r)rDs zHmacV1QueryAuth.__init__cCstttt|jSrB)r3rrrrrr(r(r)r=szHmacV1QueryAuth._get_datec Csi}|jj|d<||d<|jD]"}|}|dkr!|jd|d<q|ds*|dvr1|j|||<qt|}t|j}|drH|dd|}|d |d |d ||d f}t||_dS) NrnrNrzZExpiresrB)r;r rSrrrr) rHrqr~rrrrr%r) r:r4rwrZ header_keyr@rrr r(r(r)rVs    z!HmacV1QueryAuth._inject_signatureN)r;r<r=rxr*rDr=rVr(r(r(r)rXs   rXc@r)HmacV1PostAuthz Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsi}|jdddur|jd}i}g}|jdddur.|jd}|dddur.|d}||d<|jj|d<|jjdurM|jj|d<|d|jjitt | d d|d<| |d|d<||jd<||jd<dS) Nrrrrnr/r,rrw) rr#rHrqrvr_rbrcr0rr]r2r:)r:r4rrrr(r(r)r7Bs,      zHmacV1PostAuth.add_authNr0r(r(r(r)rZ9s rZc@r) BearerAuthz Performs bearer token authorization by placing the bearer token in the Authorization header as specified by Section 2.1 of RFC 6750. https://datatracker.ietf.org/doc/html/rfc6750#section-2.1 cCs>|jdurtd|jj}d|jvr|jd=||jd<dS)NzBearer r)rCrrvr~)r:r4rWr(r(r)r7is  zBearerAuth.add_authNr0r(r(r(r)r[ar1r[cCsR|D]!}|dkrt|S|tvrt|}|tvr|Sqt|dt|d)Nsmithy.api#noAuthsignature_version)AUTH_TYPE_TO_SIGNATURE_VERSIONAUTH_TYPE_MAPSrr)Z auth_traitZ auth_typer^r(r(r)resolve_auth_typess   racsdd|Ddd|D}|rtd||}fddt|D}|D]}|dkr4t|St|}|tvrA|Sq(tdt d) NcSsg|] }|ddqS#rHrr$r(r(r)rKrz2resolve_auth_scheme_preference..cSsg|]}|tvr|qSr()AUTH_PREF_TO_SIGNATURE_VERSIONrer(r(r)rK z/Unsupported auth schemes in preference list: %rcsg|]}|vr|qSr(r(reZservice_supportedr(r)rKrgZnoAuthrr]) rTrUrfromkeysrfr#r`rr`r^)Zpreference_listZ auth_options unsupportedcombinedZprioritized_schemesr$ sig_versionr(rhr)resolve_auth_scheme_preferences,    rm) v2Zv3Zv3httpsrzs3-queryzs3-presign-postzs3v4-presign-postz v4-s3expresszv4-s3express-queryzv4-s3express-presign-postbearer)CRT_AUTH_TYPE_MAPS)v4zv4-queryZs3v4z s3v4-queryrqZv4aronone)zaws.auth#sigv4zaws.auth#sigv4azsmithy.api#httpBearerAuthr\cCs i|] \}}|dd|qSrbrH)rZ auth_schemerlr(r(r)rsr)KrbrrrrZr0r4rrcollections.abcr email.utilsrhashlibrroperatorrZbotocore.compatrr r r r r rrrrrZbotocore.exceptionsrrrrZbotocore.utilsrrr getLoggerr;rTrrrtrrrrr*r5r6r@rFryrrrrrr+r-r.r2rXrZr[rarmr`Zbotocore.crt.authrprar_rrfr(r(r(r)s    4    =6-hQ0*5( !