o NDi @sddlZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z mZddlmZddlmZmZmZmZmZmZmZmZmZmZddlmZmZmZm Z ddl!m"Z"m#Z#m$Z$e%e&Z'd Z(d Z)d Z*d Z+gd Z,dZ-dZ.ddZ/ddZ0GdddZ1Gddde1Z2Gddde1Z3Gddde1Z4Gddde1Z5Gddde5Z6Gd d!d!e6Z7Gd"d#d#e7Z8Gd$d%d%e7Z9Gd&d'd'e5Z:Gd(d)d)e:Z;Gd*d+d+e5ZGd0d1d1e=Z?Gd2d3d3e2Z@d4d5ZAd6d7ZBe3e4e4e=e>e?ed?ZGd@dAeGHDZIdS)BN)Mapping formatdate)sha1sha256) itemgetter) HAS_CRT MD5_AVAILABLE HTTPHeaders encodebytesensure_unicodeparse_qsquoteunquoteurlsplit urlunsplit)NoAuthTokenErrorNoCredentialsErrorUnknownSignatureVersionError UnsupportedSignatureVersionError)is_valid_ipv6_endpoint_urlnormalize_url_pathpercent_encode_sequence@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855iz%Y-%m-%dT%H:%M:%SZz%Y%m%dT%H%M%SZ)expectztransfer-encodingz user-agentzx-amzn-trace-idzUNSIGNED-PAYLOADz"STREAMING-UNSIGNED-PAYLOAD-TRAILERcCs\t|}|j}t|rd|d}ddd}|jdur,|j||jkr,|d|j}|S)N[]Pi)httphttps:)rhostnamerportgetscheme)url url_partshost default_portsr)F/var/www/Datamplify/venv/lib/python3.10/site-packages/botocore/auth.py_host_from_urlIs  r+cCs<|j}t|trt|d}|St|trt|}|SNutf-8)data isinstancebytesjsonloadsdecodestr)requestr.r)r)r*_get_body_as_dict\s  r6c@seZdZdZdZddZdS) BaseSignerFcCstd)Nadd_auth)NotImplementedErrorselfr5r)r)r*r8mszBaseSigner.add_authN)__name__ __module__ __qualname__REQUIRES_REGIONREQUIRES_TOKENr8r)r)r)r*r7is r7c@seZdZdZ ddZdS) TokenSignerTcC ||_dSN) auth_token)r;rDr)r)r*__init__w zTokenSigner.__init__N)r<r=r>r@rEr)r)r)r*rAqs rAc@s(eZdZdZddZddZddZdS) SigV2Authz+ Sign a request with Signature V2. cCrBrC credentialsr;rIr)r)r*rErFzSigV2Auth.__init__cCs tdt|j}|j}t|dkrd}|jd|jd|d}tj |j j dt d}g}t|D])}|dkr;q4t||} t| ddd } t| dd d } || d | q4d |} || 7}td ||| dt|d} | | fS)Nz$Calculating signature using v2 auth.r/ r- digestmod Signaturesafez-_~=&zString to sign: %s)loggerdebugrr%pathlenmethodnetlochmacnewrI secret_keyencodersortedr4rappendjoinupdatebase64 b64encodedigeststripr3)r;r5paramssplitrWstring_to_signlhmacpairskeyvalue quoted_key quoted_valueqsb64r)r)r*calc_signatures.       zSigV2Auth.calc_signaturecCs|jdurt|jr|j}n|j}|jj|d<d|d<d|d<ttt|d<|jj r4|jj |d<| ||\}}||d<|S) NAWSAccessKeyId2SignatureVersion HmacSHA256SignatureMethod Timestamp SecurityTokenrO) rIrr.rg access_keytimestrftimeISO8601gmtimetokenrr)r;r5rgrp signaturer)r)r*r8s   zSigV2Auth.add_authN)r<r=r>__doc__rErrr8r)r)r)r*rG{s  rGc@seZdZddZddZdS) SigV3AuthcCrBrCrHrJr)r)r*rErFzSigV3Auth.__init__cCs|jdurtd|jvr|jd=tdd|jd<|jjr-d|jvr&|jd=|jj|jd<tj|jjdt d}| |jddt |  }d|jjd|d}d |jvrb|jd =||jd <dS) NDateTusegmtX-Amz-Security-Tokenr-rMzAWS3-HTTPS AWSAccessKeyId=z ,Algorithm=HmacSHA256,Signature=zX-Amzn-Authorization)rIrheadersrrr[r\r]r^rrbr rerfrzr3)r;r5new_hmacencoded_signaturerr)r)r*r8s*     zSigV3Auth.add_authN)r<r=r>rEr8r)r)r)r*rs rc@seZdZdZdZddZd1ddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ ddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0S)2 SigV4Authz+ Sign a request with Signature V4. TcCs||_||_||_dSrC)rI _region_name _service_namer;rI service_name region_namer)r)r*rEs zSigV4Auth.__init__FcCs<|rt||dt}|St||dt}|Sr,)r[r\r^r hexdigestre)r;rlmsghexsigr)r)r*_signs zSigV4Auth._signcCsLt}|jD]\}}|}|tvr|||<qd|vr$t|j|d<|S)zk Select the headers from the request that need to be included in the StringToSign. r')r ritemslowerSIGNED_HEADERS_BLACKLISTr+r%)r;r5 header_mapnamermlnamer)r)r*headers_to_signszSigV4Auth.headers_to_signcCs"|jr ||jS|t|jSrC)rg_canonical_query_string_params_canonical_query_string_urlrr%r:r)r)r*canonical_query_strings z SigV4Auth.canonical_query_stringcCs~g}t|tr |}|D]\}}|t|ddtt|ddfq g}t|D]\}}||d|q)d|}|S)Nz-_.~rQrSrT)r/rrr`rr4r_ra)r;rg key_val_pairsrlrmsorted_key_valsrr)r)r*rs   z(SigV4Auth._canonical_query_string_paramsc Csvd}|jr9g}|jdD]}|d\}}}|||fq g}t|D]\}}||d|q%d|}|S)NrPrTrS)queryrh partitionr`r_ra) r;partsrrpairrl_rmrr)r)r*rs z%SigV4Auth._canonical_query_string_urlcsZg}tt|}|D]}dfdd||D}||dt|q d|S)a  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. ,c3s|]}|VqdSrC) _header_value.0vr;r)r* /s  z.SigV4Auth.canonical_headers..r rL)r_setraget_allr`r )r;rrsorted_header_namesrlrmr)rr*canonical_headers%s  zSigV4Auth.canonical_headerscCsd|S)N )rarh)r;rmr)r)r*r5szSigV4Auth._header_valuecCs tddt|D}d|S)Ncss|] }|VqdSrC)rrf)rnr)r)r*r>sz+SigV4Auth.signed_headers..;)r_rra)r;rrr)r)r*signed_headers=s zSigV4Auth.signed_headerscCs0|jdi}|d}t|to|ddkS)Nchecksumrequest_algorithmintrailer)contextr#r/dict)r;r5checksum_context algorithmr)r)r*_is_streaming_checksum_payloadAs z(SigV4Auth._is_streaming_checksum_payloadcCs||rtS||stS|j}|r>t|dr>|}t|j t }t }t |dD]}| |q+|}|||S|rFt |StS)Nseek)r"STREAMING_UNSIGNED_PAYLOAD_TRAILER_should_sha256_sign_payloadUNSIGNED_PAYLOADbodyhasattrtell functoolspartialreadPAYLOAD_BUFFERriterrbrrEMPTY_SHA256_HASH)r;r5 request_bodypositionread_chunksizerchunk hex_checksumr)r)r*payloadFs&     zSigV4Auth.payloadcCs|jdsdS|jddS)NrTpayload_signing_enabled)r% startswithrr#r:r)r)r*r`s z%SigV4Auth._should_sha256_sign_payloadcCs|jg}|t|jj}|||||||}|| |d|| |d|j vr>|j d}n| |}||d |S)NrLX-Amz-Content-SHA256)rYupper_normalize_url_pathrr%rWr`rrrrrrra)r;r5crrWr body_checksumr)r)r*canonical_requestjs        zSigV4Auth.canonical_requestcCstt|dd}|S)Nz/~rQ)rr)r;rWnormalized_pathr)r)r*ryszSigV4Auth._normalize_url_pathcCsN|jjg}||jddd||j||j|dd|SN timestampr aws4_requestrK)rIrzr`rrrrar;r5scoper)r)r*r}s     zSigV4Auth.scopecCsHg}||jddd||j||j|dd|Sr)r`rrrrarr)r)r*credential_scopes     zSigV4Auth.credential_scopecCsHdg}||jd||||t|dd|S)z Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. AWS4-HMAC-SHA256rr-rL)r`rrrr^rra)r;r5rstsr)r)r*ris  zSigV4Auth.string_to_signcCsd|jj}|d||jddd}|||j}|||j}||d}|j||ddS)NAWS4rrrrT)r)rIr]rr^rrr)r;rir5rlk_datek_region k_service k_signingr)r)r*rs zSigV4Auth.signaturecCs|jdurttj}|t|jd<||||}t dt d|| ||}t d|| ||}t d|| ||dS)Nrz$Calculating signature using v4 auth.zCanonicalRequest: %szStringToSign: %sz Signature: %s)rIrdatetimeutcnowr|SIGV4_TIMESTAMPr_modify_request_before_signingrrUrVrir_inject_signature_to_request)r;r5 datetime_nowrrirr)r)r*r8s          zSigV4Auth.add_authcCsVd||g}||}|d|||d|d||jd<|S)NzAWS4-HMAC-SHA256 Credential=zSignedHeaders=z Signature=, Authorization)rrr`rrar)r;r5rauth_strrr)r)r*rs z&SigV4Auth._inject_signature_to_requestcCsvd|jvr |jd=|||jjr"d|jvr|jd=|jj|jd<|jdds9d|jvr2|jd=t|jd<dSdS)NrrrTr)r_set_necessary_date_headersrIrrr#rr:r)r)r*rs    z(SigV4Auth._modify_request_before_signingcCsd|jvr.|jd=tj|jdt}ttt| |jd<d|jvr,|jd=dSdSd|jvr7|jd=|jd|jd<dS)Nrr X-Amz-Date) rrstrptimerrrintcalendartimegm timetuple)r;r5datetime_timestampr)r)r*rs     z%SigV4Auth._set_necessary_date_headersN)F)r<r=r>rr?rErrrrrrrrrrrrrrrrirr8rrrr)r)r)r*rs2      rcs0eZdZfddZfddZddZZS) S3SigV4Authcs2t|d|jvr|jd=|||jd<dS)Nr)superrrrr: __class__r)r*rs  z*S3SigV4Auth._modify_request_before_signingcs|jd}t|dd}|duri}|dd}|dur|Sd}|jdi}|d}t|tr<|ddkr<|d }|jd rG||jvrId S|jd d rRd St |S)N client_configs3rz Content-MD5rrrheaderrrThas_streaming_inputF) rr#getattrr/rr%rrrr)r;r5r s3_config sign_payloadchecksum_headerrrrr)r*rs&       z'S3SigV4Auth._should_sha256_sign_payloadcC|SrCr)r;rWr)r)r*rzS3SigV4Auth._normalize_url_path)r<r=r>rrr __classcell__r)r)rr*rs  )rcs8eZdZdZfddZfddZfddZZS) S3ExpressAuthTct|||||_dSrC)rrE_identity_cache)r;rIrridentity_cacherr)r*rE zS3ExpressAuth.__init__cst|dSrC)rr8r:rr)r*r8 szS3ExpressAuth.add_authcs>t|d|jvr|jj|jd<d|jvr|jd=dSdS)Nzx-amz-s3session-tokenr)rrrrIrr:rr)r*r#s    z,S3ExpressAuth._modify_request_before_signing)r<r=r>REQUIRES_IDENTITY_CACHErEr8rr r)r)rr*r s   r c@eZdZdZddZdS)S3ExpressPostAuthTcCNtj}|t|jd<i}|jdddur|jd}i}g}|jdddur;|jd}|dddur;|d}||d<d|d<|||d<|jd|d<|ddi|d||i|d|jdi|jj dur|jj |d <|d |jj it t |d d |d <||d ||d <||jd<||jd<dS) Nrs3-presign-post-fieldss3-presign-post-policy conditionsrx-amz-algorithmx-amz-credential x-amz-dateX-Amz-S3session-Tokenr-policyx-amz-signaturerrr|rrr#rr`rIrrcrdr1dumpsr^r3rr;r5rfieldsrrr)r)r*r8/s>       zS3ExpressPostAuth.add_authN)r<r=r>rr8r)r)r)r*r,s rcsJeZdZdZdZedfdd ZddZdd Zd d Zd d Z Z S)S3ExpressQueryAuthi,T)expirescstj||||d||_dS)N)r rrE_expires)r;rIrrr r!rr)r*rE]s  zS3ExpressQueryAuth.__init__c C|jd}d}||kr|jd=|||}d|||jd|j|d}|jjdur3|jj|d<t |j }t |j dd}d d | D}|jrT||ji|_d } |jrc|t|d |_|rkt|d } | t|} |} | d | d| d| | df} t| |_ dS)N content-type0application/x-www-form-urlencoded; charset=utf-8rrzX-Amz-AlgorithmzX-Amz-Credentialrz X-Amz-ExpireszX-Amz-SignedHeadersrTkeep_blank_valuescSi|] \}}||dqSrr)rkrr)r)r* zES3ExpressQueryAuth._modify_request_before_signing..rPrTrrr#rrrrr#rIrrr%r rrrgrbr.r6rr) r;r5 content_typeblocklisted_content_typer auth_paramsr&query_string_parts query_dictoperation_paramsnew_query_stringp new_url_partsr)r)r*rn>       z1S3ExpressQueryAuth._modify_request_before_signingcC|jd|7_dSNz&X-Amz-Signature=r%r;r5rr)r)r*rz/S3ExpressQueryAuth._inject_signature_to_requestcCrrCr)rr)r)r*rrz&S3ExpressQueryAuth._normalize_url_pathcCtSrCrr:r)r)r*rzS3ExpressQueryAuth.payload) r<r=r>DEFAULT_EXPIRESrrErrrrr r)r)rr*r Ys Ar cs4eZdZdZeffdd ZddZddZZS)SigV4QueryAuthcr rCr")r;rIrrr!rr)r*rErzSigV4QueryAuth.__init__c Cr$)Nr%r&rrr'rTr(cSr*r+r)r,r)r)r*r.r/zASigV4QueryAuth._modify_request_before_signing..rPrTrr0r1r2r3) r;r5r4blacklisted_content_typerr6r&r7r8r9r:r;r<r)r)r*rr=z-SigV4QueryAuth._modify_request_before_signingcCr>r?r@rAr)r)r*r rBz+SigV4QueryAuth._inject_signature_to_request)r<r=r>rFrErrr r)r)rr*rGs ArGc@s eZdZdZddZddZdS)S3SigV4QueryAuthaS3 SigV4 auth using query parameters. This signer will sign a request using query parameters and signature version 4, i.e a "presigned url" signer. Based off of: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html cCrrCr)rr)r)r*rrz$S3SigV4QueryAuth._normalize_url_pathcCrCrCrDr:r)r)r*r"rEzS3SigV4QueryAuth.payloadN)r<r=r>rrrr)r)r)r*rJs rJc@r)S3SigV4PostAuthz Presigns a s3 post Implementation doc here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html cCr) Nrrrrrrrrx-amz-security-tokenr-rrrrr)r)r*r82s:      zS3SigV4PostAuth.add_authNr<r=r>rr8r)r)r)r*rK* rKc@sxeZdZgdZdddZddZddZd d Zd d Zdd dZ dddZ dddZ ddZ ddZ ddZdS) HmacV1Auth)$ accelerateaclcorsdefaultObjectAcllocationlogging partNumberrrequestPaymenttorrent versioning versionIdversionswebsiteuploadsuploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encodingdelete lifecycletaggingrestore storageClass notification replicationrW analyticsmetrics inventoryselectz select-typez object-lockNcCrBrCrHrr)r)r*rErFzHmacV1Auth.__init__cCs>tj|jjdtd}||dt| dS)Nr-rM) r[r\rIr]r^rrbr rerfr3)r;rirr)r)r* sign_strings zHmacV1Auth.sign_stringcCsgd}g}d|vr |d=||d<|D])}d}|D]}|}||dur6||kr6|||d}q|s>|dqd|S)N) content-md5r%daterFTrPrL) _get_daterr`rfra)r;rinteresting_headershoiihfoundrllkr)r)r*canonical_standard_headerss"   z%HmacV1Auth.canonical_standard_headerscCsg}i}|D] }|}||dur&|dr&ddd||D||<qt|}|D]}||d||q/d|S)Nx-amz-rcss|]}|VqdSrC)rfrr)r)r*rs z6HmacV1Auth.canonical_custom_headers..r rL)rrrarr_keysr`)r;rrocustom_headersrlrrsorted_header_keysr)r)r*canonical_custom_headerss      z#HmacV1Auth.canonical_custom_headerscCs$t|dkr|S|dt|dfS)z( TODO: Do we need this? r0r)rXr)r;nvr)r)r* unquote_vs zHmacV1Auth.unquote_vcs|dur|}n|j}|jrC|jd}dd|D}fdd|D}t|dkrC|jtdddd|D}|d7}|d|7}|S) NrTcSsg|]}|ddqS)rSr0rhrar)r)r* sz1HmacV1Auth.canonical_resource..cs$g|]}|djvr|qSr+) QSAOfInterestrzr|rr)r*r~sr)rlcSsg|]}d|qS)rS)rar|r)r)r*r~s?)rWrrhrXsortrra)r;rh auth_pathbufqsar)rr*canonical_resources    zHmacV1Auth.canonical_resourcecCsN|d}|||d7}||}|r||d7}||j||d7}|S)NrLr)rrsrxr)r;rYrhrr!rcsrvr)r)r*canonical_strings   zHmacV1Auth.canonical_stringcCsF|jjr |d=|jj|d<|j||||d}td|||S)NrLrzStringToSign: )rIrrrUrVrj)r;rYrhrr!rrir)r)r* get_signatures  zHmacV1Auth.get_signaturecCs\|jdurttdt|j}td|j|j|j||j|j d}| ||dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: r) rIrrUrVrr%rYrrr_inject_signature)r;r5rhrr)r)r*r8s   zHmacV1Auth.add_authcCs tddS)NTrrrr)r)r*rmrFzHmacV1Auth._get_datecCs4d|jvr |jd=d|jjd|}||jd<dS)NrzAWS r )rrIrz)r;r5r auth_headerr)r)r*rs zHmacV1Auth._inject_signature)NNrC)r<r=r>rrErjrsrxrzrrrr8rmrr)r)r)r*rOZs '     rOc@s0eZdZdZdZefddZddZddZd S) HmacV1QueryAuthz Generates a presigned request for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html #RESTAuthenticationQueryStringAuth rHcCs||_||_dSrC)rIr#)r;rIr!r)r)r*rEs zHmacV1QueryAuth.__init__cCstttt|jSrC)r4rr{r#rr)r)r*rmszHmacV1QueryAuth._get_datec Csi}|jj|d<||d<|jD]"}|}|dkr!|jd|d<q|ds*|dvr1|j|||<qt|}t|j}|drH|dd|}|d |d |d ||d f}t||_dS) NrsrOrExpiresrt)rkr%rTrr0r1r2) rIrzrrrrrr%r) r;r5rr8 header_keyrrr:r;r<r)r)r*rs    z!HmacV1QueryAuth._inject_signatureN)r<r=r>rrFrErmrr)r)r)r*rs   rc@r)HmacV1PostAuthz Generates a presigned post for s3. Spec from this document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html cCsi}|jdddur|jd}i}g}|jdddur.|jd}|dddur.|d}||d<|jj|d<|jjdurM|jj|d<|d|jjitt | d d|d<| |d|d<||jd<||jd<dS) NrrrrsrLr-rr) rr#rIrzrr`rcrdr1rr^r3rj)r;r5rrrr)r)r*r8As,      zHmacV1PostAuth.add_authNrMr)r)r)r*r8s rc@r) BearerAuthz Performs bearer token authorization by placing the bearer token in the Authorization header as specified by Section 2.1 of RFC 6750. https://datatracker.ietf.org/doc/html/rfc6750#section-2.1 cCs>|jdurtd|jj}d|jvr|jd=||jd<dS)NzBearer r)rDrrr)r;r5rr)r)r*r8hs  zBearerAuth.add_authNrMr)r)r)r*r`rNrcCsR|D]!}|dkrt|S|tvrt|}|tvr|Sqt|dt|d)Nsmithy.api#noAuthsignature_version)AUTH_TYPE_TO_SIGNATURE_VERSIONAUTH_TYPE_MAPSrr) auth_trait auth_typerr)r)r*resolve_auth_typers   rcsdd|Ddd|D}|rtdd||}fddt|D}|D]}|dkr9t|St|}|tvrF|Sq-tdt d) NcSsg|] }|ddqS#r{rr$r)r)r*r~r/z2resolve_auth_scheme_preference..cSsg|]}|tvr|qSr))AUTH_PREF_TO_SIGNATURE_VERSIONrr)r)r*r~ z-Unsupported auth schemes in preference list: rcsg|]}|vr|qSr)r)rservice_supportedr)r*r~rnoAuthr) rUrVrarfromkeysrr#rrr_)preference_list auth_options unsupportedcombinedprioritized_schemesr$ sig_versionr)rr*resolve_auth_scheme_preferences,    r) v2v3v3httpsrzs3-queryzs3-presign-postzs3v4-presign-postz v4-s3expresszv4-s3express-queryzv4-s3express-presign-postbearer)CRT_AUTH_TYPE_MAPS)v4zv4-querys3v4z s3v4-queryrv4arnone)zaws.auth#sigv4zaws.auth#sigv4azsmithy.api#httpBearerAuthrcCs i|] \}}|dd|qSrr{)r auth_schemerr)r)r*r.sr.)Jrcrrrr[r1rUr{collections.abcr email.utilsrhashlibrroperatorrbotocore.compatrr r r r r rrrrbotocore.exceptionsrrrrbotocore.utilsrrr getLoggerr<rUrrr}rrrrr+r6r7rArGrrrr rr rGrJrKrOrrrrrrbotocore.crt.authrrbrrrr)r)r)r*s    0    =6-hQ0*5( !