o NDiņ@s ddlZddlZddlZddlZddlZddlZddlmZmZddl m Z ddl m Z m Z mZmZddlmZddlmZmZmZGdddZGd d d Zd d Zd dZd%ddZ d&ddZ d&ddZ d&ddZGdddZddZ d'ddZ dd Z! d(d!d"Z"d#d$Z#dS))N)create_request_objectprepare_request_dict) OrderedDict)ParamValidationErrorUnknownClientMethodErrorUnknownSignatureVersionError UnsupportedSignatureVersionError)FrozenAuthToken) ArnParserdatetime2timestamp fix_s3_hostc@seZdZdZ dddZeddZeddZed d Zdd d Z   dddZ ddZ ddZ  dddZ e Z   dddZdS) RequestSignera0 An object to sign requests before they go out over the wire using one of the authentication mechanisms defined in ``auth.py``. This class fires two events scoped to a service and operation name: * choose-signer: Allows overriding the auth signer name. * before-sign: Allows mutating the request before signing. Together these events allow for customization of the request signing pipeline, including overrides, request path manipulation, and disabling signing per operation. :type service_id: botocore.model.ServiceId :param service_id: The service id for the service, e.g. ``S3`` :type region_name: string :param region_name: Name of the service region, e.g. ``us-east-1`` :type signing_name: string :param signing_name: Service signing name. This is usually the same as the service name, but can differ. E.g. ``emr`` vs. ``elasticmapreduce``. :type signature_version: string :param signature_version: Signature name like ``v4``. :type credentials: :py:class:`~botocore.credentials.Credentials` :param credentials: User credentials with which to sign requests. :type event_emitter: :py:class:`~botocore.hooks.BaseEventHooks` :param event_emitter: Extension mechanism to fire events. NcCs4||_||_||_||_||_||_t||_dSN) _region_name _signing_name_signature_version _credentials _auth_token _service_idweakrefproxy_event_emitter)self service_id region_name signing_namesignature_version credentials event_emitter auth_tokenr I/var/www/Datamplify/venv/lib/python3.10/site-packages/botocore/signers.py__init__Gs zRequestSigner.__init__cC|jSr)rrr r r!r[zRequestSigner.region_namecCr#r)rr$r r r!r_r%zRequestSigner.signature_versioncCr#r)rr$r r r!rcr%zRequestSigner.signing_namecKs |||Sr)sign)roperation_namerequestkwargsr r r!handlergs zRequestSigner.handlerstandardc CsR|}|dur |j}|dur|j}||||j}|jjd|jd||||j|||d|tj kr|||d} |durB|| d<|j di} |sV| drV| d| d <| d ra| d | d <| d rl| d | d <| d dur~| | | d | d z |j di| } Wnt y} z |dkrt|d| d} ~ ww| |dSdS)a<Sign a request before it goes out over the wire. :type operation_name: string :param operation_name: The name of the current operation, e.g. ``ListBuckets``. :type request: AWSRequest :param request: The request object to be sent over the wire. :type region_name: str :param region_name: The region to sign the request for. :type signing_type: str :param signing_type: The type of signing to perform. This can be one of three possible values: * 'standard' - This should be used for most requests. * 'presign-url' - This should be used when pre-signing a request. * 'presign-post' - This should be used when pre-signing an S3 post. :type expires_in: int :param expires_in: The number of seconds the presigned url is valid for. This parameter is only valid for signing type 'presign-url'. :type signing_name: str :param signing_name: The name to use for the service when signing. Nz before-sign..)r(rrrrequest_signerr')rrrexpiressigningregionrrrequest_credentialsidentity_cache cache_keyr+rr )rr_choose_signercontextremitr hyphenizebotocoreUNSIGNEDget_resolve_identity_cacheget_auth_instancerradd_auth) rr'r(r signing_type expires_inrexplicit_region_namerr)signing_contextauther r r!r&nsf#     zRequestSigner.signcCs||d<||d<dS)Nr2r3r )rr)cacher3r r r!r<s z%RequestSigner._resolve_identity_cachec Csddd}||d}|dp|j}|di}|d|j}|d|j} |tjur5||s5||7}|jjd |j d ||| ||d \} } | d ur_| }|tjur_||s_||7}|S) ai Allow setting the signature version via the choose-signer event. A value of `botocore.UNSIGNED` means no signing will be performed. :param operation_name: The operation to sign. :param signing_type: The type of signing that the signer is to be used for. :return: The signature version to sign with. z -presign-postz-query) presign-post presign-url auth_typer/rr0zchoose-signer.r,)rrrr6N) r;rrrr9r:endswithremit_until_responserr8) rr'r?r6signing_type_suffix_mapsuffixrr/rrr*responser r r!r5s4      zRequestSigner._choose_signerc Ks|dur|j}tjj|}|durt|d|jdur4|jr+t|jt s+|j }n|j}||}|S|p8|j } t |dddurQ|d} |d} | | } |d=d} | dur[| } | |d<|jrt|jdurltj||d<||d <|d i|}|S) a Get an auth instance which can be used to sign a request using the given signature version. :type signing_name: string :param signing_name: Service signing name. This is usually the same as the service name, but can differ. E.g. ``emr`` vs. ``elasticmapreduce``. :type region_name: string :param region_name: Name of the service region, e.g. ``us-east-1`` :type signature_version: string :param signature_version: Signature name like ``v4``. :rtype: :py:class:`~botocore.auth.BaseSigner` :return: Auth instance to sign a request. Nr4TREQUIRES_IDENTITY_CACHEr2r3rr service_namer )rr9rCAUTH_TYPE_MAPSr;rREQUIRES_TOKENr isinstancer get_frozen_tokenrgetattrget_credentialsget_frozen_credentialsREQUIRES_REGIONr exceptions NoRegionError) rrrrr1r)cls frozen_tokenrCrrEkeyfrozen_credentialsr r r!r=s@      zRequestSigner.get_auth_instancecCs*t|}||||d||||jS)aGenerates a presigned url :type request_dict: dict :param request_dict: The prepared request dictionary returned by ``botocore.awsrequest.prepare_request_dict()`` :type operation_name: str :param operation_name: The operation being signed. :type expires_in: int :param expires_in: The number of seconds the presigned url is valid for. By default it expires in an hour (3600 seconds) :type region_name: string :param region_name: The region name to sign the presigned url. :type signing_name: str :param signing_name: The name to use for the service when signing. :returns: The presigned url rG)rr&prepareurl)r request_dictr'r@rrr(r r r!generate_presigned_urlEs z$RequestSigner.generate_presigned_urlrNN)Nr+NN)r_NN)__name__ __module__ __qualname____doc__r"propertyrrrr*r&r<r5r=get_authrcr r r r!r $s4*       \4 Er c@s>eZdZdZddZd ddZddZ d d d Zd d ZdS)CloudFrontSigneraA signer to create a signed CloudFront URL. First you create a cloudfront signer based on a normalized RSA signer:: import rsa def rsa_signer(message): private_key = open('private_key.pem', 'r').read() return rsa.sign( message, rsa.PrivateKey.load_pkcs1(private_key.encode('utf8')), 'SHA-1') # CloudFront requires SHA-1 hash cf_signer = CloudFrontSigner(key_id, rsa_signer) To sign with a canned policy:: signed_url = cf_signer.generate_signed_url( url, date_less_than=datetime(2015, 12, 1)) To sign with a custom policy:: signed_url = cf_signer.generate_signed_url(url, policy=my_policy) cCs||_||_dS)aCreate a CloudFrontSigner. :type key_id: str :param key_id: The CloudFront Key Pair ID :type rsa_signer: callable :param rsa_signer: An RSA signer. Its only input parameter will be the message to be signed, and its output will be the signed content as a binary string. The hash algorithm needed by CloudFront is SHA-1. N)key_id rsa_signer)rrlrmr r r!r"s zCloudFrontSigner.__init__Nc Cs|duo|du}|duo|du}|s|rd}t||dur$|||}t|tr.|d}|dur=dtt|g}n d||dg}| |}| d||dd|j g| ||S)aCreates a signed CloudFront URL based on given parameters. :type url: str :param url: The URL of the protected object :type date_less_than: datetime :param date_less_than: The URL will expire after that date and time :type policy: str :param policy: The custom policy, possibly built by self.build_policy() :rtype: str :return: The signed URL. Nz=Need to provide either date_less_than or policy, but not bothutf8zExpires=zPolicy=z Signature=z Key-Pair-Id=) ValueError build_policyrSstrencodeintr _url_b64encodedecodermextendrl _build_url) rradate_less_thanpolicyboth_args_suppliedneither_arg_suppliedrDparams signaturer r r!rcs&      z'CloudFrontSigner.generate_presigned_urlcCs"d|vrdnd}||d|S)N?&)join)rbase_url extra_params separatorr r r!rwszCloudFrontSigner._build_urlc Cstt|}tdd|ii}|rd|vr|d7}d|i|d<|r,tt|}d|i|d<d|fd |fg}d t|gi}tj|d d S) a0A helper to build policy. :type resource: str :param resource: The URL or the stream filename of the protected object :type date_less_than: datetime :param date_less_than: The URL will expire after the time has passed :type date_greater_than: datetime :param date_greater_than: The URL will not be valid until this time :type ip_address: str :param ip_address: Use 'x.x.x.x' for an IP, or 'x.x.x.x/x' for a subnet :rtype: str :return: The policy in a compact string. DateLessThanz AWS:EpochTime/z/32z AWS:SourceIp IpAddressDateGreaterThanResource Condition Statement),:) separators)rsr rjsondumps) rresourcerxdate_greater_than ip_addressmoment conditionordered_payload custom_policyr r r!rps    zCloudFrontSigner.build_policycCs"t|ddddddS)N+-=_/~)base64 b64encodereplace)rdatar r r!rts zCloudFrontSigner._url_b64encoderd) rerfrgrhr"rcrwrprtr r r r!rkps & *rkcK t|d<dS)Ngenerate_db_auth_token)rclass_attributesr)r r r!add_generate_db_auth_token rcKst|d<t|d<dS)Ngenerate_db_connect_auth_token$generate_db_connect_admin_auth_token)#dsql_generate_db_connect_auth_token)dsql_generate_db_connect_admin_auth_tokenrr r r!'add_dsql_generate_db_auth_token_methodss rc Cst|}|dur |jj}d|d}ddi|dd}d}||d |} t|| |jjd||d d d } | t|dS) aGenerates an auth token used to connect to a db with IAM credentials. :type DBHostname: str :param DBHostname: The hostname of the database to connect to. :type Port: int :param Port: The port number the database is listening on. :type DBUsername: str :param DBUsername: The username to log in as. :type Region: str :param Region: The region the database is in. If None, the client region will be used. :return: A presigned url which can be used as an auth token. Nconnect)ActionDBUserrrHGETurl_path query_stringheadersbodymethodhttps://rzrds-dbr'rbrr@r)metarr_request_signerrclen) r DBHostnamePort DBUsernameRegionr0r|rbscheme endpoint_url presigned_urlr r r!rs. rrc Csd}||vrtd|dd|d|dur|jj}ddid |id d }d }||}t|||jj||||d d} | t|dS)a&Generate a DSQL database token for an arbitrary action. :type Hostname: str :param Hostname: The DSQL endpoint host name. :type Action: str :param Action: Action to perform on the cluster (DbConnectAdmin or DbConnect). :type Region: str :param Region: The AWS region where the DSQL Cluster is hosted. If None, the client region will be used. :type ExpiresIn: int :param ExpiresIn: The token expiry duration in seconds (default is 900 seconds). :return: A presigned url which can be used as an auth token. ) DbConnectDbConnectAdminz Received z! for action but expected one of: z, )reportNrrHrrrrdsqlr)rrrrrrrcr) rHostnamerr ExpiresInpossible_actionsrbrrrr r r!_dsql_generate_db_auth_token9s2  rcCt||d||S)aGenerate a DSQL database token for the "DbConnect" action. :type Hostname: str :param Hostname: The DSQL endpoint host name. :type Region: str :param Region: The AWS region where the DSQL Cluster is hosted. If None, the client region will be used. :type ExpiresIn: int :param ExpiresIn: The token expiry duration in seconds (default is 900 seconds). :return: A presigned url which can be used as an auth token. rrrrrrr r r!rl rcCr)aGenerate a DSQL database token for the "DbConnectAdmin" action. :type Hostname: str :param Hostname: The DSQL endpoint host name. :type Region: str :param Region: The AWS region where the DSQL Cluster is hosted. If None, the client region will be used. :type ExpiresIn: int :param ExpiresIn: The token expiry duration in seconds (default is 900 seconds). :return: A presigned url which can be used as an auth token. rrrr r r!rrrc@s&eZdZddZ    dddZdS)S3PostPresignercCs ||_dSr)r)rr-r r r!r"s zS3PostPresigner.__init__Nr_c Cs|duri}|dur g}i}tj}|tj|d}|tjj|d<g|d<|D] } |d| q*t|} || j d<|| j d<|j d| |d| j |d S) aGenerates the url and the form fields used for a presigned s3 post :type request_dict: dict :param request_dict: The prepared request dictionary returned by ``botocore.awsrequest.prepare_request_dict()`` :type fields: dict :param fields: A dictionary of prefilled form fields to build on top of. :type conditions: list :param conditions: A list of conditions to include in the policy. Each element can be either a list or a structure. For example: .. code:: python [ {"acl": "public-read"}, {"bucket": "amzn-s3-demo-bucket"}, ["starts-with", "$key", "mykey"] ] :type expires_in: int :param expires_in: The number of seconds the presigned post is valid for. :type region_name: string :param region_name: The region name to sign the presigned post to. :rtype: dict :returns: A dictionary with two elements: ``url`` and ``fields``. Url is the url to post to. Fields is a dictionary filled with the form fields and respective values to use when submitting the post. For example: .. code:: python { 'url': 'https://amzn-s3-demo-bucket.s3.amazonaws.com', 'fields': { 'acl': 'public-read', 'key': 'mykey', 'signature': 'mysignature', 'policy': 'mybase64 encoded policy' } } N)seconds expiration conditionszs3-presign-post-fieldszs3-presign-post-policy PutObjectrF)rafields) datetimeutcnow timedeltastrftimer9rCISO8601appendrr6rr&ra) rrbrrr@rry datetime_now expire_daterr(r r r!generate_presigned_posts$7    z'S3PostPresigner.generate_presigned_post)NNr_N)rerfrgr"rr r r r!rsrcKr)Nrc)rcrr r r!add_generate_presigned_urlrrr_cCs|}|}|dur i}|}|}dt|d} |j} z|j|} Wn ty+t|dw|jj| } |j|| | d}t | dd} |j | || | d\}}}|j || || |d d }|durd||d <| j||| d S) axGenerate a presigned url given a client, its method, and arguments :type ClientMethod: string :param ClientMethod: The client method to presign for :type Params: dict :param Params: The parameters normally passed to ``ClientMethod``. :type ExpiresIn: int :param ExpiresIn: The number of seconds the presigned url is valid for. By default it expires in an hour (3600 seconds) :type HttpMethod: string :param HttpMethod: The http method to use on the generated url. By default, the http method is whatever is used in the method's model. :returns: The presigned url NTis_presign_requestuse_global_endpoint) method_name api_paramsoperation_modelr6BucketrHignore_signing_regionFrrrr6rset_user_agent_headerr)rbr@r')_should_use_global_endpointr_PY_TO_OP_NAMEKeyErrorrr service_modelr_emit_api_paramsr is_arnr;_resolve_endpoint_ruleset_convert_to_request_dictrc)r ClientMethodParamsr HttpMethod client_methodr|r@ http_methodr6r-r'r bucket_is_arnradditional_headers propertiesrbr r r!rcs^   rccKr)Nr)rrr r r!add_generate_presigned_postCrrcCs|}|}|}|} |} |duri}n|}| durg} dt|d} t|j} |jjd} |jd|i| | d}t | dd}|j | || | d\}}}|j || || |d d }| d |i|d ru| d d|dtd  gn| d|i||d<| j||| | dS)aw Builds the url and the form fields used for a presigned s3 post :type Bucket: string :param Bucket: The name of the bucket to presign the post to. Note that bucket related conditions should not be included in the ``conditions`` parameter. :type Key: string :param Key: Key name, optionally add ${filename} to the end to attach the submitted filename. Note that key related conditions and fields are filled out for you and should not be included in the ``Fields`` or ``Conditions`` parameter. :type Fields: dict :param Fields: A dictionary of prefilled form fields to build on top of. Elements that may be included are acl, Cache-Control, Content-Type, Content-Disposition, Content-Encoding, Expires, success_action_redirect, redirect, success_action_status, and x-amz-meta-. Note that if a particular element is included in the fields dictionary it will not be automatically added to the conditions list. You must specify a condition for the element as well. :type Conditions: list :param Conditions: A list of conditions to include in the policy. Each element can be either a list or a structure. For example: .. code:: python [ {"acl": "public-read"}, ["content-length-range", 2, 5], ["starts-with", "$success_action_redirect", ""] ] Conditions that are included may pertain to acl, content-length-range, Cache-Control, Content-Type, Content-Disposition, Content-Encoding, Expires, success_action_redirect, redirect, success_action_status, and/or x-amz-meta-. Note that if you include a condition, you must specify a valid value in the fields dictionary as well. A value will not be added automatically to the fields dictionary based on the conditions. :type ExpiresIn: int :param ExpiresIn: The number of seconds the presigned post is valid for. :rtype: dict :returns: A dictionary with two elements: ``url`` and ``fields``. Url is the url to post to. Fields is a dictionary filled with the form fields and respective values to use when submitting the post. For example: .. code:: python { 'url': 'https://amzn-s3-demo-bucket.s3.amazonaws.com', 'fields': { 'acl': 'public-read', 'key': 'mykey', 'signature': 'mysignature', 'policy': 'mybase64 encoded policy' } } NTr CreateBucketrrrHrFrbucketz ${filename}z starts-withz$keyr])rbrrr@)copyrrrrrrrr rr;rrrrJrr)rrKeyFields Conditionsrrr]rrr@r6post_presignerrr|rrrrrbr r r!rGsdH   rcCsd|jjdkrdS|jjj}|r0|ddrdS|ddkr'|jjjdkr'dS|ddkr0dSd S) NawsFuse_dualstack_endpointus_east_1_regional_endpointregionalz us-east-1addressing_stylevirtualT)r partitionconfigs3r;r)client s3_configr r r!rs   rr)Nr)Nr_N)NNr_)$rrrrr9 botocore.authbotocore.awsrequestrrbotocore.compatrbotocore.exceptionsrrrrbotocore.tokensr botocore.utilsr r r r rkrrrrrrrrrcrrrr r r r!sD   N 7 4  Z O