/JfxddlZddlZddlZddlZddlZddlZddlmZmZddl m Z ddl m Z m Z mZddlmZmZddlmZGddZGd d Zd Zdd ZGd dZdZ ddZdZ ddZdZdS)N)create_request_objectprepare_request_dict) OrderedDict)UnknownClientMethodErrorUnknownSignatureVersionError UnsupportedSignatureVersionError) ArnParserdatetime2timestamp) fix_s3_hostceZdZdZ ddZedZedZedZddZ dd Z d Z d Z dd Z e Z ddZdS) RequestSignera0 An object to sign requests before they go out over the wire using one of the authentication mechanisms defined in ``auth.py``. This class fires two events scoped to a service and operation name: * choose-signer: Allows overriding the auth signer name. * before-sign: Allows mutating the request before signing. Together these events allow for customization of the request signing pipeline, including overrides, request path manipulation, and disabling signing per operation. :type service_id: botocore.model.ServiceId :param service_id: The service id for the service, e.g. ``S3`` :type region_name: string :param region_name: Name of the service region, e.g. ``us-east-1`` :type signing_name: string :param signing_name: Service signing name. This is usually the same as the service name, but can differ. E.g. ``emr`` vs. ``elasticmapreduce``. :type signature_version: string :param signature_version: Signature name like ``v4``. :type credentials: :py:class:`~botocore.credentials.Credentials` :param credentials: User credentials with which to sign requests. :type event_emitter: :py:class:`~botocore.hooks.BaseEventHooks` :param event_emitter: Extension mechanism to fire events. Nc||_||_||_||_||_||_t j||_dSN) _region_name _signing_name_signature_version _credentials _auth_token _service_idweakrefproxy_event_emitter)self service_id region_name signing_namesignature_version credentials event_emitter auth_tokens S/home/alex/cs2snipeproduction/venv/lib/python3.11/site-packages/botocore/signers.py__init__zRequestSigner.__init__DsN()"3'%%&mM::c|jSr)rrs r!rzRequestSigner.region_nameXs   r#c|jSr)rr%s r!rzRequestSigner.signature_version\s &&r#c|jSr)rr%s r!rzRequestSigner.signing_name`s !!r#c .|||Sr)sign)roperation_namerequestkwargss r!handlerzRequestSigner.handlerds yy111r#standardc N|}||j}||j}||||j}|jd|j||||j||||tj kr|||d} ||| d<|j di} |s | dr | d| d<| d r | d | d <| d r | d | d <| d #| | | d | d  |j di| } n*#t$r} |d krt|| d} ~ wwxYw| |dSdS)a<Sign a request before it goes out over the wire. :type operation_name: string :param operation_name: The name of the current operation, e.g. ``ListBuckets``. :type request: AWSRequest :param request: The request object to be sent over the wire. :type region_name: str :param region_name: The region to sign the request for. :type signing_type: str :param signing_type: The type of signing to perform. This can be one of three possible values: * 'standard' - This should be used for most requests. * 'presign-url' - This should be used when pre-signing a request. * 'presign-post' - This should be used when pre-signing an S3 post. :type expires_in: int :param expires_in: The number of seconds the presigned url is valid for. This parameter is only valid for signing type 'presign-url'. :type signing_name: str :param signing_name: The name to use for the service when signing. Nzbefore-sign.{}.{})r+rrrrequest_signerr*)rrrexpiressigningregionrrrequest_credentialsidentity_cache cache_keyr.r)rr_choose_signercontextremitformatr hyphenizebotocoreUNSIGNEDget_resolve_identity_cacheget_auth_instancerradd_auth) rr*r+r signing_type expires_inrexplicit_region_namerr,signing_contextauthes r!r)zRequestSigner.signksBF +  +K  -L // L'/      & & **,,n  %)/) !   1 1 1 ,*%6F %$.y!%o11)R@@O' BO,?,?,I,I B(7(A}%"">22 I)8)H~&""#899 0?)1,-""#344@,,#$45#K0  -t-7777/   :--:*;G   MM' " " " " "C 2 1s E$$ F .FF c||d<||d<dS)Nr5r6r8)rr,cacher6s r!rAz%RequestSigner._resolve_identity_caches#( '{r#cNddd}||d}|dp|j}|di}|d|j}|d|j} |tjur||s||z }|jd |j ||| || \} } | *| }|tjur||s||z }|S) ai Allow setting the signature version via the choose-signer event. A value of `botocore.UNSIGNED` means no signing will be performed. :param operation_name: The operation to sign. :param signing_type: The type of signing that the signer is to be used for. :return: The signature version to sign with. z -presign-postz-query) presign-post presign-url auth_typer2rr3zchoose-signer.{}.{})rrrr:) r@rrrr>r?endswithremit_until_responser<rr=) rr*rDr:signing_type_suffix_mapsuffixrr2rrr-responses r!r9zRequestSigner._choose_signersY,## # ),,\2>>$KK 44O8O++i,,{{>43EFF kk(D,=>> X%6 6 6%..v66 7  '  /CC ! ( ( **,,n  &#/D     ( "):::)226::;"V+!  r#c 2||j}tjj|}|t ||jdur/d}|j|j}||}|S|p|j } t|dddur(|d} |d} | | } |d=d} | | } | |d<|j r/|jtj||d<||d <|d i|}|S) a Get an auth instance which can be used to sign a request using the given signature version. :type signing_name: string :param signing_name: Service signing name. This is usually the same as the service name, but can differ. E.g. ``emr`` vs. ``elasticmapreduce``. :type region_name: string :param region_name: Name of the service region, e.g. ``us-east-1`` :type signature_version: string :param signature_version: Signature name like ``v4``. :rtype: :py:class:`~botocore.auth.BaseSigner` :return: Auth instance to sign a request. Nr7TREQUIRES_IDENTITY_CACHEr5r6rr service_namer8)rr>rHAUTH_TYPE_MAPSr@rREQUIRES_TOKENrget_frozen_tokenrgetattrget_credentialsget_frozen_credentialsREQUIRES_REGIONr exceptions NoRegionError) rrrrr4r,cls frozen_tokenrHrrKkeyfrozen_credentialss r!rBzRequestSigner.get_auth_instancesc4  $ $ 7 m*../@AA ;."3    % %L+#/@@BB 3|$$DK)>T-> 314 8 8D @ @+,E%C//44K{# "  "!,!C!C!E!E  2}   2 ()77999$/F= !%1F> "s}}V}} r#ct|}||||d||||jS)aGenerates a presigned url :type request_dict: dict :param request_dict: The prepared request dictionary returned by ``botocore.awsrequest.prepare_request_dict()`` :type operation_name: str :param operation_name: The operation being signed. :type expires_in: int :param expires_in: The number of seconds the presigned url is valid for. By default it expires in an hour (3600 seconds) :type region_name: string :param region_name: The region name to sign the presigned url. :type signing_name: str :param signing_name: The name to use for the service when signing. :returns: The presigned url rN)rr)prepareurl)r request_dictr*rErrr+s r!generate_presigned_urlz$RequestSigner.generate_presigned_urlCsS:( 55           {r#rNN)Nr.NN)rfNN)__name__ __module__ __qualname____doc__r"propertyrrrr-r)rAr9rBget_authrkr8r#r!r r !s&  T;;;;(!!X!''X'""X"2222\#\#\#\#|(((0!0!0!l ????D!H  ((((((r#r c6eZdZdZdZddZdZ ddZdZdS) CloudFrontSigneraA signer to create a signed CloudFront URL. First you create a cloudfront signer based on a normalized RSA signer:: import rsa def rsa_signer(message): private_key = open('private_key.pem', 'r').read() return rsa.sign( message, rsa.PrivateKey.load_pkcs1(private_key.encode('utf8')), 'SHA-1') # CloudFront requires SHA-1 hash cf_signer = CloudFrontSigner(key_id, rsa_signer) To sign with a canned policy:: signed_url = cf_signer.generate_signed_url( url, date_less_than=datetime(2015, 12, 1)) To sign with a custom policy:: signed_url = cf_signer.generate_signed_url(url, policy=my_policy) c"||_||_dS)aCreate a CloudFrontSigner. :type key_id: str :param key_id: The CloudFront Key Pair ID :type rsa_signer: callable :param rsa_signer: An RSA signer. Its only input parameter will be the message to be signed, and its output will be the signed content as a binary string. The hash algorithm needed by CloudFront is SHA-1. N)key_id rsa_signer)rrvrws r!r"zCloudFrontSigner.__init__s $r#NcT|duo|du}|duo|du}|s|rd}t|||||}t|tr|d}|!dt t |zg}n,d||dzg}| |}| d||dd|j g| ||S)aCreates a signed CloudFront URL based on given parameters. :type url: str :param url: The URL of the protected object :type date_less_than: datetime :param date_less_than: The URL will expire after that date and time :type policy: str :param policy: The custom policy, possibly built by self.build_policy() :rtype: str :return: The signed URL. Nz=Need to provide either date_less_than or policy, but not bothutf8z Expires=%sz Policy=%sz Signature=z Key-Pair-Id=) ValueError build_policy isinstancestrencodeintr _url_b64encodedecoderwextendrv _build_url) rridate_less_thanpolicyboth_args_suppliedneither_arg_suppliedrIparams signatures r!rkz'CloudFrontSigner.generate_presigned_urlsQ,47NF$>??F,;V+DI' (&1K3KL${?'C'C&DE z-J????r#ctj|ddddddS)N+-=_/~)base64 b64encodereplace)rdatas r!rzCloudFrontSigner._url_b64encodesD  T " " WT4 WT4 WT4  r#rl) rmrnrorpr"rkrr{rr8r#r!rtrtns. % % %$,$,$,$,L=== LP(@(@(@(@T     r#rtc t|d<dS)Ngenerate_db_auth_token)rclass_attributesr,s r!add_generate_db_auth_tokenr1G-...r#c|}| |jj}d|d}ddi|dd}d}||d |} t|| |jd||d d } | t |dS) aGenerates an auth token used to connect to a db with IAM credentials. :type DBHostname: str :param DBHostname: The hostname of the database to connect to. :type Port: int :param Port: The port number the database is listening on. :type DBUsername: str :param DBUsername: The username to log in as. :type Region: str :param Region: The region the database is in. If None, the client region will be used. :return: A presigned url which can be used as an auth token. Nconnect)ActionDBUserrrOGET)url_path query_stringheadersbodymethodzhttps://rizrds-db)r*rjrrEr)metarr_request_signerrklen) r DBHostnamePort DBUsernameRegionr3rrjscheme endpoint_url presigned_urls r!rrs$F ~&F  LF1j11411L|444(?? ! @M V ''r#c$eZdZdZ ddZdS)S3PostPresignerc||_dSr)r)rr0s r!r"zS3PostPresigner.__init__/s-r#Nrfc|i}|g}i}tj}|tj|z}|tjj|d<g|d<|D]} |d| t|} || j d<|| j d<|j d| |d| j |d S) aGenerates the url and the form fields used for a presigned s3 post :type request_dict: dict :param request_dict: The prepared request dictionary returned by ``botocore.awsrequest.prepare_request_dict()`` :type fields: dict :param fields: A dictionary of prefilled form fields to build on top of. :type conditions: list :param conditions: A list of conditions to include in the policy. Each element can be either a list or a structure. For example: [ {"acl": "public-read"}, {"bucket": "mybucket"}, ["starts-with", "$key", "mykey"] ] :type expires_in: int :param expires_in: The number of seconds the presigned post is valid for. :type region_name: string :param region_name: The region name to sign the presigned post to. :rtype: dict :returns: A dictionary with two elements: ``url`` and ``fields``. Url is the url to post to. Fields is a dictionary filled with the form fields and respective values to use when submitting the post. For example: {'url': 'https://mybucket.s3.amazonaws.com 'fields': {'acl': 'public-read', 'key': 'mykey', 'signature': 'mysignature', 'policy': 'mybase64 encoded policy'} } N)seconds expiration conditionszs3-presign-post-fieldszs3-presign-post-policy PutObjectrM)rifields) datetimeutcnow timedeltastrftimer>rHISO8601appendrr:rr)ri) rrjrrrErr datetime_now expire_daterr+s r!generate_presigned_postz'S3PostPresigner.generate_presigned_post2s^ >F  J (//11 "X%7 %K%K%KK *33HM4IJJ| "|# 3 3I < ' ' 2 2 2 2( 554:014:01 !! +~   {f555r#)NNrfN)rmrnror"rr8r#r!rr.sK...  K6K6K6K6K6K6r#rc t|d<dS)Nrk)rkrs r!add_generate_presigned_urlrrr#rfc|}|}|i}|}|}dt|d} |j} |j|} n#t$rt |wxYw|jj| } ||| | }tj | dd} | | || | \}}}| || || |d }|||d <| ||| S) axGenerate a presigned url given a client, its method, and arguments :type ClientMethod: string :param ClientMethod: The client method to presign for :type Params: dict :param Params: The parameters normally passed to ``ClientMethod``. :type ExpiresIn: int :param ExpiresIn: The number of seconds the presigned url is valid for. By default it expires in an hour (3600 seconds) :type HttpMethod: string :param HttpMethod: The http method to use on the generated url. By default, the http method is whatever is used in the method's model. :returns: The presigned url NTis_presign_requestuse_global_endpoint) method_name api_paramsoperation_modelr:BucketrOignore_signing_regionFrrrr:rset_user_agent_headerr)rjrEr*)_should_use_global_endpointr_PY_TO_OP_NAMEKeyErrorrr service_modelr_emit_api_paramsr is_arnr@_resolve_endpoint_ruleset_convert_to_request_dictrk)r ClientMethodParams ExpiresIn HttpMethod client_methodrrE http_methodr:r0r*r bucket_is_arnradditional_headers propertiesrjs r!rkrks,!M F ~JK":4@@G )NB,]; BBB&=AAAABi-==nMMO  " "'#F $VZZ"%=%=>>M &&#00 '   00'!"# 1L!, X  0 0!% 1  s 5Ac t|d<dS)Nr)rrs r!add_generate_presigned_postrs2I.///r#c |}|}|}|} |} |i}n|}| g} dt|d} t|j} |jjd} |d|i| | }tj | dd}| | || | \}}}| || || |d }| d |i|d r/| d d|dtd  gn| d|i||d<| ||| | S)a Builds the url and the form fields used for a presigned s3 post :type Bucket: string :param Bucket: The name of the bucket to presign the post to. Note that bucket related conditions should not be included in the ``conditions`` parameter. :type Key: string :param Key: Key name, optionally add ${filename} to the end to attach the submitted filename. Note that key related conditions and fields are filled out for you and should not be included in the ``Fields`` or ``Conditions`` parameter. :type Fields: dict :param Fields: A dictionary of prefilled form fields to build on top of. Elements that may be included are acl, Cache-Control, Content-Type, Content-Disposition, Content-Encoding, Expires, success_action_redirect, redirect, success_action_status, and x-amz-meta-. Note that if a particular element is included in the fields dictionary it will not be automatically added to the conditions list. You must specify a condition for the element as well. :type Conditions: list :param Conditions: A list of conditions to include in the policy. Each element can be either a list or a structure. For example: [ {"acl": "public-read"}, ["content-length-range", 2, 5], ["starts-with", "$success_action_redirect", ""] ] Conditions that are included may pertain to acl, content-length-range, Cache-Control, Content-Type, Content-Disposition, Content-Encoding, Expires, success_action_redirect, redirect, success_action_status, and/or x-amz-meta-. Note that if you include a condition, you must specify the a valid value in the fields dictionary as well. A value will not be added automatically to the fields dictionary based on the conditions. :type ExpiresIn: int :param ExpiresIn: The number of seconds the presigned post is valid for. :rtype: dict :returns: A dictionary with two elements: ``url`` and ``fields``. Url is the url to post to. Fields is a dictionary filled with the form fields and respective values to use when submitting the post. For example: {'url': 'https://mybucket.s3.amazonaws.com 'fields': {'acl': 'public-read', 'key': 'mykey', 'signature': 'mysignature', 'policy': 'mybase64 encoded policy'} } NTr CreateBucketrrrOrFrbucketz ${filename}z starts-withz$keyrd)rjrrrE)copyrrrrrrrr rr@rrrrQrr)rrKeyFields ConditionsrrrdrrrEr:post_presignerrrrrrrrjs r!rrsBF C FJJ ~ #:4@@G %T%9::Ni-==nMMO  " "f%'#F $VZZ"%=%=>>M &&#00 '   00'!"# 1Lx())) ||M""(=K]9K9K8K6K2LMNNNN5#,'''F5M  1 1! 2  r#c|jjdkrdS|jjj}|rc|ddrdS|ddkr|jjjdkrdS|ddkrdSd S) NawsFuse_dualstack_endpointus_east_1_regional_endpointregionalz us-east-1addressing_stylevirtualT)r partitionconfigs3r@r)client s3_configs r!rr_s {%%u "%I  ==15 9 9 5 MM7 8 8J F F ".+==5 ==+ , , 9 95 4r#r)NrfN)NNrf)rrrrr> botocore.authbotocore.awsrequestrrbotocore.compatrbotocore.exceptionsrrrbotocore.utilsr r r r rtrrrrrkrrrr8r#r!rs  KKKKKKKK'''''' 98888888'&&&&&JJJJJJJJZ C C C C C C C C LHHH3(3(3(3(lO6O6O6O6O6O6O6O6dHHH AELLLL^JJJ @DEEEEPr#