o ȷeV@sdZddlZddlZddlZddlZddlZddlZddlZddlZddl m Z ddl Z ddl Z ddl Z ddlmZmZmZmZddlmZddlmZzddlmZddlmZWneyiddlZdZYnwgd Zgd ZGd d d eZGd ddeeZGdddeeZGdddeeZ GdddeeZ!GdddeeZ"GdddeeZ#Gddde#eZ$GdddeZ%GdddeZ&Gdd d e&eZ'Gd!d"d"e&eZ(Gd#d$d$e&eZ)Gd%d&d&e)eZ*d-d'd(Z+d)d*Z,d+d,Z-dS).z/ Handles authentication required to AWS and GS N) formatdate)urllib encodebytes parse_qs_safeurlparse) AuthHandler)BotoClientError)sha1)sha256)z-ap-northeast-1z.ap-northeast-1z-ap-southeast-1z.ap-southeast-1z-ap-southeast-2z.ap-southeast-2z -eu-west-1z .eu-west-1z -external-1z .external-1z -sa-east-1z .sa-east-1z -us-east-1z .us-east-1z-us-gov-west-1z.us-gov-west-1z -us-west-1z .us-west-1z -us-west-2z .us-west-2) z.cn-z .eu-centralz -eu-centralz.ap-northeast-2z-ap-northeast-2z .ap-south-1z -ap-south-1z .us-east-2z -us-east-2z -ca-centralz .ca-centralz .eu-west-2z -eu-west-2c@sHeZdZdZddZddZddZdd Zd d Zd d Z ddZ dS)HmacKeyszKey based Auth handler helper.cCs2|jdus |jdurtj||_||dSN) access_key secret_keyboto auth_handlerNotReadyToAuthenticatehostupdate_providerselfrconfigproviderr@/var/www/ideatree/venv/lib/python3.10/site-packages/boto/auth.py__init__es zHmacKeys.__init__cCsL||_tj|jjdtd|_tr!tj|jjdtd|_dSd|_dSNutf-8) digestmod) _providerhmacnewrencodesha_hmacr _hmac_256rrrrrrks zHmacKeys.update_providercCs|jrdSdS)N HmacSHA256HmacSHA1)r$rrrr algorithmuszHmacKeys.algorithmcCs(|jrt}nt}tj|jjd|dSr)r$r r"rr rrr!)rrrrr _get_hmac{s zHmacKeys._get_hmaccCs.|}||dt|dSNr)r*updater!rdigestdecodestrip)rstring_to_signnew_hmacrrr sign_stringszHmacKeys.sign_stringcCst|j}|d=|d=|S)Nr#r$)copy__dict__)r pickled_dictrrr __getstate__s zHmacKeys.__getstate__cCs||_||jdSr )r4rr)rdctrrr __setstate__szHmacKeys.__setstate__N) __name__ __module__ __qualname____doc__rrr)r*r2r6r8rrrrr bs  r cs.eZdZdZdgZfddZddZZS)AnonAuthHandlerz( Implements Anonymous requests. anoncstt||||dSr )superr=rr __class__rrrszAnonAuthHandler.__init__cKsdSr r)r http_requestkwargsrrradd_authszAnonAuthHandler.add_auth)r9r:r;r< capabilityrrD __classcell__rrr@rr=s  r=c8eZdZdZddgZddZfddZdd ZZS) HmacAuthV1Handlerz: Implements the HMAC request signing used by S3 and GS.zhmac-v1s3cC*t||||t||||d|_dSr rrr r$rrrrr zHmacAuthV1Handler.__init__ctt||d|_dSr )r?rHrr$r%r@rrr z!HmacAuthV1Handler.update_providerc Ks|j}|j}|j}d|vrtdd|d<|jjr"|jj}|jj||<tj |||d|j}tj d|| |}|jj } d| |jj|f} tj d| | |d<dS)NDateTusegmtStringToSign: %s%s %s:%s Signature: %s Authorization)headersmethod auth_pathrrsecurity_tokensecurity_token_headerrutilscanonical_stringlogdebugr2 auth_headerr ) rrBrCrVrWrXkeyr0b64_hmacauth_hdrauthrrrrDs$    zHmacAuthV1Handler.add_auth r9r:r;r<rErrrDrFrrr@rrHs  rHcrG) HmacAuthV2HandlerzJ Implements the simplified HMAC authorization used by CloudFront. zhmac-v2 cloudfrontcCrJr rKrrrrrrLzHmacAuthV2Handler.__init__crMr )r?rerr$r%r@rrrrNz!HmacAuthV2Handler.update_providercKsh|j}d|vrtdd|d<|jjr|jj}|jj||<||d}|jj}d||jj|f|d<dS)NrOTrPrSrU)rVrrrYrZr2r_r )rrBrCrVr`rarbrrrrDs  zHmacAuthV2Handler.add_authrdrrr@rres  rec@s(eZdZdZgdZddZddZdS)HmacAuthV3Handlerz@Implements the new Version 3 HMAC authorization used by Route53.)zhmac-v3route53sescC$t||||t||||dSr rrr rrrrrzHmacAuthV3Handler.__init__cKsr|j}d|vrtdd|d<|jjr|jj}|jj||<||d}d|jj}|d||f7}||d<dS)NrOTrPzAWS3-HTTPS AWSAccessKeyId=%s,zAlgorithm=%s,Signature=%sX-Amzn-Authorization)rVrrrYrZr2r r))rrBrCrVr`rasrrrrDs   zHmacAuthV3Handler.add_authN)r9r:r;r<rErrDrrrrrgs  rgc@s>eZdZdZdgZddZddZddZd d Zd d Z d S)HmacAuthV3HTTPHandlerzK Implements the new Version 3 HMAC authorization used by DynamoDB. z hmac-v3-httpcCrjr rkrrrrrrlzHmacAuthV3HTTPHandler.__init__cCs<d|ji}|jD]\}}|}|dr|||<q |S)k Select the headers from the request that need to be included in the StringToSign. Hostx-amz)rrVitemslower startswith)rrBheaders_to_signnamevaluelnamerrrrvs  z%HmacAuthV3HTTPHandler.headers_to_signcs tfddD}d|S)  Return the headers that need to be included in the StringToSign in their canonical form by converting all header keys to lower case, sorting them in alphabetical order and then joining them into a string, separated by newlines. cs(g|]}d||fqS)%s:%srtr/.0nrvrr s   z;HmacAuthV3HTTPHandler.canonical_headers.. sortedjoinrrvlrrrcanonical_headerss  z'HmacAuthV3HTTPHandler.canonical_headerscCs8||}||}d|j|jd|d|jg}||fS) Return the canonical StringToSign as well as a dict containing the original version of all headers that were included in the StringToSign. r)rvrrrWrXbody)rrBrvrr0rrrr0s  z$HmacAuthV3HTTPHandler.string_to_signcKsd|jvr |jd=tdd|jd<|jjr|jj|jd<||\}}tjd|t| d }| |}d|jj }|d | 7}|d d |7}|d |7}||jd<d S)z Add AWS3 authentication to a request. :type req: :class`boto.connection.HTTPRequest` :param req: The HTTPRequest object. rmTrP X-Amz-DateX-Amz-Security-TokenrRrzAWS3 AWSAccessKeyId=%s,z Algorithm=%s,zSignedHeaders=%s,; Signature=%sN)rVrrrYr0rr]r^r r!r-r2r r)r)rreqrCr0rv hash_valuerarnrrrrD,s    zHmacAuthV3HTTPHandler.add_authN) r9r:r;r<rErrvrr0rDrrrrros  roc@seZdZdZdgZ d+ddZd,ddZd d Zd d Zd dZ ddZ ddZ ddZ ddZ ddZddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*ZdS)-HmacAuthV4Handlerz: Implements the new Version 4 HMAC authorization. hmac-v4NcCs0t||||t||||||_||_dSr )rrr service_name region_name)rrrrrrrrrrLs zHmacAuthV4Handler.__init__FcCsPt|ts |d}|rt||dt}|St||dt}|Sr+) isinstancebytesr!rr r hexdigestr-)rr`msghexsigrrr_signVs  zHmacAuthV4Handler._signcCsr||j|}|jdr|jd}d|i}|jD]\}}|}|dr6t|tr2| d}|||<q|S)rprqrrr) host_headerrrVgetrsrtrurrr.rrBhost_header_valuervrwrxryrrrrv`s     z!HmacAuthV4Handler.headers_to_signcCs8|j}|jdk}|dkr|r|dkr|r|Sd||fSNhttpsPir{)portprotocolrrrBrsecurerrrrqs   zHmacAuthV4Handler.host_headercCsbt|j}g}|D] }tj|j|}|tjj |dddtjj |ddq d |S)Nrsafe=-_~&) rparamskeysrr[get_utf8_valueappendrparsequoter)rrBparameter_namespairspnamepvalrrr query_stringxs zHmacAuthV4Handler.query_stringc Csh|jdkrdSg}t|jD] }tj|j|}|dtjj |ddtjj |ddfqd |S)NPOSTr%s=%s-_.~rr) rWrrrr[rrrrrrrrBrparamrxrrrcanonical_query_strings  z(HmacAuthV4Handler.canonical_query_stringcCsjg}|D])}|}t||}d|vr|}n d|}|d||fqdt|S)rz" r{r)rtr/strrsplitrr)rrv canonicalheaderc_name raw_valuec_valuerrrrs   z#HmacAuthV4Handler.canonical_headerscCs dd|D}t|}d|S)NcSg|] }d|qSz%sr|r}rrrrz4HmacAuthV4Handler.signed_headers..rrrrrrsigned_headerss z HmacAuthV4Handler.signed_headerscCsF|j}t|dd}tj|}t|dkr!|dr!|d7}|S)N\/) rX posixpathnormpathreplacerrrlenendswith)rrBpath normalizedencodedrrr canonical_uris  zHmacAuthV4Handler.canonical_uricCsN|j}t|drt|drtjj|tddSt|ts!|d}t| S)Nseekread)hash_algorithmrr) rhasattrrr[ compute_hashr rrr!r)rrBrrrrpayloads    zHmacAuthV4Handler.payloadcCst|jg}||||||||}|||d||||||d |S)Nr) rWupperrrrrvrrrr)rrBcrrvrrrcanonical_requests   z#HmacAuthV4Handler.canonical_requestcCsB|jjg}||j||j||j|dd|S)N aws4_requestr)rr r timestamprrr)rrBscoperrrrs      zHmacAuthV4Handler.scopecCs |dS)N.)rrrrrrsplit_host_partss z"HmacAuthV4Handler.split_host_partscCsj||}|jdur|j}|St|dkr/|ddkrd}|St|dkr)d}|S|d}|S|d}|S)Nrzus-govz us-gov-west-1 us-east-1r)rrr)rrpartsrrrrdetermine_region_names    z'HmacAuthV4Handler.determine_region_namecCs*||}|jdur|j}|S|d}|S)Nr)rr)rrrrrrrdetermine_service_names  z(HmacAuthV4Handler.determine_service_namecCstg}|jddd|_||j||j}||j}||_||_||j||j|dd|S)Nrrrr) rVrrrrrrrr)rrBrrrrrrcredential_scopes       z"HmacAuthV4Handler.credential_scopecCsHdg}||jd||||t|dd|S)rAWS4-HMAC-SHA256rrr)rrVrr r!rr)rrBrstsrrrr0s  z HmacAuthV4Handler.string_to_signcCsX|jj}|d|d|j}|||j}|||j}||d}|j||ddS)NAWS4rrT)r)rrrr!rrr)rrBr0r`k_datek_region k_service k_signingrrr signatures zHmacAuthV4Handler.signaturec Ksbd|jvr |jd=tj}|d|jd<|jjr!|jj|jd<||}|}d|vr3||d}|rM|jdkrM||_d|jd<t t |j|jd <n|j d d |_ |r`|j d ||_ | |}tjd ||||}tjd ||||}tjd|||} d||g} | d|| | d|d| |jd<dS)z Add AWS4 authentication to a request. :type req: :class`boto.connection.HTTPRequest` :param req: The HTTPRequest object. rm%Y%m%dT%H%M%SZrr unmangled_reqr0application/x-www-form-urlencoded; charset=UTF-8 Content-TypeContent-Length?rzCanonicalRequest: %srRrTzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=%sr,rUN)rVdatetimeutcnowstrftimerrYrrWrrrrrrrr]r^r0rrvrrrr) rrrCnowqs qs_to_postrr0rrvrrrrrDs8         zHmacAuthV4Handler.add_auth)NN)F)r9r:r;r<rErrrvrrrrrrrrrrrrrr0rrDrrrrrEs.        rcseZdZdZdgZfddZddZddZd d Zd d Z d dZ ddZ ddZ ddZ fddZfddZdddZZS)S3HmacAuthV4HandlerzN Implements a variant of Version 4 HMAC authorization specific to S3. hmac-v4-s3cs2tt|j|i||jr||j|_dSdSr )r?rrrclean_region_name)rargsrCr@rrrOszS3HmacAuthV4Handler.__init__cCs|dr |ddS|S)Ns3-r)ru)rrrrrrUs  z%S3HmacAuthV4Handler.clean_region_namecCs0tj|j}tj|j}tjj|dd}|S)Nz/~r)rrrrunquoter)rrBrunquotedrrrrr[sz!S3HmacAuthV4Handler.canonical_uric CsZg}t|jD] }tj|j|}|dtjj|ddtjj|ddfqd |S)Nrrrr) rrrr[rrrrrrrrrrres z*S3HmacAuthV4Handler.canonical_query_stringcCs<|j}|jdk}|dkr|r|dkr|r|jSd|j|fSr)rrrrrrrrps  zS3HmacAuthV4Handler.host_headercCsF||j|}d|i}|jD]\}}|}|dvr |||<q|S)rprq) authorization)rrrVrsrtrrrrrvwsz#S3HmacAuthV4Handler.headers_to_signcCs||}|jdur|j}|St|dkr$||d}|dkr"d}|Stt|D]'\}}|}|dkrD|| }|dkrAd}|S|drQ||}|Sq*|S)NrrrIr amazonawsr)rrrr enumeratereversedrtru)rrrroffsetpartrrrrs.    z)S3HmacAuthV4Handler.determine_region_namecCsdS)NrIrrrrrrsz*S3HmacAuthV4Handler.determine_service_namec Cst|}tj|j}|j|_|jduri|_n|j}||_|j}t|dd}| D]\}}t |t t frEt |dkrE|d||<q.|j||S)z| Returns a copy of the request object with fixed ``auth_path/params`` attributes from the original. NT)keep_blank_valuesrr)r3rrrrXrrqueryrrsrlisttuplerr,) rr modified_req parsed_path copy_paramsraw_qs existing_qsr`rxrrrmangle_path_and_paramss&      z*S3HmacAuthV4Handler.mangle_path_and_paramscs&|jdr |jdStt||S)Nx-amz-content-sha256)rVrr?rr)rrBr@rrrs  zS3HmacAuthV4Handler.payloadc s^d|jvrd|jvr|jd|jd<n|||jd<||}tt|j|fd|i|S)Nr_sha256r)rVpoprrr?rrD)rrrC updated_reqr@rrrDs   zS3HmacAuthV4Handler.add_authNc Cs|dur tjd}||j}||j}dd|jj|dd||f||dd}|jjr6|jj|d<| |}t d d |D}d ||d <|j |||} d | d ddd} ||jd<||| } ||| } | |j d<d|j|j|jtj|j fS)z Presign a request using SigV4 query params. Takes in an HTTP request and an expiration time in seconds and returns a URL. http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html Nrrz%s/%s/%s/%s/aws4_requestrr)zX-Amz-AlgorithmzX-Amz-Credentialrz X-Amz-ExpiresX-Amz-SignedHeadersrcSrrr|r}rrrrrz/S3HmacAuthV4Handler.presign..rrrz UNSIGNED-PAYLOADrzX-Amz-Signaturez %s://%s%s?%s)rrrrrrrr rYrvrrrr,rrrVr0rrrrr urlencode) rrexpiresiso_dateregionservicerrvrrrrrrrpresigns<            zS3HmacAuthV4Handler.presignr )r9r:r;r<rErrrrrrvrrrrrDr$rFrrr@rrIs   - *  rc@s.eZdZdZdgZddZddZddZd S) STSAnonHandlerz Provides pure query construction (no actual signing). Used for making anonymous STS request for operations like ``assume_role_with_web_identity``. zsts-anoncCs tj|Sr )rrr)rrxrrr _escape_value4s zSTSAnonHandler._escape_valuec Csbt|}|jdddg}|D]}tj||}||d||dqd |S)NcS|Sr rtxrrr=z4STSAnonHandler._build_query_string..r`rrr) rrsortrr[rrr&r.r)rrrrr`valrrr_build_query_string;s   z"STSAnonHandler._build_query_stringcKs4|j}||j}tjd|d|d<||_dS)Nzquery_string in body: %sz!application/x-www-form-urlencodedr)rVr0rrr]r^r)rrBrCrVrrrrrDDs zSTSAnonHandler.add_authN)r9r:r;r<rEr&r0rDrrrrr%*s  r%c@seZdZdZddZdS)QuerySignatureHelperzy Helper for Query signature based Auth handler. Concrete sub class need to implement _calc_sigature method. cKs|j}|j}|jj|d<|j|d<tj|d<||j|j |j |j \}}tj d||f|j dkrPd|d<|dtj||_tt|j|jd <dSd |_|jd d |_|jd |dtj||_dS) NAWSAccessKeyIdSignatureVersion Timestampquery_string: %s Signature: %srrr &Signature=rrrr)rVrrr r3rr[get_ts_calc_signaturerWrXrr]r^rr quote_plusrrrrr)rrBrCrVrrrrrrrDWs*      zQuerySignatureHelper.add_authN)r9r:r;r<rDrrrrr1Ps r1c@s"eZdZdZdZdgZddZdS)QuerySignatureV0AuthHandlerzProvides Signature V0 Signingrzsign-v0c Gstjd|}|d|d}||d|}|jdddg}|D]}tj ||}| |dt j |q*d |} | t|fS) Nzusing _calc_signature_0Actionr4rcSst||Sr )cmprt)r*yrrrr+zz=QuerySignatureV0AuthHandler._calc_signature..)r<rr)rr]r^r*r,r!rr.r[rrrrrrbase64 b64encoder-) rrrrrnrrr`r/rrrrr8ts  z+QuerySignatureV0AuthHandler._calc_signatureNr9r:r;r<r3rEr8rrrrr:ns  r:c@s,eZdZdZdZddgZddZddZd S) QuerySignatureV1AuthHandlerz5 Provides Query Signature V1 Authentication. rzsign-v1mturkcOs:tj|g|Ri|tj|g|Ri|d|_dSr )r1rrr$)rrkwrrrrs z$QuerySignatureV1AuthHandler.__init__c Gstjd|}t|}|jdddg}|D]$}||dtj ||}||| |dt j |qd|}|t|fS)Nzusing _calc_signature_1cSr'r r(r)rrrr+r,z=QuerySignatureV1AuthHandler._calc_signature..r-rrr)rr]r^r*rrr.r,r!r[rrrrrrr?r@r-) rrrrrrr`r/rrrrr8s    z+QuerySignatureV1AuthHandler._calc_signatureN)r9r:r;r<r3rErr8rrrrrBs  rBc@s$eZdZdZdZgdZddZdS)QuerySignatureV2AuthHandlerz+Provides Query Signature V2 Authentication.) zsign-v2ec2rGemrfpsecssdbiamrdssnssqscloudformationc Cstjdd|||f}|}||d<|jjr#|jj|d<t| }g}|D]} tj || } | t jj| dddt jj| ddq-d |} tjd | || 7}tjd |||d t|} tjd t| tjd| | | fS)Nzusing _calc_signature_2z %s %s %s SignatureMethod SecurityTokenrrrrrzquery string: %szstring_to_sign: %srz len(b64)=%dzbase64 encoded digest: %s)rr]r^rtr*r)rrYrrr[rrrrrrr,r!r?r@r-r) rrverbr server_namer0rrrr`r/rb64rrrr8s,     z+QuerySignatureV2AuthHandler._calc_signatureNrArrrrrEs  rEc@seZdZdZdgZddZdS)POSTPathQSV2AuthHandlerz Query Signature V2 Authentication relocating signed query into the path and allowing POST requests with Content-Types. mwscKs|jj|jd<|j|jd<tj|jd<||j|j|j |j \}}tj d||f|jdkrGt t|j|jd<|jdd|jd<nd |_|jd d |_|jd |d tj||_dS) Nr2r3r4r5rrrz text/plainrrrr6)rr rr3rr[r7r8rWrXrr]r^rrrrVrrrrrr9)rrrCrrrrrrDs&       z POSTPathQSV2AuthHandler.add_authN)r9r:r;r<rErDrrrrrVs rVc Csg}tjt|}|D]}z |||||Wq tjjy#Yq w|s=|}dd|D}tjdt |t |f|dS)aFinds an AuthHandler that is ready to authenticate. Lists through all the registered AuthHandlers to find one that is willing to handle for the requested capabilities, config and provider. :type host: string :param host: The name of the host :type config: :param config: :type provider: :param provider: Returns: An implementation of AuthHandler. Raises: boto.exception.NoAuthHandlerFound cSsg|]}|jqSr)r9)r~handlerrrrrr>z$get_auth_handler..zYNo handler was ready to authenticate. %d handlers were checked. %s Check your credentialsr) rplugin get_pluginrrrr exceptionNoAuthHandlerFoundrr) rrrrequested_capabilityready_handlers auth_handlersrXchecked_handlersnamesrrrget_auth_handlers"rbcfdd}|S)Ncsjtjddr dgStjdddrdgSt|dr1t|jddr1tD] }||jj vr0dgSq#|S) N EC2_USE_SIGV4FrrG use-sigv4r"endpointr) osenvironrrrrgetattrr" SIGV4_DETECTrf)rtestfuncrr_wrapper s   z(detect_potential_sigv4.._wrapperrrmrnrrlrdetect_potential_sigv4 s rpcrc)Ncstjddr dgStjdddrdgStdsStD] }|jvr,dgSq j}jdr<jdr@d|}t |j }| d sS| d sSS| d r\St fd d t DrkStdrwjrwSdgS)N S3_USE_SIGV4FrrIrerzhttp://zhttps://z amazonaws.comzamazonaws.com.cnzs3.amazonaws.comc3s|]}|jvVqdSr )r)r~rkr(rr Asz=detect_potential_s3sigv4.._wrapper..r>)rgrhrrrrrjrrurnetlocranyS3_AUTH_DETECTr>)rrkrrsrlr(rrn"s6        z*detect_potential_s3sigv4.._wrapperrrorrlrdetect_potential_s3sigv4!s )rvr ).r<r?rboto.auth_handlerboto.exception boto.plugin boto.utilsr3r email.utilsrrrgr boto.compatrrrrrrhashlibr r"r ImportErrorrurjobjectr r=rHrergrorrr%r1r:rBrErVrbrprvrrrrsZ     1#Kb& 2