o

*we�t�@s�dd
lZdd
l
Z
dd
lZdd
lZdd
lZdd
lZddlmZmZ
ddl	m
Z

ddlmZm
Z
mZ
ddlmZmZ
ddlmZ
Gdd�d�ZGd	d
�d
�Zdd�Zdd
d�
ZGdd�d�Zdd�Z	
ddd�
Zdd�Z	ddd�
Zdd�Zd
S)�N)�create_request_object�prepare_request_dict)
�OrderedDict)�UnknownClientMethodError�UnknownSignatureVersionError� UnsupportedSignatureVersionError)�	ArnParser�datetime2timestamp)
�fix_s3_hostc@s�eZ
dZd
Z	ddd�
Zedd��
Zedd��
Zed	d
��
Zddd�
Z			
		ddd�
Z
dd�Z	ddd�
ZeZ
			ddd�
ZdS)�
RequestSignera0
    An object to sign requests before they go out over the wire using
    one of the authentication mechanisms defined in ``auth.py``. This
    class fires two events scoped to a service and operation name:

    * choose-signer: Allows overriding the auth signer name.
    * before-sign: Allows mutating the request before signing.

    Together these events allow for customization of the request
    signing pipeline, including overrides, request path manipulation,
    and disabling signing per operation.


    :type service_id: botocore.model.ServiceId
    :param service_id: The service id for the service, e.g. ``S3``

    :type region_name: string
    :param region_name: Name of the service region, e.g. ``us-east-1``

    :type signing_name: string
    :param signing_name: Service signing name. This is usually the
                         same as the service name, but can differ. E.g.
                         ``emr`` vs. ``elasticmapreduce``.

    :type signature_version: string
    :param signature_version: Signature name like ``v4``.

    :type credentials: :py:class:`~botocore.credentials.Credentials`
    :param credentials: User credentials with which to sign requests.

    :type event_emitter: :py:class:`~botocore.hooks.BaseEventHooks`
    :param event_emitter: Extension mechanism to fire events.
    NcCs4||_||_
||_||_||_|
|_t�|�
|_dS�
N)	�_region_name�
_signing_name�_signature_version�_credentials�_auth_token�_service_id�weakref�proxy�_event_emitter)�self�
service_id�region_name�signing_name�signature_version�credentials�
event_emitter�
auth_token�r�I/home/arjun/projects/env/lib/python3.10/site-packages/botocore/signers.py�__init__Ds





zRequestSigner.__init__c


C�|jSr)
r
�
rrrrrX�zRequestSigner.region_namec


Cr!r)
rr"rrrr\r#zRequestSigner.signature_versionc


Cr!r)
rr"rrrr`r#zRequestSigner.signing_namecKs|�|
|�Sr)
�sign)r�operation_name�request�kwargsrrr�handlerdszRequestSigner.handler�standardc

Cs
|}|d
ur	|j}|d
ur|j
}|�|
||j�}|jjd�|j��|
�|||j|||
d�
|t	j
kr�|||d�}	|d
u
r@||	d<|j�di�}
|sT|
�d�
rT|
d|	d<|
�d	�
r_|
d	|	d	<z
|jdi|	�
�
}Wnt
y�
}
z|d
krzt|d�
�
|�
d
}~w
w|�|�

d
Sd
S)
a<Sign a request before it goes out over the wire.

        :type operation_name: string
        :param operation_name: The name of the current operation, e.g.
                               ``ListBuckets``.
        :type request: AWSRequest
        :param request: The request object to be sent over the wire.

        :type region_name: str
        :param region_name: The region to sign the request for.

        :type signing_type: str
        :param signing_type: The type of signing to perform. This can be one of
            three possible values:

            * 'standard'     - This should be used for most requests.
            * 'presign-url'  - This should be used when pre-signing a request.
            * 'presign-post' - This should be used when pre-signing an S3 post.

        :type expires_in: int
        :param expires_in: The number of seconds the presigned url is valid
            for. This parameter is only valid for signing type 'presign-url'.

        :type signing_name: str
        :param signing_name: The name to use for the service when signing.
        Nzbefore-sign.{}.{})r&rrr�request_signerr%)rrr�expires�signing�regionrrr)�
rr)r
r�_choose_signer�contextr�emit�formatr�	hyphenize�botocore�UNSIGNED�get�get_auth_instancerr�add_auth)
rr%r&r�signing_type�
expires_inr�explicit_region_namerr'�signing_context�auth�
errrr$ksV#



�


�




�


�












����zRequestSigner.signcCs�d
dd�}|�|d�}|�d�
p|j
}|�di�}|�d|j�}|�d|j�}	|tju
r5|�|�
s5||7}|jjd	�	|j
��|
�||	||d
�\}
}|du
r]|}|tju
r]|�|�
s]||7}|S)ai

        Allow setting the signature version via the choose-signer event.
        A value of `botocore.UNSIGNED` means no signing will be performed.

        :param operation_name: The operation to sign.
        :param signing_type: The type of signing that the signer is to be used
            for.
        :return: The signature version to sign with.
        z
-presign-postz-query)�presign-post�presign-url��	auth_typer,rr-zchoose-signer.{}.{})rrrr0N)r6rrr
r4r5�endswithr�emit_until_responser2rr3)rr%r9r0�signing_type_suffix_map�suffixrr,rrr(�responserrrr/�s8
�




�


�



�



�zRequestSigner._choose_signerc	Ks�|d
ur|j}t
jj�|�
}|d
urt|d�
�
|jdur.d
}|jd
u
r(|j��}||�
}|Sd
}|j	d
u
r:|j	�
�}||d<|jrS|jd
urKt
j
���
||d<|
|d<|di|�
�
}|S)a�
        Get an auth instance which can be used to sign a request
        using the given signature version.

        :type signing_name: string
        :param signing_name: Service signing name. This is usually the
                             same as the service name, but can differ. E.g.
                             ``emr`` vs. ``elasticmapreduce``.

        :type region_name: string
        :param region_name: Name of the service region, e.g. ``us-east-1``

        :type signature_version: string
        :param signature_version: Signature name like ``v4``.

        :rtype: :py:class:`~botocore.auth.BaseSigner`
        :return: Auth instance to sign a request.
        Nr.Trr�service_namer)rr4r=�AUTH_TYPE_MAPSr6r�REQUIRES_TOKENr�get_frozen_tokenr�get_frozen_credentials�REQUIRES_REGIONr
�
exceptions�
NoRegionError)	rrrrr'�cls�frozen_tokenr=�frozen_credentialsrrrr7�s0



�





















zRequestSigner.get_auth_instance�cCs*t|
�
}|�
|||d
||�
|��
|jS)a�Generates a presigned url

        :type request_dict: dict
        :param request_dict: The prepared request dictionary returned by
            ``botocore.awsrequest.prepare_request_dict()``

        :type operation_name: str
        :param operation_name: The operation being signed.

        :type expires_in: int
        :param expires_in: The number of seconds the presigned url is valid
            for. By default it expires in an hour (3600 seconds)

        :type region_name: string
        :param region_name: The region name to sign the presigned url.

        :type signing_name: str
        :param signing_name: The name to use for the service when signing.

        :returns: The presigned url
        r@)rr$�prepare�url)r�request_dictr%r:rrr&rrr�generate_presigned_url)
s






�	
z$RequestSigner.generate_presigned_urlr�NN)Nr)NN)rSNN)�__name__�
__module__�__qualname__�__doc__r �propertyrrrr(r$r/r7�get_authrWrrrrr!s0
*
�










�T3
�6

�rc@s>eZ
dZd
Zdd�Zd
dd�
Zdd�Z	d
d	d
�
Zdd�ZdS)�CloudFrontSignera�A signer to create a signed CloudFront URL.

    First you create a cloudfront signer based on a normalized RSA signer::

        import rsa
        def rsa_signer(message):
            private_key = open('private_key.pem', 'r').read()
            return rsa.sign(
                message,
                rsa.PrivateKey.load_pkcs1(private_key.encode('utf8')),
                'SHA-1')  # CloudFront requires SHA-1 hash
        cf_signer = CloudFrontSigner(key_id, rsa_signer)

    To sign with a canned policy::

        signed_url = cf_signer.generate_signed_url(
            url, date_less_than=datetime(2015, 12, 1))

    To sign with a custom policy::

        signed_url = cf_signer.generate_signed_url(url, policy=my_policy)
    cCs|
|_||_
d
S)a�
Create a CloudFrontSigner.

        :type key_id: str
        :param key_id: The CloudFront Key Pair ID

        :type rsa_signer: callable
        :param rsa_signer: An RSA signer.
               Its only input parameter will be the message to be signed,
               and its output will be the signed content as a binary string.
               The hash algorithm needed by CloudFront is SHA-1.
        N)�key_id�
rsa_signer)rr`rarrrr l
s

zCloudFrontSigner.__init__Nc	Cs�|d
u
o|d
u
}|d
uo|d
u}|s|rd}t|�
�
|d
u
r$|�
|
|�}t|t�r.|�d�
}|d
u
r<dtt|�
�
g
}nd|�|�
�d�
g
}|�	|�
}|�
d|�|�
�d�
��d|j��g�

|�|
|�S)a�
Creates a signed CloudFront URL based on given parameters.

        :type url: str
        :param url: The URL of the protected object

        :type date_less_than: datetime
        :param date_less_than: The URL will expire after that date and time

        :type policy: str
        :param policy: The custom policy, possibly built by self.build_policy()

        :rtype: str
        :return: The signed URL.
        Nz=Need to provide either date_less_than or policy, but not both�utf8z
Expires=%sz	Policy=%sz
Signature=zKey-Pair-Id=)
�
ValueError�build_policy�
isinstance�str�encode�intr	�_url_b64encode�decodera�extendr`�
_build_url)	rrU�date_less_than�policy�both_args_supplied�neither_arg_suppliedr>�params�	signaturerrrrW{
s&















��z'CloudFrontSigner.generate_presigned_urlcCs"d
|
vrdn
d
}|
|d�|�
S)N�
?�
&)
�join)r�base_url�extra_params�	separatorrrrrl�
s

zCloudFrontSigner._build_urlc	Cs�tt
|�
�
}td
d|i
i
�
}|rd|v
r|d7}d|i
|d<|r,tt
|�
�
}d|i
|d<d|
fd	|fg}d
t|�
g
i
}tj|dd�S)
a0A helper to build policy.

        :type resource: str
        :param resource: The URL or the stream filename of the protected object

        :type date_less_than: datetime
        :param date_less_than: The URL will expire after the time has passed

        :type date_greater_than: datetime
        :param date_greater_than: The URL will not be valid until this time

        :type ip_address: str
        :param ip_address: Use 'x.x.x.x' for an IP, or 'x.x.x.x/x' for a subnet

        :rtype: str
        :return: The policy in a compact string.
        �DateLessThanz
AWS:EpochTime�
/z/32zAWS:SourceIp�	IpAddress�DateGreaterThan�Resource�	Condition�	Statement)�
,�
:)
�
separators)rhr	r�json�dumps)	r�resourcerm�date_greater_than�
ip_address�moment�	condition�ordered_payload�
custom_policyrrrrd�
s










zCloudFrontSigner.build_policycCs"t�
|
�
�d
d��dd��dd�S)N�
+�
-�
=�
_�
/�
~)�base64�	b64encode�replace)r�datarrrri�
s



�zCloudFrontSigner._url_b64encoderX)	rYrZr[r\r rWrlrdrirrrrr_T
s

&
�*r_c
K�t|d
<dS)N�generate_db_auth_token)
r���class_attributesr'rrr�add_generate_db_auth_token�
�
r�cCst|}|d
ur
|jj
}d|d�}ddi|dd�}d}|�|
�d	|��}	t||	�
|jjd||d
dd�}
|
t|�
d
�S)
aGenerates an auth token used to connect to a db with IAM credentials.

    :type DBHostname: str
    :param DBHostname: The hostname of the database to connect to.

    :type Port: int
    :param Port: The port number the database is listening on.

    :type DBUsername: str
    :param DBUsername: The username to log in as.

    :type Region: str
    :param Region: The region the database is in. If None, the client
        region will be used.

    :return: A presigned url which can be used as an auth token.
    N�connect)�Action�DBUserrzrA�GET)�url_path�query_string�headers�body�methodzhttps://r�i�zrds-db)r%rVrr:r)�metarr�_request_signerrW�len)r�
DBHostname�Port�
DBUsername�Regionr-rqrV�scheme�endpoint_url�
presigned_urlrrrr��
s.


�



�








�r�c@s&eZ
dZd
d�Z				ddd�
ZdS)�S3PostPresignercCs
|
|_dSr)
r�)rr*rrrr s

zS3PostPresigner.__init__NrScCs�|d
uri}|d
urg}i}tj�
�}|tj|d�
}|�tjj�
|d<g|d<|D]	}	|d�|	�

q*t|
�
}
||
j	d<||
j	d<|j
�d|
|d�
|
j|d	�S)
a�Generates the url and the form fields used for a presigned s3 post

        :type request_dict: dict
        :param request_dict: The prepared request dictionary returned by
            ``botocore.awsrequest.prepare_request_dict()``

        :type fields: dict
        :param fields: A dictionary of prefilled form fields to build on top
            of.

        :type conditions: list
        :param conditions: A list of conditions to include in the policy. Each
            element can be either a list or a structure. For example:
            [
             {"acl": "public-read"},
             {"bucket": "mybucket"},
             ["starts-with", "$key", "mykey"]
            ]

        :type expires_in: int
        :param expires_in: The number of seconds the presigned post is valid
            for.

        :type region_name: string
        :param region_name: The region name to sign the presigned post to.

        :rtype: dict
        :returns: A dictionary with two elements: ``url`` and ``fields``.
            Url is the url to post to. Fields is a dictionary filled with
            the form fields and respective values to use when submitting the
            post. For example:

            {'url': 'https://mybucket.s3.amazonaws.com
             'fields': {'acl': 'public-read',
                        'key': 'mykey',
                        'signature': 'mysignature',
                        'policy': 'mybase64 encoded policy'}
            }
        N)
�seconds�
expiration�
conditionszs3-presign-post-fieldszs3-presign-post-policy�	PutObjectr?)rU�fields)
�datetime�utcnow�	timedelta�strftimer4r=�ISO8601�appendrr0r�r$rU)rrVr�r�r:rrn�datetime_now�expire_dater�r&rrr�generate_presigned_posts$/











�z'S3PostPresigner.generate_presigned_post)NNrSN)rYrZr[r r�rrrrr�s



�r�c
Kr�)NrW)
rWr�rrr�add_generate_presigned_urlfr�r�rScCs�|
}|}|d
ur
i}|}|}dt|�
d�}	|j
}
z|j|}Wnty+


t|d�
�
w|jj�|�
}|j|||	d�}t	�
|�dd��
}
|j|||	|
d�\}}|j
||||	|d	d
�}|d
u
rc||d<|
j|||d�S)
axGenerate a presigned url given a client, its method, and arguments

    :type ClientMethod: string
    :param ClientMethod: The client method to presign for

    :type Params: dict
    :param Params: The parameters normally passed to
        ``ClientMethod``.

    :type ExpiresIn: int
    :param ExpiresIn: The number of seconds the presigned url is valid
        for. By default it expires in an hour (3600 seconds)

    :type HttpMethod: string
    :param HttpMethod: The http method to use on the generated url. By
        default, the http method is whatever is used in the method's model.

    :returns: The presigned url
    NT��is_presign_request�use_global_endpoint)
�method_name��
api_params�operation_modelr0�BucketrA�
�ignore_signing_regionF�r�r�r�r0r��set_user_agent_headerr�)rVr:r%)�_should_use_global_endpointr��_PY_TO_OP_NAME�KeyErrorrr��
service_modelr��_emit_api_paramsr�is_arnr6�_resolve_endpoint_ruleset�_convert_to_request_dictrW)r�ClientMethod�Params�	ExpiresIn�
HttpMethod�
client_methodrqr:�http_methodr0r*r%r��
bucket_is_arnr��additional_headersrVrrrrWjsV





�



�



�





�





�




�rWc
Kr�)Nr�)
r�r�rrr�add_generate_presigned_post�r�r�cCs
|
}|}|}|}	|}
|d
uri}n|��}|	d
urg}	dt
|�
d�}t|j�
}|jj�d�
}
|jd|i
|
|d�}t�	|�
dd��
}|j|
|||d�\}}|j||
|||d	d
�}|	�
d|i
�

|�d�
rt|	�
d
d|d
td�
�g�

n|	�
d|i
�

||d<|j|||	|
d�S)a�	Builds the url and the form fields used for a presigned s3 post

    :type Bucket: string
    :param Bucket: The name of the bucket to presign the post to. Note that
        bucket related conditions should not be included in the
        ``conditions`` parameter.

    :type Key: string
    :param Key: Key name, optionally add ${filename} to the end to
        attach the submitted filename. Note that key related conditions and
        fields are filled out for you and should not be included in the
        ``Fields`` or ``Conditions`` parameter.

    :type Fields: dict
    :param Fields: A dictionary of prefilled form fields to build on top
        of. Elements that may be included are acl, Cache-Control,
        Content-Type, Content-Disposition, Content-Encoding, Expires,
        success_action_redirect, redirect, success_action_status,
        and x-amz-meta-.

        Note that if a particular element is included in the fields
        dictionary it will not be automatically added to the conditions
        list. You must specify a condition for the element as well.

    :type Conditions: list
    :param Conditions: A list of conditions to include in the policy. Each
        element can be either a list or a structure. For example:

        [
         {"acl": "public-read"},
         ["content-length-range", 2, 5],
         ["starts-with", "$success_action_redirect", ""]
        ]

        Conditions that are included may pertain to acl,
        content-length-range, Cache-Control, Content-Type,
        Content-Disposition, Content-Encoding, Expires,
        success_action_redirect, redirect, success_action_status,
        and/or x-amz-meta-.

        Note that if you include a condition, you must specify
        the a valid value in the fields dictionary as well. A value will
        not be added automatically to the fields dictionary based on the
        conditions.

    :type ExpiresIn: int
    :param ExpiresIn: The number of seconds the presigned post
        is valid for.

    :rtype: dict
    :returns: A dictionary with two elements: ``url`` and ``fields``.
        Url is the url to post to. Fields is a dictionary filled with
        the form fields and respective values to use when submitting the
        post. For example:

        {'url': 'https://mybucket.s3.amazonaws.com
         'fields': {'acl': 'public-read',
                    'key': 'mykey',
                    'signature': 'mysignature',
                    'policy': 'mybase64 encoded policy'}
        }
    NTr��CreateBucketr�r�rAr�Fr��bucketz${filename}zstarts-withz$key�key)rVr�r�r:)�copyr�r�r�r�r�r�r�rr�r6r�r�r�rCr�r�)rr��Key�Fields�
Conditionsr�r�r�r�r�r:r0�post_presignerr�rqr�r�r�rVrrrr��s\A






�




�





�





�

 




�r�c
CsR|jj
d
krdS|jjj}
|
r'|
�dd�rdS|
�d�
dkr'|jjjdkr'dSdS)N�awsF�use_dualstack_endpoint�us_east_1_regional_endpoint�regionalz	us-east-1T)r��	partition�config�s3r6r)�client�	s3_configrrrr�=s








r�r)NrSN)NNrS)r�r�r�rr4�
botocore.auth�botocore.awsrequestrr�botocore.compatr�botocore.exceptionsrrr�botocore.utilsrr	r
rr_r�r�r�r�rWr�r�r�rrrr�<module>
s6






5
6R
�K
�