�

/�;f���n�dd
lZdd
l
Z
dd
lZdd
lZdd
lZdd
lZdd
lZdd
lZddlm	Z	
ddl
mZ
ddlm
Z
mZ
ddlmZ
ddlmZmZmZmZmZmZmZmZmZ
ddlmZmZ
ddlmZm Z m!Z!
dd	lm"Z"
ej#e$�
�
Z%d
Z&dZ'dZ(d
Z)gd�
Z*dZ+dZ,d�Z-d�Z.Gd�d��Z/Gd�de/��Z0Gd�de/��Z1Gd�de/��Z2Gd�de/��Z3Gd�de3��Z4Gd�d e4��Z5Gd!�d"e5��Z6Gd#�d$e5��Z7Gd%�d&e3��Z8Gd'�d(e8��Z9Gd)�d*e3��Z:Gd+�d,e/��Z;Gd-�d.e;��Z<Gd/�d0e;��Z=Gd1�d2e0��Z>e1e2e2e;e<e=e:e5e7e6e>d3�Z?erdd4l@mAZA
e?�BeA�
�

d
Se?�Be3e8e4e9d5��
�

d
S)6�N)
�Mapping�
�
formatdate)�sha1�sha256)
�
itemgetter)	�HAS_CRT�HTTPHeaders�encodebytes�ensure_unicode�parse_qs�quote�unquote�urlsplit�
urlunsplit)�NoAuthTokenError�NoCredentialsError)�is_valid_ipv6_endpoint_url�normalize_url_path�percent_encode_sequence)
�
MD5_AVAILABLE�@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855iz%Y-%m-%dT%H:%M:%SZz%Y%m%dT%H%M%SZ)�expectz
user-agentzx-amzn-trace-idzUNSIGNED-PAYLOADz"STREAMING-UNSIGNED-PAYLOAD-TRAILERc
���t
|�
�
}
|
j
}t|�
�
rd
|�d�}ddd�}|
j�/|
j|�|
j�
�
krd||
jfz}|S)N�
[�
]�Pi�
)�http�httpsz%s:%d)r�hostnamer�port�get�scheme)�url�	url_parts�host�
default_portss    �@/opt/alt/python311/lib/python3.11/site-packages/botocore/auth.py�_host_from_urlr)Fs���
��
�
�I���D�!�#�&�&�
��4�{�{�{������M��~�!��>�]�.�.�y�/?�@�@�@�@��d�I�N�3�3�D��K�c
���|j}
t|
t��r(tj|
�d
�
�
�
�
}
n)t|
t��rtj|
�
�
}
|
S�N�utf-8)�data�
isinstance�bytes�json�loads�decode�str)�requestr.s  r(�_get_body_as_dictr6Ys`��
�<�D��$���� ��z�$�+�+�g�.�.�/�/���	�D�#�	�	�
 ��z�$�����Kr*c
��eZ
dZd
Zd
Zd�ZdS)�
BaseSignerFc� �t
d
�
�
�
)N�add_auth)
�NotImplementedError��selfr5s  r(r:zBaseSigner.add_authjs��!�*�-�-�-r*N)�__name__�
__module__�__qualname__�REQUIRES_REGION�REQUIRES_TOKENr:�r*r(r8r8fs-�������O��N�
.�
.�
.�
.�
.r*r8c
��eZ
dZd
Z	d�ZdS)�TokenSignerTc��|
|_dS�
N)
�
auth_token)r=rHs  r(�__init__zTokenSigner.__init__ts
��$����r*N)r>r?r@rBrIrCr*r(rErEns-�������N��
%�
%�
%�
%�
%r*rEc
�$�eZ
dZd
Zd�Zd�Zd�ZdS)�	SigV2Authz+
    Sign a request with Signature V2.
    c��|
|_dSrG�
�credentials�r=rNs  r(rIzSigV2Auth.__init__}���&����r*c��t�
d
�
�

t|
j�
�
}|j}t|�
�
dkrd}|
j�d|j�d|�d�}tj	|j
j�d�
�
t���}g}t|�
�
D]�}|dkr
�	t||�
�
}	t!|�d�
�
d�	��}
t!|	�d�
�
d
�	��}|�|
�d|���
�

��d�|�
�
}||z
}t�
d
|��
|�|�d�
�
�
�

t)j|����
�
����d�
�
}
||
fS)Nz$Calculating signature using v2 auth.r�
/�

r-�
�	digestmod�	Signature��
�safez-_~�
=�
&zString to sign: %s)�logger�debugrr$�path�len�method�netloc�hmac�newrN�
secret_key�encoder�sortedr4r�append�join�update�base64�	b64encode�digest�stripr3)r=r5�params�splitr^�string_to_sign�lhmac�pairs�key�value�
quoted_key�quoted_value�qs�b64s              r(�calc_signaturezSigV2Auth.calc_signature�s�
�����;�<�<�<����%�%���z���t�9�9�
�>�>��D�#�N�F�F�e�l�F�F�d�F�F�F������'�.�.�w�7�7�6�
�
�
�����&�>�>�		9�		9�C��k�!�!����s��$�$�E��s�z�z�'�2�2��<�<�<�J� ����g�!6�!6�U�C�C�C�L��L�L�J�7�7��7�7�8�8�8�8�
�X�X�e�_�_���"������)�>�:�:�:�
���^�*�*�7�3�3�4�4�4���u�|�|�~�~�.�.�4�4�6�6�=�=�g�F�F���C�y�r*c�\
�|j�t���
|
jr|
j}n|
j}|jj|d
<d|d<d|d<tjttj����|d<|jj	r|jj	|d<|�
|
|��\}}||d<|
S)	N�AWSAccessKeyId�
2�SignatureVersion�
HmacSHA256�SignatureMethod�	Timestamp�
SecurityTokenrV)rNrr.rn�
access_key�time�strftime�ISO8601�gmtime�tokenry)r=r5rnrw�	signatures     r(r:zSigV2Auth.add_auth�s�����#�$�&�&�&��<�	$��\�F�F��^�F�#'�#3�#>��� �%(��!�"�$0�� �!�"�m�G�T�[�]�]�C�C��{����!�
	=�&*�&6�&<�F�?�#��+�+�G�V�<�<�
��I�'��{���r*N)r>r?r@�__doc__rIryr:rCr*r(rKrKxsK��������
'�
'�
'����8����r*rKc
��eZ
dZd
�Zd�ZdS)�	SigV3Authc��|
|_dSrGrMrOs  r(rIzSigV3Auth.__init__�rPr*c��|j�t���
d
|
jvr|
jd
=td��
�
|
jd
<|jjr%d|
jvr|
jd=|jj|
jd<tj|jj�d�
�
t���}|�
|
jd
�d�
�
�
�

t|����
�
�
��}d|jj�d|�d�
�
��}d	|
jvr|
jd	=||
jd	<dS)
N�DateT�
�usegmt�X-Amz-Security-Tokenr-rTzAWS3-HTTPS AWSAccessKeyId=z ,Algorithm=HmacSHA256,Signature=zX-Amzn-Authorization)rNr�headersrr�rbrcrdrerrirrlrmr�r3)r=r5�new_hmac�encoded_signaturer�s     r(r:zSigV3Auth.add_auth�sd
����#�$�&�&�&��W�_�$�$����'�",�D�"9�"9�"9�������!�	M
�%���8�8��O�$:�;�6:�6F�6L�G�O�2�3��8���'�.�.�w�7�7�6�
�
�
��	������/�6�6�w�?�?�@�@�@�'����(9�(9�:�:�@�@�B�B��

R
��)9�)D�

R
�

R
�.?�.F�.F�w�.O�.O�

R
�

R
�	�"�W�_�4�4��� 6�7�2;���.�/�/�/r*N)r>r?r@rIr:rCr*r(r�r��s2������
'�
'�
'�<�<�<�<�<r*r�c��eZ
dZd
ZdZd�Zdd�
Zd�Zd�Zd�Z	d	�Z
d
�Zd�Zd�Z
d
�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�ZdS)�	SigV4Authz+
    Sign a request with Signature V4.
    Tc�0�|
|_||_
||_dSrG)rN�_region_name�
_service_name�r=rN�service_name�region_names    r(rIzSigV4Auth.__init__�s"��&���(���)����r*Fc�
�|rAt
j
|
|�d
�
�
t�����}n@t
j
|
|�d
�
�
t�����}|Sr,)rbrcrer�	hexdigestrl)r=rs�msg�hex�sigs     r(�_signzSigV4Auth._sign�sh���	F
��(�3��
�
�7� 3� 3�V�<�<�F�F�H�H�C�C��(�3��
�
�7� 3� 3�V�<�<�C�C�E�E�C��
r*c���t
��}|
j
���D]'\}}|���}|tv
r|||<�(d
|v
rt|
j�
�
|d
<|S)zk
        Select the headers from the request that need to be included
        in the StringToSign.
        r&)r
r��items�lower�SIGNED_HEADERS_BLACKLISTr)r$)r=r5�
header_map�namert�lnames      r(�headers_to_signzSigV4Auth.headers_to_sign�sy��
!�]�]�
�"�?�0�0�2�2�	*�	*�K�D�%��J�J�L�L�E��4�4�4�$)�
�5�!����#�#�"0���!<�!<�J�v���r*c��|
jr|�
|
j�
�
S|�t|
j�
�
�
�
SrG)rn�_canonical_query_string_params�_canonical_query_string_urlrr$r<s  r(�canonical_query_stringz SigV4Auth.canonical_query_string�sC��
�>�	K
��6�6�w�~�F�F�F��3�3�H�W�[�4I�4I�J�J�Jr*c	�|
�g}t
|
t��r|
���}
|
D]G\}}|�t	|d
���t	t|�
�
d
���f�
�

�Hg}t
|�
�
D]\}}|�|�d|���
�

� d�|�
�
}|S)Nz-_.~rXrZr[)r/rr�rgrr4rfrh)r=rn�
key_val_pairsrsrt�sorted_key_valsr�s       r(r�z(SigV4Auth._canonical_query_string_params

s����
��f�g�&�&�
	$��\�\�^�^�F� �	�	�J�C��� � ��s��(�(�(�%��E�
�
��*H�*H�*H�I�
�
�
�
���!��/�/�
	5�
	5�J�C���"�"�c�#3�#3�E�#3�#3�4�4�4�4�!$���/�!:�!:��%�%r*c�B
�d
}|
jr�g}|
j�
d�
�
D]2}|�d�
�
\}}}|�||f�
�

�3g}t	|�
�
D]\}}|�|�d|���
�

� d�|�
�
}|S)NrWr[rZ)�queryro�	partitionrgrfrh)	r=�partsr�r��pairrs�
_rtr�s	         r(r�z%SigV4Auth._canonical_query_string_url
s���!#���;�	?��M���)�)�#�.�.�
3�
3�� $���s� 3� 3�
��Q���$�$�c�5�\�2�2�2�2� �O�%�]�3�3�

9�

9�
��U��&�&�#�'7�'7��'7�'7�8�8�8�8�%(�X�X�o�%>�%>�"�%�%r*c�*
��g}t
t|
�
�
�
�
}|D]]}d
��f
d�|
�|�
�
D���
�
}|�|�dt|�
�
���
�

�^d�|�
�
S)a


        Return the headers that need to be included in the StringToSign
        in their canonical form by converting all header keys to lower
        case, sorting them in alphabetical order and then joining
        them into a string, separated by newlines.
        �
,c
3�B�
K
�|]}
��|
�
�
V�

�dSrG)
�
_header_value)�.0�
vr=s  �r(�	<genexpr>z.SigV4Auth.canonical_headers.<locals>.<genexpr>,
sB�������*+��"�"�1�%�%������r*�
:rS)rf�setrh�get_allrgr)r=r�r��sorted_header_namesrsrts`     r(�canonical_headerszSigV4Auth.canonical_headers"
s������$�S��%9�%9�:�:��&�	=�	=�C��H�H�����/>�/F�/F�s�/K�/K������E�
�N�N�c�;�;�N�5�$9�$9�;�;�<�<�<�<��y�y��!�!�!r*c�P�d
�|
�
���
�
S)N�
 )rhro)r=rts  r(r�zSigV4Auth._header_value2
s���x�x����
�
�&�&�&r*c�x�t
d
�t|
�
�
D���
�
}d�|�
�
S)Nc
3�bK
�|]*}
|
����
��V�

�+dSrG)r�rm)r��
ns  r(r�z+SigV4Auth.signed_headers.<locals>.<genexpr>;
s4����I�I�q��������*�*�I�I�I�I�I�Ir*�
;)rfr�rh)r=r�r�s   r(�signed_headerszSigV4Auth.signed_headers:
s8���I�I�C��4H�4H�I�I�I�I�I���x�x�� � � r*c��|
j�
d
i��}|�
d�
�
}t|t��o|�
d�
�
dkS)N�checksum�request_algorithm�in�trailer)�contextr"r/�dict)r=r5�checksum_context�	algorithms    r(�_is_streaming_checksum_payloadz(SigV4Auth._is_streaming_checksum_payload>
sT��"�?�.�.�z�2�>�>��$�(�(�)<�=�=�	��)�T�*�*�O�y�}�}�T�/B�/B�i�/O�Or*c� �|�|
�
�
rtS|�|
�
�
stS|
j}|r�t|d
��r�|���}tj|j	t��}t��}t|d��D]}|�
|�
�

�|���}|�|�
�

|S|r!t|�
�
���St S)N�seekr*)r��"STREAMING_UNSIGNED_PAYLOAD_TRAILER�_should_sha256_sign_payload�UNSIGNED_PAYLOAD�body�hasattr�tell�	functools�partial�read�PAYLOAD_BUFFERr�iterrir�r��EMPTY_SHA256_HASH)r=r5�request_body�position�read_chunksizer��chunk�hex_checksums        r(�payloadzSigV4Auth.payloadC
s
���.�.�w�7�7�	$�5�5��1�1�'�:�:�	$�$�#��|���	%�G�L�&�9�9�	%�#�(�(�*�*�H�&�.��!�>���N��x�x�H��n�c�2�2�

'�

'������&�&�&�&�#�-�-�/�/�L����h�'�'�'���
�	%��,�'�'�1�1�3�3�3�$�$r*c�p�|
j�
d
�
�
sdS|
j�dd��S)NrT�payload_signing_enabled)r$�
startswithr�r"r<s  r(r�z%SigV4Auth._should_sha256_sign_payload]
s:���{�%�%�g�.�.�
	��4�
��"�"�#<�d�C�C�Cr*c��|
j�
��g
}|�t|
j�
�
j�
�
}|�|�
�

|�|�|
�
�
�
�

|�|
�
�
}|�|�	|�
�
d
z�
�

|�|�
|�
�
�
�

d|
jvr|
jd}n|�|
�
�
}|�|�
�

d
�
|�
�
S)NrS�X-Amz-Content-SHA256)r`�upper�_normalize_url_pathrr$r^rgr�r�r�r�r�r�rh)r=r5�crr^r��
body_checksums      r(�canonical_requestzSigV4Auth.canonical_requestg
s
���n�"�"�$�$�
%���'�'����(=�(=�(B�C�C��
�	�	�$����
�	�	�$�-�-�g�6�6�7�7�7��.�.�w�7�7��
�	�	�$�(�(��9�9�D�@�A�A�A�
�	�	�$�%�%�o�6�6�7�7�7�!�W�_�4�4�#�O�,B�C�M�M� �L�L��1�1�M�
�	�	�-� � � ��y�y��}�}�r*c�B�t
t|
�
�
d
���}|S)Nz/~rX)rr)r=r^�normalized_paths   r(r�zSigV4Auth._normalize_url_pathv
s#��� 2�4� 8� 8�t�D�D�D���r*c�(
�|jj
g
}|�|
jd
dd��
�

|�|j�
�

|�|j�
�

|�d�
�

d�|�
�
S�N�	timestampr��aws4_requestrR)rNr�rgr�r�r�rh�r=r5�scopes   r(r�zSigV4Auth.scopez
s~���!�,�-��
���W�_�[�1�!�A�#�6�7�7�7�
���T�&�'�'�'�
���T�'�(�(�(�
���^�$�$�$��x�x����r*c�
�g}|�|
j
d
dd��
�

|�|j�
�

|�|j�
�

|�d�
�

d�|�
�
Sr�)rgr�r�r�rhr�s   r(�credential_scopezSigV4Auth.credential_scope�
su����
���W�_�[�1�!�A�#�6�7�7�7�
���T�&�'�'�'�
���T�'�(�(�(�
���^�$�$�$��x�x����r*c�P
�d
g
}|�|
j
d�
�

|�|�|
�
�
�
�

|�t|�d�
�
�
�
����
�

d�|�
�
S)z�
        Return the canonical StringToSign as well as a dict
        containing the original version of all headers that
        were included in the StringToSign.
        �AWS4-HMAC-SHA256r�r-rS)rgr�r�rrer�rh)r=r5r��stss    r(rpzSigV4Auth.string_to_sign�
s���"�"���
�
�7�?�;�/�0�0�0��
�
�4�(�(��1�1�2�2�2��
�
�6�+�2�2�7�;�;�<�<�F�F�H�H�I�I�I��y�y��~�~�r*c�^
�|jj
}|�d
|�����|jddd���}|�||j��}|�||j��}|�|d��}|�||
d���S)N�AWS4r�rr�r�T)
r�)rNrdr�rer�r�r�)r=rpr5rs�k_date�k_region�	k_service�	k_signings        r(r�zSigV4Auth.signature�
s�����)�����
�C�\�\�!�!�#�#�W�_�[�%A�!�A�#�%F�
�
���:�:�f�d�&7�8�8���J�J�x��);�<�<�	��J�J�y�.�9�9�	��z�z�)�^��z�>�>�>r*c�^�|j�t���
tj���}|�t
�
�
|
jd
<|�|
�
�

|�|
�
�
}t�
d�
�

t�
d|��
|�|
|��}t�
d|��
|�||
��}t�
d|��
|�
|
|��
dS)Nr�z$Calculating signature using v4 auth.zCanonicalRequest:
%s�StringToSign:
%sz
Signature:
%s)rNr�datetime�utcnowr��SIGV4_TIMESTAMPr��_modify_request_before_signingr�r\r]rpr��_inject_signature_to_request)r=r5�datetime_nowr�rpr�s      r(r:zSigV4Auth.add_auth�
s
����#�$�&�&�&��(�/�/�1�1��'3�'<�'<�_�'M�'M����$�	
�+�+�G�4�4�4� �2�2�7�;�;�����;�<�<�<����,�.?�@�@�@��,�,�W�6G�H�H�����(�.�9�9�9��N�N�>�7�;�;�	����%�y�1�1�1��)�)�'�9�=�=�=�=�=r*c�"
�d
|�|
�
�
zg
}|�
|
�
�
}|�d|�|�
�
���
�

|�d|z�
�

d�|�
�
|
jd<|
S)NzAWS4-HMAC-SHA256 Credential=%szSignedHeaders=zSignature=%sz, �
Authorization)r�r�rgr�rhr�)r=r5r��auth_strr�s     r(r

z&SigV4Auth._inject_signature_to_request�
s���4�t�z�z�'�7J�7J�J�K���.�.�w�7�7�����C�T�0�0��A�A�C�C�	
�	
�	
�	�����2�3�3�3�+/�9�9�X�+>�+>����(��r*c�.
�d
|
jvr|
jd
=|�
|
�
�

|jjr%d|
jvr|
jd=|jj|
jd<|
j�dd��s"d|
jvr|
jd=t|
jd<dSdS)Nr
r�r�Tr�)r��_set_necessary_date_headersrNr�r�r"r�r<s  r(r
z(SigV4Auth._modify_request_before_signing�
s����g�o�-�-����0��(�(��1�1�1���!�	M
�%���8�8��O�$:�;�6:�6F�6L�G�O�2�3���"�"�#<�d�C�C�	G
�%���8�8��O�$:�;�6F�G�O�2�3�3�3�	G
�	G
r*c�
�d
|
jvr�|
jd
=tj
�|
jdt��}tt
tj|�	���
�
�
�
�
�
|
jd
<d|
jvr
|
jd=dSdSd|
jvr|
jd=|
jd|
jd<dS)Nr�r��
X-Amz-Date)
r�r	
�strptimer�r
r�int�calendar�timegm�	timetuple)r=r5�datetime_timestamps   r(r
z%SigV4Auth._set_necessary_date_headers�
s����W�_�$�$����'�!)�!2�!;�!;����,�o�"�"��'1��H�O�$6�$@�$@�$B�$B�C�C�D�D�'�'�G�O�F�#��w��.�.��O�L�1�1�1�/�.��w��.�.��O�L�1�,3�O�K�,H�G�O�L�)�)�)r*N)
F)r>r?r@r�rArIr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rpr�r:r

r
r
rCr*r(r�r��s�
���������O�*�*�*�������� K
�K
�K
�&�&�&�"&�&�&� "�"�"� '�'�'�!�!�!�P
�P
�P
�
%�%�%�4D
�D
�D
�
�
�
����������
�
�
�?�?�?�>�>�>�$���G
�G
�G
�I
�I
�I
�I
�I
r*r�c�.��eZ
dZ�f
d
�Z�f
d�Zd�Z�x
ZS)�S3SigV4Authc��
�t
���
|
�
�

d
|
jvr|
jd
=|�|
�
�
|
jd
<dS)Nr�)�superr
r�r��r=r5�	__class__s  �r(r
z*S3SigV4Auth._modify_request_before_signing�
sR���
���.�.�w�7�7�7�!�W�_�4�4��� 6�7�26�,�,�w�2G�2G���.�/�/�/r*c�,�
�|
j�
d
�
�
}t|dd��}|�i}|�
dd��}|�|Sd}|
j�
di��}|�
d�
�
}t|t��r!|�
d�
�
dkr|d	}|
j�d
�
�
r	||
jv
rdS|
j�
dd
��rd
St���	|
�
�
S)N�
client_config�s3r�zContent-MD5r�r�r��headerr�rT�has_streaming_inputF)
r�r"�getattrr/r�r$r�r�r
r�)	r=r5r#
�	s3_config�sign_payload�checksum_headerr�r�r!
s	        �r(r�z'S3SigV4Auth._should_sha256_sign_payload�
s%
��� ��+�+�O�<�<�
��M�4��6�6�	����I�!�}�}�%>��E�E���#���(��"�?�.�.�z�2�>�>��$�(�(�)<�=�=�	��i��&�&�
	0�9�=�=��+>�+>�(�+J�+J�'��/�O���&�&�w�/�/�	��g�o�5�5��4��?���4�e�<�<�
	��5��w�w�2�2�7�;�;�;r*c
��|
SrGrC�r=r^s  r(r�zS3SigV4Auth._normalize_url_path����r*)r>r?r@r
r�r��
__classcell__�
r!
s
@r(r
r
�
sf�������H
�H
�H
�H
�H
�'<�'<�'<�'<�'<�R
������r*r
c�6��eZ
dZd
Z�f
d�Z�f
d�Z�f
d�Z�x
ZS)�
S3ExpressAuthTc
�\�
�t
���
|
||��
||_dSrG)r
rI�_identity_cache)r=rNr�r��identity_cacher!
s     �r(rIzS3ExpressAuth.__init__s/���	������l�K�@�@�@�-����r*c�J�
�t
���
|
�
�

dSrG)r
r:r 
s  �r(r:zS3ExpressAuth.add_auths!���
������!�!�!�!�!r*c��
�t
���
|
�
�

d
|
jv
r|jj|
jd
<d|
jvr
|
jd=dSdS)Nzx-amz-s3session-tokenr�)r
r
r�rNr�r 
s  �r(r
z,S3ExpressAuth._modify_request_before_signing sa���
���.�.�w�7�7�7�"�'�/�9�9�7;�7G�7M�G�O�3�4�!�W�_�4�4��� 6�7�7�7�5�4r*)r>r?r@�REQUIRES_IDENTITY_CACHErIr:r
r.
r/
s
@r(r1
r1
sp�������"��.�.�.�.�.�
"�
"�
"�
"�
"�8�8�8�8�8�8�8�8�8r*r1
c
��eZ
dZd
Zd�ZdS)�S3ExpressPostAuthTc��tj�
��}|�t�
�
|
jd
<i}|
j�dd���
|
jd}i}g}|
j�dd���+|
jd}|�dd���|d}||d<d|d<|�|
�
�
|d<|
jd
|d<|�ddi
�
�

|�d|�|
�
�
i
�
�

|�d|
jd
i
�
�

|jj	�0|jj	|d	<|�d	|jj	i
�
�

tjtj
|�
�
�d
�
�
�
�
�d
�
�
|d<|�|d|
��|d<||
jd<||
jd<dS)
Nr��s3-presign-post-fields�s3-presign-post-policy�
conditionsr��x-amz-algorithm�x-amz-credential�
x-amz-date�X-Amz-S3session-Tokenr-�policy�x-amz-signature�r	
r

r�r
r�r"r�rgrNr�rjrkr1�dumpsrer3r��r=r5r
�fieldsrB
r=
s      r(r:zS3ExpressPostAuth.add_auth,s���(�/�/�1�1��'3�'<�'<�_�'M�'M����$����?���7��>�>�J��_�%=�>�F����
��?���7��>�>�J��_�%=�>�F��z�z�,��-�-�9�#�L�1�
�)��|��$6�� �!�%)�Z�Z��%8�%8��!�"�&��{�;��|�����,�.@�A�B�B�B����-�t�z�z�'�/B�/B�C�D�D�D����<����)E�F�G�G�G���!�-�.2�.>�.D�F�*�+����(�$�*:�*@�A�
�
�
�
"�+��J�v���%�%�g�.�.�
�
�
�&��/�/�	�x��%)�N�N�6�(�3C�W�$M�$M�� �!�4:���0�1�4:���0�1�1�1r*N)r>r?r@r7
r:rCr*r(r9
r9
)s)������"��';�';�';�';�';r*r9
c�D��eZ
dZd
ZdZed�
�f
d�
Zd�Zd�Zd�Zd�Z	�x
Z
S)	�S3ExpressQueryAuthi,
T)
�expiresc�`�
�t
���
|
|||�
��
||_dS)N)
r4
�r
rI�_expires)r=rNr�r�r4
rJ
r!
s      �r(rIzS3ExpressQueryAuth.__init__Zs?���	��������)�		�	
�	
�	
� ��
�
�
r*c�2�|
j�
d
�
�
}d}||kr|
jd
=|�|�|
�
�
�
�
}d|�|
�
�
|
jd|j|d�}|jj�|jj|d<t|
j
�
�
}t|jd���}d	�|�
��D��}|
jr!|�|
j�
�

i|
_d
}	|
jr)|�t#|
�
�
�
�

d
|
_|rt%|�
�
dz}	|	�t%|�
�
��}
|}|d|d
|d|
|df}t'|�
�
|
_
dS)N�content-type�0application/x-www-form-urlencoded; charset=utf-8r�r��zX-Amz-AlgorithmzX-Amz-Credentialr
z
X-Amz-ExpireszX-Amz-SignedHeadersrA
T�
�keep_blank_valuesc
�&�i|]\}
}|
|d��S�
rrC�r��
kr�s   r(�
<dictcomp>zES3ExpressQueryAuth._modify_request_before_signing.<locals>.<dictcomp>��"��E�E�E�$�!�Q�a��1��E�E�Er*rWr[r�
���r�r"r�r�r�r�rM
rNr�rr$r
r�r�rnrir.r6rr)
r=r5�content_type�blocklisted_content_typer��auth_paramsr%�query_string_parts�
query_dict�operation_params�new_query_string�
p�
new_url_partss
             r(r
z1S3ExpressQueryAuth._modify_request_before_signingks�
����*�*�>�:�:��>�	!��3�3�3����/�
�,�,�T�-A�-A�'�-J�-J�K�K�� 2� $�
�
�7� 3� 3�!�/�+�6�!�]�#1�
�
����!�-�37�3C�3I�K�/�0��W�[�)�)�	�&�i�o��N�N�N��E�E�*<�*B�*B�*D�*D�E�E�E�
��>�	 ����g�n�-�-�-��G�N����<�	�
���/��8�8�9�9�9��G�L��
	I
�6�z�B�B�S�H���G�!8��!E�!E�G�G�	�
�
��1��q��t�Q�q�T�+;�Q�q�T�B�
� ��/�/����r*c�,�|
x
jd
|zz
c_dS�Nz&X-Amz-Signature=%s�
r$�r=r5r�s   r(r

z/S3ExpressQueryAuth._inject_signature_to_request����	���,�y�8�8����r*c
��|
SrGrCr,
s  r(r�z&S3ExpressQueryAuth._normalize_url_path�r-
r*c
��tSrG�
r�r<s  r(r�zS3ExpressQueryAuth.payload��
��
 �r*)r>r?r@�DEFAULT_EXPIRESr7
rIr
r

r�r�r.
r/
s
@r(rI
rI
Vs���������O�"�� � � � � � � � �"?0�?0�?0�B9�9�9���� � � � � � � r*rI
c�2��eZ
dZd
Zef
�f
d�	Zd�Zd�Z�x
ZS)�SigV4QueryAuth�c�\�
�t
���
|
||��
||_dSrGrL
)r=rNr�r�rJ
r!
s     �r(rIzSigV4QueryAuth.__init__�s,���	������l�K�@�@�@���
�
�
r*c�2�|
j�
d
�
�
}d}||kr|
jd
=|�|�|
�
�
�
�
}d|�|
�
�
|
jd|j|d�}|jj�|jj|d<t|
j
�
�
}t|jd���}d	�|�
��D��}|
jr!|�|
j�
�

i|
_d
}	|
jr)|�t#|
�
�
�
�

d
|
_|rt%|�
�
dz}	|	�t%|�
�
��}
|}|d|d
|d|
|df}t'|�
�
|
_
dS)NrO
rP
r�r�rQ
r�TrR
c
�&�i|]\}
}|
|d��SrU
rCrV
s   r(rX
zASigV4QueryAuth._modify_request_before_signing.<locals>.<dictcomp>�rY
r*rWr[rrZ
r[
r\
r]
)
r=r5r^
�blacklisted_content_typer�r`
r%ra
rb
rc
rd
re
rf
s
             r(r
z-SigV4QueryAuth._modify_request_before_signing�s�
����*�*�>�:�:��>�	!��3�3�3����/�
�,�,�T�-A�-A�'�-J�-J�K�K�� 2� $�
�
�7� 3� 3�!�/�+�6�!�]�#1�
�
����!�-�26�2B�2H�K�.�/��W�[�)�)�	�&�i�o��N�N�N��E�E�*<�*B�*B�*D�*D�E�E�E�
��>�	 ����g�n�-�-�-��G�N����<�	�
���/��8�8�9�9�9��G�L��
	I
�6�z�B�B�S�H���G�!8��!E�!E�G�G�	�
�
��1��q��t�Q�q�T�+;�Q�q�T�B�
� ��/�/����r*c�,�|
x
jd
|zz
c_dSrh
ri
rj
s   r(r

z+SigV4QueryAuth._inject_signature_to_requestrk
r*)r>r?r@rp
rIr
r

r.
r/
s
@r(rr
rr
�sg��������O�?N
� � � � � � �?0�?0�?0�B9�9�9�9�9�9�9r*rr
c
��eZ
dZd
Zd�Zd�ZdS)�S3SigV4QueryAutha
S3 SigV4 auth using query parameters.

    This signer will sign a request using query parameters and signature
    version 4, i.e a "presigned url" signer.

    Based off of:

    http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html

    c
��|
SrGrCr,
s  r(r�z$S3SigV4QueryAuth._normalize_url_pathr-
r*c
��tSrGrn
r<s  r(r�zS3SigV4QueryAuth.payloadro
r*N)r>r?r@r�r�r�rCr*r(rz
rz
s<������	�	���� � � � � r*rz
c
��eZ
dZd
Zd�ZdS)�S3SigV4PostAuthz�
    Presigns a s3 post

    Implementation doc here:
    http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html
    c��tj�
��}|�t�
�
|
jd
<i}|
j�dd���
|
jd}i}g}|
j�dd���+|
jd}|�dd���|d}||d<d|d<|�|
�
�
|d<|
jd
|d<|�ddi
�
�

|�d|�|
�
�
i
�
�

|�d|
jd
i
�
�

|jj	�0|jj	|d	<|�d	|jj	i
�
�

tjtj
|�
�
�d
�
�
�
�
�d
�
�
|d<|�|d|
��|d<||
jd<||
jd<dS)
Nr�r;
r<
r=
r�r>
r?
r@
�x-amz-security-tokenr-rB
rC
rD
rF
s      r(r:zS3SigV4PostAuth.add_auth/s���(�/�/�1�1��'3�'<�'<�_�'M�'M����$����?���7��>�>�J��_�%=�>�F����
��?���7��>�>�J��_�%=�>�F��z�z�,��-�-�9�#�L�1�
�)��|��$6�� �!�%)�Z�Z��%8�%8��!�"�&��{�;��|�����,�.@�A�B�B�B����-�t�z�z�'�/B�/B�C�D�D�D����<����)E�F�G�G�G���!�-�-1�-=�-C�F�)�*����5�t�7G�7M�N�O�O�O�"�+��J�v���%�%�g�.�.�
�
�
�&��/�/�	�x��%)�N�N�6�(�3C�W�$M�$M�� �!�4:���0�1�4:���0�1�1�1r*N�r>r?r@r�r:rCr*r(r~
r~
's-��������%;�%;�%;�%;�%;r*r~
c�d�eZ
dZgd
�
Zdd�
Zd�Zd�Zd�Zd�Zdd�
Z		dd	�
Z
	dd
�
Zd�Zd�Z
d
�ZdS)�
HmacV1Auth)$�
accelerate�acl�cors�defaultObjectAcl�location�logging�
partNumberrB
�requestPayment�torrent�
versioning�	versionId�versions�website�uploads�uploadIdzresponse-content-typezresponse-content-languagezresponse-expireszresponse-cache-controlzresponse-content-dispositionzresponse-content-encoding�delete�	lifecycle�tagging�restore�storageClass�notification�replicationr�
�	analytics�metrics�	inventory�selectzselect-typezobject-lockNc��|
|_dSrGrMr�s    r(rIzHmacV1Auth.__init__�rPr*c�N
�t
j
|jj�d
�
�
t
���}|�|
�d
�
�
�
�

t|����
�
�	���
d
�
�
S)Nr-rT)rbrcrNrdrerrirrlrmr3)r=rpr�s   r(�sign_stringzHmacV1Auth.sign_string�s����8���'�.�.�w�7�7�4�
�
�
��	����-�-�g�6�6�7�7�7��8�?�?�,�,�-�-�3�3�5�5�<�<�W�E�E�Er*c�\
�gd
�
}g}d|
vr|
d=|���|
d<|D]q}d}|
D]S}|�
��}|
|�5||kr/|�|
|����
�

d}�T|s|�d�
�

�rd�|�
�
S)N)�content-md5rO
�dater�FTrWrS)�	_get_dater�rgrmrh)r=r��interesting_headers�hoi�ih�foundrs�lks        r(�canonical_standard_headersz%HmacV1Auth.canonical_standard_headers�s���E�E�E�����W�������.�.�*�*����%�	�	�B��E��
!�
!���Y�Y�[�[���3�<�+��b����J�J�w�s�|�1�1�3�3�4�4�4� �E���

��
�
�2������y�y��~�~�r*c�
�g}i}|
D]h}|���}|
|�J|�
d
�
�
r5d�d�|
�|�
�
D���
�
||<�it	|����
�
}|D]"}|�|�d||���
�

�#d�|�
�
S)N�x-amz-r�c
3�>K
�|]}
|
���V�

�dSrG)
rm)r�r�s  r(r�z6HmacV1Auth.canonical_custom_headers.<locals>.<genexpr>�s;����2�2�&'�
���	�	�2�2�2�2�2�2r*r�rS)r�r�rhr�rf�keysrg)r=r�r�
�custom_headersrsr�
�sorted_header_keyss       r(�canonical_custom_headersz#HmacV1Auth.canonical_custom_headers�s��������	�	�C������B��s�|�'��=�=��*�*��),���2�2�+2�?�?�3�+?�+?�2�2�2�*�*�N�2�&��$�N�$7�$7�$9�$9�:�:��%�
	7�
	7�C��J�J�#�5�5��s� 3�5�5�6�6�6�6��y�y��~�~�r*c�f�t
|
�
�
d
kr|
S|
dt|
d
�
�
fS)z(
        TODO: Do we need this?
        rZ
r)r_r)r=�nvs  r(�	unquote_vzHmacV1Auth.unquote_v�s1���r�7�7�a�<�<��I��q�E�7�2�a�5�>�>�*�*r*c�T
��|�|}n|
j}|
j
r�|
j
�d
�
�
}d�|D��}�f
d�|D��}t|�
�
dkrL|�td�
�
��
�

d�|D��}|dz
}|d
�|�
�
z
}|S)Nr[c
�:�g|]}
|
�dd
����S)rZrZ
)
ro�r��
as  r(�
<listcomp>z1HmacV1Auth.canonical_resource.<locals>.<listcomp>�s$��0�0�0�q�1�7�7�3�
�?�?�0�0�0r*c
�X�
�g|]&}
|
d�jv���
|
�
�
��'SrU
)�
QSAOfInterestr�
)r�r�
r=s  �r(r�
z1HmacV1Auth.canonical_resource.<locals>.<listcomp>�s=������&'�!�A�$�$�:L�2L�2L����q�!�!�2L�2L�2Lr*r)
rsc
�8�g|]}
d�|
�
�
��S)
rZ)
rhr�
s  r(r�
z1HmacV1Auth.canonical_resource.<locals>.<listcomp>�s"��0�0�0�q�s�x�x�
�{�{�0�0�0r*�
?)r^r�ror_�sortrrh)r=ro�	auth_path�buf�qsas`    r(�canonical_resourcezHmacV1Auth.canonical_resource�s����� ��C�C��*�C��;�
	%��+�#�#�C�(�(�C�0�0�C�0�0�0�C�����+.����C��3�x�x�!�|�|����Z�
�]�]��+�+�+�0�0�C�0�0�0���s�
���s�x�x��}�}�$���
r*c���|
���d
z}||�
|�
�
d
zz
}|�|�
�
}|r||d
zz
}||�||���z
}|S)NrS�
r�
)r�r�
r�
r�
)r=r`ror�rJ
r�
�csr�
s        r(�canonical_stringzHmacV1Auth.canonical_string�s���\�\�^�^�d�
"��
�d�-�-�g�6�6��=�=���6�6�w�?�?���
	(��.�4�'�'�B�
�d�%�%�e�y�%�A�A�A���	r*c���|jj
r|d
=|jj
|d
<|�|
|||���}t�d|��
|�|�
�
S)Nr�
r�
r
)rNr�r�
r\r]r�
)r=r`ror�rJ
r�
rps       r(�
get_signaturezHmacV1Auth.get_signature�s{����!�	E
��.�/�.2�.>�.D�G�*�+��.�.��E�7�i�/�
�
��	���(�.�9�9�9�����/�/�/r*c�:
�|j�t�
t�d
�
�

t	|
j�
�
}t�d|
j��
|�|
j||
j|
j	���}|�
|
|��
dS)Nz(Calculating signature using hmacv1 auth.zHTTP request method: %sr�
)rNrr\r]rr$r`r�
r�r�
�_inject_signature)r=r5ror�s    r(r:zHmacV1Auth.add_auth�s�����#�$�$����?�@�@�@����%�%�����.���?�?�?��&�&��N�E�7�?�g�>O�'�
�
�	�	
���w�	�2�2�2�2�2r*c
�"�t
d
��
�
S)NTr�r�
r=s
 r(r�
zHmacV1Auth._get_date�s����&�&�&�&r*c�`�d
|
jvr|
jd
=d|j
j�d|��}||
jd
<dS)Nr
zAWS r�)r�rNr�)r=r5r��auth_headers    r(r�
zHmacV1Auth._inject_signature�sH���g�o�-�-����0�F�T�-�8�F�F�9�F�F��+6����(�(�(r*)NNrG)r>r?r@r�
rIr�
r�
r�
r�
r�
r�
r�
r:r�
r�
rCr*r(r�
r�
Ws�������%�%�%�M�N

'�
'�
'�
'�F
�F
�F
����"
�
�
�+�+�+�����6?C
�	�	�	�	�?C
�
0�
0�
0�
0�	3�	3�	3�
'�
'�
'�7�7�7�7�7r*r�
c�,�eZ
dZd
ZdZef
d�
Zd�Zd�ZdS)�HmacV1QueryAuthz�
    Generates a presigned request for s3.

    Spec from this document:

    http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html
    #RESTAuthenticationQueryStringAuth

    rs
c�"�|
|_||_
dSrG)rNrM
)r=rNrJ
s   r(rIzHmacV1QueryAuth.__init__
s��&�����
�
�
r*c
��t
ttj��t|j�
�
z�
�
�
�
SrG)r4r
r�rM
r�
s
 r(r�
zHmacV1QueryAuth._get_dates-���3�t�y�{�{�S���%7�%7�7�8�8�9�9�9r*c��
�i}|jj
|d
<||d<|
jD]V}|���}|dkr|
jd|d<�-|�d�
�
s|dvr|
j|||<�Wt|�
�
}t
|
j�
�
}|dr
|d�d|��}|d	|d
|d||df}t|�
�
|
_dS)
Nr{rVr��Expiresr�
)r�
rO
�r[rrZ
r[
r\
)	rNr�r�r�r�rrr$r)	r=r5r�rb
�
header_keyr�
rd
re
rf
s	         r(r�
z!HmacV1QueryAuth._inject_signatures
���
�'+�'7�'B�
�#�$�"+�
�;��!�/�
	5�
	5�J��!�!�#�#�B��V�#�#�(/���(?�
�9�%�%����x�(�(�
5�B�3�-�-�")���!4�
�2���3�:�>�>��
�W�[�!�!�
��Q�4�	<�#$�A�$�;�;�)9�;�;���1��q��t�Q�q�T�+;�Q�q�T�B�
� ��/�/����r*N)r>r?r@r�rp
rIr�
r�
rCr*r(r�
r�
sZ���������O�,;� � � � �
:�
:�
:�0�0�0�0�0r*r�
c
��eZ
dZd
Zd�ZdS)�HmacV1PostAuthz�
    Generates a presigned post for s3.

    Spec from this document:

    http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html
    c��i}|
j�
d
d���
|
jd
}i}g}|
j�
dd���+|
jd}|�
dd���|d}||d<|jj|d<|jj�0|jj|d<|�d|jji
�
�

t
jtj	|�
�
�
d�
�
�
�
�d�
�
|d<|�|d�
�
|d<||
jd
<||
jd<dS)	Nr;
r<
r=
r{r�
r-rB
r�)
r�r"rNr�r�rgrjrkr1rE
rer3r�
)r=r5rG
rB
r=
s     r(r:zHmacV1PostAuth.add_auth>sT
�����?���7��>�>�J��_�%=�>�F����
��?���7��>�>�J��_�%=�>�F��z�z�,��-�-�9�#�L�1�
�)��|��#'�#3�#>��� ���!�-�-1�-=�-C�F�)�*����5�t�7G�7M�N�O�O�O�"�+��J�v���%�%�g�.�.�
�
�
�&��/�/�	�x��#�.�.�v�h�/?�@�@��{��4:���0�1�4:���0�1�1�1r*Nr�
rCr*r(r�
r�
5s-��������;�;�;�;�;r*r�
c
��eZ
dZd
Zd�ZdS)�
BearerAuthz�
    Performs bearer token authorization by placing the bearer token in the
    Authorization header as specified by Section 2.1 of RFC 6750.

    https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
    c��|j�t���
d
|jj��}d|
jvr|
jd=||
jd<dS)NzBearer r
)rHrr�r�)r=r5r�
s   r(r:zBearerAuth.add_authesQ���?�"�"�$�$�$�7��� 5�7�7���g�o�-�-����0�+6����(�(�(r*Nr�
rCr*r(r�
r�
]s-��������7�7�7�7�7r*r�
)�v2�v3�v3httpsr$
zs3-queryzs3-presign-postzs3v4-presign-postzv4-s3expresszv4-s3express-queryzv4-s3express-presign-post�bearer)
�CRT_AUTH_TYPE_MAPS)�v4zv4-query�s3v4z
s3v4-query)Crjr
r	
r�rbr1r�
r��collections.abcr�email.utilsr�hashlibrr�operatorr�botocore.compatr	r
rrr
rrrr�botocore.exceptionsrr�botocore.utilsrrrr�	getLoggerr>r\r�r�r�r
r�r�r�r)r6r8rErKr�r�r
r1
r9
rI
rr
rz
r~
r�
r�
r�
r�
�AUTH_TYPE_MAPS�botocore.crt.authr�
rirCr*r(�<module>r�

sK�


�
�
�
�
�����������������������������#�#�#�#�#�#�"�"�"�"�"�"� � � � � � � � �������

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�
E
�D�D�D�D�D�D�D�
�
�
�
�
�
�
�
�
�
�
*�)�)�)�)�)�
��	�8�	$�	$��G
�
���
��"������
&��%I�"�
�
�
�&

�

�

�
.�
.�
.�
.�
.�
.�
.�
.�
%�
%�
%�
%�
%�*�
%�
%�
%�:
�:
�:
�:
�:
�
�:
�:
�:
�z

<�
<�
<�
<�
<�
�
<�
<�
<�8J
I
�J
I
�J
I
�J
I
�J
I
�
�J
I
�J
I
�J
I
�Z3
�3
�3
�3
�3
�)�3
�3
�3
�l

8�
8�
8�
8�
8�K�
8�
8�
8�**
;�*
;�*
;�*
;�*
;�
�*
;�*
;�*
;�Z
e

 �e

 �e

 �e

 �e

 ��e

 �e

 �e

 �PN

9�N

9�N

9�N

9�N

9�Y�N

9�N

9�N

9�b
 �
 �
 �
 �
 �~�
 �
 �
 �0-
;�-
;�-
;�-
;�-
;�i�-
;�-
;�-
;�`
f
7�f
7�f
7�f
7�f
7��f
7�f
7�f
7�R2
0�2
0�2
0�2
0�2
0�j�2
0�2
0�2
0�j
%
;�%
;�%
;�%
;�%
;�Z�%
;�%
;�%
;�P

7�
7�
7�
7�
7��
7�
7�
7�&�
��
��%�(�!�,�!2������
�4�4�4�4�4�4����,�-�-�-�-�-�����&��*�		
�	
�����r*