File: //lib/python3/dist-packages/botocore/__pycache__/signers.cpython-312.pyc

class RequestSigner

    An object to sign requests before they go out over the wire using
    one of the authentication mechanisms defined in ``auth.py``. This
    class fires two events scoped to a service and operation name:

    * choose-signer: Allows overriding the auth signer name.
    * before-sign: Allows mutating the request before signing.

    Together these events allow for customization of the request
    signing pipeline, including overrides, request path manipulation,
    and disabling signing per operation.


    :type service_id: botocore.model.ServiceId
    :param service_id: The service id for the service, e.g. ``S3``

    :type region_name: string
    :param region_name: Name of the service region, e.g. ``us-east-1``

    :type signing_name: string
    :param signing_name: Service signing name. This is usually the
                         same as the service name, but can differ. E.g.
                         ``emr`` vs. ``elasticmapreduce``.

    :type signature_version: string
    :param signature_version: Signature name like ``v4``.

    :type credentials: :py:class:`~botocore.credentials.Credentials`
    :param credentials: User credentials with which to sign requests.

    :type event_emitter: :py:class:`~botocore.hooks.BaseEventHooks`
    :param event_emitter: Extension mechanism to fire events.

RequestSigner.sign

        Sign a request before it goes out over the wire.

        :type operation_name: string
        :param operation_name: The name of the current operation, e.g.
                               ``ListBuckets``.
        :type request: AWSRequest
        :param request: The request object to be sent over the wire.

        :type region_name: str
        :param region_name: The region to sign the request for.

        :type signing_type: str
        :param signing_type: The type of signing to perform. This can be one of
            three possible values:

            * 'standard'     - This should be used for most requests.
            * 'presign-url'  - This should be used when pre-signing a request.
            * 'presign-post' - This should be used when pre-signing an S3 post.

        :type expires_in: int
        :param expires_in: The number of seconds the presigned url is valid
            for. This parameter is only valid for signing type 'presign-url'.

        :type signing_name: str
        :param signing_name: The name to use for the service when signing.

RequestSigner._choose_signer

        Allow setting the signature version via the choose-signer event.
        A value of `botocore.UNSIGNED` means no signing will be performed.

        :param operation_name: The operation to sign.
        :param signing_type: The type of signing that the signer is to be used
            for.
        :return: The signature version to sign with.

RequestSigner.get_auth_instance

        Get an auth instance which can be used to sign a request
        using the given signature version.

        :type signing_name: string
        :param signing_name: Service signing name. This is usually the
                             same as the service name, but can differ. E.g.
                             ``emr`` vs. ``elasticmapreduce``.

        :type region_name: string
        :param region_name: Name of the service region, e.g. ``us-east-1``

        :type signature_version: string
        :param signature_version: Signature name like ``v4``.

        :rtype: :py:class:`~botocore.auth.BaseSigner`
        :return: Auth instance to sign a request.

RequestSigner.generate_presigned_url

        Generates a presigned url

        :type request_dict: dict
        :param request_dict: The prepared request dictionary returned by
            ``botocore.awsrequest.prepare_request_dict()``

        :type operation_name: str
        :param operation_name: The operation being signed.

        :type expires_in: int
        :param expires_in: The number of seconds the presigned url is valid
            for. By default it expires in an hour (3600 seconds)

        :type region_name: string
        :param region_name: The region name to sign the presigned url.

        :type signing_name: str
        :param signing_name: The name to use for the service when signing.

        :returns: The presigned url

class CloudFrontSigner

    A signer to create a signed CloudFront URL.

    First you create a cloudfront signer based on a normalized RSA signer::

        import rsa
        def rsa_signer(message):
            private_key = open('private_key.pem', 'r').read()
            return rsa.sign(
                message,
                rsa.PrivateKey.load_pkcs1(private_key.encode('utf8')),
                'SHA-1')  # CloudFront requires SHA-1 hash
        cf_signer = CloudFrontSigner(key_id, rsa_signer)

    To sign with a canned policy::

        signed_url = cf_signer.generate_signed_url(
            url, date_less_than=datetime(2015, 12, 1))

    To sign with a custom policy::

        signed_url = cf_signer.generate_signed_url(url, policy=my_policy)

CloudFrontSigner.__init__

        Create a CloudFrontSigner.

        :type key_id: str
        :param key_id: The CloudFront Key Pair ID

        :type rsa_signer: callable
        :param rsa_signer: An RSA signer.
               Its only input parameter will be the message to be signed,
               and its output will be the signed content as a binary string.
               The hash algorithm needed by CloudFront is SHA-1.

CloudFrontSigner.generate_presigned_url

        Creates a signed CloudFront URL based on given parameters.

        :type url: str
        :param url: The URL of the protected object

        :type date_less_than: datetime
        :param date_less_than: The URL will expire after that date and time

        :type policy: str
        :param policy: The custom policy, possibly built by self.build_policy()

        :rtype: str
        :return: The signed URL.

CloudFrontSigner.build_policy

        A helper to build policy.

        :type resource: str
        :param resource: The URL or the stream filename of the protected object

        :type date_less_than: datetime
        :param date_less_than: The URL will expire after the time has passed

        :type date_greater_than: datetime
        :param date_greater_than: The URL will not be valid until this time

        :type ip_address: str
        :param ip_address: Use 'x.x.x.x' for an IP, or 'x.x.x.x/x' for a subnet

        :rtype: str
        :return: The policy in a compact string.

generate_db_auth_token

    Generates an auth token used to connect to a db with IAM credentials.

    :type DBHostname: str
    :param DBHostname: The hostname of the database to connect to.

    :type Port: int
    :param Port: The port number the database is listening on.

    :type DBUsername: str
    :param DBUsername: The username to log in as.

    :type Region: str
    :param Region: The region the database is in. If None, the client
        region will be used.

    :return: A presigned url which can be used as an auth token.

S3PostPresigner.generate_presigned_post

        Generates the url and the form fields used for a presigned s3 post

        :type request_dict: dict
        :param request_dict: The prepared request dictionary returned by
            ``botocore.awsrequest.prepare_request_dict()``

        :type fields: dict
        :param fields: A dictionary of prefilled form fields to build on top
            of.

        :type conditions: list
        :param conditions: A list of conditions to include in the policy. Each
            element can be either a list or a structure. For example:
            [
             {"acl": "public-read"},
             {"bucket": "mybucket"},
             ["starts-with", "$key", "mykey"]
            ]

        :type expires_in: int
        :param expires_in: The number of seconds the presigned post is valid
            for.

        :type region_name: string
        :param region_name: The region name to sign the presigned post to.

        :rtype: dict
        :returns: A dictionary with two elements: ``url`` and ``fields``.
            Url is the url to post to. Fields is a dictionary filled with
            the form fields and respective values to use when submitting the
            post. For example:

            {'url': 'https://mybucket.s3.amazonaws.com',
             'fields': {'acl': 'public-read',
                        'key': 'mykey',
                        'signature': 'mysignature',
                        'policy': 'mybase64 encoded policy'}
            }

generate_presigned_url

    Generate a presigned url given a client, its method, and arguments

    :type ClientMethod: string
    :param ClientMethod: The client method to presign for

    :type Params: dict
    :param Params: The parameters normally passed to
        ``ClientMethod``.

    :type ExpiresIn: int
    :param ExpiresIn: The number of seconds the presigned url is valid
        for. By default it expires in an hour (3600 seconds)

    :type HttpMethod: string
    :param HttpMethod: The http method to use on the generated url. By
        default, the http method is whatever is used in the method's model.

    :returns: The presigned url

generate_presigned_post

    Builds the url and the form fields used for a presigned s3 post

    :type Bucket: string
    :param Bucket: The name of the bucket to presign the post to. Note that
        bucket related conditions should not be included in the
        ``conditions`` parameter.

    :type Key: string
    :param Key: Key name, optionally add ${filename} to the end to
        attach the submitted filename. Note that key related conditions and
        fields are filled out for you and should not be included in the
        ``Fields`` or ``Conditions`` parameter.

    :type Fields: dict
    :param Fields: A dictionary of prefilled form fields to build on top
        of. Elements that may be included are acl, Cache-Control,
        Content-Type, Content-Disposition, Content-Encoding, Expires,
        success_action_redirect, redirect, success_action_status,
        and x-amz-meta-.

        Note that if a particular element is included in the fields
        dictionary it will not be automatically added to the conditions
        list. You must specify a condition for the element as well.

    :type Conditions: list
    :param Conditions: A list of conditions to include in the policy. Each
        element can be either a list or a structure. For example:

        [
         {"acl": "public-read"},
         ["content-length-range", 2, 5],
         ["starts-with", "$success_action_redirect", ""]
        ]

        Conditions that are included may pertain to acl,
        content-length-range, Cache-Control, Content-Type,
        Content-Disposition, Content-Encoding, Expires,
        success_action_redirect, redirect, success_action_status,
        and/or x-amz-meta-.

        Note that if you include a condition, you must specify
        a valid value in the fields dictionary as well. A value will
        not be added automatically to the fields dictionary based on the
        conditions.

    :type ExpiresIn: int
    :param ExpiresIn: The number of seconds the presigned post
        is valid for.

    :rtype: dict
    :returns: A dictionary with two elements: ``url`` and ``fields``.
        Url is the url to post to. Fields is a dictionary filled with
        the form fields and respective values to use when submitting the
        post. For example:

        {'url': 'https://mybucket.s3.amazonaws.com',
         'fields': {'acl': 'public-read',
                    'key': 'mykey',
                    'signature': 'mysignature',
                    'policy': 'mybase64 encoded policy'}
        }