| Index: third_party/gsutil/boto/boto/auth.py
|
| diff --git a/third_party/gsutil/boto/boto/auth.py b/third_party/gsutil/boto/boto/auth.py
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..91c486407792f84c5b8c0f827a3bf23bde43b4f2
|
| --- /dev/null
|
| +++ b/third_party/gsutil/boto/boto/auth.py
|
| @@ -0,0 +1,682 @@
|
| +# Copyright 2010 Google Inc.
|
| +# Copyright (c) 2011 Mitch Garnaat http://garnaat.org/
|
| +# Copyright (c) 2011, Eucalyptus Systems, Inc.
|
| +#
|
| +# Permission is hereby granted, free of charge, to any person obtaining a
|
| +# copy of this software and associated documentation files (the
|
| +# "Software"), to deal in the Software without restriction, including
|
| +# without limitation the rights to use, copy, modify, merge, publish, dis-
|
| +# tribute, sublicense, and/or sell copies of the Software, and to permit
|
| +# persons to whom the Software is furnished to do so, subject to the fol-
|
| +# lowing conditions:
|
| +#
|
| +# The above copyright notice and this permission notice shall be included
|
| +# in all copies or substantial portions of the Software.
|
| +#
|
| +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
| +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABIL-
|
| +# ITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
|
| +# SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
|
| +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
| +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
|
| +# IN THE SOFTWARE.
|
| +
|
| +
|
| +"""
|
| +Handles authentication required to AWS and GS
|
| +"""
|
| +
|
| +import base64
|
| +import boto
|
| +import boto.auth_handler
|
| +import boto.exception
|
| +import boto.plugin
|
| +import boto.utils
|
| +import hmac
|
| +import sys
|
| +import urllib
|
| +import time
|
| +import datetime
|
| +import copy
|
| +from email.utils import formatdate
|
| +
|
| +from boto.auth_handler import AuthHandler
|
| +from boto.exception import BotoClientError
|
| +#
|
| +# the following is necessary because of the incompatibilities
|
| +# between Python 2.4, 2.5, and 2.6 as well as the fact that some
|
| +# people running 2.4 have installed hashlib as a separate module
|
| +# this fix was provided by boto user mccormix.
|
| +# see: http://code.google.com/p/boto/issues/detail?id=172
|
| +# for more details.
|
| +#
|
| +try:
|
| + from hashlib import sha1 as sha
|
| + from hashlib import sha256 as sha256
|
| +
|
| + if sys.version[:3] == "2.4":
|
| + # we are using an hmac that expects a .new() method.
|
| + class Faker:
|
| + def __init__(self, which):
|
| + self.which = which
|
| + self.digest_size = self.which().digest_size
|
| +
|
| + def new(self, *args, **kwargs):
|
| + return self.which(*args, **kwargs)
|
| +
|
| + sha = Faker(sha)
|
| + sha256 = Faker(sha256)
|
| +
|
| +except ImportError:
|
| + import sha
|
| + sha256 = None
|
| +
|
| +
|
| +class HmacKeys(object):
|
| + """Key based Auth handler helper."""
|
| +
|
| + def __init__(self, host, config, provider):
|
| + if provider.access_key is None or provider.secret_key is None:
|
| + raise boto.auth_handler.NotReadyToAuthenticate()
|
| + self.host = host
|
| + self.update_provider(provider)
|
| +
|
| + def update_provider(self, provider):
|
| + self._provider = provider
|
| + self._hmac = hmac.new(self._provider.secret_key, digestmod=sha)
|
| + if sha256:
|
| + self._hmac_256 = hmac.new(self._provider.secret_key,
|
| + digestmod=sha256)
|
| + else:
|
| + self._hmac_256 = None
|
| +
|
| + def algorithm(self):
|
| + if self._hmac_256:
|
| + return 'HmacSHA256'
|
| + else:
|
| + return 'HmacSHA1'
|
| +
|
| + def _get_hmac(self):
|
| + if self._hmac_256:
|
| + digestmod = sha256
|
| + else:
|
| + digestmod = sha
|
| + return hmac.new(self._provider.secret_key,
|
| + digestmod=digestmod)
|
| +
|
| + def sign_string(self, string_to_sign):
|
| + new_hmac = self._get_hmac()
|
| + new_hmac.update(string_to_sign)
|
| + return base64.encodestring(new_hmac.digest()).strip()
|
| +
|
| + def __getstate__(self):
|
| + pickled_dict = copy.copy(self.__dict__)
|
| + del pickled_dict['_hmac']
|
| + del pickled_dict['_hmac_256']
|
| + return pickled_dict
|
| +
|
| + def __setstate__(self, dct):
|
| + self.__dict__ = dct
|
| + self.update_provider(self._provider)
|
| +
|
| +
|
| +class AnonAuthHandler(AuthHandler, HmacKeys):
|
| + """
|
| + Implements Anonymous requests.
|
| + """
|
| +
|
| + capability = ['anon']
|
| +
|
| + def __init__(self, host, config, provider):
|
| + AuthHandler.__init__(self, host, config, provider)
|
| +
|
| + def add_auth(self, http_request, **kwargs):
|
| + pass
|
| +
|
| +
|
| +class HmacAuthV1Handler(AuthHandler, HmacKeys):
|
| + """ Implements the HMAC request signing used by S3 and GS."""
|
| +
|
| + capability = ['hmac-v1', 's3']
|
| +
|
| + def __init__(self, host, config, provider):
|
| + AuthHandler.__init__(self, host, config, provider)
|
| + HmacKeys.__init__(self, host, config, provider)
|
| + self._hmac_256 = None
|
| +
|
| + def update_provider(self, provider):
|
| + super(HmacAuthV1Handler, self).update_provider(provider)
|
| + self._hmac_256 = None
|
| +
|
| + def add_auth(self, http_request, **kwargs):
|
| + headers = http_request.headers
|
| + method = http_request.method
|
| + auth_path = http_request.auth_path
|
| + if 'Date' not in headers:
|
| + headers['Date'] = formatdate(usegmt=True)
|
| +
|
| + if self._provider.security_token:
|
| + key = self._provider.security_token_header
|
| + headers[key] = self._provider.security_token
|
| + string_to_sign = boto.utils.canonical_string(method, auth_path,
|
| + headers, None,
|
| + self._provider)
|
| + boto.log.debug('StringToSign:\n%s' % string_to_sign)
|
| + b64_hmac = self.sign_string(string_to_sign)
|
| + auth_hdr = self._provider.auth_header
|
| + headers['Authorization'] = ("%s %s:%s" %
|
| + (auth_hdr,
|
| + self._provider.access_key, b64_hmac))
|
| +
|
| +
|
| +class HmacAuthV2Handler(AuthHandler, HmacKeys):
|
| + """
|
| + Implements the simplified HMAC authorization used by CloudFront.
|
| + """
|
| + capability = ['hmac-v2', 'cloudfront']
|
| +
|
| + def __init__(self, host, config, provider):
|
| + AuthHandler.__init__(self, host, config, provider)
|
| + HmacKeys.__init__(self, host, config, provider)
|
| + self._hmac_256 = None
|
| +
|
| + def update_provider(self, provider):
|
| + super(HmacAuthV2Handler, self).update_provider(provider)
|
| + self._hmac_256 = None
|
| +
|
| + def add_auth(self, http_request, **kwargs):
|
| + headers = http_request.headers
|
| + if 'Date' not in headers:
|
| + headers['Date'] = formatdate(usegmt=True)
|
| + if self._provider.security_token:
|
| + key = self._provider.security_token_header
|
| + headers[key] = self._provider.security_token
|
| +
|
| + b64_hmac = self.sign_string(headers['Date'])
|
| + auth_hdr = self._provider.auth_header
|
| + headers['Authorization'] = ("%s %s:%s" %
|
| + (auth_hdr,
|
| + self._provider.access_key, b64_hmac))
|
| +
|
| +
|
| +class HmacAuthV3Handler(AuthHandler, HmacKeys):
|
| + """Implements the new Version 3 HMAC authorization used by Route53."""
|
| +
|
| + capability = ['hmac-v3', 'route53', 'ses']
|
| +
|
| + def __init__(self, host, config, provider):
|
| + AuthHandler.__init__(self, host, config, provider)
|
| + HmacKeys.__init__(self, host, config, provider)
|
| +
|
| + def add_auth(self, http_request, **kwargs):
|
| + headers = http_request.headers
|
| + if 'Date' not in headers:
|
| + headers['Date'] = formatdate(usegmt=True)
|
| +
|
| + if self._provider.security_token:
|
| + key = self._provider.security_token_header
|
| + headers[key] = self._provider.security_token
|
| +
|
| + b64_hmac = self.sign_string(headers['Date'])
|
| + s = "AWS3-HTTPS AWSAccessKeyId=%s," % self._provider.access_key
|
| + s += "Algorithm=%s,Signature=%s" % (self.algorithm(), b64_hmac)
|
| + headers['X-Amzn-Authorization'] = s
|
| +
|
| +
|
| +class HmacAuthV3HTTPHandler(AuthHandler, HmacKeys):
|
| + """
|
| + Implements the new Version 3 HMAC authorization used by DynamoDB.
|
| + """
|
| +
|
| + capability = ['hmac-v3-http']
|
| +
|
| + def __init__(self, host, config, provider):
|
| + AuthHandler.__init__(self, host, config, provider)
|
| + HmacKeys.__init__(self, host, config, provider)
|
| +
|
| + def headers_to_sign(self, http_request):
|
| + """
|
| + Select the headers from the request that need to be included
|
| + in the StringToSign.
|
| + """
|
| + headers_to_sign = {}
|
| + headers_to_sign = {'Host': self.host}
|
| + for name, value in http_request.headers.items():
|
| + lname = name.lower()
|
| + if lname.startswith('x-amz'):
|
| + headers_to_sign[name] = value
|
| + return headers_to_sign
|
| +
|
| + def canonical_headers(self, headers_to_sign):
|
| + """
|
| + Return the headers that need to be included in the StringToSign
|
| + in their canonical form by converting all header keys to lower
|
| + case, sorting them in alphabetical order and then joining
|
| + them into a string, separated by newlines.
|
| + """
|
| + l = sorted(['%s:%s' % (n.lower().strip(),
|
| + headers_to_sign[n].strip()) for n in headers_to_sign])
|
| + return '\n'.join(l)
|
| +
|
| + def string_to_sign(self, http_request):
|
| + """
|
| + Return the canonical StringToSign as well as a dict
|
| + containing the original version of all headers that
|
| + were included in the StringToSign.
|
| + """
|
| + headers_to_sign = self.headers_to_sign(http_request)
|
| + canonical_headers = self.canonical_headers(headers_to_sign)
|
| + string_to_sign = '\n'.join([http_request.method,
|
| + http_request.auth_path,
|
| + '',
|
| + canonical_headers,
|
| + '',
|
| + http_request.body])
|
| + return string_to_sign, headers_to_sign
|
| +
|
| + def add_auth(self, req, **kwargs):
|
| + """
|
| + Add AWS3 authentication to a request.
|
| +
|
| + :type req: :class`boto.connection.HTTPRequest`
|
| + :param req: The HTTPRequest object.
|
| + """
|
| + # This could be a retry. Make sure the previous
|
| + # authorization header is removed first.
|
| + if 'X-Amzn-Authorization' in req.headers:
|
| + del req.headers['X-Amzn-Authorization']
|
| + req.headers['X-Amz-Date'] = formatdate(usegmt=True)
|
| + if self._provider.security_token:
|
| + req.headers['X-Amz-Security-Token'] = self._provider.security_token
|
| + string_to_sign, headers_to_sign = self.string_to_sign(req)
|
| + boto.log.debug('StringToSign:\n%s' % string_to_sign)
|
| + hash_value = sha256(string_to_sign).digest()
|
| + b64_hmac = self.sign_string(hash_value)
|
| + s = "AWS3 AWSAccessKeyId=%s," % self._provider.access_key
|
| + s += "Algorithm=%s," % self.algorithm()
|
| + s += "SignedHeaders=%s," % ';'.join(headers_to_sign)
|
| + s += "Signature=%s" % b64_hmac
|
| + req.headers['X-Amzn-Authorization'] = s
|
| +
|
| +
|
| +class HmacAuthV4Handler(AuthHandler, HmacKeys):
|
| + """
|
| + Implements the new Version 4 HMAC authorization.
|
| + """
|
| +
|
| + capability = ['hmac-v4']
|
| +
|
| + def __init__(self, host, config, provider,
|
| + service_name=None, region_name=None):
|
| + AuthHandler.__init__(self, host, config, provider)
|
| + HmacKeys.__init__(self, host, config, provider)
|
| + # You can set the service_name and region_name to override the
|
| + # values which would otherwise come from the endpoint, e.g.
|
| + # <service>.<region>.amazonaws.com.
|
| + self.service_name = service_name
|
| + self.region_name = region_name
|
| +
|
| + def _sign(self, key, msg, hex=False):
|
| + if hex:
|
| + sig = hmac.new(key, msg.encode('utf-8'), sha256).hexdigest()
|
| + else:
|
| + sig = hmac.new(key, msg.encode('utf-8'), sha256).digest()
|
| + return sig
|
| +
|
| + def headers_to_sign(self, http_request):
|
| + """
|
| + Select the headers from the request that need to be included
|
| + in the StringToSign.
|
| + """
|
| + headers_to_sign = {}
|
| + headers_to_sign = {'Host': self.host}
|
| + for name, value in http_request.headers.items():
|
| + lname = name.lower()
|
| + if lname.startswith('x-amz'):
|
| + headers_to_sign[name] = value
|
| + return headers_to_sign
|
| +
|
| + def query_string(self, http_request):
|
| + parameter_names = sorted(http_request.params.keys())
|
| + pairs = []
|
| + for pname in parameter_names:
|
| + pval = str(http_request.params[pname]).encode('utf-8')
|
| + pairs.append(urllib.quote(pname, safe='') + '=' +
|
| + urllib.quote(pval, safe='-_~'))
|
| + return '&'.join(pairs)
|
| +
|
| + def canonical_query_string(self, http_request):
|
| + # POST requests pass parameters in through the
|
| + # http_request.body field.
|
| + if http_request.method == 'POST':
|
| + return ""
|
| + l = []
|
| + for param in sorted(http_request.params):
|
| + value = str(http_request.params[param])
|
| + l.append('%s=%s' % (urllib.quote(param, safe='-_.~'),
|
| + urllib.quote(value, safe='-_.~')))
|
| + return '&'.join(l)
|
| +
|
| + def canonical_headers(self, headers_to_sign):
|
| + """
|
| + Return the headers that need to be included in the StringToSign
|
| + in their canonical form by converting all header keys to lower
|
| + case, sorting them in alphabetical order and then joining
|
| + them into a string, separated by newlines.
|
| + """
|
| + l = sorted(['%s:%s' % (n.lower().strip(),
|
| + ' '.join(headers_to_sign[n].strip().split()))
|
| + for n in headers_to_sign])
|
| + return '\n'.join(l)
|
| +
|
| + def signed_headers(self, headers_to_sign):
|
| + l = ['%s' % n.lower().strip() for n in headers_to_sign]
|
| + l = sorted(l)
|
| + return ';'.join(l)
|
| +
|
| + def canonical_uri(self, http_request):
|
| + return http_request.auth_path
|
| +
|
| + def payload(self, http_request):
|
| + body = http_request.body
|
| + # If the body is a file like object, we can use
|
| + # boto.utils.compute_hash, which will avoid reading
|
| + # the entire body into memory.
|
| + if hasattr(body, 'seek') and hasattr(body, 'read'):
|
| + return boto.utils.compute_hash(body, hash_algorithm=sha256)[0]
|
| + return sha256(http_request.body).hexdigest()
|
| +
|
| + def canonical_request(self, http_request):
|
| + cr = [http_request.method.upper()]
|
| + cr.append(self.canonical_uri(http_request))
|
| + cr.append(self.canonical_query_string(http_request))
|
| + headers_to_sign = self.headers_to_sign(http_request)
|
| + cr.append(self.canonical_headers(headers_to_sign) + '\n')
|
| + cr.append(self.signed_headers(headers_to_sign))
|
| + cr.append(self.payload(http_request))
|
| + return '\n'.join(cr)
|
| +
|
| + def scope(self, http_request):
|
| + scope = [self._provider.access_key]
|
| + scope.append(http_request.timestamp)
|
| + scope.append(http_request.region_name)
|
| + scope.append(http_request.service_name)
|
| + scope.append('aws4_request')
|
| + return '/'.join(scope)
|
| +
|
| + def credential_scope(self, http_request):
|
| + scope = []
|
| + http_request.timestamp = http_request.headers['X-Amz-Date'][0:8]
|
| + scope.append(http_request.timestamp)
|
| + # The service_name and region_name either come from:
|
| + # * The service_name/region_name attrs or (if these values are None)
|
| + # * parsed from the endpoint <service>.<region>.amazonaws.com.
|
| + parts = http_request.host.split('.')
|
| + if self.region_name is not None:
|
| + region_name = self.region_name
|
| + else:
|
| + if len(parts) == 3:
|
| + region_name = 'us-east-1'
|
| + else:
|
| + region_name = parts[1]
|
| + if self.service_name is not None:
|
| + service_name = self.service_name
|
| + else:
|
| + service_name = parts[0]
|
| +
|
| + http_request.service_name = service_name
|
| + http_request.region_name = region_name
|
| +
|
| + scope.append(http_request.region_name)
|
| + scope.append(http_request.service_name)
|
| + scope.append('aws4_request')
|
| + return '/'.join(scope)
|
| +
|
| + def string_to_sign(self, http_request, canonical_request):
|
| + """
|
| + Return the canonical StringToSign as well as a dict
|
| + containing the original version of all headers that
|
| + were included in the StringToSign.
|
| + """
|
| + sts = ['AWS4-HMAC-SHA256']
|
| + sts.append(http_request.headers['X-Amz-Date'])
|
| + sts.append(self.credential_scope(http_request))
|
| + sts.append(sha256(canonical_request).hexdigest())
|
| + return '\n'.join(sts)
|
| +
|
| + def signature(self, http_request, string_to_sign):
|
| + key = self._provider.secret_key
|
| + k_date = self._sign(('AWS4' + key).encode('utf-8'),
|
| + http_request.timestamp)
|
| + k_region = self._sign(k_date, http_request.region_name)
|
| + k_service = self._sign(k_region, http_request.service_name)
|
| + k_signing = self._sign(k_service, 'aws4_request')
|
| + return self._sign(k_signing, string_to_sign, hex=True)
|
| +
|
| + def add_auth(self, req, **kwargs):
|
| + """
|
| + Add AWS4 authentication to a request.
|
| +
|
| + :type req: :class`boto.connection.HTTPRequest`
|
| + :param req: The HTTPRequest object.
|
| + """
|
| + # This could be a retry. Make sure the previous
|
| + # authorization header is removed first.
|
| + if 'X-Amzn-Authorization' in req.headers:
|
| + del req.headers['X-Amzn-Authorization']
|
| + now = datetime.datetime.utcnow()
|
| + req.headers['X-Amz-Date'] = now.strftime('%Y%m%dT%H%M%SZ')
|
| + if self._provider.security_token:
|
| + req.headers['X-Amz-Security-Token'] = self._provider.security_token
|
| + qs = self.query_string(req)
|
| + if qs and req.method == 'POST':
|
| + # Stash request parameters into post body
|
| + # before we generate the signature.
|
| + req.body = qs
|
| + req.headers['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'
|
| + req.headers['Content-Length'] = str(len(req.body))
|
| + else:
|
| + # Safe to modify req.path here since
|
| + # the signature will use req.auth_path.
|
| + req.path = req.path.split('?')[0]
|
| + req.path = req.path + '?' + qs
|
| + canonical_request = self.canonical_request(req)
|
| + boto.log.debug('CanonicalRequest:\n%s' % canonical_request)
|
| + string_to_sign = self.string_to_sign(req, canonical_request)
|
| + boto.log.debug('StringToSign:\n%s' % string_to_sign)
|
| + signature = self.signature(req, string_to_sign)
|
| + boto.log.debug('Signature:\n%s' % signature)
|
| + headers_to_sign = self.headers_to_sign(req)
|
| + l = ['AWS4-HMAC-SHA256 Credential=%s' % self.scope(req)]
|
| + l.append('SignedHeaders=%s' % self.signed_headers(headers_to_sign))
|
| + l.append('Signature=%s' % signature)
|
| + req.headers['Authorization'] = ','.join(l)
|
| +
|
| +
|
| +class QuerySignatureHelper(HmacKeys):
|
| + """
|
| + Helper for Query signature based Auth handler.
|
| +
|
| + Concrete sub class need to implement _calc_sigature method.
|
| + """
|
| +
|
| + def add_auth(self, http_request, **kwargs):
|
| + headers = http_request.headers
|
| + params = http_request.params
|
| + params['AWSAccessKeyId'] = self._provider.access_key
|
| + params['SignatureVersion'] = self.SignatureVersion
|
| + params['Timestamp'] = boto.utils.get_ts()
|
| + qs, signature = self._calc_signature(
|
| + http_request.params, http_request.method,
|
| + http_request.auth_path, http_request.host)
|
| + boto.log.debug('query_string: %s Signature: %s' % (qs, signature))
|
| + if http_request.method == 'POST':
|
| + headers['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'
|
| + http_request.body = qs + '&Signature=' + urllib.quote_plus(signature)
|
| + http_request.headers['Content-Length'] = str(len(http_request.body))
|
| + else:
|
| + http_request.body = ''
|
| + # if this is a retried request, the qs from the previous try will
|
| + # already be there, we need to get rid of that and rebuild it
|
| + http_request.path = http_request.path.split('?')[0]
|
| + http_request.path = (http_request.path + '?' + qs +
|
| + '&Signature=' + urllib.quote_plus(signature))
|
| +
|
| +
|
| +class QuerySignatureV0AuthHandler(QuerySignatureHelper, AuthHandler):
|
| + """Provides Signature V0 Signing"""
|
| +
|
| + SignatureVersion = 0
|
| + capability = ['sign-v0']
|
| +
|
| + def _calc_signature(self, params, *args):
|
| + boto.log.debug('using _calc_signature_0')
|
| + hmac = self._get_hmac()
|
| + s = params['Action'] + params['Timestamp']
|
| + hmac.update(s)
|
| + keys = params.keys()
|
| + keys.sort(cmp=lambda x, y: cmp(x.lower(), y.lower()))
|
| + pairs = []
|
| + for key in keys:
|
| + val = boto.utils.get_utf8_value(params[key])
|
| + pairs.append(key + '=' + urllib.quote(val))
|
| + qs = '&'.join(pairs)
|
| + return (qs, base64.b64encode(hmac.digest()))
|
| +
|
| +
|
| +class QuerySignatureV1AuthHandler(QuerySignatureHelper, AuthHandler):
|
| + """
|
| + Provides Query Signature V1 Authentication.
|
| + """
|
| +
|
| + SignatureVersion = 1
|
| + capability = ['sign-v1', 'mturk']
|
| +
|
| + def __init__(self, *args, **kw):
|
| + QuerySignatureHelper.__init__(self, *args, **kw)
|
| + AuthHandler.__init__(self, *args, **kw)
|
| + self._hmac_256 = None
|
| +
|
| + def _calc_signature(self, params, *args):
|
| + boto.log.debug('using _calc_signature_1')
|
| + hmac = self._get_hmac()
|
| + keys = params.keys()
|
| + keys.sort(cmp=lambda x, y: cmp(x.lower(), y.lower()))
|
| + pairs = []
|
| + for key in keys:
|
| + hmac.update(key)
|
| + val = boto.utils.get_utf8_value(params[key])
|
| + hmac.update(val)
|
| + pairs.append(key + '=' + urllib.quote(val))
|
| + qs = '&'.join(pairs)
|
| + return (qs, base64.b64encode(hmac.digest()))
|
| +
|
| +
|
| +class QuerySignatureV2AuthHandler(QuerySignatureHelper, AuthHandler):
|
| + """Provides Query Signature V2 Authentication."""
|
| +
|
| + SignatureVersion = 2
|
| + capability = ['sign-v2', 'ec2', 'ec2', 'emr', 'fps', 'ecs',
|
| + 'sdb', 'iam', 'rds', 'sns', 'sqs', 'cloudformation']
|
| +
|
| + def _calc_signature(self, params, verb, path, server_name):
|
| + boto.log.debug('using _calc_signature_2')
|
| + string_to_sign = '%s\n%s\n%s\n' % (verb, server_name.lower(), path)
|
| + hmac = self._get_hmac()
|
| + params['SignatureMethod'] = self.algorithm()
|
| + if self._provider.security_token:
|
| + params['SecurityToken'] = self._provider.security_token
|
| + keys = sorted(params.keys())
|
| + pairs = []
|
| + for key in keys:
|
| + val = boto.utils.get_utf8_value(params[key])
|
| + pairs.append(urllib.quote(key, safe='') + '=' +
|
| + urllib.quote(val, safe='-_~'))
|
| + qs = '&'.join(pairs)
|
| + boto.log.debug('query string: %s' % qs)
|
| + string_to_sign += qs
|
| + boto.log.debug('string_to_sign: %s' % string_to_sign)
|
| + hmac.update(string_to_sign)
|
| + b64 = base64.b64encode(hmac.digest())
|
| + boto.log.debug('len(b64)=%d' % len(b64))
|
| + boto.log.debug('base64 encoded digest: %s' % b64)
|
| + return (qs, b64)
|
| +
|
| +
|
| +class POSTPathQSV2AuthHandler(QuerySignatureV2AuthHandler, AuthHandler):
|
| + """
|
| + Query Signature V2 Authentication relocating signed query
|
| + into the path and allowing POST requests with Content-Types.
|
| + """
|
| +
|
| + capability = ['mws']
|
| +
|
| + def add_auth(self, req, **kwargs):
|
| + req.params['AWSAccessKeyId'] = self._provider.access_key
|
| + req.params['SignatureVersion'] = self.SignatureVersion
|
| + req.params['Timestamp'] = boto.utils.get_ts()
|
| + qs, signature = self._calc_signature(req.params, req.method,
|
| + req.auth_path, req.host)
|
| + boto.log.debug('query_string: %s Signature: %s' % (qs, signature))
|
| + if req.method == 'POST':
|
| + req.headers['Content-Length'] = str(len(req.body))
|
| + req.headers['Content-Type'] = req.headers.get('Content-Type',
|
| + 'text/plain')
|
| + else:
|
| + req.body = ''
|
| + # if this is a retried req, the qs from the previous try will
|
| + # already be there, we need to get rid of that and rebuild it
|
| + req.path = req.path.split('?')[0]
|
| + req.path = (req.path + '?' + qs +
|
| + '&Signature=' + urllib.quote_plus(signature))
|
| +
|
| +
|
| +def get_auth_handler(host, config, provider, requested_capability=None):
|
| + """Finds an AuthHandler that is ready to authenticate.
|
| +
|
| + Lists through all the registered AuthHandlers to find one that is willing
|
| + to handle for the requested capabilities, config and provider.
|
| +
|
| + :type host: string
|
| + :param host: The name of the host
|
| +
|
| + :type config:
|
| + :param config:
|
| +
|
| + :type provider:
|
| + :param provider:
|
| +
|
| + Returns:
|
| + An implementation of AuthHandler.
|
| +
|
| + Raises:
|
| + boto.exception.NoAuthHandlerFound
|
| + """
|
| + ready_handlers = []
|
| + auth_handlers = boto.plugin.get_plugin(AuthHandler, requested_capability)
|
| + total_handlers = len(auth_handlers)
|
| + for handler in auth_handlers:
|
| + try:
|
| + ready_handlers.append(handler(host, config, provider))
|
| + except boto.auth_handler.NotReadyToAuthenticate:
|
| + pass
|
| +
|
| + if not ready_handlers:
|
| + checked_handlers = auth_handlers
|
| + names = [handler.__name__ for handler in checked_handlers]
|
| + raise boto.exception.NoAuthHandlerFound(
|
| + 'No handler was ready to authenticate. %d handlers were checked.'
|
| + ' %s '
|
| + 'Check your credentials' % (len(names), str(names)))
|
| +
|
| + # We select the last ready auth handler that was loaded, to allow users to
|
| + # customize how auth works in environments where there are shared boto
|
| + # config files (e.g., /etc/boto.cfg and ~/.boto): The more general,
|
| + # system-wide shared configs should be loaded first, and the user's
|
| + # customizations loaded last. That way, for example, the system-wide
|
| + # config might include a plugin_directory that includes a service account
|
| + # auth plugin shared by all users of a Google Compute Engine instance
|
| + # (allowing sharing of non-user data between various services), and the
|
| + # user could override this with a .boto config that includes user-specific
|
| + # credentials (for access to user data).
|
| + return ready_handlers[-1]
|
|
|
Chromium Code Reviews
Issue 12317103:
Added gsutil to depot tools (Closed)
Base URL: https://chromium.googlesource.com/chromium/tools/depot_tools.git@master