U mah f @sXddlZddlZddlZddlZddlZddlZddlZddlZddlZ ddl m Z ddl m Z ddlmZddlmZddlmZddlmZddlmZejjZd Zd d Zd d ZddZeejejfZddZddZ e!dddddgZ"ddZ#d+ddZ$dZ%d Z&e&ddddddddddddf d!d"Z'd#d$Z(efd%d&Z)d'd(Z*d)d*Z+dS),N) exceptions)requests)_helpers)_DEFAULT_UNIVERSE_DOMAIN)_NOW)_UTC) DEFAULT_RETRYz[https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-accountcCs(t|tjjjs$tdt|tdS)aiRaise AttributeError if the credentials are unsigned. :type credentials: :class:`google.auth.credentials.Signing` :param credentials: The credentials used to create a private key for signing text. :raises: :exc:`AttributeError` if credentials is not an instance of :class:`google.auth.credentials.Signing`. zyou need a private key to sign credentials.the credentials you are currently using {} just contains a token. see {} for more details.N) isinstancegoogleauth credentialsZSigningAttributeErrorformattypeSERVICE_ACCOUNT_URL)r rA/tmp/pip-unpacked-wheel-asmaws5f/google/cloud/storage/_signing.pyensure_signed_credentials/s rcCs4t|||d}t|}|j}|||dS)aGets query parameters for creating a signed URL. :type credentials: :class:`google.auth.credentials.Signing` :param credentials: The credentials used to create a private key for signing text. :type expiration: int or long :param expiration: When the signed URL should expire. :type string_to_sign: str :param string_to_sign: The string to be signed by the credentials. :raises: :exc:`AttributeError` if credentials is not an instance of :class:`google.auth.credentials.Signing`. :rtype: dict :returns: Query parameters matching the signing credentials with a signed payload. asciiZGoogleAccessIdZExpires Signature)r sign_bytesencodebase64 b64encode signer_email)r expirationstring_to_signsignature_bytes signatureZservice_account_namerrrget_signed_query_params_v2Bs r cCsXt|tjrtt}||}t|tjr:t|}|d}t|tsTtdt ||S)a Convert 'expiration' to a number of seconds in the future. :type expiration: Union[Integer, datetime.datetime, datetime.timedelta] :param expiration: Point in time when the signed URL should expire. If a ``datetime`` instance is passed without an explicit ``tzinfo`` set, it will be assumed to be ``UTC``. :raises: :exc:`TypeError` when expiration is not a valid type. :rtype: int :returns: a timestamp as an absolute number of seconds since epoch. i@B=Expected an integer timestamp, datetime, or timedelta. Got %s) r datetime timedeltarrrZ_microseconds_from_datetimeint TypeErrorr)rnowZmicrosrrrget_expiration_seconds_v2as    r'cCst|tstdt|tt}t|tr0|}t|tjr\|jdkrT|j t j d}||}t|tj rtt| }|tkrtdt|S)aVConvert 'expiration' to a number of seconds offset from the current time. :type expiration: Union[Integer, datetime.datetime, datetime.timedelta] :param expiration: Point in time when the signed URL should expire. If a ``datetime`` instance is passed without an explicit ``tzinfo`` set, it will be assumed to be ``UTC``. :raises: :exc:`TypeError` when expiration is not a valid type. :raises: :exc:`ValueError` when expiration is too large. :rtype: Integer :returns: seconds in the future when the signed URL will expire r!Ntzinfoz.Max allowed expiration interval is seven days )r _EXPIRATION_TYPESr%rrrr$r"r)replacerUTCr# total_seconds SEVEN_DAYS ValueError)rr&secondsrrrget_expiration_seconds_v4s$      r1cCs|dkrg}nt|tr$t|}|s0ggfStt}|D]0\}}|}d| }|| |q>t dd|D}dd|D}||fS)amCanonicalize headers for signing. See: https://cloud.google.com/storage/docs/access-control/signed-urls#about-canonical-extension-headers :type headers: Union[dict|List(Tuple(str,str))] :param headers: (Optional) Additional HTTP headers to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers Requests using the signed URL *must* pass the specified header (name and value) with each request for the URL. :rtype: str :returns: List of headers, normalized / sortted per the URL refernced above. N css |]\}}|d|fVqdS),N)join).0keyvalrrr sz(get_canonical_headers..cSsg|]}dj|qS)z{}:{})r)r5itemrrr sz)get_canonical_headers..) r dictlistitems collections defaultdictlowerstripr4splitappendsorted)headers normalizedr6r7ordered_headerscanonical_headersrrrget_canonical_headerss     rI _Canonicalmethodresourcequery_parametersrEcCsvt|\}}|dkr"d}|d|dkr8t||g|Stdd|D}tj|}|d|}t||||S)ahCanonicalize method, resource per the V2 spec. :type method: str :param method: The HTTP verb that will be used when requesting the URL. Defaults to ``'GET'``. If method is ``'RESUMABLE'`` then the signature will additionally contain the `x-goog-resumable` header, and the method changed to POST. See the signed URL docs regarding this flow: https://cloud.google.com/storage/docs/access-control/signed-urls :type resource: str :param resource: A pointer to a specific resource (typically, ``/bucket-name/path/to/blob.txt``). :type query_parameters: dict :param query_parameters: (Optional) Additional query parameters to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers#query :type headers: Union[dict|List(Tuple(str,str))] :param headers: (Optional) Additional HTTP headers to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers Requests using the signed URL *must* pass the specified header (name and value) with each request for the URL. :rtype: :class:_Canonical :returns: Canonical method, resource, query_parameters, and headers. RESUMABLEPOSTzx-goog-resumable:startNcss*|]"\}}||r|pdfVqdS)N)r@rAr5r6valuerrrr8sz"canonicalize_v2..?)rIrCrJrDr=urllibparse urlencode)rKrLrMrE_Z normalized_qpZ encoded_qpZcanonical_resourcerrrcanonicalize_v2s   rXrPGETcCst|}t||| | }|j|p d|p&dt|g}||j||jd|}| rv| rvt || | |}| ||d}n t |||}|dk r||d<|dk r||d<| dk r| |d<| |j t |}dj||tj|d S) aGenerate a V2 signed URL to provide query-string auth'n to a resource. .. note:: Assumes ``credentials`` implements the :class:`google.auth.credentials.Signing` interface. Also assumes ``credentials`` has a ``signer_email`` property which identifies the credentials. .. note:: If you are on Google Compute Engine, you can't generate a signed URL. If you'd like to be able to generate a signed URL from GCE, you can use a standard service account from a JSON file rather than a GCE service account. See headers [reference](https://cloud.google.com/storage/docs/reference-headers) for more details on optional arguments. :type credentials: :class:`google.auth.credentials.Signing` :param credentials: Credentials object with an associated private key to sign text. :type resource: str :param resource: A pointer to a specific resource (typically, ``/bucket-name/path/to/blob.txt``). Caller should have already URL-encoded the value. :type expiration: Union[Integer, datetime.datetime, datetime.timedelta] :param expiration: Point in time when the signed URL should expire. If a ``datetime`` instance is passed without an explicit ``tzinfo`` set, it will be assumed to be ``UTC``. :type api_access_endpoint: str :param api_access_endpoint: (Optional) URI base. Defaults to empty string. :type method: str :param method: The HTTP verb that will be used when requesting the URL. Defaults to ``'GET'``. If method is ``'RESUMABLE'`` then the signature will additionally contain the `x-goog-resumable` header, and the method changed to POST. See the signed URL docs regarding this flow: https://cloud.google.com/storage/docs/access-control/signed-urls :type content_md5: str :param content_md5: (Optional) The MD5 hash of the object referenced by ``resource``. :type content_type: str :param content_type: (Optional) The content type of the object referenced by ``resource``. :type response_type: str :param response_type: (Optional) Content type of responses to requests for the signed URL. Ignored if content_type is set on object/blob metadata. :type response_disposition: str :param response_disposition: (Optional) Content disposition of responses to requests for the signed URL. :type generation: str :param generation: (Optional) A value that indicates which generation of the resource to fetch. :type headers: Union[dict|List(Tuple(str,str))] :param headers: (Optional) Additional HTTP headers to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers Requests using the signed URL *must* pass the specified header (name and value) with each request for the URL. :type service_account_email: str :param service_account_email: (Optional) E-mail address of the service account. :type access_token: str :param access_token: (Optional) Access token for a service account. :type query_parameters: dict :param query_parameters: (Optional) Additional query parameters to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers#query :raises: :exc:`TypeError` when expiration is not a valid type. :raises: :exc:`AttributeError` if credentials is not an instance of :class:`google.auth.credentials.Signing`. :rtype: str :returns: A signed URL you can use to access the resource until expiration. rP rNresponse-content-typeresponse-content-disposition generationz"{endpoint}{resource}?{querystring})ZendpointrLZ querystring)r'rXrKstrextendrErCrLr4 _sign_messager updaterMrDr=rrTrUrV)r rLrapi_access_endpointrK content_md5 content_type response_typeresponse_dispositionr]rErMservice_account_email access_tokenuniverse_domainZexpiration_stamp canonicalZelements_to_signrrZsigned_query_paramsZsorted_signed_query_paramsrrrgenerate_signed_url_v2sNn      rki: zhttps://storage.googleapis.comc%CsJt|}|dkrt\}}n|}|dd}| }| r8| sFt||j}|d}|d|}| dkrji} |dk rz|| d<|dk r|| d<dd| D}d |krtj|j| d <|d krd }d | d<t | \}}d |d}d dd|D}| dkri} ndd| D} d| d<|| d<|| d<|| d<|| d<|dk rT|| d<|dk rf|| d<| dk rx| | d<t | }t |}d|kr|d}nd}||||||g}d |}t|d} d||| g}!d |!}"| r| rt|"| | |}#t|#}$t|$d}#n ||"d}$t|$d}#d ||||#S)!a/Generate a V4 signed URL to provide query-string auth'n to a resource. .. note:: Assumes ``credentials`` implements the :class:`google.auth.credentials.Signing` interface. Also assumes ``credentials`` has a ``signer_email`` property which identifies the credentials. .. note:: If you are on Google Compute Engine, you can't generate a signed URL. If you'd like to be able to generate a signed URL from GCE,you can use a standard service account from a JSON file rather than a GCE service account. See headers [reference](https://cloud.google.com/storage/docs/reference-headers) for more details on optional arguments. :type credentials: :class:`google.auth.credentials.Signing` :param credentials: Credentials object with an associated private key to sign text. That credentials must provide signer_email only if service_account_email and access_token are not passed. :type resource: str :param resource: A pointer to a specific resource (typically, ``/bucket-name/path/to/blob.txt``). Caller should have already URL-encoded the value. :type expiration: Union[Integer, datetime.datetime, datetime.timedelta] :param expiration: Point in time when the signed URL should expire. If a ``datetime`` instance is passed without an explicit ``tzinfo`` set, it will be assumed to be ``UTC``. :type api_access_endpoint: str :param api_access_endpoint: URI base. Defaults to "https://storage.googleapis.com/" :type method: str :param method: The HTTP verb that will be used when requesting the URL. Defaults to ``'GET'``. If method is ``'RESUMABLE'`` then the signature will additionally contain the `x-goog-resumable` header, and the method changed to POST. See the signed URL docs regarding this flow: https://cloud.google.com/storage/docs/access-control/signed-urls :type content_md5: str :param content_md5: (Optional) The MD5 hash of the object referenced by ``resource``. :type content_type: str :param content_type: (Optional) The content type of the object referenced by ``resource``. :type response_type: str :param response_type: (Optional) Content type of responses to requests for the signed URL. Ignored if content_type is set on object/blob metadata. :type response_disposition: str :param response_disposition: (Optional) Content disposition of responses to requests for the signed URL. :type generation: str :param generation: (Optional) A value that indicates which generation of the resource to fetch. :type headers: dict :param headers: (Optional) Additional HTTP headers to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers Requests using the signed URL *must* pass the specified header (name and value) with each request for the URL. :type query_parameters: dict :param query_parameters: (Optional) Additional query parameters to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers#query :type service_account_email: str :param service_account_email: (Optional) E-mail address of the service account. :type access_token: str :param access_token: (Optional) Access token for a service account. :raises: :exc:`TypeError` when expiration is not a valid type. :raises: :exc:`AttributeError` if credentials is not an instance of :class:`google.auth.credentials.Signing`. :rtype: str :returns: A signed URL you can use to access the resource until expiration. Nz/auto/storage/goog4_request/z Content-Typez Content-MD5cSsg|] }|qSr)r@)r5r6rrrr:6sz*generate_signed_url_v4..hostHostrNrOstartzx-goog-resumablerZ;cSsg|] \}}|qSrr)r5r6rWrrrr:BscSsi|]\}}||pdqS)rPrrQrrr Gsz*generate_signed_url_v4..zGOOG4-RSA-SHA256zX-Goog-AlgorithmzX-Goog-Credentialz X-Goog-DatezX-Goog-ExpireszX-Goog-SignedHeadersr[r\r]zx-goog-content-sha256zUNSIGNED-PAYLOADrz{}{}?{}&X-Goog-Signature={})r1get_v4_now_dtstampsrrrTrUurlparsenetlocupperrIr4r= _url_encoder;hashlibsha256r hexdigestr`r b64decodebinasciihexlifydecoderr)%r rLrrbrKrcrdrerfr]rErMrgrhriZ_request_timestampZexpiration_secondsZrequest_timestamp datestampZ client_emailZcredential_scopeZ credential header_namesrHrGZcanonical_header_stringZsigned_headersZcanonical_query_stringZlowercased_headerspayloadZcanonical_elementsZcanonical_requestZcanonical_request_hashZstring_elementsrrrrrrgenerate_signed_url_v4sr                rcCs0ttjdd}|d}|d}||fS)z~Get current timestamp and datestamp in V4 valid format. :rtype: str, str :returns: Current timestamp, datestamp. Nr(z%Y%m%dT%H%M%SZz%Y%m%d)rrr+strftimedate)r& timestamprrrrrss rsc st|}dd|d|dd|ddtdt|d itfd d }t }||}|}|j t j j krtd |jt|jd }|d S)aSigns a message. :type message: str :param message: The message to be signed. :type access_token: str :param access_token: Access token for a service account. :type service_account_email: str :param service_account_email: E-mail address of the service account. :raises: :exc:`TransportError` if an `access_token` is unauthorized. :rtype: str :returns: The signature of the message. rOzhttps://iamcredentials.z/v1/projects/-/serviceAccounts/z:signBlob?alt=jsonzBearer zapplication/json) Authorizationz Content-typerzutf-8csd}|S)N)urlrKbodyrEr)responserrErKrequestrrrretriable_requestsz(_sign_message..retriable_requestz%Error calling the IAM signBytes API: Z signedBlob)r _to_bytesjsondumpsrrr~rRequestrstatushttpclientOKrZTransportErrordataloads) messagerhrgrirretrycallrrrrrr`s$  r`cCs dd|D}dt|S)zEncode query params into URL. :type query_params: dict :param query_params: Query params to be encoded. :rtype: str :returns: URL encoded query params. cSs&g|]\}}t|dt|qS)=) _quote_param)r5namerRrrrr:sz_url_encode..&)r=r4rD)Z query_paramsparamsrrrrws rwcCs"t|tst|}tjj|ddS)zQuote query param. :type param: Any :param param: Query param to be encoded. :rtype: str :returns: URL encoded query param. ~)safe)r bytesr^rTrUquote)paramrrrrs r) rPrYNNNNNNNNNN),rr|r>r"rxrrrTZgoogle.auth.credentialsr Z google.authrZgoogle.auth.transportrZ google.cloudrZgoogle.cloud.storage._helpersrrrZgoogle.cloud.storage.retryrutcnowZNOWrrr r'r$r#r*r1rI namedtuplerJrXrkr.ZDEFAULT_ENDPOINTrrsr`rwrrrrrs       &% 6 ! ^ 5