File: //usr/local/CyberPanel/lib64/python3.10/site-packages/google/auth/__pycache__/aws.cpython-310.pyc
o
�������h�������������������������@���s>���d�Z�d�d�l�Z�d�d�l�m�Z���d�d�l�Z�d�d�l�Z�d�d�l�m�Z���d�d�l Z d�d�l
Z
d�d�l�Z�d�d�l�Z�d�d�l
m�Z���d�d�l�Z�d�d�l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d l�m�Z���d
Z�d�Z�d�Z�d
Z�d�Z�d�Z�G�d�d���d�e���Z�d�d���Z�d�d���Z d�d���Z!d�i�f�d�d���Z"e�G�d�d���d�����Z#G�d�d���d�e�j$d���Z%G�d d!��d!e%��Z&G�d"d#��d#e�j'��Z'd�S�)$a ���AWS Credentials and AWS Signature V4 Request Signer.
This module provides credentials to access Google Cloud resources from Amazon
Web Services (AWS) workloads. These credentials are recommended over the
use of service account credentials in AWS as they do not involve the management
of long-live service account private keys.
AWS Credentials are initialized using external_account arguments which are
typically loaded from the external credentials JSON file.
This module also provides a definition for an abstract AWS security credentials supplier.
This supplier can be implemented to return valid AWS security credentials and an AWS region
and used to create AWS credentials. The credentials will then call the
supplier instead of using pre-defined methods such as calling the EC2 metadata endpoints.
This module also provides a basic implementation of the
`AWS Signature Version 4`_ request signing algorithm.
AWS Credentials use serialized signed requests to the
`AWS STS GetCallerIdentity`_ API that can be exchanged for Google access tokens
via the GCP STS endpoint.
.. _AWS Signature Version 4: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
.. _AWS STS GetCallerIdentity: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
�����N)�� dataclass)���Optional)���urljoin)���_helpers)���environment_vars)��
exceptions)���external_accountz�AWS4-HMAC-SHA256��aws4_requestz�x-amz-security-tokenz
x-amz-datezNhttps://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15��300c��������������������@���s&���e�Z�d�Z�d�Z�d�d���Z�d�i�f�d�d���Z�d�S�)��
RequestSignerz�Implements an AWS request signer based on the AWS Signature Version 4 signing
process.
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
c��������������������C���s
���|�|�_�d�S�)�z�Instantiates an AWS request signer used to compute authenticated signed
requests to AWS APIs based on the AWS Signature Version 4 signing process.
Args:
region_name (str): The AWS region to use.
N)���_region_name)���self��region_name��r�����E/usr/local/CyberPanel/lib/python3.10/site-packages/google/auth/aws.py��__init__R���s����
�z�RequestSigner.__init__��c����������������
���C���s����|�p�i�}�t�j���|���}�t�j���t�|�t���|�j�������}�|�j�r�|�j�d�k�r$t �
d�����t�|�j�|�j�p+d�t�|�j
��|�|�j�|�|�|�d���}�|���d���|�j�d���} d�|�v�rL|���d���| t�<�|�D�]�}
|�|
��| |
<�qN|�j�d�u�ra|�j�| t�<�|�|�| d ��}�|�rm|�|�d
<�|�S�)�a;���Generates the signed request for the provided HTTP request for calling
an AWS API. This follows the steps described at:
https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
Args:
aws_security_credentials (AWSSecurityCredentials): The AWS security credentials.
url (str): The AWS service URL containing the canonical URI and
query string.
method (str): The HTTP method used to call this API.
request_payload (Optional[str]): The optional request payload if
available.
additional_headers (Optional[Mapping[str, str]]): The optional
additional headers needed for the requested AWS API.
Returns:
Mapping[str, str]: The AWS signed request dictionary object.
��httpsz�Invalid AWS service URL��/)���host�
canonical_uri��canonical_querystring��method��region��aws_security_credentials��request_payload��additional_headers��authorization_header)��
Authorizationr������amz_dateN����urlr������headers��data)���urllib��parse��urlparser����� posixpath��normpath��path��hostname��schemer������InvalidResource�#_generate_authentication_header_map��_get_canonical_querystring��queryr������get��_AWS_DATE_HEADER�
session_token��_AWS_SECURITY_TOKEN_HEADER)�r
���r����r!���r����r����r������uri��normalized_uri�
header_mapr"�����key��signed_requestr����r����r������get_request_options\���s<���������������
�����������������������������������
�
���������z!RequestSigner.get_request_optionsN)���__name__�
__module__��__qualname__��__doc__r����r9���r����r����r����r����r����L���s����������������r����c��������������������C���s����t�j���|���}�i�}�|�D�](}�t�j�j�|�d�d���}�g�|�|�<�|�|���D�]�}�|�|�����t�j�j�|�d�d�������q�|�|���������q
t�|�������}�|�������g�}�|�D�]�}�|�|���D�]�}�|���d���|�|�������qGqAd�� |���S�)�a����Generates the canonical query string given a raw query string.
Logic is based on
https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
Args:
query (str): The raw query string.
Returns:
str: The canonical query string.
z�-_.~)���safez�{}={}��&)
r$���r%�����parse_qs��quote��append��sort��list��keys��format��join)�r/�����querystring��querystring_encoded_mapr7���� quote_key��item��sorted_keys��querystring_encoded_pairsr����r����r����r.�������s$�������������������������������������
�r.���c��������������������C���s����t���|�|���d���t�j�������S�)�z�Creates the HMAC-SHA256 hash of the provided message using the provided
key.
Args:
key (str): The HMAC-SHA256 key to use.
msg (str): The message to hash.
Returns:
str: The computed hash bytes.
��utf-8)���hmac��new��encode��hashlib��sha256��digest)�r7�����msgr����r����r������_sign����s������rV���c��������������������C���s6���t�d�|�����d���|���}�t�|�|���}�t�|�|���}�t�|�d���}�|�S�)�a����Calculates the signing key used to calculate the signature for
AWS Signature Version 4 based on:
https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
Args:
key (str): The AWS secret access key.
date_stamp (str): The '%Y%m%d' date format.
region_name (str): The AWS region.
service_name (str): The AWS service name, eg. sts.
Returns:
str: The signing key bytes.
��AWS4rN���r ���)�rV���rQ���)�r7����
date_stampr������service_name��k_date��k_region� k_service� k_signingr����r����r������_get_signing_key����s
�����
�
�
���r^���r����c����������������
���C���sh���|���d���d���}�t�����} | ��d���}
| ��d���}�i�}�|�D�]
}
|�|
��|�|
����<�q�|�j�d�u�r.|�j�|�t�<�|�|�d�<�d�|�v�r:|
|�t�<�d�}�t�|�� ����}�|��
����|�D�]�}
d ��|�|
|�|
����}�qHd
��|���}�t
��|�p^d���d���������}�d���|�|�|�|�|�|���}�d
��|�|�|�t���}�d���t�|
|�t
��|���d�����������}�t�|�j�|�|�|���}�t���|�|���d���t
j�������}�d���t�|�j�|�|�|���}�d�|�i�}�d�|�v�r�|
|�d�<�|�S�)�a���Generates the authentication header map needed for generating the AWS
Signature Version 4 signed request.
Args:
host (str): The AWS service URL hostname.
canonical_uri (str): The AWS service URL path name.
canonical_querystring (str): The AWS service URL query string.
method (str): The HTTP method used to call this API.
region (str): The AWS region.
aws_security_credentials (AWSSecurityCredentials): The AWS security credentials.
request_payload (Optional[str]): The optional request payload if
available.
additional_headers (Optional[Mapping[str, str]]): The optional
additional headers needed for the requested AWS API.
Returns:
Mapping[str, str]: The AWS authentication header dictionary object.
This contains the x-amz-date and authorization header information.
��.r����z�%Y%m%dT%H%M%SZz�%Y%m%dNr������dater����z�{}{}:{}
��;rN���z�{}
{}
{}
{}
{}
{}z�{}/{}/{}/{}z�{}
{}
{}
{}z3{} Credential={}/{}, SignedHeaders={}, Signature={}r����r����)���splitr������utcnow��strftime��lowerr2���r3���r1���rD���rE���rC���rF���rG���rR���rS���rQ���� hexdigest��_AWS_REQUEST_TYPE��_AWS_ALGORITHMr^�����secret_access_keyrO���rP����
access_key_id)�r����r����r����r����r����r����r����r����rY�����current_timer����rX�����full_headersr7�����canonical_headers��header_keys��signed_headers��payload_hash��canonical_request��credential_scope��string_to_sign��signing_key� signaturer������authentication_headerr����r����r����r-�������sx�������
�
�������
�������������������������
���
�������������������� ������������������
�����������������������������������r-���c��������������������@���s2���e�Z�d�Z�U�d�Z�e�e�d�<�e�e�d�<�d�Z�e�e���e�d�<�d�S�)���AwsSecurityCredentialsa����A class that models AWS security credentials with an optional session token.
Attributes:
access_key_id (str): The AWS security credentials access key id.
secret_access_key (str): The AWS security credentials secret access key.
session_token (Optional[str]): The optional AWS security credentials session token. This should be set when using temporary credentials.
rj���ri���Nr2���)�r:���r;���r<���r=�����str��__annotations__r2���r����r����r����r����r����rw���[���s
���
���������rw���c��������������������@���s,���e�Z�d�Z�d�Z�e�j�d�d�����Z�e�j�d�d�����Z�d�S�)���AwsSecurityCredentialsSupplieraC���Base class for AWS security credential suppliers. This can be implemented with custom logic to retrieve
AWS security credentials to exchange for a Google Cloud access token. The AWS external account credential does
not cache the AWS security credentials, so caching logic should be added in the implementation.
c��������������������C��������t�d�����)�a����Returns the AWS security credentials for the requested context.
.. warning: This is not cached by the calling Google credential, so caching logic should be implemented in the supplier.
Args:
context (google.auth.externalaccount.SupplierContext): The context object
containing information about the requested audience and subject token type.
request (google.auth.transport.Request): The object used to make
HTTP requests.
Raises:
google.auth.exceptions.RefreshError: If an error is encountered during
security credential retrieval logic.
Returns:
AwsSecurityCredentials: The requested AWS security credentials.
r��������NotImplementedError��r
�����context��requestr����r����r������get_aws_security_credentialsp���s������z;AwsSecurityCredentialsSupplier.get_aws_security_credentialsc��������������������C���r{���)�a&���Returns the AWS region for the requested context.
Args:
context (google.auth.externalaccount.SupplierContext): The context object
containing information about the requested audience and subject token type.
request (google.auth.transport.Request): The object used to make
HTTP requests.
Raises:
google.auth.exceptions.RefreshError: If an error is encountered during
region retrieval logic.
Returns:
str: The AWS region.
r����r|���r~���r����r����r������get_aws_region����s������z-AwsSecurityCredentialsSupplier.get_aws_regionN)�r:���r;���r<���r=�����abc��abstractmethodr����r����r����r����r����r����rz���j���s����������
�����rz���)�� metaclassc��������������������@���sT���e�Z�d�Z�d�Z�d�d���Z�e���e���d�d�����Z�e���e���d�d�����Z d�d ��Z
d
d���Z�d�d
��Z�d�S�)��&_DefaultAwsSecurityCredentialsSupplierz�Default implementation of AWS security credentials supplier. Supports retrieving
credentials and region via EC2 metadata endpoints and environment variables.
c��������������������C���s(���|���d���|�_�|���d���|�_�|���d���|�_�d�S�)�N�
region_urlr!�����imdsv2_session_token_url)�r0�����_region_url��_security_credentials_url��_imdsv2_session_token_url)�r
�����credential_sourcer����r����r����r��������s
�����������
�z/_DefaultAwsSecurityCredentialsSupplier.__init__c������������ �������C���s����t�j���t�j���}�t�j���t�j���}�t�j���t�j���}�|�r�|�r�t�|�|�|���S�|���|���}�|�� |�|���}�|��
|�|�|���}�t�|���d���|���d���|���d�����S�)�N��AccessKeyId��SecretAccessKey��Token)���os��environr0���r������AWS_ACCESS_KEY_ID��AWS_SECRET_ACCESS_KEY��AWS_SESSION_TOKENrw�����_get_imdsv2_session_token��_get_metadata_role_name�"_get_metadata_security_credentials) r
���r���r������env_aws_access_key_id��env_aws_secret_access_key��env_aws_session_token��imdsv2_session_token� role_name��credentialsr����r����r����r��������s&���������������������
�������������������zC_DefaultAwsSecurityCredentialsSupplier.get_aws_security_credentialsc��������������������C���s����t�j���t�j���}�|�d�u�r
|�S�t�j���t�j���}�|�d�u�r�|�S�|�j�s"t���d�����d�}�|�� |���}�|�d�u�r1d�|�i�}�|�|�j�d�|�d���}�t
|�j�d���rE|�j���d���n�|�j�}�|�j
t�j�k�rVt���d���|�������|�d�d�����S�) Nz�Unable to determine AWS region��X-aws-ec2-metadata-token��GETr �����decoderN���z!Unable to retrieve AWS region: {}���)�r����r����r0���r�����
AWS_REGION��AWS_DEFAULT_REGIONr����r������RefreshErrorr������hasattrr#���r������status��http_client��OKrF���)�r
���r���r������env_aws_regionr"���r������response�
response_bodyr����r����r����r��������s,�����������������
���
�������
�����������������z5_DefaultAwsSecurityCredentialsSupplier.get_aws_regionc��������������������C���sR���|�d�u�r'|�j�d�u�r'd�t�i�}�|�|�j�d�|�d���}�|�j�t�j�k�r$t���d���|�j�������|�j�S�d�S�)�Nz$X-aws-ec2-metadata-token-ttl-seconds��PUTr ���z(Unable to retrieve AWS Session Token: {}) r�����!_IMDSV2_SESSION_TOKEN_TTL_SECONDSr����r����r����r����r����rF���r#���)�r
���r����r"�����imdsv2_session_token_responser����r����r����r��������s��������������������������������z@_DefaultAwsSecurityCredentialsSupplier._get_imdsv2_session_tokenc��������������������C���sx���d�d�i�}�|�d�u�r�|�|�d�<�|�d���|�j�|���d�|�d���}�t�|�j�d���r$|�j���d ��n�|�j�}�|�j�t�j�k�r5t�� d
��|�������t
��|���}�|�S�)�aJ���Retrieves the AWS security credentials required for signing AWS
requests from the AWS metadata server.
Args:
request (google.auth.transport.Request): A callable used to make
HTTP requests.
role_name (str): The AWS role name required by the AWS metadata
server security_credentials endpoint in order to return the
credentials.
imdsv2_session_token (str): The AWS IMDSv2 session token to be added as a
header in the requests to AWS metadata endpoint.
Returns:
Mapping[str, str]: The AWS metadata server security credentials
response.
Raises:
google.auth.exceptions.RefreshError: If an error occurs while
retrieving the AWS security credentials.
z�Content-Typez�application/jsonNr����z�{}/{}r����r ���r����rN���z/Unable to retrieve AWS security credentials: {})�rF���r����r����r#���r����r����r����r����r����r������json��loads)�r
���r����r����r����r"���r����r������credentials_responser����r����r����r��������s$�������������������
��������������
���zI_DefaultAwsSecurityCredentialsSupplier._get_metadata_security_credentialsc��������������������C���sv���|�j�d�u�r
t���d�����d�}�|�d�u�r�d�|�i�}�|�|�j�d�|�d���}�t�|�j�d���r(|�j���d���n�|�j�}�|�j�t�j�k�r9t���d�� |�������|�S�) a����Retrieves the AWS role currently attached to the current AWS
workload by querying the AWS metadata server. This is needed for the
AWS metadata server security credentials endpoint in order to retrieve
the AWS security credentials needed to sign requests to AWS APIs.
Args:
request (google.auth.transport.Request): A callable used to make
HTTP requests.
imdsv2_session_token (str): The AWS IMDSv2 session token to be added as a
header in the requests to AWS metadata endpoint.
Returns:
str: The AWS role name.
Raises:
google.auth.exceptions.RefreshError: If an error occurs while
retrieving the AWS role name.
NzIUnable to determine the AWS metadata server security credentials endpointr����r����r ���r����rN���z#Unable to retrieve AWS role name {})
r����r����r����r����r#���r����r����r����r����rF���)�r
���r����r����r"���r����r����r����r����r����r����0���s&���
�������������������
�����������������z>_DefaultAwsSecurityCredentialsSupplier._get_metadata_role_nameN)
r:���r;���r<���r=���r����r������copy_docstringrz���r����r����r����r����r����r����r����r����r����r��������s������������
���
��&���1r����c������������������������sr���e�Z�d�Z�d�Z�e�j�d�d�f���f�d�d�� Z�d�d���Z���f�d�d���Z�d d
��Z ��f�d�d���Z
e���f�d
d�����Z�e���f�d�d�����Z
����Z�S�)���Credentialsz�AWS external account credentials.
This is used to exchange serialized AWS signature v4 signed requests to
AWS STS GetCallerIdentity service for Google access tokens.
Nc������������������������s����t�t�|���j�|�|�|�|�|�d���|�������|�d�u�r�|�d�u�r�t���d�����|�d�u�r*|�d�u�r*t���d�����|�r3|�|�_�t�|�_�nE|���d���p9d�}�t |���|�_�|���d���|�_�t
��d�|���} | rT| ����\�}
}�n�d \�}
}�|
d
k�sa|�j�d�u�rft��
d�����|�d�u�spt�|���d�k�rxt���d
��|�������|�|�_�d�|�_�d�S�)�u� ��Instantiates an AWS workload external account credentials object.
Args:
audience (str): The STS audience field.
subject_token_type (str): The subject token type based on the Oauth2.0 token exchange spec.
Expected values include::
“urn:ietf:params:aws:token-type:aws4_request”
token_url (Optional [str]): The STS endpoint URL. If not provided, will default to "https://sts.googleapis.com/v1/token".
credential_source (Optional [Mapping]): The credential source dictionary used
to provide instructions on how to retrieve external credential to be exchanged for Google access tokens.
Either a credential source or an AWS security credentials supplier must be provided.
Example credential_source for AWS credential::
{
"environment_id": "aws1",
"regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
"region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
imdsv2_session_token_url": "http://169.254.169.254/latest/api/token"
}
aws_security_credentials_supplier (Optional [AwsSecurityCredentialsSupplier]): Optional AWS security credentials supplier.
This will be called to supply valid AWS security credentails which will then
be exchanged for Google access tokens. Either an AWS security credentials supplier
or a credential source must be provided.
args (List): Optional positional arguments passed into the underlying :meth:`~external_account.Credentials.__init__` method.
kwargs (Mapping): Optional keyword arguments passed into the underlying :meth:`~external_account.Credentials.__init__` method.
Raises:
google.auth.exceptions.RefreshError: If an error is encountered during
access token retrieval logic.
ValueError: For invalid parameters.
.. note:: Typically one of the helper constructors
:meth:`from_file` or
:meth:`from_info` are used instead of calling the constructor directly.
)���audience��subject_token_type� token_urlr����NzPA valid credential source or AWS security credentials supplier must be provided.z]AWS credential cannot have both a credential source and an AWS security credentials supplier.��environment_idr������regional_cred_verification_urlz�^(aws)([\d]+)$)�NN��awsz)No valid AWS 'credential_source' provided�����z7aws version '{}' is not supported in the current build.)���superr����r����r������InvalidValue�"_aws_security_credentials_supplier�1_DEFAULT_AWS_REGIONAL_CREDENTIAL_VERIFICATION_URL��_cred_verification_urlr0���r������re��match��groupsr,�����intrF�����_target_resource��_request_signer)�r
���r����r����r����r�����!aws_security_credentials_supplier��args��kwargsr������matches��env_id��env_version��� __class__r����r����r����e���sZ���
2��������������������������������������������������������������������������������������
�z�Credentials.__init__c��������������������C���s����|�j�d�u�r�|�j���|�j�|���|�_�t�|�j���|�_�|�j���|�j�|���}�|�j���|�|�j�� d�|�j���d���}�|��
d���}�|�j�|�d�<�i�}�|��
d���|�d�<�|��
d���|�d�<�g�|�d�<�|�����D�]�}�|�d����
|�|�|���d�������qLt�j���t�j�|�d d
d�����S�)�ai���Retrieves the subject token using the credential_source object.
The subject token is a serialized `AWS GetCallerIdentity signed request`_.
The logic is summarized as:
Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION
environment variable or from the AWS metadata server availability-zone
if not found in the environment variable.
Check AWS credentials in environment variables. If not found, retrieve
from the AWS metadata server security-credentials endpoint.
When retrieving AWS credentials from the metadata server
security-credentials endpoint, the AWS role needs to be determined by
calling the security-credentials endpoint without any argument. Then the
credentials can be retrieved via: security-credentials/role_name
Generate the signed request to AWS STS GetCallerIdentity action.
Inject x-goog-cloud-target-resource into header and serialize the
signed request. This will be the subject-token to pass to GCP STS.
.. _AWS GetCallerIdentity signed request:
https://cloud.google.com/iam/docs/access-resources-aws#exchange-token
Args:
request (google.auth.transport.Request): A callable used to make
HTTP requests.
Returns:
str: The retrieved subject token.
Nz�{region}��POSTr"���z�x-goog-cloud-target-resourcer!���r����)�r7�����value)���,��:T)��
separators� sort_keys)�r����r����r������_supplier_context��_regionr����r����r9���r������replacer0���r����rE���rB���r$���r%���rA���r������dumps)�r
���r����r������request_options��request_headers��aws_signed_reqr7���r����r����r������retrieve_subject_token����s4���
#������������������������
�
�����������������������z"Credentials.retrieve_subject_tokenc������������������������s*���t�t�|�������}�d�|�d�<�|�����r�d�|�d�<�|�S�)�Nr������source��programmatic)�r����r������_create_default_metrics_options��_has_custom_supplier)�r
�����metrics_optionsr����r����r����r����&���s
�������������z+Credentials._create_default_metrics_optionsc��������������������C���s
���|�j�d�u�S�)�N)���_credential_source)�r
���r����r����r����r����-���s����
�z Credentials._has_custom_supplierc������������������������s*���t�t�|�������}�|�����r�|���d�|�j�i�����|�S�)�Nr����)�r����r������_constructor_argsr������updater����)�r
���r����r����r����r����r����0���s������������������z�Credentials._constructor_argsc������������������������s0���|���d���}�|���d�|�i�����t�t�|���j�|�f�i�|�����S�)�a����Creates an AWS Credentials instance from parsed external account info.
Args:
info (Mapping[str, str]): The AWS external account info in Google
format.
kwargs: Additional arguments to pass to the constructor.
Returns:
google.auth.aws.Credentials: The constructed credentials.
Raises:
ValueError: For invalid parameters.
r����)�r0���r����r����r����� from_info)���cls��infor����r����r����r����r����r����;���s������������������z�Credentials.from_infoc������������������������s����t�t�|���j�|�f�i�|�����S�)�aH���Creates an AWS Credentials instance from an external account json file.
Args:
filename (str): The path to the AWS external account json file.
kwargs: Additional arguments to pass to the constructor.
Returns:
google.auth.aws.Credentials: The constructed credentials.
)�r����r����� from_file)�r������filenamer����r����r����r����r����R���s������z�Credentials.from_file)�r:���r;���r<���r=���r������_DEFAULT_TOKEN_URLr����r����r����r����r������classmethodr����r�����
__classcell__r����r����r����r����r����_���s��������� �������j�W������������r����)(r=���r������dataclassesr����rR���rO�����http.client��clientr����r����r����r'���r������typingr����r$�����urllib.parser������google.authr����r����r����r����rh���rg���r3���r1���r����r������objectr����r.���rV���r^���r-���rw�����ABCMetarz���r����r����r����r����r����r������<module>����sJ������������������������������������������������������V�$������
��r�����/��G