# -*- coding: utf-8 -*- import hmac from hashlib import sha1 as sha py3k = False try: from urlparse import urlparse, unquote from base64 import encodestring except: py3k = True from urllib.parse import urlparse, unquote from base64 import encodebytes as encodestring from email.utils import formatdate from requests.auth import AuthBase class S3Auth(AuthBase): """Attaches AWS Authentication to the given Request object.""" service_base_url = 's3.amazonaws.com' # List of Query String Arguments of Interest special_params = [ 'acl', 'location', 'logging', 'partNumber', 'policy', 'requestPayment', 'torrent', 'versioning', 'versionId', 'versions', 'website', 'uploads', 'uploadId', 'response-content-type', 'response-content-language', 'response-expires', 'response-cache-control', 'delete', 'lifecycle', 'response-content-disposition', 'response-content-encoding', 'tagging', 'notification', 'cors' ] def __init__(self, access_key, secret_key, service_url=None): if service_url: self.service_base_url = service_url self.access_key = str(access_key) self.secret_key = str(secret_key) def __call__(self, r): # Create date header if it is not created yet. if 'date' not in r.headers and 'x-amz-date' not in r.headers: r.headers['date'] = formatdate( timeval=None, localtime=False, usegmt=True) signature = self.get_signature(r) if py3k: signature = signature.decode('utf-8') r.headers['Authorization'] = 'AWS %s:%s' % (self.access_key, signature) return r def get_signature(self, r): canonical_string = self.get_canonical_string( r.url, r.headers, r.method) if py3k: key = self.secret_key.encode('utf-8') msg = canonical_string.encode('utf-8') else: key = self.secret_key msg = canonical_string h = hmac.new(key, msg, digestmod=sha) return encodestring(h.digest()).strip() def get_canonical_string(self, url, headers, method): parsedurl = urlparse(url) objectkey = parsedurl.path[1:] query_args = sorted(parsedurl.query.split('&')) bucket = parsedurl.netloc[:-len(self.service_base_url)] if len(bucket) > 1: # remove last dot bucket = bucket[:-1] interesting_headers = { 'content-md5': '', 'content-type': '', 'date': ''} for key in headers: lk = key.lower() try: lk = lk.decode('utf-8') except: pass if headers[key] and (lk in interesting_headers.keys() or lk.startswith('x-amz-')): interesting_headers[lk] = headers[key].strip() # If x-amz-date is used it supersedes the date header. if not py3k: if 'x-amz-date' in interesting_headers: interesting_headers['date'] = '' else: if 'x-amz-date' in interesting_headers: interesting_headers['date'] = '' buf = '%s\n' % method for key in sorted(interesting_headers.keys()): val = interesting_headers[key] if key.startswith('x-amz-'): buf += '%s:%s\n' % (key, val) else: buf += '%s\n' % val # append the bucket if it exists if bucket != '': buf += '/%s' % bucket # add the objectkey. even if it doesn't exist, add the slash buf += '/%s' % objectkey params_found = False # handle special query string arguments for q in query_args: k = q.split('=')[0] if k in self.special_params: buf += '&' if params_found else '?' params_found = True try: k, v = q.split('=', 1) except ValueError: buf += q else: # Riak CS multipart upload ids look like this, `TFDSheOgTxC2Tsh1qVK73A==`, # is should be escaped to be included as part of a query string. # # A requests mp upload part request may look like # resp = requests.put( # 'https://url_here', # params={ # 'partNumber': 1, # 'uploadId': 'TFDSheOgTxC2Tsh1qVK73A==' # }, # data='some data', # auth=S3Auth('access_key', 'secret_key') # ) # # Requests automatically escapes the values in the `params` dict, so now # our uploadId is `TFDSheOgTxC2Tsh1qVK73A%3D%3D`, # if we sign the request with the encoded value the signature will # not be valid, we'll get 403 Access Denied. # So we unquote, this is no-op if the value isn't encoded. buf += '{key}={value}'.format(key=k, value=unquote(v)) return buf