. 0h f ddlZddlZddlZddlZddlZddlZddlZddlZddlZ ddl m Z ddl m Z ddlmZddlmZddlmZddlmZddlmZejjZd Zd Zd Zd ZeejejfZd ZdZ ej!dgdZ"dZ# ddZ$dZ%dZ&e&ddddddddddddf dZ'dZ(efdZ)dZ*dZ+dS)N) exceptions)requests)_helpers)_DEFAULT_UNIVERSE_DOMAIN)_NOW)_UTC) DEFAULT_RETRYz[https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-accountct|tjjjs5t dt|tdS)aiRaise AttributeError if the credentials are unsigned. :type credentials: :class:`google.auth.credentials.Signing` :param credentials: The credentials used to create a private key for signing text. :raises: :exc:`AttributeError` if credentials is not an instance of :class:`google.auth.credentials.Signing`. zyou need a private key to sign credentials.the credentials you are currently using {} just contains a token. see {} for more details.N) isinstancegoogleauth credentialsSigningAttributeErrorformattypeSERVICE_ACCOUNT_URL)rs X/var/www/html/nourish/venv/lib/python3.11/site-packages/google/cloud/storage/_signing.pyensure_signed_credentialsr/sY k6;#:#B C C  vd;//1DEE      ct|||d}tj|}|j}|||dS)aGets query parameters for creating a signed URL. :type credentials: :class:`google.auth.credentials.Signing` :param credentials: The credentials used to create a private key for signing text. :type expiration: int or long :param expiration: When the signed URL should expire. :type string_to_sign: str :param string_to_sign: The string to be signed by the credentials. :raises: :exc:`AttributeError` if credentials is not an instance of :class:`google.auth.credentials.Signing`. :rtype: dict :returns: Query parameters matching the signing credentials with a signed payload. asciiGoogleAccessIdExpires Signature)r sign_bytesencodebase64 b64encode signer_email)r expirationstring_to_signsignature_bytes signatureservice_account_names rget_signed_query_params_v2r'Bsd(k***!,,^-B-B7-K-KLLO 11I&3.  rc:t|tjrtt}||z}t|tjrt j|}|dz}t|tstdt|z|S)a Convert 'expiration' to a number of seconds in the future. :type expiration: Union[Integer, datetime.datetime, datetime.timedelta] :param expiration: Point in time when the signed URL should expire. If a ``datetime`` instance is passed without an explicit ``tzinfo`` set, it will be assumed to be ``UTC``. :raises: :exc:`TypeError` when expiration is not a valid type. :rtype: int :returns: a timestamp as an absolute number of seconds since epoch. i@B=Expected an integer timestamp, datetime, or timedelta. Got %s) r datetime timedeltarrr_microseconds_from_datetimeint TypeErrorr)r"nowmicross rget_expiration_seconds_v2r1as*h011&4jj:% *h/00%5jAAu_ j# & &  "&z"2"2 3    rc t|tstdt|zt t }t|t r|}t|tjr,|j | tj }||z }t|tj r!t | }|tkrtdt|S)aVConvert 'expiration' to a number of seconds offset from the current time. :type expiration: Union[Integer, datetime.datetime, datetime.timedelta] :param expiration: Point in time when the signed URL should expire. If a ``datetime`` instance is passed without an explicit ``tzinfo`` set, it will be assumed to be ``UTC``. :raises: :exc:`TypeError` when expiration is not a valid type. :raises: :exc:`ValueError` when expiration is too large. :rtype: Integer :returns: seconds in the future when the signed URL will expire r)Ntzinfoz.Max allowed expiration interval is seven days )r _EXPIRATION_TYPESr.rrrr-r*r4replacerUTCr+ total_seconds SEVEN_DAYS ValueError)r"r/secondss rget_expiration_seconds_v4r<s j"3 4 4  "&z"2"2 3   t**C*c""*h/00&   $#++8<+@@J#% *h0112j..0011V*VVWWW Nrc |g}n6t|tr!t|}|sggfSt jt}|D]m\}}|}d| }|| |ntd|D}d|D}||fS)amCanonicalize headers for signing. See: https://cloud.google.com/storage/docs/access-control/signed-urls#about-canonical-extension-headers :type headers: Union[dict|List(Tuple(str,str))] :param headers: (Optional) Additional HTTP headers to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers Requests using the signed URL *must* pass the specified header (name and value) with each request for the URL. :rtype: str :returns: List of headers, normalized / sortted per the URL refernced above. N c3JK|]\}}|d|fVdS),N)join).0keyvals r z(get_canonical_headers..s5UUhc3c388C==1UUUUUUrc"g|] }dj| S)z{}:{})r)rBitems r z)get_canonical_headers..s!KKK4.KKKr) r dictlistitems collections defaultdictlowerstriprAsplitappendsorted)headers normalizedrCrDordered_headerscanonical_headerss rget_canonical_headersrWs" GT " "(w}}'' 2v (..J$$Siikk!!hhsyy{{##3s####UU*BRBRBTBTUUUUUOKK?KKK o --r _Canonical)methodresourcequery_parametersrScNt|\}}|dkrd}|d|t||g|Std|D}t j|}|d|}t||||S)ahCanonicalize method, resource per the V2 spec. :type method: str :param method: The HTTP verb that will be used when requesting the URL. Defaults to ``'GET'``. If method is ``'RESUMABLE'`` then the signature will additionally contain the `x-goog-resumable` header, and the method changed to POST. See the signed URL docs regarding this flow: https://cloud.google.com/storage/docs/access-control/signed-urls :type resource: str :param resource: A pointer to a specific resource (typically, ``/bucket-name/path/to/blob.txt``). :type query_parameters: dict :param query_parameters: (Optional) Additional query parameters to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers#query :type headers: Union[dict|List(Tuple(str,str))] :param headers: (Optional) Additional HTTP headers to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers Requests using the signed URL *must* pass the specified header (name and value) with each request for the URL. :rtype: :class:_Canonical :returns: Canonical method, resource, query_parameters, and headers. RESUMABLEPOSTzx-goog-resumable:startNc3tK|]3\}}||r|pdfV4dS)N)rNrOrBrCvalues rrEz"canonicalize_v2..sY C e- 34r?)rWrQrXrRrKurllibparse urlencode)rYrZr[rS_ normalized_qp encoded_qpcanonical_resources rcanonicalize_v2rks@'w//JGQ /000&(B888*0022M'' 66J$33z33 f0- I IIrr`GETctt|}t||| | }|j|pd|pdt|g}||j||jd|}| r| rt|| | |}| ||d}nt|||}|||d<|||d<| | |d<| |j t|}d||t j| S) aGenerate a V2 signed URL to provide query-string auth'n to a resource. .. note:: Assumes ``credentials`` implements the :class:`google.auth.credentials.Signing` interface. Also assumes ``credentials`` has a ``signer_email`` property which identifies the credentials. .. note:: If you are on Google Compute Engine, you can't generate a signed URL. If you'd like to be able to generate a signed URL from GCE, you can use a standard service account from a JSON file rather than a GCE service account. See headers [reference](https://cloud.google.com/storage/docs/reference-headers) for more details on optional arguments. :type credentials: :class:`google.auth.credentials.Signing` :param credentials: Credentials object with an associated private key to sign text. :type resource: str :param resource: A pointer to a specific resource (typically, ``/bucket-name/path/to/blob.txt``). Caller should have already URL-encoded the value. :type expiration: Union[Integer, datetime.datetime, datetime.timedelta] :param expiration: Point in time when the signed URL should expire. If a ``datetime`` instance is passed without an explicit ``tzinfo`` set, it will be assumed to be ``UTC``. :type api_access_endpoint: str :param api_access_endpoint: (Optional) URI base. Defaults to empty string. :type method: str :param method: The HTTP verb that will be used when requesting the URL. Defaults to ``'GET'``. If method is ``'RESUMABLE'`` then the signature will additionally contain the `x-goog-resumable` header, and the method changed to POST. See the signed URL docs regarding this flow: https://cloud.google.com/storage/docs/access-control/signed-urls :type content_md5: str :param content_md5: (Optional) The MD5 hash of the object referenced by ``resource``. :type content_type: str :param content_type: (Optional) The content type of the object referenced by ``resource``. :type response_type: str :param response_type: (Optional) Content type of responses to requests for the signed URL. Ignored if content_type is set on object/blob metadata. :type response_disposition: str :param response_disposition: (Optional) Content disposition of responses to requests for the signed URL. :type generation: str :param generation: (Optional) A value that indicates which generation of the resource to fetch. :type headers: Union[dict|List(Tuple(str,str))] :param headers: (Optional) Additional HTTP headers to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers Requests using the signed URL *must* pass the specified header (name and value) with each request for the URL. :type service_account_email: str :param service_account_email: (Optional) E-mail address of the service account. :type access_token: str :param access_token: (Optional) Access token for a service account. :type query_parameters: dict :param query_parameters: (Optional) Additional query parameters to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers#query :raises: :exc:`TypeError` when expiration is not a valid type. :raises: :exc:`AttributeError` if credentials is not an instance of :class:`google.auth.credentials.Signing`. :rtype: str :returns: A signed URL you can use to access the resource until expiration. r` rNresponse-content-typeresponse-content-disposition generationz"{endpoint}{resource}?{querystring})endpointrZ querystring)r1rkrYstrextendrSrQrZrA _sign_messager'updater[rRrKrrdrerf)rrZr"api_access_endpointrY content_md5 content_type response_typeresponse_dispositionrqrSr[service_account_email access_tokenuniverse_domainexpiration_stamp canonicalelements_to_signr#r%signed_query_paramssorted_signed_query_paramss rgenerate_signed_url_v2rs\1<<2BGLLI r   I-...I.///YY/00N   -  ! L*?  4'"   9 )>   7D34'>R:;,6L)y9:::!'(;(A(A(C(C!D!D 0 6 6$L**+EFF 7  ri: zhttps://storage.googleapis.comcbt|}|t\}}n |}|dd}| }| r| st||j}|d}|d|}| i} ||| d<||| d<d| D}d|vr'tj|j| d <|d krd }d | d <t| \}}d |dz}d d|D}| i} nd| D} d| d<|| d<|| d<|| d<|| d<||| d<||| d<| | | d<t| }t|}d|vr |d}nd}||||||g}d |}tj|d} d||| g}!d |!}"| rP| rNt%|"| | |}#t'j|#}$t+j|$d}#nO||"d}$t+j|$d}#d||||#S)a/Generate a V4 signed URL to provide query-string auth'n to a resource. .. note:: Assumes ``credentials`` implements the :class:`google.auth.credentials.Signing` interface. Also assumes ``credentials`` has a ``signer_email`` property which identifies the credentials. .. note:: If you are on Google Compute Engine, you can't generate a signed URL. If you'd like to be able to generate a signed URL from GCE,you can use a standard service account from a JSON file rather than a GCE service account. See headers [reference](https://cloud.google.com/storage/docs/reference-headers) for more details on optional arguments. :type credentials: :class:`google.auth.credentials.Signing` :param credentials: Credentials object with an associated private key to sign text. That credentials must provide signer_email only if service_account_email and access_token are not passed. :type resource: str :param resource: A pointer to a specific resource (typically, ``/bucket-name/path/to/blob.txt``). Caller should have already URL-encoded the value. :type expiration: Union[Integer, datetime.datetime, datetime.timedelta] :param expiration: Point in time when the signed URL should expire. If a ``datetime`` instance is passed without an explicit ``tzinfo`` set, it will be assumed to be ``UTC``. :type api_access_endpoint: str :param api_access_endpoint: URI base. Defaults to "https://storage.googleapis.com/" :type method: str :param method: The HTTP verb that will be used when requesting the URL. Defaults to ``'GET'``. If method is ``'RESUMABLE'`` then the signature will additionally contain the `x-goog-resumable` header, and the method changed to POST. See the signed URL docs regarding this flow: https://cloud.google.com/storage/docs/access-control/signed-urls :type content_md5: str :param content_md5: (Optional) The MD5 hash of the object referenced by ``resource``. :type content_type: str :param content_type: (Optional) The content type of the object referenced by ``resource``. :type response_type: str :param response_type: (Optional) Content type of responses to requests for the signed URL. Ignored if content_type is set on object/blob metadata. :type response_disposition: str :param response_disposition: (Optional) Content disposition of responses to requests for the signed URL. :type generation: str :param generation: (Optional) A value that indicates which generation of the resource to fetch. :type headers: dict :param headers: (Optional) Additional HTTP headers to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers Requests using the signed URL *must* pass the specified header (name and value) with each request for the URL. :type query_parameters: dict :param query_parameters: (Optional) Additional query parameters to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers#query :type service_account_email: str :param service_account_email: (Optional) E-mail address of the service account. :type access_token: str :param access_token: (Optional) Access token for a service account. :raises: :exc:`TypeError` when expiration is not a valid type. :raises: :exc:`AttributeError` if credentials is not an instance of :class:`google.auth.credentials.Signing`. :rtype: str :returns: A signed URL you can use to access the resource until expiration. Nz/auto/storage/goog4_request/z Content-Typez Content-MD5c6g|]}|S)rN)rBrCs rrHz*generate_signed_url_v4..6s 333CCIIKK333rhostHostr]r^startzx-goog-resumablern;cg|]\}}|Srr)rBrCrgs rrHz*generate_signed_url_v4..BsAAAvsAsAAArci|] \}}||pd S)r`rras r z*generate_signed_url_v4..Gs"XXXeC"XXXrzGOOG4-RSA-SHA256zX-Goog-AlgorithmzX-Goog-Credentialz X-Goog-DatezX-Goog-ExpireszX-Goog-SignedHeadersrorprqzx-goog-content-sha256zUNSIGNED-PAYLOADrz{}{}?{}&X-Goog-Signature={})r<get_v4_now_dtstampsrr!rdreurlparsenetlocupperrWrArK _url_encoderIhashlibsha256r hexdigestrvr b64decodebinasciihexlifydecoderr)%rrZr"rxrYryrzr{r|rqrSr[r}r~r_request_timestampexpiration_secondsrequest_timestamp datestamp client_emailcredential_scope credential header_namesrVrUcanonical_header_stringsigned_headerscanonical_query_stringlowercased_headerspayloadcanonical_elementscanonical_requestcanonical_request_hashstring_elementsr#r%r$s% rgenerate_signed_url_v4rsd3:>>!':'<'<$99.&rr* )L 040!+..."/ #@@@ 55#355J".!, 337333L \!! ,//0CDDK ||~~$$&-"#)>w)G)G& #$$t+XXAAAAABBNXX?O?U?U?W?WXXX+='(,6()&7]#);%&/=+, 4A01';O78)3&()9::o.."444$%<=$   "455$^  ))ikk  O YY//NF-F! L*?  !*955$_55<.retriable_requests 7s6gNNNrz%Error calling the IAM signBytes API: signedBlob)r _to_bytesjsondumpsrr rrRequestr statushttpclientOKrTransportErrordataloads)messager~r}rrretrycallrrrrSrYrrs @@@@@rrvrvs90 ))G F }O } }Ti } } }C"\1*G :y&"27";";"B"B7"K"KL M MD  G E 5" # #DtvvH$+.((' CHM C C    :hm**733 4 4D  rcd|D}dt|S)zEncode query params into URL. :type query_params: dict :param query_params: Query params to be encoded. :rtype: str :returns: URL encoded query params. cVg|]&\}}t|dt|'S)=) _quote_param)rBnamerbs rrHz_url_encode..sJ D%   55 U 3 355r&)rKrArR) query_paramsparamss rrrsF'--//F 88F6NN # ##rct|tst|}tj|dS)zQuote query param. :type param: Any :param param: Query param to be encoded. :rtype: str :returns: URL encoded query param. ~)safe)r bytesrtrdrequote)params rrrs< eU # #E  <  e#  . ..r) r`rlNNNNNNNNNN),rrrLr*rrrrdgoogle.auth.credentialsr google.authrgoogle.auth.transportr google.cloudrgoogle.cloud.storage._helpersrrrgoogle.cloud.storage.retryr utcnowNOWrrr'r1r-r+r5r<rW namedtuplerXrkrr9DEFAULT_ENDPOINTrrrvrrrrrrsi   """"""******!!!!!!BBBBBB............444444 -    &>>(+X-?@###L".".".J$[ #GGG /J/J/Jl  ]]]]@ 3)  !ZZZZz    - 2222j$$$" / / / / /r