U d/eS@sdZddlZddlZddlZddlZddlZddlZddlZddlm Z m Z ddl m Z ddl mZddlmZmZddlmZddlZddlZddlmZdd lmZdd lmZmZmZdd lmZm Z d d l!m"Z"e#e dd$Z%e#e dd$Z&e#e d d$Z'ddZ(d9ddZ)ddZ*GdddZ+Gddde+Z,Gddde+Z-Gdd d e+Z.Gd!d"d"e+Z/Gd#d$d$e+Z0Gd%d&d&e+Z1d'd(Z2d)d*Z3Gd+d,d,e+Z4Gd-d.d.e+Z5Gd/d0d0e+Z6Gd1d2d2e+Z7Gd3d4d4e7Z8Gd5d6d6e7Z9Gd7d8d8e+Z:dS):zCredential providers.N)ABCMetaabstractmethod) timedelta)Path) urlencodeurlsplit) ElementTree) sha256_hash) sign_v4_sts)from_iso8601utc to_amz_dateutcnow)findfindtext) Credentials)minutes)days)hourscCsTt|}t||}t|d}tt|dd}tt|ddt|ddt|dd|S)z&Parse data containing credentials XML.r ExpirationT AccessKeyIdSecretAccessKeyZ SessionToken)r fromstringrr rr)datanameelementZ expirationr?/tmp/pip-unpacked-wheel-xery97c7/minio/credentials/providers.py_parse_credentials/s      r cCs4|j||||d}|jdkr0t|d|j|S)z.Wrapper of urlopen() handles HTTP status code.bodyheaders)z failed with HTTP status code )urlopenstatus ValueError) http_clientmethodurlr"r#resrrr_urlopen=s r.cCs$tjdp"tjdp"ttS)z Return current user home folder.HOMEZ UserProfile)osenvirongetstrrhomerrrr_user_home_dirEs    r5c@s eZdZdZeZeddZdS)ProviderzCredential retriever.cCsdS)z1Retrieve credentials and its expiry if available.NrselfrrrretrieveRszProvider.retrieveN)__name__ __module__ __qualname____doc__r __metaclass__rr9rrrrr6Nsr6c@s"eZdZdZdddZddZdS) AssumeRoleProviderz Assume-role credential provider.rNc Cs||_||_||_|pd|_| p>tjtjddddddgdd |_d d t|t krT|nt d } |rj|| d <|rv|| d<|r|| d<| r| | d<t | |_ t |j |_ t|} | |_| j|_| jdkr| jdks| jdkr| jdkr| j|_d|_dS)N皙?totalbackoff_factorstatus_forcelistretriesZ AssumeRole 2011-06-15ActionVersionDurationSecondsRoleArnRoleSessionNamePolicyZ ExternalIdhttpPhttpsi) _sts_endpoint _access_key _secret_key_regionurllib3 PoolManagerRetry _http_clientr3_DEFAULT_DURATION_SECONDSr_bodyr _content_sha256r_urlnetloc_hostschemeporthostname _credentials) r8 sts_endpoint access_key secret_keyduration_secondspolicyZregionrole_arnrole_session_nameZ external_idr* query_paramsr,rrr__init__ZsT      zAssumeRoleProvider.__init__cCs~|jr|js|jSt}td|j|jd|jt|dt|j |j |j |}t |j d|j|j|d}t|jd|_|jS)Retrieve credentials.POSTz!application/x-www-form-urlencoded)z Content-TypeHostz X-Amz-Dater!ZAssumeRoleResult)ri is_expiredr r rcr[rer rrYrZrbr.r_rXrar rdecode)r8Zutctimer#r-rrrr9s6 zAssumeRoleProvider.retrieve)rNNNNNNr:r;r<r=rrr9rrrrr?Ws 0r?c@s eZdZdZddZddZdS)ChainedProviderzChained credential provider.cCs||_d|_d|_dSN) _providers _providerri)r8Z providersrrrrrszChainedProvider.__init__c Cs|jr|js|jS|jrFz|j|_|jWStk rDYnX|jD]6}z||_||_|jWStk rYqLXqLtddS)z4Retrieve credentials from one of available provider.z'All providers fail to fetch credentialsN)rirvr|r9r)r{)r8providerrrrr9s     zChainedProvider.retrieveNrxrrrrrysryc@seZdZdZddZdS)EnvAWSProviderz3Credential provider from AWS environment variables.cCs>ttjdptjdtjdp.tjdtjddS)rsZAWS_ACCESS_KEY_IDZAWS_ACCESS_KEYZAWS_SECRET_ACCESS_KEYZAWS_SECRET_KEYZAWS_SESSION_TOKEN)rkrl session_tokenrr0r1r2r7rrrr9s     zEnvAWSProvider.retrieveNr:r;r<r=r9rrrrr~sr~c@seZdZdZddZdS)EnvMinioProviderz5Credential provider from MinIO environment variables.cCsttjdtjddS)rsZMINIO_ACCESS_KEYZMINIO_SECRET_KEY)rkrlrr7rrrr9s  zEnvMinioProvider.retrieveNrrrrrrsrc@s"eZdZdZdddZddZdS)AWSConfigProviderz-Credential provider from AWS credential file.NcCs>|p tjdp tjtdd|_|p6tjdp6d|_dS)NZAWS_SHARED_CREDENTIALS_FILEz.aws credentialsZ AWS_PROFILEdefault)r0r1r2pathjoinr5 _filename_profile)r8filenameZprofilerrrrrs  zAWSConfigProvider.__init__cCst}||j|j|jddd}|j|jddd}|j|jddd}|sftd|jd|j|std|jd|jt|||d S) z1Retrieve credentials from AWS configuration file.Zaws_access_key_idN)fallbackZaws_secret_access_keyZaws_session_tokenz%access key does not exist in profile z in AWS credential file z%secret key does not exist in profile )r) configparser ConfigParserreadrr2rr)r)r8parserrkrlrrrrr9s< zAWSConfigProvider.retrieve)NNrxrrrrrs rc@s"eZdZdZdddZddZdS)MinioClientConfigProviderz9Credential provider from MinIO Client configuration file.NcCs@|p"tjttjdkrdndd|_|p8tjdp8d|_ dS)Nwin32Zmcz.mcz config.jsonZ MINIO_ALIASZs3) r0rrr5sysplatformrr1r2_alias)r8raliasrrrrr sz"MinioClientConfigProvider.__init__c Cszt|jdd}t|}W5QRX|dp8|d}|sNtd|j||j}|svtd|jd|jt|d|d WStt fk r}ztd |j|W5d }~XYnXd S) z?Retrieve credential value from MinIO client configuration file.utf-8encodinghostsaliaseszinvalid configuration in file zalias z- not found in MinIO clientconfiguration file Z accessKeyZ secretKeyerror in reading file N) openrjsonloadr2r)rrIOErrorOSError)r8Z conf_fileconfigrcredsexcrrrr9+s(   z"MinioClientConfigProvider.retrieve)NNrxrrrrrs rc Cstj|j}z@tddt|dD}|D]}t|j s.t |dq.Wn6tj k r}zt d|d|W5d}~XYnXdS)z3Check whether host in url points only to localhost.css|]}|ddVqdS)rNr).0inforrr Fsz'_check_loopback_host..Nz is not loopback only hostzHost z is not loopback address) r\util parse_urlhostsetsocket getaddrinfo ipaddress ip_address is_loopbackr)gaierror)r,raddrsaddrrrrr_check_loopback_hostBs rc Cspz4t|dd}|ddW5QRWSQRXWn6ttfk rj}ztd||W5d}~XYnXdS)z'Read and return content of token file. rr0) access_token expires_inrN)rrrrr))Z token_filefilerrrr_get_jwt_tokenNs &rc@s*eZdZdZd ddZddZddZdS) IamAwsProviderz7Credential provider using IAM roles for Amazon EC2/ECS.NcCs||_|p(tjtjddddddgdd|_tjd |_tjd |_ tjd |_ tjd |_ tjd |_ |j r|j dsd|j |_ tjd|_d|_dS)NrArBrCrDrErFrGrKZAWS_WEB_IDENTITY_TOKEN_FILEZ AWS_REGIONZ AWS_ROLE_ARNZAWS_ROLE_SESSION_NAMEZ&AWS_CONTAINER_CREDENTIALS_RELATIVE_URI/Z"AWS_CONTAINER_CREDENTIALS_FULL_URI)_custom_endpointr\r]r^r_r0r1r2 _token_file _aws_region _role_arn_role_session_name _relative_uri startswith _full_uriri)r8Zcustom_endpointr*rrrrrZs&  zIamAwsProvider.__init__cCszt|jd|}t|j}|dddkrLt|d|dd|dt|d|d<t|d|d |d |dS) z Fetch credentials from EC2/ECS. GETZCodeZSuccessz failed with code z message MessagerrrToken) r.r_rloadsrr2r)r r)r8r,r-rrrrfetchos zIamAwsProvider.fetchcsjrjsjSj}jrn|s>d}jr>djd}tfdd|jjjd}| _jSj r|sdj }njj r|sj }t |nP|sd}t jd |}|jd d }|std ||d |dd7}|_jS)z.Retrieve credentials from WebIdentity/EC2/ECS.zhttps://sts.amazonaws.comz https://sts.z.amazonaws.comcs tjSrz)rrrr7rrz)IamAwsProvider.retrieve..)rorpr*zhttp://169.254.170.2zAhttp://169.254.169.254/latest/meta-data/iam/security-credentials/rr z%no IAM roles attached to EC2 service rr )rirvrrrWebIdentityProviderrrr_r9rrrr.rrwsplitr)stripr)r8r,r}r-Z role_namesrr7rr9sD     zIamAwsProvider.retrieve)NN)r:r;r<r=rrrr9rrrrrWs rc@s"eZdZdZdddZddZdS)LdapIdentityProviderz9Credential provider using AssumeRoleWithLDAPIdentity API.NcCsL|dtdd||d|_|p>tjtjddddd d gd d |_d|_dS) N?ZAssumeRoleWithLDAPIdentityrM)rOrPZ LDAPUsernameZ LDAPPasswordrArBrCrDrErFrGrK)rrXr\r]r^r_ri)r8rjZ ldap_usernameZ ldap_passwordr*rrrrrs zLdapIdentityProvider.__init__cCs>|jr|js|jSt|jd|j}t|jd|_|jS)rsrtZ AssumeRoleWithLDAPIdentityResultrirvr.r_rXr rrwr8r-rrrr9szLdapIdentityProvider.retrieve)Nrxrrrrrs rc@s"eZdZdZdddZddZdS)StaticProviderzFixed credential provider.NcCst||||_dSrz)rri)r8rkrlrrrrrrszStaticProvider.__init__cCs|jS)zReturn passed credentials.)rir7rrrr9szStaticProvider.retrieve)Nrxrrrrrs rc@s:eZdZdZeZd ddZeddZdd Z d d Z dS) WebIdentityClientGrantsProviderzABase class for WebIdentity and ClientGrants credentials provider.rNcCsT||_||_||_||_||_||_|pFtjtjddddddgdd|_ d|_ dS) NrArBrCrDrErFrGrK) _jwt_provider_funcrX_duration_seconds_policyrrr\r]r^r_ri)r8jwt_provider_funcrjrmrnrorpr*rrrrrs z(WebIdentityClientGrantsProvider.__init__cCsdS)z-Check if derived class deal with WebIdentity.Nrr7rrr_is_web_identitysz0WebIdentityClientGrantsProvider._is_web_identitycCs4|jr |j}|tkrtS|dkr$|S|tkr0tS|S)z"Get DurationSeconds optimal value.r)r_MAX_DURATION_SECONDS_MIN_DURATION_SECONDS)r8Zexpiryrrr_get_duration_secondssz5WebIdentityClientGrantsProvider._get_duration_secondscCs |jr|js|jS|}ddi}|t|dd}|rLt||d<|jr\|j|d<|rd|d<|d |d <|j r|j |d <|j r|j ntt  d d |d<nd|d<|d |d<|j dt|}t|jd|}t|j|rdnd|_|jS)rsrPrMrrrQrTZAssumeRoleWithWebIdentityrOrZWebIdentityTokenrR.r@rSZAssumeRoleWithClientGrantsrrrtZAssumeRoleWithWebIdentityResultZ AssumeRoleWithClientGrantsResult)rirvrrintr2r3rrrrtimereplacerXrr.r_r rrw)r8Zjwtrqrmr,r-rrrr9s>    z(WebIdentityClientGrantsProvider.retrieve)rNNNN) r:r;r<r=rr>rrrrrr9rrrrrs  rcs*eZdZdZdfdd ZddZZS) ClientGrantsProviderz9Credential provider using AssumeRoleWithClientGrants API.rNcstj|||||ddS)N)r*)superrr)r8rrjrmrnr* __class__rrrrCszClientGrantsProvider.__init__cCsdS)NFrr7rrrrLsz%ClientGrantsProvider._is_web_identity)rNN)r:r;r<r=rrr __classcell__rrrrr@s  rc@seZdZdZddZdS)rz8Credential provider using AssumeRoleWithWebIdentity API.cCsdS)NTrr7rrrrSsz$WebIdentityProvider._is_web_identityN)r:r;r<r=rrrrrrPsrc@s"eZdZdZdddZddZdS) CertificateIdentityProviderz8Credential provider using AssumeRoleWithCertificate API.NrcCst|jdkrtdt||o"|kr(ntd|dtddt|tkrJ|ntd|_|ptj d|d |||pvt tj d d d d ddgdd|_ d|_dS)NrWz!STS endpoint scheme must be HTTPSz;either cert/key file or custom http_client must be providedrZAssumeRoleWithCertificaterMrN CERT_REQUIREDrArBrCrDrErFrG)maxsize cert_file cert_reqskey_file key_passwordca_certsrL)rrfr)boolrr3r`rXr\r]certifiwherer^r_ri)r8rjrrrrrmr*rrrrrZs>    z$CertificateIdentityProvider.__init__cCs>|jr|js|jSt|jd|j}t|jd|_|jS)rsrtZAssumeRoleWithCertificateResultrrrrrr9sz$CertificateIdentityProvider.retrieve)NNNNrNrxrrrrrWs )r)NN);r=rrrr0rrrabcrrdatetimerpathlibr urllib.parserrZ xml.etreerrr\Z minio.helpersr Z minio.signerr Z minio.timer r r Z minio.xmlrrrrr total_secondsrrr`r r.r5r6r?ryr~rrrrrrrrrrrrrrrrsR         V! 2%  Z* Z