>h f ddlZddlZddlZddlZddlZddlZddlZddlZddlZ ddl m Z ddl m Z ddlmZddlmZddlmZddlmZddlmZejj,Zd Zd Zd Zd Zeejej:fZd ZdZ ejBdgdZ"dZ# ddZ$dZ%dZ&e&ddddddddddddf dZ'dZ(efdZ)dZ*dZ+y)N) exceptions)requests)_helpers)_DEFAULT_UNIVERSE_DOMAIN)_NOW)_UTC) DEFAULT_RETRYz[https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-accountct|tjjjs(t dj t|ty)aiRaise AttributeError if the credentials are unsigned. :type credentials: :class:`google.auth.credentials.Signing` :param credentials: The credentials used to create a private key for signing text. :raises: :exc:`AttributeError` if credentials is not an instance of :class:`google.auth.credentials.Signing`. zyou need a private key to sign credentials.the credentials you are currently using {} just contains a token. see {} for more details.N) isinstancegoogleauth credentialsSigningAttributeErrorformattypeSERVICE_ACCOUNT_URL)rs a/var/www/html/DP/alpha_backend/venv/lib/python3.12/site-packages/google/cloud/storage/_signing.pyensure_signed_credentialsr/sJ k6;;#:#:#B#B C vd;/1DE    Dct||j|jd}tj|}|j }|||dS)aGets query parameters for creating a signed URL. :type credentials: :class:`google.auth.credentials.Signing` :param credentials: The credentials used to create a private key for signing text. :type expiration: int or long :param expiration: When the signed URL should expire. :type string_to_sign: str :param string_to_sign: The string to be signed by the credentials. :raises: :exc:`AttributeError` if credentials is not an instance of :class:`google.auth.credentials.Signing`. :rtype: dict :returns: Query parameters matching the signing credentials with a signed payload. asciiGoogleAccessIdExpires Signature)r sign_bytesencodebase64 b64encode signer_email)r expirationstring_to_signsignature_bytes signatureservice_account_names rget_signed_query_params_v2r'BsV(k*!,,^-B-B7-KLO  1I&33. rct|tjrtt}||z}t|tjrt j |}|dz}t|tstdt|z|S)a Convert 'expiration' to a number of seconds in the future. :type expiration: Union[Integer, datetime.datetime, datetime.timedelta] :param expiration: Point in time when the signed URL should expire. If a ``datetime`` instance is passed without an explicit ``tzinfo`` set, it will be assumed to be ``UTC``. :raises: :exc:`TypeError` when expiration is not a valid type. :rtype: int :returns: a timestamp as an absolute number of seconds since epoch. i@B=Expected an integer timestamp, datetime, or timedelta. Got %s) r datetime timedeltarrr_microseconds_from_datetimeint TypeErrorr)r"nowmicross rget_expiration_seconds_v2r1as*h0014j:% *h//055jAu_ j# & "&z"2 3   rct|tstdt|zt t }t|t r|}t|tjr1|j |jtj}||z }t|tjrt |j}tkDrtdt|S)aVConvert 'expiration' to a number of seconds offset from the current time. :type expiration: Union[Integer, datetime.datetime, datetime.timedelta] :param expiration: Point in time when the signed URL should expire. If a ``datetime`` instance is passed without an explicit ``tzinfo`` set, it will be assumed to be ``UTC``. :raises: :exc:`TypeError` when expiration is not a valid type. :raises: :exc:`ValueError` when expiration is too large. :rtype: Integer :returns: seconds in the future when the signed URL will expire r)tzinfoz.Max allowed expiration interval is seven days )r _EXPIRATION_TYPESr.rrrr-r*r4replacerUTCr+ total_seconds SEVEN_DAYS ValueError)r"r/secondss rget_expiration_seconds_v4r<s j"3 4 "&z"2 3  t*C*c"*h//0    $#++8<<+@J#% *h001j..01I*VWW Nrc|g}n)t|trt|j}|sggfSt j t}|D]V\}}|j j}dj|j}||j|Xtd|jD}|Dcgc]}dj|}}||fScc}w)amCanonicalize headers for signing. See: https://cloud.google.com/storage/docs/access-control/signed-urls#about-canonical-extension-headers :type headers: Union[dict|List(Tuple(str,str))] :param headers: (Optional) Additional HTTP headers to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers Requests using the signed URL *must* pass the specified header (name and value) with each request for the URL. :rtype: str :returns: List of headers, normalized / sortted per the URL refernced above.  c3HK|]\}}|dj|fyw),N)join).0keyvals r z(get_canonical_headers..s$UBThc3c388C=1BTs "z{}:{}) r dictlistitems collections defaultdictlowerstriprAsplitappendsortedr)headers normalizedrCrDordered_headersitemcanonical_headerss rget_canonical_headersrUs" GT "w}}' 2v ((.JSiik!hhsyy{#3s# U*BRBRBTUUO;JK?4.?K o --Ls C) _Canonical)methodresourcequery_parametersrPct|\}}|dk(rd}|jd|t||g|Std|j D}t j j|}|d|}t||||S)ahCanonicalize method, resource per the V2 spec. :type method: str :param method: The HTTP verb that will be used when requesting the URL. Defaults to ``'GET'``. If method is ``'RESUMABLE'`` then the signature will additionally contain the `x-goog-resumable` header, and the method changed to POST. See the signed URL docs regarding this flow: https://cloud.google.com/storage/docs/access-control/signed-urls :type resource: str :param resource: A pointer to a specific resource (typically, ``/bucket-name/path/to/blob.txt``). :type query_parameters: dict :param query_parameters: (Optional) Additional query parameters to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers#query :type headers: Union[dict|List(Tuple(str,str))] :param headers: (Optional) Additional HTTP headers to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers Requests using the signed URL *must* pass the specified header (name and value) with each request for the URL. :rtype: :class:_Canonical :returns: Canonical method, resource, query_parameters, and headers. RESUMABLEPOSTzx-goog-resumable:startc3rK|]/\}}|j|xr|jxsdf1yw)N)rKrL)rBrCvalues rrEz"canonicalize_v2..s72JC e- 342s57?)rUrNrVrOrHurllibparse urlencode)rWrXrYrP_ normalized_qp encoded_qpcanonical_resources rcanonicalize_v2rhs@'w/JGQ /0&(B88*002M'' 6J$:Qzl3 f0- IIrGETcDt|}t||| | }|j|xsd|xsdt|g}|j |j |j |jdj|}| r| rt|| | |}| ||d}n t|||}|||d<|||d<| | |d<|j|jt|j}dj||t j"j%|S) aGenerate a V2 signed URL to provide query-string auth'n to a resource. .. note:: Assumes ``credentials`` implements the :class:`google.auth.credentials.Signing` interface. Also assumes ``credentials`` has a ``signer_email`` property which identifies the credentials. .. note:: If you are on Google Compute Engine, you can't generate a signed URL. If you'd like to be able to generate a signed URL from GCE, you can use a standard service account from a JSON file rather than a GCE service account. See headers [reference](https://cloud.google.com/storage/docs/reference-headers) for more details on optional arguments. :type credentials: :class:`google.auth.credentials.Signing` :param credentials: Credentials object with an associated private key to sign text. :type resource: str :param resource: A pointer to a specific resource (typically, ``/bucket-name/path/to/blob.txt``). Caller should have already URL-encoded the value. :type expiration: Union[Integer, datetime.datetime, datetime.timedelta] :param expiration: Point in time when the signed URL should expire. If a ``datetime`` instance is passed without an explicit ``tzinfo`` set, it will be assumed to be ``UTC``. :type api_access_endpoint: str :param api_access_endpoint: (Optional) URI base. Defaults to empty string. :type method: str :param method: The HTTP verb that will be used when requesting the URL. Defaults to ``'GET'``. If method is ``'RESUMABLE'`` then the signature will additionally contain the `x-goog-resumable` header, and the method changed to POST. See the signed URL docs regarding this flow: https://cloud.google.com/storage/docs/access-control/signed-urls :type content_md5: str :param content_md5: (Optional) The MD5 hash of the object referenced by ``resource``. :type content_type: str :param content_type: (Optional) The content type of the object referenced by ``resource``. :type response_type: str :param response_type: (Optional) Content type of responses to requests for the signed URL. Ignored if content_type is set on object/blob metadata. :type response_disposition: str :param response_disposition: (Optional) Content disposition of responses to requests for the signed URL. :type generation: str :param generation: (Optional) A value that indicates which generation of the resource to fetch. :type headers: Union[dict|List(Tuple(str,str))] :param headers: (Optional) Additional HTTP headers to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers Requests using the signed URL *must* pass the specified header (name and value) with each request for the URL. :type service_account_email: str :param service_account_email: (Optional) E-mail address of the service account. :type access_token: str :param access_token: (Optional) Access token for a service account. :type query_parameters: dict :param query_parameters: (Optional) Additional query parameters to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers#query :raises: :exc:`TypeError` when expiration is not a valid type. :raises: :exc:`AttributeError` if credentials is not an instance of :class:`google.auth.credentials.Signing`. :rtype: str :returns: A signed URL you can use to access the resource until expiration. r^ rresponse-content-typeresponse-content-disposition generationz"{endpoint}{resource}?{querystring})endpointrX querystring)r1rhrWstrextendrPrNrXrA _sign_messager'updaterYrOrHrrarbrc)rrXr"api_access_endpointrW content_md5 content_type response_typeresponse_dispositionrnrPrYservice_account_email access_tokenuniverse_domainexpiration_stamp canonicalelements_to_signr#r%signed_query_paramssorted_signed_query_paramss rgenerate_signed_url_v2rs]\1<2BGLI r   I--.I../YY/0N -! L*? 4'"  9 )>  7D34'>R:;,6L)y99:!'(;(A(A(C!D 0 6 6$LL**+EF 7 ri: zhttps://storage.googleapis.comc<t|}|t\}}n|}|dd}| }| r| st||j}|d}|d|}| i} ||| d<||| d<| Dcgc]}|j }}d|vr,t j j|j| d<|jd k(rd }d | d <t| \}}d j|d z}dj|Dcgc]\}}| c}}}| i} n'| jDcic] \}}||xsd} }}d| d<|| d<|| d<|| d<|| d<||| d<||| d<| | | d<t| }t|}d|vr|d} nd} |||||| g}!d j|!}"tj |"j#dj%}#d|||#g}$d j|$}%| rJ| rHt'|%| | |}&t)j*|&}'t-j.|'j1d}&nD|j3|%j#d}'t-j.|'j1d}&dj5||||&Scc}wcc}}wcc}}w)a/Generate a V4 signed URL to provide query-string auth'n to a resource. .. note:: Assumes ``credentials`` implements the :class:`google.auth.credentials.Signing` interface. Also assumes ``credentials`` has a ``signer_email`` property which identifies the credentials. .. note:: If you are on Google Compute Engine, you can't generate a signed URL. If you'd like to be able to generate a signed URL from GCE,you can use a standard service account from a JSON file rather than a GCE service account. See headers [reference](https://cloud.google.com/storage/docs/reference-headers) for more details on optional arguments. :type credentials: :class:`google.auth.credentials.Signing` :param credentials: Credentials object with an associated private key to sign text. That credentials must provide signer_email only if service_account_email and access_token are not passed. :type resource: str :param resource: A pointer to a specific resource (typically, ``/bucket-name/path/to/blob.txt``). Caller should have already URL-encoded the value. :type expiration: Union[Integer, datetime.datetime, datetime.timedelta] :param expiration: Point in time when the signed URL should expire. If a ``datetime`` instance is passed without an explicit ``tzinfo`` set, it will be assumed to be ``UTC``. :type api_access_endpoint: str :param api_access_endpoint: URI base. Defaults to "https://storage.googleapis.com/" :type method: str :param method: The HTTP verb that will be used when requesting the URL. Defaults to ``'GET'``. If method is ``'RESUMABLE'`` then the signature will additionally contain the `x-goog-resumable` header, and the method changed to POST. See the signed URL docs regarding this flow: https://cloud.google.com/storage/docs/access-control/signed-urls :type content_md5: str :param content_md5: (Optional) The MD5 hash of the object referenced by ``resource``. :type content_type: str :param content_type: (Optional) The content type of the object referenced by ``resource``. :type response_type: str :param response_type: (Optional) Content type of responses to requests for the signed URL. Ignored if content_type is set on object/blob metadata. :type response_disposition: str :param response_disposition: (Optional) Content disposition of responses to requests for the signed URL. :type generation: str :param generation: (Optional) A value that indicates which generation of the resource to fetch. :type headers: dict :param headers: (Optional) Additional HTTP headers to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers Requests using the signed URL *must* pass the specified header (name and value) with each request for the URL. :type query_parameters: dict :param query_parameters: (Optional) Additional query parameters to be included as part of the signed URLs. See: https://cloud.google.com/storage/docs/xml-api/reference-headers#query :type service_account_email: str :param service_account_email: (Optional) E-mail address of the service account. :type access_token: str :param access_token: (Optional) Access token for a service account. :raises: :exc:`TypeError` when expiration is not a valid type. :raises: :exc:`AttributeError` if credentials is not an instance of :class:`google.auth.credentials.Signing`. :rtype: str :returns: A signed URL you can use to access the resource until expiration. Nz/auto/storage/goog4_request/z Content-Typez Content-MD5hostHostr[r\startzx-goog-resumablerk;r^zGOOG4-RSA-SHA256zX-Goog-AlgorithmzX-Goog-Credentialz X-Goog-DatezX-Goog-ExpireszX-Goog-SignedHeadersrlrmrnzx-goog-content-sha256zUNSIGNED-PAYLOADrz{}{}?{}&X-Goog-Signature={})r<get_v4_now_dtstampsrr!rKrarburlparsenetlocupperrUrArH _url_encoderFhashlibsha256r hexdigestrsr b64decodebinasciihexlifydecoderr)(rrXr"rurWrvrwrxryrnrPrYrzr{r|_request_timestampexpiration_secondsrequest_timestamp datestamp client_emailcredential_scope credentialrC header_namesrTrRcanonical_header_stringrdsigned_headersr_canonical_query_stringlowercased_headerspayloadcanonical_elementscanonical_requestcanonical_request_hashstring_elementsr#r%r$s( rgenerate_signed_url_v4rsGd3:>!':'<$9.&r* )L 4!+."// #$?@ >#3"45J".!, +237CCIIK7L3 \! ,,//0CDKK ||~$&-"#)>w)G& #$t+XXAvsAsABN?O?U?U?WX?WeC",?WX+='(,6()&7]#);%&/=+, 4A01';O78)3&()9:o."44$%<=$   "45$^^  )ik  O YY/N-! L*? !**95$$_5<.retriable_requestss6gNrz%Error calling the IAM signBytes API: signedBlob)r _to_bytesjsondumpsrr rrRequestr statushttpclientOKrTransportErrordataloads)messager{rzr|rretrycallrrrrPrWrrs @@@@@rrsrss0  )G F #O#44STiSjj| }C"\1*G ::y&"2"27";"B"B7"KL MD G E " #DvH$++..(''3HMM? C   ::hmm**73 4D  rc |jDcgc]\}}t|dt| }}}djt|Scc}}w)zEncode query params into URL. :type query_params: dict :param query_params: Query params to be encoded. :rtype: str :returns: URL encoded query params. =&)rH _quote_paramrArO) query_paramsnamer_paramss rrrsb(--//KD%   a U 345/  88F6N ## s#Aczt|ts t|}tjj |dS)zQuote query param. :type param: Any :param param: Query param to be encoded. :rtype: str :returns: URL encoded query param. ~)safe)r bytesrqrarbquote)params rrrs1 eU #E  <<  e#  ..r) r^riNNNNNNNNNN),rrrIr*rrrragoogle.auth.credentialsr google.authrgoogle.auth.transportr google.cloudrgoogle.cloud.storage._helpersrrrgoogle.cloud.storage.retryr utcnowNOWrrr'r1r-r+r5r<rU namedtuplerVrhrr9DEFAULT_ENDPOINTrrrsrrrrrrs/  "*!B..4 -  &>>(++X-?-?@#L".J$[ # #G /Jl  ]@ 3)  !Zz  - 2j$" /r