diff env/lib/python3.7/site-packages/boto/auth.py @ 0:26e78fe6e8c4 draft

"planemo upload commit c699937486c35866861690329de38ec1a5d9f783"
author shellac
date Sat, 02 May 2020 07:14:21 -0400
parents
children
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/env/lib/python3.7/site-packages/boto/auth.py	Sat May 02 07:14:21 2020 -0400
@@ -0,0 +1,1099 @@
+# Copyright 2010 Google Inc.
+# Copyright (c) 2011 Mitch Garnaat http://garnaat.org/
+# Copyright (c) 2011, Eucalyptus Systems, Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish, dis-
+# tribute, sublicense, and/or sell copies of the Software, and to permit
+# persons to whom the Software is furnished to do so, subject to the fol-
+# lowing conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABIL-
+# ITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
+# SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+
+"""
+Handles authentication required to AWS and GS
+"""
+
+import base64
+import boto
+import boto.auth_handler
+import boto.exception
+import boto.plugin
+import boto.utils
+import copy
+import datetime
+from email.utils import formatdate
+import hmac
+import os
+import posixpath
+
+from boto.compat import urllib, encodebytes, parse_qs_safe, urlparse
+from boto.auth_handler import AuthHandler
+from boto.exception import BotoClientError
+
+try:
+    from hashlib import sha1 as sha
+    from hashlib import sha256 as sha256
+except ImportError:
+    import sha
+    sha256 = None
+
+
+# Region detection strings to determine if SigV2 should be used
+# by default
+S3_AUTH_DETECT = [
+    '-ap-northeast-1',
+    '.ap-northeast-1',
+    '-ap-southeast-1',
+    '.ap-southeast-1',
+    '-ap-southeast-2',
+    '.ap-southeast-2',
+    '-eu-west-1',
+    '.eu-west-1',
+    '-external-1',
+    '.external-1',
+    '-sa-east-1',
+    '.sa-east-1',
+    '-us-east-1',
+    '.us-east-1',
+    '-us-gov-west-1',
+    '.us-gov-west-1',
+    '-us-west-1',
+    '.us-west-1',
+    '-us-west-2',
+    '.us-west-2'
+]
+
+
+SIGV4_DETECT = [
+    '.cn-',
+    # In eu-central and ap-northeast-2 we support both host styles for S3
+    '.eu-central',
+    '-eu-central',
+    '.ap-northeast-2',
+    '-ap-northeast-2',
+    '.ap-south-1',
+    '-ap-south-1',
+    '.us-east-2',
+    '-us-east-2',
+    '-ca-central',
+    '.ca-central',
+    '.eu-west-2',
+    '-eu-west-2',
+]
+
+
+class HmacKeys(object):
+    """Key based Auth handler helper."""
+
+    def __init__(self, host, config, provider):
+        if provider.access_key is None or provider.secret_key is None:
+            raise boto.auth_handler.NotReadyToAuthenticate()
+        self.host = host
+        self.update_provider(provider)
+
+    def update_provider(self, provider):
+        self._provider = provider
+        self._hmac = hmac.new(self._provider.secret_key.encode('utf-8'),
+                              digestmod=sha)
+        if sha256:
+            self._hmac_256 = hmac.new(self._provider.secret_key.encode('utf-8'),
+                                      digestmod=sha256)
+        else:
+            self._hmac_256 = None
+
+    def algorithm(self):
+        if self._hmac_256:
+            return 'HmacSHA256'
+        else:
+            return 'HmacSHA1'
+
+    def _get_hmac(self):
+        if self._hmac_256:
+            digestmod = sha256
+        else:
+            digestmod = sha
+        return hmac.new(self._provider.secret_key.encode('utf-8'),
+                        digestmod=digestmod)
+
+    def sign_string(self, string_to_sign):
+        new_hmac = self._get_hmac()
+        new_hmac.update(string_to_sign.encode('utf-8'))
+        return encodebytes(new_hmac.digest()).decode('utf-8').strip()
+
+    def __getstate__(self):
+        pickled_dict = copy.copy(self.__dict__)
+        del pickled_dict['_hmac']
+        del pickled_dict['_hmac_256']
+        return pickled_dict
+
+    def __setstate__(self, dct):
+        self.__dict__ = dct
+        self.update_provider(self._provider)
+
+
+class AnonAuthHandler(AuthHandler, HmacKeys):
+    """
+    Implements Anonymous requests.
+    """
+
+    capability = ['anon']
+
+    def __init__(self, host, config, provider):
+        super(AnonAuthHandler, self).__init__(host, config, provider)
+
+    def add_auth(self, http_request, **kwargs):
+        pass
+
+
+class HmacAuthV1Handler(AuthHandler, HmacKeys):
+    """    Implements the HMAC request signing used by S3 and GS."""
+
+    capability = ['hmac-v1', 's3']
+
+    def __init__(self, host, config, provider):
+        AuthHandler.__init__(self, host, config, provider)
+        HmacKeys.__init__(self, host, config, provider)
+        self._hmac_256 = None
+
+    def update_provider(self, provider):
+        super(HmacAuthV1Handler, self).update_provider(provider)
+        self._hmac_256 = None
+
+    def add_auth(self, http_request, **kwargs):
+        headers = http_request.headers
+        method = http_request.method
+        auth_path = http_request.auth_path
+        if 'Date' not in headers:
+            headers['Date'] = formatdate(usegmt=True)
+
+        if self._provider.security_token:
+            key = self._provider.security_token_header
+            headers[key] = self._provider.security_token
+        string_to_sign = boto.utils.canonical_string(method, auth_path,
+                                                     headers, None,
+                                                     self._provider)
+        boto.log.debug('StringToSign:\n%s' % string_to_sign)
+        b64_hmac = self.sign_string(string_to_sign)
+        auth_hdr = self._provider.auth_header
+        auth = ("%s %s:%s" % (auth_hdr, self._provider.access_key, b64_hmac))
+        boto.log.debug('Signature:\n%s' % auth)
+        headers['Authorization'] = auth
+
+
+class HmacAuthV2Handler(AuthHandler, HmacKeys):
+    """
+    Implements the simplified HMAC authorization used by CloudFront.
+    """
+    capability = ['hmac-v2', 'cloudfront']
+
+    def __init__(self, host, config, provider):
+        AuthHandler.__init__(self, host, config, provider)
+        HmacKeys.__init__(self, host, config, provider)
+        self._hmac_256 = None
+
+    def update_provider(self, provider):
+        super(HmacAuthV2Handler, self).update_provider(provider)
+        self._hmac_256 = None
+
+    def add_auth(self, http_request, **kwargs):
+        headers = http_request.headers
+        if 'Date' not in headers:
+            headers['Date'] = formatdate(usegmt=True)
+        if self._provider.security_token:
+            key = self._provider.security_token_header
+            headers[key] = self._provider.security_token
+
+        b64_hmac = self.sign_string(headers['Date'])
+        auth_hdr = self._provider.auth_header
+        headers['Authorization'] = ("%s %s:%s" %
+                                    (auth_hdr,
+                                     self._provider.access_key, b64_hmac))
+
+
+class HmacAuthV3Handler(AuthHandler, HmacKeys):
+    """Implements the new Version 3 HMAC authorization used by Route53."""
+
+    capability = ['hmac-v3', 'route53', 'ses']
+
+    def __init__(self, host, config, provider):
+        AuthHandler.__init__(self, host, config, provider)
+        HmacKeys.__init__(self, host, config, provider)
+
+    def add_auth(self, http_request, **kwargs):
+        headers = http_request.headers
+        if 'Date' not in headers:
+            headers['Date'] = formatdate(usegmt=True)
+
+        if self._provider.security_token:
+            key = self._provider.security_token_header
+            headers[key] = self._provider.security_token
+
+        b64_hmac = self.sign_string(headers['Date'])
+        s = "AWS3-HTTPS AWSAccessKeyId=%s," % self._provider.access_key
+        s += "Algorithm=%s,Signature=%s" % (self.algorithm(), b64_hmac)
+        headers['X-Amzn-Authorization'] = s
+
+
+class HmacAuthV3HTTPHandler(AuthHandler, HmacKeys):
+    """
+    Implements the new Version 3 HMAC authorization used by DynamoDB.
+    """
+
+    capability = ['hmac-v3-http']
+
+    def __init__(self, host, config, provider):
+        AuthHandler.__init__(self, host, config, provider)
+        HmacKeys.__init__(self, host, config, provider)
+
+    def headers_to_sign(self, http_request):
+        """
+        Select the headers from the request that need to be included
+        in the StringToSign.
+        """
+        headers_to_sign = {'Host': self.host}
+        for name, value in http_request.headers.items():
+            lname = name.lower()
+            if lname.startswith('x-amz'):
+                headers_to_sign[name] = value
+        return headers_to_sign
+
+    def canonical_headers(self, headers_to_sign):
+        """
+        Return the headers that need to be included in the StringToSign
+        in their canonical form by converting all header keys to lower
+        case, sorting them in alphabetical order and then joining
+        them into a string, separated by newlines.
+        """
+        l = sorted(['%s:%s' % (n.lower().strip(),
+                    headers_to_sign[n].strip()) for n in headers_to_sign])
+        return '\n'.join(l)
+
+    def string_to_sign(self, http_request):
+        """
+        Return the canonical StringToSign as well as a dict
+        containing the original version of all headers that
+        were included in the StringToSign.
+        """
+        headers_to_sign = self.headers_to_sign(http_request)
+        canonical_headers = self.canonical_headers(headers_to_sign)
+        string_to_sign = '\n'.join([http_request.method,
+                                    http_request.auth_path,
+                                    '',
+                                    canonical_headers,
+                                    '',
+                                    http_request.body])
+        return string_to_sign, headers_to_sign
+
+    def add_auth(self, req, **kwargs):
+        """
+        Add AWS3 authentication to a request.
+
+        :type req: :class`boto.connection.HTTPRequest`
+        :param req: The HTTPRequest object.
+        """
+        # This could be a retry.  Make sure the previous
+        # authorization header is removed first.
+        if 'X-Amzn-Authorization' in req.headers:
+            del req.headers['X-Amzn-Authorization']
+        req.headers['X-Amz-Date'] = formatdate(usegmt=True)
+        if self._provider.security_token:
+            req.headers['X-Amz-Security-Token'] = self._provider.security_token
+        string_to_sign, headers_to_sign = self.string_to_sign(req)
+        boto.log.debug('StringToSign:\n%s' % string_to_sign)
+        hash_value = sha256(string_to_sign.encode('utf-8')).digest()
+        b64_hmac = self.sign_string(hash_value)
+        s = "AWS3 AWSAccessKeyId=%s," % self._provider.access_key
+        s += "Algorithm=%s," % self.algorithm()
+        s += "SignedHeaders=%s," % ';'.join(headers_to_sign)
+        s += "Signature=%s" % b64_hmac
+        req.headers['X-Amzn-Authorization'] = s
+
+
+class HmacAuthV4Handler(AuthHandler, HmacKeys):
+    """
+    Implements the new Version 4 HMAC authorization.
+    """
+
+    capability = ['hmac-v4']
+
+    def __init__(self, host, config, provider,
+                 service_name=None, region_name=None):
+        AuthHandler.__init__(self, host, config, provider)
+        HmacKeys.__init__(self, host, config, provider)
+        # You can set the service_name and region_name to override the
+        # values which would otherwise come from the endpoint, e.g.
+        # <service>.<region>.amazonaws.com.
+        self.service_name = service_name
+        self.region_name = region_name
+
+    def _sign(self, key, msg, hex=False):
+        if not isinstance(key, bytes):
+            key = key.encode('utf-8')
+
+        if hex:
+            sig = hmac.new(key, msg.encode('utf-8'), sha256).hexdigest()
+        else:
+            sig = hmac.new(key, msg.encode('utf-8'), sha256).digest()
+        return sig
+
+    def headers_to_sign(self, http_request):
+        """
+        Select the headers from the request that need to be included
+        in the StringToSign.
+        """
+        host_header_value = self.host_header(self.host, http_request)
+        if http_request.headers.get('Host'):
+            host_header_value = http_request.headers['Host']
+        headers_to_sign = {'Host': host_header_value}
+        for name, value in http_request.headers.items():
+            lname = name.lower()
+            if lname.startswith('x-amz'):
+                if isinstance(value, bytes):
+                    value = value.decode('utf-8')
+                headers_to_sign[name] = value
+        return headers_to_sign
+
+    def host_header(self, host, http_request):
+        port = http_request.port
+        secure = http_request.protocol == 'https'
+        if ((port == 80 and not secure) or (port == 443 and secure)):
+            return host
+        return '%s:%s' % (host, port)
+
+    def query_string(self, http_request):
+        parameter_names = sorted(http_request.params.keys())
+        pairs = []
+        for pname in parameter_names:
+            pval = boto.utils.get_utf8_value(http_request.params[pname])
+            pairs.append(urllib.parse.quote(pname, safe='') + '=' +
+                         urllib.parse.quote(pval, safe='-_~'))
+        return '&'.join(pairs)
+
+    def canonical_query_string(self, http_request):
+        # POST requests pass parameters in through the
+        # http_request.body field.
+        if http_request.method == 'POST':
+            return ""
+        l = []
+        for param in sorted(http_request.params):
+            value = boto.utils.get_utf8_value(http_request.params[param])
+            l.append('%s=%s' % (urllib.parse.quote(param, safe='-_.~'),
+                                urllib.parse.quote(value, safe='-_.~')))
+        return '&'.join(l)
+
+    def canonical_headers(self, headers_to_sign):
+        """
+        Return the headers that need to be included in the StringToSign
+        in their canonical form by converting all header keys to lower
+        case, sorting them in alphabetical order and then joining
+        them into a string, separated by newlines.
+        """
+        canonical = []
+
+        for header in headers_to_sign:
+            c_name = header.lower().strip()
+            raw_value = str(headers_to_sign[header])
+            if '"' in raw_value:
+                c_value = raw_value.strip()
+            else:
+                c_value = ' '.join(raw_value.strip().split())
+            canonical.append('%s:%s' % (c_name, c_value))
+        return '\n'.join(sorted(canonical))
+
+    def signed_headers(self, headers_to_sign):
+        l = ['%s' % n.lower().strip() for n in headers_to_sign]
+        l = sorted(l)
+        return ';'.join(l)
+
+    def canonical_uri(self, http_request):
+        path = http_request.auth_path
+        # Normalize the path
+        # in windows normpath('/') will be '\\' so we chane it back to '/'
+        normalized = posixpath.normpath(path).replace('\\', '/')
+        # Then urlencode whatever's left.
+        encoded = urllib.parse.quote(normalized)
+        if len(path) > 1 and path.endswith('/'):
+            encoded += '/'
+        return encoded
+
+    def payload(self, http_request):
+        body = http_request.body
+        # If the body is a file like object, we can use
+        # boto.utils.compute_hash, which will avoid reading
+        # the entire body into memory.
+        if hasattr(body, 'seek') and hasattr(body, 'read'):
+            return boto.utils.compute_hash(body, hash_algorithm=sha256)[0]
+        elif not isinstance(body, bytes):
+            body = body.encode('utf-8')
+        return sha256(body).hexdigest()
+
+    def canonical_request(self, http_request):
+        cr = [http_request.method.upper()]
+        cr.append(self.canonical_uri(http_request))
+        cr.append(self.canonical_query_string(http_request))
+        headers_to_sign = self.headers_to_sign(http_request)
+        cr.append(self.canonical_headers(headers_to_sign) + '\n')
+        cr.append(self.signed_headers(headers_to_sign))
+        cr.append(self.payload(http_request))
+        return '\n'.join(cr)
+
+    def scope(self, http_request):
+        scope = [self._provider.access_key]
+        scope.append(http_request.timestamp)
+        scope.append(http_request.region_name)
+        scope.append(http_request.service_name)
+        scope.append('aws4_request')
+        return '/'.join(scope)
+
+    def split_host_parts(self, host):
+        return host.split('.')
+
+    def determine_region_name(self, host):
+        parts = self.split_host_parts(host)
+        if self.region_name is not None:
+            region_name = self.region_name
+        elif len(parts) > 1:
+            if parts[1] == 'us-gov':
+                region_name = 'us-gov-west-1'
+            else:
+                if len(parts) == 3:
+                    region_name = 'us-east-1'
+                else:
+                    region_name = parts[1]
+        else:
+            region_name = parts[0]
+
+        return region_name
+
+    def determine_service_name(self, host):
+        parts = self.split_host_parts(host)
+        if self.service_name is not None:
+            service_name = self.service_name
+        else:
+            service_name = parts[0]
+        return service_name
+
+    def credential_scope(self, http_request):
+        scope = []
+        http_request.timestamp = http_request.headers['X-Amz-Date'][0:8]
+        scope.append(http_request.timestamp)
+        # The service_name and region_name either come from:
+        # * The service_name/region_name attrs or (if these values are None)
+        # * parsed from the endpoint <service>.<region>.amazonaws.com.
+        region_name = self.determine_region_name(http_request.host)
+        service_name = self.determine_service_name(http_request.host)
+        http_request.service_name = service_name
+        http_request.region_name = region_name
+
+        scope.append(http_request.region_name)
+        scope.append(http_request.service_name)
+        scope.append('aws4_request')
+        return '/'.join(scope)
+
+    def string_to_sign(self, http_request, canonical_request):
+        """
+        Return the canonical StringToSign as well as a dict
+        containing the original version of all headers that
+        were included in the StringToSign.
+        """
+        sts = ['AWS4-HMAC-SHA256']
+        sts.append(http_request.headers['X-Amz-Date'])
+        sts.append(self.credential_scope(http_request))
+        sts.append(sha256(canonical_request.encode('utf-8')).hexdigest())
+        return '\n'.join(sts)
+
+    def signature(self, http_request, string_to_sign):
+        key = self._provider.secret_key
+        k_date = self._sign(('AWS4' + key).encode('utf-8'),
+                            http_request.timestamp)
+        k_region = self._sign(k_date, http_request.region_name)
+        k_service = self._sign(k_region, http_request.service_name)
+        k_signing = self._sign(k_service, 'aws4_request')
+        return self._sign(k_signing, string_to_sign, hex=True)
+
+    def add_auth(self, req, **kwargs):
+        """
+        Add AWS4 authentication to a request.
+
+        :type req: :class`boto.connection.HTTPRequest`
+        :param req: The HTTPRequest object.
+        """
+        # This could be a retry.  Make sure the previous
+        # authorization header is removed first.
+        if 'X-Amzn-Authorization' in req.headers:
+            del req.headers['X-Amzn-Authorization']
+        now = datetime.datetime.utcnow()
+        req.headers['X-Amz-Date'] = now.strftime('%Y%m%dT%H%M%SZ')
+        if self._provider.security_token:
+            req.headers['X-Amz-Security-Token'] = self._provider.security_token
+        qs = self.query_string(req)
+
+        qs_to_post = qs
+
+        # We do not want to include any params that were mangled into
+        # the params if performing s3-sigv4 since it does not
+        # belong in the body of a post for some requests.  Mangled
+        # refers to items in the query string URL being added to the
+        # http response params. However, these params get added to
+        # the body of the request, but the query string URL does not
+        # belong in the body of the request. ``unmangled_resp`` is the
+        # response that happened prior to the mangling.  This ``unmangled_req``
+        # kwarg will only appear for s3-sigv4.
+        if 'unmangled_req' in kwargs:
+            qs_to_post = self.query_string(kwargs['unmangled_req'])
+
+        if qs_to_post and req.method == 'POST':
+            # Stash request parameters into post body
+            # before we generate the signature.
+            req.body = qs_to_post
+            req.headers['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'
+            req.headers['Content-Length'] = str(len(req.body))
+        else:
+            # Safe to modify req.path here since
+            # the signature will use req.auth_path.
+            req.path = req.path.split('?')[0]
+
+            if qs:
+                # Don't insert the '?' unless there's actually a query string
+                req.path = req.path + '?' + qs
+        canonical_request = self.canonical_request(req)
+        boto.log.debug('CanonicalRequest:\n%s' % canonical_request)
+        string_to_sign = self.string_to_sign(req, canonical_request)
+        boto.log.debug('StringToSign:\n%s' % string_to_sign)
+        signature = self.signature(req, string_to_sign)
+        boto.log.debug('Signature:\n%s' % signature)
+        headers_to_sign = self.headers_to_sign(req)
+        l = ['AWS4-HMAC-SHA256 Credential=%s' % self.scope(req)]
+        l.append('SignedHeaders=%s' % self.signed_headers(headers_to_sign))
+        l.append('Signature=%s' % signature)
+        req.headers['Authorization'] = ','.join(l)
+
+
+class S3HmacAuthV4Handler(HmacAuthV4Handler, AuthHandler):
+    """
+    Implements a variant of Version 4 HMAC authorization specific to S3.
+    """
+    capability = ['hmac-v4-s3']
+
+    def __init__(self, *args, **kwargs):
+        super(S3HmacAuthV4Handler, self).__init__(*args, **kwargs)
+
+        if self.region_name:
+            self.region_name = self.clean_region_name(self.region_name)
+
+    def clean_region_name(self, region_name):
+        if region_name.startswith('s3-'):
+            return region_name[3:]
+
+        return region_name
+
+    def canonical_uri(self, http_request):
+        # S3 does **NOT** do path normalization that SigV4 typically does.
+        # Urlencode the path, **NOT** ``auth_path`` (because vhosting).
+        path = urllib.parse.urlparse(http_request.path)
+        # Because some quoting may have already been applied, let's back it out.
+        unquoted = urllib.parse.unquote(path.path)
+        # Requote, this time addressing all characters.
+        encoded = urllib.parse.quote(unquoted, safe='/~')
+        return encoded
+
+    def canonical_query_string(self, http_request):
+        # Note that we just do not return an empty string for
+        # POST request. Query strings in url are included in canonical
+        # query string.
+        l = []
+        for param in sorted(http_request.params):
+            value = boto.utils.get_utf8_value(http_request.params[param])
+            l.append('%s=%s' % (urllib.parse.quote(param, safe='-_.~'),
+                                urllib.parse.quote(value, safe='-_.~')))
+        return '&'.join(l)
+
+    def host_header(self, host, http_request):
+        port = http_request.port
+        secure = http_request.protocol == 'https'
+        if ((port == 80 and not secure) or (port == 443 and secure)):
+            return http_request.host
+        return '%s:%s' % (http_request.host, port)
+
+    def headers_to_sign(self, http_request):
+        """
+        Select the headers from the request that need to be included
+        in the StringToSign.
+        """
+        host_header_value = self.host_header(self.host, http_request)
+        headers_to_sign = {'Host': host_header_value}
+        for name, value in http_request.headers.items():
+            lname = name.lower()
+            # Hooray for the only difference! The main SigV4 signer only does
+            # ``Host`` + ``x-amz-*``. But S3 wants pretty much everything
+            # signed, except for authorization itself.
+            if lname not in ['authorization']:
+                headers_to_sign[name] = value
+        return headers_to_sign
+
+    def determine_region_name(self, host):
+        # S3's different format(s) of representing region/service from the
+        # rest of AWS makes this hurt too.
+        #
+        # Possible domain formats:
+        # - s3.amazonaws.com (Classic)
+        # - s3-us-west-2.amazonaws.com (Specific region)
+        # - bukkit.s3.amazonaws.com (Vhosted Classic)
+        # - bukkit.s3-ap-northeast-1.amazonaws.com (Vhosted specific region)
+        # - s3.cn-north-1.amazonaws.com.cn - (Beijing region)
+        # - bukkit.s3.cn-north-1.amazonaws.com.cn - (Vhosted Beijing region)
+        parts = self.split_host_parts(host)
+
+        if self.region_name is not None:
+            region_name = self.region_name
+        else:
+            # Classic URLs - s3-us-west-2.amazonaws.com
+            if len(parts) == 3:
+                region_name = self.clean_region_name(parts[0])
+
+                # Special-case for Classic.
+                if region_name == 's3':
+                    region_name = 'us-east-1'
+            else:
+                # Iterate over the parts in reverse order.
+                for offset, part in enumerate(reversed(parts)):
+                    part = part.lower()
+
+                    # Look for the first thing starting with 's3'.
+                    # Until there's a ``.s3`` TLD, we should be OK. :P
+                    if part == 's3':
+                        # If it's by itself, the region is the previous part.
+                        region_name = parts[-offset]
+
+                        # Unless it's Vhosted classic
+                        if region_name == 'amazonaws':
+                            region_name = 'us-east-1'
+
+                        break
+                    elif part.startswith('s3-'):
+                        region_name = self.clean_region_name(part)
+                        break
+
+        return region_name
+
+    def determine_service_name(self, host):
+        # Should this signing mechanism ever be used for anything else, this
+        # will fail. Consider utilizing the logic from the parent class should
+        # you find yourself here.
+        return 's3'
+
+    def mangle_path_and_params(self, req):
+        """
+        Returns a copy of the request object with fixed ``auth_path/params``
+        attributes from the original.
+        """
+        modified_req = copy.copy(req)
+
+        # Unlike the most other services, in S3, ``req.params`` isn't the only
+        # source of query string parameters.
+        # Because of the ``query_args``, we may already have a query string
+        # **ON** the ``path/auth_path``.
+        # Rip them apart, so the ``auth_path/params`` can be signed
+        # appropriately.
+        parsed_path = urllib.parse.urlparse(modified_req.auth_path)
+        modified_req.auth_path = parsed_path.path
+
+        if modified_req.params is None:
+            modified_req.params = {}
+        else:
+            # To keep the original request object untouched. We must make
+            # a copy of the params dictionary. Because the copy of the
+            # original request directly refers to the params dictionary
+            # of the original request.
+            copy_params = req.params.copy()
+            modified_req.params = copy_params
+
+        raw_qs = parsed_path.query
+        existing_qs = parse_qs_safe(
+            raw_qs,
+            keep_blank_values=True
+        )
+
+        # ``parse_qs`` will return lists. Don't do that unless there's a real,
+        # live list provided.
+        for key, value in existing_qs.items():
+            if isinstance(value, (list, tuple)):
+                if len(value) == 1:
+                    existing_qs[key] = value[0]
+
+        modified_req.params.update(existing_qs)
+        return modified_req
+
+    def payload(self, http_request):
+        if http_request.headers.get('x-amz-content-sha256'):
+            return http_request.headers['x-amz-content-sha256']
+
+        return super(S3HmacAuthV4Handler, self).payload(http_request)
+
+    def add_auth(self, req, **kwargs):
+        if 'x-amz-content-sha256' not in req.headers:
+            if '_sha256' in req.headers:
+                req.headers['x-amz-content-sha256'] = req.headers.pop('_sha256')
+            else:
+                req.headers['x-amz-content-sha256'] = self.payload(req)
+        updated_req = self.mangle_path_and_params(req)
+        return super(S3HmacAuthV4Handler, self).add_auth(updated_req,
+                                                         unmangled_req=req,
+                                                         **kwargs)
+
+    def presign(self, req, expires, iso_date=None):
+        """
+        Presign a request using SigV4 query params. Takes in an HTTP request
+        and an expiration time in seconds and returns a URL.
+
+        http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
+        """
+        if iso_date is None:
+            iso_date = datetime.datetime.utcnow().strftime('%Y%m%dT%H%M%SZ')
+
+        region = self.determine_region_name(req.host)
+        service = self.determine_service_name(req.host)
+
+        params = {
+            'X-Amz-Algorithm': 'AWS4-HMAC-SHA256',
+            'X-Amz-Credential': '%s/%s/%s/%s/aws4_request' % (
+                self._provider.access_key,
+                iso_date[:8],
+                region,
+                service
+            ),
+            'X-Amz-Date': iso_date,
+            'X-Amz-Expires': expires,
+            'X-Amz-SignedHeaders': 'host'
+        }
+
+        if self._provider.security_token:
+            params['X-Amz-Security-Token'] = self._provider.security_token
+
+        headers_to_sign = self.headers_to_sign(req)
+        l = sorted(['%s' % n.lower().strip() for n in headers_to_sign])
+        params['X-Amz-SignedHeaders'] = ';'.join(l)
+ 
+        req.params.update(params)
+
+        cr = self.canonical_request(req)
+
+        # We need to replace the payload SHA with a constant
+        cr = '\n'.join(cr.split('\n')[:-1]) + '\nUNSIGNED-PAYLOAD'
+
+        # Date header is expected for string_to_sign, but unused otherwise
+        req.headers['X-Amz-Date'] = iso_date
+
+        sts = self.string_to_sign(req, cr)
+        signature = self.signature(req, sts)
+
+        # Add signature to params now that we have it
+        req.params['X-Amz-Signature'] = signature
+
+        return '%s://%s%s?%s' % (req.protocol, req.host, req.path,
+                                 urllib.parse.urlencode(req.params))
+
+
+class STSAnonHandler(AuthHandler):
+    """
+    Provides pure query construction (no actual signing).
+
+    Used for making anonymous STS request for operations like
+    ``assume_role_with_web_identity``.
+    """
+
+    capability = ['sts-anon']
+
+    def _escape_value(self, value):
+        # This is changed from a previous version because this string is
+        # being passed to the query string and query strings must
+        # be url encoded. In particular STS requires the saml_response to
+        # be urlencoded when calling assume_role_with_saml.
+        return urllib.parse.quote(value)
+
+    def _build_query_string(self, params):
+        keys = list(params.keys())
+        keys.sort(key=lambda x: x.lower())
+        pairs = []
+        for key in keys:
+            val = boto.utils.get_utf8_value(params[key])
+            pairs.append(key + '=' + self._escape_value(val.decode('utf-8')))
+        return '&'.join(pairs)
+
+    def add_auth(self, http_request, **kwargs):
+        headers = http_request.headers
+        qs = self._build_query_string(
+            http_request.params
+        )
+        boto.log.debug('query_string in body: %s' % qs)
+        headers['Content-Type'] = 'application/x-www-form-urlencoded'
+        # This will be  a POST so the query string should go into the body
+        # as opposed to being in the uri
+        http_request.body = qs
+
+
+class QuerySignatureHelper(HmacKeys):
+    """
+    Helper for Query signature based Auth handler.
+
+    Concrete sub class need to implement _calc_sigature method.
+    """
+
+    def add_auth(self, http_request, **kwargs):
+        headers = http_request.headers
+        params = http_request.params
+        params['AWSAccessKeyId'] = self._provider.access_key
+        params['SignatureVersion'] = self.SignatureVersion
+        params['Timestamp'] = boto.utils.get_ts()
+        qs, signature = self._calc_signature(
+            http_request.params, http_request.method,
+            http_request.auth_path, http_request.host)
+        boto.log.debug('query_string: %s Signature: %s' % (qs, signature))
+        if http_request.method == 'POST':
+            headers['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'
+            http_request.body = qs + '&Signature=' + urllib.parse.quote_plus(signature)
+            http_request.headers['Content-Length'] = str(len(http_request.body))
+        else:
+            http_request.body = ''
+            # if this is a retried request, the qs from the previous try will
+            # already be there, we need to get rid of that and rebuild it
+            http_request.path = http_request.path.split('?')[0]
+            http_request.path = (http_request.path + '?' + qs +
+                                 '&Signature=' + urllib.parse.quote_plus(signature))
+
+
+class QuerySignatureV0AuthHandler(QuerySignatureHelper, AuthHandler):
+    """Provides Signature V0 Signing"""
+
+    SignatureVersion = 0
+    capability = ['sign-v0']
+
+    def _calc_signature(self, params, *args):
+        boto.log.debug('using _calc_signature_0')
+        hmac = self._get_hmac()
+        s = params['Action'] + params['Timestamp']
+        hmac.update(s.encode('utf-8'))
+        keys = params.keys()
+        keys.sort(cmp=lambda x, y: cmp(x.lower(), y.lower()))
+        pairs = []
+        for key in keys:
+            val = boto.utils.get_utf8_value(params[key])
+            pairs.append(key + '=' + urllib.parse.quote(val))
+        qs = '&'.join(pairs)
+        return (qs, base64.b64encode(hmac.digest()))
+
+
+class QuerySignatureV1AuthHandler(QuerySignatureHelper, AuthHandler):
+    """
+    Provides Query Signature V1 Authentication.
+    """
+
+    SignatureVersion = 1
+    capability = ['sign-v1', 'mturk']
+
+    def __init__(self, *args, **kw):
+        QuerySignatureHelper.__init__(self, *args, **kw)
+        AuthHandler.__init__(self, *args, **kw)
+        self._hmac_256 = None
+
+    def _calc_signature(self, params, *args):
+        boto.log.debug('using _calc_signature_1')
+        hmac = self._get_hmac()
+        keys = list(params.keys())
+        keys.sort(key=lambda x: x.lower())
+        pairs = []
+        for key in keys:
+            hmac.update(key.encode('utf-8'))
+            val = boto.utils.get_utf8_value(params[key])
+            hmac.update(val)
+            pairs.append(key + '=' + urllib.parse.quote(val))
+        qs = '&'.join(pairs)
+        return (qs, base64.b64encode(hmac.digest()))
+
+
+class QuerySignatureV2AuthHandler(QuerySignatureHelper, AuthHandler):
+    """Provides Query Signature V2 Authentication."""
+
+    SignatureVersion = 2
+    capability = ['sign-v2', 'ec2', 'ec2', 'emr', 'fps', 'ecs',
+                  'sdb', 'iam', 'rds', 'sns', 'sqs', 'cloudformation']
+
+    def _calc_signature(self, params, verb, path, server_name):
+        boto.log.debug('using _calc_signature_2')
+        string_to_sign = '%s\n%s\n%s\n' % (verb, server_name.lower(), path)
+        hmac = self._get_hmac()
+        params['SignatureMethod'] = self.algorithm()
+        if self._provider.security_token:
+            params['SecurityToken'] = self._provider.security_token
+        keys = sorted(params.keys())
+        pairs = []
+        for key in keys:
+            val = boto.utils.get_utf8_value(params[key])
+            pairs.append(urllib.parse.quote(key, safe='') + '=' +
+                         urllib.parse.quote(val, safe='-_~'))
+        qs = '&'.join(pairs)
+        boto.log.debug('query string: %s' % qs)
+        string_to_sign += qs
+        boto.log.debug('string_to_sign: %s' % string_to_sign)
+        hmac.update(string_to_sign.encode('utf-8'))
+        b64 = base64.b64encode(hmac.digest())
+        boto.log.debug('len(b64)=%d' % len(b64))
+        boto.log.debug('base64 encoded digest: %s' % b64)
+        return (qs, b64)
+
+
+class POSTPathQSV2AuthHandler(QuerySignatureV2AuthHandler, AuthHandler):
+    """
+    Query Signature V2 Authentication relocating signed query
+    into the path and allowing POST requests with Content-Types.
+    """
+
+    capability = ['mws']
+
+    def add_auth(self, req, **kwargs):
+        req.params['AWSAccessKeyId'] = self._provider.access_key
+        req.params['SignatureVersion'] = self.SignatureVersion
+        req.params['Timestamp'] = boto.utils.get_ts()
+        qs, signature = self._calc_signature(req.params, req.method,
+                                             req.auth_path, req.host)
+        boto.log.debug('query_string: %s Signature: %s' % (qs, signature))
+        if req.method == 'POST':
+            req.headers['Content-Length'] = str(len(req.body))
+            req.headers['Content-Type'] = req.headers.get('Content-Type',
+                                                          'text/plain')
+        else:
+            req.body = ''
+        # if this is a retried req, the qs from the previous try will
+        # already be there, we need to get rid of that and rebuild it
+        req.path = req.path.split('?')[0]
+        req.path = (req.path + '?' + qs +
+                    '&Signature=' + urllib.parse.quote_plus(signature))
+
+
+def get_auth_handler(host, config, provider, requested_capability=None):
+    """Finds an AuthHandler that is ready to authenticate.
+
+    Lists through all the registered AuthHandlers to find one that is willing
+    to handle for the requested capabilities, config and provider.
+
+    :type host: string
+    :param host: The name of the host
+
+    :type config:
+    :param config:
+
+    :type provider:
+    :param provider:
+
+    Returns:
+        An implementation of AuthHandler.
+
+    Raises:
+        boto.exception.NoAuthHandlerFound
+    """
+    ready_handlers = []
+    auth_handlers = boto.plugin.get_plugin(AuthHandler, requested_capability)
+    for handler in auth_handlers:
+        try:
+            ready_handlers.append(handler(host, config, provider))
+        except boto.auth_handler.NotReadyToAuthenticate:
+            pass
+
+    if not ready_handlers:
+        checked_handlers = auth_handlers
+        names = [handler.__name__ for handler in checked_handlers]
+        raise boto.exception.NoAuthHandlerFound(
+            'No handler was ready to authenticate. %d handlers were checked.'
+            ' %s '
+            'Check your credentials' % (len(names), str(names)))
+
+    # We select the last ready auth handler that was loaded, to allow users to
+    # customize how auth works in environments where there are shared boto
+    # config files (e.g., /etc/boto.cfg and ~/.boto): The more general,
+    # system-wide shared configs should be loaded first, and the user's
+    # customizations loaded last. That way, for example, the system-wide
+    # config might include a plugin_directory that includes a service account
+    # auth plugin shared by all users of a Google Compute Engine instance
+    # (allowing sharing of non-user data between various services), and the
+    # user could override this with a .boto config that includes user-specific
+    # credentials (for access to user data).
+    return ready_handlers[-1]
+
+
+def detect_potential_sigv4(func):
+    def _wrapper(self):
+        if os.environ.get('EC2_USE_SIGV4', False):
+            return ['hmac-v4']
+
+        if boto.config.get('ec2', 'use-sigv4', False):
+            return ['hmac-v4']
+
+        if hasattr(self, 'region'):
+            # If you're making changes here, you should also check
+            # ``boto/iam/connection.py``, as several things there are also
+            # endpoint-related.
+            if getattr(self.region, 'endpoint', ''):
+                for test in SIGV4_DETECT:
+                    if test in self.region.endpoint:
+                        return ['hmac-v4']
+
+        return func(self)
+    return _wrapper
+
+
+def detect_potential_s3sigv4(func):
+    def _wrapper(self):
+        if os.environ.get('S3_USE_SIGV4', False):
+            return ['hmac-v4-s3']
+
+        if boto.config.get('s3', 'use-sigv4', False):
+            return ['hmac-v4-s3']
+
+        if not hasattr(self, 'host'):
+            return func(self)
+
+        # Keep the old explicit logic in case somebody was adding to the list.
+        for test in SIGV4_DETECT:
+            if test in self.host:
+                return ['hmac-v4-s3']
+
+        # Use default for non-aws hosts. Adding a url scheme is necessary if
+        # not present for urlparse to properly function.
+        host = self.host
+        if not self.host.startswith('http://') or \
+                self.host.startswith('https://'):
+            host = 'https://' + host
+        netloc = urlparse(host).netloc
+        if not (netloc.endswith('amazonaws.com') or
+                netloc.endswith('amazonaws.com.cn')):
+            return func(self)
+
+        # Use the default for the global endpoint
+        if netloc.endswith('s3.amazonaws.com'):
+            return func(self)
+
+        # Use the default for regions that support sigv4 and sigv2
+        if any(test in self.host for test in S3_AUTH_DETECT):
+            return func(self)
+
+        # Use anonymous if enabled.
+        if hasattr(self, 'anon') and self.anon:
+            return func(self)
+
+        # Default to sigv4 for aws hosts outside of regions that are known
+        # to support sigv2
+        return ['hmac-v4-s3']
+    return _wrapper