aws-sdk-iam 0.2.0__py3-none-any.whl

aws_sdk_iam/__init__.py

@@ -0,0 +1,15 @@
+from __future__ import annotations
+from ._auth._identity import Identity as Identity, Credentials as Credentials
+from ._auth._providers import (
+    IdentityNotFound as IdentityNotFound,
+    IdentityProvider as IdentityProvider,
+    ChainedProvider as ChainedProvider,
+    CachedProvider as CachedProvider,
+    CredentialsProvider as CredentialsProvider,
+    StaticAwsCredentialsProvider as StaticAwsCredentialsProvider,
+    EnvCredentialsProvider as EnvCredentialsProvider,
+    ProfileCredentialsProvider as ProfileCredentialsProvider,
+)
+from ._auth._signers import Signer as Signer, SigV4Signer as SigV4Signer
+from ._services.iam import IAMClient as IAMClient
+from ._services.async_iam import AsyncIAMClient as AsyncIAMClient

aws_sdk_iam/_async.py

@@ -0,0 +1,25 @@
+from __future__ import annotations
+
+import asyncio
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    import trio
+else:
+    try:
+        import trio
+    except ImportError:
+        trio = None
+
+
+def in_trio_run() -> bool:
+    if trio is None:
+        return False
+    return trio.lowlevel.in_trio_run()
+
+
+async def anysleep(delay: float) -> None:
+    if in_trio_run():
+        await trio.sleep(delay)
+    else:
+        await asyncio.sleep(delay)

aws_sdk_iam/_auth/_identity.py

@@ -0,0 +1,15 @@
+from __future__ import annotations
+
+from datetime import datetime
+from typing import TypedDict
+from typing_extensions import NotRequired
+
+
+class Identity(TypedDict):
+    expiration: NotRequired[datetime | None]
+
+
+class Credentials(Identity):
+    access_key: str
+    secret_key: str
+    session_token: NotRequired[str | None]

aws_sdk_iam/_auth/_providers.py

@@ -0,0 +1,159 @@
+from __future__ import annotations
+
+import configparser
+import os
+from abc import abstractmethod
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Generic, TypeVar
+
+from aws_sdk_iam._auth._identity import (
+    Credentials,
+    Identity,
+)
+
+
+class IdentityNotFound(Exception):
+    """Raised when a provider cannot resolve an identity. Chain continues."""
+
+
+IdentityT = TypeVar("IdentityT", bound="Identity")
+
+
+class IdentityProvider(Generic[IdentityT]):
+    @abstractmethod
+    def resolve_identity(self) -> IdentityT:
+        raise NotImplementedError
+
+
+class ChainedProvider(IdentityProvider[IdentityT]):
+    """Try each provider in order; first non-`IdentityNotFound` wins."""
+
+    def __init__(self, *providers: IdentityProvider[IdentityT]) -> None:
+        if not providers:
+            raise ValueError("ChainedProvider requires at least one provider")
+        self._providers = providers
+
+    def resolve_identity(self) -> IdentityT:
+        errors: list[str] = []
+        for p in self._providers:
+            try:
+                return p.resolve_identity()
+            except IdentityNotFound as e:
+                errors.append(f"{type(p).__name__}: {e}")
+        raise IdentityNotFound("no provider succeeded: " + "; ".join(errors))
+
+
+class CachedProvider(IdentityProvider[IdentityT]):
+    """Cache an identity until its `expiration` (minus skew) elapses."""
+
+    _SKEW_SECONDS = 60
+
+    def __init__(self, inner: IdentityProvider[IdentityT]) -> None:
+        self._inner = inner
+        self._cached: IdentityT | None = None
+
+    def resolve_identity(self) -> IdentityT:
+        if self._cached is not None and not self._expired(self._cached):
+            return self._cached
+        self._cached = self._inner.resolve_identity()
+        return self._cached
+
+    @classmethod
+    def _expired(cls, ident: Identity) -> bool:
+        exp = ident.get("expiration")
+        if exp is None:
+            return False
+        return (exp - datetime.now(timezone.utc)).total_seconds() <= cls._SKEW_SECONDS
+
+
+class CredentialsProvider(IdentityProvider[Credentials]):
+    """Base class for providers that resolve AWS `Credentials`."""
+
+    @abstractmethod
+    def resolve_identity(self) -> Credentials:
+        raise NotImplementedError
+
+
+class StaticAwsCredentialsProvider(CredentialsProvider):
+    def __init__(self, credentials: Credentials) -> None:
+        self._credentials = credentials
+
+    def resolve_identity(self) -> Credentials:
+        return self._credentials
+
+
+class EnvCredentialsProvider(CredentialsProvider):
+    """Read AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN."""
+
+    def resolve_identity(self) -> Credentials:
+        ak = os.environ.get("AWS_ACCESS_KEY_ID")
+        sk = os.environ.get("AWS_SECRET_ACCESS_KEY")
+        if not ak or not sk:
+            raise IdentityNotFound("AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY unset")
+        out: Credentials = {"access_key": ak, "secret_key": sk}
+        token = os.environ.get("AWS_SESSION_TOKEN")
+        if token:
+            out["session_token"] = token
+        return out
+
+
+class ProfileCredentialsProvider(CredentialsProvider):
+    """Read ~/.aws/credentials and ~/.aws/config for the active profile."""
+
+    def __init__(
+        self,
+        profile: str | None = None,
+        credentials_file: Path | None = None,
+        config_file: Path | None = None,
+    ) -> None:
+        self._profile = profile or os.environ.get("AWS_PROFILE", "default")
+        self._cred_file = credentials_file or Path(
+            os.environ.get("AWS_SHARED_CREDENTIALS_FILE")
+            or Path.home() / ".aws" / "credentials"
+        )
+        self._cfg_file = config_file or Path(
+            os.environ.get("AWS_CONFIG_FILE") or Path.home() / ".aws" / "config"
+        )
+
+    def resolve_identity(self) -> Credentials:
+        section = self._load_profile()
+        ak = section.get("aws_access_key_id")
+        sk = section.get("aws_secret_access_key")
+        if not ak or not sk:
+            raise IdentityNotFound(
+                f"profile {self._profile!r}: missing aws_access_key_id/aws_secret_access_key"
+            )
+        out: Credentials = {"access_key": ak, "secret_key": sk}
+        token = section.get("aws_session_token")
+        if token:
+            out["session_token"] = token
+        return out
+
+    def _load_profile(self) -> dict[str, str]:
+        merged: dict[str, str] = {}
+        if self._cfg_file.is_file():
+            cfg = configparser.ConfigParser()
+            cfg.read(self._cfg_file)
+            # config file profiles look like `[profile foo]`, except default
+            key = (
+                "default" if self._profile == "default" else f"profile {self._profile}"
+            )
+            if cfg.has_section(key):
+                merged.update(dict(cfg.items(key)))
+        if self._cred_file.is_file():
+            cfg = configparser.ConfigParser()
+            cfg.read(self._cred_file)
+            if cfg.has_section(self._profile):
+                merged.update(dict(cfg.items(self._profile)))
+        if not merged:
+            raise IdentityNotFound(
+                f"profile {self._profile!r} not found in {self._cred_file} or {self._cfg_file}"
+            )
+        return merged
+
+
+def default_aws_credentials_chain() -> IdentityProvider[Credentials]:
+    return CachedProvider(
+        ChainedProvider(EnvCredentialsProvider(), ProfileCredentialsProvider())
+    )

aws_sdk_iam/_auth/_signers.py

@@ -0,0 +1,83 @@
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+from typing import Generic, TypeVar
+from typing import Any
+from zapros import Request
+from aws_sdk_iam._auth._sigv4 import SigV4AuthContext, sign_sigv4
+from aws_sdk_iam._auth._identity import Credentials, Identity
+from aws_sdk_iam._auth._providers import IdentityProvider
+
+IdentityT = TypeVar("IdentityT", bound="Identity")
+
+
+class Signer(ABC, Generic[IdentityT]):
+    """Per-request request signer. Holds an IdentityProvider plus static config."""
+
+    def __init__(self, provider: IdentityProvider[IdentityT]) -> None:
+        self.provider = provider
+
+    @abstractmethod
+    async def asign(self, req: Request) -> Request: ...
+    @abstractmethod
+    def sign(self, req: Request) -> Request: ...
+
+
+class SigV4Signer(Signer[Credentials]):
+    """aws.auth#sigv4 — AWS Signature Version 4.
+
+    The full auth scheme (``name`` variant, ``signingName``, ``signingRegion``,
+    encoding/normalization flags) is provided by the caller — either from the
+    endpoint rule-set's ``authSchemes`` property or built by the generated
+    ``get_signer`` from operation defaults.
+    """
+
+    def __init__(
+        self, provider: IdentityProvider[Credentials], *, auth_scheme: dict[str, Any]
+    ) -> None:
+        super().__init__(provider)
+        self._auth_scheme = auth_scheme
+
+    async def asign(self, req: Request) -> Request:
+        creds = self.provider.resolve_identity()
+        ctx: SigV4AuthContext = {
+            "type": "sig_v4",
+            "access_key_id": creds["access_key"],
+            "secret_access_key": creds["secret_key"],
+            "session_token": creds.get("session_token"),
+            "signing_region": self._auth_scheme["signingRegion"],
+            "signing_name": self._auth_scheme["signingName"],
+        }
+        if req.body is None:
+            body: bytes | None = b""
+        elif isinstance(req.body, bytes):
+            body = req.body
+        else:
+            body = None
+        # Strip Accept-Encoding so transports/intermediaries can't transcode
+        # the response and so the value never enters the canonical request.
+        if "accept-encoding" in req.headers:
+            del req.headers["Accept-Encoding"]
+        return sign_sigv4(req, ctx, body)
+
+    def sign(self, req: Request) -> Request:
+        creds = self.provider.resolve_identity()
+        ctx: SigV4AuthContext = {
+            "type": "sig_v4",
+            "access_key_id": creds["access_key"],
+            "secret_access_key": creds["secret_key"],
+            "session_token": creds.get("session_token"),
+            "signing_region": self._auth_scheme["signingRegion"],
+            "signing_name": self._auth_scheme["signingName"],
+        }
+        if req.body is None:
+            body: bytes | None = b""
+        elif isinstance(req.body, bytes):
+            body = req.body
+        else:
+            body = None
+        # Strip Accept-Encoding so transports/intermediaries can't transcode
+        # the response and so the value never enters the canonical request.
+        if "accept-encoding" in req.headers:
+            del req.headers["Accept-Encoding"]
+        return sign_sigv4(req, ctx, body)

aws_sdk_iam/_auth/_sigv4.py

@@ -0,0 +1,364 @@
+"""AWS Signature Version 4 — single-chunk signing.
+
+Reference:
+    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html
+
+Verified byte-for-byte against ``botocore.auth.S3SigV4Auth`` / ``SigV4Auth``
+across S3 GET/PUT/POST, query-string, session-token, and non-S3 (IAM)
+canonicalization paths.
+"""
+
+from __future__ import annotations
+
+import datetime as _dt
+import hashlib
+import hmac
+import re
+from typing import Literal, TypedDict
+from urllib.parse import quote, unquote
+
+from pywhatwgurl import URLSearchParams
+from zapros import Headers, Request
+import zapros
+from zapros._utils import get_host_header_value
+
+
+class SigV4AuthContext(TypedDict):
+    type: Literal["sig_v4"]
+    access_key_id: str
+    secret_access_key: str
+    session_token: str | None
+    signing_region: str
+    signing_name: str
+
+
+_SIGV4_ALGORITHM = "AWS4-HMAC-SHA256"
+_EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()
+
+# Headers excluded from the signed-headers set. Mirrors botocore's denylist:
+# these are hop-by-hop / mutable in transit, so signing them would break
+# proxies or duplicate values already added by the transport layer.
+_UNSIGNED_HEADERS = frozenset(
+    {
+        "authorization",
+        "cache-control",
+        "connection",
+        "expect",
+        "from",
+        "keep-alive",
+        "max-forwards",
+        "pragma",
+        "referer",
+        "te",
+        "trailer",
+        "transfer-encoding",
+        "upgrade",
+        "user-agent",
+        "x-amzn-trace-id",
+        "content-length",
+        "accept",
+        "accept-encoding",
+    }
+)
+
+_MULTI_SPACE = re.compile(r" +")
+
+
+def _uri_encode(value: str) -> str:
+    """RFC 3986 percent-encoding using only the unreserved set as safe."""
+    return quote(value, safe="-_.~")
+
+
+def _canonical_path(path: str, *, service: str) -> str:
+    """Build CanonicalURI.
+
+    Per the SigV4 spec, every segment is URI-encoded; for services other
+    than S3 each segment is URI-encoded **twice**. S3 keeps the path
+    exactly as provided (no normalization, no double-encoding).
+    """
+    if not path:
+        return "/"
+    if service == "s3":
+        return path if path.startswith("/") else "/" + path
+    decoded = unquote(path)
+    first = quote(decoded, safe="/~")
+    return quote(first, safe="/~")
+
+
+def _canonical_query(query: str) -> str:
+    """Build CanonicalQueryString from a raw query string (with or without ``?``)."""
+    if not query:
+        return ""
+    if query.startswith("?"):
+        query = query[1:]
+    if not query:
+        return ""
+    sp = URLSearchParams(query)
+    encoded = sorted((_uri_encode(k), _uri_encode(v)) for k, v in sp.entries())
+    return "&".join(f"{k}={v}" for k, v in encoded)
+
+
+def _trim_header_value(value: str) -> str:
+    """Trim leading/trailing whitespace and collapse internal whitespace runs.
+
+    Spec note: the canonical form treats sequential whitespace inside an
+    unquoted value as a single space. We do not parse quoted-string syntax;
+    the conservative collapse is correct for every header AWS actually signs.
+    """
+    return _MULTI_SPACE.sub(" ", value.strip())
+
+
+def _canonical_headers(headers: Headers) -> tuple[str, str]:
+    """Return ``(canonical_headers, signed_headers)``."""
+    grouped: dict[str, list[str]] = {}
+    for name in headers:
+        lname = name.lower()
+        if lname in _UNSIGNED_HEADERS:
+            continue
+        grouped[lname] = [_trim_header_value(v) for v in headers.getall(name)]
+
+    signed = sorted(grouped)
+    canonical = "".join(f"{name}:{','.join(grouped[name])}\n" for name in signed)
+    return canonical, ";".join(signed)
+
+
+def _build_canonical_request(
+    *,
+    method: str,
+    path: str,
+    query: str,
+    headers: Headers,
+    payload_hash: str,
+    service: str,
+) -> tuple[str, str]:
+    canonical_uri = _canonical_path(path, service=service)
+    canonical_query = _canonical_query(query)
+    canonical_headers, signed_headers = _canonical_headers(headers)
+    canonical_request = (
+        f"{method}\n"
+        f"{canonical_uri}\n"
+        f"{canonical_query}\n"
+        f"{canonical_headers}\n"
+        f"{signed_headers}\n"
+        f"{payload_hash}"
+    )
+    return canonical_request, signed_headers
+
+
+def _derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
+    k_date = hmac.new(
+        b"AWS4" + secret.encode("utf-8"), date.encode("ascii"), hashlib.sha256
+    ).digest()
+    k_region = hmac.new(k_date, region.encode("utf-8"), hashlib.sha256).digest()
+    k_service = hmac.new(k_region, service.encode("utf-8"), hashlib.sha256).digest()
+    return hmac.new(k_service, b"aws4_request", hashlib.sha256).digest()
+
+
+def _amz_now() -> _dt.datetime:
+    return _dt.datetime.now(_dt.timezone.utc)
+
+
+def _canonical_query_from_pairs(pairs: list[tuple[str, str]]) -> str:
+    """CanonicalQueryString from raw (unencoded) key/value pairs."""
+    encoded = sorted((_uri_encode(k), _uri_encode(v)) for k, v in pairs)
+    return "&".join(f"{k}={v}" for k, v in encoded)
+
+
+def sign_sigv4(
+    request: Request,
+    ctx: SigV4AuthContext,
+    body: bytes | None,
+) -> Request:
+    """Return a new ``Request`` carrying SigV4 single-chunk auth headers.
+
+    Pass ``body=None`` to sign with ``UNSIGNED-PAYLOAD`` (streaming requests).
+    The original ``request.body`` is forwarded unchanged in that case.
+    """
+    service = ctx["signing_name"]
+    region = ctx["signing_region"]
+
+    headers = request.headers.copy()
+
+    # X-Amz-Date — honor caller-supplied value (allows deterministic tests).
+    existing_date = headers.get("X-Amz-Date")
+    if existing_date:
+        amz_date = existing_date
+        date_stamp = amz_date[:8]
+    else:
+        now = _amz_now()
+        amz_date = now.strftime("%Y%m%dT%H%M%SZ")
+        date_stamp = now.strftime("%Y%m%d")
+        headers["X-Amz-Date"] = amz_date
+
+    # Payload hash. For S3, x-amz-content-sha256 is mandatory and must be set
+    # BEFORE computing the canonical request (it gets signed).
+    payload_hash = headers.get("X-Amz-Content-SHA256")
+    if payload_hash is None:
+        if body is None:
+            payload_hash = "UNSIGNED-PAYLOAD"
+        else:
+            payload_hash = (
+                hashlib.sha256(body).hexdigest() if body else _EMPTY_PAYLOAD_SHA256
+            )
+    if service == "s3":
+        headers["X-Amz-Content-SHA256"] = payload_hash
+
+    # Session token (STS / assumed-role credentials).
+    session_token = ctx.get("session_token")
+    if session_token:
+        headers["X-Amz-Security-Token"] = session_token
+
+    # Host header is added by Request.__init__ from the URL; defensive fallback.
+    if "host" not in headers and request.url.hostname:
+        headers["Host"] = get_host_header_value(request.url)
+
+    canonical_request, signed_headers = _build_canonical_request(
+        method=request.method.upper(),
+        path=request.url.pathname,
+        query=request.url.search,
+        headers=headers,
+        payload_hash=payload_hash,
+        service=service,
+    )
+
+    credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
+    string_to_sign = (
+        f"{_SIGV4_ALGORITHM}\n"
+        f"{amz_date}\n"
+        f"{credential_scope}\n"
+        f"{hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()}"
+    )
+
+    signing_key = _derive_signing_key(
+        ctx["secret_access_key"], date_stamp, region, service
+    )
+    signature = hmac.new(
+        signing_key, string_to_sign.encode("utf-8"), hashlib.sha256
+    ).hexdigest()
+
+    headers["Authorization"] = (
+        f"{_SIGV4_ALGORITHM} "
+        f"Credential={ctx['access_key_id']}/{credential_scope},"
+        f"SignedHeaders={signed_headers},"
+        f"Signature={signature}"
+    )
+
+    effective_body = body if body is not None else request.body
+    if effective_body is not None:
+        return Request(
+            request.url,
+            request.method,
+            headers,
+            body=effective_body,
+            context=request.context,
+        )
+    return Request(request.url, request.method, headers, context=request.context)
+
+
+def presign_sigv4(
+    request: Request,
+    ctx: SigV4AuthContext,
+    *,
+    expires_in: int = 3600,
+    now: _dt.datetime | None = None,
+) -> Request:
+    """Return a new ``Request`` whose URL carries SigV4 query-string auth.
+
+    The signature travels in the URL (``X-Amz-*`` query params), so the result
+    is usable standalone (browser, curl). Payload is signed as
+    ``UNSIGNED-PAYLOAD``, so the body is not bound by the signature.
+
+    ``expires_in`` is the validity window in seconds; range 1..604800 (7 days),
+    bounded by the max lifetime of the derived signing key.
+    """
+    if not 1 <= expires_in <= 604800:
+        raise ValueError(f"expires_in must be in [1, 604800], got {expires_in}")
+
+    sign_time = now or _amz_now()
+    if sign_time.tzinfo is None:
+        raise ValueError("now must be timezone-aware (UTC)")
+
+    service = ctx["signing_name"]
+    region = ctx["signing_region"]
+
+    amz_date = sign_time.strftime("%Y%m%dT%H%M%SZ")
+    date_stamp = sign_time.strftime("%Y%m%d")
+    credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
+
+    # Canonical headers: host is mandatory; anything else already on the request
+    # is signed too (and must then be sent alongside the URL). Strip the headers
+    # that belong in the query string to avoid header/query value conflicts
+    # (which AWS rejects as InvalidRequest).
+    headers = request.headers.copy()
+    for h in (
+        "Authorization",
+        "X-Amz-Date",
+        "X-Amz-Content-SHA256",
+        "X-Amz-Security-Token",
+    ):
+        if h in headers:
+            del headers[h]
+    if "host" not in headers and request.url.hostname:
+        headers["Host"] = get_host_header_value(request.url)
+
+    canonical_headers, signed_headers = _canonical_headers(headers)
+
+    # Signed query params (raw values). X-Amz-Signature is appended afterwards.
+    amz_params: list[tuple[str, str]] = [
+        ("X-Amz-Algorithm", _SIGV4_ALGORITHM),
+        ("X-Amz-Credential", f"{ctx['access_key_id']}/{credential_scope}"),
+        ("X-Amz-Date", amz_date),
+        ("X-Amz-Expires", str(expires_in)),
+        ("X-Amz-SignedHeaders", signed_headers),
+    ]
+    session_token = ctx.get("session_token")
+    if session_token:
+        # S3 and most services require the token inside the canonical query.
+        # (A few — e.g. iotdevicegateway — want it appended post-signature
+        # instead; handle those as a special case if you ever target them.)
+        amz_params.append(("X-Amz-Security-Token", session_token))
+
+    existing = list(URLSearchParams(request.url.search).entries())
+    canonical_query = _canonical_query_from_pairs(existing + amz_params)
+
+    canonical_request = (
+        f"{request.method.upper()}\n"
+        f"{_canonical_path(request.url.pathname, service=service)}\n"
+        f"{canonical_query}\n"
+        f"{canonical_headers}\n"
+        f"{signed_headers}\n"
+        f"UNSIGNED-PAYLOAD"
+    )
+
+    string_to_sign = (
+        f"{_SIGV4_ALGORITHM}\n"
+        f"{amz_date}\n"
+        f"{credential_scope}\n"
+        f"{hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()}"
+    )
+    signing_key = _derive_signing_key(
+        ctx["secret_access_key"], date_stamp, region, service
+    )
+    signature = hmac.new(
+        signing_key, string_to_sign.encode("utf-8"), hashlib.sha256
+    ).hexdigest()
+
+    # X-Amz-Signature is hex (no encoding needed) and is NOT part of the
+    # canonical query. The sorted canonical query doubles as the URL query.
+    final_query = f"{canonical_query}&X-Amz-Signature={signature}"
+
+    url = request.url
+    fragment = url.hash or ""
+    presigned_href = zapros.URL(
+        f"{url.protocol}//{url.host}{url.pathname}?{final_query}{fragment}"
+    )
+
+    if request.body is not None:
+        return Request(
+            presigned_href,
+            request.method,
+            headers,
+            body=request.body,
+            context=request.context,
+        )
+    return Request(presigned_href, request.method, headers, context=request.context)