sSrSSKJr SSKJr SSKJr SSKJr SSKrSSKrSSKJr SSKJ r SS KJ r SSK r SSK r SSK r SSKrSSKrSS KJr SS KJr SS KJr SS KJr SSKJr SSKJr SSKJr SSKJr SSKJ r SSK!J"r" SSK!J#r# SSK$J%r% SSK&J'r' SSK(J)r)J*r* SSK+J,r,J-r-J.r. SSK/J0r0 SSK/J1r1 SSK/J2r2 SSK/J3r3 Sr4SSK6J7r7 SS K8J9r9 SS!K:J;r; SS"KJ?r? Sr@S%rB\ "S&S'9rC\ "S(S)9rDS*rES+\E-S,-rFS-rGS.rHS4S/jrIS0rJS5S1jrK"S2S3\5rLg!\5a Sr1Sr2Sr4Sr0Nlf=f!\5a Sr@S$rAN[f=f)6zpImplementation of URL Signing workflow. see: https://cloud.google.com/storage/docs/access-control#Signed-URLs) )absolute_import)print_function)division)unicode_literalsN)datetime) timedelta)timezone)urllib) HttpError) MakeRequest)Request)config)Command)CommandArgument) ApiSelector)CommandException)ContainsWildcard)StorageUrlFromString) constants) GetNewHttp)GcloudStorageMapGcloudStorageFlag) CreatePayload GetFinalUrlto_bytes) FILETYPE_PEM)load_privatekey)sign)PKeyTF)hashes)padding) RSAPrivateKey)pkcs12)NameOIDzapyca/cryptography is not available. Either install it, or please consider using the .json keyfileautodays hoursz gsutil signurl [-c ] [-d ] [-m ] \ [-p ] [-r ] [-b ] (-u | ) \ (gs:// | gs:///)... z SYNOPSIS aG DESCRIPTION The signurl command will generate a signed URL that embeds authentication data so the URL can be used by someone who does not have a Google account. Please see the `Signed URLs documentation `_ for background about signed URLs. Multiple gs:// URLs may be provided and may contain wildcards. A signed URL will be produced for each provided URL, authorized for the specified HTTP method and valid for the given duration. NOTE: Unlike the gsutil ls command, the signurl command does not support operations on sub-directories. For example, unless you have an object named ``some-directory/`` stored inside the bucket ``some-bucket``, the following command returns an error: ``gsutil signurl gs://some-bucket/some-directory/`` The signurl command uses the private key for a service account (the '' argument) to generate the cryptographic signature for the generated URL. The private key file must be in PKCS12 or JSON format. If the private key is encrypted the signed URL command will prompt for the passphrase used to protect the private key file (default 'notasecret'). For more information regarding generating a private key for use with the signurl command please see the `Authentication documentation. `_ If you used `service account credentials `_ for authentication, you can replace the argument with the -u or --use-service-account option to use the system-managed private key directly. This avoids the need to store a private key file locally, but prior to using this flag you must `configure `_ ``gcloud`` to use your service account credentials. OPTIONS -b Allows you to specify a user project that will be billed for requests that use the signed URL. This is useful for generating presigned links for buckets that use requester pays. Note that it's not valid to specify both the ``-b`` and ``--use-service-account`` options together. -c Specifies the content type for which the signed URL is valid for. -d Specifies the duration that the signed URL should be valid for, default duration is 1 hour. Times may be specified with no suffix (default hours), or with s = seconds, m = minutes, h = hours, d = days. This option may be specified multiple times, in which case the duration the link remains valid is the sum of all the duration options. The max duration allowed is 7 days when ``private-key-file`` is used. The max duration allowed is 12 hours when -u option is used. This limitation exists because the system-managed key used to sign the URL may not remain valid after 12 hours. -m Specifies the HTTP method to be authorized for use with the signed URL, default is GET. You may also specify RESUMABLE to create a signed resumable upload start URL. When using a signed URL to start a resumable upload session, you will need to specify the 'x-goog-resumable:start' header in the request or else signature validation will fail. -p Specify the private key password instead of prompting. -r Specifies the `region `_ in which the resources for which you are creating signed URLs are stored. Default value is 'auto' which will cause gsutil to fetch the region for the resource. When auto-detecting the region, the current gsutil user's credentials, not the credentials from the private-key-file, are used to fetch the bucket's metadata. This option must be specified and not 'auto' when generating a signed URL to create a bucket. -u Use service account credentials instead of a private key file to sign the URL. You can also use the ``--use-service-account`` option, which is equivalent to ``-u``. Note that both options have a maximum allowed duration of 12 hours for a valid link. USAGE Create a signed URL for downloading an object valid for 10 minutes: gsutil signurl -d 10m gs:/// Create a signed URL, valid for one hour, for uploading a plain text file via HTTP PUT: gsutil signurl -m PUT -d 1h -c text/plain \ gs:/// To construct a signed URL that allows anyone in possession of the URL to PUT to the specified bucket for one day, creating an object of Content-Type image/jpg, run: gsutil signurl -m PUT -d 1d -c image/jpg \ gs:/// To construct a signed URL that allows anyone in possession of the URL to POST a resumable upload to the specified bucket for one day, creating an object of Content-Type image/jpg, run: gsutil signurl -m RESUMABLE -d 1d -c image/jpg \ gs://bucket/ c`[R"[RS9R SS9$)z2Returns the current utc time as a datetime object.tzNtzinfo)rnowr utcreplace)platform/gsutil/gslib/commands/signurl.py_NowUTCr7s#  & . .d . ;;r5c8[R"SU5nU(d [S5eURS5up[ U5nUR 5nUS:Xa [ US9nU$US:Xa [ US9nU$US:Xa [ US9nU$US :Xa [ US 9nW$) z>Parses the given duration and returns an equivalent timedelta.z^(\d+)([dDhHmMsS])?$zUnable to parse duration stringhdr'r*m)minutessseconds)rematchrgroupsintlowerr)durationrAmodifierrets r6_DurationToTimeDeltarHs ((*H 5%  < ==||C(( ]( ^^ ( _  "C *3 ( #C * 3 H %C *3 H %C *r5c T[R"SSS5nSU0nUS:XaSnSUS'U (dURS 5 U (aXS 'U(aURUUUUU UU UU S 9 nU$[R (aS nOS n[ UUUUU UU UU U S9 unn[U[5(a[UUU5nO\[(d[[5eUR[U5[R"5[ R""55n[%UXU5nU$)aConstruct a string to sign with the provided key. Args: key: The private key to use for signing the URL. api: The CloudApiDelegator instance use_service_account: If True, use the service account credentials instead of using the key file to sign the URL provider: Cloud storage provider to connect to. If not present, class-wide default is used. client_id: Client ID signing this URL. method: The HTTP method to be used with the signed URL. duration: timedelta for which the constructed signed URL should be valid. gcs_path: String path to the bucket of object for signing, in the form 'bucket' or 'bucket/object'. logger: logging.Logger for warning and debug output. region: Geographic region in which the requested resource resides. content_type: Optional Content-Type for the signed URL. HTTP requests using the URL must match this Content-Type. billing_project: Specify a user project to be billed for the request. string_to_sign_debug: If true AND logger is enabled for debug level, print string to sign to debug. Used to differentiate user's signed URL from the probing permissions-check signed URL. generation: If not None, specifies a version of an object for signing. Returns: The complete URL (string). Credentialsgs_hostzstorage.googleapis.comhost RESUMABLEPOSTstartzx-goog-resumablezWarning: no Content-Type header was specified with the -c flag, so uploads to the resulting Signed URL must not specify a Content-Type.z content-type) providermethodrEpath generationloggerregionsigned_headersstring_to_sign_debugs RSA-SHA256z RSA-SHA256) client_idrQrErRrSrTrUrVbilling_projectrW)rgetwarnSignUrlsixPY2r isinstancerr HAVE_CRYPTOr_CRYPTO_IMPORT_ERRORrr!PKCS1v15r SHA256r)keyapiuse_service_accountrPrXrQrEgcs_pathrTrU content_typerYrWrSrKrV final_urldigeststring_to_signcanonical_query_string raw_signatures r6 _GenSignedUrlrnsCR JJ}i1I J'G$. { F)0N%&  kk,-%1>" X#)%-!)'1#)#)+91EGIF 3 wwff-: %'1 .3*N*#t37m [344hhx79I9I9KV]]_]mM724I r5c([U5n[U5n[(d[[5e[R "X5up#nUR R[R5SRnX%4$! [S5e=f)Nrz[R"UR5n[R"UR5nSSSSURS-/nURSSUlSnSnSnSn[ UR5H0unupU S:XaUnMU S:XaUnMU S :XaUnM&U S :XdM.UnM2 UbO[ [ [URUS5R555S -n SU 4URU'Ub+URUSS :XaS URU'US/- nUb&URUSn S SU -4URU'Ub&URUSn S SU -4URU'[TU])[U[S5[S5[S5[S5[S5[S5S.S95nXlX lU$)Nstoragezsign-urlz--format=csv[separator="\t"](resource:label="URL", http_verb:label="HTTP Method", expiration:label="Expiration", signed_url:label="Signed URL")z--private-key-file=rr-d-m-c-br=rM)rrNz --headers=x-goog-resumable=startz content-type=z userProject=z --http-verbz --durationz--query-paramsz --headersz--regionz--private-key-password)rrrr-r-p)gcloud_commandflag_map) copydeepcopyargssub_opts enumeratestrrCrH total_secondssuperget_gcloud_storage_argsrr)self original_argsoriginal_sub_optsrduration_arg_idxhttp_verb_arg_idxcontent_type_arg_idxbilling_project_arg_idxiflag_r?content_type_value project_valuefully_translated_command __class__s r6r&UrlSignCommand.get_gcloud_storage_argss8MM$)),M dmm4: *,A499Q<+O N !" DI"!$--0 9D  4< 4<  4<"#1# "-- 01!466Cmo GHKNNg*.wdmm$%$ ( )! , ;+9 '(=>>'==)=>qA-1?-?4@-Admm()*mm$;0N0Pdmm+, %w>#4]#C#4\#B#45E#F#4[#A#4Z#@#45M#N #  I%M ##r5c8SnSnSnSn[nSnSnURHup[R(a@U R [ R R=(d [R5n US:Xa UbU[U 5- nMs[U 5nMUS:XaU nMUS:XaU nMUS:XaU nMUS:XaU nMUS :XdUS :XaS nMUS :XaU nMUR5 M Uc [S S9nO?U(aU[:a[S[-5eU[:a[S[-5eUS;a [S5eU(d$[!UR"5S:a [S5eU(aU(a [S5eX!X4XVU4$)NGETFrrrrrz-uz--use-service-accountTrrr*zMax valid duration allowed is %s when -u flag is used. For longer duration, consider using the private-key-file instead of the -u option.z Max valid duration allowed is %s)rPUTDELETEHEADrMz9HTTP method must be one of[GET|HEAD|PUT|DELETE|RESUMABLE]zThe command requires a key file argument and one or more URL arguments if the --use-service-account flag is missing. Run `gsutil help signurl` for more infozLSpecifying both the -b and --use-service-account options together isinvalid.)_AUTO_DETECT_REGIONrr]r^decodesysstdinencodingrUTF8rHRaiseInvalidArgumentExceptionr!_MAX_EXPIRATION_TIME_WITH_MINUS_Ur_MAX_EXPIRATION_TIMElenr) rdeltarQrhrvrUrfrYovs r6_ParseAndCheckSubOpts$UrlSignCommand._ParseAndCheckSubOptss E FL F FO   HHSYY''99>> : d   '* *%&q)% 9 9 9 9 944" 9 **,-0 }a e )J!J : ;< < ' ' $&: ;< <BB ? @@ 3tyy>A#5  4 55     ,_ \\r5c [UURUUUS[SS9UUUUU SS9 n [5n [ U S5n [ X5n U R S;a[R"U 5eU R $![ajnURS5(a?URnSUR -nUR(aUS UR-- nOS U-n[U5eS nAff=f) zFPerforms a head request against a signed URL to check for read access.r<r>T) rdrerfrPrXrQrErgrSrTrUrYrW)responsezbUnexpected HTTP response code %s while querying object readability. Is your system clock accurate?z Content: %szbExpected an HTTP response code of 200 while querying object readability, but received an error: %sN) rn gsutil_apirrr r status_coder FromResponsehas_attrrcontentr)rrdrfrPryrgrSrTrUrY signed_urlr9reqr http_errorerror_response error_strings r6_ProbeObjectAccessWithClient+UrlSignCommand._ProbeObjectAccessWithClient1s 3#'??3F(0)5&,(1"(=(0*4&,&,/>48 :J+ ,a J 'cQ$h   _ 4$$X..  ! !!  +   Z ( (#,,M&223   ! ! .>+A+AA A,')34  \ ** +sAA;; C/A%C**C/c/nUHin[U5(a<URURU5Vs/sHoDRPM sn5 MOUR [ U55 Mk U$s snfN)rextendWildcardIterator storage_urlappendr)rin_urlsrGurl_strblrs r6_EnumerateStorageUrls$UrlSignCommand._EnumerateStorageUrls]se C ' " " t/D/DW/MN/MOO/MNO '01  J OsA4 c [(d [S5eUR5upp4pVnU(aSOSnURURUS5n 0n Sn U(d5[ [ URSS5R5U5upOURRSS 9n [S 5 U GH\n U RS:wa [S 5eU R!5(a3U[":Xa [S 5eU R$nUS :Xa [S5eO_SRU R$[&R(R+U R,R/[0R25SS95nU[":XavU R$U ;aXR$nOYUR5SRU R$5S/S9unnUR<R?5nXU R$'OUn[AU URUU RU UUUU RBURDUUUSS9n[FRH"[JRL"[NRPS9RSSS9U-RU55n[JRV"U5nURYS5n[ZR\(aUR_[0R25nSRU R`UUU5n[ZR\(aUR/[0R25n[U5 URcXU RXU RBURDX5 nUS:XaaU R!5(a US:wa[SRU 55eUS:wa#US :wa[SRU 55eGM*GM-US :XdGM6URDReS!U =(d S"U 5 GM_ g![a U(d[R"S5n[[ URSS5R5U5upGN![a( [SRURS55ef=ff=f![6a>n[SRUR8R:U R$55eSnAff=f)#z(Command entry point for signurl command.zhThe signurl command requires the pyopenssl library (try pip install pyopenssl or easy_install pyopenssl)rrNrbzKeystore password:z$Unable to parse private key from {0}gs)rPz%URL HTTP Method Expiration Signed URLz+Can only create signed urls from gs:// urlszGenerating signed URLs for creating buckets requires a region be specified via the -r option. Run `gsutil help signurl` for more information about the '-r' option.rMz-Resumable signed URLs require an object name.z{0}/{1}s/~)safezgs://{}location) bucket_fieldsz{}: Failed to auto-detect location for bucket '{}'. Please ensure you have storage.buckets.get permission on the bucket or specify the bucket's location using the '-r' option.T)rdrerfrPrXrQrErgrSrTrUrhrYrWr-r/z%Y-%m-%d %H:%M:%Sz{0} {1} {2} {3}rrzkBucket {0} does not exist. Please create a bucket with that name before a creating signed URL to access it.zsObject {0} does not exist. Please create/upload an object with that name before a creating signed URL to access it.rz%s does not have permissions on %s, using this link will likely result in a 403 error until at least READ permissions are grantedz The account)3 HAVE_OPENSSLrrrrropenreadrgetpassrzformatrGetServiceAccountIdprintschemeIsBucketr bucket_namer parsequote object_nameencoderrGetSingleBucketUrlFromArg Exceptionr__name__rrDrnrSrTcalendartimegmrr1r r2r3 utctimetuple fromtimestampstrftimer]r^r url_stringrr[)rrQrrhrvrUrfrYarg_start_index storage_urls region_cacherdryurlrg bucket_regionrbucketeri expiration expiration_dttime_str url_info_str response_codes r6 RunCommandUrlSignCommand.RunCommandhs <  9 :: ""$VF<o.aAO--dii8H.IJLL C  - 1t $ ) ) +V5\__88$8Gl 45 t LMM  ( ( "HI I?? [  ")* * ! ## OO LL  s55innE$)  +, & & ??l *&7- ?66  1*7OIAv!////1-*7s ' C$(OO4G),*6'-).)1+.>>'+{{'4-90?59 ;i??HLLHLL$A$I$IQU$I$VY^$^#l#l#noj,,Z8m''(;>2)00199Fl #**9>>:  L77 CJJ ..$++}Gm #  <<>>fo EEKVF  u_;!6"Ls  "7_ C   P  )M3 0ox U ??#78& +499Q<&++-v7 #|  !G!N!Niil"   T ?"Mq{{++S__= ? ? ?s6!3P+-R4'R13Q;;2R--R14 S<>9S77S<)rr)r __module__ __qualname____firstlineno____doc__rCreateCommandSpec _SYNOPSISrNO_MAXrXMLJSONrMakeZeroOrMoreFileURLsArgumentMakeZeroOrMoreCloudURLsArgument command_specHelpSpec_DETAILED_HELP_TEXT help_specrrrrr__static_attributes__ __classcell__)rs@r6rrs2**'5(34!oo{'7'78 %%  8 8 :  9 9 ;,&  1# )E$N@]D*+X | | r5r)NNFNr)Mr  __future__rrrrr rrrr rr}r@rr] six.movesr apitools.base.py.exceptionsr apitools.base.py.http_wrapperr r botor gslib.commandrgslib.command_argumentrgslib.cs_api_maprgslib.exceptionrgslib.storage_urlrr gslib.utilsrgslib.utils.boto_utilrgslib.utils.shim_utilrrgslib.utils.signurl_helperrrrOpenSSL.cryptorrrrr ImportErrorcryptography.hazmat.primitivesr )cryptography.hazmat.primitives.asymmetricr!-cryptography.hazmat.primitives.asymmetric.rsar",cryptography.hazmat.primitives.serializationr#cryptography.hazmat._oidr$r`rarrrr"r*r7rHrnrzrrr4r5r6rCsW '%'  151!2(,.2!,EKK *,!!, }3?IA.+  a($-B$7!  z|~<  B $"&',![| [#L_ W_ O / $,, }+|}s$*D  D4 D10D14 EE