In [6]:
import ast
import datetime
import re

import boto3
from envs import env
from jose import JWTError, jwt
import requests
from getpass import getpass

from aws_srp import AWSSRP
from exceptions import TokenVerificationException

from config import config

import uuid

In [20]:
class Garner:
    
    def __init__(self, username=None, private_key=None, password=None):
        
        self.user_pool_id = config["aws_user_pools_id"]
        self.user_pool_region = config["aws_cognito_region"]
        self.client_id = config["aws_user_pools_web_client_id"]
        
        self.username = username
        self.private_key = private_key
        
        self.refresh_token = None
        self.token_type = None
        self.access_token = None
        self.pool_jwk = None
        self.id_token = None
        
        self.client = boto3.client("cognito-idp", region_name=self.user_pool_region)
        
        self.authenticate(password)
        
    def authenticate(self, password):
        """
        Authenticate the user using the SRP protocol
        :param password: The user's passsword
        :return:
        """
        if not password:
            print("Enter Password")
        aws = AWSSRP(
            username=self.username,
            password=(password if password else getpass("Password:")),
            pool_id=self.user_pool_id,
            client_id=self.client_id,
            client=self.client,
        )
        tokens = aws.authenticate_user('Password:')
        
        
        print("Authenticated")
        self.verify_token(tokens["AuthenticationResult"]["IdToken"], "id_token", "id")
        self.refresh_token = tokens["AuthenticationResult"]["RefreshToken"]
        self.verify_token(
            tokens["AuthenticationResult"]["AccessToken"], "access_token", "access"
        )
        self.id_token: refresh_response['AuthenticationResult']['IdToken']
        self.token_type = tokens["AuthenticationResult"]["TokenType"]
        self.access_token = tokens['AuthenticationResult']['AccessToken']
        
    def get_keys(self):
        if self.pool_jwk:
            return self.pool_jwk

        # Check for the dictionary in environment variables.
        pool_jwk_env = env("COGNITO_JWKS", {}, var_type="dict")
        if pool_jwk_env:
            self.pool_jwk = pool_jwk_env
        # If it is not there use the requests library to get it
        else:
            self.pool_jwk = requests.get(
                "https://cognito-idp.{}.amazonaws.com/{}/.well-known/jwks.json".format(
                    self.user_pool_region, self.user_pool_id
                )
            ).json()
        return self.pool_jwk

    def get_key(self, kid):
        keys = self.get_keys().get("keys")
        key = list(filter(lambda x: x.get("kid") == kid, keys))
        return key[0]
    
    def verify_token(self, token, id_name, token_use):
        kid = jwt.get_unverified_header(token).get("kid")
        unverified_claims = jwt.get_unverified_claims(token)
        token_use_verified = unverified_claims.get("token_use") == token_use
        if not token_use_verified:
            raise TokenVerificationException("Your {} token use could not be verified.")
        hmac_key = self.get_key(kid)
        try:
            verified = jwt.decode(
                token,
                hmac_key,
                algorithms=["RS256"],
                audience=unverified_claims.get("aud"),
                issuer=unverified_claims.get("iss"),
            )
        except JWTError:
            raise TokenVerificationException("Your {} token could not be verified.")
        setattr(self, id_name, token)
        return verified
    
    def check_token(self, renew=True):
        """
        Checks the exp attribute of the access_token and either refreshes
        the tokens by calling the renew_access_tokens method or does nothing
        :param renew: bool indicating whether to refresh on expiration
        :return: bool indicating whether access_token has expired
        """
        if not self.access_token:
            raise AttributeError('Access Token Required to Check Token')
        now = datetime.datetime.now()
        dec_access_token = jwt.get_unverified_claims(self.access_token)

        if now > datetime.datetime.fromtimestamp(dec_access_token['exp']):
            expired = True
            if renew:
                self.renew_access_token()
        else:
            expired = False
        return expired
    
    def renew_access_token(self):
        """
        Sets a new access token on the User using the refresh token.
        """
        auth_params = {'REFRESH_TOKEN': self.refresh_token}
        #self._add_secret_hash(auth_params, 'SECRET_HASH')
        refresh_response = self.client.initiate_auth(
            ClientId=self.client_id,
            AuthFlow='REFRESH_TOKEN',
            AuthParameters=auth_params,
        )
        
        status_code = refresh_response.get(
            'HTTPStatusCode',
            refresh_response['ResponseMetadata']['HTTPStatusCode']
        )
        
        if status_code == 200:
            self.access_token = refresh_response['AuthenticationResult']['AccessToken']
            self.id_token: refresh_response['AuthenticationResult']['IdToken']
            self.token_type: refresh_response['AuthenticationResult']['TokenType']

In [10]:
u = Garner('kipsterbroz@gmail.com', 'dbfaab17-b8b1-41ad-95ec-1568ac734109')

Enter Password


Password: ·········


Authenticated


In [18]:
class CognitoUserFileUploader(object):

    def __init__(self, *args, **kwargs):
        self.__dict__.update(kwargs)
        self.id_token = self.get_cognito_id_token(
            self.username, self.refresh_token,
            self.device_key, self.client_id
        )
        self.identity_id = self.get_identity_id(
            self.account_id, self.identity_pool_id,
            self.provider_name, self.id_token
        )
        self.aws_credentials = self.get_credentials(
            self.identity_id, self.provider_name, self.id_token
        )

    def get_cognito_id_token(self, username, refresh_token,
                             device_key, client_id):
        client = boto3.client('cognito-idp', region_name=self.region_name)
        response = client.initiate_auth(
            AuthFlow='REFRESH_TOKEN',
            AuthParameters={
                'USERNAME': username,
                'REFRESH_TOKEN': refresh_token,
                #'DEVICE_KEY': device_key
            },
            ClientId=client_id
        )
        return response['AuthenticationResult']['IdToken']

    def get_identity_id(self, account_id, identity_pool_id,
                        provider_name, id_token):
        client = boto3.client('cognito-identity', region_name=self.region_name)
        creds = client.get_id(
            AccountId=account_id, IdentityPoolId=identity_pool_id,
            Logins={provider_name: id_token}
        )
        return creds['IdentityId']

    def get_credentials(self, identity_id, provider_name, id_token):
        client = boto3.client('cognito-identity', region_name=self.region_name)
        creds = client.get_credentials_for_identity(
            IdentityId=identity_id,
            Logins={provider_name: id_token},
        )
        return creds['Credentials']

    def upload_file(self, file_path, bucket_name):
        prefix = self.s3_key_prefix or ''
        key = str(uuid.uuid4())
        s3_client = boto3.client(
            's3',
            aws_access_key_id=self.aws_credentials['AccessKeyId'],
            aws_secret_access_key=self.aws_credentials['SecretKey'],
            aws_session_token=self.aws_credentials['SessionToken'],
        )
        key = '/'.join([prefix, key])
        return s3_client.upload_file(file_path, bucket_name, key)

In [19]:
file_uploader = CognitoUserFileUploader(
    region_name=config["aws_cognito_region"],
    refresh_token=u.refresh_token,
    username=u.username,
    device_key=config["aws_user_pools_web_client_id"],
    client_id=config["aws_user_pools_web_client_id"],
    #account_id=ACCOUNT_ID,
    identity_pool_id="eu-west-2:8c164809-a9ec-4ad8-9e7f-f07048c9d2ba",
    #provider_name=PROVIDER_NAME,
    s3_key_prefix='myfolder'
)

AttributeError: 'CognitoUserFileUploader' object has no attribute 'account_id'

In [25]:
def get_identity_id(account_id, identity_pool_id,
                    provider_name, id_token):
    client = boto3.client('cognito-identity', region_name="eu-west-2")
    creds = client.get_id(
        AccountId=account_id, IdentityPoolId=identity_pool_id,
        Logins={provider_name: id_token}
    )
    return creds['IdentityId']

account_id = boto3.client('sts').get_caller_identity().get('Account')
identity_pool_id="eu-west-2:8c164809-a9ec-4ad8-9e7f-f07048c9d2ba",
provider_name = "cognito-idp.eu-west-2.amazonaws.com/eu-west-2_ewIawpZwb"
id_token = u.id_token

get_identity_id(account_id, identity_pool_id,
                    provider_name, id_token)

NameError: name 'self' is not defined

'eyJraWQiOiJZbWZ6XC94YjdaN2Z2blgzZ09ZSm9odjhyNnpuRXZCcXcyQkl6U3NuTXp2cz0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJkNjk3ZGY2Yi1hNTUzLTRkYWItOWZhZS1kNjljN2Q4YjRlMWYiLCJhdWQiOiI1ZWowNnJuMTRtb2U1b29kbWMxanZtbmIwaCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJldmVudF9pZCI6IjRkZWZmNTQyLTMyYWUtNDkwYS05Y2ExLTBkMDMzNTk2ZjM2NyIsInRva2VuX3VzZSI6ImlkIiwiYXV0aF90aW1lIjoxNjA0ODU2NzQxLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuZXUtd2VzdC0yLmFtYXpvbmF3cy5jb21cL2V1LXdlc3QtMl9ld0lhd3Bad2IiLCJuYW1lIjoia2lwIiwiY29nbml0bzp1c2VybmFtZSI6ImQ2OTdkZjZiLWE1NTMtNGRhYi05ZmFlLWQ2OWM3ZDhiNGUxZiIsImV4cCI6MTYwNDg2MDM0MSwiaWF0IjoxNjA0ODU2NzQxLCJlbWFpbCI6ImtpcHN0ZXJicm96QGdtYWlsLmNvbSJ9.ncw5rxeNhZ_AKwSuOwXw0u4oKO8h9ly-yYwCSabeea0_mxpcDhojUZ2hfb1wUV0qu2Tnx_8VswhOX_1AA6wx-bzicWG29lZcIRkv0upk3ymdAdQlo9CbYhHPl58CN_wR84XKJONQ7hSGf7G5sqAvrVCK6Wq-3sJQvcAMglNbyQYdZb7-xkCgjq960J1oJBTOIoa1Uhp2OgM9ujuP-C9erPy1gMqRcLGn10f_Co7znzk6aLqWqnz8vWS9Yl7lGg7OQyDDpieG2Mc3UEx5f3_LlsEkz58kl3xsXgXtkVmdqIr1JJeTVBHZihmknYltBJ6QcXJ-9jnmsLpMANLTruC58A'

In [9]:
import requests
import json

APPSYNC_API_ENDPOINT_URL = config["aws_appsync_graphqlEndpoint"]
#APPSYNC_API_KEY = "da2-fakeApiId123456"

headers = {
    #'Content-Type': "application/graphql",
    #'x-api-key': APPSYNC_API_KEY,
    #'Authorization': u.pool_jwk
    'Authorization': str(u.access_token)
}

params = {
    "filter": {"privateKey" : {"eq": u.private_key}}
}

def execute_gql(query):
    u.check_token()
    payload_obj = {"query": query, "variables" : params,}
    payload = json.dumps(payload_obj)
    response = requests.request("POST", APPSYNC_API_ENDPOINT_URL, data=payload, headers=headers)
    return response

query = """query ListPools(
    $filter: ModelPoolFilterInput
    $limit: Int
    $nextToken: String
  ) {
    listPools(filter: $filter, limit: $limit, nextToken: $nextToken) {
      items {
        id
        title
        privateKey
      }
    }
  }"""

output = execute_gql(query).json()

#print(output)
print("working on: {}".format('\033[1m' +output['data']['listPools']['items'][0]['title']))
#for item in output['data']['listPools']['items']:
   # print("-{}".format(item['title'][]))

working on: [1mkai man


In [1]:
object_name = 'movie.gif'
s3 = boto3.client('s3')

with open(object_name, 'rb') as data:
    loc = 'pooldata211140-dev'
    
    key = 'protected/'
    key += u.username
    key += '/'
    key += str(uuid.uuid4())
    key += '.'
    key += object_name.split('.')[-1]
    
    s3.upload_fileobj(data, loc, key)

NameError: name 'boto3' is not defined

In [16]:
import boto3
from botocore.exceptions import ClientError


def create_presigned_post(bucket_name, object_name,
                          fields=None, conditions=None, expiration=900):
    """Generate a presigned URL S3 POST request to upload a file

    :param bucket_name: string
    :param object_name: string
    :param fields: Dictionary of prefilled form fields
    :param conditions: List of conditions to include in the policy
    :param expiration: Time in seconds for the presigned URL to remain valid
    :return: Dictionary with the following keys:
        url: URL to post to
        fields: Dictionary of form fields and values to submit with the POST
    :return: None if error.
    """

    # Generate a presigned S3 POST URL
    s3_client = boto3.client('s3')
    try:
        response = s3_client.generate_presigned_post(bucket_name,
                                                     object_name,
                                                     Fields=fields,
                                                     Conditions=conditions,
                                                     ExpiresIn=expiration)
    except ClientError as e:
        logging.error(e)
        return None

    # The response contains the presigned URL and required fields
    return response

config = [{'level':'protected'}]

create_presigned_post('backgroundimages211140-dev', '01330317-76dd-4363-9b93-e1a6b0f57e20.gif', conditions = config)



{'url': 'https://backgroundimages211140-dev.s3.amazonaws.com/',
 'fields': {'key': '01330317-76dd-4363-9b93-e1a6b0f57e20.gif',
  'x-amz-algorithm': 'AWS4-HMAC-SHA256',
  'x-amz-credential': 'AKIAVW4W3CK35EZ2TW2W/20201107/eu-west-2/s3/aws4_request',
  'x-amz-date': '20201107T220915Z',
  'policy': 'eyJleHBpcmF0aW9uIjogIjIwMjAtMTEtMDdUMjI6MjQ6MTVaIiwgImNvbmRpdGlvbnMiOiBbeyJsZXZlbCI6ICJwcm90ZWN0ZWQifSwgeyJidWNrZXQiOiAiYmFja2dyb3VuZGltYWdlczIxMTE0MC1kZXYifSwgeyJrZXkiOiAiMDEzMzAzMTctNzZkZC00MzYzLTliOTMtZTFhNmIwZjU3ZTIwLmdpZiJ9LCB7IngtYW16LWFsZ29yaXRobSI6ICJBV1M0LUhNQUMtU0hBMjU2In0sIHsieC1hbXotY3JlZGVudGlhbCI6ICJBS0lBVlc0VzNDSzM1RVoyVFcyVy8yMDIwMTEwNy9ldS13ZXN0LTIvczMvYXdzNF9yZXF1ZXN0In0sIHsieC1hbXotZGF0ZSI6ICIyMDIwMTEwN1QyMjA5MTVaIn1dfQ==',
  'x-amz-signature': '6bcfb09ae7bc03246a31873393707dd6cb912d0f35ad065c599fefc6fde856d0'}}

In [17]:
import requests    # To install: pip install requests

# Generate a presigned S3 POST URL
object_name = 'OBJECT_NAME'
response = create_presigned_post('BUCKET_NAME', object_name)
if response is None:
    exit(1)

# Demonstrate how another Python program can use the presigned URL to upload a file
with open(object_name, 'rb') as f:
    files = {'file': (object_name, f)}
    http_response = requests.post(response['url'], data=response['fields'], files=files)
# If successful, returns HTTP status code 204
logging.info(f'File upload HTTP status code: {http_response.status_code}')

FileNotFoundError: [Errno 2] No such file or directory: 'OBJECT_NAME'

In [1]:
import boto3

client = boto3.client('sts')

In [2]:
client.get_session_token()

{'Credentials': {'AccessKeyId': 'ASIAVW4W3CK32UHAVLNS',
  'SecretAccessKey': 'SKXzat5uk496GZDWWr3IjBjB146nXwGglAxtRXaz',
  'SessionToken': 'FwoGZXIvYXdzEOP//////////wEaDHzl9xYWcQBj0O/I6CKCAerhGk68LpT23YMxLxm6oxS5qr56wC+LilAU5iraxVOXTBnxQJON3An4ftM6NbiXSnO40QM/rJ66TJb9h7yYlgPAJDCWcaaICkWR9L1F+sh74qFxxyTrCiehpXB5/wdBvBAgQbw3We/OJCQiihX8Wr1dRixfhyYAIkmAMKnFZ/tNqdUop4qd/QUyKBY2i1V7794hiAqasKB3645pZevgbNjSXnS+XT1YS4XqoQu1bUoRjl8=',
  'Expiration': datetime.datetime(2020, 11, 8, 13, 8, 55, tzinfo=tzutc())},
 'ResponseMetadata': {'RequestId': '38c89c9a-f37c-49d6-8a76-6f6345ccf402',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'x-amzn-requestid': '38c89c9a-f37c-49d6-8a76-6f6345ccf402',
   'content-type': 'text/xml',
   'content-length': '812',
   'date': 'Sun, 08 Nov 2020 01:08:55 GMT'},
  'RetryAttempts': 0}}

In [5]:
u.

ParamValidationError: Parameter validation failed:
Missing required parameter in input: "IdentityId"