f5ddlZddlmZmZmZmZddlmZmZm Z m Z m Z m Z m Z mZddlmZmZddlmZddlmZddgZd d d Zej0Zej4ej6eZGd d eZdZy)N)AnyDictOptionalTuple) event_logger exceptionshttp livepatchmessagessnapsystemutil)IncompatibleService UAEntitlement)ApplicationStatus)StaticAffordanceg?g?z)Invalid Auth-Token provided to livepatch.z2Your running kernel is not supported by Livepatch.)zUnknown Auth-Tokenzunsupported kernelc eZdZejj ZdZejZ ejZ ejZ dZdZdZdZedeedffdZedeedffdZddedefd Z dd ed edefd Zdd Zdeeeej<ffdZdeeeej<ffdZ dZ! dde"e#e$fde"e#e$fdedeffd Z%xZ&S)LivepatchEntitlementr FTreturn.cddlm}ddlm}t |t j t |t jfS)NrFIPSEntitlement)RealtimeKernelEntitlement)uaclient.entitlements.fipsruaclient.entitlements.realtimerrr LIVEPATCH_INVALIDATES_FIPSREALTIME_LIVEPATCH_INCOMPATIBLE)selfrrs A/usr/lib/python3/dist-packages/uaclient/entitlements/livepatch.pyincompatible_servicesz*LivepatchEntitlement.incompatible_services+s=>L !D!D  )88    cddlm}||j}t|j dt j k(tjj|jddftjfddffS)Nrrtitlec*tjSN)r is_containerr!rz9LivepatchEntitlement.static_affordances..Js++-r!FcSr&r()is_fips_enabledsrr)z9LivepatchEntitlement.static_affordances..Osr!) rrcfgboolapplication_statusrENABLEDr "SERVICE_ERROR_INSTALL_ON_CONTAINERformatr$!LIVEPATCH_ERROR_WHEN_FIPS_ENABLED)rrfips_entr+s @rstatic_affordancesz'LivepatchEntitlement.static_affordances:s ?"488,  ' ' )! ,0A0I0I I  ;;BB**C.  ::'   r!silentc"tjsGtjtj j dtjtjsItjtj j d tjdtj tj dt#j$d |j&j(t"j*}t#j$d |j&j,t"j.}tj0||tj2 t5j6sItjtj j d tjdt5j<|||j?ddS#tj$rU}tjd|tjtjj dYd}~d}~wwxYw#tj$rU}tjd |tjtjj d Yd}~d}~wwxYw#tj$r$}tj8t;|d}~wwxYw)zYEnable specific entitlement. @return: True on success, False otherwise. snapd)packagesz snapd snapz!Failed to install snapd as a snapexc_infozsnap install snapd)commandNzFailed to refresh snapd snapzsnap refresh snapdr https) http_proxy https_proxy retry_sleepszcanonical-livepatch snapzcanonical-livepatch error_msgTprocess_directives process_token) r is_snapd_installedeventinfor INSTALLING_PACKAGESr1 install_snapdis_snapd_installed_as_a_snap install_snaprProcessExecutionErrorLOGwarningEXECUTING_COMMAND_FAILEDrun_snapd_wait_cmd refresh_snapr validate_proxyr,r=PROXY_VALIDATION_SNAP_HTTP_URLr>PROXY_VALIDATION_SNAP_HTTPS_URLconfigure_snap_proxySNAP_INSTALL_RETRIESr is_livepatch_installedErrorInstallingLivepatchstrconfigure_livepatch_proxysetup_livepatch_config)rr5er=r>s r_perform_enablez$LivepatchEntitlement._perform_enableTsd &&( JJx33::G:L M    002 JJ,,33\3J  !!'* !    g &(( DHH'')L)L )) TXX))4+O+O  !!!#22 //1 JJ,,3374   L!!"78 ++J D**#4+  Y33  ?! L 55<< 4= //  KK6K C JJ118809   633 L 99CFKK LsJ$HI,KI)A I$$I),K?A KKL*L  LrCrDc|jjjj|j}|r t ||r,|jd}|s9tj!d|j"|jj$d}|j'\}}|t(j*k7r^tjdtjtj, t/j0t2j4d g t/j0t2j4d |gd tjtj<jd y #t j$rf}tjt||tjtjjt|Yd}~yd}~wwxYw#t j$r*}tjt||Yd}~yd}~wwxYw#t j$r}tj6}t8j;D]\} } | t|vs|| z }n|tj6k(r|t|z }tj|Yd}~yd}~wwxYw)aProcesss configuration setup for livepatch directives. :param process_directives: Boolean set True when directives should be processsed. :param process_token: Boolean set True when token should be processsed. r9r@NF resourceTokenzHNo specific resourceToken present. Using machine token as %s credentials machineTokenz&Disabling livepatch before re-enablingdisableenableTcapturezCanonical Livepatchr#)r,machine_token_file entitlementsgetnameprocess_config_directivesrrLrMerrorrYrFrGr LIVEPATCH_UNABLE_TO_CONFIGUREr1debugr$ machine_tokenr.rDISABLEDLIVEPATCH_DISABLE_REATTACHr subpr LIVEPATCH_CMDLIVEPATCH_UNABLE_TO_ENABLE ERROR_MSG_MAPitems ENABLED_TMPL) rrCrDentitlement_cfgr\livepatch_tokenr._detailsmsg error_message print_messages rr[z+LivepatchEntitlement.setup_livepatch_configs@((55BBFF II   )/: -11/BO" &JJ #'(("8"8"H+/+B+B+D ( !%6%?%??AB 8>>?!KK!8!8) DE  ,,hH  JJ%%,,3H,I Y33  #a&1 - ::AA"%a&B  ."77!IIc!fqI1 !33 994A4G4G4I0M=$A.},(===3q6MC 3 sN E86%G4(H48G1 AG,,G14H1 H,,H14K7K?>KKc|tjsytjtjdgdy)zYDisable specific entitlement @return: True on success, False otherwise. Trarc)r rWr rprq)rr5s r_perform_disablez%LivepatchEntitlement._perform_disables/ //1 Y,,i8$Gr!ctjdf}tjs tjt j fS tj}| tjt jfS|S#tj$rD}tjt jj|jfcYd}~Sd}~wwxYw)N)livepatch_error)rr/r rWrnr LIVEPATCH_NOT_ENABLEDstatusrrLWARNING LIVEPATCH_CLIENT_FAILURE_WARNINGr1stderr+LIVEPATCH_APPLICATION_STATUS_CLIENT_FAILURE)rrlivepatch_statusr\s rr.z'LivepatchEntitlement.application_statuss$++T2//1%..0N0NO O (//1   #"**DD  // !))99@@$%HHA  sBC9C CCc*tj}|tjjk(rKt j }dt jj|j|jfS|tjjk(rKt j }dt jj|j|jfS|tjjk(rdt jfSy)NT)versionarch)FN)r on_supported_kernelLivepatchSupport UNSUPPORTEDr get_kernel_infor LIVEPATCH_KERNEL_NOT_SUPPORTEDr1 uname_releaseuname_machine_arch KERNEL_EOLLIVEPATCH_KERNEL_EOLKERNEL_UPGRADE_REQUIRED!LIVEPATCH_KERNEL_UPGRADE_REQUIRED)rsupport kernel_infos renabled_warning_statusz+LivepatchEntitlement.enabled_warning_statuss//1 i00<< < 002K77>>'55$77?  i00;; ; 002K--44'55$775  i00HH H:: r!ctjtjjk(r$t j st jSyr&)r rrrr r'r *LIVEPATCH_KERNEL_NOT_SUPPORTED_DESCRIPTION)rs rstatus_description_overridez0LivepatchEntitlement.status_description_overrides=  ) ) +))55 6'')FF Fr! orig_accessdeltas allow_enablect ||||ry|jdi}|jdijdd}|r|j\}}|S|j \}}|t j k(ry|jdi} tddg} t| j| } t|jd d} t| | gretjd tjtjj!|j" |j%| | Sy) a1Process any contract access deltas for this entitlement. :param orig_access: Dictionary containing the original resourceEntitlement access details. :param deltas: Dictionary which contains only the changed access keys and values. :param allow_enable: Boolean set True if allowed to perform the enable operation. When False, a message will be logged to inform the user about the recommended enabled service. :return: True when delta operations are processed; False when noop. T entitlement obligationsenabledByDefaultF directivescaCerts remoteServerr_zANew livepatch directives or token. running setup_livepatch_config)servicerB)superprocess_contract_deltasrgrbr.rrnsetr- intersectionanyrMrGrFr #SERVICE_UPDATING_CHANGED_DIRECTIVESr1rhr[)rrrrdelta_entitlementprocess_enable_defaultenable_success_r.delta_directivessupported_deltasrCrD __class__s rrz,LivepatchEntitlement.process_contract_deltassU$ 7 *; M"JJ}b9!2!6!6}b!I!M!M "  " $ NA! ! $ 7 7 9A !2!;!; ;,00rB >:;!  ) )*: ; VZZ?@ "M2 3 HH)  JJ<<CC IID  ..#5+/ r!)F)TT)'__name__ __module__ __qualname__r urlsLIVEPATCH_HOME_PAGE help_doc_urlrhLIVEPATCH_TITLEr$LIVEPATCH_DESCRIPTION descriptionLIVEPATCH_HELP_TEXT help_text#affordance_check_kernel_min_versionaffordance_check_kernel_flavoraffordance_check_seriesaffordance_check_archpropertyrrr rr4r-r]r[r}rr NamedMessager.rrrrYrr __classcell__)rs@rrrsj==44L D  $ $E00K,,I*/'%*""!   u-@#-E'F     E*:C*?$@  2= d= t= @FJ<"&<>B< <|  (8+@+@"AA B4 tXh3344 5@# 5#s(^5S#X5 5  55r!rc|sy|jdijdi}|jd}|r7tjtjddj |gd|jd d }|j d r|dd }|r8tjtjdd j |gdyy)aProcess livepatch configuration directives. We process caCerts before remoteServer because changing remote-server in the canonical-livepatch CLI performs a PUT against the new server name. If new caCerts were required for the new remoteServer, this canonical-livepatch client PUT could fail on unmatched old caCerts. @raises: ProcessExecutionError if unable to configure livepatch. Nrrrconfigz ca-certs={}Trcr/zremote-server={})rgr rpr rqr1endswith)r,rca_certs remote_servers rririVs +// bAJ~~i(H ''$$X.    NN>26Mc"%cr*  ''"))-8    r!) loggingtypingrrrruaclientrrr r r r r ruaclient.entitlements.baserr(uaclient.entitlements.entitlement_statusruaclient.typesrLIVEPATCH_RETRIESrsget_event_loggerrF getLoggerreplace_top_level_logger_namerrMrrir(r!rrs--   JF+#JFN & %%'g:::8DEv=vr " r!