o K&b3 @s$ddlZddlZddlmZmZmZmZmZddlm Z m Z m Z m Z m Z mZmZddlmZmZddlmZddlmZddgZd Zd Zd d d ZdZe Z ddedeeeddfddZ   d deedeedeeeddfddZ!dedeefddZ"GdddeZ#ddZ$dS)!N)AnyDictListOptionalTuple)apt event_logger exceptionsmessagessnapstatusutil)IncompatibleService UAEntitlement)ApplicationStatus)StaticAffordanceg?g?z http-proxyz https-proxyz)Invalid Auth-Token provided to livepatch.z2Your running kernel is not supported by Livepatch.)zUnknown Auth-Tokenzunsupported kernelz/snap/bin/canonical-livepatch protocol_type retry_sleepsreturncCs,ttsdStjtdd|g|ddS)a Unset livepatch configuration settings for http and https proxies. :param protocol_type: String either http or https :param retry_sleeps: Optional list of sleep lengths to apply between retries. Specifying a list of [0.5, 1] tells subp to retry twice on failure; sleeping half a second before the first retry and 1 second before the second retry. Nconfigz {}-proxy=r)r which LIVEPATCH_CMDsubpformat)rrrA/usr/lib/python3/dist-packages/uaclient/entitlements/livepatch.pyunconfigure_livepatch_proxy s  r http_proxy https_proxycCsb|s|rttjjtjd|rtjt dd|g|d|r/tjt dd|g|ddSdS)a Configure livepatch to use http and https proxies. :param http_proxy: http proxy to be used by livepatch. If None, it will not be configured :param https_proxy: https proxy to be used by livepatch. If None, it will not be configured :@param retry_sleeps: Optional list of sleep lengths to apply between snap calls )servicerz http-proxy={}rzhttps-proxy={}N) eventinfor ZSETTING_SERVICE_PROXYrLivepatchEntitlementtitler rrrrrrrrconfigure_livepatch_proxy4s" r&keycCs\ttdg\}}td||tj}|r|dnd}|r&tdd|}|r,| SdS)z Gets the config value from livepatch. :param protocol: can be any valid livepatch config option :return: the value of the livepatch config option, or None if not set rz ^{}: (.*)$Nz\"(.*)\"z\g<1>) r rrresearchr MULTILINEgroupsubstrip)r'out_matchvaluerrrget_config_option_valueWs r3c seZdZdZdZdZdZedee dffddZ edee dffd d Z dd e de fd dZ dde de de fddZdddZdeeeejffddZ ddeeefdeeefde de ffdd ZZS)r#z%https://ubuntu.com/security/livepatchZ livepatchZ LivepatchzCanonical Livepatch servicer.cCsddlm}t|tjfS)NrFIPSEntitlement)uaclient.entitlements.fipsr5rr ZLIVEPATCH_INVALIDATES_FIPS)selfr5rrrincompatible_servicesms z*LivepatchEntitlement.incompatible_servicescsPddlm}||j}t|dtjktjdddftj fdddffS)Nrr4cSstSN)r Z is_containerrrrrsz9LivepatchEntitlement.static_affordances..FcsSr9rrZis_fips_enabledrrr:s) r6r5cfgboolapplication_statusrENABLEDr Z$LIVEPATCH_ERROR_INSTALL_ON_CONTAINERZ!LIVEPATCH_ERROR_WHEN_FIPS_ENABLED)r7r5Zfips_entrr;rstatic_affordancesws   z'LivepatchEntitlement.static_affordancesFsilentc Csttjs?tdttjzt Wnt j y2}zt dt|WYd}~nd}~wwtjgddtjdndtvrNt jtj|jdztjtjd d d gdd Wn%t jy}ztd t|rvt tjnWYd}~nd}~wwtd|jjtj}td|jjtj}tj ||tj!dtt"stdztjtjddgdtj!dWnt jy}zt j#t|dd}~wwt$|||j%dddS)zYEnable specific entitlement. @return: True on success, False otherwise. zInstalling snapdzr rDISABLEDr rr ERROR_MSG_MAPitems) r7rIrJZentitlement_cfgrQmsgZlivepatch_tokenr>Z_detailsZ error_messageZ print_messagerrrrPsf               z+LivepatchEntitlement.setup_livepatch_configcCs$ttsdStjtdgdddS)zYDisable specific entitlement @return: True on success, False otherwise. TrTrG)r rrr)r7rArrr_perform_disables z%LivepatchEntitlement._perform_disablec Cstjdf}ttstjtjfSz tjtdgt dW|St j yC}zt dt|tjtjdt|dfWYd}~Sd}~ww)Nr rzLivepatch not enabled. %s)rWr])rr?r rrrZr ZLIVEPATCH_NOT_ENABLEDrLIVEPATCH_RETRIESr rNrKrLrM NamedMessage)r7r rQrrrr>s    z'LivepatchEntitlement.application_status orig_accessdeltas allow_enablec st|||r dS|di}|didd}|r$|\}}|S|\}}|tjjkr2dS|di} tddg} t | | } t |d d} t | | grat d |j|j| | d SdS) a1Process any contract access deltas for this entitlement. :param orig_access: Dictionary containing the original resourceEntitlement access details. :param deltas: Dictionary which contains only the changed access keys and values. :param allow_enable: Boolean set True if allowed to perform the enable operation. When False, a message will be logged to inform the user about the recommended enabled service. :return: True when delta operations are processed; False when noop. T entitlementZ obligationsZenabledByDefaultF directivescaCerts remoteServerrSz$Updating '%s' on changed directives.rH)superprocess_contract_deltasrVrUr>r rrZsetr= intersectionanyrKr"rWrP) r7rbrcrdZdelta_entitlementZprocess_enable_defaultZenable_successr0r>Zdelta_directivesZsupported_deltasrIrJ __class__rrrj's2        z,LivepatchEntitlement.process_contract_deltas)F)TT)__name__ __module__ __qualname__Z help_doc_urlrWr$ descriptionpropertyrrr8rr@r=rRrPr^rrr rar>rrMrrj __classcell__rrrnrr#fs@ B 8    r#cCs|sdS|didi}|d}|r"tjtdd|gdd|d d }|d r3|dd }|rDtjtdd |gdddSdS)aProcess livepatch configuration directives. We process caCerts before remoteServer because changing remote-server in the canonical-livepatch CLI performs a PUT against the new server name. If new caCerts were required for the new remoteServer, this canonical-livepatch client PUT could fail on unmatched old caCerts. @raises: ProcessExecutionError if unable to configure livepatch. Nrerfrgrz ca-certs={}TrGrhr_/zremote-server={})rVr rrrendswith)r<rfZca_certsZ remote_serverrrrrXWs*      rXr9)NNN)%rKr)typingrrrrrZuaclientrrr r r r r Zuaclient.entitlements.baserrZuaclient.statusrZuaclient.typesrr`ZHTTP_PROXY_OPTIONZHTTPS_PROXY_OPTIONr[rZget_event_loggerr!rMfloatrr&r3r#rXrrrrsN$      # r