CasperSecurity

Current Path : /lib/python3/dist-packages/uaclient/entitlements/__pycache__/
Current File : //lib/python3/dist-packages/uaclient/entitlements/__pycache__/livepatch.cpython-310.pyc
o

��Jh�7�@s�ddlZddlmZmZmZmZddlmZmZm	Z	m
Z
mZmZm
Z
mZmZddlmZmZddlmZddlmZddgZd	d
d�Ze��Ze�e�e��ZGdd
�d
e�Zdd�Z dS)�N)�Any�Dict�Optional�Tuple)	�api�event_logger�
exceptions�http�	livepatch�messages�snap�system�util)�EntitlementWithMessage�
UAEntitlement)�ApplicationStatus)�StaticAffordanceg�?g�?z)Invalid Auth-Token provided to livepatch.z2Your running kernel is not supported by Livepatch.)zUnknown Auth-Tokenzunsupported kernelc	sFeZdZejjZdZejZ	ej
ZejZ
dZdZdZdZedeedffdd��Zedeedffdd	��Zdefd
d�Zdefdd
�Zdejdefdd�Z		d"dejdededefdd�Zdejfdd�Z dee!e"ej#ffdd�Z$deee"ej#ffdd�Z%dd�Z&	d#de'e(e)fde'e(e)fdedef�fd d!�
Z*�Z+S)$�LivepatchEntitlementr
FT�return.cCs0ddlm}ddlm}t|tj�t|tj�fS)Nr��FIPSEntitlement)�RealtimeKernelEntitlement)�uaclient.entitlements.fipsr�uaclient.entitlements.realtimerrr�LIVEPATCH_INVALIDATES_FIPS�REALTIME_LIVEPATCH_INCOMPATIBLE)�selfrr�r�A/usr/lib/python3/dist-packages/uaclient/entitlements/livepatch.py�incompatible_services,s���z*LivepatchEntitlement.incompatible_servicescs\ddlm}||jd�}t|��dtjk��tjj	|j
d�dd�dftj�fdd�dffS)	Nrr)�cfg)�titlecSst��p	t��dkS)N�wsl)r
�is_container�
get_virt_typerrrr�<lambda>Ksz9LivepatchEntitlement.static_affordances.<locals>.<lambda>Fcs�S�Nrr��is_fips_enabledrrr%Qs)rrr �bool�application_statusr�ENABLEDr�"SERVICE_ERROR_INSTALL_ON_CONTAINER�formatr!�!LIVEPATCH_ERROR_WHEN_FIPS_ENABLED)rr�fips_entrr'r�static_affordances;s ���	
��z'LivepatchEntitlement.static_affordancescC�dS)N�r�rrrr�enable_stepsV�z!LivepatchEntitlement.enable_stepscCr1)N�rr3rrr�
disable_stepsYr5z"LivepatchEntitlement.disable_steps�progressc
Cs�|�tj�t��s|�dtjjdd��t��t�	�sU|�dtjjdd��zt�
d�Wn%tjyT}zt
jd|d�|�dtjjdd��WYd	}~nd	}~wwt�|�zt�d�Wn$tjy�}zt
jd
|d�t�tjjdd��WYd	}~nd	}~wwt�d|jjtj�}t�d
|jjtj�}tj||tjd�t��s�|�dtjjdd��zt�
d�Wntjy�}ztjt |�d��d	}~wwt�!||�|j"|ddd�S)zYEnable specific entitlement.

        @return: True on success, False otherwise.
        �info�snapd)�packagesz
snapd snapz!Failed to install snapd as a snap��exc_infozsnap install snapd��commandNzFailed to refresh snapd snapzsnap refresh snapdr	�https)�
http_proxy�https_proxy�retry_sleepszcanonical-livepatch snapzcanonical-livepatch��	error_msgT)�process_directives�
process_token)#r8r�INSTALLING_LIVEPATCHr�is_snapd_installed�emit�INSTALLING_PACKAGESr-�
install_snapd�is_snapd_installed_as_a_snap�install_snapr�ProcessExecutionError�LOG�warning�EXECUTING_COMMAND_FAILED�run_snapd_wait_cmd�refresh_snap�eventr9r	�validate_proxyr rA�PROXY_VALIDATION_SNAP_HTTP_URLrB�PROXY_VALIDATION_SNAP_HTTPS_URL�configure_snap_proxy�SNAP_INSTALL_RETRIESr
�is_livepatch_installed�ErrorInstallingLivepatch�str�configure_livepatch_proxy�setup_livepatch_config)rr8�erArBrrr�_perform_enable\s~������
	������������z$LivepatchEntitlement._perform_enablerFrGc
Cs�|�tj�|j���|j�}|rBzt|�Wn*tj	yA}zt
jt|�|d�|�
dtjjt|�d��WYd}~dSd}~ww|r�|�d�}|sXt
�d|j�|jjd}|��\}}|tjkr�t
�d	�|�
dtj�z
t�tjd
g�Wntj	y�}zt
jt|�|d�WYd}~dSd}~wwztjtjd|gdd
�WdStj	y�}z0tj}	t��D]\}
}|
t|�vr�|	|7}	nq�|	tjkr�|	t|�7}	|�
d|	�WYd}~dSd}~wwdS)aProcesss configuration setup for livepatch directives.

        :param process_directives: Boolean set True when directives should be
            processsed.
        :param process_token: Boolean set True when token should be
            processsed.
        r<r9rDNF�
resourceTokenzHNo specific resourceToken present. Using machine token as %s credentials�machineTokenz&Disabling livepatch before re-enabling�disable�enableT��capture)r8r�SETTING_UP_LIVEPATCH�machine_token_file�entitlements�get�name�process_config_directivesrrOrP�errorr]rJ�LIVEPATCH_UNABLE_TO_CONFIGUREr-�debugr!�
machine_tokenr*r�DISABLEDr9�LIVEPATCH_DISABLE_REATTACHr
�subpr
�
LIVEPATCH_CMD�LIVEPATCH_UNABLE_TO_ENABLE�
ERROR_MSG_MAP�items)rr8rFrG�entitlement_cfgr`�livepatch_tokenr*�_details�msg�
error_message�
print_messagerrrr_�sr
����	
��

��
���
��
z+LivepatchEntitlement.setup_livepatch_configcCsBt��sdStjdg}|�tjjd�|�d��tj	|dd�dS)zYDisable specific entitlement

        @return: True on success, False otherwise.
        Trd� r>rf)
r
r[rur8r�EXECUTING_COMMANDr-�joinr
rt)rr8�cmdrrr�_perform_disable�s
�z%LivepatchEntitlement._perform_disablec
Cs�tjdf}t��stjtjfSzt��}Wntj	y3}ztj
tjj|j
d�fWYd}~Sd}~ww|dur>tjtjfS|S)N)�livepatch_error)rr+r
r[rrr�LIVEPATCH_NOT_ENABLED�statusrrO�WARNING� LIVEPATCH_CLIENT_FAILURE_WARNINGr-�stderr�+LIVEPATCH_APPLICATION_STATUS_CLIENT_FAILURE)rr��livepatch_statusr`rrrr*�s$
�����z'LivepatchEntitlement.application_statuscCszt��}|tjjkrt��}dtjj|j	|j
d�fS|tjjkr0t��}dtjj|j	|j
d�fS|tjj
kr;dtjfSdS)NT)�version�arch)FN)r
�on_supported_kernel�LivepatchSupport�UNSUPPORTEDr
�get_kernel_infor�LIVEPATCH_KERNEL_NOT_SUPPORTEDr-�
uname_release�uname_machine_arch�
KERNEL_EOL�LIVEPATCH_KERNEL_EOL�KERNEL_UPGRADE_REQUIRED�!LIVEPATCH_KERNEL_UPGRADE_REQUIRED)r�support�kernel_inforrr�enabled_warning_statuss,�����z+LivepatchEntitlement.enabled_warning_statuscCs"t��tjjkrt��stjSdSr&)r
r�r�r�r
r#r�*LIVEPATCH_KERNEL_NOT_SUPPORTED_DESCRIPTIONr3rrr�status_description_override+s��z0LivepatchEntitlement.status_description_override�orig_access�deltas�allow_enablec
s�t��|||�r
dS|�di�}|�di��dd�}|r'|�t���\}}|S|��\}}|tjkr4dS|�di�}	t	ddg�}
t
|
�|	��}t
|�d	d��}t||g�rot
�d
�t�tjj|jd��|jt��||d�SdS)
a1Process any contract access deltas for this entitlement.

        :param orig_access: Dictionary containing the original
            resourceEntitlement access details.
        :param deltas: Dictionary which contains only the changed access keys
        and values.
        :param allow_enable: Boolean set True if allowed to perform the enable
            operation. When False, a message will be logged to inform the user
            about the recommended enabled service.

        :return: True when delta operations are processed; False when noop.
        T�entitlement�obligations�enableByDefaultF�
directives�caCerts�remoteServerrbzANew livepatch directives or token. running setup_livepatch_config)�service)r8rFrG)�super�process_contract_deltasrkrer�ProgressWrapperr*rrr�setr)�intersection�anyrPr9rUr�#SERVICE_UPDATING_CHANGED_DIRECTIVESr-rlr_)
rr�r�r��delta_entitlement�process_enable_default�enable_success�_r*�delta_directives�supported_deltasrFrG��	__class__rrr�4sB�
�����z,LivepatchEntitlement.process_contract_deltas)TT)F),�__name__�
__module__�__qualname__r�urls�LIVEPATCH_HOME_PAGE�help_doc_urlrl�LIVEPATCH_TITLEr!�LIVEPATCH_DESCRIPTION�description�LIVEPATCH_HELP_TEXT�	help_text�#affordance_check_kernel_min_version�affordance_check_kernel_flavor�affordance_check_series�affordance_check_arch�propertyrrrrr0�intr4r7rr�r)rar_r�rr�NamedMessager*r�r�rr]rr��
__classcell__rrr�rrs\I����
�A
�
� 
�
�
���rcCs�|sdS|�di��di�}|�d�}|r#tjtjdd�|�gdd�|�d	d
�}|�d�r4|dd�}|rFtjtjdd
�|�gdd�dSdS)a�Process livepatch configuration directives.

    We process caCerts before remoteServer because changing remote-server
    in the canonical-livepatch CLI performs a PUT against the new server name.
    If new caCerts were required for the new remoteServer, this
    canonical-livepatch client PUT could fail on unmatched old caCerts.

    @raises: ProcessExecutionError if unable to configure livepatch.
    Nr�r�r��configzca-certs={}Trfr���/���zremote-server={})rkr
rtr
rur-�endswith)r r��ca_certs�
remote_serverrrrrmms0

��
�
��rm)!�logging�typingrrrr�uaclientrrrr	r
rrr
r�uaclient.entitlements.baserr�(uaclient.entitlements.entitlement_statusr�uaclient.typesr�LIVEPATCH_RETRIESrw�get_event_loggerrU�	getLogger�replace_top_level_logger_namer�rPrrmrrrr�<module>s ,�Q
CasperSecurity

Telegram @BIBIL_0DAY
