o Hcfy7@sddlZddlmZmZmZmZddlmZmZm Z m Z m Z m Z m Z mZmZddlmZmZddlmZddlmZddgZd d d ZeZeeeZGd d d eZddZ dS)N)AnyDictOptionalTuple) api event_logger exceptionshttp livepatchmessagessnapsystemutil)EntitlementWithMessage UAEntitlement)ApplicationStatus)StaticAffordanceg?g?z)Invalid Auth-Token provided to livepatch.z2Your running kernel is not supported by Livepatch.)zUnknown Auth-Tokenzunsupported kernelc sFeZdZejjZdZejZ ej Z ej Z dZdZdZdZedeedffddZedeedffdd Zdefd d Zdefd d ZdejdefddZ  d"dejdededefddZdejfddZ dee!e"ej#ffddZ$deee"ej#ffddZ%ddZ& d#de'e(e)fde'e(e)fdedeffd d! Z*Z+S)$LivepatchEntitlementr FTreturn.cCs0ddlm}ddlm}t|tjt|tjfS)NrFIPSEntitlement)RealtimeKernelEntitlement)uaclient.entitlements.fipsruaclient.entitlements.realtimerrr LIVEPATCH_INVALIDATES_FIPSREALTIME_LIVEPATCH_INCOMPATIBLE)selfrrrA/usr/lib/python3/dist-packages/uaclient/entitlements/livepatch.pyincompatible_services,s  z*LivepatchEntitlement.incompatible_servicescsZddlm}||j}t|dtjktjj |j ddddftj fdddffS)Nrr)titlecSstSN)r is_containerrrrrKsz9LivepatchEntitlement.static_affordances..FcsSr!rris_fips_enabledrrr#Ps) rrcfgboolapplication_statusrENABLEDr "SERVICE_ERROR_INSTALL_ON_CONTAINERformatr !LIVEPATCH_ERROR_WHEN_FIPS_ENABLED)rrfips_entrr$rstatic_affordances;s   z'LivepatchEntitlement.static_affordancescCdS)Nrrrrr enable_stepsUz!LivepatchEntitlement.enable_stepscCr/)Nrr1rrr disable_stepsXr3z"LivepatchEntitlement.disable_stepsprogressc Cs|tjts|dtjjddtt sU|dtjjddzt dWn%t j yT}zt jd|d|dtjjddWYd }~nd }~wwt|ztdWn$t j y}zt jd |dttjjd dWYd }~nd }~wwtd |jjtj}td |jjtj}tj||tjdts|dtjjddzt dWnt j y}zt jt |dd }~wwt!|||j"|dddS)zYEnable specific entitlement. @return: True on success, False otherwise. infosnapd)packagesz snapd snapz!Failed to install snapd as a snapexc_infozsnap install snapdcommandNzFailed to refresh snapd snapzsnap refresh snapdr https) http_proxy https_proxy retry_sleepszcanonical-livepatch snapzcanonical-livepatch error_msgT)process_directives process_token)#r6r INSTALLING_LIVEPATCHr is_snapd_installedemitINSTALLING_PACKAGESr+ install_snapdis_snapd_installed_as_a_snap install_snaprProcessExecutionErrorLOGwarningEXECUTING_COMMAND_FAILEDrun_snapd_wait_cmd refresh_snapeventr7r validate_proxyr&r?PROXY_VALIDATION_SNAP_HTTP_URLr@PROXY_VALIDATION_SNAP_HTTPS_URLconfigure_snap_proxySNAP_INSTALL_RETRIESr is_livepatch_installedErrorInstallingLivepatchstrconfigure_livepatch_proxysetup_livepatch_config)rr6er?r@rrr_perform_enable[s~      z$LivepatchEntitlement._perform_enablerDrEc Cs|tj|jjj|j}|rBzt|Wn*t j yA}zt j t ||d|dtjjt |dWYd}~dSd}~ww|r|d}|sXt d|j|jjd}|\}}|tjkrt d |dtjz ttjd gWnt j y}zt j t ||dWYd}~dSd}~wwztjtjd |gd d Wd St j y}z0tj} tD]\} } | t |vr| | 7} nq| tjkr| t |7} |d| WYd}~dSd}~wwd S)aProcesss configuration setup for livepatch directives. :param process_directives: Boolean set True when directives should be processsed. :param process_token: Boolean set True when token should be processsed. r:r7rBNF resourceTokenzHNo specific resourceToken present. Using machine token as %s credentials machineTokenz&Disabling livepatch before re-enablingdisableenableTcapture) r6r SETTING_UP_LIVEPATCHr&machine_token_file entitlementsgetnameprocess_config_directivesrrMrNerrorr[rHLIVEPATCH_UNABLE_TO_CONFIGUREr+debugr machine_tokenr(rDISABLEDr7LIVEPATCH_DISABLE_REATTACHr subpr LIVEPATCH_CMDLIVEPATCH_UNABLE_TO_ENABLE ERROR_MSG_MAPitems) rr6rDrEentitlement_cfgr^livepatch_tokenr(_detailsmsg error_message print_messagerrrr]sr             z+LivepatchEntitlement.setup_livepatch_configcCsBtsdStjdg}|tjjd|dtj |dddS)zYDisable specific entitlement @return: True on success, False otherwise. Trb r<rd) r rYrsr6r EXECUTING_COMMANDr+joinr rr)rr6cmdrrr_perform_disables z%LivepatchEntitlement._perform_disablec Cstjdf}tstjtjfSzt}Wntj y3}ztj tj j |j dfWYd}~Sd}~ww|dur>tjtjfS|S)N)livepatch_error)rr)r rYrpr LIVEPATCH_NOT_ENABLEDstatusrrMWARNING LIVEPATCH_CLIENT_FAILURE_WARNINGr+stderr+LIVEPATCH_APPLICATION_STATUS_CLIENT_FAILURE)rrlivepatch_statusr^rrrr(s$   z'LivepatchEntitlement.application_statuscCszt}|tjjkrt}dtjj|j |j dfS|tjj kr0t}dtj j|j |j dfS|tjj kr;dtjfSdS)NT)versionarch)FN)r on_supported_kernelLivepatchSupport UNSUPPORTEDr get_kernel_infor LIVEPATCH_KERNEL_NOT_SUPPORTEDr+ uname_releaseuname_machine_arch KERNEL_EOLLIVEPATCH_KERNEL_EOLKERNEL_UPGRADE_REQUIRED!LIVEPATCH_KERNEL_UPGRADE_REQUIRED)rsupport kernel_inforrrenabled_warning_status s,   z+LivepatchEntitlement.enabled_warning_statuscCs"ttjjkrtstjSdSr!)r rrrr r"r *LIVEPATCH_KERNEL_NOT_SUPPORTED_DESCRIPTIONr1rrrstatus_description_override*sz0LivepatchEntitlement.status_description_override orig_accessdeltas allow_enablec st|||r dS|di}|didd}|r'|t\}}|S|\}}|tjkr4dS|di} t ddg} t | | } t |d d} t | | grot d ttjj|jd |jt| | d SdS) a1Process any contract access deltas for this entitlement. :param orig_access: Dictionary containing the original resourceEntitlement access details. :param deltas: Dictionary which contains only the changed access keys and values. :param allow_enable: Boolean set True if allowed to perform the enable operation. When False, a message will be logged to inform the user about the recommended enabled service. :return: True when delta operations are processed; False when noop. T entitlement obligationsenableByDefaultF directivescaCerts remoteServerr`zANew livepatch directives or token. running setup_livepatch_config)service)r6rDrE)superprocess_contract_deltasrircrProgressWrapperr(rrpsetr' intersectionanyrNr7rSr #SERVICE_UPDATING_CHANGED_DIRECTIVESr+rjr]) rrrrdelta_entitlementprocess_enable_defaultenable_success_r(delta_directivessupported_deltasrDrE __class__rrr3sB       z,LivepatchEntitlement.process_contract_deltas)TT)F),__name__ __module__ __qualname__r urlsLIVEPATCH_HOME_PAGE help_doc_urlrjLIVEPATCH_TITLEr LIVEPATCH_DESCRIPTION descriptionLIVEPATCH_HELP_TEXT help_text#affordance_check_kernel_min_versionaffordance_check_kernel_flavoraffordance_check_seriesaffordance_check_archpropertyrrrrr.intr2r5rrr'r_r]rrr NamedMessager(rrrr[rr __classcell__rrrrrs\I A      rcCs|sdS|didi}|d}|r#tjtjdd|gdd|d d }|d r4|dd }|rFtjtjdd |gdddSdS)aProcess livepatch configuration directives. We process caCerts before remoteServer because changing remote-server in the canonical-livepatch CLI performs a PUT against the new server name. If new caCerts were required for the new remoteServer, this canonical-livepatch client PUT could fail on unmatched old caCerts. @raises: ProcessExecutionError if unable to configure livepatch. Nrrrconfigz ca-certs={}Trdr/zremote-server={})rir rrr rsr+endswith)r&rca_certs remote_serverrrrrkls0      rk)!loggingtypingrrrruaclientrrrr r r r r ruaclient.entitlements.baserr(uaclient.entitlements.entitlement_statusruaclient.typesrLIVEPATCH_RETRIESruget_event_loggerrS getLoggerreplace_top_level_logger_namerrNrrkrrrrs ,   P