| Server IP : 209.38.156.173 / Your IP : 216.73.216.122 [ Web Server : Apache/2.4.52 (Ubuntu) System : Linux lakekumayuhotel 5.15.0-136-generic #147-Ubuntu SMP Sat Mar 15 15:53:30 UTC 2025 x86_64 User : root ( 0) PHP Version : 8.1.2-1ubuntu2.22 Disable Function : NONE Domains : 2 Domains MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : OFF | Sudo : ON | Pkexec : ON Directory : /lib/python3/dist-packages/uaclient/entitlements/__pycache__/ |
Upload File : |
o
����F��c-5������������������� ���@���s$��d�dl�Z�d�dlZd�dlmZmZmZmZmZ�d�dlm Z m
Z
m
Z
m
Z
m
Z
mZmZ�d�dlmZmZ�d�dlmZ�d�dlmZ�ddgZd Zd
Zd
d
d
�ZdZe
�
��Z
d de
deee ��ddfdd�Z d dee
�dee
�deee ��ddfdd�Z!de
dee
�fdd�Z"G�dd
��d
e�Z#d
d
��Z$dS�)!�����N)�Any�Dict�List�Optional�Tuple)�apt�
event_logger�
exceptions�messages�snap�system�util)�IncompatibleService�
UAEntitlement)�ApplicationStatus)�StaticAffordanceg�������?g�������?z
http-proxyz
https-proxyz)Invalid Auth-Token provided to livepatch.z2Your running kernel is not supported by Livepatch.)zUnknown Auth-Tokenzunsupported kernelz
/snap/bin/canonical-livepatch�
protocol_type�
retry_sleeps�returnc�����������������C���s,���t��t�sdS�t�jtdd�|��g|d��dS�)a���
Unset livepatch configuration settings for http and https proxies.
:param protocol_type: String either http or https
:param retry_sleeps: Optional list of sleep lengths to apply between
retries. Specifying a list of [0.5, 1] tells subp to retry twice
on failure; sleeping half a second before the first retry and 1 second
before the second retry.
N�configz {}-proxy=�r���)r
����which�
LIVEPATCH_CMD�subp�format)r���r�����r����A/usr/lib/python3/dist-packages/uaclient/entitlements/livepatch.py�unconfigure_livepatch_proxy ���s
���
�r
����
http_proxy�
https_proxyc�����������������C���sb���|�s|rt��tjjtjd���|�r
tjt dd�|��g|d��|r/tjt dd�|�g|d��dS�dS�)a���
Configure livepatch to use http and https proxies.
:param http_proxy: http proxy to be used by livepatch. If None, it will
not be configured
:param https_proxy: https proxy to be used by livepatch. If None, it will
not be configured
:@param retry_sleeps: Optional list of sleep lengths to apply between
snap calls
)�servicer���z
http-proxy={}r���zhttps-proxy={}N)
�event�infor
����SETTING_SERVICE_PROXYr����LivepatchEntitlement�titler
���r���r����r
���r ���r���r���r���r
����configure_livepatch_proxy4���s"������
��r'����keyc�����������������C���s\���t��tdg�\}}t�d�|��|tj�}|r|�d�nd}|r&t�dd|�}|r,|� ��S�dS�)z�
Gets the config value from livepatch.
:param protocol: can be any valid livepatch config option
:return: the value of the livepatch config option, or None if not set
r���z
^{}: (.*)$����Nz\"(.*)\"z\g<1>)
r
���r���r����re�searchr���� MULTILINE�group�sub�strip)r(����out�_�match�valuer���r���r
����get_config_option_valueW���s
���r4���c���������������� �������s����e�Zd�ZdZdZdZdZedee df�fdd��Z
edee
df�fd d
��Z
d
d
e
de
fd
d�Z d
de
de
de
fdd�Zd
dd�Zdeeeej�f�fdd�Z
d
deeef�deeef�de
de
f��fdd
�
Z���ZS�) r$���z%https://ubuntu.com/security/livepatch� livepatch� LivepatchzCanonical Livepatch servicer���.c�����������������C���s0���ddl�m}�ddlm}�t|tj�t|tj�fS�)Nr�����FIPSEntitlement)�RealtimeKernelEntitlement)�uaclient.entitlements.fipsr8����
uaclient.entitlements.realtimer9���r���r
����LIVEPATCH_INVALIDATES_FIPS� REALTIME_LIVEPATCH_INCOMPATIBLE)�selfr8���r9���r���r���r
����incompatible_servicesm���s���
���z*LivepatchEntitlement.incompatible_servicesc��������������������sP���ddl�m}�||�j�}t|���d�tjk���tjdd��dftj ��fdd�dffS�)Nr���r7���c�������������������S���s���t����S��N)r
����
is_containerr���r���r���r
����<lambda>����s����z9LivepatchEntitlement.static_affordances.<locals>.<lambda>Fc����������������������s�����S�r@���r���r�����is_fips_enabledr���r
���rB�������s����)
r:���r8����cfg�bool�application_statusr����ENABLEDr
����$LIVEPATCH_ERROR_INSTALL_ON_CONTAINER�!LIVEPATCH_ERROR_WHEN_FIPS_ENABLED)r>���r8����fips_entr���rC���r
����static_affordances|���s
���
��
��z'LivepatchEntitlement.static_affordancesF�silentc��������������
���C���s���t��tj�sLt�d��t�tj��zt� ���W�n�t
j
y2�}�zt
�
dt|���W�Y�d}~nd}~ww�z
t�jg�d�tjd��W�n�t
jyK���t
����w�t���sYt
jtj|�jd��zt�jtjddd gd
d
��W�n%�t
jy��}�zt�d
t|�����r�t
�tj��n��W�Y�d}~nd}~ww�t�
d
|�j
j
tj �}t�
d|�j
j tj!�}tj"||tj#d��t��t$�s�t�d��zt�jtjddgd
tj#d��W�n�t
jy��}�zt
j%t|�d��d}~ww�t&||��|�j'd
d
d�S�)zYEnable specific entitlement.
@return: True on success, False otherwise.
zInstalling snapdz<Trying to install snapd. Ignoring apt-get update failure: %sN)zapt-get�installz
--assume-yes�snapdr���)�snap_cmdr ����waitr
���z
seed.loadedT��capturezunknown command .*wait�http�httpsr&���z#Installing canonical-livepatch snaprN���zcanonical-livepatch)rS���r���)� error_msg��process_directives�
process_token)(r
���r���r
����SNAP_CMDr!���r"���r
����APT_UPDATING_LISTSr����run_apt_update_commandr ����UserFacingError�logging�debug�strr����
APT_RETRIES�ProcessExecutionError�CannotInstallSnapdError�
is_installed�
SnapdNotProperlyInstalledErrorr%���r*���r+����lower�warning�
SNAPD_DOES_NOT_HAVE_WAIT_CMDr
����validate_proxyrE���r
����
PROXY_VALIDATION_SNAP_HTTP_URLr ���� PROXY_VALIDATION_SNAP_HTTPS_URL�configure_snap_proxy�SNAP_INSTALL_RETRIESr����ErrorInstallingLivepatchr'����setup_livepatch_config)r>���rM����er
���r ���r���r���r
����_perform_enable����s|���
���
���
�
���
�
��
���
�z$LivepatchEntitlement._perform_enableTrX���rY���c�����������
���
���C���s���|�j�jj�|�j�}|r6zt|��W�n$�tjy5�}�zdt|��}t �
|��t
�
|��W�Y�d}~dS�d}~ww�|r�|�d�}|sLt
�
d|�j��|�j�jd�}|����\}}|tjkr�t
�
d|�j��z t�tdg��W�n�tjy��}�zt
�
t|���W�Y�d}~dS�d}~ww�z
tjtd |gd
d
��W�n:�tjy��}�z-d
}t���D�]\} }
| t|�v�r�||
7�}�nq�|d
kr�|t|�7�}t �
|��W�Y�d}~dS�d}~ww�t �
d
��d
S�)a��Processs configuration setup for livepatch directives.
:param process_directives: Boolean set True when directives should be
processsed.
:param process_token: Boolean set True when token should be
processsed.
z Unable to configure Livepatch: NF�
resourceTokenzHNo specific resourceToken present. Using machine token as %s credentials�
machineTokenz.Disabling %s prior to re-attach with new token�disable�enableTrR���z
Unable to enable Livepatch: z
Canonical livepatch enabled.)rE����machine_token_file�
entitlements�get�name�process_config_directivesr ���rb���r`���r!���r"���r^����errorr_���r%����
machine_tokenrG���r����DISABLEDr
���r���r����
ERROR_MSG_MAP�items)
r>���rX���rY����entitlement_cfgrp����msg�livepatch_tokenrG����_details�
error_message�
print_messager���r���r
���ro�������sj���
�
��
�
���
�
�
��
z+LivepatchEntitlement.setup_livepatch_configc�����������������C���s$���t��t�sdS�t�jtdgdd��dS�)zYDisable specific entitlement
@return: True on success, False otherwise.
Trt���rR���)r
���r���r���r���)r>���rM���r���r���r
����_perform_disable��s���
z%LivepatchEntitlement._perform_disablec��������������
���C���s����t�jd�f}t�t�st�jtjfS�z
tjtdgt d��W�|S��t
j
yC�}�zt
�
dt|���t�jtjdt|�d�fW��Y�d�}~S�d�}~ww�)N�statusr���zLivepatch not enabled. %s��)ry���r����)r���rH���r
���r���r���r}���r
����LIVEPATCH_NOT_ENABLEDr����LIVEPATCH_RETRIESr ���rb���r^���r_���r`����
NamedMessage)r>���r����rp���r���r���r
���rG���
��s
���
�
����z'LivepatchEntitlement.application_status�
orig_access�deltas�
allow_enablec�����������
���������s����t����|||�r
dS�|�di��}|�di���dd�}|r$|����\}}|S�|����\}}|tjkr1dS�|�di��} tddg�}
t|
� | ��}
t|�d d��}
t
|
|
g�r`t
�
d
|�j
��|�j|
|
d
�S�dS�)
a1��Process any contract access deltas for this entitlement.
:param orig_access: Dictionary containing the original
resourceEntitlement access details.
:param deltas: Dictionary which contains only the changed access keys
and values.
:param allow_enable: Boolean set True if allowed to perform the enable
operation. When False, a message will be logged to inform the user
about the recommended enabled service.
:return: True when delta operations are processed; False when noop.
T�
entitlement�
obligations�enabledByDefaultF�
directives�caCerts�
remoteServerrr���z$Updating '%s' on changed directives.rW���)�super�process_contract_deltasrx���ru���rG���r���r}����setrF����
intersection�anyr^���r"���ry���ro���)
r>���r����r����r�����delta_entitlement�process_enable_default�enable_successr1���rG����delta_directives�supported_deltasrX���rY����� __class__r���r
���r����1��s2���
�
�
�z,LivepatchEntitlement.process_contract_deltas)F)TT)�__name__�
__module__�
__qualname__�
help_doc_urlry���r%����
description�propertyr���r���r?���r���rL���rF���rq���ro���r����r���r���r
���r����rG���r���r`���r���r�����
__classcell__r���r���r����r
���r$���f���s@����E���
�
:
��
�
���r$���c�����������������C���s����|�sdS�|���di����di��}|��d�}|r"tjtdd�|�gdd��|��d d
�}|�d
�r3|dd
��}|rDtjtdd
�|�gdd��dS�dS�)a���Process livepatch configuration directives.
We process caCerts before remoteServer because changing remote-server
in the canonical-livepatch CLI performs a PUT against the new server name.
If new caCerts were required for the new remoteServer, this
canonical-livepatch client PUT could fail on unmatched old caCerts.
@raises: ProcessExecutionError if unable to configure livepatch.
Nr����r����r����r���z
ca-certs={}TrR���r����r�����/���zremote-server={})rx���r
���r���r���r����endswith)rE���r�����ca_certs�
remote_serverr���r���r
���rz���a��s*���
�
�
��rz���r@���)NNN)%r^���r*����typingr���r���r���r���r����uaclientr���r���r ���r
���r
���r
���r
����uaclient.entitlements.baser���r����(uaclient.entitlements.entitlement_statusr����uaclient.typesr���r�����HTTP_PROXY_OPTION�HTTPS_PROXY_OPTIONr~���r����get_event_loggerr!���r`����floatr
���r'���r4���r$���rz���r���r���r���r
����<module>���sN����
$
���
�
����
�
�#�
|