o

��Jh�7�@s�dd
lZddl
mZmZmZmZ
ddlmZmZm	Z	m
Z
mZmZm
Z
mZmZ
ddlmZmZ
ddlmZ
ddlmZ
ddgZd	d
d�Ze��Ze�e�e�
�
ZGdd
�d
e�Zdd�Z d
S)�N)�Any�Dict�Optional�Tuple)	�api�event_logger�
exceptions�http�	livepatch�messages�snap�system�util)�EntitlementWithMessage�
UAEntitlement)
�ApplicationStatus)
�StaticAffordanceg�?g�?z)Invalid Auth-Token provided to livepatch.z2Your running kernel is not supported by Livepatch.)zUnknown Auth-Tokenzunsupported kernelc	sF
eZ
dZejjZd
ZejZ	ej
ZejZ
dZdZdZdZedeedffdd��
Zedeedffdd	��
Zdefd
d�Zdefdd
�Zdejdefdd�Z		d"dejdededefdd�Zdejfdd�Z dee!e"ej#ffdd�Z$deee"ej#ffdd�Z%dd�Z&	d#de'e(e)fde'e(e)fdedef�f
d d!�
Z*�Z+S)$�LivepatchEntitlementr
FT�return.c
Cs0d
dlm
}

d
dlm}
t|
tj�t|tj�fS)Nr
�
�FIPSEntitlement)
�RealtimeKernelEntitlement)�uaclient.entitlements.fipsr�uaclient.entitlements.realtimerrr�LIVEPATCH_INVALIDATES_FIPS�REALTIME_LIVEPATCH_INCOMPATIBLE)�selfrr�r�A/usr/lib/python3/dist-packages/uaclient/entitlements/livepatch.py�incompatible_services,s

�

��z*LivepatchEntitlement.incompatible_servicesc
s\d
dlm
}

|
|jd�
}t|��d
tjk�
�tjj	|j
d�
dd�dftj�f
dd�dffS)	Nr
r)
�cfg)
�titlecSst�
�p	t��d
kS)N�wsl)r
�is_container�
get_virt_typerrrr�<lambda>Ks
z9LivepatchEntitlement.static_affordances.<locals>.<lambda>Fc
s�S�
Nrr�
�is_fips_enabledrrr%Qs)rrr �bool�application_statusr�ENABLEDr�"SERVICE_ERROR_INSTALL_ON_CONTAINER�formatr!�!LIVEPATCH_ERROR_WHEN_FIPS_ENABLED)rr�fips_entrr'r�static_affordances;s 
�
��	


��z'LivepatchEntitlement.static_affordancesc


C�d
S)N�r�
rrrr�enable_stepsV�
z!LivepatchEntitlement.enable_stepsc


Cr1)N�
rr3rrr�
disable_stepsYr5z"LivepatchEntitlement.disable_steps�progressc
Cs�
|
�t
j�

t��s|
�d
t
jjdd�
�
t��
t�	�sU|
�d
t
jjdd�
�
zt�
d�

Wn%tjyT
}
zt
jd|d�
|
�d
t
jjdd�
�
WYd	}~nd	}~w
wt�|
�

zt�d�

Wn$tjy�
}
zt
jd
|d�
t�t
jjdd�
�

WYd	}~nd	}~w
wt�d|jjtj�}t�d
|jjtj�}tj||tjd�
t��s�|
�d
t
jjdd�
�
zt�
d�

Wntjy�
}
ztjt |�
d�
�
d	}~w
wt�!||�
|j"|
ddd�S)zYEnable specific entitlement.

        @return: True on success, False otherwise.
        �info�snapd)
�packagesz
snapd snapz!Failed to install snapd as a snap�
�exc_infozsnap install snapd�
�commandNzFailed to refresh snapd snapzsnap refresh snapdr	�https)�
http_proxy�https_proxy�retry_sleepszcanonical-livepatch snapzcanonical-livepatch�
�	error_msgT)�process_directives�
process_token)#r8r�INSTALLING_LIVEPATCHr�is_snapd_installed�emit�INSTALLING_PACKAGESr-�
install_snapd�is_snapd_installed_as_a_snap�install_snapr�ProcessExecutionError�LOG�warning�EXECUTING_COMMAND_FAILED�run_snapd_wait_cmd�refresh_snap�eventr9r	�validate_proxyr rA�PROXY_VALIDATION_SNAP_HTTP_URLrB�PROXY_VALIDATION_SNAP_HTTPS_URL�configure_snap_proxy�SNAP_INSTALL_RETRIESr
�is_livepatch_installed�ErrorInstallingLivepatch�str�configure_livepatch_proxy�setup_livepatch_config)rr8�
erArBrrr�_perform_enable\s~

�


�






����
	





����
�
�


�



��


��
�z$LivepatchEntitlement._perform_enablerFrGc
Cs�
|
�t
j�

|j���|j�
}|rBzt|�

Wn*tj	yA
}
zt
jt|�
|d
�
|
�
dt
jjt|�
d�
�
WYd}~dSd}~w
w|r�|�d�
}|sXt
�d|j�
|jjd}|��\}}|tjkr�t
�d	�

|
�
dt
j�
z
t�tjd
g�

Wntj	y�
}
zt
jt|�
|d
�
WYd}~dSd}~w
wztjtjd|gdd
�
WdStj	y�
}
z0t
j}	t��D]\}
}|
t|�
vr�|	|7}	
n
q�|	t
jkr�|	t|�
7}	|
�
d|	�
WYd}~dSd}~w
wdS)a
Processs configuration setup for livepatch directives.

        :param process_directives: Boolean set True when directives should be
            processsed.
        :param process_token: Boolean set True when token should be
            processsed.
        r<r9rDNF�
resourceTokenzHNo specific resourceToken present. Using machine token as %s credentials�machineTokenz&Disabling livepatch before re-enabling�disable�enableT�
�capture)r8r�SETTING_UP_LIVEPATCH�machine_token_file�entitlements�get�name�process_config_directivesrrOrP�errorr]rJ�LIVEPATCH_UNABLE_TO_CONFIGUREr-�debugr!�
machine_tokenr*r�DISABLEDr9�LIVEPATCH_DISABLE_REATTACHr
�subpr
�
LIVEPATCH_CMD�LIVEPATCH_UNABLE_TO_ENABLE�
ERROR_MSG_MAP�items)rr8rFrG�entitlement_cfgr`�livepatch_tokenr*�_details�msg�
error_message�
print_messagerrrr_�sr









����	




�
�









��



��




�



��
z+LivepatchEntitlement.setup_livepatch_configcCsBt�
�sd
Stjdg}|
�tjjd�|�
d�
�

tj	|d
d�
d
S)zYDisable specific entitlement

        @return: True on success, False otherwise.
        Trd�
 r>rf)
r
r[rur8r�EXECUTING_COMMANDr-�joinr
rt)rr8�cmdrrr�_perform_disable�s




�
z%LivepatchEntitlement._perform_disablec

Cs�tj
df}
t��stjtjfSzt��}Wntj	y3
}
ztj
tjj|j
d
�
fWYd}~Sd}~w
w|dur>tjtjfS|
S)N)
�livepatch_error)rr+r
r[rrr�LIVEPATCH_NOT_ENABLED�statusrrO�WARNING� LIVEPATCH_CLIENT_FAILURE_WARNINGr-�stderr�+LIVEPATCH_APPLICATION_STATUS_CLIENT_FAILURE)rr��livepatch_statusr`rrrr*�s$





����
�z'LivepatchEntitlement.application_statusc
Cszt�
�}
|
tjjkrt��}d
tjj|j	|j
d�fS|
tjjkr0t��}d
tjj|j	|j
d�fS|
tjj
kr;d
tjfSdS)NT)�version�arch)FN)r
�on_supported_kernel�LivepatchSupport�UNSUPPORTEDr
�get_kernel_infor�LIVEPATCH_KERNEL_NOT_SUPPORTEDr-�
uname_release�uname_machine_arch�
KERNEL_EOL�LIVEPATCH_KERNEL_EOL�KERNEL_UPGRADE_REQUIRED�!LIVEPATCH_KERNEL_UPGRADE_REQUIRED)r�support�kernel_inforrr�enabled_warning_status
s,




��



��
�z+LivepatchEntitlement.enabled_warning_statusc

Cs"t�
�tjjkrt��stjSdSr&)r
r�r�r�r
r#r�*LIVEPATCH_KERNEL_NOT_SUPPORTED_DESCRIPTIONr3rrr�status_description_override+
s
��
z0LivepatchEntitlement.status_description_override�orig_access�deltas�allow_enablec
s�t��
|
||�r
d
S|�di�}|�di��dd�}|r'|�t���
\}}|S|��\}}|tjkr4dS|�di�}	t	ddg�
}
t
|
�|	�
�
}t
|�d	d��
}t||g�
rot
�d
�

t�tjj|jd�
�

|jt��||d�Sd
S)
a1Process any contract access deltas for this entitlement.

        :param orig_access: Dictionary containing the original
            resourceEntitlement access details.
        :param deltas: Dictionary which contains only the changed access keys
        and values.
        :param allow_enable: Boolean set True if allowed to perform the enable
            operation. When False, a message will be logged to inform the user
            about the recommended enabled service.

        :return: True when delta operations are processed; False when noop.
        T�entitlement�obligations�enableByDefaultF�
directives�caCerts�remoteServerrbzANew livepatch directives or token. running setup_livepatch_config)
�service)r8rFrG)�super�process_contract_deltasrkrer�ProgressWrapperr*rrr�setr)�intersection�anyrPr9rUr�#SERVICE_UPDATING_CHANGED_DIRECTIVESr-rlr_)
rr�r�r��delta_entitlement�process_enable_default�enable_success�
_r*�delta_directives�supported_deltasrFrG�
�	__class__rrr�4
sB


�








�


�

��


�z,LivepatchEntitlement.process_contract_deltas)TT)
F),�__name__�
__module__�__qualname__r�urls�LIVEPATCH_HOME_PAGE�help_doc_urlrl�LIVEPATCH_TITLEr!�LIVEPATCH_DESCRIPTION�description�LIVEPATCH_HELP_TEXT�	help_text�#affordance_check_kernel_min_version�affordance_check_kernel_flavor�affordance_check_series�affordance_check_arch�propertyrrrrr0�intr4r7rr�r)rar_r�rr�NamedMessager*r�r�rr]rr��
__classcell__rrr�rrs\








I
����
�A
�
� 
�
�
���rc
Cs�|sd
S|�di��di�}
|
�d�
}|r#t
jtjdd�|�
gdd�
|
�d	d
�}|�d�
r4|d
d�}|rFt
jtjdd
�|�
gdd�
d
Sd
S)a�
Process livepatch configuration directives.

    We process caCerts before remoteServer because changing remote-server
    in the canonical-livepatch CLI performs a PUT against the new server name.
    If new caCerts were required for the new remoteServer, this
    canonical-livepatch client PUT could fail on unmatched old caCerts.

    @raises: ProcessExecutionError if unable to configure livepatch.
    Nr�r�r��configzca-certs={}Trfr���
/���zremote-server={})rkr
rtr
rur-�endswith)r r��ca_certs�
remote_serverrrrrmm
s0








��






�
��rm)!�logging�typingrrrr�uaclientrrrr	r
rrr
r�uaclient.entitlements.baserr�(uaclient.entitlements.entitlement_statusr�uaclient.typesr�LIVEPATCH_RETRIESrw�get_event_loggerrU�	getLogger�replace_top_level_logger_namer�rPrrmrrrr�<module>
s 
,


�
Q