U Jhr@s&ddlZddlmZmZmZmZmZmZmZddl m Z m Z m Z m Z mZddlmZmZddlmZddlmZmZddlmZmZddlmZmZmZdd lmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2dd l3m4Z4dd l3m5Z6dd l7m8Z8dd l7m5Z9dd l:m;Z;mZ>ddl?m@Z@mAZAmBZBddlCmDZDddlEmFZFddlGmHZHmIZImJZJddlKmLZLddlMmNZNddlOmPZPddlQmRZRmSZSmTZTddlUmVZVddlWmXZXddlYmZZZddl[m\Z\GdddZ]e)dddZ^e+d d!d"Z_e`eaeLd#d$d%Zbe`eaeaeLd&d'd(Zcdpee`e`ededee`e`d)d*d+ZeeLe`ead,d-d.Zfdd/d0d1ZgeLd2d3d4ZheLead5d6d7Ziee`e`d8d9d:ZjeLeaead;dd?ZleLe`ead@dAdBZme`eLeaeadCdDdEZndqee`e`dGdHdIZoe`dJdKdLZpe]e.dMdNdOZqe]e/dMdPdQZre]e-dMdRdSZse]e"dMdTdUZte]e#dMdVdWZue]e$dMdXdYZve]e(dMdZd[Zwe]e&dMd\d]Zxe]e%dMd^d_Zye)eaeLeeeefd`dadbZze>j{dcdddedfZ|eBdce j}e j~e|eFjdgeAe@dhe jdie@dje jdkdle@dme jdkdlgdngdoZdS)rN)DictList NamedTupleOptionalSetTupleUnion)apt exceptionsmessagessystemutil)attach_with_tokenenable_entitlement_by_name) _initiate)MagicAttachRevokeOptions_revoke)MagicAttachWaitOptions_wait) FixStatusUnfixedPackagestatus_message)ESM_APPS_POCKETESM_INFRA_POCKETSTANDARD_UPDATES_POCKETFixPlanAptUpgradeStepFixPlanAttachStepFixPlanEnableStepFixPlanNoOpAlreadyFixedStepFixPlanNoOpLivepatchFixStepFixPlanNoOpStatusFixPlanNoOpStep FixPlanResult FixPlanStepFixPlanUSNResultFixPlanWarning"FixPlanWarningFailUpdatingESMCache&FixPlanWarningPackageCannotBeInstalled#FixPlanWarningSecurityIssueNotFixedNoOpAlreadyFixedDataNoOpLivepatchFixDataUSNAdditionalData)CVEFixPlanOptions)_plan)USNFixPlanOptions)ContractExpiryStatus _is_attached)cli_util) ProArgumentProArgumentGroup ProCommand) action_detach) HelpCategory)CLOUD_TYPE_TO_TITLEPRO_CLOUD_URLSget_cloud_type)UAConfig)PRINT_WRAP_WIDTH)entitlement_factory)ApplicabilityStatusCanEnableFailureUserFacingStatus)notices)Notice) PRO_HOME_PAGE)colorize_commandsc@s\eZdZeeeeedddZddZd eeee eddd Z eeed d d Z dS) FixContexttitledry_run affected_pkgscfgcCsJd|_g|_t|_tj|_||_||_||_ ||_ d|_ d|_ d|_ dS)NrTF) pkg_index unfixed_pkgssetinstalled_pkgsrSYSTEM_NON_VULNERABLE fix_statusrFrHrGrIshould_print_pkg_header warn_package_cannot_be_installedfixed_by_livepatch)selfrFrGrHrIrT2/usr/lib/python3/dist-packages/uaclient/cli/fix.py__init__RszFixContext.__init__cCsN|jrJtjt|jjt|jdt|jd}tt j |t ddddS)N, )countpkgs F)widthsubsequent_indentZreplace_whitespace) rHr ZSECURITY_AFFECTED_PKGS pluralizelenformatjoinsortedprinttextwrapfillr;)rSmsgrTrTrUprint_fix_headereszFixContext.print_fix_headerN source_pkgsstatuspocketcCs4|jr0tt|||jt|j|r&t|ndddS)N)pkg_listrirJnum_pkgs pocket_source)rPrb_format_packages_messagerJr^rHget_pocket_description)rSrhrirjrTrTrUprint_pkg_headervszFixContext.print_pkg_headerrYunfixed_reasoncCs"|D]}|jt||dqdS)N)pkgrr)rKappendr)rSrYrrrsrTrTrUadd_unfixed_packagess zFixContext.add_unfixed_packages)N) __name__ __module__ __qualname__strboolrr:rVrfrrprurTrTrTrUrDQs  rDcvecCs8dj|j|jdd|jg}td|dS)N{issue}: {description}issue descriptionz! - https://ubuntu.com/security/{} )r_rFupperrrbr`)r|linesrTrTrUprint_cve_headersr)fix_plancCs|j}dj|j|jdg}|j}t|tr|jrj| t j |jD] }| dt j j j|dqFn,|jr| t j|jD]}| d|qtd|dS)Nr}r~z - {}r{z - r)target_usn_planr_rFrradditional_data isinstancer+Zassociated_cvesrtr ZSECURITY_FOUND_CVESZurlsZSECURITY_CVE_PAGEZassociated_launchpad_bugsZSECURITY_FOUND_LAUNCHPAD_BUGSrbr`)rZ target_usnrrr|Zlp_bugrTrTrUprint_usn_headers*     r)security_issuerGrIcCsztt|gd|d}|jjdj}|rH|jrHtjt |j pd|jdt |jjdt dt jj|dt|jjdj||\}}|tjtjfkr|S|jjdj}|r|r|St dt jjdd d |Dd t dt ji} |D],} t d | jt| ||| | j<t qt t jt||t jd d} |D]} | | j\} } t| | jt jd | tjkrt dt jjddd} | tjkrD| D]"}|j rt d|j!|j qd} qD| rt dt j"j|d|S)N)usnsrrrrr)issue_idz - css|] }|jVqdSN)rF).0ZusnrTrTrU szfix_usn..)Z related_usnsz- {})contextF- fix operationZ operationTz - {}: {})#usn_planr.Z usns_datarrrrer rr rrrrbZSECURITY_FIXING_REQUESTED_USNr_rrrNSYSTEM_NOT_AFFECTEDrelated_usns_planZSECURITY_RELATED_USNSr`ZSECURITY_FIXING_RELATED_USNSrFZSECURITY_USN_SUMMARY_handle_fix_status_messageZFIX_ISSUE_CONTEXT_REQUESTEDZFIX_ISSUE_CONTEXT_RELATEDSYSTEM_VULNERABLE_UNTIL_REBOOTENABLE_REBOOT_REQUIRED_TMPLSYSTEM_STILL_VULNERABLErrrsZSECURITY_RELATED_USN_ERROR)rrGrrIrrZtarget_usn_statusrrZrelated_usn_statusZrelated_usn_planZfailure_on_related_usnrirK unfixed_pkgrTrTrUfix_usns       r)rkrirJrlrmreturnc Cs|sdSg}g}|D](}|d7}|d||||qtjddd|ddt|tdd }d |t||S) z;Format the packages and status to an user friendly message.z{}/{}z{} {}:(rW)rZr[r\z{} {})rtr_rcrdr`rar;r) rkrirJrlrmZ msg_indexZsrc_pkgsZsrc_pkgZ msg_headerrTrTrUrn/s"  rn)rItokenrc Csbttdd|ggzt||ddWdStjk r\}zt|jWYdSd}~XYnXdS)ztAttach to an Ubuntu Pro subscription with a given token. :return: True if attach performed without errors. proZattachT)rZ allow_enableFN)rbrCrr ZUbuntuProErrorre)rIrerrrTrTrU_run_ua_attachKs r)rcCs:t\}}|tkr6ttjjt|t|ddS)z:Alert the user when running Pro on cloud with PRO support.)rFZcloud_specific_urlN) r9r8keysrbr ZSECURITY_USE_PRO_TMPLr_r7get)Z cloud_typerrTrTrU*_inform_ubuntu_pro_existence_if_applicableYs  rrIc Csttjt|d}tdtjj|jdt|jd}zt ||d}WnJt j k r}z*ttj t |jd}t||d|W5d}~XYnXtdtjt||jS)Nrr) user_code)Z magic_tokenr)rbr ZCLI_MAGIC_ATTACH_INITrZCLI_MAGIC_ATTACH_SIGN_INr_rrrrr ZMagicAttachTokenErrorZCLI_MAGIC_ATTACH_FAILEDrrZCLI_MAGIC_ATTACH_PROCESSINGrZcontract_token)rIZ initiate_respZ wait_optionsZ wait_respeZrevoke_optionsrTrTrU_perform_magic_attaches*     r)rIrcCsjtttjtjtjdddgd}|dkr2dS|dkrBt|S|dkrfttjt d}t ||SdS)zZPrompt for attach to a subscription or token. :return: True if attach performed. sacZ valid_choicesF> T) rrbr Z*SECURITY_UPDATE_NOT_INSTALLED_SUBSCRIPTIONr prompt_choicesZSECURITY_FIX_ATTACH_PROMPTrZPROMPT_ENTER_TOKENinputr)rIchoicerrTrTrU_prompt_for_attachs   r)rKrcCs4t|}tjtj|j|dt|dt ddS)zFormat the list of unfixed packages into an message. :returns: A string containing the message output for the unfixed packages. rW)rlrYrZr) r^rcrdr ZSECURITY_PKG_STILL_AFFECTEDr]r_r`rar;)rKZnum_pkgs_unfixedrTrTrU_format_unfixed_packages_msgs r)rIrGrcCs4t|j}|r0|tjjkr0|r,ttjdSdSdS)zuCheck if the Ubuntu Pro subscription is expired. :returns: True if subscription is expired and not renewed. FT)r0Zcontract_statusr/ZEXPIREDvaluerbr (SECURITY_DRY_RUN_UA_EXPIRED_SUBSCRIPTION)rIrGZcontract_expiry_statusrTrTrU_check_subscription_is_expireds   rcCsddl}tttjtjtjjt dddgd}|dkr~ttj t d}tt dd ggt |jd d d |t||Sd S)zdPrompt for attach a new subscription token to the user. :return: True if attach performed. rN)ZurlrrrrrdetachTZcli)Z assume_yesr_F)argparserrbr Z%SECURITY_UPDATE_NOT_INSTALLED_EXPIREDr rZSECURITY_FIX_RENEW_PROMPTr_rBZPROMPT_EXPIRED_ENTER_TOKENrrCr5Z Namespacer)rIrrrrTrTrU_prompt_for_new_tokens    r)rIservicercCsttjj|dtjtjj|dddgd}|dkrttdd|ggt||d\}}|s|dk rt |t r|j dk rt|j j |Sd S) zMPrompt for enable a pro service. :return: True if enable performed. rrrrrenablerInameNF) rbr ZSECURITY_SERVICE_DISABLEDr_r rZSECURITY_FIX_ENABLE_PROMPTrCrrr>messagere)rIrrZretreasonrTrTrU_prompt_for_enables$   r)rrIrGrcCst||d}|r|\}}|tjkr*dS|\}}|tjkr|r`tdtj j |j ddSt ||j rpdSttj j |j dnttjj |j ddS)zQ Verify if the Ubuntu Pro subscription has the required service enabled. rTrrF)r<Zuser_facing_statusr?ZACTIVEapplicability_statusr=Z APPLICABLErbr Z'SECURITY_DRY_RUN_UA_SERVICE_NOT_ENABLEDr_rrZSECURITY_UA_SERVICE_NOT_ENABLEDZ SECURITY_UA_SERVICE_NOT_ENTITLED)rrIrGZentZ ent_statusrrrTrTrU)_handle_subscription_for_required_services:      rr)rirrcCs|tjkr>|r tjj||d}ntjj|d}tt|n|tj kr||r^tj j||d}ntj j|d}tt|np|tj kr|rtj j||d}ntjj|d}tt|n2|rtj j||d}ntjj|d}tt|dS)N)rr)r)rrNr Z%SECURITY_ISSUE_RESOLVED_ISSUE_CONTEXTr_ZSECURITY_ISSUE_RESOLVEDrbr Zhandle_unicode_charactersrZ'SECURITY_ISSUE_UNAFFECTED_ISSUE_CONTEXTZSECURITY_ISSUE_UNAFFECTEDrZ)SECURITY_ISSUE_NOT_RESOLVED_ISSUE_CONTEXTZSECURITY_ISSUE_NOT_RESOLVED)rirrrerTrTrUrs>   rrjcCs2|tkrtjS|tkrtjS|tkr*tjS|SdSr)rr Z'SECURITY_UBUNTU_STANDARD_UPDATES_POCKETrZSECURITY_UA_INFRA_POCKETrZSECURITY_UA_APPS_POCKETrrTrTrUro?sro fix_contextstepcCsh|j|jjd|jjdd|_tjj|jj|jj d}t d||j |jj g|dd|_ tj|_dS)NreleasedrgF)packageversionrrqT)rpdataZrelated_source_packagesrjrPr ZFIX_CANNOT_INSTALL_PACKAGEr_Zbinary_packageZbinary_package_versionrbruZsource_packagerQrrrO)rrZwarn_msgrTrTrU)_execute_package_cannot_be_installed_stepJs" rcCsR|j|jj|jjd|jt|jj7_|j|jjt|jjdtj |_ dS)N)rhrirq) rprsource_packagesrirJr^rurrrrOrrTrTrU&_execute_security_issue_not_fixed_stepcs rcCs*trttjntdtjddS)Nr)r we_are_currently_rootrbr ZCLI_FIX_FAIL_UPDATING_ESM_CACHEZ(CLI_FIX_FAIL_UPDATING_ESM_CACHE_NON_ROOTrrTrTrU%_execute_fail_updating_esm_cache_stepss rc Csv|j|jjd|jjd|jt|jj7_|jjsR|jsFtt j t j |_ dSts|jstt jt j|_ |j|jjt jddSttdddgdddd gt|jjg|jrt j |_ dSz.ttjd ddd g|jjd d id Wn\tk rR}z<z"execute_fix_plan..)keycSsg|] }|jqSrT)rs)rrrTrTrU `sz$execute_fix_plan..)rMrr)0ZplanwarningsrDrFZaffected_packagesrfrarr'rr(rr&rrrrOrrNrrrrr!rrrrrrbrKrlistrLrr Z should_rebootrMrr rr_r@addrAZENABLE_REBOOT_REQUIREDrRr)rrGrIZ full_planrrZ reboot_msgrTrTrUr,s                        rZfix)rcKsJ|jrttjd|jkr0t|j|j|}nt|j|j|j|}|j S)Nr|) rGrbr ZSECURITY_DRY_RUN_WARNINGrlowerrrrZ exit_code)argsrIkwargsrirTrTrU action_fix~s rTr)helpz --dry-run store_true)ractionz --no-related)Z arguments)rrrZ help_categoryZpreserve_descriptionZargument_groups)N)r)rctypingrrrrrrrZuaclientr r r r r Zuaclient.actionsrrZ+uaclient.api.u.pro.attach.magic.initiate.v1rZ)uaclient.api.u.pro.attach.magic.revoke.v1rrZ'uaclient.api.u.pro.attach.magic.wait.v1rrZ'uaclient.api.u.pro.security.fix._commonrrrZ/uaclient.api.u.pro.security.fix._common.plan.v1rrrrrrrrr r!r"r#r$r%r&r'r(r)r*r+Z+uaclient.api.u.pro.security.fix.cve.plan.v1r,r-rZ+uaclient.api.u.pro.security.fix.usn.plan.v1r.rZ(uaclient.api.u.pro.status.is_attached.v1r/r0Z uaclient.clir1Zuaclient.cli.commandsr2r3r4Zuaclient.cli.detachr5Zuaclient.cli.parserr6Zuaclient.clouds.identityr7r8r9Zuaclient.configr:Zuaclient.defaultsr;Zuaclient.entitlementsr<Z(uaclient.entitlements.entitlement_statusr=r>r?Zuaclient.filesr@Zuaclient.files.noticesrAZuaclient.messages.urlsrBZuaclient.statusrCrDrrryrzrrintrnrrrrrrrrrrrorrrrrrrrrrZ assert_vulnerability_issue_validrZ CLI_ROOT_FIXZ CLI_FIX_DESCZSECURITYZ CLI_FIX_ISSUEZCLI_FIX_DRY_RUNZCLI_FIX_NO_RELATEDZ fix_commandrTrTrTrUs$  X              ?  l   , %     ? 0 "    R