U Jh7@sddlZddlmZmZmZmZddlmZmZm Z m Z m Z m Z m Z mZmZddlmZmZddlmZddlmZddgZd d d ZeZeeeZGd d d eZddZ dS)N)AnyDictOptionalTuple) api event_logger exceptionshttp livepatchmessagessnapsystemutil)EntitlementWithMessage UAEntitlement)ApplicationStatus)StaticAffordanceg?g?z)Invalid Auth-Token provided to livepatch.z2Your running kernel is not supported by Livepatch.)zUnknown Auth-Tokenzunsupported kernelcs2eZdZejjZdZejZ ej Z ej Z dZdZdZdZeeedfdddZeeedfddd Zedd d Zedd d ZejedddZd ejeeedddZejdddZ ee!e"ej#fdddZ$eee"ej#fdddZ%ddZ&d!e'e(e)fe'e(e)feedfdd Z*Z+S)"LivepatchEntitlementr FT.)returncCs0ddlm}ddlm}t|tjt|tjfS)NrFIPSEntitlement)RealtimeKernelEntitlement)uaclient.entitlements.fipsrZuaclient.entitlements.realtimerrr ZLIVEPATCH_INVALIDATES_FIPSZREALTIME_LIVEPATCH_INCOMPATIBLE)selfrrrA/usr/lib/python3/dist-packages/uaclient/entitlements/livepatch.pyincompatible_services,s  z*LivepatchEntitlement.incompatible_servicescs\ddlm}||jd}t|dtjktjj |j ddddftj fdddffS) Nrr)cfg)titlecSstptdkS)NZwsl)r is_containerZ get_virt_typerrrrKsz9LivepatchEntitlement.static_affordances..FcsSNrrZis_fips_enabledrrr Q) rrrboolapplication_statusrENABLEDr Z"SERVICE_ERROR_INSTALL_ON_CONTAINERformatrZ!LIVEPATCH_ERROR_WHEN_FIPS_ENABLED)rrZfips_entrr"rstatic_affordances;s     z'LivepatchEntitlement.static_affordancescCsdS)Nrrrrr enable_stepsVsz!LivepatchEntitlement.enable_stepscCsdS)Nrr*rrr disable_stepsYsz"LivepatchEntitlement.disable_steps)progressrc Cs|tjts2|dtjjddtt s|dtjjddzt dWnHt j k r}z(t jd|d|dtjjddW5d }~XYnXt|ztdWnHt j k r}z&t jd |dttjjd dW5d }~XYnXtd |jjtj}td |jjtj}tj||tjdts|dtjjddzt dWn6t j k r}zt jt |dW5d }~XYnXt!|||j"|dddS)zYEnable specific entitlement. @return: True on success, False otherwise. infoZsnapd)Zpackagesz snapd snapz!Failed to install snapd as a snapexc_infozsnap install snapdZcommandNzFailed to refresh snapd snapzsnap refresh snapdr Zhttps) http_proxy https_proxyZ retry_sleepszcanonical-livepatch snapzcanonical-livepatchZ error_msgT)process_directives process_token)#r.r ZINSTALLING_LIVEPATCHr Zis_snapd_installedemitZINSTALLING_PACKAGESr'Z install_snapdZis_snapd_installed_as_a_snapZ install_snaprProcessExecutionErrorLOGZwarningZEXECUTING_COMMAND_FAILEDZrun_snapd_wait_cmdZ refresh_snapeventr/r Zvalidate_proxyrr3ZPROXY_VALIDATION_SNAP_HTTP_URLr4ZPROXY_VALIDATION_SNAP_HTTPS_URLZconfigure_snap_proxyZSNAP_INSTALL_RETRIESr is_livepatch_installedZErrorInstallingLivepatchstrZconfigure_livepatch_proxysetup_livepatch_config)rr.er3r4rrr_perform_enable\s     " z$LivepatchEntitlement._perform_enable)r.r6r7rc Cs|tj|j|j}|rz t|WnVtj k r}z6t j t ||d| dtjjt |dWYdSd}~XYnX|r|d}|st d|j|jjd}|\}}|tjkr8t d | dtjzttjd gWn>tj k r6}zt j t ||dWYdSd}~XYnXztjtjd |gd d Wntj k r}zdtj} tD]&\} } | t |krv| | 7} qqv| tjkr| t |7} | d| WYdSd}~XYnXd S)aProcesss configuration setup for livepatch directives. :param process_directives: Boolean set True when directives should be processsed. :param process_token: Boolean set True when token should be processsed. r0r/r5FN resourceTokenzHNo specific resourceToken present. Using machine token as %s credentialsZ machineTokenz&Disabling livepatch before re-enablingdisableenableTZcapture)r.r ZSETTING_UP_LIVEPATCHZmachine_token_fileZ entitlementsgetnameprocess_config_directivesrr9r:errorr=r8ZLIVEPATCH_UNABLE_TO_CONFIGUREr'debugrZ machine_tokenr%rDISABLEDr/ZLIVEPATCH_DISABLE_REATTACHr subpr LIVEPATCH_CMDZLIVEPATCH_UNABLE_TO_ENABLE ERROR_MSG_MAPitems) rr.r6r7Zentitlement_cfgr?Zlivepatch_tokenr%Z_detailsmsgZ error_messageZ print_messagerrrr>sb            z+LivepatchEntitlement.setup_livepatch_config)r.cCsBts dStjdg}|tjjd|dtj |dddS)zYDisable specific entitlement @return: True on success, False otherwise. TrB r2rD) r r<rLr.r ZEXECUTING_COMMANDr'joinr rK)rr.cmdrrr_perform_disables z%LivepatchEntitlement._perform_disablec Cstjdf}tstjtjfSz t}Wn>tj k rh}ztj tj j |j dfWYSd}~XYnX|dkr~tjtjfS|S)N)Zlivepatch_error)rr&r r<rJr ZLIVEPATCH_NOT_ENABLEDstatusrr9ZWARNINGZ LIVEPATCH_CLIENT_FAILURE_WARNINGr'stderrZ+LIVEPATCH_APPLICATION_STATUS_CLIENT_FAILURE)rrTZlivepatch_statusr?rrrr%s    z'LivepatchEntitlement.application_statuscCszt}|tjjkr4t}dtjj|j |j dfS|tjj kr`t}dtj j|j |j dfS|tjj krvdtjfSdS)NT)versionZarch)FN)r on_supported_kernelLivepatchSupport UNSUPPORTEDr Zget_kernel_infor ZLIVEPATCH_KERNEL_NOT_SUPPORTEDr'Z uname_releaseZuname_machine_archZ KERNEL_EOLZLIVEPATCH_KERNEL_EOLZKERNEL_UPGRADE_REQUIREDZ!LIVEPATCH_KERNEL_UPGRADE_REQUIRED)rZsupportZ kernel_inforrrenabled_warning_status s,   z+LivepatchEntitlement.enabled_warning_statuscCs"ttjjkrtstjSdSr!)r rWrXrYr rr Z*LIVEPATCH_KERNEL_NOT_SUPPORTED_DESCRIPTIONr*rrrstatus_description_override+sz0LivepatchEntitlement.status_description_override) orig_accessdeltas allow_enablerc st|||rdS|di}|didd}|rN|t\}}|S|\}}|tjkrhdS|di} t ddg} t | | } t |d d} t | | grt d ttjj|jd |jt| | d SdS) a1Process any contract access deltas for this entitlement. :param orig_access: Dictionary containing the original resourceEntitlement access details. :param deltas: Dictionary which contains only the changed access keys and values. :param allow_enable: Boolean set True if allowed to perform the enable operation. When False, a message will be logged to inform the user about the recommended enabled service. :return: True when delta operations are processed; False when noop. T entitlementZ obligationsZenableByDefaultF directivescaCerts remoteServerrAzANew livepatch directives or token. running setup_livepatch_config)service)r.r6r7)superprocess_contract_deltasrErCrProgressWrapperr%rrJsetr$ intersectionanyr:r/r;r Z#SERVICE_UPDATING_CHANGED_DIRECTIVESr'rFr>) rr\r]r^Zdelta_entitlementZprocess_enable_defaultZenable_success_r%Zdelta_directivesZsupported_deltasr6r7 __class__rrre4sD       z,LivepatchEntitlement.process_contract_deltas)TT)F),__name__ __module__ __qualname__r ZurlsZLIVEPATCH_HOME_PAGEZ help_doc_urlrFZLIVEPATCH_TITLErZLIVEPATCH_DESCRIPTIONZ descriptionZLIVEPATCH_HELP_TEXTZ help_textZ#affordance_check_kernel_min_versionZaffordance_check_kernel_flavorZaffordance_check_seriesZaffordance_check_archpropertyrrrrr(intr+r-rrfr$r@r>rSrrZ NamedMessager%rZr[rr=rre __classcell__rrrkrrsJI A     rcCs|sdS|didi}|d}|rFtjtjdd|gdd|d d }|d rh|dd }|rtjtjdd |gdddS)aProcess livepatch configuration directives. We process caCerts before remoteServer because changing remote-server in the canonical-livepatch CLI performs a PUT against the new server name. If new caCerts were required for the new remoteServer, this canonical-livepatch client PUT could fail on unmatched old caCerts. @raises: ProcessExecutionError if unable to configure livepatch. Nr_r`raZconfigz ca-certs={}TrDrb/zremote-server={})rEr rKr rLr'endswith)rr`Zca_certsZ remote_serverrrrrGms.     rG)!ZloggingtypingrrrrZuaclientrrrr r r r r rZuaclient.entitlements.baserrZ(uaclient.entitlements.entitlement_statusrZuaclient.typesrZLIVEPATCH_RETRIESrMZget_event_loggerr;Z getLoggerZreplace_top_level_logger_namermr:rrGrrrrs,   Q