dddlZddlZddlZddlZddlZddlmZddlmZddlm Z ddl m Z ddl m Z mZddlmZmZddlmZdd lmZdd lmZmZdd lmZmZdd lmZmZmZm Z m!Z!m"Z"dd l#m$Z$ddl%m&Z&m'Z'ddl(m)Z)ddl*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0dZ1dZ2dZ3dZ4dZ5dZ6dZ7Gdde8Z9GddeZ:Gdde8Z;Gdde8Z<Gd d!e8Z=Gd"d#e8Z>Gd$d%Z?Gd&d'e8Z@Gd(d)e8ZAy)*N)conf)logger) AgentGlobals)set_properties) add_eventWALAEventOperation) ProtocolErrorResourceGoneError)ustr)ExtensionsGoalStateFactory)VmSettingsParseErrorGoalStateSource)VmSettingsNotSupportedVmSettingsSupportStopped)CertCertListRemoteAccessUserRemoteAccessUsersListExtHandlerPackageExtHandlerPackageList)fileutil)GoalStateHistorySHARED_CONF_FILE_NAME) CryptUtil) parse_docfindallfindfindtext getattribgettextz"http://{0}/machine/?comp=goalstatezCertificates.xmlzCertificates.p7mzCertificates.pemzTransportCert.pemzTransportPrivate.pemcJeZdZdZdZdZdZdZdZdZ eezezezeze zZ y) GoalStatePropertieszJ Enum for defining the properties that we fetch in the goal state  N) __name__ __module__ __qualname____doc__ RoleConfig HostingEnv SharedConfigExtensionsGoalState CertificatesRemoteAccessInfoAllL/usr/lib/python3/dist-packages/azurelinuxagent/common/protocol/goal_state.pyr#r#3sIJJLL z !L 03F F UXh hCr6r#c$eZdZdZdfd ZxZS)GoalStateInconsistentErrorzX Indicates an inconsistency in the goal state (e.g. missing tenant certificate) c.tt| ||yN)superr9__init__)selfmsginner __class__s r7r=z#GoalStateInconsistentError.__init__Ds ($8eDr6r;)r*r+r,r-r= __classcell__)rAs@r7r9r9@sEEr6r9c,eZdZejdfdZedZedZedZ edZ edZ edZ ed Z ed Zed Zd Zd ZdZedZddZdZdZdZdZdZedZeddZdZy) GoalStateFc ||_d|_d|_||_t j tj |_||j_d|_d|_ d|_ d|_ d|_ d|_ t|_d|_d|_|j%|y#t&$rt($r}t'd|d}~wwxYw)aC Fetches the goal state using the given wire client. Fetching the goal state involves several HTTP requests to the WireServer and the HostGAPlugin. There is an initial request to WireServer's goalstate API, which response includes the incarnation, role instance, container ID, role config, and URIs to the rest of the goal state (ExtensionsConfig, Certificates, Remote Access users, etc.). Additional requests are done using those URIs (all of them point to APIs in the WireServer). Additionally, there is a request to the HostGAPlugin for the vmSettings, which determines the goal state for extensions when using the Fast Track pipeline. To reduce the number of requests, when possible, create a single instance of GoalState and use the update() method to keep it up to date. N)silentError fetching goal stater?r@) _wire_client_history_extensions_goal_state_goal_state_propertiesrLoggerDEFAULT_LOGGERrF _incarnation_role_instance_id_role_config_name _container_id _hosting_env _shared_confEmptyCertificates_certs _certs_uri_remote_accessupdater Exception)r> wire_clientgoal_state_propertiesrF exceptions r7r=zGoalState.__init__Is R +D  DM*.D '*?D ' --(=(=>DK!'DKK !%D %)D "%)D "!%D  $D  $D +-DK"DO"&D  KKvK &   R$?yQ Q RsB.B11C CCc|jSr;)rOr>s r7 incarnationzGoalState.incarnationos   r6cj|jtjzs td|jS)Nz+ContainerId is not in goal state properties)rLr#r.r rRr_s r7 container_idzGoalState.container_idss/**-@-K-KK MN N%% %r6cj|jtjzs td|jS)Nz.RoleInstanceId is not in goal state properties)rLr#r.r rPr_s r7role_instance_idzGoalState.role_instance_idzs/**-@-K-KK PQ Q)) )r6cj|jtjzs td|jS)Nz*RoleConfig is not in goal state properties)rLr#r.r rQr_s r7role_config_namezGoalState.role_config_names/**-@-K-KK LM M)) )r6cj|jtjzs td|jS)Nz3ExtensionsGoalState is not in goal state properties)rLr#r1r rKr_s r7extensions_goal_statezGoalState.extensions_goal_states/**-@-T-TT UV V.. .r6cj|jtjzs td|jS)Nz,Certificates is not in goal state properties)rLr#r2r rVr_s r7certszGoalState.certss-**-@-M-MM NO O;; r6cj|jtjzs td|jS)Nz2HostingEnvironment is not in goal state properties)rLr#r/r rSr_s r7 hosting_envzGoalState.hosting_envs/**-@-K-KK TU U$$ $r6cj|jtjzs td|jS)Nz,SharedConfig is not in goal state properties)rLr#r0r rTr_s r7 shared_confzGoalState.shared_confs/**-@-M-MM NO O$$ $r6cj|jtjzs td|jS)Nz0RemoteAccessInfo is not in goal state properties)rLr#r3r rXr_s r7 remote_accesszGoalState.remote_accesss/**-@-Q-QQ RS S&& &r6cF|jddj||S) This is a convenience method that wraps WireClient.fetch_manifest(), but adds the required 'use_verify_header' parameter and saves the manifest to the history folder. agentz waagent.{0})_fetch_manifestformat)r> family_nameuriss r7fetch_agent_manifestzGoalState.fetch_agent_manifests% ##G]-A-A+-NPTUUr6c(|jd||S)rr extension)rt)r>extension_namerws r7fetch_extension_manifestz"GoalState.fetch_extension_manifests ##KFFr6c D |jjtjk(}|jj ||}|j j||t|S#t$r)}tdj|t|d}~wwxYw)N)use_verify_headerz+Failed to retrieve {0} manifest. Error: {1}) rhsourcer FastTrackrIfetch_manifestrJ save_manifestExtensionManifestrZr rur )r> manifest_typenamerw is_fast_trackxml_textes r7rtzGoalState._fetch_manifests n 66==AZAZZM((77P]7^H MM ' 'h 7$X. . n M T TUbdhijdk lm m nsA*A-- B6$BBc.tj|y)z Updates the container ID and role config name that are send in the headers of HTTP requests to the HostGAPlugin N)rD_fetch_goal_state)r[s r7update_host_plugin_headersz$GoalState.update_host_plugin_headerss ##K0r6c||j_ |jdy#t$r\}|jj dt ||jd|jj dYd}~yd}~wwxYw)zs Updates the current GoalState instance fetching values from the WireServer/HostGAPlugin as needed F force_updatez0Detected an inconsistency in the goal state: {0}TzThe goal state is consistentN)rrF_updater9warnr info)r>rFrs r7rYzGoalState.updatess$  = LLeL ,) = KK  OQUVWQX Y LLdL + KK  ; < < =s& B ABB ctjj}|r|jjdtj |j \}}}|xs||jk7}|rGdj|}|jj|ttj|d\}} |jtjzr% tj|j |\}} | r|jjddj|j"|j$|j&}|jj|ttj||\|j&t(j*k(r?| r8d}|jj|ttj|d\}} |s| sy|d j|nd j||j$} t-|| |_|r|j.j1|| r)|j.j3|j5d} |r|j7||} |r | r|j8| j8kDr|n| } n|r| } n|} |j:#| j8|j:j8k\r| |_|j:j&t(j<k(r|j?yy#t$r} |j!|||| Yd} ~ yd} ~ wwxYw) Nz$Refreshing goal state and vmSettingszIFetched a new incarnation for the WireServer goal state [incarnation {0}]opmessageNFrzOFetched new vmSettings [HostGAPlugin correlation ID: {0} eTag: {1} source: {2}]z7The vmSettings originated via Fabric; will ignore them.z{0}z{0}-{1}) datetimeutcnowrrrDrrIrOrurrrLr#r1_fetch_vm_settingsr_restore_wire_server_goal_statehostga_plugin_correlation_idetagrrFabricrrJsave_goal_statesave_vm_settingsget_redacted_text"_fetch_full_wire_server_goal_statecreated_on_timestamprKr_check_certificates)r>r timestampr`rxml_docgoal_state_updatedr vm_settingsvm_settings_updatedr]tagextensions_config most_recents r7rzGoalState._updates%%,,.  KK  C D)2)D)DTEVEV)W& Xw)M[Dell;'IDTDTU`bmbrbrDs(C8  MM ) )( 3  MM * *;+H+H+J K !  $ G G U\ ]  "5)4)I)IL]LrLr)r+yJK +K%K  & & .+2R2RVZVqVqWGWG3G*5D '  & & - -1J1J J  $ $ & Ku, 44[(GU^_ s$L M(MMc|jtjzr'|j|j |j|j j D]{}|jD]jj|jj}tfd|Dr;djj|j}t|}y)Nc3BK|]}j|dk(yw) thumbprintN)certificateThumbprint).0csettingss r7 z0GoalState._check_certificates..2s!cQR899Q|_Lcszrz certificatesrrs @r7rzGoalState._check_certificates(s  & &)<)I)I IdooNi  ' ' 833>> >I%.. >--5#zz11 cVbcc\ccdleCeCENESESTG4W==  > >r6c~|jj||jj}t||j}|j D]I}dj |}|jj|ttj|Kt|jdkDrJ|jj|jttj|j|jjt!j"|j |S)NzDownloaded certificate {0}rr)rI fetch_configget_header_for_certr2rrrurrrrDlenwarningsrrJsave_certificatesjsondumps)r> certs_urirrjrrs r7rz GoalState._download_certificates6s$$11)T=N=N=b=b=deXt{{3 HA299!r`rr!vm_settings_support_stopped_errorr?s r7rz)GoalState._restore_wire_server_goal_stateDsh '22C@():):)A)A)C[Q  %%h/&*&M&Mk[b&c#  & & ; ;>_>i>i i6:D ' ' 3OVV--BBDeDoDoqC KK  S ! +66 D jr6c<|jj||yr;)rJsave)r>data file_names r7save_to_historyzGoalState.save_to_historyRs 4+r6ctj|j}d}tdtD]^}|j ||j }t|}t|d}t|d}|rn2tjd`tdj|t|d}t|d }t|d } t| d } tj||j|| |||fS) z Issues an HTTP request for the goal state (WireServer) and returns a tuple containing the response as text and as an XML Document unknownr Incarnation RoleInstanceg?z=Fetched goal state without a RoleInstance [incarnation {inc}])inc Container ContainerId Configuration ConfigName)GOAL_STATE_URIru get_endpointrange_GET_GOAL_STATE_MAX_ATTEMPTSr get_headerrrrtimesleepr rupdate_container_idupdate_host_plugin) r[urir`_rr role_instance containerrb role_configrfs r7rzGoalState._fetch_goal_stateUs ##K$<$<$>? q67 yA"//[5K5K5MNH)G"7M:K .9M JJsO y _ f fkv f wx x+.  =9 =/: #K>((6&&|5EFHg--r6c@d\}}tjr) |jj|\}}||fS||fS#t$r;t j ||jj|\}}YKwxYw#t$rt$rY||fSt$rp}tj|jsKttjj|jj|j d}~wwxYw)z Issues an HTTP request (HostGAPlugin) for the vm settings and returns the response as an ExtensionsGoalState. rrN)rget_enable_fast_trackget_host_pluginfetch_vm_settingsr rDrrrr r tag_existsrrrrvm_settings_text)r[rrrr]s r7rzGoalState._fetch_vm_settingsxs/ ,9( (  % % ' B7B7R7R7T7f7fuA7f8B4K!4 ///{///)B88E7B7R7R7T7f7fuA7f8B4K!4B , ) /// ( '229>>B$X%6%6%=%=%?Paabkb|b|}  s7#AAB B B  BD%D-A+DDc |jjddj|}|jj|ttj |d}d}d}t j|jzrHt|d}t|d}t|d}t|d}t|d } t| d }t|d } t j|jzr| tj|} n~|jj| |jj!} tj"|| |j} |j$j'| j)d} t j*|jzrft|d }|jj||jj!} t+| } |j$j-| d}t j.|jzrt|d }|jj||jj!} t/| }|j$j1| t2j4j7t9j:t<} t?j@|| tG}t|d}t jH|jzr||jK|}d}t jL|jzrht d}|Z|jj||jjO} tQ| }|j$jS| ||_*||_+||_,||_-| |_.||_/||_0||_1||_2| d}|jj|ttj |S#tB$r0}tjDdj||Yd}~zd}~wwxYw#tB$r7}|jjEdtg|tid|d}~wwxYw#d}|jj|ttj |wxYw)z Issues HTTP requests (to the WireServer) for each of the URIs in the goal state (ExtensionsConfig, Certificate, Remote Access users, etc) and populates the corresponding properties. Returns the value of ExtensionsConfig. rz>Fetching full goal state from the WireServer [incarnation {0}]rNr InstanceIdrrrrExtensionsConfigHostingEnvironmentConfigr0zFailed to save {0}: {1}r2r3zFetch goal state completedz#Fetching the goal state failed: {0}rGrH)5rrrurrrDr#r.rLrrr1r create_emptyrIrrcreate_from_extensions_configrJsave_extensions_configrr/save_hosting_envr0save_shared_confospathjoinr get_lib_dirrr write_filerZrrUr2rr3r RemoteAccesssave_remote_accessrOrPrQrRrSrTrVrWrXr r )r>r`rrrdrfrbrrrextensions_config_urirrrlhosting_env_uri shared_configshared_conf_urishared_config_filerrjrrpremote_access_urir]s r7rz,GoalState._fetch_full_wire_server_goal_states)L H KK  R V]]^ijG KK  W % +55w G# # L"--0K0KK $Wn = #+M<#H "=/B #+K#F  +6 ' =A $,W6H$I !';;d>Y>YY^s^{$>$K$KK$X!,,99:OQUQbQbQmQmQop$>$\$\]hjrtxuFuF%G! 445F5X5X5Z[K"--0K0KK"*74N"O,,99/4K\K\KgKgKij(2  ..x8 M"//$2M2MM"*7N"C,,99/4K\K\KgKgKij ,X 6  ..x8%'WW\\$2B2B2DF[%\"T''(:HE&'E .9I#0043N3NNT]Ti33I> M"33d6Q6QQ$,Y8J$K!$0#00==>OQUQbQbQvQvQxyH$0$:MMM44X> +D %5D "%5D "!-D  +D  -D DK'DO"/D $ 3G KK  W % +55w GE!TKK 9 @ @PQ RSST8 R KK  BDO T$?yQ Q R3G KK  W % +55w GsOK Q'P+%D Q'+ Q$4%QQ'Q$$Q'' R'02R""R''R**:S$N)F)r*r+r,r#r4r=propertyr`rbrdrfrhrjrlrnrprxr|rt staticmethodrrYrrrrrrrrr5r6r7rDrDHs@:M:Q:QZ_$RL!!&& ** ** //  %% %% '' VGn11 =O'b >  E, . .D006SHr6rDceZdZdZy)r/c||_t|}t|d}t|d|_t|d}t|d|_t|d}t|d|_y)NrinstanceRoler Deployment)rrrrvm_name role_namedeployment_name)r>rrr`role deployments r7r=zHostingEnv.__init__sb  H%7M2  j9 GV$"40'<0 (V<r6Nr*r+r,r=r5r6r7r/r/s=r6r/ceZdZdZy)r0c||_yr;)rr>rs r7r=zSharedConfig.__init__s   r6Nr r5r6r7r0r0s!r6r0c"eZdZdZedZy)r2c V t|_g|_g|_tj j tjt}tj||t|}t|d}|yt|d}|rC|dk7r>dj|}|j|t!t"j$|yt'tj(}tj j tjt*} dj| | |} tj| | tj j tjt,} tj j tjt.} tj j tjt0} |j3| | | | g}d}d}i}i}d}g}t5| 5}|j7D]\}|j9|t;j<d |rd }.t;j<d |rd }Gt;j<d |r7t>jA|d |}|jC|}|||<g}|dz }d}t;j<d|st>jA|d|}|jE|}|jG|}|||<dj|}|j9d|dt jH|tj j tj|g}|dz }d}_ ddd|D]}||}|r]||}dj|}t jH|tj j tj|g|jj9d|jKD]'\}}||v}|jj9||d)|D]>}tM}tOd|||jjPj9|@y#1swYxYw)NDataFormatPkcs7BlobWithPfxContentsz9The Format is not Pkcs7BlobWithPfxContents. Format is {0}rzMIME-Version:1.0 Content-Disposition: attachment; filename="{0}" Content-Type: application/x-pkcs7-mime; name="{1}" Content-Transfer-Encoding: base64 {2}Frz[-]+BEGIN.*KEY[-]+Tz[-]+BEGIN.*CERTIFICATE[-]+z[-]+END.*KEY[-]+prvr$z[-]+END.*CERTIFICATE[-]+crtz{0}.crt)rrz{0}.prvz2Found NO matching cert/thumbprint for private key!)r hasPrivateKeyrj))r cert_listrrrrrrrCERTS_FILE_NAMErrrrrurrrrDrget_openssl_cmd P7M_FILE_NAMETRANSPORT_PRV_FILE_NAMETRANSPORT_CERT_FILE_NAME PEM_FILE_NAME decrypt_p7mopen readlinesappendrematchr2_write_to_tmp_fileget_pubkey_from_prvget_pubkey_from_crtget_thumbprint_from_crtrenameitemsrrr) r>r my_logger local_filerrcertificate_formatr cryptutilp7m_filep7mtrans_prv_filetrans_cert_filepem_filebuf begin_crt begin_prvprvs thumbprintsindex v1_cert_listpemlinetmp_filepubrrpubkeyrhas_private_keyv1_certcerts r7r=zCertificates.__init__s!  WW\\$"2"2"4oF J1H%( < &gx8 "48R"RQXXYklG NN7 # +55w G d2245 77<< 0 0 2MB fXx6  Hc*d&6&6&8:QR'',,t'7'7'9;ST77<< 0 0 2MBhR    (^ &s  & 4 88148 $IXX;TB $IXX148+>>ueSQH#77AC (DICQJE %IXX94@+>>ueSQH#77AC!*!B!B8!LJ'1K$#**:6C '' $&0)IIh T5E5E5G(MNCQJE %I7 & &> [F$V,J<&&z2 (BGGLL1A1A1CS$IJ $$%YZ [#."3"3"5 ^ FJ$nO LL  zO \ ] ^$ 5G6D 7D' 2 NN ' ' . .t 4 5] & &s B;RB5RR(ctjjtjdj ||}t j|dj||S)Nz{0}.{1}r)rrrrrrurr)r9suffixr4rs r7r%zCertificates._write_to_tmp_file_sJGGLL!1!1!3Y5E5EeV5TU Irwws|4r6N)r*r+r,r=rr%r5r6r7r2r2sa5Fr6r2ceZdZdZy)rUc>t|_g|_g|_yr;)rrrrr_s r7r=zEmptyCertificates.__init__fs!  r6Nr r5r6r7rUrUesr6rUc&eZdZdZdZedZy)rz; Object containing information about user accounts c||_d|_d|_t|_|jt |jdk(ryt |j}t|d|_t|d|_t|d}t|d}|D]<}tj|}|jjj|>y)NrVersionrUsersUser)rversionr`r user_listrrrrrr _parse_userusersr")r>rruser_collectionrOuserremote_access_users r7r=zRemoteAccess.__init__|s   .0 == C $6!$; DMM*3 #G];w00 rrs r7r^zExtensionManifest._parses`H% gd7+4'6&.0$ % gd7+<'>&.0# $r6c|D]}t|d}t|d}|d}|jdk(}t|d}t|d}|Dcgc] }t |}}t } || _|| _|D]} | jj| || _ |jjj| ycc}w)NrIDisallowMajorVersionUpgradertrueUrisUri) rlowerrrr rrLdisallow_major_upgraderwr" isinternalr]versions) r>packagesrkpackagerLrjrwuri_listxpkgrs r7rcz"ExtensionManifest._handle_packagess /Gw 2G%-g.K&M "%-)+&%;%A%A%Cv%M "(DtU+H,45q 5H5#%C!CK)?C & %$ %(CN MM " " ) )# .' /6sCN)r*r+r,r=r^rcr5r6r7rrs $/r6r)Brrr#rrazurelinuxagent.commonrr#azurelinuxagent.common.AgentGlobalsr#azurelinuxagent.common.datacontractrazurelinuxagent.common.eventrr azurelinuxagent.common.exceptionr r azurelinuxagent.common.futurer =azurelinuxagent.common.protocol.extensions_goal_state_factoryr 5azurelinuxagent.common.protocol.extensions_goal_stater r*azurelinuxagent.common.protocol.hostpluginrr'azurelinuxagent.common.protocol.restapirrrrrrazurelinuxagent.common.utilsr$azurelinuxagent.common.utils.archiverr&azurelinuxagent.common.utils.cryptutilr%azurelinuxagent.common.utils.textutilrrrrrr rrrrrrrobjectr#r9rDr/r0r2rUrrr5r6r7rs$ ')<>FM.dggVV1X<hh6$" " .0  i& iEE_H_HD = =!6! h6hT *"6*"Z'/'/r6