M/ePRddZddlZddlZddlZddlmZddlmZddlmZddlmZddlm Z ddlm Z dd lm Z ddl Z dd l mZdd lmZdd lmZdd lmZddlmZddlmZddlmZdd lmZddlmZddlmZddlmZddlmZddl m!Z"ejFe$Z%GddZ&dejNde jPde)dejTfdZ+deejNdee ejXde e-dffd Z.deejNdej^fd!Z0d"eejTde)fd#Z1y)$zACME AuthHandler.N)Dict)Iterable)List)Optional)Sequence)Tuple)Type)Response) challenges)client)errors)messages) achallenges) configuration) interfaces) error_handler)Account)util)commonceZdZdZdej deejdee de e ddf dZ dd e jd ej d ed ed ede e j(f dZd e jdee e ffdZde e j(d eded eddf dZdee j(de ej6fdZde de eej>fdZ de ej6ddfdZ!de j(de"ede ej6fdZ#de e j(ddfdZ$de ej6d ej de fdZ%y) AuthHandleraACME Authorization Handler for a client. :ivar auth: Authenticator capable of solving :class:`~acme.challenges.Challenge` types :type auth: certbot.interfaces.Authenticator :ivar acme.client.ClientV2 acme_client: ACME client API. :ivar account: Client's Account :type account: :class:`certbot._internal.account.Account` :ivar list pref_challs: sorted user specified preferred challenges type strings with the most preferred challenge listed first auth acme_clientaccount pref_challsreturnNc<||_||_||_||_yN)racmerr)selfrrrrs @/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py__init__zAuthHandler.__init__0s   &orderrconfig best_effort max_retries max_time_minsc,|jdd}|stjd|jstjd|j |}|s|St j|j|5 |jj|}|jr*tjd|j||zdt%|t%|k(sJd t'||D]+\} } |jj)| j*| -tj#d |j-|||||D cgc]+} | j.j0t2j4k(r| -} } | stjd | cdddS#tj$r1} tj!dtj#d| d} ~ wwxYwcc} w#1swYnxYwtjd ) a Retrieve all authorizations, perform all challenges required to validate these authorizations, then poll and wait for the authorization to be checked. :param acme.messages.OrderResource orderr: must have authorizations filled in :param certbot.configuration.NamespaceConfig config: current Certbot configuration :param bool best_effort: if True, not all authorizations need to be validated (eg. renew) :param int max_retries: maximum number of retries to poll authorizations :param float max_time_mins: maximum time (in minutes) to poll authorizations :returns: list of all validated authorizations :rtype: List :raises .AuthorizationError: If unable to retrieve all authorizations NzNo authorization to handle.z9No ACME client defined, authorizations cannot be handled.z3Challenges loaded. Press continue to submit to CA. T)pausez!Failure in setting up challenges.z0Attempting to clean up outstanding challenges...z(Some challenges have not been performed.zWaiting for verification...zAll challenges have failed.z?An unexpected error occurred while handling the authorizations.)authorizationsr AuthorizationErrorrError_choose_challengesr ExitHandler_cleanup_challengesrperformdebug_challenges display_util notification_debug_challenges_msgloggercriticalinfolenzipanswer_challengechallb_poll_authorizationsbodystatusr STATUS_VALID)r r$r%r&r'r(authzrsachallsrespserrorachallrespauthzrauthzrs_validateds r!handle_authorizationsz!AuthHandler.handle_authorizations8s"''*++,IJ Jyy,,Z[ [))'2N & &t'?'? I %  ))'2** --N227FCDKOQu:W- Y/Y Y-!$GU 3 @  **6==$? @ KK5 6  % %g{M; W7>!QF$*KK$6$6(:O:O$O"(!Q !Q$//0MNN$? % %,,  CD NO   !Q5 % %Bll\]]s>=G5?AF)BG50G0G5)G-<,G((G--G55G>c|jstjd|jDcgc]+}|jj t jk(r|-}}g}g}|D]/} |jj|}|j|1||fScc}w#tj$r<}|j|tjd|j|Yd}~d}~wwxYw)a~ Deactivate all `valid` authorizations in the order, so that they cannot be re-used in subsequent orders. :param messages.OrderResource orderr: must have authorizations filled in :returns: tuple of list of successfully deactivated authorizations, and list of unsuccessfully deactivated authorizations. :rtype: tuple z?No ACME client defined, cannot deactivate valid authorizations.z)Failed to deactivate authorization %s: %sN)rr r-r+r>r?rr@deactivate_authorizationappend acme_errorsr6debuguri)r r$rG to_deactivate deactivatedfailedes r!deactivate_valid_authorizationsz+AuthHandler.deactivate_valid_authorizationsxsyy,,`a a.4.C.CIF"KK..(2G2GG I I # YF Y;;FC""6* YV$$I$$ Y f% H&**VWXX Ys0B,,B##C262C--C2rAdeadline_minutesc jstjdt|Dcic] \}}||df c}}}g}tjj t j |z} d} t|D]} | dkDrtj| |jD cic]$\}\}} |jj|&}}}} |jD] \}\}} |||<|jD cgc].\}} |jjtj k(r|0} }} | D]6} t"j%d| jj&j(8|j+| |jDcic]4\}\}}|jjtj,k(r|||f6}}}}|r!tjj | kDrn`t/fd|jD}t1|| }|tjj z j3} |r(j5||stj6d|rtj6d ycc}}wcc} }}wcc} }wcc}}}w) a# Poll the ACME CA server, to wait for confirmation that authorizations have their challenges all verified. The poll may occur several times, until all authorizations are checked (valid or invalid), or a maximum of retries, or the polling deadline is reached. z3No ACME client defined, cannot poll authorizations.N)minutesrzChallenge failed for domain %sc3`K|]%\}}|jj|d'yw)N)r retry_after).0_rFr s r! z3AuthHandler._poll_authorizations..s43")!T!%!1#ii33D!<3s+.zSome challenges have failed.z0All authorizations were not finalized by the CA.)rr r- enumeratedatetimenow timedeltarangetimesleepitemspollvaluesr>r?rSTATUS_INVALIDr6r8 identifiervalueextendSTATUS_PENDINGmaxmin total_seconds_report_failed_authzrsr,)r rAr'rUr&indexrGauthzrs_to_checkauthzrs_failed_to_reportdeadline sleep_secondsr]authzrs_failed authzr_failedrFr[s` r!r=z AuthHandler._poll_authorizationssyy,,TU U2;71CBE -vCH&RVBWBE $& $$((*X-?-?HX-YY {#) TAq  =)$4#9#9#; = =BT%&RStyy~~f'= = =  ='7&<&<&> ("{!' (7G6M6M6OP!'!3!3x7N7N!N%PNP!/ D  <,11<<BBD D % + +N ; $4#9#9#; R R:O%&$#);;#5#59P9P#P!&~ 5 R  R$x'8'8'<'<'>'I3-=-D-D-F33K k84K(8+<+<+@+@+BBQQSMS) TX $  ' '(@ A//0NOO ++,^_ _ qBE =P RsJ4:)J: 3K09K c|jstjd|Dcgc]+}|jjt j k7r|-}}g}|rtjd|D]r}|jj}t||j|jjj}|j|j||t|Scc}w)z Retrieve necessary and pending challenges to satisfy server. NB: Necessary and already validated challenges are not retrieved, as they can be reused for a certificate issuance. z5No ACME client defined, cannot choose the challenges.z$Performing the following challenges:)rr r-r>r?rr@r6r8r gen_challenge_path_get_chall_prefrjrkrl_challenge_factory)r rArGpending_authzrsrBauthzr_challengespaths r!r.zAuthHandler._choose_challengessyy,,VW W07Kf$kk00H4I4II"KK8:  KK> ?% BF & 6 6 %!$$V[[%;%;%A%ABDD NN42264@ A BKs0C*domainclg}|jj|}|jrt|Dchc]}|j}}|jD]3}||vs|j t j j|5|r|Stjd|j||Scc}w)z{Return list of challenge preferences. :param str domain: domain for which you are requesting preferences zENone of the preferred challenges are supported by the selected plugin) rget_chall_prefrtyprLr ChallengeTYPESr r,rl)r r chall_prefs plugin_prefchallplugin_pref_typesrs r!r{zAuthHandler._get_chall_prefs  ii..v6   8C Du D  D'' H++&&z';';'A'A#'FG H""++78 8 ;'!EsB1rBcdtjd|jj|y)zCleanup challenges. :param achalls: annotated challenges to cleanup :type achalls: `list` of :class:`certbot.achallenges.AnnotatedChallenge` zCleaning up challengesN)r6r8rcleanup)r rBs r!r0zAuthHandler._cleanup_challenges s#  ,- '"r#rGrc(|jstjdg}|D]i}|jj|}|j t ||jj|jjjk|S)atConstruct Namedtuple Challenges :param messages.AuthorizationResource authzr: authorization :param list path: List of indices from `challenges`. :returns: achalls, list of challenge type :class:`certbot.achallenges.AnnotatedChallenge` :rtype: list :raises .errors.Error: if challenge type is not recognized Account is not set.) rr r-r>r rLchallb_to_achallkeyrjrk)r rGrrBrrr<s r!r|zAuthHandler._challenge_factorys||,,45 5 IE[[++E2F NN+ ((&++*@*@*F*FH I I r#failed_authzrsc Z|jstjdi}|Dcgc]h}|jjD]M}|j r?t ||jj|jjjOj}}}|D]7}|j|j jgj|9d|jjdg}t|j!dD]\}} |jt#| !|rRt%|jt&j(r.|jd|jj+|dt-j.dj1|y cc}}w) z.Notifies the user about failed authorizations.rz= Certbot failed to authenticate some domains (authenticator: z5). The Certificate Authority reported these problems:c |dS)Nr)items r!z4AuthHandler._report_failed_authzrs..>s DGr#)rz Hint:  N)rr r-r>r rDrrrjrk setdefaultrrLrnamesortedrf_generate_failed_chall_msg isinstance plugin_commonPlugin auth_hintr3notifyjoin) r rproblemsrGr<failed_achallsrEmsgr]rBs r!rqz"AuthHandler._report_failed_authzrs.sn||,,45 5DF&4)"6;;CYCY)9?!<<+64<<3C3CV[[E[E[EaEab)b))% EF    0 0" 5 < ))&*<*<=D#6<<#3#3FMM#BCfllJ,<,<=))&*<*<=D"&"?"? "NO   HI&4&:&:&<KNCJJse+=i[IJK @A,9,?,?,AR(D.JJv-??OPQR$))C.( (>r#)Fr)&__name__ __module__ __qualname____doc__r Authenticatorrr ClientV2rrstrr"r OrderResourcerNamespaceConfigboolintfloatAuthorizationResourcerIrrTr=rrAnnotatedChallenger.r r rr{r0rr|rqr5rr#r!rr s'Z55'HV__D]'"7+':>s)'HL'Z_1357>^H,B,B>^&3&C&C>^RV>^+.>^.3>^=AA_A_<`>^@%h6L6L%QVW[]aWaQb%6E`D1O1O,PE`_bE`/4E`CGE`LPE`N(83Q3Q*R $[%C%C D4cd4 8L8L3M.N,#4 0N0N+O#TX#)G)G!)#37 8V8V3W4*T(:X:X5Y*^b*4$?T+2P2P-Q$?&3&C&C$?HK$?r#rr<rrrcP|j}tjd|j|t |t j rtj|||St |t jrtj||Stj||S)a:Converts a ChallengeBody object to an AnnotatedChallenge. :param .ChallengeBody challb: ChallengeBody :param .JWK account_key: Authorized Account Key :param str domain: Domain of the challb :returns: Appropriate AnnotatedChallenge :rtype: :class:`certbot.achallenges.AnnotatedChallenge` z%s challenge for %s)r<rr)r<r) rr6r8rrr KeyAuthorizationChallenger"KeyAuthorizationAnnotatedChallengeDNSOther)r<rrrs r!rros LLE KK%uyy&9%==>==&kC C E:>> *fV<<  v>>r#challbs preferences.c@i}d}t|D]\}}|||<||z }d}|}tdtt|D}d} |D]@} | D].} | |j || j j |z } 0| |kr| }| }d} B|s t||S)aGenerate a plan to get authority over the identity. :param tuple challbs: A tuple of challenges (:class:`acme.messages.Challenge`) from :class:`acme.messages.AuthorizationResource` to be fulfilled by the client in order to prove possession of the identifier. :param list preferences: List of challenge preferences for domain (:class:`acme.challenges.Challenge` subclasses) :returns: list of indices from ``challenges``. :rtype: list :raises certbot.errors.AuthorizationError: If a path cannot be created that satisfies the CA given the preferences and combinations. rXNc3"K|]}|f ywrr)r\is r!r^z%gen_challenge_path..s;!!;s r)r_tuplercr9getr __class___report_no_chall_path) rr chall_costmax_costr chall_cls best_combobest_combo_cost combinations combo_totalcombochallenge_indexs r!rzrzs*JH!+. 9 ! 9A  -1JO;uS\':;;LK $ >'+!!&yy(< rs&  $&!+-03   8 $L?L?^ ?X33?&**? ?%0%C%C?02X%;%; <2$(j.B.B)C$D2INsTWx2j*4(>(>#?*FD]D]*&tK4R4R/SX[r#