g7 ddlZddlmZmZmZmZddlmZmZm Z m Z m Z m Z m Z mZmZddlmZmZddlmZddlmZddgZd d d Zej2Zej6ej8eZGd d eZdZ y)N)AnyDictOptionalTuple) api event_logger exceptionshttp livepatchmessagessnapsystemutil)EntitlementWithMessage UAEntitlement)ApplicationStatus)StaticAffordanceg?g?z)Invalid Auth-Token provided to livepatch.z2Your running kernel is not supported by Livepatch.)zUnknown Auth-Tokenzunsupported kernelc eZdZejj ZdZejZ ejZ ejZ dZdZdZdZedeedffdZedeedffdZdefdZdefd Zd ej8defd Z dd ej8d ed edefdZd ej8fdZ dee!e"ejFffdZ$deee"ejFffdZ%dZ& dde'e(e)fde'e(e)fdedeffd Z*xZ+S)LivepatchEntitlementr FTreturn.cddlm}ddlm}t |t j t |t jfS)NrFIPSEntitlement)RealtimeKernelEntitlement)uaclient.entitlements.fipsruaclient.entitlements.realtimerrr LIVEPATCH_INVALIDATES_FIPSREALTIME_LIVEPATCH_INCOMPATIBLE)selfrrs A/usr/lib/python3/dist-packages/uaclient/entitlements/livepatch.pyincompatible_servicesz*LivepatchEntitlement.incompatible_services,s=>L #!D!D  #)88    cddlm}||j}t|j dt j k(tjj|jddftjfddffS)Nrr)cfg)titlec\tjxstjdk(S)Nwsl)r is_container get_virt_typer"r z9LivepatchEntitlement.static_affordances..Ks(++-3'')U2r"FcSNr*)is_fips_enabledsr r+z9LivepatchEntitlement.static_affordances..Qsr") rrr$boolapplication_statusrENABLEDr "SERVICE_ERROR_INSTALL_ON_CONTAINERformatr%!LIVEPATCH_ERROR_WHEN_FIPS_ENABLED)rrfips_entr.s @r static_affordancesz'LivepatchEntitlement.static_affordances;s ?"txx0  ' ' )! ,0A0I0I I  ;;BB**C3  ::'   r"cy)Nr*rs r enable_stepsz!LivepatchEntitlement.enable_stepsVr"cy)Nr*r9s r disable_stepsz"LivepatchEntitlement.disable_stepsYr;r"progresscL|jtjtjsD|j dtj jdtjtjsF|j dtj jd tjdtj | tj"dt)j*d |j,j.t(j0}t)j*d |j,j2t(j4}tj6||tj8t;j<sF|j dtj jd tjdt;jB|||jE|ddS#tj$rR}tjd||j dtjjdYd }~d }~wwxYw#tj$rU}tjd |t$j'tjjd Yd }~d }~wwxYw#tj$r$}tj>tA|d }~wwxYw)zYEnable specific entitlement. @return: True on success, False otherwise. infosnapd)packagesz snapd snapz!Failed to install snapd as a snapexc_infozsnap install snapdcommandNzFailed to refresh snapd snapzsnap refresh snapdr https) http_proxy https_proxy retry_sleepszcanonical-livepatch snapzcanonical-livepatch error_msgT)process_directives process_token)#r?r INSTALLING_LIVEPATCHr is_snapd_installedemitINSTALLING_PACKAGESr3 install_snapdis_snapd_installed_as_a_snap install_snapr ProcessExecutionErrorLOGwarningEXECUTING_COMMAND_FAILEDrun_snapd_wait_cmd refresh_snapeventrAr validate_proxyr$rIPROXY_VALIDATION_SNAP_HTTP_URLrJPROXY_VALIDATION_SNAP_HTTPS_URLconfigure_snap_proxySNAP_INSTALL_RETRIESr is_livepatch_installedErrorInstallingLivepatchstrconfigure_livepatch_proxysetup_livepatch_config)rr?erIrJs r _perform_enablez$LivepatchEntitlement._perform_enable\s (778&&( MM44;;W;M     002 MM,,33\3J  !!'* )    g &(( DHH'')L)L )) TXX))4+O+O  !!!#22 //1 MM,,3374   L!!"78 ++J D** T+  ]33  ?! L 55<< 4= //  KK6K C JJ118809   833 L 99CFKK LsJ=H(JK,I>,AI99I>K)A K$$K),L#?LL#rNrOc N|jtj|jj j |j }|r t||r|j d}|s9tj!d|j"|jj$d}|j'\}}|t(j*k7r[tj-d |jdtj. t1j2t4j6d g t1j2t4j6d |gd y y #tj$rc}tjt|||jdtjjt|Yd}~yd}~wwxYw#tj$r*}tjt||Yd}~yd}~wwxYw#tj$r}}tj8} t:j=D]\} } | t|vs| | z } n| tj8k(r| t|z } |jd| Yd}~yd}~wwxYw)aProcesss configuration setup for livepatch directives. :param process_directives: Boolean set True when directives should be processsed. :param process_token: Boolean set True when token should be processsed. rDrArLNF resourceTokenzHNo specific resourceToken present. Using machine token as %s credentials machineTokenz&Disabling livepatch before re-enablingdisableenableTcapture)r?r SETTING_UP_LIVEPATCHmachine_token_file entitlementsgetnameprocess_config_directivesr rWrXerrorrerRLIVEPATCH_UNABLE_TO_CONFIGUREr3debugr% machine_tokenr0rDISABLEDrALIVEPATCH_DISABLE_REATTACHrsubpr LIVEPATCH_CMDLIVEPATCH_UNABLE_TO_ENABLE ERROR_MSG_MAPitems) rr?rNrOentitlement_cfgrhlivepatch_tokenr0_detailsmsg error_message print_messages r rgz+LivepatchEntitlement.setup_livepatch_configs7 (77811>>@DDTYYO  )/: -11/BO" &JJ #'"9"9"G"G"#,0+B+B+D ( !%6%?%??AB fh&I&IJ!KK!8!8) DE  ,,hH Y33  #a&1 - ::AA"%a&B  4"77!IIc!fqI1 !33 994A4G4G4I0M=$A.},(===3q6MC fc* sO E %G1(HG.AG  GH' H  HJ$'7J;JJ$ctjsytjdg}|jtj j dj|tj|dy)zYDisable specific entitlement @return: True on success, False otherwise. Trm rFro) r rcr~r?r EXECUTING_COMMANDr3joinrr})rr?cmds r _perform_disablez%LivepatchEntitlement._perform_disablesc //1&& 2  & & - -chhsm - D   C&r"ctjdf}tjs tjt j fS tj}| tjt jfS|S#tj$rD}tjt jj|jfcYd}~Sd}~wwxYw)N)livepatch_error)rr1r rcr{r LIVEPATCH_NOT_ENABLEDstatusr rWWARNING LIVEPATCH_CLIENT_FAILURE_WARNINGr3stderr+LIVEPATCH_APPLICATION_STATUS_CLIENT_FAILURE)rrlivepatch_statusrhs r r0z'LivepatchEntitlement.application_statuss$++T2//1%..0N0NO O (//1   #"**DD  // !))99@@$%HHA  sBC9C CCc*tj}|tjjk(rKt j }dt jj|j|jfS|tjjk(rKt j }dt jj|j|jfS|tjjk(rdt jfSy)NT)versionarch)FN)r on_supported_kernelLivepatchSupport UNSUPPORTEDrget_kernel_infor LIVEPATCH_KERNEL_NOT_SUPPORTEDr3 uname_releaseuname_machine_arch KERNEL_EOLLIVEPATCH_KERNEL_EOLKERNEL_UPGRADE_REQUIRED!LIVEPATCH_KERNEL_UPGRADE_REQUIRED)rsupport kernel_infos r enabled_warning_statusz+LivepatchEntitlement.enabled_warning_status s//1 i00<< < 002K77>>'55$77?  i00;; ; 002K--44'55$775  i00HH H:: r"ctjtjjk(r$t j st jSyr-)r rrrrr(r *LIVEPATCH_KERNEL_NOT_SUPPORTED_DESCRIPTIONr9s r status_description_overridez0LivepatchEntitlement.status_description_override+s=  ) ) +))55 6'')FF Fr" orig_accessdeltas allow_enablect ||||ry|jdi}|jdijdd}|r(|jt j \}}|S|j \}}|tjk(ry|jdi} tddg} t| j| } t|jd d} t| | grxtjd tjt j"j%|j& |j)t j | | Sy) a1Process any contract access deltas for this entitlement. :param orig_access: Dictionary containing the original resourceEntitlement access details. :param deltas: Dictionary which contains only the changed access keys and values. :param allow_enable: Boolean set True if allowed to perform the enable operation. When False, a message will be logged to inform the user about the recommended enabled service. :return: True when delta operations are processed; False when noop. T entitlement obligationsenableByDefaultF directivescaCerts remoteServerrkzANew livepatch directives or token. running setup_livepatch_config)service)r?rNrO)superprocess_contract_deltasrtrnrProgressWrapperr0rr{setr/ intersectionanyrXrAr]r #SERVICE_UPDATING_CHANGED_DIRECTIVESr3rurg)rrrrdelta_entitlementprocess_enable_defaultenable_success_r0delta_directivessupported_deltasrNrO __class__s r rz,LivepatchEntitlement.process_contract_deltas4sm$ 7 *; M"JJ}b9!2!6!6}b!I!M!M u"  " $ C,?,?,A B NA! ! $ 7 7 9A !2!;!; ;,00rB >:;!  ) )*: ; VZZ?@ "M2 3 HH)  JJ<<CC IID  ..,,.#5+/  r")TT)F),__name__ __module__ __qualname__r urlsLIVEPATCH_HOME_PAGE help_doc_urlruLIVEPATCH_TITLEr%LIVEPATCH_DESCRIPTION descriptionLIVEPATCH_HELP_TEXT help_text#affordance_check_kernel_min_versionaffordance_check_kernel_flavoraffordance_check_seriesaffordance_check_archpropertyrrr!rr6intr:r>rrr/rirgrrr NamedMessager0rrrrerr __classcell__)rs@r rrs==44L D  $ $E00K,,I*/'%*""!   u-CS-H'I     E*:C*?$@  4csD (;(;D D R$(" ?%%?!? ?  ?B )<)<   (8+@+@"AA B4 tXh3344 5@# 6#s(^6S#X6 6  66r"rc|sy|jdijdi}|jd}|r7tjtjddj |gd|jd d }|j d r|dd }|r8tjtjdd j |gdyy)aProcess livepatch configuration directives. We process caCerts before remoteServer because changing remote-server in the canonical-livepatch CLI performs a PUT against the new server name. If new caCerts were required for the new remoteServer, this canonical-livepatch client PUT could fail on unmatched old caCerts. @raises: ProcessExecutionError if unable to configure livepatch. Nrrrconfigz ca-certs={}Tror/zremote-server={})rtrr}r r~r3endswith)r$rca_certs remote_servers r rvrvms +// bAJ~~i(H ''$$X.    NN>26Mc"%cr*  ''"))-8    r")!loggingtypingrrrruaclientrrr r r r r rruaclient.entitlements.baserr(uaclient.entitlements.entitlement_statusruaclient.typesrLIVEPATCH_RETRIESrget_event_loggerr] getLoggerreplace_top_level_logger_namerrXrrvr*r"r rs--   MF+#JFN & %%'g:::8DEL=L^ " r"