U

��Jh�7�@s�dd
lZddl
mZmZmZmZ
ddlmZmZm	Z	m
Z
mZmZm
Z
mZmZ
ddlmZmZ
ddlmZ
ddlmZ
ddgZd	d
d�Ze��Ze�e�e�
�
ZGdd
�d
e�Zdd�Z d
S)�N)�Any�Dict�Optional�Tuple)	�api�event_logger�
exceptions�http�	livepatch�messages�snap�system�util)�EntitlementWithMessage�
UAEntitlement)
�ApplicationStatus)
�StaticAffordanceg�?g�?z)Invalid Auth-Token provided to livepatch.z2Your running kernel is not supported by Livepatch.)zUnknown Auth-Tokenzunsupported kernelcs2
eZ
dZejjZd
ZejZ	ej
ZejZ
dZdZdZdZeeedfd�
dd��
Zeeedfd�
dd	��
Zed�
d
d�Zed�
dd
�Zejed�dd�Zd ejeeed�dd�Zejd�
dd�Z ee!e"ej#fd�
dd�Z$eee"ej#fd�
dd�Z%dd�Z&d!e'e(e)fe'e(e)feed��f
dd�
Z*�Z+S)"�LivepatchEntitlementr
FT.)
�returnc
Cs0d
dlm
}

d
dlm}
t|
tj�t|tj�fS)Nr
�
�FIPSEntitlement)
�RealtimeKernelEntitlement)�uaclient.entitlements.fipsrZuaclient.entitlements.realtimerrrZLIVEPATCH_INVALIDATES_FIPSZREALTIME_LIVEPATCH_INCOMPATIBLE)�selfrr�r�A/usr/lib/python3/dist-packages/uaclient/entitlements/livepatch.py�incompatible_services,s

�

��z*LivepatchEntitlement.incompatible_servicesc
s\d
dlm
}

|
|jd�
}t|��d
tjk�
�tjj	|j
d�
dd�dftj�f
dd�dffS)	Nr
r)
�cfg)
�titlecSst�
�pt��d
kS)NZwsl)r
�is_containerZ
get_virt_typerrrr�<lambda>Ks
z9LivepatchEntitlement.static_affordances.<locals>.<lambda>Fc
s�S�
Nrr�
Zis_fips_enabledrrr Q�)rrr�bool�application_statusr�ENABLEDrZ"SERVICE_ERROR_INSTALL_ON_CONTAINER�formatrZ!LIVEPATCH_ERROR_WHEN_FIPS_ENABLED)rrZfips_entrr"r�static_affordances;s 
�
��	


��z'LivepatchEntitlement.static_affordancesc


Csd
S)N�r�
rrrr�enable_stepsVs
z!LivepatchEntitlement.enable_stepsc


Csd
S)N�
rr*rrr�
disable_stepsYs
z"LivepatchEntitlement.disable_steps)�progressrc
Cs�
|
�t
j�

t��s2|
�d
t
jjdd�
�
t��
t�	�s�|
�d
t
jjdd�
�
zt�
d�

WnHtjk
r�
}
z(t
jd|d�
|
�d
t
jjdd�
�
W5d	}~XYnXt�|
�

zt�d�

WnHtjk
�
r
}
z&t
jd
|d�
t�t
jjdd�
�

W5d	}~XYnXt�d|jjtj�}t�d
|jjtj�}tj||tjd�
t���
s�|
�d
t
jjdd�
�
zt�
d�

Wn6tjk
�
r�
}
ztjt |�
d�
�
W5d	}~XYnXt�!||�
|j"|
ddd�S)zYEnable specific entitlement.

        @return: True on success, False otherwise.
        �infoZsnapd)
Zpackagesz
snapd snapz!Failed to install snapd as a snap�
�exc_infozsnap install snapd�
ZcommandNzFailed to refresh snapd snapzsnap refresh snapdr	Zhttps)�
http_proxy�https_proxyZretry_sleepszcanonical-livepatch snapzcanonical-livepatch�
Z	error_msgT)�process_directives�
process_token)#r.rZINSTALLING_LIVEPATCHrZis_snapd_installed�emitZINSTALLING_PACKAGESr'Z
install_snapdZis_snapd_installed_as_a_snapZinstall_snapr�ProcessExecutionError�LOGZwarningZEXECUTING_COMMAND_FAILEDZrun_snapd_wait_cmdZrefresh_snap�eventr/r	Zvalidate_proxyrr3ZPROXY_VALIDATION_SNAP_HTTP_URLr4ZPROXY_VALIDATION_SNAP_HTTPS_URLZconfigure_snap_proxyZSNAP_INSTALL_RETRIESr
�is_livepatch_installedZErrorInstallingLivepatch�strZconfigure_livepatch_proxy�setup_livepatch_config)rr.�
er3r4rrr�_perform_enable\s�

�


�






��






��
�
�


�




��


"
�z$LivepatchEntitlement._perform_enable)r.r6r7rc
Cs�
|
�t
j�

|j���|j�
}|r�zt|�

WnVtj	k
r�
}
z6t
jt|�
|d
�
|
�
dt
jjt|�
d�
�
WY�dSd}~XYnX|�
r�|�d�
}|s�t
�d|j�
|jjd}|��\}}|tjk�
r8t
�d	�

|
�
dt
j�
zt�tjd
g�

Wn>tj	k
�
r6
}
zt
jt|�
|d
�
WY�dSd}~XYnXztjtjd|gdd
�
Wn�tj	k
�
r�
}
zdt
j}	t��D]&\}
}|
t|�
k�
rv|	|7}	
�
q��
qv|	t
jk�
r�|	t|�
7}	|
�
d|	�
WY�dSd}~XYnXdS)a
Processs configuration setup for livepatch directives.

        :param process_directives: Boolean set True when directives should be
            processsed.
        :param process_token: Boolean set True when token should be
            processsed.
        r0r/r5FN�
resourceTokenzHNo specific resourceToken present. Using machine token as %s credentialsZmachineTokenz&Disabling livepatch before re-enabling�disable�enableT�
Zcapture)r.rZSETTING_UP_LIVEPATCHZmachine_token_fileZentitlements�get�name�process_config_directivesrr9r:�errorr=r8ZLIVEPATCH_UNABLE_TO_CONFIGUREr'�debugrZ
machine_tokenr%r�DISABLEDr/ZLIVEPATCH_DISABLE_REATTACHr
�subpr
�
LIVEPATCH_CMDZLIVEPATCH_UNABLE_TO_ENABLE�
ERROR_MSG_MAP�items)rr.r6r7Zentitlement_cfgr?Zlivepatch_tokenr%Z_details�msgZ
error_messageZ
print_messagerrrr>�sb









��





�
�













�











z+LivepatchEntitlement.setup_livepatch_config)
r.cCsBt�
�sd
Stjdg}|
�tjjd�|�
d�
�

tj	|d
d�
d
S)zYDisable specific entitlement

        @return: True on success, False otherwise.
        TrB�
 r2rD)
r
r<rLr.rZEXECUTING_COMMANDr'�joinr
rK)rr.�cmdrrr�_perform_disable�s




�
z%LivepatchEntitlement._perform_disablec

Cs�tj
df}
t��stjtjfSzt��}Wn>tj	k
rh
}
ztj
tjj|j
d
�
fWY�Sd}~XYnX|dkr~tjtjfS|
S)N)
Zlivepatch_error)rr&r
r<rJrZLIVEPATCH_NOT_ENABLED�statusrr9ZWARNINGZ LIVEPATCH_CLIENT_FAILURE_WARNINGr'�stderrZ+LIVEPATCH_APPLICATION_STATUS_CLIENT_FAILURE)rrTZlivepatch_statusr?rrrr%�s 





��
�z'LivepatchEntitlement.application_statusc
Cszt�
�}
|
tjjkr4t��}d
tjj|j	|j
d�fS|
tjjkr`t��}d
tjj|j	|j
d�fS|
tjj
krvd
tjfSdS)NT)�versionZarch)FN)r
�on_supported_kernel�LivepatchSupport�UNSUPPORTEDr
Zget_kernel_inforZLIVEPATCH_KERNEL_NOT_SUPPORTEDr'Z
uname_releaseZuname_machine_archZ
KERNEL_EOLZLIVEPATCH_KERNEL_EOLZKERNEL_UPGRADE_REQUIREDZ!LIVEPATCH_KERNEL_UPGRADE_REQUIRED)rZsupportZkernel_inforrr�enabled_warning_status
s,




��



��
�z+LivepatchEntitlement.enabled_warning_statusc

Cs"t�
�tjjkrt��stjSdSr!)r
rWrXrYr
rrZ*LIVEPATCH_KERNEL_NOT_SUPPORTED_DESCRIPTIONr*rrr�status_description_override+
s
���
z0LivepatchEntitlement.status_description_override)�orig_access�deltas�allow_enablerc
s�t��
|
||�rd
S|�di�}|�di��dd�}|rN|�t���
\}}|S|��\}}|tjkrhdS|�di�}	t	ddg�
}
t
|
�|	�
�
}t
|�d	d��
}t||g�
r�t
�d
�

t�tjj|jd�
�

|jt��||d�Sd
S)
a1Process any contract access deltas for this entitlement.

        :param orig_access: Dictionary containing the original
            resourceEntitlement access details.
        :param deltas: Dictionary which contains only the changed access keys
        and values.
        :param allow_enable: Boolean set True if allowed to perform the enable
            operation. When False, a message will be logged to inform the user
            about the recommended enabled service.

        :return: True when delta operations are processed; False when noop.
        T�entitlementZobligationsZenableByDefaultF�
directives�caCerts�remoteServerrAzANew livepatch directives or token. running setup_livepatch_config)
�service)r.r6r7)�super�process_contract_deltasrErCr�ProgressWrapperr%rrJ�setr$�intersection�anyr:r/r;rZ#SERVICE_UPDATING_CHANGED_DIRECTIVESr'rFr>)
rr\r]r^Zdelta_entitlementZprocess_enable_defaultZenable_success�
_r%Zdelta_directivesZsupported_deltasr6r7�
�	__class__rrre4
sD


�








�


�

��


�z,LivepatchEntitlement.process_contract_deltas)TT)
F),�__name__�
__module__�__qualname__rZurlsZLIVEPATCH_HOME_PAGEZhelp_doc_urlrFZLIVEPATCH_TITLErZLIVEPATCH_DESCRIPTIONZdescriptionZLIVEPATCH_HELP_TEXTZ	help_textZ#affordance_check_kernel_min_versionZaffordance_check_kernel_flavorZaffordance_check_seriesZaffordance_check_arch�propertyrrrrr(�intr+r-rrfr$r@r>rSrrZNamedMessager%rZr[rr=rre�
__classcell__rrrkrrsJ








I
�


�A�� 
�




�rc
Cs�|sd
S|�di��di�}
|
�d�
}|rFt
jtjdd�|�
gdd�
|
�d	d
�}|�d�
rh|d
d�}|r�t
jtjdd
�|�
gdd�
d
S)a�
Process livepatch configuration directives.

    We process caCerts before remoteServer because changing remote-server
    in the canonical-livepatch CLI performs a PUT against the new server name.
    If new caCerts were required for the new remoteServer, this
    canonical-livepatch client PUT could fail on unmatched old caCerts.

    @raises: ProcessExecutionError if unable to configure livepatch.
    Nr_r`raZconfigzca-certs={}TrDrb��
/���zremote-server={})rEr
rKr
rLr'�endswith)rr`Zca_certsZ
remote_serverrrrrGm
s.








��






��rG)!Zlogging�typingrrrrZuaclientrrrr	r
rrr
rZuaclient.entitlements.baserrZ(uaclient.entitlements.entitlement_statusrZuaclient.typesrZLIVEPATCH_RETRIESrMZget_event_loggerr;Z	getLoggerZreplace_top_level_logger_namermr:rrGrrrr�<module>
s
,


�
Q