Recovered content of a compiled Python bytecode (.pyc) dump of the module certbot.plugins.common. The dump itself is not readable; only the embedded docstrings, identifier names and string constants survive, and the listing below reproduces those, grouped by the class or function they belong to. Pattern strings, default values that are not visible in the dump and the exact bodies of most methods are not recoverable and are not reconstructed here.

Module level

Imports visible in the dump: argparse, logging, os, re, shutil, sys, tempfile, typing, acme.challenges, certbot (achallenges, configuration, crypto_util, errors, interfaces, reverter), certbot._internal.constants, certbot.compat, certbot.interfaces (AbstractInstaller, AbstractPlugin), certbot.plugins.storage (PluginStorage) and importlib.resources (guarded by a sys.version_info check).

A module logger is created with logging.getLogger(__name__).

Two compiled patterns, private_ips_regex and hostname_regex, are built with re.compile(..., re.IGNORECASE); the pattern strings themselves are not recoverable from the dump.

Helper functions option_namespace(name) and dest_namespace(name) derive the argparse option prefix and the argparse destination prefix for a plugin from its name (the option prefix ends in "-", the destination prefix in "_").

A TypeVar GenericAddr is declared, bound to Addr.

class Plugin(AbstractPlugin, metaclass=ABCMeta)

    add_parser_arguments(cls, add)
        "Add plugin arguments to the CLI argument parser.
        :param callable add: Function that proxies calls to
        `argparse.ArgumentParser.add_argument` prepending options with unique
        plugin name prefix."

    inject_parser_options(cls, parser, name)
        "Inject parser options. See `~.certbot.interfaces.Plugin.inject_parser_options`
        for docs."
        Defines an inner add(arg_name_no_prefix, *args, **kwargs) that calls
        parser.add_argument("--{0}{1}".format(option_namespace(name), arg_name_no_prefix),
        *args, **kwargs) and passes it to cls.add_parser_arguments.

    option_namespace (property)
        option_namespace(self.name)

    option_name(self, name)
        "Option name (include plugin namespace)."

    dest_namespace (property)
        dest_namespace(self.name)

    dest(self, var)
        "Find a destination for given variable ``var``."
        Prefixes var (with "-" replaced by "_") with the plugin's dest namespace.

    conf(self, var)
        "Find a configuration value for variable ``var``."
        getattr(self.config, self.dest(var))

    auth_hint(self, failed_achalls)
        "Human-readable string to help the user troubleshoot the authenticator.
        Shown to the user if one or more of the attempted challenges were not a
        success. Should describe, in simple language, what the authenticator
        tried to do, what went wrong and what the user should try as their
        "next steps".
        TODO: auth_hint belongs in Authenticator but can't be added until the
        next major version of Certbot. For now, it lives in .Plugin and
        auth_handler will only call it on authenticators that subclass .Plugin.
        For now, inherit from `.Plugin` to implement and/or override the method.
        :param list failed_achalls: List of one or more failed challenges
        (:class:`achallenges.AnnotatedChallenge` subclasses).
        :rtype str:"
        Joins the sorted challenge type names of failed_achalls with " and " and
        returns the message "The Certificate Authority couldn't externally
        verify that the {name} plugin completed the required {challs}
        challenges. Ensure the plugin is configured correctly and that the
        changes it makes are accessible from the internet." with name set to
        self.name.

class Installer(AbstractInstaller, Plugin)

    "An installer base class with reverter and ssl_dhparam methods defined.
    Installer plugins do not have to inherit from this class."

    __init__(self, *args, **kwargs)
        Calls the parent constructor, then creates self.storage =
        PluginStorage(self.config, self.name) and self.reverter =
        reverter.Reverter(self.config).

    Every method below that delegates to the reverter catches
    errors.ReverterError and re-raises it as errors.PluginError(str(err)).

    add_to_checkpoint(self, save_files, save_notes, temporary=False)
        "Add files to a checkpoint.
        :param set save_files: set of filepaths to save
        :param str save_notes: notes about changes during the save
        :param bool temporary: True if the files should be added to a
        temporary checkpoint rather than a permanent one. This is usually
        used for changes that will soon be reverted.
        :raises .errors.PluginError: when unable to add to checkpoint"
        Selects reverter.add_to_temp_checkpoint or reverter.add_to_checkpoint
        according to temporary and calls it with (save_files, save_notes).

    finalize_checkpoint(self, title)
        "Timestamp and save changes made through the reverter.
        :param str title: Title describing checkpoint
        :raises .errors.PluginError: when an error occurs"

    recovery_routine(self)
        "Revert all previously modified files.
        Reverts all modified files that have not been saved as a checkpoint
        :raises .errors.PluginError: If unable to recover the configuration"

    revert_temporary_config(self)
        "Rollback temporary checkpoint.
        :raises .errors.PluginError: when unable to revert config"

    rollback_checkpoints(self, rollback)
        "Rollback saved checkpoints.
        :param int rollback: Number of checkpoints to revert
        :raises .errors.PluginError: If there is a problem with the input or
        the function is unable to correctly revert the configuration"

    ssl_dhparams (property)
        "Full absolute path to ssl_dhparams file."
        os.path.join(self.config.config_dir, constants.SSL_DHPARAMS_DEST)

    updated_ssl_dhparams_digest (property)
        "Full absolute path to digest of updated ssl_dhparams file."
        os.path.join(self.config.config_dir, constants.UPDATED_SSL_DHPARAMS_DIGEST)

    install_ssl_dhparams(self)
        "Copy Certbot's ssl_dhparams file into the system's config dir if required."
        install_version_controlled_file(self.ssl_dhparams,
        self.updated_ssl_dhparams_digest, constants.SSL_DHPARAMS_SRC,
        constants.ALL_SSL_DHPARAMS_HASHES)

class Configurator(Installer, interfaces.Authenticator)

    "A plugin that extends certbot.plugins.common.Installer and implements
    certbot.interfaces.Authenticator"

class Addr

    "Represents a virtual host address.
    :param str addr: addr part of vhost address
    :param str port: port number or \*, or """

    __init__(self, tup, ipv6=False)
        Stores the (addr, port) tuple as self.tup and the flag as self.ipv6.

    fromstring(cls, str_addr)  (classmethod)
        "Initialize Addr from string."
        If str_addr starts with "[", the host is everything up to and
        including the matching "]", the port is whatever follows a ":" after
        that bracket (empty otherwise), and the result is built with
        ipv6=True. Otherwise the string is split on the first ":" with
        str.partition and the parts before and after it become addr and port.

    __str__(self)
        "%s:%s" % self.tup when a port is set, otherwise just the address.

    normalized_tuple(self)
        "Normalized representation of addr/port tuple"
        (self.get_ipv6_exploded(), self.tup[1]) for IPv6 addresses, self.tup
        otherwise.

    __eq__(self, other)
        True only if other is an instance of the same class and both
        normalized tuples are equal; False otherwise.

    __hash__(self)
        hash(self.tup)

    get_addr(self)
        "Return addr part of Addr object."

    get_port(self)
        "Return port."

    get_addr_obj(self, port)
        "Return new address object with same addr and new port."
        self.__class__((self.tup[0], port), self.ipv6)

    _normalize_ipv6(self, addr)
        "Return IPv6 address in normalized form, helper function"
        Strips the surrounding "[" and "]" and returns self._explode_ipv6(addr).

    get_ipv6_exploded(self)
        "Return IPv6 in normalized form"
        ":".join(self._normalize_ipv6(self.tup[0])) when self.ipv6 is set,
        otherwise the empty string.

    _explode_ipv6(self, addr)
        "Explode IPv6 address for comparison"
        Starts from eight "0" groups, splits addr on ":", and fills the groups
        from the front until the empty group produced by "::" is reached,
        after which the remaining groups are filled from the end; each group
        is converted with str(). Returns the list of eight groups.

class ChallengePerformer

    "Abstract base for challenge performers.
    :ivar configurator: Authenticator and installer plugin
    :ivar achalls: Annotated challenges
    :vartype achalls: `list` of `.KeyAuthorizationAnnotatedChallenge`
    :ivar indices: Holds the indices of challenges from a larger array so
    the user of the class doesn't have to.
    :vartype indices: `list` of `int`"

    __init__(self, configurator)
        Stores configurator and initialises self.achalls and self.indices to
        empty lists.

    add_chall(self, achall, idx=None)
        "Store challenge to be performed when perform() is called.
        :param .KeyAuthorizationAnnotatedChallenge achall: Annotated challenge.
        :param int idx: index to challenge in a larger array"
        Appends achall to self.achalls and, when idx is not None, idx to
        self.indices.

    perform(self)
        "Perform all added challenges.
        :returns: challenge responses
        :rtype: `list` of `acme.challenges.KeyAuthorizationChallengeResponse`"
        Raises NotImplementedError.

install_version_controlled_file(dest_path, digest_path, src_path, all_hashes)

    "Copy a file into an active location (likely the system's config dir) if
    required.
    :param str dest_path: destination path for version controlled file
    :param str digest_path: path to save a digest of the file in
    :param str src_path: path to version controlled file found in distribution
    :param list all_hashes: hashes of every released version of the file"

    Two inner helpers are defined: _write_current_hash(), which opens
    digest_path for writing and stores current_hash, and
    _install_current_file(), which shutil.copyfile(src_path, dest_path)s
    and then writes the hash. current_hash is crypto_util.sha256sum(src_path).

    Visible control flow: if dest_path does not exist, install the current
    file. Otherwise compute active_file_digest = crypto_util.sha256sum(dest_path);
    if it equals current_hash, return; if it is one of all_hashes (an
    unmodified older release), install the current file. Otherwise, if
    digest_path exists, read the saved digest and return if it equals
    current_hash. Failing all of that, log the warning "%s has been manually
    modified; updated file saved to %s. We recommend updating %s for
    security purposes." (formatted with dest_path, src_path, dest_path) and
    write the current hash to digest_path.

dir_setup(test_dir, pkg)

    "Setup the directories necessary for the configurator."

    Inner helper expanded_tempdir(prefix):
        "Return the real path of a temp directory with the specified prefix
        Some plugins rely on real paths of symlinks for working correctly. For
        example, certbot-apache uses real paths of configuration files to tell
        a virtual host from another. On systems where TMP itself is a symbolic
        link, (ex: OS X) such plugins will be confused. This function prevents
        such a case."
        Implemented as os.path.realpath(tempfile.mkdtemp(prefix)).

    Creates three such directories (temp, config and work), copies the
    package's test_dir data (located through importlib.resources for pkg)
    into the config directory with shutil, and returns the three directory
    paths.