Hcfy7 ddlZddlmZmZmZmZddlmZmZm Z m Z m Z m Z m Z mZmZddlmZmZddlmZddlmZddgZd d d Zej2Zej6ej8eZGd d eZdZ y)N)AnyDictOptionalTuple) api event_logger exceptionshttp livepatchmessagessnapsystemutil)EntitlementWithMessage UAEntitlement)ApplicationStatus)StaticAffordanceg?g?z)Invalid Auth-Token provided to livepatch.z2Your running kernel is not supported by Livepatch.)zUnknown Auth-Tokenzunsupported kernelc eZdZejj ZdZejZ ejZ ejZ dZdZdZdZedeedffdZedeedffdZdefdZdefd Zd ej8defd Z dd ej8d ed edefdZd ej8fdZ dee!e"ejFffdZ$deee"ejFffdZ%dZ& dde'e(e)fde'e(e)fdedeffd Z*xZ+S)LivepatchEntitlementr FTreturn.cddlm}ddlm}t |t j t |t jfS)NrFIPSEntitlement)RealtimeKernelEntitlement)uaclient.entitlements.fipsruaclient.entitlements.realtimerrr LIVEPATCH_INVALIDATES_FIPSREALTIME_LIVEPATCH_INCOMPATIBLE)selfrrs A/usr/lib/python3/dist-packages/uaclient/entitlements/livepatch.pyincompatible_servicesz*LivepatchEntitlement.incompatible_services,s=>L #!D!D  #)88    cddlm}||j}t|j dt j k(tjj|jddftjfddffS)Nrr)titlec*tjSN)r is_containerr"r z9LivepatchEntitlement.static_affordances..Ks++-r"FcSr&r()is_fips_enabledsr r)z9LivepatchEntitlement.static_affordances..Psr") rrcfgboolapplication_statusrENABLEDr "SERVICE_ERROR_INSTALL_ON_CONTAINERformatr$!LIVEPATCH_ERROR_WHEN_FIPS_ENABLED)rrfips_entr+s @r static_affordancesz'LivepatchEntitlement.static_affordances;s ?"488,  ' ' )! ,0A0I0I I  ;;BB**C.  ::'   r"cy)Nr(rs r enable_stepsz!LivepatchEntitlement.enable_stepsUr"cy)Nr(r7s r disable_stepsz"LivepatchEntitlement.disable_stepsXr9r"progresscL|jtjtjsD|j dtj jdtjtjsF|j dtj jd tjdtj | tj"dt)j*d |j,j.t(j0}t)j*d |j,j2t(j4}tj6||tj8t;j<sF|j dtj jd tjdt;jB|||jE|ddS#tj$rR}tjd||j dtjjdYd }~d }~wwxYw#tj$rU}tjd |t$j'tjjd Yd }~d }~wwxYw#tj$r$}tj>tA|d }~wwxYw)zYEnable specific entitlement. @return: True on success, False otherwise. infosnapd)packagesz snapd snapz!Failed to install snapd as a snapexc_infozsnap install snapdcommandNzFailed to refresh snapd snapzsnap refresh snapdr https) http_proxy https_proxy retry_sleepszcanonical-livepatch snapzcanonical-livepatch error_msgT)process_directives process_token)#r=r INSTALLING_LIVEPATCHr is_snapd_installedemitINSTALLING_PACKAGESr1 install_snapdis_snapd_installed_as_a_snap install_snapr ProcessExecutionErrorLOGwarningEXECUTING_COMMAND_FAILEDrun_snapd_wait_cmd refresh_snapeventr?r validate_proxyr,rGPROXY_VALIDATION_SNAP_HTTP_URLrHPROXY_VALIDATION_SNAP_HTTPS_URLconfigure_snap_proxySNAP_INSTALL_RETRIESr is_livepatch_installedErrorInstallingLivepatchstrconfigure_livepatch_proxysetup_livepatch_config)rr=erGrHs r _perform_enablez$LivepatchEntitlement._perform_enable[s (778&&( MM44;;W;M     002 MM,,33\3J  !!'* )    g &(( DHH'')L)L )) TXX))4+O+O  !!!#22 //1 MM,,3374   L!!"78 ++J D** T+  ]33  ?! L 55<< 4= //  KK6K C JJ118809   833 L 99CFKK LsJ=H(JK,I>,AI99I>K)A K$$K),L#?LL#rLrMc Z|jtj|jjj j |j}|r t||r|j d}|s9tj#d|j$|jj&d}|j)\}}|t*j,k7r[tj/d |jdtj0 t3j4t6j8d g t3j4t6j8d |gd y y #tj$rc}tjt|||jdtjj!t|Yd}~yd}~wwxYw#tj$r*}tjt||Yd}~yd}~wwxYw#tj$r}}tj:} t<j?D]\} } | t|vs| | z } n| tj:k(r| t|z } |jd| Yd}~yd}~wwxYw)aProcesss configuration setup for livepatch directives. :param process_directives: Boolean set True when directives should be processsed. :param process_token: Boolean set True when token should be processsed. rBr?rJNF resourceTokenzHNo specific resourceToken present. Using machine token as %s credentials machineTokenz&Disabling livepatch before re-enablingdisableenableTcapture) r=r SETTING_UP_LIVEPATCHr,machine_token_file entitlementsgetnameprocess_config_directivesr rUrVerrorrcrPLIVEPATCH_UNABLE_TO_CONFIGUREr1debugr$ machine_tokenr.rDISABLEDr?LIVEPATCH_DISABLE_REATTACHrsubpr LIVEPATCH_CMDLIVEPATCH_UNABLE_TO_ENABLE ERROR_MSG_MAPitems) rr=rLrMentitlement_cfgrflivepatch_tokenr._detailsmsg error_message print_messages r rez+LivepatchEntitlement.setup_livepatch_configs6 (778((55BBFF II   )/: -11/BO" &JJ #'(("8"8"H+/+B+B+D ( !%6%?%??AB fh&I&IJ!KK!8!8) DE  ,,hH U33  #a&1 - ::AA"%a&B  0"77!IIc!fqI1 !33 994A4G4G4I0M=$A.},(===3q6MC fc* sO E!%G7(H!G4AGGH- HHJ*-7J%%;J%%J*ctjsytjdg}|jtj j dj|tj|dy)zYDisable specific entitlement @return: True on success, False otherwise. Trk rDrm) r rar|r=r EXECUTING_COMMANDr1joinrr{)rr=cmds r _perform_disablez%LivepatchEntitlement._perform_disablesc //1&& 2  & & - -chhsm - D   C&r"ctjdf}tjs tjt j fS tj}| tjt jfS|S#tj$rD}tjt jj|jfcYd}~Sd}~wwxYw)N)livepatch_error)rr/r raryr LIVEPATCH_NOT_ENABLEDstatusr rUWARNING LIVEPATCH_CLIENT_FAILURE_WARNINGr1stderr+LIVEPATCH_APPLICATION_STATUS_CLIENT_FAILURE)rrlivepatch_statusrfs r r.z'LivepatchEntitlement.application_statuss$++T2//1%..0N0NO O (//1   #"**DD  // !))99@@$%HHA  sBC9C CCc*tj}|tjjk(rKt j }dt jj|j|jfS|tjjk(rKt j }dt jj|j|jfS|tjjk(rdt jfSy)NT)versionarch)FN)r on_supported_kernelLivepatchSupport UNSUPPORTEDrget_kernel_infor LIVEPATCH_KERNEL_NOT_SUPPORTEDr1 uname_releaseuname_machine_arch KERNEL_EOLLIVEPATCH_KERNEL_EOLKERNEL_UPGRADE_REQUIRED!LIVEPATCH_KERNEL_UPGRADE_REQUIRED)rsupport kernel_infos r enabled_warning_statusz+LivepatchEntitlement.enabled_warning_status s//1 i00<< < 002K77>>'55$77?  i00;; ; 002K--44'55$775  i00HH H:: r"ctjtjjk(r$t j st jSyr&)r rrrrr'r *LIVEPATCH_KERNEL_NOT_SUPPORTED_DESCRIPTIONr7s r status_description_overridez0LivepatchEntitlement.status_description_override*s=  ) ) +))55 6'')FF Fr" orig_accessdeltas allow_enablect ||||ry|jdi}|jdijdd}|r(|jt j \}}|S|j \}}|tjk(ry|jdi} tddg} t| j| } t|jd d} t| | grxtjd tjt j"j%|j& |j)t j | | Sy) a1Process any contract access deltas for this entitlement. :param orig_access: Dictionary containing the original resourceEntitlement access details. :param deltas: Dictionary which contains only the changed access keys and values. :param allow_enable: Boolean set True if allowed to perform the enable operation. When False, a message will be logged to inform the user about the recommended enabled service. :return: True when delta operations are processed; False when noop. T entitlement obligationsenableByDefaultF directivescaCerts remoteServerrizANew livepatch directives or token. running setup_livepatch_config)service)r=rLrM)superprocess_contract_deltasrrrlrProgressWrapperr.rrysetr- intersectionanyrVr?r[r #SERVICE_UPDATING_CHANGED_DIRECTIVESr1rsre)rrrrdelta_entitlementprocess_enable_defaultenable_success_r.delta_directivessupported_deltasrLrM __class__s r rz,LivepatchEntitlement.process_contract_deltas3sm$ 7 *; M"JJ}b9!2!6!6}b!I!M!M u"  " $ C,?,?,A B NA! ! $ 7 7 9A !2!;!; ;,00rB >:;!  ) )*: ; VZZ?@ "M2 3 HH)  JJ<<CC IID  ..,,.#5+/  r")TT)F),__name__ __module__ __qualname__r urlsLIVEPATCH_HOME_PAGE help_doc_urlrsLIVEPATCH_TITLEr$LIVEPATCH_DESCRIPTION descriptionLIVEPATCH_HELP_TEXT help_text#affordance_check_kernel_min_versionaffordance_check_kernel_flavoraffordance_check_seriesaffordance_check_archpropertyrrr!rr4intr8r<rrr-rgrerrr NamedMessager.rrrrcrr __classcell__)rs@r rrs==44L D  $ $E00K,,I*/'%*""!   u-CS-H'I     E*:C*?$@  2csD (;(;D D R$(" ?%%?!? ?  ?B )<)<   (8+@+@"AA B4 tXh3344 5@# 6#s(^6S#X6 6  66r"rc|sy|jdijdi}|jd}|r7tjtjddj |gd|jd d }|j d r|dd }|r8tjtjdd j |gdyy)aProcess livepatch configuration directives. We process caCerts before remoteServer because changing remote-server in the canonical-livepatch CLI performs a PUT against the new server name. If new caCerts were required for the new remoteServer, this canonical-livepatch client PUT could fail on unmatched old caCerts. @raises: ProcessExecutionError if unable to configure livepatch. Nrrrconfigz ca-certs={}Trmr/zremote-server={})rrrr{r r|r1endswith)r,rca_certs remote_servers r rtrtls +// bAJ~~i(H ''$$X.    NN>26Mc"%cr*  ''"))-8    r")!loggingtypingrrrruaclientrrr r r r r rruaclient.entitlements.baserr(uaclient.entitlements.entitlement_statusruaclient.typesrLIVEPATCH_RETRIESr~get_event_loggerr[ getLoggerreplace_top_level_logger_namerrVrrtr(r"r rs--   MF+#JFN & %%'g:::8DEK=K\ " r"