U lHJe2@sddlZddlmZmZmZmZddlmZmZm Z m Z m Z m Z m Z mZddlmZmZddlmZddlmZddgZd d d ZeZeeeZGd d d eZddZdS)N)AnyDictOptionalTuple) event_logger exceptionshttp livepatchmessagessnapsystemutil)IncompatibleService UAEntitlement)ApplicationStatus)StaticAffordanceg?g?z)Invalid Auth-Token provided to livepatch.z2Your running kernel is not supported by Livepatch.)zUnknown Auth-Tokenzunsupported kernelcs eZdZejjZdZejZ ej Z ej Z dZdZdZdZeeedfdddZeeedfddd Zdeed d d Zdeeed ddZdddZeeeejfdddZeeeejfdddZ ddZ!de"e#e$fe"e#e$feedfdd Z%Z&S)LivepatchEntitlementr FT.)returncCs0ddlm}ddlm}t|tjt|tjfS)NrFIPSEntitlement)RealtimeKernelEntitlement)uaclient.entitlements.fipsrZuaclient.entitlements.realtimerrr ZLIVEPATCH_INVALIDATES_FIPSZREALTIME_LIVEPATCH_INCOMPATIBLE)selfrrrA/usr/lib/python3/dist-packages/uaclient/entitlements/livepatch.pyincompatible_services+s  z*LivepatchEntitlement.incompatible_servicescsZddlm}||j}t|dtjktjj |j ddddftj fdddffS)NrrtitlecSstSN)r is_containerrrrrJz9LivepatchEntitlement.static_affordances..FcsSrrrZis_fips_enabledrrr Or!) rrcfgboolapplication_statusrENABLEDr Z"SERVICE_ERROR_INSTALL_ON_CONTAINERformatrZ!LIVEPATCH_ERROR_WHEN_FIPS_ENABLED)rrZfips_entrr"rstatic_affordances:s    z'LivepatchEntitlement.static_affordances)silentrc CsVts$ttjjddttsttjjddzt dWnFt j k r}z&t j d|dttjjddW5d}~XYnXttd |jjtj}td |jjtj}tj||tjd tstjk r&}ztj t ||dWYdSd}~XYnXztjtjd |gd d Wntjk r}zbt j}tD]&\} } | t |krf|| 7}qqf|t jkr|t |7}t |WYdSd}~XYnXt t jjd dd S)aProcesss configuration setup for livepatch directives. :param process_directives: Boolean set True when directives should be processsed. :param process_token: Boolean set True when token should be processsed. r*r.FN resourceTokenzHNo specific resourceToken present. Using machine token as %s credentialsZ machineTokenz&Disabling livepatch before re-enablingdisableenableTZcapturezCanonical Livepatchr)r#Zmachine_token_fileZ entitlementsgetnameprocess_config_directivesrr4r5errorr7r2r3r ZLIVEPATCH_UNABLE_TO_CONFIGUREr'debugrZ machine_tokenr%rDISABLEDZLIVEPATCH_DISABLE_REATTACHr subpr LIVEPATCH_CMDZLIVEPATCH_UNABLE_TO_ENABLE ERROR_MSG_MAPitemsZ ENABLED_TMPL) rr0r1Zentitlement_cfgr9Zlivepatch_tokenr%Z_detailsmsgZ error_messageZ print_messagerrrr8sd               z+LivepatchEntitlement.setup_livepatch_configcCs$ts dStjtjdgdddS)zYDisable specific entitlement @return: True on success, False otherwise. Tr<r>)r r6r rErF)rr)rrr_perform_disablesz%LivepatchEntitlement._perform_disablecCs:tjdf}tstjtjfStdkr6tjtjfS|Sr) rr&r r6rDr ZLIVEPATCH_NOT_ENABLEDstatusZ+LIVEPATCH_APPLICATION_STATUS_CLIENT_FAILURE)rrKrrrr%s   z'LivepatchEntitlement.application_statuscCszt}|tjjkr4t}dtjj|j |j dfS|tjj kr`t}dtj j|j |j dfS|tjj krvdtjfSdS)NT)versionZarch)FN)r on_supported_kernelLivepatchSupport UNSUPPORTEDr Zget_kernel_infor ZLIVEPATCH_KERNEL_NOT_SUPPORTEDr'Z uname_releaseZuname_machine_archZ KERNEL_EOLZLIVEPATCH_KERNEL_EOLZKERNEL_UPGRADE_REQUIREDZ!LIVEPATCH_KERNEL_UPGRADE_REQUIRED)rZsupportZ kernel_inforrrenabled_warning_statuss,   z+LivepatchEntitlement.enabled_warning_statuscCs"ttjjkrtstjSdSr)r rMrNrOr rr Z*LIVEPATCH_KERNEL_NOT_SUPPORTED_DESCRIPTION)rrrrstatus_description_overridesz0LivepatchEntitlement.status_description_override) orig_accessdeltas allow_enablerc st|||rdS|di}|didd}|rH|\}}|S|\}}|tjkrbdS|di} tddg} t| | } t|d d} t | | grt d t tjj|jd |j| | d SdS) a1Process any contract access deltas for this entitlement. :param orig_access: Dictionary containing the original resourceEntitlement access details. :param deltas: Dictionary which contains only the changed access keys and values. :param allow_enable: Boolean set True if allowed to perform the enable operation. When False, a message will be logged to inform the user about the recommended enabled service. :return: True when delta operations are processed; False when noop. T entitlementZ obligationsZenabledByDefaultF directivescaCerts remoteServerr;zANew livepatch directives or token. running setup_livepatch_config)servicer/)superprocess_contract_deltasr?r=r%rrDsetr$ intersectionanyr5r3r2r Z#SERVICE_UPDATING_CHANGED_DIRECTIVESr'r@r8) rrRrSrTZdelta_entitlementZprocess_enable_defaultZenable_success_r%Zdelta_directivesZsupported_deltasr0r1 __class__rrr[ sB        z,LivepatchEntitlement.process_contract_deltas)F)TT)F)F)'__name__ __module__ __qualname__r ZurlsZLIVEPATCH_HOME_PAGEZ help_doc_urlr@ZLIVEPATCH_TITLErZLIVEPATCH_DESCRIPTIONZ descriptionZLIVEPATCH_HELP_TEXTZ help_textZ#affordance_check_kernel_min_versionZaffordance_check_kernel_flavorZaffordance_check_seriesZaffordance_check_archpropertyrrrrr(r$r:r8rJrrZ NamedMessager%rPrQrr7rr[ __classcell__rrr`rrsD6 >      rcCs|sdS|didi}|d}|rFtjtjdd|gdd|d d }|d rh|dd }|rtjtjdd |gdddS)aProcess livepatch configuration directives. We process caCerts before remoteServer because changing remote-server in the canonical-livepatch CLI performs a PUT against the new server name. If new caCerts were required for the new remoteServer, this canonical-livepatch client PUT could fail on unmatched old caCerts. @raises: ProcessExecutionError if unable to configure livepatch. NrUrVrWZconfigz ca-certs={}Tr>rX/zremote-server={})r?r rEr rFr'endswith)r#rVZca_certsZ remote_serverrrrrAAs.     rA) ZloggingtypingrrrrZuaclientrrrr r r r r Zuaclient.entitlements.baserrZ(uaclient.entitlements.entitlement_statusrZuaclient.typesrZLIVEPATCH_RETRIESrGZget_event_loggerr2Z getLoggerZreplace_top_level_logger_namerbr5rrArrrrs(   &