U lHJeYq@sddlZddlZddlmZmZmZmZmZmZm Z ddl m Z m Z m Z mZmZmZddlmZmZddlmZddlmZmZddlmZmZddlmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/dd l0m1Z1dd l2m3Z3dd l2m4Z5dd l6m7Z7dd l6m4Z8dd l9m:Z:ddl;mm?Z?m@Z@mAZAddlBmCZCddlDmEZEmFZFddlGmHZHddlImJZJddlKmLZLmMZMmNZNddlOmPZPddlQmRZRddlSmTZTddlUmVZVddlWmXZXGdddZYddZZddZ[e'd d!d"Z\e)d#d$d%Z]e^e_eCd&d'd(Z`e^e_e_eCd)d*d+Zadfee^e^ebebee^e^d,d-d.ZceCe^e_d/d0d1Zddd2d3d4ZeeCd5d6d7ZfeCe_d8d9d:Zgee^e^d;dd?d@ZieCe_d8dAdBZjeCe^e_dCdDdEZke^eCe_e_dFdGdHZldgeVe^e^dJdKdLZme^dMdNdOZneYe+dPdQdRZoeYe,dPdSdTZpeYe dPdUdVZqeYe!dPdWdXZreYe"dPdYdZZseYe&dPd[d\ZteYe$dPd]d^ZueYe#dPd_d`Zve'e_eCeeVeejwfdadbdcZxdddeZydS)hN)DictList NamedTupleOptionalSetTupleUnion)apt exceptionsmessagessecuritysystemutil)attach_with_tokenenable_entitlement_by_name) _initiate)MagicAttachRevokeOptions_revoke)MagicAttachWaitOptions_wait)ESM_APPS_POCKETESM_INFRA_POCKETSTANDARD_UPDATES_POCKETFixPlanAptUpgradeStepFixPlanAttachStepFixPlanEnableStepFixPlanNoOpAlreadyFixedStepFixPlanNoOpLivepatchFixStepFixPlanNoOpStatusFixPlanNoOpStep FixPlanResult FixPlanStepFixPlanUSNResultFixPlanWarning&FixPlanWarningPackageCannotBeInstalled#FixPlanWarningSecurityIssueNotFixedNoOpAlreadyFixedDataNoOpLivepatchFixDataUSNAdditionalData)status_message)CVEFixPlanOptions)_plan)USNFixPlanOptions) _is_attached)NAME USAGE_TMPL)CLOUD_TYPE_TO_TITLEPRO_CLOUD_URLSget_cloud_type)UAConfig)ContractExpiryStatusget_contract_expiry_status)PRINT_WRAP_WIDTH)entitlement_factory)ApplicabilityStatusCanEnableFailureUserFacingStatus)notices)Notice) PRO_HOME_PAGE) FixStatus)colorize_commandsc@s\eZdZeeeeedddZddZd eeee eddd Z eeed d d Z dS) FixContexttitledry_run affected_pkgscfgcCsDd|_g|_t|_tj|_||_||_||_ ||_ d|_ d|_ dS)NrTF) pkg_index unfixed_pkgssetinstalled_pkgsr>SYSTEM_NON_VULNERABLE fix_statusrBrDrCrEshould_print_pkg_header warn_package_cannot_be_installed)selfrBrCrDrErO2/usr/lib/python3/dist-packages/uaclient/cli/fix.py__init__JszFixContext.__init__cCsN|jrJtjt|jjt|jdt|jd}tt j |t ddddS)N, )countpkgs F)widthsubsequent_indentZreplace_whitespace) rDr ZSECURITY_AFFECTED_PKGS pluralizelenformatjoinsortedprinttextwrapfillr6)rNmsgrOrOrPprint_fix_header\szFixContext.print_fix_headerN source_pkgsstatuspocketcCs4|jr0tt|||jt|j|r&t|ndddS)N)pkg_listrdrFnum_pkgs pocket_source)rLr]_format_packages_messagerFrYrDget_pocket_description)rNrcrdrerOrOrPprint_pkg_headerms zFixContext.print_pkg_headerrTunfixed_reasoncCs$|D]}|jtj||dqdS)N)pkgrm)rGappendr UnfixedPackage)rNrTrmrnrOrOrPadd_unfixed_packagess zFixContext.add_unfixed_packages)N) __name__ __module__ __qualname__strboolrr3rQrarrkrqrOrOrOrPr@Is  r@cCs(|jdtjd}|jtdt|dS)Nfixhelp)action)Z add_parserr Z CLI_ROOT_FIXZ set_defaults action_fix fix_parser)Z subparsersZ parser_fixrOrOrPset_fix_parsers r}cCs`tjtdd|_d|_tj|_tj|j _ |j dtj d|j ddtj d|j d dtjd|S) z1Build or extend an arg parser for fix subcommand.z"fix |)nameZcommandrwsecurity_issuerxz --dry-run store_true)rzryz --no-related)r/rZr.Zusageprogr Z CLI_FIX_DESC descriptionZ CLI_FLAGSZ _optionalsrB add_argumentZ CLI_FIX_ISSUEZCLI_FIX_DRY_RUNZCLI_FIX_NO_RELATED)parserrOrOrPr|s& r|cvecCs8dj|j|jdd|jg}td|dS)N{issue}: {description}issuerz! - https://ubuntu.com/security/{} )rZrBupperrr]r[)rlinesrOrOrPprint_cve_headersr)fix_plancCs|j}dj|j|jdg}|j}t|tr|jrj| t j |jD] }| dt j j j|dqFn,|jr| t j|jD]}| d|qtd|dS)Nrrz - {}rz - r)target_usn_planrZrBrradditional_data isinstancer(Zassociated_cvesror ZSECURITY_FOUND_CVESZurlsZSECURITY_CVE_PAGEZassociated_launchpad_bugsZSECURITY_FOUND_LAUNCHPAD_BUGSr]r[)rZ target_usnrrrZlp_bugrOrOrPprint_usn_headers*     r)rrCrEcCsztt|gd|d}|jjdj}|rH|jrHtjt |j pd|jdt |jjdt dt jj|dt|jjdj||\}}|tjtjfkr|S|jjdj}|r|r|St dt jjdd d |Dd t dt ji} |D],} t d | jt| ||| | j<t qt t jt||t jd d} |D]} | | j\} } t| | jt jd | tjkrt dt jjddd} | tjkrD| D]"}|j rt d|j!|j qd} qD| rt dt j"j|d|S)N)usnsrrrrr)issue_idz - css|] }|jVqdSN)rB).0ZusnrOrOrP szfix_usn..)Z related_usnsz- {})contextF- fix operationZ operationTz - {}: {})#usn_planr,Z usns_datarrrr`r rr rrrr]ZSECURITY_FIXING_REQUESTED_USNrZrr>rJSYSTEM_NOT_AFFECTEDrelated_usns_planZSECURITY_RELATED_USNSr[ZSECURITY_FIXING_RELATED_USNSrBZSECURITY_USN_SUMMARY_handle_fix_status_messageZFIX_ISSUE_CONTEXT_REQUESTEDZFIX_ISSUE_CONTEXT_RELATEDSYSTEM_VULNERABLE_UNTIL_REBOOTENABLE_REBOOT_REQUIRED_TMPLSYSTEM_STILL_VULNERABLErmrnZSECURITY_RELATED_USN_ERROR)rrCrrErrZtarget_usn_statusrrZrelated_usn_statusZrelated_usn_planZfailure_on_related_usnrdrG unfixed_pkgrOrOrPfix_usns       r)rfrdrFrgrhreturnc Cs|sdSg}g}|D](}|d7}|d||||qtjddd|ddt|tdd }d |t||S) z;Format the packages and status to an user friendly message.z{}/{}z{} {}:(rR)rUrVrWz{} {})rorZr^r_r[r\r6r)) rfrdrFrgrhZ msg_indexZsrc_pkgsZsrc_pkgZ msg_headerrOrOrPri?s"  ri)rEtokenrc Csbttdd|ggzt||ddWdStjk r\}zt|jWYdSd}~XYnXdS)ztAttach to an Ubuntu Pro subscription with a given token. :return: True if attach performed without errors. proZattachT)rZ allow_enableFN)r]r?rr ZUbuntuProErrorr`)rErerrrOrOrP_run_ua_attach[s r)rcCs:t\}}|tkr6ttjjt|t|ddS)z:Alert the user when running Pro on cloud with PRO support.)rBZcloud_specific_urlN) r2r1keysr]r ZSECURITY_USE_PRO_TMPLrZr0get)Z cloud_typerrOrOrP*_inform_ubuntu_pro_existence_if_applicableis  rrEc Csttjt|d}tdtjj|jdt|jd}zt ||d}WnJt j k r}z*ttj t |jd}t||d|W5d}~XYnXtdtjt||jS)Nrr) user_code)Z magic_tokenr)r]r ZCLI_MAGIC_ATTACH_INITrZCLI_MAGIC_ATTACH_SIGN_INrZrrrrr ZMagicAttachTokenErrorZCLI_MAGIC_ATTACH_FAILEDrrZCLI_MAGIC_ATTACH_PROCESSINGrZcontract_token)rEZ initiate_respZ wait_optionsZ wait_respeZrevoke_optionsrOrOrP_perform_magic_attachus*     r)rErcCsjtttjtjtjdddgd}|dkr2dS|dkrBt|S|dkrfttjt d}t ||SdS)zZPrompt for attach to a subscription or token. :return: True if attach performed. sacZ valid_choicesF> T) rr]r Z*SECURITY_UPDATE_NOT_INSTALLED_SUBSCRIPTIONrprompt_choicesZSECURITY_FIX_ATTACH_PROMPTrZPROMPT_ENTER_TOKENinputr)rEchoicerrOrOrP_prompt_for_attachs   r)rGrcCs4t|}tjtj|j|dt|dt ddS)zFormat the list of unfixed packages into an message. :returns: A string containing the message output for the unfixed packages. rR)rgrTrUr) rYr^r_r ZSECURITY_PKG_STILL_AFFECTEDrXrZr[r\r6)rGZnum_pkgs_unfixedrOrOrP_format_unfixed_packages_msgs r)rErCrcCs0t|}|dtjkr,|r(ttjdSdSdS)zuCheck if the Ubuntu Pro subscription is expired. :returns: True if subscription is expired and not renewed. rFT)r5r4ZEXPIREDr]r (SECURITY_DRY_RUN_UA_EXPIRED_SUBSCRIPTION)rErCZcontract_expiry_statusrOrOrP_check_subscription_is_expireds rcCsddl}ddlm}tttjtjtj j t dddgd}|dkrttj t d}ttd d gg||jd d d |t||SdS)zdPrompt for attach a new subscription token to the user. :return: True if attach performed. rN)cli)ZurlrrrrrdetachTr) assume_yesrZF)argparseuaclientrrr]r Z%SECURITY_UPDATE_NOT_INSTALLED_EXPIREDrrZSECURITY_FIX_RENEW_PROMPTrZr=ZPROMPT_EXPIRED_ENTER_TOKENrr?Z action_detachZ Namespacer)rErrrrrOrOrP_prompt_for_new_tokens$      r)rEservicercCsttjj|dtjtjj|dddgd}|dkrttdd|ggt||dd\}}|s|d k rt |t r|j d k rt|j j |Sd S) zMPrompt for enable a pro service. :return: True if enable performed. rrrrrenableT)rEr~rNF) r]r ZSECURITY_SERVICE_DISABLEDrZrrZSECURITY_FIX_ENABLE_PROMPTr?rrr9messager`)rErrZretreasonrOrOrP_prompt_for_enables,    r)rrErCrcCst||d}||}|r|\}}|tjkr2dS|\}}|tjkr|rhtdtj j |j ddSt ||j rxdSttj j |j dnttjj |j ddS)zQ Verify if the Ubuntu Pro subscription has the required service enabled. )rEr~TrrF)r7Zuser_facing_statusr:ZACTIVEapplicability_statusr8Z APPLICABLEr]r Z'SECURITY_DRY_RUN_UA_SERVICE_NOT_ENABLEDrZr~rSECURITY_UA_SERVICE_NOT_ENABLEDZ SECURITY_UA_SERVICE_NOT_ENTITLED)rrErCZent_clsZentZ ent_statusrrrOrOrP)_handle_subscription_for_required_services<      rr)rdrrcCs|tjkr>|r tjj||d}ntjj|d}tt|n|tj kr||r^tj j||d}ntj j|d}tt|np|tj kr|rtj j||d}ntjj|d}tt|n2|rtj j||d}ntjj|d}tt|dS)N)rrr)r>rJr Z%SECURITY_ISSUE_RESOLVED_ISSUE_CONTEXTrZZSECURITY_ISSUE_RESOLVEDr]rZhandle_unicode_charactersrZ'SECURITY_ISSUE_UNAFFECTED_ISSUE_CONTEXTZSECURITY_ISSUE_UNAFFECTEDrZ)SECURITY_ISSUE_NOT_RESOLVED_ISSUE_CONTEXTZSECURITY_ISSUE_NOT_RESOLVED)rdrrr`rOrOrPr.s>   rrecCs2|tkrtjS|tkrtjS|tkr*tjS|SdSr)rr Z'SECURITY_UBUNTU_STANDARD_UPDATES_POCKETrZSECURITY_UA_INFRA_POCKETrZSECURITY_UA_APPS_POCKETrrOrOrPrjSsrj fix_contextstepcCsh|j|jjd|jjdd|_tjj|jj|jj d}t d||j |jj g|dd|_ tj|_dS)NreleasedrbF)packageversionrrlT)rkdataZrelated_source_packagesrerLr ZFIX_CANNOT_INSTALL_PACKAGErZZbinary_packageZbinary_package_versionr]rqZsource_packagerMr>rrK)rrZwarn_msgrOrOrP)_execute_package_cannot_be_installed_step^s" rcCsR|j|jj|jjd|jt|jj7_|j|jjt|jjdtj |_ dS)N)rcrdrl) rkrsource_packagesrdrFrYrqr)r>rrKrrOrOrP&_execute_security_issue_not_fixed_stepws rc Csv|j|jjd|jjd|jt|jj7_|jjsR|jsFtt j t j |_ dSts|jstt jt j|_ |j|jjt jddSttdddgdddd gt|jjg|jrt j |_ dSz.ttjd ddd g|jjd d id Wn\tk rR}zrJrKrZwe_are_currently_rootrCZSECURITY_APT_NON_ROOTrrqr?r\r Zrun_apt_update_commandZrun_apt_command ExceptiongetattrrurLrIr)rrrr`rOrOrP_execute_apt_upgrade_stepsh       rcCs|jjdkrtnt}|j|jjd|dd|_t|jj s|j rPt dt j qt|jstj|_|j|jjt jj|jjdddSnXt|j|j dr|j rt t jn6t|jstj|_|j|jjt jj|jjdddStj|_dS) N esm-infrarrbFrrrl)rErC)rZrequired_servicerrrkrrLr-rEZ is_attachedrCr]r Z SECURITY_DRY_RUN_UA_NOT_ATTACHEDrr>rrKrqZSECURITY_UA_SERVICE_REQUIREDrZrrrZ$SECURITY_UA_SERVICE_WITH_EXPIRED_SUBrJrrrerOrOrP_execute_attach_stepsL     rcCs|jjdkrtnt}|j|jjd|dd|_t|jj|j|j st t j j |jjd|j|jjt jj |jjddtj|_dStjS)NrrrbFrrl)rrrrrkrrLrrErCr]r rrZrqZ%SECURITY_UA_SERVICE_NOT_ENABLED_SHORTr>rrKrJrrOrOrP_execute_enable_steps: rcCs&|jjtjjkr"ttjtj |_ dSr) rrdrZ NOT_AFFECTEDvaluer]r ZSECURITY_NO_AFFECTED_PKGSr>rrKrrOrOrP_execute_noop_not_affected_steps rcCs*t|jtr&ttjj|j|jjddS)N)rr) rrr'r]r ZCVE_FIXED_BY_LIVEPATCHrZrBZ patch_versionrrOrOrP%_execute_noop_fixed_by_livepatch_step"s rcCsHt|jtrD|j|jjd|jjdttj|j t |jj7_ dS)Nrrb) rrr&rkrrer]r rrFrYrrOrOrP _execute_noop_already_fixed_step.s  r)rrCrErcCs|j|j}t|j||jpg|d}|t|dddD]}t|trTt ||t|t rht ||t|t rt |||jtjkrqt|trt|||jtjkrqt|trt|||jtjkrqt|trt||t|trt||t|trKz"execute_fix_plan..)keycSsg|] }|jqSrO)rn)rrrOrOrP msz$execute_fix_plan..)rIrr)-Zplanwarningsr@rBZaffected_packagesrar\rr$rr%rrrrKr>rJrrrrrrrrrrr]rGrlistrHrr Z should_rebootrIrr rrZr;addr<ZENABLE_REBOOT_REQUIREDr)rrCrEZ full_planrrZ reboot_msgrOrOrPr;s|                      rcKshttj|jstj|jd|jr.tt j d|j krNt |j|j|}nt |j|j|j|}|jS)Nrr)rematchr ZCVE_OR_USN_REGEXrr ZInvalidSecurityIssueIdFormatrCr]r ZSECURITY_DRY_RUN_WARNINGlowerrrrZ exit_code)argsrEkwargsrdrOrOrPr{s r{)N)r)zrr^typingrrrrrrrrr r r r r rZuaclient.actionsrrZ+uaclient.api.u.pro.attach.magic.initiate.v1rZ)uaclient.api.u.pro.attach.magic.revoke.v1rrZ'uaclient.api.u.pro.attach.magic.wait.v1rrZuaclient.api.u.pro.security.fixrrrrrrrrrrr r!r"r#r$r%r&r'r(Z'uaclient.api.u.pro.security.fix._commonr)Z+uaclient.api.u.pro.security.fix.cve.plan.v1r*r+rZ+uaclient.api.u.pro.security.fix.usn.plan.v1r,rZ(uaclient.api.u.pro.status.is_attached.v1r-Zuaclient.cli.constantsr.r/Zuaclient.clouds.identityr0r1r2Zuaclient.configr3Zuaclient.contractr4r5Zuaclient.defaultsr6Zuaclient.entitlementsr7Z(uaclient.entitlements.entitlement_statusr8r9r:Zuaclient.filesr;Zuaclient.files.noticesr<Zuaclient.messages.urlsr=Zuaclient.securityr>Zuaclient.statusr?r@r}r|rrrurvrrintrirrrrrrrrrrrjrrrrrrrrrprr{rOrOrOrPs$  T              >  l   - %    ? 0 '    N