a }|gC@s:dZddlmZddlmZddlZddlZddlZddlZddl Z ddl Z ddl m Z ddl m Z ddl mZddl mZdd l mZdd l mZdd l mZdd l mZdd l mZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddl m!Z!ddl m"Z"ddl#m$Z%ddl#m&Z'ddl(m)Z)e*e+Z,e-e-dddZ.e-e-dddZ/e0d Z1e0d!ej2Z3Gd"d#d#e'ed$Z&Gd%d&d&e%e&ed$Z$Gd'd(d(e$ej4ed$Z5ed)d*d+Z6Gd,d*d*Z7Gd-d.d.Z8e-e-e-ee-dd/d0d1Z9e-e-ee-e-e-fd2d3d4Z:dS)5zPlugin common functions.)ABCMeta)abstractmethodN)Any)Callable)Iterable)List)Optional)Set)Tuple)Type)TypeVar) challenges) achallenges) configuration) crypto_util)errors) interfaces)reverter) constants) filesystem)os) Installer)Plugin) PluginStoragenamereturncCs|dS)9ArgumentParser options namespace (prefix of all options).-rrr:/usr/lib/python3.9/site-packages/certbot/plugins/common.pyoption_namespace%sr"cCs|dddS);ArgumentParser dest namespace (prefix of all destinations).r_)replacer rrr!dest_namespace*sr&zX(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)z3^(([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*[a-z]+$cseZdZdZejeddfdd Zee e ddddd Z ee j edd d d Zeed ddZeedddZeed ddZeedddZeedddZeejedddZZS)rzGeneric plugin.N)configrrcst||||_||_dSN)super__init__r'r)selfr'r __class__rr!r*9szPlugin.__init__).N)addrcCsdS)zAdd plugin arguments to the CLI argument parser. :param callable add: Function that proxies calls to `argparse.ArgumentParser.add_argument` prepending options with unique plugin name prefix. Nr)clsr.rrr!add_parser_arguments>szPlugin.add_parser_arguments)parserrrcs$tttddfdd }||S)zkInject parser options. See `~.certbot.interfaces.Plugin.inject_parser_options` for docs. N)arg_name_no_prefixargskwargsrcs(jdt|g|Ri|dS)Nz--{0}{1}) add_argumentformatr")r2r3r4rr1rr!r.Qsz)Plugin.inject_parser_options..add)strrr0)r/r1rr.rr7r!inject_parser_optionsIszPlugin.inject_parser_optionsrcCs t|jS)r)r"rr+rrr!r"WszPlugin.option_namespacercCs |j|S)z'Option name (include plugin namespace).)r")r+rrrr! option_name\szPlugin.option_namecCs t|jS)r#)r&rr;rrr!r&`szPlugin.dest_namespace)varrcCs|j|ddS)z.Find a destination for given variable ``var``.rr$)r&r%r+r=rrr!destesz Plugin.destcCst|j||S)z0Find a configuration value for variable ``var``.)getattrr'r?r>rrr!confksz Plugin.conf)failed_achallsrcCs(dtdd|D}dj|j|dS)a9Human-readable string to help the user troubleshoot the authenticator. Shown to the user if one or more of the attempted challenges were not a success. Should describe, in simple language, what the authenticator tried to do, what went wrong and what the user should try as their "next steps". TODO: auth_hint belongs in Authenticator but can't be added until the next major version of Certbot. For now, it lives in .Plugin and auth_handler will only call it on authenticators that subclass .Plugin. For now, inherit from `.Plugin` to implement and/or override the method. :param list failed_achalls: List of one or more failed challenges (:class:`achallenges.AnnotatedChallenge` subclasses). :rtype str: z and cSsh|] }|jqSr)typ).0achallrrr! z#Plugin.auth_hint..zThe Certificate Authority couldn't externally verify that the {name} plugin completed the required {challs} challenges. Ensure the plugin is configured correctly and that the changes it makes are accessible from the internet.)rchalls)joinsortedr6r)r+rBrHrrr! auth_hintoszPlugin.auth_hint)__name__ __module__ __qualname____doc__rZNamespaceConfigr8r* classmethodrrr0argparseArgumentParserr9propertyr"r<r&r?rrArrZAnnotatedChallengerK __classcell__rrr,r!r6s  r) metaclasscseZdZdZeeddfdd Zdeeeedddd Z edd d d Z dd ddZ dd ddZ de ddddZeed ddZeed ddZdd ddZZS)rzAn installer base class with reverter and ssl_dhparam methods defined. Installer plugins do not have to inherit from this class. N)r3r4rcs4tj|i|t|j|j|_t|j|_dSr()r)r*rr'rZstoragerZReverter)r+r3r4r,rr!r*szInstaller.__init__F) save_files save_notes temporaryrc Cs^|r|jj}n|jj}z|||Wn4tjyX}ztt|WYd}~n d}~00dS)aAdd files to a checkpoint. :param set save_files: set of filepaths to save :param str save_notes: notes about changes during the save :param bool temporary: True if the files should be added to a temporary checkpoint rather than a permanent one. This is usually used for changes that will soon be reverted. :raises .errors.PluginError: when unable to add to checkpoint N)rZadd_to_temp_checkpointadd_to_checkpointr ReverterError PluginErrorr8)r+rVrWrXZcheckpoint_funcerrrrr!rYs  zInstaller.add_to_checkpoint)titlerc CsJz|j|Wn4tjyD}ztt|WYd}~n d}~00dS)zTimestamp and save changes made through the reverter. :param str title: Title describing checkpoint :raises .errors.PluginError: when an error occurs N)rfinalize_checkpointrrZr[r8)r+r]r\rrr!r^szInstaller.finalize_checkpointr:c CsHz|jWn4tjyB}ztt|WYd}~n d}~00dS)zRevert all previously modified files. Reverts all modified files that have not been saved as a checkpoint :raises .errors.PluginError: If unable to recover the configuration N)rrecovery_routinerrZr[r8r+r\rrr!r_szInstaller.recovery_routinec CsHz|jWn4tjyB}ztt|WYd}~n d}~00dS)zkRollback temporary checkpoint. :raises .errors.PluginError: when unable to revert config N)rrevert_temporary_configrrZr[r8r`rrr!rasz!Installer.revert_temporary_config)rollbackrc CsJz|j|Wn4tjyD}ztt|WYd}~n d}~00dS)zRollback saved checkpoints. :param int rollback: Number of checkpoints to revert :raises .errors.PluginError: If there is a problem with the input or the function is unable to correctly revert the configuration N)rrollback_checkpointsrrZr[r8)r+rcr\rrr!rds zInstaller.rollback_checkpointscCstj|jjtjS)z(Full absolute path to ssl_dhparams file.)rpathrIr' config_dirrZSSL_DHPARAMS_DESTr;rrr! ssl_dhparamsszInstaller.ssl_dhparamscCstj|jjtjS)z:Full absolute path to digest of updated ssl_dhparams file.)rrerIr'rfrZUPDATED_SSL_DHPARAMS_DIGESTr;rrr!updated_ssl_dhparams_digestsz%Installer.updated_ssl_dhparams_digestcCst|j|jtjtjdS)zJCopy Certbot's ssl_dhparams file into the system's config dir if required.N)install_version_controlled_filergrhrZSSL_DHPARAMS_SRCZALL_SSL_DHPARAMS_HASHESr;rrr!install_ssl_dhparamss zInstaller.install_ssl_dhparams)F)rb)rLrMrNrOrr*r r8boolrYr^r_raintrdrSrgrhrjrTrrr,r!rs     rc@seZdZdZdS) Configuratorzt A plugin that extends certbot.plugins.common.Installer and implements certbot.interfaces.Authenticator N)rLrMrNrOrrrr!rmsrm GenericAddrAddr)boundc@seZdZdZd"eeefedddZee e ee e dddZ ed d d Z eeefd d d ZeedddZed ddZed ddZed ddZe ee dddZeeedddZed ddZeeeddd Zd!S)#rozRepresents an virtual host address. :param str addr: addr part of vhost address :param str port: port number or \*, or "" Ftupipv6cCs||_||_dSr(rq)r+rrrsrrr!r*sz Addr.__init__)r/str_addrrcCs|drh|d}|d|d}d}t||dkrX||ddkrX||dd}|||fdd S|d}||d |dfSdS) zInitialize Addr from string.[]Nrb:T)rsr) startswithrfindlen partition)r/rtZendIndexhostportrrrrr! fromstrings    zAddr.fromstringr:cCs|jdrd|jS|jdS)Nrbz%s:%srrrr;rrr!__str__s  z Addr.__str__cCs|jr||jdfS|jS)z5Normalized representation of addr/port tuple rb)rsget_ipv6_explodedrrr;rrr!normalized_tupleszAddr.normalized_tuple)otherrcCs t||jr||kSdS)NF) isinstancer-r)r+rrrr!__eq__"s z Addr.__eq__cCs t|jSr()hashrrr;rrr!__hash__*sz Addr.__hash__cCs |jdS)z Return addr part of Addr object.rrr;rrr!get_addr-sz Addr.get_addrcCs |jdS)z Return port.rbrr;rrr!get_port1sz Addr.get_port)r+rrcCs||jd|f|jS)z6Return new address object with same addr and new port.r)r-rrrs)r+rrrr! get_addr_obj5szAddr.get_addr_obj)addrrcCs|d}|d}||S)z7Return IPv6 address in normalized form, helper functionrurv)lstriprstrip _explode_ipv6)r+rrrr!_normalize_ipv69s  zAddr._normalize_ipv6cCs |jrd||jdSdS)zReturn IPv6 in normalized formryrrw)rsrIrrrr;rrr!r?szAddr.get_ipv6_explodedcCsgd}|d}t|t|kr2|dt|}d}t|D]N\}}|sPd}q>t|dkrf|d}|sxt|||<q>t|||t|<q>|S)z#Explode IPv6 address for comparison)0rrrrrrrryrFTrbr)splitr| enumeraterr8)r+rresultZ addr_listZ append_to_endiblockrrr!rEs   zAddr._explode_ipv6N)F)rLrMrNrOr r8rkr*rPr rnrrrrrrrlrrrrrrrrrrrr!rosc@sLeZdZdZedddZd ejee ddddZ e e j d d d ZdS) ChallengePerformeravAbstract base for challenge performers. :ivar configurator: Authenticator and installer plugin :ivar achalls: Annotated challenges :vartype achalls: `list` of `.KeyAuthorizationAnnotatedChallenge` :ivar indices: Holds the indices of challenges from a larger array so the user of the class doesn't have to. :vartype indices: `list` of `int` ) configuratorcCs||_g|_g|_dSr()rachallsindices)r+rrrr!r*jszChallengePerformer.__init__N)rEidxrcCs$|j||dur |j|dS)zStore challenge to be performed when perform() is called. :param .KeyAuthorizationAnnotatedChallenge achall: Annotated challenge. :param int idx: index to challenge in a larger array N)rappendr)r+rErrrr! add_challos zChallengePerformer.add_challr:cCs tdS)zPerform all added challenges. :returns: challenge responses :rtype: `list` of `acme.challenges.KeyAuthorizationChallengeResponse` N)NotImplementedErrorr;rrr!perform|szChallengePerformer.perform)N)rLrMrNrOrmr*rZ"KeyAuthorizationAnnotatedChallengerrlrrr Z!KeyAuthorizationChallengeResponserrrrr!r^s  r) dest_path digest_pathsrc_path all_hashesrcstddfdd ddfdd }tjsJ|dSt}|kr`dS||vrp|n`tjrtd}|}Wdn1s0Y|krdStddS) aCopy a file into an active location (likely the system's config dir) if required. :param str dest_path: destination path for version controlled file :param str digest_path: path to save a digest of the file in :param str src_path: path to version controlled file found in distribution :param list all_hashes: hashes of every released version of the file Nr:cs8td}|Wdn1s*0YdS)Nw)openwrite)Zfile_h) current_hashrrr!_write_current_hashs z._write_current_hashcstdSr()shutilcopyfiler)rrrrr!_install_current_files z>install_version_controlled_file.._install_current_filerzh%s has been manually modified; updated file saved to %s. We recommend updating %s for security purposes.) rZ sha256sumrreisfilerreadloggerZwarning)rrrrrZactive_file_digestfZ saved_digestr)rrrrrr!ris(     &ri)test_dirpkgrcCsttddd}|d}|d}|d}t|tjt|tjt|tjtj|d|}tj |*}t j |t j ||dd Wd n1s0Y|||fS) z5Setup the directories necessary for the configurator.)prefixrcSstt|S)aReturn the real path of a temp directory with the specified prefix Some plugins rely on real paths of symlinks for working correctly. For example, certbot-apache uses real paths of configuration files to tell a virtual host from another. On systems where TMP itself is a symbolic link, (ex: OS X) such plugins will be confused. This function prevents such a case. )rrealpathtempfileZmkdtemp)rrrr!expanded_tempdirs z#dir_setup..expanded_tempdirZtempr'ZworkZtestdataT)symlinksN)r8rchmodrZCONFIG_DIRS_MODE importlibZ resourcesfilesjoinpathZas_filercopytreerrerI)rrrZtemp_dirrfZwork_dirZ test_dir_refrerrr! dir_setups $r);rOabcrrrQZimportlib.resourcesrZloggingrerrtypingrrrrrr r r r Zacmer ZcertbotrrrrrrZcertbot._internalrZcertbot.compatrrZcertbot.interfacesrZAbstractInstallerrZAbstractPluginZcertbot.plugins.storagerZ getLoggerrLrr8r"r&compileZprivate_ips_regex IGNORECASEZhostname_regexZ Authenticatorrmrnrorrirrrrr!sb                         Th b) 3