U ]J@sdZddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl m Z ddlmZddlmZddlmZddlmZddlmZdd lmZdd lmZddlm Z dd lmZdd lmZdd lmZeeZddZddZ e!dZ"e!dej#Z$e j%&ej'Gddde(Z)Gddde)Z*Gddde(Z+Gddde(Z,Gddde,Z-ddZ.d d!Z/Gd"d#d#e(Z0e0ej1eej1e<dS)$zPlugin common functions.N)util)List) achallenges) constants) crypto_util)errors) interfaces)reverter)os) filesystem) PluginStoragecCs|dS)9ArgumentParser options namespace (prefix of all options).-namerr8/usr/lib/python3/dist-packages/certbot/plugins/common.pyoption_namespacesrcCs|dddS);ArgumentParser dest namespace (prefix of all destinations).r_)replacerrrrdest_namespace$srzX(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)z3^(([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*[a-z]+$c@sbeZdZdZddZejddZeddZ e dd Z d d Z e d d Z ddZddZdS)PluginzGeneric plugin.cCs||_||_dSN)configr)selfrrrrr__init__5szPlugin.__init__cCsdS)aAdd plugin arguments to the CLI argument parser. NOTE: If some of your flags interact with others, you can use cli.report_config_interaction to register this to ensure values are correctly saved/overridable during renewal. :param callable add: Function that proxies calls to `argparse.ArgumentParser.add_argument` prepending options with unique plugin name prefix. Nr)clsaddrrradd_parser_arguments9szPlugin.add_parser_argumentscsfdd}||S)zYInject parser options. See `~.IPlugin.inject_parser_options` for docs. csjdt|f||S)Nz--{0}{1}) add_argumentformatr)Zarg_name_no_prefixargskwargsrparserrrrOsz)Plugin.inject_parser_options..add)r)rr%rrrr$rinject_parser_optionsGszPlugin.inject_parser_optionscCs t|jS)r )rrrrrrrVszPlugin.option_namespacecCs |j|S)z'Option name (include plugin namespace).)r)rrrrr option_name[szPlugin.option_namecCs t|jS)r)rrr'rrrr_szPlugin.dest_namespacecCs|j|ddS)z.Find a destination for given variable ``var``.rr)rrrvarrrrdestdsz Plugin.destcCst|j||S)z0Find a configuration value for variable ``var``.)getattrrr+r)rrrconfjsz Plugin.confN)__name__ __module__ __qualname____doc__r jose_utilabstractclassmethodr classmethodr&propertyrr(rr+r-rrrrr/s    rcsteZdZdZfddZdddZddZd d Zd d ZdddZ ddZ e ddZ e ddZ ddZZS) InstallerzAn installer base class with reverter and ssl_dhparam methods defined. Installer plugins do not have to inherit from this class. cs4tt|j||t|j|j|_t|j|_dSr) superr6rr rrZstorager ZReverter)rr"r# __class__rrruszInstaller.__init__Fc Cs\|r|jj}n|jj}z|||Wn2tjk rV}ztt|W5d}~XYnXdS)aAdd files to a checkpoint. :param set save_files: set of filepaths to save :param str save_notes: notes about changes during the save :param bool temporary: True if the files should be added to a temporary checkpoint rather than a permanent one. This is usually used for changes that will soon be reverted. :raises .errors.PluginError: when unable to add to checkpoint N)r Zadd_to_temp_checkpointadd_to_checkpointr ReverterError PluginErrorstr)rZ save_filesZ save_notesZ temporaryZcheckpoint_funcerrrrrr:zs  zInstaller.add_to_checkpointc CsHz|j|Wn2tjk rB}ztt|W5d}~XYnXdS)zTimestamp and save changes made through the reverter. :param str title: Title describing checkpoint :raises .errors.PluginError: when an error occurs N)r finalize_checkpointrr;r<r=)rtitler>rrrr?szInstaller.finalize_checkpointc CsFz|jWn2tjk r@}ztt|W5d}~XYnXdS)zRevert all previously modified files. Reverts all modified files that have not been saved as a checkpoint :raises .errors.PluginError: If unable to recover the configuration N)r recovery_routinerr;r<r=rr>rrrrAszInstaller.recovery_routinec CsFz|jWn2tjk r@}ztt|W5d}~XYnXdS)zkRollback temporary checkpoint. :raises .errors.PluginError: when unable to revert config N)r revert_temporary_configrr;r<r=rBrrrrCsz!Installer.revert_temporary_configc CsHz|j|Wn2tjk rB}ztt|W5d}~XYnXdS)zRollback saved checkpoints. :param int rollback: Number of checkpoints to revert :raises .errors.PluginError: If there is a problem with the input or the function is unable to correctly revert the configuration N)r rollback_checkpointsrr;r<r=)rZrollbackr>rrrrEs zInstaller.rollback_checkpointsc CsxtjdtddtVtddtz|jWn2tjk rh}zt t |W5d}~XYnXW5QRXdS)zShow all of the configuration changes that have taken place. :raises .errors.PluginError: If there is a problem while processing the checkpoints directories. zThe view_config_changes method is no longer part of Certbot's plugin interface, has been deprecated, and will be removed in a future release. stacklevelignorez.*view_config_changesN) warningswarnDeprecationWarningcatch_warningsfilterwarningsr view_config_changesrr;r<r=rBrrrrOs zInstaller.view_config_changescCstj|jjtjS)z(Full absolute path to ssl_dhparams file.)r pathjoinr config_dirrZSSL_DHPARAMS_DESTr'rrr ssl_dhparamsszInstaller.ssl_dhparamscCstj|jjtjS)z:Full absolute path to digest of updated ssl_dhparams file.)r rPrQrrRrZUPDATED_SSL_DHPARAMS_DIGESTr'rrrupdated_ssl_dhparams_digestsz%Installer.updated_ssl_dhparams_digestcCst|j|jtjtjS)zJCopy Certbot's ssl_dhparams file into the system's config dir if required.)install_version_controlled_filerSrTrZSSL_DHPARAMS_SRCZALL_SSL_DHPARAMS_HASHESr'rrrinstall_ssl_dhparamss zInstaller.install_ssl_dhparams)F)rD)r.r/r0r1rr:r?rArCrErOr5rSrTrV __classcell__rrr8rr6os       r6c@sveZdZdZdddZeddZddZd d Zd d Z d dZ ddZ ddZ ddZ ddZddZddZdS)AddrzRepresents an virtual host address. :param str addr: addr part of vhost address :param str port: port number or \*, or "" FcCs||_||_dSr)tupipv6)rrYrZrrrrsz Addr.__init__cCs|drh|d}|d|d}d}t||dkrX||ddkrX||dd}|||fdd S|d}||d |dfSdS) zInitialize Addr from string.[]NrDrF:T)rZr) startswithrfindlen partition)rZstr_addrZendIndexZhostportrYrrr fromstrings    zAddr.fromstringcCs|jdrd|jS|jdS)NrDz%s:%srrYr'rrr__str__s  z Addr.__str__cCs|jr||jdfS|jS)z5Normalized representation of addr/port tuple rD)rZget_ipv6_explodedrYr'rrrnormalized_tuple szAddr.normalized_tuplecCs t||jr||kSdS)NF) isinstancer9rh)rotherrrr__eq__s z Addr.__eq__cCs t|jSr)hashrYr'rrr__hash__sz Addr.__hash__cCs |jdS)z Return addr part of Addr object.rrer'rrrget_addrsz Addr.get_addrcCs |jdS)z Return port.rDrer'rrrget_portsz Addr.get_portcCs||jd|f|jS)z6Return new address object with same addr and new port.r)r9rYrZ)rrcrrr get_addr_obj#szAddr.get_addr_objcCs|d}|d}||S)z7Return IPv6 address in normalized form, helper functionr[r\)lstriprstrip _explode_ipv6)raddrrrr_normalize_ipv6's  zAddr._normalize_ipv6cCs |jrd||jdSdS)zReturn IPv6 in normalized formr^rr])rZrQrurYr'rrrrg-szAddr.get_ipv6_explodedcCsddddddddg}|d}t|t|kr>|dt|}d}t|D]P\}}|s^d}qJnt|dkrt|d}|st|||<qJt|||t|<qJ|S)z#Explode IPv6 address for comparison0r^rFTrD)splitra enumeraterqr=)rrtresultZ addr_listZ append_to_endiblockrrrrs3s   zAddr._explode_ipv6N)F)r.r/r0r1rr4rdrfrhrkrmrnrorprurgrsrrrrrXs  rXc@s*eZdZdZddZd ddZddZdS) ChallengePerformeravAbstract base for challenge performers. :ivar configurator: Authenticator and installer plugin :ivar achalls: Annotated challenges :vartype achalls: `list` of `.KeyAuthorizationAnnotatedChallenge` :ivar indices: Holds the indices of challenges from a larger array so the user of the class doesn't have to. :vartype indices: `list` of `int` cCs||_g|_g|_dSr) configuratorachallsindicesrr}rrrrXszChallengePerformer.__init__NcCs$|j||dk r |j|dS)zStore challenge to be performed when perform() is called. :param .KeyAuthorizationAnnotatedChallenge achall: Annotated challenge. :param int idx: index to challenge in a larger array N)r~appendr)rachallidxrrr add_chall]s zChallengePerformer.add_challcCs tdS)zPerform all added challenges. :returns: challenge responses :rtype: `list` of `acme.challenges.KeyAuthorizationChallengeResponse` N)NotImplementedErrorr'rrrperformiszChallengePerformer.perform)N)r.r/r0r1rrrrrrrr|Ls  r|csBeZdZdZfddZddZddZdd Zd d d ZZ S)TLSSNI01z1Abstract base for TLS-SNI-01 challenge performerscs(tt||tj|jjd|_dS)Nz!le_tls_sni_01_cert_challenge.conf) r7rrr rPrQrrRZchallenge_confrr8rrrxs zTLSSNI01.__init__cCs tj|jjj|jddS)zReturns standardized name for challenge certificate. :param .KeyAuthorizationAnnotatedChallenge achall: Annotated tls-sni-01 challenge. :returns: certificate file name :rtype: str tokenz.crtr rPrQr}rwork_dirZchallencoderrrrr get_cert_path~s zTLSSNI01.get_cert_pathcCs tj|jjj|jddS)z'Get standardized path to challenge key.rz.pemrrrrr get_key_pathszTLSSNI01.get_key_pathcCs||jjdS)z.Returns z_domain (SNI) name for the challenge.zutf-8)responseZ account_keyZz_domaindecoderrrr get_z_domainszTLSSNI01.get_z_domainNc Cs||}||}|jjd||jjd||j|d\}\}}tjtjj |}tj tjj |} t |d} | |W5QRXt j|ddd} | | W5QRX|S)z-Generate and write out challenge certificate.T)cert_keywb)chmod)rrr}r Zregister_file_creationZresponse_and_validationOpenSSLZcryptoZdump_certificateZ FILETYPE_PEMZdump_privatekeyopenwriterZ safe_open) rrrZ cert_pathZkey_pathrZcertkeyZcert_pemZkey_pemZ cert_chall_fdZkey_filerrr_setup_challenge_certs(   zTLSSNI01._setup_challenge_cert)N) r.r/r0r1rrrrrrWrrr8rrts   rc stfddfdd}tjs>|dSt}|krTdS||krd|nLtjrtd}|}W5QRX|krdStddS)aCopy a file into an active location (likely the system's config dir) if required. :param str dest_path: destination path for version controlled file :param str digest_path: path to save a digest of the file in :param str src_path: path to version controlled file found in distribution :param list all_hashes: hashes of every released version of the file c s$td}|W5QRXdS)Nw)rr)f) current_hash digest_pathrr_write_current_hashs z._write_current_hashcstdSr)shutilZcopyfiler)r dest_pathsrc_pathrr_install_current_files z>install_version_controlled_file.._install_current_fileNrzh%s has been manually modified; updated file saved to %s. We recommend updating %s for security purposes.) rZ sha256sumr rPisfilerreadloggerZwarning)rrrZ all_hashesrZactive_file_digestrZ saved_digestr)rrrrrrrUs,     rUcCsdd}|d}|d}|d}t|tjt|tjt|tjt|tjd|}t j |tj||dd|||fS) z5Setup the directories necessary for the configurator.cSstt|S)aReturn the real path of a temp directory with the specified prefix Some plugins rely on real paths of symlinks for working correctly. For example, certbot-apache uses real paths of configuration files to tell a virtual host from another. On systems where TMP itself is a symbolic link, (ex: OS X) such plugins will be confused. This function prevents such a case. )r realpathtempfileZmkdtemp)prefixrrrexpanded_tempdirs z#dir_setup..expanded_tempdirZtemprZworkZtestdataT)Zsymlinks) r rrZCONFIG_DIRS_MODE pkg_resourcesZresource_filenamer rPrQrZcopytree)Ztest_dirpkgrZtemp_dirrRrZ test_configsrrr dir_setups"   rc@s8eZdZdZddZddZddZdd Zd d Zd S) _TLSSNI01DeprecationModulez Internal class delegating to a module, and displaying warnings when attributes related to TLS-SNI-01 are accessed. cCs||jd<dSN_module)__dict__)rmodulerrrrsz#_TLSSNI01DeprecationModule.__init__cCs$|dkrtjdtddt|j|S)Nrz0TLSSNI01 is deprecated and will be removed soon.rFrG)rJrKrLr,rrattrrrr __getattr__s z&_TLSSNI01DeprecationModule.__getattr__cCst|j||dSr)setattrr)rrvaluerrr __setattr__sz&_TLSSNI01DeprecationModule.__setattr__cCst|j|dSr)delattrrrrrr __delattr__sz&_TLSSNI01DeprecationModule.__delattr__cCsdgt|jSr)dirrr'rrr__dir__sz"_TLSSNI01DeprecationModule.__dir__N) r.r/r0r1rrrrrrrrrrs r)2r1ZloggingrersysrrJrrZzope.interfacezopeZjosepyrr2Zacme.magic_typingrZcertbotrrrrrr Zcertbot.compatr r Zcertbot.plugins.storager Z getLoggerr.rrrcompileZprivate_ips_regex IGNORECASEZhostname_regexZ interfaceZ implementerZIPluginobjectrr6rXr|rrUrrmodulesrrrrsR              ?{b(92!