Your IP : 216.73.216.52

Current Path : /usr/lib/python3/dist-packages/uaclient/__pycache__/
Upload File :
Current File : //usr/lib/python3/dist-packages/uaclient/__pycache__/security.cpython-38.pyc

U

8�-d��@s�ddlZddlZddlZddlZddlZddlmZddlmZddlm	Z	m
Z
mZmZm
Z
mZmZddlmZmZmZmZmZmZddlmZddlmZmZddlmZmZdd	lm Z m!Z!m"Z"dd
l#m$Z$ddl%m&Z&m'Z'ddl(m)Z)dd
l*m+Z+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2dZ3dZ4dZ5dZ6dZ7dZ8dZ9dZ:edde;fdee<fdee<fde;fg�Z=edde<fd e<fd!e<fg�Z>ej?Gd"d#�d#ej@��ZAGd$d%�d%ejB�ZCGd&d'�d'�ZDGd(d)�d)�ZEGd*d+�d+�ZFe
e<e
e<e<ffd,�d-d.�ZGeeFe
e<e;fe
e<e
e<e
e<e<fffd/�d0d1�ZHd2d3�ZIdxe$e<e;eAd5�d6d7�ZJd8d9�ZKd:d;�ZLeFe
e<e
e<e<ffe
e<eDfd<�d=d>�ZMeEe
e<e
e<e<ffe
e<eDfd?�d@dA�ZNe<e
e<eDfdB�dCdD�ZOeDe
e<e
e<e<ffeDdE�dFdG�ZPdHdI�ZQeee<eDfeReRe<dJ�dKdL�ZSe<e$dM�dNdO�ZTe<e$e;dP�dQdR�ZUe$e
e<eee<eDffe
e<ee>feReRe;e=dS�dTdU�ZVee<e<dV�dWdX�ZWe$e<e
e<eDfe
e<e
e<e<ffe
e<e
e<e
e<e<fffe;eAdY�dZd[�ZXdd,�d\d]�ZYe$e<e;d^�d_d`�ZZe$da�dbdc�Z[e$e;dd�dedf�Z\e$e<e;dg�dhdi�Z]e$e;e;dj�dkdl�Z^e<e$e;e;dm�dndo�Z_e$e;dd�dpdq�Z`e
e<e	fe$e;e;dr�dsdt�Zae$ee<e<e;e;du�dvdw�ZbdS)y�N)�defaultdict)�datetime)�Any�Dict�List�
NamedTuple�Optional�Set�Tuple)�apt�
exceptions�messages�
serviceclient�system�util)�	_initiate)�MagicAttachRevokeOptions�_revoke)�MagicAttachWaitOptions�_wait)�CLOUD_TYPE_TO_TITLE�
PRO_CLOUDS�get_cloud_type)�UAConfig)�BASE_UA_URL�PRINT_WRAP_WIDTH)�entitlement_factory)�ApplicabilityStatus�UserFacingStatus)�notices)�Notice)�colorize_commandsz=((CVE|cve)-\d{4}-\d{4,7}$|(USN|usn|LSN|lsn)-\d{1,5}-\d{1,2}$)z	cves.jsonzcves/{cve}.jsonznotices.jsonznotices/{notice}.jsonzUbuntu standard updateszUbuntu Pro: ESM InfrazUbuntu Pro: ESM Apps�ReleasedPackagesInstallResult�
fix_status�unfixed_pkgs�installed_pkgs�all_already_installed�BinaryPackageFix�
source_pkg�
binary_pkg�
fixed_versionc@seZdZdZdZdZdZdS)�	FixStatuszD
    An enum to represent the system status after fix operation
    r��N)�__name__�
__module__�__qualname__�__doc__�SYSTEM_NON_VULNERABLE�SYSTEM_STILL_VULNERABLE�SYSTEM_VULNERABLE_UNTIL_REBOOT�r5r5�3/usr/lib/python3/dist-packages/uaclient/security.pyr+Gsr+cs�eZdZdZdZejZee	e
fee	e
fd�dd�Zej
ejdddgd	�d�fdd�	�Zdee	ee	ee	eeeeee	ee	eee	ed
d�	dd�Ze	d
d�dd�Zdee	ee	eeeeee	edd�dd�Ze	dd�dd�Z�ZS)�UASecurityClient�Zsecurity_url)�query_params�returncCs.|jj�di��di�}|r*|�|�|S|S)zD
        Update query params with data from feature config.
        Zfeatures�extra_security_params)�cfg�get�update)�selfr9r;r5r5r6�_get_query_paramsXs�
z"UASecurityClient._get_query_paramsr,��)Zretry_sleepsNcs"|�|�}t�j|||||dd�S)NF)�path�data�headers�methodr9Zlog_response_body)r@�super�request_url)r?rCrDrErFr9��	__class__r5r6rHhs
�zUASecurityClient.request_url�CVE)	�query�priority�package�limit�offset�	component�version�statusr:c		s:||||||||d�}	�jt|	d�\}
}�fdd�|
D�S)znQuery to match multiple-CVEs.

        @return: List of CVE instances based on the the JSON response.
        )�qrMrNrOrPrQrRrS�r9csg|]}t�|d��qS)��client�response)rK)�.0Zcve_md�r?r5r6�
<listcomp>�sz-UASecurityClient.get_cves.<locals>.<listcomp>)rH�API_V1_CVES)r?rLrMrNrOrPrQrRrSr9Z
cves_response�_headersr5rZr6�get_cvesvs�
�
zUASecurityClient.get_cves)�cve_idr:cCs"|�tj|d��\}}t||d�S)zkQuery to match single-CVE.

        @return: CVE instance for JSON response from the Security API.
        )�cverV)rH�API_V1_CVE_TMPL�formatrK)r?r_�cve_responser]r5r5r6�get_cve�s
�zUASecurityClient.get_cve�USN)�details�releaserOrP�orderr:c	sJ�||||d�}�jt|d�\}}t��fdd�|�dg�D�dd�d�S)	zuQuery to match multiple-USNs.

        @return: Sorted list of USN instances based on the the JSON response.
        )rfrgrOrPrhrUcs0g|](}�dks �|�dg�krt�|d��qS)N�cves_idsrV)r=re)rYZusn_md�rfr?r5r6r[�s�z0UASecurityClient.get_notices.<locals>.<listcomp>rcSs|jS�N��id��xr5r5r6�<lambda>��z.UASecurityClient.get_notices.<locals>.<lambda>��key)rH�API_V1_NOTICES�sortedr=)	r?rfrgrOrPrhr9Z
usns_responser]r5rjr6�get_notices�s 
��

��zUASecurityClient.get_notices)�	notice_idr:cCs"|�tj|d��\}}t||d�S)zbQuery to match single-USN.

        @return: USN instance representing the JSON response.
        )�noticerV)rH�API_V1_NOTICE_TMPLrbre)r?rwZnotice_responser]r5r5r6�
get_notice�s
�zUASecurityClient.get_notice)NNNN)NNNNNNNN)NNNNN)r.r/r0Zurl_timeoutZcfg_url_base_attrr�SecurityAPIErrorZ
api_error_clsr�strrr@rZretry�socketZtimeoutrHr�intrr^rdrvrz�
__classcell__r5r5rIr6r7Rs\

���
���r7c@s�eZdZdZeeefd�dd�Zedd��Z	edd��Z
ed	d
��Zedd��Zed
d��Z
edd��Zeed�dd��Zedd��ZdS)�CVEPackageStatuszAClass representing specific CVE PackageStatus on an Ubuntu series�rccCs
||_dSrk�rX)r?rcr5r5r6�__init__�szCVEPackageStatus.__init__cCs
|jdS�N�descriptionr�rZr5r5r6r��szCVEPackageStatus.descriptioncCs|jSrk)r�rZr5r5r6r*�szCVEPackageStatus.fixed_versioncCs
|jdS)N�pocketr�rZr5r5r6r��szCVEPackageStatus.pocketcCs
|jdS)N�release_codenamer�rZr5r5r6r��sz!CVEPackageStatus.release_codenamecCs
|jdS)NrSr�rZr5r5r6rS�szCVEPackageStatus.statuscCsz|jdkrdS|jdkrdS|jdkr*dS|jdkr8dS|jd	krFd
S|jdkrTdS|jd
krntjj|jd�Sd�|j�S)NZneededzSorry, no fix is available yet.zneeds-triagez7Ubuntu security engineers are investigating this issue.�pendingz)A fix is coming soon. Try again tomorrow.)�ignored�deferredzSorry, no fix is available.ZDNEz.Source package does not exist on this release.�not-affectedz/Source package is not affected on this release.�released)Z
fix_streamzUNKNOWN: {})rSr
ZSECURITY_FIX_RELEASE_STREAMrb�
pocket_sourcerZr5r5r6�status_message�s"






�zCVEPackageStatus.status_message�r:cCst|jtk�S)z?Return True if the package requires an active Pro subscription.)�boolr��UBUNTU_STANDARD_UPDATES_POCKETrZr5r5r6�requires_ua�szCVEPackageStatus.requires_uacCsH|jdkrt}n4|jdkr t}n$|jdkr0t}nd|jkr@t}nt}|S)z>Human-readable string representing where the fix is published.�	esm-infra�esm-apps)ZupdatesZsecurityZesm)r��UA_INFRA_POCKET�UA_APPS_POCKETr�r*)r?Z
fix_sourcer5r5r6r��s



zCVEPackageStatus.pocket_sourceN)r.r/r0r1rr|rr��propertyr�r*r�r�rSr�r�r�r�r5r5r5r6r��s$





r�c@s�eZdZdZeeeefd�dd�Ze	d�dd�Z
edd	��Zd
d�Z
eeed�dd
��Zeedd�dd��Zedd��Zeeeefd�dd��ZdS)rKz7Class representing CVE response from the SecurityClientrVcCs||_||_dSrk�rXrW�r?rWrXr5r5r6r�szCVE.__init__r�cCst|t�sdS|j|jkS�NF)�
isinstancerKrX�r?�otherr5r5r6�__eq__s
z
CVE.__eq__cCs|j�dd���S)NrmZUNKNOWN_CVE_ID�rXr=�upperrZr5r5r6rmszCVE.idcCsB|j}|jD]}|j}qqdj|j|d�d�|j�g}d�|�S)z2Return a string representing the URL for this cve.�{issue}: {title}��issue�title�! - https://ubuntu.com/security/{}�
)r�rr�rbrm�join)r?r�rx�linesr5r5r6�get_url_headers

�zCVE.get_url_headercCs|j�dg�S)N�notices_ids�rXr=rZr5r5r6r�+szCVE.notices_idsrecs<t�d�s6t�fdd��j�dg�D�dd�dd��_�jS)	z�Return a list of USN instances from API response 'notices'.

        Cache the value to avoid extra work on multiple calls.
        �_noticescsg|]}t�j|��qSr5)rerW)rYrxrZr5r6r[7s�zCVE.notices.<locals>.<listcomp>rcSs|jSrkrl��nr5r5r6rp;rqzCVE.notices.<locals>.<lambda>T�rs�reverse)�hasattrrurXr=r�rZr5rZr6r/s

��zCVE.noticescCs|j�d�Sr�r�rZr5r5r6r�@szCVE.descriptioncCsdt|d�r|jSi|_t��d}|jdD]0}|dD]"}|d|kr8t|�|j|d<q8q,|jS)z�Dict of package status dicts for the current Ubuntu series.

        Top-level keys are source packages names and each value is a
        CVEPackageStatus object
        �_packages_status�seriesZpackagesZstatusesr��name)r�r�r�get_platform_inforXr�)r?r�rN�
pkg_statusr5r5r6�packages_statusDs
�zCVE.packages_statusN)r.r/r0r1r7rr|rr�r�r�r�rmr�rr�rr�r�r�r5r5r5r6rKs


rKc@s�eZdZdZeeeefd�dd�Ze	d�dd�Z
eed�dd	��Zee
ed�d
d��Zee
ed�dd
��Zedd��Zedd��Zdd�Zeeeeeeeefffd�dd��ZdS)rez7Class representing USN response from the SecurityClientrVcCs||_||_dSrkr�r�r5r5r6r�[szUSN.__init__r�cCst|t�sdS|j|jkSr�)r�rerXr�r5r5r6r�_s
z
USN.__eq__cCs|j�dd���S)NrmZUNKNOWN_USN_IDr�rZr5r5r6rmdszUSN.idcCs|j�dg�S)z$List of CVE IDs related to this USN.rir�rZr5r5r6rihszUSN.cves_idscs<t�d�s6t�fdd��j�dg�D�dd�dd��_�jS)	z�List of CVE instances based on API response 'cves' key.

        Cache the values to avoid extra work for multiple call-sites.
        �_cvescsg|]}t�j|��qSr5)rKrW)rYr`rZr5r6r[us�zUSN.cves.<locals>.<listcomp>�cvescSs|jSrkrlr�r5r5r6rpyrqzUSN.cves.<locals>.<lambda>Tr�)r�rurXr=r�rZr5rZr6r�ms

��zUSN.cvescCs|j�d�S)Nr�r�rZr5r5r6r�~sz	USN.titlecCs|j�d�S)N�
referencesr�rZr5r5r6r��szUSN.referencescCsvdj|j|jd�g}|jrB|�d�|jD]}|�d�|��q*n*|jrl|�d�|jD]}|�d|�qXd�|�S)z5Return a string representing the URL for this notice.r�r�zFound CVEs:r�zFound Launchpad bugs:z - r�)rbrmr�ri�appendr�r�)r?r�r`Z	referencer5r5r6r��s



zUSN.get_url_headercCsRt|d�r|jSt��d}i|_|j�di��|g�D�]}|�d�r�|d|jkr�d|j|dkr�tjdj|j	|dd�|j	d	��||j|dd<nd|i|j|d<q8|�d
�s�tjdj|j	|dd�|j	d	��n4d
|d
k�rtjdj|j	|d|d
d�|j	d	��|d
�
d
�d}||jk�r8i|j|<||j||d<q8|jS)aWBinary package information available for this release.


        Reformat the USN.release_packages response to key it based on source
        package name and related binary package names.

        :return: Dict keyed by source package name. The second-level key will
            be binary package names generated from that source package and the
            values will be the dict response from USN.release_packages for
            that binary package. The binary metadata contains the following
            keys: name, version.
            Optional additional keys: pocket and component.
        �_release_packagesr��release_packagesZ	is_sourcer��sourcez6{usn} metadata defines duplicate source packages {pkg})�usn�pkg��issue_idZsource_linkzL{issue} metadata does not define release_packages source_link for {bin_pkg}.)r��bin_pkg�/zX{issue} metadata has unexpected release_packages source_link value for {bin_pkg}: {link})r�r��link���)r�r�rr�rXr=r�SecurityAPIMetadataErrorrbrm�split)r?r�r��source_pkg_namer5r5r6r��sN

��
����	
zUSN.release_packagesN)r.r/r0r1r7rr|rr�r�r�r�rmrrirKr�r�r�r�r�r5r5r5r6reXs 

rer�c	Cs|d}t�dd|ddg�\}}i}|��D]J}|�d�\}}}}|sJ|}d|krTq,||krj||||<q,||i||<q,|S)z�Return a dict of all source packages installed on the system.

    The dict keys will be source package name: "krb5". The value will be a dict
    with keys binary_pkg and version.
    z${db:Status-Status}z
dpkg-queryz#-f=${Package},${Source},${Version},r�z-W�,Z	installed)r�subp�
splitlinesr�)	Zstatus_field�outZ_err�installed_packagesZpkg_line�pkg_namer�Zpkg_versionrSr5r5r6�#query_installed_source_pkg_versions�s$
��r�)�usns�beta_pocketsr:cs�i}|D]�}|j��D]�\}}�fdd�|��D�}||krJ|rJ|||<q||kr||}|��D]D\}}	||kr||	||<qb||d}
|	d}t�||
d�sb|	||<qbqq|S)aWalk related USNs, merging the released binary package versions.

    For each USN, iterate over release_packages to collect released binary
        package names and required fix version. If multiple related USNs
        require different version fixes to the same binary package, track the
        maximum version required across all USNs.

    :param usns: List of USN response instances from which to calculate merge.
    :param beta_pockets: Dict keyed on service name: esm-infra, esm-apps
        the values of which will be true of USN response instances
        from which to calculate merge.

    :return: Dict keyed by source package name. Under each source package will
        be a dict with binary package name as keys and binary package metadata
        as the value.
    c	s.i|]&\}}d��|�dd�d�kr||�qS)Fr��None�r=)rYZbin_pkg_nameZ
bin_pkg_md�r�r5r6�
<dictcomp>s��z>merge_usn_released_binary_package_versions.<locals>.<dictcomp>rR�le)r��itemsr�compare_versions)r�r�Zusn_pkg_versionsr��src_pkgZbinary_pkg_versionsZpublic_bin_pkg_versionsZusn_src_pkgr�Z
binary_pkg_mdZprev_versionZcurrent_versionr5r�r6�*merge_usn_released_binary_package_versions�s,
�

�r�cCsX|js|gSi}|jD](}|jD]}||kr |j|d�||<q qtt|��dd�d��S)z�For a give usn, get the related USNs for it.

    For each CVE associated with the given USN, we capture
    other USNs that are related to the CVE. We consider those
    USNs related to the original USN.
    �rwcSs|jSrkrlrnr5r5r6rp8rqz"get_related_usns.<locals>.<lambda>rr)r�r�rz�listru�values)r�rWZrelated_usnsr`Zrelated_usn_idr5r5r6�get_related_usns"s

�r�F)r<r��dry_runr:c
s`|rttj�����t|d�}t�}tt|�tt|�d�}d�k�r�d}zt	�
ddddg�\}}Wntjk
rzYnX|�rzdt
�|�dd	d
}|r�|�dg�}	t�fdd
�|	D��r�ttjj�|�dd�d��tjWSWntttfk
�rYnXz|j�d�}
|j�d�}WnTtjk
�rt}z2t|�}
d|
��k�rZtjj�d�}
t�|
��W5d}~XYnXt|
|d�}t|
� ��t!||�}n�z|j"�d�}t#||�}WnTtjk
�r}z2t|�}
d|
��k�r�tjj�d�}
t�|
��W5d}~XYnXt$||d�}t!||�}t|� ��|j%d�sLtj&d����d��t'|�||||d�S)N�r<)r�r�rKzcanonical-livepatchrSz	--verbosez
--format=jsonZStatusrZ	LivepatchZFixesc3s&|]}|d���ko|dVqdS)�NameZPatchedN)�lower)rYZfixr�r5r6�	<genexpr>as�z(fix_security_issue_id.<locals>.<genexpr>ZVersionzN/A)r�rR)r_)rfz	not foundr�)r`r�r��r�r�r�z.{} metadata defines no fixed package versions.)r<r��affected_pkg_statusr��usn_released_pkgsr�)(�printr
ZSECURITY_DRY_RUN_WARNINGr�r7r��_is_pocket_used_by_beta_servicer�r�rr�rZProcessExecutionError�json�loadsr=�anyZCVE_FIXED_BY_LIVEPATCHrbr+r2�
ValueError�KeyError�
IndexErrorrdrvr{r|r�ZSECURITY_FIX_NOT_FOUND_ISSUE�UserFacingError�'get_cve_affected_source_packages_statusr�r�rzr�� get_usn_affected_packages_statusrXr��prompt_for_affected_packages)r<r�r�rWr�r�Z
status_stdout�_Zparsed_patch�fixesr`r��e�msgr�r�r�r5r�r6�fix_security_issue_id;s�

�
����
�����������r�cCs^i}|D]P}t||���D]<\}}||kr4|||<q||j}t�||jd�s|||<qq|S)Nr�)r�r�r*rr�)r�r��
affected_pkgsr`r�r�Zcurrent_verr5r5r6�get_affected_packages_from_cves�s �

�r�cCs�i}|j��D]n\}}||kr qtt�}d|d<dd�|��D�}|sbd}tj|�|j�|jd��|��|d<t	|d�||<q|S)	Nr�rScSs"h|]\}}|�d�r|d�qS)r�r�)rYr�Zpkg_bin_infor5r5r6�	<setcomp>�s
�z1get_affected_packages_from_usn.<locals>.<setcomp>zC{} metadata defines no pocket information for any release packages.r�r�r�)
r�r�rr|rr�rbrm�popr�)r�r�r�r�Zpkg_inforcZall_pocketsr�r5r5r6�get_affected_packages_from_usn�s&��
�r�)r�r�r:cCs |jrt|j|�St||�SdS)z�Walk CVEs related to a USN and return a dict of all affected packages.

    :return: Dict keyed on source package name, with active CVEPackageStatus
        for the current Ubuntu release.
    N)r�r�r�r�r5r5r6r��sr�)r`r�r:cCs8i}|j��D]$\}}|jdkr"q||kr|||<q|S)z�Get a dict of any CVEPackageStatuses affecting this Ubuntu release.

    :return: Dict of active CVEPackageStatus keyed by source package names.
    r�)r�r�rS)r`r�Zaffected_pkg_versionsr(Zpackage_statusr5r5r6r��s

r�)r�r�cCs�t|�}|dkrFtdtjjddd�d�tdtjj|d��dS|d	krTd
}nd}dtjj||d�dd�t|����}tt	j
|td
dd��dS)a	Print header strings describing affected packages related to a CVE/USN.

    :param issue_id: String of USN or CVE issue id.
    :param affected_pkg_status: Dict keyed on source package name, with active
        CVEPackageStatus for the current Ubuntu release.
    rr�ZNozs are)�count�
plural_str�.�r�Nr,z isz: �, �    F)�width�subsequent_indentZreplace_whitespace)�lenr�r
ZSECURITY_AFFECTED_PKGSrbZSECURITY_ISSUE_UNAFFECTEDr�ru�keys�textwrap�fillr)r�r�r�r�r�r5r5r6�print_affected_packages_header�sH	�����������r
)r��usn_src_released_pkgsr:cCsft�|�}|rb|�d�rbd|jd<|dd|jd<|��D]$\}}|�d�}|r<||jd<qbq<|S)a�Parse release status based on both pkg_status and USN.release_packages.

    Since some source packages in universe are not represented in
    CVEPackageStatus, rely on presence of such source packages in
    usn_src_released_pkgs to represent package as a "released" status.

    :param pkg_status: the CVEPackageStatus for this source package.
    :param usn_src_released_pkgs: The USN.release_packages representing only
       this source package. Normally, release_packages would have data on
       multiple source packages.

    :return: Tuple of:
        human-readable status message, boolean whether released,
        boolean whether the fix requires access to UA
    r�r�rSrRr�r�)�copy�deepcopyr=rXr�)r�r�usn_pkg_statusr�Zusn_released_pkgr�r5r5r6�#override_usn_release_package_status s

��


rcCsdi}t|���D]N\}}|�|i�}t||�}|j�dd�}||krLg||<||�||f�q|S)Nr�r�)rur�r=rrS�replacer�)r�r�Z
status_groupsr�r��usn_released_srcrZstatus_groupr5r5r6�group_by_usn_package_statusCs�r)�pkg_status_list�	pkg_index�num_pkgsr:cCs�|sdSg}g}|D],\}}|d7}|�d�||��|�|�qtjd�dd�|�dd�t|���tdd	�}d
�||j�S)z;Format the packages and status to an user friendly message.�r,z{}/{}z{} {}:�(r�)r�rrz{}
{})r�rbrr	r�rurr�)rrrZ	msg_indexZsrc_pkgsr�r�Z
msg_headerr5r5r6�_format_packages_messageQs"��r)r�r<cCs:d}|tkrd}n|tkrd}t||d�}|r6||�SdS)Nzno-service-neededr�r�)r<r�)r�r�r)r�r<Zservice_to_checkZent_clsr5r5r6�_get_service_for_pocketksr)r�r<r:cCs4t||�}|r0|��\}}|tjkr(dS|jSdS)zBCheck if the pocket where the fix is at belongs to a beta service.F)r�user_facing_statusr�ACTIVEZ
valid_service)r�r<�ent�
ent_statusr�r5r5r6r�vs

r�)r<�src_pocket_pkgs�binary_pocket_pkgsrrr�r:cCs4d}d}t�}t�}	|�r$tttfD]�}
||
}||
}|r�t|||d�}
|
rlt|
�|shttj�q$nd}g}|D]\}t�	|j
�}|r�t�|j|d�r�|�
|j
�qttdtjj|j
|jd�j�|�|j�qt|t|�7}|t|||
|d�M}|�s|�dd	�|D��q$|	�d
d�|D��q$t|||	|d�S)
a%Handle the packages that could be fixed and have a released status.

    :returns: Tuple of
        boolean whether all packages were successfully upgraded,
        list of strings containing the packages that were not upgraded,
        boolean whether all packages were already installed
    T�rrrFr�z- )rNrR)r<�upgrade_pkgsr�r�cSsg|]\}}|�qSr5r5�rYr�r�r5r5r6r[�sz2_handle_released_package_fixes.<locals>.<listcomp>css|]}|jVqdSrk)r))rYr)r5r5r6r��sz1_handle_released_package_fixes.<locals>.<genexpr>)r#r$r%r&)�setr�r�r�rr�r
ZSECURITY_UPDATE_INSTALLEDrZget_pkg_candidate_versionr)r�r*r�ZFIX_CANNOT_INSTALL_PACKAGErbr��addr(r�upgrade_packages_and_attachr>r")r<r r!rrr�r&Zupgrade_statusr$r%r�Z
pkg_src_groupZbinary_pkgsr�r#r)Zcandidate_versionr5r5r6�_handle_released_package_fixes�sz��
������
�
�r()r$r:c
CsFt|�}tjd�||dkrdnd|dkr,dndd�t|���tdd	�S)
z�Format the list of unfixed packages into an message.

    :returns: A string containing the message output for the unfixed
              packages.
    z"{} package{} {} still affected: {}r,�srZare�isrrr)rrr	rbr�rur)r$Znum_pkgs_unfixedr5r5r6�_format_unfixed_packages_msg�s��r+)r<r�r�r�r�r�r:c
Cs�t|�}t||�|dkr tjStjj|d�}tt�}tt�}	d}
t	||�}g}t
|���D�]\}
}|
dkr�tjj|d�}t
t||
|d��|
t|�7}
|dd�|D�7}q\|D]�\}}||j�||f�||��D]�\}}|�|i�}||k�r0|dd�|D�7}dj||d	�}|t|�7}t�||��|�|i��d
d�}t�||d�s�|	|j�t|||d
��q�q�q\t|||	|
||d�}||j7}t
�|�r�t
t|��tjj|d�}|j�rh|j�r�t
t�|��|�r�tjStjStj |j!d��rFtj"jdd�}t
|�t#j$t%j&dd�t
t�tjj|d���|�r@tjStj'St
t�|��|�r`tjStjSnt
t�tjj|d���tjSdS)aProcess security CVE dict returning a CVEStatus object.

    Since CVEs point to a USN if active, get_notice may be called to fill in
    CVE title details.

    :returns: An FixStatus enum value corresponding to the system state
              after processing the affected packages
    rrr�r"cSsg|]\}}|�qSr5r5r$r5r5r6r[sz0prompt_for_affected_packages.<locals>.<listcomp>cSsg|]\}}|�qSr5r5r$r5r5r6r[&sz5{issue} metadata defines no fixed version for {pkg}.
)r�r�rRrr�)r(r)r*)r<r r!rrr�)r%z
fix operation)Z	operationN)(rr
r+r2r
ZSECURITY_ISSUE_RESOLVEDrbrr�rrur�ZSECURITY_ISSUE_NOT_RESOLVEDr�rr�r�r=r+rr�rr�r'r(r$r#r&rZhandle_unicode_charactersr3rZ
should_rebootr%ZENABLE_REBOOT_REQUIRED_TMPLrr&r ZENABLE_REBOOT_REQUIREDr4)r<r�r�r�r�r�r�Zfix_messager r!rZpkg_status_groupsr$Zstatus_valueZpkg_status_groupr�r�r)rRrr�r*Zreleased_pkgs_install_resultZ
reboot_msgr5r5r6r��s�
����
�
�����
��
�	
��
�������
��
���r�cCs0t�\}}|tkr,ttjjt�|�|d��dS)z:Alert the user when running Pro on cloud with PRO support.)r�ZcloudN)rrr�r
ZSECURITY_USE_PRO_TMPLrbrr=)Z
cloud_typer�r5r5r6�*_inform_ubuntu_pro_existence_if_applicable�s
��r,)r<�tokenr:c
Cs�ddl}ddlm}ttdd|gg��z$|�|j|dddd�|�}|dkWStjk
r�}zt|j	�WY�d	Sd}~XYnXdS)
ztAttach to an Ubuntu Pro subscription with a given token.

    :return: True if attach performed without errors.
    rN��cli�proZattachTr/)r-Zauto_enablerbZ
attach_configF)
�argparse�uaclientr/r�r!Z
action_attach�	Namespacerr�r�)r<r-r1r/Zret_code�errr5r5r6�_run_ua_attach�s"��

r5r�c
Cs�ttj�t|d�}tdtjj|jd��t|jd�}zt	||d�}WnJt
jk
r�}z*ttj�t
|jd�}t||d�|�W5d}~XYnXtdtj�t||j�S)Nr�r�)�	user_code)Zmagic_token)Zoptionsr<)r�r
ZCLI_MAGIC_ATTACH_INITrZCLI_MAGIC_ATTACH_SIGN_INrbr6rr-rrZMagicAttachTokenErrorZCLI_MAGIC_ATTACH_FAILEDrrZCLI_MAGIC_ATTACH_PROCESSINGr5Zcontract_token)r<Z
initiate_respZwait_optionsZ	wait_respr�Zrevoke_optionsr5r5r6�_perform_magic_attach�s*

���
�r7)r<r:cCsjt�ttj�tjtjdddgd�}|dkr2dS|dkrBt|�S|dkrfttj�t	d�}t
||�SdS)zZPrompt for attach to a subscription or token.

    :return: True if attach performed.
    r)�a�c�Z
valid_choicesF�> T)r,r�r
Z*SECURITY_UPDATE_NOT_INSTALLED_SUBSCRIPTIONr�prompt_choicesZSECURITY_FIX_ATTACH_PROMPTr7ZPROMPT_ENTER_TOKEN�inputr5)r<�choicer-r5r5r6�_prompt_for_attach�s
�

r?)r<�servicer:cCs�ddl}ddlm}ttjj|d��tjd�|�ddgd�}|dkr�tt	d	d
|gg��t
d|�|j|gddd
dd�|�k�SdS)zMPrompt for enable a pro service.

    :return: True if enable performed.
    rNr.�r@zChoose: [E]nable {} [C]ancelr�r9r:r0�enableTFr/)r@�
assume_yesZbetarbZaccess_only)
r1r2r/r�r
ZSECURITY_SERVICE_DISABLEDrbrr<r!r�Z
action_enabler3)r<r@r1r/r>r5r5r6�_prompt_for_enable�s0�����rD)r<r�r:cCs|rtdtj�dSt|�S)z<Verify if machine is attached to an Ubuntu Pro subscription.r�T)r�r
Z SECURITY_DRY_RUN_UA_NOT_ATTACHEDr?)r<r�r5r5r6�_check_attached�srE)r�r<r�r:cCs�t||�}|r�|��\}}|tjkr(dS|��\}}|tjkr�|r^tdtj	j
|jd��dSt||j�rndSttj
j
|jd��nttjj
|jd��dS)zQ
    Verify if the Ubuntu Pro subscription has the required service enabled.
    Tr�rAF)rrrr�applicability_statusrZ
APPLICABLEr�r
Z'SECURITY_DRY_RUN_UA_SERVICE_NOT_ENABLEDrbr�rDZSECURITY_UA_SERVICE_NOT_ENABLEDZ SECURITY_UA_SERVICE_NOT_ENTITLED)r�r<r�rrr�rFr5r5r6�(_check_subscription_for_required_services:


�������rGcCs�ddl}ddlm}t�ttj�tjd�	t
�ddgd�}|dkr�ttj�td�}tt
d	d
gg��|�|jddd
�|�t||�SdS)zdPrompt for attach a new subscription token to the user.

    :return: True if attach performed.
    rNr.z2Choose: [R]enew your subscription (at {}) [C]ancel�rr9r:r;r0�detachTr/)rCrbF)r1r2r/r,r�r
Z%SECURITY_UPDATE_NOT_INSTALLED_EXPIREDrr<rbrZPROMPT_EXPIRED_ENTER_TOKENr=r!Z
action_detachr3r5)r<r1r/r>r-r5r5r6�_prompt_for_new_token0s(
��
�
rJ)�status_cacher<r�r:cCsV|�dd�}|sdS|�d�}|dks6|t�|j�krR|rHttj�dSt|�SdS)zuCheck if the Ubuntu Pro subscription is expired.

    :returns: True if subscription is expired and not renewed.
    �attachedFZexpiresN)r=rZnowZtzinfor�r
Z(SECURITY_DRY_RUN_UA_EXPIRED_SUBSCRIPTIONrJ)rKr<r�rLZcontract_expiry_datetimer5r5r6�_check_subscription_is_expiredMs

��

rM)r<r#r�r�r:c
Cs|sdSt��s"|s"ttj�dS|tkrv|�d�p6i}|�dd�sTt||�sfdSnt	|||d�rfdSt
|||�svdSttdddgdd	d
dgt|�g��|�sz*t
��t
jdd	d
dg|d
did�WnFtk
�r}z&t|dt|��}t|���WY�dSd}~XYnXdS)aUpgrade available packages to fix a CVE.

    Upgrade all packages in upgrades_packages and, if necessary,
    prompt regarding system attach prior to upgrading Ubuntu Pro packages.

    :return: True if package upgrade completed or unneeded, False otherwise.
    TFzstatus-cacherL)rKr<r�rr>z&&�installz--only-upgradez-yzapt-getZDEBIAN_FRONTENDZnoninteractive)�cmd�envr�N)rZwe_are_currently_rootr�r
ZSECURITY_APT_NON_ROOTr�Z
read_cacher=rErMrGr!rurZrun_apt_update_commandZrun_apt_command�	Exception�getattrr|�strip)r<r#r�r�rKr�r�r5r5r6r'gsT


�
�����

��
r')F)cr�enumr�r}r�collectionsrr�typingrrrrrr	r
r2rrr
rrrZ+uaclient.api.u.pro.attach.magic.initiate.v1rZ)uaclient.api.u.pro.attach.magic.revoke.v1rrZ'uaclient.api.u.pro.attach.magic.wait.v1rrZuaclient.clouds.identityrrrZuaclient.configrZuaclient.defaultsrrZuaclient.entitlementsrZ(uaclient.entitlements.entitlement_statusrrZuaclient.filesrZuaclient.files.noticesr Zuaclient.statusr!ZCVE_OR_USN_REGEXr\rartryr�r�r�r�r|r"r'�unique�Enumr+ZUAServiceClientr7r�rKrer�r�r�r�r�r�r�r�r
rrr~rrr�r(r+r�r,r5r7r?rDrErGrJrMr'r5r5r5r6�<module>s$ �

����

wEJ|
�1��k
�
�
�,�#��Y
�"	�+
��