HEX

File: //usr/lib/python3/dist-packages/certbot/_internal/__pycache__/renewal.cpython-310.pyc
o

6��a�Y�@sZdZddlZddlZddlZddlZddlZddlZddlZddlm	Z	ddlm
Z
ddlmZddl
mZddl
mZddlmZddlZdd	lmZdd
lmZddlmZddlmZdd
lmZddlmZddlmZddlmZddlmZddlmZddlm Z ddl!m"Z#ddl$m%Z&ddl'm(Z(dd
l)mZ*e�+e,�Z-gd�Z.ddgZ/gd�Z0e1e�2e0e/e.d��Z3dd�Z4dd�Z5d d!�Z6d"d#�Z7d$d%�Z8d&d'�Z9d(d)�Z:d*d+�Z;d,d-�Z<d.d/�Z=d0d1�Z>d2ej?d3e
e	e@d4ejAd5ejBd6df
d7d8�ZCd9d:�ZDd2ej?d;e	e@d<e	e@d=e	e@d>e	e@d6dfd?d@�ZEdAdB�ZFdCe@d2ej?d6dfdDdE�ZGdS)FzGFunctionality for autorenewal and associated juggling of configurations�N)�List)�Optional)�default_backend)�ec)�rsa)�load_pem_private_key)�
configuration)�crypto_util)�errors)�
interfaces)�util)�cli)�client)�	constants)�hooks)�storage)�updater)�obj)�disco)�os)�
config_dir�logs_dir�work_dir�
user_agent�server�account�
authenticator�	installer�
renew_hook�pre_hook�	post_hook�http01_address�preferred_chain�key_type�elliptic_curve�rsa_key_size�http01_port)�must_staple�allow_subset_of_names�	reuse_key�	autorenew)�pref_challsc
Cshzt�||�}Wn,tjtfy4}zt�d|�t�dt|��t�dt	�
��WYd}~dSd}~wwd|jvrBt�d|�dS|jd}d|vrSt�d|�dSt|�}zt
||�t||�Wn'ttjfy�}zt�d	|t|��t�dt	�
��WYd}~dSd}~wwz
d
d�|��D�|_W|Stjy�}zt�d||�WYd}~dSd}~ww)
a�Try to instantiate a RenewableCert, updating config with relevant items.

    This is specifically for use in renewal and enforces several checks
    and policies to ensure that we can try to proceed with the renewal
    request. The config argument is modified by including relevant options
    read from the renewal configuration file.

    :param configuration.NamespaceConfig config: configuration for the
        current lineage
    :param str full_path: Absolute path to the configuration file that
        defines this lineage

    :returns: the RenewableCert object or None if a fatal error occurred
    :rtype: `storage.RenewableCert` or NoneType

    z(Renewal configuration file %s is broken.zThe error was: %s
Skipping.�Traceback was:
%sN�
renewalparamsz<Renewal configuration file %s lacks renewalparams. Skipping.rzJRenewal configuration file %s does not specify an authenticator. Skipping.zHAn error occurred while parsing %s. The error was %s. Skipping the file.cSsg|]}t�|��qS�)r�enforce_domain_sanity)�.0�dr.r.�;/usr/lib/python3/dist-packages/certbot/_internal/renewal.py�
<listcomp>ds�z!_reconstitute.<locals>.<listcomp>z{Renewal configuration file %s references a certificate that contains an invalid domain name. The problem was: %s. Skipping.)r�
RenewableCertr
�CertStorageError�IOError�logger�error�str�debug�	traceback�
format_excr�"_remove_deprecated_config_elements� restore_required_config_elements�_restore_plugin_configs�
ValueError�Error�names�domains�ConfigurationError)�config�	full_path�renewal_candidater8r-r.r.r2�
_reconstitute5sZ��
�
�
���
�����rHcCsXd|vrt�d�s|d|_d|vr(t�d�s*|d}t|t�r#|g}||_dSdSdS)z�
    webroot_map is, uniquely, a dict, and the general-purpose configuration
    restoring logic is not able to correctly parse it from the serialized
    form.
    �webroot_map�webroot_pathN)r
�
set_by_clirI�
isinstancer9rJ)rEr-�wpr.r.r2�_restore_webroot_configos


�rNcCs�g}|ddkrt||�n|�|d�|�d�dur#|�|d�t|�D]7}|�dd�}|��D]*\}}|�|d�r]t�|�s]|dvrPt	||t
|��q3t�|�}t	||||��q3q'dS)aSets plugin specific values in config from renewalparams

    :param configuration.NamespaceConfig config: configuration for the
        current lineage
    :param configobj.Section renewalparams: Parameters from the renewal
        configuration file that defines this lineage

    r�webrootrN�-�_)�None�True�False)rN�append�get�set�replace�items�
startswithr
rK�setattr�eval�
argparse_type)rEr-�plugin_prefixes�
plugin_prefix�config_item�config_value�castr.r.r2r?�s"
���r?c
Cszt�dtffttt�t��ttt�t��tt	t�t
���}|D]\}}||vr:t�|�s:||||�}t
|j||�qdS)aSets non-plugin specific values in config from renewalparams

    :param configuration.NamespaceConfig config: configuration for the
        current lineage
    :param configobj.Section renewalparams: parameters from the renewal
        configuration file that defines this lineage

    r+N)�	itertools�chain�_restore_pref_challs�zip�BOOL_CONFIG_ITEMS�repeat�
_restore_bool�INT_CONFIG_ITEMS�_restore_int�STR_CONFIG_ITEMS�_restore_strr
rKr[�	namespace)rEr-�required_items�	item_name�restore_func�valuer.r.r2r>�s
���r>cCsdd�|��D�S)z�Removes deprecated config options from the parsed renewalparams.

    :param dict renewalparams: list of parsed renewalparams

    :returns: list of renewalparams with deprecated config options removed
    :rtype: dict

    cSs i|]\}}|tjvr||�qSr.)r
�DEPRECATED_OPTIONS)r0�option_name�vr.r.r2�
<dictcomp>�s�z6_remove_deprecated_config_elements.<locals>.<dictcomp>)rY)r-r.r.r2r=�s	r=cCst|t�r|gn|}t�|�S)a�Restores preferred challenges from a renewal config file.

    If value is a `str`, it should be a single challenge type.

    :param str unused_name: option name
    :param value: option value
    :type value: `list` of `str` or `str`

    :returns: converted option value to be stored in the runtime config
    :rtype: `list` of `str`

    :raises errors.Error: if value can't be converted to a bool

    )rLr9r
�parse_preferred_challenges)�unused_namerrr.r.r2re�s
recCs*|��}|dvrt�d�||���|dkS)a#Restores a boolean key-value pair from a renewal config file.

    :param str name: option name
    :param str value: option value

    :returns: converted option value to be stored in the runtime config
    :rtype: bool

    :raises errors.Error: if value can't be converted to a bool

    )�true�falsez,Expected True or False for {0} but found {1}ry)�lowerr
rA�format)�namerr�lowercase_valuer.r.r2ri�s
�ricCsN|dkr|dkrt�d�t�d�Szt|�WSty&t�d�|���w)a#Restores an integer key-value pair from a renewal config file.

    :param str name: option name
    :param str value: option value

    :returns: converted option value to be stored in the runtime config
    :rtype: int

    :raises errors.Error: if value can't be converted to an int

    r&rRz!updating legacy http01_port valuez Expected a numeric value for {0})	r7�infor
�flag_default�intr@r
rAr|�r}rrr.r.r2rk�s


�rkcCs@|dkr|tjkrt�dtjd|�tjdS|dkrdS|S)z�Restores a string key-value pair from a renewal config file.

    :param str name: option name
    :param str value: option value

    :returns: converted option value to be stored in the runtime config
    :rtype: str or None

    rz$Using server %s instead of legacy %srRN)r�V1_URIr7r�CLI_DEFAULTSr�r.r.r2rms
�
rmcCsL|jr
t�d�dS|��rt�d�dS|jrt�d�dSt�d�dS)zDReturn true if any of the circumstances for automatic renewal apply.z+Auto-renewal forced with --force-renewal...Tz0Certificate is due for renewal, auto-renewing...zCCertificate not due for renewal, but simulating renewal for dry runz#Certificate not yet due for renewalF)�renew_by_defaultr7r:�should_autorenewr�dry_run�display_util�notify)rE�lineager.r.r2�should_renew%s



r�cCsFt�|j�rt�|�s|js!d�|���}t�d�|���dSdSdS)z9Do not renew a valid cert with one from a staging server!z, z�You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: {0}). We will not do that unless you use the --break-my-certs flag!N)	r�
is_stagingr�break_my_certs�joinrBr
rAr|)rEr��original_serverrBr.r.r2�_avoid_invalidating_lineage4s
��r�rErC�	le_clientr��returncCs�|jd}|�dt�d��}t|||�|s|��}|jr*tj�	|j
�}t||�nd}|�||�\}}}}	|j
rEt�dtj�|j��n|��}
|�|
||j||�|�|���t�|||j�dS)zRenew a certificate lineage.r-rNz(Dry run: skipping updating lineage at %s)rrVr
r�r�rBr)r�path�normpath�privkey�_update_renewal_params_from_key�obtain_certificater�r7r:�dirname�cert�latest_common_version�save_successor�pem�update_all_links_torr�live_dir)rErCr�r��renewal_paramsr��new_key�new_cert�	new_chainrQ�
prior_versionr.r.r2�
renew_cert@s 
r�cs �fdd�|D�}dd�|�S)z:Format a results report for a category of renewal outcomesc3s�|]	}d|�fVqdS)z%s (%s)Nr.)r0�m��categoryr.r2�	<genexpr>]s�zreport.<locals>.<genexpr>z  z
  )r�)�msgsr��linesr.r�r2�report[sr��renew_successes�renew_failures�
renew_skipped�parse_failurescCs8tj}tj}|d�tj��|jrdnd}|r"|d�|t|d��|sB|sB|dj|d��|j	dus=|j
dus=|jdurA|d	�nF|rV|sV|d
j|d��|t|d��n2|rg|sg|d|�|t|d
��n!|r�|r�|dj|d��|t|d�d�|d|�|t|d
��|r�|d�|t|d��|tj�dS)a�
    Print a report to the terminal about the results of the renewal process.

    :param configuration.NamespaceConfiguration config: Configuration
    :param list renew_successes: list of fullchain paths which were renewed
    :param list renew_failures: list of fullchain paths which failed to be renewed
    :param list renew_skipped: list of messages to print about skipped certificates
    :param list parse_failures: list of renewal parameter paths which had errors
    z
{}zsimulated renewal�renewalz7The following certificates are not due for renewal yet:�skippedzNo {renewal}s were attempted.)r�NzNo hooks were run.z+Congratulations, all {renewal}s succeeded: �successz@All %ss failed. The following certificates could not be renewed:�failurez#The following {renewal}s succeeded:�
zThe following %ss failed:zB
Additionally, the following renewal configurations were invalid: �	parsefail)r�r�r7r8r|�display_obj�
SIDE_FRAMEr�r�rrr )rEr�r�r�r�r��notify_error�renewal_nounr.r.r2�_renew_describe_resultsasB
����
r�cs\t�fdd��jD��rt�d���jrt���j�g}nt���}g}g}g}g}tj	�
�o2�j}|D]�}tj
d|dd�t���}t�|�}	zt||�}
Wn'tyx}zt�d||	|�t�dt���|�|�WYd	}~q5d	}~wwzj|
d	ur�|�|�n^tj�|tj�|
��d
dlm }t!j"�#�}
t$||
�r�|r�t%�&dd
�}t�'d|�t(�)|�d}|�*||
|
�|�|
j+�nt,�-|
�.d|
�/���}|�d|
j+|�0d�f�t1�2||
|
�Wq5t�y}zt�d|	|�t�dt���|�|
j+�WYd	}~q5d	}~wwt3�||||�|�s|�r't�d�4t5|�t5|����t�d�d	S)z5Examine each lineage; renew if due and report resultsc3s�|]}|�jvVqdS)N)rI)r0�domain�rEr.r2r��s�z)handle_renewal_request.<locals>.<genexpr>afCurrently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.zProcessing F)�pausezTRenewal configuration file %s (cert: %s) produced an unexpected error: %s. Skipping.r,Nr)�main�i�z3Non-interactive renewal: random delay of %s secondsr�z%s expires on %sz%Y-%m-%dz-Failed to renew certificate %s with error: %sz*{0} renew failure(s), {1} parse failure(s)zno renewal failures)6�anyrCr
rA�certnamer�renewal_file_for_certname�renewal_conf_files�sys�stdin�isatty�random_sleep_on_renewr��notification�copy�deepcopy�lineagename_for_filenamerH�	Exceptionr7r8r:r;r<rU�zope�	component�provideUtilityr�IConfig�ensure_deployed�certbot._internalr��
plugins_disco�PluginsRegistry�find_allr��random�uniformr�time�sleepr��	fullchainr	�notAfter�versionr��strftimer�run_generic_updatersr�r|�len)rE�
conf_filesr�r�r�r��apply_random_sleep�renewal_file�lineage_config�lineagenamerG�er��plugins�
sleep_time�expiryr.r�r2�handle_renewal_request�s�



�
��

�
�
������
��r��key_pathcCs�t|d��}t|��dt�d�}Wd�n1swYt|tj�r.d|_|j|_	dSt|t
j�r>d|_|jj
|_dSt�d�|t|����)N�rb)�password�backendr�ecdsaz*Key at {0} is of an unsupported type: {1}.)�openr�readrrLr�
RSAPrivateKeyr#�key_sizer%r�EllipticCurvePrivateKey�curver}r$r
rAr|�type)r�rE�file_h�keyr.r.r2r��s�r�)H�__doc__r�rc�loggingr�r�r�r;�typingrr�cryptography.hazmat.backendsr�)cryptography.hazmat.primitives.asymmetricrr�,cryptography.hazmat.primitives.serializationr�zope.componentr��certbotrr	r
rrr�r
rrrrr�certbot._internal.displayrr��certbot._internal.pluginsrr��certbot.compatr�certbot.displayr��	getLogger�__name__r7rlrjrgrWrd�CONFIG_ITEMSrHrNr?r>r=rerirkrmr�r��NamespaceConfigr9�Clientr4r�r�r�r�r�r.r.r.r2�<module>s�
�:+
��
����
�0k