a á `X>ã@s:dZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z ddl m Z ddl mZddl mZdd lmZdd lmZddlmZe e¡Zd d „Zd d„Zdd„Zdd„Zdd„Zdd„Zdd„Zdd„Z dd„Z!dd„Z"dd „Z#d.d"d#„Z$d/d$d%„Z%d&d'„Z&d(d)„Z'd*d+„Z(d,d-„Z)dS)0z Tools for managing certificates.éN)ÚList)Ú crypto_util)Úerrors)Ú interfaces)Úocsp)Úutil)Ústorage)ÚoscCs$t |¡D]}tj||ddq dS)ajUpdate the certificate file family symlinks to use archive_dir. Use the information in the config file to make symlinks point to the correct archive directory. .. note:: This assumes that the installation is using a Reverter object. :param config: Configuration. :type config: :class:`certbot._internal.configuration.NamespaceConfig` T)Zupdate_symlinksN)rÚrenewal_conf_filesÚ RenewableCert)ÚconfigÚ renewal_file©rú@/usr/lib/python3/dist-packages/certbot/_internal/cert_manager.pyÚupdate_live_symlinkss rcCsžtj tj¡}t|dƒd}|j}|sX|jd |¡ddd\}}|t j ksN|sXt   d¡‚t ||ƒ}|svt  d |¡¡‚t |||¡|jd  ||¡d d d S) z¡Rename the specified lineage to the new name. :param config: Configuration. :type config: :class:`certbot._internal.configuration.NamespaceConfig` Úrenamerz&Enter the new name for certificate {0}z--updated-cert-nameT)ÚflagÚforce_interactiveúUser ended interaction.z,No existing certificate with name {0} found.z Successfully renamed {0} to {1}.F)ÚpauseN)ÚzopeÚ componentÚ getUtilityrÚIDisplayÚ get_certnamesÚ new_certnameÚinputÚformatÚ display_utilÚOKrÚErrorÚlineage_for_certnameZConfigurationErrorrZrename_renewal_configÚ notification)r ÚdispÚcertnamerÚcodeÚlineagerrrÚrename_lineage)s*þ   ÿÿÿr'c Csšg}g}t |¡D]v}z$t ||¡}t |¡| |¡Wqty†}z4t d||¡t  dt   ¡¡| |¡WYd}~qd}~00qt |||ƒdS)zªDisplay information about certs configured with Certbot :param config: Configuration. :type config: :class:`certbot._internal.configuration.NamespaceConfig` zIRenewal configuration file %s produced an unexpected error: %s. Skipping.úTraceback was: %sN) rr r rZverify_renewable_certÚappendÚ ExceptionÚloggerZwarningÚdebugÚ tracebackÚ format_excÚ_describe_certs)r Ú parsed_certsÚparse_failuresr Zrenewal_candidateÚerrrÚ certificatesEs  ÿ"r3cCst|ddd}tj tj¡}dg}|D]}| d|¡q&| d¡|jd |¡ddsft   d ¡d S|D] }t   ||¡t  d  |¡¡qjd S) z;Delete Certbot files associated with a certificate lineage.ÚdeleteT)Úallow_multiplez8The following certificate(s) are selected for deletion: z * z: Are you sure you want to delete the above certificate(s)?Ú )Údefaultz$Deletion of certificate(s) canceled.Nz.Deleted all files relating to certificate {0}.)rrrrrrr)ZyesnoÚjoinr+ÚinforZ delete_filesrÚnotifyr)r Ú certnamesr#Úmsgr$rrrr4\s   ÿr4c Cs†|j}tj|ddzt ||¡}Wntjy:YdS0zt ||¡WStjtfy€t   d|¡t   dt   ¡¡YdS0dS)z)Find a lineage object with name certname.éí©ÚmodeNzRenewal conf file %s is broken.r() Úrenewal_configs_dirrÚmake_or_verify_dirrZrenewal_file_for_certnamerÚCertStorageErrorr ÚIOErrorr+r,r-r.)Ú cli_configr$Ú configs_dirr rrrr!ps r!cCst||ƒ}|r| ¡SdS)z0Find the domains in the cert with name certname.N)r!Únames)r r$r&rrrÚdomains_for_certnames rGcs‡fdd„}t||dƒS)aˆFind existing certs that match the given domain names. This function searches for certificates whose domains are equal to the `domains` parameter and certificates whose domains are a subset of the domains in the `domains` parameter. If multiple certificates are found whose names are a subset of `domains`, the one whose names are the largest subset of `domains` is returned. If multiple certificates' domains are an exact match or equally sized subsets, which matching certificates are returned is undefined. :param config: Configuration. :type config: :class:`certbot._internal.configuration.NamespaceConfig` :param domains: List of domain names :type domains: `list` of `str` :returns: lineages representing the identically matching cert and the largest subset if they exist :rtype: `tuple` of `storage.RenewableCert` or `None` csb|\}}t| ¡ƒ}|tˆƒkr&|}n4| tˆƒ¡rZ|durB|}nt|ƒt| ¡ƒkrZ|}||fS)zsReturn cert as identical_names_cert if it matches, or subset_names_cert if it matches as subset N)ÚsetrFÚissubsetÚlen)Úcandidate_lineageÚrvZidentical_names_certZsubset_names_certZcandidate_names©ÚdomainsrrÚupdate_certs_for_domain_matchesžs  z?find_duplicative_certs..update_certs_for_domain_matches)NN)Ú_search_lineages)r rNrOrrMrÚfind_duplicative_certs‡s rQcs,|j‰‡‡fdd„t ˆ¡Dƒ}|r(|SdS)aJ In order to match things like: /etc/letsencrypt/archive/example.com/chain1.pem. Anonymous functions which call this function are eventually passed (in a list) to `match_and_check_overlaps` to help specify the acceptable_matches. :param `.storage.RenewableCert` candidate_lineage: Lineage whose archive dir is to be searched. :param str filetype: main file name prefix e.g. "fullchain" or "chain". :returns: Files in candidate_lineage's archive dir that match the provided filetype. :rtype: list of str or None cs,g|]$}t d ˆ¡|¡rtj ˆ|¡‘qS)z {0}[0-9]*.pem)ÚreÚmatchrr Úpathr8)Ú.0Úf©Ú archive_dirÚfiletyperrÚ Ãsÿz"_archive_files..N)rXr Úlistdir)rKrYÚpatternrrWrÚ_archive_files´s r]cCsdd„dd„dd„dd„gS)zª Generates the list that's passed to match_and_check_overlaps. Is its own function to make unit testing easier. :returns: list of functions :rtype: list cSs|jS©N)Zfullchain_path©ÚxrrrÚÑóz%_acceptable_matches..cSs|jSr^©Ú cert_pathr_rrrraÑrbcSs t|dƒS)NÚcert©r]r_rrrraÒrbcSs t|dƒS)NÚ fullchainrfr_rrrraÒrbrrrrrÚ_acceptable_matchesÊs  ÿrhcs(tƒ}tˆ|‡fdd„dd„ƒ}|dS)a“ If config.cert_path is defined, try to find an appropriate value for config.certname. :param `configuration.NamespaceConfig` cli_config: parsed command line arguments :returns: a lineage name :rtype: str :raises `errors.Error`: If the specified cert path can't be matched to a lineage name. :raises `errors.OverlappingMatchFound`: If the matched lineage's archive is shared. cs ˆjdS)Nrrcr_©rDrrraârbz&cert_path_to_lineage..cSs|jSr^)Ú lineagenamer_rrrraârbr)rhÚmatch_and_check_overlaps)rDÚacceptable_matchesrSrrirÚcert_path_to_lineageÕs ÿrmcsP‡‡fdd„}t||g|ƒ}|s8t d |jd¡¡‚nt|ƒdkrLt ¡‚|S)a Searches through all lineages for a match, and checks for duplicates. If a duplicate is found, an error is raised, as performing operations on lineages that have their properties incorrectly duplicated elsewhere is probably a bad idea. :param `configuration.NamespaceConfig` cli_config: parsed command line arguments :param list acceptable_matches: a list of functions that specify acceptable matches :param function match_func: specifies what to match :param function rv_func: specifies what to return cs`‡fdd„|Dƒ}g}|D]"}t|tƒr2||7}q| |¡qˆˆƒ}||vr\| ˆˆƒ¡|S)z1Returns a list of matches using _search_lineages.csg|] }|ˆƒ‘qSrr)rUÚfunc©rKrrrZórbzBmatch_and_check_overlaps..find_matches..)Ú isinstanceÚlistr))rKZ return_valuerlZacceptable_matches_rvÚitemrS©Ú match_funcÚrv_funcrorÚ find_matchesñs   z.match_and_check_overlaps..find_matchesz!No match found for cert-path {0}!ré)rPrr rrdrJZOverlappingMatchFound)rDrlrtrurvZmatchedrrsrrkæs  rkFc CsBg}t ¡}|jr&|j|jkr&|s&dS|jrDt|jƒ | ¡¡sDdStj   t j   ¡¡}g}|j rj| d¡|j|kr€| d¡n| |¡r”| d¡|r¨dd |¡}nB|j|}|jdkrÂd}n(|jdkrÞd  |jd ¡}n d  |j¡}d  |j|¡} tt |j¡d ƒ} | d |j| |jd | ¡¡| |j|j¡¡d |¡S)zJ Returns a human readable description of info about a RenewableCert objectÚZ TEST_CERTZEXPIREDZREVOKEDz INVALID: z, rwz VALID: 1 dayzVALID: {0} hour(s)izVALID: {0} daysz {0} ({1})r`z“ Certificate Name: {} Serial Number: {} Key Type: {} Domains: {} Expiry Date: {} Certificate Path: {} Private Key Path: {}ú )rZRevocationCheckerr$rjrNrHrIrFÚpytzZUTCZfromutcÚdatetimeZutcnowZ is_test_certr)Z target_expiryZ ocsp_revokedr8ZdaysrZsecondsrZget_serial_from_certrdZprivate_key_typergZprivkey) r reZskip_filter_checksÚcertinfoZcheckerZnowZreasonsZstatusZdiffZ valid_stringÚserialrrrÚhuman_readable_cert_infosD          ór~c Csè|j}|r|g}nÒtj tj¡}t |¡}dd„|Dƒ}|sFt  d¡‚|rŠ|sZd  |¡} n|} |j | |ddd\} }| t j krät  d¡‚nZ|sšd   |¡} n|} |j| |ddd\} } | t j ksÐ| td t|ƒƒvrÚt  d¡‚|| g}|S) z9Get certname from flag, interactively, or error out. cSsg|]}t |¡‘qSr)rZlineagename_for_filename)rUÚnamerrrrZArbz!get_certnames..zNo existing certificates found.z+Which certificate(s) would you like to {0}?z --cert-nameT)Zcli_flagrrz(Which certificate would you like to {0}?r)r$rrrrrrr rr rZ checklistrrZmenuÚrangerJ) r Zverbr5Z custom_promptr$r;r#Ú filenamesÚchoicesÚpromptr%Úindexrrrr8s6   ÿ    ÿ   rcCsdd dd„|Dƒ¡S)zFFormat a results report for a category of single-line renewal outcomesz z css|]}t|ƒVqdSr^)Ústr)rUr<rrrÚ brbz _report_lines..)r8)ZmsgsrrrÚ _report_lines`sr‡cCs(g}|D]}| t||ƒ¡qd |¡S)z)Format a results report for a parsed certr6)r)r~r8)r r0r|rerrrÚ_report_human_readableesrˆcCsg}|j}|s|s|dƒnL|rP|js,|jr0dnd}|d |¡ƒ|t||ƒƒ|rh|dƒ|t|ƒƒtj t j ¡}|j d  |¡dddd S) z/Print information about the certs we know aboutzNo certificates found.z matching rxzFound the following {0}certs:z3 The following renewal configurations were invalid:r6F)rZwrapN) r)r$rNrrˆr‡rrrrrr"r8)r r0r1Úoutr:rSr#rrrr/ms  r/c Gsˆ|j}tj|dd|}t |¡D]`}zt ||¡}Wn8tjtfynt   d|¡t   dt   ¡¡Yq"Yn0|||g|¢RŽ}q"|S)aâIterate func over unbroken lineages, allowing custom return conditions. Allows flexible customization of return values, including multiple return values and complex checks. :param `configuration.NamespaceConfig` cli_config: parsed command line arguments :param function func: function used while searching over lineages :param initial_rv: initial return value of the function (any type) :returns: Whatever was specified by `func` if a match is found. r=r>z)Renewal conf file %s is broken. Skipping.r() r@rrArr r rrBrCr+r,r-r.)rDrnZ initial_rvÚargsrErLr rKrrrrPƒs   rP)F)FN)*Ú__doc__r{ZloggingrRr-rzZzope.componentrZacme.magic_typingrZcertbotrrrrrZcertbot._internalrZcertbot.compatr Zcertbot.displayrZ getLoggerÚ__name__r+rr'r3r4r!rGrQr]rhrmrkr~rr‡rˆr/rPrrrrÚsB          - ! 1 (