o

nHJeYq�
@sdd
lZdd
l
Z
ddlmZmZmZmZmZmZm	Z	
ddl
mZmZm
Z
mZmZmZ
ddlmZmZ
ddlmZ
ddlmZmZ
ddlmZmZ
ddlmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/
dd	l0m1Z1
dd
l2m3Z3
ddl2m4Z5
ddl6m7Z7
ddl6m4Z8
dd
l9m:Z:
ddl;m<Z<m=Z=
ddl>m?Z?m@Z@mAZA
ddlBmCZC
ddlDmEZEmFZF
ddlGmHZH
ddlImJZJ
ddlKmLZLmMZMmNZN
ddlOmPZP
ddlQmRZR
ddlSmTZT
ddlUmVZV
ddlWmXZX
Gdd�d�ZYdd�ZZdd�Z[d e'fd!d"�Z\d#e)fd$d%�Z]d&e^d'e_d(eCfd)d*�Z`d&e^d'e_d+e_d(eCfd,d-�Za	
did.ee^d/e^d0ebd1ebd2ee^d3e^fd4d5�Zcd(eCd6e^d3e_fd7d8�Zddjd9d:�Zed(eCfd;d<�Zfd(eCd3e_fd=d>�Zgd?ee^d3e^fd@dA�Zhd(eCd'e_d3e_fdBdC�Zid(eCd3e_fdDdE�Zjd(eCdFe^d3e_fdGdH�ZkdFe^d(eCd'e_d3e_fdIdJ�Zl	Kdkd/eVdLe^dMe^fdNdO�ZmdPe^fdQdR�ZndSeYdTe+fdUdV�ZodSeYdTe,fdWdX�ZpdSeYdTe fdYdZ�ZqdSeYdTe!fd[d\�ZrdSeYdTe"fd]d^�ZsdSeYdTe&fd_d`�ZtdSeYdTe$fdadb�ZudSeYdTe#fdcdd�Zvd#e'd'e_d(eCd3eeVeejwffdedf�Zxdgdh�Zyd
S)l�N)�Dict�List�
NamedTuple�Optional�Set�Tuple�Union)�apt�
exceptions�messages�security�system�util)�attach_with_token�enable_entitlement_by_name)
�	_initiate)�MagicAttachRevokeOptions�_revoke)�MagicAttachWaitOptions�_wait)�ESM_APPS_POCKET�ESM_INFRA_POCKET�STANDARD_UPDATES_POCKET�FixPlanAptUpgradeStep�FixPlanAttachStep�FixPlanEnableStep�FixPlanNoOpAlreadyFixedStep�FixPlanNoOpLivepatchFixStep�FixPlanNoOpStatus�FixPlanNoOpStep�
FixPlanResult�FixPlanStep�FixPlanUSNResult�FixPlanWarning�&FixPlanWarningPackageCannotBeInstalled�#FixPlanWarningSecurityIssueNotFixed�NoOpAlreadyFixedData�NoOpLivepatchFixData�USNAdditionalData)
�status_message)
�CVEFixPlanOptions)
�_plan)
�USNFixPlanOptions)
�_is_attached)�NAME�
USAGE_TMPL)�CLOUD_TYPE_TO_TITLE�PRO_CLOUD_URLS�get_cloud_type)
�UAConfig)�ContractExpiryStatus�get_contract_expiry_status)
�PRINT_WRAP_WIDTH)
�entitlement_factory)�ApplicabilityStatus�CanEnableFailure�UserFacingStatus)
�notices)
�Notice)
�
PRO_HOME_PAGE)
�	FixStatus)
�colorize_commandsc@sjeZ
dZd
ededeedefdd�Zdd�Z		dd
eedede	efd
d�Z
deedefdd�Zd	S)�
FixContext�title�dry_run�
affected_pkgs�cfgcCsDd
|_g|_
t�|_tj|_|
|_||_||_	||_
d|_d|_dS)Nr
TF)
�	pkg_index�unfixed_pkgs�set�installed_pkgsr>�SYSTEM_NON_VULNERABLE�
fix_statusrArCrBrD�should_print_pkg_header� warn_package_cannot_be_installed)�selfrArBrCrD�rN�2/usr/lib/python3/dist-packages/uaclient/cli/fix.py�__init__Js









zFixContext.__init__c
CsR|jr't
j�t|j�
�
jt|j�
d
�t|j�
�
d�}
tt	j
|
tddd��

dSdS)N�, )�count�pkgs�    F)�width�subsequent_indent�replace_whitespace)rCr�SECURITY_AFFECTED_PKGS�	pluralize�len�format�join�sorted�print�textwrap�fillr6)rM�msgrNrNrO�print_fix_header\s"


�

�




���zFixContext.print_fix_headerN�source_pkgs�status�pocketcCs8|jrt
t|
||jt|j�
|rt|�
n
dd
��

dSdS)N)�pkg_listrdrE�num_pkgs�
pocket_source)rKr^�_format_packages_messagerErZrC�get_pocket_description)rMrcrdrerNrNrO�print_pkg_headerms






����zFixContext.print_pkg_headerrS�unfixed_reasoncCs$|
D]
}|j�
tj||d
��

qdS)N)�pkgrl)rF�appendr�UnfixedPackage)rMrSrlrmrNrNrO�add_unfixed_packages�s



��zFixContext.add_unfixed_packages�
N)�__name__�
__module__�__qualname__�str�boolrr3rPrbrrkrprNrNrNrOr@Is(
���
����
�r@c
Cs(|jd
t
jd�}
|
jtd�

t|
�

dS)N�fix�
�help)
�action)�
add_parserr�CLI_ROOT_FIX�set_defaults�
action_fix�
fix_parser)�
subparsers�
parser_fixrNrNrO�set_fix_parser�s


r�c

Cs`tj
td
d�|_d|_tj|_tj|j	_
|jdtjd�
|jddtj
d�
|jd	dtjd�
|S)
z1Build or extend an arg parser for fix subcommand.z"fix <CVE-yyyy-nnnn+>|<USN-nnnn-d+>)�name�commandrw�security_issuerxz	--dry-run�
store_true)rzryz--no-related)r/r[r.�usage�progr�CLI_FIX_DESC�description�	CLI_FLAGS�
_optionalsrA�add_argument�
CLI_FIX_ISSUE�CLI_FIX_DRY_RUN�CLI_FIX_NO_RELATED)
�parserrNrNrOr�s
�





�
�r�cvec
Cs8d
j|j
��|jd�d�|j
���
g}
td�|
�
�

dS)N�{issue}: {description}��issuer�z! - https://ubuntu.com/security/{}�

)r[rA�upperr�r^r\)r��linesrNrNrO�print_cve_header�s
��r��fix_planc
Cs�|j}
d
j
|
j��|
jd�g
}|
j}t|t�rK|jr5|�	t
j�

|jD]}|�	d�
t
jj
j
|d�
�
�

q#n|jrK|�	t
j�

|jD]	}|�	d|�

qAtd�|�
�

dS)Nr�r�z - {})
r�z - r�)�target_usn_planr[rAr�r��additional_data�
isinstancer(�associated_cvesrnr�SECURITY_FOUND_CVES�urls�SECURITY_CVE_PAGE�associated_launchpad_bugs�SECURITY_FOUND_LAUNCHPAD_BUGSr^r\)r��
target_usnr�r�r��lp_bugrNrNrO�print_usn_header�s*

��








���



r�r�rBrDcCsztt
|g
d
�
|d�}|jjdj}|r$|jr$tjt�	|j
pd|j�d�
�
t|jjd�

t�
t
|jjd|
|�\}}|S)N)
�cves��optionsrDr
�unexpected-error�
�	named_msg)�cve_planr*�	cves_datar��errorrar
�AnonymousUbuntuProErrorr�NamedMessage�coder�r^�execute_fix_plan)r�rBrDr�r�rd�
_rNrNrO�fix_cve�s

�




��

r��
no_relatedcCs�
tt
|g
d
�
|d�}|jjdjj}|r%|jr%tjt	�
|jpd|j�d�
�
t|jjd�

t
dt	jj|d�
�

t|jjdj|
|�\}}|tjtjfv
rO|S|jjdj}|rZ|r\|St
dt	jjd�d	d
�|D�
�
d�
�

t
dt	j�

i}	|D]}
t
d�|
j�
�

t|
|
|�|	|
j<t
�
qzt
t	j�

t||t	jd
�
d}|D]=}
|	|
j\}}
t||
jt	jd
�
|tjkr�t
dt	jjdd�
�

d}|tjkr�|
D]}|j r�t
d�|j!|j ��

q�d}q�|r�t
dt	j"j|d�
�

|S)N)
�usnsr�r
r�r�r�)
�issue_idz
- c
ss�|]}
|
jV
qdSrq)
rA)�.0�usnrNrNrO�	<genexpr>

s�zfix_usn.<locals>.<genexpr>)
�related_usnsz- {})
�contextF�- �
fix operation�
�	operationTz
  - {}: {})#�usn_planr,�	usns_datar�r�r�rar
r�rr�r�r�r^�SECURITY_FIXING_REQUESTED_USNr[r�r>rI�SYSTEM_NOT_AFFECTED�related_usns_plan�SECURITY_RELATED_USNSr\�SECURITY_FIXING_RELATED_USNSrA�SECURITY_USN_SUMMARY�_handle_fix_status_message�FIX_ISSUE_CONTEXT_REQUESTED�FIX_ISSUE_CONTEXT_RELATED�SYSTEM_VULNERABLE_UNTIL_REBOOT�ENABLE_REBOOT_REQUIRED_TMPL�SYSTEM_STILL_VULNERABLErlrm�SECURITY_RELATED_USN_ERROR)r�rBr�rDr�r��target_usn_statusr�r��related_usn_status�related_usn_plan�failure_on_related_usnrdrF�unfixed_pkgrNrNrO�fix_usn�s�
�




��


���


�

�




����





�




�





�




���






����



���r�rfrdrErgrh�returnc	Cs�|sd
Sg}g}|D]}|d7}|�d�
||��

|�|�

q
tjd�
dd�|�
dd�t|�
�
�tdd	�}d
�
|t|
|��S)z;Format the packages and status to an user friendly message.��
z{}/{}z{} {}:�
(rQ�
)rT�rUrVz{}
{})rnr[r_r`r\r]r6r))	rfrdrErgrh�	msg_index�src_pkgs�src_pkg�
msg_headerrNrNrOri?
s 







�
�ri�tokenc
Cs\tt
d
d|
gg
�
�

z
t||
dd�
WdStjy-
}
zt|j�

WYd}~dSd}~w
w)ztAttach to an Ubuntu Pro subscription with a given token.

    :return: True if attach performed without errors.
    �pro�attachT)r��allow_enableNF)r^r?rr
�UbuntuProErrorra)rDr��errrNrNrO�_run_ua_attach[
s






��r�cCs>t�\}}
|t
��vrttjjt�|�
t
�|�
d
��

dSdS)z:Alert the user when running Pro on cloud with PRO support.)rA�cloud_specific_urlN)	r2r1�keysr^r�SECURITY_USE_PRO_TMPLr[r0�get)�
cloud_typer�rNrNrO�*_inform_ubuntu_pro_existence_if_applicablei
s





���r�c

Cs�tt
j�

t|d
�
}
tdt
jj|
jd�
�

t|
jd�
}zt	||d�}Wn t
jyD
}
ztt
j�

t
|
jd�
}t||d�
|�
d}~w
wtdt
j�

t||j�S)N)
rDr�)
�	user_code)
�magic_tokenr�)r^r�CLI_MAGIC_ATTACH_INITr�CLI_MAGIC_ATTACH_SIGN_INr[r�rr�rr
�MagicAttachTokenError�CLI_MAGIC_ATTACH_FAILEDrr�CLI_MAGIC_ATTACH_PROCESSINGr��contract_token)rD�
initiate_resp�wait_options�	wait_resp�
e�revoke_optionsrNrNrO�_perform_magic_attachu
s.







���




�
��	
r�c
Csht�
t
tj�

tjtjgd
�
d�}
|
dkrdS|
dkr t|�
S|
dkr2t
tj�

t	d�
}t
||�SdS)	zZPrompt for attach to a subscription or token.

    :return: True if attach performed.
    )�
s�
a�
c�
�
valid_choicesr�Fr�r��> T)r�r^r�*SECURITY_UPDATE_NOT_INSTALLED_SUBSCRIPTIONr�prompt_choices�SECURITY_FIX_ATTACH_PROMPTr��PROMPT_ENTER_TOKEN�inputr�)rD�choicer�rNrNrO�_prompt_for_attach�
s




�








r
rFc
Cs4t|�
}
t
jtj�|
�
j|
d
�t|�
�
d�t	dd�S)z�Format the list of unfixed packages into an message.

    :returns: A string containing the message output for the unfixed
              packages.
    rQ)rgrSrTr�)
rZr_r`r�SECURITY_PKG_STILL_AFFECTEDrYr[r\r]r6)rF�num_pkgs_unfixedrNrNrO�_format_unfixed_packages_msg�
s


�

�
�r
cCs0t|�
}|d
t
jkr|
rttj�

dSdSdS)zuCheck if the Ubuntu Pro subscription is expired.

    :returns: True if subscription is expired and not renewed.
    r
FT)r5r4�EXPIREDr^r�(SECURITY_DRY_RUN_UA_EXPIRED_SUBSCRIPTION)rDrB�contract_expiry_statusrNrNrO�_check_subscription_is_expired�
s





r
c
Cs�d
dl}
d
dl
m}
t�
ttj�

tjtj	j
td�
ddgd�}|dkrFttj�

t
d�
}ttd	d
gg
�
�

|�|
jddd
�|�
t||�SdS)zdPrompt for attach a new subscription token to the user.

    :return: True if attach performed.
    r
N)
�cli)
�url�
rr�r�r

r��detachTr
)�
assume_yesr[F)�argparse�uaclientr
r�r^r�%SECURITY_UPDATE_NOT_INSTALLED_EXPIREDrr
�SECURITY_FIX_RENEW_PROMPTr[r=�PROMPT_EXPIRED_ENTER_TOKENr
r?�
action_detach�	Namespacer�)rDr
r
r
r�rNrNrO�_prompt_for_new_token�
s"




�





�
r
�servicecCs�tt
jj|
d
�
�

tjt
jj|
d
�
ddgd�}|dkrFttdd|
gg
�
�

t||
dd�\}}|sD|d	u
rDt	|t
�rD|jd	u
rDt|jj�

|Sd
S)zMPrompt for enable a pro service.

    :return: True if enable performed.
    �
r
r�r�r�r��enableT)rDr�r
NF)
r^r�SECURITY_SERVICE_DISABLEDr[rr
�SECURITY_FIX_ENABLE_PROMPTr?rr�r9�messagera)rDr
r
�ret�reasonrNrNrO�_prompt_for_enable�
s&


�



��
�

r%
cCs�t|
|d
�}||
�
}|rR|�
�\}}|tjkrdS|��\}}|tjkrH|r4tdtj	j
|jd�
�

dSt|
|j�r<dSttj
j
|jd�
�

dSttjj
|jd�
�

dS)zQ
    Verify if the Ubuntu Pro subscription has the required service enabled.
    )rDr�Tr�r
F)r7�user_facing_statusr:�ACTIVE�applicability_statusr8�
APPLICABLEr^r�'SECURITY_DRY_RUN_UA_SERVICE_NOT_ENABLEDr[r�r%
�SECURITY_UA_SERVICE_NOT_ENABLED� SECURITY_UA_SERVICE_NOT_ENTITLED)r
rDrB�ent_cls�ent�
ent_statusr�r(
rNrNrO�)_handle_subscription_for_required_services>











���


��
�

��r0
r�r�r�cCs�|tj
kr |rtjj|
|d
�}ntjj|
d�
}tt�|�
�

dS|tj	kr@|r0tj
j|
|d
�}ntjj|
d�
}tt�|�
�

dS|tjkr`|rPtj
j|
|d
�}ntjj|
d�
}tt�|�
�

dS|rktj
j|
|d
�}ntjj|
d�
}tt�|�
�

dS)N)r�r��
r�)r>rIr�%SECURITY_ISSUE_RESOLVED_ISSUE_CONTEXTr[�SECURITY_ISSUE_RESOLVEDr^r�handle_unicode_charactersr��'SECURITY_ISSUE_UNAFFECTED_ISSUE_CONTEXT�SECURITY_ISSUE_UNAFFECTEDr��)SECURITY_ISSUE_NOT_RESOLVED_ISSUE_CONTEXT�SECURITY_ISSUE_NOT_RESOLVED)rdr�r�rarNrNrOr�.s6



�





�





�


�
r�rec

Cs.|tkrt
jS|tkrt
jS|tkrt
jS|Srq)rr�'SECURITY_UBUNTU_STANDARD_UPDATES_POCKETr�SECURITY_UA_INFRA_POCKETr�SECURITY_UA_APPS_POCKET)
rerNrNrOrjSs





rj�fix_context�stepcCsh|j|
j
jd
|
j
jd�
d|_tjj|
j
j|
j
j	d�}t
d|�

|j|
j
jg
|d�
d|_
tj|_dS)N�released�rcrdreF)�package�versionr��rSrlT)rk�data�related_source_packagesrerKr�FIX_CANNOT_INSTALL_PACKAGEr[�binary_package�binary_package_versionr^rp�source_packagerLr>r�rJ)r<
r=
�warn_msgrNrNrO�)_execute_package_cannot_be_installed_step^s 


�

�

�
rJ
cCsR|j|
j
j|
j
jd
�
|jt|
j
j�
7_|j|
j
jt|
j
j�
d�
tj	|_
dS)N)rcrdrB
)rkrC
�source_packagesrdrErZrpr)r>r�rJ�r<
r=
rNrNrO�&_execute_security_issue_not_fixed_stepws

�


�rM
c
Csh
|j|
j
jd
|
j
jd�
|jt|
j
j�
7_|
j
js)|js#tt	j
�

tj|_
dSt��sE|jsEtt	j�

tj|_
|j|
j
jt	jd�
dSttgd�
gd�
t|
j
j�
g
�
�

|jratj|_
dSzt��
tjgd�
|
j
jddi
d	�
Wn,ty�
}
z t|d
t|�
�}t|�

tj|_
|j|
j
j|d�
WYd}~dSd}~w
wtj|_
d|_|j�|
j
j�

dS)Nr>
r?
rB
)r	�updatez&&)r	�install�--only-upgrade�-y)zapt-getrO
rP
rQ
�DEBIAN_FRONTEND�noninteractive)�cmd�override_env_varsraT)rkrC
rK
rerErZ�binary_packagesrLr^r�SECURITY_UPDATE_INSTALLEDr>rIrJr�we_are_currently_rootrB�SECURITY_APT_NON_ROOTr�rpr?r]r	�run_apt_update_command�run_apt_command�	Exception�getattrrurKrHrN
)r<
r=
r�rarNrNrO�_execute_apt_upgrade_step�sl


�










�

�
����






�
�





���


r^
cCs�|
jj
d
krtn
t}|j|
jjd|d�
d|_t|j�
j	sD|j
r(tdtj
�

nHt|j�
sCtj|_|j|
jjtjj|
jj
d�
d�
dSn,t|j|j
d�rp|j
rUttj�

nt|j�
sptj|_|j|
jjtjj|
jj
d�
d�
dStj|_dS)	N�	esm-infrar>
r?
Fr�r
rB
)rDrB)rC
�required_servicerrrkrK
rKr-rD�is_attachedrBr^r� SECURITY_DRY_RUN_UA_NOT_ATTACHEDr
r>r�rJrp�SECURITY_UA_SERVICE_REQUIREDr[r
r

r
�$SECURITY_UA_SERVICE_WITH_EXPIRED_SUBrI�r<
r=
rerNrNrO�_execute_attach_step�sL��


�








���	
�







��rf
cCs�|
jj
d
krtn
t}|j|
jjd|d�
d|_t|
jj
|j|j	�sBt
tjj
|
jj
d�
�

|j|
jjtjj
|
jj
d�
d�
tj|_dStjS)Nr_
r>
r?
Fr
rB
)rC
r
rrrkrK
rKr0
rDrBr^rr+
r[rp�%SECURITY_UA_SERVICE_NOT_ENABLED_SHORTr>r�rJrIre
rNrNrO�_execute_enable_step�s:��


�


�

��


��
rh
cCs*|
jj
tjjkrttj�

tj	|_
dSdSrq)rC
rdr�NOT_AFFECTED�valuer^r�SECURITY_NO_AFFECTED_PKGSr>r�rJrL
rNrNrO�_execute_noop_not_affected_steps


�rl
cCs.t|
j
t�rttjj|j|
j
jd
��

dSdS)N)r�rA
)	r�rC
r'r^r�CVE_FIXED_BY_LIVEPATCHr[rA�
patch_versionrL
rNrNrO�%_execute_noop_fixed_by_livepatch_step"s



���ro
cCsLt|
j
t�r$|j|
j
jd
|
j
jd�
ttj�

|j	t
|
j
j�
7_	dSdS)Nr>
r?
)r�rC
r&rkrK
rer^rrW
rErZrL
rNrNrO� _execute_noop_already_fixed_step.s



�

�rp
cCs�
g|j�
|j
�
}t|j|
|jpg|d
�}|��
t|dd�d�D]j}t|t�r,t	||�
t|t
�r6t||�
t|t�rHt
||�
|jtjkrH
nCt|t�rZt||�
|jtjkrZ
n1t|t�rlt||�
|jtjkrl
nt|t�rvt||�
t|t�r�t||�
t|t�r�t||�
q t�
|jr�ttttdd�|jD�
�
�
�
�

tj |_|jtjkr�t!j"|j#d�
r�tj$|_t%j&j'dd	�
}t|�

t(j)t*j+dd	�
t,|j|j�
|j|jfS)
N)rArBrCrDc


Ss|jSrq)
�order)
�
xrNrNrO�<lambda>Ksz"execute_fix_plan.<locals>.<lambda>)
�keyc
Ssg|]}
|
j�qSrN)
rm)r�r�rNrNrO�
<listcomp>ms��z$execute_fix_plan.<locals>.<listcomp>)
rHr�r�)-�plan�warningsr@rA�affected_packagesrbr]r�r$rJ
r%rM
rr^
rJr>rIrrf
rrh
rrl
rro
rrp
r^rFr
�listrGr�r
�
should_rebootrHr�rr�r[r;�addr<�ENABLE_REBOOT_REQUIREDr�)r�rBrD�	full_planr<
r=
�
reboot_msgrNrNrOr�;s�
��



�

































�





�����
�

�


�
r�c

Kslt�
tj|j�stj|jd
�
�
|jrtt	j
�

d|j��vr)t|j|j|
�}|jSt
|j|j|j|
�}|jS)Nr1
r�)�re�matchr�CVE_OR_USN_REGEXr�r
�InvalidSecurityIssueIdFormatrBr^r�SECURITY_DRY_RUN_WARNING�lowerr�r�r��	exit_code)�argsrD�kwargsrdrNrNrOr~�s


�


�
�r~rq)r�N)
r�)zr
r_�typingrrrrrrrr
r	r
rrr
r�uaclient.actionsrr�+uaclient.api.u.pro.attach.magic.initiate.v1r�)uaclient.api.u.pro.attach.magic.revoke.v1rr�'uaclient.api.u.pro.attach.magic.wait.v1rr�uaclient.api.u.pro.security.fixrrrrrrrrrrr r!r"r#r$r%r&r'r(�'uaclient.api.u.pro.security.fix._commonr)�+uaclient.api.u.pro.security.fix.cve.plan.v1r*r+r��+uaclient.api.u.pro.security.fix.usn.plan.v1r,r��(uaclient.api.u.pro.status.is_attached.v1r-�uaclient.cli.constantsr.r/�uaclient.clouds.identityr0r1r2�uaclient.configr3�uaclient.contractr4r5�uaclient.defaultsr6�uaclient.entitlementsr7�(uaclient.entitlements.entitlement_statusr8r9r:�uaclient.filesr;�uaclient.files.noticesr<�uaclient.messages.urlsr=�uaclient.securityr>�uaclient.statusr?r@r�rr�r�rurvr�r��intrir�r�r�r
r
r
r
r%
r0
r�rjrJ
rM
r^
rf
rh
rl
ro
rp
ror�r~rNrNrNrO�<module>
s

$
 



T














>
�
�
�

�l�
�����
�

�
�
�
�-�
�
�

�%
�
�
�

�
�
�>
�
�/
�
�&
�

�
�

�
�

�

�
�
�
�N