�

N�h�K��

�dZd
dl
Z
d
dlZd
dlZd
dlZd
dlmZ
d
dlmZ
d
dlm	Z	
d
dl
mZ
d
dl
mZ
d
dl
mZ
d
d	lmZ
d
d
lmZ
ej$e�
ZGd�dej*�ZGd
�d�Zdeddfd�Zdedefd�Zy)z$Certbot user-supplied configuration.�N)
�Any)
�Optional)
�parse)
�errors)
�util)
�	constants)
�misc)
�osc���eZ
dZd
Zej
�Z	ej
�Z	ej
�Z	ej
�Z		ej
�Z
y)�ArgumentSourcez;Enum for describing where a configuration argument was set.N)�__name__�
__module__�__qualname__�__doc__�enum�auto�COMMAND_LINE�CONFIG_FILE�DEFAULT�ENV_VAR�RUNTIME����/build/snapcraft-certbot-c9561b03ef7f16aa90eb6754ca5f17a1/parts/certbot/install/lib/python3.12/site-packages/certbot/configuration.pyrrsU��E��4�9�9�;�L�4��$�)�)�+�K�6��d�i�i�k�G�N��d�i�i�k�G�;��d�i�i�k�G�0rrc���eZ
dZd
Zdej
ddfd�Zdeee	fddfd�Z
dedefd	�Zdeee
ffd
�Zdeddfd�Zedeeee	ffd
��Zdede
fd�Zdede
ddfd�Zedefd��Zej,deddfd��Zedeefd��Zej,deddfd��Zedefd��Zej,deddfd��Zedefd��Zej,deddfd��Zedefd��Zej,deddfd��Zedefd ��Zedefd!��Zedefd"��Zedefd#��Zedefd$��Z edefd%��Z!edefd&��Z"edefd'��Z#edefd(��Z$edefd)��Z%edefd*��Z&ede'efd+��Z(edefd,��Z)edefd-��Z*edefd.��Z+edeefd/��Z,edeefd0��Z-edeefd1��Z.edefd2��Z/d3edefd4�Z0edefd5��Z1edefd6��Z2edefd7��Z3edefd8��Z4edefd9��Z5edefd:��Z6edefd;��Z7edefd<��Z8edefd=��Z9d>e
ddfd?�Z:y)@�NamespaceConfigaConfiguration wrapper around :class:`argparse.Namespace`.

    Please note that the following attributes are dynamically resolved using
    :attr:`~certbot.configuration.NamespaceConfig.work_dir` and relative
    paths defined in :py:mod:`certbot._internal.constants`:

      - `accounts_dir`
      - `in_progress_dir`
      - `temp_checkpoint_dir`

    And the following paths are dynamically resolved using
    :attr:`~certbot.configuration.NamespaceConfig.config_dir` and relative
    paths defined in :py:mod:`certbot._internal.constants`:

      - `default_archive_dir`
      - `live_dir`
      - `renewal_configs_dir`

    :ivar namespace: Namespace typically produced by
        :meth:`argparse.ArgumentParser.parse_args`.
    :type namespace: :class:`argparse.Namespace`

    �	namespace�returnNc�4�|
tj|d
|
�
tj|dd�
tj|di�
tjj	|j
j�
|j
_tjj	|j
j�
|j
_tjj	|j
j�
|j
_t|�

y)Nr�_argument_sources�_previously_accessed_mutables)
�object�__setattr__r
�path�abspathr�
config_dir�work_dir�logs_dir�_check_config_sanity)�selfrs  r�__init__zNamespaceConfig.__init__<s�������4��i�8����4�!4�d�;����4�!@�"�E�$&�G�G�O�O�D�N�N�4M�4M�$N����!�"$�'�'�/�/�$�.�.�2I�2I�"J�����"$�'�'�/�/�$�.�.�2I�2I�"J�����	�T�"r�argument_sourcesc�2�tj|d
|
�
y)al
        Associate the NamespaceConfig with a dictionary describing where each of
        its arguments came from, e.g. `{ 'email': ArgumentSource.CONFIG_FILE }`.
        This is necessary for making runtime evaluations on whether an argument
        was specified by the user or not (see `set_by_user`).

        For an example of how to build such a dictionary, see
        `certbot._internal.cli.helpful.HelpfulArgumentParser._build_sources_dict`

        :ivar argument_sources: dictionary of argument names to their :class:`ArgumentSource`
        :type argument_sources: :class:`Dict[str, ArgumentSource]`
        r N)r"r#)r*r,s  r�set_argument_sourcesz$NamespaceConfig.set_argument_sourcesJs��	���4�!4�6F�Gr�varc	�
�d
dlm
}
d
dlm}
d
dlm}
|j
�t
d�
�
|
|vr
y|
dvr&|j|�
\}}|
d	k(r|du
S|
d
k(r|du
S|
|j
vrB|j
|
tjk7r"tjd|
t||
��
y|j|
g�D]<}|j|�
s
�tjd|
|j|
g��

yy)
ad

        Return True if a particular config variable has been set by the user
        (via CLI or config file) including if the user explicitly set it to the
        default, or if it was dynamically set at runtime.  Returns False if the
        variable was assigned a default value.

        Raises an exception if `argument_sources` is not set.
        r)
�DEPRECATED_OPTIONS)
�
VAR_MODIFIERS)
�	selectionNzoNamespaceConfig.set_by_user called without an ArgumentSources dict. See NamespaceConfig.set_argument_sources().F)�
authenticator�	installerr4r5zVar %s=%s (set by user).T)�#certbot._internal.cli.cli_constantsr1r2�certbot._internal.pluginsr3r,�RuntimeError�cli_plugin_requestsrr�logger�debug�getattr�get�set_by_user)r*r/r1r2r3�auth�inst�modifiers        rr>zNamespaceConfig.set_by_user\s
��	K
�E�7�� � �(��
>�?�
?��$�$���0�0�"�6�6�t�<�J�D�$��o�%��4�'�'��k�!��4�'�'��$�'�'�'�D�,A�,A�#�,F�.�J`�J`�,`��L�L�3�S�'�$��:L�M��%�)�)�#�r�2�	�H�����)����7���*�*�3��3�
5��		�rc
�,�t
|j�
S)
zQ
        Returns a dictionary mapping all argument names to their values
        )�varsr�
r*s
 r�to_dictzNamespaceConfig.to_dict�s���D�N�N�#�#r�namec��|j�:tj|j|
<|
|jvr|j|
=y
y
y
)a)

        If an argument_sources dict was set, overwrites an argument's source to
        be ArgumentSource.RUNTIME. Used when certbot sets an argument's values
        at runtime. This also clears the modified value from
        _previously_accessed_mutables since it is no longer needed.
        N)r rrr!)r*rFs  r�_mark_runtime_overridez&NamespaceConfig._mark_runtime_override�sL���!�!�-�+9�+A�+A�D�"�"�4�(��t�9�9�9��6�6�t�<�:�.rc
���|jj�j�D]2\}
}t|j|
�}||k7s
�"|j|
�

�4|jS)
zPReturns _argument_sources after handling any changes to accessed mutable values.)r!�copy�itemsr<rrHr )r*rF�
prev_value�
current_values    rr,z NamespaceConfig.argument_sources�sd��!%� B� B� G� G� I� O� O� Q�	2��D�*�#�D�N�N�D�9�M��
�*��+�+�D�1�	2��%�%�%rc��|j}t|j|
�}|�U|
|v
s||
tjk7r;|
|j
v
r-t
|�
s"tj|�
|j
|
<|S�
N)	r,r<rrrr!�
_is_immutablerJ�deepcopy)r*rF�arg_sources�values    r�__getattr__zNamespaceConfig.__getattr__�su���+�+�������-���"��;�&�+�d�*;�~�?U�?U�*U�
�t�A�A�A�-�X]�J^�?C�}�}�U�?S�D�6�6�t�<��rrSc�T�|j
|
�

t|j|
|�
yrO)rH�setattrr)r*rFrSs   rr#zNamespaceConfig.__setattr__�s ���#�#�D�)������e�,rc

�.�|jjS)
zACME Directory Resource URI.)r�serverrDs
 rrXzNamespaceConfig.server�s���~�~�$�$�$r�server_c�H�|j
d
�

|
|j_y)NrX)rHrrX)r*rYs  rrXzNamespaceConfig.server�s���#�#�H�-� '����rc

�.�|jjS)
z�Email used for registration and recovery contact.

        Use comma to register multiple emails,
        ex: u1@example.com,u2@example.com. (default: Ask).
        )r�emailrDs
 rr\zNamespaceConfig.email�s���~�~�#�#�#r�mailc�H�|j
d
�

|
|j_y)Nr\)rHrr\)r*r]s  rr\zNamespaceConfig.email�s���#�#�G�,�#����rc

�.�|jjS)
zSize of the RSA key.)r�rsa_key_sizerDs
 rr`zNamespaceConfig.rsa_key_size�s���~�~�*�*�*r�ksizec�H�|j
d
�

|
|j_y)zSet the rsa_key_size propertyr`N)rHrr`)r*ras  rr`zNamespaceConfig.rsa_key_size�s��	
�#�#�N�3�&+����#rc

�.�|jjS)
z`The SECG elliptic curve name to use.

        Please see RFC 8446 for supported values.
        )r�elliptic_curverDs
 rrdzNamespaceConfig.elliptic_curve�s���~�~�,�,�,r�ecurvec�H�|j
d
�

|
|j_y)zSet the elliptic_curve propertyrdN)rHrrd)r*res  rrdzNamespaceConfig.elliptic_curve�s��	
�#�#�$4�5�(.����%rc

�.�|jjS)
zhType of generated private key.

        Only *ONE* per invocation can be provided at this time.
        )r�key_typerDs
 rrhzNamespaceConfig.key_type�s���~�~�&�&�&r�ktypec�H�|j
d
�

|
|j_y)zSet the key_type propertyrhN)rHrrh)r*ris  rrhzNamespaceConfig.key_type�s��	
�#�#�J�/�"'����rc

�.�|jjS)
z�Adds the OCSP Must-Staple extension to the certificate.

        Autoconfigures OCSP Stapling for supported setups
        (Apache version >= 2.3.3 ).
        )r�must_staplerDs
 rrlzNamespaceConfig.must_staple�����~�~�)�)�)rc

�.�|jjS)
zConfiguration directory.)rr&rDs
 rr&zNamespaceConfig.config_dir
s���~�~�(�(�(rc

�.�|jjS)
zWorking directory.)rr'rDs
 rr'zNamespaceConfig.work_dir
s���~�~�&�&�&rc
�8�|j
|j�
S)
z2Directory where all account information is stored.)�accounts_dir_for_server_path�server_pathrDs
 r�accounts_dirzNamespaceConfig.accounts_dir
s���0�0��1A�1A�B�Brc
��tjj|jjt
j�S)
z Configuration backups directory.)r
r$�joinrr'r�
BACKUP_DIRrDs
 r�
backup_dirzNamespaceConfig.backup_dir
s)���w�w�|�|�D�N�N�3�3�Y�5I�5I�J�Jrc
��tjj|jjt
j�S)
z:Directory used before a permanent checkpoint is finalized.)r
r$rurr'r�IN_PROGRESS_DIRrDs
 r�in_progress_dirzNamespaceConfig.in_progress_dir
s)���w�w�|�|�D�N�N�3�3�Y�5N�5N�O�Orc
��tjj|jjt
j�S)
zTemporary checkpoint directory.)r
r$rurr'r�TEMP_CHECKPOINT_DIRrDs
 r�temp_checkpoint_dirz#NamespaceConfig.temp_checkpoint_dir 
s0���w�w�|�|��N�N�#�#�Y�%B�%B�
D
�
	D
rc

�.�|jjS)
z�Disable verification of the ACME server's certificate.

        The root certificates trusted by Certbot can be overridden by setting the
        REQUESTS_CA_BUNDLE environment variable.
        )r�
no_verify_sslrDs
 rrzNamespaceConfig.no_verify_ssl&
s���~�~�+�+�+rc

�.�|jjS)
z�Port used in the http-01 challenge.

        This only affects the port Certbot listens on.
        A conforming ACME server will still attempt to connect on port 80.
        )r�http01_portrDs
 rr�zNamespaceConfig.http01_port/
rmrc

�.�|jjS)
z;The address the server listens to during http-01 challenge.)r�http01_addressrDs
 rr�zNamespaceConfig.http01_address8
s���~�~�,�,�,rc

�.�|jjS)
z�Port used to serve HTTPS.

        This affects which port Nginx will listen on after a LE certificate
        is installed.
        )r�
https_portrDs
 rr�zNamespaceConfig.https_port=
s���~�~�(�(�(rc

�.�|jjS)
zuList of user specified preferred challenges.

        Sorted with the most preferred challenge listed first.
        )r�pref_challsrDs
 rr�zNamespaceConfig.pref_challsF
s���~�~�)�)�)rc

�.�|jjS)
a�
Allow only a subset of names to be authorized to perform validations.

        When performing domain validation, do not consider it a failure
        if authorizations can not be obtained for a strict subset of
        the requested domains. This may be useful for allowing renewals for
        multiple domains to succeed even if some domains no longer point
        at this system.
        )r�allow_subset_of_namesrDs
 rr�z%NamespaceConfig.allow_subset_of_namesN
s���~�~�3�3�3rc

�.�|jjS)
z�Enable strict permissions checks.

        Require that all configuration files are owned by the current
        user; only needed if your config is somewhere unsafe like /tmp/.
        )r�strict_permissionsrDs
 rr�z"NamespaceConfig.strict_permissionsZ
s���~�~�0�0�0rc

�.�|jjS)
z�Disable renewal updates.

        If updates provided by installer enhancements when Certbot is being run
        with "renew" verb should be disabled.
        )r�disable_renew_updatesrDs
 rr�z%NamespaceConfig.disable_renew_updatesc
s���~�~�3�3�3rc

�.�|jjS)
a]
Request the given profile name from the ACME server.

        If the ACME server returns an error, issuance (or renewal) will fail.
        For long-term reliability, setting preferred_profile instead may be
        preferable because it allows fallback to a default. Use this setting
        when renewal failure is preferable to fallback.
        )r�required_profilerDs
 rr�z NamespaceConfig.required_profilel
s���~�~�.�.�.rc

�.�|jjS)
a�
Request the given profile name from the ACME server, or fallback to default.

        If the given profile name exists in the ACME directory, use it to request a
        a certificate. Otherwise, fall back to requesting a certificate without a profile
        (which means the CA will use its default profile). This allows renewals to
        succeed even if the CA deprecates and removes a given profile.
        )r�preferred_profilerDs
 rr�z!NamespaceConfig.preferred_profilew
s���~�~�/�/�/rc

�.�|jjS)
z�Set the preferred certificate chain.

        If the CA offers multiple certificate chains, prefer the chain whose
        topmost certificate was issued from this Subject Common Name.
        If no match, the default offered chain will be used.
        )r�preferred_chainrDs
 rr�zNamespaceConfig.preferred_chain�
s���~�~�-�-�-rc
���t
j|jj�
}
|
j|
j
zj
d
tj
j�S)zFile path based on ``server``.�
/)	r�urlparserrX�netlocr$�replacer
�sep)r*�parseds  rrrzNamespaceConfig.server_path�
sD�������� 5� 5�6���
�
����+�4�4�S�"�'�'�+�+�F�Frrrc��t
j|
�
}
tjj	|j
jtj|
�S)
z/Path to accounts directory based on server_path)	r	�.underscores_for_unsupported_characters_in_pathr
r$rurr&r�ACCOUNTS_DIR)r*rrs  rrqz,NamespaceConfig.accounts_dir_for_server_path�
s@���I�I�+�V���w�w�|�|��N�N�%�%�y�'=�'=�{�
L
�
	L
rc
��tjj|jjt
j�SrO)r
r$rurr&r�ARCHIVE_DIRrDs
 r�default_archive_dirz#NamespaceConfig.default_archive_dir�
s'���w�w�|�|�D�N�N�5�5�y�7L�7L�M�Mrc
��tjj|jjt
j�SrO)r
r$rurr&r�LIVE_DIRrDs
 r�live_dirzNamespaceConfig.live_dir�
s'���w�w�|�|�D�N�N�5�5�y�7I�7I�J�Jrc
��tjj|jjt
j�SrO)r
r$rurr&r�RENEWAL_CONFIGS_DIRrDs
 r�renewal_configs_dirz#NamespaceConfig.renewal_configs_dir�
s.���w�w�|�|��N�N�%�%�y�'D�'D�
F
�
	F
rc
��tjj|jjt
j�S)
z>Path to directory with hooks to run with the renew subcommand.)r
r$rurr&r�RENEWAL_HOOKS_DIRrDs
 r�renewal_hooks_dirz!NamespaceConfig.renewal_hooks_dir�
s.���w�w�|�|�D�N�N�5�5�%�7�7�
9�
	9rc
�r�tjj|jtj
�S)
z8Path to the pre-hook directory for the renew subcommand.)r
r$rur�r�RENEWAL_PRE_HOOKS_DIRrDs
 r�renewal_pre_hooks_dirz%NamespaceConfig.renewal_pre_hooks_dir�
s*���w�w�|�|�D�2�2�%�;�;�
=�
	=rc
�r�tjj|jtj
�S)
z;Path to the deploy-hook directory for the renew subcommand.)r
r$rur�r�RENEWAL_DEPLOY_HOOKS_DIRrDs
 r�renewal_deploy_hooks_dirz(NamespaceConfig.renewal_deploy_hooks_dir�
s,���w�w�|�|�D�2�2�%�>�>�
@
�
	@
rc
�r�tjj|jtj
�S)
z9Path to the post-hook directory for the renew subcommand.)r
r$rur�r�RENEWAL_POST_HOOKS_DIRrDs
 r�renewal_post_hooks_dirz&NamespaceConfig.renewal_post_hooks_dir�
s*���w�w�|�|�D�2�2�%�<�<�
>�
	>rc

�.�|jjS)
zuThis option specifies how long (in seconds) Certbot will wait
        for the server to issue a certificate.
        )r�issuance_timeoutrDs
 rr�z NamespaceConfig.issuance_timeout�
s��
�~�~�.�.�.rc

�.�|jjS)
z�This option specifies whether Certbot should generate a new private
        key when replacing a certificate, even if reuse_key is set.
        )r�new_keyrDs
 rr�zNamespaceConfig.new_key�
s��
�~�~�%�%�%r�_memoc�6
�t
j|j�
}t|�
|�
}tj|d
t
j|j�
�
tj|dt
j|j�
�
|S)Nr r!)rJrQr�typer"r#r,r!)r*r��new_ns�
new_configs    r�__deepcopy__zNamespaceConfig.__deepcopy__�
sr�����t�~�~�.���T�$�Z��'�
����:�':�D�M�M�$�J_�J_�<`�a����:�'F��=�=��)K�)K�L�
	N
��r);r
rrr�argparse�	Namespacer+�dict�strrr.�boolr>rrErH�propertyrr,rTr#rX�setterr\�intr`rdrhrlr&r'rsrwrzr}rr�r�r��listr�r�r�r�r�r�r�rrrqr�r�r�r�r�r�r�r�r�r�rrrrr#si���0#�(�"4�"4�#��#�H
�T�#�~�:M�5N�H
�SW�H
�$(�s�(�t�(�T
$��c�3�h��$�
=�3�
=�4�
=��&�(�4��^�0C�+D�"E�&��&�&
��
��
�-��-�C�-�D�-��%��%��%��]�]�(�c�(�d�(��(��$�x��}�$��$��\�\�$�#�$�$�$��$��+�c�+��+����,�#�,�$�,��,�
�-��-��-����/�S�/�T�/��/�
�'�#�'��'��_�_�(�c�(�d�(��(�
�*�T�*��*��)�C�)��)��'�#�'��'��C
�c�C
��C
��K
�C�K
��K
��P
��P
��P
��D
�S�D
��D
�
�,�t�,��,��*�S�*��*��-��-��-��)�C�)��)��*�T�#�Y�*��*��	4�t�	4��	4��1�D�1��1��4�t�4��4��/�(�3�-�/��/��0�8�C�=�0��0��.��#��.��.��G
�S�G
��G
�
L
��L
��L
��
N
�S�
N
��
N
��
K
�#�
K
��
K
��F
�S�F
��F
��9�3�9��9�
�=�s�=��=�
�@
�#�@
��@
�
�>��>��>�
�/�#�/��/��&��&��&��#��*;�rr�configrc
� 
�|j|jk(r.tjd
j	|j�
�
�
|j
j�1|j
jD]}
tj|
�

�yy)z�Validate command line options and display error message if
    requirements are not met.

    :param config: NamespaceConfig instance holding user configuration
    :type args: :class:`certbot.configuration.NamespaceConfig`

    z;Trying to run http-01 and https-port on the same port ({0})N)	r�r�r�ConfigurationError�formatr�domainsr�enforce_domain_sanity)r��domains  rr)r)�
s������V�.�.�.��'�'�

%�%+�V�F�,=�,=�%>�@
�	@
�
�����+��&�&�.�.�	/�F��&�&�v�.�	/�,rrSc
��t
|t�rtd
�|D��
Sttt
ttttfD]}
t
||
�s
�
y|duS)zIs value of an immutable type?c
3�2K
�|]}
t
|
�
�
�

�y�w
rO)
rP)�.0�subvalues  r�	<genexpr>z _is_immutable.<locals>.<genexpr>�
s����A�x�=��*�A�s�
TN)
�
isinstance�tuple�allr��float�complexr��bytesr��	frozenset)rS�immutable_types  rrPrP�
sT���%����A�5�A�A�A���w��U�D�)�M����e�^�,����D�=�r)rr�rJr�logging�typingrr�urllibr�certbotrr�certbot._internalr�certbot.compatr	r
�	getLoggerr
r:�Enumrrr)r�rPrrr�<module>r�
s��


�*����������'���
��	�	�8�	$��
1�T�Y�Y�
1�r
�r
�j

/��
/�T�
/�*	
��	
��	
r