a }|g_F @sdZddlZddlZddlZddlZddlmZddlmZddlmZddlm Z ddlm Z ddlm Z dd lm Z dd lm Z ddlZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZeeZejddddZejddddZ ejddddZ!eje"e ej#dddZ$eje"e e e"dddZ%eje e"e e ej#e ej#fdd d!Z&ej#e"e e e"d"d#d$Z'e e eej#ge"feej#ge e e"ffd%d&d'Z(eje"d(d)d*Z)ejee eej#ge"feej#ge e e"ffeej#ge"feej#ge"fe e"d+d,d-Z*dCejej#e+e e"d/d0d1Z,dDeje"e+e e"e e"d2d3d4Z-ee"e"d5d6d7Z.ejeej#e"d8d9d:Z/ejeej#ee"dd;dZ1ejed?e1fe1ee1d@dAdBZ2dS)Ez Tools for managing certificates.N)Any)Callable)Iterable)List)Optional)Tuple)TypeVar)Union) configuration) crypto_util)errors)ocsp)util)storage)os)configreturncCst|dd}|j}|sHtjd|dd\}}|tjks>|sHtdt||}|sft d|t |||tj d||d d d S) zRename the specified lineage to the new name. :param config: Configuration. :type config: :class:`certbot._internal.configuration.NamespaceConfig` renamerz&Enter the new name for certificate {0}T)force_interactiveUser ended interaction.z,No existing certificate with name {0} found.z Successfully renamed {0} to {1}.F)pauseN) get_certnames new_certname display_utilZ input_textformatOKr Errorlineage_for_certnameZConfigurationErrorrZrename_renewal_config notification)rcertnamercodelineager"B/usr/lib/python3.9/site-packages/certbot/_internal/cert_manager.pyrename_lineage!s(   r$c Csg}g}t|D]v}z$t||}t|||Wqty}z4td||t dt ||WYd}~qd}~00qt |||dS)zDisplay information about certs configured with Certbot :param config: Configuration. :type config: :class:`certbot._internal.configuration.NamespaceConfig` zIRenewal configuration file %s produced an unexpected error: %s. Skipping.Traceback was: %sN) rrenewal_conf_files RenewableCertr Zverify_renewable_certappend ExceptionloggerZwarningdebug traceback format_exc_describe_certs)r parsed_certsparse_failures renewal_fileZrenewal_candidateer"r"r# certificates;s  "r3cCst|ddd}dg}|D]}|d|q|d|dtjd|dd sbtd d S|D] }t||t d |qfd S) z;Delete Certbot files associated with a certificate lineage.deleteT)allow_multiplez8The following certificate(s) are selected for deletion: z * aP WARNING: Before continuing, ensure that the listed certificates are not being used by any installed server software (e.g. Apache, nginx, mail servers). Deleting a certificate that is still being used will cause the server software to stop working. See https://certbot.org/deleting-certs for information on deleting certificates safely.z: Are you sure you want to delete the above certificate(s)? )defaultz$Deletion of certificate(s) canceled.Nz.Deleted all files relating to certificate {0}.) rr(rZyesnojoinr*inforZ delete_filesnotifyr)r certnamesmsgrr"r"r#r4Rs    r4) cli_configrrc Cs|j}tj|ddzt||}Wntjy:YdS0zt||WSttjfyt d|t dt YdS0dS)z)Find a lineage object with name certname.modeNzRenewal conf file %s is broken.r%) renewal_configs_dirrmake_or_verify_dirrZrenewal_file_for_certnamer CertStorageErrorr'OSErrorr*r+r,r-)r=r configs_dirr1r"r"r#rls r)rrrcCst||}|r|SdS)z0Find the domains in the cert with name certname.N)rnames)rrr!r"r"r#domains_for_certname~s rG)rdomainsrcsPtjtttjttjftttjttjfdfdd }d}t|||S)aFind existing certs that match the given domain names. This function searches for certificates whose domains are equal to the `domains` parameter and certificates whose domains are a subset of the domains in the `domains` parameter. If multiple certificates are found whose names are a subset of `domains`, the one whose names are the largest subset of `domains` is returned. If multiple certificates' domains are an exact match or equally sized subsets, which matching certificates are returned is undefined. :param config: Configuration. :type config: :class:`certbot._internal.configuration.NamespaceConfig` :param domains: List of domain names :type domains: `list` of `str` :returns: lineages representing the identically matching cert and the largest subset if they exist :rtype: `tuple` of `storage.RenewableCert` or `None` )candidate_lineagervrcsb|\}}t|}|tkr&|}n4|trZ|durB|}nt|t|krZ|}||fS)zsReturn cert as identical_names_cert if it matches, or subset_names_cert if it matches as subset N)setrFissubsetlen)rIrJZidentical_names_certZsubset_names_certZcandidate_namesrHr"r#update_certs_for_domain_matchess   z?find_duplicative_certs..update_certs_for_domain_matches)NN)rr'rr_search_lineages)rrHrOinitr"rNr#find_duplicative_certss  rR)rIfiletypercs,|jfddtD}|r(|SdS)aJ In order to match things like: /etc/letsencrypt/archive/example.com/chain1.pem. Anonymous functions which call this function are eventually passed (in a list) to `match_and_check_overlaps` to help specify the acceptable_matches. :param `.storage.RenewableCert` candidate_lineage: Lineage whose archive dir is to be searched. :param str filetype: main file name prefix e.g. "fullchain" or "chain". :returns: Files in candidate_lineage's archive dir that match the provided filetype. :rtype: list of str or None cs,g|]$}td|rtj|qS)z {0}[0-9]*.pem)rematchrrpathr8).0f archive_dirrSr"r# sz"_archive_files..N)rZrlistdir)rIrSpatternr"rYr#_archive_filess r^)rcCsddddddddgS)z Generates the list that's passed to match_and_check_overlaps. Is its own function to make unit testing easier. :returns: list of functions :rtype: list cSs|jSN)Zfullchain_pathxr"r"r#z%_acceptable_matches..cSs|jSr_ cert_pathr`r"r"r#rbrccSs t|dS)Ncertr^r`r"r"r#rbrccSs t|dS)N fullchainrgr`r"r"r#rbrcr"r"r"r"r#_acceptable_matchess  ri)r=rcs(t}t|fdddd}|dS)a If config.cert_path is defined, try to find an appropriate value for config.certname. :param `configuration.NamespaceConfig` cli_config: parsed command line arguments :returns: a lineage name :rtype: str :raises `errors.Error`: If the specified cert path can't be matched to a lineage name. :raises `errors.OverlappingMatchFound`: If the matched lineage's archive is shared. csjSr_rdr`r=r"r#rbrcz&cert_path_to_lineage..cSs|jSr_) lineagenamer`r"r"r#rbrcr)rimatch_and_check_overlaps)r=acceptable_matchesrUr"rjr#cert_path_to_lineages rn)r=rm match_funcrv_funcrc stjttttttjgtfttjgtttffttdfdd }t||g|}|sxt d|j dnt |dkrt |S)a Searches through all lineages for a match, and checks for duplicates. If a duplicate is found, an error is raised, as performing operations on lineages that have their properties incorrectly duplicated elsewhere is probably a bad idea. :param `configuration.NamespaceConfig` cli_config: parsed command line arguments :param list acceptable_matches: a list of functions that specify acceptable matches :param function match_func: specifies what to match :param function rv_func: specifies what to return )rI return_valuermrcsdfdd|D}g}|D]&}t|tr2||7}q|r||q}||vr`||S)z1Returns a list of matches using _search_lineages.csg|] }|qSr"r")rWfuncrIr"r#r[rczBmatch_and_check_overlaps..find_matches..) isinstancelistr()rIrqrmZacceptable_matches_resolvedZacceptable_matches_rvitemrUrorprsr# find_matchess   z.match_and_check_overlaps..find_matcheszNo match found for cert-path !)rr'rstrrr rrrPr rrerMZOverlappingMatchFound)r=rmrorprxZmatchedr"rwr#rls  rlF)rrfskip_filter_checksrc CsZg}t}|jr&|j|jkr&|s&dS|jrDt|j|sDdStj t j }g}|j rf| d|j|kr|| dn||r| d|rdd|}nF|j|}|jdkrd}n,|jdkrd |jd d }nd |jd }d |j|} tt|jd} | d|jd| d|jdd|d| d|jd|jd|S)zJ Returns a human readable description of info about a RenewableCert objectNZ TEST_CERTZEXPIREDZREVOKEDz INVALID: z, rzz VALID: 1 dayzVALID: iz hour(s)z daysz {0} ({1})raz Certificate Name: z Serial Number: z Key Type: z Domains:  z Expiry Date: z Certificate Path: z Private Key Path: )r ZRevocationCheckerrrkrHrKrLrFdatetimenowpytzZUTCZ is_test_certr(Z target_expiryZ ocsp_revokedr8ZdaysZsecondsrr Zget_serial_from_certreZprivate_key_typerhZprivkey) rrfr|certinfoZcheckerrZreasonsstatusdiffZ valid_stringserialr"r"r#human_readable_cert_infosL         r)rverbr5 custom_promptrc Cs|j}|r|g}nt|}dd|D}|s8td|r||sLd|}n|}tj||ddd\} }| tjkrtdnZ|sd |}n|}tj ||ddd\} } | tjks| t d t |vrtd|| g}|S) z4Get certname from flag, interactively, or error out.cSsg|]}t|qSr")rZlineagename_for_filename)rWnamer"r"r#r[Ircz!get_certnames..zNo existing certificates found.z+Which certificate(s) would you like to {0}?z --cert-nameT)Zcli_flagrrz(Which certificate would you like to {0}?r) rrr&r rrrZ checklistrZmenurangerM) rrr5rrr; filenameschoicespromptr indexr"r"r#rAs4          r)msgsrcCsdddd|DS)zFFormat a results report for a category of single-line renewal outcomesz z css|]}t|VqdSr_)r{)rWr<r"r"r# jrcz _report_lines..)r8)rr"r"r# _report_lineshsr)rr/rcCs4g}|D] }t||}|dur||qd|S)z)Format a results report for a parsed certNr6)rr(r8)rr/rrfZ cert_infor"r"r#_report_human_readablems   r)rr/r0rcCsg}|j}|s|s|dnL|rP|js,|jr0dnd}|d||t|||rh|d|t|tjd|dddd S) z/Print information about the certs we know aboutzNo certificates found.z matching r~zFound the following {0}certs:z3 The following renewal configurations were invalid:r6F)rwrapN) r(rrHrrrrrr8)rr/r0outr:rUr"r"r#r.xs  r.T.)r=rr initial_rvargsrc Gs|j}tj|dd|}t|D]`}zt||}Wn8ttjfynt d|t dt Yq"Yn0|||g|R}q"|S)aIterate func over unbroken lineages, allowing custom return conditions. Allows flexible customization of return values, including multiple return values and complex checks. :param `configuration.NamespaceConfig` cli_config: parsed command line arguments :param function func: function used while searching over lineages :param initial_rv: initial return value of the function (any type) :returns: Whatever was specified by `func` if a match is found. r>r?z)Renewal conf file %s is broken. Skipping.r%) rArrBrr&r'rDr rCr*r+r,r-)r=rrrrrErJr1rIr"r"r#rPs   rP)F)FN)3__doc__rZloggingrTr,typingrrrrrrrr rZcertbotr r r r rZcertbot._internalrZcertbot.compatrZcertbot.displayrZ getLogger__name__r*ZNamespaceConfigr$r3r4r{r'rrGrRr^rirnrlboolrrrrr.rrPr"r"r"r#s                    5  *  +  '