a }|�gp>�@s�dZddlZddlZddlZddlZddlmZddlmZddlmZddlm Z ddlm Z ddlmZdd lmZdd lm Z ddlmZddlmZdd lmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlm Z!ddl"m#Z#ddl"m Z ddl$m%Z%e�&e'�Z(dZ)ddgZ*Gdd�de#j+ej,�Z,Gdd �d ej-�Z.Gd!d"�d"ej-�Z/e0e0d#�d$d%�Z1dS)&zWebroot plugin.�N)�Any)�Callable)�DefaultDict)�Dict)�Iterable)�List)�Optional)�Sequence)�Set)�Type)�Union)� challenges)�crypto_util)�errors)� interfaces)�cli)�AnnotatedChallenge)� filesystem)�os)�ops)�util)�common)� safe_opena! Z@20c5ca1bd58fa8ad5f07a2f1be8b7cbb707c20fcb607a8fc8db9393952846a97Z@8d31383d3a079d2098a9d0c0921f4ab87e708b9868dc3f314d54094c2fe70336csTeZdZdZdZdZed�dd�Zee ddd �d d��Z eeed�d d�Z eeeejd�dd�Zeedd��fdd�Zdd�dd�Zeeeejd�dd�Zeedd�dd�Zeeeeed�dd�Zeeeeed�dd �Zd/eeeed"�d#d$�Zdd�d%d&�Zeeed'�d(d)�Zeejd*�d+d,�Z eedd�d-d.�Z!�Z"S)0� AuthenticatorzWebroot Authenticator.z�Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A separate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).z�Authenticator plugin that performs http-01 challenge by saving necessary validation resources to appropriate paths on the file system. It expects that there is some other HTTP server configured to serve all files under specified web root ({0}).)�returncCs|j�|�d��S)N�path)� MORE_INFO�format�conf��self�r!�E/usr/lib/python3.9/site-packages/certbot/_internal/plugins/webroot.py� more_infoFszAuthenticator.more_info).NN)�addrcCs&|ddgtdd�|ditdd�dS)Nrz-wapublic_html / webroot path. This can be specified multiple times to handle different domains; each domain will have the webroot path that preceded it. For instance: `-w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.net -d m.thing.net` (default: Ask))�default�action�help�mapa�JSON dictionary mapping domains to webroot paths; this implies -d for each entry. You may need to escape this from your shell. E.g.: --webroot-map '{"eg1.is,m.eg1.is":"/www/eg1/", "eg2.is":"/www/eg2"}' This option is merged with, but takes precedence over, -w / -d entries. At present, if you put webroot-map in a config file, it needs to be on a single line, like: webroot-map = {"example.com":"/var/www"}.)�_WebrootPathAction�_WebrootMapAction)�clsr$r!r!r"�add_parser_argumentsIs ��z"Authenticator.add_parser_arguments)�failed_achallsrcCsdS)Nz�The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.r!)r r-r!r!r"� auth_hint[szAuthenticator.auth_hint)�domainrcCstjgS�N)r �HTTP01)r r/r!r!r"�get_chall_prefaszAuthenticator.get_chall_pref��args�kwargsrcs.t�j|i|��i|_t�t�|_g|_dSr0)�super�__init__� full_roots�collections�defaultdict�set� performed� _created_dirs�r r4r5�� __class__r!r"r7eszAuthenticator.__init__cCsdSr0r!rr!r!r"�preparelszAuthenticator.prepare)�achallsrcs$��|��fdd�|D�S)Ncsg|]}��|��qSr!)�_perform_single)�.0�achallrr!r"� t�z)Authenticator.perform..)� _set_webroots�_create_challenge_dirs)r rBr!rr"�performos zAuthenticator.performc Cs�|�d�rD|�d�d}t�d|�|D]}|�d��|j|�q(n|tt|�d��}|D]`}|j|�d�vr^|�|j|�}z|� |�Wnt y�Yn0|�d|�||�d�|j<q^dS)Nr��z4Using the webroot path %s for all unmatched domains.r(r)r�logger�info� setdefaultr/�listr;�values�_prompt_for_webroot�remove� ValueError�insert)r rB�webroot_pathrE�known_webrootsZnew_webrootr!r!r"rHvs& ��zAuthenticator._set_webroots)r/rVrcCsBd}|dur>|r0|�||�}|dur<|�|�}q|�|d�}q|S)NT)�_prompt_with_webroot_list�_prompt_for_new_webroot)r r/rV�webrootr!r!r"rQ�sz!Authenticator._prompt_for_webrootcCs\d|�d�}tjd�|�dg||dd�\}}|tjkrDt�d��|dkrPdS||d S) Nz--rzSelect the webroot for {0}:zEnter a new webrootT)Zcli_flag�force_interactive�IEvery requested domain must have a webroot when using the webroot plugin.r�)Zoption_name�display_utilZmenur�CANCELr�PluginError)r r/rVZ path_flag�code�indexr!r!r"rW�s� �z'Authenticator._prompt_with_webroot_listF)r/� allowraisercCs>tjtd�|�dd�\}}|tjkr6|s,dSt�d��t|�S)NzInput the webroot for {0}:T)rZr[)rZvalidated_directory�_validate_webrootrr]r^rr_)r r/rbr`rYr!r!r"rX�s� �z%Authenticator._prompt_for_new_webrootc Cs�|�d�}|st�d��|��D�]�\}}tj�|tj�tj j ��|j|<t� d|j|�t�d��tt�|j|�dd�td�D]�}tj�|�r�q�zvt�|d�|j�|�ztj||dddd �Wn@ttf�y}z"t�d �t� d|�WYd}~n d}~00Wq�t�yH}zt�d�||��WYd}~q�d}~00q�Wd�n1�sb0Ytjs tj�|j|d �}tj�|��r�t�d|j|�q t�d|j|�t |ddd��}|�!t"�Wd�q 1�s�0Yq dS)Nr(z�Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with --help webroot for examples.z-Creating root challenges validation dir at %s�rK)�keyi�T)Z copy_userZ copy_groupz3Unable to change owner and uid of webroot directory� Error was: %sz=Couldn't create root for {0} http-01 challenge responses: {1}� web.configzPA web.config file has not been created in %s because another one already exists.zGCreating a web.config file in %s to allow IIS to serve challenge files.�w��mode�chmod)#rrr_�itemsrr�join�normcaser r1Z URI_ROOT_PATHr8rL�debugr� temp_umask�sortedrZget_prefixes�len�isdir�mkdirr=�appendZcopy_ownership_and_apply_mode�OSError�AttributeErrorZwarningr� POSIX_MODE�existsrMr�write�_WEB_CONFIG_CONTENT)r Zpath_map�namer�prefix� exception�web_config_pathZ web_configr!r!r"rI�sX ��$ � &��<��z$Authenticator._create_challenge_dirs)� root_pathrErcCstj�||j�d��S)N�token)rrrnZchall�encode)r r�rEr!r!r"�_get_validation_path�sz"Authenticator._get_validation_path)rErc Cs�|��\}}|j|j}|�||�}t�d|�t�d��Lt|ddd��}|� |� ��Wd�n1sn0YWd�n1s�0Y|j|�|�|S)Nz#Attempting to save validation to %srd�wbrirj) Zresponse_and_validationr8r/r�rLrprrqrr{r�r<r$)r rEZresponseZ validationr��validation_pathZvalidation_filer!r!r"rC�sJzAuthenticator._perform_singlec Cs0|D]�}|j�|jd�}|dur|�||�}t�d|�t�|�|j|�|�t j stj�|d�}tj� |�rt�|�}|tvr�t�d|�t�|�qt�d|�qg}|j�r|j��}zt�|�Wq�t�y} z0|�d|�t�d|�t�d| �WYd} ~ q�d} ~ 00q�||_t�d�dS) NzRemoving %srgz4Cleaning web.config file generated by Certbot in %s.zQNot cleaning up the web.config file in %s because it is not generated by Certbot.rz3Challenge directory %s was not empty, didn't removerfzAll challenges cleaned up)r8�getr/r�rLrprrRr<rryrrnrzr� sha256sum�_WEB_CONFIG_SHA256SUMSrMr=�pop�rmdirrwrT) r rBrEr�r�r�r�Znot_removedr�excr!r!r"�cleanups< �� $zAuthenticator.cleanup)F)#�__name__� __module__�__qualname__�__doc__�descriptionr�strr#�classmethodrr,rrr.rrr Z Challenger2rr7rAZChallengeResponserJrHrrQrW�boolrXrIr�rCr�� __classcell__r!r!r?r"r8s*� 7rc@s>eZdZdZdejejeee e dfeedd�dd�ZdS)r*z%Action class for parsing webroot_map.N)�parser� namespace�webroot_map� option_stringrcsV|durdSt�t|��D]2\}�t��|j��fdd�t�||�D��qdS)Nc3s|]}|�fVqdSr0r!)rD�d�rUr!r"� ,sz-_WebrootMapAction.__call__..) �json�loadsr�rmrcr��updaterZadd_domains)r r�r�r�r��domainsr!r�r"�__call__%s �z_WebrootMapAction.__call__)N) r�r�r�r��argparse�ArgumentParser� Namespacerr�r rrr�r!r!r!r"r*"s� �r*csXeZdZdZeedd��fdd�Zd ejeje e eedfee dd�dd�Z �ZS) r)z&Action class for parsing webroot_path.Nr3cst�j|i|��d|_dS)NF)r6r7�_domain_before_webrootr>r?r!r"r73sz_WebrootPathAction.__init__)r�r�rUr�rcCsl|durdS|jrt�d��|jrH|jd}|jD]}|j�||�q2n|jrTd|_|j�tt |��dS)NzPIf you specify multiple webroot paths, one of them must precede all domain flagsrKT) r�rr_rUr�r�rNrvrcr�)r r�r�rUr�Zprev_webrootr/r!r!r"r�7s� z_WebrootPathAction.__call__)N)r�r�r�r�rr7r�r�r�rr�r rr�r�r!r!r?r"r)0s� �r))rUrcCs&tj�|�st�|d��tj�|�S)z�Validates and returns the absolute path of webroot_path. :param str webroot_path: path to the webroot directory :returns: absolute path of webroot_path :rtype: str z% does not exist or is not a directory)rrrtrr_�abspathr�r!r!r"rcMs rc)2r�r�r9r�Zlogging�typingrrrrrrrr r rrZacmer ZcertbotrrrZcertbot._internalrZcertbot.achallengesrZcertbot.compatrrZcertbot.displayrrr]Zcertbot.pluginsrZcertbot.utilrZ getLoggerr�rLr|r�ZPluginr�Actionr*r)r�rcr!r!r!r"�sL �k