o csu@sJdZddlZddlZddlmZddlmZddlZddl Z ddl Z ddl m Z ddl m Z ddl mZddl mZddl mZdd l mZdd l mZdd l mZdd l mZddlZddlZddlZdd lmZddlmZddlmZddlmZddlm Z ddlm!Z!ddlm"Z"e#e$Z%dZ&GdddZ'GdddZ(dS)zACME client API.N) parsedate_tz)Any)cast)List)Mapping)Optional)Set)Text)Tuple)Union) HTTPAdapter)parse_header_links) challenges) crypto_util)errors)jws)messages-c @seZdZdZdejddddfddZd ejdejfd d Z d ejdejfd dZ dNd ejde ej dejfddZ dOd ejdedejfddZdedejfddZdejdeejejffddZ dNdejde ejdejfddZdejdejdejfd d!Z dOdejdejd"edejfd#d$Zd%ejd&eddfd'd(Zdefd)d*Z d+e!d,e!dejfd-d.Z"d/ejd0e#de$e#fd1d2Z%e&d3e#dddejfd4d5Z'e&  dPd/ejd6e e#d7e e#dejfd8d9Z(d ejd:ej dejfd;d<Z)d+e!d,e!dejfd=d>Z*d ejdejfd?d@Z+dejdejfdAdBZ,  dPd/ejdCe ej-d6e e#dejfdDdEZ.dFej/d/e0j1dej2fdGdHZ3e&d/ejdIedejfdJdKZ4d%ejd&ed3e#ddfdLdMZ5dS)QClientV2zuACME client for a v2 API. :ivar messages.Directory directory: :ivar .ClientNetwork net: Client network. directorynet ClientNetworkreturnNcCs||_||_dS)zInitialize. :param .messages.Directory directory: Directory Resource :param .ClientNetwork net: Client network. N)rr)selfrrr8/opt/certbot/lib/python3.10/site-packages/acme/client.py__init__+s zClientV2.__init__ new_accountcCsL||jd|}|jdkrd|jvrt|jd||}||j_|S)zRegister. :param .NewRegistration new_account: :raises .ConflictError: in case the account already exists :returns: Registration Resource. :rtype: `.RegistrationResource` newAccountLocation) _postr status_codeheadersr ConflictError_regr_from_responseraccount)rrresponseregrrrrr4s   zClientV2.new_accountr(cCs||d|j_|jjS)zQuery server about registration. :param messages.RegistrationResource regr: Existing Registration Resource. T)_get_v2_accountrr&rr(rrrquery_registrationGszClientV2.query_registrationupdatecCsJ||}|dur |jn|}tjdit|}|j||d}||j_|S)aKUpdate registration. :param messages.RegistrationResource regr: Registration Resource. :param messages.Registration update: Updated body of the resource. If not provided, body will be taken from `regr`. :returns: Updated Registration Resource. :rtype: `.RegistrationResource` N)bodyr)r)r-rUpdateRegistrationdict_send_recv_regrrr&)rr(r,r- updated_regrrrrupdate_registrationSs zClientV2.update_registrationF update_bodycCsbd|j_|jjdd}||jd|}|jd}|j|r%tj | n|j|d}||j_|S)NT)only_return_existingrr r-uri) rr&r-r,r!rr#r Registration from_jsonjson)rr(r3only_existing_regr' updated_urinew_regrrrrr)is zClientV2._get_v2_accountcsr_pemc Cstjtjj|}t|}t|}g}|D] }|tj tj |dq|D] }|tj tj |dq'tj |d}| |jd|} tj| } g} | jD]} | |j|| | dqQtj| | jd| |dS)zRequest a new Order object from the server. :param bytes csr_pem: A CSR in PEM format. :returns: The newly created order. :rtype: OrderResource )typvalue) identifiersnewOrderr6r )r-r6authorizationsr=)OpenSSLcryptoload_certificate_request FILETYPE_PEMr _pyopenssl_cert_or_req_all_names_pyopenssl_cert_or_req_san_ipappendr IdentifierIDENTIFIER_FQDN IDENTIFIER_IPNewOrderr!rOrderr8r9rC_authzr_from_response _post_as_get OrderResourcer#get) rr=csrdnsNamesipNamesr@nameipsorderr'r-rCurlrrr new_orderus0        zClientV2.new_orderauthzrcCs(||j}|||jj|j}||fS)aPoll Authorization Resource for status. :param authzr: Authorization Resource :type authzr: `.AuthorizationResource` :returns: Updated Authorization Resource and HTTP response. :rtype: (`.AuthorizationResource`, `requests.Response`) )rQr6rPr- identifier)rr\r'updated_authzrrrrpolls  z ClientV2.pollorderrdeadlinecCs6|durtjtjdd}|||}|||S)adPoll authorizations and finalize the order. If no deadline is provided, this method will timeout after 90 seconds. :param messages.OrderResource orderr: order to finalize :param datetime.datetime deadline: when to stop polling and timeout :returns: finalized order :rtype: messages.OrderResource NZseconds)datetimenow timedeltapoll_authorizationsfinalize_order)rr`rarrrpoll_and_finalizes  zClientV2.poll_and_finalizecCsg}|jjD],}tj|kr2|j|||d}|jjtjkr&| |n t dtj|ksqt |t |jjkrAt g}|D]}|jjtjkr_|jjD] }|jdur^| |qRqE|rgt ||j|dS)zPoll Order Resource for status.rBN)rC)r-rCrerfrPrQstatusrSTATUS_PENDINGrJtimesleeplenr TimeoutError STATUS_VALIDrerrorValidationErrorr,)rr`ra responsesrZr\failedchallrrrrhs,        zClientV2.poll_authorizationsfetch_alternative_chainsc stjtjj|j}tjt|d} |j j |t j |krtd|j}tj|}|jtjkrK|jdurFt|jtd|jtjkr}|jdur}|j}|j||jd}|r{|d} fdd| D} |j| d }|St j |ks"t ) a{Finalize an order and obtain a certificate. :param messages.OrderResource orderr: order to finalize :param datetime.datetime deadline: when to stop polling and timeout :param bool fetch_alternative_chains: whether to also fetch alternative certificate chains :returns: finalized order :rtype: messages.OrderResource )rTrkNzPThe certificate order failed. No further information was provided by the server.)r- fullchain_pem alternatecsg|]}|jqSr)rQtext).0rZrrr sz+ClientV2.finalize_order..)alternative_fullchains_pem)!rDrErFrGr=rCertificateRequestjoseComparableX509r!r-finalizererfrnrorQr6rOr8r9rlSTATUS_INVALIDrsr IssuanceErrorErrorrr certificater,r{ _get_linksrq) rr`rarxrT wrapped_csrr'r-certificate_responsealt_chains_urls alt_chainsrr}rris2         zClientV2.finalize_ordercertrsncCs||||jddS)aRevoke certificate. :param .ComparableX509 cert: `OpenSSL.crypto.X509` wrapped in `.ComparableX509` :param int rsn: Reason code for certificate revocation. :raises .ClientError: If revocation is unsuccessful. revokeCertN)_revoker)rrrrrrrevokes zClientV2.revokecCs$t|jdot|jjdo|jjjS)zGChecks if ACME server requires External Account Binding authentication.metaexternal_account_required)hasattrrrrr}rrrrs  z"ClientV2.external_account_requiredargskwargscOs,|ddd|dd}|j|i|S)z Send GET request using the POST-as-GET protocol. :param args: :param kwargs: :return: NrkN)r!)rrrnew_argsrrrrQ szClientV2._post_as_getr' relation_typecs.d|jvrgSt|jd}fdd|DS)z Retrieves all Link URIs of relation_type from the response. :param requests.Response response: The requests HTTP response. :param str relation_type: The relation type to filter by. Linkcs0g|]}d|vrd|vr|dkr|dqS)relrZr)r|lrrrr~"s z'ClientV2._get_links..)r#r )rr'rlinksrrrrs zClientV2._get_linksrZcCstj||S)aB Retrieves the ACME directory (RFC 8555 section 7.1.1) from the ACME server. :param str url: the URL where the ACME directory is available :param ClientNetwork net: the ClientNetwork to use to make the request :returns: the ACME directory object :rtype: messages.Directory )r Directoryr8rSr9)clsrZrrrr get_directory%s zClientV2.get_directoryr6terms_of_servicecCs>d|jvr |jdd}tjtj||jd||dS)Nzterms-of-servicerZr )r-r6r)rrRegistrationResourcer7r8r9r#rS)rr'r6rrrrr%1s  zClientV2._regr_from_responser-cCs"||j|}|j||j|jdS)N)r6r)r!r6r%r)rr(r-r'rrrr0=s zClientV2._send_recv_regrcOs&|dt|jd|jj|i|S)zWrapper around self.net.post that adds the newNonce URL. This is used to retry the request in case of a badNonce error. new_nonce_urlnewNonce) setdefaultgetattrrrpostrrrrrrr!KszClientV2._postcCs||tjdddS)zDeactivate registration. :param messages.RegistrationResource regr: The Registration Resource to be deactivated. :returns: The Registration resource that was deactivated. :rtype: `.RegistrationResource` deactivatedN)rlcontact)r2rr7r8r*rrrdeactivate_registrationTs z ClientV2.deactivate_registrationcCs.tjdd}||j|}|||jj|jS)aDeactivate authorization. :param messages.AuthorizationResource authzr: The Authorization resource to be deactivated. :returns: The Authorization resource that was deactivated. :rtype: `.AuthorizationResource` r)rl)rUpdateAuthorizationr!r6rPr-r])rr\r-r'rrrdeactivate_authorizationbs  z!ClientV2.deactivate_authorizationr]cCsFtjtj||jd|d}|dur!|jj|kr!t ||S)Nr r5) rAuthorizationResource Authorizationr8r9r#rSr-r]rUnexpectedUpdate)rr'r]r6r\rrrrPss  zClientV2._authzr_from_responsechallbcCsp||j|}z |jdd}Wn tytdwtj|tj | d}|j|jkr6t |j|S)ahAnswer challenge. :param challb: Challenge Resource body. :type challb: `.ChallengeBody` :param response: Corresponding Challenge response :type response: `.challenges.ChallengeResponse` :returns: Challenge Resource with updated body. :rtype: `.ChallengeResource` :raises .UnexpectedUpdate: uprZz"up" Link header missing) authzr_urir-) r!r6rKeyErrorr ClientErrorrChallengeResource ChallengeBodyr8r9r)rrr'resprchallrrrranswer_challenge}s    zClientV2.answer_challengedefaultc Cs|jdt|}zt|}Wn<tyKt|}|durGzt|ddur+|dnd}tj|dd|WYSttfyFYnw|}Ynwtj tj|dS)aCompute next `poll` time based on response ``Retry-After`` header. Handles integers and various datestring formats per https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.37 :param requests.Response response: Response from `poll`. :param int default: Default value (in seconds), used when ``Retry-After`` header is not present or invalid. :returns: Time point when next `poll` should be performed. :rtype: `datetime.datetime` z Retry-AfterNrrc) r#rSstrint ValueErrorrrerg OverflowErrorrf)rr'r retry_afterrdwhentz_secsrrrrs   zClientV2.retry_aftercCs0||tj||d}|jtjkrtddS)a.Revoke certificate. :param .ComparableX509 cert: `OpenSSL.crypto.X509` wrapped in `.ComparableX509` :param int rsn: Reason code for certificate revocation. :param str url: ACME URL to post to :raises .ClientError: If revocation is unsuccessful. )rreasonz0Successful revocation must return HTTP OK statusN)r!r Revocationr" http_clientOKrr)rrrrZr'rrrrs  zClientV2._revoker)F)NN)6__name__ __module__ __qualname____doc__rrrNewRegistrationrrr+rr7r2boolr)bytesrRr[rr requestsResponser_rerjrhrirrrrrrrQrrr classmethodrr%r0r!rrrKrPrrChallengeResponserrrrrrrrr$s      #     %              rc@sleZdZdZdZdZdZdZ dej dde fd ej d e e jd ejd ed ededdfddZd/ddZdejdededefddZe d0dejde edejfddZdededededejf d d!Zdededejfd"d#Zefdedededejfd$d%Zdejddfd&d'Zded(edefd)d*Z dededejfd+d,Z!efdedejdededejf d-d.Z"dS)1rzvWrapper around requests that signs POSTs for authentication. Also adds user agent, and handles Content-Type. zapplication/jsonzapplication/jose+jsonzapplication/problem+jsonz Replay-NonceNTz acme-pythonkeyr&alg verify_ssl user_agenttimeoutrcCs\||_||_||_||_t|_||_t|_ ||_ t }|j d||j d|dS)Nzhttp://zhttps://) rr&rrset_noncesrrSessionsession_default_timeoutr mount)rrr&rrrradapterrrrrs zClientNetwork.__init__cCs&z|jWdStyYdSwr)rclose Exceptionr}rrr__del__s  zClientNetwork.__del__objnoncerZcCs~|r |jddnd}td||j||d}|jdur%|jd|d<|j|d <tjj |fit t t t f|jddS) zWrap `JSONDeSerializable` object in JWS. .. todo:: Implement ``acmePath``. :param josepy.JSONDeSerializable obj: :param str url: The URL to which this object will be POSTed :param str nonce: :rtype: str )indentzJWS payload: %s)rrrZNr6kidr) json_dumpsencodeloggerdebugrr&rrJWSsignrrrr)rrrrZjobjrrrr _wrap_in_jwss   *zClientNetwork._wrap_in_jwsr' content_typec Cs |jd}|r|dd}z|}Wn ty"d}Ynw|jdkr2t|jdd|j sd|dur_||j krDt d|zt j|tjy^}zt||fd}~wwt||durs||jkrst d |||jkr|durtd ||S) aCheck response content and its type. .. note:: Checking is not strict: wrong server response ``Content-Type`` HTTP header is ignored if response is an expected JSON object (c.f. Boulder #56). :param str content_type: Expected Content-Type response header. If JSON is expected and not present in server response, this function will raise an error. Otherwise, wrong Content-Type is ignored, but logged. :raises .messages.Error: If server response body carries HTTP Problem (https://datatracker.ietf.org/doc/html/rfc7807). :raises .ClientError: In case of other networking errors. Content-Type;rNir zUNKNOWN-LOCATIONz/Ignoring wrong Content-Type (%r) for JSON Errorzsz.ClientNetwork._send_request..)rrrrrrrrequestr exceptionsRequestExceptionrematchrgroupsrbase64 b64encodecontentencodingr{r"joinr#items)rrrZrrr'e err_regexmhostpath_err_noerr_msg debug_contentrrr _send_requestQsB     zClientNetwork._send_requestcOs|jdg|Ri|S)aSend HEAD request without checking the response. Note, that `_check_response` is not called, as it is expected that status code other than successfully 2xx will be returned, or messages2.Error will be raised by the server. HEAD)rrrrrheadszClientNetwork.headcKs|j|jd|fi||dS)z$Send GET request and check response.GETr)rr)rrZrrrrrrSszClientNetwork.getc Cs||j|jvr9|j|j}z tjjd|}Wntjy*}zt ||d}~wwt d||j |dSt|)NrzStoring nonce: %s)REPLAY_NONCE_HEADERr#rHeader_fieldsdecoderrrBadNoncerrradd MissingNonce)rr'r decoded_noncersrrr _add_nonces     zClientNetwork._add_noncercCsL|js!td|dur||}n |j||dd}|||jS)NzRequesting fresh noncer )rrrrrr)pop)rrZrr'rrr _get_nonces    zClientNetwork._get_noncec Osbz |j|i|WStjy0}z|jdkr+td||j|i|WYd}~Sd}~ww)zPOST object wrapped in `.JWS` and check response. If the server responded with a badNonce error, the request will be retried once. badNoncez Retrying request after error: %sN) _post_oncerrcoderr)rrrrsrrrrs  zClientNetwork.postcKsf|dd}||||||}|dd|i|jd|fd|i|}|j||d}|||S)Nrr#rrrr )r*rr+rrrr))rrZrrrrrr'rrrr-s  zClientNetwork._post_once)rNr)#rrrrrJOSE_CONTENT_TYPErr!rRS256DEFAULT_NETWORK_TIMEOUTJWKrrr JWASignaturerrrrrJSONDeSerializablerrrrrrrrrSr)r+rr-rrrrrs`    :G    r))rrre email.utilsr http.clientclientrloggingr rntypingrrrrrrr r r josepyrrDrrequests.adaptersr requests.utilsr acmerrrrr getLoggerrrr1rrrrrrsD                   /