o c@s,dZddlmZddlZddlZddlZddlZddlZddlZddl m Z ddl m Z ddl m Z ddl m Z ddl mZdd l mZdd l mZdd l mZdd l mZdd l mZddl mZddl mZddl mZddlmZddlmZddlmZddlmZddlmZddlmZddl mZ!ddl"m#Z#ddl$m%Z%ddl&m'Z'ddl(m)Z)ddl*m+Z+ddl*m,Z,ddl*m-Z-ddl*m.Z.ddl*m/Z/dd l*m0Z0dd!l*m1Z1dd"l*m2Z2dd#l3m4Z4zddl5Z5d$Z6Wn e7yd%Z6Ynwe8e9Z:Gd&d'd'Z;Gd(d)d)e%j<Z=e'>e=dS)*zApache Configurator.) defaultdictN)Any)Callable)cast) DefaultDict)Dict)Iterable)List)Optional)Sequence)Set)Tuple)Type)Union) challenges) achallenges)errors)util) filesystem)os) RenewableCert)common)AutoHSTSEnhancement) path_surgery) apache_util) assertions) constants) display_ops) dualparser)http_01)obj)parser)ApacheBlockNodeTFc#@seZdZdZ              dd ed ed ed ededeeedeeedeeedeeedeedeedededededeeddf"ddZdS) OsOptionsz Dedicated class to describe the OS specificities (eg. paths, binary names) that the Apache configurator needs to be aware to operate properly. /etc/apache2/etc/apache2/sites-available*/var/log/apache2 apache2ctlN -le-ssl.confF server_root vhost_root vhost_files logs_rootctl version_cmd restart_cmdrestart_cmd_alt conftest_cmdenmoddismod le_vhost_exthandle_modules handle_siteschallenge_location apache_binreturncCs||_||_||_||_||_|sddgn||_|sddgn||_||_| s*ddgn| |_|ddg}|dg|_ |dg|_ |d g|_ | |_ | |_ | |_| |_||_||_||_dS) Nr(z-vgraceful configtestz-tz-D DUMP_RUN_CFG DUMP_INCLUDES DUMP_MODULES)r*r+r,r-r.r/r0r1r2get_defines_cmdget_includes_cmdget_modules_cmdr3r4r5r6r7r8bin)selfr*r+r,r-r.r/r0r1r2r3r4r5r6r7r8r9syntax_tests_cmd_baserFR/opt/certbot/lib/python3.10/site-packages/certbot_apache/_internal/configurator.py__init__<s(     zOsOptions.__init__)r$r%r&r'r(NNNNNNr)FFr$N) __name__ __module__ __qualname____doc__strr r boolrHrFrFrFrGr#7sj        r#c s2 eZdZUdZdZeed<ej ddkred7Ze Z e ed<dd e d efd d Z dddZdddZededd d fddZdeded d ffdd Zed efddZed efddZded eefdd Zdd e d eefd!d"Zdd#d$Zd d&eed'e d d fd(d)Zdfd*d+ Zdd,d-Zd!d/e d d ffd0d1 Z!d2ed d fd3d4Z"d e#j$fd5d6Z%d7e&eefd e'j(fd8d9Z) d"d:ed;edeed d f d?d@Z*dd:edAe d e+e,j-fdBdCZ.d:ed e+e,j-fdDdEZ/dFed e0j1fdGdHZ2dIed:ed ee fdJdKZ3dd:edLe d e+e,j-fdMdNZ4 d"dOe,j-d;edeed d f dPdQZ5ddFedAe d e,j-fdRdSZ6 %d#dFedTe d e,j-fdUdVZ7dWe8edFed e fdXdYZ9 Zd$d[ed\e d]ed ee,j-fd^d_Z: d%dFed`ee+e,j-d\e d ee,j-fdadbZ;d`e+e,j-d e+e,j-fdcddZdge,j?d efdhdiZ@djeed eAeee+eeffdkdlZBdme,j-d d fdndoZCdjed ee,j-fdpdqZDd e+e,j-fdrdsZEd e+e,j-fdtduZFd e+e,j-fdvdwZGdxeHd e,j-fdydzZIdOe,j-d d fd{d|ZJd#d]edTe d d fd}d~ZKd#d]ede d d fddZLde=ede+ed]ed d fddZMde=ede+ed]ed d fddZNde+ed]ed ee fddZOdTe d d fddZPde,j-d e,j-fddZQde+ede+ed eefddZRded efddZSded e fddZTdOe,j-ded d fddZUde8ed eAe+ee ffddZVdOe,j-d e+efddZWde+ed d fddZXded e=e,j?fddZYdOe,j-d d fddZZdeede+ed d fddZ[deede+ed d fddZ\ded d fddZ]dFedOe,j-d d fddZ^dedFed e fddZ_ded e,j-fddZ`dOe,j-d eefddZadOe,j-d eefddZbded efddZcd e+efddZd d&d:ededeeee+eefd d fddÄZfdOe,j-dede d d fddƄZgdOe,j-dehd d fddɄZiddd˄Zjddd̈́ZkdOe,j-deld e fddЄZmde,j-ded d fddԄZnde,j-ded d fddׄZode,j-ded d fddلZpde,j-ded d fddۄZqdOe,j-d d fdd݄ZrdOe,j-d d fdd߄ZsdOe,j-d e fddZtdOe,j-d eeeee ffddZude,j-d d fddZvde,j-d efddZwde,j-ded efddZxde,j-d ee,j-fddZyd$dOe,j-d]ed e8e,j?fddZzdOe,j-d d fddZ{d#dedTe d d fddZ|dddZ}dddZ~dddZd eAe dffddZd efddZde8ejd efddZded eeejfddZde+ejd e+ejfddZde+eejd e+ejd ejd d fd d Zde+ejd d fd dZ ddeded e d d fddZdelde+ed d fddZde,j-d d fddZded d fddZdeld d fddZZS('ApacheConfiguratoraApache configurator. :ivar config: Configuration. :type config: certbot.configuration.NamespaceConfig :ivar parser: Handles low level parsing :type parser: :class:`~certbot_apache._internal.parser` :ivar tup version: version of Apache :ivar list vhosts: All vhosts found in the configuration (:class:`list` of :class:`~certbot_apache._internal.obj.VirtualHost`) :ivar dict assoc: Mapping between domains and vhosts zApache Web Server plugin description CERTBOT_DOCS1z (Please note that the default values of the Apache plugin options change depending on the operating system Certbot is run on.) OS_DEFAULTSTwarn_on_no_mod_sslr:cCsDtd}||}|jdks|rt||krtdStdS)a Pick the appropriate TLS Apache configuration file for current version of Apache and OS. :param bool warn_on_no_mod_ssl: True if we should warn if mod_ssl is not found. :return: the path to the TLS Apache configuration file to use :rtype: str z1.0.2l) oldcurrent)rparse_loose_versionopenssl_versionversionrfind_ssl_apache_conf)rDrTmin_openssl_versionr[rFrFrGpick_apache_configs    z%ApacheConfigurator.pick_apache_configNcCsd|jj|jjd<|jj|jjd<|jj|jjd<|jj|jjd<|jj|jjd<|jj|jjd<dS)zd Set our various command binaries to whatever the user has overridden for apachectl rN)optionsr.r/r0r2rBrAr@rDrFrFrG_override_cmdss z!ApacheConfigurator._override_cmdsc Cshgd}|D]'}||dddur"t|j|||ddqt|j|t|j|q|dS)zw Set the values possibly changed by command line parameters to OS_DEFAULTS constant dictionary ) r3r4r5r*r+r-r8r6r7r.rC_-N)confreplacesetattrr`getattrrSrb)rDoptsorFrFrG_prepare_optionss  z#ApacheConfigurator._prepare_optionsadd).NcCstjddkr tj}n|j}|d|jdd|d|jdd|d|jd d|d |jd d|d dd d|d|j dd|d|j dd|d|j dd|d|j dd|d|j dd|d|jdddS)NrQrRr3z#Path to the Apache 'a2enmod' binary)defaulthelpr4z$Path to the Apache 'a2dismod' binaryz le-vhost-extz!SSL vhost configuration extensionz server-rootzApache server root directory vhost-rootz,Apache server VirtualHost configuration rootz logs-rootzApache server logs directoryzchallenge-locationz*Directory path for challenge configurationzhandle-moduleszULet installer handle enabling required modules for you (Only Ubuntu/Debian currently)z handle-siteszJLet installer handle enabling sites for you (Only Ubuntu/Debian currently)r.z"Full path to Apache control scriptrCz!Full path to apache2/httpd binary)renvirongetrOrSr3r4r5r*r-r8r6r7r.rC)clsrlDEFAULTSrFrFrGadd_parser_argumentssJ z'ApacheConfigurator.add_parser_argumentsargskwargscs|dd}|dd}|dd}tj|i|i|_t|_i|_tt|_i|_ d|_ ||_ g|_ d|_ |d|_||_||_|t|j|_|j|j|jd|_dS)zInitialize an Apache Configurator. :param tup version: version of Apache as a tuple (2, 4, 7) (used mostly for unittesting) r\Nuse_parsernodeFr[redirectzensure-http-headerz staple-ocsp)popsuperrHassocset _chall_out_wildcard_vhostsr_enhanced_vhosts _autohsts save_notesUSE_PARSERNODE parsed_paths _prepared parser_rootr\_openssl_versioncopydeepcopyrSr`_enable_redirect_set_http_header_enable_ocsp_stapling _enhance_func)rDrurvr\rwr[ __class__rFrGrHs.     zApacheConfigurator.__init__cCtj|jjtjS)z-Full absolute path to SSL configuration file.)rpathjoinconfig config_dirrMOD_SSL_CONF_DESTrarFrFrG mod_ssl_confzApacheConfigurator.mod_ssl_confcCr)z?Full absolute path to digest of updated SSL configuration file.)rrrrrrUPDATED_MOD_SSL_CONF_DIGESTrarFrFrGupdated_mod_ssl_conf_digest rz.ApacheConfigurator.updated_mod_ssl_conf_digestssl_module_locationc Csxzt|dd}|}WdW|S1swYW|Sty;}ztjt|ddWYd}~dSd}~ww)z>Extract the open lines of openssl_version for testing purposesrb)modeNTexc_info)openreadIOErrorloggerdebugrM)rDrfcontentserrorrFrFrG_open_module_file%s  z$ApacheConfigurator._open_module_filecCs|jr|jSz|jjd}Wnty|rtdYdSw|r)|j|}n|jjr2|jj}ntddS| |}|sGtddSt d|}|sVtddS|d d |_|jS) aoLazily retrieve openssl version :param bool warn_on_no_mod_ssl: `True` if we should warn if mod_ssl is not found. Set to `False` when we know we'll try to enable mod_ssl later. This is currently debian/ubuntu, when called from `prepare`. :return: the OpenSSL version as a string, or None. :rtype: str or None ssl_modulez9Could not find ssl_module; not disabling session tickets.Nz[ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.z>Unable to read ssl_module file; not disabling session tickets.sOpenSSL ([0-9]\.[^ ]+) z>Could not find OpenSSL version; not disabling session tickets.rzUTF-8) rr!modulesKeyErrorrwarningstandard_path_from_server_rootr`rCrrefindalldecode)rDrTrrmatchesrFrFrGr[/s2         z"ApacheConfigurator.openssl_versionc Cs<|||jj||jdur(||_tdd dd|jD|jdkr8t d t |j|||_|j|jdd}|jr[||}||_||_|jd ||_|jj }||j|j|z t|jjWnt t j!fytjd d d t "d |jjwd |_#dS)aWPrepare the authenticator/installer. :raises .errors.NoInstallationError: If Apache configs cannot be found :raises .errors.MisconfigurationError: If Apache is misconfigured :raises .errors.NotSupportedError: If Apache version is not supported :raises .errors.PluginError: If there is any other error NzApache version is %s.cs|]}t|VqdSNrM.0irFrFrG oz-ApacheConfigurator.prepare..)rUrVz!Apache Version {0} not supported.) augeasparser augeaspathac_astz httpd.augzEncountered error:Trz|Unable to create a lock file in {0}. Are you running Certbot with sufficient privileges to modify your Apache configuration?)$rk_verify_exe_availabilityr`r. config_testr\ get_versionrrrrNotSupportedErrorformatrMrecovery_routine get_parserr!get_root_augpathrget_parsernode_rootrrcheck_parsing_errorsget_virtual_hostsvhostsr6install_ssl_options_confrrrlock_dir_until_exitr*OSError LockError PluginErrorr)rDpn_metarrTrFrFrGprepareZsN            zApacheConfigurator.prepareFtitle temporarycCsJ|j}|r|j||j|d|j||r!|s#||dSdSdS)afSaves all changes to the configuration files. This function first checks for save errors, if none are found, all configuration changes made will be saved. According to the function parameters. If an exception is raised, a new checkpoint was not created. :param str title: The title of the save. If a title is given, the configuration will be saved as a new checkpoint and put in a timestamped directory. :param bool temporary: Indicates whether the changes made will be quickly reversed in the future (ie. challenges) )rN)r! unsaved_filesadd_to_checkpointrsavefinalize_checkpoint)rDrr save_filesrFrFrGrs  zApacheConfigurator.savecs(tt|dr|jjdSdS)zRevert all previously modified files. Reverts all modified files that have not been saved as a checkpoint :raises .errors.PluginError: If unable to recover the configuration r!N)r|rhasattrr!augloadrarrFrGrs  z#ApacheConfigurator.recovery_routinecCs||jjdS)zUsed to cleanup challenge configurations. :raises .errors.PluginError: If unable to revert the challenge config. N)revert_temporary_configr!rrrarFrFrGrevert_challenge_configsz*ApacheConfigurator.revert_challenge_configrollbackcst||jjdS)zRollback saved checkpoints. :param int rollback: Number of checkpoints to revert :raises .errors.PluginError: If there is a problem with the input or the function is unable to correctly revert the configuration N)r|rollback_checkpointsr!rr)rDrrrFrGrs z'ApacheConfigurator.rollback_checkpointsexecCs*t|st|std|dSdS)z(Checks availability of Apache executablez!Cannot find Apache executable {0}N)r exe_existsrrNoInstallationErrorr)rDrrFrFrGrs z+ApacheConfigurator._verify_exe_availabilitycCstj|jj||d|jdS)zInitializes the ApacheParserro)r\)r! ApacheParserr`r*rer\rarFrFrGrszApacheConfigurator.get_parsermetadatac CstrXt|jjt|jjt|jjd}||d<t |j j d-}t j d ddit jj}|||d<Wdn1sDwYWdn1sSwYtjtjd|j j d|dS) z0Initializes the ParserNode parser root instance.)definesincludesr apache_varsrootwritableTrN)nameancestorfilepathrrF)HAS_APACHECONFIGr parse_definesr`r@parse_includesrA parse_modulesrBrr!loc apacheconfig make_loaderflavors NATIVE_APACHEloadsrr DualBlockNoderPASS)rDrrrloaderrFrFrGrs*     z&ApacheConfigurator.get_parsernode_rootdomain cert_pathkey_path chain_pathfullchain_pathcCs>||}|D]}||||||td||jqdS)aDeploys certificate to specified virtual host. Currently tries to find the last directives to deploy the certificate in the VHost associated with the given domain. If it can't find the directives, it searches the "included" confs. The function verifies that it has located the three directives and finally modifies them to point to the correct destination. After the certificate is installed, the VirtualHost is enabled if it isn't already. .. todo:: Might be nice to remove chain directive if none exists This shouldn't happen within certbot though :raises errors.PluginError: When unable to deploy certificate due to a lack of directives z.Successfully deployed certificate for {} to {}N) choose_vhosts _deploy_cert display_utilnotifyrfilep)rDrrrrrrvhostrFrFrG deploy_certs  zApacheConfigurator.deploy_certcreate_if_no_sslcCs8t|r||jvr|j|S|||S|||gS)a Finds VirtualHosts that can be used with the provided domain :param str domain: Domain name to match VirtualHosts to :param bool create_if_no_ssl: If found VirtualHost doesn't have a HTTPS counterpart, should one get created :returns: List of VirtualHosts or None :rtype: `list` of :class:`~certbot_apache._internal.obj.VirtualHost` )ris_wildcard_domainr_choose_vhosts_wildcard choose_vhost)rDrrrFrFrGrs   z ApacheConfigurator.choose_vhostscCs>t}|jD]}|D] }|||r||q qt|S)z~ Get VHost objects for every VirtualHost that the user wants to handle with the wildcard certificate. )r~r get_names_in_wildcard_scoperllist)rDrmatchedrrrFrFrG_vhosts_for_wildcard,s    z'ApacheConfigurator._vhosts_for_wildcard target_namecCstd|S)a Prepare an error to notify the user that Certbot could not find a vhost to secure. :param str target_name: The server name that could not be mapped :return: An instance of PluginError :rtype: errors.PluginError zCertbot could not find a VirtualHost for {0} in the Apache configuration. Please create a VirtualHost with a ServerName matching {0} and try again.)rrr)rDrrFrFrG!_generate_no_suitable_vhost_error;sz4ApacheConfigurator._generate_no_suitable_vhost_errorrcCs,t|dt|dkrt||SdS)a Helper method for _vhosts_for_wildcard() that makes sure that the domain is in the scope of wildcard domain. eg. in scope: domain = *.wild.card, name = 1.wild.card not in scope: domain = *.wild.card, name = 1.2.wild.card rN)lensplitfnmatch)rDrrrFrFrGr Is z%ApacheConfigurator._in_wildcard_scope create_sslc Cs||}i}|D]}|D]}|jr|||<q||vr#|r#|||<qq t|}tt|}|s9||g} |D]}|jsK| | |q=| |q=| |j |<| S)zCPrompts user to choose vhosts to install a wildcard certificate for) rr sslr~valuesrselect_vhost_multipler rappendmake_vhost_sslr) rDrrrfiltered_vhostsrr dialog_input dialog_output return_vhostsrFrFrGrUs*        z*ApacheConfigurator._choose_vhosts_wildcardrcCs|dd|jjvrtd||j|||jdd|j|jdd|jd}|dur=|jdd|j|d <t d |j |j d ksM|rz|sz|}|jj |d d ||jj |dd ||duru|j|jd|n&td|std|}|jj |d d ||jj |dd ||js|||jd|j ddd|jD||f7_|dur|jd|7_dSdS)a Helper function for deploy_cert() that handles the actual deployment this exists because we might want to do multiple deployments per domain originally passed for deploy_cert(). This is especially true with wildcard certificates 443rz6Could not find ssl_module; not installing certificate.SSLCertificateFileNSSLCertificateKeyFile)rcert_keySSLCertificateChainFilerz'Deploying Certificate to VirtualHost %s)rUrVrr!z3--chain-path is required for your version of ApachezKPlease provide the --fullchain-path option pointing to your full chain filezZChanged vhost at %s with addresses of %s SSLCertificateFile %s SSLCertificateKeyFile %s z, csrrrraddrrFrFrGrrz2ApacheConfigurator._deploy_cert..z SSLCertificateChainFile %s )prepare_server_httpsr!rrMisconfigurationError_add_dummy_ssl_directivesr _clean_vhostfind_dirrinforr\rr~add_dirrenabled enable_siterraddrs)rDrrrrrr set_cert_pathrFrFrGr}sL        zApacheConfigurator._deploy_certcCsh||jvr |j|S||}|dur,|s|S|js||}|||||j|<|S|j|| dS)aChooses a virtual host based on the given domain name. If there is no clear virtual host to be selected, the user is prompted with all available choices. The returned vhost is guaranteed to have TLS enabled unless create_if_no_ssl is set to False, in which case there is no such guarantee and the result is not cached. :param str target_name: domain name :param bool create_if_no_ssl: If found VirtualHost doesn't have a HTTPS counterpart, should one get created :returns: vhost associated with name :rtype: :class:`~certbot_apache._internal.obj.VirtualHost` :raises .errors.PluginError: If no vhost is available or chosen Ntemp)r}_find_best_vhostrr_add_servername_alias_choose_vhost_from_list)rDrrrrFrFrGr s      zApacheConfigurator.choose_vhostr3cst||j}|dur|||r|S|js9||dtfdd|jDs/||}n t dt d| ||||j |<|S)Nrc3s |] }|jo |VqdSr)r. conflicts)r one_vhostr0rFrGrsz=ApacheConfigurator._choose_vhost_from_list..zThe selected vhost would conflict with other HTTPS VirtualHosts within Apache. Please select another vhost or add ServerNames to your configuration.z$VirtualHost not able to be selected.)r select_vhostrrr_get_proposed_addrsanyrrrrrr5r})rDrr3rrFr9rGr6s$       z*ApacheConfigurator._choose_vhost_from_listnamescCs8|}|D]}|}d|vrt||rdSqdS)aChecks if target domain is covered by one or more of the provided names. The target name is matched by wildcard as well as exact match. :param names: server aliases :type names: `collections.Iterable` of `str` :param str target_name: name to compare with wildcards :returns: True if target_name is covered by a wildcard, otherwise, False :rtype: bool [TF)lowerr)rDr=rrrFrFrGdomain_in_namessz"ApacheConfigurator.domain_in_names80targetfilter_defaultsportcsFg}|jD]}tfdd|jDr|js||q||||S)aReturns non-HTTPS vhost objects found from the Apache config :param str target: Domain name of the desired VirtualHost :param bool filter_defaults: whether _default_ vhosts should be included if it is the best match :param str port: port number the vhost should be listening on :returns: VirtualHost object that's the best match for target name :rtype: `obj.VirtualHost` or None c3s$|] }|p |kVqdSr) is_wildcardget_port)rarDrFrGr)s"z:ApacheConfigurator.find_best_http_vhost..)rr<r0rrr4)rDrBrCrDrrrFrHrGfind_best_http_vhosts   z'ApacheConfigurator.find_best_http_vhostrc sd}d}|dur |j}|D];}|jdurq |}|vr d}n||r)d}ntfdd|jDr8d}nq |jr@|d7}||krH|}|}q |dure|rT||}d d |D} t| dkre| d}|S) aFinds the best vhost for a target_name. This does not upgrade a vhost to HTTPS... it only finds the most appropriate vhost for the given target_name. :param str target_name: domain handled by the desired vhost :param vhosts: vhosts to consider :type vhosts: `collections.Iterable` of :class:`~certbot_apache._internal.obj.VirtualHost` :param bool filter_defaults: whether a vhost with a _default_ addr is acceptable :returns: VHost or None NrTrUc3s|] }|kVqdSrget_addrr%rrFrGrSsz6ApacheConfigurator._find_best_vhost..rcSsg|] }|jdur|qSFmodmacrorvhrFrFrG fs z7ApacheConfigurator._find_best_vhost..) rrPr r@r<r0r_non_default_vhostsr) rDrrrCbest_candidate best_pointsrr=pointsreasonable_vhostsrFrMrGr4-s<    z#ApacheConfigurator._find_best_vhostcCsdd|DS)z%Return all non _default_ only vhosts.cSs$g|]}tdd|jDs|qS)css|] }|dkVqdS) _default_NrKr%rFrFrGros  zDApacheConfigurator._non_default_vhosts...)allr0rQrFrFrGrSosz:ApacheConfigurator._non_default_vhosts..rF)rDrrFrFrGrTmsz&ApacheConfigurator._non_default_vhostscCst}g}|jD]4}|||jr||j|jD]}tj | r/| | q| |}|r;| |qq|rLtjdd|ddt|S)zReturns all names found in the Apache Configuration. :returns: All ServerNames, ServerAliases, and reverse DNS entries for virtual host addresses :rtype: set zaApache mod_macro seems to be in use in file(s): {0} Unfortunately mod_macro is not yet supportedz T)force_interactive)r~rupdater rPrrr0rhostname_regexmatchrLrlget_name_from_ipr notificationrrrget_filtered_names)rD all_names vhost_macrorr&rrFrFrG get_all_namesss.      z ApacheConfigurator.get_all_namesr&c CsXtj|s*zt|t|dWStjtjtj fy)YdSwdS)zReturns a reverse dns name if available. :param addr: IP Address :type addr: ~.common.Addr :returns: name or empty string if name cannot be determined :rtype: str rrx) rprivate_ips_regexr^rLsocket inet_aton gethostbyaddrrherrortimeout)rDr&rFrFrGr_s z#ApacheConfigurator.get_name_from_iprcCsl|jjdd|dd}|jjdd|dd}g}|D] }|j|}||qd}|r2|j|d}||fS)zHelper method for getting the ServerName and ServerAlias values from vhost in path :param path: Path to read ServerName and ServerAliases from :returns: Tuple including ServerName and `list` of ServerAlias strings ServerNameNFstartexclude ServerAliasr$)r!r+get_argr)rDrservername_matchserveralias_match serveraliasesalias serveralias servernamerFrFrG_get_vhost_namess   z#ApacheConfigurator._get_vhost_nameshostcCsH||j\}}|D]}|js|dur|j|q |js"||_dSdS)zHelper function for get_virtual_hosts(). :param host: In progress vhost whose names will be added :type host: :class:`~certbot_apache._internal.obj.VirtualHost` N)rwrrPaliasesrlr)rDrxrvrsrtrFrFrG_add_servernamess  z#ApacheConfigurator._add_servernamesc Cs"t}z |jj|d}Wntytd|YdSw|D]}|j|}|dur.)rr~r r! parser_pathsrr^case_irrget_internal_aug_pathrrrealpathrrlrremove) rD file_pathsinternal_pathsvhs vhost_pathpathsr new_vhost internal_pathrnew_vhsvrFrFrGrsP              z'ApacheConfigurator.get_virtual_hosts_v1cCsH|jstdg}|jjddd}|D] }||tt|q|S)zReturns list of virtual hosts found in the Apache configuration using ParserNode interface. :returns: List of :class:`~certbot_apache.obj.VirtualHost` objects found in configuration :rtype: list zHThis ApacheConfigurator instance is not configured to use a node parser.rFrn)rrError find_blocksr_create_vhost_v2rr")rDrrvhblockrFrFrGrOs z'ApacheConfigurator.get_virtual_hosts_v2nodec Cst}|jD]}tj|}|r||qd}|jddd}|r3|D]}|jddkr2d}nq#|D] }|dkr?d}q5|j durJt d t |j |j}d} |d r[d} tj|j d |||| |d } || | S) aUsed by get_virtual_hosts_v2 to create vhost objects using ParserNode interfaces. :param ApacheBlockNode node: The BlockNode object of VirtualHost block :returns: newly created vhost :rtype: :class:`~certbot_apache.obj.VirtualHost` Fr|rrr}TrNzNode filepath cannot be None.Macrorx)rPr)r~ parametersr rrrlfind_directivesr?rFrrrrincluded_in_pathsrfind_ancestorsr_populate_vhost_names_v2) rDrr0paramr&r sslengine directiver.rrrFrFrGr`s:        z#ApacheConfigurator._create_vhost_v2cCs||jstd|jjddd}|jjddd}d}|r#|djd}|js<|D]}|jD]}|j|q-q(||_dSdS)zHelper function that populates the VirtualHost names. :param host: In progress vhost whose names will be added :type host: :class:`~certbot_apache.obj.VirtualHost` z Current VirtualHost has no node.rkFrroNr$) rrrrrrPryrlr)rDrrqrrrvrtrurFrFrGrs   z+ApacheConfigurator._populate_vhost_names_v2cCs|||j|dddS)zPrepare the server for HTTPS. Make sure that the ssl_module is loaded and that the server is appropriately listening on port. :param str port: Port to listen on :param bool temp: If this is just temporary T)httpsN)prepare_https_modules ensure_listen)rDrDr3rFrFrGr's z'ApacheConfigurator.prepare_server_httpsrc s$|r |dkr |d}n|}fddjdD}dd|D}||r*dSt|}|s5|||D]F}t|dd krP||vrO||vrO||q7|ddd dd \}} | ddd } d | |f|vr}d | |f|vr}|d | |fq7|r|||dS|||dS) aXMake sure that Apache is listening on the port. Checks if the Listen statement for the port already exists, and adds it to the configuration if necessary. :param str port: Port number to check and add Listen for if not in place already :param bool https: If the port will be used for HTTPS r httpscsg|]}j|qSrF)r!rprxrarFrGrSz4ApacheConfigurator.ensure_listen..ListencSsg|] }|r|dqS)r)r)rrrFrFrGrSsN:rr$z%s:%s) r!r+_has_port_alreadyr~rlrr_add_listens_https_add_listens_http) rDrDr port_service directiveslistens listen_dirslistenrciprFrarGrs2    z ApacheConfigurator.ensure_listenr listens_origcCs||}||vr,|jt|jjdd||jd|d|jjdd7_dS|D]&}|jt|jjdd|d|jd|d|jjdd7_q.dS)a<Helper method for ensure_listen to figure out which new listen statements need adding for listening HTTP on port :param set listens: Set of all needed Listen statements :param list listens_orig: List of existing listen statements :param string port: Port number we're adding rr Added Listen  directive to   N) differencer!r- get_aug_pathrrr)rDrrrD new_listensrrFrFrGrs$      z$ApacheConfigurator._add_listens_httpcCs|dkr |d}n|}||}||vs||vr?|jt|jjdd|d|jd|d|jjdd7_d S|D]&}|jt|jjdd|d|jd|d|jjdd7_qAd S) a=Helper method for ensure_listen to figure out which new listen statements need adding for listening HTTPS on port :param set listens: Set of all needed Listen statements :param list listens_orig: List of existing listen statements :param string port: Port number we're adding rrrrrrrrN)rr!add_dir_to_ifmodsslrrrr)rDrrrDrrrrFrFrGrs*      z%ApacheConfigurator._add_listens_httpscCsN||vrdS|D]}t|ddkr$|dddd|kr$dSqdS)zHelper method for prepare_server_https to find out if user already has an active Listen statement for the port we need :param list listens: List of listen variables :param string port: Port in question Trrr$rrN)rr)rDrrDrrFrFrGrsz$ApacheConfigurator._has_port_alreadycCs||jjr:d|jjvr|jd|dd|jjvr<|jd|d|j|jj|j|j |j |j dddSdSdS) zHelper method for prepare_server_https, taking care of enabling needed modules :param boolean temp: If the change is temporary socache_shmcb_module socache_shmcbr2rrT)rTN) r`r6r!r enable_modensure_augeas_staterr reset_modulesrrr)rDr3rFrFrGr.s      z(ApacheConfigurator.prepare_https_modules nonssl_vhostc Cs&|j}||}|jjd||tdf}||||jj|jjd||tdf}| ||}|sb|j ||jjd||tdf}| ||}|sbt d| |td||jd|7_|||}|st d|}||_|j||S)aMakes an ssl_vhost version of a nonssl_vhost. Duplicates vhost and adds default ssl options New vhost will reside as (nonssl_vhost.path) + ``self.options.le_vhost_ext`` .. note:: This function saves the configuration :param nonssl_vhost: Valid VH that doesn't have SSLEngine on :type nonssl_vhost: :class:`~certbot_apache._internal.obj.VirtualHost` :returns: SSL vhost :rtype: :class:`~certbot_apache._internal.obj.VirtualHost` :raises .errors.PluginError: If more than one virtual host is in the file or if plugin is unable to write/read vhost files. z#/files%s//* [label()=~regexp('%s')]rz;Could not reverse map the HTTPS VirtualHost to the originalzCreated an SSL vhost at %szCreated ssl vhost at %s zCould not create a vhost)r_get_ssl_vhost_pathr!rr^_escaper_copy_create_ssl_vhost_skeletonr_get_new_vh_path parse_filerr_update_ssl_vhosts_addrsrr,rrrrrrr) rDravail_fpssl_fp orig_matches new_matchesvh_pr ssl_vhostrFrFrGrCsP             z!ApacheConfigurator.make_vhost_sslrrcCs4dd|D}|D]}|dd|vr|Sq dS)a Helper method for make_vhost_ssl for matching augeas paths. Returns VirtualHost path from new_matches that's not present in orig_matches. Paths are normalized, because augeas leaves indices out for paths with only single directive with a similar key cSsg|]}|ddqS)[1]rxrfrrFrFrGrSrz7ApacheConfigurator._get_new_vh_path..rrxNr)rDrrr^rFrFrGrs z#ApacheConfigurator._get_new_vh_path non_ssl_vh_fpcCsx|drtj|drtjt|jjtj |}nt|}| dr6|dt d |jj S||jj S)a- Get a file path for SSL vhost, uses user defined path as priority, but if the value is invalid or not defined, will fall back to non-ssl vhost filepath. :param str non_ssl_vh_fp: Filepath of non-SSL vhost :returns: Filepath for SSL vhost :rtype: str roz.confN) rerrexistsrrrr`r+rendswithrr5)rDrfprFrFrGrs     z&ApacheConfigurator._get_ssl_vhost_pathlinecCsX|ds dS|d}|ddvr'|d|dkr'|dd}|dS) a`Decides whether a line should be copied to a SSL vhost. A canonical example of when sifting a line is required: When the http vhost contains a RewriteRule that unconditionally redirects any request to the https version of the same site. e.g: RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent] Copying the above line to the ssl vhost would cause a redirection loop. :param str line: a line extracted from the http vhost. :returns: True - don't copy line from http vhost to SSL vhost. :rtype: bool rewriteruleFrUr)'"r$rzhttps://)r?lstrip startswithrstrip)rDrrBrFrFrG_sift_rewrite_rules   z%ApacheConfigurator._sift_rewrite_rulerc CsNtj|rd|}t}|||j||n|jd|zF||}| |\}}t |d}| d| d || d| dWdn1sUwY|j |sf|j |Wntyztjd d d td w|rtd |jd|d|j jd||d|j jd||jddS)aCopies over existing Vhost with IfModule mod_ssl.c> skeleton. :param obj.VirtualHost vhost: Original VirtualHost object :param str ssl_fp: Full path where the new ssl_vhost will reside. A new file is created on the filesystem. z-Appended new VirtualHost directive to file %sFrGz rz z Nz/Error writing/reading to file in make_vhost_sslTrz&Unable to write/read in make_vhost_sslzSome rewrite rules copied from z; were disabled in the vhost for your HTTPS site located at z= because they have the potential to create redirection loops.z/augeas/files%s/mtime0)rrrr~rlreverterrregister_file_creation_get_vhost_block_sift_rewrite_rulesrwriterr!parsed_in_currentrrrcriticalrrrrrrr) rDrrnotesfiles orig_contentsssl_vh_contentssiftnew_filerFrFrGrs<             z2ApacheConfigurator._copy_create_ssl_vhost_skeletonrc CsJg}d}t|}d}|D]}|d}|d}|s*|s*||q |r7||s7||q |rO||rO|sG||d}|d|q g}|r||t|}|dsw||t|}|dre||||r|s||d}|ddd |Dq |d|q ||fS) z Helper function for _copy_create_ssl_vhost_skeleton to prepare the new HTTPS VirtualHost contents. Currently disabling the rewrites Fz# Some rewrite rules in this file were disabled on your HTTPS site, # because they have the potential to create redirection loops. rewritecondrT# rcss|]}d|VqdS)rNrF)rlrFrFrGr;rz9ApacheConfigurator._sift_rewrite_rules..)iterr?rrrrnextr) rDrresultrcommentrABchunkrFrFrGrsH        z&ApacheConfigurator._sift_rewrite_rulesc Csz |jj|j}Wnty!tjd|j|jddt dw|d}|d}|d}t |d}| || ||d }Wd n1sMwY|||S) a Helper method to get VirtualHost contents from the original file. This is done with help of augeas span, which returns the span start and end positions :returns: `list` of VirtualHost block content lines without closing tag z3Error while reading the VirtualHost %s from file %sTrz$Unable to read VirtualHost from filerrrN)r!rspanr ValueErrorrrrrrrrseekrr_remove_closing_vhost_tag)rDrspan_val span_filep span_startspan_endfh vh_contentsrFrFrGr@s"      z#ApacheConfigurator._get_vhost_blockrcCsZtt|D]$\}}|r*|d}|dkr't||d}|d|||<dSqdS)aRemoves the closing VirtualHost tag if it exists. This method modifies vh_contents directly to remove the closing tag. If the closing vhost tag is found, everything on the line after it is also removed. Whether or not this tag is included in the result of span depends on the Augeas version. :param list vh_contents: VirtualHost block contents to check zr$rN) enumeratereversedr?findr)rDroffsetr line_index content_indexrFrFrGr Ws z,ApacheConfigurator._remove_closing_vhost_tagvh_pathcCsjt}|jj|d}|D]$}tjt|j|}|r2| d}|jj|t|| |q|S)Nr{r) r~r!rr^r rrrMrp get_addr_objrl)rDr ssl_addrs ssl_addr_pr&old_addrssl_addrrFrFrGrjs  z+ApacheConfigurator._update_ssl_vhosts_addrscCs&||jddg||jdgdS)Nrr r")_deduplicate_directivesr_remove_directivesrDrrFrFrGr*xs zApacheConfigurator._clean_vhostrc Csp|D]3}t|j|d|ddkr5|j|d|d}|jjtdd|dt|j|d|ddksqdS)NFr/\w*$rxr)rr!r+rrrsubrDrrrdirective_pathrFrFrGrs"   z*ApacheConfigurator._deduplicate_directivesc Cs`|D]+}|j|d|dr-|j|d|d}|jjtdd|d|j|d|ds qdS)NFr"rxr)r!r+rrrr#r$rFrFrGr s z%ApacheConfigurator._remove_directivescCsP|j|dd|j|dd|jd|j|}|s&|j|d|jdSdS)Nrinsert_cert_file_pathr insert_key_file_pathInclude)r!r-r+r)rDr existing_incrFrFrGr)s  z,ApacheConfigurator._add_dummy_ssl_directivescCs||j}||\}}||ks||vrdS|||rdS|jjdd|dds/|j|d|n|j|d|||dS)NrkFrlro)rrw_has_matching_wildcardr!r+r-rz)rDrrrsnamesaliasesrFrFrGr5s  z(ApacheConfigurator._add_servername_aliascs0jjd|dd}fdd|D}||S)aLIs target_name already included in a wildcard in the vhost? :param str vh_path: Augeas path to the vhost :param str target_name: name to compare with wildcards :returns: True if there is a wildcard covering target_name in the vhost in vhost_path, otherwise, False :rtype: bool roFrlc3s|] }jj|VqdSrr!rrq)rr^rarFrGrsz.)r!r+r@)rDrrrryrFrarGr*s   z)ApacheConfigurator._has_matching_wildcardid_strcCs@|jD] }|||kr|Sqd|}t|t|)a8 Searches through VirtualHosts and tries to match the id in a comment :param str id_str: Id string for matching :returns: The matched VirtualHost :rtype: :class:`~certbot_apache._internal.obj.VirtualHost` :raises .errors.PluginError: If no VirtualHost is found z$No VirtualHost with ID {} was found.)r_find_vhost_idrrrrr)rDr.rRmsgrFrFrGfind_vhost_by_ids    z#ApacheConfigurator.find_vhost_by_idcCsJtjd}|j||j}|r#|j|d}|r!|ddSdSdS)aMTries to find the unique ID from the VirtualHost comments. This is used for keeping track of VirtualHost directive over time. :param vhost: Virtual host to add the id :type vhost: :class:`~certbot_apache._internal.obj.VirtualHost` :returns: The unique ID or None :rtype: str or None rxrrr$N)rMANAGED_COMMENT_IDrr! find_commentsrrpr)rDrsearch_comment id_commentrrFrFrGr/s z!ApacheConfigurator._find_vhost_idcCs:||}|r |St}tj|}|j|j||S)aAdds an unique ID to the VirtualHost as a comment for mapping back to it on later invocations, as the config file order might have changed. If ID already exists, returns that instead. :param vhost: Virtual host to add or find the id :type vhost: :class:`~certbot_apache._internal.obj.VirtualHost` :returns: The unique ID for vhost :rtype: str or None ) r/r unique_idrr2rr! add_commentr)rDrvh_id id_stringrrFrFrG add_vhost_ids  zApacheConfigurator.add_vhost_idrcCsd|dd}|dd}|dd}|dd}|d d }|d d }|d d}|dd}|S)N,z\,r>z\[]z\]|z\|=z\=(z\()z\)!z\!r)rDrrFrFrGrs        zApacheConfigurator._escapecCsgdS)z)Returns currently supported enhancements.ryrFrarFrFrGsupported_enhancementsz)ApacheConfigurator.supported_enhancements enhancementr`c Csz|j|}Wntytd|w|j|dd}dd|D}|sEd}|}|r5|dt|7}|||} t| t| z |D]} || |qHWd Stjybtd||w) aEnhance configuration. :param str domain: domain to enhance :param str enhancement: enhancement type defined in :const:`~certbot.plugins.enhancements.ENHANCEMENTS` :param options: options for the enhancement See :const:`~certbot.plugins.enhancements.ENHANCEMENTS` documentation for appropriate parameter. :raises .errors.PluginError: If Enhancement is not supported, or if there is any other problem with the enhancement. zUnsupported enhancement: {0}FrcSg|]}|jr|qSrFrrrrFrFrGrSz.ApacheConfigurator.enhance..zCertbot was not able to find SSL VirtualHost for a domain {0} for enabling enhancement "{1}". The requested enhancement was not configured.z: zFailed %s for %sN) rrrrrrrMrr) rDrrDr`funcmatched_vhostsrmsg_tmplmsg_enhancementr0rrFrFrGenhances2     zApacheConfigurator.enhancenextstepcCs.tj|}||||td|j|<dS)a*Increase the AutoHSTS max-age value :param vhost: Virtual host object to modify :type vhost: :class:`~certbot_apache._internal.obj.VirtualHost` :param str id_str: The unique ID string of VirtualHost :param int nextstep: Next AutoHSTS max-age value index laststep timestampN)rAUTOHSTS_STEPS_autohsts_writetimer)rDrr.rOnextstep_valuerFrFrG_autohsts_increase0s z%ApacheConfigurator._autohsts_increaserVc Csd}|jdd|j}|r#d}|D]}t||jj|r"|}q|s0d|j }t |d|}| dd}|jj ||d||j } t| |j| 7_|| dS) zJ Write the new HSTS max-age value to the VirtualHost file NHeaderz/(?:[ "]|^)(strict-transport-security)(?:[ "]|$)zUCertbot was unable to find the existing HSTS header from the VirtualHost at path {0}. "max-age={0}"zarg[3]zarg[4]zHTTPS rewrite in addition to other RewriteRules; you may wish to check for overall consistency. RewriteEnginer}z%{SERVER_NAME}z={0}z[OR]r RewriteCondz*Redirecting host in %s to ssl vhost in %s z*Redirecting vhost in %s to ssl vhost in %s)r!rr_get_http_vhostrrr;rr.r7rr_create_redirect_vhostr_verify_no_certbot_redirect_is_rewrite_existsr_is_rewrite_engine_onr-rr rrrr{#_set_https_redirection_rewrite_rulerrrrlr,) rDrri general_vhredirect_addrsrr=idxrrurFrFrGrsH             z#ApacheConfigurator._enable_redirectcCs|j|jdtjdS)N RewriteRule)r!r-rrREWRITE_HTTPS_ARGSr!rFrFrGrAsz6ApacheConfigurator._set_https_redirection_rewrite_rulec sjjdd|jd}tt}d}|D]}t||}|r(|d}|||q|ra| D]3\}}fdd|D} | t j vrVjj ||td| t jkr`tdq/dSdS) a`Checks to see if a redirect was already installed by certbot. Checks to see if virtualhost already contains a rewrite rule that is identical to Certbot's redirection rewrite rule. For graceful transition to new rewrite rules for HTTPS redireciton we delete certbot's old rewrite rules and set the new one instead. :param vhost: vhost to check :type vhost: :class:`~certbot_apache._internal.obj.VirtualHost` :raises errors.PluginEnhancementAlreadyPresent: When the exact certbot redirection WriteRule exists in virtual host. rNrkz(.*directive\[\d+\]).*rcsg|] }jj|qSrFr-rrarFrGrScszBApacheConfigurator._verify_no_certbot_redirect..z'Certbot has already enabled redirection)r!r+rrr rr^groupritemsrOLD_REWRITE_HTTPS_ARGSrrrrrrur) rDr rewrite_pathrewrite_args_dictr]r^mdir_path args_pathsarg_valsrFrarGr|Ds8     z.ApacheConfigurator._verify_no_certbot_redirectcCs|jjdd|jd}t|S)zChecks if there exists a RewriteRule directive in vhost :param vhost: vhost to check :type vhost: :class:`~certbot_apache._internal.obj.VirtualHost` :returns: True if a RewriteRule directive exists. :rtype: bool rNrk)r!r+rrN)rDrrrFrFrGr}qs z%ApacheConfigurator._is_rewrite_existscCsB|jjdd|jd}|r|D]}d|vr|j|SqdS)zChecks if a RewriteEngine directive is on :param vhost: vhost to check :type vhost: :class:`~certbot_apache._internal.obj.VirtualHost` rxr}rkrF)r!r+rr?rp)rDrrewrite_engine_path_listre_pathrFrFrGr~s z(ApacheConfigurator._is_rewrite_engine_oncCs||}|||}|jj|t||}|dur%t d|j ||j d ||jd|j|jf7_dS)zCreates an http_vhost specifically to redirect for the ssl_vhost. :param ssl_vhost: ssl vhost :type ssl_vhost: :class:`~certbot_apache._internal.obj.VirtualHost` NzCould not create a new vhostrzz=Created a port 80 vhost, %s, for redirection to ssl vhost %s )_get_redirect_config_str_write_out_redirectr!rrrrrrrrrrrlrr)rDrtextredirect_filepathrrFrFrGr{s       z)ApacheConfigurator._create_redirect_vhostc Csxd}d}|jdurd|j}|jrdd|j}dddd||Dd|d |d dtjd |jjd S) Nrxz ServerName z ServerAlias rz ApacheConfigurator._get_redirect_config_str..z> z z4 ServerSignature Off RewriteEngine On RewriteRule z ErrorLog z1/redirect.error.log LogLevel warn )rryrr;rrr`r-)rDrrurvrFrFrGrs    z+ApacheConfigurator._get_redirect_config_strrcCsd}|jdurt|jdt|dkrd|j}tj|jj|}|jd|t |d }| |Wdn1s>wY|j |sO|j |td||S)Nzle-redirect.confrzle-redirect-%s.confFwzCreated redirect file: %s)rrrrrr`r+rrrrr!rrrr,)rDrrredirect_filenamer redirect_filerFrFrGrs        z&ApacheConfigurator._write_out_redirectcCs\|jr|jSdd|jD}|D] }||r|Sq|D] }|j|ddr+|SqdS)z*Find appropriate HTTP vhost for ssl_vhost.cSsg|]}|js|qSrFrGrHrFrFrGrSs z6ApacheConfigurator._get_http_vhost..T)genericN)rr same_server)rDrcandidate_http_vhshttp_vhrFrFrGrzs z"ApacheConfigurator._get_http_vhostcCs&t}|jD] }|||q|S)zReturn all addrs of vhost with the port replaced with the specified. :param obj.VirtualHost ssl_vhost: Original Vhost :param str port: Desired port for new addresses :returns: `set` of :class:`~obj.Addr` )r~r0rlr)rDrrD redirectsr&rFrFrGr;s z&ApacheConfigurator._get_proposed_addrscCs\|jrdS|j|js,td|j|jd|j7_|j|jjd|jd|_dS)a Enables an available site, Apache reload required. .. note:: Does not make sure that the site correctly works or that all modules are enabled appropriately. .. note:: The distribution specific override replaces functionality of this method where available. :param vhost: vhost to enable :type vhost: :class:`~certbot_apache._internal.obj.VirtualHost` :raises .errors.NotSupportedError: If filesystem layout is not supported. Nz8Enabling site %s by adding Include to root configurationzEnabled site %s rmT) r.r!rrrr,r add_includerr!rFrFrGr/ szApacheConfigurator.enable_sitemod_namecCsd|d}t|)aEnables module in Apache. Both enables and reloads Apache so module is active. :param str mod_name: Name of the module to enable. (e.g. 'ssl') :param bool temp: Whether or not this is a temporary action. .. note:: The distribution specific override replaces functionality of this method where available. :raises .errors.MisconfigurationError: We cannot enable modules in generic fashion. zApache needs to have module "z" active for the requested installation options. Unfortunately Certbot is unable to install or enable it for you. Please install the module, and run Certbot again.)rr()rDrr3 mod_messagerFrFrGr s  zApacheConfigurator.enable_modcCs||dS)zRuns a config test and reloads the Apache server. :raises .errors.MisconfigurationError: If either the config test or reload fails. N)r_reloadrarFrFrGrestart4 s zApacheConfigurator.restartc Csz t|jjWdStjy[}zDtd|jj|jjrNt d|jjzt|jjWWYd}~dStjyM}z t |}WYd}~n d}~wwt |}t |d}~ww)zdReloads the Apache server. :raises .errors.MisconfigurationError: If reload fails z!Unable to restart apache using %sz&Trying alternative restart command: %sN) r run_scriptr`r0rSubprocessErrorrrr1rrMr()rDerrsecerrrrFrFrGr> s* zApacheConfigurator._reloadc Cs>z t|jjWdStjy}ztt|d}~ww)z|Check the configuration of Apache for errors. :raises .errors.MisconfigurationError: If config_test fails N)rrr`r2rrr(rM)rDrrFrFrGrW s zApacheConfigurator.config_test.cCsz t|jj\}}Wntjytd|jjwtdtj }| |}t |dkr4tdt dd|d dDS) zReturn version of Apache Server. Version is returned as tuple. (ie. 2.4.7 = (2, 4, 7)) :returns: version :rtype: tuple :raises .PluginError: if unable to find Apache version zUnable to run %s -vzApache/([0-9\.]*)rzUnable to find Apache versioncsrr)intrrFrFrGrz rz1ApacheConfigurator.get_version..rr)rrr`r/rrrrcompile IGNORECASErrtupler)rDstdoutrcregexrrFrFrGrb s    zApacheConfigurator.get_versioncCs,djtj|jjdddd|jDdS)z3Human-readable string to help understand the modulez_Configures Apache to authenticate and install HTTPS.{0}Server root: {root}{0}Version: {version}rrcsrrrrrFrFrGr rz/ApacheConfigurator.more_info..)rr\)rrlinesepr!rrr\rarFrFrG more_info| s zApacheConfigurator.more_infofailed_achallscCsdS)NzThe Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.rF)rDrrFrFrG auth_hint szApacheConfigurator.auth_hint unused_domaincCstjgS)z%Return list of challenge preferences.)rHTTP01)rDrrFrFrGget_chall_pref rCz!ApacheConfigurator.get_chall_prefachallscCs|j|dgt|}t|}t|D]\}}t|tjs%t d| ||q| }|rB| td||||dd|DS)a Perform the configuration related challenge. This function currently assumes all challenges will be fulfilled. If this turns out not to be the case in the future. Cleanup and outstanding challenges will have to be designed better. NzEChallenge should be an instance of KeyAuthorizationAnnotatedChallengerJcSsg|]}|r|qSrFrF)rresponserFrFrGrS sz.ApacheConfigurator.perform..)rr\rr ApacheHttp01r isinstancer"KeyAuthorizationAnnotatedChallengerr add_challperformrrUsleep_update_responses)rDr responses http_doerrachall http_responserFrFrGr s     zApacheConfigurator.performrchall_response chall_doercCs$t|D] \}}|||j|<qdSr)rindices)rDrrrrresprFrFrGr s z$ApacheConfigurator._update_responsescCs4|j||js|||jdSdS)zRevert all challenges.N)rdifference_updaterrr!r)rDrrFrFrGcleanup s zApacheConfigurator.cleanup options_ssloptions_ssl_digestcCs||}t|||tjS)zCopy Certbot's SSL options file into the system's config dir if required. :param bool warn_on_no_mod_ssl: True if we should warn if mod_ssl is not found. )r_rinstall_version_controlled_filerALL_SSL_OPTIONS_HASHES)rDrrrTapache_config_pathrFrFrGr s  z+ApacheConfigurator.install_ssl_options_conf_unused_lineagedomainsc Cs|g}|D]N}|j|dd}dd|D}|s+d}||}t|t||D](} z || || Wq-tj yU| |vrIYq-d}t ||| j wq|rid} | | t | | |dS) a: Enable the AutoHSTS enhancement for defined domains :param _unused_lineage: Certificate lineage object, unused :type _unused_lineage: certbot._internal.storage.RenewableCert :param domains: List of domains in certificate to enhance :type domains: `list` of `str` FrEcSrFrFrGrHrFrFrGrS rIz6ApacheConfigurator.enable_autohsts..z`Certbot was not able to find SSL VirtualHost for a domain {0} for enabling AutoHSTS enhancement.z_VirtualHost for domain {0} in file {1} has a String-Transport-Security header present, exiting.zEnabling AutoHSTSN)rdrrrrrr_enable_autohsts_domainrrurrr,rrf) rDrrrdrKrrLr0rRr`rFrFrGenable_autohsts s:          z"ApacheConfigurator.enable_autohstscCs||dd|jjvr|dtjddd}tjd}|d|| |}|dur5t d|j d ||j 7_ |j|jd |d ||j }|j |7_ dtd |j|<dS) a#Do the initial AutoHSTS deployment to a vhost :param ssl_vhost: The VirtualHost object to deploy the AutoHSTS :type ssl_vhost: :class:`~certbot_apache._internal.obj.VirtualHost` or None :raises errors.PluginEnhancementAlreadyPresent: When already enhanced zStrict-Transport-SecurityrqrrNr$rrYzCould not generate a unique idz+Adding unique ID {0} to VirtualHost in {1} rXzXAdding gradually increasing HSTS header with initial value of {0} to VirtualHost in {1} rP)rsr!rrrrtrSrrr:rrrrr-rrUr)rDr hsts_headerinitial_maxageuniq_idr`rFrFrGr s(      z*ApacheConfigurator._enable_autohsts_domain_unused_domainc Cs||js dSt}d}t|jD]\\}}|dtj|kr$qtt|dd}|t tj krr|j s;| z| |}Wntjy\d|}t||j|Yqw||||d|}|j|7_d}q|r~|d ||dS) z Increase the AutoHSTS values of VirtualHosts that the user has enabled this enhancement for. :param _unused_domain: Not currently used :type _unused_domain: Not Available NFrRrQrzOCould not find VirtualHost with ID {0}, disabling AutoHSTS for this VirtualHostz9Increasing HSTS max-age value for VirtualHost with id {0}TzIncreased HSTS max-age values)rdrrUr rr AUTOHSTS_FREQrrrrSrrr1rrrrrr{rWrrrrf) rDrcurtimesave_and_restartr.rrOrr0rFrFrGupdate_autohsts. sB     z"ApacheConfigurator.update_autohstsc Cs,||js dSg}g}t|jD]A\}}|ddttjkrUz||}Wntj yDd |}t ||j |Yqw|||rU||||qd}|D]}||tjd |j}t ||j|d7_d}qZ|r|d ||D]}|j |q|dS) z Checks if autohsts vhost has reached maximum auto-increased value and changes the HSTS max-age to a high value. :param lineage: Certificate lineage object :type lineage: certbot._internal.storage.RenewableCert NrQrzLVirtualHost with id {} was not found, unable to make HSTS max-age permanent.FzRStrict-Transport-Security max-age value for VirtualHost in {0} was made permanent.rTzMade HSTS max-age permanent)rdrr rrrrSr1rrrrrr{rhrrTAUTOHSTS_PERMANENTrrrrrrf) rDrgr affected_idsr.rrr0rrFrFrGdeploy_autohsts\ sH        z"ApacheConfigurator.deploy_autohsts)T)r:N)NF)r)NNrN)rA)NTr)rIrJrKrLrPrM__annotations__rrprqr#rSrNr_rbrk classmethodrrtrrHpropertyrrr bytesrr[rrrrrrrr!rrrrrrrr r rrrrrrr rrr r6rr@rIr4rTr rdrr_r rwrzrrrrr"rrr'rrrrrrrrrrrrr rr*rr r)r5r*r1r/r:rrBrrNrWfloatrTrdrfrrhrrrsrrr|r}r~r{rrrzr;r/rrrrrrrAnnotatedChallengerr rrrrChallengeResponser!KeyAuthorizationChallengeResponserrrrrrrrr __classcell__rFrFrrGrOs    &, +A      * E)     @!*05. "2"!"L!"/=  *     4% Q- "    " %   ",#.rO)?rL collectionsrrrloggingrrfrUtypingrrrrrrr r r r r rracmercertbotrrrcertbot.compatrrcertbot.displayrcertbot.interfacesrcertbot.pluginsrcertbot.plugins.enhancementsrcertbot.plugins.utilrcertbot_apache._internalrrrrrrr r!%certbot_apache._internal.apacheparserr"rr ImportError getLoggerrIrr# ConfiguratorrOregisterrFrFrFrGs                                    I#