o (fw@sddlZddlZddlZddlmZddlmZmZmZm Z m Z ddl m m ZddlmZmZmZmZmZmZmZmZmZddlmZddlmZddlmZddlm Z dd l!m"Z"m#Z#dd l$m%Z%dd l&m'Z'd Z(d Z)d Z*dZ+dZ,dZ-dZ.dZ/dZ0dZ1dZ2dddddZ3e4Z5e6e7e8Z9edddgZ:Gddde%j;Z !dHd"ed#ee?efd$ee?efd%e@d&e@d'df d(d)ZA * !dId"ed+ee?efd,ee?efd%e@d&e@d'e ee@ff d-d.ZBd/ejCd'ejDfd0d1ZEd"efd2d3ZFd"ed'eefd4d5ZGd"ed6e?d'ee?effd7d8ZHd9ee?e?fd:ee?e?fd'eIfd;d<ZJ dJd=ee?efd>e?d?e?de e?d'eeIee?efff d@dAZK  dKd+ee?efdBe e?de e?d'dfdCdDZLd"edEee?efd'ee:fdFdGZMdS)LN) namedtuple)AnyDictListOptionalTuple) clouds event_logger exceptionshttpmessagessecret_managersystemutilversion)_enabled_services) _is_attached)UAConfig)ATTACH_FAIL_DATE_FORMAT)attachment_data_filemachine_id_file) serviceclient)get_user_or_root_log_file_pathz/v1/context/machines/tokenz3/v1/contracts/{contract}/context/machines/{machine}z /v1/resourcesz3/v1/resources/{resource}/context/machines/{machine}z/v1/clouds/{cloud_type}/tokenz3/v1/contracts/{contract}/machine-activity/{machine}z /v1/contractz/v1/magic-attach)series_overridesseriescloudvariantEnableByDefaultServicenamer c sjeZdZdZ d(deeddffdd Zeje j gdd d(d d Z de e effd d Zd e de e effddZeje j gdddejfddZ d(de de dee de e effddZddZde de e effddZde e effddZde fdd Z d(de d!e dee de e effd"d#Z d(de d!e dee de fd$d%Zd&d'ZZS))UAContractClient contract_urlNcfgreturncstj|dt|_dS)Nr%)super__init__mtfget_machine_token_filemachine_token_file)selfr% __class__3/usr/lib/python3/dist-packages/uaclient/contract.pyr)EszUAContractClient.__init__)rrr) retry_sleepsc Cs|st|j}|}|dd|i|}||d<||d}t|}|j t ||d}|j dkr:t |j dkrCt||j dkrRt jt |j |jd |j} tj| d d | d gD] } tj| d d qe| S)a}Requests machine attach to the provided machine_id. @param contract_token: Token string providing authentication to ContractBearer service endpoint. @param machine_id: Optional unique system machine id. When absent, contents of /etc/machine-id will be used. @return: Dict of the JSON response containing the machine-token. Authorization Bearer {}lastAttachment machineId activityInfo)dataheadersiurlcodebody machineTokenresourceTokenstoken)rget_machine_idr%r:updateformat_get_activity_info isoformat_support_old_machine_info request_urlAPI_V1_ADD_CONTRACT_MACHINEr?r AttachInvalidTokenError_raise_attach_forbidden_messageContractAPIErrorr@ json_dictr secrets add_secretget) r-contract_token attachment_dt machine_idr: activity_infor9backcompat_dataresponse response_jsonrDr0r0r1add_contract_machineLs8       z%UAContractClient.add_contract_machinecCsT|}|jt|d|d|d|ddd}|jdkr'tjt|j|jd|jS) z=Requests list of entitlements available to this machine type. architecturerkernelvirtr\rr]r^) query_paramsr<r=)rHrKAPI_V1_AVAILABLE_RESOURCESr?r rOr@rP)r-rWrYr0r0r1available_resourcesws  z$UAContractClient.available_resourcesrTcCsN|}|dd|i|jt|d}|jdkr$tjt|j|jd|j S)Nr3r4r:r<r=) r:rFrGrKAPI_V1_GET_CONTRACT_USING_TOKENr?r rOr@rP)r-rTr:rYr0r0r1get_contract_using_tokens z)UAContractClient.get_contract_using_tokeninstancecCs~|jtj|jd|jd}|jdkr0|jdd}|r&t |t j |dt j t|j|j d|j}tj|dd|S) zRequests contract token for auto-attach images for Pro clouds. @param instance: AutoAttachCloudInstance for the cloud. @return: Dict of the JSON response containing the contract-token. ) cloud_type)r9r<messagerB) error_msgr= contractToken)rK,API_V1_GET_CONTRACT_TOKEN_FOR_CLOUD_INSTANCErGrg identity_docr?rPrSLOGdebugr InvalidProImagerOr@r rQrR)r-rfrYmsgrZr0r0r1%get_contract_token_for_cloud_instances*     z6UAContractClient.get_contract_token_for_cloud_instance machine_tokenresourcerVc Cs|st|j}|}|dd|itj||d}|j||d}|jdkr3t j t|j|j d|j drA|jd|j d<|j }| dgD] }tj| d d qJ|S) aRequests machine access context for a given resource @param machine_token: The authentication token needed to talk to this contract service endpoint. @param resource: Entitlement name. @param machine_id: Optional unique system machine id. When absent, contents of /etc/machine-id will be used. @return: Dict of the JSON response containing entitlement accessInfo. r3r4)rsmachinercr<r=expiresrCrDrB)rrEr%r:rFrG"API_V1_GET_RESOURCE_MACHINE_ACCESSrKr?r rOr@rSrPr rQrR) r-rrrsrVr:r>rYrZrDr0r0r1get_resource_machine_accesss(   z,UAContractClient.get_resource_machine_accesscCs|jj}|jjd}t|j}|}tj ||d}| }| dd |i|j |||d}|j dkrAtj||j |jd|jrU|jj}|j|d<|j|d Sd S) zReport current activity token and enabled services. This will report to the contracts backend all the current enabled services in the system. rAcontractrtr3r4)r:r9r<r=r8N)r, contract_idrrrSrrEr%rHAPI_V1_UPDATE_ACTIVITY_TOKENrGr:rFrKr?r rOr@rPwrite)r-rzrrrV request_datar>r:rYr0r0r1update_activity_tokens*    z&UAContractClient.update_activity_token magic_tokencCs|}|dd|i|jt|d}|jdkrt|jdkr't|jdkr6tj t|j|j d|j }gd}|D] }t j ||d q?|S) zRequest magic attach token info. When the magic token is registered, it will contain new fields that will allow us to know that the attach process can proceed r3r4rcr;r<r=rDuserCoderjrB)r:rFrGrK"API_V1_GET_MAGIC_ATTACH_TOKEN_INFOr?r MagicAttachTokenErrorMagicAttachUnavailablerOr@rPr rQrRrS)r-rr:rYrZ secret_fieldsfieldr0r0r1get_magic_attach_token_infos(   z,UAContractClient.get_magic_attach_token_infocCsx|}|jt|dd}|jdkrt|jdkr$tjt|j|jd|j}gd}|D] }t j | |dq-|S)z)Create a magic attach token for the user.POSTr:methodrr<r=rrB) r:rKAPI_V1_NEW_MAGIC_ATTACHr?r rrOr@rPr rQrRrS)r-r:rYrZrrr0r0r1new_magic_attach_token$s&  z'UAContractClient.new_magic_attach_tokencCs|}|dd|i|jt|dd}|jdkrt|jdkr(t|jdkr1t |jdkr@tj t|j|j d d S) z)Revoke a magic attach token for the user.r3r4DELETErir;rr<r=N) r:rFrGrKAPI_V1_REVOKE_MAGIC_ATTACHr?r MagicAttachTokenAlreadyActivatedrrrOr@)r-rr:rYr0r0r1revoke_magic_attach_token;s(    z*UAContractClient.revoke_magic_attach_tokenrzc Cs|st|j}|}|dd|itj||d}|}|j|d||d|d|d|dd d }|j d krFt j ||j |j d |j d rT|jd |jd <|jS)a|Get the updated machine token from the contract server. @param machine_token: The machine token needed to talk to this contract service endpoint. @param contract_id: Unique contract id provided by contract service @param machine_id: Optional unique system machine id. When absent, contents of /etc/machine-id will be used. r3r4rxGETr\rr]r^r_)rr:r`r<r=ru)rrEr%r:rFrGAPI_V1_GET_CONTRACT_MACHINErHrKr?r rOr@rSrP)r-rrrzrVr:r>rWrYr0r0r1get_contract_machineRs4    z%UAContractClient.get_contract_machinec Cs|st|j}|}|dd|i||d}t|}tj||d}|j ||d|d}|j dkr@t j ||j |j d|jd rN|jd |jd <|jS) aRequest machine token refresh from contract server. @param machine_token: The machine token needed to talk to this contract service endpoint. @param contract_id: Unique contract id provided by contract service. @param machine_id: Optional unique system machine id. When absent, contents of /etc/machine-id will be used. @return: Dict of the JSON response containing refreshed machine-token r3r4r6rxr)r:rr9r<r=ru)rrEr%r:rFrGrHrJAPI_V1_UPDATE_CONTRACT_MACHINErKr?r rOr@rSrP) r-rrrzrVr:r9rXr>rYr0r0r1update_contract_machine}s*    z(UAContractClient.update_contract_machinecCstjtjtjtttt d}t |j j rOt|j j}t}|jjp4t|j |jjdd|Ddd|D|rJ|jndd}ni}i||S)z9Return a dict of activity info data for contract requests) distributionr]rr\desktopr^ clientVersioncSsg|]}|jqSr0)r".0servicer0r0r1 sz7UAContractClient._get_activity_info..cSsi|] }|jr|j|jqSr0)variant_enabledr" variant_namerr0r0r1 s z7UAContractClient._get_activity_info..N) activityID activityToken resourcesresourceVariantsr5)rget_release_inforget_kernel_info uname_releaser get_dpkg_arch is_desktop get_virt_typer get_versionrr% is_attachedrenabled_servicesrreadr, activity_idrEactivity_token attached_atrI)r- machine_inforattachment_datarWr0r0r1rHs8    z#UAContractClient._get_activity_infoN)__name__ __module__ __qualname__cfg_url_base_attrrrr)rretrysockettimeoutr[rstrrrbrerAutoAttachCloudInstancerqrwr~rrrrrrH __classcell__r0r0r.r1r#Bsh * $  &(  / (r# request_bodyc CsJ|di}|d||d|d|d|ddtjdd S) a? Transforms a request_body that has the new activity_info into a body that includes both old and new forms of machineInfo/activityInfo This is necessary because there may be old ua-airgapped contract servers deployed that we need to support. This function is used for attach and refresh calls. r8r7r\rr]rLinux)rr]rtyperelease)r7r8r\os)rSrrr)rrWr0r0r1rJs rJTr%past_entitlementsnew_entitlements allow_enablerr&c Csjddlm}d}g}g}||D]|} z|| } Wn ty!Yqwg}zt||| i| ||d\} } WnMtjy[} zt| d}| | t d| | WYd} ~ qd} ~ wt y} zt| | | | | td| | WYd} ~ qd} ~ ww| r| rt | qt |t|dkrtjd d t||Dd |rtjd d |Dd dS) aIterate over all entitlements in new_entitlement and apply any delta found according to past_entitlements. :param cfg: UAConfig instance :param past_entitlements: dict containing the last valid information regarding service entitlements. :param new_entitlements: dict containing the current information regarding service entitlements. :param allow_enable: Boolean set True if allowed to perform the enable operation. When False, a message will be logged to inform the user about the recommended enabled service. :param series_overrides: Boolean set True if series overrides should be applied to the new_access dict. r)entitlements_enable_orderF)r% orig_access new_accessrrTz+Failed to process contract delta for %s: %rNz5Unexpected error processing contract delta for %s: %rcSs*g|]\}}|tjjt|tdfqS))rilog_path)r UNEXPECTED_ERRORrGrr)rr" exceptionr0r0r1r/sz.process_entitlements_delta..)failed_servicescSsg|]}|tjfqSr0)r !E_ATTACH_FAILURE_DEFAULT_SERVICES)rr"r0r0r1r<s)uaclient.entitlementsrKeyErrorprocess_entitlement_deltarSr UbuntuProErrorrmrappenderror Exceptioneventservice_processedservices_failedlenAttachFailureUnknownErrorzipAttachFailureDefaultServices)r%rrrrr delta_errorunexpected_errorsrr"new_entitlementdeltasservice_enableder0r0r1process_entitlements_deltasr              rFrrc Csddlm}|r t|t||}d}|rh|did}|s*|did}|s3tj||d|didid d } z |||| d } Wntjy_} zt d || d } ~ ww| j |||d}||fS)a,Process a entitlement access dictionary deltas if they exist. :param cfg: UAConfig instance :param orig_access: Dict with original entitlement access details before contract refresh deltas :param new_access: Dict with updated entitlement access details after contract refresh :param allow_enable: Boolean set True if allowed to perform the enable operation. When False, a message will be logged to inform the user about the recommended enabled service. :param series_overrides: Boolean set True if series overrides should be applied to the new_access dict. :raise UbuntuProError: on failure to process deltas. :return: A tuple containing a dict of processed deltas and a boolean indicating if the service was fully processed rentitlement_factoryF entitlementr)orignew entitlements obligations use_selectorrBr%r"r z3Skipping entitlement deltas for "%s". No such classNr) rrapply_contract_overridesrget_dict_deltasrSr InvalidContractDeltasServiceTypeEntitlementNotFoundErrorrmrnprocess_contract_deltas) r%rrrrrrretr"r rexcr0r0r1rCsD    rrYcCs|jd}|rJ|d}|d}|dkr(|dt}tj|||ddd|dkr@|dt}tj|||ddd |d krJtj|d t) Ninfo contractIdreasonzno-longer-effectivetimez%m-%d-%Y)rzdatecontract_expiry_dateznot-effective-yet)rzrcontract_effective_dateznever-effective)rz) rPrSstrftimerr AttachForbiddenExpiredAttachForbiddenNotYetAttachForbiddenNeverAttachExpiredToken)rYrrzrrr0r0r1rNs*    rNc Cst|}|}|j}|d}|ddd}t|d}|j||d}||tj | di dt|}t |t |||dd d S) zRequest contract refresh from ua-contracts service. :raise UbuntuProError: on failure to update contract or error processing contract deltas :raise ConnectivityError: On failure during a connection rAmachineTokenInfo contractInfoidr')rrrzr7FrN) r*r+rrrr#rr|rrE cache_clearrSrr) r%r,orig_entitlements orig_tokenrrrzcontract_clientresprVr0r0r1refreshs*        r cCst|}|}|dgS)zDQuery available resources from the contract server for this machine.r)r#rbrS)r%clientrr0r0r1get_available_resourcess r rDcCst|}||S)z/Query contract information for a specific token)r#re)r%rDr r0r0r1get_contract_informations r override_selectorselector_valuescCs<d}|D]\}}||f|vrdS|t|7}q|S)Nr)itemsOVERRIDE_SELECTOR_WEIGHTS)r roverride_weightselectorvaluer0r0r1_get_override_weights rr series_namergc Cszi}||d}|r ||d<|di|i}|r||td<t|dg}|D]}t|d|} | r:||| <q*|S)N)rrr rr overridesr)poprcopydeepcopyrSr) rrrgr rrrgeneral_overridesoverrideweightr0r0r1_select_overridess"   rrcCsddlm}tt|td|vgstd||dur!tj n|}|\}}| di}t ||||}t | D]%\} } | D]\} } |d | } t| trY| | qC| |d| <qCq;dS)aApply series-specific overrides to an entitlement dict. This function mutates orig_access dict by applying any series-overrides to the top-level keys under 'entitlement'. The series-overrides are sparse and intended to supplement existing top-level dict values. So, sub-keys under the top-level directives, obligations and affordance sub-key values will be preserved if unspecified in series-overrides. To more clearly indicate that orig_access in memory has already had the overrides applied, the 'series' key is also removed from the orig_access dict. :param orig_access: Dict with original entitlement access details r)get_cloud_typerz?Expected entitlement access dict. Missing "entitlement" key: {}N)uaclient.clouds.identityrall isinstancedict RuntimeErrorrGrrrrSrsortedrrF)rrr rrrg_orig_entitlementr_weightoverrides_to_applykeyrcurrentr0r0r1rs*     rrc Csddlm}g}|D]H\}}|didd}z ||||d}Wn tjy-Yq w|didi}|d} ||| rT|\} } | rT|t ||d q |S) NrrrrrBrr resourceToken)r"r ) rrrrSr r_should_enable_by_default can_enablerr!) r%rrenable_by_default_servicesent_name ent_valuer entrr+r-r%r0r0r1get_enabled_by_default_services's,    r2)T)FTr)NN)Nrloggingr collectionsrtypingrrrrruaclient.files.machine_tokenfilesrrr*uaclientrr r r r r rrr-uaclient.api.u.pro.status.enabled_services.v1r(uaclient.api.u.pro.status.is_attached.v1ruaclient.configruaclient.defaultsruaclient.files.state_filesrr uaclient.httpr uaclient.logrrLrrrarvrkr{rdrrrrget_event_loggerr getLoggerreplace_top_level_logger_namerrmr!UAServiceClientr#r"rJrboolrr HTTPResponse NamedMessagerNr r r intrrrr2r0r0r0r1s ,         ^    ? !       1