U
    wÚ7e$  ã                   @   sl  U d Z ddlZddlmZ ddlmZ ddlmZmZ ddl	m
Z
 ddlmZ ddlmZmZ dd	lmZ e e¡Zdd
dddgdœZdddddgdœdddddgdœdddddgdœdœZdD ]Zed ee< qÀdZddddddddd d!d"d#gZd$d%d&eeeed'ƒgd(d)gd*œZeed+< eeƒZ d,d-„ Zd.d/„ Zd0d1„ Zd2d3„ Zd4d5„ Z d6d7„ Z!e"ee
e#dd8œd9d:„Z$dS );zCA Certs: Add ca certificates.é    N)Údedent)Úlog)ÚsubpÚutil)ÚCloud)ÚConfig)Ú
MetaSchemaÚget_meta_doc)ÚPER_INSTANCEz!/usr/local/share/ca-certificates/z#cloud-init-ca-cert-{cert_index}.crtz/etc/ca-certificates.confzupdate-ca-certificates)Úca_cert_pathÚca_cert_local_pathÚca_cert_filenameÚca_cert_configÚca_cert_update_cmdz/etc/pki/ca-trust/z/usr/share/pki/ca-trust-source/z+anchors/cloud-init-ca-cert-{cert_index}.crtzupdate-ca-trustz/etc/pki/trust/z/usr/share/pki/trust/)ÚfedoraÚrhelÚopensuse)úopensuse-microosúopensuse-tumbleweedúopensuse-leapÚsle_hpcú	sle-microÚslesr   a/  This module adds CA certificates to the system's CA store and updates any
related files using the appropriate OS-specific utility. The default CA
certificates can be disabled/deleted from use by the system with the
configuration option ``remove_defaults``.

.. note::
    certificates must be specified using valid yaml. in order to specify a
    multiline certificate, the yaml multiline list syntax must be used

.. note::
    Alpine Linux requires the ca-certificates package to be installed in
    order to provide the ``update-ca-certificates`` command.
ÚalpineÚdebianr   r   r   r   r   r   r   r   ÚubuntuZcc_ca_certszCA CertificateszAdd ca certificatesa              ca_certs:
              remove_defaults: true
              trusted:
                - single_line_cert
                - |
                  -----BEGIN CERTIFICATE-----
                  YOUR-ORGS-TRUSTED-CA-CERT-HERE
                  -----END CERTIFICATE-----
            Úca_certsúca-certs)ÚidÚnameÚtitleZdescriptionÚdistrosZ	frequencyZexamplesZactivate_by_schema_keysÚmetac                 C   s*   t  | t¡}tj |d |d ¡|d< |S )z²Return a distro-specific ca_certs config dictionary

    @param distro_name: String providing the distro class name.
    @returns: Dict of distro configurations for ca_cert.
    r   r   Úca_cert_full_path)ÚDISTRO_OVERRIDESÚgetÚDEFAULT_CONFIGÚosÚpathÚjoin)Údistro_nameÚcfg© r,   ú>/usr/lib/python3/dist-packages/cloudinit/config/cc_ca_certs.pyÚ_distro_ca_certs_configst   s     ÿr.   c                 C   s   t j | d dd dS )zŽ
    Updates the CA certificate cache on the current machine.

    @param distro_cfg: A hash providing _distro_ca_certs_configs function.
    r   F)ZcaptureN)r   ©Ú
distro_cfgr,   r,   r-   Úupdate_ca_certs   s    r1   c                 C   sH   |sdS t |dƒD ]0\}}t|ƒ}| d j|d}tj||dd qdS )a-  
    Adds certificates to the system. To actually apply the new certificates
    you must also call the appropriate distro-specific utility such as
    L{update_ca_certs}.

    @param distro_cfg: A hash providing _distro_ca_certs_configs function.
    @param certs: A list of certificate strings.
    Né   r#   )Ú
cert_indexi¤  )Úmode)Ú	enumerateÚstrÚformatr   Ú
write_file)r0   Zcertsr3   ÚcZcert_file_contentsZcert_file_namer,   r,   r-   Úadd_ca_certsŠ   s    	ÿr:   c                 C   s>   | dkrt |ƒ n(| dkr:t|ƒ | dkr:d}t d|¡ dS )a.  
    Disables all default trusted CA certificates. For Alpine, Debian and
    Ubuntu to actually apply the changes you must also call
    L{update_ca_certs}.

    @param distro_name: String providing the distro class name.
    @param distro_cfg: A hash providing _distro_ca_certs_configs function.
    r   )r   r   r   )r   r   z8ca-certificates ca-certificates/trust_new_crts select no)zdebconf-set-selectionsú-N)Úremove_default_ca_certsÚdisable_system_ca_certsr   )r*   r0   Zdebconf_selr,   r,   r-   Údisable_default_ca_certsŸ   s    	
ÿr>   c                 C   sÂ   | d }|rt j |¡sdS d}d}t  |¡jr¾t |¡}g }| ¡ D ]\}||krbd}| |¡ qF|dksv|d dkr‚| |¡ qF|s”| |¡ d}| d	| ¡ qFtj	|d
 
|¡d
 dd dS )z¸
    For every entry in the CA_CERT_CONFIG file prefix the entry with a "!"
    in order to disable it.

    @param distro_cfg: A hash providing _distro_ca_certs_configs function.
    r   Nz;# Modified by cloud-init to deselect certs due to user-dataFTÚ r   )ú#ú!rA   Ú
Úwb)Zomode)r'   r(   ÚexistsÚstatÚst_sizer   Z	load_fileÚ
splitlinesÚappendr8   r)   )r0   Zca_cert_cfg_fnZheader_commentZadded_headerZorigZ	out_linesÚliner,   r,   r-   r=   ´   s0    ÿ

  ÿr=   c                 C   s:   | d dkrdS t  d¡ t | d ¡ t | d ¡ dS )z’
    Removes all default trusted CA certificates from the system.

    @param distro_cfg: A hash providing _distro_ca_certs_configs function.
    r   NzDeleting system CA certificatesr   )ÚLOGÚdebugr   Zdelete_dir_contentsr/   r,   r,   r-   r<   Û   s
    
r<   )r   r+   ÚcloudÚargsÚreturnc                 C   sö   d|krt jdddd nd|kr2t d| ¡ dS d|krLd|krLt d	¡ | d| d¡¡}t|jjƒ}d
|kr‚t jdddd | d| d
d¡¡r®t d¡ t	|jj|ƒ d|kràt  
|d¡}|ràt dt|ƒ¡ t||ƒ t d¡ t|ƒ dS )au  
    Call to handle ca_cert sections in cloud-config file.

    @param name: The module name "ca_cert" from cloud.cfg
    @param cfg: A nested dict containing the entire cloud config contents.
    @param cloud: The L{CloudInit} object in use.
    @param log: Pre-initialized Python logger object to use for logging.
    @param args: Any module arguments from cloud.cfg
    r   zKey 'ca-certs'z22.1zUse 'ca_certs' instead.)Z
deprecatedZdeprecated_versionZextra_messager   z<Skipping module named %s, no 'ca_certs' key in configurationNzMFound both ca-certs (deprecated) and ca_certs config keys. Ignoring ca-certs.zremove-defaultszKey 'remove-defaults'zUse 'remove_defaults' instead.Zremove_defaultsFz'Disabling/removing default certificatesZtrustedzAdding %d certificateszUpdating certificates)r   Z	deprecaterJ   rK   Zwarningr%   r.   Údistror   r>   Zget_cfg_option_listÚlenr:   r1   )r   r+   rL   rM   Zca_cert_cfgr0   Ztrusted_certsr,   r,   r-   Úhandleé   sJ    
ýþÿý 
ÿ


rQ   )%Ú__doc__r'   Útextwrapr   Z	cloudinitr   Zloggingr   r   Zcloudinit.cloudr   Zcloudinit.configr   Zcloudinit.config.schemar   r	   Zcloudinit.settingsr
   Z	getLoggerÚ__name__rJ   r&   r$   rO   ZMODULE_DESCRIPTIONr!   r"   Ú__annotations__r.   r1   r:   r>   r=   r<   r6   ÚlistrQ   r,   r,   r,   r-   Ú<module>   sŒ   
û	ûûûñôÿÿë	'