Your IP : 216.73.216.172


Current Path : /proc/self/root/lib/python3/dist-packages/certbot/__pycache__/
Upload File :
Current File : //proc/self/root/lib/python3/dist-packages/certbot/__pycache__/auth_handler.cpython-38.pyc

U

�]�I�@sdZddlZddlZddlZddlZddlmZddlmZddlm	Z
ddlmZm
Z
mZddlmZddlm	Z	ddlmZdd	lmZe�e�ZGd
d�de�Zdd
�Zdd�Zdd�Zdd�Zdd�ZdZededddedeed�Zdd�Zdd �Z dS)!zACME AuthHandler.�N)�
challenges)�messages)�errors)�Dict�List�Tuple)�achallenges)�
error_handler)�
interfacesc@sReZdZdZdd�Zddd�Zdd	�Zd
d�Zdd
�Zdd�Z	dd�Z
dd�ZdS)�AuthHandleraACME Authorization Handler for a client.

    :ivar auth: Authenticator capable of solving
        :class:`~acme.challenges.Challenge` types
    :type auth: :class:`certbot.interfaces.IAuthenticator`

    :ivar acme.client.BackwardsCompatibleClientV2 acme_client: ACME client API.

    :ivar account: Client's Account
    :type account: :class:`certbot.account.Account`

    :ivar list pref_challs: sorted user specified preferred challenges
        type strings with the most preferred challenge listed first

    cCs||_||_||_||_dS�N)�auth�acme�account�pref_challs)�selfr
Zacme_clientrr�r�6/usr/lib/python3/dist-packages/certbot/auth_handler.py�__init__&szAuthHandler.__init__F�c
CsJ|jdd�}|st�d��|�|�}|s.|St�|j|���zJ|j�|�}t	�
d�tj�
tj�}|jr�tj�
tj�j}|ddd�Wn<tjk
r�}	zt	�d�t	�
d�|	�W5d}	~	XYnXt|�t|�ks�td	��t||�D]\}
}|j�|
j|�q�|�|||�d
d�|D�}|�s0t�d��|W5QR�SQRXdS)
aT
        Retrieve all authorizations, perform all challenges required to validate
        these authorizations, then poll and wait for the authorization to be checked.
        :param acme.messages.OrderResource orderr: must have authorizations filled in
        :param bool best_effort: if True, not all authorizations need to be validated (eg. renew)
        :param int max_retries: maximum number of retries to poll authorizations
        :returns: list of all validated authorizations
        :rtype: List

        :raises .AuthorizationError: If unable to retrieve all authorizations
        NzNo authorization to handle.zWaiting for verification...z\Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about challenges.T)�pausez!Failure in setting up challenges.z0Attempting to clean up outstanding challenges...z(Some challenges have not been performed.cSsg|]}|jjtjkr|�qSr��body�statusrZSTATUS_VALID��.0�authzrrrr�
<listcomp>^s�z5AuthHandler.handle_authorizations.<locals>.<listcomp>zAll challenges have failed.)�authorizationsr�AuthorizationError�_choose_challengesr	ZExitHandler�_cleanup_challengesr
Zperform�logger�info�zope�	component�
getUtilityr
ZIConfigZdebug_challengesZIDisplayZnotification�critical�len�AssertionError�ziprZanswer_challenge�challb�_poll_authorizations)
r�orderr�best_effort�max_retries�authzrs�achallsZrespsZconfigZnotify�error�achall�respZauthzrs_validatedrrr�handle_authorizations-s8


�



z!AuthHandler.handle_authorizationscCs�dd�|jD�}g}g}|D]^}z|j�|�}|�|�Wqtjk
rx}z|�|�t�d|j|�W5d}~XYqXq||fS)a~
        Deactivate all `valid` authorizations in the order, so that they cannot be re-used
        in subsequent orders.
        :param messages.OrderResource orderr: must have authorizations filled in
        :returns: tuple of list of successfully deactivated authorizations, and
                  list of unsuccessfully deactivated authorizations.
        :rtype: tuple
        cSsg|]}|jjtjkr|�qSrrrrrrros�z?AuthHandler.deactivate_valid_authorizations.<locals>.<listcomp>z)Failed to deactivate authorization %s: %sN)	rrZdeactivate_authorization�append�acme_errors�Errorr"�debugZuri)rr-Z
to_deactivateZdeactivatedZfailedr�errr�deactivate_valid_authorizationses

$z+AuthHandler.deactivate_valid_authorizationsc
s$dd�t|�D�}g}d}t|�D]�}|dkr8t�|��fdd�|��D�}|��D]\}\}	}|	||<qVdd�|��D�}
|
D]}t�d|jj	j
�q�|�|
�d	d�|��D�}|s�q�t�fd
d�|��D��}|t
j
����}q"|�rt|�jj�|�st�d��|�r t�d
��dS)a
        Poll the ACME CA server, to wait for confirmation that authorizations have their challenges
        all verified. The poll may occur several times, until all authorizations are checked
        (valid or invalid), or after a maximum of retries.
        cSsi|]\}}||df�qSrr)r�indexrrrr�
<dictcomp>�s�z4AuthHandler._poll_authorizations.<locals>.<dictcomp>�rcs"i|]\}\}}|�j�|��qSr)rZpoll)rr<r�_�rrrr=�s
cSs"g|]\}}|jjtjkr|�qSr)rrrZSTATUS_INVALID)rrr?rrrr�s�z4AuthHandler._poll_authorizations.<locals>.<listcomp>zChallenge failed for domain %scSs,i|]$\}\}}|jjtjkr|||f�qSr)rrrZSTATUS_PENDING)rr<rr4rrrr=�s
�c3s |]\}}�j�|d�VqdS)�N)r�retry_after)rr?r4r@rr�	<genexpr>�s�z3AuthHandler._poll_authorizations.<locals>.<genexpr>zSome challenges have failed.z0All authorizations were not finalized by the CA.N)�	enumerate�range�time�sleep�items�valuesr"Zwarningr�
identifier�value�extend�max�datetimeZnowZ
total_seconds�_report_failed_authzrsr�keyrr)
rr0r/r.Zauthzrs_to_checkZauthzrs_failed_to_reportZ
sleep_secondsr?r<rZauthzrs_failedZ
authzr_failedrBrr@rr,~sD�

�
�
��
z AuthHandler._poll_authorizationscCs�dd�|D�}g}|r t�d�|D]f}|jj}|jjdkrF|jj}ntdd�tt	|��D��}t
||�|jjj
�|�}|�|�||��q$|S)z�
        Retrieve necessary and pending challenges to satisfy server.
        NB: Necessary and already validated challenges are not retrieved,
        as they can be reused for a certificate issuance.
        cSsg|]}|jjtjkr|�qSrrrrrrr�s�z2AuthHandler._choose_challenges.<locals>.<listcomp>z$Performing the following challenges:r>css|]}|fVqdSrr)r�irrrrC�sz1AuthHandler._choose_challenges.<locals>.<genexpr>)r"r#rrrZacme_version�combinations�tuplerEr(�gen_challenge_path�_get_chall_prefrJrKrL�_challenge_factory)rr0Zpending_authzrsr1rZauthzr_challengesrR�pathrrrr �s 

�zAuthHandler._choose_challengescCsng}|j�|�}|jr`tdd�|D��}|jD]}||kr.|�tjj|�q.|rV|St�	d��|�
|�|S)z{Return list of challenge preferences.

        :param str domain: domain for which you are requesting preferences

        css|]}|jVqdSr)�typ)r�challrrrrC�sz.AuthHandler._get_chall_pref.<locals>.<genexpr>zENone of the preferred challenges are supported by the selected plugin)r
Zget_chall_prefr�setr6rZ	ChallengeZTYPESrrrL)r�domainZchall_prefsZplugin_prefZplugin_pref_typesrXrrrrU�s
�
zAuthHandler._get_chall_prefcCst�d�|j�|�dS)z�Cleanup challenges.

        :param achalls: annotated challenges to cleanup
        :type achalls: `list` of :class:`certbot.achallenges.AnnotatedChallenge`

        zCleaning up challengesN)r"r#r
Zcleanup)rr1rrrr!�s
zAuthHandler._cleanup_challengescCs:g}|D],}|jj|}|�t||jj|jjj��q|S)aiConstruct Namedtuple Challenges

        :param messages.AuthorizationResource authzr: authorization

        :param list path: List of indices from `challenges`.

        :returns: achalls, list of challenge type
            :class:`certbot.achallenges.Indexed`
        :rtype: list

        :raises .errors.Error: if challenge type is not recognized

        )rrr6�challb_to_achallrrPrJrK)rrrWr1r<r+rrrrV�s�zAuthHandler._challenge_factoryN)Fr)�__name__�
__module__�__qualname__�__doc__rr5r;r,r rUr!rVrrrrrs
8<
rcCsb|j}t�d|j|�t|tj�r2tj|||d�St|tj	�rLtj	||d�St
�d�|j���dS)a:Converts a ChallengeBody object to an AnnotatedChallenge.

    :param .ChallengeBody challb: ChallengeBody
    :param .JWK account_key: Authorized Account Key
    :param str domain: Domain of the challb

    :returns: Appropriate AnnotatedChallenge
    :rtype: :class:`certbot.achallenges.AnnotatedChallenge`

    z%s challenge for %s)r+r[�account_key)r+r[z+Received unsupported challenge of type: {0}N)
rYr"r#rX�
isinstancerZKeyAuthorizationChallengerZ"KeyAuthorizationAnnotatedChallengeZDNSrr8�format)r+rar[rYrrrr\
s�
�r\cCs|rt|||�St||�S)a�Generate a plan to get authority over the identity.

    .. todo:: This can be possibly be rewritten to use resolved_combinations.

    :param tuple challbs: A tuple of challenges
        (:class:`acme.messages.Challenge`) from
        :class:`acme.messages.AuthorizationResource` to be
        fulfilled by the client in order to prove possession of the
        identifier.

    :param list preferences: List of challenge preferences for domain
        (:class:`acme.challenges.Challenge` subclasses)

    :param tuple combinations: A collection of sets of challenges from
        :class:`acme.messages.Challenge`, each of which would
        be sufficient to prove possession of the identifier.

    :returns: tuple of indices from ``challenges``.
    :rtype: tuple

    :raises certbot.errors.AuthorizationError: If a
        path cannot be created that satisfies the CA given the preferences and
        combinations.

    )�_find_smart_path�_find_dumb_path)�challbs�preferencesrRrrrrT%srTcCs�i}d}t|�D]\}}|||<||7}qd}|}d}	|D]:}
|
D]}|	|�||jj|�7}	qB|	|krp|
}|	}d}	q:|s�t|�|S)z�Find challenge path with server hints.

    Can be called if combinations is included. Function uses a simple
    ranking system to choose the combo with the lowest cost.

    r>Nr)rD�getrY�	__class__�_report_no_chall_path)rfrgrRZ
chall_costZmax_costrQZ	chall_clsZ
best_comboZbest_combo_costZcombo_totalZcomboZchallenge_indexrrrrdDs,
��rdcsJg}t|�D]8\}�t�fdd�|D�d�}|r<|�|�qt|�q|S)z�Find challenge path without server hints.

    Should be called if the combinations hint is not included by the
    server. This function either returns a path containing all
    challenges provided by the CA or raises an exception.

    c3s|]}t�j|�rdVqdS)TN)rbrY)rZpref_c�r+rrrCts�z"_find_dumb_path.<locals>.<genexpr>F)rD�nextr6rj)rfrgrWrQZ	supportedrrkrreis�
recCsBd}t|�dkr*t|djtj�r*|d7}t�|�t�|��dS)z�Logs and raises an error that no satisfiable chall path exists.

    :param challbs: challenges from the authorization that can't be satisfied

    zyClient with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.r>rzM You may need to use an authenticator plugin that can do challenges over DNS.N)	r(rbrYrZDNS01r"r'rr)rf�msgrrrrj~s�
rjz�To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.a Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.ze Additionally, if you have DNSSEC enabled for your domain, please ensure that the signature is valid.z�To fix these errors, please make sure that you did not provide any invalid information to the client, and try running Certbot again.zoUnfortunately, an error on the ACME server prevented you from completing authorization. Please try again later.z� Additionally, please check that you have an up-to-date TLS configuration that allows the server to communicate with the Certbot client.)Z
connectionZdnssecZ	malformedZserverInternalZtlsZunauthorizedZunknownHostcshi}�fdd�|D�}|D]}|�|jjg��|�qtj�tj�}|�	�D]}|�
t|�|j�qLdS)z.Notifies the user about failed authorizations.cs2g|]*}|jjD]}|jrt|�|jjj��qqSr)rrr2r\rJrK)rrr+�rarrr�s

�z*_report_failed_authzrs.<locals>.<listcomp>N)
�
setdefaultr2rXr6r$r%r&r
Z	IReporterrIZadd_message�_generate_failed_chall_msgZMEDIUM_PRIORITY)Zfailed_authzrsraZproblems�failed_achallsr3Zreporterr1rrnrrO�s
�rOcCst|dj}|j}t�|�r |j}dg}|D]}|�d|j||jjf�q*|tkrj|�d�|�t|�d�	|�S)aCreates a user friendly error message about failed challenges.

    :param list failed_achalls: A list of failed
        :class:`certbot.achallenges.AnnotatedChallenge` with the same error
        type.

    :returns: A formatted error message for the client.
    :rtype: str

    rz1The following errors were reported by the server:z"

Domain: %s
Type:   %s
Detail: %sz

�)
r2rXrZ
is_acme_error�coder6r[Zdetail�_ERROR_HELP�join)rqr2rXrmr3rrrrp�s

�

rp)!r`ZloggingrFrNZzope.componentr$rrrrr7Zacme.magic_typingrrrZcertbotrr	r
Z	getLoggerr]r"�objectrr\rTrdrerjZ_ERROR_HELP_COMMONrtrOrprrrr�<module>s@
x%��