o th# @slUdZddlZddlZddlmZmZmZddlmZddl m Z ddl m Z ddl mZeeZddd d d gd Zd d dddgd dddddgd dddddgd ddddd gd dd dddgd dZdD]Zedee<qhdD]Zedee<qsgdZdeed d!gd"Ze ed#<d$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0ed1e d2ed3ed4df d5d6Z dS)7zCA Certs: Add ca certificates.N) lifecyclesubputil)Cloud)Config) MetaSchema) PER_INSTANCEz!/usr/local/share/ca-certificates/z#cloud-init-ca-cert-{cert_index}.crtz/etc/ca-certificates.confzupdate-ca-certificates) ca_cert_pathca_cert_local_pathca_cert_filenameca_cert_configca_cert_update_cmdz/etc/ssl/certs/z#cloud-init-ca-cert-{cert_index}.pemz+/etc/ca-certificates/conf.d/cloud-init.confzupdate-ca-bundlez/etc/pki/ca-trust/z/usr/share/pki/ca-trust-source/z+anchors/cloud-init-ca-cert-{cert_index}.crtzupdate-ca-trustz/etc/pki/trust/z/usr/share/pki/trust/z/etc/pki/tls/certs/zrehash_ca_certificates.sh)aoscfedorarhelopensusephoton)opensuse-microosopensuse-tumbleweed opensuse-leapsle_hpc sle-microslesr) almalinuxcentos cloudlinuxrockyr)rrrralpinedebianrraspberry-pi-osrrrrrrrrubuntur cc_ca_certsca_certsca-certs)iddistros frequencyactivate_by_schema_keysmetacCs*t|t}tj|d|d|d<|S)zReturn a distro-specific ca_certs config dictionary @param distro_name: String providing the distro class name. @returns: Dict of distro configurations for ca_cert. r r ca_cert_full_path)DISTRO_OVERRIDESgetDEFAULT_CONFIGospathjoin) distro_namecfgr2>/usr/lib/python3/dist-packages/cloudinit/config/cc_ca_certs.py_distro_ca_certs_configsns  r4cCstj|ddddS)z Updates the CA certificate cache on the current machine. @param distro_cfg: A hash providing _distro_ca_certs_configs function. r F)captureN)r distro_cfgr2r2r3update_ca_certs{sr8cCsH|sdSt|dD]\}}t|}|dj|d}tj||ddq dS)a- Adds certificates to the system. To actually apply the new certificates you must also call the appropriate distro-specific utility such as L{update_ca_certs}. @param distro_cfg: A hash providing _distro_ca_certs_configs function. @param certs: A list of certificate strings. Nr)) cert_indexi)mode) enumeratestrformatr write_file)r7certsr:ccert_file_contentscert_file_namer2r2r3 add_ca_certss rDcCsJ|dvr t|dS|dvr!t||dvr#d}tjd|ddSdSdS)a. Disables all default trusted CA certificates. For Alpine, Debian and Ubuntu to actually apply the changes you must also call L{update_ca_certs}. @param distro_name: String providing the distro class name. @param distro_cfg: A hash providing _distro_ca_certs_configs function. )rr)rrrrr )rrr z8ca-certificates ca-certificates/trust_new_crts select no)zdebconf-set-selections-)dataN)remove_default_ca_certsdisable_system_ca_certsr)r0r7 debconf_selr2r2r3disable_default_ca_certss  rJcCs|d}|r tj|sdSd}d}t|jrat|}g}|D].}||kr1d}||q#|dks;|ddvrA||q#|sJ||d}|d |q#tj |d |d d d dSdS) z For every entry in the CA_CERT_CONFIG file prefix the entry with a "!" in order to disable it. @param distro_cfg: A hash providing _distro_ca_certs_configs function. r Nz;# Modified by cloud-init to deselect certs due to user-dataFTr)#!rM wb)omode) r-r.existsstatst_sizerload_text_file splitlinesappendr?r/)r7ca_cert_cfg_fnheader_comment added_headerorig out_linesliner2r2r3rHs.       rHcCs:|ddurdStdt|dt|ddS)z Removes all default trusted CA certificates from the system. @param distro_cfg: A hash providing _distro_ca_certs_configs function. r NzDeleting system CA certificatesr )LOGdebugrdelete_dir_contentsr6r2r2r3rGs  rGnamer1cloudargsreturncCsd|vr tjddddn d|vrtd|dSd|vr&d|vr&td |d|d}t|ts8td t |j j }d |vrJtjd dd d|d|d dr`tdt |j j |d|vryt |d}|rytdt|t||tdt|dS)au Call to handle ca_cert sections in cloud-config file. @param name: The module name "ca_cert" from cloud.cfg @param cfg: A nested dict containing the entire cloud config contents. @param cloud: The L{CloudInit} object in use. @param log: Pre-initialized Python logger object to use for logging. @param args: Any module arguments from cloud.cfg r#zKey 'ca-certs'z22.1zUse 'ca_certs' instead.) deprecateddeprecated_version extra_messager"zs~      &  '"