3 a@sddlZddlZddlZddlZddlZddlmZddlmZddlm Z ddl m Z ddl m Z mZmZddlmZddlmZdd lmZdd lmZdd lmZdd lmZmZy dd lmZmZmZmZmZWnek rYnXdZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'Gdddej(Z)Gdddej*Z+GdddZ,GdddZ-GdddZ.d d!d"d#Z/d$d%d&d'd(d)Z0e e1dd*d+d,Z2e.d d-d.d/d0Z3e-d d-d1d2d3Z4e1d-d4d5d6Z5e,d e,d7d8d9Z6d:d;Z7dd?Z9e1e d@dAdBZ:e1e e;dCdDdEZe e1d-d dPddQdRdSZ?dd!dTdUZ@e e1e;dVdWdXZAe e;dYdZd[ZBe e1e;d\d]d^ZCe1e e;dCd_d`ZDe e;dYdadbZEe e;dYdcddZFe dLe1e;dedfdgZGe1e1e;dhdidjZHdS)kN) defaultdict)datetime)apt)UAConfig)CLOUD_TYPE_TO_TITLE PRO_CLOUDSget_cloud_type) exceptions)status) serviceclient)util)ENTITLEMENT_CLASS_BY_NAME) BASE_UA_URLPRINT_WRAP_WIDTH)AnyDictListOptionalTuplez=((CVE|cve)-\d{4}-\d{4,7}$|(USN|usn|LSN|lsn)-\d{1,5}-\d{1,2}$)z cves.jsonzcves/{cve}.jsonz notices.jsonznotices/{notice}.jsonzUbuntu standard updateszUA InfrazUA Appscs:eZdZfddZddZd ddZfdd ZZS) SecurityAPIErrorcs*tj||j|j|j|jdd|_dS)Nmessage)super__init__codeheadersurlgetr)selfeZerror_response) __class__3/usr/lib/python3/dist-packages/uaclient/security.pyr.szSecurityAPIError.__init__cCst||jkS)N)boolr)rZ error_coder!r!r" __contains__2szSecurityAPIError.__contains__NcCs||jkr|jS|S)N)r)rZ error_strdefaultr!r!r"__get__5s zSecurityAPIError.__get__csDtj}|jg}|r2|d|jddj|S|d|jdS)Nz: [z] z, ])r__str__rrjoin)rprefixdetails)r r!r"r(:s  zSecurityAPIError.__str__)N)__name__ __module__ __qualname__rr$r&r( __classcell__r!r!)r r"r-s  rc seZdZdZdZeZdddddZej e j ddd gd d!fd d Z d"dddddddddd ddZ eddddZd#dddddddddZedddd ZZS)$UASecurityClientZ security_urlzDict[str, Any]) query_paramsreturncCs.|jjjdijdi}|r*|j||S|S)zD Update query params with data from feature config. Zfeaturesextra_security_params)cfgrupdate)rr2r4r!r!r"_get_query_paramsHs  z"UASecurityClient._get_query_params)Z retry_sleepsNcs |j|}tj|||||dS)N)pathdatarmethodr2)r7r request_url)rr;r<rr=r2)r r!r"r>Xs zUASecurityClient.request_urlz Optional[str]z Optional[int]zOptional[List[str]]z List[CVE]) queryprioritypackagelimitoffset componentversionr r3c s:||||||||d} jt| d\} } fdd| DS)znQuery to match multiple-CVEs. @return: List of CVE instances based on the the JSON response. )qr@rArBrCrDrEr )r2csg|]}t|dqS))clientresponse)CVE).0Zcve_md)rr!r" sz-UASecurityClient.get_cves..)r> API_V1_CVES) rr?r@rArBrCrDrEr r2Z cves_response_headersr!)rr"get_cveseszUASecurityClient.get_cvesrI)cve_idr3cCs"|jtj|d\}}t||dS)zkQuery to match single-CVE. @return: CVE instance for JSON response from the Security API. )cve)rGrH)r>API_V1_CVE_TMPLformatrI)rrO cve_responserMr!r!r"get_cveszUASecurityClient.get_cvez List[USN])r+releaserBrCorderr3c sJ||||d}jt|d\}}tfdd|jdgDdddS) zuQuery to match multiple-USNs. @return: Sorted list of USN instances based on the the JSON response. )r+rUrBrCrV)r2cs0g|](}dks |jdgkrt|dqS)Ncves_ids)rGrH)rUSN)rJZusn_md)r+rr!r"rKsz0UASecurityClient.get_notices..noticescSs|jS)N)id)xr!r!r"sz.UASecurityClient.get_notices..)key)r>API_V1_NOTICESsortedr) rr+rUrBrCrVr2Z usns_responserMr!)r+rr" get_noticess  zUASecurityClient.get_noticesrX) notice_idr3cCs"|jtj|d\}}t||dS)zbQuery to match single-USN. @return: USN instance representing the JSON response. )notice)rGrH)r>API_V1_NOTICE_TMPLrRrX)rraZnotice_responserMr!r!r" get_noticeszUASecurityClient.get_notice)NNNN)NNNNNNNN)NNNNN)r,r-r.Z url_timeoutZcfg_url_base_attrrZ api_error_clsr7r ZretrysocketZtimeoutr>rNstrrTr`rdr/r!r!)r r"r0Bs0   r0c@seZdZdZddddZeddZedd Zed d Zed d Z eddZ eddZ ee dddZ eddZdS)CVEPackageStatuszAClass representing specific CVE PackageStatus on an Ubuntu serieszDict[str, Any])rScCs ||_dS)N)rH)rrSr!r!r"rszCVEPackageStatus.__init__cCs |jdS)N description)rH)rr!r!r"rhszCVEPackageStatus.descriptioncCs|jS)N)rh)rr!r!r" fixed_versionszCVEPackageStatus.fixed_versioncCs |jdS)Npocket)rH)rr!r!r"rjszCVEPackageStatus.pocketcCs |jdS)Nrelease_codename)rH)rr!r!r"rksz!CVEPackageStatus.release_codenamecCs |jdS)Nr )rH)rr!r!r"r szCVEPackageStatus.statuscCsz|jdkrdS|jdkrdS|jdkr*dS|jdkr8d S|jd krFd S|jd krTd S|jdkrntjj|jdSdj|jS)NZneededzSorry, no fix is available yet.z needs-triagez7Ubuntu security engineers are investigating this issue.pendingz)A fix is coming soon. Try again tomorrow.ignoreddeferredzSorry, no fix is available.ZDNEz.Source package does not exist on this release.z not-affectedz/Source package is not affected on this release.released)Z fix_streamz UNKNOWN: {})rmrn)r Z#MESSAGE_SECURITY_FIX_RELEASE_STREAMrR pocket_source)rr!r!r"status_messages         zCVEPackageStatus.status_message)r3cCst|jtkS)z>Return True if the package requires an active UA subscription.)r#rpUBUNTU_STANDARD_UPDATES_POCKET)rr!r!r" requires_uaszCVEPackageStatus.requires_uacCsH|jdkrt}n4|jdkr t}n$|jdkr0t}nd|jkr@t}nt}|S)z>Human-readable string representing where the fix is published.z esm-infrazesm-appsupdatessecurityZesm)rtru)rjUA_INFRA_POCKETUA_APPS_POCKETrrri)rZ fix_sourcer!r!r"rps    zCVEPackageStatus.pocket_sourceN)r,r-r.__doc__rpropertyrhrirjrkr rqr#rsrpr!r!r!r"rgs      rgc@seZdZdZeddddZedddZed d Z d d Z ed dddZ eddddZ eddZ eddddZdS)rIz7Class representing CVE response from the SecurityClientzDict[str, Any])rGrHcCs||_||_dS)N)rHrG)rrGrHr!r!r"rsz CVE.__init__)r3cCst|tsdS|j|jkS)NF) isinstancerIrH)rotherr!r!r"__eq__s z CVE.__eq__cCs|jjddjS)NrZZUNKNOWN_CVE_ID)rHrupper)rr!r!r"rZ szCVE.idcCsD|j}x|jD] }|j}PqWdj|j|ddj|jg}dj|S)z2Return a string representing the URL for this cve.z{issue}: {title})issuetitlezhttps://ubuntu.com/security/{} )rhrYrrRrZr))rrrblinesr!r!r"get_url_header s zCVE.get_url_headerz List[str]cCs|jjdgS)N notices_ids)rHr)rr!r!r"rszCVE.notices_idsz List[USN]cs<tds6tfddjjdgDdddd_jS) zReturn a list of USN instances from API response 'notices'. Cache the value to avoid extra work on multiple calls. _noticescsg|]}tj|qSr!)rXrG)rJrb)rr!r"rK'szCVE.notices..rYcSs|jS)N)rZ)nr!r!r"r\*szCVE.notices..T)r]reverse)hasattrr_rHrr)rr!)rr"rYs   z CVE.noticescCs |jjdS)Nrh)rHr)rr!r!r"rh/szCVE.descriptionzDict[str, CVEPackageStatus]cCslt|dr|jSi|_tjd}xB|jdD]4}x.|dD]"}|d|kr.cvescSs|jS)N)rZ)rr!r!r"r\hszUSN.cves..T)r]r)rr_rHrr)rr!)rr"r\s   zUSN.cvescCs |jjdS)Nr)rHr)rr!r!r"rmsz USN.titlecCs@dj|j|jddg}x|jD]}|jdj|qWdj|S)z5Return a string representing the URL for this notice.z{issue}: {title})r~rz Found CVEs:zhttps://ubuntu.com/security/{}r)rRrZrrWappendr))rrrPr!r!r"rqs  zUSN.get_url_headerz$Dict[str, Dict[str, Dict[str, str]]]cCsXt|dr|jStjd}i|_x,|jjdij|gD]}|jdr|d|jkrd|j|dkrtjdj|j |dd|j d ||j|dd<nd|i|j|d<q<|jd stjd j|j |dd |j d n4d |d krtjdj|j |d|d d|j d |d j d d}||jkr           zUSN.release_packagesN)r,r-r.rxr0rr#r|ryrfrZrWrrrrr!r!r!r"rXGs  rXzDict[str, Dict[str, str]])r3c Cstjd}|dkrd}nd}tjdd|ddg\}}i}xV|jD]J}|jd \}}}} |sf|}d | krpqH||kr||||<qH||i||<qHW|S) zReturn a dict of all source packages installed on the system. The dict keys will be source package name: "krb5". The value will be a dict with keys binary_pkg and version. rZtrustyz ${Status}z${db:Status-Status}z dpkg-queryz#-f=${Package},${Source},${Version},rz-W,Z installed)r rsubp splitlinesr) rZ status_fieldoutZ_errinstalled_packagesZpkg_linepkg_namerZ pkg_versionr r!r!r"#query_installed_source_pkg_versionss&   rz List[USN]zDict[str, bool]z%Dict[str, Dict[str, Dict[str, str]]])usns beta_pocketsr3c si}x|D]}x|jjD]\}}fdd|jD}||krN|rN|||<q||kr||}xL|jD]@\}} ||kr| ||<qh||d} | d} t| | sh| ||<qhWqWq W|S)aWalk related USNs, merging the released binary package versions. For each USN, iterate over release_packages to collect released binary package names and required fix version. If multiple related USNs require differnt version fixes to the same binary package, track the maximum version required across all USNs. :param usns: List of USN response instances from which to calculate merge. :param beta_pockets: Dict keyed on service name: esm-infra, esm-apps the values of which will be true of USN response instances from which to calculate merge. :return: Dict keyed by source package name. Under each source package will be a dict with binary package name as keys and binary package metadata as the value. cs.i|]&\}}dj|jdddkr||qS)FrjNone)r)rJZ bin_pkg_nameZ bin_pkg_md)rr!r" sz>merge_usn_released_binary_package_versions..rE)ritemsversion_cmp_le) rrZusn_pkg_versionsrsrc_pkgZbinary_pkg_versionsZpublic_bin_pkg_versionsZ usn_src_pkgrZ binary_pkg_mdZ prev_versionZcurrent_versionr!)rr"*merge_usn_released_binary_package_versionss"        r)r5rr3cCs |j}t|d}t}td|td|d}d|kry|j|d}|j|d}WnNtk r}z2t|}d|jkrt j j |d }t j |WYdd}~XnXt||d } t|jt||} n,i} y`|j|d } x6| jD],}x&|jD]} | | kr|j| d | | <qWqWtt| jd d d}WnRtk r~}z4t|}d|jkrdt j j |d }t j |WYdd}~XnXt| |d} t||} t| jttjdd|D}|st jdj ||d | jdst jdj ||d t||| || ddS)N)r5zesm-appsz esm-infra)zesm-appsz esm-infrarI)rO)r+z not found)r)rPr)racSs|jS)N)rZ)r[r!r!r"r\1sz'fix_security_issue_id..)r])rrcSsg|] }|jqSr!)rW)rJur!r!r"rK@sz)fix_security_issue_id..z${} metadata defines no related CVEs.rz.{} metadata defines no fixed package versions.)r5raffected_pkg_statusrusn_released_pkgs)r}r0r_is_pocket_used_by_beta_servicerTr`rrflowerr Z$MESSAGE_SECURITY_FIX_NOT_FOUND_ISSUErRr ZUserFacingError'get_cve_affected_source_packages_statusprintrrrdrrlistr_values get_usn_affected_packages_statusset itertoolschainrrHprompt_for_affected_packages)r5rrGrrrPrrmsgrrZ related_usnsrZrelated_usn_idZ related_cvesr!r!r"fix_security_issue_id sp            rzDict[str, CVEPackageStatus])rrr3cCsdi}xZ|jD]P}xJt||jD]8\}}||kr:|||<q ||j}t||js |||<q Wq W|S)zWalk CVEs related to a USN and return a dict of all affected packages. :return: Dict keyed on source package name, with active CVEPackageStatus for the current Ubuntu release. )rrrrir)rrZ affected_pkgsrPrrZ current_verr!r!r"rXs    r)rPrr3cCs<i}x2|jjD]$\}}|jdkr$q||kr|||<qW|S)zGet a dict of any CVEPackageStatuses affecting this Ubuntu release. :return: Dict of active CVEPackageStatus keyed by source package names. z not-affected)rrr )rPrZaffected_pkg_versionsZ source_pkgZpackage_statusr!r!r"rns  r)rrcCst|}|dkr>ttjjddddttjj|ddS|dkrLd }nd}tjj||dd d jt|j}tt j |t d d dS)a Print header strings describing affected packages related to a CVE/USN. :param issue_id: String of USN or CVE issue id. :param affected_pkg_status: Dict keyed on source package name, with active CVEPackageStatus for the current Ubuntu release. rZNozs are)count plural_str.)r~Nr8z isz: z, z )widthsubsequent_indent) lenrr ZMESSAGE_SECURITY_AFFECTED_PKGSrRZ!MESSAGE_SECURITY_ISSUE_UNAFFECTEDr)r_keystextwrapfillr)rrrrrr!r!r"print_affected_packages_header~s &r)rusn_src_released_pkgsr3cCshtj|}|rd|jdrdd|jd<|dd|jd<x.|jD]"\}}|jd}|r>||jd<Pq>W|S)aParse release status based on both pkg_status and USN.release_packages. Since some source packages in universe are not represented in CVEPackageStatus, rely on presence of such source packages in usn_src_released_pkgs to represent package as a "released" status. :param pkg_status: the CVEPackageStatus for this source package. :param usn_src_released_pkgs: The USN.release_packages representing only this source package. Normally, release_packages would have data on multiple source packages. :return: Tuple of: human-readable status message, boolean whether released, boolean whether the fix requires access to UA rror rErhrj)copydeepcopyrrHr)rrusn_pkg_statusrZusn_released_pkgrjr!r!r"#override_usn_release_package_statuss     rcCshi}x^t|jD]N\}}|j|i}t||}|jjdd}||krNg||<||j||fqW|S)Nrmrn)r_rrrr replacer)rrZ status_groupsrrusn_released_srcrZ status_groupr!r!r"group_by_usn_package_statuss rz"List[Tuple[str, CVEPackageStatus]])pkg_status_list pkg_indexnum_pkgsr3cCs|sdSg}g}x4|D],\}}|d7}|jdj|||j|qWtjdjddj|ddjt|tdd }d j||jS) z;Format the packages and status to an user friendly message.rr8z{}/{}z{} {}:(z, )z )rrz{} {})rrRrrr)r_rrq)rrrZ msg_indexZsrc_pkgsrrZ msg_headerr!r!r"_format_packages_messagesr)rjr5cCs8d}|tkrd}n |tkrd}tj|}|r4||SdS)Nzno-service-neededz esm-infrazesm-apps)rvrwr r)rjr5Zservice_to_checkZent_clsr!r!r"_get_service_for_pockets r)rjr5r3cCs4t||}|r0|j\}}|tjjkr*dS|jSdS)zBCheck if the pocket where the fix is at belongs to a beta service.F)ruser_facing_statusr UserFacingStatusACTIVEZ valid_service)rjr5ent ent_status_r!r!r"rs   rz-Dict[str, List[Tuple[str, CVEPackageStatus]]]zDict[str, List[str]]zTuple[bool, List[str], bool])r5src_pocket_pkgsbinary_pocket_pkgsrrr3c Csd}d}g}|rxtttgD]z}||} ||} |rt| ||d} | rdt| | s`ttjqnd}|t| 7}|t|| |M}|s|dd| D7}qW|||fS)a%Handle the packages that could be fixed and have a released status. :returns: Tuple of boolean whether all packages were successfully upgraded, list of strings containing the packages that were not upgraded, boolean whether all packages were already installed T)rrrFcSsg|] \}}|qSr!r!)rJrrr!r!r"rK9sz2_handle_released_package_fixes..) rrrvrwrrr Z!MESSAGE_SECURITY_UPDATE_INSTALLEDrupgrade_packages_and_attach) r5rrrrall_already_installedZupgrade_status unfixed_pkgsrjZ pkg_src_groupZ binary_pkgsrr!r!r"_handle_released_package_fixess6    rz List[str])rr3cCsFt|}tjdj||dkrdnd|dkr,dnddjt|tdd S) zFormat the list of unfixed packages into an message. :returns: A string containing the message output for the unfixed packages. z"{} package{} {} still affected: {}r8srZareisz, z )rr)rrrrRr)r_r)rZnum_pkgs_unfixedr!r!r"_format_unfixed_packages_msg>srz$Dict[str, Dict[str, Dict[str, str]]])r5rrrrr3cCst|}t|||dkrdStjj|d}tt}tt}d} t||} g} xt| j D]\} } | dkrtj j|d}t t | | |d| t| 7} | dd| D7} q^x| D]\}}||j j||fx||j D]\}}|j|i}||kr6| dd| D7} d j||d }|t| 7}tj||||}|d }t||s||j j|qWqWq^Wt|||| |d \}}}| |7} | rt t| |r|rt |nHtjrtjjd d}t ||jd|t tj j|dnt |nt tj j|ddS)zProcess security CVE dict returning a CVEStatus object. Since CVEs point to a USN if active, get_notice may be called to fill in CVE title details. rN)r~ro)rrrcSsg|] \}}|qSr!r!)rJrrr!r!r"rKxsz0prompt_for_affected_packages..cSsg|] \}}|qSr!r!)rJrrr!r!r"rKsz5{issue} metadata defines no fixed version for {pkg}. )rr~rE)r5rrrrz fix operation)Z operationr)rrr ZMESSAGE_SECURITY_ISSUE_RESOLVEDrRrrrr_rZ#MESSAGE_SECURITY_ISSUE_NOT_RESOLVEDrrrprrrr rrrr Z should_rebootZ#MESSAGE_ENABLE_REBOOT_REQUIRED_TMPLZ add_notice)r5rrrrrZ fix_messagerrrZpkg_status_groupsrZ status_valueZpkg_status_grouprrZ binary_pkgrErrZ fixed_pkgriZ fix_statusZunfixed_pkgs_releasedrZ reboot_msgr!r!r"rQs~                  rcCs,t}|tkr(ttjjtj||ddS)z9Alert the user when running UA on cloud with PRO support.)rZcloudN)rrrr ZMESSAGE_SECURITY_USE_PRO_TMPLrRrr)Z cloud_typer!r!r"*_inform_ubuntu_pro_existence_if_applicables r)r5tokenr3cCsHddl}ddlm}ttjdd|ggtd|j|j|dd|kS)zkAttach to a UA subscription with a given token. :return: True if attach performed without errors. rN)cliuaZattachT)rZ auto_enable) argparseuaclientrrr colorize_commandsr#Z action_attach Namespace)r5rrrr!r!r"_run_ua_attachs r)r5r3cCsrtttjtjddddgd}|dkr0dS|dkrJttjtd|d krnttjtd}t ||Sd S) zZPrompt for attach to a subscription or token. :return: True if attach performed. zBChoose: [S]ubscribe at ubuntu.com [A]ttach existing token [C]ancelrac) valid_choicesFz*Hit [Enter] when subscription is complete.z> T)rr) rrr Z2MESSAGE_SECURITY_UPDATE_NOT_INSTALLED_SUBSCRIPTIONr prompt_choicesZPROMPT_UA_SUBSCRIPTION_URLinputZPROMPT_ENTER_TOKENr)r5choicerr!r!r"_prompt_for_attachs    r)r5servicer3cCsddl}ddlm}ttjj|dtjdj|ddgd}|dkr~ttj d d |ggt d|j |j |gd d d |kSd S)zLPrompt for enable a ua service. :return: True if enable performed. rN)r)rzChoose: [E]nable {} [C]ancelrr)rrenableTF)r assume_yesZbeta) rrrrr Z!MESSAGE_SECURITY_SERVICE_DISABLEDrRr rrr#Z action_enabler)r5rrrrr!r!r"_prompt_for_enables    rcCst||}|r||j\}}|tjjkr*dS|j\}}|tjjkrht||j rRdSt tj j |j dnt tj j |j ddS)z?Verify if the ua subscription has the required service enabled.T)rF)rrr rrapplicability_statusZApplicabilityStatusZ APPLICABLErrrZ'MESSAGE_SECURITY_UA_SERVICE_NOT_ENABLEDrRZ(MESSAGE_SECURITY_UA_SERVICE_NOT_ENTITLED)rjr5rrrrr!r!r"(_check_subscription_for_required_services        rcCsddl}ddlm}tttjtjdj t ddgd}|dkrttj t d}ttj d d gg|j|jd d |t||Sd S)zdPrompt for attach a new subscription token to the user. :return: True if attach performed. rN)rz2Choose: [R]enew your subscription (at {}) [C]ancelrr)rz> rdetachT)rF)rrrrrr Z-MESSAGE_SECURITY_UPDATE_NOT_INSTALLED_EXPIREDr rrRrZPROMPT_EXPIRED_ENTER_TOKENrrZ action_detachrr)r5rrrrr!r!r"_prompt_for_new_token7s     rcCs(|j}|j}|tj|kr$t| SdS)znCheck if user UA subscription is expired. :returns: True if subscription is expired and not renewed. F)contract_expiry_datetimetzinforZnowr)r5rrr!r!r"_check_subscription_is_expiredQs  r)r5upgrade_packagesrjr3cCs|sdStjdkr"ttjdS|tkrX|js>t|sJdSn t|rJdSt ||sXdSttj dddgdddd g|gt j d dgtj d t j d ddd g|tjd d iddS)aUpgrade available packages to fix a CVE. Upgrade all packages in upgrades_packages and, if necessary, prompt regarding system attach prior to upgrading UA packages. :return: True if package upgrade completed or unneeded, False otherwise. TrFrr6z&&Zinstallz--only-upgradez-yzapt-get)cmd error_msgZDEBIAN_FRONTENDZnoninteractive)rrenv)osgetuidrr ZMESSAGE_SECURITY_APT_NON_ROOTrrZ is_attachedrrrrrZrun_apt_commandZMESSAGE_APT_UPDATE_FAILEDZMESSAGE_APT_INSTALL_FAILED)r5rrjr!r!r"r^s.      r)version1version2r3c Cs4ytjdd|d|gdStjk r.dSXdS)zs          vEJs"-O"  2n 0