U 2dbz @sddlZddlZddlZddlZddlmZmZmZmZm Z ddl m Z m Z m Z mZmZmZmZmZddlmZddlmZddlmZddlmZmZmZddlmZdd lm Z d Z!d Z"d Z#d Z$d Z%dZ&dZ'dZ(dZ)dZ*dZ+dddddZ,e -Z.e/e0e1Z2ej3Gdddej4Z5Gddde j6Z7e8dddZ9d>eee:efee:efe;e;ddd d!Zej?d&d'd(Z@d)d*ZAeeed+d,d-ZBee:ee:efd.d/d0ZCee;d+d1d2ZDee:e:fee:e:feEd3d4d5ZFd@ee:efe:e:ee:eeEee:effd6d7d8ZGdAee:efee:ee:dd9d:d;ZHee e5eEfd+ds rc@s0eZdZdZejejdddgdd&ddZe e e fdd d Z e e e e fd d d Z ejejdddgdejdddZd'e e ee ee e e fdddZddZe e e e fdddZe e e fdddZe dddZd(e e ee e e e fdd d!Zd)e e ee e dd"d#Zd$d%ZdS)*UAContractClientZ contract_urlrr)Z retry_sleepsNc Cs|st|j}|}|dd|i|}||d<||d}t|}|j t ||d}|j dkrvt n(|j dkrt|} t j| j| j| jd|j d krt t |j |j|jS) a}Requests machine attach to the provided machine_id. @param contract_token: Token string providing authentication to ContractBearer service endpoint. @param machine_id: Optional unique system machine id. When absent, contents of /etc/machine-id will be used. @return: Dict of the JSON response containing the machine-token. Authorization Bearer {}lastAttachment machineId activityInfo)dataheadersi)msgmsg_codeadditional_info)r get_machine_idcfgr2updateformat_get_activity_info isoformat_support_old_machine_info request_urlAPI_V1_ADD_CONTRACT_MACHINEcoder ZAttachInvalidTokenError _create_attach_forbidden_messageUserFacingErrorr4namer6ContractAPIErrorbody json_dict) selfcontract_tokenZ attachment_dt machine_idr2 activity_infor1backcompat_dataresponser4r(r(r)add_contract_machineJs:        z%UAContractClient.add_contract_machine)returncCsR|}|jt|d|d|d|ddd}|jdkrLtt|j|j|jS)z=Requests list of entitlements available to this machine type. architecturerkernelvirtrPrrQrR) query_paramsr7)r<r?API_V1_AVAILABLE_RESOURCESrAr rErFrG)rHrKrMr(r(r)available_resourcesss  z$UAContractClient.available_resources)rIrOcCsL|}|dd|i|jt|d}|jdkrFtt|j|j|j S)Nr+r,r2r7) r2r:r;r?API_V1_GET_CONTRACT_USING_TOKENrAr rErFrG)rHrIr2rMr(r(r)get_contract_using_tokens z)UAContractClient.get_contract_using_token)instancecCst|jtj|jd|jd}|jdkr^|jdd}|rLt |t j |dt t|j|j |jd|j|jS)zRequests contract token for auto-attach images for Pro clouds. @param instance: AutoAttachCloudInstance for the cloud. @return: Dict of the JSON response containing the contract-token. ) cloud_type)r1r7message)Z error_msgzcontract-token)r?,API_V1_GET_CONTRACT_TOKEN_FOR_CLOUD_INSTANCEr;r[Z identity_docrArGgetLOGdebugr ZInvalidProImagerErFr9 write_cache)rHrZrMr4r(r(r)%get_contract_token_for_cloud_instances$    z6UAContractClient.get_contract_token_for_cloud_instanceT) machine_tokenresourcerJ save_filerOcCs|st|j}|}|dd|itj||d}|j||d}|jdkrdt t|j|j |j dr|jd|j d<|r|jd||j |j S)aRequests machine access context for a given resource @param machine_token: The authentication token needed to talk to this contract service endpoint. @param resource: Entitlement name. @param machine_id: Optional unique system machine id. When absent, contents of /etc/machine-id will be used. @save_file: If the machine access should be saved on the user machine @return: Dict of the JSON response containing entitlement accessInfo. r+r,)remachinerWr7expireszmachine-access-{})r r8r9r2r:r;"API_V1_GET_RESOURCE_MACHINE_ACCESSr?rAr rErFr_rGrb)rHrdrerJrfr2urlrMr(r(r)get_resource_machine_accesss.   z,UAContractClient.get_resource_machine_accesscCs|jjj}|jjd}t|j}|}tj ||d}| }| dd |i|j |||d}|j dkrt||j |j|jr|jj}|j|d<|jj|dS) zReport current activity token and enabled services. This will report to the contracts backend all the current enabled services in the system. machineTokenZcontractrgr+r,)r2r1r7r0N)r9machine_token_file contract_idrdr_r r8r<API_V1_UPDATE_ACTIVITY_TOKENr;r2r:r?rAr rErFrGwrite)rHrordrJZ request_datarjr2rMr(r(r)update_activity_tokens*    z&UAContractClient.update_activity_token) magic_tokenrOc Cs|}|dd|iz|jt|d}Wn:tjk rh}ztt |t W5d}~XYnX|j dkr|t |j dkrt |j dkrtt|j |j|jS)zRequest magic attach token info. When the magic token is registered, it will contain new fields that will allow us to know that the attach process can proceed r+r,rWNr3r7)r2r:r;r?"API_V1_GET_MAGIC_ATTACH_TOKEN_INFOr UrlErrorr` exceptionstrConnectivityErrorrAMagicAttachTokenErrorMagicAttachUnavailablerErFrGrHrsr2rMer(r(r)get_magic_attach_token_infos*    z,UAContractClient.get_magic_attach_token_infoc Cs|}z|jt|dd}Wn:tjk rV}ztt|tW5d}~XYnX|j dkrjt |j dkrt t|j |j |j S)z)Create a magic attach token for the user.POSTr2methodNrtr7)r2r?API_V1_NEW_MAGIC_ATTACHr rvr`rwrxryrAr{rErFrG)rHr2rMr}r(r(r)new_magic_attach_tokens&   z'UAContractClient.new_magic_attach_token)rsc Cs|}|dd|iz|jt|dd}Wn:tjk rj}ztt |t W5d}~XYnX|j dkr~t |j dkrt |j dkrt|j d krtt|j |jdS) z)Revoke a magic attach token for the user.r+r,ZDELETErNir3rtr7)r2r:r;r?API_V1_REVOKE_MAGIC_ATTACHr rvr`rwrxryrAZ MagicAttachTokenAlreadyActivatedrzr{rErFr|r(r(r)revoke_magic_attach_token0s.     z*UAContractClient.revoke_magic_attach_token)rdrorJrOc Cs|st|j}|}|dd|itj||d}|}|j|d||d|d|d|dd d }|j d krt ||j |j |j d r|jd |jd <|jS) a|Get the updated machine token from the contract server. @param machine_token: The machine token needed to talk to this contract service endpoint. @param contract_id: Unique contract id provided by contract service @param machine_id: Optional unique system machine id. When absent, contents of /etc/machine-id will be used. r+r,rmZGETrPrrQrRrS)rr2rTr7rh)r r8r9r2r:r;API_V1_GET_CONTRACT_MACHINEr<r?rAr rErFr_rG)rHrdrorJr2rjrKrMr(r(r)get_contract_machineIs8   z%UAContractClient.get_contract_machinec Cs|st|j}|}|dd|i||d}t|}tj||d}|j ||d|d}|j dkr~t ||j |j |jdr|jd|jd<|jS) aRequest machine token refresh from contract server. @param machine_token: The machine token needed to talk to this contract service endpoint. @param contract_id: Unique contract id provided by contract service. @param machine_id: Optional unique system machine id. When absent, contents of /etc/machine-id will be used. @return: Dict of the JSON response containing refreshed machine-token r+r,r.rmr)r2rr1r7rh)r r8r9r2r:r;r<r>API_V1_UPDATE_CONTRACT_MACHINEr?rAr rErFr_rG) rHrdrorJr2r1rLrjrMr(r(r)update_contract_machinets6   z(UAContractClient.update_contract_machinecCstjtjtjtttt d}t |j j rt|j j}t}|j jjpjt|j |j jjdd|D|r|jndd}ni}||S)z9Return a dict of activity info data for contract requests) distributionrQrrPZdesktoprRZ clientVersioncSsg|] }|jqSr()rD).0servicer(r(r) sz7UAContractClient._get_activity_info..N)Z activityIDZ activityToken resourcesr-)r get_release_inforZget_kernel_infoZ uname_releaserZ get_dpkg_archZ is_desktopZ get_virt_typerZ get_versionrr9 is_attachedrenabled_servicesrreadrnZ activity_idr8Zactivity_tokenZ attached_atr=)rHZ machine_inforZattachment_datarKr(r(r)r<s.       z#UAContractClient._get_activity_info)N)NT)N)N)r r!r"Zcfg_url_base_attrr ZretrysocketZtimeoutrNrrxrrVrYrZAutoAttachCloudInstancercrboolrkrrr~rrrrr<r(r(r(r)r*GsJ ( ! (& / (r*) request_bodyc CsJ|di}|d||d|d|d|ddtjdd S) a? Transforms a request_body that has the new activity_info into a body that includes both old and new forms of machineInfo/activityInfo This is necessary because there may be old ua-airgapped contract servers deployed that we need to support. This function is used for attach and refresh calls. r0r/rPrrQrZLinux)rrQrtyperelease)r/r0rPos)r_r rr)rrKr(r(r)r>s r>T)r9past_entitlementsnew_entitlements allow_enablerrOc Csdddlm}d}d}g}||D]} z || } Wntk rHYq YnXg}z"t||| i| ||d\} } Wntjk rd}|| t t dj | | dW5QRXYq t k rd}|| t t dj | | dW5QRXYq X| r | r t| q t||rDtjd d |Dd n|r`tjd d |Dd d S)aIterate over all entitlements in new_entitlement and apply any delta found according to past_entitlements. :param cfg: UAConfig instance :param past_entitlements: dict containing the last valid information regarding service entitlements. :param new_entitlements: dict containing the current information regarding service entitlements. :param allow_enable: Boolean set True if allowed to perform the enable operation. When False, a message will be logged to inform the user about the recommended enabled service. :param series_overrides: Boolean set True if series overrides should be applied to the new_access dict. r)entitlements_enable_orderF)r9 orig_access new_accessrrTz4Failed to process contract delta for {name}: {delta})rDZdeltaz>Unexpected error processing contract delta for {name}: {delta}cSsg|]}|tjfqSr()r ZUNEXPECTED_ERRORrrDr(r(r)rsz.process_entitlements_delta..)failed_servicescSsg|]}|tjfqSr()r ZATTACH_FAILURE_DEFAULT_SERVICESrr(r(r)r#sN)uaclient.entitlementsrKeyErrorprocess_entitlement_deltar_r rCappendr Zdisable_log_to_consoler`errorr; ExceptionrweventZservice_processedZservices_failedZAttachFailureUnknownErrorZAttachFailureDefaultServices) r9rrrrrZ delta_errorZunexpected_errorrrDnew_entitlementdeltasZservice_enabledr(r(r)process_entitlements_deltasj           rF)r9rrrrrOc Csddlm}|rt|t||}d}|r|did}|sT|did}|sztjj||d} t j | j | j d|did id d } z|||| d } Wn4t j k r} ztd || W5d} ~ XYnX| ||d} | j|||d}||fS)a-Process a entitlement access dictionary deltas if they exist. :param cfg: UAConfig instance :param orig_access: Dict with original entitlement access details before contract refresh deltas :param new_access: Dict with updated entitlement access details after contract refresh :param allow_enable: Boolean set True if allowed to perform the enable operation. When False, a message will be logged to inform the user about the recommended enabled service. :param series_overrides: Boolean set True if series overrides should be applied to the new_access dict. :raise UserFacingError: on failure to process deltas. :return: A tuple containing a dict of processed deltas and a boolean indicating if the service was fully processed r)entitlement_factoryF entitlementr)Zorignew)r4r5 entitlementsZ obligationsZ use_selectorr])r9rDrz3Skipping entitlement deltas for "%s". No such classN)r9Z assume_yesr)rrapply_contract_overridesr get_dict_deltasr_r Z$INVALID_CONTRACT_DELTAS_SERVICE_TYPEr;r rCr4rDZEntitlementNotFoundErrorr`raZprocess_contract_deltas)r9rrrrrrZretrDr4rZent_clsexcrr(r(r)r*sL    r)rMrOcCstj}|jd}|r|d}|d}d}|dkrl|dt}|dd|d}tjj||d}||_nX|d kr|dt}|dd|d }tj j||d}||_n|d krtj j|d }|rtj j|j d }|j |_ |j|_|S)NinfoZ contractIdreasonzno-longer-effectivetimez%m-%d-%Y)Zcontract_expiry_datero)rodateznot-effective-yet)Zcontract_effective_dateroznever-effective)ro)r)r ZATTACH_EXPIRED_TOKENrGr_strftimerZATTACH_FORBIDDEN_EXPIREDr;r6ZATTACH_FORBIDDEN_NOT_YETZATTACH_FORBIDDEN_NEVERZATTACH_FORBIDDENr4rD)rMr4rrorZ reason_msgrr6r(r(r)rBgsF   rBcCs|jj}|j}|d}|ddd}t|}|j||d}|j|tj| di dt|}| d|t |||jjdd d S) a Request contract refresh from ua-contracts service. :param cfg: Instance of UAConfig for this machine. :raise UserFacingError: on failure to update contract or error processing contract deltas :raise UrlError: On failure during a connection rlmachineTokenInfo contractInfoid)rdror/z machine-idFrN) rnrrdr*rrqr r8 cache_clearr_rbr)r9orig_entitlements orig_tokenrdrocontract_clientresprJr(r(r)refreshs,     r)r9rOcCst|}|}|dgS)zDQuery available resources from the contract server for this machine.r)r*rVr_)r9clientrr(r(r)get_available_resourcessr)r9tokenrOcCst|}||S)z/Query contract information for a specific token)r*rY)r9rrr(r(r)get_contract_informationsrc Cs|j}|jj}|dd}|dididd}|s>dSt|}|||}|dididd}|rv|n|jj}|jj|krdS|j|} t| D]&\} } t || i| } | rdSqdS) Nrlr]rrrFZ effectiveToT) rdrnrr_r*rZcontract_expiry_datetimeZget_entitlements_from_tokensorteditemsr r) r9rrrdrorrZ resp_expiryZ new_expiryZcurr_entitlementsrDrrr(r(r)is_contract_changedsP      r)override_selectorselector_valuesrOcCs<d}|D]*\}}||f|kr*dS|t|7}q |S)Nr)rOVERRIDE_SELECTOR_WEIGHTS)rrZoverride_weightselectorvaluer(r(r)_get_override_weights r)r series_namer[rrOc Cszi}||d}|r||d<|di|i}|r>||td<t|dg}|D] }t|d|} | rT||| <qT|S)N)rrrrr overridesr)poprcopydeepcopyr_r) rrr[rrrrZgeneral_overridesoverrideZweightr(r(r)_select_overridess&  r)rrrrOcCsddlm}tt|td|kgs0td||dkrBtj n|}|\}}| di}t ||||}t | D]J\} } | D]8\} } |d | } t| tr| | q| |d| <qqvdS)aApply series-specific overrides to an entitlement dict. This function mutates orig_access dict by applying any series-overrides to the top-level keys under 'entitlement'. The series-overrides are sparse and intended to supplement existing top-level dict values. So, sub-keys under the top-level directives, obligations and affordance sub-key values will be preserved if unspecified in series-overrides. To more clearly indicate that orig_access in memory has already had the overrides applied, the 'series' key is also removed from the orig_access dict. :param orig_access: Dict with original entitlement access details r)get_cloud_typerz?Expected entitlement access dict. Missing "entitlement" key: {}N)Zuaclient.clouds.identityrall isinstancedict RuntimeErrorr;r rrr_rrrr:)rrrrrr[_Zorig_entitlementrZ_weightZoverrides_to_applykeyrZcurrentr(r(r)rs.     rcCst|jstjdfSt}t}|jj}|dkrBt dtj | fSd|krV|krdnn tj |fS| |krzdkrnn tj |fS|| krtj |fStj |fS)z/Return a tuple [ContractExpiryStatus, num_days]rNz:contract effectiveTo date is null - assuming it is expired)rrrr#rrrnZcontract_remaining_daysr`Zwarningr'r%r&r$)r9Z grace_periodZpending_expiryZremaining_daysr(r(r)get_contract_expiry_statusAs"       r)T)FT)N)NN)JrenumZloggingrtypingrrrrrZuaclientrrr r r r r rZ-uaclient.api.u.pro.status.enabled_services.v1rZ(uaclient.api.u.pro.status.is_attached.v1rZuaclient.configrZuaclient.defaultsrrrZuaclient.files.state_filesrZ uaclient.httprr@rrrUrir^rprXrurrrZget_event_loggerrZ getLoggerZreplace_top_level_logger_namer r`uniqueEnumrZUAServiceClientr*rr>rxrrrZ HTTPResponseZ NamedMessagerBrrrrintrrrrr(r(r(r)s(     y    U   > +"'      2