U ˜­“]e‹ã@s†dZddlZddlZddlZddlZddlZddlZddlmZddl Z ddl Z ddl Z ddl Z ddlmZddlmZmZmZmZmZddlmZddlmZddlmZdd lmZdd lmZdd lmZdd lm Z dd l!m"Z"ddl#m$Z$ddl%m&Z&ddl%m'Z'ddl%m(Z(ddl%m)Z)ddl%m*Z*ddl%m+Z+e ,e-¡Z.e j/ 0ej1ej2¡e j/ 3ej4¡Gdd„de j5ƒƒƒZ6e$ 7e6¡dS)zApache Configurator.éN)Ú defaultdict)Ú challenges)Ú DefaultDictÚDictÚListÚSetÚUnion)Úerrors)Ú interfaces)Úutil)Ú"KeyAuthorizationAnnotatedChallenge)Ú filesystem)Úos)Úcommon)Ú path_surgery)ÚAutoHSTSEnhancement)Ú apache_util)Ú constants)Ú display_ops)Úhttp_01)Úobj)ÚparsercsžeZdZdZdZej d¡dkr(ed7Zedddd d d d gd d gd d gdddddde   dd¡dZ dd„Z dd„Z edd„ƒZ‡fdd„Zedd„ƒZedd„ƒZd d!„Zd×d"d#„Z‡fd$d%„Zd&d'„Zd؇fd)d*„ Zd+d,„Zd-d.„Zd/d0„ZdÙd1d2„ZdÚd4d5„Zd6d7„Zd8d9„ZdÛd:d;„Z dd?„Z"dÝd@dA„Z#dBdC„Z$dÞdEdF„Z%dßdGdH„Z&dIdJ„Z'dKdL„Z(dMdN„Z)dOdP„Z*dQdR„Z+dSdT„Z,dUdV„Z-dWdX„Z.dYdZ„Z/dàd[d\„Z0dád]d^„Z1d_d`„Z2dadb„Z3dcdd„Z4dedf„Z5dgdh„Z6didj„Z7dkdl„Z8dmdn„Z9dodp„Z:dqdr„Z;dsdt„Zdydz„Z?d{d|„Z@d}d~„ZAdd€„ZBdd‚„ZCdƒd„„ZDd…d†„ZEd‡dˆ„ZFd‰dŠ„ZGd‹dŒ„ZHddŽ„ZIdd„ZJdâd‘d’„ZKd“d”„ZLd•d–„ZMd—d˜„ZNd™dš„ZOd›dœ„ZPddž„ZQdŸd „ZRd¡d¢„ZSd£d¤„ZTd¥d¦„ZUd§d¨„ZVd©dª„ZWd«d¬„ZXd­d®„ZYd¯d°„ZZd±d²„Z[d³d´„Z\dãdµd¶„Z]d·d¸„Z^däd¹dº„Z_d»d¼„Z`d½d¾„Zad¿dÀ„ZbdÁd„ZcdÃdÄ„ZddÅdÆ„ZedÇdÈ„ZfdÉdÊ„ZgdËdÌ„ZhdÍd΄ZidÏdЄZjdÑdÒ„ZkdÓdÔ„ZldÕdÖ„Zm‡ZnS)åÚApacheConfiguratora·Apache configurator. :ivar config: Configuration. :type config: :class:`~certbot.interfaces.IConfig` :ivar parser: Handles low level parsing :type parser: :class:`~certbot_apache.parser` :ivar tup version: version of Apache :ivar list vhosts: All vhosts found in the configuration (:class:`list` of :class:`~certbot_apache.obj.VirtualHost`) :ivar dict assoc: Mapping between domains and vhosts zApache Web Server pluginÚ CERTBOT_DOCSÚ1z (Please note that the default values of the Apache plugin options change depending on the operating system Certbot is run on.)z /etc/apache2z/etc/apache2/sites-availableÚ*z/var/log/apache2Z apache2ctlz-vZgracefulZ configtestNz -le-ssl.confFÚcertbot_apachezoptions-ssl-apache.conf)Ú server_rootÚ vhost_rootZ vhost_filesÚ logs_rootÚctlÚ version_cmdÚ restart_cmdÚ conftest_cmdÚenmodÚdismodÚ le_vhost_extÚhandle_modulesÚ handle_sitesÚchallenge_locationÚMOD_SSL_CONF_SRCcCs |j |¡S)zGet a value from options)ÚoptionsÚget)ÚselfÚkey©r/ú=/usr/lib/python3/dist-packages/certbot_apache/configurator.pyÚoptionuszApacheConfigurator.optionc Cs¢ddddddddd d g }|D]D}| | d d ¡¡d k rP| | d d ¡¡|j|<q|j||j|<q| d ¡|jdd<| d ¡|jdd<| d ¡|jdd<d S)zw Set the values possibly changed by command line parameters to OS_DEFAULTS constant dictionary r$r%r&rrrr)r'r(r Ú_ú-Nr!rr"r#)ÚconfÚreplacer+Ú OS_DEFAULTSr1)r-ZoptsÚor/r/r0Ú_prepare_optionsys þz#ApacheConfigurator._prepare_optionscCsâtj d¡dkrtj}n|j}|d|ddd|d|ddd|d|d d d|d |d d d|dddd|d|ddd|d|ddd|d|ddd|d|ddd|d|dddtj|ddd dS)!Nrrr$z#Path to the Apache 'a2enmod' binary)ÚdefaultÚhelpr%z$Path to the Apache 'a2dismod' binaryz le-vhost-extr&z!SSL vhost configuration extensionz server-rootrzApache server root directoryú vhost-rootz,Apache server VirtualHost configuration rootz logs-rootrzApache server logs directoryzchallenge-locationr)z*Directory path for challenge configurationzhandle-modulesr'zULet installer handle enabling required modules for you (Only Ubuntu/Debian currently)z handle-sitesr(zJLet installer handle enabling sites for you (Only Ubuntu/Debian currently)r z"Full path to Apache control scriptz init-scripté)Z argument_nameÚnargs)rÚenvironr,rr6r Zadd_deprecated_argument)ÚclsÚaddZDEFAULTSr/r/r0Úadd_parser_argumentssN ÿ ÿ ÿ ÿÿ ÿþ ÿ ÿ ÿÿz'ApacheConfigurator.add_parser_argumentscsŠ| dd¡}tt|ƒj||Žtƒ|_tƒ|_tƒ|_t tƒ|_ i|_ d|_ d|_ d|_||_d|_t |j¡|_|j|j|jdœ|_dS)zšInitialize an Apache Configurator. :param tup version: version of Apache as a tuple (2, 4, 7) (used mostly for unittesting) ÚversionNÚF)Úredirectúensure-http-headerú staple-ocsp)ÚpopÚsuperrÚ__init__ÚdictÚassocÚsetÚ _chall_outÚ_wildcard_vhostsrÚ_enhanced_vhostsÚ _autohstsÚ save_notesÚ _preparedrrBÚvhostsÚcopyÚdeepcopyr6r+Ú_enable_redirectÚ_set_http_headerÚ_enable_ocsp_staplingÚ _enhance_func)r-ÚargsÚkwargsrB©Ú __class__r/r0rI´s"  þzApacheConfigurator.__init__cCstj |jjtj¡S)z-Full absolute path to SSL configuration file.)rÚpathÚjoinÚconfigÚ config_dirrZMOD_SSL_CONF_DEST©r-r/r/r0Ú mod_ssl_confÖszApacheConfigurator.mod_ssl_confcCstj |jjtj¡S)z?Full absolute path to digest of updated SSL configuration file.)rr^r_r`rarZUPDATED_MOD_SSL_CONF_DIGESTrbr/r/r0Úupdated_mod_ssl_conf_digestÛsz.ApacheConfigurator.updated_mod_ssl_conf_digestc Cs| ¡| | d¡¡| ¡|jdkrR| ¡|_t dd dd„|jDƒ¡¡|jdkrrt   d  t |jƒ¡¡‚|  ¡| ¡|_|j d ¡| ¡|_| |j|j¡zt | d ¡¡Wn>tt jfk rütjd d d t  d  | d ¡¡¡‚YnXd |_dS)aWPrepare the authenticator/installer. :raises .errors.NoInstallationError: If Apache configs cannot be found :raises .errors.MisconfigurationError: If Apache is misconfigured :raises .errors.NotSupportedError: If Apache version is not supported :raises .errors.PluginError: If there is any other error r NzApache version is %sÚ.css|]}t|ƒVqdS©N©Ústr©Ú.0Úir/r/r0Ú õsz-ApacheConfigurator.prepare..)érmz!Apache Version {0} not supported.z httpd.augrzEncountered error:T©Úexc_infoz|Unable to create a lock file in {0}. Are you running Certbot with sufficient privileges to modify your Apache configuration?)r8Ú_verify_exe_availabilityr1Ú config_testrBÚ get_versionÚloggerÚdebugr_r ZNotSupportedErrorÚformatrhÚrecovery_routineÚ get_parserrZcheck_parsing_errorsÚget_virtual_hostsrSÚinstall_ssl_options_confrcrdr Zlock_dir_until_exitÚOSErrorZ LockErrorÚ PluginErrorrRrbr/r/r0Úprepareàs:   ÿ ÿ   ÿþÿ zApacheConfigurator.preparecCsB|j ¡}|r |j||j|d|j |¡|r>|s>| |¡dS)afSaves all changes to the configuration files. This function first checks for save errors, if none are found, all configuration changes made will be saved. According to the function parameters. If an exception is raised, a new checkpoint was not created. :param str title: The title of the save. If a title is given, the configuration will be saved as a new checkpoint and put in a timestamped directory. :param bool temporary: Indicates whether the changes made will be quickly reversed in the future (ie. challenges) )Ú temporaryN)rZ unsaved_filesÚadd_to_checkpointrQÚsaveZfinalize_checkpoint)r-Útitler}Z save_filesr/r/r0rs ÿ zApacheConfigurator.savecs$tt|ƒ ¡|jr |jj ¡dS)zÉRevert all previously modified files. Reverts all modified files that have not been saved as a checkpoint :raises .errors.PluginError: If unable to recover the configuration N)rHrrvrÚaugÚloadrbr\r/r0rv-sz#ApacheConfigurator.recovery_routinecCs| ¡|jj ¡dS)zƒUsed to cleanup challenge configurations. :raises .errors.PluginError: If unable to revert the challenge config. N)Zrevert_temporary_configrrr‚rbr/r/r0Úrevert_challenge_config<sz*ApacheConfigurator.revert_challenge_configr<cs tt|ƒ |¡|jj ¡dS)zúRollback saved checkpoints. :param int rollback: Number of checkpoints to revert :raises .errors.PluginError: If there is a problem with the input or the function is unable to correctly revert the configuration N)rHrÚrollback_checkpointsrrr‚)r-Zrollbackr\r/r0r„Es z'ApacheConfigurator.rollback_checkpointscCs&t |¡s"t|ƒs"t d |¡¡‚dS)z(Checks availability of Apache executablez!Cannot find Apache executable {0}N)r Z exe_existsrr ZNoInstallationErrorru)r-Úexer/r/r0rpQs  ÿz+ApacheConfigurator._verify_exe_availabilitycCs tj| d¡| d¡|j|dS)zInitializes the ApacheParserrr;)Z configurator)rZ ApacheParserr1r4rBrbr/r/r0rwXs þzApacheConfigurator.get_parsercCs t|tjƒrd}nd}| |¡S)z¬ Checks if domain is a wildcard domain :param str domain: Domain to check :returns: If the domain is wildcard domain :rtype: bool z*.s*.)Ú isinstanceÚsixZ text_typeÚ startswith)r-ÚdomainZwildcard_markerr/r/r0Ú_wildcard_domain_s z#ApacheConfigurator._wildcard_domaincCs*| |¡}|D]}| |||||¡qdS)aêDeploys certificate to specified virtual host. Currently tries to find the last directives to deploy the certificate in the VHost associated with the given domain. If it can't find the directives, it searches the "included" confs. The function verifies that it has located the three directives and finally modifies them to point to the correct destination. After the certificate is installed, the VirtualHost is enabled if it isn't already. .. todo:: Might be nice to remove chain directive if none exists This shouldn't happen within certbot though :raises errors.PluginError: When unable to deploy certificate due to a lack of directives N)Ú choose_vhostsÚ _deploy_cert)r-r‰Ú cert_pathÚkey_pathÚ chain_pathÚfullchain_pathrSÚvhostr/r/r0Ú deploy_certns zApacheConfigurator.deploy_certTcCs<| |¡r*||jkr|j|S| ||¡S| ||¡gSdS)a‚ Finds VirtualHosts that can be used with the provided domain :param str domain: Domain name to match VirtualHosts to :param bool create_if_no_ssl: If found VirtualHost doesn't have a HTTPS counterpart, should one get created :returns: List of VirtualHosts or None :rtype: `list` of :class:`~certbot_apache.obj.VirtualHost` N)rŠrNÚ_choose_vhosts_wildcardÚ choose_vhost)r-r‰Úcreate_if_no_sslr/r/r0r‹„s    z ApacheConfigurator.choose_vhostscCs>tƒ}|jD](}| ¡D]}| ||¡r| |¡qq t|ƒS)z~ Get VHost objects for every VirtualHost that the user wants to handle with the wildcard certificate. )rLrSÚ get_namesÚ_in_wildcard_scoper@Úlist)r-r‰Zmatchedr‘Únamer/r/r0Ú_vhosts_for_wildcardšs    z'ApacheConfigurator._vhosts_for_wildcardcCs,t| d¡ƒt| d¡ƒkr(t ||¡SdS)a Helper method for _vhosts_for_wildcard() that makes sure that the domain is in the scope of wildcard domain. eg. in scope: domain = *.wild.card, name = 1.wild.card not in scope: domain = *.wild.card, name = 1.2.wild.card reN)ÚlenÚsplitÚfnmatch)r-r™r‰r/r/r0r—©s z%ApacheConfigurator._in_wildcard_scopec CsÊ| |¡}tƒ}|D]6}| ¡D](}|jr4|||<q ||kr |r |||<q qtdd„| ¡Dƒƒ}t t|ƒ¡}|sŠt   d|¡t   d¡‚tƒ} |D]&}|js°|   | |¡¡q”|   |¡q”| |j|<| S)zCPrompts user to choose vhosts to install a wildcard certificate forcSsg|]}|‘qSr/r/©rjr‘r/r/r0Ú Èsz>ApacheConfigurator._choose_vhosts_wildcard..zNo vhost exists with servername or alias for domain %s. No vhost was selected. Please specify ServerName or ServerAlias in the Apache config.úNo vhost selected)ršrJr–ÚsslrLÚvaluesrZselect_vhost_multipler˜rsÚerrorr r{ÚappendÚmake_vhost_sslrN) r-r‰Z create_sslrSÚfiltered_vhostsr‘r™Z dialog_inputZ dialog_outputZ return_vhostsr/r/r0r“µs.     ü   z*ApacheConfigurator._choose_vhosts_wildcardcCsÌ| d¡| |j¡| |¡|j dd|j¡|j dd|j¡dœ}|dk rd|j dd|j¡|d<|ds†t d |j¡t  d ¡‚n |d s¦t d |j¡t  d ¡‚t  d|j ¡|j dksÊ|r(|s(|}|jj  |dd|¡|jj  |d d|¡|dk r|j |jd|¡n t  d¡‚nD|s8t  d¡‚|}|jj  |dd|¡|jj  |d d|¡|js~| |¡|jd|j d dd„|jDƒ¡||f7_|dk rÈ|jd|7_dS)a Helper function for deploy_cert() that handles the actual deployment this exists because we might want to do multiple deployments per domain originally passed for deploy_cert(). This is especially true with wildcard certificates Ú443ÚSSLCertificateFileNÚSSLCertificateKeyFile)rÚcert_keyÚSSLCertificateChainFilerrzOCannot find an SSLCertificateFile directive in %s. VirtualHost was not modifiedz.Unable to find an SSLCertificateFile directiverªzbCannot find an SSLCertificateKeyFile directive for certificate in %s. VirtualHost was not modifiedzAUnable to find an SSLCertificateKeyFile directive for certificatez'Deploying Certificate to VirtualHost %s)rméééÿÿÿÿz3--chain-path is required for your version of ApachezKPlease provide the --fullchain-path option pointing to your full chain filezZChanged vhost at %s with addresses of %s SSLCertificateFile %s SSLCertificateKeyFile %s z, css|]}t|ƒVqdSrfrg©rjÚaddrr/r/r0rl(sz2ApacheConfigurator._deploy_cert..z SSLCertificateChainFile %s )Úprepare_server_httpsÚ_add_dummy_ssl_directivesr^Ú _clean_vhostrÚfind_dirrsÚwarningr r{ÚinfoÚfileprBrrLÚadd_dirÚenabledÚ enable_siterQr_Úaddrs)r-r‘rrŽrrr^Z set_cert_pathr/r/r0rŒász   ÿÿþÿþÿþÿ  ÿ   þý zApacheConfigurator._deploy_certcCsh||jkr|j|S| |¡}|dk rX|s.|S|js>| |¡}| ||¡||j|<|S|j|| dS)aÏChooses a virtual host based on the given domain name. If there is no clear virtual host to be selected, the user is prompted with all available choices. The returned vhost is guaranteed to have TLS enabled unless create_if_no_ssl is set to False, in which case there is no such guarantee and the result is not cached. :param str target_name: domain name :param bool create_if_no_ssl: If found VirtualHost doesn't have a HTTPS counterpart, should one get created :returns: vhost associated with name :rtype: :class:`~certbot_apache.obj.VirtualHost` :raises .errors.PluginError: If no vhost is available or chosen N©Útemp)rKÚ_find_best_vhostr¡r¥Ú_add_servername_aliasÚ_choose_vhost_from_list)r-Ú target_namer•r‘r/r/r0r”-s      zApacheConfigurator.choose_vhostcsšt ||j¡}|dkr.t d|¡t d¡‚nR|r6|S|js€| |d¡‰t ‡fdd„|jDƒƒsl|  |¡}nt d¡t d¡‚|  ||¡||j |<|S)Nz…No vhost exists with servername or alias of %s. No vhost was selected. Please specify ServerName or ServerAlias in the Apache config.r r§c3s|]}|jo| ˆ¡VqdSrf)r¹Ú conflictsrž©r»r/r0rldsÿz=ApacheConfigurator._choose_vhost_from_list..z”The selected vhost would conflict with other HTTPS VirtualHosts within Apache. Please select another vhost or add ServerNames to your configuration.z$VirtualHost not able to be selected.) rZ select_vhostrSrsr£r r{r¡Ú_get_proposed_addrsÚanyr¥r¿rK)r-rÁr½r‘r/rÃr0rÀUs0ü   ÿ ÿÿ  z*ApacheConfigurator._choose_vhost_from_listcCs8| ¡}|D]&}| ¡}d|kr t ||¡r dSq dS)a¦Checks if target domain is covered by one or more of the provided names. The target name is matched by wildcard as well as exact match. :param names: server aliases :type names: `collections.Iterable` of `str` :param str target_name: name to compare with wildcards :returns: True if target_name is covered by a wildcard, otherwise, False :rtype: bool ú[TF)Úlowerr)r-ÚnamesrÁr™r/r/r0Údomain_in_namesss z"ApacheConfigurator.domain_in_namesÚ80csFg}|jD],}t‡fdd„|jDƒƒr |js | |¡q | |||¡S)a¹Returns non-HTTPS vhost objects found from the Apache config :param str target: Domain name of the desired VirtualHost :param bool filter_defaults: whether _default_ vhosts should be included if it is the best match :param str port: port number the vhost should be listening on :returns: VirtualHost object that's the best match for target name :rtype: `obj.VirtualHost` or None c3s"|]}| ¡p| ¡ˆkVqdSrf)Z is_wildcardÚget_port©rjÚa©Úportr/r0rl—sz:ApacheConfigurator.find_best_http_vhost..)rSrÅr»r¡r¤r¾)r-ÚtargetÚfilter_defaultsrÏr¦r‘r/rÎr0Úfind_best_http_vhostŠs   z'ApacheConfigurator.find_best_http_vhostc sÎd}d}|dkr|j}|D]v}|jdkr*q| ¡}ˆ|kr@d}n2| |ˆ¡rRd}n t‡fdd„|jDƒƒrd}nq|jr€|d7}||kr|}|}q|dkrÊ|r¨| |¡}d d „|Dƒ} t| ƒdkrÊ| d}|S) aþFinds the best vhost for a target_name. This does not upgrade a vhost to HTTPS... it only finds the most appropriate vhost for the given target_name. :param str target_name: domain handled by the desired vhost :param vhosts: vhosts to consider :type vhosts: `collections.Iterable` of :class:`~certbot_apache.obj.VirtualHost` :param bool filter_defaults: whether a vhost with a _default_ addr is acceptable :returns: VHost or None NrTérmc3s|]}| ¡ˆkVqdSrf©Úget_addrr¯©rÁr/r0rl¾sz6ApacheConfigurator._find_best_vhost..r<cSsg|]}|jdkr|‘qS)F©Úmodmacro©rjÚvhr/r/r0rŸÑs ÿz7ApacheConfigurator._find_best_vhost..) rSrØr–rÉrÅr»r¡Ú_non_default_vhostsr›) r-rÁrSrÑZbest_candidateZ best_pointsr‘rÈZpointsZreasonable_vhostsr/rÖr0r¾›s:   ÿ z#ApacheConfigurator._find_best_vhostcCsdd„|DƒS)z%Return all non _default_ only vhosts.cSs$g|]}tdd„|jDƒƒs|‘qS)css|]}| ¡dkVqdS)Ú _default_NrÔr¯r/r/r0rlÚszDApacheConfigurator._non_default_vhosts...)Úallr»rÙr/r/r0rŸÚs ÿz:ApacheConfigurator._non_default_vhosts..r/)r-rSr/r/r0rÛØsz&ApacheConfigurator._non_default_vhostscCs¬tƒ}g}|jD]h}| | ¡¡|jr4| |j¡|jD]<}tj   |  ¡¡r^|  |  ¡¡q:|  |¡}|r:|  |¡q:q|r¢tj tj¡jd d |¡¡ddt |¡S)zÊReturns all names found in the Apache Configuration. :returns: All ServerNames, ServerAliases, and reverse DNS entries for virtual host addresses :rtype: set zaApache mod_macro seems to be in use in file(s): {0} Unfortunately mod_macro is not yet supportedz T)Zforce_interactive)rLrSÚupdater–rØr¤r·r»rZhostname_regexÚmatchrÕr@Úget_name_from_ipÚzopeÚ componentÚ getUtilityr ZIDisplayZ notificationrur_r Zget_filtered_names)r-Z all_namesZ vhost_macror‘r°r™r/r/r0Ú get_all_namesÞs(    þýz ApacheConfigurator.get_all_namesc CsXtj | ¡¡sTz"t | ¡¡t | ¡¡dWStjtjtj fk rRYnXdS)zÎReturns a reverse dns name if available. :param addr: IP Address :type addr: ~.common.Addr :returns: name or empty string if name cannot be determined :rtype: str rrC) rZprivate_ips_regexrßrÕÚsocketZ inet_atonZ gethostbyaddrr£ZherrorZtimeout)r-r°r/r/r0ràÿs z#ApacheConfigurator.get_name_from_ipcCsl|jjdd|dd}|jjdd|dd}g}|D]}|j |¡}| |¡q0d}|rd|j |d¡}||fS)zøHelper method for getting the ServerName and ServerAlias values from vhost in path :param path: Path to read ServerName and ServerAliases from :returns: Tuple including ServerName and `list` of ServerAlias strings Ú ServerNameNF©ÚstartZexcludeÚ ServerAliasr®)rr´Úget_argr¤)r-r^Zservername_matchZserveralias_matchÚ serveraliasesÚaliasÚ serveraliasÚ servernamer/r/r0Ú_get_vhost_namess( ÿÿ  z#ApacheConfigurator._get_vhost_namescCs<| |j¡\}}|D]}|js|j |¡q|js8||_dS)z±Helper function for get_virtual_hosts(). :param host: In progress vhost whose names will be added :type host: :class:`~certbot_apache.obj.VirtualHost` N)rïr^rØÚaliasesr@r™)r-Zhostrîrërìr/r/r0Ú_add_servernames-s z#ApacheConfigurator._add_servernamesc Cstƒ}z|jj |d¡}Wn"tk r>t d|¡YdSX|D]}| tj   |j  |¡¡¡qDd}|jj dd|ddr€d}|D]}|  ¡d kr„d}q„t |jj d t |¡¡¡}|dkrÄdSd}d | ¡krØd}|j |¡} tj||||| |d } | | ¡| S) zÑUsed by get_virtual_hosts to create vhost objects :param str path: Augeas path to virtual host :returns: newly created vhost :rtype: :class:`~certbot_apache.obj.VirtualHost` ú/argz6Encountered a problem while parsing file: %s, skippingNFZ SSLEngineÚonrçTr§z/augeas/files%s/pathz/macro/r×)rLrrrßÚ RuntimeErrorrsrµr@rÚAddrÚ fromstringrêr´rËrZ get_file_pathr,rÇÚparsed_in_originalÚ VirtualHostrñ) r-r^r»rZÚargZis_sslr°ÚfilenameZmacroZ vhost_enabledr‘r/r/r0Ú _create_vhost>s:   ÿ   ÿ z ApacheConfigurator._create_vhostc CsRi}ttƒ}g}t|jjƒD].}|jj d|t d¡f¡}dd„|Dƒ}|D]ú}| |¡}|sdqPt   |j ¡}t   |j¡} | |kr¨|j|| <||  |¡| |¡qP| |jkr&| || kr&g} |D]4} | j|| krô||  t   | j ¡¡qÊ|  | ¡qÊ| }| || <||  |¡| |¡qP||| krP||  |¡| |¡qPq|S)zÎReturns list of virtual hosts found in the Apache configuration. :returns: List of :class:`~certbot_apache.obj.VirtualHost` objects found in configuration :rtype: list z"/files%s//*[label()=~regexp('%s')]røcSs$g|]}dtj |¡ ¡kr|‘qS)Ú virtualhost)rr^ÚbasenamerÇ)rjr^r/r/r0rŸ|sÿz8ApacheConfigurator.get_virtual_hosts..)rrLr˜rZ parser_pathsrrßÚcase_irûrZget_internal_aug_pathr^r Úrealpathr·r@r¤Úremove) r-Z file_pathsZinternal_pathsZvhsZ vhost_pathÚpathsr^Ú new_vhostZ internal_pathrÿZnew_vhsÚvr/r/r0rxjsL  ÿÿ       ÿ ÿ   z$ApacheConfigurator.get_virtual_hostscCs|jdkp|j dt|ƒ¡S)azReturns if vhost is a name based vhost NameVirtualHost was deprecated in Apache 2.4 as all VirtualHosts are now NameVirtualHosts. If version is earlier than 2.4, check if addr has a NameVirtualHost directive in the Apache config :param certbot_apache.obj.Addr target_addr: vhost address :returns: Success :rtype: bool ©rmr¬ÚNameVirtualHost)rBrr´rh)r-Z target_addrr/r/r0Ú is_name_vhostŸs ÿz ApacheConfigurator.is_name_vhostcCstt |jjd¡}| ¡dkr6|j |dt|ƒg¡}n|j |dt|ƒg¡}d||f}t |¡|j |7_ dS)z¿Adds NameVirtualHost directive for given address. :param addr: Address that will be added as NameVirtualHost directive :type addr: :class:`~certbot_apache.obj.Addr` r™r§rz=Setting %s to be NameBasedVirtualHost Directive added to %s N) rÚ get_aug_pathÚlocrËÚadd_dir_to_ifmodsslrhr¸rsrtrQ)r-r°rr^Úmsgr/r/r0Úadd_name_vhost´s ÿÿ z!ApacheConfigurator.add_name_vhostcCs| |¡|j|dddS)zÄPrepare the server for HTTPS. Make sure that the ssl_module is loaded and that the server is appropriately listening on port. :param str port: Port to listen on T)ÚhttpsN)Úprepare_https_modulesÚ ensure_listen)r-rÏr½r/r/r0r±Ès z'ApacheConfigurator.prepare_server_httpsc s|r|dkrd|df}n|}‡fdd„ˆj d¡Dƒ}ˆ ||¡rHdSt|ƒ}|s^| |¡|D]Œ}t| d¡ƒd kr”||krî||krî| |¡qb|ddd … dd ¡\}}|ddd …}d ||f|krbd ||f|krb| d ||f¡qb|rˆ |||¡nˆ |||¡dS) aXMake sure that Apache is listening on the port. Checks if the Listen statement for the port already exists, and adds it to the configuration if necessary. :param str port: Port number to check and add Listen for if not in place already :param bool https: If the port will be used for HTTPS r§ú%s %sr cs g|]}ˆj |¡ ¡d‘qS)r)rrêrœ©rjÚxrbr/r0rŸèsÿz4ApacheConfigurator.ensure_listen..ÚListenNú:r<r®z%s:%s) rr´Ú_has_port_alreadyrLr@r›rœÚ_add_listens_httpsÚ_add_listens_http) r-rÏr Ú port_serviceÚlistensZ listen_dirsÚlistenr2Zipr/rbr0rÕs0   ÿ   ÿz ApacheConfigurator.ensure_listencCs | |¡}||krP|j t |jjd¡d|¡|jd||jjdf7_nL|D]F}|j t |jjd¡d| d¡¡|jd||jjdf7_qTdS)a<Helper method for ensure_listen to figure out which new listen statements need adding for listening HTTP on port :param set listens: Set of all needed Listen statements :param list listens_orig: List of existing listen statements :param string port: Port number we're adding rrú Added Listen %s directive to %s ú N)Ú differencerr¸rrrQrœ)r-rÚ listens_origrÏÚ new_listensrr/r/r0rs, ÿ ÿ   ÿÿ ÿÿz$ApacheConfigurator._add_listens_httpcCsÈ|dkrd|df}n|}| |¡}||ks4||krx|j t |jjd¡d| d¡¡|jd||jjdf7_nL|D]F}|j t |jjd¡d| d¡¡|jd||jjdf7_q|dS) a=Helper method for ensure_listen to figure out which new listen statements need adding for listening HTTPS on port :param set listens: Set of all needed Listen statements :param list listens_orig: List of existing listen statements :param string port: Port number we're adding r§rr rrrrN)rrr rrrœrQ)r-rrrÏrrrr/r/r0r s2  þ ÿ þ ÿÿz%ApacheConfigurator._add_listens_httpscCsN||kr dS|D]8}t| d¡ƒdkr| d¡d d¡d|krdSqdS)zëHelper method for prepare_server_https to find out if user already has an active Listen statement for the port we need :param list listens: List of listen variables :param string port: Port in question Trr<r®rrN)r›rœ)r-rrÏrr/r/r0rAsz$ApacheConfigurator._has_port_alreadycCsL| d¡rH|jdkr.d|jjkr.|jd|dd|jjkrH|jd|ddS) z˜Helper method for prepare_server_https, taking care of enabling needed modules :param boolean temp: If the change is temporary r'rÚsocache_shmcb_moduleÚ socache_shmcbr¼Z ssl_moduler¡N)r1rBrÚmodulesÚ enable_mod)r-r½r/r/r0r Ss  ÿ z(ApacheConfigurator.prepare_https_modulescCs|j}| |¡}|jj d| |¡t d¡f¡}| ||¡|jj ¡|jj d| |¡t d¡f¡}|  ||¡}|sÄ|j  |¡|jj d| |¡t d¡f¡}|  ||¡}|sÄt   d¡‚|  |¡t d|¡|jd|7_| ¡| |¡}||_|j |¡| |¡|S)axMakes an ssl_vhost version of a nonssl_vhost. Duplicates vhost and adds default ssl options New vhost will reside as (nonssl_vhost.path) + ``self.option("le_vhost_ext")`` .. note:: This function saves the configuration :param nonssl_vhost: Valid VH that doesn't have SSLEngine on :type nonssl_vhost: :class:`~certbot_apache.obj.VirtualHost` :returns: SSL vhost :rtype: :class:`~certbot_apache.obj.VirtualHost` :raises .errors.PluginError: If more than one virtual host is in the file or if plugin is unable to write/read vhost files. z#/files%s//* [label()=~regexp('%s')]røz;Could not reverse map the HTTPS VirtualHost to the originalzCreated an SSL vhost at %szCreated ssl vhost at %s )r·Ú_get_ssl_vhost_pathrrrßÚ_escaperþÚ_copy_create_ssl_vhost_skeletonr‚Ú_get_new_vh_pathÚ parse_filer r{Ú_update_ssl_vhosts_addrsrsr¶rQrrûÚancestorrSr¤Ú_add_name_vhost_if_necessary)r-Z nonssl_vhostZavail_fpÚssl_fpÚ orig_matchesÚ new_matchesZvh_pÚ ssl_vhostr/r/r0r¥asL  ÿÿ   ÿÿ  ÿÿÿ ÿ    z!ApacheConfigurator.make_vhost_sslcCs4dd„|Dƒ}|D]}| dd¡|kr|SqdS)a Helper method for make_vhost_ssl for matching augeas paths. Returns VirtualHost path from new_matches that's not present in orig_matches. Paths are normalized, because augeas leaves indices out for paths with only single directive with a similar key cSsg|]}| dd¡‘qS)ú[1]rC©r5rir/r/r0rŸ¶sz7ApacheConfigurator._get_new_vh_path..r/rCNr0)r-r,r-rßr/r/r0r&¯s  z#ApacheConfigurator._get_new_vh_pathcCs~| d¡r@tj | d¡¡r@tj t | d¡¡tj |¡¡}n t |¡}|  d¡rp|dt dƒ …| d¡S|| d¡S)a- Get a file path for SSL vhost, uses user defined path as priority, but if the value is invalid or not defined, will fall back to non-ssl vhost filepath. :param str non_ssl_vh_fp: Filepath of non-SSL vhost :returns: Filepath for SSL vhost :rtype: str r;rz.confNr&) r4rr^Úexistsr_r rÿr1rýÚendswithr›)r-Z non_ssl_vh_fpÚfpr/r/r0r#½s  ÿ  z&ApacheConfigurator._get_ssl_vhost_pathcCsX| ¡ ¡ d¡sdS| ¡d ¡}|ddkrN|d|dkrN|dd…}| d¡S) a`Decides whether a line should be copied to a SSL vhost. A canonical example of when sifting a line is required: When the http vhost contains a RewriteRule that unconditionally redirects any request to the https version of the same site. e.g: RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent] Copying the above line to the ssl vhost would cause a redirection loop. :param str line: a line extracted from the http vhost. :returns: True - don't copy line from http vhost to SSL vhost. :rtype: bool Ú rewriteruleFrmr)ú'ú"r®r<zhttps://)rÇÚlstriprˆrœÚstrip)r-ÚlinerÐr/r/r0Ú_sift_rewrite_ruleÓs  z%ApacheConfigurator._sift_rewrite_rulec CsRtj |¡r4d|}tƒ}| |¡|j ||¡n|j d|¡d}zx| |¡}|  |¡\}}t |dƒ4}|  d¡|  d  |¡¡|  d¡|  d¡W5QRX|j  |¡s¼|j  |¡Wn,tk rêtjdd d t d ¡‚YnX|rtj tj¡} |  d  |j|¡| j¡|j j d | |¡d¡|j j d | |j¡d¡dS)aCopies over existing Vhost with IfModule mod_ssl.c> skeleton. :param obj.VirtualHost vhost: Original VirtualHost object :param str ssl_fp: Full path where the new ssl_vhost will reside. A new file is created on the filesystem. z-Appended new VirtualHost directive to file %sFrÍz Ú z z z/Error writing/reading to file in make_vhost_sslTrnz&Unable to write/read in make_vhost_sslzSome rewrite rules copied from {0} were disabled in the vhost for your HTTPS site located at {1} because they have the potential to create redirection loops.z/augeas/files%s/mtimeÚ0N) rr^r1rLr@Úreverterr~Úregister_file_creationÚ_get_vhost_blockÚ_sift_rewrite_rulesÚopenÚwriter_rÚparsed_in_currentr'ÚIOErrorrsÚcriticalr r{rárârãr Z IReporterZ add_messagerur·ZMEDIUM_PRIORITYrr$) r-r‘r+ZnotesÚfilesÚsiftZ orig_contentsZssl_vh_contentsZnew_fileZreporterr/r/r0r%ôs>       ýüz2ApacheConfigurator._copy_create_ssl_vhost_skeletonc CsDg}d}t|ƒ}d}|D] }| ¡ ¡ d¡}| ¡ ¡ d¡}|sV|sV| |¡q|rp| |¡sp| |¡q|r | |¡r |s| |¡d}| d|¡qg}|r| |¡t|ƒ}| ¡ ¡ d¡sà| |¡t|ƒ}qº| |¡| |¡r(|s | |¡d}| d dd „|Dƒ¡¡qq| d |¡¡qq||fS) z Helper function for _copy_create_ssl_vhost_skeleton to prepare the new HTTPS VirtualHost contents. Currently disabling the rewrites Fzƒ# Some rewrite rules in this file were disabled on your HTTPS site, # because they have the potential to create redirection loops. Z rewritecondr4Tú# r;cSsg|] }d|‘qS)rHr/)rjÚlr/r/r0rŸ]sz:ApacheConfigurator._sift_rewrite_rules..)ÚiterrÇr7rˆr¤r:Únextr_) r-ÚcontentsÚresultrGÚcommentr9ÚAÚBÚchunkr/r/r0r@$sL           ÿz&ApacheConfigurator._sift_rewrite_rulesc Cs¤z|jj |j¡}Wn4tk rHtjd|j|jddt   d¡‚YnX|d}|d}|d}t |dƒ$}|  |¡|  ||¡ d ¡}W5QRX| |¡|S) a Helper method to get VirtualHost contents from the original file. This is done with help of augeas span, which returns the span start and end positions :returns: `list` of VirtualHost block content lines without closing tag z3Error while reading the VirtualHost %s from file %sTrnz$Unable to read VirtualHost from filerééÚrr;)rrÚspanr^Ú ValueErrorrsrEr™r·r r{rAÚseekÚreadrœÚ_remove_closing_vhost_tag)r-r‘Zspan_valZ span_filepZ span_startZspan_endZfhÚ vh_contentsr/r/r0r?ds"ÿ   z#ApacheConfigurator._get_vhost_blockcCsXtt|ƒƒD]F\}}|r | ¡ d¡}|dkrNt|ƒ|d}|d|…||<qTq dS)a”Removes the closing VirtualHost tag if it exists. This method modifies vh_contents directly to remove the closing tag. If the closing vhost tag is found, everything on the line after it is also removed. Whether or not this tag is included in the result of span depends on the Augeas version. :param list vh_contents: VirtualHost block contents to check zr®r<N)Ú enumerateÚreversedrÇÚfindr›)r-rZÚoffsetr9Z line_indexZ content_indexr/r/r0rY{s z,ApacheConfigurator._remove_closing_vhost_tagcCsftƒ}|jj |d¡}|D]D}tj t|j |¡ƒ¡}|  d¡}|jj |t|ƒ¡|  |¡q|S)Nròr§) rLrrrßrrõrörhrêÚ get_addr_objr@)r-Úvh_pathZ ssl_addrsZ ssl_addr_pr°Zold_addrZssl_addrr/r/r0r(Žsÿ  z+ApacheConfigurator._update_ssl_vhosts_addrscCs&| |jddg¡| |jdg¡dS)Nr¨r©r«)Ú_deduplicate_directivesr^Ú_remove_directives©r-r‘r/r/r0r³›s ÿÿzApacheConfigurator._clean_vhostc CsX|D]N}t|j |d|d¡ƒdkr|j |d|d¡}|jj t dd|d¡¡qqdS)NFr<ú/\w*$rCr)r›rr´rrÚreÚsub©r-r`Z directivesZ directiveZdirective_pathr/r/r0ra£s ÿÿ ÿz*ApacheConfigurator._deduplicate_directivesc CsP|D]F}|j |d|d¡r|j |d|d¡}|jj t dd|d¡¡qqdS)NFrdrCr)rr´rrrerfrgr/r/r0rb«s ÿz%ApacheConfigurator._remove_directivescCsL|j |dd¡|j |dd¡|j d|j|¡}|sH|j |d|j¡dS)Nr¨Zinsert_cert_file_pathr©Zinsert_key_file_pathZInclude)rr¸r´rc)r-r`Z existing_incr/r/r0r²²s ÿ ÿz,ApacheConfigurator._add_dummy_ssl_directivescCs||j}| |¡\}}||ks$||kr(dS| ||¡r8dS|jjdd|dds^|j |d|¡n|j |d|¡| |¡dS)NræFrçré)r^rïÚ_has_matching_wildcardrr´r¸rñ)r-rÁr‘r`ZsnameZsaliasesr/r/r0r¿¼s  ÿz(ApacheConfigurator._add_servername_aliascs0ˆjjd|dd}‡fdd„|Dƒ}ˆ ||¡S)aLIs target_name already included in a wildcard in the vhost? :param str vh_path: Augeas path to the vhost :param str target_name: name to compare with wildcards :returns: True if there is a wildcard covering target_name in the vhost in vhost_path, otherwise, False :rtype: bool réFrçc3s|]}ˆjj |¡VqdSrf©rrr,)rjrßrbr/r0rl×sz.)rr´rÉ)r-r`rÁÚmatchesrðr/rbr0rhÊs ÿz)ApacheConfigurator._has_matching_wildcardcs¦d}|jD]Š‰tˆfƒ‰ˆ ¡dkr<ˆ ‡fdd„dDƒ¡|jD]P}|j|jkrBt‡fdd„|jDƒƒrB| ˆ¡sB| ˆ¡t   dˆ¡d}q qBq |r¢|  ¡dS) aGAdd NameVirtualHost Directives if necessary for new vhost. NameVirtualHosts was a directive in Apache < 2.4 https://httpd.apache.org/docs/2.2/mod/core.html#namevirtualhost :param vhost: New virtual host that was recently created. :type vhost: :class:`~certbot_apache.obj.VirtualHost` F)rrÜc3s |]}t |ˆ ¡f¡VqdSrf)rrõrËrÌ)r°r/r0rlísÿzBApacheConfigurator._add_name_vhost_if_necessary..c3s|]}|ˆkVqdSrfr/)rjZ test_addrrÃr/r0rlòsÿzEnabling NameVirtualHosts on %sTN) r»rLrÕrÞrSr·rÅrr rsr¶r)r-r‘Z need_to_saveZtest_vhr/)r°r»r0r*Ús*    ÿ   ÿÿý  z/ApacheConfigurator._add_name_vhost_if_necessarycCsD|jD]}| |¡|kr|Sqd |¡}t |¡t |¡‚dS)a> Searches through VirtualHosts and tries to match the id in a comment :param str id_str: Id string for matching :returns: The matched VirtualHost or None :rtype: :class:`~certbot_apache.obj.VirtualHost` or None :raises .errors.PluginError: If no VirtualHost is found z$No VirtualHost with ID {} was found.N)rSÚ_find_vhost_idrursrµr r{)r-Úid_strrÚr r/r/r0Úfind_vhost_by_idýs    z#ApacheConfigurator.find_vhost_by_idcCsBtj d¡}|j ||j¡}|r>|j |d¡}| d¡dSdS)aCTries to find the unique ID from the VirtualHost comments. This is used for keeping track of VirtualHost directive over time. :param vhost: Virtual host to add the id :type vhost: :class:`~certbot_apache.obj.VirtualHost` :returns: The unique ID or None :rtype: str or None rCrrr®N)rÚMANAGED_COMMENT_IDrurZ find_commentsr^rêrœ)r-r‘Zsearch_commentZ id_commentrNr/r/r0rks z!ApacheConfigurator._find_vhost_idcCs:| |¡}|r|St ¡}tj |¡}|j |j|¡|S)aAdds an unique ID to the VirtualHost as a comment for mapping back to it on later invocations, as the config file order might have changed. If ID already exists, returns that instead. :param vhost: Virtual host to add or find the id :type vhost: :class:`~certbot_apache.obj.VirtualHost` :returns: The unique ID for vhost :rtype: str or None ) rkrZ unique_idrrnrurZ add_commentr^)r-r‘Zvh_idZ id_stringrNr/r/r0Ú add_vhost_id%s  zApacheConfigurator.add_vhost_idcCsd| dd¡}| dd¡}| dd¡}| dd¡}| d d ¡}| d d ¡}| d d¡}| dd¡}|S)Nú,z\,rÆz\[ú]z\]ú|z\|ú=z\=ú(z\(ú)z\)ú!z\!r0)r-r3r/r/r0r$:s        zApacheConfigurator._escapecCs dddgS)z)Returns currently supported enhancements.rDrErFr/rbr/r/r0Úsupported_enhancementsHsz)ApacheConfigurator.supported_enhancementsc CsÐz|j|}Wn$tk r2t d |¡¡‚YnX|j|dd}dd„|Dƒ}|sŒd}|}|rl|d|7}| ||¡} t | ¡t | ¡‚z|D]} || |ƒq’Wn&tjk rÊt d||¡‚YnXd S) aëEnhance configuration. :param str domain: domain to enhance :param str enhancement: enhancement type defined in :const:`~certbot.constants.ENHANCEMENTS` :param options: options for the enhancement See :const:`~certbot.constants.ENHANCEMENTS` documentation for appropriate parameter. :raises .errors.PluginError: If Enhancement is not supported, or if there is any other problem with the enhancement. zUnsupported enhancement: {0}F©r•cSsg|]}|jr|‘qSr/©r¡ržr/r/r0rŸbsz.ApacheConfigurator.enhance..z‹Certbot was not able to find SSL VirtualHost for a domain {0} for enabling enhancement "{1}". The requested enhancement was not configured.z: zFailed %s for %sN)rYÚKeyErrorr r{rur‹rsrµ) r-r‰Z enhancementr+ÚfuncÚmatched_vhostsrSÚmsg_tmplZmsg_enhancementr r‘r/r/r0ÚenhanceLs,ÿ     zApacheConfigurator.enhancecCs.tj|}| ||¡|t ¡dœ|j|<dS)a Increase the AutoHSTS max-age value :param vhost: Virtual host object to modify :type vhost: :class:`~certbot_apache.obj.VirtualHost` :param str id_str: The unique ID string of VirtualHost :param int nextstep: Next AutoHSTS max-age value index ©ÚlaststepÚ timestampN)rÚAUTOHSTS_STEPSÚ_autohsts_writeÚtimerP)r-r‘rlÚnextstepÚnextstep_valuer/r/r0Ú_autohsts_increaseus  z%ApacheConfigurator._autohsts_increasec Csºd}|j dd|j¡}|rFd}|D]"}t ||jj |¡ ¡¡r"|}q"|s`d |j ¡}t   |¡‚d |¡}|  dd¡}|jj  ||¡d ||j ¡} t | ¡|j| 7_| | ¡dS) zJ Write the new HSTS max-age value to the VirtualHost file NÚHeaderz/(?:[ "]|^)(strict-transport-security)(?:[ "]|$)zUCertbot was unable to find the existing HSTS header from the VirtualHost at path {0}.ú "max-age={0}"zarg[3]zarg[4]zHTTPS rewrite in addition to other RewriteRules; you may wish to check for overall consistency.Ú RewriteEngineróz%{SERVER_NAME}z={0}z[OR]r<Z RewriteCondz*Redirecting host in %s to ssl vhost in %s z*Redirecting vhost in %s to ssl vhost in %s)rr!r"Ú_get_http_vhostrsrtrÄrSr¹rÂr r{Ú_create_redirect_vhostrOÚ_verify_no_certbot_redirectÚ_is_rewrite_existsrµÚ_is_rewrite_engine_onr¸r^r–r[rur›rGÚ#_set_https_redirection_rewrite_rulerQr·rr@r¶) r-r.r—Z general_vhZredirect_addrsr‘rÈÚidxr™rZr/r/r0rV?sH      ÿ        ÿÿz#ApacheConfigurator._enable_redirectcCs:| ¡dkr"|j |jdtj¡n|j |jdtj¡dS)N©rmrÓé Ú RewriteRule)rrrr¸r^rÚREWRITE_HTTPS_ARGS_WITH_ENDÚREWRITE_HTTPS_ARGSrcr/r/r0r¤s  ÿ ÿz6ApacheConfigurator._set_https_redirection_rewrite_rulec sЈjjdd|jd}ttƒ}d}|D],}t ||¡}|r$| d¡}|| |¡q$|rÌt j t j g}|  ¡D]`\}} ‡fdd„| Dƒ} | t j kr¸ˆjj |¡ˆ |¡ˆ ¡t d¡‚| |krjt d¡‚qjdS) aVChecks to see if a redirect was already installed by certbot. Checks to see if virtualhost already contains a rewrite rule that is identical to Certbot's redirection rewrite rule. For graceful transition to new rewrite rules for HTTPS redireciton we delete certbot's old rewrite rules and set the new one instead. :param vhost: vhost to check :type vhost: :class:`~certbot_apache.obj.VirtualHost` :raises errors.PluginEnhancementAlreadyPresent: When the exact certbot redirection WriteRule exists in virtual host. r¨Nr–z(.*directive\[\d+\]).*r<csg|]}ˆjj |¡‘qSr/rirrbr/r0rŸºszBApacheConfigurator._verify_no_certbot_redirect..z'Certbot has already enabled redirection)rr´r^rr˜rerßÚgroupr¤rrªr©ÚitemsZOLD_REWRITE_HTTPS_ARGSrrr¤rr r) r-r‘Ú rewrite_pathZrewrite_args_dictrŒrßÚmZdir_pathZ redirect_argsZ args_pathsZarg_valsr/rbr0r¡˜s:ÿ  ÿ  ÿÿz.ApacheConfigurator._verify_no_certbot_redirectcCs|jjdd|jd}t|ƒS)zõChecks if there exists a RewriteRule directive in vhost :param vhost: vhost to check :type vhost: :class:`~certbot_apache.obj.VirtualHost` :returns: True if a RewriteRule directive exists. :rtype: bool r¨Nr–)rr´r^r“)r-r‘r­r/r/r0r¢Ès ÿz%ApacheConfigurator._is_rewrite_existscCsB|jjdd|jd}|r>|D] }d| ¡kr|j |¡SqdS)z—Checks if a RewriteEngine directive is on :param vhost: vhost to check :type vhost: :class:`~certbot_apache.obj.VirtualHost` ržrór–rüF)rr´r^rÇrê)r-r‘Zrewrite_engine_path_listZre_pathr/r/r0r£Ös ÿ z(ApacheConfigurator._is_rewrite_engine_oncCsr| |¡}| ||¡}|jj ¡| t | |¡¡¡}|j  |¡|j d  |¡|j d|j |j f7_ dS)a/Creates an http_vhost specifically to redirect for the ssl_vhost. :param ssl_vhost: ssl vhost :type ssl_vhost: :class:`~certbot_apache.obj.VirtualHost` :returns: tuple of the form (`success`, :class:`~certbot_apache.obj.VirtualHost`) :rtype: tuple rDz=Created a port 80 vhost, %s, for redirection to ssl vhost %s N)Ú_get_redirect_config_strÚ_write_out_redirectrrr‚rûrr$rSr¤rOr@rQr·)r-r.ÚtextÚredirect_filepathrr/r/r0r çs     þz)ApacheConfigurator._create_redirect_vhostcCs„d}d}|jdk rd|j}|jr2dd |j¡}g}| ¡dkrJtj}ntj}dd dd„| |¡Dƒ¡||d |¡| d ¡fS) NrCz ServerName z ServerAlias rr¦z‹ %s %s ServerSignature Off RewriteEngine On RewriteRule %s ErrorLog %s/redirect.error.log LogLevel warn css|]}t|ƒVqdSrfrgr¯r/r/r0rlsÿz>ApacheConfigurator._get_redirect_config_str..r) r™rðr_rrrr©rªrÄr1)r-r.rírîZrewrite_rule_argsr/r/r0r¯s(    ÿüõz+ApacheConfigurator._get_redirect_config_strc Csœd}|jdk r2t|jƒdt|ƒdkr2d|j}tj | d¡|¡}|j d|¡t|dƒ}|  |¡W5QRX|j   |¡sŒ|j   |¡t  d|¡|S) Nzle-redirect.conféÿr<zle-redirect-%s.confrFÚwzCreated redirect file: %s)r™r›rr^r_r1r=r>rArBrrCr'rsr¶)r-r.r±Zredirect_filenamer²Z redirect_filer/r/r0r°"s  ÿ    z&ApacheConfigurator._write_out_redirectcCs\|jr |jSdd„|jDƒ}|D]}| |¡r |Sq |D]}|j|ddr<|Sq.T)ZgenericN)r)rSZ same_server)r-r.Zcandidate_http_vhsZhttp_vhr/r/r0rŸ@sÿ   z"ApacheConfigurator._get_http_vhostcCs&tƒ}|jD]}| | |¡¡q |S)zïReturn all addrs of vhost with the port replaced with the specified. :param obj.VirtualHost ssl_vhost: Original Vhost :param str port: Desired port for new addresses :returns: `set` of :class:`~obj.Addr` )rLr»r@r_)r-r‘rÏZ redirectsr°r/r/r0rÄTs  z&ApacheConfigurator._get_proposed_addrscCs\|jr dS|j |j¡sXt d|j¡|jd|j7_|j |jjd|j¡d|_dS)aEnables an available site, Apache reload required. .. note:: Does not make sure that the site correctly works or that all modules are enabled appropriately. .. note:: The distribution specific override replaces functionality of this method where available. :param vhost: vhost to enable :type vhost: :class:`~certbot_apache.obj.VirtualHost` :raises .errors.NotSupportedError: If filesystem layout is not supported. Nz8Enabling site %s by adding Include to root configurationzEnabled site %s r9T) r¹rr÷r·rsr¶rQZ add_includerrcr/r/r0rºcsÿzApacheConfigurator.enable_sitecCsd}t | |¡¡‚dS)a×Enables module in Apache. Both enables and reloads Apache so module is active. :param str mod_name: Name of the module to enable. (e.g. 'ssl') :param bool temp: Whether or not this is a temporary action. .. note:: The distribution specific override replaces functionality of this method where available. :raises .errors.MisconfigurationError: We cannot enable modules in generic fashion. zÄApache needs to have module "{0}" active for the requested installation options. Unfortunately Certbot is unable to install or enable it for you. Please install the module, and run Certbot again.N)r ÚMisconfigurationErrorru)r-Úmod_namer½Z mod_messager/r/r0r"~szApacheConfigurator.enable_modcCs| ¡| ¡dS)z¢Runs a config test and reloads the Apache server. :raises .errors.MisconfigurationError: If either the config test or reload fails. N)rqÚ_reloadrbr/r/r0Úrestart“szApacheConfigurator.restartc CsÈzt | d¡¡Wn®tjk rÂ}zŽt d| d¡¡| d¡}|r t d|¡zt | d¡¡WWY¢HdStjk rœ}z t|ƒ}W5d}~XYq¨Xnt|ƒ}t  |¡‚W5d}~XYnXdS)zdReloads the Apache server. :raises .errors.MisconfigurationError: If reload fails r"z!Unable to restart apache using %sZrestart_cmd_altz&Trying alternative restart command: %sN) r Ú run_scriptr1r ÚSubprocessErrorrsr¶rtrhrµ)r-ÚerrZ alt_restartZsecerrr£r/r/r0r·s(ÿ ÿÿ zApacheConfigurator._reloadc CsLzt | d¡¡Wn2tjk rF}zt t|ƒ¡‚W5d}~XYnXdS)z|Check the configuration of Apache for errors. :raises .errors.MisconfigurationError: If config_test fails r#N)r r¹r1r rºrµrh)r-r»r/r/r0rq¸szApacheConfigurator.config_testc CsŽzt | d¡¡\}}Wn*tjk rBt d| d¡¡‚YnXt dtj¡}|  |¡}t |ƒdkrrt d¡‚t dd„|d  d ¡DƒƒS) zÚReturn version of Apache Server. Version is returned as tuple. (ie. 2.4.7 = (2, 4, 7)) :returns: version :rtype: tuple :raises .PluginError: if unable to find Apache version r!zUnable to run %s -vzApache/([0-9\.]*)r<zUnable to find Apache versioncSsg|] }t|ƒ‘qSr/)Úintrir/r/r0rŸÛsz2ApacheConfigurator.get_version..rre) r r¹r1r rºr{reÚcompileÚ IGNORECASEÚfindallr›Útuplerœ)r-Ústdoutr2Zregexrjr/r/r0rrÃs ÿÿ    zApacheConfigurator.get_versioncCs,djtj|jjdd dd„|jDƒ¡dS)z3Human-readable string to help understand the modulez_Configures Apache to authenticate and install HTTPS.{0}Server root: {root}{0}Version: {version}Úrootrecss|]}t|ƒVqdSrfrgrir/r/r0rläsz/ApacheConfigurator.more_info..)rÂrB)rurÚlineseprrr_rBrbr/r/r0Ú more_infoÝs  üÿzApacheConfigurator.more_infocCstjgS)z%Return list of challenge preferences.)rZHTTP01)r-Z unused_domainr/r/r0Úget_chall_prefêsz!ApacheConfigurator.get_chall_prefcCsr|j |¡dgt|ƒ}t |¡}t|ƒD]\}}| ||¡q,| ¡}|rn| ¡t   d¡|  |||¡|S)a Perform the configuration related challenge. This function currently assumes all challenges will be fulfilled. If this turns out not to be the case in the future. Cleanup and outstanding challenges will have to be designed better. NrÓ) rMrÞr›rZ ApacheHttp01r[Z add_challÚperformr¸r„ÚsleepÚ_update_responses)r-ÚachallsÚ responsesZ http_doerrkZachallZ http_responser/r/r0rÆîs   zApacheConfigurator.performcCs$t|ƒD]\}}|||j|<qdSrf)r[Úindices)r-rÊZchall_responseZ chall_doerrkZrespr/r/r0rÈ sz$ApacheConfigurator._update_responsescCs0|j |¡|js,| ¡| ¡|j ¡dS)zRevert all challenges.N)rMÚdifference_updaterƒr¸rZ reset_modules)r-rÉr/r/r0Úcleanup s  zApacheConfigurator.cleanupcCst ||| d¡tj¡S)zICopy Certbot's SSL options file into the system's config dir if required.r*)rZinstall_version_controlled_filer1rZALL_SSL_OPTIONS_HASHES)r-Z options_sslZoptions_ssl_digestr/r/r0ry sÿz+ApacheConfigurator.install_ssl_options_confc Csæ| ¡g}|D]¤}|j|dd}dd„|Dƒ}|sVd}| |¡}t |¡t |¡‚|D]X} z| | ¡| | ¡WqZtj k r°| |kr”YqZd}t  | || j ¡¡‚YqZXqZq|rÚd} |  | ¡t  | ¡|  ¡| ¡dS) a$ Enable the AutoHSTS enhancement for defined domains :param _unused_lineage: Certificate lineage object, unused :type _unused_lineage: certbot.storage.RenewableCert :param domains: List of domains in certificate to enhance :type domains: str FrxcSsg|]}|jr|‘qSr/ryržr/r/r0rŸ9 sz6ApacheConfigurator.enable_autohsts..z`Certbot was not able to find SSL VirtualHost for a domain {0} for enabling AutoHSTS enhancement.z_VirtualHost for domain {0} in file {1} has a String-Transport-Security header present, exiting.zEnabling AutoHSTSN)r‘r‹rursrµr r{Ú_enable_autohsts_domainr¤rr·rr¶r¸r’) r-Z_unused_lineageZdomainsrOÚdr|rSr}r rÚrŽr/r/r0Úenable_autohsts) s6      ÿ  z"ApacheConfigurator.enable_autohstscCs¶| |d¡d|jjkr"| d¡tjddd…}tjd}| d |¡¡|  |¡}|j d ||j ¡7_ |j  |j d |¡d  ||j ¡}|j |7_ dt ¡d œ|j|<dS) aDo the initial AutoHSTS deployment to a vhost :param ssl_vhost: The VirtualHost object to deploy the AutoHSTS :type ssl_vhost: :class:`~certbot_apache.obj.VirtualHost` or None :raises errors.PluginEnhancementAlreadyPresent: When already enhanced zStrict-Transport-Securityr˜r™Nr®rr‰z+Adding unique ID {0} to VirtualHost in {1} rˆzXAdding gradually increasing HSTS header with initial value of {0} to VirtualHost in {1} r)ršrr!r"rr›r‚r¤rurorQr·r¸r^r„rP)r-r.Z hsts_headerZinitial_maxageZuniq_idrŽr/r/r0rÎU s( ÿ     ÿþz*ApacheConfigurator._enable_autohsts_domainc Cs| ¡|jsdSt ¡}d}t|j ¡ƒD]¸\}}|dtj|krHq,|dd}|ttjƒkr,|j sp|  ¡z|  |¡}Wn:t j k r¸d |¡}t |¡|j |¡Yq,YnX| |||¡d |¡}|j|7_d}q,|rü| d ¡| ¡| ¡dS) zÖ Increase the AutoHSTS values of VirtualHosts that the user has enabled this enhancement for. :param _unused_domain: Not currently used :type _unused_domain: Not Available NFrr€r<zOCould not find VirtualHost with ID {0}, disabling AutoHSTS for this VirtualHostz9Increasing HSTS max-age value for VirtualHost with id {0}TzIncreased HSTS max-age values)r‘rPr„r˜r¬rZ AUTOHSTS_FREQr›r‚rRr|rmr r{rursrµrGr‡rQrr¸r’) r-Z_unused_domainZcurtimeÚsave_and_restartrlr`r…r‘r r/r/r0Úupdate_autohstsw s>  ÿ   ÿ z"ApacheConfigurator.update_autohstsc Cs6| ¡|jsdSg}g}t|j ¡ƒD]ˆ\}}|ddttjƒkr(z| |¡}Wn:tj k rŽd  |¡}t   |¡|j  |¡Yq(YnX| ||¡r(| |¡| |¡q(d}|D]>}| |tj¡d  |j¡}t  |¡|j|d7_d}qº|r| d ¡| ¡|D]}|j  |¡q| ¡dS) zò Checks if autohsts vhost has reached maximum auto-increased value and changes the HSTS max-age to a high value. :param lineage: Certificate lineage object :type lineage: certbot.storage.RenewableCert Nr€r<zLVirtualHost with id {} was not found, unable to make HSTS max-age permanent.FzRStrict-Transport-Security max-age value for VirtualHost in {0} was made permanent.r;TzMade HSTS max-age permanent)r‘rPr˜r¬r›rr‚rmr r{rursrµrGr•r¤rƒZAUTOHSTS_PERMANENTr·rtrQrr¸r’) r-r”rSZ affected_idsrlr`r‘r rÑr/r/r0Údeploy_autohsts¥ sDÿ      ÿ  z"ApacheConfigurator.deploy_autohsts)NF)r<)NN)T)T)T)F)rÊ)NT)F)F)N)rÊ)F)oÚ__name__Ú __module__Ú __qualname__Ú__doc__Z descriptionrr>r,rJÚ pkg_resourcesZresource_filenamer6r1r8Ú classmethodrArIÚpropertyrcrdr|rrvrƒr„rprwrŠr’r‹ršr—r“rŒr”rÀrÉrÒr¾rÛräràrïrñrûrxrr r±rrrrr r¥r&r#r:r%r@r?rYr(r³rarbr²r¿rhr*rmrkror$rwr~r‡rƒr‘r’r•rXrWršrVr¤r¡r¢r£r r¯r°rŸrÄrºr"r¸r·rqrrrÄrÅrÆrÈrÍryrÐrÎrÒrÓÚ __classcell__r/r/r\r0rGsþÿÿñ & "  4    ÿ   ,L (   =!,5 2!N!0@  # )  >(Q0!     !  ,".r)8r×rTrZloggingrerår„Ú collectionsrrØr‡Zzope.componentráZzope.interfaceZacmerZacme.magic_typingrrrrrZcertbotr r r Zcertbot.achallengesr Zcertbot.compatr rZcertbot.pluginsrZcertbot.plugins.utilrZcertbot.plugins.enhancementsrrrrrrrrZ getLoggerrÔrsZ interfaceZ implementerZIAuthenticatorZ IInstallerZproviderZIPluginFactoryZ InstallerrÚregisterr/r/r/r0Úsh                   "