f'% UdZddlZddlZddlmZddlmZmZddlm Z ddl m Z ddl m Z mZddlmZej"eZdd d d d gd Zdddddgd dddddgd ddddd gd ddd ddgd dZdD] Zedee< dZgdZdddeeeedgd d!gd"Ze ed#<eeZd$Zd%Zd&Zd'Zd(Zd)Z d*e!d+e d,e d-e"d.df d/Z#y)0zCA Certs: Add ca certificates.N)dedent)subputil)Cloud)Config) MetaSchema get_meta_doc) PER_INSTANCEz!/usr/local/share/ca-certificates/z#cloud-init-ca-cert-{cert_index}.crtz/etc/ca-certificates.confzupdate-ca-certificates) ca_cert_pathca_cert_local_pathca_cert_filenameca_cert_configca_cert_update_cmdz/etc/pki/ca-trust/z/usr/share/pki/ca-trust-source/z+anchors/cloud-init-ca-cert-{cert_index}.crtzupdate-ca-trustz/etc/pki/trust/z/usr/share/pki/trust/z/etc/ssl/certs/z/etc/pki/tls/certs/zrehash_ca_certificates.sh)fedorarhelopensusephoton)opensuse-microosopensuse-tumbleweed opensuse-leapsle_hpc sle-microslesra/This module adds CA certificates to the system's CA store and updates any related files using the appropriate OS-specific utility. The default CA certificates can be disabled/deleted from use by the system with the configuration option ``remove_defaults``. .. note:: certificates must be specified using valid yaml. in order to specify a multiline certificate, the yaml multiline list syntax must be used .. note:: Alpine Linux requires the ca-certificates package to be installed in order to provide the ``update-ca-certificates`` command. ) alpinedebianrrrrrrrrrubuntur cc_ca_certszCA CertificateszAdd ca certificatesa ca_certs: remove_defaults: true trusted: - single_line_cert - | -----BEGIN CERTIFICATE----- YOUR-ORGS-TRUSTED-CA-CERT-HERE -----END CERTIFICATE----- ca_certsca-certs)idnametitle descriptiondistros frequencyexamplesactivate_by_schema_keysmetactj|t}tjj |d|d|d<|S)zReturn a distro-specific ca_certs config dictionary @param distro_name: String providing the distro class name. @returns: Dict of distro configurations for ca_cert. r r ca_cert_full_path)DISTRO_OVERRIDESgetDEFAULT_CONFIGospathjoin) distro_namecfgs >/usr/lib/python3/dist-packages/cloudinit/config/cc_ca_certs.py_distro_ca_certs_configsr4|sF   {N ;C!ww|| !3'9#: C Jc8tj|ddy)z Updates the CA certificate cache on the current machine. @param distro_cfg: A hash providing _distro_ca_certs_configs function. rF)captureN)r distro_cfgs r3update_ca_certsr:s  IIj-.>r5c|syt|dD]=\}}t|}|dj|}tj||d?y)a- Adds certificates to the system. To actually apply the new certificates you must also call the appropriate distro-specific utility such as L{update_ca_certs}. @param distro_cfg: A hash providing _distro_ca_certs_configs function. @param certs: A list of certificate strings. Nr*) cert_indexi)mode) enumeratestrformatr write_file)r9certsr=ccert_file_contentscert_file_names r3 add_ca_certsrGsb "5!,H A V#$78??!@  (:G Hr5c|dvr t|y|dvr*t||dvrd}tjd|yyy)a. Disables all default trusted CA certificates. For Alpine, Debian and Ubuntu to actually apply the changes you must also call L{update_ca_certs}. @param distro_name: String providing the distro class name. @param distro_cfg: A hash providing _distro_ca_certs_configs function. )rr)rrr)rrz8ca-certificates ca-certificates/trust_new_crts select no)zdebconf-set-selections-)dataN)remove_default_ca_certsdisable_system_ca_certsr)r1r9 debconf_sels r3disable_default_ca_certsrNsR(( + 6 6 + . .O  II5K H / 7r5c|d}|rtjj|syd}d}tj|jrt j |}g}|jD]b}||k(rd}|j||dk(s|ddvr|j|:|s|j|d}|jd |zdt j|d j|d zd yy) z For every entry in the CA_CERT_CONFIG file prefix the entry with a "!" in order to disable it. @param distro_cfg: A hash providing _distro_ca_certs_configs function. rNz;# Modified by cloud-init to deselect certs due to user-dataFTr)#!rR wb)omode) r.r/existsstatst_sizerload_text_file splitlinesappendrBr0)r9ca_cert_cfg_fnheader_comment added_headerorig out_lineslines r3rLrLs 01N !? FL ww~&&"">2 OO% -D~%#   &tAw*4  &#$$^4#'L  t, -  DIIi047t 'r5c|dytjdtj|dtj|dy)z Removes all default trusted CA certificates from the system. @param distro_cfg: A hash providing _distro_ca_certs_configs function. r NzDeleting system CA certificatesr )LOGdebugrdelete_dir_contentsr8s r3rKrKsF .!)II/0Z78Z(<=>r5r!r2cloudargsreturncd|vrtjdddnd|vrtjd|yd|vrd|vrtj d |j d|j d}t |jj}d |vrtjd dd |j d |j d dr5tjdt|jj|d|vrCtj|d}|r+tjdt|t||tjdt|y)au Call to handle ca_cert sections in cloud-config file. @param name: The module name "ca_cert" from cloud.cfg @param cfg: A nested dict containing the entire cloud config contents. @param cloud: The L{CloudInit} object in use. @param log: Pre-initialized Python logger object to use for logging. @param args: Any module arguments from cloud.cfg rzKey 'ca-certs'z22.1zUse 'ca_certs' instead.) deprecateddeprecated_version extra_messagerzrs %  !#<+g!==134 -?I01 -?I01  *5I78 *3A:; ->