U ]I@sdZddlZddlZddlZddlZddlmZddlmZddlm Z ddl m Z m Z mZddlmZddlm Z ddlmZdd lmZeeZGd d d eZd d ZddZddZddZddZdZededddedeedZddZdd Z dS)!zACME AuthHandler.N) challenges)messages)errors)DictListTuple) achallenges) error_handler) interfacesc@sReZdZdZddZdddZdd Zd d Zd d ZddZ ddZ ddZ dS) AuthHandleraACME Authorization Handler for a client. :ivar auth: Authenticator capable of solving :class:`~acme.challenges.Challenge` types :type auth: :class:`certbot.interfaces.IAuthenticator` :ivar acme.client.BackwardsCompatibleClientV2 acme_client: ACME client API. :ivar account: Client's Account :type account: :class:`certbot.account.Account` :ivar list pref_challs: sorted user specified preferred challenges type strings with the most preferred challenge listed first cCs||_||_||_||_dSN)authacmeaccount pref_challs)selfr Z acme_clientrrr6/usr/lib/python3/dist-packages/certbot/auth_handler.py__init__&szAuthHandler.__init__Fc CsJ|jdd}|std||}|s.|St|j|zJ|j|}t dt j tj}|jrt j tjj}|dddWn<tjk r} zt dt d| W5d} ~ XYnXt|t|kstd t||D]\} } |j| j| q||||d d |D} | s0td | W5QRSQRXdS) aT Retrieve all authorizations, perform all challenges required to validate these authorizations, then poll and wait for the authorization to be checked. :param acme.messages.OrderResource orderr: must have authorizations filled in :param bool best_effort: if True, not all authorizations need to be validated (eg. renew) :param int max_retries: maximum number of retries to poll authorizations :returns: list of all validated authorizations :rtype: List :raises .AuthorizationError: If unable to retrieve all authorizations NzNo authorization to handle.zWaiting for verification...z\Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about challenges.T)pausez!Failure in setting up challenges.z0Attempting to clean up outstanding challenges...z(Some challenges have not been performed.cSsg|]}|jjtjkr|qSrbodystatusrZ STATUS_VALID.0authzrrrr ^sz5AuthHandler.handle_authorizations..zAll challenges have failed.)authorizationsrAuthorizationError_choose_challengesr Z ExitHandler_cleanup_challengesr Zperformloggerinfozope component getUtilityr ZIConfigZdebug_challengesZIDisplayZ notificationcriticallenAssertionErrorziprZanswer_challengechallb_poll_authorizations) rorderr best_effort max_retriesauthzrsachallsZrespsZconfigZnotifyerrorachallrespZauthzrs_validatedrrrhandle_authorizations-s8         z!AuthHandler.handle_authorizationsc Csdd|jD}g}g}|D]^}z|j|}||Wqtjk rx}z||td|j|W5d}~XYqXq||fS)a~ Deactivate all `valid` authorizations in the order, so that they cannot be re-used in subsequent orders. :param messages.OrderResource orderr: must have authorizations filled in :returns: tuple of list of successfully deactivated authorizations, and list of unsuccessfully deactivated authorizations. :rtype: tuple cSsg|]}|jjtjkr|qSrrrrrrrosz?AuthHandler.deactivate_valid_authorizations..z)Failed to deactivate authorization %s: %sN) rrZdeactivate_authorizationappend acme_errorsErrorr"debugZuri)rr-Z to_deactivateZ deactivatedZfailedrerrrdeactivate_valid_authorizationses   $z+AuthHandler.deactivate_valid_authorizationsc s$ddt|D}g}d}t|D]}|dkr8t|fdd|D}|D]\}\} }| ||<qVdd|D} | D]} td| jj j q| | d d|D}|sqt fd d |D} | t j }q"|rt|jj|std |r td dS)a Poll the ACME CA server, to wait for confirmation that authorizations have their challenges all verified. The poll may occur several times, until all authorizations are checked (valid or invalid), or after a maximum of retries. cSsi|]\}}||dfqSr r)rindexrrrr sz4AuthHandler._poll_authorizations..rcs"i|]\}\}}|j|qSr)rZpoll)rr<r_rrrr=s cSs"g|]\}}|jjtjkr|qSr)rrrZSTATUS_INVALID)rrr?rrrrsz4AuthHandler._poll_authorizations..zChallenge failed for domain %scSs,i|]$\}\}}|jjtjkr|||fqSr)rrrZSTATUS_PENDING)rr<rr4rrrr=s c3s |]\}}j|dVqdS)N)r retry_after)rr?r4r@rr sz3AuthHandler._poll_authorizations..zSome challenges have failed.z0All authorizations were not finalized by the CA.N) enumeraterangetimesleepitemsvaluesr"Zwarningr identifiervalueextendmaxdatetimeZnowZ total_seconds_report_failed_authzrsrkeyrr) rr0r/r.Zauthzrs_to_checkZauthzrs_failed_to_reportZ sleep_secondsr?r<rZauthzrs_failedZ authzr_failedrBrr@rr,~sD       z AuthHandler._poll_authorizationscCsdd|D}g}|r td|D]f}|jj}|jjdkrF|jj}ntddtt |D}t || |jj j |}||||q$|S)z Retrieve necessary and pending challenges to satisfy server. NB: Necessary and already validated challenges are not retrieved, as they can be reused for a certificate issuance. cSsg|]}|jjtjkr|qSrrrrrrrsz2AuthHandler._choose_challenges..z$Performing the following challenges:r>css|] }|fVqdSr r)rirrrrCsz1AuthHandler._choose_challenges..)r"r#rrrZ acme_version combinationstuplerEr(gen_challenge_path_get_chall_prefrJrKrL_challenge_factory)rr0Zpending_authzrsr1rZauthzr_challengesrRpathrrrr s    zAuthHandler._choose_challengescCsng}|j|}|jr`tdd|D}|jD]}||kr.|tjj|q.|rV|St d| ||S)z{Return list of challenge preferences. :param str domain: domain for which you are requesting preferences css|] }|jVqdSr )typ)rchallrrrrCsz.AuthHandler._get_chall_pref..zENone of the preferred challenges are supported by the selected plugin) r Zget_chall_prefrsetr6rZ ChallengeZTYPESrrrL)rdomainZ chall_prefsZ plugin_prefZplugin_pref_typesrXrrrrUs   zAuthHandler._get_chall_prefcCstd|j|dS)zCleanup challenges. :param achalls: annotated challenges to cleanup :type achalls: `list` of :class:`certbot.achallenges.AnnotatedChallenge` zCleaning up challengesN)r"r#r Zcleanup)rr1rrrr!s zAuthHandler._cleanup_challengescCs:g}|D],}|jj|}|t||jj|jjjq|S)aiConstruct Namedtuple Challenges :param messages.AuthorizationResource authzr: authorization :param list path: List of indices from `challenges`. :returns: achalls, list of challenge type :class:`certbot.achallenges.Indexed` :rtype: list :raises .errors.Error: if challenge type is not recognized )rrr6challb_to_achallrrPrJrK)rrrWr1r<r+rrrrVs zAuthHandler._challenge_factoryN)Fr) __name__ __module__ __qualname____doc__rr5r;r,r rUr!rVrrrrr s 8< r cCsb|j}td|j|t|tjr2tj|||dSt|tj rLtj ||dSt d |jdS)a:Converts a ChallengeBody object to an AnnotatedChallenge. :param .ChallengeBody challb: ChallengeBody :param .JWK account_key: Authorized Account Key :param str domain: Domain of the challb :returns: Appropriate AnnotatedChallenge :rtype: :class:`certbot.achallenges.AnnotatedChallenge` z%s challenge for %s)r+r[ account_key)r+r[z+Received unsupported challenge of type: {0}N) rYr"r#rX isinstancerZKeyAuthorizationChallengerZ"KeyAuthorizationAnnotatedChallengeZDNSrr8format)r+rar[rYrrrr\ s    r\cCs|rt|||St||S)aGenerate a plan to get authority over the identity. .. todo:: This can be possibly be rewritten to use resolved_combinations. :param tuple challbs: A tuple of challenges (:class:`acme.messages.Challenge`) from :class:`acme.messages.AuthorizationResource` to be fulfilled by the client in order to prove possession of the identifier. :param list preferences: List of challenge preferences for domain (:class:`acme.challenges.Challenge` subclasses) :param tuple combinations: A collection of sets of challenges from :class:`acme.messages.Challenge`, each of which would be sufficient to prove possession of the identifier. :returns: tuple of indices from ``challenges``. :rtype: tuple :raises certbot.errors.AuthorizationError: If a path cannot be created that satisfies the CA given the preferences and combinations. )_find_smart_path_find_dumb_path)challbs preferencesrRrrrrT%s rTc Csi}d}t|D]\}}|||<||7}qd}|}d} |D]:} | D]} | ||| jj|7} qB| |krp| }| }d} q:|st||S)zFind challenge path with server hints. Can be called if combinations is included. Function uses a simple ranking system to choose the combo with the lowest cost. r>Nr)rDgetrY __class___report_no_chall_path) rfrgrRZ chall_costZmax_costrQZ chall_clsZ best_comboZbest_combo_costZ combo_totalZcomboZchallenge_indexrrrrdDs, rdcsJg}t|D]8\}tfdd|Dd}|r<||q t|q |S)zFind challenge path without server hints. Should be called if the combinations hint is not included by the server. This function either returns a path containing all challenges provided by the CA or raises an exception. c3s|]}tj|rdVqdS)TN)rbrY)rZpref_cr+rrrCts z"_find_dumb_path..F)rDnextr6rj)rfrgrWrQZ supportedrrkrreis  recCsBd}t|dkr*t|djtjr*|d7}t|t|dS)zLogs and raises an error that no satisfiable chall path exists. :param challbs: challenges from the authorization that can't be satisfied zyClient with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.r>rzM You may need to use an authenticator plugin that can do challenges over DNS.N) r(rbrYrZDNS01r"r'rr)rfmsgrrrrj~s rjzTo fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.a Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.ze Additionally, if you have DNSSEC enabled for your domain, please ensure that the signature is valid.zTo fix these errors, please make sure that you did not provide any invalid information to the client, and try running Certbot again.zoUnfortunately, an error on the ACME server prevented you from completing authorization. Please try again later.z Additionally, please check that you have an up-to-date TLS configuration that allows the server to communicate with the Certbot client.)Z connectionZdnssecZ malformedZserverInternalZtlsZ unauthorizedZ unknownHostcshi}fdd|D}|D]}||jjg|qtjtj}| D]}| t ||j qLdS)z.Notifies the user about failed authorizations.cs2g|]*}|jjD]}|jrt||jjjqqSr)rrr2r\rJrK)rrr+rarrrs  z*_report_failed_authzrs..N) setdefaultr2rXr6r$r%r&r Z IReporterrIZ add_message_generate_failed_chall_msgZMEDIUM_PRIORITY)Zfailed_authzrsraZproblemsfailed_achallsr3Zreporterr1rrnrrOs  rOcCst|dj}|j}t|r |j}dg}|D]}|d|j||jjfq*|tkrj|d|t|d |S)aCreates a user friendly error message about failed challenges. :param list failed_achalls: A list of failed :class:`certbot.achallenges.AnnotatedChallenge` with the same error type. :returns: A formatted error message for the client. :rtype: str rz1The following errors were reported by the server:z" Domain: %s Type: %s Detail: %sz ) r2rXrZ is_acme_errorcoder6r[Zdetail _ERROR_HELPjoin)rqr2rXrmr3rrrrps    rp)!r`ZloggingrFrNZzope.componentr$rrrrr7Zacme.magic_typingrrrZcertbotrr r Z getLoggerr]r"objectr r\rTrdrerjZ_ERROR_HELP_COMMONrtrOrprrrrs@        x%