cc_ca_certs (compiled from /usr/lib/python3/dist-packages/cloudinit/config/cc_ca_certs.py)

CA Certs: Add ca certificates.

Imports: os; logging (Logger); textwrap (dedent); cloudinit (subp, util); cloudinit.cloud (Cloud); cloudinit.config (Config); cloudinit.config.schema (MetaSchema, get_meta_doc); cloudinit.settings (PER_INSTANCE)

DEFAULT_CONFIG:
    ca_cert_path:        /usr/share/ca-certificates/
    ca_cert_filename:    cloud-init-ca-certs.crt
    ca_cert_config:      /etc/ca-certificates.conf
    ca_cert_system_path: /etc/ssl/certs/
    ca_cert_update_cmd:  update-ca-certificates

DISTRO_OVERRIDES (rhel):
    ca_cert_path:        /usr/share/pki/ca-trust-source/
    ca_cert_filename:    anchors/cloud-init-ca-certs.crt
    ca_cert_system_path: /etc/pki/ca-trust/
    ca_cert_update_cmd:  update-ca-trust

MODULE_DESCRIPTION:
    This module adds CA certificates to ``/etc/ca-certificates.conf`` and updates
    the ssl cert cache using ``update-ca-certificates``. The default certificates
    can be removed from the system with the configuration option
    ``remove_defaults``.

    .. note::
        certificates must be specified using valid yaml. in order to specify a
        multiline certificate, the yaml multiline list syntax must be used

    .. note::
        For Alpine Linux the "remove_defaults" functionality works if the
        ca-certificates package is installed but not if the
        ca-certificates-bundle package is installed.

meta:
    id:          cc_ca_certs
    name:        CA Certificates
    title:       Add ca certificates
    description: MODULE_DESCRIPTION
    distros:     alpine, debian, ubuntu, rhel
    frequency:   PER_INSTANCE
    activate_by_schema_keys: ca_certs, ca-certs
    examples:
        ca_certs:
          remove_defaults: true
          trusted:
            - single_line_cert
            - |
              -----BEGIN CERTIFICATE-----
              YOUR-ORGS-TRUSTED-CA-CERT-HERE
              -----END CERTIFICATE-----

_distro_ca_certs_configs(distro_name)
    Return a distro-specific ca_certs config dictionary

    @param distro_name: String providing the distro class name.
    @returns: Dict of distro configurations for ca-cert.

update_ca_certs(distro_cfg)
    Updates the CA certificate cache on the current machine.

    @param distro_cfg: A hash providing _distro_ca_certs_configs function.

add_ca_certs(distro_cfg, certs)
    Adds certificates to the system. To actually apply the new certificates
    you must also call L{update_ca_certs}.

    @param distro_cfg: A hash providing _distro_ca_certs_configs function.
    @param certs: A list of certificate strings.

update_cert_config(distro_cfg)
    Update Certificate config file to add the file path managed cloud-init

    @param distro_cfg: A hash providing _distro_ca_certs_configs function.

remove_default_ca_certs(distro_name, distro_cfg)
    Removes all default trusted CA certificates from the system. To actually
    apply the change you must also call L{update_ca_certs}.

    @param distro_name: String providing the distro class name.
    @param distro_cfg: A hash providing _distro_ca_certs_configs function.

    debconf selection passed to "debconf-set-selections -":
        ca-certificates ca-certificates/trust_new_crts select no

handle(name, cfg, cloud, log, args) -> None
    Call to handle ca-cert sections in cloud-config file.

    @param name: The module name "ca-cert" from cloud.cfg
    @param cfg: A nested dict containing the entire cloud config contents.
    @param cloud: The L{CloudInit} object in use.
    @param log: Pre-initialized Python logger object to use for logging.
    @param args: Any module arguments from cloud.cfg

    Log message:
        DEPRECATION: key 'ca-certs' is now deprecated. Use 'ca_certs' instead.