a

�/�h�X�@sjdd
lZdd
l
Z
dd
lZdd
lZdd
lZdd
lZdd
lZdd
lZdd
l	Z	dd
l
Z
ddlmZ
ddl
mZmZmZmZmZ
ddlmZ
ddlmZ
ddlmZ
ddlmZ
ddlmZmZ
dd	lmZ
dd
l m!Z!
ddl"m#Z#m$Z$
ddl%m&Z&
dd
l'm(Z(m)Z)m*Z*
ddl+m,Z,
ddl-m.Z.m/Z/
ddl0m1Z1m2Z2
ddl3m4Z4
e�5d�
Z6ed�
dd�Z7ee8d�
dd�Z9Gdd�de)�Z:dddd�ej;�
Z;Gdd�de2�Z<Gd d!�d!ej=�Z>e8e?ee8ee8fd"�d#d$�Z@ee8e8ee8e?ee8ee8fd%�d&d'�ZAee8ee8e?ee8ee8fd(�d)d*�ZBGd+d,�d,e,�ZCGd-d.�d.e1�ZDd
d�
d/d0�ZEd
d�
d1d2�ZFeGd3k�rfeF�
d
S)4�N)
�Path)�Dict�Iterable�Literal�Optional�Sequence)
�	polyfills)
�ferny)
�
bootloader)
�BridgeBeibootHelper)�parse_os_release�
setup_logging)
�ChannelRoutingRule)
�PackagesChannel)�
JsonObject�get_str)
�supported_oses)�Packages�PackagesLoader�patch_libexecdir)
�Peer)�CockpitProblem�CockpitProtocolError)�Router�RoutingRule)
�StdioTransportzcockpit.beiboot�
�returnc	Cs�tj
�tj�
d
}|��}
tj�d�
}|dur:tj	�
d�
}tj|dd�
t|d�}t
�d|�
z:|��|
krzt
�d	�

t�
|��jd
@s�t
�d�

t�
Wn4ttfy�


t
�d�

|�|
�

|�d
�

Yn0|S)z�Create askpass executable

    We need this for the flatpak: ssh and thus the askpass program run on the host (via flatpak-spawn),
    not the flatpak. Thus we cannot use the shipped cockpit-askpass program.
    zinteraction_client.pyZXDG_CACHE_HOMENz~/.cacheT)
�exist_okzcockpit-client-askpasszChecking if %s exists...z.  ... it exists but is not the same version...�@z;  ... it has the correct contents, but is not executable...z  ... writing contents.i�
)�	importlibZ	resources�filesr	�__name__�
read_bytes�os�environ�get�path�
expanduser�makedirsr�logger�debug�
ValueError�stat�st_mode�FileNotFoundError�write_bytes�chmod)Zsrc_pathZsrc_dataZxdg_cache_homeZ	dest_path�r2�3/usr/lib/python3.9/site-packages/cockpit/beiboot.py�ensure_ferny_askpass1s(



















r4ccs<t�
�D].}|jD]"}
|
jd
vrt|
jt�r|
jV
qqdS)N)�path-exists�path-not-exists)rZload_manifestsZ
conditions�name�
isinstance�value�str)Zmanifest�	conditionr2r2r3�get_interesting_filesSs




r<c@sFeZ
dZUeeefed
<eeed�dd�Zeeefd�
dd�Z	dS)	�ProxyPackagesLoader�file_status)r;r9rcCsJt|t
�sJ�
||jvsJ�
|
d
kr.|j|S|
dkrB|j|St�
dS)Nr5r6)r8r:r>�KeyError)�selfr;r9r2r2r3�check_condition]s





z#ProxyPackagesLoader.check_condition�
r>cCs
|
|_dS�
NrB)r@r>r2r2r3�__init__hs
zProxyPackagesLoader.__init__N)
r"�
__module__�__qualname__rr:�bool�__annotations__�objectrArDr2r2r2r3r=Zs

r=z�
    import os
    def report_exists(files):
        command('cockpit.report-exists', {name: os.path.exists(name) for name in files})
    z�
    import os
    def check_os_release(_argv):
        try:
            with open('/etc/os-release') as f:
                command('cockpit.check-os-release', f.read())
        except OSError:
                command('cockpit.check-os-release', "")
    z�
    import os
    def force_exec(argv):
        try:
            os.execvp(argv[0], argv)
        except OSError as e:
            command('cockpit.fail-no-cockpit', str(e))
    )�
report_exists�check_os_release�
force_execcsJeZ
dZUd
ed<ed�
�f
dd�Zed
d�dd�Zd	d
�
dd�Z�Z	S)
�DefaultRoutingRulezPeer | None�peer)
�routercst��
|
�

dSrC)�superrD)r@rO�
�	__class__r2r3rD�s
zDefaultRoutingRule.__init__)�optionsrc
Cs|jSrC)
rN)r@rSr2r2r3�
apply_rule�s
zDefaultRoutingRule.apply_ruleNrc

Cs|jdu
r|j�
�
dSrC)rN�close�
r@r2r2r3�shutdown�s


zDefaultRoutingRule.shutdown)
r"rErFrHrrDrrTrW�
__classcell__r2r2rQr3rM�s

rMc@s`eZ
dZUd
Zeed<eeed�dd�Zeeeeed�dd�Z	ee
eeed	d
�dd�Z
d	S)
�AuthorizeResponder)z
ferny.askpass�cockpit.report-exists�cockpit.fail-no-cockpit�cockpit.check-os-releaserO)rO�basic_passwordcCs|
|_||_
|du
|_dSrC)rOr]�have_basic_password)r@rOr]r2r2r3rD�s


zAuthorizeResponder.__init__)�messages�prompt�hintrc�sv
t�
d
||
|�
|jrHd|��vrH|jdu
rHt�
d|�
|j}d|_|S|dkrTdSt�d|�}t�d|�}i}|r�|r�|�d�
}|dkr�t�
d	|�
d
S|�d|�d�
�d�|d
<|�d�
|d<t�	��dt
�
���}	d|	��}
|
dt�|�
��
��}|jj|f
d|
||dd�|�
�
IdH}|�|
�
�
sBtd|�d|
���
�
|�|
�
��}
t�|
�
��
��}t�
dt|�
�
|S)Nz3AuthorizeResponder: prompt %r, messages %r, hint %rz	password:z=AuthorizeResponder: sending Basic auth password for prompt %rZnonez$\n(\w+) key fingerprint is ([^.]+)\.zauthenticity of host '([^ ]+) �
z	127.0.0.1z,auto-accepting fingerprint for 127.0.0.1: %sZyes�
 z login-datazhost-key��default�
-zX-Conversation F)�timeoutr_r`raZechozAuthorizeResponder: response z does not match challenge zReturning a %d chars response)r*r+r^�lowerr]�re�search�groupr$�getpid�time�base64Z	b64encode�encode�decoderOZrequest_authorization�
startswithr�removeprefix�strip�	b64decode�len)r@r_r`raZreplyZfp_matchZ
host_match�args�hostnameZchallenge_idZchallenge_prefix�	challenge�responseZb64r2r2r3�
do_askpass�sN





















��

�


zAuthorizeResponder.do_askpassN)�commandrv�fds�stderrrc
�s�
t�
d
|
||�
|
dkrJ|\
}tt|�
d�
|j_|jj�dt|jt	g
��
|
dkrbt
d|dd��
|
dk�
r�t|d�
�t�
d	��
t�
d
t�
tD]0}t
�f
dd�|��D�
�
r�t�
d
|�

dSq�t�
d��
z8td�
�}t|���
}Wd�
n1s�0


Y
Wn4t�
y>
}	
zt�d|	�
WYd}	~	dSd}	~	00��d�
|�d�
k�
r|��d�
|�d�
k�
r|t�
d|�
dS��d��dd���d��dd���}
t
d|
d��
dS)NzGot ferny command %s %s %srZ)
�loaderr
r[z
no-cockpit)
�messager\z'cockpit.check-os-release: remote OS: %rz,cockpit.check-os-release: supported OSes: %rc
3s |]\}
}��|
�
|kV
qdSrC)
r&)�.0�
k�
v�
Z	remote_osr2r3�	<genexpr>��z7AuthorizeResponder.do_custom_command.<locals>.<genexpr>z8cockpit.check-os-release: remote matches supported OS %rz$cockpit.check-os-release: remote: %rz/etc/os-releasezIfailed to read local /etc/os-release, skipping OS compatibility check: %sZIDZ
VERSION_IDz7cockpit.check-os-release: remote OS matches local OS %r�NAME�
?rc�)
�unsupported)r*r+rr=rO�packagesZ
routing_rules�insertrrrrr�all�items�open�read�OSErrorZwarningr&)r@r{rvr|r}r>Zosinfo�
fZthis_os�
er�r2r�r3�do_custom_command�s6













.


,

&
z$AuthorizeResponder.do_custom_command)r"rErFZcommandsrrHrr:rDrz�tuple�list�intr�r2r2r2r3rY�s



DrY)�commentrc

Csd
dd|��fdfS)NZpython3z-icz# r2r2)
r�r2r2r3�python_interpreter

s
r�)�cmd�dest�ssh_askpass�ssh_optsrcGs~|
�d
�
\}}}|�
�rN|�d
�
sN|�d�
rB|�d�
rB|dd�}d||g}n|
g
}dg
|�
|�
t�|�
�
Rd|�
�d	d
ffS)N�
:�
[�
]rb���z-pZsshzSSH_ASKPASS=z	DISPLAY=xzSSH_ASKPASS_REQUIRE=force)�
rpartition�isdigit�endswithrq�shlex�join)r�r�r�r��host�
_�port�destinationr2r2r3�via_ssh
s&


�
�
�
�
��r��r��envrcCs d
dgdd�|
D�
�
|�
RdfS)Nz
flatpak-spawnz--hostc
ss|]}
d|
��V
qd
S)z--env=Nr2)r�Zkvr2r2r3r�'
r�z flatpak_spawn.<locals>.<genexpr>r2r2)r�r�r2r2r3�
flatpak_spawn$
s����r�cs�eZ
dZUd
ed<eeejd��f
dd�Zdd�
dd	�Z	dd�
d
d�Z
dd�
dd
�Zeeeedd�dd�Z
dd�
dd�Zedd�dd�Z�ZS)�SshPeerzMLiteral["always"] | Literal["never"] | Literal["supported"] | Literal["auto"]�mode)rOr�rvcs@||_|j
|_
t��|_t|jj�
d
|_d|_t	��
|
�

dS)Nzuser-known-hosts)r��
remote_bridge�tempfileZTemporaryDirectoryZtmpdirrr7�known_hosts_filer]rPrD)r@rOr�rvrQr2r3rD0
s






zSshPeer.__init__Nrc

�s.tj
�d
�
r|��IdH
n|��IdH
dS)Nz/.flatpak-info)r$r'�exists�connect_from_flatpak�connect_from_bastion_hostrVr2r2r3�do_connect_transport8
s
zSshPeer.do_connect_transportc
�sNtd
�
\}
}|j
dkr*t|
|j
t��\}
}t|
|�\}
}|�|
|�IdH
dS)N�cockpit-bridgeZ	localhost)r�r�r�r4r��boot)r@r�r�r2r2r3r�?
s

zSshPeer.connect_from_flatpakc
�sX
d}
d
dg}|j�
d�
IdH}t|d�}|�d�
r�t�|dd��
��}|�d�
\}}}
|�d�
\}}|_|r�t	�
d	|�
|d
|g7}|jdur�|d
dg7}td�
\}	}
td
�
}t
|t�s�J�
t|�
}|��s�t	�d|�
t�d�
}
|
du
r�|d
d|
��g7}|
du
�
r(|j�|
�

|d
d|j�
�g7}t|	|j|g|�
R�\}	}
|�|	|
�IdH
dS)Nz-ozNumberOfPasswordPrompts=1�
*ryzBasic ��
r�z,got username %s and password from Basic authz-lzPasswordAuthentication=nor�z${libexecdir}/cockpit-askpassz+Could not find cockpit-askpass helper at %rZCOCKPIT_SSH_KNOWN_HOSTS_FILEzGlobalKnownHostsFile=zUserKnownHostsfile=)rOZrequest_authorization_objectrrqrnrtrp�	partitionr]r*r+r�rr8r:rr��errorr$�getenvr��
write_textr�r�r�)r@�known_hostsrvZauthryZdecodedZ
user_passwordr��userr�r�Zaskpassr�Zenv_known_hostsr2r2r3r�L
s6






















z!SshPeer.connect_from_bastion_hostr�c�s�t|�
}t
�t|j|j�|g�
}t�d
|
|�
|j|
||dd�IdH}|j	dkr`ddg
f
fg
}nN|j	dkrzddg
f
fg
}n4|j	d	kr�ddg
f
fd
gf
fg}n|j	dks�J�
g}t
jg|�
dtt
��
g
f�
|j�
td
�}|�|���

|��IdH
dS)Nz Launching command: cmd=%s env=%sT)r}Zstart_new_session�autoZtry_execr��alwaysrL�	supportedrK�neverrJ)
Zgadgets)rr	ZInteractionAgentrYrOr]r*r+Zspawnr�r
Zmake_bootloaderr�r<Zsteps�BEIBOOT_GADGETS�writero�communicate)r@r�r�Zbeiboot_helperZagentZ	transportZexec_cockpit_bridge_stepsZstage1r2r2r3r�u
s.











����zSshPeer.bootc

Cs
d|_dSrC)
r]rVr2r2r3�do_superuser_init_done�
s
zSshPeer.do_superuser_init_done)rrcCs|t�
d
|
|jdu
�
t|
d��d�
r^t|
d�}|jdu
r^t�
d�

|jd||jd�
d|_dSt�
d�

|jd|d	d
�
dS)Nz*SshPeer.do_authorize: %r; have password %srxzplain1:�cookiez-SshPeer.do_authorize: responded with password�	authorize)r{r�ryz0SshPeer.do_authorize: authentication-unavailablezauthentication-unavailable)r{r��problem)r*r+r]rrq�
write_control)r@rr�r2r2r3�do_authorize�
s












zSshPeer.do_authorize)r"rErFrHrr:�argparse�	NamespacerDr�r�r�rr�r�rr�rXr2r2rQr3r�-
s


)r�cs\eZ
dZUd
Zeeed<eed<ej	d�
�f
dd�Z
dd�Zd	d
�Zd
d�
dd
�Z
�ZS)�	SshBridgeNr��ssh_peer)
rvcs2t|�
}t
��|g
�

t||
j|
�|_|j|_dSrC)rMrPrDr�r�r�rN)r@rvZrulerQr2r3rD�
s

zSshBridge.__init__c


CsdSrCr2rVr2r2r3�do_send_init�
s
zSshBridge.do_send_initcCst�
d
|
�
|j�|
�

dS)NzSshBridge.do_init: %r)r*r+r�r�)r@rr2r2r3�do_init�
s
zSshBridge.do_initrc

Cs|j�
|j�

dSrC)r�Zadd_done_callbackrUrVr2r2r3�
setup_session�
szSshBridge.setup_session)r"rErFr�rrrHr�r�r�rDr�r�r�rXr2r2rQr3r��
s


r�c

�sdt�
d
�

t|�
}
tt��|
�
z�t|
j��IdH�
}|
jj	�
�r`|
jdddd|
jj	��i
d�
|�
di�}t|t�s�|
jdd	d
d�
WdSt|t�s�J�
d|d
<|
jr�t�|
jj�
|d<|
�|�

|
j��
W�
nRtj�
y�
}
z�tj�t|�
�
}t�
d||�
t|tj��
rd}nRt|tj��
r,d}n>t|tj��
r@d}n*t|t��
rRd}nt|tj��
rfd}nd}|
jj	�
��
r�|
jd|t|�
|
jj	��d�
n|
jd|t|�
d�
WYd}~dSd}~0t�y
}
z*t�
d|�
|
j|jdd�
WYd}~dSd}~0tj�y$


t�
d�

YdS0t�
d�

|
��
z|
� �IdH
Wnt!�y^


Yn0dS)NzHi. How are you today?r�zx-login-datarfzknown-hosts)r{rxr�Z
login_data�capabilities�initzprotocol-errorzcapabilities must be a dict)r{r�rTzexplicit-superuserr�z.ferny.InteractionError: %s, interpreted as: %rzauthentication-failedzinvalid-hostkeyzunknown-hostkeyzunknown-hostzinternal-error)r{r�rr�zCockpitProblem: %s)
r{z"Peer bridge got cancelled, exitingz/Startup done.  Looping until connection closes.)"r*r+r�r�asyncioZget_running_loop�dictr��startr�r�r��	read_text�
setdefaultr8r��fromkeysZ
thaw_endpointr	ZInteractionErrorZ
ssh_errorsZget_exception_for_ssh_stderrr:ZSshAuthenticationErrorZSshChangedHostKeyErrorZSshHostKeyErrorr�ZSshErrorr�attrsZCancelledErrorr�r��BrokenPipeError)rvZbridgerr��excr�r�r2r2r3�run�
sl






��























�













r�cCsrt�
�
tjd
d�
}|jdgd�
ddd�
|jdd	d
�
|jddd
�
|��}
t|
jd�

tj	t	|
�
|
jd�
dS)Nz@cockpit-bridge is run automatically inside of a Cockpit session.)
�descriptionz--remote-bridge)r�r�r�r�r�z�How to run cockpit-bridge from the remote host: auto: if installed (default), never: always copy the local one; supported: if not installed, copy local one for compatible OSes, fail otherwise; always: fail if not installed)�choicesre�helpz--debug�
store_true)
�actionr�z5Name of the remote host to connect to, or 'localhost')
r�)
r+)
r�installr��ArgumentParser�add_argument�
parse_argsr
r+r�r�)�parserrvr2r2r3�mains


�

r��__main__)Hr�r�rnZimportlib.resourcesr Zloggingr$rir�r�rm�pathlibr�typingrrrrrZcockpitrZcockpit._vendorr	Zcockpit._vendor.beir
Zcockpit.beipackrZcockpit.bridgerr
Zcockpit.channelrZcockpit.channelsrZcockpit.jsonutilrrZcockpit.osinforZcockpit.packagesrrrZcockpit.peerrZcockpit.protocolrrZcockpit.routerrrZcockpit.transportsrZ	getLoggerr*r4r:r<r=r�rMZAskpassHandlerrYr�r�r�r�r�r�r�r�r"r2r2r2r3�<module>s\
























"	��u **	vG