M/e dZddlZddlZddlZddlZddlZddlZddlmZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z dd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlZddlmZddlmZddlmZddlmZddlmZej<eZ GddZ!dee"de efdZ# dHde ede e ege$fde e ee e%gdfdee e%ddf dZ&de"de e"deee"ee"ffd Z'de"d!e"de$fd"Z(de"d!e"d#e$de$fd$Z)de"d!e"de$fd%Z*dede$fd&Z+dede$fd'Z,d(e ed)e$d*eddfd+Z-d(e ed)e$d*eddfd,Z.d-Z/d.d/e/d0d1hZ0d2Z1d3d4e1gZ2d*ed5e%ddfd6Z3d*ed5e%d7e"ddfd8Z4 dHd*ed9e"d:ee ege$fdee%fd;Z5dZ7d*edNginxParser is a member object of the NginxConfigurator class.N)Any)Callable)cast)Dict)Iterable)List)Mapping)Optional)Sequence)Set)Tuple)Union)errors)os) nginxparser)obj) UnspacedListc eZdZdZdeddfdZd+dZdeddfdZd edefd Zde e eefe ffd Z de ee eeefffd Zdeej&fd Zdeej&ddfdZdedefdZd,dede deefdZdefdZd-dede ddfdZdede eeffdZdej&de fdZ d,dej&deede ddfdZ d,dej&deede ddfdZ d.dej&d ed!ee ege fddfd"Z!dej&d#eddfd$Z"dej&d%e eegdfddfd&Z# d/d'ej&d(e d)eeedej&fd*Z$y)0 NginxParserzClass handles the fine details of parsing the Nginx Configuration. :ivar str root: Normalized absolute path to the server root directory. Without trailing slash. :ivar dict parsed: Mapping of file paths to parsed trees rootreturnNci|_tjj||_|j |_|jyN)parsedrpathabspathr_find_config_root config_rootload)selfrs @/usr/lib/python3/dist-packages/certbot_nginx/_internal/parser.py__init__zNginxParser.__init__)s9/1 GGOOD) 113 cHi|_|j|jy)z/Loads Nginx files into a parsed tree. N)r_parse_recursivelyr)r s r!rzNginxParser.load3s   0 01r#filepathc|j|}|j|}|D]}|D]}t|r|j|d#|ddgk(s |ddgk(s6|dD]`}t|r|j|d#|ddgk(s-|ddgk(s7|dD]"}t|s|j|d$by)aParses nginx config files recursively by looking at 'include' directives inside 'http' and 'server' blocks. Note that this only reads Nginx files that potentially declare a virtual host. :param str filepath: The path to the files to parse, as a glob rhttpserverN)abs_path _parse_files_is_include_directiver%)r r&treestreeentrysubentry server_entrys r!r%zNginxParser._parse_recursively:s==*!!(+ MD M(/++E!H51X&)U1X(-C$)!HM0: 33HQK@"1X&1hqkhZ6O19 M #8#F$($;$;LO$LM M  M Mr#rc tjj|sGtjjtjj |j |Stjj|S)zConverts a relative path to an absolute path relative to the root. Does nothing for paths that are already absolute. :param str path: The path :returns: The absolute path :rtype: str )rrisabsnormpathjoinr)r rs r!r+zNginxParser.abs_pathVsQww}}T"77##BGGLLD$AB Bww%%r#c|j}i}|jD]Z}|D]S\}}t|}|dD];}|j}||vr|j||<|jxs||||<=U\|S)zSBuilds a map from address to whether it listens on ssl in any server block addrs)_get_raw_serversvalues_parse_server_rawnormalized_tuplessl) r servers addr_to_ssl server_listr*_ parsed_serveraddr addr_tuples r!_build_addr_to_sslzNginxParser._build_addr_to_sslcs'')35 ">>+ RK( R  1& 9 )'2RD!%!6!6!8J!426(( J/.2hh.Q+j:QK + R R Rr#ci}|jjD]T\}}g||<||t|dfdt||D]#\}\}}|j |}||f|||<%V|S)z0Get a map of unparsed all server blocks c4t|dk\xr |ddgk(S)Nrr*len)xs r!z.NginxParser._get_raw_servers..~sSVq[-OQqThZ=Or#c0j|d|fS)Nr()append)rKysrvs r!rLz.NginxParser._get_raw_servers..s#**adAY*?r#)ritems_do_for_subarray enumerate_get_included_directives) r r>filenamer/ir*r new_serverrPs @r!r9zNginxParser._get_raw_serverstsJL"kk//1 :NHd "GH (#C T#O? A&/wx/@%A :!>FD!::6B (2D'9!!$ : :r#c d}|j}g}|jD]O\}}|D]E\}}t|}tj||d|d||d||} |j | GQ|j ||S)aGGets list of all 'virtual hosts' found in Nginx configuration. Technically this is a misnomer because Nginx does not have virtual hosts, it has 'server blocks'. :returns: List of :class:`~certbot_nginx._internal.obj.VirtualHost` objects found in configuration :rtype: list Tr8r=names)r9rQr;r VirtualHostrN_update_vhosts_addrs_ssl) r enabledr>vhostsrUr@r*rrBvhosts r! get_vhostszNginxParser.get_vhostss'')%,]]_ % !Hk + % !2& 9 (5g(>(5e(<(/(5g(>(.(, . e$ % % %%f- r#r]c|j}|D]?}|jD].}||j|_|js(d|_0Ay)zPUpdate a list of raw parsed vhosts to include global address sslishness TN)rEr8r<r=)r r]r?r^rCs r!r[z$NginxParser._update_vhosts_addrs_sslsW--/  %E  %&t'<'<'>?88 $EI % %r#blockctj|}|D][}t|stj|j |d}|D]!} |j |j |#]|S#t$rY3wxYw)zReturns array with the "include" directives expanded out by concatenating the contents of the included file to the block. :param list block: :rtype: list r()copydeepcopyr-globr+extendrKeyError)r raresult directiveincluded_filesincls r!rTz$NginxParser._get_included_directivessu% I$Y/!%MM)A,/"1*D dkk$&78   $sA88 BBoverridectj|}g}|D]j}||jvr|s tj|dd5}t j |}||j|<|j |dddl|S#1swY xYw#t$rtjd|Yt$rtjd|Ytj$r!}tjd||Yd}~d}~wwxYw)zParse files from a glob :param str filepath: Nginx config file path :param bool override: Whether to parse a file that has been parsed :returns: list of parsed tree structures :rtype: list rutf-8encodingNzCould not open file: %sSCould not read file: %s due to invalid character. Only UTF-8 encoding is supported."Could not parse file: %s due to %s) rerioopenrrrNIOErrorloggerwarningUnicodeDecodeError pyparsingParseException) r r&rlfilesr.item_filererrs r!r,zNginxParser._parse_filess (# PDt{{"8 PWWT39)U(--e4F(.DKK%LL()  P  )) @8$?% 3 ,-13++ PCT3OO Ps;B6B =B B BD 6D D (DD c&dg}|D]u}tjjtjj|j|sKtjj|j|cSt j d)z)Return the Nginx Configuration Root file.z nginx.confz9Could not find Nginx root configuration file (nginx.conf))rrisfiler6rrNoInstallationError)r locationnames r!rzNginxParser._find_config_rootsn > 5Dww~~bggll499d;<ww||DIIt44 5(( GI Ir#extlazyc|jjD]\}}|r |tjjz|z}t |t std|d |r|js[tj|}tjd||tj|dd5}|j|dddy#1swY xYw#t $rtj#d|YwxYw) zDumps parsed configurations into files. :param str ext: The file extension to use for the dumped files. If empty, this overrides the existing conf files. :param bool lazy: Only write files that have been modified z Error tree z is not an UnspacedListz!Writing nginx conf tree to %s: %swrorpNz#Could not open file for writing: %s)rrQrrextsep isinstancer ValueErroris_dirtyrdumpsrwdebugrtruwriterverror)r rrrUr/outr~s r!filedumpzNginxParser.filedumps#kk//1 NNHd#bggnn4s:dL1 ;tf4K!LMM N !''- A8SQWWXsW=%KK$% N%% N BHM Ns1#C#6AC#:C C#C C##DDr*cT|j}t|}t|||S)zParses a list of server directives, accounting for global address sslishness. :param list server: list of directives in a server block :rtype: dict )rEr;_apply_global_addr_ssl)r r*r?rBs r! parse_serverzNginxParser.parse_servers, --/ )&1 {M:r#r^cJ|j}|D]}|st|syy)zDoes vhost have ssl on for all ports? :param :class:`~certbot_nginx._internal.obj.VirtualHost` vhost: The vhost in question :returns: True if 'ssl on' directive is included :rtype: bool TF)raw_is_ssl_on_directive)r r^r*ris r!has_ssl_on_directivez NginxParser.has_ssl_on_directives2 I#I.   r# directives insert_at_topcZ|j|tjt||y)aAdd directives to the server block identified by vhost. This method modifies vhost to be fully consistent with the new directives. ..note :: It's an error to try and add a nonrepeatable directive that already exists in the config block with a conflicting value. ..todo :: Doesn't match server blocks whose server_name directives are split across multiple conf files. :param :class:`~certbot_nginx._internal.obj.VirtualHost` vhost: The vhost whose information we use to match on :param list directives: The directives to add :param bool insert_at_top: True if the directives need to be inserted at the top of the server block instead of the bottom N)_modify_server_directives functoolspartial_add_directivesr r^rrs r!add_server_directivesz!NginxParser.add_server_directives%s'& &&u   oz= I Kr#cZ|j|tjt||y)a\Add or replace directives in the server block identified by vhost. This method modifies vhost to be fully consistent with the new directives. ..note :: When a directive with the same name already exists in the config block, the first instance will be replaced. Otherwise, the directive will be appended/prepended to the config block as in add_server_directives. ..todo :: Doesn't match server blocks whose server_name directives are split across multiple conf files. :param :class:`~certbot_nginx._internal.obj.VirtualHost` vhost: The vhost whose information we use to match on :param list directives: The directives to add :param bool insert_at_top: True if the directives need to be inserted at the top of the server block instead of the bottom N)rrr_update_or_add_directivesrs r!update_or_add_server_directivesz+NginxParser.update_or_add_server_directives;s(( &&u   7] S Ur#directive_name match_funccZ|j|tjt||y)alRemove all directives of type directive_name. :param :class:`~certbot_nginx._internal.obj.VirtualHost` vhost: The vhost to remove directives from :param string directive_name: The directive type to remove :param callable match_func: Function of the directive that returns true for directives to be deleted. N)rrr_remove_directives)r r^rrs r!remove_server_directivesz$NginxParser.remove_server_directivesRs( &&u   0.* M Or#directives_listc|j|}|j|}|d|_|d|_|d|_||_y)Nr8r=rY)rTrr8r=rYr)r r^rrWrBs r!%_update_vhost_based_on_new_directivesz1NginxParser._update_vhost_based_on_new_directives_sM22?C ))*5 #G, !%( #G,  r# block_funcc |j} |j|}|jD]}||} t|trt |dk7rt jd|d}|||j||y#t j$r)}t jd|dt|d}~wwxYw)NrHzNot a server block.r(z Problem in z: ) fileprrrlistrJrMisconfigurationErrorrstr)r r^rrUrhindexrs r!rz%NginxParser._modify_server_directiveshs;; [[[*F ' 'fd+s6{a/?223HIIAYF v   6 6uf E++ [..hPSTWPX/YZ Z [sA7BC$B==Cvhost_templateremove_singleton_listen_paramsonly_directivesctj|}|j|j}|jddD]}||} tj||jd}|Rt j g}|dD]} | s| d|vs|j|  ||d<|j|||j|t|dz |jd<|r|jD]} d| _ d| _ ||jddD]Q} | s| ddk(shd} | D]:} | D cgc]} | jdd}} | |vs)| |j| =<S|Scc} w) aDuplicate the vhost in the configuration files. :param :class:`~certbot_nginx._internal.obj.VirtualHost` vhost_template: The vhost whose information we copy :param bool remove_singleton_listen_params: If we should remove parameters from listen directives in the block that can only be used once per address :param list only_directives: If it exists, only duplicate the named directives. Only looks at first level of depth; does not expand includes. :returns: A vhost object for the newly created vhost :rtype: :class:`~certbot_nginx._internal.obj.VirtualHost` Nr(rFlisten> bindrcvbufsetfibsndbufbacklogdefaultdeferredfastopenipv6only reuseport so_keepalive accept_filterdefault_server=)rcrdrrrrrrNrrJr8rrsplitr)r rrr new_vhostenclosing_blockr raw_in_parsednew_directivesrirCexcludeparamrKkeyss r!duplicate_vhostzNginxParser.duplicate_vhostxs"MM.1 ++n&:&:;#(("- 5E-e4O 5 on6I6I"6M&NO  &(55b9N*1- 5 1!@")))4 5 .M!   6 6y. Q}- 1A5 r )! &$ %  &-Y^^B-?@C = 1!9LG")=9BCA QCC D= )$**U*; < = = Ds?E9)rN)F)tmpTr)FN)%__name__ __module__ __qualname____doc__rr"rr%r+rr boolrErrrrr9rrZr_rr[rTr,rrrrrrr rrrrrr#r!rr sST2M3M4M8 &S &S &DsCx$)>$?"$sE$s)\2I,J'J"K&D1@%x/H%T%l|(SDT,EW> I3 INCNtNtN2 < DcN #//d&5:K3??KS K-1K>BK.?DUS__URVWZR[U7;UHLU0PT Ocoo Os O-5hud{6K-L OX\ O3???KPT[s[.6S {D7H.I[NR["@E?C4coo48<4)1$s))<4HK4r#r ssl_optionsrc|8 tj|dd5}tj|cdddStgS#1swYnxYw tgS#t$r#t j d|YtgSt$r#t j d|YtgStj$r+}t j d||Yd}~tgSd}~wwxYw)Nrnrorpz"Missing NGINX TLS options file: %srrrs) rtrurrrvrwrxryrzParseBaseExceptionr)rr~rs r!_parse_ssl_optionsrs ScG< /"''. / /   / / /   N NN? M   " M NN?@K M  ++ S NN?c R R   Ss9AA AA AC0 C03C0C++C0r0 conditionfuncrc|g}t|tr8||r |||yt|D]\}}t|||||gzyy)a(Executes a function for a subarray of a nested array if it matches the given condition. :param list entry: The list to iterate over :param function condition: Returns true iff func should be executed on item :param function func: The function to call for each matching item N)rrrSrR)r0rrrrr}s r!rRrRs] |% U   (/ H t y$wG H r# target_namerYcg}g}g}g}|D]|}t||r|j|!t||dr|j|@t||dr|j|_t||sl|j|~|rt |t }d|fS|rt |t }d|fS|rt |t }d|fS|r |d}d|fSy ) ahFinds the best match for target_name out of names using the Nginx name-matching rules (exact > longest wildcard starting with * > longest wildcard ending with * > regex). :param str target_name: The name to match :param set names: The candidate server names :returns: Tuple of (type of match, the name that matched) :rtype: tuple TF)keyexactwildcard_start wildcard_endrregex)NN) _exact_matchrN_wildcard_match _regex_matchminrJmax)rrYrrrrrmatchs r!get_best_matchrs ENL E  T * LL  [$ 5  ! !$ ' [$ 6    % +t , LL  Es#~N,&&Lc*u$$ a~ r#rcP|j}|j|d|zfvS)N.)lower)rr target_lowers r!rrs+$$&L ::W  j+":": ;#**1-J#AJ LLA}Q/0$j"8 X\4(#9r#include_locationcdj|}||}tjg}|j|tj|}|dz|z}tj |}d} |dj d|ddk7rd} |dj j| d|dj jdtj|}tj |}|d||<y)z=Comment out the line at location, with a note of explanation.z duplicated in {0}z #rr(z# ;N)formatrrrNrloadsrr) rarrcomment_messageri new_dir_blockdumped commentednew_dirinsert_locations r!_comment_out_directiver%ss*112BCOhI,,R0M#   } -F /I *GOqzwqz!}, AJ_d3 AJS!   w 'F'GajE(Or#rrcDtfdt|DdS)zeFinds the index of the first instance of directive_name in block. If no line exists, use None.c3PK|]\}}|r|dk(r|r|yw)rNr).0rlinerrs r! z!_find_location..s9Z;5$ aN* 0BjQUFVZs#&N)nextrS)rarrs ``r!_find_locationr,s* Z)E*:Z[_ aar#ric2t|dk(xs|ddk(S)z;Is this directive either a whitespace or comment directive?rrrIris r!_is_whitespace_or_commentr/s y>Q  5)A,#"55r#ct|tjstj|}t|r|j |yt ||d}|d}dt tdtdtfd}d}|tk(rt|d}|D]|}t ||d} |d} t|r#|| | r-tt| } || |k7r(tj|j||| t!|| |d~|||rp|rD|j#dtjd|j#d|t%|dy|j |t%|t'|dz ytt|} || |k7r(tj|j||| y) Nrlocdir_namercB|duxst|txr|tvS)z, Can we append this directive to the block? N)rrREPEATABLE_DIRECTIVES)r1r2s r! can_appendz"_add_directive..can_appends-d{Fz(C8 E#+/D#D Fr#z"5 W -e5G5JK  21 5 -.@A&'79JK-16F,G)237II 66w~~*E2K,L8NOO&u.GSTV W(N+  LLK44T: ; LLI & eQ '  LL # eSZ!^ 4S(+ 9,**7>>)UK\E]+^__-r#c&|||<t||yr)r)rarirs r!_update_directiver@sE(OeX&r#ct|tjstj|}t|r|j |yt ||d}|t |||yt|||y)Nr)rrrr/rNr,r@r )rarirrs r!r r sl i!9!9 :,,Y7  + YeYq\2H%H55)]3r#cd|vxrt|vS)Nr)rr.s r!_is_certbot_commentrCs )  49 44r#c~ t|||}|y|dzt|krt||dzr||dz=||==)zYRemoves directives of name directive_name from a config block if match_func matches. )rNr()r,rJrC)rrrars r!rrsW !%JO    a<#e* $)g&(t4467 88#'M% (r#r*ct}d}t}d}|D]}|s|ddk(rUtjjdj |dd}|sB|j ||j s`d}c|ddk(r|jd |ddDt|sd}d}|r|D] }d|_ |||d S) zxParses a list of server directives. :param list server: list of directives in a server block :rtype: dict Frrrr(NTr c3>K|]}|jdyw)z"'N)strip)r(rKs r!r*z$_parse_server_raw..$s?A?s)r8r=rY) setrAddr fromstringr6addr=updater)r*r8r=rYapply_ssl_to_all_addrsrirCs r!r;r; s5ECeE" *   Q<8 #88&&sxx !" '>?D $88C q\] * LL?12? ? !) ,C%) " * DDH  r#r)>rrcrrertloggingrtypingrrrrrrr r r r r rrzcertbotrcertbot.compatrcertbot_nginx._internalrr#certbot_nginx._internal.nginxparserr getLoggerrrwrrrrr6rRrrrrr-rrrr7r4rrrr%r,r/r r@r rCrrr;rr#r!rVsD   /'<   8 $LL^ HSM d<6H "26HDIH(DI;;L2MH#T#YS $:D$@AH#DI.H:>H*++HSM+eHSMS[\_S`D`>a+\>c>>> 88C8882 c    ' ' '   5S 5$5'5,055$s)5D5%156:5 &'9lS c7# )\)S)T)(!,!#!QT!Y]!2BFa,aa'#(=>aJRSV-a6#646 >`,>`8C=>`QU>`Z^>`B'\'hsm's'W[' 4L4Xc]4,04594&58C=5T5 s #8M * /3 (c3h0E(F(*.sCx.(=A($l$tCH~$r#