Yohohohohohooho | Sanrei Aya
Sanrei Aya


Server : LiteSpeed
System : Linux barito.iixcp.rumahweb.net 5.14.0-611.49.1.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Apr 21 16:39:08 EDT 2026 x86_64
User : elvh3918 ( 1528)
PHP Version : 8.2.31
Disable Function : mail
Directory :  /opt/cloudlinux/venv/lib/python3.11/site-packages/ssa/__pycache__/


 

Current File : //opt/cloudlinux/venv/lib/python3.11/site-packages/ssa/__pycache__/manager.cpython-311.pyc
