Google Keystone Utility for Mac OS X Jun 2013.py

#!/usr/bin/python
# Copyright 2008 Google Inc.  All rights reserved.

"""This script will install Keystone in the correct context
(system-wide or per-user).  It can also uninstall Keystone.  is run by
KeystoneRegistration.framework.

Example command lines for testing:
Install:    install.py --install=/tmp/Keystone.tbz --root=/Users/fred
Uninstall:  install.py --nuke --root=/Users/fred

Example real command lines, for user and root install and uninstall:
  install.py --install Keystone.tbz
  install.py --nuke
  sudo install.py --install Keystone.tbz
  sudo install.py --nuke

For a system-wide Keystone, the install root is "/".  Run with --help
for a list of options.  Use --no-launchdjobs to NOT start background
processes.

Errors can happen if:
 - we don't have write permission to install in the given root
 - pieces of our install are missing

On error, we print a simple message on stdout and our exit status is
non-zero.  On success, we print nothing and exit with a status of 0.
"""

import os
import re
import sys
import pwd
import stat
import glob
import getopt
import shutil
import platform
import fcntl
import traceback


# Allow us to force the installer to think we're on Tiger (10.4)
FORCE_TIGER = False

# Allow us to adjust the agent launch interval (for testing).
# In seconds.  Time is 1 hour minus a jitter factor.
AGENT_START_INTERVAL = 3523

# Name of our "lockdown" ticket.  If you change this name be sure to
# change it in other places in the code (grep is your friend)
LOCKDOWN_TICKET = 'com.google.Keystone.Lockdown'

# Process that we consider a marker of a running user login session
USER_SESSION_PROCESSNAME = \
    ' /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder'

# URL for our Omaha server
OMAHA_SERVER_URL = 'https://tools.google.com/service/update2'


# Error codes. These need to be changed in sync with KSInstallErrors.h
# and (potentially) KSAdministration/KSInstallation
UNKNOWN_ERROR_CODE = -1
MASTER_DISABLE_ERROR_CODE = -2
# Error 1 reserved for generic errors from this script.
GENERIC_ERROR_CODE = 1
PACKAGE_ERROR_CODE = 2
UNSUPPORTED_OS_ERROR_CODE = 3
# These are internal and reported with a generic error message and their value
# in a nested error.
USAGE_ERROR_CODE = 64
BAD_ROOT_ERROR_CODE = 65
INSTALLED_VERSION_CHECK_ERROR_CODE = 66
PACKAGE_VERSION_CHECK_ERROR_CODE = 67
FILE_INSTALLATION_ERROR_CODE = 68
DAEMON_CONTROL_ERROR_CODE = 69
AGENT_CONTROL_ERROR_CODE = 70
AGENT_INSTALL_ERROR_CODE = 71
KSADMIN_MISSING_ERROR_CODE = 72
KEYSTONE_TICKET_ERROR_CODE = 73


class Error(Exception):
  """Exception for Keystone install failure. Has methods for pretty printing
  in a manner readable by our Obj-C wrapper code.
  """

  def __init__(self, package, root, code, msg):
    self.package = package
    self.root = root
    self.code = code
    self.msg = msg

  def __str__(self):
    return '%s (Package: %s Root: %s)' % (self.msg, self.package, self.root)

  def errorcode(self):
    if self.code:
      return self.code
    else:
      return UNKNOWN_ERROR_CODE

  def message(self):
    return self.msg


def CheckOnePath(file, statmode, errorcode=UNKNOWN_ERROR_CODE):
  """Sanity check a file or directory as requested.  On failure throw
  an exception."""
  if os.path.exists(file):
    st = os.stat(file)
    if (st.st_mode & statmode) != 0:
      return True
  return False

# -------------------------------------------------------------------------

class KeystoneInstall(object):
  """Worker object which does the heavy lifting of install or uninstall.
  By default it assumes 10.5 (Leopard).

  Args:
    package: The package to install (i.e. Keystone.tbz)
    is_system: True if this is a system Keystone install
    agent_job_uid: uid to start agent jobs as or None to use current euid
    root: root directory for install.  On System this would be "/";
          else would be a user home directory (unless testing, in which case
          the root can be anywhere).
    launchd_setup: True if the installation should setup launchd job description
                   plists (and Tiger equivalents)
    launchd_jobs: True if the installation should start/stop related jobs
    self_destruct: True if uninstall is being triggered by a process the
                   uninstall is expected to kill

  Conventions:
    All functions which return directory paths end in '/'
  """

  def __init__(self, package, is_system, agent_job_uid, root,
               launchd_setup, launchd_jobs, self_destruct):
    self.package = package
    self.is_system = is_system
    self.agent_job_uid = agent_job_uid
    if is_system:
      assert agent_job_uid is not None, 'System install needs agent job uid'
    self.root = root
    if not self.root.endswith('/'):
      self.root = self.root + '/'
    self.launchd_setup = launchd_setup
    self.launchd_jobs = launchd_jobs
    self.self_destruct = self_destruct
    self.cached_package_version = None
    # Save/restore permissions
    self.old_euid = None
    self.old_egid = None
    self.old_umask = None

  def RunCommand(self, cmd):
    """Runs a command, returning return code and output.

    Returns:
      Tuple of return value, stdout and stderr.
    """
    # We need to work in python 2.3 (OSX 10.4), 2.5 (10.5), and 2.6 (10.6)
    if (sys.version_info[0] == 2) and (sys.version_info[1] <= 5):
      # subprocess.communicate implemented the hard way
      import errno
      import popen2
      import select
      p = popen2.Popen3(cmd, True)
      stdout = []
      stderr = []
      readable = [ p.fromchild, p.childerr ]
      while not p.fromchild.closed or not p.childerr.closed:
        try:
          try_to_read = []
          if not p.fromchild.closed:
            try_to_read.append(p.fromchild)
          if not p.childerr.closed:
            try_to_read.append(p.childerr)
          readable, ignored_w, ignored_x = select.select(try_to_read, [], [])
        except select.error, e:
          if e.args[0] == errno.EINTR:
            continue
          raise
        if p.fromchild in readable:
          out = os.read(p.fromchild.fileno(), 1024)
          stdout.append(out)
          if out == '':
            p.fromchild.close()
        if p.childerr in readable:
          errout = os.read(p.childerr.fileno(), 1024)
          stderr.append(errout)
          if errout == '':
            p.childerr.close()
      result = p.wait()
      return (os.WEXITSTATUS(result), ''.join(stdout), ''.join(stderr))
    else:
      # Just use subprocess, so much simpler
      import subprocess
      p = subprocess.Popen(cmd, shell=False, stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE, close_fds=True)
      (stdout, stderr) = p.communicate()
      return (p.returncode, stdout, stderr)

  def _AgentProcessName(self):
    """Return the process name of the agent."""
    return 'GoogleSoftwareUpdateAgent'

  def _LibraryCachesDirPath(self):
    """Return the Library/Caches subdirectory"""
    return os.path.join(self.root, 'Library/Caches/')

  def _LibraryGoogleDirPath(self):
    """Return the Library subdirectory that parents all our dirs"""
    return os.path.join(self.root, 'Library/Google/')

  def _KeystoneDirPath(self):
    """Return the subdirectory where Keystone.bundle is or will be.
    Does not sanity check the directory."""
    return os.path.join(self._LibraryGoogleDirPath(), 'GoogleSoftwareUpdate/')

  def _KeystoneBundlePath(self):
    """Return the location of Keystone.bundle."""
    return os.path.join(self._KeystoneDirPath(), 'GoogleSoftwareUpdate.bundle/')

  def _KeystoneTicketStorePath(self):
    """Returns directory path of the Keystone ticket store."""
    return os.path.join(self._KeystoneDirPath(), 'TicketStore')

  def _KsadminPath(self):
    """Return a path to ksadmin which will exist only AFTER Keystone is
    installed.  Return None if it doesn't exist."""
    ksadmin = os.path.join(self._KeystoneBundlePath(), 'Contents/MacOS/ksadmin')
    if not os.path.exists(ksadmin):
      return None
    return ksadmin

  def _KeystoneResourcePath(self):
    """Return the subdirectory where Keystone.bundle's resources should be."""
    return os.path.join(self._KeystoneBundlePath(), 'Contents/Resources/')

  def _KeystoneAgentPath(self):
    """Returns a path to installed KeystoneAgent.app."""
    return os.path.join(self._KeystoneResourcePath(),
                        'GoogleSoftwareUpdateAgent.app/')

  def _LaunchAgentConfigDir(self):
    """Return the destination directory where launch agents should go."""
    return os.path.join(self.root, 'Library/LaunchAgents/')

  def _LaunchDaemonConfigDir(self):
    """Return the destination directory where launch daemons should go."""
    return os.path.join(self.root, 'Library/LaunchDaemons/')

  def _AgentPlistFileName(self):
    """Return the filename of the Keystone agent launchd plist or None."""
    return 'com.google.keystone.agent.plist'

  def _DaemonPlistSourceFileName(self):
    """Return the filename of the Keystone daemon launchd plist to install."""
    return 'com.google.keystone.daemon.plist'

  def _DaemonPlistFileName(self):
    """Return the filename of the post-install Keystone daemon launchd plist."""
    return 'com.google.keystone.daemon.plist'

  def _IsMasterDisabled(self):
    """Check for master disable MCX preference."""
    # 'defaults' does not honor MCX, so read the file directly
    if os.path.exists('/Library/Managed Preferences/com.google.Keystone.plist'):
      cmd = ['/usr/bin/defaults', 'read',
             '/Library/Managed Preferences/com.google.Keystone',
             'masterDisable']
      (result, out, errout) = self.RunCommand(cmd)
      if result == 0 and out.strip() == '1':
        return True
    # Honor admin preferences too
    if os.path.exists('/Library/Preferences/com.google.Keystone.plist'):
      cmd = ['/usr/bin/defaults', 'read',
             '/Library/Preferences/com.google.Keystone',
             'masterDisable']
      (result, out, errout) = self.RunCommand(cmd)
      if result == 0 and out.strip() == '1':
        return True
    return False

  def _CFBundleVersionFromInfo(self, info):
    """Given the content of an Info.plist return its CFBundleVersion."""
    linelist = info.splitlines()
    for i in range(len(linelist)):
      if linelist[i].find('<key>CFBundleVersion</key>') != -1:
        version = linelist[i+1].strip()
        version = version.strip('<string>').strip('</string>')
        if version:
          return version
    return None

  def InstalledKeystoneTicketVersion(self):
    """Return the version the current Keystone ticket, or None if not installed.

    Invariant: we use the same a 4-digit version for the ticket as we use
    for CFBundleVersion.
    """
    ksadmin_path = self._KsadminPath()
    if not ksadmin_path or not os.path.exists(ksadmin_path):
      return None
    cmd = [ksadmin_path,
           # store is specified explicitly so unit tests work
           '--store', os.path.join(self._KeystoneTicketStorePath(),
                                   'Keystone.ticketstore'),
           '--productid', 'com.google.Keystone',
           '--print-tickets']
    (result, out, errout) = self.RunCommand(cmd)
    if result:
      return None
    for line in out.splitlines():
      if line.find('version=') != -1:
        version = line.strip()
        version = version.strip('version=')
        if version:
          return version
    return None

  def InstalledKeystoneBundleVersion(self):
    """Return the version of an installed Keystone bundle, or None if
    not installed.  Specifically, it returns the CFBundleVersion as a
    string (e.g. "0.1.0.0").

    Invariant: we require a 4-digit version when building Keystone.bundle.
    """
    plist_path = os.path.join(self._KeystoneBundlePath(), 'Contents/Info.plist')
    if not os.path.exists(plist_path):
      return None
    p = open(plist_path, 'r')
    info = p.read()
    p.close()
    return self._CFBundleVersionFromInfo(info)

  def MyKeystoneBundleVersion(self):
    """Return the version of our Keystone bundle which we might want to install.
    Specifically, it returns the CFBundleVersion as a string (e.g. "0.1.0.0").

    Invariant: we require a 4-digit version when building Keystone.bundle.
    """
    if self.cached_package_version is None:
      cmd = ['/usr/bin/tar', '-Oxjf',
             self.package,
             'GoogleSoftwareUpdate.bundle/Contents/Info.plist']
      (result, out, errout) = self.RunCommand(cmd)
      if result != 0:
        raise Error(self.package, self.root, PACKAGE_VERSION_CHECK_ERROR_CODE,
                    'Google Software Update installer unable to read package '
                    'Info.plist: "%s"' % errout)
      self.cached_package_version = self._CFBundleVersionFromInfo(out)
    return self.cached_package_version

  def IsVersionGreaterThanVersion(self, a_version, b_version):
    """Return True if a_version is greater than b_version.

    Invariant: we require a 4-digit version when building Keystone.bundle.
    """
    if a_version is None or b_version is None:
      return True
    else:
      a_version = a_version.split('.')
      b_version = b_version.split('.')
    # Only correct for 4-digit versions, see invariants.
    if len(a_version) != len(b_version):
      return True
    for a, b in zip(a_version, b_version):
      if int(a) > int(b):
        return True
      elif int(a) < int(b):
        return False
    # If we get here, it's a complete match, so no.
    return False

  def IsMyVersionGreaterThanInstalledVersion(self):
    """Returns True if package Keystone version is greater than current install.

    Invariant: we require a 4-digit version when building Keystone.bundle.
    """
    my_version = self.MyKeystoneBundleVersion()
    bundle_version = self.InstalledKeystoneBundleVersion()
    if self.IsVersionGreaterThanVersion(my_version, bundle_version):
      return True
    ticket_version = self.InstalledKeystoneTicketVersion()
    if self.IsVersionGreaterThanVersion(my_version, ticket_version):
      return True
    return False

  def _SetSystemInstallPermissions(self):
    """Set permissions for system install, must pair with
    _ClearSystemInstallPermissions(). Call before any filesystem access."""
    assert (self.old_euid is None and self.old_egid is None and
            self.old_umask is None), 'System permissions used reentrant'
    self.old_euid = os.geteuid()
    os.seteuid(0)
    self.old_egid = os.getegid()
    os.setegid(0)
    self.old_umask = os.umask(022)

  def _ClearSystemInstallPermissions(self):
    """Restore prior permissions after _SetSystemInstallPermissions()."""
    assert (self.old_euid is not None and self.old_egid is not None and
            self.old_umask is not None), 'System permissions cleared before set'
    os.seteuid(self.old_euid)
    self.old_euid = None
    os.setegid(self.old_egid)
    self.old_egid = None
    os.umask(self.old_umask)
    self.old_umask = None

  def _InstallPlist(self, source, dest_name, dest_dir):
    """Install a copy of the plist from Resources to the dest_dir path using
    dest_name. For system install, assumes you have already called
    _SetSystemInstallPermissions().
    """
    try:
      pf = open(os.path.join(self._KeystoneResourcePath(), source), 'r')
      content = pf.read()
      pf.close()
    except IOError, e:
      raise Error(self.package, self.root, PACKAGE_ERROR_CODE,
                  'Google Software Update installer failed to read resource '
                  'launchd plist "%s": %s' % (source, str(e)))
    # This line is key.  We can't have a tilde in a launchd script;
    # we need an absolute path.  So we replace a known token, like this:
    #    cat src.plist | 's/INSTALL_ROOT/self.root/g' > dest.plist
    content = content.replace('${INSTALL_ROOT}', self.root)
    content = content.replace(self.root + '/', self.root)  # doubleslash remove
    # Make sure launchd can distinguish between user and system Agents.
    # This is a no-op for the daemon.
    if self.is_system:
      content = content.replace('${INSTALL_TYPE}', 'system')
    else:
      content = content.replace('${INSTALL_TYPE}', 'user')
    # Allow start interval to be configured.
    content = content.replace('${START_INTERVAL}', str(AGENT_START_INTERVAL))
    try:
      # Write to temp file then move in place (safe save)
      target_file = os.path.join(dest_dir, dest_name)
      target_tmp_file = target_file + '.tmp'
      pf = open(target_tmp_file, 'w')
      pf.write(content)
      pf.close()
      os.rename(target_tmp_file, target_file)
    except IOError, e:
      raise Error(self.package, self.root, FILE_INSTALLATION_ERROR_CODE,
                  'Google Software Update installer failed to install launchd '
                  'plist "%s": %s' % (os.path.join(dest_dir, dest_name),
                                      str(e)))

  def _RemoveOldDaemonPlists(self):
    """Remove older daemon plists installed using older names.
       Assumes _SetSystemInstallPermissions() has been called."""
    # In general we have nothing to do
    pass

  def _InstallAgentLoginItem(self):
    """Setup the agent login item (vs. launchd job).
    Assumes _SetSystemInstallPermissions() has been called."""
    pass

  def _RemoveAgentLoginItem(self):
    """Remove the agent login item (vs. launchd job).
    Assumes _SetSystemInstallPermissions() has been called.

    Note: We use this code on both Tiger and Leopard to handle the OS upgrade
    case.
    """
    if self.is_system:
      domain = '/Library/Preferences/loginwindow'
    else:
      domain = 'loginwindow'
    (result, alaout, errout) = self.RunCommand(['/usr/bin/defaults', 'read',
        domain, 'AutoLaunchedApplicationDictionary'])
    # Ignoring result
    if len(alaout.strip()) == 0:
      alaout = '()'
    # One line per loginitem to help us match
    alaout = re.compile('[\n]+').sub('', alaout)
    # handles case where we are the only item
    alaout = alaout.replace('(', '(\n')
    alaout = alaout.replace('}', '}\n')
    needed_removal = False
    for line in alaout.splitlines():
      if line.find('/Library/Google/GoogleSoftwareUpdate/'
                   'GoogleSoftwareUpdate.bundle/Contents/'
                   'Resources/GoogleSoftwareUpdateAgent.app') != -1:
        alaout = alaout.replace(line, '')
        needed_removal = True
    alaout = alaout.replace('\n', '')
    # make sure it's a well-formed list
    alaout = alaout.replace('(,', '(')
    if needed_removal:
      (result, out, errout) = self.RunCommand(['/usr/bin/defaults', 'write',
          domain, 'AutoLaunchedApplicationDictionary', alaout])
      # Ignore result, if we messed up the parse just move on.

  def _ChangeDaemonRunStatus(self, start, ignore_failure):
    """Start or stop the daemon using launchd."""
    assert self.is_system, 'Daemon start on non-system install'
    self._SetSystemInstallPermissions()
    try:
      if start:
        action = 'load'
      else:
        action = 'unload'
      job_path = os.path.join(self._LaunchDaemonConfigDir(),
                              self._DaemonPlistFileName())
      # Workaround for incorrect Tiger installation
      if os.path.exists(os.path.join(self._LaunchDaemonConfigDir(),
                                     self._DaemonPlistSourceFileName())):
        job_path = os.path.join(self._LaunchDaemonConfigDir(),
                                self._DaemonPlistSourceFileName())
      (result, out, errout) = self.RunCommand(['/bin/launchctl', action,
                                               job_path])
      if not ignore_failure and result != 0:
        raise Error(self.package, self.root, DAEMON_CONTROL_ERROR_CODE,
                    'Google Software Update installer failed to %s daemon '
                    '(%d): %s' % (action, result, errout))
    finally:
      self._ClearSystemInstallPermissions()

  def _ChangeAgentRunStatus(self, start, ignore_failure):
    """Start or stop the agent using launchd."""
    if self._AgentPlistFileName() is None:
      return
    if start:
      action = 'load'
      search_process_name = USER_SESSION_PROCESSNAME
    else:
      action = 'unload'
      search_process_name = self._AgentProcessName()
    if self.is_system:
      self._SetSystemInstallPermissions()
      try:
        # System installation needs to use bsexec to hit all the running agents
        (result, psout, pserr) = self.RunCommand(['/bin/ps', 'auxwww'])
        if result != 0:  # Internal problem so don't use ignore_failure
          raise Error(self.package, self.root, UNKNOWN_ERROR_CODE,
                      'Google Software Update installer could not run '
                      '/bin/ps: %s' % pserr)
        for psline in psout.splitlines():
          if psline.find(search_process_name) != -1:
            username = psline.split()[0]
            uid = pwd.getpwnam(username)[2]
            # Must be root to bsexec.
            # Must bsexec to (pid) to get in local user's context.
            # Must become local user to have right process owner.
            # Must unset SUDO_COMMAND to keep launchctl happy.
            # Order is important.
            agent_plist_path = os.path.join(self._LaunchAgentConfigDir(),
                                            self._AgentPlistFileName())
            (result, out, errout) = self.RunCommand([
                '/bin/launchctl', 'bsexec', psline.split()[1],
                '/usr/bin/sudo', '-u', username, '/bin/bash', '-c',
                'unset SUDO_COMMAND ; /bin/launchctl %s -S Aqua "%s"' % (
                    action,
                    os.path.join(self._LaunchAgentConfigDir(),
                                 self._AgentPlistFileName()))])
            # Although we're running for every user, only treat the requested
            # user as an error
            if not ignore_failure and result != 0 and uid == self.agent_job_uid:
              raise Error(self.package, self.root, AGENT_CONTROL_ERROR_CODE,
                  'Google Software Update installer failed to %s agent for '
                  'uid %d from plist "%s" (%d): %s' %
                  (action, self.agent_job_uid, agent_plist_path, result,
                   errout))
      finally:
        self._ClearSystemInstallPermissions()
    else:
      # Non-system variant requires basic launchctl commands
      agent_plist_path = os.path.join(self._LaunchAgentConfigDir(),
                                      self._AgentPlistFileName())
      (result, out, errout) = self.RunCommand(['/bin/launchctl', action,
                                               '-S', 'Aqua', agent_plist_path])
      if not ignore_failure and result != 0:
        raise Error(self.package, self.root, AGENT_CONTROL_ERROR_CODE,
                    'Google Software Update installer failed to %s agent from '
                    'plist "%s" (%d): %s' %
                    (action, agent_plist_path, result, errout))

  def _ClearQuarantine(self, path):
    """Remove LaunchServices quarantine attributes from a file hierarchy."""
    # /usr/bin/xattr* are implemented in Python, and there's much magic
    # around which of /usr/bin/xattr and the multiple /usr/bin/xattr-2.?
    # actually execute. I suspect at least some users have /usr/bin/python
    # linked to a "real" copy or otherwise replaced, so we're going to
    # try a bunch of different options.
    # Implement it ourself
    try:
      import xattr
      for (root, dirs, files) in os.walk(path):
        for name in files:
          attrs = xattr.xattr(os.path.join(path, name))
          try:
            del attrs['com.apple.quarantine']
          except KeyError:
            pass
      return  # Success
    except:
      pass
    # Use specific version by name in case /usr/bin/python isn't the Apple magic
    # that selects the right copy of xattr. xattr-2.6 present on 10.6 and 10.7.
    if os.path.exists('/usr/bin/xattr-2.6'):
      (result, out, errout) = self.RunCommand(['/usr/bin/xattr-2.6', '-dr',
                                               'com.apple.quarantine', path])
      if result == 0:
        return
    # Fall back to /usr/bin/xattr. On Leopard it doesn't support '-r' so
    # recurse using find. Ignore the result, this is our last attempt.
    self.RunCommand(['/usr/bin/find', '-x', path, '-exec', '/usr/bin/xattr',
                     '-d', 'com.apple.quarantine', '{}'])

  def Install(self):
    """Perform a complete install operation, including safe upgrade"""
    # Unload any current processes but ignore failures
    if self.launchd_setup and self.launchd_jobs:
      self._ChangeAgentRunStatus(False, True)
      if self.is_system:
        self._ChangeDaemonRunStatus(False, True)
    # Install new files
    if self.is_system:
      self._SetSystemInstallPermissions()
    try:
      # Make and protect base directories (always safe during upgrade)
      if not os.path.isdir(self._KeystoneDirPath()):
        os.makedirs(self._KeystoneDirPath())
      if self.is_system:
        os.chown(self._KeystoneDirPath(), 0, 0)
        os.chmod(self._KeystoneDirPath(), 0755)
        os.chown(self._LibraryGoogleDirPath(), 0, 0)
        os.chmod(self._LibraryGoogleDirPath(), 0755)
      # Unpack Keystone bundle. In an upgrade we want to try to restore
      # to the old binary if install encounters a problem. Options flag names
      # chosen to be compatible with both 10.4 and 10.6 (both BSD tar, but
      # very different versions).
      saved_bundle_path = self._KeystoneBundlePath().rstrip('/') + '.old'
      if os.path.exists(self._KeystoneBundlePath()):
        if os.path.isdir(saved_bundle_path):
          shutil.rmtree(saved_bundle_path)
        elif os.path.exists(saved_bundle_path):
          os.unlink(saved_bundle_path)
        os.rename(self._KeystoneBundlePath(), saved_bundle_path)
      cmd = ['/usr/bin/tar', 'xjf', self.package, '--no-same-owner',
             '-C', self._KeystoneDirPath()]
      (result, out, errout) = self.RunCommand(cmd)
      if result != 0:
        try:
          if os.path.exists(saved_bundle_path):
            os.rename(saved_bundle_path, self._KeystoneBundlePath())
        finally:
          raise Error(self.package, self.root, FILE_INSTALLATION_ERROR_CODE,
                      'Google Software Update installer unable to unpack '
                      'package: "%s"' % errout)
      if os.path.exists(saved_bundle_path):
        shutil.rmtree(saved_bundle_path)
      # Clear quarantine on the new bundle. Failure is ignored, user will
      # be prompted if quarantine is not cleared, but we will still operate
      # correctly.
      self._ClearQuarantine(self._KeystoneBundlePath())
      # Create Keystone ticket store. On a system install start by checking
      # ticket store permissions. Bad permissions on the store could be the
      # result of a prior install or an attempt to poison the store.
      if self.is_system and os.path.exists(self._KeystoneTicketStorePath()):
        s = os.lstat(self._KeystoneTicketStorePath())
        if (s[stat.ST_UID] == 0 and
            (s[stat.ST_GID] == 0 or s[stat.ST_GID] == 80)):
          pass
        else:
          if os.path.isdir(self._KeystoneTicketStorePath()):
            shutil.rmtree(self._KeystoneTicketStorePath())
          else:
            os.unlink(self._KeystoneTicketStorePath())
      # Now create and protect ticket store
      if not os.path.isdir(self._KeystoneTicketStorePath()):
        os.makedirs(self._KeystoneTicketStorePath())
      if self.is_system:
        os.chown(self._KeystoneTicketStorePath(), 0, 0)
        os.chmod(self._KeystoneTicketStorePath(), 0755)
      # Create/update Keystone ticket
      ksadmin_path = self._KsadminPath()
      if not ksadmin_path or not os.path.exists(ksadmin_path):
        raise Error(self.package, self.root, KSADMIN_MISSING_ERROR_CODE,
                    'Google Software Update installer ksadmin not available')
      cmd = [ksadmin_path,
             # store is specified explicitly so unit tests work
             '--store', os.path.join(self._KeystoneTicketStorePath(),
                                     'Keystone.ticketstore'),
             '--register',
             '--productid', 'com.google.Keystone',
             '--version', self.MyKeystoneBundleVersion(),
             '--xcpath', self._KeystoneBundlePath(),
             '--url', OMAHA_SERVER_URL,
             '--preserve-tttoken']
      (result, out, errout) = self.RunCommand(cmd)
      if result != 0:
        raise Error(self.package, self.root, KEYSTONE_TICKET_ERROR_CODE,
            'Google Software Update installer Keystone ticket install failed '
            '(%d): %s' % (result, errout))
      # launchd config if requested
      if self.launchd_setup:
        # Daemon first (safer if upgrade fails)
        if self.is_system:
          if not os.path.isdir(self._LaunchDaemonConfigDir()):
            os.makedirs(self._LaunchDaemonConfigDir())
            # Again set permissions only if we created it, but if we did use
            # standard permission from a default OS install.
            os.chown(self._LaunchDaemonConfigDir(), 0, 0)
            os.chmod(self._LaunchDaemonConfigDir(), 0755)
          self._InstallPlist(self._DaemonPlistSourceFileName(),
                             self._DaemonPlistFileName(),
                             self._LaunchDaemonConfigDir())
          # Remove daemon under older names
          self._RemoveOldDaemonPlists()
        # Agent launchd
        if self._AgentPlistFileName() is not None:
          if not os.path.isdir(self._LaunchAgentConfigDir()):
            os.makedirs(self._LaunchAgentConfigDir())
            # /Library/LaunchAgents is a OS directory, use permissions from
            # default OS install, but only if we created it.
            if self.is_system:
              os.chown(self._LaunchAgentConfigDir(), 0, 0)
              os.chmod(self._LaunchAgentConfigDir(), 0755)
          self._InstallPlist(self._AgentPlistFileName(),
                             self._AgentPlistFileName(),
                             self._LaunchAgentConfigDir())
        # Agent login item remove/restore. Removal prior to add
        # so that removal happens in Tiger -> Leopard upgrade case and
        # we do not duplicate entries.
        self._RemoveAgentLoginItem()
        self._InstallAgentLoginItem()
    finally:
      if self.is_system:
        self._ClearSystemInstallPermissions()
    # If requested, start our jobs, failures treated as errors.
    if self.launchd_setup and self.launchd_jobs:
      if self.is_system:
        self._ChangeDaemonRunStatus(True, False)
      self._ChangeAgentRunStatus(True, False)

  def LockdownKeystone(self):
    """Prevent Keystone from ever self-uninstalling.

    This is necessary for a System Keystone used for Trusted Tester support.
    We do this by installing (and never uninstalling) a system ticket.
    """
    if self.is_system:
      self._SetSystemInstallPermissions()
    try:
      ksadmin_path = self._KsadminPath()
      if not ksadmin_path:
        raise Error(self.package, self.root, KSADMIN_MISSING_ERROR_CODE,
                    'Google Software Update installer ksadmin not available')
      cmd = [ksadmin_path,
             # store is specified explicitly so unit tests work
             '--store', os.path.join(self._KeystoneTicketStorePath(),
                                     'Keystone.ticketstore'),
             '--register',
             '--productid', LOCKDOWN_TICKET,
             '--version', '1.0',
             '--xcpath', '/',
             '--url', OMAHA_SERVER_URL]
      (result, out, errout) = self.RunCommand(cmd)
      if result != 0:
        raise Error(self.package, self.root, KEYSTONE_TICKET_ERROR_CODE,
            'Google Software Update installer Keystone ticket install '
            'failed (%d): %s' % (result, errout))
    finally:
      if self.is_system:
        self._ClearSystemInstallPermissions()

  def Uninstall(self):
    """Perform a complete uninstall (uninstall leaves tickets in place)"""
    # On uninstall if we are not in self-destruct stop all processes but
    # ignore failure (may not be running). On a non-self destruct case we do
    # this first since it avoids race conditions on caches and pref writes
    if not self.self_destruct and self.launchd_setup and self.launchd_jobs:
      self._ChangeAgentRunStatus(False, True)
      if self.is_system:
        self._ChangeDaemonRunStatus(False, True)
    # Perform file removals. In self-destruct case the processes may still
    # be running.
    if self.is_system:
      self._SetSystemInstallPermissions()
    try:
      # Remove plist files unless blocked
      if self.launchd_setup:
        # In self-destruct mode we still need these plists for launchctl
        if not self.self_destruct:
          if self._AgentPlistFileName() is not None:
            agent_plist = os.path.join(self._LaunchAgentConfigDir(),
                                       self._AgentPlistFileName())
            if os.path.exists(agent_plist):
              os.unlink(agent_plist)
          daemon_plist = os.path.join(self._LaunchDaemonConfigDir(),
                                      self._DaemonPlistFileName())
          if os.path.exists(daemon_plist):
            os.unlink(daemon_plist)
          # Remove daemon under older names as well
          self._RemoveOldDaemonPlists()
        # Self-destruct or not, we can remove login item (Tiger)
        self._RemoveAgentLoginItem()
      # Unregister Keystone ticket (if installed at all).
      if os.path.exists(self._KeystoneBundlePath()):
        ksadmin_path = self._KsadminPath()
        if not ksadmin_path or not os.path.exists(ksadmin_path):
          raise Error(self.package, self.root, KSADMIN_MISSING_ERROR_CODE,
                      'Google Software Update installer ksadmin not available')
        cmd = [ksadmin_path,
               # store is specified explicitly so unit tests work
               '--store', os.path.join(self._KeystoneTicketStorePath(),
                                       'Keystone.ticketstore'),
               '--delete', '--productid', 'com.google.Keystone']
        (result, out, errout) = self.RunCommand(cmd)
        if result != 0 and errout.find('No ticket to delete') == -1:
          raise Error(self.package, self.root, KEYSTONE_TICKET_ERROR_CODE,
              'Google Software Update installer Keystone ticket uninstall '
              'failed (%d): %s' % (result, errout))
      # Remove the Keystone bundle
      if os.path.exists(self._KeystoneBundlePath()):
        shutil.rmtree(self._KeystoneBundlePath())
      # Clean up caches. Race condition here if self-destructing, but unlikely
      # and we'll just leak a cache dir.
      if os.path.exists(self._LibraryCachesDirPath()):
        caches = glob.glob(os.path.join(self._LibraryCachesDirPath(),
                                        'com.google.Keystone.*'))
        caches.extend(glob.glob(os.path.join(self._LibraryCachesDirPath(),
                                        'com.google.UpdateEngine.*')))
        caches.extend(glob.glob(os.path.join(self._LibraryCachesDirPath(),
                                        'UpdateEngine-Temp')))
        for cache_item in caches:
          if os.path.isdir(cache_item):
            shutil.rmtree(cache_item, True)  # Ignore cache deletion errors
          else:
            try:
              os.unlink(cache_item)
            except OSError:
              pass
      # Clean up preferences, this prevents old installations from propagating
      # dates (like uninstall embargo time) forward in a complete uninstall/
      # reinstall scenario. Again, race condition here for self-destruct case
      # but the risk is minor and only leaks a pref file.
      if self.is_system:
        agent_pref_path = os.path.join(pwd.getpwuid(self.agent_job_uid)[5],
                                       'Library/Preferences/'
                                       'com.google.Keystone.Agent.plist')
      else:
        agent_pref_path = os.path.expanduser('~/Library/Preferences/'
                                             'com.google.Keystone.Agent.plist')
      if os.path.exists(agent_pref_path):
        os.unlink(agent_pref_path)
    finally:
      if self.is_system:
        self._ClearSystemInstallPermissions()
    # Remove receipts
    self.RemoveReceipts()
    # With all other files removed, cleanup processes and job control files in
    # the self-destruct case. This will presumably kill our parent, so after
    # this no one is listening for our errors. We do it as late as possible.
    if self.self_destruct:
      if self.launchd_setup and self.launchd_jobs:
        self._ChangeAgentRunStatus(False, True)
        if self.is_system:
          self._ChangeDaemonRunStatus(False, True)
      if self.is_system:
        self._SetSystemInstallPermissions()
      try:
        # We needed these plists to stop the agent and daemon. No one is
        # listening to errors, but failure only leaves a stale launchctl file
        # (actual program files removed above)
        if self._AgentPlistFileName() is not None:
          agent_plist = os.path.join(self._LaunchAgentConfigDir(),
                                     self._AgentPlistFileName())
          if os.path.exists(agent_plist):
            os.unlink(agent_plist)
        daemon_plist = os.path.join(self._LaunchDaemonConfigDir(),
                                    self._DaemonPlistFileName())
        if os.path.exists(daemon_plist):
          os.unlink(daemon_plist)
        # Remove daemon under older names as well
        self._RemoveOldDaemonPlists()
      finally:
        if self.is_system:
          self._ClearSystemInstallPermissions()

  def Nuke(self):
    """Perform an uninstall and remove all files (including tickets)"""
    # Uninstall
    self.Uninstall()
    # Nuke what's left
    if self.is_system:
      self._SetSystemInstallPermissions()
    try:
      # Remove whole Keystone tree
      if os.path.exists(self._KeystoneDirPath()):
        shutil.rmtree(self._KeystoneDirPath())
    finally:
      if self.is_system:
        self._ClearSystemInstallPermissions()

  def RemoveReceipts(self):
    """Remove receipts from Apple's package database, allowing downgrade or
    reinstall."""
    # Only works on system installs
    if self.is_system:
      self._SetSystemInstallPermissions()
      try:
        # In theory we should only handle old-style receipts on older OS
        # versions. However, we don't know the upgrade history of the machine.
        # So we try all variants.
        if os.path.isdir('/Library/Receipts/Keystone.pkg'):
          shutil.rmtree('/Library/Receipts/Keystone.pkg', True)
        if os.path.exists('/Library/Receipts/Keystone.pkg'):
          try:
            os.unlink('/Library/Receipts/Keystone.pkg')
          except OSError:
            pass
        if os.path.isdir('/Library/Receipts/UninstallKeystone.pkg'):
          shutil.rmtree('/Library/Receipts/UninstallKeystone.pkg', True)
        if os.path.exists('/Library/Receipts/UninstallKeystone.pkg'):
          try:
            os.unlink('/Library/Receipts/UninstallKeystone.pkg')
          except OSError:
            pass
        if os.path.isdir('/Library/Receipts/NukeKeystone.pkg'):
          shutil.rmtree('/Library/Receipts/NukeKeystone.pkg', True)
        if os.path.exists('/Library/Receipts/NukeKeystone.pkg'):
          try:
            os.unlink('/Library/Receipts/NukeKeystone.pkg')
          except OSError:
            pass
        # pkgutil where appropriate (ignoring results)
        if os.path.exists('/usr/sbin/pkgutil'):
          self.RunCommand(['/usr/sbin/pkgutil', '--forget',
                           'com.google.pkg.Keystone'])
          self.RunCommand(['/usr/sbin/pkgutil', '--forget',
                           'com.google.pkg.UninstallKeystone'])
          self.RunCommand(['/usr/sbin/pkgutil', '--forget',
                           'com.google.pkg.NukeKeystone'])
      finally:
        self._ClearSystemInstallPermissions()

  def FixupProducts(self):
    """Attempt to repair any products might be broken."""
    if self.is_system:
      self._SetSystemInstallPermissions()
    try:
      # Remove the (original) Google Updater manifest files.  Stale manifest
      # caches prevent Updater from checking for updates and downloading its
      # auto-uninstall package. Stomp those files everywhere we can.
      try:
        os.unlink(os.path.expanduser('~/Library/Application Support/'
                                     'Google/SoftwareUpdates/manifest.xml'))
      except OSError:
        pass
      if self.agent_job_uid is not None:
        try:
          os.unlink(os.path.join(pwd.getpwuid(self.agent_job_uid)[5],
                                 'Library/Application Support/'
                                 'Google/SoftwareUpdates/manifest.xml'))
        except OSError:
          pass
      try:
        os.unlink(os.path.join(self.root, 'Library/Application Support/'
                               'Google/SoftwareUpdates/manifest.xml'))
      except OSError:
        pass
      try:
        os.unlink('/Library/Caches/Google/SoftwareUpdates/manifest.xml')
      except OSError:
        pass

      # Other repairs require ksadmin
      ksadmin_path = self._KsadminPath()
      if ksadmin_path and os.path.exists(ksadmin_path):

        # Fix various Talk plugin problems
        if self.is_system:
          (result, out, errout) = self.RunCommand([ksadmin_path, '--productid',
                                      'com.google.talkplugin', '-p'])

          # Google Talk Plugin 1.0.15.1351 can have its existence checker
          # pointing to a deleted directory.  Fix up the xc so it'll update
          # next time.
          if out.find('1.0.15.1351') != -1:
            # Fix the ticket by reregistering it.
            # We can only get here if 1.0.15.1351 is the current version, so
            # it's safe to use that version.
            (result, out, errout) = self.RunCommand([ksadmin_path, '--register',
                '--productid', 'com.google.talkplugin',
                '--xcpath',
                '/Library/Internet Plug-Ins/googletalkbrowserplugin.plugin',
                '--version', '1.0.15.1351',
                '--url', OMAHA_SERVER_URL])

          # Repair tickets presumed lost in the 1.x to 2.x Talk upgrade.
          if ((out.find('productID=com.google.talkplugin') == -1) and
              os.path.exists(
                  '/Library/Internet Plug-Ins/googletalkbrowserplugin.plugin')):
            # Register Talk again, using a unique version number that will be
            # updated.
            (result, out, errout) = self.RunCommand([ksadmin_path, '--register',
                '--productid', 'com.google.talkplugin',
                '--xcpath',
                '/Library/Internet Plug-Ins/googletalkbrowserplugin.plugin',
                '--version', '0.1.0.1234',
                '--url', OMAHA_SERVER_URL])

    finally:
      if self.is_system:
        self._ClearSystemInstallPermissions()

# -------------------------------------------------------------------------

class KeystoneInstallTiger(KeystoneInstall):

  """Like KeystoneInstall, but overrides a few methods to support 10.4"""

  def _AgentPlistFileName(self):
    return None

  def _DaemonPlistSourceFileName(self):
    return 'com.google.keystone.daemon4.plist'

  def _RemoveOldDaemonPlists(self):
    # Older installers installed this under the wrong name
    daemon_plist = os.path.join(self._LaunchDaemonConfigDir(),
                                self._DaemonPlistSourceFileName())
    if os.path.exists(daemon_plist):
      os.unlink(daemon_plist)

  def _InstallAgentLoginItem(self):
    # This will write to the Library domain as root/wheel, which is OK because
    # permissions on /Library/Preferences still allow admin group to modify
    if self.is_system:
      domain = '/Library/Preferences/loginwindow'
    else:
      domain = 'loginwindow'
    (result, out, errout) = self.RunCommand(
        ['/usr/bin/defaults', 'write', domain,
         'AutoLaunchedApplicationDictionary', '-array-add',
         '{Hide = 1; Path = "%s"; }' % self._KeystoneAgentPath()])
    if result == 0:
      return
    # An empty AutoLaunchedApplicationDictionary is an empty string,
    # not an empty array, in which case -array-add chokes.  There is
    # no easy way to do a typeof(AutoLaunchedApplicationDictionary)
    # for a plist. Our solution is to catch the error and try a
    # different way.
    (result, out, errout) = self.RunCommand(
        ['/usr/bin/defaults', 'write', domain,
         'AutoLaunchedApplicationDictionary', '-array',
         '{Hide = 1; Path = "%s"; }' % self._KeystoneAgentPath()])
    if result != 0:
      raise Error(self.package, self.root, AGENT_INSTALL_ERROR_CODE,
                  'Google Software Update installer Keystone agent login item '
                  'in domain "%s" failed (%d): %s' % (domain, result, errout))

  def _ChangeAgentRunStatus(self, start, ignore_failure):
    """Start the agent as a normal (non-launchd) process on Tiger."""
    if self.is_system:
      self._SetSystemInstallPermissions()
    try:
      # Start
      if start:
        if self.is_system:
          # Tiger 'sudo' has problems with numeric uid so use username (man
          # page wrong)
          username = pwd.getpwuid(self.agent_job_uid)[0]
          (result, out, errout) = self.RunCommand(['/usr/bin/sudo',
                                                   '-u', username,
                                                   '/usr/bin/open',
                                                   self._KeystoneAgentPath()])
          if not ignore_failure and result != 0:
            raise Error(self.package, self.root, AGENT_CONTROL_ERROR_CODE,
                        'Google Software Update installer failed to start '
                        'system agent for uid %d (%d): %s' %
                        (self.agent_job_uid, result, errout))
        else:
          (result, out, errout) = self.RunCommand(['/usr/bin/open',
                                                   self._KeystoneAgentPath()])
          if not ignore_failure and result != 0:
            raise Error(self.package, self.root, AGENT_CONTROL_ERROR_CODE,
                        'Google Software Update installer failed to start '
                        'user agent (%d): %s' % (result, errout))
      # Stop
      else:
        if self.is_system:
          cmd = ['/usr/bin/killall', '-u', str(self.agent_job_uid),
                 self._AgentProcessName()]
        else:
          cmd = ['/usr/bin/killall', self._AgentProcessName()]
        (result, out, errout) = self.RunCommand(cmd)
        if (not ignore_failure and result != 0 and
            out.find('No matching processes') == -1):
          raise Error(self.package, self.root, AGENT_CONTROL_ERROR_CODE,
                      'Google Software Update installer failed to kill '
                      'agent (%d): %s' % (result, errout))
    finally:
      if self.is_system:
        self._ClearSystemInstallPermissions()

  def _ClearQuarantine(self, path):
    """Remove LaunchServices quarantine attributes from a file hierarchy."""
    # Tiger does not implement quarantine (http://support.apple.com/kb/HT3662)
    return


# -------------------------------------------------------------------------

class Keystone(object):

  """Top-level interface for Keystone install and uninstall.

  Attributes:
    install_class: KeystoneInstall subclass to use for installation
    installer: KeystoneInstall instance (system or user)
  """

  def __init__(self, package, root, launchd_setup, start_jobs, self_destruct):
    # Sanity
    if package:
      package = os.path.abspath(os.path.expanduser(package))
      if not CheckOnePath(package, stat.S_IRUSR):
        raise Error(package, root, PACKAGE_ERROR_CODE,
                    'Google Software Update installer missing or unreadable '
                    'installation package.')
    if root:
      expanded_root = os.path.abspath(os.path.expanduser(root))
      assert (expanded_root and
              len(expanded_root) > 0), 'Root is empty after expansion.'
      # Force user-supplied root to pre-exist, this was a side effect of
      # prior versions of the code and the tests assume its part of the contract
      if not CheckOnePath(expanded_root, stat.S_IWUSR):
        raise Error(package, root, BAD_ROOT_ERROR_CODE,
                    'Google Software Update installer installation location '
                    'missing or unwritable.')
      root = expanded_root

    # Setup installer instances
    self.install_class = KeystoneInstall
    if self._IsTiger():
      self.install_class = KeystoneInstallTiger
    if self._IsPrivilegedInstall():
      # Install using privileges on behalf of other user (for agent start)
      install_uid = self._LocalUserUID()
      if root is not None:
        self.installer = self.install_class(package, True, install_uid, root,
                                            launchd_setup, start_jobs,
                                            self_destruct)
      else:
        self.installer = self.install_class(package, True, install_uid,
                                            self._DefaultRootForUID(0),
                                            launchd_setup, start_jobs,
                                            self_destruct)
    else:
      # Non-system install, no attempt at privilege changes
      if root is not None:
        self.installer = self.install_class(package, False, None, root,
                                            launchd_setup, start_jobs,
                                            self_destruct)
      else:
        self.installer = self.install_class(package, False, None,
                                            self._DefaultRootForUID(
                                                self._LocalUserUID()),
                                            launchd_setup, start_jobs,
                                            self_destruct)

  def _LocalUserUID(self):
    """Return the UID of the local (non-root) user who initiated this
    install/uninstall.  If we can't figure it out, default to the user
    on conosle.  We don't want to default to console user in case a
    FUS happens in the middle of install or uninstall."""
    uid = os.geteuid()
    if uid != 0:
      return uid
    else:
      return os.stat('/dev/console')[stat.ST_UID]

  def _IsLeopardOrLater(self):
    """Return True if we're on 10.5 or later; else return False."""
    global FORCE_TIGER
    if FORCE_TIGER:
      return False
    # Ouch!  platform.mac_ver() returns strange results.
    # ('10.7', ('', '', ''), 'i386')        - 10.7, python2.7
    # ('10.7.0', ('', '', ''), 'i386')      - 10.7, python2.5 or python2.6
    # ('10.6.7', ('', '', ''), 'i386')      - 10.6, python2.5 or python2.6
    # ('10.5.1', ('', '', ''), 'i386')      - 10.5, python2.4 or python2.5
    # ('', ('', '', ''), '')                - 10.4, python2.3 (also 2.4)
    (vers, ignored1, ignored2) = platform.mac_ver()
    splits = vers.split('.')
    # Try to break down a proper version number
    if ((len(splits) == 2) or (len(splits) == 3)) and (splits[1] >= '5'):
      return True
    # Tiger is rare these days, so unless we're on 2.3 build of Python
    # assume we must be newer.
    if (((sys.version_info[0] == 2) and (sys.version_info[1] == 3)) or
        ((sys.version_info[0] == 2) and (sys.version_info[1] == 4) and
         (vers == ''))):
      return False
    else:
      return True

  def _IsTiger(self):
    """Return the boolean opposite of IsLeopardOrLater()."""
    if self._IsLeopardOrLater():
      return False
    else:
      return True

  def _IsPrivilegedInstall(self):
    """Return True if this is a privileged (root) install."""
    if os.geteuid() == 0:
      return True
    else:
      return False

  def _DefaultRootForUID(self, uid):
    """For the given UID, return the default install root for Keystone (where
    is is, or where it should be, installed)."""
    if uid == 0:
      return '/'
    else:
      return pwd.getpwuid(uid)[5]

  def _ShouldInstall(self):
    """Return True if we should on install.

    Possible reasons for punting (returning False):
    1) This is a System Keystone install and the installed System
       Keystone has a smaller version.
    2) This is a User Keystone and there is a System Keystone
       installed (of any version).
    3) This is a User Keystone and the installed User Keystone has a
       smaller version.
    """
    if self._IsPrivilegedInstall():
      if self.installer.IsMyVersionGreaterThanInstalledVersion():
        return True
      else:
        return False
    else:
      # User install, need to check if system install exists
      system_checker = self.install_class(None, False, None,
                                          self._DefaultRootForUID(0),
                                          False, False, False)
      if system_checker.InstalledKeystoneBundleVersion() != None:
        return False
      # Check just user version
      if self.installer.IsMyVersionGreaterThanInstalledVersion():
        return True
      else:
        return False

  def Install(self, force, lockdown):
    """Public install interface.

      force: If True, no version check is performed.
      lockdown: if True, install a special ticket to lock down Keystone
                and prevent uninstall.  This will happen even if an install
                of Keystone itself is not needed.
    """
    if self.installer._IsMasterDisabled():
      raise Error(None, None, MASTER_DISABLE_ERROR_CODE,
          'Google Software Update installer failed. An administrator has '
          'disabled Google Software Update.')
    if force or self._ShouldInstall():
      self.installer.Install()
    # possibly lockdown even if we don't need to install
    if lockdown:
      self.installer.LockdownKeystone()

  def Uninstall(self):
    """Uninstall, which has the effect of preparing this machine for a new
    install. Although similar, it is NOT as comprehensive as a nuke.
    """
    self.installer.Uninstall()

  def Nuke(self):
    """Public nuke interface. Typically only used for testing."""
    self.installer.Nuke()

  def RemoveReceipts(self):
    """Public receipt removal interface. Used by uninstall, and to allow
    downgraades of system installations."""
    self.installer.RemoveReceipts()

  def FixupProducts(self):
    """Attempt to repair any products might have broken tickets."""
    self.installer.FixupProducts()

# -------------------------------------------------------------------------

def PrintUse():
  print 'Use: '
  print ' [--install PKG]     Install keystone using PKG as the source.'
  print ' [--root ROOT]       Use ROOT as the dest for an install. Optional.'
  print ' [--uninstall]       Remove Keystone program files but do NOT delete '
  print '                       the ticket store.'
  print ' [--nuke]            Remove Keystone and all tickets.'
  print ' [--remove-receipts] Remove Keystone package receipts, allowing for '
  print '                       downgrade (system install only)'
  print ' [--no-launchd]      Do NOT touch Keystone launchd plists or jobs,'
  print '                       for both install and uninstall. For test.'
  print ' [--no-launchdjobs]  Do NOT start/stop jobs, but do change launchd'
  print '                       plist files,for both install and uninstall.'
  print '                       For test.'
  print ' [--self-destruct]   Use if uninstall is triggered by process that '
  print '                       will be killed by uninstall.'
  print ' [--force]           Force an install no matter what. For test.'
  print ' [--forcetiger]      Pretend we are on Tiger (MacOSX 10.4). For test.'
  print ' [--failcode]        Fake an error with that code occurred. For test.'
  print ' [--lockdown]        Prevent Keystone from ever uninstalling itself.'
  print ' [--interval N]      Change agent plist to wake up every N seconds.'
  print ' [--help]            This message.'


def main():
  os.environ.clear()
  os.environ['PATH'] = '/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec'

  # Make sure AuthorizationExecuteWithPrivileges() is happy
  if os.getuid() and os.geteuid() == 0:
    os.setuid(os.geteuid())

  try:
    opts, args = getopt.getopt(sys.argv[1:], 'i:r:XunNfI:h',
                               ['install=', 'root=', 'nuke', 'uninstall',
                                'no-launchd', 'no-launchdjobs', 'force',
                                'interval=', 'help',
                                # Long-only
                                'remove-receipts', 'self-destruct',
                                'forcetiger', 'failcode=', 'lockdown'])
  except getopt.GetoptError:
    print 'Bad options.'
    PrintUse()
    sys.exit(USAGE_ERROR_CODE)

  root = None
  package = None
  nuke = False
  uninstall = False
  remove_receipts = False
  launchd_setup = True
  fail_code = 0
  start_jobs = True
  self_destruct = False
  force = False
  lockdown = False  # If true, prevent uninstall by adding a "lockdown" ticket

  for opt, val in opts:
    if opt in ('-h', '--help'):
      PrintUse()
      sys.exit(USAGE_ERROR_CODE)

    if opt in ['-i', '--install']:
      package = val
    if opt in ['-r', '--root']:
      root = val
    if opt in ['-X', '--nuke']:
      nuke = True
    if opt in ['-u', '--uninstall']:
      uninstall = True
    if opt in ['-n', '--no-launchd']:
      launchd_setup = False
    if opt in ['-N', '--no-launchdjobs']:
      start_jobs = False
    if opt in ['-f', '--force']:
      force = True
    if opt in ['-I', '--interval']:
      global AGENT_START_INTERVAL
      AGENT_START_INTERVAL = int(val)
    if opt == '--remove-receipts':
      remove_receipts = True
    if opt == '--self-destruct':
      self_destruct = True
    if opt == '--forcetiger':
      global FORCE_TIGER
      FORCE_TIGER = True
    if opt == '--failcode':
      fail_code = int(val)
    if opt == '--lockdown':
      lockdown = True

  if package is None and not nuke and not uninstall and not remove_receipts:
    print 'Must specify package path, uninstall, nuke, or remove-receipts.'
    PrintUse()
    sys.exit(USAGE_ERROR_CODE)
  try:
    (vers, ignored1, ignored2) = platform.mac_ver()
    splits = vers.split('.')
    if (len(splits) == 3) and (int(splits[1]) < 4):
      print 'Requires Mac OS 10.4 or later.'
      sys.exit(UNSUPPORTED_OS_ERROR_CODE)
  except:
    # 10.3 throws an exception for platform.mac_ver()
    print 'Requires Mac OS 10.4 or later.'
    sys.exit(UNSUPPORTED_OS_ERROR_CODE)

  # Lock file to make sure only one Keystone install at once. We want to
  # share this lock amongst all users on the machine.
  lockfilename = '/tmp/.keystone_install_lock'
  oldmask = os.umask(0000)
  lockfile = os.open(lockfilename, os.O_CREAT | os.O_RDONLY | os.O_NOFOLLOW,
                     0444)
  os.umask(oldmask)
  # Lock, callers that cannot wait are expected to kill us.
  fcntl.flock(lockfile, fcntl.LOCK_EX)

  try:
    try:
      # Simulate a failure
      if fail_code != 0:
        raise Error(None, None, fail_code,
            'Google Software Update installer simulated failure %d' % fail_code)
      # Do the install
      k = Keystone(package, root, launchd_setup, start_jobs, self_destruct)
      # Ordered by level of cleanup applied
      if nuke:
        k.Nuke()
      elif uninstall:
        k.Uninstall()
      elif remove_receipts:
        k.RemoveReceipts()
      else:
        k.Install(force, lockdown)
        k.FixupProducts()
    except Error, e:
      # To conform to previous contract on this tool (see headerdoc)
      print e.message()
      # We want the backtrace on stderr, but we need to control the exit code
      # so dump manually
      traceback.print_exc(file=sys.stderr)
      # exit with the right error code
      sys.exit(e.errorcode())
  finally:
    os.close(lockfile)  # Lock file left around on purpose

if __name__ == '__main__':
  main()