U lHJeO@sddlZddlZddlmZddlmZmZmZddlm Z m Z m Z m Z m Z mZddlmZmZddlmZddlmZddlmZdd lmZdd lmZdd lmZmZdd lm Z m!Z!m"Z"e #Z$e%e&e'Z(d ddddgZ)ddgZ*ddddgZ+e)e*e)e*e)e)e+dZ,dddgZ-dddddgZ.dddddgZ/d d!dd"d#ddgZ0e)e*e-e)e*e.e)e/e)e+e0dZ1Gd$d%d%ej2Z3Gd&d'd'e3Z4Gd(d)d)e3Z5Gd*d+d+e4Z6dS),N)groupby)ListOptionalTuple)apt event_logger exceptionsmessagessystemutil)NoCloudTypeReasonget_cloud_type)repo)IncompatibleService)ApplicationStatus)notices)Notice)ServicesOnceEnabledDataservices_once_enabled_file)MessagingOperationsMessagingOperationsDictStaticAffordance strongswanstrongswan-hmacopenssh-clientopenssh-server shim-signedopenssh-client-hmacopenssh-server-hmacZ libnettle8Z libhogweed6Z libgnutls30Zlibgmp10)ZxenialbionicfocalZjammyopenssl libssl1.0.0libssl1.0.0-hmac libssl1.1libssl1.1-hmac libgcrypt20libgcrypt20-hmacZgawkzupdate-notifier-commonzopenssl-fips-module-3Zlibssl3cs8eZdZdZdZdZdZejj Z ddddd dd d d d d ddddddddgZ e ddZ d2eeeeeddfdd Zd3eeddddZeeed fd!d" Ze eed#fd$d%d&Ze eed$fd'd( Zeeeejfd$fd)d* Zdd$d+d,Zd4eed-fd.d/ Zd5edd-fd0d1 ZZS)6FIPSCommonEntitlementizubuntu-pro-fips.gpgz/proc/sys/crypto/fips_enabledTzfips-initramfsr$r%r"r#z linux-fipsrrrrr!rrr&r'zfips-initramfs-genericrcCs*tj}trt|gSt|gS)a Dictionary of conditional packages to be installed when enabling FIPS services. For example, if we are enabling FIPS services in a machine that has openssh-client installed, we will perform two actions: 1. Upgrade the package to the FIPS version 2. Install the corresponding hmac version of that package when available. )r get_release_infoseries is_container#FIPS_CONTAINER_CONDITIONAL_PACKAGESgetFIPS_CONDITIONAL_PACKAGES)selfr*r0z8FIPSCommonEntitlement.install_packages..)key)r3r4r5)servicepkgN)eventinfor ZINSTALLING_SERVICE_PACKAGESformatr8packagessuperinstall_packagesrget_installed_packages_namesrsortedr2rZUbuntuProErrorZFIPS_PACKAGE_NOT_AVAILABLE) r/r3r4r5Zmandatory_packagesZdesired_packagesinstalled_packagesZ pkg_groupsr;Zpkg_listr@ __class__r0r1rFs@    z&FIPSCommonEntitlement.install_packagesF) operationsilentr6cCs\t}t||rX|s.ttjj|d|dkrDt t j n|dkrXt t j dS)zCheck if user should be alerted that a reboot must be performed. @param operation: The operation being executed. @param silent: Boolean set True to silence print/log of messages )rLinstallzdisable operationN) r should_rebootrAZ needs_rebootrBr ZENABLE_REBOOT_REQUIRED_TMPLrCraddrFIPS_SYSTEM_REBOOT_REQUIREDFIPS_DISABLE_REBOOT_REQUIRED)r/rLrMZreboot_requiredr0r0r1_check_for_reboot_msgs" z+FIPSCommonEntitlement._check_for_reboot_msgr*cloud_idr6cs>|dkr:tj|jjddrdS|dkr*dStdtjkSdS)aVReturn False when FIPS is allowed on this cloud and series. On Xenial GCP there will be no cloud-optimized kernel so block default ubuntu-fips enable. This can be overridden in config with features.allow_xenial_fips_on_cloud. GCP doesn't yet have a cloud-optimized kernel or metapackage so block enable of fips if the contract does not specify ubuntu-gcp-fips. This also can be overridden in config with features.allow_default_fips_metapackage_on_gcp. :return: False when this cloud, series or config override allows FIPS. gcez.features.allow_default_fips_metapackage_on_gcp)ZconfigZ path_to_valueT)rr zubuntu-gcp-fips)r Zis_config_value_truecfgboolrErDr/r*rUrJr0r1_allow_fips_on_cloud_instancesz3FIPSCommonEntitlement._allow_fips_on_cloud_instance.r6cs^dddd}t\}dkr"dtjtjj|d}|fddd ffS) Nzan AWSzan Azureza GCP)ZawsZazurerVr9)r*Zcloudcs SN)rZr0rUr/r*r0r1r<r=z:FIPSCommonEntitlement.static_affordances..T) r r r)r*r ZFIPS_BLOCK_ON_CLOUDrCr8r-)r/Z cloud_titles_Zblocked_messager0r]r1static_affordances s   z(FIPSCommonEntitlement.static_affordancescstr gStjSr\)r r+rErDr/rJr0r1rDszFIPSCommonEntitlement.packagescst\}}tr2ts2ttj||fSt j |j rtt |js\ttjt|j dkrttj||fSttjtjtjj|j dfS|tjkr||fStjtjfS)N1) file_name)rEapplication_statusr r+rOrremoverrQospathexistsFIPS_PROC_FILEsetrDZ load_filestripZFIPS_MANUAL_DISABLE_URLrPrZDISABLEDr ZFIPS_PROC_FILE_ERRORrCENABLEDFIPS_REBOOT_REQUIRED)r/Z super_statusZ super_msgrJr0r1rc"s: z(FIPSCommonEntitlement.application_statuscCsPtt}t|jt|j}||}|rLtt|t j j |j ddS)zRemove fips meta package to disable the service. FIPS meta-package will unset grub config options which will deactivate FIPS on any related packages. r7N) rirrGrD differencer2 intersectionremove_packageslistr ZDISABLE_FAILED_TMPLrCr8)r/rIZfips_metapackageror0r0r1roLs   z%FIPSCommonEntitlement.remove_packagesrMr6cs:tj|dr6ttjttjttjdSdS)NrMTF)rE_perform_enablerrdrZWRONG_FIPS_METAPACKAGE_ON_CLOUDrlrR)r/rMrJr0r1rs]s  z%FIPSCommonEntitlement._perform_enablecsddg}t|tjjd|d}g}|D]}||jkr0||q0|rvddg|}t|tjjd|d}t j |ddS)zSetup apt config based on the resourceToken and directives. FIPS-specifically handle apt-mark unhold :raise UbuntuProError: on failure to setup any aspect of this apt configuration zapt-markZ showholds )ZcommandZunholdrrN) rZrun_apt_commandr ZEXECUTING_COMMAND_FAILEDrCjoin splitlinesfips_pro_package_holdsappendrEsetup_apt_config)r/rMcmdZholdsZunholdsZholdZ unhold_cmdrJr0r1ryhs$    z&FIPSCommonEntitlement.setup_apt_config)NTT)F)F)F) __name__ __module__ __qualname__Zrepo_pin_priority repo_key_filerhZapt_noninteractiver ZurlsZFIPS_HOME_PAGEZ help_doc_urlrwpropertyr2rrstrrXrFrSrZrrr_rDrZ NamedMessagercrorsry __classcell__r0r0rJr1r(hsn  4 * r(cseZdZdZejZejZej Z dZ ej Z eeedfdddZeeedfdfdd Zeedd d Zdeed fd d ZZS)FIPSEntitlementfipsZ UbuntuFIPS.r[cCs:ddlm}ddlm}t|tjtttjt|tj fS)Nr)LivepatchEntitlementRealtimeKernelEntitlement) Zuaclient.entitlements.livepatchruaclient.entitlements.realtimerrr ZLIVEPATCH_INVALIDATES_FIPSFIPSUpdatesEntitlementZFIPS_UPDATES_INVALIDATES_FIPSZREALTIME_FIPS_INCOMPATIBLE)r/rrr0r0r1incompatible_servicess  z%FIPSEntitlement.incompatible_servicescstj}t|j}tj}t|d|kt }|r>|j nd|t j j |j|jdfdddft jj |j|jdfdddffS)NrF)r fips_updatescsSr\r0r0)is_fips_updates_enabledr0r1r<r=z4FIPSEntitlement.static_affordances..csSr\r0r0)fips_updates_once_enabledr0r1r<r=)rEr_rrWrrkrXrcrreadrr Z$FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDrCr8Z)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)r/r_rZenabled_statusZservices_once_enabled_objrJ)rrr1r_s6   z"FIPSEntitlement.static_affordancescCsrd}tr&tjj|jd}tjg}n|j}d}|jsVt j tj j|jd|j dfg}t j ||j dfg||dSNr7)msg assume_yes)Z pre_enable post_enable pre_disable) r r+r PROMPT_FIPS_CONTAINER_PRE_ENABLErCr8FIPS_RUN_APT_UPGRADEpre_enable_msgpurger prompt_for_confirmationPROMPT_FIPS_PRE_DISABLErr/rZpre_enable_promptrr0r0r1 messagings2  zFIPSEntitlement.messagingFrqcsTt\}}|dkr2|tjkr2tdttjt j |drPt t jdSdS)Nz>Could not determine cloud, defaulting to generic FIPS package.rrTF)r r ZCLOUD_ID_ERRORLOGZwarningrArBr Z.FIPS_COULD_NOT_DETERMINE_CLOUD_DEFAULT_PACKAGErErsrrdrZFIPS_INSTALL_OUT_OF_DATE)r/rMZ cloud_typeerrorrJr0r1rss  zFIPSEntitlement._perform_enable)F)r{r|r}namer Z FIPS_TITLEr8ZFIPS_DESCRIPTION descriptionZFIPS_HELP_TEXT help_textoriginZPROMPT_FIPS_PRE_ENABLErrrrrrr_rrrXrsrr0r0rJr1rs!%rcsleZdZdZejZdZejZ ej Z e e edfdddZe edddZd eed fd d ZZS)rz fips-updatesZUbuntuFIPSUpdates.r[cCs$ddlm}tttjt|tjfS)Nrr)rrrrr FIPS_INVALIDATES_FIPS_UPDATESZ"REALTIME_FIPS_UPDATES_INCOMPATIBLE)r/rr0r0r1rs z,FIPSUpdatesEntitlement.incompatible_servicescCsrd}tr&tjj|jd}tjg}ntj}d}|jsVt j tj j|jd|j dfg}t j ||j dfg||dSr) r r+r rrCr8rZPROMPT_FIPS_UPDATES_PRE_ENABLErr rrrrr0r0r1r s2  z FIPSUpdatesEntitlement.messagingFrqcsVtj|drR|jdpi}||jdi|jjd|dtt dddSdS)Nrrzservices-once-enabledT)r>Zcontent)rF) rErsrWZ read_cacheupdaterZ write_cacherwriter)r/rMZservices_once_enabledrJr0r1rs1sz&FIPSUpdatesEntitlement._perform_enable)F)r{r|r}rr ZFIPS_UPDATES_TITLEr8rZFIPS_UPDATES_DESCRIPTIONrZFIPS_UPDATES_HELP_TEXTrrrrrrrrXrsrr0r0rJr1rs %rcsdeZdZdZejZejZej Z dZ ej Z dZeeedfdfdd Zeeedd d ZZS) FIPSPreviewEntitlementz fips-previewZUbuntuFIPSPreviewzubuntu-pro-fips-preview.gpg.r[cstjtttjfSr\)rErrrr rr`rJr0r1rLs z,FIPSPreviewEntitlement.incompatible_servicesrTcCsdS)NTr0rYr0r0r1rZTsz4FIPSPreviewEntitlement._allow_fips_on_cloud_instance)r{r|r}rr ZFIPS_PREVIEW_TITLEr8ZFIPS_PREVIEW_DESCRIPTIONrZFIPS_PREVIEW_HELP_TEXTrrZPROMPT_FIPS_PREVIEW_PRE_ENABLErr~rrrrrrXrZrr0r0rJr1rCsr)7Zloggingre itertoolsrtypingrrrZuaclientrrrr r r Zuaclient.clouds.identityr r Zuaclient.entitlementsrZuaclient.entitlements.baserZ(uaclient.entitlements.entitlement_statusrZuaclient.filesrZuaclient.files.noticesrZuaclient.files.state_filesrrZuaclient.typesrrrZget_event_loggerrAZ getLoggerZreplace_top_level_logger_namer{rZCONDITIONAL_PACKAGES_EVERYWHEREZ!CONDITIONAL_PACKAGES_OPENSSH_HMACZCONDITIONAL_PACKAGES_JAMMYr.Z&UBUNTU_FIPS_METAPACKAGE_DEPENDS_XENIALZ&UBUNTU_FIPS_METAPACKAGE_DEPENDS_BIONICZ%UBUNTU_FIPS_METAPACKAGE_DEPENDS_FOCALZ%UBUNTU_FIPS_METAPACKAGE_DEPENDS_JAMMYr,ZRepoEntitlementr(rrrr0r0r0r1s        rM