o (fa@sddlZddlZddlZddlmZddlmZmZmZddl m Z m Z m Z m Z mZmZmZddlmZmZddlmZddlmZddlmZdd lmZdd lmZdd lmZm Z dd l!m"Z"m#Z#m$Z$e %Z&e'e(e)Z*gd Z+ddgZ,e+e,e+e,e+dZ-gdZ.gdZ/gdZ0e+e,e.e+e,e/e+e0dZ1Gdddej2Z3Gddde3Z4Gddde3Z5Gddde4Z6dS)N)groupby)ListOptionalTuple)apiapt event_logger exceptionsmessagessystemutil)NoCloudTypeReasonget_cloud_type)repo)EntitlementWithMessage)ApplicationStatus)notices)Notice)ServicesOnceEnabledDataservices_once_enabled_file)MessagingOperationsMessagingOperationsDictStaticAffordance) strongswanstrongswan-hmacopenssh-clientopenssh-server shim-signedopenssh-client-hmacopenssh-server-hmac)xenialbionicfocal)openssl libssl1.0.0libssl1.0.0-hmac)r# libssl1.1libssl1.1-hmac libgcrypt20libgcrypt20-hmacc seZdZdZdZdZejZdZ ej j Z gdZ edefddZed d Zd edefd d ZdejfddZdefddZdejfddZ  d6dejdeeededdffdd ZdefddZ d7dededdfdd Zd!ed"edeffd#d$ Zede e!d%ffd&d'Z"edeeffd(d) Z#de e$eej%fffd*d+ Z&d8d,d-Z'dejdeffd.d/ Z(dejdeffd0d1 Z)d2d3Z*dejddffd4d5 Z+Z,S)9FIPSCommonEntitlementizubuntu-pro-fips.gpgz/proc/sys/crypto/fips_enabledT)zfips-initramfszfips-initramfs-genericr(r)libgmp10 libgnutls30 libhogweed6 libnettle8r$r%r$r%r&r'libssl3 linux-fipsrrrrr#zopenssl-fips-module-3rrrz ubuntu-fipszubuntu-aws-fipszubuntu-azure-fipsubuntu-gcp-fipsreturnc Csd}trtjj|jd}|stjg}n|j}d}|j s-t j dtj j|jdifg}t j d|ifg|j ifg||d}t|jdkr|jd}td|}|rX|d}nd}tj}||kr|dpig} tjj||j||ptd d } | t j d| if| |d<|S) Ntitlemsg) pre_enable pre_install post_enable pre_disablerzubuntu-([a-z]+)-fipsgenericr6unknown)variantservice base_flavorcurrent_flavor)r is_containerr PROMPT_FIPS_CONTAINER_PRE_ENABLEformatr4auto_upgrade_all_on_enableFIPS_RUN_APT_UPGRADEpre_enable_msgpurger prompt_for_confirmationPROMPT_FIPS_PRE_DISABLEprompt_if_kernel_downgradelenpackagesrematchgroupget_kernel_infoflavorget#KERNEL_FLAVOR_CHANGE_WARNING_PROMPTnameappend) selfr8pre_enable_promptr9 messagingubuntu_fips_package_name ubuntu_fips_package_flavor_matchubuntu_fips_package_flavorr@r6r5r\\d+\.\d+\.\d+)r0kernel_versionz*Kernel information: cur='%s' and fips='%s'r)current_version new_version)r5rcz2Cannot gather kernel information for '%s' and '%s'T)r rPproc_version_signature_versionLOGwarningrMsearchrget_pkg_candidate_versionrOdebugversion_compareeventinfor KERNEL_DOWNGRADE_WARNINGrCr rH PROMPT_YES_NO)rVrcour_full_kernel_strour_mfips_kernel_version_strour_kernel_version_strr\r\r]rJsJ    z0FIPSCommonEntitlement.prompt_if_kernel_downgradeprogressc Csg}t}tt|jddd}|D] \}}||vr||7}q|D](}ztj|gddigddWq"tjyJ|dt j j |j |d Yq"wdS) NcSs |ddS)Nz-hmac)replace)pkg_namer\r\r] zNFIPSCommonEntitlement.hardcoded_install_conditional_packages..)keyDEBIAN_FRONTENDnoninteractivez--allow-downgradesz$-o Dpkg::Options::="--force-confdef"z$-o Dpkg::Options::="--force-confold"rLoverride_env_vars apt_optionsro)r>pkg) rget_installed_packages_namesrsortedrbrun_apt_install_commandr UbuntuProErroremitr FIPS_PACKAGE_NOT_AVAILABLErCr4)rVrvdesired_packagesinstalled_packages pkg_groupsrypkg_listrr\r\r]&hardcoded_install_conditional_packagess4   zr"r!r )r is_config_value_truecfgr r^r_)rVinstall_all_updates_overridehardcoded_releaser\r\r]rD2s  z0FIPSCommonEntitlement.auto_upgrade_all_on_enablecCsddt|jD}|t|dkrJz"|dtjjd |d| |tj |ddigd d WdSt j yI|dtjYdSwdS) NcSsg|]}|jqSr\)rT).0packager\r\r] AszMFIPSCommonEntitlement.install_all_available_fips_upgrades..rro )rLr}r~rr)r;get_installed_packages_with_uninstalled_candidate_in_originoriginsortrKrr INSTALLING_PACKAGESrCjoinunhold_packagesrr rFIPS_PACKAGES_UPGRADE_FAILURE)rVrv to_upgrader\r\r]#install_all_available_fips_upgrades>s0    z9FIPSCommonEntitlement.install_all_available_fips_upgradesN package_listcleanup_on_failurecsl|j}|rtj||dn |tjj|jd|r#| |n| || r4t tjdSdS)zInstall contract recommended packages for the entitlement. :param package_list: Optional package list to use instead of self.packages. :param cleanup_on_failure: Cleanup apt files if apt install fails. )rr3N)rLsuperinstall_packagesrvr INSTALLING_SERVICE_PACKAGESrCr4rDrr_check_for_rebootraddrFIPS_SYSTEM_REBOOT_REQUIRED)rVrvrrmandatory_packages __class__r\r]r^s"  z&FIPSCommonEntitlement.install_packagescCstS)z=Check if system needs to be rebooted because of this service.)r should_rebootrVr\r\r]rsz'FIPSCommonEntitlement._check_for_rebootF operationsilentcCsN|}t||r#|sttjj|d|dkr%tt j dSdSdS)zCheck if user should be alerted that a reboot must be performed. @param operation: The operation being executed. @param silent: Boolean set True to silence print/log of messages )rzdisable operationN) rrn needs_rebootror ENABLE_REBOOT_REQUIRED_TMPLrCrrrFIPS_DISABLE_REBOOT_REQUIRED)rVrrreboot_requiredr\r\r]_check_for_reboot_msgs z+FIPSCommonEntitlement._check_for_reboot_msgr_cloud_idcs>|dkrtj|jjddrdS|dvrdStdtjvSdS)aVReturn False when FIPS is allowed on this cloud and series. On Xenial GCP there will be no cloud-optimized kernel so block default ubuntu-fips enable. This can be overridden in config with features.allow_xenial_fips_on_cloud. GCP doesn't yet have a cloud-optimized kernel or metapackage so block enable of fips if the contract does not specify ubuntu-gcp-fips. This also can be overridden in config with features.allow_default_fips_metapackage_on_gcp. :return: False when this cloud, series or config override allows FIPS. gcez.features.allow_default_fips_metapackage_on_gcprT)r!r"r1)r rrboolrrLrVr_rrr\r]_allow_fips_on_cloud_instancesz3FIPSCommonEntitlement._allow_fips_on_cloud_instance.cs^dddd}t\}durdtjtjj|d}|fddd ffS) Nzan AWSzan Azureza GCP)awsazurerrw)r_cloudcs SN)rr\rrVr_r\r]rzr{z:FIPSCommonEntitlement.static_affordances..T) rr r^r_r FIPS_BLOCK_ON_CLOUDrCr4rR)rV cloud_titles_blocked_messager\rr]static_affordancess   z(FIPSCommonEntitlement.static_affordancescstrgStjSr)r rArrLrrr\r]rLszFIPSCommonEntitlement.packagescst\}}trtsttj||fSt j |j rStt |js.ttjt|j dkrBttj||fSttjtjtjj|j dfS|tjkr\||fStjtjfS)N1) file_name)rapplication_statusr rArrremoverrospathexistsFIPS_PROC_FILEsetrL load_filestripFIPS_MANUAL_DISABLE_URLrrDISABLEDr FIPS_PROC_FILE_ERRORrCENABLEDFIPS_REBOOT_REQUIRED)rV super_status super_msgrr\r]rs: z(FIPSCommonEntitlement.application_statuscCsTtt}t|jt|j}||}|r(tt|t j j |j ddSdS)zRemove fips meta package to disable the service. FIPS meta-package will unset grub config options which will deactivate FIPS on any related packages. r3N) rrrrL differencerb intersectionremove_packageslistr DISABLE_FAILED_TMPLrCr4)rVrfips_metapackagerr\r\r]rs   z%FIPSCommonEntitlement.remove_packagescs8t|rttjttjttjdSdSNTF)r_perform_enablerrrWRONG_FIPS_METAPACKAGE_ON_CLOUDrrrVrvrr\r]rs   z%FIPSCommonEntitlement._perform_enablecs(t|r|rttjdSdSr)r_perform_disablerrrrrrrr\r]rs z&FIPSCommonEntitlement._perform_disablecCs|ddg}t|tjjd|d}g}|D] }||vr#||q|r.crrr\r\)fips_updates_once_enabledr\r]rz{r)rrr rrrrrrreadrr $FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDrCr4)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)rVrrenabled_statusservices_once_enabled_objr)rrr]r^s2   z"FIPSEntitlement.static_affordancesrvcsRt\}}|dur|tjkrtdttjt |r't t jdSdS)Nz>Could not determine cloud, defaulting to generic FIPS package.TF)rr CLOUD_ID_ERRORrhrirnror .FIPS_COULD_NOT_DETERMINE_CLOUD_DEFAULT_PACKAGErrrrrFIPS_INSTALL_OUT_OF_DATE)rVrv cloud_typeerrorrr\r]rs   zFIPSEntitlement._perform_enable)rrrrTr FIPS_TITLEr4FIPS_DESCRIPTION descriptionFIPS_HELP_TEXT help_textrrrFrrrr rrrrrrrr\r\rr]rEs !rcsbeZdZdZejZdZejZ ej Z ej Z edeedffddZdejdeffdd ZZS) r z fips-updatesUbuntuFIPSUpdatesr2.cCs$ddlm}tttjt|tjfS)Nrr)rrrrr FIPS_INVALIDATES_FIPS_UPDATES"REALTIME_FIPS_UPDATES_INCOMPATIBLE)rVrr\r\r]r s z,FIPSUpdatesEntitlement.incompatible_servicesrvcs&tj|drttdddSdS)N)rvT)rF)rrrwriterrrr\r]rs z&FIPSUpdatesEntitlement._perform_enable)rrrrTr FIPS_UPDATES_TITLEr4rFIPS_UPDATES_DESCRIPTIONrFIPS_UPDATES_HELP_TEXTr!PROMPT_FIPS_UPDATES_PRE_ENABLErFrrrr rrrrrr\r\rr]r s r csheZdZdZejZejZej Z dZ ej Z dZedeedfffdd Zded edefd d ZZS) FIPSPreviewEntitlementz fips-previewUbuntuFIPSPreviewzubuntu-pro-fips-preview.gpgr2.cstjtttjfSr)rr rrr r#rrr\r]r s z,FIPSPreviewEntitlement.incompatible_servicesr_rcCsdSrr\rr\r\r]rsz4FIPSPreviewEntitlement._allow_fips_on_cloud_instance)rrrrTr FIPS_PREVIEW_TITLEr4FIPS_PREVIEW_DESCRIPTIONrFIPS_PREVIEW_HELP_TEXTr!rPROMPT_FIPS_PREVIEW_PRE_ENABLErFrrrrr rrrrr\r\rr]r*s"r*)7loggingrrM itertoolsrtypingrrruaclientrrrr r r r uaclient.clouds.identityr ruaclient.entitlementsruaclient.entitlements.baser(uaclient.entitlements.entitlement_statusruaclient.filesruaclient.files.noticesruaclient.files.state_filesrruaclient.typesrrrget_event_loggerrn getLoggerreplace_top_level_logger_namerrhCONDITIONAL_PACKAGES_EVERYWHERE!CONDITIONAL_PACKAGES_OPENSSH_HMACra&UBUNTU_FIPS_METAPACKAGE_DEPENDS_XENIAL&UBUNTU_FIPS_METAPACKAGE_DEPENDS_BIONIC%UBUNTU_FIPS_METAPACKAGE_DEPENDS_FOCALr`RepoEntitlementr*rr r*r\r\r\r]sh $      rL