U 2d G@s~ddlZddlZddlmZddlmZmZmZddlm Z m Z m Z m Z m Z mZddlmZmZddlmZddlmZddlmZdd lmZdd lmZdd lmZmZdd lm Z m!Z!m"Z"e #Z$e%e&e'Z(d ddddgZ)ddgZ*e)e*e)e*e)dZ+dddgZ,dddddgZ-dddddgZ.e)e*e,e)e*e-e)e.dZ/Gdddej0Z1Gddde1Z2Gd d!d!e1Z3dS)"N)groupby)ListOptionalTuple)apt event_logger exceptionsmessagessystemutil)NoCloudTypeReasonget_cloud_type)repo)IncompatibleService)ApplicationStatus)notices)Notice)ServicesOnceEnabledDataservices_once_enabled_file)MessagingOperationsMessagingOperationsDictStaticAffordance strongswanstrongswan-hmacopenssh-clientopenssh-server shim-signedopenssh-client-hmacopenssh-server-hmac)Zxenialbionicfocalopenssl libssl1.0.0libssl1.0.0-hmac libssl1.1libssl1.1-hmac libgcrypt20libgcrypt20-hmaccs4eZdZdZdZdZdZdZdddd d d d d d d dddddddddgZe ddZ d3e e e eeddfdd Zd4e edddd Ze e ed!fd"d# Ze eed$fd%d&d'Ze e e d%fd(d) Zeee ejfd%fd*d+ Zdd%d,d-Zd5eed.fd/d0 Zd6edd.fd1d2 ZZS)7FIPSCommonEntitlementizubuntu-pro-fips.gpgz/proc/sys/crypto/fips_enabledTz/https://ubuntu.com/security/certifications#fipszfips-initramfsr$r%r"r#z linux-fipsrrrrr!rrr&r'zfips-initramfs-genericrcCs*tj}trt|gSt|gS)a Dictionary of conditional packages to be installed when enabling FIPS services. For example, if we are enabling FIPS services in a machine that has openssh-client installed, we will perform two actions: 1. Upgrade the package to the FIPS version 2. Install the corresponding hmac version of that package when available. )r get_release_infoseries is_container#FIPS_CONTAINER_CONDITIONAL_PACKAGESgetFIPS_CONDITIONAL_PACKAGES)selfr*r0z8FIPSCommonEntitlement.install_packages..)key)r3r4r5)servicepkgN)eventinfoformatr8packagessuperinstall_packagesrget_installed_packages_namesrsortedr2rZUserFacingErrorr ZFIPS_PACKAGE_NOT_AVAILABLE) r/r3r4r5Zmandatory_packagesZdesired_packagesinstalled_packagesZ pkg_groupsr;Zpkg_listr@ __class__r0r1rFs<    z&FIPSCommonEntitlement.install_packagesF) operationsilentr6cCs\t}t||rX|s.ttjj|d|dkrDt t j n|dkrXt t j dS)zCheck if user should be alerted that a reboot must be performed. @param operation: The operation being executed. @param silent: Boolean set True to silence print/log of messages )rLinstallzdisable operationN) r should_rebootrAZ needs_rebootrBr ZENABLE_REBOOT_REQUIRED_TMPLrCraddrFIPS_SYSTEM_REBOOT_REQUIREDFIPS_DISABLE_REBOOT_REQUIRED)r/rLrMZreboot_requiredr0r0r1_check_for_reboot_msgs" z+FIPSCommonEntitlement._check_for_reboot_msg)r*cloud_idr6cs>|dkr:tj|jjddrdS|dkr*dStdtjkSdS)aVReturn False when FIPS is allowed on this cloud and series. On Xenial GCP there will be no cloud-optimized kernel so block default ubuntu-fips enable. This can be overridden in config with features.allow_xenial_fips_on_cloud. GCP doesn't yet have a cloud-optimized kernel or metapackage so block enable of fips if the contract does not specify ubuntu-gcp-fips. This also can be overridden in config with features.allow_default_fips_metapackage_on_gcp. :return: False when this cloud, series or config override allows FIPS. gcez.features.allow_default_fips_metapackage_on_gcp)ZconfigZ path_to_valueT)rr zubuntu-gcp-fips)r Zis_config_value_truecfgboolrErD)r/r*rTrJr0r1_allow_fips_on_cloud_instancesz3FIPSCommonEntitlement._allow_fips_on_cloud_instance.r6cs^dddd}t\}dkr"dtjtjj|d}|fddd ffS) Nzan AWSzan Azureza GCP)ZawsZazurerUr9)r*Zcloudcs SN)rXr0rTr/r*r0r1r<r=z:FIPSCommonEntitlement.static_affordances..T) r r r)r*r ZFIPS_BLOCK_ON_CLOUDrCr8r-)r/Z cloud_titles_Zblocked_messager0r[r1static_affordancess   z(FIPSCommonEntitlement.static_affordancescstr gStjSrZ)r r+rErD)r/rJr0r1rDszFIPSCommonEntitlement.packagescst\}}tr2ts2ttj||fSt j |j rtt |js\ttjt|j dkrttj||fSttjtjtjj|j dfS|tjkr||fStjtjfS)N1) file_name)rEapplication_statusr r+rOrremoverrQospathexistsFIPS_PROC_FILEsetrDZ load_filestripZFIPS_MANUAL_DISABLE_URLrPrZDISABLEDr ZFIPS_PROC_FILE_ERRORrCENABLEDFIPS_REBOOT_REQUIRED)r/Z super_statusZ super_msgrJr0r1r` s: z(FIPSCommonEntitlement.application_statuscCsPtt}t|jt|j}||}|rLtt|t j j |j ddS)zRemove fips meta package to disable the service. FIPS meta-package will unset grub config options which will deactivate FIPS on any related packages. r7N) rfrrGrD differencer2 intersectionremove_packageslistr ZDISABLE_FAILED_TMPLrCr8)r/rIZfips_metapackagerlr0r0r1rl7s   z%FIPSCommonEntitlement.remove_packagesrMr6cs:tj|dr6ttjttjttjdSdS)NrMTF)rE_perform_enablerrarZWRONG_FIPS_METAPACKAGE_ON_CLOUDrirR)r/rMrJr0r1rpHs  z%FIPSCommonEntitlement._perform_enablecs|ddg}t|d|d}g}|D]}||jkr*||q*|rjddg|}t|d|d}tj|ddS)zSetup apt config based on the resourceToken and directives. FIPS-specifically handle apt-mark unhold :raise UserFacingError: on failure to setup any aspect of this apt configuration zapt-markZ showholds z failed.ZunholdroN)rZrun_apt_commandjoin splitlinesfips_pro_package_holdsappendrEsetup_apt_config)r/rMcmdZholdsZunholdsZholdZ unhold_cmdrJr0r1rvSs     z&FIPSCommonEntitlement.setup_apt_config)NTT)F)F)F)__name__ __module__ __qualname__Zrepo_pin_priorityZ repo_key_filereZapt_noninteractiveZ help_doc_urlrtpropertyr2rrstrrWrFrSrXrrr]rDrr Z NamedMessager`rlrprv __classcell__r0r0rJr1r(Usn  2 * r(cseZdZdZdZdZdZeee dfdddZ eee dfdfd d Z ee dd d Zdeedfdd ZZS)FIPSEntitlementfipsZFIPSzNIST-certified core packagesZ UbuntuFIPS.rYcCs:ddlm}ddlm}t|tjtttjt|tj fS)Nr)LivepatchEntitlementRealtimeKernelEntitlement) Zuaclient.entitlements.livepatchruaclient.entitlements.realtimerrr ZLIVEPATCH_INVALIDATES_FIPSFIPSUpdatesEntitlementZFIPS_UPDATES_INVALIDATES_FIPSZREALTIME_FIPS_INCOMPATIBLE)r/rrr0r0r1incompatible_servicesos  z%FIPSEntitlement.incompatible_servicescstj}t|j}tj}t|d|kt }|r>|j nd|t j j |j|jdfdddft jj |j|jdfdddffS)NrF)r fips_updatescsSrZr0r0)is_fips_updates_enabledr0r1r<r=z4FIPSEntitlement.static_affordances..csSrZr0r0)fips_updates_once_enabledr0r1r<r=)rEr]rrVrrhrWr`rreadrr Z$FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDrCr8Z)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)r/r]rZenabled_statusZservices_once_enabled_objrJ)rrr1r]s6   z"FIPSEntitlement.static_affordancescCsZd}tr&tjj|jd}tjg}ntj}tj ||j dfg|tj tj |j dfgdSNr7)msg assume_yes)Z pre_enable post_enableZ pre_disable) r r+r PROMPT_FIPS_CONTAINER_PRE_ENABLErCr8FIPS_RUN_APT_UPGRADEZPROMPT_FIPS_PRE_ENABLEr prompt_for_confirmationrPROMPT_FIPS_PRE_DISABLEr/rZpre_enable_promptr0r0r1 messagings(  zFIPSEntitlement.messagingFrncsHt\}}|dkr&|tjkr&tdtj|drDtt j dSdS)Nz>Could not determine cloud, defaulting to generic FIPS package.roTF) r r ZCLOUD_ID_ERRORLOGZwarningrErprrarZFIPS_INSTALL_OUT_OF_DATE)r/rMZ cloud_typeerrorrJr0r1rps zFIPSEntitlement._perform_enable)F)rxryrznamer8 descriptionoriginr{rrrrr]rrrWrpr}r0r0rJr1r~is!r~csbeZdZdZdZdZdZeee dfdddZ ee dd d Z de e d fd d ZZS)rz fips-updatesz FIPS UpdatesZUbuntuFIPSUpdatesz;NIST-certified core packages with priority security updates.rYcCs$ddlm}tttjt|tjfS)Nrr)rrrr~r ZFIPS_INVALIDATES_FIPS_UPDATESZ"REALTIME_FIPS_UPDATES_INCOMPATIBLE)r/rr0r0r1rs z,FIPSUpdatesEntitlement.incompatible_servicescCsZd}tr&tjj|jd}tjg}ntj}tj ||j dfg|tj tj |j dfgdSr) r r+r rrCr8rZPROMPT_FIPS_UPDATES_PRE_ENABLEr rrrrr0r0r1rs(  z FIPSUpdatesEntitlement.messagingFrncsVtj|drR|jdpi}||jdi|jjd|dtt dddSdS)Nrozservices-once-enabledT)r>Zcontent)rF) rErprVZ read_cacheupdaterZ write_cacherwriter)r/rMZservices_once_enabledrJr0r1rpsz&FIPSUpdatesEntitlement._perform_enable)F)rxryrzrr8rrr{rrrrrrWrpr}r0r0rJr1rs r)4Zloggingrb itertoolsrtypingrrrZuaclientrrrr r r Zuaclient.clouds.identityr r Zuaclient.entitlementsrZuaclient.entitlements.baserZ(uaclient.entitlements.entitlement_statusrZuaclient.filesrZuaclient.files.noticesrZuaclient.files.state_filesrrZuaclient.typesrrrZget_event_loggerrAZ getLoggerZreplace_top_level_logger_namerxrZCONDITIONAL_PACKAGES_EVERYWHEREZ!CONDITIONAL_PACKAGES_OPENSSH_HMACr.Z&UBUNTU_FIPS_METAPACKAGE_DEPENDS_XENIALZ&UBUNTU_FIPS_METAPACKAGE_DEPENDS_BIONICZ%UBUNTU_FIPS_METAPACKAGE_DEPENDS_FOCALr,ZRepoEntitlementr(r~rr0r0r0r1s        i