o HcfZ@sddlZddlZddlZddlmZddlmZmZmZm Z m Z ddl m Z m Z mZmZmZmZmZddlmZmZddlmZddlmZddlmZdd lmZdd lmZdd l m!Z!m"Z"dd l#m$Z$m%Z%m&Z&e'Z(e)e*e+Z,gd Z-ddgZ.gdZ/e-e.e-e.e-e-e/dZ0gdZ1gdZ2gdZ3gdZ4e-e.e1e-e.e2e-e3e-e/e4dZ5Gdddej6Z7Gddde7Z8Gddde7Z9Gddde8Z:dS)N)groupby)CallableListOptionalTupleUnion)apiapt event_logger exceptionsmessagessystemutil)NoCloudTypeReasonget_cloud_type)repo)EntitlementWithMessage)ApplicationStatus)notices)Notice)ServicesOnceEnabledDataservices_once_enabled_file)MessagingOperationsMessagingOperationsDictStaticAffordance) strongswanstrongswan-hmacopenssh-clientopenssh-server shim-signedopenssh-client-hmacopenssh-server-hmac) libnettle8 libhogweed6 libgnutls30libgmp10)xenialbionicfocaljammy)openssl libssl1.0.0libssl1.0.0-hmac)r* libssl1.1libssl1.1-hmac libgcrypt20libgcrypt20-hmac)gawkzupdate-notifier-commonr*zopenssl-fips-module-3libssl3r/r0c sPeZdZdZdZdZdZejj Z gdZ e ddZ d*d ed efd d Z d+dejdeeeded d ffdd Zd efddZ d*deded d fddZdeded effdd Ze d eedffddZe d eeffd d! Zd eeeejfffd"d# Zd,d$d%Z dejd effd&d' Z!dejd d ffd(d) Z"Z#S)-FIPSCommonEntitlementizubuntu-pro-fips.gpgz/proc/sys/crypto/fips_enabledT)zfips-initramfsr-r.r+r,r+r, linux-fipsrr rr!r*rrr/r0zfips-initramfs-genericrcCs*tj}trt|gSt|gS)a Dictionary of conditional packages to be installed when enabling FIPS services. For example, if we are enabling FIPS services in a machine that has openssh-client installed, we will perform two actions: 1. Upgrade the package to the FIPS version 2. Install the corresponding hmac version of that package when available. )r get_release_infoseries is_container#FIPS_CONTAINER_CONDITIONAL_PACKAGESgetFIPS_CONDITIONAL_PACKAGES)selfr6r<\d+\.\d+\.\d+)r4kernel_versionz*Kernel information: cur='%s' and fips='%s'r)current_version new_versionmsgr?z2Cannot gather kernel information for '%s' and '%s'T)r get_kernel_infoproc_version_signature_versionLOGwarningresearchr get_pkg_candidate_versiongroupdebugversion_compareeventinfor KERNEL_DOWNGRADE_WARNINGformatrprompt_for_confirmation PROMPT_YES_NOr?)r;r?our_full_kernel_strour_mfips_kernel_version_strour_kernel_version_strr<r<r=prompt_if_kernel_downgradesL     z0FIPSCommonEntitlement.prompt_if_kernel_downgradeNprogress package_listcleanup_on_failurec s|j}|rtj||dn |tjj|jdg}t }t t |j ddd}|D] \}} ||vr8|| 7}q,|D](} ztj | gddigdd Wq;tjyc|d tjj|j| d Yq;w|rpttjd Sd S) zInstall contract recommended packages for the entitlement. :param package_list: Optional package list to use instead of self.packages. :param cleanup_on_failure: Cleanup apt files if apt install fails. )r\titlecSs |ddS)Nz-hmac)replace)pkg_namer<r<r= z8FIPSCommonEntitlement.install_packages..)keyDEBIAN_FRONTENDnoninteractive)z--allow-downgradesz$-o Dpkg::Options::="--force-confdef"z$-o Dpkg::Options::="--force-confold")packagesoverride_env_vars apt_optionsrQ)servicepkgN)rhsuperinstall_packagesr[r INSTALLING_SERVICE_PACKAGESrSr_r get_installed_packages_namesrsortedr>run_apt_install_commandr UbuntuProErroremitFIPS_PACKAGE_NOT_AVAILABLE_check_for_rebootraddrFIPS_SYSTEM_REBOOT_REQUIRED) r;r[r\r]mandatory_packagesdesired_packagesinstalled_packages pkg_groupsrbpkg_listrl __class__r<r=rnsN   z&FIPSCommonEntitlement.install_packagescCstS)z=Check if system needs to be rebooted because of this service.)r should_rebootr;r<r<r=rvsz'FIPSCommonEntitlement._check_for_reboot operationsilentcCsN|}t||r#|sttjj|d|dkr%tt j dSdSdS)zCheck if user should be alerted that a reboot must be performed. @param operation: The operation being executed. @param silent: Boolean set True to silence print/log of messages )rzdisable operationN) rvrP needs_rebootrQr ENABLE_REBOOT_REQUIRED_TMPLrSrrwrFIPS_DISABLE_REBOOT_REQUIRED)r;rrreboot_requiredr<r<r=_check_for_reboot_msgs z+FIPSCommonEntitlement._check_for_reboot_msgr6cloud_idcs>|dkrtj|jjddrdS|dvrdStdtjvSdS)aVReturn False when FIPS is allowed on this cloud and series. On Xenial GCP there will be no cloud-optimized kernel so block default ubuntu-fips enable. This can be overridden in config with features.allow_xenial_fips_on_cloud. GCP doesn't yet have a cloud-optimized kernel or metapackage so block enable of fips if the contract does not specify ubuntu-gcp-fips. This also can be overridden in config with features.allow_default_fips_metapackage_on_gcp. :return: False when this cloud, series or config override allows FIPS. gcez.features.allow_default_fips_metapackage_on_gcp)config path_to_valueT)r'r(zubuntu-gcp-fips)ris_config_value_truecfgboolrmrhr;r6rr~r<r=_allow_fips_on_cloud_instance*sz3FIPSCommonEntitlement._allow_fips_on_cloud_instance.cs^dddd}t\}durdtjtjj|d}|fddd ffS) Nzan AWSzan Azureza GCP)awsazurerr`)r6cloudcs SN)rr<rr;r6r<r=rcWrdz:FIPSCommonEntitlement.static_affordances..T) rr r5r6r FIPS_BLOCK_ON_CLOUDrSr_r9)r; cloud_titles_blocked_messager<rr=static_affordancesIs   z(FIPSCommonEntitlement.static_affordancescstrgStjSr)r r7rmrhrr~r<r=rh\szFIPSCommonEntitlement.packagescst\}}trtsttj||fSt j |j rStt |js.ttjt|j dkrBttj||fSttjtjtjj|j dfS|tjkr\||fStjtjfS)N1) file_name)rmapplication_statusr r7rrremoverrxospathexistsFIPS_PROC_FILEsetrh load_filestripFIPS_MANUAL_DISABLE_URLrwrDISABLEDr FIPS_PROC_FILE_ERRORrSENABLEDFIPS_REBOOT_REQUIRED)r; super_status super_msgr~r<r=rbs: z(FIPSCommonEntitlement.application_statuscCsTtt}t|jt|j}||}|r(tt|t j j |j ddSdS)zRemove fips meta package to disable the service. FIPS meta-package will unset grub config options which will deactivate FIPS on any related packages. r^N) rr rprh differencer> intersectionremove_packageslistr DISABLE_FAILED_TMPLrSr_)r;r{fips_metapackagerr<r<r=rs   z%FIPSCommonEntitlement.remove_packagescs8t|rttjttjttjdSdS)NTF)rm_perform_enablerrrWRONG_FIPS_METAPACKAGE_ON_CLOUDrrr;r[r~r<r=rs   z%FIPSCommonEntitlement._perform_enablecsddg}t|tjjd|d}g}|D] }||jvr$||q|r;ddg|}t|tjjd|d}t |dS)zSetup apt config based on the resourceToken and directives. FIPS-specifically handle apt-mark unhold :raise UbuntuProError: on failure to setup any aspect of this apt configuration zapt-mark showholds )commandunholdN) r run_apt_commandr EXECUTING_COMMAND_FAILEDrSjoin splitlinesfips_pro_package_holdsappendrmsetup_apt_config)r;r[cmdholdsunholdshold unhold_cmdr~r<r=rs&    z&FIPSCommonEntitlement.setup_apt_config)FNT)r@N)$__name__ __module__ __qualname__repo_pin_priority repo_key_filerapt_noninteractiver urlsFIPS_HOME_PAGE help_doc_urlrpropertyr>rrZrProgressWrapperrrstrrnrvrrrrrrhr NamedMessagerrrr __classcell__r<r<r~r=r3ish  5 @  * r3cseZdZdZejZejZej Z dZ ej Z edeedffddZedeedfffdd Zedefd d Zd ejdeffd d ZZS)FIPSEntitlementfips UbuntuFIPSr@.cCs:ddlm}ddlm}t|tjtttjt|tj fS)Nr)LivepatchEntitlementRealtimeKernelEntitlement) uaclient.entitlements.livepatchruaclient.entitlements.realtimerrr LIVEPATCH_INVALIDATES_FIPSFIPSUpdatesEntitlementFIPS_UPDATES_INVALIDATES_FIPSREALTIME_FIPS_INCOMPATIBLE)r;rrr<r<r=incompatible_servicess  z%FIPSEntitlement.incompatible_servicescstj}t|j}tj}t|d|kt }|r|j nd|t j j |j|jdfdddft jj |j|jdfdddffS)NrF)r fips_updatescSrr<r<)is_fips_updates_enabledr<r=rcz4FIPSEntitlement.static_affordances..crrr<r<)fips_updates_once_enabledr<r=rcr)rmrrrrrrrrreadrr $FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDrSr_)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)r;rrenabled_statusservices_once_enabled_objr~)rrr=rs2   z"FIPSEntitlement.static_affordancescCsd}trtjj|jd}tjg}n|j}d}|js+t j tj j|jd|j dfg}t j ||j dfg|j d|j ifg||dSNr^rDr?) pre_enable pre_install post_enable pre_disable)r r7r PROMPT_FIPS_CONTAINER_PRE_ENABLErSr_FIPS_RUN_APT_UPGRADEpre_enable_msgpurgerrTPROMPT_FIPS_PRE_DISABLEr?rZr;rpre_enable_promptrr<r<r= messaging<  zFIPSEntitlement.messagingr[csRt\}}|dur|tjkrtdttjt |r't t jdSdS)Nz>Could not determine cloud, defaulting to generic FIPS package.TF)rrCLOUD_ID_ERRORrHrIrPrQr .FIPS_COULD_NOT_DETERMINE_CLOUD_DEFAULT_PACKAGErmrrrrFIPS_INSTALL_OUT_OF_DATE)r;r[ cloud_typeerrorr~r<r=r-s   zFIPSEntitlement._perform_enable)rrrnamer FIPS_TITLEr_FIPS_DESCRIPTION descriptionFIPS_HELP_TEXT help_textoriginPROMPT_FIPS_PRE_ENABLErrrrrrrrrrrrrrr<r<r~r=rs! -rcsneZdZdZejZdZejZ ej Z e de edffddZe defddZd ejdeffd d ZZS) rz fips-updatesUbuntuFIPSUpdatesr@.cCs$ddlm}tttjt|tjfS)Nrr)rrrrr FIPS_INVALIDATES_FIPS_UPDATES"REALTIME_FIPS_UPDATES_INCOMPATIBLE)r;rr<r<r=rEs z,FIPSUpdatesEntitlement.incompatible_servicescCsd}trtjj|jd}tjg}ntj}d}|js+t j tj j|jd|j dfg}t j ||j dfg|j d|j ifg||dSr)r r7r rrSr_rPROMPT_FIPS_UPDATES_PRE_ENABLErrrTrr?rZrr<r<r=rSrz FIPSUpdatesEntitlement.messagingr[cs&tj|drttdddSdS)N)r[T)rF)rmrrwriterrr~r<r=rs z&FIPSUpdatesEntitlement._perform_enable)rrrrr FIPS_UPDATES_TITLEr_rFIPS_UPDATES_DESCRIPTIONrFIPS_UPDATES_HELP_TEXTrrrrrrrrrrrrr<r<r~r=r>s  -rcsheZdZdZejZejZej Z dZ ej Z dZedeedfffdd Zded edefd d ZZS) FIPSPreviewEntitlementz fips-previewUbuntuFIPSPreviewzubuntu-pro-fips-preview.gpgr@.cstjtttjfSr)rmrrrr r rr~r<r=rs z,FIPSPreviewEntitlement.incompatible_servicesr6rcCsdSrr<rr<r<r=rsz4FIPSPreviewEntitlement._allow_fips_on_cloud_instance)rrrrr FIPS_PREVIEW_TITLEr_FIPS_PREVIEW_DESCRIPTIONrFIPS_PREVIEW_HELP_TEXTrrPROMPT_FIPS_PREVIEW_PRE_ENABLErrrrrrrrrrr<r<r~r=rs"r);loggingrrJ itertoolsrtypingrrrrruaclientrr r r r r ruaclient.clouds.identityrruaclient.entitlementsruaclient.entitlements.baser(uaclient.entitlements.entitlement_statusruaclient.filesruaclient.files.noticesruaclient.files.state_filesrruaclient.typesrrrget_event_loggerrP getLoggerreplace_top_level_logger_namerrHCONDITIONAL_PACKAGES_EVERYWHERE!CONDITIONAL_PACKAGES_OPENSSH_HMACCONDITIONAL_PACKAGES_JAMMYr:&UBUNTU_FIPS_METAPACKAGE_DEPENDS_XENIAL&UBUNTU_FIPS_METAPACKAGE_DEPENDS_BIONIC%UBUNTU_FIPS_METAPACKAGE_DEPENDS_FOCAL%UBUNTU_FIPS_METAPACKAGE_DEPENDS_JAMMYr8RepoEntitlementr3rrrr<r<r<r=sv $      ]zM