U JhHf@sddlZddlZddlZddlmZddlmZmZmZddl m Z m Z m Z m Z mZmZmZddlmZmZddlmZddlmZddlmZdd lmZdd lmZdd lmZm Z dd l!m"Z"m#Z#m$Z$e %Z&e'e(e)Z*d ddddgZ+ddgZ,e+e,e+e,e+dZ-dddgZ.dddddgZ/dddddgZ0e+e,e.e+e,e/e+e0dZ1Gdddej2Z3Gddde3Z4Gd d!d!e3Z5Gd"d#d#e4Z6dS)$N)groupby)ListOptionalTuple)apiapt event_logger exceptionsmessagessystemutil)NoCloudTypeReasonget_cloud_type)repo)EntitlementWithMessage)ApplicationStatus)notices)Notice)ServicesOnceEnabledDataservices_once_enabled_file)MessagingOperationsMessagingOperationsDictStaticAffordance strongswanstrongswan-hmacopenssh-clientopenssh-server shim-signedopenssh-client-hmacopenssh-server-hmac)xenialbionicfocalopenssl libssl1.0.0libssl1.0.0-hmac libssl1.1libssl1.1-hmac libgcrypt20libgcrypt20-hmaccseZdZdZdZdZejZdZ dZ ej j Z ddddd d d d d dd ddddddddddddddddddgZeed d!d"Zed#d$Zeed%d&d'Zejd(d)d*Zed d+d,Zejd(d-d.ZdNejeeeed/d0fd1d2 Zed d3d4ZdOeed/d6d7d8Zeeed9fd:d; Z ee!e"dZ#eeed fd?d@ Z$e!e%eej&fd fdAdB Z'd/d dCdDZ(ejedEfdFdG Z)ejedEfdHdI Z*dJdKZ+ejd/dEfdLdM Z,Z-S)PFIPSCommonEntitlementizubuntu-pro-fips.gpgz/proc/sys/crypto/fips_enabledTzfips-initramfszfips-initramfs-genericr(r)Zlibgmp10Z libgnutls30Z libhogweed6Z libnettle8r$r%r&r'Zlibssl3 linux-fipsrrrrr#openssl-fips-module-3rrrz ubuntu-fipszubuntu-aws-fipszubuntu-azure-fipsubuntu-gcp-fipsreturnc Cs6d}d}|jsNtr8tjj|jd}|s>tjg}n|j }t j d|ifg}d}|j sz|jszt j dtj j|jdifg}|js|jifgnd}||||d}t|jdkr2|jd}td|}|r|d} nd} tj} | | kr2|dpg}tjj| |j| | pd d } |t j d| if||d<|S) Ntitlemsg) pre_enable pre_install post_enable pre_disablerzubuntu-([a-z]+)-fipsZgenericr3unknown)ZvariantserviceZ base_flavorcurrent_flavor)Z access_onlyr is_containerr Z PROMPT_FIPS_CONTAINER_PRE_ENABLEformatr1auto_upgrade_all_on_enableZFIPS_RUN_APT_UPGRADEpre_enable_msgr prompt_for_confirmationpurgeZPROMPT_FIPS_PRE_DISABLEprompt_if_kernel_downgradelenpackagesrematchgroupget_kernel_infoZflavorgetZ#KERNEL_FLAVOR_CHANGE_WARNING_PROMPTnameappend) selfr3r5Zpre_enable_promptr6r4 messagingZubuntu_fips_package_nameZ ubuntu_fips_package_flavor_matchZubuntu_fips_package_flavorr:r2rM\d+\.\d+\.\d+)r+Zkernel_versionz*Kernel information: cur='%s' and fips='%s'r)Zcurrent_versionZ new_version)r2rTz2Cannot gather kernel information for '%s' and '%s'T)r rGZproc_version_signature_versionLOGwarningrDsearchrZget_pkg_candidate_versionrFdebugZversion_compareeventinfor ZKERNEL_DOWNGRADE_WARNINGr<r r?Z PROMPT_YES_NO)rKrTZour_full_kernel_strZour_mZfips_kernel_version_strZour_kernel_version_strrMrMrNrAsP   z0FIPSCommonEntitlement.prompt_if_kernel_downgradeprogressc Csg}t}tt|jddd}|D]\}}||kr&||7}q&|D]V}z tj|gddidddgd WqDtjk r|d t j j |j |d YqDXqDdS) NcSs |ddS)Nz-hmac)replace)pkg_namerMrMrN#zNFIPSCommonEntitlement.hardcoded_install_conditional_packages..)keyDEBIAN_FRONTENDnoninteractive--allow-downgrades$-o Dpkg::Options::="--force-confdef"$-o Dpkg::Options::="--force-confold"rCZoverride_env_varsZ apt_optionsrZ)r9pkg) rget_installed_packages_namesrsortedrSrun_apt_install_commandr UbuntuProErroremitr ZFIPS_PACKAGE_NOT_AVAILABLEr<r1)rKr\Zdesired_packagesinstalled_packagesZ pkg_groupsr_Zpkg_listrirMrMrN&hardcoded_install_conditional_packagess6   zr!r"r )r is_config_value_truecfgr rOrP)rKZinstall_all_updates_overrideZhardcoded_releaserMrMrNr==s z0FIPSCommonEntitlement.auto_upgrade_all_on_enablecCsddt|jD}tjdkr.|d|t|dkrzD| dt j j d |d||tj|d d id d d gdWn$tjk r| dt jYnXdS)NcSsg|] }|jqSrM)rI).0packagerMrMrN LszMFIPSCommonEntitlement.install_all_available_fips_upgrades..Zjammyr,rrZ )rCrcrdrerfrgrh)rZ;get_installed_packages_with_uninstalled_candidate_in_originoriginr rOrPrJsortrBrnr ZINSTALLING_PACKAGESr<joinunhold_packagesrlr rmZFIPS_PACKAGES_UPGRADE_FAILURE)rKr\Z to_upgraderMrMrN#install_all_available_fips_upgradesIs6    z9FIPSCommonEntitlement.install_all_available_fips_upgradesN)r\ package_listcleanup_on_failurer/csh|j}|rtj||dn|tjj|jd|rF| |n | || rdt tjdS)zInstall contract recommended packages for the entitlement. :param package_list: Optional package list to use instead of self.packages. :param cleanup_on_failure: Cleanup apt files if apt install fails. )r}r0N)rCsuperinstall_packagesr\r ZINSTALLING_SERVICE_PACKAGESr<r1r=r|rp_check_for_rebootraddrFIPS_SYSTEM_REBOOT_REQUIRED)rKr\r}r~Zmandatory_packages __class__rMrNrms   z&FIPSCommonEntitlement.install_packagescCstS)z=Check if system needs to be rebooted because of this service.)r should_rebootrKrMrMrNrsz'FIPSCommonEntitlement._check_for_rebootF) operationsilentr/cCsF|}t||rB|s.ttjj|d|dkrBtt j dS)zCheck if user should be alerted that a reboot must be performed. @param operation: The operation being executed. @param silent: Boolean set True to silence print/log of messages )rzdisable operationN) rrYZ needs_rebootrZr ZENABLE_REBOOT_REQUIRED_TMPLr<rrrFIPS_DISABLE_REBOOT_REQUIRED)rKrrZreboot_requiredrMrMrN_check_for_reboot_msgs z+FIPSCommonEntitlement._check_for_reboot_msgrPcloud_idr/cs>|dkr:tj|jjddrdS|dkr*dStdtjkSdS)aVReturn False when FIPS is allowed on this cloud and series. On Xenial GCP there will be no cloud-optimized kernel so block default ubuntu-fips enable. This can be overridden in config with features.allow_xenial_fips_on_cloud. GCP doesn't yet have a cloud-optimized kernel or metapackage so block enable of fips if the contract does not specify ubuntu-gcp-fips. This also can be overridden in config with features.allow_default_fips_metapackage_on_gcp. :return: False when this cloud, series or config override allows FIPS. gcez.features.allow_default_fips_metapackage_on_gcprqT)r!r"r-)r rrrsboolrrCrKrPrrrMrN_allow_fips_on_cloud_instancesz3FIPSCommonEntitlement._allow_fips_on_cloud_instance.cs^dddd}t\}dkr"dtjtjj|d}|fddd ffS) Nzan AWSzan Azureza GCP)ZawsZazurerr])rPZcloudcs SN)rrMrrKrPrMrNr`raz:FIPSCommonEntitlement.static_affordances..T) rr rOrPr ZFIPS_BLOCK_ON_CLOUDr<r1rH)rKZ cloud_titles_Zblocked_messagerMrrNstatic_affordancess   z(FIPSCommonEntitlement.static_affordancescstr gStjSr)r r;rrCrrrMrNrCszFIPSCommonEntitlement.packagescst\}}tr2ts2ttj||fSt j |j rtt |js\ttjt|j dkrttj||fSttjtjtjj|j dfS|tjkr||fSt}g}|jD]}||kr||q|rtjtjjd||jdfStjtj fS)N1) file_namerw)rCr9)!rapplication_statusr r;rrremoverrospathexistsFIPS_PROC_FILEsetrCZ load_filestripZFIPS_MANUAL_DISABLE_URLrrDISABLEDr ZFIPS_PROC_FILE_ERRORr<ZENABLEDrrjrJZWARNINGZFIPS_PACKAGES_NOT_INSTALLEDrzrIFIPS_REBOOT_REQUIRED)rKZ super_statusZ super_msgroZmissingrurrMrNrsR   z(FIPSCommonEntitlement.application_statuscCsPtt}t|jt|j}||}|rLtt|t j j |j ddS)zRemove fips meta package to disable the service. FIPS meta-package will unset grub config options which will deactivate FIPS on any related packages. r0N) rrrjrC differencerS intersectionremove_packageslistr ZDISABLE_FAILED_TMPLr<r1)rKroZfips_metapackagerrMrMrNr s   z%FIPSCommonEntitlement.remove_packagesr\r/cs8t|r4ttjttjttjdSdSNTF)r_perform_enablerrrZWRONG_FIPS_METAPACKAGE_ON_CLOUDrrrKr\rrMrNr1s   z%FIPSCommonEntitlement._perform_enablecs(t|r$|r ttjdSdSr)r_perform_disablerrrrrrrrMrNr<s z&FIPSCommonEntitlement._perform_disablecCsxddg}t|tjjd|d}g}|D]}||kr0||q0|rtddg|}t|tjjd|d}dS)Nzapt-markZ showholdsrw)ZcommandZunhold)rZrun_apt_commandr ZEXECUTING_COMMAND_FAILEDr<rz splitlinesrJ)rKZ package_namescmdZholdsZunholdsZholdZ unhold_cmdrMrMrNr{Fs"   z%FIPSCommonEntitlement.unhold_packagescs||jt|dS)zSetup apt config based on the resourceToken and directives. FIPS-specifically handle apt-mark unhold :raise UbuntuProError: on failure to setup any aspect of this apt configuration N)r{fips_pro_package_holdsrsetup_apt_configrrrMrNrYs z&FIPSCommonEntitlement.setup_apt_config)NT)F).__name__ __module__ __qualname__Zrepo_pin_priority repo_key_filerr PROMPT_FIPS_PRE_ENABLEr>Zsupports_access_onlyZapt_noninteractiveZurlsZFIPS_HOME_PAGEZ help_doc_urlrpropertyrrLrSrrArProgressWrapperrpr=r|rrstrrrrrrrrrCrZ NamedMessagerrrrr{r __classcell__rMrMrrNr*Vs T / #  ' & ;  r*cs~eZdZdZejZejZej Z dZ ej Z eeedfdddZeeedfdfdd Zejed fd d ZZS) FIPSEntitlementfipsZ UbuntuFIPS.r.cCs:ddlm}ddlm}t|tjtttjt|tj fS)Nr)LivepatchEntitlementRealtimeKernelEntitlement) Zuaclient.entitlements.livepatchruaclient.entitlements.realtimerrr ZLIVEPATCH_INVALIDATES_FIPSFIPSUpdatesEntitlementZFIPS_UPDATES_INVALIDATES_FIPSZREALTIME_FIPS_INCOMPATIBLE)rKrrrMrMrNincompatible_servicesms  z%FIPSEntitlement.incompatible_servicescstj}t|jd}tj}t|d|kt }|r@|j nd|t j j |j|jdfdddft jj |j|jdfdddffS)N)rsrF)r fips_updatescsSrrMrM)is_fips_updates_enabledrMrNr`raz4FIPSEntitlement.static_affordances..csSrrMrM)fips_updates_once_enabledrMrNr`ra)rrrrsrrrrrreadrr Z$FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDr<r1Z)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)rKrrZdisabled_statusZservices_once_enabled_objr)rrrNr~s6   z"FIPSEntitlement.static_affordancesrcsRt\}}|dkr2|tjkr2tdttjt |rNt t jdSdS)Nz>Could not determine cloud, defaulting to generic FIPS package.TF)rr ZCLOUD_ID_ERRORrUrVrYrZr Z.FIPS_COULD_NOT_DETERMINE_CLOUD_DEFAULT_PACKAGErrrrrZFIPS_INSTALL_OUT_OF_DATE)rKr\Z cloud_typeerrorrrMrNrs   zFIPSEntitlement._perform_enable)rrrrIr Z FIPS_TITLEr1ZFIPS_DESCRIPTION descriptionZFIPS_HELP_TEXT help_textrxrr>rrrrrrrrrrrrMrMrrNres!rcs`eZdZdZejZdZejZ ej Z ej Z eeedfdddZejedfdd ZZS) rz fips-updatesZUbuntuFIPSUpdates.r.cCs$ddlm}tttjt|tjfS)Nrr)rrrrr FIPS_INVALIDATES_FIPS_UPDATESZ"REALTIME_FIPS_UPDATES_INCOMPATIBLE)rKrrMrMrNrs z,FIPSUpdatesEntitlement.incompatible_servicesrcs&tj|dr"ttdddSdS)Nr[T)rF)rrrwriterrrrMrNrs z&FIPSUpdatesEntitlement._perform_enable)rrrrIr ZFIPS_UPDATES_TITLEr1rxZFIPS_UPDATES_DESCRIPTIONrZFIPS_UPDATES_HELP_TEXTrZPROMPT_FIPS_UPDATES_PRE_ENABLEr>rrrrrrrrrrMrMrrNrs rcsdeZdZdZejZejZej Z dZ ej Z dZeeedfdfdd Zeeedd d ZZS) FIPSPreviewEntitlementz fips-previewZUbuntuFIPSPreviewzubuntu-pro-fips-preview.gpg.r.cstjtttjfSr)rrrrr rrrrMrNrs z,FIPSPreviewEntitlement.incompatible_servicesrcCsdS)NTrMrrMrMrNrsz4FIPSPreviewEntitlement._allow_fips_on_cloud_instance)rrrrIr ZFIPS_PREVIEW_TITLEr1ZFIPS_PREVIEW_DESCRIPTIONrZFIPS_PREVIEW_HELP_TEXTrrxZPROMPT_FIPS_PREVIEW_PRE_ENABLEr>rrrrrrrrrrMrMrrNrsr)7ZloggingrrD itertoolsrtypingrrrZuaclientrrrr r r r Zuaclient.clouds.identityr rZuaclient.entitlementsrZuaclient.entitlements.baserZ(uaclient.entitlements.entitlement_statusrZuaclient.filesrZuaclient.files.noticesrZuaclient.files.state_filesrrZuaclient.typesrrrZget_event_loggerrYZ getLoggerZreplace_top_level_logger_namerrUZCONDITIONAL_PACKAGES_EVERYWHEREZ!CONDITIONAL_PACKAGES_OPENSSH_HMACrRZ&UBUNTU_FIPS_METAPACKAGE_DEPENDS_XENIALZ&UBUNTU_FIPS_METAPACKAGE_DEPENDS_BIONICZ%UBUNTU_FIPS_METAPACKAGE_DEPENDS_FOCALrQZRepoEntitlementr*rrrrMrMrMrNs $      L