lg}b ddlZddlZddlZddlmZddlmZmZmZddl m Z m Z m Z m Z mZmZmZddlmZmZddlmZddlmZddlmZdd lmZdd lmZdd lmZm Z dd l!m"Z"m#Z#m$Z$e jJZ&ejNejPe)Z*gd Z+ddgZ,e+e,ze+e,ze+dZ-gdZ.gdZ/gdZ0e+e,ze.ze+e,ze/ze+e0zdZ1GddejdZ3Gdde3Z4Gdde3Z5Gdde4Z6y)N)groupby)ListOptionalTuple)apiapt event_logger exceptionsmessagessystemutil)NoCloudTypeReasonget_cloud_type)repo)EntitlementWithMessage)ApplicationStatus)notices)Notice)ServicesOnceEnabledDataservices_once_enabled_file)MessagingOperationsMessagingOperationsDictStaticAffordance) strongswanstrongswan-hmacopenssh-clientopenssh-server shim-signedopenssh-client-hmacopenssh-server-hmac)xenialbionicfocal)openssl libssl1.0.0libssl1.0.0-hmac)r$ libssl1.1libssl1.1-hmac libgcrypt20libgcrypt20-hmacc jeZdZdZdZdZejZdZ ejjZ gdZ edefdZedZd edefd Zd ej*fd Zdefd Zd ej*fdZ d#d ej*deeededdffd ZdefdZ d$dededdfdZdededeffd Zede e!dffdZ"edeeffd Z#de e$eejJfffd Z&d%dZ'd ej*deffd Z(d ej*deffd Z)d!Z*d ej*ddffd" Z+xZ,S)&FIPSCommonEntitlementizubuntu-pro-fips.gpgz/proc/sys/crypto/fips_enabledT)zfips-initramfszfips-initramfs-genericr)r*libgmp10 libgnutls30 libhogweed6 libnettle8r%r&r%r&r'r(libssl3 linux-fipsrrrr r$openssl-fips-module-3rrrz ubuntu-fipszubuntu-aws-fipszubuntu-azure-fipsubuntu-gcp-fipsreturncd}tjrLtjj |j }|j stjg}n |j}d}|js=tjdtjj |j ifg}tjd|ifg|jifg||d}t|jdk(r|jd}t!j"d|}|r|j%d}nd}tj&j(}||k7rn|j+dxsg} tj,j ||j.||xsd } | j1tjd| if| |d<|S) Ntitlemsg) pre_enable pre_install post_enable pre_disablerzubuntu-([a-z]+)-fipsgenericr:unknown)variantservice base_flavorcurrent_flavor)r is_containerr PROMPT_FIPS_CONTAINER_PRE_ENABLEformatr8auto_upgrade_all_on_enableFIPS_RUN_APT_UPGRADEpre_enable_msgpurger prompt_for_confirmationPROMPT_FIPS_PRE_DISABLEprompt_if_kernel_downgradelenpackagesrematchgroupget_kernel_infoflavorget#KERNEL_FLAVOR_CHANGE_WARNING_PROMPTnameappend) selfr<pre_enable_promptr= messagingubuntu_fips_package_name ubuntu_fips_package_flavor_matchubuntu_fips_package_flavorrDr:r9s B BBII6 II :#1#>Y J !!44  +5 ,'ctjj}tjrtj |gSt j |gS)a Dictionary of conditional packages to be installed when enabling FIPS services. For example, if we are enabling FIPS services in a machine that has openssh-client installed, we will perform two actions: 1. Upgrade the package to the FIPS version 2. Install the corresponding hmac version of that package when available. )r get_release_infoseriesrE#FIPS_CONTAINER_CONDITIONAL_PACKAGESrVFIPS_CONDITIONAL_PACKAGES)rZrds r`conditional_packagesz*FIPSCommonEntitlement.conditional_packagessJ((*11    6::62F F(,,VR88ra assume_yesc2tjj}|tj dyt j d|}tjd}|||jd}tjd||tj||dkrYtjtjj!||t#j$tj&| Sy tj d ||y ) ztCheck if installing a FIPS kernel will downgrade the kernel and prompt for confirmation if it will. z Cannot gather kernel informationFz!(?P\d+\.\d+\.\d+)r2kernel_versionz*Kernel information: cur='%s' and fips='%s'r)current_version new_version)r9rhz2Cannot gather kernel information for '%s' and '%s'T)r rTproc_version_signature_versionLOGwarningrQsearchrget_pkg_candidate_versionrSdebugversion_compareeventinfor KERNEL_DOWNGRADE_WARNINGrGr rL PROMPT_YES_NO)rZrhour_full_kernel_strour_mfips_kernel_version_strour_kernel_version_strs r`rNz0FIPSCommonEntitlement.prompt_if_kernel_downgrades  " " $ C C   & KK: ; 02E #&"?"? "M  !8!D%*[[1A%B " II<#'  ##+-C  55<<(>$;= 33 ..: KKD#'  raprogressc g}tj}tt|jd}|D]\}}||vs ||z }|D] } tj |gddigd"y#t j$r>|jdtjj|j|YtwxYw) Nc&|jddS)Nz-hmac)replace)pkg_names r`zNFIPSCommonEntitlement.hardcoded_install_conditional_packages..s!1!1'2!>ra)keyDEBIAN_FRONTENDnoninteractivez--allow-downgradesz$-o Dpkg::Options::="--force-confdef"z$-o Dpkg::Options::="--force-confold"rPoverride_env_vars apt_optionsru)rBpkg) rget_installed_packages_namesrsortedrgrun_apt_install_commandr UbuntuProErroremitr FIPS_PACKAGE_NOT_AVAILABLErGr8)rZr|desired_packagesinstalled_packages pkg_groupsrpkg_listrs r`&hardcoded_install_conditional_packagesz #- - Hh-- H,  -$ C ++!U'8:J&K! ,,  77>> $ ? sA22ACCctj|jjd}tjj dv}|xs| S)Nzfeatures.fips_auto_upgrade_allconfig path_to_value>r#r"r!)r is_config_value_truecfgr rcrd)rZinstall_all_updates_overridehardcoded_releases r`rHz0FIPSCommonEntitlement.auto_upgrade_all_on_enable2sT'+'@'@88<s ZZ   LL    " " $ + +w 6   5 6 z?Q  N 0077!$*!58 $$Z0++''8:J&K!  <,, N fh&L&LM NsC6A,C;;3D10D1N package_listcleanup_on_failurec|j}|rt| ||n9|jtj j |j|jr|j|n|j||jr$tjtjyy)zInstall contract recommended packages for the entitlement. :param package_list: Optional package list to use instead of self.packages. :param cleanup_on_failure: Cleanup apt files if apt install fails. )rr7N)rPsuperinstall_packagesr|r INSTALLING_SERVICE_PACKAGESrGr8rHrr_check_for_rebootraddrFIPS_SYSTEM_REBOOT_REQUIRED)rZr|rrmandatory_packages __class__s r`rz&FIPSCommonEntitlement.install_packagesbs"]]  G $/ %    44;;$**;M   * * ,  4 4X >  7 7 A  ! ! # KK22  $rac*tjS)z=Check if system needs to be rebooted because of this service.)r should_reboot)rZs r`rz'FIPSCommonEntitlement._check_for_reboots##%%ra operationsilentc|j}tj||r_|s3tjtj j ||dk(r$tjtjyyy)zCheck if user should be alerted that a reboot must be performed. @param operation: The operation being executed. @param silent: Boolean set True to silence print/log of messages )rzdisable operationN) rrt needs_rebootrur ENABLE_REBOOT_REQUIRED_TMPLrGrrrFIPS_DISABLE_REBOOT_REQUIRED)rZrrreboot_requireds r`_check_for_reboot_msgz+FIPSCommonEntitlement._check_for_reboot_msgsy002 ?+  88??"+@ // 770 rardcloud_idc|dk(rFtj|jjdry|dvrytdt|vSy)aVReturn False when FIPS is allowed on this cloud and series. On Xenial GCP there will be no cloud-optimized kernel so block default ubuntu-fips enable. This can be overridden in config with features.allow_xenial_fips_on_cloud. GCP doesn't yet have a cloud-optimized kernel or metapackage so block enable of fips if the contract does not specify ubuntu-gcp-fips. This also can be overridden in config with features.allow_default_fips_metapackage_on_gcp. :return: False when this cloud, series or config override allows FIPS. gcez.features.allow_default_fips_metapackage_on_gcprT)r"r#r4)r rrboolrrP)rZrdrrs r`_allow_fips_on_cloud_instancez3FIPSCommonEntitlement._allow_fips_on_cloud_instancesU u ((xx||N,,)UW-==> >ra.cdddd}t\}dtjjtj j j|j}|fddffS) Nzan AWSzan Azureza GCP)awsazurerr)rdcloudc(jSN)r)rrZrdsr`rz:FIPSCommonEntitlement.static_affordances..s::68LraT) rr rcrdr FIPS_BLOCK_ON_CLOUDrGr8rV)rZ cloud_titles_blocked_messagerrds` @@r`static_affordancesz(FIPSCommonEntitlement.static_affordancess'*WM $& !  H((*11"66==<<>)9)9()C>   L   racDtjrgSt| Sr)r rErrPrZrs r`rPzFIPSCommonEntitlement.packagess    Iwract|\}}tjr;tjs't j tj||fStjj|jrtjt|js#t j tjtj|jj!dk(r't j tj"||fSt j$tj"t&j(t*j,j/|jfS|t&j0k7r||fSt&j0t*j2fS)N1) file_name)rapplication_statusr rErrremoverrospathexistsFIPS_PROC_FILEsetrP load_filestripFIPS_MANUAL_DISABLE_URLrrDISABLEDr FIPS_PROC_FILE_ERRORrGENABLEDFIPS_REBOOT_REQUIRED)rZ super_status super_msgrs r`rz(FIPSCommonEntitlement.application_statuss^#('"<"> i    )=)=)? NN22  * * 77>>$-- .''DMM(:;66 3 34::<C22$Y.. 22&..1188"&"5"59 ,44 4* *  % %  ) )  racbttj}t|jj t|j }|j |}|rHtjt|tjj|jyy)zRemove fips meta package to disable the service. FIPS meta-package will unset grub config options which will deactivate FIPS on any related packages. r7N) rrrrP differencerg intersectionremove_packageslistr DISABLE_FAILED_TMPLrGr8)rZrfips_metapackagers r`rz%FIPSCommonEntitlement.remove_packagess !!A!A!CDt}}-88 )) * +778JK    %&,,33$**3E  ract||rjtjtj tjtj tjtjyyNTF)r_perform_enablerrrWRONG_FIPS_METAPACKAGE_ON_CLOUDrrrZr|rs r`rz%FIPSCommonEntitlement._perform_enablesQ 7 "8 , NN66  NN666 7 NN6>> ?ract||r4|jr#tjt j yyr)r_perform_disablerrrrrrs r`rz&FIPSCommonEntitlement._perform_disable s9 7 #H -%%' 77racddg}tj|tjj dj |}g}|j D]}||vs|j||rKddg|z}tj|tjj dj |}yy)Nzapt-mark showholdsr)commandunhold)rrun_apt_commandr EXECUTING_COMMAND_FAILEDrGr splitlinesrY)rZ package_namescmdholdsunholdshold unhold_cmds r`rz%FIPSCommonEntitlement.unhold_packages*s;'##   - - 4 4SXXc] 4 K $$& %D}$t$ % $h/'9J''1188HHZ09E racZ|j|jt| |y)zSetup apt config based on the resourceToken and directives. FIPS-specifically handle apt-mark unhold :raise UbuntuProError: on failure to setup any aspect of this apt configuration N)rfips_pro_package_holdsrsetup_apt_configrs r`rz&FIPSCommonEntitlement.setup_apt_config=s& T889  *raNT)F)r5N)-__name__ __module__ __qualname__repo_pin_priority repo_key_filerr PROMPT_FIPS_PRE_ENABLErJapt_noninteractiveurlsFIPS_HOME_PAGE help_doc_urlrpropertyrr\rgrrNrProgressWrapperrrHrrrstrrrrrrrrrPr NamedMessagerrrrrr __classcell__rs@r`r,r,Vs)M4N44N ==//L@H2HHT99$,,,\!++!F ED E"N++"NN-1#' $%%$tCy)$! $  $L&4& .3&* ,%( > E*:C*?$@  $ $s)  (  (8+@+@"AA B( T" (;(;  )<)<& +)<)< + + +rar,ceZdZdZej ZejZejZ dZ ejZ edeedffdZedeedfffd Zdej*deffd ZxZS) FIPSEntitlementfips UbuntuFIPSr5.cddlm}ddlm}t |t j t tt jt |t jfS)Nr)LivepatchEntitlementRealtimeKernelEntitlement) uaclient.entitlements.livepatchruaclient.entitlements.realtimerrr LIVEPATCH_INVALIDATES_FIPSFIPSUpdatesEntitlementFIPS_UPDATES_INVALIDATES_FIPSREALTIME_FIPS_INCOMPATIBLE)rZrrs r`incompatible_servicesz%FIPSEntitlement.incompatible_servicesQsQHL #$h&I&I  #&(N(N  #)8+N+N   ract|}t|j}tj }t |jd|k(tj}|r |jnd|tjj|j|jfddftjj|j|jfddffzS)N)rrF)r fips_updatescSr)is_fips_updates_enabledsr`rz4FIPSEntitlement.static_affordances..xs/racSrr&)fips_updates_once_enabledsr`rz4FIPSEntitlement.static_affordances..s1ra)rrrrrrrrrreadr$r $FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDrGr8)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)rZrr$enabled_statusservices_once_enabled_objr)r'rs @@r`rz"FIPSEntitlement.static_affordancesbs"W7-$((; *22"&  + + -a 0N B# %?$C$C$E!) & 2 2 " "==DD,2D2DE0  BBII,2D2DJ2  %   rar|c t\}}|K|tjk(r8tj dt j tjt|)|r$tjtjyy)Nz>Could not determine cloud, defaulting to generic FIPS package.TF)rrCLOUD_ID_ERRORrnrortrur .FIPS_COULD_NOT_DETERMINE_CLOUD_DEFAULT_PACKAGErrrrrFIPS_INSTALL_OUT_OF_DATE)rZr| cloud_typeerrorrs r`rzFIPSEntitlement._perform_enabless*, E  %+<+K+K"K KK6  JJxNN O 7 "8 , NN// ra)rrrrXr FIPS_TITLEr8FIPS_DESCRIPTION descriptionFIPS_HELP_TEXT help_textrr rJrrrr"rrrrrrrrs@r`rrIs D   E++K''I F44N  u-CS-H'I   E*:C*?$@  B(;(;rarceZdZdZej ZdZejZ ejZ ejZ edeedffdZdej&deffd ZxZS)rz fips-updatesUbuntuFIPSUpdatesr5.c~ddlm}tttj t|tj fS)Nrr)rrrrr FIPS_INVALIDATES_FIPS_UPDATES"REALTIME_FIPS_UPDATES_INCOMPATIBLE)rZrs r`r"z,FIPSUpdatesEntitlement.incompatible_servicess:L #!G!G  #);;    rar|cft||r tjt dyy)N)r|T)r$F)rrrwriterrs r`rz&FIPSUpdatesEntitlement._perform_enables1 7 "H " 5 & , ,'T: ra)rrrrXr FIPS_UPDATES_TITLEr8rFIPS_UPDATES_DESCRIPTIONr7FIPS_UPDATES_HELP_TEXTr9PROMPT_FIPS_UPDATES_PRE_ENABLErJrrrr"rrrrrrs@r`rrs{ D  ' 'E F33K//I<rcsD ((OOOF&=F") & %%'g:::8DE#%! .'(-'( , "*& *&)%.'(,-.'(,--+, '#p+D00p+fI+IX2@_ra