JhHf ddlZddlZddlZddlmZddlmZmZmZddl m Z m Z m Z m Z mZmZmZddlmZmZddlmZddlmZddlmZdd lmZdd lmZdd lmZm Z dd l!m"Z"m#Z#m$Z$e jJZ&ejNejPe)Z*gd Z+ddgZ,e+e,ze+e,ze+dZ-gdZ.gdZ/gdZ0e+e,ze.ze+e,ze/ze+e0zdZ1GddejdZ3Gdde3Z4Gdde3Z5Gdde4Z6y)N)groupby)ListOptionalTuple)apiapt event_logger exceptionsmessagessystemutil)NoCloudTypeReasonget_cloud_type)repo)EntitlementWithMessage)ApplicationStatus)notices)Notice)ServicesOnceEnabledDataservices_once_enabled_file)MessagingOperationsMessagingOperationsDictStaticAffordance) strongswanstrongswan-hmacopenssh-clientopenssh-server shim-signedopenssh-client-hmacopenssh-server-hmac)xenialbionicfocal)openssl libssl1.0.0libssl1.0.0-hmac)r$ libssl1.1libssl1.1-hmac libgcrypt20libgcrypt20-hmacc neZdZdZdZdZejZdZ dZ ejjZ gdZedefdZedZd edefd Zd ej,fd Zdefd Zd ej,fdZ d#d ej,deeededdffd ZdefdZ d$dededdfdZdededeffd Z ede!e"dffdZ#edeeffd Z$de!e%eejLfffd Z'd%dZ(d ej,deffd Z)d ej,deffd Z*d!Z+d ej,ddffd" Z,xZ-S)&FIPSCommonEntitlementizubuntu-pro-fips.gpgz/proc/sys/crypto/fips_enabledT)zfips-initramfszfips-initramfs-genericr)r*libgmp10 libgnutls30 libhogweed6 libnettle8r%r&r%r&r'r(libssl3 linux-fipsrrrr r$openssl-fips-module-3rrrz ubuntu-fipszubuntu-aws-fipszubuntu-azure-fipsubuntu-gcp-fipsreturncd}d}|jstjrLtjj |j }|jstjg}n |j}tjd|ifg}d}|jsI|js=tjdtjj |j ifg}|js|jifgnd}||||d}t|j dk(r|j d}t#j$d|}|r|j'd} nd} tj(j*} | | k7rn|j-dxsg}tj.j | |j0| | xsd } |j3tjd| if||d<|S) Ntitlemsg) pre_enable pre_install post_enable pre_disablerzubuntu-([a-z]+)-fipsgenericr:unknown)variantservice base_flavorcurrent_flavor) access_onlyr is_containerr PROMPT_FIPS_CONTAINER_PRE_ENABLEformatr8auto_upgrade_all_on_enableFIPS_RUN_APT_UPGRADEpre_enable_msgr prompt_for_confirmationpurgePROMPT_FIPS_PRE_DISABLEprompt_if_kernel_downgradelenpackagesrematchgroupget_kernel_infoflavorget#KERNEL_FLAVOR_CHANGE_WARNING_PROMPTnameappend) selfr:r<pre_enable_promptr=r; messagingubuntu_fips_package_name ubuntu_fips_package_flavor_matchubuntu_fips_package_flavorrDr9s B BBII6 II :#1#>Y J !!44  +5 ,'ctjj}tjrtj |gSt j |gS)a Dictionary of conditional packages to be installed when enabling FIPS services. For example, if we are enabling FIPS services in a machine that has openssh-client installed, we will perform two actions: 1. Upgrade the package to the FIPS version 2. Install the corresponding hmac version of that package when available. )r get_release_infoseriesrF#FIPS_CONTAINER_CONDITIONAL_PACKAGESrWFIPS_CONDITIONAL_PACKAGES)r[res raconditional_packagesz*FIPSCommonEntitlement.conditional_packagessJ((*11    6::62F F(,,VR88rb assume_yesc2tjj}|tj dyt j d|}tjd}|||jd}tjd||tj||dkrYtjtjj!||t#j$tj&| Sy tj d ||y ) ztCheck if installing a FIPS kernel will downgrade the kernel and prompt for confirmation if it will. z Cannot gather kernel informationFz!(?P\d+\.\d+\.\d+)r2kernel_versionz*Kernel information: cur='%s' and fips='%s'r)current_version new_version)r9riz2Cannot gather kernel information for '%s' and '%s'T)r rUproc_version_signature_versionLOGwarningrRsearchrget_pkg_candidate_versionrTdebugversion_compareeventinfor KERNEL_DOWNGRADE_WARNINGrHr rL PROMPT_YES_NO)r[riour_full_kernel_strour_mfips_kernel_version_strour_kernel_version_strs rarOz0FIPSCommonEntitlement.prompt_if_kernel_downgrades  " " $ C C   & KK: ; 02E #&"?"? "M  !8!D%*[[1A%B " II<#'  ##+-C  55<<(>$;= 33 ..: KKD#'  rbprogressc g}tj}tt|jd}|D]\}}||vs ||z }|D] } tj |gddigd"y#t j$r>|jdtjj|j|YtwxYw) Nc&|jddS)Nz-hmac)replace)pkg_names razNFIPSCommonEntitlement.hardcoded_install_conditional_packages..#s!1!1'2!>rb)keyDEBIAN_FRONTENDnoninteractivez--allow-downgradesz$-o Dpkg::Options::="--force-confdef"z$-o Dpkg::Options::="--force-confold"rQoverride_env_vars apt_optionsrv)rBpkg) rget_installed_packages_namesrsortedrhrun_apt_install_commandr UbuntuProErroremitr FIPS_PACKAGE_NOT_AVAILABLErHr8)r[r}desired_packagesinstalled_packages pkg_groupsrpkg_listrs ra&hardcoded_install_conditional_packagesz #- - Hh-- H,  -$ C ++!U'8:J&K! ,,  77>> $ ? sA22ACCctj|jjd}tjj dv}|xs| S)Nzfeatures.fips_auto_upgrade_allconfig path_to_value>r#r"r!)r is_config_value_truecfgr rdre)r[install_all_updates_overridehardcoded_releases rarIz0FIPSCommonEntitlement.auto_upgrade_all_on_enable=sT'+'@'@88<  7 7 A  ! ! # KK22  $rbc*tjS)z=Check if system needs to be rebooted because of this service.)r should_reboot)r[s rarz'FIPSCommonEntitlement._check_for_reboots##%%rb operationsilentc|j}tj||r_|s3tjtj j ||dk(r$tjtjyyy)zCheck if user should be alerted that a reboot must be performed. @param operation: The operation being executed. @param silent: Boolean set True to silence print/log of messages )rzdisable operationN) rru needs_rebootrvr ENABLE_REBOOT_REQUIRED_TMPLrHrrrFIPS_DISABLE_REBOOT_REQUIRED)r[rrreboot_requireds ra_check_for_reboot_msgz+FIPSCommonEntitlement._check_for_reboot_msgsy002 ?+  88??"+@ // 770 rbrecloud_idc|dk(rFtj|jjdry|dvrytdt|vSy)aVReturn False when FIPS is allowed on this cloud and series. On Xenial GCP there will be no cloud-optimized kernel so block default ubuntu-fips enable. This can be overridden in config with features.allow_xenial_fips_on_cloud. GCP doesn't yet have a cloud-optimized kernel or metapackage so block enable of fips if the contract does not specify ubuntu-gcp-fips. This also can be overridden in config with features.allow_default_fips_metapackage_on_gcp. :return: False when this cloud, series or config override allows FIPS. gcez.features.allow_default_fips_metapackage_on_gcprT)r"r#r4)r rrboolrrQ)r[rerrs ra_allow_fips_on_cloud_instancez3FIPSCommonEntitlement._allow_fips_on_cloud_instancesU u ((xx||N,,)UW-==> >rb.cdddd}t\}dtjjtj j j|j}|fddffS) Nzan AWSzan Azureza GCP)awsazurerr)recloudc(jSN)r)rr[resrarz:FIPSCommonEntitlement.static_affordances..s::68LrbT) rr rdrer FIPS_BLOCK_ON_CLOUDrHr8rW)r[ cloud_titles_blocked_messagerres` @@rastatic_affordancesz(FIPSCommonEntitlement.static_affordancess'*WM $& !  H((*11"66==<<>)9)9()C>   L   rbcDtjrgSt| Sr)r rFrrQr[rs rarQzFIPSCommonEntitlement.packagess    Iwrbct|\}}tjr;tjs't j tj||fStjj|jrtjt|js#t j tjtj|jj!dk(r't j tj"||fSt j$tj"t&j(t*j,j/|jfS|t&j0k7r||fSt3j4}g}|jD]}||vs|j7||rJt&j8t*j:j/dj=||j>fSt&j0t*j@fS)N1) file_namer)rQrB)!rapplication_statusr rFrrremoverrospathexistsFIPS_PROC_FILEsetrQ load_filestripFIPS_MANUAL_DISABLE_URLrrDISABLEDr FIPS_PROC_FILE_ERRORrHENABLEDrrrZWARNINGFIPS_PACKAGES_NOT_INSTALLEDrrYFIPS_REBOOT_REQUIRED)r[ super_status super_msgrmissingrrs rarz(FIPSCommonEntitlement.application_statuss#('"<"> i    )=)=)? NN22  * * 77>>$-- .''DMM(:;66 3 34::<C22$Y.. 22&..1188"&"5"59 ,44 4* * ==?}} (G00w' ( !))44;; XXg. <   % %  ) )  rbcbttj}t|jj t|j }|j |}|rHtjt|tjj|jyy)zRemove fips meta package to disable the service. FIPS meta-package will unset grub config options which will deactivate FIPS on any related packages. r7N) rrrrQ differencerh intersectionremove_packageslistr DISABLE_FAILED_TMPLrHr8)r[rfips_metapackagers rarz%FIPSCommonEntitlement.remove_packages s !!A!A!CDt}}-88 )) * +778JK    %&,,33$**3E  rbct||rjtjtj tjtj tjtjyyNTF)r_perform_enablerrrWRONG_FIPS_METAPACKAGE_ON_CLOUDrrr[r}rs rarz%FIPSCommonEntitlement._perform_enable1sQ 7 "8 , NN66  NN666 7 NN6>> ?rbct||r4|jr#tjt j yyr)r_perform_disablerrrrrrs rarz&FIPSCommonEntitlement._perform_disable<s9 7 #H -%%' 77rbcddg}tj|tjj dj |}g}|j D]}||vs|j||rKddg|z}tj|tjj dj |}yy)Nzapt-mark showholdsr)commandunhold)rrun_apt_commandr EXECUTING_COMMAND_FAILEDrHr splitlinesrZ)r[ package_namescmdholdsunholdshold unhold_cmds rarz%FIPSCommonEntitlement.unhold_packagesFs;'##   - - 4 4SXXc] 4 K $$& %D}$t$ % $h/'9J''1188HHZ09E rbcZ|j|jt| |y)zSetup apt config based on the resourceToken and directives. FIPS-specifically handle apt-mark unhold :raise UbuntuProError: on failure to setup any aspect of this apt configuration N)rfips_pro_package_holdsrsetup_apt_configrs rarz&FIPSCommonEntitlement.setup_apt_configYs& T889  *rbNT)F)r5N).__name__ __module__ __qualname__repo_pin_priority repo_key_filerr PROMPT_FIPS_PRE_ENABLErKsupports_access_onlyapt_noninteractiveurlsFIPS_HOME_PAGE help_doc_urlrpropertyrr]rhrrOrProgressWrapperrrIrrrstrrrrrrrrrQr NamedMessagerrrrrr __classcell__rs@rar,r,Vs)M4N44N ==//L@R2RRh99$,,,\!++!F ED E"N++"NN-1#' $%%$tCy)$! $  $L&4& .3&* ,%( > E*:C*?$@  $ $s)  9  (8+@+@"AA B9 v" (;(;  )<)<& +)<)< + + +rbr,ceZdZdZej ZejZejZ dZ ejZ edeedffdZedeedfffd Zdej*deffd ZxZS) FIPSEntitlementfips UbuntuFIPSr5.cddlm}ddlm}t |t j t tt jt |t jfS)Nr)LivepatchEntitlementRealtimeKernelEntitlement) uaclient.entitlements.livepatchruaclient.entitlements.realtimer rr LIVEPATCH_INVALIDATES_FIPSFIPSUpdatesEntitlementFIPS_UPDATES_INVALIDATES_FIPSREALTIME_FIPS_INCOMPATIBLE)r[rr s raincompatible_servicesz%FIPSEntitlement.incompatible_servicesmsQHL #$h&I&I  #&(N(N  #)8+N+N   rbct|}t|j}tj }t |jd|k7tj}|r |jnd|tjj|j|jfddftjj|j|jfddffzS)N)rrF)r fips_updatescSr)is_fips_updates_enabledsrarz4FIPSEntitlement.static_affordances..s/rbcSrr+)fips_updates_once_enabledsrarz4FIPSEntitlement.static_affordances..s1rb)rrr$rrrrrrreadr)r $FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDrHr8)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)r[rr)disabled_statusservices_once_enabled_objr.r,rs @@rarz"FIPSEntitlement.static_affordances~s"W7-$((; +44"&  + + -a 0O C# %?$C$C$E!) & 2 2 " "==DD,2D2DE0  BBII,2D2DJ2  %   rbr}c t\}}|K|tjk(r8tj dt j tjt|)|r$tjtjyy)Nz>Could not determine cloud, defaulting to generic FIPS package.TF)rrCLOUD_ID_ERRORrorprurvr .FIPS_COULD_NOT_DETERMINE_CLOUD_DEFAULT_PACKAGErrrrrFIPS_INSTALL_OUT_OF_DATE)r[r} cloud_typeerrorrs rarzFIPSEntitlement._perform_enabless*, E  %+<+K+K"K KK6  JJxNN O 7 "8 , NN// rb)rr r rYr FIPS_TITLEr8FIPS_DESCRIPTION descriptionFIPS_HELP_TEXT help_textrr rKrrrr'rrrrrrrrs@rarres D   E++K''I F44N  u-CS-H'I   E*:C*?$@  B(;(;rbrceZdZdZej ZdZejZ ejZ ejZ edeedffdZdej&deffd ZxZS)r$z fips-updatesUbuntuFIPSUpdatesr5.c~ddlm}tttj t|tj fS)Nrr)r"r rrr FIPS_INVALIDATES_FIPS_UPDATES"REALTIME_FIPS_UPDATES_INCOMPATIBLE)r[r s rar'z,FIPSUpdatesEntitlement.incompatible_servicess:L #!G!G  #);;    rbr}cft||r tjt dyy)N)r}T)r)F)rrrwriterrs rarz&FIPSUpdatesEntitlement._perform_enables1 7 "H " 5 & , ,'T: rb)rr r rYr FIPS_UPDATES_TITLEr8rFIPS_UPDATES_DESCRIPTIONr<FIPS_UPDATES_HELP_TEXTr>PROMPT_FIPS_UPDATES_PRE_ENABLErKrrrr'rrrrrrs@rar$r$s{ D  ' 'E F33K//I<rPROMPT_FIPS_PREVIEW_PRE_ENABLErKr rrrr'rrrrrs@rarKrKs D  ' 'E33K//I F<rhsD ((OOOF&=F") & %%'g:::8DE#%! .'(-'( , "*& *&)%.'(,-.'(,--+, '#L+D00L+^I+IX2@_rb