o =WbhM@s.ddlZddlZddlZddlmZddlmZmZmZddl m Z m Z m Z m Z mZmZddlmZmZddlmZddlmZddlmZmZmZe Zgd Zd d gZeeeeed Zgd Z gdZ!gdZ"eee eee!ee"d Z#Gdddej$Z%Gddde%Z&Gddde%Z'dS)N)groupby)ListOptionalTuple)apt event_logger exceptionsmessagesstatusutil)NoCloudTypeReasonget_cloud_type)repo)IncompatibleService)MessagingOperationsMessagingOperationsDictStaticAffordance) strongswanstrongswan-hmacopenssh-clientopenssh-serveropenssh-client-hmacopenssh-server-hmac)xenialbionicfocal)openssl libssl1.0.0libssl1.0.0-hmac)r libssl1.1libssl1.1-hmac libgcrypt20libgcrypt20-hmacc s@eZdZdZdZdZdZdZgdZe ddZ  d)d e e d e d e d d ffdd Z d*de de d d fddZde de d e ffdd Ze d eedffddZde e d e e fddZe d e e ffdd Zd eejeejfffd!d" Zd+d#d$Zd*de d e ffd%d& Zd*de d d ffd'd( ZZS),FIPSCommonEntitlementizubuntu-advantage-fips.gpgz/proc/sys/crypto/fips_enabledTz/https://ubuntu.com/security/certifications#fips)zfips-initramfsrr rrrrz linux-fipsrrrrrrrr!r"zfips-initramfs-genericcCs0tdd}trt|gSt|gS)a Dictionary of conditional packages to be installed when enabling FIPS services. For example, if we are enabling FIPS services in a machine that has openssh-client installed, we will perform two actions: 1. Upgrade the package to the FIPS version 2. Install the corresponding hmac version of that package when available. series)r get_platform_infoget is_container#FIPS_CONTAINER_CONDITIONAL_PACKAGESFIPS_CONDITIONAL_PACKAGES)selfr$r, z8FIPSCommonEntitlement.install_packages..)key)r/r0r1)servicepkgN)eventinfoformatr4packagessuperinstall_packagesrget_installed_packagesrsortedr.rZUserFacingErrorr ZFIPS_PACKAGE_NOT_AVAILABLE) r+r/r0r1Zmandatory_packagesZdesired_packagesinstalled_packagesZ pkg_groupsr6Zpkg_listr; __class__r,r-rAs:   z&FIPSCommonEntitlement.install_packagesF operationsilentcCspt}t||r4|sttjj|d|dkr&|j dtj j dS|dkr6|j dtj dSdSdS)zCheck if user should be alerted that a reboot must be performed. @param operation: The operation being executed. @param silent: Boolean set True to silence print/log of messages )rGinstallr%zdisable operationN) r should_rebootr<Z needs_rebootr=r ZENABLE_REBOOT_REQUIRED_TMPLr>cfg add_noticeFIPS_SYSTEM_REBOOT_REQUIREDmsgFIPS_DISABLE_REBOOT_REQUIRED)r+rGrHZreboot_requiredr,r,r-_check_for_reboot_msgs"  z+FIPSCommonEntitlement._check_for_reboot_msgr$cloud_idcsl|dvrdS|dkr#tj|jjddrdS|dvrdStdtjvS|dkr4tj|jjd dr2dSd SdS) a`Return False when FIPS is allowed on this cloud and series. On Xenial Azure and GCP there will be no cloud-optimized kernel so block default ubuntu-fips enable. This can be overridden in config with features.allow_xenial_fips_on_cloud. GCP doesn't yet have a cloud-optimized kernel or metapackage so block enable of fips if the contract does not specify ubuntu-gcp-fips. This also can be overridden in config with features.allow_default_fips_metapackage_on_gcp. :return: False when this cloud, series or config override allows FIPS. )azuregceTrSz.features.allow_default_fips_metapackage_on_gcpZconfigZ path_to_valuerrzubuntu-gcp-fipsrz#features.allow_xenial_fips_on_cloudF)r is_config_value_truerKboolr@r?)r+r$rQrEr,r-_allow_fips_on_cloud_instances&z3FIPSCommonEntitlement._allow_fips_on_cloud_instance.csddddd}t\}durdtddtjj|d}|fdd d ffS) Nzan AWSzan Azureza GCP)awsrRrSr%r$)r$cloudcs SN)rXr,rQr+r$r,r-r7r8z:FIPSCommonEntitlement.static_affordances..T)r r r&r'r ZFIPS_BLOCK_ON_CLOUDr>r4)r+Z cloud_titles_Zblocked_messager,r\r-static_affordancess  z(FIPSCommonEntitlement.static_affordancesr?cstj|jjdd}|r |Std}|dvr|St\}}|dur%d}td|}|r2|dnd}|d vr:|S|d kr@d n|}d |fd d|DS)a Identify correct metapackage to be used if in a cloud instance. Currently, the contract backend is not delivering the right metapackage on a Bionic Azure or AWS cloud instance. For those clouds, we have cloud specific fips metapackages and we should use them. We are now performing that correction here, but this is a temporary fix. z*features.disable_fips_metapackage_overriderTr$rUNr%z^(?P(azure|aws|gce)).*rZ)rRrYrSrSZgcpzubuntu-{}-fipscsg|] }|dkr n|qS)z ubuntu-fipsr,).0r;Z cloud_metapkgr,r- /szPFIPSCommonEntitlement._replace_metapackage_on_cloud_instance..) r rVrKr&r'r rematchgroupr>)r+r?Z%cfg_disable_fips_metapackage_overrider$rQr]Z cloud_matchr,r`r-&_replace_metapackage_on_cloud_instance s*     zENABLEDZFIPS_REBOOT_REQUIRED)r+Z super_statusZ super_msgrEr,r-rh:s< z(FIPSCommonEntitlement.application_statuscCsttt}t|jt|j}||}|r8ddi}ddg}tjgd|t|t j j |j d|ddSdS) zRemove fips meta package to disable the service. FIPS meta-package will unset grub config options which will deactivate FIPS on any related packages. ZDEBIAN_FRONTENDZnoninteractivez$-o Dpkg::Options::="--force-confdef"z$-o Dpkg::Options::="--force-confold")zapt-getremovez --assume-yesr3)envN) setrrBr? differencer. intersectionrun_apt_commandlistr ZDISABLE_FAILED_TMPLr>r4)r+rDZfips_metapackageremove_packagesrrZ apt_optionsr,r,r-rxcs(    z%FIPSCommonEntitlement.remove_packagescs&tj|dr|jdtjdSdS)NrHr%TF)r@_perform_enablerKrir Z&NOTICE_WRONG_FIPS_METAPACKAGE_ON_CLOUD)r+rHrEr,r-rz|s z%FIPSCommonEntitlement._perform_enablecs|ddg}t|d|d}g}|D] }||jvr!||q|r5ddg|}t|d|d}tj|ddS)zSetup apt config based on the resourceToken and directives. FIPS-specifically handle apt-mark unhold :raise UserFacingError: on failure to setup any aspect of this apt configuration zapt-markZ showholds z failed.ZunholdryN)rrvjoin splitlinesfips_pro_package_holdsappendr@setup_apt_config)r+rHcmdZholdsZunholdsZholdZ unhold_cmdrEr,r-rs    z&FIPSCommonEntitlement.setup_apt_config)NTTF)r2N) __name__ __module__ __qualname__Zrepo_pin_priorityZ repo_key_filermZapt_noninteractiveZ help_doc_urlr~propertyr.rstrrWrArPrXrrr^rer?r rorr Z NamedMessagerhrxrzr __classcell__r,r,rEr-r#Msf 2 , ) ) r#cseZdZdZdZdZdZedee dffddZ edee dfffd d Z ede fd d Zddedeffdd ZZS)FIPSEntitlementfipsZFIPSzNIST-certified core packagesZ UbuntuFIPSr2.cCs:ddlm}ddlm}t|tjtttjt|tj fS)Nr)LivepatchEntitlementRealtimeKernelEntitlement) Zuaclient.entitlements.livepatchruaclient.entitlements.realtimerrr ZLIVEPATCH_INVALIDATES_FIPSFIPSUpdatesEntitlementZFIPS_UPDATES_INVALIDATES_FIPSZREALTIME_FIPS_INCOMPATIBLE)r+rrr,r,r-incompatible_servicess  z%FIPSEntitlement.incompatible_servicescstj}t|j}tjj}t|d|k|j dpi}| |j d|t j j|j|jdfdddft jj|j|jdfdddffS)Nrservices-once-enabledF)rZ fips_updatescSr[r,r,)is_fips_update_enabledr,r-r7z4FIPSEntitlement.static_affordances..crr[r,r,)fips_updates_once_enabledr,r-r7r)r@r^rrKr rorprWrh read_cacher'namer Z$FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDr>r4Z)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)r+r^Z fips_updateZenabled_statusservices_once_enabledrE)rrr-r^s2   z"FIPSEntitlement.static_affordancescCZd}trtjj|jd}tjg}ntj}tj ||j dfg|tj tj |j dfgdSNr3)rN assume_yes)Z pre_enable post_enableZ pre_disable) r r(r PROMPT_FIPS_CONTAINER_PRE_ENABLEr>r4r FIPS_RUN_APT_UPGRADEZPROMPT_FIPS_PRE_ENABLEprompt_for_confirmationrPROMPT_FIPS_PRE_DISABLEr+rZpre_enable_promptr,r,r- messaging&  zFIPSEntitlement.messagingFrHcsLt\}}|dur|tjkrtdtj|dr$|jdt j dSdS)Nz>Could not determine cloud, defaulting to generic FIPS package.ryr%TF) r r ZCLOUD_ID_ERRORloggingZwarningr@rzrKrir ZFIPS_INSTALL_OUT_OF_DATE)r+rHZ cloud_typeerrorrEr,r-rzs zFIPSEntitlement._perform_enabler)rrrrr4 descriptionoriginrrrrrr^rrrWrzrr,r,rEr-rs! rcsdeZdZdZdZdZdZedee dffddZ ede fd d Z dd e de ffd d ZZS)rz fips-updatesz FIPS UpdatesZUbuntuFIPSUpdatesz;NIST-certified core packages with priority security updatesr2.cCs$ddlm}tttjt|tjfS)Nrr)rrrrr ZFIPS_INVALIDATES_FIPS_UPDATESZ"REALTIME_FIPS_UPDATES_INCOMPATIBLE)r+rr,r,r-rs z,FIPSUpdatesEntitlement.incompatible_servicescCrr) r r(r rr>r4r rZPROMPT_FIPS_UPDATES_PRE_ENABLErrrrr,r,r-rrz FIPSUpdatesEntitlement.messagingFrHcsFtj|dr!|jdpi}||jdi|jjd|ddSdS)NryrT)r9ZcontentF)r@rzrKrupdaterZ write_cache)r+rHrrEr,r-rz4sz&FIPSUpdatesEntitlement._perform_enabler)rrrrr4rrrrrrrrrWrzrr,r,rEr-rs  r)(rrjrb itertoolsrtypingrrrZuaclientrrrr r r Zuaclient.clouds.identityr r Zuaclient.entitlementsrZuaclient.entitlements.baserZuaclient.typesrrrZget_event_loggerr<ZCONDITIONAL_PACKAGES_EVERYWHEREZ!CONDITIONAL_PACKAGES_OPENSSH_HMACr*Z&UBUNTU_FIPS_METAPACKAGE_DEPENDS_XENIALZ&UBUNTU_FIPS_METAPACKAGE_DEPENDS_BIONICZ%UBUNTU_FIPS_METAPACKAGE_DEPENDS_FOCALr)ZRepoEntitlementr#rrr,r,r,r-sZ     Pf