HcfZ:ddlZddlZddlZddlmZddlmZmZmZm Z m Z ddl m Z m Z mZmZmZmZmZddlmZmZddlmZddlmZddlmZdd lmZdd lmZdd l m!Z!m"Z"dd l#m$Z$m%Z%m&Z&ejNZ(ejRejTe+Z,gd Z-ddgZ.gdZ/e-e.ze-e.ze-e-e/zdZ0gdZ1gdZ2gdZ3gdZ4e-e.ze1ze-e.ze2ze-e3ze-e/ze4zdZ5GddejlZ7Gdde7Z8Gdde7Z9Gdde8Z:y)N)groupby)CallableListOptionalTupleUnion)apiapt event_logger exceptionsmessagessystemutil)NoCloudTypeReasonget_cloud_type)repo)EntitlementWithMessage)ApplicationStatus)notices)Notice)ServicesOnceEnabledDataservices_once_enabled_file)MessagingOperationsMessagingOperationsDictStaticAffordance) strongswanstrongswan-hmacopenssh-clientopenssh-server shim-signedopenssh-client-hmacopenssh-server-hmac) libnettle8 libhogweed6 libgnutls30libgmp10)xenialbionicfocaljammy)openssl libssl1.0.0libssl1.0.0-hmac)r+ libssl1.1libssl1.1-hmac libgcrypt20libgcrypt20-hmac)gawkzupdate-notifier-commonr+zopenssl-fips-module-3libssl3r0r1c eZdZdZdZdZdZejjZ gdZ e dZ ddedefd Z dd ej"d eeed edd ffd ZdefdZ ddededd fdZdededeffd Ze deedffdZe deeffd Zdeeeej<fffd ZddZ d ej"deffd Z!d ej"dd ffd Z"xZ#S) FIPSCommonEntitlementizubuntu-pro-fips.gpgz/proc/sys/crypto/fips_enabledT)zfips-initramfsr.r/r,r-r,r- linux-fipsrr!rr"r+rrr0r1zfips-initramfs-genericr ctjj}tjrtj |gSt j |gS)a Dictionary of conditional packages to be installed when enabling FIPS services. For example, if we are enabling FIPS services in a machine that has openssh-client installed, we will perform two actions: 1. Upgrade the package to the FIPS version 2. Install the corresponding hmac version of that package when available. )rget_release_infoseries is_container#FIPS_CONTAINER_CONDITIONAL_PACKAGESgetFIPS_CONDITIONAL_PACKAGES)selfr9s \d+\.\d+\.\d+)r6kernel_versionz*Kernel information: cur='%s' and fips='%s'r)current_version new_versionmsgrBz2Cannot gather kernel information for '%s' and '%s'T)rget_kernel_infoproc_version_signature_versionLOGwarningresearchr get_pkg_candidate_versiongroupdebugversion_compareeventinfor KERNEL_DOWNGRADE_WARNINGformatrprompt_for_confirmation PROMPT_YES_NOrB)r>rBour_full_kernel_strour_mfips_kernel_version_strour_kernel_version_strs r?prompt_if_kernel_downgradez0FIPSCommonEntitlement.prompt_if_kernel_downgrades  " " $ C C   & KK: ; 02E #&"?"? "M  !8!D%*[[1A%B " II<#'  ##+-C  55<<(>$;= 33 ..# KKD#'  rANprogress package_listcleanup_on_failurec |j}|rt | ||n9|jtj j |jg}tj}tt|jd}|D]\}} ||vs || z }|D] } tj| gddigd"|j%r$t'j(t*j,y y #tj$r>|j!d tj"j |j| YwxYw) zInstall contract recommended packages for the entitlement. :param package_list: Optional package list to use instead of self.packages. :param cleanup_on_failure: Cleanup apt files if apt install fails. )r`titlec&|jddS)Nz-hmac)replace)pkg_names r?z8FIPSCommonEntitlement.install_packages..s!1!1'2!>rA)keyDEBIAN_FRONTENDnoninteractive)z--allow-downgradesz$-o Dpkg::Options::="--force-confdef"z$-o Dpkg::Options::="--force-confold")packagesoverride_env_vars apt_optionsrU)servicepkgN)rmsuperinstall_packagesr_r INSTALLING_SERVICE_PACKAGESrWrdr get_installed_packages_namesrsortedr@run_apt_install_commandr UbuntuProErroremitFIPS_PACKAGE_NOT_AVAILABLE_check_for_rebootraddrFIPS_SYSTEM_REBOOT_REQUIRED) r>r_r`ramandatory_packagesdesired_packagesinstalled_packages pkg_groupsrhpkg_listrq __class__s r?rsz&FIPSCommonEntitlement.install_packagessX"]]  G $/ %    44;;$**;M   ==? 4,, -> #- - Hh-- H,  -$ C ++!U'8:J&K! $  ! ! # KK22  $,,  77>> $ ? s,DAEEc*tjS)z=Check if system needs to be rebooted because of this service.)r should_reboot)r>s r?r{z'FIPSCommonEntitlement._check_for_reboots##%%rA operationsilentc|j}tj||r_|s3tjtj j ||dk(r$tjtjyyy)zCheck if user should be alerted that a reboot must be performed. @param operation: The operation being executed. @param silent: Boolean set True to silence print/log of messages )rzdisable operationN) r{rT needs_rebootrUr ENABLE_REBOOT_REQUIRED_TMPLrWrr|rFIPS_DISABLE_REBOOT_REQUIRED)r>rrreboot_requireds r?_check_for_reboot_msgz+FIPSCommonEntitlement._check_for_reboot_msgsy002 ?+  88??"+@ // 770 rAr9cloud_idc|dk(rFtj|jjdry|dvrytdt|vSy)aVReturn False when FIPS is allowed on this cloud and series. On Xenial GCP there will be no cloud-optimized kernel so block default ubuntu-fips enable. This can be overridden in config with features.allow_xenial_fips_on_cloud. GCP doesn't yet have a cloud-optimized kernel or metapackage so block enable of fips if the contract does not specify ubuntu-gcp-fips. This also can be overridden in config with features.allow_default_fips_metapackage_on_gcp. :return: False when this cloud, series or config override allows FIPS. gcez.features.allow_default_fips_metapackage_on_gcp)config path_to_valueT)r(r)zubuntu-gcp-fips)ris_config_value_truecfgboolrrrm)r>r9rrs r?_allow_fips_on_cloud_instancez3FIPSCommonEntitlement._allow_fips_on_cloud_instance*sU u ((xx||N,,)UW-==> >rA.cdddd}t\}dtjjtj j j|j}|fddffS) Nzan AWSzan Azureza GCP)awsazurerrf)r9cloudc(jSN)r)rr>r9sr?riz:FIPSCommonEntitlement.static_affordances..Ws::68LrAT) rrr8r9r FIPS_BLOCK_ON_CLOUDrWrdr<)r> cloud_titles_blocked_messagerr9s` @@r?static_affordancesz(FIPSCommonEntitlement.static_affordancesIs'*WM $& !  H((*11"66==<<>)9)9()C>   L   rAcDtjrgSt| Sr)rr:rrrmr>rs r?rmzFIPSCommonEntitlement.packages\s    IwrAct|\}}tjr;tjs't j tj||fStjj|jrtjt|js#t j tjtj|jj!dk(r't j tj"||fSt j$tj"t&j(t*j,j/|jfS|t&j0k7r||fSt&j0t*j2fS)N1) file_name)rrapplication_statusrr:rrremoverr}ospathexistsFIPS_PROC_FILEsetrm load_filestripFIPS_MANUAL_DISABLE_URLr|rDISABLEDr FIPS_PROC_FILE_ERRORrWENABLEDFIPS_REBOOT_REQUIRED)r> super_status super_msgrs r?rz(FIPSCommonEntitlement.application_statusbs^#('"<"> i    )=)=)? NN22  * * 77>>$-- .''DMM(:;66 3 34::<C22$Y.. 22&..1188"&"5"59 ,44 4* *  % %  ) )  rAcbttj}t|jj t|j }|j |}|rHtjt|tjj|jyy)zRemove fips meta package to disable the service. FIPS meta-package will unset grub config options which will deactivate FIPS on any related packages. rcN) rr rurm differencer@ intersectionremove_packageslistr DISABLE_FAILED_TMPLrWrd)r>rfips_metapackagers r?rz%FIPSCommonEntitlement.remove_packagess !!A!A!CDt}}-88 )) * +778JK    %&,,33$**3E  rAct||rjtjtj tjtj tjtjyy)NTF)rr_perform_enablerrrWRONG_FIPS_METAPACKAGE_ON_CLOUDrrr>r_rs r?rz%FIPSCommonEntitlement._perform_enablesQ 7 "8 , NN66  NN666 7 NN6>> ?rAcddg}tj|tjj dj |}g}|j D]"}||jvs|j|$|rJddg|z}tj|tjj dj |}t|)|y)zSetup apt config based on the resourceToken and directives. FIPS-specifically handle apt-mark unhold :raise UbuntuProError: on failure to setup any aspect of this apt configuration zapt-mark showholds )commandunholdN) r run_apt_commandr EXECUTING_COMMAND_FAILEDrWjoin splitlinesfips_pro_package_holdsappendrrsetup_apt_config)r>r_cmdholdsunholdshold unhold_cmdrs r?rz&FIPSCommonEntitlement.setup_apt_configs;'##   - - 4 4SXXc] 4 K $$& %Dt222t$ % $h/'9J''1188HHZ09E  *rA)FNT)rCN)$__name__ __module__ __qualname__repo_pin_priority repo_key_filerapt_noninteractiver urlsFIPS_HOME_PAGE help_doc_urlrpropertyr@rr^r ProgressWrapperrrstrrsr{rrrrrrmr NamedMessagerrrr __classcell__rs@r?r5r5is)M4N ==//L,99(!00 0j-1#' >%%>tCy)>! >  >@&4& .3&* ,%( > E*:C*?$@  $ $s)  (  (8+@+@"AA B( T" (;(;  +)<)<+++rAr5ceZdZdZej ZejZejZ dZ ejZ edeedffdZedeedfffd ZedefdZdej.deffd ZxZS) FIPSEntitlementfips UbuntuFIPSrC.cddlm}ddlm}t |t j t tt jt |t jfS)Nr)LivepatchEntitlementRealtimeKernelEntitlement) uaclient.entitlements.livepatchruaclient.entitlements.realtimerrr LIVEPATCH_INVALIDATES_FIPSFIPSUpdatesEntitlementFIPS_UPDATES_INVALIDATES_FIPSREALTIME_FIPS_INCOMPATIBLE)r>rrs r?incompatible_servicesz%FIPSEntitlement.incompatible_servicessQHL #$h&I&I  #&(N(N  #)8+N+N   rAct|}t|j}tj }t |jd|k(tj}|r |jnd|tjj|j|jfddftjj|j|jfddffzS)NrF)r fips_updatescSr)is_fips_updates_enabledsr?riz4FIPSEntitlement.static_affordances..s/rAcSrr)fips_updates_once_enabledsr?riz4FIPSEntitlement.static_affordances..s1rA)rrrrrrrrrrreadrr $FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDrWrd)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)r>rrenabled_statusservices_once_enabled_objrrrs @@r?rz"FIPSEntitlement.static_affordancess"W7-dhh7 *22"&  + + -a 0N B# %?$C$C$E!) & 2 2 " "==DD,2D2DE0  BBII,2D2DJ2  %   rAcd}tjrrpre_enable_promptrs r? messagingzFIPSEntitlement.messagings    99@@**A  $889K $ 3 3  zz00'??FF"&** G '+oo  K00-T__M33$doo'&!  rAr_c t\}}|K|tjk(r8tj dt j tjt|)|r$tjtjyy)Nz>Could not determine cloud, defaulting to generic FIPS package.TF)rrCLOUD_ID_ERRORrLrMrTrUr .FIPS_COULD_NOT_DETERMINE_CLOUD_DEFAULT_PACKAGErrrrrrFIPS_INSTALL_OUT_OF_DATE)r>r_ cloud_typeerrorrs r?rzFIPSEntitlement._perform_enable-ss*, E  %+<+K+K"K KK6  JJxNN O 7 "8 , NN// rA)rrrnamer FIPS_TITLErdFIPS_DESCRIPTION descriptionFIPS_HELP_TEXT help_textoriginPROMPT_FIPS_PRE_ENABLErrrrrrrrr r rrrrrs@r?rrs D   E++K''I F44N  u-CS-H'I   E*:C*?$@  B+ 2+ + Z(;(;rArceZdZdZej ZdZejZ ejZ e de edffdZe defdZdej&deffd ZxZS) rz fips-updatesUbuntuFIPSUpdatesrC.c~ddlm}tttj t|tj fS)Nrr)rrrrr FIPS_INVALIDATES_FIPS_UPDATES"REALTIME_FIPS_UPDATES_INCOMPATIBLE)r>rs r?rz,FIPSUpdatesEntitlement.incompatible_servicesEs:L #!G!G  #);;    rAcd}tjrs D  ' 'E F33K//I   u-CS-H'I    + 2+ + Z(;(;rArceZdZdZej ZejZejZ dZ ejZ dZedeedfffd Zdededefd ZxZS) FIPSPreviewEntitlementz fips-previewUbuntuFIPSPreviewzubuntu-pro-fips-preview.gpgrC.cXt|tttj fzSr)rrrrrr rrs r?rz,FIPSPreviewEntitlement.incompatible_servicess-w, "!G!G 0   rAr9rcyrr)r>r9rs r?rz4FIPSPreviewEntitlement._allow_fips_on_cloud_instancesrA)rrrrr FIPS_PREVIEW_TITLErdFIPS_PREVIEW_DESCRIPTIONrFIPS_PREVIEW_HELP_TEXTrrPROMPT_FIPS_PREVIEW_PRE_ENABLErrrrrrrrrrrs@r?r'r's D  ' 'E33K//I F<rFsr 99OOOF&=F") & %%'g:::8DE#%!.'(-'( , ,/I I $*& *&)%)%.'(,-.'(,--+, , !+, '#X+D00X+v w+wtJ2JZ_rA