fO&ddlZddlZddlmZddlmZmZmZddlm Z m Z m Z m Z m Z mZddlmZmZddlmZddlmZddlmZdd lmZdd lmZdd lmZmZdd lm Z m!Z!m"Z"e jFZ$ejJejLe'Z(gd Z)ddgZ*gdZ+e)e*ze)e*ze)e)e+zdZ,gdZ-gdZ.gdZ/gdZ0e)e*ze-ze)e*ze.ze)e/ze)e+ze0zdZ1GddejdZ3Gdde3Z4Gdde3Z5Gdde4Z6y)N)groupby)ListOptionalTuple)apt event_logger exceptionsmessagessystemutil)NoCloudTypeReasonget_cloud_type)repo)IncompatibleService)ApplicationStatus)notices)Notice)ServicesOnceEnabledDataservices_once_enabled_file)MessagingOperationsMessagingOperationsDictStaticAffordance) strongswanstrongswan-hmacopenssh-clientopenssh-server shim-signedopenssh-client-hmacopenssh-server-hmac) libnettle8 libhogweed6 libgnutls30libgmp10)xenialbionicfocaljammy)openssl libssl1.0.0libssl1.0.0-hmac)r( libssl1.1libssl1.1-hmac libgcrypt20libgcrypt20-hmac)gawkzupdate-notifier-commonr(zopenssl-fips-module-3libssl3r-r.c peZdZdZdZdZdZejjZ gdZ e dZ ddeeed ed ed dffd Z dd eded dfdZdeded effd Ze d eedffdZe d eeffd Zd eeeej4fffd ZddZdded effd Zdded dffd ZxZS)FIPSCommonEntitlementizubuntu-pro-fips.gpgz/proc/sys/crypto/fips_enabledT)zfips-initramfsr+r,r)r*r)r*z linux-fipsrrrrr(rrr-r.zfips-initramfs-genericrctjj}tjrtj |gSt j |gS)a Dictionary of conditional packages to be installed when enabling FIPS services. For example, if we are enabling FIPS services in a machine that has openssh-client installed, we will perform two actions: 1. Upgrade the package to the FIPS version 2. Install the corresponding hmac version of that package when available. )r get_release_infoseries is_container#FIPS_CONTAINER_CONDITIONAL_PACKAGESgetFIPS_CONDITIONAL_PACKAGES)selfr5s r@c&|jddS)Nz-hmac)replace)pkg_names r;z8FIPSCommonEntitlement.install_packages..s!1!1'2!>r=)key)r>r?r@)servicepkgN)eventinfor INSTALLING_SERVICE_PACKAGESformatrDpackagessuperinstall_packagesrget_installed_packages_namesrsortedr<r UbuntuProErrorFIPS_PACKAGE_NOT_AVAILABLE) r:r>r?r@mandatory_packagesdesired_packagesinstalled_packages pkg_groupsrHpkg_listrL __class__s r;rSz&FIPSCommonEntitlement.install_packagess$  JJ44;;$**;M "]]  +U !  ==? 4,, -> #- - Hh-- H,  -$ C ("%5%)  ,,  77>> $ ? s/CADD operationsilentcjtj}tj||r|s3tj t j j||dk(r$tjtjy|dk(r$tjtjyyy)zCheck if user should be alerted that a reboot must be performed. @param operation: The operation being executed. @param silent: Boolean set True to silence print/log of messages )r^installzdisable operationN) r should_rebootrM needs_rebootrNr ENABLE_REBOOT_REQUIRED_TMPLrPraddrFIPS_SYSTEM_REBOOT_REQUIREDFIPS_DISABLE_REBOOT_REQUIRED)r:r^r_reboot_requireds r;_check_for_reboot_msgz+FIPSCommonEntitlement._check_for_reboot_msgs!..0 ?+  88??"+@ I% 6611 772 r=r5cloud_idc|dk(rFtj|jjdry|dvrytdt|vSy)aVReturn False when FIPS is allowed on this cloud and series. On Xenial GCP there will be no cloud-optimized kernel so block default ubuntu-fips enable. This can be overridden in config with features.allow_xenial_fips_on_cloud. GCP doesn't yet have a cloud-optimized kernel or metapackage so block enable of fips if the contract does not specify ubuntu-gcp-fips. This also can be overridden in config with features.allow_default_fips_metapackage_on_gcp. :return: False when this cloud, series or config override allows FIPS. gcez.features.allow_default_fips_metapackage_on_gcp)config path_to_valueT)r%r&zubuntu-gcp-fips)r is_config_value_truecfgboolrRrQ)r:r5rjr]s r;_allow_fips_on_cloud_instancez3FIPSCommonEntitlement._allow_fips_on_cloud_instancesU u ((xx||N,,)UW-==> >r=.cdddd}t\}dtjjtj j j|j}|fddffS) Nzan AWSzan Azureza GCP)awsazurerlrF)r5cloudc(jSN)rr)rjr:r5sr;rIz:FIPSCommonEntitlement.static_affordances..s::68Lr=T) rr r4r5r FIPS_BLOCK_ON_CLOUDrPrDr8)r: cloud_titles_blocked_messagerjr5s` @@r;static_affordancesz(FIPSCommonEntitlement.static_affordances s'*WM $& !  H((*11"66==<<>)9)9()C>   L   r=cDtjrgSt| Srx)r r6rRrQr:r]s r;rQzFIPSCommonEntitlement.packagess    Iwr=ct|\}}tjr;tjs't j tj||fStjj|jrtjt|js#t j tjtj|jj!dk(r't j tj"||fSt j$tj"t&j(t*j,j/|jfS|t&j0k7r||fSt&j0t*j2fS)N1) file_name)rRapplication_statusr r6rbrremoverrfospathexistsFIPS_PROC_FILEsetrQ load_filestripFIPS_MANUAL_DISABLE_URLrerDISABLEDr FIPS_PROC_FILE_ERRORrPENABLEDFIPS_REBOOT_REQUIRED)r: super_status super_msgr]s r;rz(FIPSCommonEntitlement.application_status"s^#('"<"> i    )=)=)? NN22  * * 77>>$-- .''DMM(:;66 3 34::<C22$Y.. 22&..1188"&"5"59 ,44 4* *  % %  ) )  r=cbttj}t|jj t|j }|j |}|rHtjt|tjj|jyy)zRemove fips meta package to disable the service. FIPS meta-package will unset grub config options which will deactivate FIPS on any related packages. rCN) rrrTrQ differencer< intersectionremove_packageslistr DISABLE_FAILED_TMPLrPrD)r:rZfips_metapackagers r;rz%FIPSCommonEntitlement.remove_packagesLs !!A!A!CDt}}-88 )) * +778JK    %&,,33$**3E  r=ct||rjtjtj tjtj tjtjyy)Nr_TF)rR_perform_enablerrrWRONG_FIPS_METAPACKAGE_ON_CLOUDrrg)r:r_r]s r;rz%FIPSCommonEntitlement._perform_enable]sT 7 "& " 1 NN66  NN666 7 NN6>> ?r=cddg}tj|tjj dj |}g}|j D]"}||jvs|j|$|rJddg|z}tj|tjj dj |}t|)|y)zSetup apt config based on the resourceToken and directives. FIPS-specifically handle apt-mark unhold :raise UbuntuProError: on failure to setup any aspect of this apt configuration zapt-mark showholds )commandunholdrN) rrun_apt_commandr EXECUTING_COMMAND_FAILEDrPjoin splitlinesfips_pro_package_holdsappendrRsetup_apt_config)r:r_cmdholdsunholdshold unhold_cmdr]s r;rz&FIPSCommonEntitlement.setup_apt_confighs;'##   - - 4 4SXXc] 4 K $$& %Dt222t$ % $h/'9J''1188HHZ09E   /r=)NTTF)rAN) __name__ __module__ __qualname__repo_pin_priority repo_key_filerapt_noninteractiver urlsFIPS_HOME_PAGE help_doc_urlrpropertyr<rrstrrqrSrirrrrr}rQr NamedMessagerrrr __classcell__r]s@r;r2r2hs^)M4N ==//L,99(-1#' 1tCy)1!1 1  1h.3&* 4%( > E*:C*?$@  $ $s)  (  (8+@+@"AA B( T" d t 0t000r=r2ceZdZdZej ZejZejZ dZ ejZ edeedffdZedeedfffd ZedefdZd dedeffd ZxZS) FIPSEntitlementfips UbuntuFIPSrA.cddlm}ddlm}t |t j t tt jt |t jfS)Nr)LivepatchEntitlementRealtimeKernelEntitlement) uaclient.entitlements.livepatchruaclient.entitlements.realtimerrr LIVEPATCH_INVALIDATES_FIPSFIPSUpdatesEntitlementFIPS_UPDATES_INVALIDATES_FIPSREALTIME_FIPS_INCOMPATIBLE)r:rrs r;incompatible_servicesz%FIPSEntitlement.incompatible_servicessQHL $h&I&I  &(N(N  )8+N+N   r=ct|}t|j}tj }t |jd|k(tj}|r |jnd|tjj|j|jfddftjj|j|jfddffzS)NrF)r fips_updatescSrx)is_fips_updates_enabledsr;rIz4FIPSEntitlement.static_affordances..s/r=cSrxr)fips_updates_once_enabledsr;rIz4FIPSEntitlement.static_affordances..s1r=)rRr}rrprrrqrrreadrr $FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDrPrD)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)r:r}renabled_statusservices_once_enabled_objrrr]s @@r;r}z"FIPSEntitlement.static_affordancess"W7-dhh7 *22"&  + + -a 0N B# %?$C$C$E!) & 2 2 " "==DD,2D2DE0  BBII,2D2DJ2  %   r=cd}tjrCould not determine cloud, defaulting to generic FIPS package.rTF)rr CLOUD_ID_ERRORLOGwarningrMrNr .FIPS_COULD_NOT_DETERMINE_CLOUD_DEFAULT_PACKAGErRrrrrFIPS_INSTALL_OUT_OF_DATE)r:r_ cloud_typeerrorr]s r;rzFIPSEntitlement._perform_enablesv*, E  %+<+K+K"K KK6  JJxNN O 7 "& " 1 NN// r=r)rrrnamer FIPS_TITLErDFIPS_DESCRIPTION descriptionFIPS_HELP_TEXT help_textoriginPROMPT_FIPS_PRE_ENABLErrrrrrr}rrrqrrrs@r;rrs D   E++K''I F44N  u-@#-E'F   E*:C*?$@  B# 2# # Jdtr=rceZdZdZej ZdZejZ ejZ e de edffdZe defdZd dedeffd ZxZS) rz fips-updatesUbuntuFIPSUpdatesrA.c~ddlm}tttj t|tj fS)Nrr)rrrrr FIPS_INVALIDATES_FIPS_UPDATES"REALTIME_FIPS_UPDATES_INCOMPATIBLE)r:rs r;rz,FIPSUpdatesEntitlement.incompatible_servicess:L !G!G  );;    r=cd}tjrr*sl ((JJF&:F") & %%'g:::8DE#%!.'(-'( , ,/I I $*& *&)%)%.'(,-.'(,--+, , !+, '#Y0D00Y0xo+odJ2JZ_r=