o K&bI@s.ddlZddlZddlZddlmZddlmZmZmZddl m Z m Z m Z m Z mZmZddlmZmZddlmZddlmZddlmZmZmZe Zgd Zd d gZeeeeed Zgd Z gdZ!gdZ"eee eee!ee"d Z#Gdddej$Z%Gddde%Z&Gddde%Z'dS)N)groupby)ListOptionalTuple)apt event_logger exceptionsmessagesstatusutil)NoCloudTypeReasonget_cloud_type)repo)IncompatibleService)MessagingOperationsMessagingOperationsDictStaticAffordance) strongswanstrongswan-hmacopenssh-clientopenssh-serveropenssh-client-hmacopenssh-server-hmac)xenialbionicfocal)openssl libssl1.0.0libssl1.0.0-hmac)r libssl1.1libssl1.1-hmacZ libgcrypt20zlibgcrypt20-hmacc seZdZdZdZdZdZdZeddZ   d&d e e d e d e d dffd d Z de d dfddZde de d e ffdd Zed eedffddZde e d e e fddZed e e ffdd Zd eejeejfffdd Zd'd d!Zd(d#e d e ffd$d% ZZS))FIPSCommonEntitlementizubuntu-advantage-fips.gpgz/proc/sys/crypto/fips_enabledTz/https://ubuntu.com/security/certifications#fipscCs0tdd}trt|gSt|gS)a Dictionary of conditional packages to be installed when enabling FIPS services. For example, if we are enabling FIPS services in a machine that has openssh-client installed, we will perform two actions: 1. Upgrade the package to the FIPS version 2. Install the corresponding hmac version of that package when available. series)r get_platform_infoget is_container#FIPS_CONTAINER_CONDITIONAL_PACKAGESFIPS_CONDITIONAL_PACKAGES)selfr"r* z8FIPSCommonEntitlement.install_packages..)key)r-r.r/)servicepkgN)eventinfoformatr2packagessuperinstall_packagesrget_installed_packagesrsortedr,rZUserFacingErrorr ZFIPS_PACKAGE_NOT_AVAILABLE) r)r-r.r/Zmandatory_packagesZdesired_packagesinstalled_packagesZ pkg_groupsr4Zpkg_listr9 __class__r*r+r?ms:   z&FIPSCommonEntitlement.install_packages operationcCslt}t||r2ttjj|d|dkr$|j dtj j dS|dkr4|j dtj dSdSdS)zCheck if user should be alerted that a reboot must be performed. @param operation: The operation being executed. )rEinstallr#zdisable operationN) r should_rebootr:Z needs_rebootr;r ZENABLE_REBOOT_REQUIRED_TMPLr<cfg add_noticeFIPS_SYSTEM_REBOOT_REQUIREDmsgFIPS_DISABLE_REBOOT_REQUIRED)r)rEZreboot_requiredr*r*r+_check_for_reboot_msgs   z+FIPSCommonEntitlement._check_for_reboot_msgr"cloud_idcsl|dvrdS|dkr#tj|jjddrdS|dvrdStdtjvS|dkr4tj|jjd dr2dSd SdS) a`Return False when FIPS is allowed on this cloud and series. On Xenial Azure and GCP there will be no cloud-optimized kernel so block default ubuntu-fips enable. This can be overridden in config with features.allow_xenial_fips_on_cloud. GCP doesn't yet have a cloud-optimized kernel or metapackage so block enable of fips if the contract does not specify ubuntu-gcp-fips. This also can be overridden in config with features.allow_default_fips_metapackage_on_gcp. :return: False when this cloud, series or config override allows FIPS. )azuregceTrPz.features.allow_default_fips_metapackage_on_gcpZconfigZ path_to_valuerrzubuntu-gcp-fipsrz#features.allow_xenial_fips_on_cloudF)r is_config_value_truerHboolr>r=)r)r"rNrCr*r+_allow_fips_on_cloud_instances&z3FIPSCommonEntitlement._allow_fips_on_cloud_instance.csddddd}t\}durdtddtjj|d}|fdd d ffS) Nzan AWSzan Azureza GCP)awsrOrPr#r")r"cloudcs SN)rUr*rNr)r"r*r+r5r6z:FIPSCommonEntitlement.static_affordances..T)r r r$r%r ZFIPS_BLOCK_ON_CLOUDr<r2)r)Z cloud_titles_Zblocked_messager*rYr+static_affordancess  z(FIPSCommonEntitlement.static_affordancesr=cstj|jjdd}|r |Std}|dvr|St\}}|dur%d}td|}|r2|dnd}|d vr:|S|d kr@d n|}d |fd d|DS)a Identify correct metapackage to be used if in a cloud instance. Currently, the contract backend is not delivering the right metapackage on a Bionic Azure or AWS cloud instance. For those clouds, we have cloud specific fips metapackages and we should use them. We are now performing that correction here, but this is a temporary fix. z*features.disable_fips_metapackage_overriderQr"rRNr#z^(?P(azure|aws|gce)).*rW)rOrVrPrPZgcpzubuntu-{}-fipscsg|] }|dkr n|qS)z ubuntu-fipsr*).0r9Z cloud_metapkgr*r+ szPFIPSCommonEntitlement._replace_metapackage_on_cloud_instance..) r rSrHr$r%r rematchgroupr<)r)r=Z%cfg_disable_fips_metapackage_overrider"rNrZZ cloud_matchr*r]r+&_replace_metapackage_on_cloud_instances*     zr=rb)r)r=rCr*r+r=s zFIPSCommonEntitlement.packagescst\}}trts|jdtjj ||fSt j |j r^|jdtjj t|j dkrB|jdtj||fS|jdtj|jdtjtjjtjj|j dfS|jdtj|tjjkrp||fStjjtjfS)Nr#1) file_name)r>application_statusr r&rGrH remove_noticer rJrKospathexistsFIPS_PROC_FILEZ load_filestripr ZNOTICE_FIPS_MANUAL_DISABLE_URLrLrIApplicationStatusZDISABLEDZFIPS_PROC_FILE_ERRORr<ENABLEDZFIPS_REBOOT_REQUIRED)r)Z super_statusZ super_msgrCr*r+re!s< z(FIPSCommonEntitlement.application_statuscCsttt}t|jt|j}||}|r8ddi}ddg}tjgd|t|t j j |j d|ddSdS) zRemove fips meta package to disable the service. FIPS meta-package will unset grub config options which will deactivate FIPS on any related packages. ZDEBIAN_FRONTENDZnoninteractivez$-o Dpkg::Options::="--force-confdef"z$-o Dpkg::Options::="--force-confold")zapt-getremovez --assume-yesr1)envN) setrr@r= differencer, intersectionrun_apt_commandlistr ZDISABLE_FAILED_TMPLr<r2)r)rBZfips_metapackageremove_packagesroZ apt_optionsr*r*r+ruJs(    z%FIPSCommonEntitlement.remove_packagesFsilentcs&tj|dr|jdtjdSdS)Nrvr#TF)r>_perform_enablerHrfr Z&NOTICE_WRONG_FIPS_METAPACKAGE_ON_CLOUD)r)rvrCr*r+rxcs z%FIPSCommonEntitlement._perform_enable)NTT)r0NF)__name__ __module__ __qualname__Zrepo_pin_priorityZ repo_key_filerjZapt_noninteractiveZ help_doc_urlpropertyr,rstrrTr?rMrUrrr[rbr=r rlrr Z NamedMessagererurx __classcell__r*r*rCr+r!MsT 1, ) ) r!cseZdZdZdZdZdZgdZede e dffdd Z ede e dfffd d Z edefd d Zddeddffdd Zddedeffdd ZZS)FIPSEntitlementfipsZFIPSzNIST-certified core packagesZ UbuntuFIPS)zfips-initramfsrr rrrrz linux-fipsrrrrrrrr0.cCs$ddlm}t|tjtttjfS)Nr)LivepatchEntitlement)Zuaclient.entitlements.livepatchrrr ZLIVEPATCH_INVALIDATES_FIPSFIPSUpdatesEntitlementZFIPS_UPDATES_INVALIDATES_FIPS)r)rr*r*r+incompatible_servicess z%FIPSEntitlement.incompatible_servicescstj}t|j}tjj}t|d|k|j dpi}| |j d|t j j|j|jdfdddft jj|j|jdfdddffS)Nrservices-once-enabledF)rZ fips_updatescSrXr*r*)is_fips_update_enabledr*r+r5z4FIPSEntitlement.static_affordances..crrXr*r*)fips_updates_once_enabledr*r+r5r)r>r[rrHr rlrmrTre read_cacher%namer Z$FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDr<r2Z)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)r)r[Z fips_updateZenabled_statusservices_once_enabledrC)rrr+r[s2   z"FIPSEntitlement.static_affordancescCZd}trtjj|jd}tjg}ntj}tj ||j dfg|tj tj |j dfgdSNr1)rK assume_yes)Z pre_enable post_enableZ pre_disable) r r&r PROMPT_FIPS_CONTAINER_PRE_ENABLEr<r2r FIPS_RUN_APT_UPGRADEZPROMPT_FIPS_PRE_ENABLEprompt_for_confirmationrPROMPT_FIPS_PRE_DISABLEr)rZpre_enable_promptr*r*r+ messaging&  zFIPSEntitlement.messagingFrvNcs|ddg}t|d|d}g}|D] }||jvr!||q|r5ddg|}t|d|d}tj|ddS)zSetup apt config based on the resourceToken and directives. FIPS-specifically handle apt-mark unhold :raise UserFacingError: on failure to setup any aspect of this apt configuration zapt-markZ showholds z failed.ZunholdrwN)rrsjoin splitlinesfips_pro_package_holdsappendr>setup_apt_config)r)rvcmdZholdsZunholdsZholdZ unhold_cmdrCr*r+rs    z FIPSEntitlement.setup_apt_configcsLt\}}|dur|tjkrtdtj|dr$|jdt j dSdS)Nz>Could not determine cloud, defaulting to generic FIPS package.rwr#TF) r r ZCLOUD_ID_ERRORloggingZwarningr>rxrHrfr ZFIPS_INSTALL_OUT_OF_DATE)r)rvZ cloud_typeerrorrCr*r+rxs zFIPSEntitlement._perform_enablery)rzr{r|rr2 descriptionoriginrr}rrrrr[rrrTrrxrr*r*rCr+rms ! rcsJeZdZdZdZdZdZedefddZ d d e de ffd d Z Z S) rz fips-updatesz FIPS UpdatesZUbuntuFIPSUpdatesz;NIST-certified core packages with priority security updatesr0cCrr) r r&r rr<r2r rZPROMPT_FIPS_UPDATES_PRE_ENABLErrrrr*r*r+rrz FIPSUpdatesEntitlement.messagingFrvcsFtj|dr!|jdpi}||jdi|jjd|ddSdS)NrwrT)r7ZcontentF)r>rxrHrupdaterZ write_cache)r)rvrrCr*r+rxsz&FIPSUpdatesEntitlement._perform_enablery) rzr{r|rr2rrr}rrrTrxrr*r*rCr+rs r)(rrgr_ itertoolsrtypingrrrZuaclientrrrr r r Zuaclient.clouds.identityr r Zuaclient.entitlementsrZuaclient.entitlements.baserZuaclient.typesrrrZget_event_loggerr:ZCONDITIONAL_PACKAGES_EVERYWHEREZ!CONDITIONAL_PACKAGES_OPENSSH_HMACr(Z&UBUNTU_FIPS_METAPACKAGE_DEPENDS_XENIALZ&UBUNTU_FIPS_METAPACKAGE_DEPENDS_BIONICZ%UBUNTU_FIPS_METAPACKAGE_DEPENDS_FOCALr'ZRepoEntitlementr!rrr*r*r*r+s\     "