HEX

File: //usr/lib/python3/dist-packages/uaclient/entitlements/__pycache__/fips.cpython-310.pyc
o

nHJe�O�@s�ddlZddlZddlmZddlmZmZmZddlm	Z	m
Z
mZmZm
Z
mZddlmZmZddlmZddlmZddlmZdd	lmZdd
lmZddlmZmZddlm Z m!Z!m"Z"e
�#�Z$e�%e�&e'��Z(gd
�Z)ddgZ*gd�Z+e)e*e)e*e)e)e+d�Z,gd�Z-gd�Z.gd�Z/gd�Z0e)e*e-e)e*e.e)e/e)e+e0d�Z1Gdd�dej2�Z3Gdd�de3�Z4Gdd�de3�Z5Gdd�de4�Z6dS)�N)�groupby)�List�Optional�Tuple)�apt�event_logger�
exceptions�messages�system�util)�NoCloudTypeReason�get_cloud_type)�repo)�IncompatibleService)�ApplicationStatus)�notices)�Notice)�ServicesOnceEnabledData�services_once_enabled_file)�MessagingOperations�MessagingOperationsDict�StaticAffordance)�
strongswan�strongswan-hmac�openssh-client�openssh-server�shim-signed�openssh-client-hmac�openssh-server-hmac)�
libnettle8�libhogweed6�libgnutls30�libgmp10)�xenial�bionic�focal�jammy)�openssl�libssl1.0.0�libssl1.0.0-hmac)r'�	libssl1.1�libssl1.1-hmac�libgcrypt20�libgcrypt20-hmac)�gawkzupdate-notifier-commonr'zopenssl-fips-module-3�libssl3r,r-c	s,eZdZdZdZdZdZejj	Z
gd�Zedd��Z
			d%d	eeed
ededdf�fd
d�
Z	d&dededdfdd�Zdededef�fdd�Zedeedffdd��Zedeef�fdd��Zdeeeejff�fdd�Zd'dd �Zd&dedef�fd!d"�
Zd&deddf�fd#d$�
Z�ZS)(�FIPSCommonEntitlementi�zubuntu-pro-fips.gpgz/proc/sys/crypto/fips_enabledT)zfips-initramfsr*r+r(r)r(r)z
linux-fipsrrrrr'rrr,r-zfips-initramfs-genericrcCs*t��j}t��rt�|g�St�|g�S)a�
        Dictionary of conditional packages to be installed when
        enabling FIPS services. For example, if we are enabling
        FIPS services in a machine that has openssh-client installed,
        we will perform two actions:

        1. Upgrade the package to the FIPS version
        2. Install the corresponding hmac version of that package
           when available.
        )r
�get_release_info�series�is_container�#FIPS_CONTAINER_CONDITIONAL_PACKAGES�get�FIPS_CONDITIONAL_PACKAGES)�selfr2�r8�</usr/lib/python3/dist-packages/uaclient/entitlements/fips.py�conditional_packages�s
z*FIPSCommonEntitlement.conditional_packagesN�package_list�cleanup_on_failure�verbose�returnc
s�|r
t�tjj|jd��|j}t�j|dd�g}t	�
�}tt|j
�dd�d�}|D]\}}	||vr7||	7}q+|D]$}
zt�j|
gddd�Wq:tjy^t�tjj|j|
d��Yq:wd	S)
a)Install contract recommended packages for the entitlement.

        :param package_list: Optional package list to use instead of
            self.packages.
        :param cleanup_on_failure: Cleanup apt files if apt install fails.
        :param verbose: If true, print messages to stdout
        ��titleF)r;r=cSs|�dd�S)Nz-hmac�)�replace)�pkg_namer8r8r9�<lambda>��z8FIPSCommonEntitlement.install_packages.<locals>.<lambda>)�key)r;r<r=)�service�pkgN)�event�infor	�INSTALLING_SERVICE_PACKAGES�formatr@�packages�super�install_packagesr�get_installed_packages_namesr�sortedr:r�UbuntuProError�FIPS_PACKAGE_NOT_AVAILABLE)r7r;r<r=�mandatory_packages�desired_packages�installed_packages�
pkg_groupsrC�pkg_listrH��	__class__r8r9rO�s>
����
�����z&FIPSCommonEntitlement.install_packagesF�	operation�silentcCsft��}t�|�|r/|st�tjj|d��|dkr#t�	t
j�dS|dkr1t�	t
j�dSdSdS)z�Check if user should be alerted that a reboot must be performed.

        @param operation: The operation being executed.
        @param silent: Boolean set True to silence print/log of messages
        )r[�installzdisable operationN)
r
�
should_rebootrI�needs_rebootrJr	�ENABLE_REBOOT_REQUIRED_TMPLrLr�addr�FIPS_SYSTEM_REBOOT_REQUIRED�FIPS_DISABLE_REBOOT_REQUIRED)r7r[r\�reboot_requiredr8r8r9�_check_for_reboot_msg�s&
�����z+FIPSCommonEntitlement._check_for_reboot_msgr2�cloud_idcs>|dkrtj|jjdd�rdS|dvrdStdt�jv�SdS)aVReturn False when FIPS is allowed on this cloud and series.

        On Xenial GCP there will be no cloud-optimized kernel so
        block default ubuntu-fips enable. This can be overridden in
        config with features.allow_xenial_fips_on_cloud.

        GCP doesn't yet have a cloud-optimized kernel or metapackage so
        block enable of fips if the contract does not specify ubuntu-gcp-fips.
        This also can be overridden in config with
        features.allow_default_fips_metapackage_on_gcp.

        :return: False when this cloud, series or config override allows FIPS.
        �gcez.features.allow_default_fips_metapackage_on_gcp)�config�
path_to_valueT)r$r%zubuntu-gcp-fips)r�is_config_value_true�cfg�boolrNrM�r7r2rfrYr8r9�_allow_fips_on_cloud_instance�s�z3FIPSCommonEntitlement._allow_fips_on_cloud_instance.cs^dddd�}t�\�}�durd�t��j�tjj���|���d�}|���fdd�d	ffS)
Nzan AWSzan Azureza GCP)�aws�azurergrA)r2�cloudcs�����S�N)rnr8�rfr7r2r8r9rDrEz:FIPSCommonEntitlement.static_affordances.<locals>.<lambda>T)	r
r
r1r2r	�FIPS_BLOCK_ON_CLOUDrLr@r5)r7�cloud_titles�_�blocked_messager8rsr9�static_affordances	s

���z(FIPSCommonEntitlement.static_affordancescst��rgSt�jSrr)r
r3rNrM�r7rYr8r9rMszFIPSCommonEntitlement.packagescs�t���\}}t��rt��st�tj�||fSt	j
�|j�rSt�t
|j��s.t�tj�t�|j���dkrBt�tj�||fSt�tj�tjtjj|jd�fS|tjkr\||fStjtjfS)N�1)�	file_name)rN�application_statusr
r3r^r�removerrb�os�path�exists�FIPS_PROC_FILE�setrM�	load_file�strip�FIPS_MANUAL_DISABLE_URLrar�DISABLEDr	�FIPS_PROC_FILE_ERRORrL�ENABLED�FIPS_REBOOT_REQUIRED)r7�super_status�	super_msgrYr8r9r|"s:������
�z(FIPSCommonEntitlement.application_statuscCsTtt���}t|j��t|j��}|�|�}|r(t�t|�t	j
j|jd��dSdS)z�Remove fips meta package to disable the service.

        FIPS meta-package will unset grub config options which will deactivate
        FIPS on any related packages.
        r?N)
r�rrPrM�
differencer:�intersection�remove_packages�listr	�DISABLE_FAILED_TMPLrLr@)r7rV�fips_metapackager�r8r8r9r�Ls
�
��z%FIPSCommonEntitlement.remove_packagescs:t�j|d�rt�tj�t�tj�t�tj�dSdS)N�r\TF)rN�_perform_enablerr}r�WRONG_FIPS_METAPACKAGE_ON_CLOUDr�rc)r7r\rYr8r9r�]s�z%FIPSCommonEntitlement._perform_enablecs�ddg}t�|tjjd�|�d��}g}|��D]}||jvr$|�|�q|r;ddg|}t�|tjjd�|�d��}t	�j
|d�dS)z�Setup apt config based on the resourceToken and directives.

        FIPS-specifically handle apt-mark unhold

        :raise UbuntuProError: on failure to setup any aspect of this apt
           configuration
        zapt-mark�	showholds� )�command�unholdr�N)r�run_apt_commandr	�EXECUTING_COMMAND_FAILEDrL�join�
splitlines�fips_pro_package_holds�appendrN�setup_apt_config)r7r\�cmd�holds�unholds�hold�
unhold_cmdrYr8r9r�hs&�

���z&FIPSCommonEntitlement.setup_apt_config)NTT�F)r>N) �__name__�
__module__�__qualname__�repo_pin_priority�
repo_key_filer��apt_noninteractiver	�urls�FIPS_HOME_PAGE�help_doc_urlr��propertyr:rr�strrlrOrernrrrxrMr�NamedMessager|r�r�r��
__classcell__r8r8rYr9r0hs\
�
����4���
�����
* r0cs�eZdZdZejZejZej	Z
dZejZ
edeedffdd��Zedeedff�fdd��Zedefd	d
��Zddedef�fd
d�
Z�ZS)�FIPSEntitlement�fips�
UbuntuFIPSr>.cCs:ddlm}ddlm}t|tj�tttj�t|tj	�fS)Nr)�LivepatchEntitlement��RealtimeKernelEntitlement)
�uaclient.entitlements.livepatchr��uaclient.entitlements.realtimer�rr	�LIVEPATCH_INVALIDATES_FIPS�FIPSUpdatesEntitlement�FIPS_UPDATES_INVALIDATES_FIPS�REALTIME_FIPS_INCOMPATIBLE)r7r�r�r8r8r9�incompatible_services�s����z%FIPSEntitlement.incompatible_servicescs�t�j}t|j�}tj}t|��d|k��t�	�}|r|j
nd�|tjj
|j|jd��fdd�dftjj
|j|jd��fdd�dffS)NrF)r��fips_updatesc��Srrr8r8)�is_fips_updates_enabledr8r9rD��z4FIPSEntitlement.static_affordances.<locals>.<lambda>cr�rrr8r8)�fips_updates_once_enabledr8r9rD�r�)rNrxr�rkrr�rlr|r�readr�r	�$FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDrLr@�)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)r7rxr��enabled_status�services_once_enabled_objrY)r�r�r9rx�s2
����
��
��z"FIPSEntitlement.static_affordancescCsrd}t��rtjj|jd�}tjg}n|j}d}|js+t	j
tjj|jd�|jd�fg}t	j
||jd�fg||d�S�Nr?)�msg�
assume_yes)�
pre_enable�post_enable�pre_disable)
r
r3r	� PROMPT_FIPS_CONTAINER_PRE_ENABLErLr@�FIPS_RUN_APT_UPGRADE�pre_enable_msg�purger�prompt_for_confirmation�PROMPT_FIPS_PRE_DISABLEr��r7r��pre_enable_promptr�r8r8r9�	messaging��2��
����
���zFIPSEntitlement.messagingFr\csTt�\}}|dur|tjkrt�d�t�tj�t	�j
|d�r(t�t
j�dSdS)Nz>Could not determine cloud, defaulting to generic FIPS package.r�TF)r
r�CLOUD_ID_ERROR�LOG�warningrIrJr	�.FIPS_COULD_NOT_DETERMINE_CLOUD_DEFAULT_PACKAGErNr�rr}r�FIPS_INSTALL_OUT_OF_DATE)r7r\�
cloud_type�errorrYr8r9r��s
��zFIPSEntitlement._perform_enabler�)r�r�r��namer	�
FIPS_TITLEr@�FIPS_DESCRIPTION�description�FIPS_HELP_TEXT�	help_text�origin�PROMPT_FIPS_PRE_ENABLEr�r�rrr�rrxrr�rlr�r�r8r8rYr9r��s! %r�csneZdZdZejZdZejZ	ej
Zede
edffdd��Zedefdd��Zd
d
edef�fdd�
Z�ZS)r�zfips-updates�UbuntuFIPSUpdatesr>.cCs$ddlm}tttj�t|tj�fS)Nrr�)r�r�rr�r	�FIPS_INVALIDATES_FIPS_UPDATES�"REALTIME_FIPS_UPDATES_INCOMPATIBLE)r7r�r8r8r9r��s���z,FIPSUpdatesEntitlement.incompatible_servicescCsrd}t��rtjj|jd�}tjg}ntj}d}|js+t	j
tjj|jd�|jd�fg}t	j
||jd�fg||d�Sr�)
r
r3r	r�rLr@r��PROMPT_FIPS_UPDATES_PRE_ENABLEr�rr�r�r�r�r8r8r9r�r�z FIPSUpdatesEntitlement.messagingFr\csVt�j|d�r)|j�d�pi}|�|jdi�|jjd|d�t�t	dd��dSdS)Nr�zservices-once-enabledT)rF�content)r�F)
rNr�rk�
read_cache�updater��write_cacher�writer)r7r\�services_once_enabledrYr8r9r�1s���z&FIPSUpdatesEntitlement._perform_enabler�)r�r�r�r�r	�FIPS_UPDATES_TITLEr@r��FIPS_UPDATES_DESCRIPTIONr��FIPS_UPDATES_HELP_TEXTr�r�rrr�rr�rlr�r�r8r8rYr9r��s
 %r�csheZdZdZejZejZej	Z
dZejZ
dZedeedff�fdd��Zded	edefd
d�Z�ZS)�FIPSPreviewEntitlementzfips-preview�UbuntuFIPSPreviewzubuntu-pro-fips-preview.gpgr>.cst�jtttj�fSrr)rNr�rr�r	r�ryrYr8r9r�Ls
��z,FIPSPreviewEntitlement.incompatible_servicesr2rfcCsdS)NTr8rmr8r8r9rnTsz4FIPSPreviewEntitlement._allow_fips_on_cloud_instance)r�r�r�r�r	�FIPS_PREVIEW_TITLEr@�FIPS_PREVIEW_DESCRIPTIONr��FIPS_PREVIEW_HELP_TEXTr�r��PROMPT_FIPS_PREVIEW_PRE_ENABLEr�r�r�rrr�r�rlrnr�r8r8rYr9r�Cs"���r�)7�loggingr~�	itertoolsr�typingrrr�uaclientrrrr	r
r�uaclient.clouds.identityrr
�uaclient.entitlementsr�uaclient.entitlements.baser�(uaclient.entitlements.entitlement_statusr�uaclient.filesr�uaclient.files.noticesr�uaclient.files.state_filesrr�uaclient.typesrrr�get_event_loggerrI�	getLogger�replace_top_level_logger_namer�r��CONDITIONAL_PACKAGES_EVERYWHERE�!CONDITIONAL_PACKAGES_OPENSSH_HMAC�CONDITIONAL_PACKAGES_JAMMYr6�&UBUNTU_FIPS_METAPACKAGE_DEPENDS_XENIAL�&UBUNTU_FIPS_METAPACKAGE_DEPENDS_BIONIC�%UBUNTU_FIPS_METAPACKAGE_DEPENDS_FOCAL�%UBUNTU_FIPS_METAPACKAGE_DEPENDS_JAMMYr4�RepoEntitlementr0r�r�r�r8r8r8r9�<module>st ����
��������rM