Current File : //usr/lib/python3/dist-packages/uaclient/entitlements/__pycache__/fips.cpython-312.pyc
�

l�g}b���ddlZddlZddlZddlmZddlmZmZmZddl	m
Z
mZmZm
Z
mZmZmZddlmZmZddlmZddlmZddlmZdd	lmZdd
lmZddlmZm Z ddl!m"Z"m#Z#m$Z$ejJ�Z&ejNejPe)��Z*gd
�Z+ddgZ,e+e,ze+e,ze+d�Z-gd�Z.gd�Z/gd�Z0e+e,ze.ze+e,ze/ze+e0zd�Z1Gd�dejd�Z3Gd�de3�Z4Gd�de3�Z5Gd�de4�Z6y)�N)�groupby)�List�Optional�Tuple)�api�apt�event_logger�
exceptions�messages�system�util)�NoCloudTypeReason�get_cloud_type)�repo)�EntitlementWithMessage)�ApplicationStatus)�notices)�Notice)�ServicesOnceEnabledData�services_once_enabled_file)�MessagingOperations�MessagingOperationsDict�StaticAffordance)�
strongswan�strongswan-hmac�openssh-client�openssh-server�shim-signed�openssh-client-hmac�openssh-server-hmac)�xenial�bionic�focal)�openssl�libssl1.0.0�libssl1.0.0-hmac)r$�	libssl1.1�libssl1.1-hmac�libgcrypt20�libgcrypt20-hmacc	�j��eZdZdZdZdZejZdZ	ejjZgd�Z
edefd��Zed��Zd	edefd
�Zdej*fd�Zdefd
�Zdej*fd�Z		d#dej*deeededdf�fd�
Zdefd�Z	d$dededdfd�Zdededef�fd�Zede e!dffd��Z"edeef�fd��Z#de e$eejJff�fd�Z&d%d�Z'dej*def�fd�Z(dej*def�fd �Z)d!�Z*dej*ddf�fd"�Z+�xZ,S)&�FIPSCommonEntitlementi�zubuntu-pro-fips.gpgz/proc/sys/crypto/fips_enabledT)zfips-initramfszfips-initramfs-genericr)r*�libgmp10�libgnutls30�libhogweed6�
libnettle8r%r&r%r&r'r(�libssl3�
linux-fipsrrrr r$�openssl-fips-module-3rrrzubuntu-fipszubuntu-aws-fipszubuntu-azure-fips�ubuntu-gcp-fips�returnc��d}tj�rLtjj	|j
��}|j
�stjg}n|j}d}|js=tjdtjj	|j
��ifg}tjd|ifg|jifg||d�}t|j�dk(r�|jd}t!j"d|�}|r|j%d�}nd}tj&�j(}||k7rn|j+d�xsg}	tj,j	||j.||xsd	�
�}
|	j1tjd|
if�|	|d<|S)N��title�msg)�
pre_enable�pre_install�post_enable�pre_disable�rzubuntu-([a-z]+)-fips�genericr:�unknown)�variant�service�base_flavor�current_flavor)r�is_containerr� PROMPT_FIPS_CONTAINER_PRE_ENABLE�formatr8�auto_upgrade_all_on_enable�FIPS_RUN_APT_UPGRADE�pre_enable_msg�purger
�prompt_for_confirmation�PROMPT_FIPS_PRE_DISABLE�prompt_if_kernel_downgrade�len�packages�re�match�group�get_kernel_info�flavor�get�#KERNEL_FLAVOR_CHANGE_WARNING_PROMPT�name�append)�selfr<�pre_enable_promptr=�	messaging�ubuntu_fips_package_name� ubuntu_fips_package_flavor_match�ubuntu_fips_package_flavorrDr:r9s           �</usr/lib/python3/dist-packages/uaclient/entitlements/fips.pyr\zFIPSCommonEntitlement.messaging�s�������� ��9�9�@�@��*�*�A��
�
�2�2�4�'�<�<�=�� $� 3� 3�����z�z��0�0��x�?�?�F�F�"&�*�*� G� ���	�K��0�0��-�.����3�3����'�&�
�	�"�t�}�}���"�'+�}�}�Q�'7�$�/1�x�x�&�(@�0�,�0�4�:�:�1�=�+�.7�*�#�3�3�5�<�<�N�)�^�;�&�]�]�<�8�>�B�
��B�B�I�I�6� �I�I� :�#1�#>�Y�	J����!�!��4�4������+5�	�,�'���c��tj�j}tj�rtj|g�Stj|g�S)a�
        Dictionary of conditional packages to be installed when
        enabling FIPS services. For example, if we are enabling
        FIPS services in a machine that has openssh-client installed,
        we will perform two actions:

        1. Upgrade the package to the FIPS version
        2. Install the corresponding hmac version of that package
           when available.
        )r�get_release_info�seriesrE�#FIPS_CONTAINER_CONDITIONAL_PACKAGESrV�FIPS_CONDITIONAL_PACKAGES)rZrds  r`�conditional_packagesz*FIPSCommonEntitlement.conditional_packages�sJ���(�(�*�1�1����� �6�:�:�6�2�F�F�(�,�,�V�R�8�8ra�
assume_yesc�2�tj�j}|�tj	d�ytjd|�}tjd�}|��|��|jd�}tjd||�tj||�dkrYtjtjj!||���t#j$tj&|�	�Sytj	d
||�y)ztCheck if installing a FIPS kernel will downgrade the kernel
        and prompt for confirmation if it will.
        z Cannot gather kernel informationFz!(?P<kernel_version>\d+\.\d+\.\d+)r2�kernel_versionz*Kernel information: cur='%s' and fips='%s'r)�current_version�new_version)r9rhz2Cannot gather kernel information for '%s' and '%s'T)rrT�proc_version_signature_version�LOG�warningrQ�searchr�get_pkg_candidate_versionrS�debug�version_compare�event�infor�KERNEL_DOWNGRADE_WARNINGrGr
rL�
PROMPT_YES_NO)rZrh�our_full_kernel_str�our_m�fips_kernel_version_str�our_kernel_version_strs      r`rNz0FIPSCommonEntitlement.prompt_if_kernel_downgrade�s��
�"�"�$�C�C�	��&��K�K�:�;���	�	�0�2E�
��#&�"?�"?��"M����!8�!D�%*�[�[�1A�%B�"��I�I�<�#�'�
��#�#�+�-C����
�
�
��5�5�<�<�(>�$;�=����3�3� �.�.�:����
�K�K�D�#�'�
�
ra�progressc	��g}tj�}tt|j�d���}|D]\}}||vs�||z
}�|D] }	tj
|gddigd����"y#tj$r>|jdtjj|j|���Y�twxYw)	Nc�&�|jdd�S)Nz-hmac�)�replace)�pkg_names r`�<lambda>zNFIPSCommonEntitlement.hardcoded_install_conditional_packages.<locals>.<lambda>s���!1�!1�'�2�!>�ra)�key�DEBIAN_FRONTEND�noninteractive�z--allow-downgradesz$-o Dpkg::Options::="--force-confdef"z$-o Dpkg::Options::="--force-confold"�rP�override_env_vars�apt_optionsru)rB�pkg)
r�get_installed_packages_namesr�sortedrg�run_apt_install_commandr
�UbuntuProError�emitr�FIPS_PACKAGE_NOT_AVAILABLErGr8)rZr|�desired_packages�installed_packages�
pkg_groupsr��pkg_listr�s        r`�&hardcoded_install_conditional_packagesz<FIPSCommonEntitlement.hardcoded_install_conditional_packagess���
�� �=�=�?����4�,�,�-�>�
�
�
#-�	-��H�h��-�-� �H�,� �	-�$�	�C�
��+�+�!�U�'8�:J�&K�!��	���,�,�
��
�
���7�7�>�>� $�
�
��?���
�s�A2�2AC�Cc��tj|jjd��}tj�j
dv}|xs|S)Nzfeatures.fips_auto_upgrade_all��config�
path_to_value>r#r"r!)r
�is_config_value_true�cfgrrcrd)rZ�install_all_updates_override�hardcoded_releases   r`rHz0FIPSCommonEntitlement.auto_upgrade_all_on_enable2sT��'+�'@�'@��8�8�<�<�/O�(
�$�#�3�3�5�<�<�A
�
��
,�D�3D�/D�Drac�h�tj|j�D�cgc]}|j��}}t	j
�jdk(r|jd�|j�t|�dkDrn	|jdtjjdj|����|j|�tj |ddigd	��
�yycc}w#t"j$$r#|jdtj&�YywxYw)N�jammyr3rru� )rPr�r�r�r�)r�;get_installed_packages_with_uninstalled_candidate_in_origin�originrXrrcrdrY�sortrOr�r�INSTALLING_PACKAGESrG�join�unhold_packagesr�r
r��FIPS_PACKAGES_UPGRADE_FAILURE)rZr|�package�
to_upgrades    r`�#install_all_available_fips_upgradesz9FIPSCommonEntitlement.install_all_available_fips_upgrades>s��
�Z�Z�����
��
�L�L�
�
�
��"�"�$�+�+�w�6����5�6������z�?�Q��
N��
�
���0�0�7�7�!$���*�!5�8����$�$�Z�0��+�+�'�'8�:J�&K�!����
��<�,�,�
N��
�
�f�h�&L�&L�M�
N�s�C6�A,C;�;3D1�0D1N�package_list�cleanup_on_failurec���|j}|rt�|�	||��n9|jtj
j
|j���|j�r|j|�n|j|�|j�r$tjtj�yy)z�Install contract recommended packages for the entitlement.

        :param package_list: Optional package list to use instead of
            self.packages.
        :param cleanup_on_failure: Cleanup apt files if apt install fails.
        )r�r7N)rP�super�install_packagesr|r�INSTALLING_SERVICE_PACKAGESrGr8rHr�r��_check_for_rebootr�addr�FIPS_SYSTEM_REBOOT_REQUIRED)rZr|r�r��mandatory_packages�	__class__s     �r`r�z&FIPSCommonEntitlement.install_packagesbs����"�]�]����G�$��/�
%�
�
����4�4�;�;�$�*�*�;�M�
��*�*�,��4�4�X�>��7�7��A��!�!�#��K�K��2�2�
�$rac�*�tj�S)z=Check if system needs to be rebooted because of this service.)r�
should_reboot)rZs r`r�z'FIPSCommonEntitlement._check_for_reboot�s���#�#�%�%ra�	operation�silentc��|j�}tj|�|r_|s3tjtj
j
|���|dk(r$tjtj�yyy)z�Check if user should be alerted that a reboot must be performed.

        @param operation: The operation being executed.
        @param silent: Boolean set True to silence print/log of messages
        )r�zdisable operationN)r�rt�needs_rebootrur�ENABLE_REBOOT_REQUIRED_TMPLrGrr�r�FIPS_DISABLE_REBOOT_REQUIRED)rZr�r��reboot_requireds    r`�_check_for_reboot_msgz+FIPSCommonEntitlement._check_for_reboot_msg�sy���0�0�2��
���?�+����
�
��8�8�?�?�"+�@���
�/�/�����7�7��0�rard�cloud_idc���|dk(rFtj|jjd��ry|dvrytdt�|�v�Sy)aVReturn False when FIPS is allowed on this cloud and series.

        On Xenial GCP there will be no cloud-optimized kernel so
        block default ubuntu-fips enable. This can be overridden in
        config with features.allow_xenial_fips_on_cloud.

        GCP doesn't yet have a cloud-optimized kernel or metapackage so
        block enable of fips if the contract does not specify ubuntu-gcp-fips.
        This also can be overridden in config with
        features.allow_default_fips_metapackage_on_gcp.

        :return: False when this cloud, series or config override allows FIPS.
        �gcez.features.allow_default_fips_metapackage_on_gcpr�T)r"r#r4)r
r�r��boolr�rP)rZrdr�r�s   �r`�_allow_fips_on_cloud_instancez3FIPSCommonEntitlement._allow_fips_on_cloud_instance�sU��� �u���(�(��x�x�|�|�N����,�,���)�U�W�-=�=�>�>�ra.c�����dddd�}t�\�}��d�tj�j�tj
j
�j�|j����}|���fd�dffS)	Nzan AWSzan Azureza GCP)�aws�azurer�r)rd�cloudc�(���j���S�N)r�)r�rZrds���r`r�z:FIPSCommonEntitlement.static_affordances.<locals>.<lambda>�s����:�:�6�8�L�raT)	rrrcrdr�FIPS_BLOCK_ON_CLOUDrGr8rV)rZ�cloud_titles�_�blocked_messager�rds`   @@r`�static_affordancesz(FIPSCommonEntitlement.static_affordances�s����'�*�W�M��$�&���!����H��(�(�*�1�1��"�6�6�=�=��<�<�>��)9�)9�(�)C�>�
��
 �L��
�
�	
rac�D��tj�rgSt�|�Sr�)rrEr�rP�rZr�s �r`rPzFIPSCommonEntitlement.packages�s������ ��I��w��rac���t�|��\}}tj�r;tj�s'tjtj�||fStjj|j�r�tjt|j��s#tjtj�tj|j�j!�dk(r'tjtj"�||fStj$tj"�t&j(t*j,j/|j��fS|t&j0k7r||fSt&j0t*j2fS)N�1)�	file_name)r��application_statusrrEr�r�removerr��os�path�exists�FIPS_PROC_FILE�setrP�	load_file�strip�FIPS_MANUAL_DISABLE_URLr�r�DISABLEDr�FIPS_PROC_FILE_ERRORrG�ENABLED�FIPS_REBOOT_REQUIRED)rZ�super_status�	super_msgr�s   �r`r�z(FIPSCommonEntitlement.application_status�s^���#(�'�"<�">���i���� ��)=�)=�)?��N�N��2�2�
� ��*�*�
�7�7�>�>�$�-�-�.��'�'��D�M�M�(:�;�����6�6������ 3� 3�4�:�:�<��C�����2�2��$�Y�.�.�����2�2��&�.�.��1�1�8�8�"&�"5�"5�9�����,�4�4�4���*�*��%�%��)�)�
�	
rac�b�ttj��}t|j�j	t|j
��}|j
|�}|rHtjt|�tjj|j���yy)z�Remove fips meta package to disable the service.

        FIPS meta-package will unset grub config options which will deactivate
        FIPS on any related packages.
        r7N)
r�rr�rP�
differencerg�intersection�remove_packages�listr�DISABLE_FAILED_TMPLrGr8)rZr��fips_metapackager�s    r`r�z%FIPSCommonEntitlement.remove_packagess���!��!A�!A�!C�D���t�}�}�-�8�8���)�)�*�
��+�7�7�8J�K�������%�&��,�,�3�3�$�*�*�3�E�
�rac���t�|�|�rjtjtj
�tjtj�tjtj�yy�NTF)r��_perform_enablerr�r�WRONG_FIPS_METAPACKAGE_ON_CLOUDr�r��rZr|r�s  �r`r�z%FIPSCommonEntitlement._perform_enablesQ����7�"�8�,��N�N��6�6�
�
�N�N�6�6�6�7��N�N�6�>�>�?��rac���t�|�|�r4|j�r#tjt
j�yyr�)r��_perform_disabler�rr�rr�r�s  �r`r�z&FIPSCommonEntitlement._perform_disable s9����7�#�H�-��%�%�'�����7�7���rac��ddg}tj|tjj	dj|����}g}|j
�D]}||vs�|j|��|rKddg|z}tj|tjj	dj|����}yy)Nzapt-mark�	showholdsr�)�command�unhold)r�run_apt_commandr�EXECUTING_COMMAND_FAILEDrGr��
splitlinesrY)rZ�
package_names�cmd�holds�unholds�hold�
unhold_cmds       r`r�z%FIPSCommonEntitlement.unhold_packages*s����;�'���#�#���-�-�4�4�S�X�X�c�]�4�K�
�����$�$�&�	%�D��}�$����t�$�	%��$�h�/�'�9�J��'�'���1�1�8�8��H�H�Z�0�9���E�rac�Z��|j|j�t�|�
|�y)z�Setup apt config based on the resourceToken and directives.

        FIPS-specifically handle apt-mark unhold

        :raise UbuntuProError: on failure to setup any aspect of this apt
           configuration
        N)r��fips_pro_package_holdsr��setup_apt_configr�s  �r`rz&FIPSCommonEntitlement.setup_apt_config=s&���	
���T�8�8�9�
�� ��*ra�NT)F)r5N)-�__name__�
__module__�__qualname__�repo_pin_priority�
repo_key_filer�r�PROMPT_FIPS_PRE_ENABLErJ�apt_noninteractive�urls�FIPS_HOME_PAGE�help_doc_urlr�propertyrr\rgr�rNr�ProgressWrapperr�rHr�rr�strr�r�r�r�rrr�rPr�NamedMessager�r�r�r�r�r�
__classcell__�r�s@r`r,r,Vs�����)�M�4�N��4�4�N�
���=�=�/�/�L���@�H�2�H��H�T�9��9�$,��,��,�\!��+�+�!�F
E�D�
E�"N��+�+�"N�N-1�#'�	$��%�%�$��t�C�y�)�$�!�	$�

�$�L&�4�&�
.3����&*��	
��,���%(��	
��>�
�E�*:�C�*?�$@�
��
�$� �$�s�)� �� �
(
�	� �(�8�+@�+@�"A�A�	B�(
�T�"	��(;�(;�	��	���)<�)<�����&	+��)<�)<�	+��	+�	+rar,c����eZdZdZej
ZejZejZ
dZejZ
edeedffd��Zedeedff�fd��Zdej*def�fd�Z�xZS)	�FIPSEntitlement�fips�
UbuntuFIPSr5.c��ddlm}ddlm}t	|t
j�t	tt
j�t	|t
j�fS)Nr)�LivepatchEntitlement��RealtimeKernelEntitlement)
�uaclient.entitlements.livepatchr�uaclient.entitlements.realtimerrr�LIVEPATCH_INVALIDATES_FIPS�FIPSUpdatesEntitlement�FIPS_UPDATES_INVALIDATES_FIPS�REALTIME_FIPS_INCOMPATIBLE)rZrrs   r`�incompatible_servicesz%FIPSEntitlement.incompatible_servicesQsQ��H�L�
#�$�h�&I�&I�
�
#�&��(N�(N�
�
#�)�8�+N�+N�
�

�
	
rac������t�|�}t|j��}tj
}t
|j�d|k(��tj�}|r|jnd�|tjj|j|j���fd�dftjj|j|j���fd�dffzS)N)r�rF)r�fips_updatesc����Sr��)�is_fips_updates_enableds�r`r�z4FIPSEntitlement.static_affordances.<locals>.<lambda>xs���/�rac����Sr�r&)�fips_updates_once_enableds�r`r�z4FIPSEntitlement.static_affordances.<locals>.<lambda>s���1�ra)r�r�rr�rr�r�r�r�readr$r�$FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDrGr8�)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)rZr�r$�enabled_status�services_once_enabled_objr)r'r�s     @@�r`r�z"FIPSEntitlement.static_affordancesbs����"�W�7��-�$�(�(�;��*�2�2��"&��+�+�-�a�0�N�B�#
��%?�$C�$C�$E�!�)�
&�2�2��	"�"��=�=�D�D����,�2D�2D�E��0��
��B�B�I�I����,�2D�2D�J��2��
�%
�
�	
rar|c� ��t�\}}|�K|tjk(r8tj	d�t
j
tj�t�|�)|�r$tjtj�yy)Nz>Could not determine cloud, defaulting to generic FIPS package.TF)rr�CLOUD_ID_ERRORrnrortrur�.FIPS_COULD_NOT_DETERMINE_CLOUD_DEFAULT_PACKAGEr�r�rr�r�FIPS_INSTALL_OUT_OF_DATE)rZr|�
cloud_type�errorr�s    �r`r�zFIPSEntitlement._perform_enable�ss���*�,��
�E���%�+<�+K�+K�"K��K�K�6�
�
�J�J�x�N�N�O��7�"�8�,��N�N��/�/�
��ra)rrrrXr�
FIPS_TITLEr8�FIPS_DESCRIPTION�description�FIPS_HELP_TEXT�	help_textr�r	rJrrrr"rr�rrr�r�rrs@r`rrIs�����D����E��+�+�K��'�'�I�
�F��4�4�N�
�
�u�-C�S�-H�'I�
��
� �
�E�*:�C�*?�$@�
��
�B��(;�(;����rarc����eZdZdZej
ZdZejZ	ejZejZ
edeedffd��Zdej&def�fd�Z�xZS)rzfips-updates�UbuntuFIPSUpdatesr5.c�~�ddlm}tttj
�t|tj�fS)Nrr)rrrrr�FIPS_INVALIDATES_FIPS_UPDATES�"REALTIME_FIPS_UPDATES_INCOMPATIBLE)rZrs  r`r"z,FIPSUpdatesEntitlement.incompatible_services�s:��L�
#���!G�!G�
�
#�)��;�;�
�	
�	
rar|c�f��t�|�|��r tjt	d���yy)N)r|T)r$F)r�r�r�writerr�s  �r`r�z&FIPSUpdatesEntitlement._perform_enable�s1����7�"�H�"�5�&�,�,�'�T�:�
��ra)rrrrXr�FIPS_UPDATES_TITLEr8r��FIPS_UPDATES_DESCRIPTIONr7�FIPS_UPDATES_HELP_TEXTr9�PROMPT_FIPS_UPDATES_PRE_ENABLErJrrrr"rrr�r�rrs@r`rr�s{����D��'�'�E�
 �F��3�3�K��/�/�I��<�<�N�
�
�u�-C�S�-H�'I�
��
���(;�(;����rarc���eZdZdZej
ZejZejZ
dZejZ
dZedeedff�fd��Zdededefd	�Z�xZS)
�FIPSPreviewEntitlementzfips-preview�UbuntuFIPSPreviewzubuntu-pro-fips-preview.gpgr5.c�X��t�|�tttj
�fzSr�)r�r"rrrr=r�s �r`r"z,FIPSPreviewEntitlement.incompatible_services�s-����w�,�"���!G�!G�
�0
�
�	
rardr�c��yrr&)rZrdr�s   r`r�z4FIPSPreviewEntitlement._allow_fips_on_cloud_instance�s��ra)rrrrXr�FIPS_PREVIEW_TITLEr8�FIPS_PREVIEW_DESCRIPTIONr7�FIPS_PREVIEW_HELP_TEXTr9r��PROMPT_FIPS_PREVIEW_PRE_ENABLErJrrrrr"rr�r�rrs@r`rFrF�s����D��'�'�E��3�3�K��/�/�I�
 �F��<�<�N�1�M�
�
�u�-C�S�-H�'I�
��
����%(��	
�rarF)7�loggingr�rQ�	itertoolsr�typingrrr�uaclientrrr	r
rrr
�uaclient.clouds.identityrr�uaclient.entitlementsr�uaclient.entitlements.baser�(uaclient.entitlements.entitlement_statusr�uaclient.filesr�uaclient.files.noticesr�uaclient.files.state_filesrr�uaclient.typesrrr�get_event_loggerrt�	getLogger�replace_top_level_logger_namerrn�CONDITIONAL_PACKAGES_EVERYWHERE�!CONDITIONAL_PACKAGES_OPENSSH_HMACrf�&UBUNTU_FIPS_METAPACKAGE_DEPENDS_XENIAL�&UBUNTU_FIPS_METAPACKAGE_DEPENDS_BIONIC�%UBUNTU_FIPS_METAPACKAGE_DEPENDS_FOCALre�RepoEntitlementr,rrrFr&rar`�<module>rcsD���	�	��(�(�O�O�O�F�&�=�F�"�)����	&��%�%�'���g���:��:�:�8�D�E��#����%�!�
.�'�(�-�'�(�
,���"*�&�
*�&�)�%�.�'�(�,�-�.�'�(�,�-�-�+�,�	'�#�p+�D�0�0�p+�fI�+�I�X�2��@�_�ra