Current File : //usr/lib/python3/dist-packages/uaclient/entitlements/__pycache__/fips.cpython-38.pyc

U

8�-d�F�@slddlZddlZddlmZddlmZmZmZddlm	Z	m
Z
mZmZm
Z
mZddlmZmZddlmZddlmZddlmZdd	lmZdd
lmZddlmZmZddlm Z m!Z!m"Z"e
�#�Z$d
dddgZ%ddgZ&e%e&e%e&e%d�Z'dddgZ(dddddgZ)dddddgZ*e%e&e(e%e&e)e%e*d�Z+Gdd�dej,�Z-Gdd�de-�Z.Gdd �d e-�Z/dS)!�N)�groupby)�List�Optional�Tuple)�apt�event_logger�
exceptions�messages�system�util)�NoCloudTypeReason�get_cloud_type)�repo)�IncompatibleService)�ApplicationStatus)�notices)�Notice)�ServicesOnceEnabledData�services_once_enabled_file)�MessagingOperations�MessagingOperationsDict�StaticAffordance�
strongswan�strongswan-hmac�openssh-client�openssh-server�openssh-client-hmac�openssh-server-hmac)Zxenial�bionic�focal�openssl�libssl1.0.0�libssl1.0.0-hmac�	libssl1.1�libssl1.1-hmac�libgcrypt20�libgcrypt20-hmaccs2eZdZdZdZdZdZdZdddd	d
d	d
ddd
ddddddddgZe	dd��Z
d2eee
eedd��fdd�
Zd3e
edd�dd�Ze
e
ed ��fd!d"�Ze	eed#fd$�d%d&��Ze	ee
d$��fd'd(��Zeeeejfd$��fd)d*�Zdd$�d+d,�Zd4eed-��fd.d/�
Zd5edd-��fd0d1�
Z�ZS)6�FIPSCommonEntitlementi�zubuntu-advantage-fips.gpgz/proc/sys/crypto/fips_enabledTz/https://ubuntu.com/security/certifications#fipszfips-initramfsr#r$r!r"z
linux-fipsrrrrr rrr%r&zfips-initramfs-genericcCs0t���dd�}t��r$t�|g�St�|g�S)a�
        Dictionary of conditional packages to be installed when
        enabling FIPS services. For example, if we are enabling
        FIPS services in a machine that has openssh-client installed,
        we will perform two actions:

        1. Upgrade the package to the FIPS version
        2. Install the corresponding hmac version of that package
           when available.
        �series�)r
�get_platform_info�get�is_container�#FIPS_CONTAINER_CONDITIONAL_PACKAGES�FIPS_CONDITIONAL_PACKAGES)�selfr(�r0�</usr/lib/python3/dist-packages/uaclient/entitlements/fips.py�conditional_packagesusz*FIPSCommonEntitlement.conditional_packagesN)�package_list�cleanup_on_failure�verbose�returnc
s�|rt�dj|jd��|j}t�j|dd�g}t��}t	t
|j�dd�d�}|D]\}}	||krT||	7}qT|D]L}
zt�j|
gddd�Wqrtj
k
r�t�tjj|j|
d	��YqrXqrd
S)a)Install contract recommended packages for the entitlement.

        :param package_list: Optional package list to use instead of
            self.packages.
        :param cleanup_on_failure: Cleanup apt files if apt install fails.
        :param verbose: If true, print messages to stdout
        zInstalling {title} packages��titleF)r3r5cSs|�dd�S)Nz-hmacr))�replace)�pkg_namer0r0r1�<lambda>��z8FIPSCommonEntitlement.install_packages.<locals>.<lambda>)�key)r3r4r5)�service�pkgN)�event�info�formatr8�packages�super�install_packagesr�get_installed_packages_namesr�sortedr2rZUserFacingErrorr	ZFIPS_PACKAGE_NOT_AVAILABLE)r/r3r4r5Zmandatory_packagesZdesired_packages�installed_packagesZ
pkg_groupsr:Zpkg_listr?��	__class__r0r1rE�s<
��
�
��z&FIPSCommonEntitlement.install_packagesF)�	operation�silentr6cCs\t��}t�|�|rX|s.t�tjj|d��|dkrDt�	t
j�n|dkrXt�	t
j�dS)z�Check if user should be alerted that a reboot must be performed.

        @param operation: The operation being executed.
        @param silent: Boolean set True to silence print/log of messages
        )rK�installzdisable operationN)
r
�
should_rebootr@Zneeds_rebootrAr	ZENABLE_REBOOT_REQUIRED_TMPLrBr�addr�FIPS_SYSTEM_REBOOT_REQUIRED�FIPS_DISABLE_REBOOT_REQUIRED)r/rKrLZreboot_requiredr0r0r1�_check_for_reboot_msg�s"
����z+FIPSCommonEntitlement._check_for_reboot_msg)r(�cloud_idr6cs>|dkr:tj|jjdd�rdS|dkr*dStdt�jk�SdS)aVReturn False when FIPS is allowed on this cloud and series.

        On Xenial GCP there will be no cloud-optimized kernel so
        block default ubuntu-fips enable. This can be overridden in
        config with features.allow_xenial_fips_on_cloud.

        GCP doesn't yet have a cloud-optimized kernel or metapackage so
        block enable of fips if the contract does not specify ubuntu-gcp-fips.
        This also can be overridden in config with
        features.allow_default_fips_metapackage_on_gcp.

        :return: False when this cloud, series or config override allows FIPS.
        �gcez.features.allow_default_fips_metapackage_on_gcp)ZconfigZ
path_to_valueT)rrzubuntu-gcp-fips)rZis_config_value_true�cfg�boolrDrC)r/r(rSrIr0r1�_allow_fips_on_cloud_instance�s�z3FIPSCommonEntitlement._allow_fips_on_cloud_instance.�r6csddddd�}t�\�}�dkr"d�t���dd��tjj���|���d�}|���fdd	�d
ffS)Nzan AWSzan Azureza GCP)ZawsZazurerTr)r()r(Zcloudcs�����S�N)rWr0�rSr/r(r0r1r;r<z:FIPSCommonEntitlement.static_affordances.<locals>.<lambda>T)r
r
r*r+r	ZFIPS_BLOCK_ON_CLOUDrBr8)r/Zcloud_titles�_Zblocked_messager0rZr1�static_affordances�s
���z(FIPSCommonEntitlement.static_affordancescst��rgSt�jSrY)r
r,rDrC)r/rIr0r1rCszFIPSCommonEntitlement.packagescs�t���\}}t��r2t��s2t�tj�||fSt	j
�|j�r�t�t
|j��s\t�tj�t�|j���dkr�t�tj�||fSt�tj�tjtjj|jd�fS|tjkr�||fStjtjfS)N�1)�	file_name)rD�application_statusr
r,rNr�removerrP�os�path�exists�FIPS_PROC_FILE�setrCZ	load_file�stripZFIPS_MANUAL_DISABLE_URLrOrZDISABLEDr	ZFIPS_PROC_FILE_ERRORrB�ENABLED�FIPS_REBOOT_REQUIRED)r/Zsuper_statusZ	super_msgrIr0r1r_s:������
�z(FIPSCommonEntitlement.application_statuscCsPtt���}t|j��t|j��}|�|�}|rLt�t|�t	j
j|jd��dS)z�Remove fips meta package to disable the service.

        FIPS meta-package will unset grub config options which will deactivate
        FIPS on any related packages.
        r7N)
rerrFrC�
differencer2�intersection�remove_packages�listr	ZDISABLE_FAILED_TMPLrBr8)r/rHZfips_metapackagerkr0r0r1rk6s
�
�z%FIPSCommonEntitlement.remove_packages�rLr6cs:t�j|d�r6t�tj�t�tj�t�tj�dSdS)N�rLTF)rD�_perform_enablerr`rZWRONG_FIPS_METAPACKAGE_ON_CLOUDrhrQ)r/rLrIr0r1roGs�z%FIPSCommonEntitlement._perform_enablecs|ddg}t�|d�|�d�}g}|��D]}||jkr*|�|�q*|rjddg|}t�|d�|�d�}t�j|d�dS)z�Setup apt config based on the resourceToken and directives.

        FIPS-specifically handle apt-mark unhold

        :raise UserFacingError: on failure to setup any aspect of this apt
           configuration
        zapt-markZ	showholds� z failed.ZunholdrnN)rZrun_apt_command�join�
splitlines�fips_pro_package_holds�appendrD�setup_apt_config)r/rL�cmdZholdsZunholdsZholdZ
unhold_cmdrIr0r1ruRs
�z&FIPSCommonEntitlement.setup_apt_config)NTT)F)F)F)�__name__�
__module__�__qualname__Zrepo_pin_priorityZ
repo_key_filerdZapt_noninteractiveZhelp_doc_urlrs�propertyr2rr�strrVrErRrWrrr\rCrr	ZNamedMessager_rkroru�
__classcell__r0r0rIr1r'Ssl�
�
�2����+r'cs�eZdZdZdZdZdZeee	dfd�dd��Z
eeedfd��fd	d
��Zee
d�dd��Zdeed��fdd�
Z�ZS)�FIPSEntitlement�fipsZFIPSzNIST-certified core packagesZ
UbuntuFIPS.rXcCs:ddlm}ddlm}t|tj�tttj�t|tj	�fS)Nr)�LivepatchEntitlement��RealtimeKernelEntitlement)
Zuaclient.entitlements.livepatchr�uaclient.entitlements.realtimer�rr	ZLIVEPATCH_INVALIDATES_FIPS�FIPSUpdatesEntitlementZFIPS_UPDATES_INVALIDATES_FIPSZREALTIME_FIPS_INCOMPATIBLE)r/rr�r0r0r1�incompatible_servicesos����z%FIPSEntitlement.incompatible_servicescs�t�j}t|j�}tj}t|��d|k��t�	�}|r>|j
nd�|tjj
|j|jd��fdd�dftjj
|j|jd��fdd�dffS)NrF)r~�fips_updatescs�SrYr0r0)�is_fips_updates_enabledr0r1r;�r<z4FIPSEntitlement.static_affordances.<locals>.<lambda>cs�SrYr0r0)�fips_updates_once_enabledr0r1r;�r<)rDr\r�rUrrgrVr_r�readr�r	Z$FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDrBr8Z)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)r/r\r�Zenabled_statusZservices_once_enabled_objrI)r�r�r1r\�s6
����
��
��z"FIPSEntitlement.static_affordancescCsZd}t��r&tjj|jd�}tjg}ntj}tj	||j
d�fg|tj	tj|j
d�fgd�S�Nr7)�msg�
assume_yes)Z
pre_enable�post_enableZpre_disable)r
r,r	� PROMPT_FIPS_CONTAINER_PRE_ENABLErBr8�FIPS_RUN_APT_UPGRADEZPROMPT_FIPS_PRE_ENABLEr�prompt_for_confirmationr��PROMPT_FIPS_PRE_DISABLE�r/r�Zpre_enable_promptr0r0r1�	messaging�s(��

������zFIPSEntitlement.messagingFrmcsHt�\}}|dkr&|tjkr&t�d�t�j|d�rDt�t	j
�dSdS)Nz>Could not determine cloud, defaulting to generic FIPS package.rnTF)r
rZCLOUD_ID_ERROR�loggingZwarningrDrorr`rZFIPS_INSTALL_OUT_OF_DATE)r/rLZ
cloud_type�errorrIr0r1ro�s
��zFIPSEntitlement._perform_enable)F)rwrxry�namer8�description�originrzrrr�rr\rr�rVror|r0r0rIr1r}hs!r}csbeZdZdZdZdZdZeee	dfd�dd��Z
eed�d	d
��Zde
e
d��fd
d�
Z�ZS)r�zfips-updateszFIPS UpdatesZUbuntuFIPSUpdatesz;NIST-certified core packages with priority security updates.rXcCs$ddlm}tttj�t|tj�fS)Nrr�)r�r�rr}r	ZFIPS_INVALIDATES_FIPS_UPDATESZ"REALTIME_FIPS_UPDATES_INCOMPATIBLE)r/r�r0r0r1r��s���z,FIPSUpdatesEntitlement.incompatible_servicescCsZd}t��r&tjj|jd�}tjg}ntj}tj	||j
d�fg|tj	tj|j
d�fgd�Sr�)r
r,r	r�rBr8r�ZPROMPT_FIPS_UPDATES_PRE_ENABLErr�r�r�r�r0r0r1r��s(��

������z FIPSUpdatesEntitlement.messagingFrmcsVt�j|d�rR|j�d�pi}|�|jdi�|jjd|d�t�t	dd��dSdS)Nrnzservices-once-enabledT)r=Zcontent)r�F)
rDrorUZ
read_cache�updater�Zwrite_cacher�writer)r/rLZservices_once_enabledrIr0r1ros���z&FIPSUpdatesEntitlement._perform_enable)F)rwrxryr�r8r�r�rzrrr�rr�rVror|r0r0rIr1r��s
r�)0r�ra�	itertoolsr�typingrrrZuaclientrrrr	r
rZuaclient.clouds.identityrr
Zuaclient.entitlementsrZuaclient.entitlements.baserZ(uaclient.entitlements.entitlement_statusrZuaclient.filesrZuaclient.files.noticesrZuaclient.files.state_filesrrZuaclient.typesrrrZget_event_loggerr@ZCONDITIONAL_PACKAGES_EVERYWHEREZ!CONDITIONAL_PACKAGES_OPENSSH_HMACr.Z&UBUNTU_FIPS_METAPACKAGE_DEPENDS_XENIALZ&UBUNTU_FIPS_METAPACKAGE_DEPENDS_BIONICZ%UBUNTU_FIPS_METAPACKAGE_DEPENDS_FOCALr-ZRepoEntitlementr'r}r�r0r0r0r1�<module>s� ��������������j