Current File : //lib/python3/dist-packages/uaclient/entitlements/__pycache__/fips.cpython-312.pyc
�

�Hcf�Z��:�ddlZddlZddlZddlmZddlmZmZmZm	Z	m
Z
ddlmZm
Z
mZmZmZmZmZddlmZmZddlmZddlmZddlmZdd	lmZdd
lmZddl m!Z!m"Z"ddl#m$Z$m%Z%m&Z&ejN�Z(ejRejTe+��Z,gd
�Z-ddgZ.gd�Z/e-e.ze-e.ze-e-e/zd�Z0gd�Z1gd�Z2gd�Z3gd�Z4e-e.ze1ze-e.ze2ze-e3ze-e/ze4zd�Z5Gd�dejl�Z7Gd�de7�Z8Gd�de7�Z9Gd�de8�Z:y)�N)�groupby)�Callable�List�Optional�Tuple�Union)�api�apt�event_logger�
exceptions�messages�system�util)�NoCloudTypeReason�get_cloud_type)�repo)�EntitlementWithMessage)�ApplicationStatus)�notices)�Notice)�ServicesOnceEnabledData�services_once_enabled_file)�MessagingOperations�MessagingOperationsDict�StaticAffordance)�
strongswan�strongswan-hmac�openssh-client�openssh-server�shim-signed�openssh-client-hmac�openssh-server-hmac)�
libnettle8�libhogweed6�libgnutls30�libgmp10)�xenial�bionic�focal�jammy)�openssl�libssl1.0.0�libssl1.0.0-hmac)r+�	libssl1.1�libssl1.1-hmac�libgcrypt20�libgcrypt20-hmac)�gawkzupdate-notifier-commonr+zopenssl-fips-module-3�libssl3r0r1c	����eZdZdZdZdZdZejjZ
gd�Zed��Z
	ddedefd	�Z		ddej"deeed
edd
f�fd�
Zdefd�Z	ddededd
fd�Zdededef�fd�Zedeedffd��Zedeef�fd��Zdeeeej<ff�fd�Zdd�Z dej"def�fd�Z!dej"dd
f�fd�Z"�xZ#S) �FIPSCommonEntitlementi�zubuntu-pro-fips.gpgz/proc/sys/crypto/fips_enabledT)zfips-initramfsr.r/r,r-r,r-�
linux-fipsrr!rr"r+rrr0r1zfips-initramfs-genericr c��tj�j}tj�rtj|g�Stj|g�S)a�
        Dictionary of conditional packages to be installed when
        enabling FIPS services. For example, if we are enabling
        FIPS services in a machine that has openssh-client installed,
        we will perform two actions:

        1. Upgrade the package to the FIPS version
        2. Install the corresponding hmac version of that package
           when available.
        )r�get_release_info�series�is_container�#FIPS_CONTAINER_CONDITIONAL_PACKAGES�get�FIPS_CONDITIONAL_PACKAGES)�selfr9s  �</usr/lib/python3/dist-packages/uaclient/entitlements/fips.py�conditional_packagesz*FIPSCommonEntitlement.conditional_packages�sJ���(�(�*�1�1����� �6�:�:�6�2�F�F�(�,�,�V�R�8�8��
assume_yes�returnc�F�tj�j}|�tj	d�ytjd|�}tjd�}|��|��|jd�}tjd||�tj||�dkrctjtjj!||���t#j$tj&|j(�	�Sytj	d
||�y)ztCheck if installing a FIPS kernel will downgrade the kernel
        and prompt for confirmation if it will.
        z Cannot gather kernel informationFz!(?P<kernel_version>\d+\.\d+\.\d+)r6�kernel_versionz*Kernel information: cur='%s' and fips='%s'r)�current_version�new_version��msgrBz2Cannot gather kernel information for '%s' and '%s'T)r�get_kernel_info�proc_version_signature_version�LOG�warning�re�searchr
�get_pkg_candidate_version�group�debug�version_compare�event�infor
�KERNEL_DOWNGRADE_WARNING�formatr�prompt_for_confirmation�
PROMPT_YES_NOrB)r>rB�our_full_kernel_str�our_m�fips_kernel_version_str�our_kernel_version_strs      r?�prompt_if_kernel_downgradez0FIPSCommonEntitlement.prompt_if_kernel_downgrade�s��
�"�"�$�C�C�	��&��K�K�:�;���	�	�0�2E�
��#&�"?�"?��"M����!8�!D�%*�[�[�1A�%B�"��I�I�<�#�'�
��#�#�+�-C����
�
�
��5�5�<�<�(>�$;�=����3�3� �.�.�#������
�K�K�D�#�'�
�
rAN�progress�package_list�cleanup_on_failurec	���|j}|rt�|�	||��n9|jtj
j
|j���g}tj�}tt|j�d���}|D]\}}	||vs�||	z
}�|D] }
	tj|
gddigd����"|j%�r$t'j(t*j,�yy#tj$r>|j!d	tj"j
|j|
�
��Y��wxYw)z�Install contract recommended packages for the entitlement.

        :param package_list: Optional package list to use instead of
            self.packages.
        :param cleanup_on_failure: Cleanup apt files if apt install fails.
        )r`��titlec�&�|jdd�S)Nz-hmac�)�replace)�pkg_names r?�<lambda>z8FIPSCommonEntitlement.install_packages.<locals>.<lambda>�s���!1�!1�'�2�!>�rA)�key�DEBIAN_FRONTEND�noninteractive)z--allow-downgradesz$-o Dpkg::Options::="--force-confdef"z$-o Dpkg::Options::="--force-confold")�packages�override_env_vars�apt_optionsrU)�service�pkgN)rm�super�install_packagesr_r
�INSTALLING_SERVICE_PACKAGESrWrdr
�get_installed_packages_namesr�sortedr@�run_apt_install_commandr�UbuntuProError�emit�FIPS_PACKAGE_NOT_AVAILABLE�_check_for_rebootr�addr�FIPS_SYSTEM_REBOOT_REQUIRED)r>r_r`ra�mandatory_packages�desired_packages�installed_packages�
pkg_groupsrh�pkg_listrq�	__class__s           �r?rsz&FIPSCommonEntitlement.install_packages�sX���"�]�]����G�$��/�
%�
�
����4�4�;�;�$�*�*�;�M�
��� �=�=�?����4�,�,�-�>�
�
�
#-�	-��H�h��-�-� �H�,� �	-�$�	�C�
��+�+�!�U�'8�:J�&K�!��	�$�!�!�#��K�K��2�2�
�$���,�,�
��
�
���7�7�>�>� $�
�
��?���
�s�,D�AE�Ec�*�tj�S)z=Check if system needs to be rebooted because of this service.)r�
should_reboot)r>s r?r{z'FIPSCommonEntitlement._check_for_reboots���#�#�%�%rA�	operation�silentc��|j�}tj|�|r_|s3tjtj
j
|���|dk(r$tjtj�yyy)z�Check if user should be alerted that a reboot must be performed.

        @param operation: The operation being executed.
        @param silent: Boolean set True to silence print/log of messages
        )r�zdisable operationN)r{rT�needs_rebootrUr
�ENABLE_REBOOT_REQUIRED_TMPLrWrr|r�FIPS_DISABLE_REBOOT_REQUIRED)r>r�r��reboot_requireds    r?�_check_for_reboot_msgz+FIPSCommonEntitlement._check_for_reboot_msgsy���0�0�2��
���?�+����
�
��8�8�?�?�"+�@���
�/�/�����7�7��0�rAr9�cloud_idc���|dk(rFtj|jjd��ry|dvrytdt�|�v�Sy)aVReturn False when FIPS is allowed on this cloud and series.

        On Xenial GCP there will be no cloud-optimized kernel so
        block default ubuntu-fips enable. This can be overridden in
        config with features.allow_xenial_fips_on_cloud.

        GCP doesn't yet have a cloud-optimized kernel or metapackage so
        block enable of fips if the contract does not specify ubuntu-gcp-fips.
        This also can be overridden in config with
        features.allow_default_fips_metapackage_on_gcp.

        :return: False when this cloud, series or config override allows FIPS.
        �gcez.features.allow_default_fips_metapackage_on_gcp)�config�
path_to_valueT)r(r)zubuntu-gcp-fips)r�is_config_value_true�cfg�boolrrrm)r>r9r�r�s   �r?�_allow_fips_on_cloud_instancez3FIPSCommonEntitlement._allow_fips_on_cloud_instance*sU��� �u���(�(��x�x�|�|�N����,�,���)�U�W�-=�=�>�>�rA.c�����dddd�}t�\�}��d�tj�j�tj
j
�j�|j����}|���fd�dffS)	Nzan AWSzan Azureza GCP)�aws�azurer�rf)r9�cloudc�(���j���S�N)r�)r�r>r9s���r?riz:FIPSCommonEntitlement.static_affordances.<locals>.<lambda>Ws����:�:�6�8�L�rAT)	rrr8r9r
�FIPS_BLOCK_ON_CLOUDrWrdr<)r>�cloud_titles�_�blocked_messager�r9s`   @@r?�static_affordancesz(FIPSCommonEntitlement.static_affordancesIs����'�*�W�M��$�&���!����H��(�(�*�1�1��"�6�6�=�=��<�<�>��)9�)9�(�)C�>�
��
 �L��
�
�	
rAc�D��tj�rgSt�|�Sr�)rr:rrrm�r>r�s �r?rmzFIPSCommonEntitlement.packages\s������ ��I��w��rAc���t�|��\}}tj�r;tj�s'tjtj�||fStjj|j�r�tjt|j��s#tjtj�tj|j�j!�dk(r'tjtj"�||fStj$tj"�t&j(t*j,j/|j��fS|t&j0k7r||fSt&j0t*j2fS)N�1)�	file_name)rr�application_statusrr:r�r�removerr}�os�path�exists�FIPS_PROC_FILE�setrm�	load_file�strip�FIPS_MANUAL_DISABLE_URLr|r�DISABLEDr
�FIPS_PROC_FILE_ERRORrW�ENABLED�FIPS_REBOOT_REQUIRED)r>�super_status�	super_msgr�s   �r?r�z(FIPSCommonEntitlement.application_statusbs^���#(�'�"<�">���i���� ��)=�)=�)?��N�N��2�2�
� ��*�*�
�7�7�>�>�$�-�-�.��'�'��D�M�M�(:�;�����6�6������ 3� 3�4�:�:�<��C�����2�2��$�Y�.�.�����2�2��&�.�.��1�1�8�8�"&�"5�"5�9�����,�4�4�4���*�*��%�%��)�)�
�	
rAc�b�ttj��}t|j�j	t|j
��}|j
|�}|rHtjt|�tjj|j���yy)z�Remove fips meta package to disable the service.

        FIPS meta-package will unset grub config options which will deactivate
        FIPS on any related packages.
        rcN)
r�r
rurm�
differencer@�intersection�remove_packages�listr
�DISABLE_FAILED_TMPLrWrd)r>r��fips_metapackager�s    r?r�z%FIPSCommonEntitlement.remove_packages�s���!��!A�!A�!C�D���t�}�}�-�8�8���)�)�*�
��+�7�7�8J�K�������%�&��,�,�3�3�$�*�*�3�E�
�rAc���t�|�|�rjtjtj
�tjtj�tjtj�yy)NTF)rr�_perform_enablerr�r�WRONG_FIPS_METAPACKAGE_ON_CLOUDr�r��r>r_r�s  �r?r�z%FIPSCommonEntitlement._perform_enable�sQ����7�"�8�,��N�N��6�6�
�
�N�N�6�6�6�7��N�N�6�>�>�?��rAc���ddg}tj|tjj	dj|����}g}|j
�D]"}||jvs�|j|��$|rJddg|z}tj|tjj	dj|����}t�|�)|�y)z�Setup apt config based on the resourceToken and directives.

        FIPS-specifically handle apt-mark unhold

        :raise UbuntuProError: on failure to setup any aspect of this apt
           configuration
        zapt-mark�	showholds� )�command�unholdN)r
�run_apt_commandr
�EXECUTING_COMMAND_FAILEDrW�join�
splitlines�fips_pro_package_holds�appendrr�setup_apt_config)r>r_�cmd�holds�unholds�hold�
unhold_cmdr�s       �r?r�z&FIPSCommonEntitlement.setup_apt_config�s�����;�'���#�#���-�-�4�4�S�X�X�c�]�4�K�
�����$�$�&�	%�D��t�2�2�2����t�$�	%��$�h�/�'�9�J��'�'���1�1�8�8��H�H�Z�0�9���E�	�� ��*rA)F�NT)rCN)$�__name__�
__module__�__qualname__�repo_pin_priority�
repo_key_filer��apt_noninteractiver
�urls�FIPS_HOME_PAGE�help_doc_urlr��propertyr@r�r^r	�ProgressWrapperrr�strrsr{r�r�rrr�rmr�NamedMessager�r�r�r��
__classcell__�r�s@r?r5r5is������)�M�4�N�
���=�=�/�/�L���,�9��9�(!�0��0�
�0�j-1�#'�	>��%�%�>��t�C�y�)�>�!�	>�

�>�@&�4�&�
.3����&*��	
��,���%(��	
��>�
�E�*:�C�*?�$@�
��
�$� �$�s�)� �� �
(
�	� �(�8�+@�+@�"A�A�	B�(
�T�"	��(;�(;�	��	�+��)<�)<�+��+�+rAr5c���eZdZdZej
ZejZejZ
dZejZ
edeedffd��Zedeedff�fd��Zedefd��Zdej.def�fd	�Z�xZS)
�FIPSEntitlement�fips�
UbuntuFIPSrC.c��ddlm}ddlm}t	|t
j�t	tt
j�t	|t
j�fS)Nr)�LivepatchEntitlement��RealtimeKernelEntitlement)
�uaclient.entitlements.livepatchr��uaclient.entitlements.realtimer�rr
�LIVEPATCH_INVALIDATES_FIPS�FIPSUpdatesEntitlement�FIPS_UPDATES_INVALIDATES_FIPS�REALTIME_FIPS_INCOMPATIBLE)r>r�r�s   r?�incompatible_servicesz%FIPSEntitlement.incompatible_services�sQ��H�L�
#�$�h�&I�&I�
�
#�&��(N�(N�
�
#�)�8�+N�+N�
�

�
	
rAc������t�|�}t|j�}tj
}t
|j�d|k(��tj�}|r|jnd�|tjj|j|j���fd�dftjj|j|j���fd�dffzS)NrF)r��fips_updatesc����Sr��)�is_fips_updates_enableds�r?riz4FIPSEntitlement.static_affordances.<locals>.<lambda>�s���/�rAc����Sr�r�)�fips_updates_once_enableds�r?riz4FIPSEntitlement.static_affordances.<locals>.<lambda>�s���1�rA)rrr�r�r�rr�r�r�r�readr�r
�$FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDrWrd�)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)r>r�r��enabled_status�services_once_enabled_objr�r�r�s     @@�r?r�z"FIPSEntitlement.static_affordances�s����"�W�7��-�d�h�h�7��*�2�2��"&��+�+�-�a�0�N�B�#
��%?�$C�$C�$E�!�)�
&�2�2��	"�"��=�=�D�D����,�2D�2D�E��0��
��B�B�I�I����,�2D�2D�J��2��
�%
�
�	
rAc���d}tj�r<tjj	|j
��}tjg}n|j}d}|jsHtjtjj	|j
��|jd�fg}tj||jd�fg|jd|jifg||d�S�NrcrHrB)�
pre_enable�pre_install�post_enable�pre_disable)rr:r
� PROMPT_FIPS_CONTAINER_PRE_ENABLErWrd�FIPS_RUN_APT_UPGRADE�pre_enable_msg�purgerrX�PROMPT_FIPS_PRE_DISABLErBr^�r>r�pre_enable_promptrs    r?�	messagingzFIPSEntitlement.messaging�s�������� ��9�9�@�@��*�*�A��
�
$�8�8�9�K� $� 3� 3�����z�z��0�0�'�?�?�F�F�"&�*�*� G� �'+�o�o�	��
�K��0�0�-�T�_�_�M����3�3�$�d�o�o����'�&�!
�	
rAr_c� ��t�\}}|�K|tjk(r8tj	d�t
j
tj�t�|�)|�r$tjtj�yy)Nz>Could not determine cloud, defaulting to generic FIPS package.TF)rr�CLOUD_ID_ERRORrLrMrTrUr
�.FIPS_COULD_NOT_DETERMINE_CLOUD_DEFAULT_PACKAGErrr�rr�r�FIPS_INSTALL_OUT_OF_DATE)r>r_�
cloud_type�errorr�s    �r?r�zFIPSEntitlement._perform_enable-ss���*�,��
�E���%�+<�+K�+K�"K��K�K�6�
�
�J�J�x�N�N�O��7�"�8�,��N�N��/�/�
��rA)r�r�r��namer
�
FIPS_TITLErd�FIPS_DESCRIPTION�description�FIPS_HELP_TEXT�	help_text�origin�PROMPT_FIPS_PRE_ENABLErr�rrr�rr�rrr	r�r�r�r�r�s@r?r�r��s�����D����E��+�+�K��'�'�I�
�F��4�4�N�
�
�u�-C�S�-H�'I�
��
� �
�E�*:�C�*?�$@�
��
�B�+
�2�+
��+
�Z��(;�(;����rAr�c����eZdZdZej
ZdZejZ	ejZede
edffd��Zedefd��Zdej&def�fd�Z�xZS)	r�zfips-updates�UbuntuFIPSUpdatesrC.c�~�ddlm}tttj
�t|tj�fS)Nrr�)r�r�rr�r
�FIPS_INVALIDATES_FIPS_UPDATES�"REALTIME_FIPS_UPDATES_INCOMPATIBLE)r>r�s  r?r�z,FIPSUpdatesEntitlement.incompatible_servicesEs:��L�
#���!G�!G�
�
#�)��;�;�
�	
�	
rAc���d}tj�r<tjj	|j
��}tjg}ntj}d}|jsHtjtjj	|j
��|jd�fg}tj||jd�fg|jd|jifg||d�Sr�)rr:r
rrWrdr�PROMPT_FIPS_UPDATES_PRE_ENABLErrrXrrBr^r	s    r?rz FIPSUpdatesEntitlement.messagingSs�������� ��9�9�@�@��*�*�A��
�
$�8�8�9�K� (� G� G�����z�z��0�0�'�?�?�F�F�"&�*�*� G� �'+�o�o�	��
�K��0�0�-�T�_�_�M����3�3�$�d�o�o����'�&�!
�	
rAr_c�f��t�|�|��r tjt	d���yy)N)r_T)r�F)rrr�r�writerr�s  �r?r�z&FIPSUpdatesEntitlement._perform_enable�s1����7�"�H�"�5�&�,�,�'�T�:�
��rA)r�r�r�rr
�FIPS_UPDATES_TITLErdr�FIPS_UPDATES_DESCRIPTIONr�FIPS_UPDATES_HELP_TEXTrr�rrr�rrr	r�r�r�r�r�s@r?r�r�>s�����D��'�'�E�
 �F��3�3�K��/�/�I�
�
�u�-C�S�-H�'I�
��
��+
�2�+
��+
�Z��(;�(;����rAr�c���eZdZdZej
ZejZejZ
dZejZ
dZedeedff�fd��Zdededefd	�Z�xZS)
�FIPSPreviewEntitlementzfips-preview�UbuntuFIPSPreviewzubuntu-pro-fips-preview.gpgrC.c�X��t�|�tttj
�fzSr�)rrr�rr�r
rr�s �r?r�z,FIPSPreviewEntitlement.incompatible_services�s-����w�,�"���!G�!G�
�0
�
�	
rAr9r�c��yr�r�)r>r9r�s   r?r�z4FIPSPreviewEntitlement._allow_fips_on_cloud_instance�s��rA)r�r�r�rr
�FIPS_PREVIEW_TITLErd�FIPS_PREVIEW_DESCRIPTIONr�FIPS_PREVIEW_HELP_TEXTrr�PROMPT_FIPS_PREVIEW_PRE_ENABLErr�r�rrr�r�r�r�r�r�s@r?r'r'�s����D��'�'�E��3�3�K��/�/�I�
 �F��<�<�N�1�M�
�
�u�-C�S�-H�'I�
��
����%(��	
�rAr');�loggingr�rN�	itertoolsr�typingrrrrr�uaclientr	r
rrr
rr�uaclient.clouds.identityrr�uaclient.entitlementsr�uaclient.entitlements.baser�(uaclient.entitlements.entitlement_statusr�uaclient.filesr�uaclient.files.noticesr�uaclient.files.state_filesrr�uaclient.typesrrr�get_event_loggerrT�	getLogger�replace_top_level_logger_namer�rL�CONDITIONAL_PACKAGES_EVERYWHERE�!CONDITIONAL_PACKAGES_OPENSSH_HMAC�CONDITIONAL_PACKAGES_JAMMYr=�&UBUNTU_FIPS_METAPACKAGE_DEPENDS_XENIAL�&UBUNTU_FIPS_METAPACKAGE_DEPENDS_BIONIC�%UBUNTU_FIPS_METAPACKAGE_DEPENDS_FOCAL�%UBUNTU_FIPS_METAPACKAGE_DEPENDS_JAMMYr;�RepoEntitlementr5r�r�r'r�rAr?�<module>rFsr���	�	��9�9�O�O�O�F�&�=�F�"�)����	&��%�%�'���g���:��:�:�8�D�E��#����%�!���.�'�(�-�'�(�
,�
,�/I�
I�
��$*�&�
*�&�)�%�)�%�.�'�(�,�-�.�'�(�,�-�-�+�,�
,� �!�+�,�'�#�X+�D�0�0�X+�v
w�+�w�tJ�2�J�Z�_�rA