PHP WebShell

Текущая директория: /usr/lib/python3/dist-packages/uaclient/entitlements/__pycache__

Просмотр файла: fips.cpython-310.pyc

o

l�g}b�@s�ddlZddlZddlZddlmZddlmZmZmZddl	m
Z
mZmZm
Z
mZmZmZddlmZmZddlmZddlmZddlmZdd	lmZdd
lmZddlmZm Z ddl!m"Z"m#Z#m$Z$e�%�Z&e�'e�(e)��Z*gd
�Z+ddgZ,e+e,e+e,e+d�Z-gd�Z.gd�Z/gd�Z0e+e,e.e+e,e/e+e0d�Z1Gdd�dej2�Z3Gdd�de3�Z4Gdd�de3�Z5Gdd�de4�Z6dS)�N)�groupby)�List�Optional�Tuple)�api�apt�event_logger�
exceptions�messages�system�util)�NoCloudTypeReason�get_cloud_type)�repo)�EntitlementWithMessage)�ApplicationStatus)�notices)�Notice)�ServicesOnceEnabledData�services_once_enabled_file)�MessagingOperations�MessagingOperationsDict�StaticAffordance)�
strongswan�strongswan-hmac�openssh-client�openssh-server�shim-signed�openssh-client-hmac�openssh-server-hmac)�xenial�bionic�focal)�openssl�libssl1.0.0�libssl1.0.0-hmac)r#�	libssl1.1�libssl1.1-hmac�libgcrypt20�libgcrypt20-hmacc	s�eZdZdZdZdZejZdZ	ej
jZgd�Z
edefdd��Zed	d
��Zdedefdd
�Zdejfdd�Zdefdd�Zdejfdd�Z		d6dejdeeededdf�fdd�
Zdefdd�Z	d7dededdfdd �Zd!ed"edef�fd#d$�Zede e!d%ffd&d'��Z"edeef�fd(d)��Z#de e$eej%ff�fd*d+�Z&d8d,d-�Z'dejdef�fd.d/�Z(dejdef�fd0d1�Z)d2d3�Z*dejddf�fd4d5�Z+�Z,S)9�FIPSCommonEntitlementi�zubuntu-pro-fips.gpgz/proc/sys/crypto/fips_enabledT)zfips-initramfszfips-initramfs-genericr(r)�libgmp10�libgnutls30�libhogweed6�
libnettle8r$r%r$r%r&r'�libssl3�
linux-fipsrrrrr#�openssl-fips-module-3rrrzubuntu-fipszubuntu-aws-fipszubuntu-azure-fips�ubuntu-gcp-fips�returncCsd}t��rtjj|jd�}|��stjg}n|j}d}|j	s-t
jdtjj|jd�ifg}t
jd|ifg|j
ifg||d�}t|j�dkr�|jd}t�d|�}|rX|�d�}nd}t��j}||kr�|�d�pig}	tjj||j||ptd	d
�}
|	�t
jd|
if�|	|d<|S)N��title�msg)�
pre_enable�pre_install�post_enable�pre_disable�rzubuntu-([a-z]+)-fips�genericr7�unknown)�variant�service�base_flavor�current_flavor)r�is_containerr
� PROMPT_FIPS_CONTAINER_PRE_ENABLE�formatr5�auto_upgrade_all_on_enable�FIPS_RUN_APT_UPGRADE�pre_enable_msg�purger�prompt_for_confirmation�PROMPT_FIPS_PRE_DISABLE�prompt_if_kernel_downgrade�len�packages�re�match�group�get_kernel_info�flavor�get�#KERNEL_FLAVOR_CHANGE_WARNING_PROMPT�name�append)�selfr9�pre_enable_promptr:�	messaging�ubuntu_fips_package_name� ubuntu_fips_package_flavor_match�ubuntu_fips_package_flavorrAr7r6�r]�</usr/lib/python3/dist-packages/uaclient/entitlements/fips.pyrY�sn������������
��
���zFIPSCommonEntitlement.messagingcCs*t��j}t��rt�|g�St�|g�S)a�
        Dictionary of conditional packages to be installed when
        enabling FIPS services. For example, if we are enabling
        FIPS services in a machine that has openssh-client installed,
        we will perform two actions:

        1. Upgrade the package to the FIPS version
        2. Install the corresponding hmac version of that package
           when available.
        )r�get_release_info�seriesrB�#FIPS_CONTAINER_CONDITIONAL_PACKAGESrS�FIPS_CONDITIONAL_PACKAGES)rWr`r]r]r^�conditional_packages�s
z*FIPSCommonEntitlement.conditional_packages�
assume_yescCs�t��j}|durt�d�dSt�d|�}t�d�}|durL|durL|�	d�}t�
d||�t�||�dkrJt�
tjj||d	��tjtj|d
�SdSt�d||�dS)
ztCheck if installing a FIPS kernel will downgrade the kernel
        and prompt for confirmation if it will.
        Nz Cannot gather kernel informationFz!(?P<kernel_version>\d+\.\d+\.\d+)r0�kernel_versionz*Kernel information: cur='%s' and fips='%s'r)�current_version�new_version)r6rdz2Cannot gather kernel information for '%s' and '%s'T)rrQ�proc_version_signature_version�LOG�warningrN�searchr�get_pkg_candidate_versionrP�debug�version_compare�event�infor
�KERNEL_DOWNGRADE_WARNINGrDrrI�
PROMPT_YES_NO)rWrd�our_full_kernel_str�our_m�fips_kernel_version_str�our_kernel_version_strr]r]r^rK�sJ�
�

������	��z0FIPSCommonEntitlement.prompt_if_kernel_downgrade�progresscCs�g}t��}tt|j�dd�d�}|D]\}}||vr||7}q|D](}ztj|gddigd�d�Wq"tjyJ|�dt	j
j|j|d	��Yq"wdS)
NcSs|�dd�S)Nz-hmac�)�replace)�pkg_namer]r]r^�<lambda>�zNFIPSCommonEntitlement.hardcoded_install_conditional_packages.<locals>.<lambda>)�key�DEBIAN_FRONTEND�noninteractive�z--allow-downgradesz$-o Dpkg::Options::="--force-confdef"z$-o Dpkg::Options::="--force-confold"�rM�override_env_vars�apt_optionsrp)r?�pkg)
r�get_installed_packages_namesr�sortedrc�run_apt_install_commandr	�UbuntuProError�emitr
�FIPS_PACKAGE_NOT_AVAILABLErDr5)rWrw�desired_packages�installed_packages�
pkg_groupsrz�pkg_listr�r]r]r^�&hardcoded_install_conditional_packagess4��
�	����z<FIPSCommonEntitlement.hardcoded_install_conditional_packagescCs*tj|jjdd�}t��jdv}|p|S)Nzfeatures.fips_auto_upgrade_all��config�
path_to_value>r"r!r )r�is_config_value_true�cfgrr_r`)rW�install_all_updates_override�hardcoded_releaser]r]r^rE2s
�
z0FIPSCommonEntitlement.auto_upgrade_all_on_enablecCs�dd�t�|j�D�}t��jdkr|�d�|��t|�dkrVz"|�	dt
jjd�
|�d��|�|�tj|d	d
igd�d�WdStjyU|�	dt
j�YdSwdS)
NcSsg|]}|j�qSr])rU)�.0�packager]r]r^�
<listcomp>As��zMFIPSCommonEntitlement.install_all_available_fips_upgrades.<locals>.<listcomp>�jammyr1rrp� )rMr~rr�r�)r�;get_installed_packages_with_uninstalled_candidate_in_origin�originrr_r`rV�sortrLr�r
�INSTALLING_PACKAGESrD�join�unhold_packagesr�r	r��FIPS_PACKAGES_UPGRADE_FAILURE)rWrw�
to_upgrader]r]r^�#install_all_available_fips_upgrades>s4��
��
�	��z9FIPSCommonEntitlement.install_all_available_fips_upgradesN�package_list�cleanup_on_failurecsl|j}|rt�j||d�n|�tjj|jd��|��r#|�	|�n|�
|�|��r4t�
tj�dSdS)z�Install contract recommended packages for the entitlement.

        :param package_list: Optional package list to use instead of
            self.packages.
        :param cleanup_on_failure: Cleanup apt files if apt install fails.
        )r�r4N)rM�super�install_packagesrwr
�INSTALLING_SERVICE_PACKAGESrDr5rEr�r��_check_for_rebootr�addr�FIPS_SYSTEM_REBOOT_REQUIRED)rWrwr�r��mandatory_packages��	__class__r]r^r�bs"��
��z&FIPSCommonEntitlement.install_packagescCst��S)z=Check if system needs to be rebooted because of this service.)r�
should_reboot�rWr]r]r^r��sz'FIPSCommonEntitlement._check_for_rebootF�	operation�silentcCsN|��}t�|�|r#|st�tjj|d��|dkr%t�t	j
�dSdSdS)z�Check if user should be alerted that a reboot must be performed.

        @param operation: The operation being executed.
        @param silent: Boolean set True to silence print/log of messages
        )r�zdisable operationN)r�ro�needs_rebootrpr
�ENABLE_REBOOT_REQUIRED_TMPLrDrr�r�FIPS_DISABLE_REBOOT_REQUIRED)rWr�r��reboot_requiredr]r]r^�_check_for_reboot_msg�s
����z+FIPSCommonEntitlement._check_for_reboot_msgr`�cloud_idcs>|dkrtj|jjdd�rdS|dvrdStdt�jv�SdS)aVReturn False when FIPS is allowed on this cloud and series.

        On Xenial GCP there will be no cloud-optimized kernel so
        block default ubuntu-fips enable. This can be overridden in
        config with features.allow_xenial_fips_on_cloud.

        GCP doesn't yet have a cloud-optimized kernel or metapackage so
        block enable of fips if the contract does not specify ubuntu-gcp-fips.
        This also can be overridden in config with
        features.allow_default_fips_metapackage_on_gcp.

        :return: False when this cloud, series or config override allows FIPS.
        �gcez.features.allow_default_fips_metapackage_on_gcpr�T)r!r"r2)rr�r��boolr�rM�rWr`r�r�r]r^�_allow_fips_on_cloud_instance�s�z3FIPSCommonEntitlement._allow_fips_on_cloud_instance.cs^dddd�}t�\�}�durd�t��j�tjj���|���d�}|���fdd�d	ffS)
Nzan AWSzan Azureza GCP)�aws�azurer�rx)r`�cloudcs�����S�N)r�r]�r�rWr`r]r^r{�r|z:FIPSCommonEntitlement.static_affordances.<locals>.<lambda>T)	rrr_r`r
�FIPS_BLOCK_ON_CLOUDrDr5rS)rW�cloud_titles�_�blocked_messager]r�r^�static_affordances�s

���z(FIPSCommonEntitlement.static_affordancescst��rgSt�jSr�)rrBr�rMr�r�r]r^rM�szFIPSCommonEntitlement.packagescs�t���\}}t��rt��st�tj�||fSt	j
�|j�rSt�t
|j��s.t�tj�t�|j���dkrBt�tj�||fSt�tj�tjtjj|jd�fS|tjkr\||fStjtjfS)N�1)�	file_name)r��application_statusrrBr�r�removerr��os�path�exists�FIPS_PROC_FILE�setrM�	load_file�strip�FIPS_MANUAL_DISABLE_URLr�r�DISABLEDr
�FIPS_PROC_FILE_ERRORrD�ENABLED�FIPS_REBOOT_REQUIRED)rW�super_status�	super_msgr�r]r^r��s:������
�z(FIPSCommonEntitlement.application_statuscCsTtt���}t|j��t|j��}|�|�}|r(t�t|�t	j
j|jd��dSdS)z�Remove fips meta package to disable the service.

        FIPS meta-package will unset grub config options which will deactivate
        FIPS on any related packages.
        r4N)
r�rr�rM�
differencerc�intersection�remove_packages�listr
�DISABLE_FAILED_TMPLrDr5)rWr��fips_metapackager�r]r]r^r�s
�
��z%FIPSCommonEntitlement.remove_packagescs8t��|�rt�tj�t�tj�t�tj�dSdS�NTF)r��_perform_enablerr�r�WRONG_FIPS_METAPACKAGE_ON_CLOUDr�r��rWrwr�r]r^r�s�z%FIPSCommonEntitlement._perform_enablecs(t��|�r|��rt�tj�dSdSr�)r��_perform_disabler�rr�rr�r�r�r]r^r� s�z&FIPSCommonEntitlement._perform_disablecCs|ddg}t�|tjjd�|�d��}g}|��D]}||vr#|�|�q|r<ddg|}t�|tjjd�|�d��}dSdS)Nzapt-mark�	showholdsr�)�command�unhold)r�run_apt_commandr
�EXECUTING_COMMAND_FAILEDrDr��
splitlinesrV)rW�
package_names�cmd�holds�unholds�hold�
unhold_cmdr]r]r^r�*s&�
����z%FIPSCommonEntitlement.unhold_packagescs|�|j�t��|�dS)z�Setup apt config based on the resourceToken and directives.

        FIPS-specifically handle apt-mark unhold

        :raise UbuntuProError: on failure to setup any aspect of this apt
           configuration
        N)r��fips_pro_package_holdsr��setup_apt_configr�r�r]r^r�=sz&FIPSCommonEntitlement.setup_apt_config�NT)F)r3N)-�__name__�
__module__�__qualname__�repo_pin_priority�
repo_key_filer�r
�PROMPT_FIPS_PRE_ENABLErG�apt_noninteractive�urls�FIPS_HOME_PAGE�help_doc_urlr��propertyrrYrcr�rKr�ProgressWrapperr�rEr�rr�strr�r�r�r�rrr�rMr�NamedMessager�r�r�r�r�r��
__classcell__r]r]r�r^r*Vsv J
.
�#
�'��
���&���
�����
*
 r*cs�eZdZdZejZejZej	Z
dZejZ
edeedffdd��Zedeedff�fdd��Zd	ejdef�fd
d�Z�ZS)�FIPSEntitlement�fips�
UbuntuFIPSr3.cCs:ddlm}ddlm}t|tj�tttj�t|tj	�fS)Nr)�LivepatchEntitlement��RealtimeKernelEntitlement)
�uaclient.entitlements.livepatchr�uaclient.entitlements.realtimerrr
�LIVEPATCH_INVALIDATES_FIPS�FIPSUpdatesEntitlement�FIPS_UPDATES_INVALIDATES_FIPS�REALTIME_FIPS_INCOMPATIBLE)rWrrr]r]r^�incompatible_servicesQs����z%FIPSEntitlement.incompatible_servicescs�t�j}t|jd�}tj}t|��d|k��t�	�}|r |j
nd�|tjj
|j|jd��fdd�dftjj
|j|jd��fdd�dffS)N)r�rF)r�fips_updatesc��Sr�r]r])�is_fips_updates_enabledr]r^r{x�z4FIPSEntitlement.static_affordances.<locals>.<lambda>crr�r]r])�fips_updates_once_enabledr]r^r{r)r�r�rr�rr�r�r�r�readrr
�$FIPS_ERROR_WHEN_FIPS_UPDATES_ENABLEDrDr5�)FIPS_ERROR_WHEN_FIPS_UPDATES_ONCE_ENABLED)rWr�r�enabled_status�services_once_enabled_objr�)rrr^r�bs2����
��
��z"FIPSEntitlement.static_affordancesrwcsRt�\}}|dur|tjkrt�d�t�tj�t	��
|�r't�t
j�dSdS)Nz>Could not determine cloud, defaulting to generic FIPS package.TF)rr
�CLOUD_ID_ERRORrirjrorpr
�.FIPS_COULD_NOT_DETERMINE_CLOUD_DEFAULT_PACKAGEr�r�rr�r�FIPS_INSTALL_OUT_OF_DATE)rWrw�
cloud_type�errorr�r]r^r��s
��zFIPSEntitlement._perform_enable)r�r�r�rUr
�
FIPS_TITLEr5�FIPS_DESCRIPTION�description�FIPS_HELP_TEXT�	help_textr�r�rGr�rrrrr�rr�r�r�rr]r]r�r^rIs !rcsbeZdZdZejZdZejZ	ej
ZejZ
edeedffdd��Zdejdef�fdd	�Z�ZS)
rzfips-updates�UbuntuFIPSUpdatesr3.cCs$ddlm}tttj�t|tj�fS)Nrr)r
rrrr
�FIPS_INVALIDATES_FIPS_UPDATES�"REALTIME_FIPS_UPDATES_INCOMPATIBLE)rWrr]r]r^r�s���z,FIPSUpdatesEntitlement.incompatible_servicesrwcs&t�j|d�rt�tdd��dSdS)N)rwT)rF)r�r�r�writerr�r�r]r^r��s�z&FIPSUpdatesEntitlement._perform_enable)r�r�r�rUr
�FIPS_UPDATES_TITLEr5r��FIPS_UPDATES_DESCRIPTIONr!�FIPS_UPDATES_HELP_TEXTr#�PROMPT_FIPS_UPDATES_PRE_ENABLErGr�rrrrr�r�r�rr]r]r�r^r�s 
rcsheZdZdZejZejZej	Z
dZejZ
dZedeedff�fdd��Zded	edefd
d�Z�ZS)�FIPSPreviewEntitlementzfips-preview�UbuntuFIPSPreviewzubuntu-pro-fips-preview.gpgr3.cst�jtttj�fSr�)r�rrrr
r%r�r�r]r^r�s
��z,FIPSPreviewEntitlement.incompatible_servicesr`r�cCsdSr�r]r�r]r]r^r��sz4FIPSPreviewEntitlement._allow_fips_on_cloud_instance)r�r�r�rUr
�FIPS_PREVIEW_TITLEr5�FIPS_PREVIEW_DESCRIPTIONr!�FIPS_PREVIEW_HELP_TEXTr#r��PROMPT_FIPS_PREVIEW_PRE_ENABLErGr�r�rrrrr�r�rr]r]r�r^r,�s"���r,)7�loggingr�rN�	itertoolsr�typingrrr�uaclientrrrr	r
rr�uaclient.clouds.identityr
r�uaclient.entitlementsr�uaclient.entitlements.baser�(uaclient.entitlements.entitlement_statusr�uaclient.filesr�uaclient.files.noticesr�uaclient.files.state_filesrr�uaclient.typesrrr�get_event_loggerro�	getLogger�replace_top_level_logger_namer�ri�CONDITIONAL_PACKAGES_EVERYWHERE�!CONDITIONAL_PACKAGES_OPENSSH_HMACrb�&UBUNTU_FIPS_METAPACKAGE_DEPENDS_XENIAL�&UBUNTU_FIPS_METAPACKAGE_DEPENDS_BIONIC�%UBUNTU_FIPS_METAPACKAGE_DEPENDS_FOCALra�RepoEntitlementr*rrr,r]r]r]r^�<module>sh$����������vL 



Для локальной разработки. Не используйте в интернете!