ubuntu-advantage

#!/bin/bash -e
# shellcheck disable=SC2039,SC1090

SCRIPTNAME=$(basename "$0")

# Services managed by the script (in alphabetical order)
SERVICES="cc-provisioning esm fips livepatch cisaudit"

# system details
SERIES=${SERIES:-$(lsb_release -cs)}
KERNEL_VERSION=${KERNEL_VERSION:-$(uname -r)}
ARCH=${ARCH:-$(uname -m)}
# system files
FSTAB=${FSTAB:-"/etc/fstab"}
CPUINFO=${CPUINFO:-"/proc/cpuinfo"}
KEYRINGS_DIR=${KEYRINGS_DIR:-"/usr/share/keyrings"}
APT_AUTH_FILE=${APT_AUTH_FILE:-"/etc/apt/auth.conf"}
APT_KEYS_DIR=${APT_KEYS_DIR:-"/etc/apt/trusted.gpg.d"}
APT_METHOD_HTTPS=${APT_METHOD_HTTPS:-"/usr/lib/apt/methods/https"}
CA_CERTIFICATES=${CA_CERTIFICATES:-"/usr/sbin/update-ca-certificates"}
# system binaries
SNAPD=${SNAPD:-"/usr/lib/snapd/snapd"}
APT_HELPER=${APT_HELPER:-"/usr/lib/apt/apt-helper"}

load_modules() {
    local script_dir modules_dir
    script_dir=$(dirname "$0")
    if [ "$script_dir" = "/usr/bin" ]; then
        modules_dir="/usr/share/ubuntu-advantage-tools/modules"
    else
        modules_dir="${script_dir}/modules"
    fi

    local module
    for module in "$modules_dir"/*.sh; do
        . "$module"
    done
}

print_status() {
    local service="$1"

    local services="$SERVICES"
    if [ "$service" ]; then
        name_in_list "${service//_/-}" "$SERVICES" || error_exit invalid_command
        services="$service"
    fi

    for service in $services; do
        service_print_status "${service//-/_}"
    done
}

usage() {
    cat >&2 <<EOF
usage: ${SCRIPTNAME} <command> [parameters]

This is a tool that facilitates access to some of Canonical's
Ubuntu Advantage offerings.

Currently available are:
- Ubuntu Extended Security Maintenance archive (https://ubuntu.com/esm)
- Canonical FIPS 140-2 Certified Modules
- Canonical FIPS 140-2 Non-Certified Module Updates
- Canonical Livepatch Service (https://www.ubuntu.com/server/livepatch)
- Canonical Common Criteria EAL2 certification artifacts provisioning
- Canonical CIS Ubuntu Benchmark Audit tool

Commands:
 version                           show the tool version
 status [NAME]                     show current status of Ubuntu Advantage
                                   offerings (or of a specific one if provided)
 enable-esm <TOKEN>                enable the ESM repository
 disable-esm                       disable the ESM repository
 enable-fips <TOKEN>               enable the FIPS repository and install,
                                   configure and enable FIPS certified modules
 disable-fips                      currently not supported
 enable-fips-updates <TOKEN> [-y]  enable non-certified FIPS-UPDATES
                                   repository and install updates. With an
                                   optional "-y" the user prompt will be
                                   bypassed.
 enable-livepatch <TOKEN> [--allow-kernel-change]
                                   enable the Livepatch service. If the
                                   --allow-kernel-change option is provided, a
                                   Livepatch compatible kernel may be installed
                                   if needed.
 disable-livepatch [-r]            disable the Livepatch service. With "-r", the
                                   canonical-livepatch snap will also be removed
 enable-cc-provisioning <TOKEN>    enable the commoncriteria PPA repository and
                                   install the ubuntu-commoncriteria DEB package
 disable-cc-provisioning           disable the commoncriteria PPA repository and
                                   remove the ubuntu-commoncriteria DEB package
 enable-cisaudit <TOKEN>           enable the security benchmarks PPA repository
                                   and install the ubuntu-cisbenchmark-16.04 DEB
                                   package.
 disable-cisaudit                  disable the security benchmarks PPA repository
                                   and uninstall the ubuntu-cisbenchmark-16.04 DEB
                                   package.
EOF
    error_exit invalid_command
}

main() {
    local command="$1"
    shift 1 || true

    local service
    service=$(service_from_command "$command")
    # if the command contains a service name, check that it's valid
    if [ "$service" ] && ! name_in_list "$service" "$SERVICES" \
           && [ "$service" != "fips-updates" ]; then
        error_msg "Invalid command: \"$command\""
        usage
    fi
    # replace -(hyphen) in service commands with _(underscore) (eg: cc-provisioning) to
    # use in generic service function invocations. Adding it here so the name_in_list
    # function call above uses the original command.
    service=${service//-/_}

    case "$command" in
        status)
            print_status "$@"
            ;;

        version)
            package_version ubuntu-advantage-tools
            ;;

        # special case, adding it above enable-*. There is no separate
        # fips-update service.
        enable-fips-updates)
            local token="$1"
            local bypass_prompt=0
            if [ -n "$2" ]; then
                if [ "$2" = "-y" ]; then
                    bypass_prompt=1
                else
                    error_msg "Unknown option \"$2\""
                    usage
                fi
            fi
            service_check_user
            service_check_support "fips"
            fips_validate_token "$token" || error_exit invalid_token
            fips_updates_enable "$token" "$bypass_prompt"
            ;;

        enable-*)
            service_enable "$service" "$@"
            ;;

        disable-*)
            service_disable "$service" "$@"
            ;;

        is-*-enabled)
            service_is_enabled "$service"
            ;;

        *)
            error_msg "Invalid command: \"$command\""
            usage
            ;;
    esac
}


if ! echo "$PATH" | grep -qE "(^|:)/snap/bin/?(:|$)"; then
    PATH="/snap/bin:$PATH"
fi

load_modules
main "$@"