[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Thu Sep 9 20:43:01 UTC 2021
The branch, master has been updated
via efba2c445c5 gpo: Add Chromium Group Policy
via 1047acce9d4 gpo: Test Chromium Group Policy
from 2c18a982537 Don't use sysconf(_SC_NGROUPS_MAX) on macOS for getgroups()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit efba2c445c511f27e220c2c92d507a772ee82bc1
Author: David Mulder <dmulder at suse.com>
Date: Wed Sep 8 07:46:26 2021 -0600
gpo: Add Chromium Group Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Sep 9 20:42:35 UTC 2021 on sn-devel-184
commit 1047acce9d4d04d41ea7e1ba8f58633c8df98a70
Author: David Mulder <dmulder at suse.com>
Date: Wed Sep 8 07:45:56 2021 -0600
gpo: Test Chromium Group Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/gp_chromium_ext.py | 494 ++++
python/samba/tests/gpo.py | 5024 ++++++++++++++++++++++++++++++++++
source4/scripting/bin/samba-gpupdate | 3 +
3 files changed, 5521 insertions(+)
create mode 100644 python/samba/gp_chromium_ext.py
Changeset truncated at 500 lines:
diff --git a/python/samba/gp_chromium_ext.py b/python/samba/gp_chromium_ext.py
new file mode 100644
index 00000000000..c3193d04433
--- /dev/null
+++ b/python/samba/gp_chromium_ext.py
@@ -0,0 +1,494 @@
+# gp_chromium_ext samba gpo policy
+# Copyright (C) David Mulder <dmulder at suse.com> 2021
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import json
+from samba.gpclass import gp_pol_ext
+from samba.dcerpc import misc
+from samba.common import get_string
+
+def parse_entry_data(name, e):
+ dict_entries = ['VirtualKeyboardFeatures',
+ 'DeviceArcDataSnapshotHours',
+ 'RequiredClientCertificateForDevice',
+ 'RequiredClientCertificateForUser',
+ 'RegisteredProtocolHandlers',
+ 'WebUsbAllowDevicesForUrls',
+ 'DeviceAutoUpdateTimeRestrictions',
+ 'DeviceUpdateStagingSchedule',
+ 'DeviceMinimumVersion',
+ 'DeviceDisplayResolution',
+ 'ExtensionSettings',
+ 'KerberosAccounts',
+ 'NetworkFileSharesPreconfiguredShares',
+ 'NetworkThrottlingEnabled',
+ 'TPMFirmwareUpdateSettings',
+ 'DeviceOffHours',
+ 'ParentAccessCodeConfig',
+ 'PerAppTimeLimits',
+ 'PerAppTimeLimitsWhitelist',
+ 'PerAppTimeLimitsAllowlist',
+ 'UsageTimeLimit',
+ 'PluginVmImage',
+ 'DeviceLoginScreenPowerManagement',
+ 'PowerManagementIdleSettings',
+ 'ScreenLockDelays',
+ 'ScreenBrightnessPercent',
+ 'DevicePowerPeakShiftDayConfig',
+ 'DeviceAdvancedBatteryChargeModeDayConfig',
+ 'PrintingPaperSizeDefault',
+ 'AutoLaunchProtocolsFromOrigins',
+ 'BrowsingDataLifetime',
+ 'DataLeakPreventionRulesList',
+ 'DeviceLoginScreenWebUsbAllowDevicesForUrls',
+ 'DeviceScheduledUpdateCheck',
+ 'KeyPermissions',
+ 'ManagedBookmarks',
+ 'ManagedConfigurationPerOrigin',
+ 'ProxySettings',
+ 'SystemProxySettings',
+ 'WebAppInstallForceList']
+ bools = ['ShowAccessibilityOptionsInSystemTrayMenu',
+ 'LargeCursorEnabled',
+ 'SpokenFeedbackEnabled',
+ 'HighContrastEnabled',
+ 'VirtualKeyboardEnabled',
+ 'StickyKeysEnabled',
+ 'KeyboardDefaultToFunctionKeys',
+ 'DictationEnabled',
+ 'SelectToSpeakEnabled',
+ 'KeyboardFocusHighlightEnabled',
+ 'CursorHighlightEnabled',
+ 'CaretHighlightEnabled',
+ 'MonoAudioEnabled',
+ 'AccessibilityShortcutsEnabled',
+ 'AutoclickEnabled',
+ 'DeviceLoginScreenDefaultLargeCursorEnabled',
+ 'DeviceLoginScreenDefaultSpokenFeedbackEnabled',
+ 'DeviceLoginScreenDefaultHighContrastEnabled',
+ 'DeviceLoginScreenDefaultVirtualKeyboardEnabled',
+ 'DeviceLoginScreenLargeCursorEnabled',
+ 'DeviceLoginScreenSpokenFeedbackEnabled',
+ 'DeviceLoginScreenHighContrastEnabled',
+ 'DeviceLoginScreenVirtualKeyboardEnabled',
+ 'DeviceLoginScreenDictationEnabled',
+ 'DeviceLoginScreenSelectToSpeakEnabled',
+ 'DeviceLoginScreenCursorHighlightEnabled',
+ 'DeviceLoginScreenCaretHighlightEnabled',
+ 'DeviceLoginScreenMonoAudioEnabled',
+ 'DeviceLoginScreenAutoclickEnabled',
+ 'DeviceLoginScreenStickyKeysEnabled',
+ 'DeviceLoginScreenKeyboardFocusHighlightEnabled',
+ 'DeviceLoginScreenShowOptionsInSystemTrayMenu',
+ 'DeviceLoginScreenAccessibilityShortcutsEnabled',
+ 'FloatingAccessibilityMenuEnabled',
+ 'ArcEnabled',
+ 'UnaffiliatedArcAllowed',
+ 'AppRecommendationZeroStateEnabled',
+ 'DeviceBorealisAllowed',
+ 'UserBorealisAllowed',
+ 'SystemUse24HourClock',
+ 'DefaultSearchProviderEnabled',
+ 'ChromeOsReleaseChannelDelegated',
+ 'DeviceAutoUpdateDisabled',
+ 'DeviceAutoUpdateP2PEnabled',
+ 'DeviceUpdateHttpDownloadsEnabled',
+ 'RebootAfterUpdate',
+ 'BlockExternalExtensions',
+ 'VoiceInteractionContextEnabled',
+ 'VoiceInteractionHotwordEnabled',
+ 'EnableMediaRouter',
+ 'ShowCastIconInToolbar',
+ 'DriveDisabled',
+ 'DriveDisabledOverCellular',
+ 'DisableAuthNegotiateCnameLookup',
+ 'EnableAuthNegotiatePort',
+ 'BasicAuthOverHttpEnabled',
+ 'AuthNegotiateDelegateByKdcPolicy',
+ 'AllowCrossOriginAuthPrompt',
+ 'NtlmV2Enabled',
+ 'IntegratedWebAuthenticationAllowed',
+ 'BrowserSwitcherEnabled',
+ 'BrowserSwitcherKeepLastChromeTab',
+ 'BrowserSwitcherUseIeSitelist',
+ 'VirtualMachinesAllowed',
+ 'CrostiniAllowed',
+ 'DeviceUnaffiliatedCrostiniAllowed',
+ 'CrostiniExportImportUIAllowed',
+ 'CrostiniPortForwardingAllowed',
+ 'NativeMessagingUserLevelHosts',
+ 'NetworkFileSharesAllowed',
+ 'NetBiosShareDiscoveryEnabled',
+ 'NTLMShareAuthenticationEnabled',
+ 'DeviceDataRoamingEnabled',
+ 'DeviceWiFiFastTransitionEnabled',
+ 'DeviceWiFiAllowed',
+ 'DeviceAllowBluetooth',
+ 'DeviceAllowRedeemChromeOsRegistrationOffers',
+ 'DeviceQuirksDownloadEnabled',
+ 'SuggestedContentEnabled',
+ 'DeviceShowLowDiskSpaceNotification',
+ 'PasswordManagerEnabled',
+ 'PasswordLeakDetectionEnabled',
+ 'PluginVmAllowed',
+ 'PluginVmDataCollectionAllowed',
+ 'UserPluginVmAllowed',
+ 'DeviceRebootOnShutdown',
+ 'PowerManagementUsesAudioActivity',
+ 'PowerManagementUsesVideoActivity',
+ 'AllowWakeLocks',
+ 'AllowScreenWakeLocks',
+ 'WaitForInitialUserActivity',
+ 'PowerSmartDimEnabled',
+ 'DevicePowerPeakShiftEnabled',
+ 'DeviceBootOnAcEnabled',
+ 'DeviceAdvancedBatteryChargeModeEnabled',
+ 'DeviceUsbPowerShareEnabled',
+ 'PrintingEnabled',
+ 'CloudPrintProxyEnabled',
+ 'PrintingSendUsernameAndFilenameEnabled',
+ 'CloudPrintSubmitEnabled',
+ 'DisablePrintPreview',
+ 'PrintHeaderFooter',
+ 'PrintPreviewUseSystemDefaultPrinter',
+ 'UserNativePrintersAllowed',
+ 'UserPrintersAllowed',
+ 'DeletePrintJobHistoryAllowed',
+ 'DeviceLoginScreenPrivacyScreenEnabled',
+ 'PrivacyScreenEnabled',
+ 'PinUnlockWeakPinsAllowed',
+ 'PinUnlockAutosubmitEnabled',
+ 'RemoteAccessHostFirewallTraversal',
+ 'RemoteAccessHostRequireCurtain',
+ 'RemoteAccessHostAllowClientPairing',
+ 'RemoteAccessHostAllowRelayedConnection',
+ 'RemoteAccessHostAllowUiAccessForRemoteAssistance',
+ 'RemoteAccessHostAllowFileTransfer',
+ 'RemoteAccessHostAllowRemoteAccessConnections',
+ 'AttestationEnabledForUser',
+ 'SafeBrowsingEnabled',
+ 'SafeBrowsingExtendedReportingEnabled',
+ 'DeviceGuestModeEnabled',
+ 'DeviceAllowNewUsers',
+ 'DeviceShowUserNamesOnSignin',
+ 'DeviceEphemeralUsersEnabled',
+ 'DeviceShowNumericKeyboardForPassword',
+ 'DeviceFamilyLinkAccountsAllowed',
+ 'ShowHomeButton',
+ 'HomepageIsNewTabPage',
+ 'DeviceMetricsReportingEnabled',
+ 'DeviceWilcoDtcAllowed',
+ 'AbusiveExperienceInterventionEnforce',
+ 'AccessibilityImageLabelsEnabled',
+ 'AdditionalDnsQueryTypesEnabled',
+ 'AdvancedProtectionAllowed',
+ 'AllowDeletingBrowserHistory',
+ 'AllowDinosaurEasterEgg',
+ 'AllowFileSelectionDialogs',
+ 'AllowScreenLock',
+ 'AllowSyncXHRInPageDismissal',
+ 'AlternateErrorPagesEnabled',
+ 'AlwaysOpenPdfExternally',
+ 'AppCacheForceEnabled',
+ 'AudioCaptureAllowed',
+ 'AudioOutputAllowed',
+ 'AudioProcessHighPriorityEnabled',
+ 'AudioSandboxEnabled',
+ 'AutoFillEnabled',
+ 'AutofillAddressEnabled',
+ 'AutofillCreditCardEnabled',
+ 'AutoplayAllowed',
+ 'BackgroundModeEnabled',
+ 'BlockThirdPartyCookies',
+ 'BookmarkBarEnabled',
+ 'BrowserAddPersonEnabled',
+ 'BrowserGuestModeEnabled',
+ 'BrowserGuestModeEnforced',
+ 'BrowserLabsEnabled',
+ 'BrowserNetworkTimeQueriesEnabled',
+ 'BuiltInDnsClientEnabled',
+ 'CECPQ2Enabled',
+ 'CaptivePortalAuthenticationIgnoresProxy',
+ 'ChromeCleanupEnabled',
+ 'ChromeCleanupReportingEnabled',
+ 'ChromeOsLockOnIdleSuspend',
+ 'ClickToCallEnabled',
+ 'CloudManagementEnrollmentMandatory',
+ 'CloudPolicyOverridesPlatformPolicy',
+ 'CloudUserPolicyMerge',
+ 'CommandLineFlagSecurityWarningsEnabled',
+ 'ComponentUpdatesEnabled',
+ 'DNSInterceptionChecksEnabled',
+ 'DataLeakPreventionReportingEnabled',
+ 'DefaultBrowserSettingEnabled',
+ 'DefaultSearchProviderContextMenuAccessAllowed',
+ 'DeveloperToolsDisabled',
+ 'DeviceAllowMGSToStoreDisplayProperties',
+ 'DeviceDebugPacketCaptureAllowed',
+ 'DeviceLocalAccountManagedSessionEnabled',
+ 'DeviceLoginScreenPrimaryMouseButtonSwitch',
+ 'DevicePciPeripheralDataAccessEnabled',
+ 'DevicePowerwashAllowed',
+ 'DeviceSystemWideTracingEnabled',
+ 'Disable3DAPIs',
+ 'DisableSafeBrowsingProceedAnyway',
+ 'DisableScreenshots',
+ 'EasyUnlockAllowed',
+ 'EditBookmarksEnabled',
+ 'EmojiSuggestionEnabled',
+ 'EnableDeprecatedPrivetPrinting',
+ 'EnableOnlineRevocationChecks',
+ 'EnableSyncConsent',
+ 'EnterpriseHardwarePlatformAPIEnabled',
+ 'ExternalProtocolDialogShowAlwaysOpenCheckbox',
+ 'ExternalStorageDisabled',
+ 'ExternalStorageReadOnly',
+ 'ForceBrowserSignin',
+ 'ForceEphemeralProfiles',
+ 'ForceGoogleSafeSearch',
+ 'ForceMaximizeOnFirstRun',
+ 'ForceSafeSearch',
+ 'ForceYouTubeSafetyMode',
+ 'FullscreenAlertEnabled',
+ 'FullscreenAllowed',
+ 'GloballyScopeHTTPAuthCacheEnabled',
+ 'HardwareAccelerationModeEnabled',
+ 'HideWebStoreIcon',
+ 'ImportAutofillFormData',
+ 'ImportBookmarks',
+ 'ImportHistory',
+ 'ImportHomepage',
+ 'ImportSavedPasswords',
+ 'ImportSearchEngine',
+ 'IncognitoEnabled',
+ 'InsecureFormsWarningsEnabled',
+ 'InsecurePrivateNetworkRequestsAllowed',
+ 'InstantTetheringAllowed',
+ 'IntensiveWakeUpThrottlingEnabled',
+ 'JavascriptEnabled',
+ 'LacrosAllowed',
+ 'LacrosSecondaryProfilesAllowed',
+ 'LockScreenMediaPlaybackEnabled',
+ 'LoginDisplayPasswordButtonEnabled',
+ 'ManagedGuestSessionPrivacyWarningsEnabled',
+ 'MediaRecommendationsEnabled',
+ 'MediaRouterCastAllowAllIPs',
+ 'MetricsReportingEnabled',
+ 'NTPCardsVisible',
+ 'NTPCustomBackgroundEnabled',
+ 'NativeWindowOcclusionEnabled',
+ 'NearbyShareAllowed',
+ 'PaymentMethodQueryEnabled',
+ 'PdfAnnotationsEnabled',
+ 'PhoneHubAllowed',
+ 'PhoneHubNotificationsAllowed',
+ 'PhoneHubTaskContinuationAllowed',
+ 'PolicyAtomicGroupsEnabled',
+ 'PrimaryMouseButtonSwitch',
+ 'PromotionalTabsEnabled',
+ 'PromptForDownloadLocation',
+ 'QuicAllowed',
+ 'RendererCodeIntegrityEnabled',
+ 'RequireOnlineRevocationChecksForLocalAnchors',
+ 'RoamingProfileSupportEnabled',
+ 'SSLErrorOverrideAllowed',
+ 'SafeBrowsingForTrustedSourcesEnabled',
+ 'SavingBrowserHistoryDisabled',
+ 'ScreenCaptureAllowed',
+ 'ScrollToTextFragmentEnabled',
+ 'SearchSuggestEnabled',
+ 'SecondaryGoogleAccountSigninAllowed',
+ 'SharedArrayBufferUnrestrictedAccessAllowed',
+ 'SharedClipboardEnabled',
+ 'ShowAppsShortcutInBookmarkBar',
+ 'ShowFullUrlsInAddressBar',
+ 'ShowLogoutButtonInTray',
+ 'SignedHTTPExchangeEnabled',
+ 'SigninAllowed',
+ 'SigninInterceptionEnabled',
+ 'SitePerProcess',
+ 'SmartLockSigninAllowed',
+ 'SmsMessagesAllowed',
+ 'SpellCheckServiceEnabled',
+ 'SpellcheckEnabled',
+ 'StartupBrowserWindowLaunchSuppressed',
+ 'StricterMixedContentTreatmentEnabled',
+ 'SuggestLogoutAfterClosingLastWindow',
+ 'SuppressDifferentOriginSubframeDialogs',
+ 'SuppressUnsupportedOSWarning',
+ 'SyncDisabled',
+ 'TargetBlankImpliesNoOpener',
+ 'TaskManagerEndProcessEnabled',
+ 'ThirdPartyBlockingEnabled',
+ 'TouchVirtualKeyboardEnabled',
+ 'TranslateEnabled',
+ 'TripleDESEnabled',
+ 'UnifiedDesktopEnabledByDefault',
+ 'UrlKeyedAnonymizedDataCollectionEnabled',
+ 'UserAgentClientHintsEnabled',
+ 'UserFeedbackAllowed',
+ 'VideoCaptureAllowed',
+ 'VmManagementCliAllowed',
+ 'VpnConfigAllowed',
+ 'WPADQuickCheckEnabled',
+ 'WebRtcAllowLegacyTLSProtocols',
+ 'WebRtcEventLogCollectionAllowed',
+ 'WifiSyncAndroidAllowed',
+ 'WindowOcclusionEnabled']
+ if name in dict_entries:
+ return json.loads(get_string(e.data))
+ elif e.type == misc.REG_DWORD and name in bools:
+ return e.data == 1
+ return e.data
+
+def assign_entry(policies, e):
+ if e.valuename.isnumeric():
+ name = e.keyname.split('\\')[-1]
+ if name not in policies:
+ policies[name] = []
+ policies[name].append(parse_entry_data(name, e))
+ else:
+ name = e.valuename
+ policies[name] = parse_entry_data(name, e)
+
+def convert_pol_to_json(managed, recommended, section, entries):
+ recommended_section = '\\'.join([section, 'Recommended'])
+ for e in entries:
+ if '**delvals.' in e.valuename:
+ continue
+ if e.keyname.startswith(recommended_section):
+ assign_entry(recommended, e)
+ elif e.keyname.startswith(section):
+ assign_entry(managed, e)
+ return managed, recommended
+
+class gp_chromium_ext(gp_pol_ext):
+ __managed_policies_path = '/etc/chromium/policies/managed'
+ __recommended_policies_path = '/etc/chromium/policies/recommended'
+
+ def __str__(self):
+ return 'Google/Chromium'
+
+ def set_managed_machine_policy(self, managed):
+ try:
+ managed_policies = os.path.join(self.__managed_policies_path,
+ 'policies.json')
+ os.makedirs(self.__managed_policies_path, exist_ok=True)
+ with open(managed_policies, 'w') as f:
+ json.dump(managed, f)
+ self.logger.debug('Wrote Chromium preferences to %s' % \
+ managed_policies)
+ except PermissionError:
+ self.logger.debug('Failed to write Chromium preferences to %s' % \
+ managed_policies)
+
+
+ def set_recommended_machine_policy(self, recommended):
+ try:
+ recommended_policies = os.path.join(self.__recommended_policies_path,
+ 'policies.json')
+ os.makedirs(self.__recommended_policies_path, exist_ok=True)
+ with open(recommended_policies, 'w') as f:
+ json.dump(recommended, f)
+ self.logger.debug('Wrote Chromium preferences to %s' % \
+ recommended_policies)
+ except PermissionError:
+ self.logger.debug('Failed to write Chromium preferences to %s' % \
+ recommended_policies)
+
+ def get_managed_machine_policy(self):
+ managed_policies = os.path.join(self.__managed_policies_path,
+ 'policies.json')
+ if os.path.exists(managed_policies):
+ with open(managed_policies, 'r') as r:
+ managed = json.load(r)
+ self.logger.debug('Read Chromium preferences from %s' % \
+ managed_policies)
+ else:
+ managed = {}
+ return managed
+
+ def get_recommended_machine_policy(self):
+ recommended_policies = os.path.join(self.__recommended_policies_path,
+ 'policies.json')
+ if os.path.exists(recommended_policies):
+ with open(recommended_policies, 'r') as r:
+ recommended = json.load(r)
+ self.logger.debug('Read Chromium preferences from %s' % \
+ recommended_policies)
+ else:
+ recommended = {}
+ return recommended
+
+ def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
+ policy_dir=None):
+ if policy_dir is not None:
+ self.__recommended_policies_path = os.path.join(policy_dir,
+ 'recommended')
+ self.__managed_policies_path = os.path.join(policy_dir, 'managed')
+ for guid, settings in deleted_gpo_list:
+ self.gp_db.set_guid(guid)
+ if str(self) in settings:
+ for attribute, policies in settings[str(self)].items():
+ if attribute == 'managed':
+ self.set_managed_machine_policy(json.loads(policies))
+ elif attribute == 'recommended':
+ self.set_recommended_machine_policy(json.loads(policies))
+ self.gp_db.delete(str(self), attribute)
+ self.gp_db.commit()
+
+ for gpo in changed_gpo_list:
+ if gpo.file_sys_path:
+ section = 'Software\\Policies\\Google\\Chrome'
+ self.gp_db.set_guid(gpo.name)
+ pol_file = 'MACHINE/Registry.pol'
+ path = os.path.join(gpo.file_sys_path, pol_file)
+ pol_conf = self.parse(path)
+ if not pol_conf:
+ continue
+
+ managed = self.get_managed_machine_policy()
+ recommended = self.get_recommended_machine_policy()
+ self.gp_db.store(str(self), 'managed', json.dumps(managed))
+ self.gp_db.store(str(self), 'recommended',
+ json.dumps(recommended))
+ managed, recommended = convert_pol_to_json(managed,
+ recommended, section,
+ pol_conf.entries)
+ self.set_managed_machine_policy(managed)
+ self.set_recommended_machine_policy(recommended)
+ self.gp_db.commit()
+
+ def rsop(self, gpo):
+ output = {}
+ pol_file = 'MACHINE/Registry.pol'
+ section = 'Software\\Policies\\Google\\Chrome'
+ if gpo.file_sys_path:
+ path = os.path.join(gpo.file_sys_path, pol_file)
+ pol_conf = self.parse(path)
+ if not pol_conf:
+ return output
+ for e in pol_conf.entries:
+ if e.keyname.startswith(section):
+ output['%s\\%s' % (e.keyname, e.valuename)] = e.data
+ return output
+
+class gp_chrome_ext(gp_chromium_ext):
+ __managed_policies_path = '/etc/opt/chrome/policies/managed'
+ __recommended_policies_path = '/etc/opt/chrome/policies/recommended'
+
+ def __str__(self):
+ return 'Google/Chrome'
--
Samba Shared Repository
More information about the samba-cvs
mailing list