authorDavid Mulder <dmulder@suse.com>2018-05-09 13:16:38 -0600
committerAurélien Aptel <aaptel@samba.org>2018-10-08 18:17:15 +0200
commit7bb326a60d2bd2210e76bb20071df114f9c30462 (patch)
treea0d17b50c4a72c583cd489b239dad6085cb38ff9 /python
parentfb22582aef50491e48ab3d8ed69f15b7500d10c2 (diff)
downloadsamba-7bb326a60d2bd2210e76bb20071df114f9c30462.tar.gz
gpo: Implement process_group_policy() gp_ext func
MS spec describes the policy callback as a function called ProcessGroupPolicy which accepts a pDeletedGPOList and a pChangedGPOList param. The Group Policy Client Side Extension then iterates over the deleted, then the changed gpo lists and applies/unapplies policy. We should do this also. Signed-off-by: David Mulder <dmulder@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Diffstat (limited to 'python')
-rw-r--r--python/samba/gp_sec_ext.py11
-rw-r--r--python/samba/gpclass.py43
2 files changed, 36 insertions, 18 deletions
diff --git a/python/samba/gp_sec_ext.py b/python/samba/gp_sec_ext.py
index c3d611bbaad..2dc34e67863 100644
--- a/python/samba/gp_sec_ext.py
+++ b/python/samba/gp_sec_ext.py
@@ -166,3 +166,14 @@ class gp_sec_ext(gp_inf_ext):
}
}
+ def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
+ if self.lp.get('server role') != 'active directory domain controller':
+ return
+ inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
+
+ for gpo in changed_gpo_list:
+ if gpo.file_sys_path:
+ self.gp_db.set_guid(gpo.name)
+ path = os.path.join(gpo.file_sys_path, inf_file)
+ self.parse(path)
+
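Review bot: `gpo.file_sys_path` is joined with `inf_file` and passed to `self.parse()` without the `check_safe_path()` normalisation that `apply_gp` applies to the same attribute in gpclass.py in this commit. The value comes from the GPO object rather than from local configuration, so unless `parse()` sanitises its argument itself (its body is outside this diff) the extension should do it here: `path = os.path.join(check_safe_path(gpo.file_sys_path), inf_file)`, importing `check_safe_path` if this module does not already have it. `deleted_gpo_list` is accepted but never read, and the early return for a non-DC server role is silent. A short docstring such as `"""Apply security settings from changed GPOs; acts only on an AD DC. deleted_gpo_list is not handled yet."""` would keep callers from assuming deleted policy gets unapplied.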
diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py
index 2de11e7730e..07b8b217084 100644
--- a/python/samba/gpclass.py
+++ b/python/samba/gpclass.py
@@ -309,6 +309,10 @@ class gp_ext(object):
pass
@abstractmethod
+ def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
+ pass
+
+ @abstractmethod
def apply_map(self):
pass
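Review bot: The new abstract `process_group_policy` has no docstring, so implementers get no statement of the contract that the commit message describes. I would add `"""Unapply policy for deleted_gpo_list, then apply policy for changed_gpo_list; both are lists of GPO objects."""` above the `pass`. If `gp_ext` enforces abstract methods (its metaclass is outside this hunk), any subclass that does not define this method can no longer be instantiated, and only `gp_sec_ext` gains an implementation in this diff.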
@@ -467,30 +471,33 @@ def apply_gp(lp, creds, logger, store, gp_extensions):
% dc_hostname)
return
+ changed_gpos = []
for gpo_obj in gpos:
- guid = gpo_obj.name
- if guid == 'Local Policy':
+ if not gpo_obj.file_sys_path:
continue
- path = os.path.join(lp.get('realm'), 'Policies', guid).upper()
+ guid = gpo_obj.name
+ path = check_safe_path(gpo_obj.file_sys_path).upper()
version = gpo_version(lp, path)
if version != store.get_int(guid):
logger.info('GPO %s has changed' % guid)
- gp_db.state(GPOSTATE.APPLY)
- else:
- gp_db.state(GPOSTATE.ENFORCE)
- gp_db.set_guid(guid)
- store.start()
- for ext in gp_extensions:
- try:
- ext.parse(ext.list(path))
- except Exception as e:
- logger.error('Failed to parse gpo %s for extension %s' %
- (guid, str(ext)))
- logger.error('Message was: ' + str(e))
- store.cancel()
- continue
+ changed_gpos.append(gpo_obj)
+
+ store.start()
+ for ext in gp_extensions:
+ try:
+ ext.process_group_policy([], changed_gpos)
+ except Exception as e:
+ logger.error('Failed to apply extension %s' % str(ext))
+ logger.error('Message was: ' + str(e))
+ continue
+ for gpo_obj in gpos:
+ if not gpo_obj.file_sys_path:
+ continue
+ guid = gpo_obj.name
+ path = check_safe_path(gpo_obj.file_sys_path).upper()
+ version = gpo_version(lp, path)
store.store(guid, '%i' % version)
- store.commit()
+ store.commit()
def unapply_log(gp_db):
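Review bot: When an extension raises in `process_group_policy`, the `except` branch only logs and moves on, and the loop that follows still records the current version of every GPO before `store.commit()`. The removed code called `store.cancel()` and skipped the version update on a parse failure. A GPO whose settings were not applied is therefore stored as current, so the `version != store.get_int(guid)` test will not select it on the next run and the policy stays unenforced until its version changes again. Track the failure and leave the versions alone: set `failed = True` in the `except` branch and guard the second `for gpo_obj in gpos:` loop with `if not failed:`. Indentation is lost on this page, so the loop nesting here is read from statement order.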