1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
# vgp_access_ext samba group policy
# Copyright (C) David Mulder <dmulder@suse.com> 2020
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os, re
from samba.gpclass import gp_xml_ext
from hashlib import blake2b
from tempfile import NamedTemporaryFile
from samba.common import get_bytes
intro = '''
### autogenerated by samba
#
# This file is generated by the vgp_access_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#
'''
# Access files in /etc/security/access.d are read in the order of the system
# locale. Here we number the conf files to ensure they are read in the correct
# order.
def select_next_conf(directory):
configs = [re.match(r'(\d+)', f) for f in os.listdir(directory)]
return max([int(m.group(1)) for m in configs if m]+[0])+1
class vgp_access_ext(gp_xml_ext):
def __str__(self):
return 'VGP/Unix Settings/Host Access'
def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
access='/etc/security/access.d'):
for guid, settings in deleted_gpo_list:
self.gp_db.set_guid(guid)
if str(self) in settings:
for attribute, access_file in settings[str(self)].items():
if os.path.exists(access_file):
os.unlink(access_file)
self.gp_db.delete(str(self), attribute)
self.gp_db.commit()
for gpo in changed_gpo_list:
if gpo.file_sys_path:
self.gp_db.set_guid(gpo.name)
allow = 'MACHINE/VGP/VTLA/VAS/HostAccessControl/Allow/manifest.xml'
path = os.path.join(gpo.file_sys_path, allow)
allow_conf = self.parse(path)
deny = 'MACHINE/VGP/VTLA/VAS/HostAccessControl/Deny/manifest.xml'
path = os.path.join(gpo.file_sys_path, deny)
deny_conf = self.parse(path)
entries = []
if allow_conf:
policy = allow_conf.find('policysetting')
data = policy.find('data')
for listelement in data.findall('listelement'):
adobject = listelement.find('adobject')
name = adobject.find('name').text
domain = adobject.find('domain').text
entries.append('+:%s\\%s:ALL' % (domain, name))
if deny_conf:
policy = deny_conf.find('policysetting')
data = policy.find('data')
for listelement in data.findall('listelement'):
adobject = listelement.find('adobject')
name = adobject.find('name').text
domain = adobject.find('domain').text
entries.append('-:%s\\%s:ALL' % (domain, name))
if len(entries) == 0:
continue
conf_id = select_next_conf(access)
access_file = os.path.join(access, '%010d_gp.conf' % conf_id)
access_contents = '\n'.join(entries)
attribute = blake2b(get_bytes(access_contents)).hexdigest()
old_val = self.gp_db.retrieve(str(self), attribute)
if old_val is not None:
continue
if not os.path.isdir(access):
os.mkdir(access, 0o644)
with NamedTemporaryFile(delete=False, dir=access) as f:
with open(f.name, 'w') as w:
w.write(intro)
w.write(access_contents)
os.chmod(f.name, 0o644)
os.rename(f.name, access_file)
self.gp_db.store(str(self), attribute, access_file)
self.gp_db.commit()
def rsop(self, gpo):
output = {}
if gpo.file_sys_path:
self.gp_db.set_guid(gpo.name)
allow = 'MACHINE/VGP/VTLA/VAS/HostAccessControl/Allow/manifest.xml'
path = os.path.join(gpo.file_sys_path, allow)
allow_conf = self.parse(path)
deny = 'MACHINE/VGP/VTLA/VAS/HostAccessControl/Deny/manifest.xml'
path = os.path.join(gpo.file_sys_path, deny)
deny_conf = self.parse(path)
entries = []
if allow_conf:
policy = allow_conf.find('policysetting')
data = policy.find('data')
for listelement in data.findall('listelement'):
adobject = listelement.find('adobject')
name = adobject.find('name').text
domain = adobject.find('domain').text
if str(self) not in output.keys():
output[str(self)] = []
output[str(self)].append('+:%s\\%s:ALL' % (name, domain))
if deny_conf:
policy = deny_conf.find('policysetting')
data = policy.find('data')
for listelement in data.findall('listelement'):
adobject = listelement.find('adobject')
name = adobject.find('name').text
domain = adobject.find('domain').text
if str(self) not in output.keys():
output[str(self)] = []
output[str(self)].append('-:%s\\%s:ALL' % (name, domain))
return output
|
