From 2571e27235561f69b4247a233bdf31ce881fb81a Mon Sep 17 00:00:00 2001
From: Igor Chudov
Date: Fri, 27 Mar 2020 21:30:55 +0400
Subject: [PATCH] gpsetup
---
 dist/gpupdate-setup | 177 +++++++++++++++++++++++++++++---------------
 1 file changed, 117 insertions(+), 60 deletions(-)
diff --git a/dist/gpupdate-setup b/dist/gpupdate-setup
index bb04327..a07debf 100755
--- a/dist/gpupdate-setup
+++ b/dist/gpupdate-setup
@@ -1,4 +1,4 @@
-#! /bin/sh
+#! /usr/bin/env python3
 #
 # GPOA - GPO Applier for Linux
 #
@@ -17,79 +17,136 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-set -eu
-SYSTEMD_UNIT_LINK=/etc/systemd/system/multi-user.target.wants/gpupdate.service
-POLICY_DIR=/usr/share/local-policy
+import os
+import sys
+import argparse
+
+def parse_arguments():
+ '''
+ Parse CLI arguments.
+ '''
+ parser = argparse.ArgumentParser(prog='gpupdate-setup')
+ subparsers = parser.add_subparsers(dest='action',
+ metavar='action',
+ help='Group Policy management actions')
+
+ parser_list = subparsers.add_parser('list',
+ help='List avalable types of local policy')
+ parser_status = subparsers.add_parser('status',
+ help='Show current Group Policy status')
+ parser_write = subparsers.add_parser('write',
+ help='Operate on Group Policies')
+
+ parser_write.add_argument('status',
+ choices=['enable', 'disable'],
+ help='Enable or disable Group Policies')
+ parser_write.add_argument('localpolicy',
+ default='server',
+ nargs='?',
+ help='Name of local policy to enable')
+
+ return parser.parse_args()
+
+def get_policy_entries(directory):
+
+ entries = [os.path.join(directory, entry) for entry in os.listdir(directory)]
+ filtered_entries = list()
+
+ for entry in entries:
+ if os.path.isdir(os.path.join(entry)):
+ if not os.path.islink(os.path.join(entry)):
+ if not entry.rpartition('/')[2] == 'default':
+ filtered_entries.append(entry)
+
+ return filtered_entries
-status() {
- test -h ${SYSTEMD_UNIT_LINK}
- STATUS=$?
- return ${STATUS}
-}
+def get_policy_variants():
+ '''
+ Get the list of local policy variants deployed on this system.
+ Please note that is case overlapping names the names in
+ /etc/local-policy must override names in /usr/share/local-policy
+ '''
+ policy_dir = '/usr/share/local-policy'
+ etc_policy_dir = '/etc/local-policy'
-list() {
- ls "${POLICY_DIR}"
-}
+ system_policies = get_policy_entries(policy_dir)
+ user_policies = get_policy_entries(etc_policy_dir)
-enable() {
- POLICY_SETTING="/etc/local-policy"
- POLICY="${1:-default}"
+ general_listing = list()
+ general_listing.extend(system_policies)
+ general_listing.extend(user_policies)
- if ! test -d "${POLICY_DIR}/${POLICY}"; then
- POLICY=default
- fi
+ return general_listing
- mkdir -p "${POLICY_SETTING}"
- ln -s "${POLICY_DIR}/${POLICY}" "${POLICY_SETTING}/${POLICY}"
+def get_status():
+ systemd_unit_link = '/etc/systemd/system/multi-user.target.wants/gpupdate.service'
- # Enable oddjobd_gpupdate in PAM config
- /usr/sbin/control system-policy gpupdate
- # Bootstrap the Group Policy engine
- /usr/sbin/gpoa --nodomain
- # Enable gpupdate-setup.service for all users
- systemctl --global --user enable gpupdate-user.service
-}
+ return os.path.islink(systemd_unit_link)
-disable() {
- /usr/sbin/control system-policy local
- systemctl --global --user disable gpupdate-user.service
-}
+def get_active_policy():
+ policy_dir = '/usr/share/local-policy'
+ etc_policy_dir = '/etc/local-policy'
+ default_policy_name = os.path.join(policy_dir, 'default')
-main() {
- COMMAND="${1:-status}"
- echo COMMAND ${COMMAND}
+ active_policy_name = os.path.join(etc_policy_dir, 'policy')
- if test ${COMMAND} == "status"; then
- status
- RESULT=$?
+ actual_policy_name = os.path.realpath(default_policy_name)
- if test ${RESULT} == 0; then
- echo "enabled"
- else
- echo "disabled"
- fi
+ if os.path.isdir(active_policy_name):
+ return os.path.realpath(active_policy_name)
- return ${RESULT}
- fi
+ return actual_policy_name
- if test ${COMMAND} == "list"; then
- list
- return 0
- fi
- if test "${COMMAND}" == "write"; then
- WRITE_ACTION="${2:-noting}"
- if test ${WRITE_ACTION} == "#t"; then
- ENABLE_POLICY=${3:-default}
- enable "${ENABLE_POLICY}"
- fi
- if test ${WRITE_ACTION} == "#f"; then
- disable
- fi
- fi
-}
+def disable_gp():
+ os.system('/usr/sbin/control system-policy local')
+ os.system('systemctl --global --user disable gpupdate-user.service')
-main $@
+def enable_gp(policy_name='default'):
+ policy_dir = '/usr/share/local-policy'
+ etc_policy_dir = '/etc/local-policy'
+ target_policy_name = 'default'
+ if policy_name:
+ target_policy_name = policy_name
+
+ default_policy_name = os.path.join(policy_dir, policy_name)
+ active_policy_name = os.path.join(etc_policy_dir, 'active')
+
+ if not os.path.isdir(etc_policy_dir):
+ os.makedirs(etc_policy_dir)
+
+ if not os.path.isdir(active_policy_name):
+ os.symlink(default_policy_name, active_policy_name)
+
+ # Enable oddjobd_gpupdate in PAM config
+ os.system('/usr/sbin/control system-policy gpupdate')
+ # Bootstrap the Group Policy engine
+ os.system('/usr/sbin/gpoa --nodomain')
+ # Enable gpupdate-setup.service for all users
+ os.system('systemctl --global --user enable gpupdate-user.service')
+
+def main():
+ arguments = parse_arguments()
+
+ if arguments.action == 'list':
+ for entry in get_policy_variants():
+ print(entry.rpartition('/')[2])
+
+ if arguments.action == 'status':
+ active_policy = get_active_policy()
+ if get_status():
+ print('{} {}'.format('enabled', active_policy))
+ else:
+ print('{}'.format('disabled'))
+
+ if arguments.action == 'write':
+ if arguments.status == 'enable' or arguments.status == '#t':
+ enable_gp(arguments.localpolicy)
+ if arguments.status == 'disable' or arguments.status == '#f':
+ disable_gp()
+
+if __name__ == '__main__':
+ main()
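Review bot: In `enable_gp` the `localpolicy` value from the command line is joined to `/usr/share/local-policy` and symlinked without any check: the shell version's `test -d` fallback to `default` is gone, `target_policy_name` is computed but never used, and a name that is absolute or contains `..` makes the link under `/etc/local-policy` resolve outside the policy directory. The link is created as `active` while `get_active_policy` reads `policy`, so `status` appears unable to report the policy that was enabled; one name should be used in both places. The `os.system` calls in `enable_gp` and `disable_gp` discard the exit status that `set -eu` used to enforce, and `choices=['enable', 'disable']` rejects the `#t`/`#f` values that `main` still compares against. The sketch below restores the name check and stops on a failed command; it leaves the link name as it is in the patch.

```python
def enable_gp(policy_name='default'):
    policy_dir = '/usr/share/local-policy'
    etc_policy_dir = '/etc/local-policy'

    # Accept only a plain directory name that exists under policy_dir;
    # anything else falls back to 'default', as the shell version did.
    target_policy_name = policy_name or 'default'
    if (os.path.basename(target_policy_name) != target_policy_name
            or target_policy_name in ('.', '..')
            or not os.path.isdir(os.path.join(policy_dir, target_policy_name))):
        target_policy_name = 'default'

    default_policy_name = os.path.join(policy_dir, target_policy_name)

    # ... unchanged: active_policy_name, makedirs and symlink creation ...

    # Stop at the first failing step instead of continuing silently.
    for command in ('/usr/sbin/control system-policy gpupdate',
                    '/usr/sbin/gpoa --nodomain',
                    'systemctl --global --user enable gpupdate-user.service'):
        if os.system(command) != 0:
            sys.exit('gpupdate-setup: command failed: {}'.format(command))
```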