mirror of
https://github.com/altlinux/gpupdate.git
synced 2025-03-21 18:50:38 +03:00
Operate on configuration file instead of symlinks
parent
55dbdfc246
commit
914a20b244
@ -21,6 +21,7 @@ from util.windows import smbcreds
|
||||
from .samba_backend import samba_backend
|
||||
from .nodomain_backend import nodomain_backend
|
||||
from util.logging import log
|
||||
from util.config import GPConfig
|
||||
|
||||
def backend_factory(dc, username, is_machine, no_domain = False):
|
||||
'''
|
||||
@ -31,11 +32,12 @@ def backend_factory(dc, username, is_machine, no_domain = False):
|
||||
'''
|
||||
back = None
|
||||
domain = None
|
||||
config = GPConfig()
|
||||
if not no_domain:
|
||||
sc = smbcreds(dc)
|
||||
domain = sc.get_domain()
|
||||
|
||||
if domain:
|
||||
if config.get_backend() == 'samba':
|
||||
ldata = dict({'domain': domain})
|
||||
log('D9', ldata)
|
||||
try:
|
||||
@ -43,7 +45,8 @@ def backend_factory(dc, username, is_machine, no_domain = False):
|
||||
except Exception as exc:
|
||||
logdata = dict({'error': str(exc)})
|
||||
log('E7', logdata)
|
||||
else:
|
||||
|
||||
if config.get_backend() == 'local':
|
||||
log('D8')
|
||||
try:
|
||||
back = nodomain_backend()
|
||||
|
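Review bot: The new `if config.get_backend() == 'samba':` test replaces `if domain:`, so the samba branch now runs even when `no_domain` is set or `sc.get_domain()` returned nothing, with `domain` still `None`. Keeping the old guard alongside the new one, `if domain and config.get_backend() == 'samba':`, would avoid that. The two backend tests are also separate `if`s with no fallback, so a configured value other than 'samba' or 'local' appears to leave `back` as `None` with nothing logged; an `else` branch that logs the unrecognised backend name would make a mistyped configuration visible. The `try` bodies and the function's return lie outside the hunks, so how a `None` domain or backend is handled afterwards cannot be confirmed from here.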
@ -25,61 +25,26 @@ import subprocess
|
||||
|
||||
import re
|
||||
|
||||
from util.samba import smbopts
|
||||
from util.util import runcmd
|
||||
from util.util import (
|
||||
runcmd
|
||||
, get_backends
|
||||
, get_default_policy_name
|
||||
, get_policy_entries
|
||||
, get_policy_variants
|
||||
)
|
||||
from util.config import GPConfig
|
||||
|
||||
|
||||
def command(args):
|
||||
try:
|
||||
subprocess.check_call(args.split())
|
||||
except:
|
||||
print ('command: \'%s\' error' % args)
|
||||
class Runner:
|
||||
__control_path = '/usr/sbin/control'
|
||||
__systemctl_path = '/bin/systemctl'
|
||||
__etc_policy_dir = '/etc/local-policy'
|
||||
__usr_policy_dir = '/usr/share/local-policy'
|
||||
|
||||
def from_command(args):
|
||||
try:
|
||||
with subprocess.Popen(args.split(), stdout=subprocess.PIPE) as proc:
|
||||
value = proc.stdout.readline().decode('utf-8')
|
||||
proc.wait()
|
||||
except:
|
||||
print ('from_command: \'%s\' error' % args)
|
||||
return 'local'
|
||||
|
||||
return value.strip()
|
||||
|
||||
def get_default_policy_name():
|
||||
localpolicy = 'workstation'
|
||||
dcpolicy = 'ad-domain-controller'
|
||||
|
||||
try:
|
||||
if smbopts().get_server_role() == 'active directory domain controller':
|
||||
return dcpolicy
|
||||
except:
|
||||
pass
|
||||
|
||||
try:
|
||||
release = '/etc/altlinux-release'
|
||||
if os.path.isfile(release):
|
||||
f = open(release)
|
||||
s = f.readline()
|
||||
if re.search('server', s, re.I):
|
||||
localpolicy = 'server'
|
||||
except:
|
||||
pass
|
||||
|
||||
return localpolicy
|
||||
|
||||
def get_backends():
|
||||
command = ['/usr/sbin/gpoa', '--list-backends']
|
||||
backends = list()
|
||||
out = list()
|
||||
|
||||
with subprocess.Popen(command, stdout=subprocess.PIPE) as proc:
|
||||
out = proc.stdout.read().decode('utf-8')
|
||||
proc.wait()
|
||||
for line in out:
|
||||
backends.append(line.replace('\n', ''))
|
||||
|
||||
return backends
|
||||
def __init__(self):
|
||||
self.etc_policies = get_policy_entries(self.__etc_policy_dir)
|
||||
self.usr_policies = get_policy_entries(self.__usr_policy_dir)
|
||||
self.arguments = parse_arguments()
|
||||
|
||||
def parse_arguments():
|
||||
'''
|
||||
@ -138,41 +103,6 @@ def parse_arguments():
|
||||
|
||||
return parser.parse_args()
|
||||
|
||||
def get_policy_entries(directory):
|
||||
'''
|
||||
Get list of directories representing "Local Policy" templates.
|
||||
'''
|
||||
filtered_entries = list()
|
||||
if os.path.isdir(directory):
|
||||
entries = [os.path.join(directory, entry) for entry in os.listdir(directory)]
|
||||
|
||||
for entry in entries:
|
||||
if os.path.isdir(os.path.join(entry)):
|
||||
if not os.path.islink(os.path.join(entry)):
|
||||
if not entry.rpartition('/')[2] == 'default':
|
||||
filtered_entries.append(entry)
|
||||
|
||||
return filtered_entries
|
||||
|
||||
|
||||
def get_policy_variants():
|
||||
'''
|
||||
Get the list of local policy variants deployed on this system.
|
||||
Please note that is case overlapping names the names in
|
||||
/etc/local-policy must override names in /usr/share/local-policy
|
||||
'''
|
||||
policy_dir = '/usr/share/local-policy'
|
||||
etc_policy_dir = '/etc/local-policy'
|
||||
|
||||
system_policies = get_policy_entries(policy_dir)
|
||||
user_policies = get_policy_entries(etc_policy_dir)
|
||||
|
||||
general_listing = list()
|
||||
general_listing.extend(system_policies)
|
||||
general_listing.extend(user_policies)
|
||||
|
||||
return general_listing
|
||||
|
||||
def validate_policy_name(policy_name):
|
||||
return policy_name in [os.path.basename(d) for d in get_policy_variants()]
|
||||
|
||||
@ -185,7 +115,14 @@ def is_unit_enabled(unit_name):
|
||||
|
||||
# If first line of stdout is equal to "enabled" and return code
|
||||
# is zero then unit is considered enabled.
|
||||
if value[1][0] == 'enabled' and value[0] == 0:
|
||||
rc = value[0]
|
||||
result = []
|
||||
try:
|
||||
result = value[1][0]
|
||||
except IndexError as exc:
|
||||
return False
|
||||
|
||||
if result == 'enabled' and rc == 0:
|
||||
return True
|
||||
|
||||
return False
|
||||
@ -203,39 +140,50 @@ def get_status():
|
||||
return False
|
||||
|
||||
def get_active_policy_name():
|
||||
etc_policy_dir = '/etc/local-policy'
|
||||
actual_policy_name = 'unknown'
|
||||
|
||||
active_policy_path = os.path.join(etc_policy_dir, 'active')
|
||||
|
||||
if os.path.islink(active_policy_path):
|
||||
active_policy_path = os.path.realpath(active_policy_path)
|
||||
|
||||
if os.path.isdir(active_policy_path):
|
||||
actual_policy_name = os.path.basename(active_policy_path)
|
||||
|
||||
return actual_policy_name
|
||||
'''
|
||||
Show the name of an active Local Policy template
|
||||
'''
|
||||
config = GPConfig()
|
||||
return config.get_local_policy_template()
|
||||
|
||||
def rollback_on_error(command_name):
|
||||
'''
|
||||
Disable group policy services in case command returns error code
|
||||
'''
|
||||
if 0 != runcmd(command_name)[0]:
|
||||
disable_gp()
|
||||
return False
|
||||
return True
|
||||
|
||||
def disable_gp():
|
||||
'''
|
||||
Consistently disable group policy services
|
||||
'''
|
||||
cmd_set_global_policy = ['/usr/sbin/control', 'system-policy', 'global']
|
||||
cmd_set_local_policy = ['/usr/sbin/control', 'system-policy', 'local']
|
||||
cmd_disable_gpupdate_service = ['/bin/systemctl', 'disable', 'gpupdate.service']
|
||||
cmd_disable_gpupdate_user_service = ['/bin/systemctl', '--global', 'disable', 'gpupdate-user.service']
|
||||
cmd_control_system_auth = ['/usr/sbin/control', 'system-auth']
|
||||
|
||||
if from_command('/usr/sbin/control system-auth') != 'local':
|
||||
config = GPConfig()
|
||||
|
||||
auth_result = 'local'
|
||||
try:
|
||||
auth_result = runcmd(cmd_control_system_auth)[1][0]
|
||||
except Exception as exc:
|
||||
print(str(exc))
|
||||
|
||||
if auth_result != 'local':
|
||||
runcmd(cmd_set_global_policy)
|
||||
else:
|
||||
runcmd(cmd_set_local_policy)
|
||||
runcmd(cmd_disable_gpupdate_service)
|
||||
runcmd(cmd_disable_gpupdate_user_service)
|
||||
|
||||
def enable_gp(policy_name):
|
||||
def enable_gp(policy_name, backend_type):
|
||||
'''
|
||||
Consistently enable group policy services
|
||||
'''
|
||||
policy_dir = '/usr/share/local-policy'
|
||||
etc_policy_dir = '/etc/local-policy'
|
||||
cmd_set_gpupdate_policy = ['/usr/sbin/control', 'system-policy', 'gpupdate']
|
||||
@ -243,6 +191,8 @@ def enable_gp(policy_name):
|
||||
cmd_enable_gpupdate_service = ['/bin/systemctl', 'enable', 'gpupdate.service']
|
||||
cmd_enable_gpupdate_user_service = ['/bin/systemctl', '--global', 'enable', 'gpupdate-user.service']
|
||||
|
||||
config = GPConfig()
|
||||
|
||||
target_policy_name = get_default_policy_name()
|
||||
if policy_name:
|
||||
if validate_policy_name(policy_name):
|
||||
@ -250,29 +200,30 @@ def enable_gp(policy_name):
|
||||
|
||||
print (target_policy_name)
|
||||
default_policy_name = os.path.join(policy_dir, target_policy_name)
|
||||
active_policy_name = os.path.join(etc_policy_dir, 'active')
|
||||
|
||||
if not os.path.isdir(etc_policy_dir):
|
||||
os.makedirs(etc_policy_dir)
|
||||
|
||||
if not os.path.islink(active_policy_name):
|
||||
os.symlink(default_policy_name, active_policy_name)
|
||||
else:
|
||||
os.unlink(active_policy_name)
|
||||
os.symlink(default_policy_name, active_policy_name)
|
||||
config.set_local_policy_template(default_policy_name)
|
||||
|
||||
# Enable oddjobd_gpupdate in PAM config
|
||||
rollback_on_error(cmd_set_gpupdate_policy)
|
||||
if not rollback_on_error(cmd_set_gpupdate_policy):
|
||||
return
|
||||
# Bootstrap the Group Policy engine
|
||||
rollback_on_error(cmd_gpoa_nodomain):
|
||||
if not rollback_on_error(cmd_gpoa_nodomain):
|
||||
return
|
||||
# Enable gpupdate.service
|
||||
rollback_on_error(cmd_enable_gpupdate_service)
|
||||
if not rollback_on_error(cmd_enable_gpupdate_service):
|
||||
return
|
||||
if not is_unit_enabled('gpupdate.service'):
|
||||
disable_gp()
|
||||
return
|
||||
# Enable gpupdate-setup.service for all users
|
||||
rollback_on_error(cmd_enable_gpupdate_user_service)
|
||||
if not rollback_on_error(cmd_enable_gpupdate_user_service):
|
||||
return
|
||||
if not is_unit_enabled('gpupdate-user.service'):
|
||||
disable_gp()
|
||||
return
|
||||
|
||||
def act_list():
|
||||
'''
|
||||
@ -298,14 +249,20 @@ def act_status():
|
||||
else:
|
||||
print('disabled')
|
||||
|
||||
def act_write():
|
||||
def act_write(localpolicy, backend):
|
||||
'''
|
||||
Enable or disable group policy services
|
||||
'''
|
||||
if arguments.status == 'enable' or arguments.status == '#t':
|
||||
enable_gp(arguments.localpolicy)
|
||||
enable_gp(localpolicy, backend)
|
||||
if arguments.status == 'disable' or arguments.status == '#f':
|
||||
disable_gp()
|
||||
|
||||
def act_enable():
|
||||
enable_gp(arguments.localpolicy)
|
||||
def act_enable(localpolicy, backend):
|
||||
'''
|
||||
Enable group policy services
|
||||
'''
|
||||
enable_gp(localpolicy, backend)
|
||||
|
||||
def act_active_policy():
|
||||
'''
|
||||
@ -334,6 +291,10 @@ def main():
|
||||
|
||||
if arguments.action == None:
|
||||
action['status']()
|
||||
elif arguments.action == 'enable':
|
||||
action[arguments.action](arguments.localpolicy, arguments.backend)
|
||||
elif arguments.action == 'write':
|
||||
action[arguments.action](arguments.localpolicy)
|
||||
else:
|
||||
action[arguments.action]()
|
||||
|
||||
|
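Review bot: The `write` branch added in `main()` calls `action[arguments.action](arguments.localpolicy)` with one argument, but `act_write` now takes `(localpolicy, backend)`, so every `write` invocation raises `TypeError` before `enable_gp` or `disable_gp` is reached, including `write disable`. The call should match the `enable` branch: `action[arguments.action](arguments.localpolicy, arguments.backend)`. In the visible lines of `enable_gp` the new `backend_type` parameter is never used, so the selected backend does not appear to be written to the configuration. That function's body is only partly inside the hunks, so this should be confirmed against the full file.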
@ -19,18 +19,20 @@
|
||||
import pathlib
|
||||
import os
|
||||
|
||||
from .config import GPConfig
|
||||
|
||||
|
||||
def default_policy_path():
|
||||
'''
|
||||
Returns path pointing to Default Policy directory.
|
||||
'''
|
||||
local_policy_default = '/usr/share/local-policy/default'
|
||||
etc_local_policy_default = '/etc/local-policy/active'
|
||||
config = GPConfig()
|
||||
|
||||
result_path = pathlib.Path(local_policy_default)
|
||||
|
||||
if os.path.exists(etc_local_policy_default):
|
||||
result_path = pathlib.Path(etc_local_policy_default)
|
||||
if os.path.exists(config.get_local_policy_template()):
|
||||
result_path = pathlib.Path(config.get_local_policy_template())
|
||||
|
||||
return pathlib.Path(result_path)
|
||||
|
||||
|
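Review bot: The value from `config.get_local_policy_template()` becomes the policy directory after only an `os.path.exists()` test, which also accepts a regular file or a symlink pointing anywhere. The same test raises `TypeError` if the getter returns `None`; `GPConfig` is not shown, so its default is unknown. Because the result decides where local policy is loaded from, I would read the value once and require a directory, falling back to `/usr/share/local-policy/default` otherwise: `template = config.get_local_policy_template()` followed by `if template and os.path.isdir(template):`. The docstring still describes only the default directory and should say that the configured template takes precedence when it exists.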