public/gpupdate
1
0
Fork 1
mirror of https://github.com/altlinux/gpupdate.git synced 2025-11-03 12:23:51 +03:00
Code Releases Wiki Activity

Compare commits

base: public:0.12.0-alt1
Branches Tags
public:master public:plugin-system-development public:freeipa_backend public:cleanup_machine_account public:machine_account_creds public:fix_kde_version public:fix_kde_screen public:fix_cache public:fix_kde public:fix_oddjob public:fix_plasmaupdate public:fix_kde_applier public:fix_firefox public:fix_check_enable public:fix_dconf_update public:dconf_registry public:astra public:translation_for_several_logs public:ntp_applier_addition public:local_admin_policy_v3 public:local_admin_policy_v2 public:oddjob-gpupdate public:gsettings_fixed_error_unable_to_cache_specified_URI public:bugsFix public:logRu public:package_pkcon public:kdestroy_trouble public:fix_gsettings public:samba_registry_storage public:man_gpupdate_setup public:postinst_remove_cache public:quota_applier public:binary_modules
public:0.13.4-alt1 public:0.13.3-alt1 public:0.13.2-alt1 public:0.13.1-alt1 public:0.13.0-alt1 public:0.12.2-alt1 public:0.12.1-alt1 public:0.12.0-alt1 public:0.11.4-alt1 public:0.11.3-alt1 public:0.11.2-alt1 public:0.11.1-alt1 public:0.11.0-alt1 public:0.10.6-alt1 public:0.10.5-alt1 public:0.10.4-alt1 public:0.10.3-alt1 public:0.10.2-alt1 public:0.10.1-alt1 public:0.10.0-alt1 public:0.9.13.5-alt1 public:0.9.13.4-alt1 public:0.9.12.4-alt1 public:0.9.12.1-alt1 public:0.9.12-alt2 public:0.9.11.2-alt1 public:0.9.11.1-alt1 public:0.9.11-alt1 public:0.9.10-alt1 public:0.9.9.1-alt1 public:0.9.9-alt1 public:0.9.8-alt1 public:0.9.7-alt1 public:0.9.6-alt1 public:0.9.5-alt1 public:0.9.4-alt1 public:0.9.3-alt1 public:0.9.2-alt1 public:0.9.1-alt1 public:0.9.0-alt1 public:0.8.2-alt1 public:0.8.1-alt3 public:0.8.1-alt2 public:0.8.1-alt1 public:0.8.0-alt1 public:0.7.0-alt1 public:0.6.0-alt2 public:0.6.0-alt1 public:0.5.0-alt1 public:0.4.5-alt1 public:0.4.4-alt1 public:0.4.3-alt1 public:0.4.1-alt1 public:0.4.0-alt1 public:0.3.0-alt1
...
compare: public:freeipa_backend
Branches Tags
public:plugin-system-development public:freeipa_backend public:master public:cleanup_machine_account public:machine_account_creds public:fix_kde_version public:fix_kde_screen public:fix_cache public:fix_kde public:fix_oddjob public:fix_plasmaupdate public:fix_kde_applier public:fix_firefox public:fix_check_enable public:fix_dconf_update public:dconf_registry public:astra public:translation_for_several_logs public:ntp_applier_addition public:local_admin_policy_v3 public:local_admin_policy_v2 public:oddjob-gpupdate public:gsettings_fixed_error_unable_to_cache_specified_URI public:bugsFix public:logRu public:package_pkcon public:kdestroy_trouble public:fix_gsettings public:samba_registry_storage public:man_gpupdate_setup public:postinst_remove_cache public:quota_applier public:binary_modules
public:0.13.4-alt1 public:0.13.3-alt1 public:0.13.2-alt1 public:0.13.1-alt1 public:0.13.0-alt1 public:0.12.2-alt1 public:0.12.1-alt1 public:0.12.0-alt1 public:0.11.4-alt1 public:0.11.3-alt1 public:0.11.2-alt1 public:0.11.1-alt1 public:0.11.0-alt1 public:0.10.6-alt1 public:0.10.5-alt1 public:0.10.4-alt1 public:0.10.3-alt1 public:0.10.2-alt1 public:0.10.1-alt1 public:0.10.0-alt1 public:0.9.13.5-alt1 public:0.9.13.4-alt1 public:0.9.12.4-alt1 public:0.9.12.1-alt1 public:0.9.12-alt2 public:0.9.11.2-alt1 public:0.9.11.1-alt1 public:0.9.11-alt1 public:0.9.10-alt1 public:0.9.9.1-alt1 public:0.9.9-alt1 public:0.9.8-alt1 public:0.9.7-alt1 public:0.9.6-alt1 public:0.9.5-alt1 public:0.9.4-alt1 public:0.9.3-alt1 public:0.9.2-alt1 public:0.9.1-alt1 public:0.9.0-alt1 public:0.8.2-alt1 public:0.8.1-alt3 public:0.8.1-alt2 public:0.8.1-alt1 public:0.8.0-alt1 public:0.7.0-alt1 public:0.6.0-alt2 public:0.6.0-alt1 public:0.5.0-alt1 public:0.4.5-alt1 public:0.4.4-alt1 public:0.4.3-alt1 public:0.4.1-alt1 public:0.4.0-alt1 public:0.3.0-alt1

76 Commits
0.12.0-alt ... freeipa_ba

Author SHA1 Message Date
Danila Skachedubov
bbbc0b8289 refactor: optimize FreeIPA backend and fix configuration 
- Improve GPO downloading with batch processing and better error handling
    - Fix FreeIPA API calls and server discovery logic
    - Add Samba configuration for FreeIPA integration
    - Clean up imports and code formatting
    - Update package dependencies for FreeIPA support
 2025-10-28 18:42:20 +04:00
Danila Skachedubov
d975cd2f10 refactor: optimize GPO downloading and error handling 
- Implement batch downloading of GPOs instead of single downloads
    - Improve caching mechanism with separate handling for cached/downloaded GPOs
 2025-10-10 10:06:33 +04:00
Danila Skachedubov
cb9c70d6c1 feat: add FreeIPA backend configuration and authentication 
- Extend backend options to include FreeIPA in CLI tools
    - Add FreeIPA-Samba auto-configuration during setup
 2025-10-09 14:05:59 +04:00
Danila Skachedubov
99feb569a2 feat: add FreeIPA credentials and localization 
- Implement ipacreds class for FreeIPA GPO management
    - Add FreeIPA API error handling and localization
    - Add freeipa_backend with GPO download and processing
    - Support FreeIPA in backend factory and setup
 2025-10-09 14:00:36 +04:00
Danila Skachedubov
cd1a2fc042 feat: add FreeIPA configuration utility 
- Implement ipaopts class for FreeIPA configuration management
    - Add methods to retrieve realm, domain, and host from IPA config
 2025-10-09 12:26:18 +04:00
Danila Skachedubov
5e918900c6 feat(backend): integrate FreeIPA backend factory 
- Add freeipa_backend to backend factory selection
    - Implement ipacreds initialization
 2025-10-08 16:48:21 +04:00
Valery Sinelnikov
63e5ffc3f8 0.13.4-alt1 
- Added:
  Production-ready modules: CUPS, file management, INI config (default),
  package management, script modules
  Fallback SID lookup for trusted domain users
  Missing log translations (laps: timezone, login)
  Added ownership handling for files within user home directory
- Changed:
  Refactored to use literals ({}, []) instead of constructors
  Final optimization passes and minor cleanups
  Updated copyright year
  Adjusted login time search and messages
- Fixed:
  Skipped policy retrieval for trusted users to avoid GPO errors
  Corrected login time tracking in laps
  Fixed typos
  Prevented subprocess errors from printing to console
  Adjusted call order (save_dconf - start_frontend)
- Removed:
  Legacy sid variable propagation and related helpers
 2025-08-25 15:24:22 +04:00
Valery Sinelnikov
01d219cb8e Added ownership handling for files within user home directory 2025-08-25 10:50:16 +04:00
Valery Sinelnikov
6af54ff17d Stub: skip policy retrieval for trusted users to prevent GPO errors 2025-08-19 15:21:13 +04:00
Valery Sinelnikov
238d1f4784 refactor: finish remaining optimizations 2025-08-18 11:39:04 +04:00
Valery Sinelnikov
b3253bd684 refactor: 
update copyright year and use literal
{} and [] instead of dict() and list()
 2025-08-15 16:02:23 +04:00
Valery Sinelnikov
66b17be85b Typo corrected 2025-08-14 18:33:31 +04:00
Valery Sinelnikov
bea7fe9803 Avoided printing subprocess errors to console 2025-08-14 16:47:13 +04:00
Valery Sinelnikov
f36b362523 Small refactoring 2025-08-08 14:47:15 +04:00
Valery Sinelnikov
abfb756edb Improve SID lookup fallback for trusted domain users 2025-07-31 18:03:45 +04:00
Valery Sinelnikov
0578e21521 Remove legacy sid variable propagation across the project 
- Clean up all instances where `sid` was passed or stored unnecessarily
- Remove related unused helper functions and dependencies
 2025-07-28 10:47:10 +04:00
Valery Sinelnikov
02bd6773aa Enable production-ready script modules 2025-07-28 10:47:10 +04:00
Valery Sinelnikov
927c3ceb2f Package management is now considered production-ready 2025-07-28 10:47:10 +04:00
Valery Sinelnikov
a329f601f7 INI configuration handlers are now production-ready and enabled by default 2025-07-28 10:47:10 +04:00
Valery Sinelnikov
d4f12dacfa The file management modules are now considered stable and ready for production use 2025-07-28 10:47:10 +04:00
Valery Sinelnikov
4d05358790 CUPS is now considered stable and ready for production use 2025-07-28 10:47:10 +04:00
Vladislav Glinkin
bc4bb96b03 Swapped the call to save_dconf and self.start_frontend() with each other 2025-07-28 10:47:10 +04:00
Valery Sinelnikov
5588be1daa Updating the login time calculation message to clarify the context 2025-07-28 10:47:10 +04:00
Valery Sinelnikov
bde48cbedf Improved the search for the latest login after 2025-07-28 10:47:10 +04:00
Valery Sinelnikov
43d32c3882 Fix typo: target_use -> target_user 
Thanks to lepata@basealt.ru for spotting this issue
 2025-07-28 10:47:10 +04:00
Valery Sinelnikov
0932d1da26 refactor: more constructor replacements with literals 2025-07-28 10:47:10 +04:00
Valery Sinelnikov
2a4375c6fb laps: add missing log translations for timezone and login checks 2025-07-28 10:47:10 +04:00
Valery Sinelnikov
ba11149983 laps: fix login time tracking and logging 2025-07-28 10:47:10 +04:00
Valery Sinelnikov
56008e7e1c refactor: use collection literals instead of constructors 2025-07-28 10:47:10 +04:00
Evgeny Sinelnikov
9325c241ef 0.13.3-alt1 
- Fixed machine account credentials initialization (closes: 55324)
 2025-07-26 01:10:09 +04:00
Evgeny Sinelnikov
3c0c722818 Fixed machine account credentials initialization 2025-07-26 01:08:00 +04:00
Valery Sinelnikov
9424c2c8e8 0.13.2-alt1 
- Fixed: Check directory existence before cleanup to avoid errors(closes:53703)
 2025-04-03 10:52:48 +04:00
Valery Sinelnikov
9065352bb0 Added directory existence check before cleanup 2025-04-03 10:47:26 +04:00
Valery Sinelnikov
9034d4ba4c 0.13.1-alt1 
- Refined registry key handling: LAPS enablement and user presence check
 2025-03-14 17:44:20 +04:00
Valery Sinelnikov
2e6c76337b Refined registry key handling: LAPS enablement and user presence check 2025-03-14 17:44:08 +04:00
Valery Sinelnikov
a3398e0307 0.13.0-alt1 
- Implemented Local Administrator Password Solution (LAPS) functionality,
  including support for Group Policy Object (GPO) keys to
  configure LAPS settings
- Added support for disabling cifsacl in autofs mounts (closes:52333)
- Implemented the ability to merge computer and user GPO shortcuts
- Added access restrictions to network directories of other users
- Added cleaning functionality for the autofs configuration catalog
- Added ability to configure KDE 6 files
 2025-03-07 12:24:28 +04:00
Danila Skachedubov
c7192773fd Added ability to configure KDE 6 files 2025-03-07 12:22:46 +04:00
Valery Sinelnikov
93bcac5f19 Added exclude desktop_file_template and desktop_file from dict(obj) 2025-03-06 15:52:26 +04:00
Valery Sinelnikov
967687497c Implemented the ability to merge computer GPO shortcuts with user GPO shortcuts 2025-03-06 15:45:19 +04:00
Valery Sinelnikov
3797993209 Fixed unintended escaping in critical data 2025-03-05 10:29:10 +04:00
Valery Sinelnikov
04831c4dbd Added support for disabling cifsacl 2025-03-04 14:22:16 +04:00
Valery Sinelnikov
316c0881a9 Updated templates to support disabling cifsacl in autofs mounts 2025-03-04 14:20:09 +04:00
Valentin Sokolov
22d0c87538 Added handling of spaces in package names 2025-03-04 11:35:22 +04:00
Valery Sinelnikov
2c66ad9bc1 Added restriction of access to the connected network catalogs of other users 2025-03-04 11:33:19 +04:00
Valery Sinelnikov
5fe0b6f418 Added cleaning the autofs configuration catalog and logs for it 2025-03-04 11:19:06 +04:00
Valery Sinelnikov
829825060b Lower logging level in ncrypt_protect_secret 
to reduce log verbosity
 2025-02-28 16:27:59 +04:00
Valery Sinelnikov
463620ff25 Added verification of target user existence 
and logging message for cases when user is not found
 2025-02-28 15:39:29 +04:00
Valery Sinelnikov
ab632a8177 Added function to check if a local user exist 2025-02-28 15:22:10 +04:00
Valery Sinelnikov
5c47ebb6c5 Added the use of laps in frontend_manager 2025-02-28 13:59:04 +04:00
Valery Sinelnikov
6a840674ca Replaced prints for new logs 2025-02-28 12:35:31 +04:00
Valery Sinelnikov
a6f6b021fa Added translations to messages of new logs 2025-02-28 12:33:53 +04:00
Valery Sinelnikov
0f4066e0f0 Added identifiers and messages to logs 2025-02-28 12:32:22 +04:00
Valery Sinelnikov
030e69cb86 Refactor code with better naming and comments for clarity 2025-02-27 15:15:46 +04:00
Valery Sinelnikov
5f94fad90b Added implementation of actions in case of used password 2025-02-27 11:46:51 +04:00
Valery Sinelnikov
156918ad3b Added accounting of group policies 2025-02-26 13:22:12 +04:00
Valery Sinelnikov
6df5a5754f Added usage of fixed implementations 2025-02-25 12:55:13 +04:00
Valery Sinelnikov
dda57ed179 Fixed password change and added time after changing it 2025-02-25 12:23:42 +04:00
Valery Sinelnikov
99595c85d3 Improved saving of password change time 2025-02-25 11:51:32 +04:00
Valery Sinelnikov
e25c5844a9 Improving get_last_login_hours_ago 2025-02-21 12:55:36 +04:00
Valery Sinelnikov
8e1a76552f Inaccuracies have been corrected 2025-02-14 14:08:28 +04:00
Valery Sinelnikov
1f6776912d Added password change logic 2025-02-13 17:04:21 +04:00
Valery Sinelnikov
3e889622b1 Added implementation for generating password 
and searching for elapsed login time
 2025-02-11 16:13:45 +04:00
Valery Sinelnikov
1c827d4533 Added part of laps implementation 2025-02-10 18:36:13 +04:00
Valery Sinelnikov
ce660afcbd Added laps sketch 2025-02-07 18:37:18 +04:00
Valery Sinelnikov
5b1a928291 Added saving samdb to Dconf_registry 2025-02-07 17:59:19 +04:00
Valery Sinelnikov
a77a6e3c6f Added function remove_prefix_from_keys in util 2025-02-06 14:26:36 +04:00
Valery Sinelnikov
25a784fa2e Added new applier for laps 2025-02-04 17:09:44 +04:00
Valery Sinelnikov
6378c8c78b Added a branch for storing locks and installing them 2025-02-04 11:47:31 +04:00
Valery Sinelnikov
9ad7440c8b Added support for distr profile layer 2025-02-04 11:47:23 +04:00
Valery Sinelnikov
2a5642a76d Added multiuser for machine templates 2025-02-04 11:47:17 +04:00
Danila Skachedubov
dbff83050b Added function to call a method on dbus 2025-02-04 11:45:49 +04:00
Danila Skachedubov
ed1b2aa39e Code refactoring and optimization 2025-02-04 11:45:43 +04:00
Valery Sinelnikov
02701136c0 0.12.2-alt1 
- Fixed interpretation of boolean values (closes:52683)
 2025-01-14 12:10:00 +04:00
Valery Sinelnikov
408d221c3d Fixed interpretation of boolean values 2025-01-14 12:08:15 +04:00
Valery Sinelnikov
67a02a4623 0.12.1-alt1 
- Fixed checking the path for existence (closes:52597)
 2025-01-10 10:37:12 +04:00
Danila Skachedubov
7a0af6ab9b Fixed checking the path for existence 2025-01-09 15:55:40 +04:00
78 changed files with 2243 additions and 711 deletions
Expand all files Collapse all files

16
gpoa/backend/__init__.py
View File

@@ -24,6 +24,8 @@ from util.logging import log
from util.config import GPConfig
from util.util import get_uid_by_username, touch_file
from util.paths import get_dconf_config_file
from util.ipacreds import ipacreds
from .freeipa_backend import freeipa_backend
from storage.dconf_registry import Dconf_registry, create_dconf_ini_file, add_preferences_to_global_registry_dict
def backend_factory(dc, username, is_machine, no_domain = False):
@@ -52,6 +54,20 @@ def backend_factory(dc, username, is_machine, no_domain = False):
logdata = dict({'error': str(exc)})
log('E7', logdata)
if config.get_backend() == 'freeipa' and not no_domain:
try:
if not dc:
dc = config.get_dc()
if dc:
ld = {'dc': dc}
log('D52', ld)
ipac = ipacreds()
domain = ipac.get_domain()
back = freeipa_backend(ipac, username, domain, is_machine)
except Exception as exc:
logdata = {'error': str(exc)}
log('E77', logdata)
if config.get_backend() == 'local' or no_domain:
log('D8')
try:

227
gpoa/backend/freeipa_backend.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,10 +16,231 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import smbc
import re
from .applier_backend import applier_backend
from pathlib import Path
from gpt.gpt import gpt, get_local_gpt
from gpt.gpo_dconf_mapping import GpoInfoDconf
from storage import registry_factory
from storage.dconf_registry import Dconf_registry, extract_display_name_version
from storage.fs_file_cache import fs_file_cache
from util.logging import log
from util.util import get_uid_by_username
from util.kerberos import (
machine_kinit
, machine_kdestroy
)
class freeipa_backend(applier_backend):
def __init__(self):
pass
def __init__(self, ipacreds, username, domain, is_machine):
self.ipacreds = ipacreds
self.cache_path = '/var/cache/gpupdate/creds/krb5cc_{}'.format(os.getpid())
self.__kinit_successful = machine_kinit(self.cache_path, "freeipa")
if not self.__kinit_successful:
raise Exception('kinit is not successful')
self.storage = registry_factory()
self.storage.set_info('domain', domain)
machine_name = self.ipacreds.get_machine_name()
self.storage.set_info('machine_name', machine_name)
self.username = machine_name if is_machine else username
self._is_machine_username = is_machine
self.cache_dir = self.ipacreds.get_cache_dir()
self.gpo_cache_part = 'gpo_cache'
self.gpo_cache_dir = os.path.join(self.cache_dir, self.gpo_cache_part)
self.storage.set_info('cache_dir', self.gpo_cache_dir)
self.file_cache = fs_file_cache("freeipa_gpo", username)
logdata = {'cachedir': self.cache_dir}
log('D7', logdata)
def __del__(self):
if self.__kinit_successful:
machine_kdestroy()
def retrieve_and_store(self):
'''
Retrieve settings and store it in a database - FreeIPA version
'''
try:
if self._is_machine_username:
dconf_dict = Dconf_registry.get_dictionary_from_dconf_file_db(save_dconf_db=True)
else:
uid = get_uid_by_username(self.username)
dconf_dict = Dconf_registry.get_dictionary_from_dconf_file_db(uid, save_dconf_db=True)
except Exception as e:
logdata = {'msg': str(e)}
log('E72', logdata)
if self._is_machine_username:
machine_gpts = []
try:
machine_name = self.storage.get_info('machine_name')
machine_gpts = self._get_gpts(machine_name)
machine_gpts.reverse()
except Exception as exc:
logdata = {'msg': str(exc)}
log('E17', logdata)
for i, gptobj in enumerate(machine_gpts):
try:
gptobj.merge_machine()
except Exception as exc:
logdata = {'msg': str(exc)}
log('E26', logdata)
else:
user_gpts = []
try:
user_gpts = self._get_gpts(self.username)
user_gpts.reverse()
except Exception as exc:
logdata = {'msg': str(exc)}
log('E17', logdata)
for i, gptobj in enumerate(user_gpts):
try:
gptobj.merge_user()
except Exception as exc:
logdata = {'msg': str(exc)}
log('E27', logdata)
def _get_gpts(self, username):
gpts = []
gpos, server = self.ipacreds.update_gpos(username)
if not gpos:
return gpts
if not server:
return gpts
cached_gpos = []
download_gpos = []
for i, gpo in enumerate(gpos):
if gpo.file_sys_path.startswith('/'):
if os.path.exists(gpo.file_sys_path):
logdata = {'gpo_name': gpo.display_name, 'path': gpo.file_sys_path}
log('D11', logdata)
cached_gpos.append(gpo)
else:
download_gpos.append(gpo)
else:
if self._check_sysvol_present(gpo):
download_gpos.append(gpo)
else:
logdata = {'gpo_name': gpo.display_name}
log('W4', logdata)
if download_gpos:
try:
self._download_gpos(download_gpos, server)
logdata = {'count': len(download_gpos)}
log('D50', logdata)
except Exception as e:
logdata = {'msg': str(e), 'count': len(download_gpos)}
log('E35', logdata)
else:
log('D211', {})
all_gpos = cached_gpos + download_gpos
for gpo in all_gpos:
gpt_abspath = gpo.file_sys_path
if not os.path.exists(gpt_abspath):
logdata = {'path': gpt_abspath, 'gpo_name': gpo.display_name}
log('W12', logdata)
continue
if self._is_machine_username:
obj = gpt(gpt_abspath, None, GpoInfoDconf(gpo))
else:
obj = gpt(gpt_abspath, self.username, GpoInfoDconf(gpo))
obj.set_name(gpo.display_name)
gpts.append(obj)
local_gpt = get_local_gpt()
gpts.append(local_gpt)
logdata = {'total_count': len(gpts), 'downloaded_count': len(download_gpos)}
log('I2', logdata)
return gpts
def _check_sysvol_present(self, gpo):
if not gpo.file_sys_path:
if getattr(gpo, 'name', '') != 'Local Policy':
logdata = {'gponame': getattr(gpo, 'name', 'Unknown')}
log('W4', logdata)
return False
if gpo.file_sys_path.startswith('\\\\'):
return True
elif gpo.file_sys_path.startswith('/'):
if os.path.exists(gpo.file_sys_path):
return True
else:
return False
else:
return False
def _download_gpos(self, gpos, server):
cache_dir = self.ipacreds.get_cache_dir()
domain = self.ipacreds.get_domain().upper()
gpo_cache_dir = os.path.join(cache_dir, domain, 'POLICIES')
os.makedirs(gpo_cache_dir, exist_ok=True)
for gpo in gpos:
if not gpo.file_sys_path:
continue
smb_remote_path = None
try:
smb_remote_path = self._convert_to_smb_path(gpo.file_sys_path, server)
local_gpo_path = os.path.join(gpo_cache_dir, gpo.name)
self._download_gpo_directory(smb_remote_path, local_gpo_path)
gpo.file_sys_path = local_gpo_path
except Exception as e:
logdata = {
'msg': str(e),
'gpo_name': gpo.display_name,
'smb_path': smb_remote_path,
}
log('E38', logdata)
def _convert_to_smb_path(self, windows_path, server):
match = re.search(r'\\\\[^\\]+\\(.+)', windows_path)
if not match:
raise Exception(f"Invalid Windows path format: {windows_path}")
relative_path = match.group(1).replace('\\', '/').lower()
smb_url = f"smb://{server}/{relative_path}"
return smb_url
def _download_gpo_directory(self, remote_smb_path, local_path):
os.makedirs(local_path, exist_ok=True)
try:
entries = self.file_cache.samba_context.opendir(remote_smb_path).getdents()
for entry in entries:
if entry.name in [".", ".."]:
continue
remote_entry_path = f"{remote_smb_path}/{entry.name}"
local_entry_path = os.path.join(local_path, entry.name)
if entry.smbc_type == smbc.DIR:
self._download_gpo_directory(remote_entry_path, local_entry_path)
elif entry.smbc_type == smbc.FILE:
try:
os.makedirs(os.path.dirname(local_entry_path), exist_ok=True)
self.file_cache.store(remote_entry_path, Path(local_entry_path))
except Exception as e:
logdata = {'exception': str(e), 'file': entry.name}
log('W30', logdata)
except Exception as e:
logdata = {'exception': str(e), 'remote_folder_path': remote_smb_path}
log('W31', logdata)

19
gpoa/backend/nodomain_backend.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,25 +20,13 @@
from .applier_backend import applier_backend
from storage import registry_factory
from gpt.gpt import get_local_gpt
from util.util import (
get_machine_name
)
from util.sid import get_sid
class nodomain_backend(applier_backend):
def __init__(self):
domain = None
machine_name = get_machine_name()
machine_sid = get_sid(domain, machine_name, True)
self.storage = registry_factory()
self.storage.set_info('domain', domain)
self.storage.set_info('machine_name', machine_name)
self.storage.set_info('machine_sid', machine_sid)
# User SID to work with HKCU hive
self.username = machine_name
self.sid = machine_sid
def retrieve_and_store(self):
'''
@@ -46,8 +34,7 @@ class nodomain_backend(applier_backend):
'''
# Get policies for machine at first.
self.storage.wipe_hklm()
self.storage.wipe_user(self.storage.get_info('machine_sid'))
local_policy = get_local_gpt(self.sid)
local_policy = get_local_gpt()
local_policy.merge_machine()
local_policy.merge_user()

46
gpoa/backend/samba_backend.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -55,7 +55,7 @@ class samba_backend(applier_backend):
# User SID to work with HKCU hive
self.username = username
self._is_machine_username = is_machine
self._is_machine = is_machine
if is_machine:
self.sid = machine_sid
else:
@@ -68,7 +68,7 @@ class samba_backend(applier_backend):
self.gpo_cache_part ='gpo_cache'
self._cached = False
self.storage.set_info('cache_dir', os.path.join(self.cache_dir, self.gpo_cache_part))
logdata = dict({'cachedir': self.cache_dir})
logdata = {'cachedir': self.cache_dir}
log('D7', logdata)
def __del__(self):
@@ -98,28 +98,28 @@ class samba_backend(applier_backend):
Retrieve settings and strore it in a database
'''
# Get policies for machine at first.
machine_gpts = list()
machine_gpts = []
try:
machine_gpts = self._get_gpts(get_machine_name(), self.storage.get_info('machine_sid'))
machine_gpts = self._get_gpts()
except Exception as exc:
log('F2')
raise exc
if self._is_machine_username:
if self._is_machine:
for gptobj in machine_gpts:
try:
gptobj.merge_machine()
except Exception as exc:
logdata = dict()
logdata = {}
logdata['msg'] = str(exc)
log('E26', logdata)
# Load user GPT values in case user's name specified
# This is a buggy implementation and should be tested more
else:
user_gpts = list()
user_gpts = []
try:
user_gpts = self._get_gpts(self.username, self.sid)
user_gpts = self._get_gpts(self.username)
except Exception as exc:
log('F3')
raise exc
@@ -127,7 +127,7 @@ class samba_backend(applier_backend):
# Merge user settings if UserPolicyMode set accordingly
# and user settings (for HKCU) are exist.
policy_mode = self.get_policy_mode()
logdata = dict({'mode': upm2str(policy_mode), 'sid': self.sid})
logdata = {'mode': upm2str(policy_mode)}
log('D152', logdata)
if policy_mode < 2:
@@ -135,17 +135,16 @@ class samba_backend(applier_backend):
try:
gptobj.merge_user()
except Exception as exc:
logdata = dict()
logdata = {}
logdata['msg'] = str(exc)
log('E27', logdata)
if policy_mode > 0:
for gptobj in machine_gpts:
try:
gptobj.sid = self.sid
gptobj.merge_user()
except Exception as exc:
logdata = dict()
logdata = {}
logdata['msg'] = str(exc)
log('E63', logdata)
@@ -162,15 +161,16 @@ class samba_backend(applier_backend):
self._cached = True
return True
elif 'Local Policy' != gpo.name:
logdata = dict({'gponame': gpo.name})
logdata = {'gponame': gpo.name}
log('W4', logdata)
return False
return True
def _get_gpts(self, username, sid):
gpts = list()
log('D45', {'username': username, 'sid': sid})
def _get_gpts(self, username=None):
gpts = []
if not username:
username = get_machine_name()
log('D45', {'username': username})
# util.windows.smbcreds
gpos = self.sambacreds.update_gpos(username)
log('D46')
@@ -178,21 +178,21 @@ class samba_backend(applier_backend):
if self._check_sysvol_present(gpo):
if not self._cached:
path = check_safe_path(gpo.file_sys_path).upper()
slogdata = dict({'sysvol_path': gpo.file_sys_path, 'gpo_name': gpo.display_name, 'gpo_path': path})
slogdata = {'sysvol_path': gpo.file_sys_path, 'gpo_name': gpo.display_name, 'gpo_path': path}
log('D30', slogdata)
gpt_abspath = os.path.join(self.cache_dir, self.gpo_cache_part, path)
else:
gpt_abspath = gpo.file_sys_path
log('D211', {'sysvol_path': gpo.file_sys_path, 'gpo_name': gpo.display_name})
if self._is_machine_username:
obj = gpt(gpt_abspath, sid, None, GpoInfoDconf(gpo))
if self._is_machine:
obj = gpt(gpt_abspath, None, GpoInfoDconf(gpo))
else:
obj = gpt(gpt_abspath, sid, self.username, GpoInfoDconf(gpo))
obj = gpt(gpt_abspath, self.username, GpoInfoDconf(gpo))
obj.set_name(gpo.display_name)
gpts.append(obj)
else:
if 'Local Policy' == gpo.name:
gpts.append(get_local_gpt(sid))
gpts.append(get_local_gpt())
return gpts

14
gpoa/frontend/appliers/control.py
View File

@@ -24,7 +24,7 @@ def control_subst(preg_name):
This is a workaround for control names which can't be used in
PReg/ADMX files.
'''
control_triggers = dict()
control_triggers = {}
control_triggers['dvd_rw-format'] = 'dvd+rw-format'
control_triggers['dvd_rw-mediainfo'] = 'dvd+rw-mediainfo'
control_triggers['dvd_rw-booktype'] = 'dvd+rw-booktype'
@@ -50,7 +50,7 @@ class control:
Query possible values from control in order to perform check of
parameter passed to constructor.
'''
values = list()
values = []
popen_call = ['/usr/sbin/control', self.control_name, 'list']
with subprocess.Popen(popen_call, stdout=subprocess.PIPE, stderr=subprocess.PIPE) as proc:
@@ -68,7 +68,7 @@ class control:
try:
str_status = self.possible_values[int_status]
except IndexError as exc:
logdata = dict()
logdata = {}
logdata['control'] = self.control_name
logdata['value from'] = self.possible_values
logdata['by index'] = int_status
@@ -97,20 +97,20 @@ class control:
if type(self.control_value) == int:
status = self._map_control_status(self.control_value)
if status == None:
logdata = dict()
logdata = {}
logdata['control'] = self.control_name
logdata['inpossible values'] = self.control_value
log('E42', logdata)
return
elif type(self.control_value) == str:
if self.control_value not in self.possible_values:
logdata = dict()
logdata = {}
logdata['control'] = self.control_name
logdata['inpossible values'] = self.control_value
log('E59', logdata)
return
status = self.control_value
logdata = dict()
logdata = {}
logdata['control'] = self.control_name
logdata['status'] = status
log('D68', logdata)
@@ -120,7 +120,7 @@ class control:
with subprocess.Popen(popen_call, stdout=subprocess.PIPE) as proc:
proc.wait()
except:
logdata = dict()
logdata = {}
logdata['control'] = self.control_name
logdata['status'] = status
log('E43', logdata)

4
gpoa/frontend/appliers/envvar.py
View File

@@ -64,7 +64,7 @@ class Envvar:
def _create_action(self, create_dict, envvar_file):
lines_old = envvar_file.readlines()
lines_new = list()
lines_new = []
for name in create_dict:
exist = False
for line in lines_old:
@@ -93,7 +93,7 @@ class Envvar:
with open(self.envvar_file_path, 'r') as f:
lines = f.readlines()
else:
lines = list()
lines = []
file_changed = False
for envvar_object in self.envvars:

57
gpoa/frontend/appliers/file_cp.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2022 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -30,6 +30,8 @@ from util.util import get_homedir
from util.exceptions import NotUNCPathError
from util.paths import UNCPath
import fnmatch
import pwd
import grp
class Files_cp:
def __init__(self, file_obj, file_cache, exe_check, username=None):
@@ -49,7 +51,8 @@ class Files_cp:
self.suppress = str2bool(file_obj.suppress)
self.executable = str2bool(file_obj.executable)
self.username = username
self.fromPathFiles = list()
self.pw = pwd.getpwnam(username) if username else None
self.fromPathFiles = []
if self.fromPath:
if targetPath[-1] == '/' or self.is_pattern(Path(self.fromPath).name):
self.isTargetPathDirectory = True
@@ -77,7 +80,7 @@ class Files_cp:
else:
return targetPath.parent.joinpath('.' + targetPath.name)
except Exception as exc:
logdata = dict()
logdata = {}
logdata['targetPath'] = targetPath
logdata['fromFile'] = fromFile
logdata['exc'] = exc
@@ -94,7 +97,7 @@ class Files_cp:
if fromFilePath.exists():
targetFile.write_bytes(fromFilePath.read_bytes())
except Exception as exc:
logdata = dict()
logdata = {}
logdata['targetFile'] = targetFile
logdata['fromFile'] = fromFile
logdata['exc'] = exc
@@ -125,7 +128,7 @@ class Files_cp:
shutil.os.chmod(targetFile, 0o644)
def _create_action(self):
logdata = dict()
logdata = {}
for fromFile in self.fromPathFiles:
targetFile = None
@@ -134,7 +137,8 @@ class Files_cp:
if targetFile and not targetFile.exists():
self.copy_target_file(targetFile, fromFile)
if self.username:
shutil.chown(targetFile, self.username)
group_name = grp.getgrgid(self.pw.pw_gid).gr_name
chown_home_path(targetFile, username=self.username, group=group_name)
self.set_mod_file(targetFile, fromFile)
logdata['File'] = targetFile
log('D191', logdata)
@@ -149,7 +153,7 @@ class Files_cp:
list_target = [self.targetPath.name]
if self.is_pattern(self.targetPath.name) and self.targetPath.parent.exists() and self.targetPath.parent.is_dir():
list_target = fnmatch.filter([str(x.name) for x in self.targetPath.parent.iterdir() if x.is_file()], self.targetPath.name)
logdata = dict()
logdata = {}
for targetFile in list_target:
targetFile = self.targetPath.parent.joinpath(targetFile)
try:
@@ -165,13 +169,15 @@ class Files_cp:
log('D165', logdata)
def _update_action(self):
logdata = dict()
logdata = {}
for fromFile in self.fromPathFiles:
targetFile = self.get_target_file(self.targetPath, fromFile)
try:
self.copy_target_file(targetFile, fromFile)
if self.username:
shutil.chown(self.targetPath, self.username)
group_name = grp.getgrgid(self.pw.pw_gid).gr_name
chown_home_path(targetFile, username=self.username, group=group_name)
self.set_mod_file(targetFile, fromFile)
logdata['File'] = targetFile
log('D192', logdata)
@@ -200,7 +206,7 @@ class Files_cp:
return False
def get_list_files(self):
logdata = dict()
logdata = {}
logdata['targetPath'] = str(self.targetPath)
fromFilePath = Path(self.fromPath)
if not self.is_pattern(fromFilePath.name):
@@ -254,8 +260,8 @@ class Execution_check():
marker_usage_path_branch = '{}\\{}%'.format(self.__hklm_branch, self.__marker_usage_path_key_name)
self.etension_marker = storage.filter_hklm_entries(etension_marker_branch)
self.marker_usage_path = storage.filter_hklm_entries(marker_usage_path_branch)
self.list_paths = list()
self.list_markers = list()
self.list_paths = []
self.list_markers = []
for marker in self.etension_marker:
self.list_markers.append(marker.data)
for usage_path in self.marker_usage_path:
@@ -266,3 +272,32 @@ class Execution_check():
def get_list_markers(self):
return self.list_markers
def chown_home_path(path: Path, username: str, group: str) -> None:
"""
Change ownership (user and group) of the given path and all its parent
directories up to (but NOT including) the user's home directory.
If the path is not inside the user's home directory, do nothing.
:param path: Path to a file or directory.
:param user: Username to set as owner.
:param group: Group name to set as group.
"""
path = path.resolve()
home_root = Path(get_homedir(username))
# Check if the path is inside user's home directory
if home_root not in path.parents:
return # Not inside user's home - do nothing
# Walk upwards from the given path until just above home_root
current = path
while True:
if current == home_root:
break # do not change ownership of the home directory itself
shutil.chown(current, user=username, group=group)
if current.parent == current: # Safety check: reached root (/)
break
current = current.parent

4
gpoa/frontend/appliers/firewall_rule.py
View File

@@ -20,7 +20,7 @@ from enum import Enum
import subprocess
def getprops(param_list):
props = dict()
props = {}
for entry in param_list:
lentry = entry.lower()
@@ -35,7 +35,7 @@ def getprops(param_list):
def get_ports(param_list):
portlist = list()
portlist = []
for entry in param_list:
lentry = entry.lower()

5
gpoa/frontend/appliers/folder.py
View File

@@ -28,7 +28,7 @@ from util.windows import expand_windows_var
from util.util import get_homedir
def remove_dir_tree(path, delete_files=False, delete_folder=False, delete_sub_folders=False):
content = list()
content = []
for entry in path.iterdir():
content.append(entry)
if entry.is_file() and delete_files:
@@ -77,9 +77,10 @@ class Folder:
self.delete_folder,
self.delete_sub_folders)
def act(self):
if self.hidden_folder == True and str(self.folder_path.name)[0] != '.':
path_components = list(self.folder_path.parts)
path_components = [*self.folder_path.parts]
path_components[-1] = '.' + path_components[-1]
new_folder_path = Path(*path_components)
self.folder_path = new_folder_path

16
gpoa/frontend/appliers/gsettings.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2021 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -53,15 +53,15 @@ class system_gsettings:
__profile_data = 'user-db:user\nsystem-db:policy\nsystem-db:local\n'
def __init__(self, override_file_path):
self.gsettings = list()
self.locks = list()
self.gsettings = []
self.locks = []
self.override_file_path = override_file_path
def append(self, schema, path, data, lock, helper):
if check_existing_gsettings(schema, path):
self.gsettings.append(system_gsetting(schema, path, data, lock, helper))
else:
logdata = dict()
logdata = {}
logdata['schema'] = schema
logdata['path'] = path
logdata['data'] = data
@@ -72,7 +72,7 @@ class system_gsettings:
config = configparser.ConfigParser()
for gsetting in self.gsettings:
logdata = dict()
logdata = {}
logdata['gsetting.schema'] = gsetting.schema
logdata['gsetting.path'] = gsetting.path
logdata['gsetting.value'] = gsetting.value
@@ -132,13 +132,13 @@ def check_existing_gsettings (schema, path):
class user_gsettings:
def __init__(self):
self.gsettings = list()
self.gsettings = []
def append(self, schema, path, value, helper=None):
if check_existing_gsettings(schema, path):
self.gsettings.append(user_gsetting(schema, path, value, helper))
else:
logdata = dict()
logdata = {}
logdata['schema'] = schema
logdata['path'] = path
logdata['data'] = value
@@ -146,7 +146,7 @@ class user_gsettings:
def apply(self):
for gsetting in self.gsettings:
logdata = dict()
logdata = {}
logdata['gsetting.schema'] = gsetting.schema
logdata['gsetting.path'] = gsetting.path
logdata['gsetting.value'] = gsetting.value

4
gpoa/frontend/appliers/ini_file.py
View File

@@ -54,7 +54,7 @@ class Ini_file:
if self.path.is_dir():
return
if self.section not in self.config:
self.config[self.section] = dict()
self.config[self.section] = {}
self.config[self.section][self.key] = self.value
self.config.write()
@@ -85,7 +85,7 @@ class Ini_file:
if self.action == FileAction.REPLACE:
self._create_action()
except Exception as exc:
logdata = dict()
logdata = {}
logdata['action'] = self.action
logdata['exc'] = exc
log('W23', logdata)

4
gpoa/frontend/appliers/netshare.py
View File

@@ -31,7 +31,7 @@ class Networkshare:
def __init__(self, networkshare_obj, username = None):
self.net_full_cmd = ['/usr/bin/net', 'usershare']
self.net_cmd_check = ['/usr/bin/net', 'usershare', 'list']
self.cmd = list()
self.cmd = []
self.name = networkshare_obj.name
self.path = expand_windows_var(networkshare_obj.path, username).replace('\\', '/') if networkshare_obj.path else None
@@ -52,7 +52,7 @@ class Networkshare:
return exc
def _run_net_full_cmd(self):
logdata = dict()
logdata = {}
try:
res = subprocess.check_output(self.net_full_cmd, stderr=subprocess.DEVNULL, encoding='utf-8')
if res:

5
gpoa/frontend/appliers/polkit.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -50,6 +50,7 @@ class polkit:
if os.path.isfile(self.outfile):
os.remove(self.outfile)
return
logdata = {}
try:
template = self.__template_environment.get_template(self.infilename)
text = template.render(**self.args)
@@ -57,12 +58,10 @@ class polkit:
with open(self.outfile, 'w') as f:
f.write(text)
logdata = dict()
logdata['file'] = self.outfile
logdata['arguments'] = self.args
log('D77', logdata)
except Exception as exc:
logdata = dict()
logdata['file'] = self.outfile
logdata['arguments'] = self.args
log('E44', logdata)

17
gpoa/frontend/appliers/systemd.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -34,6 +34,7 @@ class systemd_unit:
self.unit_properties = dbus.Interface(self.unit_proxy, dbus_interface='org.freedesktop.DBus.Properties')
def apply(self):
logdata = {'unit': self.unit_name}
if self.desired_state == 1:
self.manager.UnmaskUnitFiles([self.unit_name], dbus.Boolean(False))
self.manager.EnableUnitFiles([self.unit_name], dbus.Boolean(False), dbus.Boolean(True))
@@ -41,8 +42,6 @@ class systemd_unit:
if self.manager.GetUnitFileState(dbus.String(self.unit_name)) == 'enabled':
return
self.manager.StartUnit(self.unit_name, 'replace')
logdata = dict()
logdata['unit'] = self.unit_name
log('I6', logdata)
# In case the service has 'RestartSec' property set it
@@ -50,27 +49,21 @@ class systemd_unit:
# 'active' so we consider 'activating' a valid state too.
service_state = self._get_state()
if not service_state in ['active', 'activating']:
if service_state not in ('active', 'activating'):
service_timer_name = self.unit_name.replace(".service", ".timer")
self.unit = self.manager.LoadUnit(dbus.String(service_timer_name))
service_state = self._get_state()
if not service_state in ['active', 'activating']:
logdata = dict()
logdata['unit'] = self.unit_name
if service_state not in ('active', 'activating'):
log('E46', logdata)
else:
self.manager.StopUnit(self.unit_name, 'replace')
self.manager.DisableUnitFiles([self.unit_name], dbus.Boolean(False))
self.manager.MaskUnitFiles([self.unit_name], dbus.Boolean(False), dbus.Boolean(True))
logdata = dict()
logdata['unit'] = self.unit_name
log('I6', logdata)
service_state = self._get_state()
if not service_state in ['stopped', 'deactivating', 'inactive']:
logdata = dict()
logdata['unit'] = self.unit_name
if service_state not in ('stopped', 'deactivating', 'inactive'):
log('E46', logdata)
def _get_state(self):

15
gpoa/frontend/chromium_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -34,14 +34,13 @@ class chromium_applier(applier_frontend):
__managed_policies_path = '/etc/chromium/policies/managed'
__recommended_policies_path = '/etc/chromium/policies/recommended'
def __init__(self, storage, sid, username):
def __init__(self, storage, username):
self.storage = storage
self.sid = sid
self.username = username
self._is_machine_name = is_machine_name(self.username)
self.chromium_keys = self.storage.filter_hklm_entries(self.__registry_branch)
self.policies_json = dict()
self.policies_json = {}
self.__module_enabled = check_enabled(
self.storage
@@ -69,7 +68,7 @@ class chromium_applier(applier_frontend):
os.makedirs(self.__managed_policies_path, exist_ok=True)
with open(destfile, 'w') as f:
json.dump(dict_item_to_list(self.policies_json), f)
logdata = dict()
logdata = {}
logdata['destfile'] = destfile
log('D97', logdata)
@@ -77,7 +76,7 @@ class chromium_applier(applier_frontend):
os.makedirs(self.__recommended_policies_path, exist_ok=True)
with open(destfilerec, 'w') as f:
json.dump(dict_item_to_list(recommended__json), f)
logdata = dict()
logdata = {}
logdata['destfilerec'] = destfilerec
log('D97', logdata)
@@ -184,7 +183,7 @@ class chromium_applier(applier_frontend):
'''
Collect dictionaries from registry keys into a general dictionary
'''
counts = dict()
counts = {}
#getting the list of keys to read as an integer
valuename_typeint = self.get_valuename_typeint()
for it_data in chromium_keys:
@@ -212,7 +211,7 @@ class chromium_applier(applier_frontend):
branch[parts[-1]] = str(it_data.data).replace('\\', '/')
except Exception as exc:
logdata = dict()
logdata = {}
logdata['Exception'] = exc
logdata['keyname'] = it_data.keyname
log('D178', logdata)

79
gpoa/frontend/cifs_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2022 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -18,6 +18,7 @@
import jinja2
import os
import pwd
import subprocess
from pathlib import Path
import string
@@ -26,12 +27,12 @@ from .applier_frontend import (
applier_frontend
, check_enabled
)
from util.util import get_homedir, get_uid_by_username
from util.util import get_homedir, get_uid_by_username, get_machine_name
from util.logging import log
def storage_get_drives(storage, sid):
drives = storage.get_drives(sid)
drive_list = list()
def storage_get_drives(storage):
drives = storage.get_drives()
drive_list = []
for drv_obj in drives:
drive_list.append(drv_obj)
@@ -64,7 +65,7 @@ def remove_escaped_quotes(input_string):
class Drive_list:
__alphabet = string.ascii_uppercase
def __init__(self):
self.dict_drives = dict()
self.dict_drives = {}
def __get_letter(self, letter):
slice_letters = set(self.__alphabet[self.__alphabet.find(letter) + 1:]) - set(self.dict_drives.keys())
@@ -124,14 +125,28 @@ class cifs_applier(applier_frontend):
__module_name = 'CIFSApplier'
__module_enabled = True
__module_experimental = False
__dir4clean = '/etc/auto.master.gpupdate.d'
def __init__(self, storage, sid):
self.applier_cifs = cifs_applier_user(storage, sid, None)
def __init__(self, storage):
self.clear_directory_auto_dir()
self.applier_cifs = cifs_applier_user(storage, None)
self.__module_enabled = check_enabled(
storage
, self.__module_name
, self.__module_experimental
)
def clear_directory_auto_dir(self):
path = Path(self.__dir4clean)
if not path.exists():
return
for item in path.iterdir():
try:
if item.is_file() or item.is_symlink():
item.unlink()
except Exception as exc:
log('W37', {'exc': exc})
log('D231')
def apply(self):
if self.__module_enabled:
@@ -161,6 +176,7 @@ class cifs_applier_user(applier_frontend):
__key_link_prefix_user = 'DriveMapsHomeDisableNetUser'
__timeout_user_key = '/Software/BaseALT/Policies/GPUpdate/TimeoutAutofsUser'
__timeout_key = '/Software/BaseALT/Policies/GPUpdate/TimeoutAutofs'
__cifsacl_key = '/Software/BaseALT/Policies/GPUpdate/CifsaclDisable'
__target_mountpoint = '/media/gpupdate'
__target_mountpoint_user = '/run/media'
__mountpoint_dirname = 'drives.system'
@@ -171,9 +187,8 @@ class cifs_applier_user(applier_frontend):
__name_value = 'DriveMapsName'
__name_value_user = 'DriveMapsNameUser'
def __init__(self, storage, sid, username):
def __init__(self, storage, username):
self.storage = storage
self.sid = sid
self.username = username
self.state_home_link = False
self.state_home_link_user = False
@@ -196,10 +211,10 @@ class cifs_applier_user(applier_frontend):
self.__mountpoint_dirname = dirname_system_from_machine if dirname_system_from_machine else self.__mountpoint_dirname
mntTarget = self.__mountpoint_dirname_user
self.keys_cifs_previous_values_user = self.dict_registry_user.get(self.__key_cifs_previous_value,dict())
self.keys_cifs_values_user = self.dict_registry_user.get(name_dir,dict())
self.keys_the_preferences_previous_values_user = self.dict_registry_user.get((self.__key_preferences_previous+self.username),dict()).get('Drives', dict())
self.keys_the_preferences_values_user = self.dict_registry_user.get((self.__key_preferences+self.username),dict()).get('Drives', dict())
self.keys_cifs_previous_values_user = self.dict_registry_user.get(self.__key_cifs_previous_value,{})
self.keys_cifs_values_user = self.dict_registry_user.get(name_dir,{})
self.keys_the_preferences_previous_values_user = self.dict_registry_user.get((self.__key_preferences_previous+self.username),{}).get('Drives', {})
self.keys_the_preferences_values_user = self.dict_registry_user.get((self.__key_preferences+self.username),{}).get('Drives', {})
else:
self.home = self.__target_mountpoint
@@ -208,17 +223,19 @@ class cifs_applier_user(applier_frontend):
self.__mountpoint_dirname = dirname_system.data if dirname_system and dirname_system.data else self.__mountpoint_dirname
mntTarget = self.__mountpoint_dirname
self.keys_cifs_previous_values_machine = self.dict_registry_machine.get(self.__key_cifs_previous_value,dict())
self.keys_cifs_values_machine = self.dict_registry_machine.get(name_dir,dict())
self.keys_the_preferences_previous_values = self.dict_registry_machine.get((self.__key_preferences_previous+'Machine'),dict()).get('Drives', dict())
self.keys_the_preferences_values = self.dict_registry_machine.get((self.__key_preferences+'Machine'),dict()).get('Drives', dict())
self.keys_cifs_previous_values_machine = self.dict_registry_machine.get(self.__key_cifs_previous_value,{})
self.keys_cifs_values_machine = self.dict_registry_machine.get(name_dir,{})
self.keys_the_preferences_previous_values = self.dict_registry_machine.get((self.__key_preferences_previous+'Machine'),{}).get('Drives', {})
self.keys_the_preferences_values = self.dict_registry_machine.get((self.__key_preferences+'Machine'),{}).get('Drives', {})
self.cifsacl_disable = self.storage.get_entry(self.__cifsacl_key, preg=False)
self.mntTarget = mntTarget.translate(str.maketrans({" ": r"\ "}))
conf_file = '{}.conf'.format(sid)
conf_hide_file = '{}_hide.conf'.format(sid)
autofs_file = '{}.autofs'.format(sid)
autofs_hide_file = '{}_hide.autofs'.format(sid)
cred_file = '{}.creds'.format(sid)
file_name = username if username else get_machine_name()
conf_file = '{}.conf'.format(file_name)
conf_hide_file = '{}_hide.conf'.format(file_name)
autofs_file = '{}.autofs'.format(file_name)
autofs_hide_file = '{}_hide.autofs'.format(file_name)
cred_file = '{}.creds'.format(file_name)
self.auto_master_d = Path(self.__auto_dir)
@@ -238,7 +255,7 @@ class cifs_applier_user(applier_frontend):
self.mount_dir = Path(os.path.join(self.home))
self.drives = storage_get_drives(self.storage, self.sid)
self.drives = storage_get_drives(self.storage)
self.template_loader = jinja2.FileSystemLoader(searchpath=self.__template_path)
self.template_env = jinja2.Environment(loader=self.template_loader)
@@ -282,6 +299,10 @@ class cifs_applier_user(applier_frontend):
self.auto_master_d.mkdir(parents=True, exist_ok=True)
# Create user's destination mount directory
self.mount_dir.mkdir(parents=True, exist_ok=True)
uid = pwd.getpwnam(self.username).pw_uid if self.username else None
if uid:
os.chown(self.mount_dir, uid=uid, gid=-1)
self.mount_dir.chmod(0o700)
# Add pointer to /etc/auto.master.gpiupdate.d in /etc/auto.master
auto_destdir = '+dir:{}'.format(self.__auto_dir)
@@ -290,7 +311,7 @@ class cifs_applier_user(applier_frontend):
# Collect data for drive settings
drive_list = Drive_list()
for drv in self.drives:
drive_settings = dict()
drive_settings = {}
drive_settings['dir'] = drv.dir
drive_settings['login'] = drv.login
drive_settings['password'] = drv.password
@@ -301,11 +322,13 @@ class cifs_applier_user(applier_frontend):
drive_settings['label'] = remove_escaped_quotes(drv.label)
drive_settings['persistent'] = drv.persistent
drive_settings['useLetter'] = drv.useLetter
drive_settings['username'] = self.username
drive_settings['cifsacl'] = False if self.cifsacl_disable else True
drive_list.append(drive_settings)
if drive_list.len() > 0:
mount_settings = dict()
mount_settings = {}
mount_settings['drives'] = drive_list()
mount_text = self.template_mountpoints.render(**mount_settings)
@@ -321,7 +344,7 @@ class cifs_applier_user(applier_frontend):
f.write(mount_text_hide)
f.flush()
autofs_settings = dict()
autofs_settings = {}
autofs_settings['home_dir'] = self.home
autofs_settings['mntTarget'] = self.mntTarget
autofs_settings['mount_file'] = self.user_config.resolve()
@@ -445,8 +468,6 @@ class cifs_applier_user(applier_frontend):
self.unlink_symlink(dMachineHide)
def admin_context_apply(self):
if self.__module_enabled:
log('D146')

16
gpoa/frontend/control_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -33,7 +33,7 @@ class control_applier(applier_frontend):
def __init__(self, storage):
self.storage = storage
self.control_settings = self.storage.filter_hklm_entries(self._registry_branch)
self.controls = list()
self.controls = []
self.__module_enabled = check_enabled(
self.storage
, self.__module_name
@@ -45,9 +45,7 @@ class control_applier(applier_frontend):
valuename = setting.hive_key.rpartition('/')[2]
try:
self.controls.append(control(valuename, int(setting.data)))
logdata = dict()
logdata['control'] = valuename
logdata['value'] = setting.data
logdata = {'control': valuename, 'value': setting.data}
log('I3', logdata)
except ValueError as exc:
try:
@@ -57,14 +55,10 @@ class control_applier(applier_frontend):
log('I3', logdata)
continue
self.controls.append(ctl)
logdata = dict()
logdata['control'] = valuename
logdata['with string value'] = setting.data
logdata = {'control': valuename, 'with string value': setting.data}
log('I3', logdata)
except Exception as exc:
logdata = dict()
logdata['control'] = valuename
logdata['exc'] = exc
logdata = {'control': valuename, 'exc': exc}
log('E39', logdata)
#for e in polfile.pol_file.entries:
# print('{}:{}:{}:{}:{}'.format(e.type, e.data, e.valuename, e.keyname))

26
gpoa/frontend/cups_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -26,12 +26,12 @@ from gpt.printers import json2printer
from util.rpm import is_rpm_installed
from util.logging import log
def storage_get_printers(storage, sid):
def storage_get_printers(storage):
'''
Query printers configuration from storage
'''
printer_objs = storage.get_printers(sid)
printers = list()
printer_objs = storage.get_printers()
printers = []
for prnj in printer_objs:
printers.append(prnj)
@@ -62,8 +62,8 @@ def connect_printer(connection, prn):
class cups_applier(applier_frontend):
__module_name = 'CUPSApplier'
__module_experimental = True
__module_enabled = False
__module_experimental = False
__module_enabled = True
def __init__(self, storage):
self.storage = storage
@@ -80,10 +80,9 @@ class cups_applier(applier_frontend):
try:
self.cups_connection = cups.Connection()
except Exception as exc:
logdata = dict()
logdata['exc', exc]
logdata = {'exc': exc}
log('W20', logdata)
self.printers = storage_get_printers(self.storage, self.storage.get_info('machine_sid'))
self.printers = storage_get_printers(self.storage)
if self.printers:
for prn in self.printers:
@@ -101,12 +100,11 @@ class cups_applier(applier_frontend):
class cups_applier_user(applier_frontend):
__module_name = 'CUPSApplierUser'
__module_experimental = True
__module_enabled = False
__module_experimental = False
__module_enabled = True
def __init__(self, storage, sid, username):
def __init__(self, storage, username):
self.storage = storage
self.sid = sid
self.username = username
self.__module_enabled = check_enabled(
self.storage
@@ -127,7 +125,7 @@ class cups_applier_user(applier_frontend):
return
self.cups_connection = cups.Connection()
self.printers = storage_get_printers(self.storage, self.sid)
self.printers = storage_get_printers(self.storage)
if self.printers:
for prn in self.printers:

12
gpoa/frontend/envvar_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -29,10 +29,9 @@ class envvar_applier(applier_frontend):
__module_experimental = False
__module_enabled = True
def __init__(self, storage, sid):
def __init__(self, storage):
self.storage = storage
self.sid = sid
self.envvars = self.storage.get_envvars(self.sid)
self.envvars = self.storage.get_envvars()
Envvar.clear_envvar_file()
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
@@ -49,11 +48,10 @@ class envvar_applier_user(applier_frontend):
__module_experimental = False
__module_enabled = True
def __init__(self, storage, sid, username):
def __init__(self, storage, username):
self.storage = storage
self.sid = sid
self.username = username
self.envvars = self.storage.get_envvars(self.sid)
self.envvars = self.storage.get_envvars()
Envvar.clear_envvar_file(username)
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)

20
gpoa/frontend/file_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2022 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -28,15 +28,14 @@ from util.logging import log
class file_applier(applier_frontend):
__module_name = 'FilesApplier'
__module_experimental = True
__module_enabled = False
__module_experimental = False
__module_enabled = True
def __init__(self, storage, file_cache, sid):
def __init__(self, storage, file_cache):
self.storage = storage
self.exe_check = Execution_check(storage)
self.sid = sid
self.file_cache = file_cache
self.files = self.storage.get_files(self.sid)
self.files = self.storage.get_files()
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
def run(self):
@@ -52,16 +51,15 @@ class file_applier(applier_frontend):
class file_applier_user(applier_frontend):
__module_name = 'FilesApplierUser'
__module_experimental = True
__module_enabled = False
__module_experimental = False
__module_enabled = True
def __init__(self, storage, file_cache, sid, username):
def __init__(self, storage, file_cache, username):
self.storage = storage
self.file_cache = file_cache
self.sid = sid
self.username = username
self.exe_check = Execution_check(storage)
self.files = self.storage.get_files(self.sid)
self.files = self.storage.get_files()
self.__module_enabled = check_enabled(
self.storage
, self.__module_name

26
gpoa/frontend/firefox_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -42,15 +42,14 @@ class firefox_applier(applier_frontend):
__registry_branch = 'Software/Policies/Mozilla/Firefox'
__firefox_policies = '/etc/firefox/policies'
def __init__(self, storage, sid, username):
def __init__(self, storage, username):
self.storage = storage
self.sid = sid
self.username = username
self._is_machine_name = is_machine_name(self.username)
self.policies = dict()
self.policies_json = dict({ 'policies': self.policies })
self.policies = {}
self.policies_json = {'policies': self.policies}
self.firefox_keys = self.storage.filter_hklm_entries(self.__registry_branch)
self.policies_gen = dict()
self.policies_gen = {}
self.__module_enabled = check_enabled(
self.storage
, self.__module_name
@@ -69,8 +68,7 @@ class firefox_applier(applier_frontend):
os.makedirs(self.__firefox_policies, exist_ok=True)
with open(destfile, 'w') as f:
json.dump(self.policies_json, f)
logdata = dict()
logdata['destfile'] = destfile
logdata = {'destfile': destfile}
log('D91', logdata)
def apply(self):
@@ -112,13 +110,13 @@ def clean_data_firefox(data):
def create_dict(firefox_keys, registry_branch, excp=list()):
def create_dict(firefox_keys, registry_branch, excp=[]):
'''
Collect dictionaries from registry keys into a general dictionary
'''
get_boolean = lambda data: data in ['0', 'false', None, 'none', 0] if isinstance(data, (str, int)) else False
get_boolean = lambda data: data in ['1', 'true', 'True', True, 1] if isinstance(data, (str, int)) else False
get_parts = lambda hivekey, registry: hivekey.replace(registry, '').split('/')
counts = dict()
counts = {}
for it_data in firefox_keys:
branch = counts
try:
@@ -153,7 +151,7 @@ def create_dict(firefox_keys, registry_branch, excp=list()):
for part in parts[:-1]:
branch = branch.setdefault(part, {})
if branch.get(parts[-1]) is None:
branch[parts[-1]] = list()
branch[parts[-1]] = []
if it_data.type == 4:
branch[parts[-1]].append(get_boolean(it_data.data))
else:
@@ -162,9 +160,7 @@ def create_dict(firefox_keys, registry_branch, excp=list()):
else:
branch[parts[-1]].append(str(it_data.data))
except Exception as exc:
logdata = dict()
logdata['Exception'] = exc
logdata['keyname'] = it_data.keyname
logdata = {'Exception': exc, 'keyname': it_data.keyname}
log('W14', logdata)
return {'policies': dict_item_to_list(counts)}

12
gpoa/frontend/folder_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -31,10 +31,9 @@ class folder_applier(applier_frontend):
__module_experimental = False
__module_enabled = True
def __init__(self, storage, sid):
def __init__(self, storage):
self.storage = storage
self.sid = sid
self.folders = self.storage.get_folders(self.sid)
self.folders = self.storage.get_folders()
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
def apply(self):
@@ -57,11 +56,10 @@ class folder_applier_user(applier_frontend):
__module_experimental = False
__module_enabled = True
def __init__(self, storage, sid, username):
def __init__(self, storage, username):
self.storage = storage
self.sid = sid
self.username = username
self.folders = self.storage.get_folders(self.sid)
self.folders = self.storage.get_folders()
self.__module_enabled = check_enabled(
self.storage
, self.__module_name

81
gpoa/frontend/frontend_manager.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -73,11 +73,11 @@ from .kde_applier import (
kde_applier
, kde_applier_user
)
from .laps_applier import laps_applier
from .networkshare_applier import networkshare_applier
from .yandex_browser_applier import yandex_browser_applier
from util.sid import get_sid
from util.users import (
is_root,
get_process_user,
@@ -96,16 +96,15 @@ def determine_username(username=None):
# If username is not set then it will be the name
# of process owner.
logdata = {'username': name}
if not username:
name = get_process_user()
logdata = dict({'username': name})
log('D2', logdata)
if not username_match_uid(name):
if not is_root():
raise Exception('Current process UID does not match specified username')
logdata = dict({'username': name})
log('D15', logdata)
return name
@@ -117,9 +116,7 @@ def apply_user_context(user_appliers):
try:
applier_object.user_context_apply()
except Exception as exc:
logdata = dict()
logdata['applier'] = applier_name
logdata['exception'] = str(exc)
logdata = {'applier': applier_name, 'exception': str(exc)}
log('E20', logdata)
class frontend_manager:
@@ -133,7 +130,6 @@ class frontend_manager:
self.storage = registry_factory('dconf', username=self.username)
self.is_machine = is_machine
self.process_uname = get_process_user()
self.sid = get_sid(self.storage.get_info('domain'), self.username, is_machine)
self.file_cache = fs_file_cache('file_cache', self.username)
self.machine_appliers = dict()
@@ -144,55 +140,52 @@ class frontend_manager:
self._init_user_appliers()
def _init_machine_appliers(self):
self.machine_appliers['laps_applier'] = laps_applier(self.storage)
self.machine_appliers['control'] = control_applier(self.storage)
self.machine_appliers['polkit'] = polkit_applier(self.storage)
self.machine_appliers['systemd'] = systemd_applier(self.storage)
self.machine_appliers['firefox'] = firefox_applier(self.storage, self.sid, self.username)
self.machine_appliers['thunderbird'] = thunderbird_applier(self.storage, self.sid, self.username)
self.machine_appliers['chromium'] = chromium_applier(self.storage, self.sid, self.username)
self.machine_appliers['yandex_browser'] = yandex_browser_applier(self.storage, self.sid, self.username)
self.machine_appliers['firefox'] = firefox_applier(self.storage, self.username)
self.machine_appliers['thunderbird'] = thunderbird_applier(self.storage, self.username)
self.machine_appliers['chromium'] = chromium_applier(self.storage, self.username)
self.machine_appliers['yandex_browser'] = yandex_browser_applier(self.storage, self.username)
self.machine_appliers['shortcuts'] = shortcut_applier(self.storage)
self.machine_appliers['gsettings'] = gsettings_applier(self.storage, self.file_cache)
try:
self.machine_appliers['cifs'] = cifs_applier(self.storage, self.sid)
self.machine_appliers['cifs'] = cifs_applier(self.storage)
except Exception as exc:
logdata = dict()
logdata['applier_name'] = 'cifs'
logdata['msg'] = str(exc)
logdata = {'applier_name': 'cifs', 'msg': str(exc)}
log('E24', logdata)
self.machine_appliers['cups'] = cups_applier(self.storage)
self.machine_appliers['firewall'] = firewall_applier(self.storage)
self.machine_appliers['folders'] = folder_applier(self.storage, self.sid)
self.machine_appliers['folders'] = folder_applier(self.storage)
self.machine_appliers['ntp'] = ntp_applier(self.storage)
self.machine_appliers['envvar'] = envvar_applier(self.storage, self.sid)
self.machine_appliers['networkshare'] = networkshare_applier(self.storage, self.sid)
self.machine_appliers['scripts'] = scripts_applier(self.storage, self.sid)
self.machine_appliers['files'] = file_applier(self.storage, self.file_cache, self.sid)
self.machine_appliers['ini'] = ini_applier(self.storage, self.sid)
self.machine_appliers['envvar'] = envvar_applier(self.storage)
self.machine_appliers['networkshare'] = networkshare_applier(self.storage)
self.machine_appliers['scripts'] = scripts_applier(self.storage)
self.machine_appliers['files'] = file_applier(self.storage, self.file_cache)
self.machine_appliers['ini'] = ini_applier(self.storage)
self.machine_appliers['kde'] = kde_applier(self.storage)
self.machine_appliers['package'] = package_applier(self.storage)
def _init_user_appliers(self):
# User appliers are expected to work with user-writable
# files and settings, mostly in $HOME.
self.user_appliers['shortcuts'] = shortcut_applier_user(self.storage, self.sid, self.username)
self.user_appliers['folders'] = folder_applier_user(self.storage, self.sid, self.username)
self.user_appliers['gsettings'] = gsettings_applier_user(self.storage, self.file_cache, self.sid, self.username)
self.user_appliers['shortcuts'] = shortcut_applier_user(self.storage, self.username)
self.user_appliers['folders'] = folder_applier_user(self.storage, self.username)
self.user_appliers['gsettings'] = gsettings_applier_user(self.storage, self.file_cache, self.username)
try:
self.user_appliers['cifs'] = cifs_applier_user(self.storage, self.sid, self.username)
self.user_appliers['cifs'] = cifs_applier_user(self.storage, self.username)
except Exception as exc:
logdata = dict()
logdata['applier_name'] = 'cifs'
logdata['msg'] = str(exc)
logdata = {'applier_name': 'cifs', 'msg': str(exc)}
log('E25', logdata)
self.user_appliers['polkit'] = polkit_applier_user(self.storage, self.sid, self.username)
self.user_appliers['envvar'] = envvar_applier_user(self.storage, self.sid, self.username)
self.user_appliers['networkshare'] = networkshare_applier(self.storage, self.sid, self.username)
self.user_appliers['scripts'] = scripts_applier_user(self.storage, self.sid, self.username)
self.user_appliers['files'] = file_applier_user(self.storage, self.file_cache, self.sid, self.username)
self.user_appliers['ini'] = ini_applier_user(self.storage, self.sid, self.username)
self.user_appliers['kde'] = kde_applier_user(self.storage, self.sid, self.username, self.file_cache)
self.user_appliers['package'] = package_applier_user(self.storage, self.sid, self.username)
self.user_appliers['polkit'] = polkit_applier_user(self.storage, self.username)
self.user_appliers['envvar'] = envvar_applier_user(self.storage, self.username)
self.user_appliers['networkshare'] = networkshare_applier(self.storage, self.username)
self.user_appliers['scripts'] = scripts_applier_user(self.storage, self.username)
self.user_appliers['files'] = file_applier_user(self.storage, self.file_cache, self.username)
self.user_appliers['ini'] = ini_applier_user(self.storage, self.username)
self.user_appliers['kde'] = kde_applier_user(self.storage, self.username, self.file_cache)
self.user_appliers['package'] = package_applier_user(self.storage, self.username)
def machine_apply(self):
'''
@@ -207,9 +200,7 @@ class frontend_manager:
try:
applier_object.apply()
except Exception as exc:
logdata = dict()
logdata['applier_name'] = applier_name
logdata['msg'] = str(exc)
logdata = {'applier_name': applier_name, 'msg': str(exc)}
log('E24', logdata)
def user_apply(self):
@@ -221,24 +212,20 @@ class frontend_manager:
try:
applier_object.admin_context_apply()
except Exception as exc:
logdata = dict()
logdata['applier'] = applier_name
logdata['exception'] = str(exc)
logdata = {'applier': applier_name, 'exception': str(exc)}
log('E19', logdata)
try:
with_privileges(self.username, lambda: apply_user_context(self.user_appliers))
except Exception as exc:
logdata = dict()
logdata['username'] = self.username
logdata['exception'] = str(exc)
logdata = {'username': self.username, 'exception': str(exc)}
log('E30', logdata)
else:
for applier_name, applier_object in self.user_appliers.items():
try:
applier_object.user_context_apply()
except Exception as exc:
logdata = dict({'applier_name': applier_name, 'message': str(exc)})
logdata = {'applier_name': applier_name, 'message': str(exc)}
log('E11', logdata)
def apply_parameters(self):

39
gpoa/frontend/gsettings_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -40,10 +40,7 @@ def uri_fetch(schema, path, value, cache):
Function to fetch and cache uri
'''
retval = value
logdata = dict()
logdata['schema'] = schema
logdata['path'] = path
logdata['src'] = value
logdata = {'schema': schema, 'path': path, 'src': value}
try:
retval = cache.get(value)
if not retval:
@@ -78,7 +75,7 @@ class gsettings_applier(applier_frontend):
self.override_file = os.path.join(self.__global_schema, self.__override_priority_file)
self.override_old_file = os.path.join(self.__global_schema, self.__override_old_file)
self.gsettings = system_gsettings(self.override_file)
self.locks = dict()
self.locks = {}
self.__module_enabled = check_enabled(
self.storage
, self.__module_name
@@ -89,8 +86,7 @@ class gsettings_applier(applier_frontend):
try:
self.file_cache.store(data)
except Exception as exc:
logdata = dict()
logdata['exception'] = str(exc)
logdata = {'exception': str(exc)}
log('D145', logdata)
def uri_fetch_helper(self, schema, path, value):
@@ -158,10 +154,9 @@ class GSettingsMapping:
self.gsettings_schema_key = self.schema.get_key(self.gsettings_key)
self.gsettings_type = self.gsettings_schema_key.get_value_type()
except Exception as exc:
logdata = dict()
logdata['hive_key'] = self.hive_key
logdata['gsettings_schema'] = self.gsettings_schema
logdata['gsettings_key'] = self.gsettings_key
logdata = {'hive_key': self.hive_key,
'gsettings_schema': self.gsettings_schema,
'gsettings_key': self.gsettings_key}
log('W6', logdata)
def preg2gsettings(self):
@@ -185,19 +180,18 @@ class gsettings_applier_user(applier_frontend):
__wallpaper_entry = 'Software/BaseALT/Policies/gsettings/org.mate.background.picture-filename'
__vino_authentication_methods_entry = 'Software/BaseALT/Policies/gsettings/org.gnome.Vino.authentication-methods'
def __init__(self, storage, file_cache, sid, username):
def __init__(self, storage, file_cache, username):
self.storage = storage
self.file_cache = file_cache
self.sid = sid
self.username = username
gsettings_filter = '{}%'.format(self.__registry_branch)
self.gsettings_keys = self.storage.filter_hkcu_entries(self.sid, gsettings_filter)
self.gsettings_keys = self.storage.filter_hkcu_entries(gsettings_filter)
self.gsettings = user_gsettings()
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
self.__windows_mapping_enabled = check_windows_mapping_enabled(self.storage)
self.__windows_settings = dict()
self.windows_settings = list()
self.__windows_settings = {}
self.windows_settings = []
mapping = [
# Disable or enable screen saver
GSettingsMapping(
@@ -232,11 +226,9 @@ class gsettings_applier_user(applier_frontend):
def windows_mapping_append(self):
for setting_key in self.__windows_settings.keys():
value = self.storage.get_hkcu_entry(self.sid, setting_key)
value = self.storage.get_hkcu_entry(setting_key)
if value:
logdata = dict()
logdata['setting_key'] = setting_key
logdata['value.data'] = value.data
logdata = {'setting_key': setting_key, 'value.data': value.data}
log('D86', logdata)
mapping = self.__windows_settings[setting_key]
try:
@@ -280,14 +272,13 @@ class gsettings_applier_user(applier_frontend):
# Cache files on remote locations
try:
entry = self.__wallpaper_entry
filter_result = self.storage.get_hkcu_entry(self.sid, entry)
filter_result = self.storage.get_hkcu_entry(entry)
if filter_result and filter_result.data:
self.file_cache.store(filter_result.data)
except NotUNCPathError:
...
except Exception as exc:
logdata = dict()
logdata['exception'] = str(exc)
logdata = {'exception': str(exc)}
log('E50', logdata)

20
gpoa/frontend/ini_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -26,13 +26,12 @@ from util.logging import log
class ini_applier(applier_frontend):
__module_name = 'InifilesApplier'
__module_experimental = True
__module_enabled = False
__module_experimental = False
__module_enabled = True
def __init__(self, storage, sid):
def __init__(self, storage):
self.storage = storage
self.sid = sid
self.inifiles_info = self.storage.get_ini(self.sid)
self.inifiles_info = self.storage.get_ini()
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
def run(self):
@@ -48,14 +47,13 @@ class ini_applier(applier_frontend):
class ini_applier_user(applier_frontend):
__module_name = 'InifilesApplierUser'
__module_experimental = True
__module_enabled = False
__module_experimental = False
__module_enabled = True
def __init__(self, storage, sid, username):
self.sid = sid
def __init__(self, storage, username):
self.username = username
self.storage = storage
self.inifiles_info = self.storage.get_ini(self.sid)
self.inifiles_info = self.storage.get_ini()
self.__module_enabled = check_enabled(
self.storage
, self.__module_name

138
gpoa/frontend/kde_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -24,6 +24,7 @@ import os
import subprocess
import re
import dbus
import shutil
class kde_applier(applier_frontend):
__module_name = 'KdeApplier'
@@ -61,24 +62,25 @@ class kde_applier_user(applier_frontend):
__module_name = 'KdeApplierUser'
__module_experimental = True
__module_enabled = False
kde_version = None
__hkcu_branch = 'Software/BaseALT/Policies/KDE'
__hkcu_lock_branch = 'Software/BaseALT/Policies/KDELocks'
__plasma_update_entry = 'Software/BaseALT/Policies/KDE/Plasma/Update'
def __init__(self, storage, sid=None, username=None, file_cache = None):
def __init__(self, storage, username=None, file_cache = None):
self.storage = storage
self.username = username
self.sid = sid
self.file_cache = file_cache
self.locks_dict = {}
self.locks_data_dict = {}
self.all_kde_settings = {}
kde_applier_user.kde_version = get_kde_version()
kde_filter = '{}%'.format(self.__hkcu_branch)
locks_filter = '{}%'.format(self.__hkcu_lock_branch)
self.locks_settings = self.storage.filter_hkcu_entries(self.sid, locks_filter)
self.locks_settings = self.storage.filter_hkcu_entries(locks_filter)
self.plasma_update = self.storage.get_entry(self.__plasma_update_entry)
self.plasma_update_flag = self.plasma_update.data if self.plasma_update is not None else 0
self.kde_settings = self.storage.filter_hkcu_entries(self.sid, kde_filter)
self.kde_settings = self.storage.filter_hkcu_entries(kde_filter)
self.__module_enabled = check_enabled(
self.storage,
self.__module_name,
@@ -94,8 +96,7 @@ class kde_applier_user(applier_frontend):
break
self.file_cache.store(data)
except Exception as exc:
logdata = dict()
logdata['exc'] = exc
logdata = {'exc': exc}
def user_context_apply(self):
'''
@@ -108,6 +109,37 @@ class kde_applier_user(applier_frontend):
else:
log('D201')
dbus_methods_mapping = {
'kscreenlockerrc': {
'dbus_service': 'org.kde.screensaver',
'dbus_path': '/ScreenSaver',
'dbus_interface': 'org.kde.screensaver',
'dbus_method': 'configure'
},
'wallpaper': {
'dbus_service': 'org.freedesktop.systemd1',
'dbus_path': '/org/freedesktop/systemd1',
'dbus_interface': 'org.freedesktop.systemd1.Manager',
'dbus_method': 'RestartUnit',
'dbus_args': ['plasma-plasmashell.service', 'replace']
}
}
def get_kde_version():
try:
kinfo_path = shutil.which("kinfo", path="/usr/lib/kf5/bin:/usr/bin")
if not kinfo_path:
raise FileNotFoundError("Unable to find kinfo")
output = subprocess.check_output([kinfo_path], text=True, env={'LANG':'C'})
for line in output.splitlines():
if "KDE Frameworks Version" in line:
frameworks_version = line.split(":", 1)[1].strip()
major_frameworks_version = int(frameworks_version.split(".")[0])
return major_frameworks_version
except:
return None
def create_dict(kde_settings, all_kde_settings, locks_settings, locks_dict, file_cache = None, username = None, plasmaupdate = False):
for locks in locks_settings:
locks_dict[locks.valuename] = locks.data
@@ -118,23 +150,18 @@ def create_dict(kde_settings, all_kde_settings, locks_settings, locks_dict, file
if file_name == 'wallpaper':
apply_for_wallpaper(data, file_cache, username, plasmaupdate)
else:
if file_name not in all_kde_settings:
all_kde_settings[file_name] = {}
if section not in all_kde_settings[file_name]:
all_kde_settings[file_name][section] = {}
all_kde_settings[file_name][section][value] = data
all_kde_settings.setdefault(file_name, {}).setdefault(section, {})[value] = data
except Exception as exc:
logdata = dict()
logdata['file_name'] = file_name
logdata['section'] = section
logdata['value'] = value
logdata['data'] = data
logdata['exc'] = exc
logdata = {'file_name': file_name,
'section': section,
'value': value,
'data': data,
'exc': exc}
log('W16', logdata)
def apply(all_kde_settings, locks_dict, username = None):
logdata = dict()
logdata = {}
modified_files = set()
if username is None:
system_path_settings = '/etc/xdg/'
system_files = [
@@ -160,11 +187,12 @@ def apply(all_kde_settings, locks_dict, username = None):
file.write(f'[{section}]\n')
for key, value in keys.items():
lock = f"{file_name}.{section}.{key}".replace('][', ')(')
if lock in locks_dict and locks_dict[lock] == 1:
if locks_dict.get(lock) == 1:
file.write(f'{key}[$i]={value}\n')
else:
file.write(f'{key}={value}\n')
file.write('\n')
modified_files.add(file_name)
else:
for file_name, sections in all_kde_settings.items():
path = f'{get_homedir(username)}/.config/{file_name}'
@@ -178,7 +206,7 @@ def apply(all_kde_settings, locks_dict, username = None):
lock = f"{file_name}.{section}.{key}"
if lock in locks_dict and locks_dict[lock] == 1:
command = [
'kwriteconfig5',
f'kwriteconfig{kde_applier_user.kde_version}',
'--file', file_name,
'--group', section,
'--key', key +'/$i/',
@@ -187,7 +215,7 @@ def apply(all_kde_settings, locks_dict, username = None):
]
else:
command = [
'kwriteconfig5',
f'kwriteconfig{kde_applier_user.kde_version}',
'--file', file_name,
'--group', section,
'--key', key,
@@ -196,9 +224,11 @@ def apply(all_kde_settings, locks_dict, username = None):
]
try:
clear_locks_settings(username, file_name, key)
subprocess.run(command, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
env_path = dict(os.environ)
env_path["PATH"] = "/usr/lib/kf5/bin:/usr/bin"
subprocess.run(command, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env_path)
except:
logdata['command'] = command
logdata = {'command': command}
log('W22', logdata)
new_content = []
file_path = f'{get_homedir(username)}/.config/{file_name}'
@@ -214,6 +244,9 @@ def apply(all_kde_settings, locks_dict, username = None):
except Exception as exc:
logdata['exc'] = exc
log('W19', logdata)
modified_files.add(file_name)
for file_name in modified_files:
call_dbus_method(file_name)
def clear_locks_settings(username, file_name, key):
'''
@@ -228,15 +261,14 @@ def clear_locks_settings(username, file_name, key):
file.write(line)
for line in lines:
if f'{key}[$i]=' in line:
logdata = dict()
logdata['line'] = line.strip()
logdata = {'line': line.strip()}
log('I10', logdata)
def apply_for_wallpaper(data, file_cache, username, plasmaupdate):
'''
Method to change wallpaper
'''
logdata = dict()
logdata = {}
path_to_wallpaper = f'{get_homedir(username)}/.config/plasma-org.kde.plasma.desktop-appletsrc'
id_desktop = get_id_desktop(path_to_wallpaper)
try:
@@ -260,13 +292,15 @@ def apply_for_wallpaper(data, file_cache, username, plasmaupdate):
os.environ["DISPLAY"] = ":0"
#Variable for command execution plasma-apply-colorscheme
os.environ["XDG_RUNTIME_DIR"] = f"/run/user/{os.getuid()}"
os.environ["DBUS_SESSION_BUS_ADDRESS"] = f"unix:path=/run/user/{os.getuid()}/bus"#plasma-apply-wallpaperimage
os.environ["PATH"] = "/usr/lib/kf5/bin:"
os.environ["DBUS_SESSION_BUS_ADDRESS"] = f"unix:path=/run/user/{os.getuid()}/bus"#plasma-apply-wallpaperimage
env_path = dict(os.environ)
env_path["PATH"] = "/usr/lib/kf5/bin:/usr/bin"
#environment variable for accessing binary files without hard links
if not flag:
if os.path.isfile(path_to_wallpaper):
command = [
'kwriteconfig5',
f'kwriteconfig{kde_applier_user.kde_version}',
'--file', 'plasma-org.kde.plasma.desktop-appletsrc',
'--group', 'Containments',
'--group', id_desktop,
@@ -278,26 +312,20 @@ def apply_for_wallpaper(data, file_cache, username, plasmaupdate):
data
]
try:
subprocess.run(command, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
subprocess.run(command, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env_path)
except:
logdata['command'] = command
logdata = {'command': command}
log('E68', logdata)
if plasmaupdate == 1:
try:
session_bus = dbus.SessionBus()
plasma_shell = session_bus.get_object('org.kde.plasmashell', '/PlasmaShell', introspect='org.kde.PlasmaShell')
plasma_shell_iface = dbus.Interface(plasma_shell, 'org.kde.PlasmaShell')
plasma_shell_iface.refreshCurrentShell()
except:
pass
call_dbus_method("wallpaper")
else:
logdata['file'] = path_to_wallpaper
logdata = {'file': path_to_wallpaper}
log('W21', logdata)
except OSError as exc:
logdata['exc'] = exc
logdata = {'exc': exc}
log('W17', logdata)
except Exception as exc:
logdata['exc'] = exc
logdata = {'exc': exc}
log('E67', logdata)
def get_id_desktop(path_to_wallpaper):
@@ -309,9 +337,27 @@ def get_id_desktop(path_to_wallpaper):
with open(path_to_wallpaper, 'r') as file:
file_content = file.read()
match = re.search(pattern, file_content)
if match:
return match.group(1)
else:
return None
return match.group(1) if match else None
except:
return None
def call_dbus_method(file_name):
'''
Method to call D-Bus method based on the file name
'''
os.environ["DBUS_SESSION_BUS_ADDRESS"] = f"unix:path=/run/user/{os.getuid()}/bus"
if file_name in dbus_methods_mapping:
config = dbus_methods_mapping[file_name]
try:
session_bus = dbus.SessionBus()
dbus_object = session_bus.get_object(config['dbus_service'], config['dbus_path'])
dbus_iface = dbus.Interface(dbus_object, config['dbus_interface'])
if 'dbus_args' in config:
getattr(dbus_iface, config['dbus_method'])(*config['dbus_args'])
else:
getattr(dbus_iface, config['dbus_method'])()
except dbus.exceptions.DBusException as exc:
logdata = {'error': str(exc)}
log('E31', logdata)
else:
pass

755
gpoa/frontend/laps_applier.py Normal file
View File

@@ -0,0 +1,755 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from .applier_frontend import (
applier_frontend,
check_enabled
)
import struct
from datetime import datetime, timedelta
import dpapi_ng
from util.util import remove_prefix_from_keys, check_local_user_exists
from util.sid import WellKnown21RID
import subprocess
import ldb
import string
import secrets
import os
import psutil
from util.logging import log
import logging
import re
from datetime import timezone
from dateutil import tz
_DATEUTIL_AVAILABLE = False
try:
from dateutil import tz
_DATEUTIL_AVAILABLE = True
except ImportError:
pass
class laps_applier(applier_frontend):
"""
LAPS (Local Administrator Password Solution) implementation for managing
and automatically rotating administrator passwords.
"""
# Time calculation constants
# Number of seconds between the Windows epoch (1601-01-01 00:00:00 UTC)
# and the Unix epoch (1970-01-01 00:00:00 UTC).
# Used to convert between Unix timestamps and Windows FileTime.
_EPOCH_TIMESTAMP = 11644473600
# Number of 100-nanosecond intervals per second.
# Used to convert seconds to Windows FileTime format.
_HUNDREDS_OF_NANOSECONDS = 10000000
# Number of 100-nanosecond intervals in one day
_DAY_FLOAT = 8.64e11
# Module configuration
__module_name = 'LapsApplier'
__module_experimental = True
__module_enabled = False
# Registry paths
_WINDOWS_REGISTRY_PATH = 'SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/LAPS/'
_ALT_REGISTRY_PATH = 'Software/BaseALT/Policies/Laps/'
# LDAP attributes
_ATTR_ENCRYPTED_PASSWORD = 'msLAPS-EncryptedPassword'
_ATTR_PASSWORD_EXPIRATION_TIME = 'msLAPS-PasswordExpirationTime'
# dconf key for password modification time
_KEY_PASSWORD_LAST_MODIFIED = '/Software/BaseALT/Policies/Laps/PasswordLastModified/'
# Password complexity levels
_PASSWORD_COMPLEXITY = {
1: string.ascii_uppercase,
2: string.ascii_letters,
3: string.ascii_letters + string.digits,
4: string.ascii_letters + string.digits + string.punctuation
}
# Post-authentication actions
_ACTION_NONE = 0
_ACTION_CHANGE_PASSWORD = 1
_ACTION_TERMINATE_SESSIONS = 3
_ACTION_REBOOT = 5
def __init__(self, storage):
"""
Initialize the LAPS applier with configuration from registry.
Args:
storage: Storage object containing registry entries and system information
"""
self.storage = storage
# Load registry configuration
if not self._load_configuration():
self.__module_enabled = False
return
if not self._check_requirements():
log('W29')
self.__module_enabled = False
return
# Initialize system connections and parameters
self._initialize_system_parameters()
# Check if module is enabled in configuration
self.__module_enabled = check_enabled(
self.storage,
self.__module_name,
self.__module_experimental
)
def _load_configuration(self):
"""Load configuration settings from registry."""
alt_keys = remove_prefix_from_keys(
self.storage.filter_entries(self._ALT_REGISTRY_PATH),
self._ALT_REGISTRY_PATH
)
windows_keys = remove_prefix_from_keys(
self.storage.filter_entries(self._WINDOWS_REGISTRY_PATH),
self._WINDOWS_REGISTRY_PATH
)
# Combine configurations with BaseALT taking precedence
self.config = windows_keys
self.config.update(alt_keys)
# Extract commonly used configuration parameters
self.backup_directory = self.config.get('BackupDirectory', None)
self.encryption_enabled = self.config.get('ADPasswordEncryptionEnabled', 1)
self.password_expiration_protection = self.config.get('PasswordExpirationProtectionEnabled', 1)
self.password_age_days = self.config.get('PasswordAgeDays', 30)
self.post_authentication_actions = self.config.get('PostAuthenticationActions', 3)
self.post_authentication_reset_delay = self.config.get('PostAuthenticationResetDelay', 24)
name = self.config.get('AdministratorAccountName', 'root')
if name and check_local_user_exists(name):
self.target_user = name
else:
log('W36')
return False
return True
def _check_requirements(self):
"""
Check if the necessary requirements are met for the module to operate.
Returns:
bool: True if requirements are met, False otherwise
"""
if self.backup_directory != 2 or not self.encryption_enabled:
logdata = {}
logdata['backup_directory'] = self.backup_directory
logdata['encryption_enabled'] = self.encryption_enabled
log('D223', logdata)
return False
return True
def _initialize_system_parameters(self):
"""Initialize system parameters and connections."""
# Set up LDAP connections
self.samdb = self.storage.get_info('samdb')
self.domain_sid = self.samdb.get_domain_sid()
self.domain_dn = self.samdb.domain_dn()
self.computer_dn = self._get_computer_dn()
self.admin_group_sid = f'{self.domain_sid}-{WellKnown21RID.DOMAIN_ADMINS.value}'
# Set up time parameters
self.expiration_date = self._get_expiration_date()
self.expiration_date_int = self._convert_to_filetime(self.expiration_date)
self.current_time_int = self._convert_to_filetime(datetime.now())
# Get current system state
self.expiration_time_attr = self._get_expiration_time_attr()
self.pass_last_mod_int = self._read_dconf_pass_last_mod()
self.encryption_principal = self._get_encryption_principal()
self.last_login_hours_ago = self._get_admin_login_hours_ago_after_timestamp()
def _get_computer_dn(self):
"""
Get the Distinguished Name of the computer account.
Returns:
str: Computer's distinguished name in LDAP
"""
machine_name = self.storage.get_info('machine_name')
search_filter = f'(sAMAccountName={machine_name})'
results = self.samdb.search(base=self.domain_dn, expression=search_filter, attrs=['dn'])
return results[0]['dn']
def _get_encryption_principal(self):
"""
Get the encryption principal for password encryption.
Returns:
str: SID of the encryption principal
"""
encryption_principal = self.config.get('ADPasswordEncryptionPrincipal', None)
if not encryption_principal:
return self.admin_group_sid
return self._verify_encryption_principal(encryption_principal)
def _verify_encryption_principal(self, principal_name):
"""
Verify the encryption principal exists and get its SID.
Args:
principal_name: Principal name to verify
Returns:
str: SID of the encryption principal if found, or admin group SID as fallback
"""
try:
# Try to resolve as domain\\user format
domain = self.storage.get_info('domain')
username = f'{domain}\\{principal_name}'
output = subprocess.check_output(['wbinfo', '-n', username])
sid = output.split()[0].decode('utf-8')
return sid
except subprocess.CalledProcessError:
# Try to resolve directly as SID
try:
output = subprocess.check_output(['wbinfo', '-s', principal_name])
return principal_name
except subprocess.CalledProcessError:
# Fallback to admin group SID
logdata = {}
logdata['principal_name'] = principal_name
log('W30', logdata)
return self.admin_group_sid
def _get_expiration_date(self, base_time=None):
"""
Calculate the password expiration date.
Args:
base_time: Optional datetime to base calculation on, defaults to now
Returns:
datetime: Password expiration date
"""
base = base_time or datetime.now()
# Set to beginning of day and add password age
return (base.replace(hour=0, minute=0, second=0, microsecond=0) +
timedelta(days=int(self.password_age_days)))
def _convert_to_filetime(self, dt):
"""
Convert datetime to Windows filetime format (100ns intervals since 1601-01-01).
Args:
dt: Datetime to convert
Returns:
int: Windows filetime integer
"""
epoch_timedelta = timedelta(seconds=self._EPOCH_TIMESTAMP)
new_dt = dt + epoch_timedelta
return int(new_dt.timestamp() * self._HUNDREDS_OF_NANOSECONDS)
def _get_expiration_time_attr(self):
"""
Get the current password expiration time from LDAP.
Returns:
int: Password expiration time as integer, or 0 if not found
"""
try:
res = self.samdb.search(
base=self.computer_dn,
scope=ldb.SCOPE_BASE,
expression="(objectClass=*)",
attrs=[self._ATTR_PASSWORD_EXPIRATION_TIME]
)
return int(res[0].get(self._ATTR_PASSWORD_EXPIRATION_TIME, 0)[0])
except Exception as exc:
logdata = {'exc': exc}
log('W31', logdata)
return 0
def _read_dconf_pass_last_mod(self):
"""
Read the password last modified time from dconf.
Returns:
int: Timestamp of last password modification or current time if not found
"""
try:
key_path = self._KEY_PASSWORD_LAST_MODIFIED + self.target_user
last_modified = subprocess.check_output(
['dconf', 'read', key_path],
text=True
).strip().strip("'\"")
return int(last_modified)
except Exception as exc:
logdata = {'exc': exc}
log('W32', logdata)
return self.current_time_int
def _write_dconf_pass_last_mod(self):
"""
Write the password last modified time to dconf.
"""
try:
# Ensure dbus session is available
self._ensure_dbus_session()
# Write current time to dconf
key_path = self._KEY_PASSWORD_LAST_MODIFIED + self.target_user
last_modified = f'"{self.current_time_int}"'
subprocess.check_output(['dconf', 'write', key_path, last_modified])
log('D222')
except Exception as exc:
logdata = {'exc': exc}
log('W28', logdata)
def _ensure_dbus_session(self):
"""Ensure a D-Bus session is available for dconf operations."""
dbus_address = os.getenv("DBUS_SESSION_BUS_ADDRESS")
if not dbus_address:
result = subprocess.run(
["dbus-daemon", "--fork", "--session", "--print-address"],
capture_output=True,
text=True
)
dbus_address = result.stdout.strip()
os.environ["DBUS_SESSION_BUS_ADDRESS"] = dbus_address
def _get_changed_password_hours_ago(self):
"""
Calculate how many hours ago the password was last changed.
Returns:
int: Hours since password was last changed, or 0 if error
"""
logdata = {}
logdata['target_user'] = self.target_user
try:
diff_time = self.current_time_int - self.pass_last_mod_int
hours_difference = diff_time // 3.6e10
hours_ago = int(hours_difference)
logdata['hours_ago'] = hours_ago
log('D225', logdata)
return hours_ago
except Exception as exc:
logdata = {'exc': exc}
log('W34', logdata)
return 0
def _generate_password(self):
"""
Generate a secure password based on policy settings.
Returns:
str: Generated password meeting complexity requirements
"""
# Get password length from config
password_length = self.config.get('PasswordLength', 14)
if not isinstance(password_length, int) or not (8 <= password_length <= 64):
password_length = 14
# Get password complexity from config
password_complexity = self.config.get('PasswordComplexity', 4)
if not isinstance(password_complexity, int) or not (1 <= password_complexity <= 4):
password_complexity = 4
# Get character set based on complexity
char_set = self._PASSWORD_COMPLEXITY.get(password_complexity, self._PASSWORD_COMPLEXITY[4])
# Generate initial password
password = ''.join(secrets.choice(char_set) for _ in range(password_length))
# Ensure password meets complexity requirements
if password_complexity >= 3 and not any(c.isdigit() for c in password):
# Add a digit if required but missing
digit = secrets.choice(string.digits)
position = secrets.randbelow(len(password))
password = password[:position] + digit + password[position:]
if password_complexity == 4 and not any(c in string.punctuation for c in password):
# Add a special character if required but missing
special_char = secrets.choice(string.punctuation)
position = secrets.randbelow(len(password))
password = password[:position] + special_char + password[position:]
return password
def _get_json_password_data(self, password):
"""
Format password information as JSON.
Args:
password: The password
Returns:
str: JSON formatted password information
"""
return f'{{"n":"{self.target_user}","t":"{self.expiration_date_int}","p":"{password}"}}'
def _create_password_blob(self, password):
"""
Create encrypted password blob for LDAP storage.
Args:
password: Password to encrypt
Returns:
bytes: Encrypted password blob
"""
# Create JSON data and encode as UTF-16LE with null terminator
json_data = self._get_json_password_data(password)
password_bytes = json_data.encode("utf-16-le") + b"\x00\x00"
# Save and change loglevel
logger = logging.getLogger()
old_level = logger.level
logger.setLevel(logging.ERROR)
# Encrypt the password
dpapi_blob = dpapi_ng.ncrypt_protect_secret(
password_bytes,
self.encryption_principal,
auth_protocol='kerberos'
)
# Restoreloglevel
logger.setLevel(old_level)
# Create full blob with metadata
return self._add_blob_metadata(dpapi_blob)
def _add_blob_metadata(self, dpapi_blob):
"""
Add metadata to the encrypted password blob.
Args:
dpapi_blob: Encrypted password blob
Returns:
bytes: Complete blob with metadata
"""
# Convert timestamp to correct format
left, right = struct.unpack('<LL', struct.pack('Q', self.current_time_int))
packed = struct.pack('<LL', right, left)
# Add blob length and padding
prefix = packed + struct.pack('<i', len(dpapi_blob)) + b'\x00\x00\x00\x00'
# Combine metadata and encrypted blob
return prefix + dpapi_blob
def _change_user_password(self, new_password):
"""
Change the password for the target user.
Args:
new_password: New password to set
Returns:
bool: True if password was changed successfully, False otherwise
"""
logdata = {'target_user': self.target_user}
try:
# Use chpasswd to change the password
process = subprocess.Popen(
["chpasswd"],
stdin=subprocess.PIPE,
text=True
)
process.communicate(f"{self.target_user}:{new_password}")
# Record the time of change
self._write_dconf_pass_last_mod()
log('D221', logdata)
return True
except Exception as exc:
logdata = {'exc': exc}
log('W27', logdata)
return False
def _update_ldap_password(self, encrypted_blob):
"""
Update the encrypted password and expiration time in LDAP.
Args:
encrypted_blob: Encrypted password blob
Returns:
bool: True if LDAP was updated successfully, False otherwise
"""
logdata = {'computer_dn': self.computer_dn}
try:
# Create LDAP modification message
mod_msg = ldb.Message()
mod_msg.dn = self.computer_dn
# Update password blob
mod_msg[self._ATTR_ENCRYPTED_PASSWORD] = ldb.MessageElement(
encrypted_blob,
ldb.FLAG_MOD_REPLACE,
self._ATTR_ENCRYPTED_PASSWORD
)
# Update expiration time
mod_msg[self._ATTR_PASSWORD_EXPIRATION_TIME] = ldb.MessageElement(
str(self.expiration_date_int),
ldb.FLAG_MOD_REPLACE,
self._ATTR_PASSWORD_EXPIRATION_TIME
)
# Perform the LDAP modification
self.samdb.modify(mod_msg)
log('D226', logdata)
return True
except Exception as exc:
logdata = {'exc': exc}
log('E75', logdata)
return False
def _should_update_password(self):
"""
Determine if the password should be updated based on policy.
Returns:
tuple: (bool: update needed, bool: perform post-action)
"""
# Check if password has expired
if not self._is_password_expired():
# Password not expired, check if post-login action needed
return self._check_post_login_action()
# Password has expired, update needed
return True, False
def _is_password_expired(self):
"""
Check if the password has expired according to policy.
Returns:
bool: True if password has expired, False otherwise
"""
# Case 1: No expiration protection, check LDAP attribute
if not self.password_expiration_protection:
if self.expiration_time_attr > self.current_time_int:
return False
# Case 2: With expiration protection, check both policy and LDAP
elif self.password_expiration_protection:
policy_expiry = self.pass_last_mod_int + (self.password_age_days * int(self._DAY_FLOAT))
if policy_expiry > self.current_time_int and self.expiration_time_attr > self.current_time_int:
return False
return True
def _check_post_login_action(self):
"""
Check if a post-login password change action should be performed.
Returns:
tuple: (bool: update needed, bool: perform post-action)
"""
# Check if password was changed after last login
if self._get_changed_password_hours_ago() < self.last_login_hours_ago:
return False, False
# Check if enough time has passed since login
if self.last_login_hours_ago < self.post_authentication_reset_delay:
return False, False
# Check if action is configured
if self.post_authentication_actions == self._ACTION_NONE:
return False, False
# Update needed, determine if post-action required
return True, self.post_authentication_actions > self._ACTION_CHANGE_PASSWORD
def _perform_post_action(self):
"""
Perform post-password-change action based on configuration.
"""
if self.post_authentication_actions == self._ACTION_TERMINATE_SESSIONS:
self._terminate_user_sessions()
elif self.post_authentication_actions == self._ACTION_REBOOT:
log('D220')
subprocess.run(["reboot"])
def _terminate_user_sessions(self):
"""
Terminates all processes associated with the active sessions of the target user.
"""
# Get active sessions for the target user
user_sessions = [user for user in psutil.users() if user.name == self.target_user]
logdata = {'target_user': self.target_user}
if not user_sessions:
log('D227', logdata)
return
# Terminate each session
for session in user_sessions:
try:
# Get the process and terminate it
proc = psutil.Process(session.pid)
proc.kill() # Send SIGKILL
logdata['pid'] = session.pid
log('D228')
except (psutil.NoSuchProcess, psutil.AccessDenied) as exc:
logdata['pid'] = session.pid
logdata['exc'] = exc
log('W35', logdata)
def update_laps_password(self):
"""
Update the LAPS password if needed based on policy.
Checks expiration and login times to determine if update is needed.
"""
# Check if password update is needed
update_needed, perform_post_action = self._should_update_password()
if not update_needed:
log('D229')
return False
# Generate new password
password = self._generate_password()
# Create encrypted password blob
encrypted_blob = self._create_password_blob(password)
# Update password in LDAP
ldap_success = self._update_ldap_password(encrypted_blob)
if not ldap_success:
return False
# Change local user password
local_success = self._change_user_password(password)
if not local_success:
log('E76')
return False
log('D230')
# Perform post-action if configured
if perform_post_action:
self._perform_post_action()
def apply(self):
"""
Main entry point for the LAPS applier.
"""
if self.__module_enabled:
log('D218')
self.update_laps_password()
else:
log('D219')
def _parse_login_time_from_last_line(self, line: str) -> datetime:
match_login_dt = re.search(
r"((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})",
line
)
if not match_login_dt:
return None
login_dt_str = match_login_dt.group(1)
try:
dt_naive = datetime.strptime(login_dt_str, "%a %b %d %H:%M:%S %Y")
login_dt_utc: datetime
if _DATEUTIL_AVAILABLE:
local_tz = tz.tzlocal()
dt_local = dt_naive.replace(tzinfo=local_tz)
login_dt_utc = dt_local.astimezone(timezone.utc)
else:
system_local_tz = datetime.now().astimezone().tzinfo
if system_local_tz:
dt_local = dt_naive.replace(tzinfo=system_local_tz)
login_dt_utc = dt_local.astimezone(timezone.utc)
else:
login_dt_utc = dt_naive.replace(tzinfo=timezone.utc)
log('W38')
return login_dt_utc
except ValueError:
return None
def _get_user_login_datetimes_utc(self) -> list[datetime]:
command = ["last", "-F", "-w", self.target_user]
env = os.environ.copy()
env["LC_TIME"] = "C"
login_datetimes = []
try:
process = subprocess.run(command, capture_output=True, text=True, check=False, env=env)
if process.returncode != 0 and not ("no login record" in process.stderr.lower() or "no users logged in" in process.stdout.lower()):
log('W39')
return []
output_lines = process.stdout.splitlines()
except FileNotFoundError:
log('W40')
return []
except Exception as e:
log('W41')
return []
for line in output_lines:
if not line.strip() or "wtmp begins" in line or "btmp begins" in line:
continue
if not line.startswith(self.target_user):
continue
login_dt_utc = self._parse_login_time_from_last_line(line)
if login_dt_utc:
login_datetimes.append(login_dt_utc)
return login_datetimes
def _get_admin_login_hours_ago_after_timestamp(self) -> int:
# Convert Windows FileTime to datetime
reference_dt_utc = datetime.fromtimestamp(
(self.pass_last_mod_int / self._HUNDREDS_OF_NANOSECONDS) - self._EPOCH_TIMESTAMP,
tz=timezone.utc
)
if not (reference_dt_utc.tzinfo is timezone.utc or
(reference_dt_utc.tzinfo is not None and reference_dt_utc.tzinfo.utcoffset(reference_dt_utc) == timedelta(0))):
log('W42')
return 0
user_login_times_utc = self._get_user_login_datetimes_utc()
if not user_login_times_utc:
log('D232')
return 0
most_recent_login_after_reference_utc = None
for login_time_utc in user_login_times_utc[::-1]:
if login_time_utc >= reference_dt_utc:
most_recent_login_after_reference_utc = login_time_utc
break
if most_recent_login_after_reference_utc:
now_utc = datetime.now(timezone.utc)
time_delta_seconds = (now_utc - most_recent_login_after_reference_utc).total_seconds()
hours_ago = int(time_delta_seconds / 3600.0)
log('D233')
return hours_ago
else:
log('D234')
return 0

7
gpoa/frontend/networkshare_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2022 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -29,11 +29,10 @@ class networkshare_applier(applier_frontend):
__module_experimental = True
__module_enabled = False
def __init__(self, storage, sid, username = None):
def __init__(self, storage, username = None):
self.storage = storage
self.sid = sid
self.username = username
self.networkshare_info = self.storage.get_networkshare(self.sid)
self.networkshare_info = self.storage.get_networkshare()
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
self.__module_enabled_user = check_enabled(self.storage, self.__module_name_user, self.__module_experimental)

9
gpoa/frontend/ntp_applier.py
View File

@@ -77,8 +77,7 @@ class ntp_applier(applier_frontend):
srv = None
if server:
srv = server.data.rpartition(',')[0]
logdata = dict()
logdata['srv'] = srv
logdata = {'srv': srv}
log('D122', logdata)
start_command = ['/usr/bin/systemctl', 'start', 'chronyd']
@@ -92,8 +91,7 @@ class ntp_applier(applier_frontend):
proc.wait()
if srv:
logdata = dict()
logdata['srv'] = srv
logdata = {'srv': srv}
log('D124', logdata)
proc = subprocess.Popen(chrony_disconnect_all)
@@ -119,8 +117,7 @@ class ntp_applier(applier_frontend):
if server_type and server_type.data:
if NTPServerType.NTP.value != server_type.data:
logdata = dict()
logdata['server_type'] = server_type
logdata = {'server_type': server_type}
log('W10', logdata)
else:
log('D126')

35
gpoa/frontend/package_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -27,8 +27,8 @@ from .applier_frontend import (
class package_applier(applier_frontend):
__module_name = 'PackagesApplier'
__module_experimental = True
__module_enabled = False
__module_experimental = False
__module_enabled = True
__install_key_name = 'Install'
__remove_key_name = 'Remove'
__sync_key_name = 'Sync'
@@ -40,7 +40,7 @@ class package_applier(applier_frontend):
install_branch = '{}\\{}%'.format(self.__hklm_branch, self.__install_key_name)
remove_branch = '{}\\{}%'.format(self.__hklm_branch, self.__remove_key_name)
sync_branch = '{}\\{}%'.format(self.__hklm_branch, self.__sync_key_name)
self.fulcmd = list()
self.fulcmd = []
self.fulcmd.append('/usr/libexec/gpupdate/pkcon_runner')
self.fulcmd.append('--loglevel')
logger = logging.getLogger()
@@ -64,15 +64,13 @@ class package_applier(applier_frontend):
try:
subprocess.check_call(self.fulcmd)
except Exception as exc:
logdata = dict()
logdata['msg'] = str(exc)
logdata = {'msg': str(exc)}
log('E55', logdata)
else:
try:
subprocess.Popen(self.fulcmd,close_fds=False)
except Exception as exc:
logdata = dict()
logdata['msg'] = str(exc)
logdata = {'msg': str(exc)}
log('E61', logdata)
def apply(self):
@@ -85,18 +83,17 @@ class package_applier(applier_frontend):
class package_applier_user(applier_frontend):
__module_name = 'PackagesApplierUser'
__module_experimental = True
__module_enabled = False
__module_experimental = False
__module_enabled = True
__install_key_name = 'Install'
__remove_key_name = 'Remove'
__sync_key_name = 'Sync'
__hkcu_branch = 'Software\\BaseALT\\Policies\\Packages'
def __init__(self, storage, sid, username):
def __init__(self, storage, username):
self.storage = storage
self.sid = sid
self.username = username
self.fulcmd = list()
self.fulcmd = []
self.fulcmd.append('/usr/libexec/gpupdate/pkcon_runner')
self.fulcmd.append('--user')
self.fulcmd.append(self.username)
@@ -108,9 +105,9 @@ class package_applier_user(applier_frontend):
remove_branch = '{}\\{}%'.format(self.__hkcu_branch, self.__remove_key_name)
sync_branch = '{}\\{}%'.format(self.__hkcu_branch, self.__sync_key_name)
self.install_packages_setting = self.storage.filter_hkcu_entries(self.sid, install_branch)
self.remove_packages_setting = self.storage.filter_hkcu_entries(self.sid, remove_branch)
self.sync_packages_setting = self.storage.filter_hkcu_entries(self.sid, sync_branch)
self.install_packages_setting = self.storage.filter_hkcu_entries(install_branch)
self.remove_packages_setting = self.storage.filter_hkcu_entries(remove_branch)
self.sync_packages_setting = self.storage.filter_hkcu_entries(sync_branch)
self.flagSync = False
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
@@ -131,15 +128,13 @@ class package_applier_user(applier_frontend):
try:
subprocess.check_call(self.fulcmd)
except Exception as exc:
logdata = dict()
logdata['msg'] = str(exc)
logdata = {'msg': str(exc)}
log('E60', logdata)
else:
try:
subprocess.Popen(self.fulcmd,close_fds=False)
except Exception as exc:
logdata = dict()
logdata['msg'] = str(exc)
logdata = {'msg': str(exc)}
log('E62', logdata)
def admin_context_apply(self):

13
gpoa/frontend/polkit_applier.py
View File

@@ -53,7 +53,7 @@ class polkit_applier(applier_frontend):
template_vars_all = self.__polkit_map[self.__registry_branch][1]
template_file_all_lock = self.__polkit_map[self.__registry_locks_branch][0]
template_vars_all_lock = self.__polkit_map[self.__registry_locks_branch][1]
locks = list()
locks = []
for lock in self.polkit_locks:
if bool(int(lock.data)):
locks.append(lock.valuename)
@@ -77,7 +77,7 @@ class polkit_applier(applier_frontend):
self.__polkit_map[self.__registry_locks_branch][1][key] = item[1]
if deny_all_win:
logdata = dict()
logdata = {}
logdata['Deny_All_win'] = deny_all_win.data
log('D69', logdata)
self.__polkit_map[self.__deny_all_win][1]['Deny_All'] = deny_all_win.data
@@ -115,15 +115,14 @@ class polkit_applier_user(applier_frontend):
__registry_branch : ['48-alt_group_policy_permissions_user', {'User': ''}]
}
def __init__(self, storage, sid, username):
def __init__(self, storage, username):
self.storage = storage
self.sid = sid
self.username = username
deny_all_win = None
if check_windows_mapping_enabled(self.storage):
deny_all_win = storage.filter_hkcu_entries(self.sid, self.__deny_all_win).first()
deny_all_win = storage.filter_hkcu_entries(self.__deny_all_win).first()
polkit_filter = '{}%'.format(self.__registry_branch)
self.polkit_keys = self.storage.filter_hkcu_entries(self.sid, polkit_filter)
self.polkit_keys = self.storage.filter_hkcu_entries(polkit_filter)
# Deny_All hook: initialize defaults
template_file = self.__polkit_map[self.__deny_all_win][0]
template_vars = self.__polkit_map[self.__deny_all_win][1]
@@ -146,7 +145,7 @@ class polkit_applier_user(applier_frontend):
self.__polkit_map[self.__registry_branch][1][key] = item
if deny_all_win:
logdata = dict()
logdata = {}
logdata['user'] = self.username
logdata['Deny_All_win'] = deny_all_win.data
log('D70', logdata)

30
gpoa/frontend/scripts_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2022 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -29,15 +29,14 @@ from .applier_frontend import (
class scripts_applier(applier_frontend):
__module_name = 'ScriptsApplier'
__module_experimental = True
__module_enabled = False
__module_experimental = False
__module_enabled = True
__cache_scripts = '/var/cache/gpupdate_scripts_cache/machine/'
def __init__(self, storage, sid):
def __init__(self, storage):
self.storage = storage
self.sid = sid
self.startup_scripts = self.storage.get_scripts(self.sid, 'STARTUP')
self.shutdown_scripts = self.storage.get_scripts(self.sid, 'SHUTDOWN')
self.startup_scripts = self.storage.get_scripts('STARTUP')
self.shutdown_scripts = self.storage.get_scripts('SHUTDOWN')
self.folder_path = Path(self.__cache_scripts)
self.__module_enabled = check_enabled(self.storage
, self.__module_name
@@ -51,8 +50,7 @@ class scripts_applier(applier_frontend):
except FileNotFoundError as exc:
log('D154')
except Exception as exc:
logdata = dict()
logdata['exc'] = exc
logdata = {'exc': exc}
log('E64', logdata)
def filling_cache(self):
@@ -80,15 +78,14 @@ class scripts_applier(applier_frontend):
class scripts_applier_user(applier_frontend):
__module_name = 'ScriptsApplierUser'
__module_experimental = True
__module_enabled = False
__module_experimental = False
__module_enabled = True
__cache_scripts = '/var/cache/gpupdate_scripts_cache/users/'
def __init__(self, storage, sid, username):
def __init__(self, storage, username):
self.storage = storage
self.sid = sid
self.logon_scripts = self.storage.get_scripts(self.sid, 'LOGON')
self.logoff_scripts = self.storage.get_scripts(self.sid, 'LOGOFF')
self.logon_scripts = self.storage.get_scripts('LOGON')
self.logoff_scripts = self.storage.get_scripts('LOGOFF')
self.username = username
self.folder_path = Path(self.__cache_scripts + self.username)
self.__module_enabled = check_enabled(self.storage
@@ -103,8 +100,7 @@ class scripts_applier_user(applier_frontend):
except FileNotFoundError as exc:
log('D155')
except Exception as exc:
logdata = dict()
logdata['exc'] = exc
logdata = {'exc': exc}
log('E65', logdata)
def filling_cache(self):

82
gpoa/frontend/shortcut_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -26,15 +26,19 @@ from util.windows import expand_windows_var
from util.logging import log
from util.util import (
get_homedir,
homedir_exists
homedir_exists,
string_to_literal_eval
)
from gpt.shortcuts import shortcut, get_ttype
def storage_get_shortcuts(storage, sid, username=None):
def storage_get_shortcuts(storage, username=None, shortcuts_machine=None):
'''
Query storage for shortcuts' rows for specified SID.
Query storage for shortcuts' rows for username.
'''
shortcut_objs = storage.get_shortcuts(sid)
shortcuts = list()
shortcut_objs = storage.get_shortcuts()
shortcuts = []
if username and shortcuts_machine:
shortcut_objs += shortcuts_machine
for sc in shortcut_objs:
if username:
@@ -52,9 +56,7 @@ def apply_shortcut(shortcut, username=None):
dest_abspath = shortcut.dest
if not dest_abspath.startswith('/') and not dest_abspath.startswith('%'):
dest_abspath = '%HOME%/' + dest_abspath
logdata = dict()
logdata['shortcut'] = dest_abspath
logdata['for'] = username
logdata = {'shortcut': dest_abspath, 'for': username}
log('D105', logdata)
dest_abspath = expand_windows_var(dest_abspath, username).replace('\\', '/') + '.desktop'
@@ -65,31 +67,24 @@ def apply_shortcut(shortcut, username=None):
if dest_abspath.startswith(get_homedir(username)):
# Don't try to operate on non-existent directory
if not homedir_exists(username):
logdata = dict()
logdata['user'] = username
logdata['dest_abspath'] = dest_abspath
logdata = {'user': username, 'dest_abspath': dest_abspath}
log('W7', logdata)
return None
else:
logdata = dict()
logdata['user'] = username
logdata['bad path'] = dest_abspath
logdata = {'user': username, 'bad path': dest_abspath}
log('W8', logdata)
return None
if '%' in dest_abspath:
logdata = dict()
logdata['dest_abspath'] = dest_abspath
logdata = {'dest_abspath': dest_abspath}
log('E53', logdata)
return None
if not dest_abspath.startswith('/'):
logdata = dict()
logdata['dest_abspath'] = dest_abspath
logdata = {'dest_abspath': dest_abspath}
log('E54', logdata)
return None
logdata = dict()
logdata['file'] = dest_abspath
logdata = {'file': dest_abspath}
logdata['with_action'] = shortcut.action
log('D106', logdata)
shortcut.apply_desktop(dest_abspath)
@@ -108,7 +103,7 @@ class shortcut_applier(applier_frontend):
)
def run(self):
shortcuts = storage_get_shortcuts(self.storage, self.storage.get_info('machine_sid'))
shortcuts = storage_get_shortcuts(self.storage)
if shortcuts:
for sc in shortcuts:
apply_shortcut(sc)
@@ -119,9 +114,7 @@ class shortcut_applier(applier_frontend):
# /usr/local/share/applications
subprocess.check_call(['/usr/bin/update-desktop-database'])
else:
logdata = dict()
logdata['machine_sid'] = self.storage.get_info('machine_sid')
log('D100', logdata)
log('D100')
def apply(self):
if self.__module_enabled:
@@ -134,15 +127,45 @@ class shortcut_applier_user(applier_frontend):
__module_name = 'ShortcutsApplierUser'
__module_experimental = False
__module_enabled = True
__REGISTRY_PATH_SHORTCATSMERGE= '/Software/BaseALT/Policies/GPUpdate/ShortcutsMerge'
__DCONF_REGISTRY_PATH_PREFERENCES_MACHINE = 'Software/BaseALT/Policies/Preferences/Machine'
def __init__(self, storage, sid, username):
def __init__(self, storage, username):
self.storage = storage
self.sid = sid
self.username = username
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
def get_machine_shortcuts(self):
result = []
try:
storage_machine_dict = self.storage.get_dictionary_from_dconf_file_db()
machine_shortcuts = storage_machine_dict.get(
self.__DCONF_REGISTRY_PATH_PREFERENCES_MACHINE, dict()).get('Shortcuts')
shortcut_objs = string_to_literal_eval(machine_shortcuts)
for obj in shortcut_objs:
shortcut_machine =shortcut(
obj.get('dest'),
obj.get('path'),
obj.get('arguments'),
obj.get('name'),
obj.get('action'),
get_ttype(obj.get('target_type')))
shortcut_machine.set_usercontext(1)
result.append(shortcut_machine)
except:
return None
return result
def check_enabled_shortcuts_merge(self):
return self.storage.get_key_value(self.__REGISTRY_PATH_SHORTCATSMERGE)
def run(self, in_usercontext):
shortcuts = storage_get_shortcuts(self.storage, self.sid, self.username)
shortcuts_machine = None
if self.check_enabled_shortcuts_merge():
shortcuts_machine = self.get_machine_shortcuts()
shortcuts = storage_get_shortcuts(self.storage, self.username, shortcuts_machine)
if shortcuts:
for sc in shortcuts:
@@ -151,8 +174,7 @@ class shortcut_applier_user(applier_frontend):
if not in_usercontext and not sc.is_usercontext():
apply_shortcut(sc, self.username)
else:
logdata = dict()
logdata['sid'] = self.sid
logdata = {'username': self.username}
log('D100', logdata)
def user_context_apply(self):

14
gpoa/frontend/systemd_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -44,20 +44,16 @@ class systemd_applier(applier_frontend):
for setting in self.systemd_unit_settings:
try:
self.units.append(systemd_unit(setting.valuename, int(setting.data)))
logdata = dict()
logdata['unit'] = format(setting.valuename)
logdata = {'unit': format(setting.valuename)}
log('I4', logdata)
except Exception as exc:
logdata = dict()
logdata['unit'] = format(setting.valuename)
logdata['exc'] = exc
logdata = {'unit': format(setting.valuename), 'exc': exc}
log('I5', logdata)
for unit in self.units:
try:
unit.apply()
except:
logdata = dict()
logdata['unit'] = unit.unit_name
logdata = {'unit': unit.unit_name}
log('E45', logdata)
def apply(self):
@@ -76,7 +72,7 @@ class systemd_applier_user(applier_frontend):
__module_enabled = True
__registry_branch = 'Software/BaseALT/Policies/SystemdUnits'
def __init__(self, storage, sid, username):
def __init__(self, storage, username):
self.storage = storage
def user_context_apply(self):

14
gpoa/frontend/thunderbird_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2024 BaseALT Ltd.
# Copyright (C) 2024-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -32,15 +32,14 @@ class thunderbird_applier(applier_frontend):
__registry_branch = 'Software/Policies/Mozilla/Thunderbird'
__thunderbird_policies = '/etc/thunderbird/policies'
def __init__(self, storage, sid, username):
def __init__(self, storage, username):
self.storage = storage
self.sid = sid
self.username = username
self._is_machine_name = is_machine_name(self.username)
self.policies = dict()
self.policies_json = dict({ 'policies': self.policies })
self.policies = {}
self.policies_json = {'policies': self.policies}
self.thunderbird_keys = self.storage.filter_hklm_entries(self.__registry_branch)
self.policies_gen = dict()
self.policies_gen = {}
self.__module_enabled = check_enabled(
self.storage
, self.__module_name
@@ -58,8 +57,7 @@ class thunderbird_applier(applier_frontend):
os.makedirs(self.__thunderbird_policies, exist_ok=True)
with open(destfile, 'w') as f:
json.dump(self.policies_json, f)
logdata = dict()
logdata['destfile'] = destfile
logdata = {'destfile': destfile}
log('D212', logdata)
def apply(self):

19
gpoa/frontend/yandex_browser_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -34,14 +34,13 @@ class yandex_browser_applier(applier_frontend):
__managed_policies_path = '/etc/opt/yandex/browser/policies/managed'
__recommended_policies_path = '/etc/opt/yandex/browser/policies/recommended'
def __init__(self, storage, sid, username):
def __init__(self, storage, username):
self.storage = storage
self.sid = sid
self.username = username
self._is_machine_name = is_machine_name(self.username)
self.yandex_keys = self.storage.filter_hklm_entries(self.__registry_branch)
self.policies_json = dict()
self.policies_json = {}
self.__module_enabled = check_enabled(
self.storage
@@ -69,16 +68,14 @@ class yandex_browser_applier(applier_frontend):
os.makedirs(self.__managed_policies_path, exist_ok=True)
with open(destfile, 'w') as f:
json.dump(dict_item_to_list(self.policies_json), f)
logdata = dict()
logdata['destfile'] = destfile
logdata = {'destfile': destfile}
log('D185', logdata)
destfilerec = os.path.join(self.__recommended_policies_path, 'policies.json')
os.makedirs(self.__recommended_policies_path, exist_ok=True)
with open(destfilerec, 'w') as f:
json.dump(dict_item_to_list(recommended__json), f)
logdata = dict()
logdata['destfilerec'] = destfilerec
logdata = {'destfilerec': destfilerec}
log('D185', logdata)
@@ -159,7 +156,7 @@ class yandex_browser_applier(applier_frontend):
'''
Collect dictionaries from registry keys into a general dictionary
'''
counts = dict()
counts = {}
#getting the list of keys to read as an integer
valuename_typeint = self.get_valuename_typeint()
for it_data in yandex_keys:
@@ -187,9 +184,7 @@ class yandex_browser_applier(applier_frontend):
branch[parts[-1]] = str(it_data.data).replace('\\', '/')
except Exception as exc:
logdata = dict()
logdata['Exception'] = exc
logdata['keyname'] = it_data.keyname
logdata = {'Exception': exc, 'keyname': it_data.keyname}
log('D178', logdata)
try:
self.policies_json = counts['']

2
gpoa/gpoa
View File

@@ -153,8 +153,8 @@ class gpoa_controller:
try:
back.retrieve_and_store()
# Start frontend only on successful backend finish
self.start_frontend()
save_dconf(self.username, self.is_machine, nodomain)
self.start_frontend()
except Exception as exc:
logdata = dict({'message': str(exc)})
# In case we're handling "E3" - it means that

14
gpoa/gpt/drives.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -47,7 +47,7 @@ def decrypt_pass(cpassword):
# decrypt() returns byte array which is immutable and we need to
# strip padding, then convert UTF-16LE to UTF-8
binstr = decrypter.decrypt(password)
by = list()
by = []
for item in binstr:
if item != 16:
by.append(item)
@@ -57,7 +57,7 @@ def decrypt_pass(cpassword):
return utf8str.decode()
def read_drives(drives_file):
drives = list()
drives = []
for drive in get_xml_root(drives_file):
drive_obj = drivemap()
@@ -78,9 +78,9 @@ def read_drives(drives_file):
return drives
def merge_drives(storage, sid, drive_objects, policy_name):
def merge_drives(storage, drive_objects, policy_name):
for drive in drive_objects:
storage.add_drive(sid, drive, policy_name)
storage.add_drive(drive, policy_name)
def json2drive(json_str):
json_obj = json.loads(json_str)
@@ -141,13 +141,13 @@ class drivemap(DynamicAttributes):
self.useLetter = useLetter
def to_json(self):
drive = dict()
drive = {}
drive['login'] = self.login
drive['password'] = self.password
drive['dir'] = self.dir
drive['path'] = self.path
contents = dict()
contents = {}
contents['drive'] = drive
return json.dumps(contents)

6
gpoa/gpt/dynamic_attributes.py
View File

@@ -38,6 +38,12 @@ class DynamicAttributes:
def __iter__(self):
return iter(self.__dict__.items())
def get_original_value(self, key):
value = self.__dict__.get(key)
if isinstance(value, str):
value = value.replace("", "'")
return value
class RegistryKeyMetadata(DynamicAttributes):
def __init__(self, policy_name, type, is_list=None, mod_previous_value=None):
self.policy_name = policy_name

8
gpoa/gpt/envvars.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -21,7 +21,7 @@ from .dynamic_attributes import DynamicAttributes
def read_envvars(envvars_file):
variables = list()
variables = []
for var in get_xml_root(envvars_file):
props = var.find('Properties')
@@ -34,9 +34,9 @@ def read_envvars(envvars_file):
return variables
def merge_envvars(storage, sid, envvar_objects, policy_name):
def merge_envvars(storage, envvar_objects, policy_name):
for envv in envvar_objects:
storage.add_envvar(sid, envv, policy_name)
storage.add_envvar(envv, policy_name)
class envvar(DynamicAttributes):
def __init__(self, name, value, action):

8
gpoa/gpt/files.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,7 +20,7 @@ from util.xml import get_xml_root
from .dynamic_attributes import DynamicAttributes
def read_files(filesxml):
files = list()
files = []
for fil in get_xml_root(filesxml):
props = fil.find('Properties')
@@ -36,9 +36,9 @@ def read_files(filesxml):
return files
def merge_files(storage, sid, file_objects, policy_name):
def merge_files(storage, file_objects, policy_name):
for fileobj in file_objects:
storage.add_file(sid, fileobj, policy_name)
storage.add_file(fileobj, policy_name)
class fileentry(DynamicAttributes):
def __init__(self, fromPath):

8
gpoa/gpt/folders.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -40,7 +40,7 @@ def folder_int2bool(val):
def read_folders(folders_file):
folders = list()
folders = []
for fld in get_xml_root(folders_file):
props = fld.find('Properties')
@@ -57,9 +57,9 @@ def read_folders(folders_file):
return folders
def merge_folders(storage, sid, folder_objects, policy_name):
def merge_folders(storage, folder_objects, policy_name):
for folder in folder_objects:
storage.add_folder(sid, folder, policy_name)
storage.add_folder(folder, policy_name)
class folderentry(DynamicAttributes):

40
gpoa/gpt/gpt.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -110,7 +110,7 @@ def get_preftype(path_to_file):
return None
def pref_parsers():
parsers = dict()
parsers = {}
parsers[FileType.PREG] = read_polfile
parsers[FileType.SHORTCUTS] = read_shortcuts
@@ -132,7 +132,7 @@ def get_parser(preference_type):
return parsers[preference_type]
def pref_mergers():
mergers = dict()
mergers = {}
mergers[FileType.PREG] = merge_polfile
mergers[FileType.SHORTCUTS] = merge_shortcuts
@@ -154,11 +154,10 @@ def get_merger(preference_type):
return mergers[preference_type]
class gpt:
def __init__(self, gpt_path, sid, username='Machine', gpo_info=None):
def __init__(self, gpt_path, username='Machine', gpo_info=None):
add_to_dict(gpt_path, username, gpo_info)
self.path = gpt_path
self.username = username
self.sid = sid
self.storage = registry_factory()
self.storage._gpt_read_flag = True
self.gpo_info = gpo_info
@@ -185,18 +184,18 @@ class gpt:
, 'scripts'
, 'networkshares'
]
self.settings = dict()
self.settings['machine'] = dict()
self.settings['user'] = dict()
self.settings = {}
self.settings['machine'] = {}
self.settings['user'] = {}
self.settings['machine']['regpol'] = find_file(self._machine_path, 'registry.pol')
self.settings['user']['regpol'] = find_file(self._user_path, 'registry.pol')
for setting in self.settings_list:
machine_preffile = find_preffile(self._machine_path, setting)
user_preffile = find_preffile(self._user_path, setting)
mlogdata = dict({'setting': setting, 'prefpath': machine_preffile})
mlogdata = {'setting': setting, 'prefpath': machine_preffile}
log('D24', mlogdata)
self.settings['machine'][setting] = machine_preffile
ulogdata = dict({'setting': setting, 'prefpath': user_preffile})
ulogdata = {'setting': setting, 'prefpath': user_preffile}
log('D23', ulogdata)
self.settings['user'][setting] = user_preffile
@@ -217,21 +216,21 @@ class gpt:
try:
# Merge machine policies to registry if possible
if self.settings['machine']['regpol']:
mlogdata = dict({'polfile': self.settings['machine']['regpol']})
mlogdata = {'polfile': self.settings['machine']['regpol']}
log('D34', mlogdata)
util.preg.merge_polfile(self.settings['machine']['regpol'], policy_name=self.name, gpo_info=self.gpo_info)
# Merge machine preferences to registry if possible
for preference_name, preference_path in self.settings['machine'].items():
if preference_path:
preference_type = get_preftype(preference_path)
logdata = dict({'pref': preference_type.value, 'sid': self.sid})
logdata = {'pref': preference_type.value}
log('D28', logdata)
preference_parser = get_parser(preference_type)
preference_merger = get_merger(preference_type)
preference_objects = preference_parser(preference_path)
preference_merger(self.storage, self.sid, preference_objects, self.name)
preference_merger(self.storage, preference_objects, self.name)
except Exception as exc:
logdata = dict()
logdata = {}
logdata['gpt'] = self.name
logdata['msg'] = str(exc)
log('E28', logdata)
@@ -243,10 +242,9 @@ class gpt:
try:
# Merge user policies to registry if possible
if self.settings['user']['regpol']:
mulogdata = dict({'polfile': self.settings['user']['regpol']})
mulogdata = {'polfile': self.settings['user']['regpol']}
log('D35', mulogdata)
util.preg.merge_polfile(self.settings['user']['regpol'],
sid=self.sid,
policy_name=self.name,
username=self.username,
gpo_info=self.gpo_info)
@@ -254,14 +252,14 @@ class gpt:
for preference_name, preference_path in self.settings['user'].items():
if preference_path:
preference_type = get_preftype(preference_path)
logdata = dict({'pref': preference_type.value, 'sid': self.sid})
logdata = {'pref': preference_type.value}
log('D29', logdata)
preference_parser = get_parser(preference_type)
preference_merger = get_merger(preference_type)
preference_objects = preference_parser(preference_path)
preference_merger(self.storage, self.sid, preference_objects, self.name)
preference_merger(self.storage, preference_objects, self.name)
except Exception as exc:
logdata = dict()
logdata = {}
logdata['gpt'] = self.name
logdata['msg'] = str(exc)
log('E29', logdata)
@@ -354,13 +352,13 @@ def lp2gpt():
# Write PReg
polparser.write_binary(os.path.join(destdir, 'Registry.pol'))
def get_local_gpt(sid):
def get_local_gpt():
'''
Convert default policy to GPT and create object out of it.
'''
log('D25')
lp2gpt()
local_policy = gpt(str(local_policy_cache()), sid)
local_policy = gpt(str(local_policy_cache()))
local_policy.set_name('Local Policy')
return local_policy

8
gpoa/gpt/inifiles.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,7 +20,7 @@ from util.xml import get_xml_root
from .dynamic_attributes import DynamicAttributes
def read_inifiles(inifiles_file):
inifiles = list()
inifiles = []
for ini in get_xml_root(inifiles_file):
prors = ini.find('Properties')
@@ -34,9 +34,9 @@ def read_inifiles(inifiles_file):
return inifiles
def merge_inifiles(storage, sid, inifile_objects, policy_name):
def merge_inifiles(storage, inifile_objects, policy_name):
for iniobj in inifile_objects:
storage.add_ini(sid, iniobj, policy_name)
storage.add_ini(iniobj, policy_name)
class inifile(DynamicAttributes):
def __init__(self, path):

8
gpoa/gpt/networkshares.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,7 +20,7 @@ from util.xml import get_xml_root
from .dynamic_attributes import DynamicAttributes
def read_networkshares(networksharesxml):
networkshares = list()
networkshares = []
for share in get_xml_root(networksharesxml):
props = share.find('Properties')
@@ -35,9 +35,9 @@ def read_networkshares(networksharesxml):
return networkshares
def merge_networkshares(storage, sid, networkshares_objects, policy_name):
def merge_networkshares(storage, networkshares_objects, policy_name):
for networkshareobj in networkshares_objects:
storage.add_networkshare(sid, networkshareobj, policy_name)
storage.add_networkshare(networkshareobj, policy_name)
class networkshare(DynamicAttributes):
def __init__(self, name):

10
gpoa/gpt/polfile.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -23,11 +23,7 @@ from util.preg import (
def read_polfile(filename):
return load_preg(filename).entries
def merge_polfile(storage, sid, policy_objects, policy_name):
def merge_polfile(storage, policy_objects, policy_name):
pass
# for entry in policy_objects:
# if not sid:
# storage.add_hklm_entry(entry, policy_name)
# else:
# storage.add_hkcu_entry(entry, sid, policy_name)

12
gpoa/gpt/printers.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -25,7 +25,7 @@ def read_printers(printers_file):
'''
Read printer configurations from Printer.xml
'''
printers = list()
printers = []
for prn in get_xml_root(printers_file):
prn_obj = printer(prn.tag, prn.get('name'), prn.get('status'))
@@ -42,9 +42,9 @@ def read_printers(printers_file):
return printers
def merge_printers(storage, sid, printer_objects, policy_name):
def merge_printers(storage, printer_objects, policy_name):
for device in printer_objects:
storage.add_printer(sid, device, policy_name)
storage.add_printer(device, policy_name)
def json2printer(json_str):
'''
@@ -101,7 +101,7 @@ class printer(DynamicAttributes):
'''
Return string-serialized JSON representation of the object.
'''
printer = dict()
printer = {}
printer['type'] = self.printer_type
printer['name'] = self.name
printer['status'] = self.status
@@ -113,7 +113,7 @@ class printer(DynamicAttributes):
# Nesting JSON object into JSON object makes it easier to add
# metadata if needed.
config = dict()
config = {}
config['printer'] = printer
return json.dumps(config)

28
gpoa/gpt/scriptsini.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -23,10 +23,10 @@ from .dynamic_attributes import DynamicAttributes
def read_scripts(scripts_file):
scripts = Scripts_lists()
logon_scripts = dict()
logoff_scripts = dict()
startup_scripts = dict()
shutdown_scripts = dict()
logon_scripts = {}
logoff_scripts = {}
startup_scripts = {}
shutdown_scripts = {}
config = configparser.ConfigParser()
config.read(scripts_file, encoding = 'utf-16')
@@ -78,22 +78,22 @@ def read_scripts(scripts_file):
return scripts
def merge_scripts(storage, sid, scripts_objects, policy_name):
def merge_scripts(storage, scripts_objects, policy_name):
for script in scripts_objects.get_logon_scripts():
storage.add_script(sid, script, policy_name)
storage.add_script(script, policy_name)
for script in scripts_objects.get_logoff_scripts():
storage.add_script(sid, script, policy_name)
storage.add_script(script, policy_name)
for script in scripts_objects.get_startup_scripts():
storage.add_script(sid, script, policy_name)
storage.add_script(script, policy_name)
for script in scripts_objects.get_shutdown_scripts():
storage.add_script(sid, script, policy_name)
storage.add_script(script, policy_name)
class Scripts_lists:
def __init__ (self):
self.__logon_scripts = list()
self.__logoff_scripts = list()
self.__startup_scripts = list()
self.__shutdown_scripts = list()
self.__logon_scripts = []
self.__logoff_scripts = []
self.__startup_scripts = []
self.__shutdown_scripts = []
def get_logon_scripts(self):
return self.__logon_scripts

6
gpoa/gpt/services.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -23,7 +23,7 @@ def read_services(service_file):
'''
Read Services.xml from GPT.
'''
services = list()
services = []
for srv in get_xml_root(service_file):
srv_obj = service(srv.get('name'))
@@ -40,7 +40,7 @@ def read_services(service_file):
return services
def merge_services(storage, sid, service_objects, policy_name):
def merge_services(storage, service_objects, policy_name):
for srv in service_objects:
pass

20
gpoa/gpt/shortcuts.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -69,7 +69,7 @@ def read_shortcuts(shortcuts_file):
:shortcuts_file: Location of Shortcuts.xml
'''
shortcuts = list()
shortcuts = []
for link in get_xml_root(shortcuts_file):
props = link.find('Properties')
@@ -95,9 +95,9 @@ def read_shortcuts(shortcuts_file):
return shortcuts
def merge_shortcuts(storage, sid, shortcut_objects, policy_name):
def merge_shortcuts(storage, shortcut_objects, policy_name):
for shortcut in shortcut_objects:
storage.add_shortcut(sid, shortcut, policy_name)
storage.add_shortcut(shortcut, policy_name)
def find_desktop_entry(binary_path):
@@ -114,6 +114,8 @@ def find_desktop_entry(binary_path):
class shortcut(DynamicAttributes):
_ignore_fields = {"desktop_file_template", "desktop_file"}
def __init__(self, dest, path, arguments, name=None, action=None, ttype=TargetType.FILESYSTEM):
'''
:param dest: Path to resulting file on file system
@@ -135,6 +137,14 @@ class shortcut(DynamicAttributes):
self.type = ttype
self.desktop_file_template = None
def items(self):
return ((k, v) for k, v in super().items() if k not in self._ignore_fields)
def __iter__(self):
return iter(self.items())
def replace_slashes(self, input_path):
if input_path.startswith('%'):
index = input_path.find('%', 1)
@@ -238,7 +248,7 @@ class shortcut(DynamicAttributes):
if self.desktop_file_template:
terminal_state = str2bool_lambda(self.desktop_file_template.get('Terminal'))
self.desktop_file.set('Terminal', 'true' if terminal_state else 'false')
self.desktop_file.set('Exec', '{} {}'.format(desktop_path, self.arguments))
self.desktop_file.set('Exec', '{} {}'.format(desktop_path, self.get_original_value('arguments')))
self.desktop_file.set('Comment', self.comment)
if self.icon:

4
gpoa/gpt/tasks.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -19,7 +19,7 @@
def read_tasks(filename):
pass
def merge_tasks(storage, sid, task_objects, policy_name):
def merge_tasks(storage, task_objects, policy_name):
for task in task_objects:
pass

10
gpoa/gpupdate
View File

@@ -2,7 +2,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -113,14 +113,14 @@ def runner_factory(args, target):
target = 'COMPUTER'
except:
username = None
logdata = dict({'username': args.user})
logdata = {'username': args.user}
log('W1', logdata)
else:
# User may only perform gpupdate for machine (None) or
# itself (os.getusername()).
username = pwd.getpwuid(os.getuid()).pw_name
if args.user != username:
logdata = dict({'username': username})
logdata = {'username': username}
log('W2', logdata)
if args.system:
@@ -179,7 +179,7 @@ def main():
try:
gpo_appliers[0].run()
except Exception as exc:
logdata = dict({'error': str(exc)})
logdata = {'error': str(exc)}
log('E5')
return int(ExitCodeUpdater.FAIL_GPUPDATE_COMPUTER_NOREPLY)
@@ -187,7 +187,7 @@ def main():
try:
gpo_appliers[1].run()
except Exception as exc:
logdata = dict({'error': str(exc)})
logdata = {'error': str(exc)}
log('E6', logdata)
return int(ExitCodeUpdater.FAIL_GPUPDATE_USER_NOREPLY)
else:

60
gpoa/gpupdate-setup
View File

@@ -2,7 +2,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -30,6 +30,7 @@ from util.util import (
)
from util.config import GPConfig
from util.paths import get_custom_policy_dir
from frontend.appliers.ini_file import Ini_file
class Runner:
@@ -77,7 +78,7 @@ def parse_arguments():
type=str,
nargs='?',
const='backend',
choices=['local', 'samba'],
choices=['local', 'samba', 'freeipa'],
help='Backend (source of settings) name')
parser_write.add_argument('status',
@@ -92,7 +93,7 @@ def parse_arguments():
type=str,
nargs='?',
const='backend',
choices=['local', 'samba'],
choices=['local', 'samba', 'freeipa'],
help='Backend (source of settings) name')
parser_enable.add_argument('--local-policy',
@@ -101,7 +102,7 @@ def parse_arguments():
parser_enable.add_argument('--backend',
default='samba',
type=str,
choices=['local', 'samba'],
choices=['local', 'samba', 'freeipa'],
help='Backend (source of settings) name')
parser_update.add_argument('--local-policy',
@@ -110,7 +111,7 @@ def parse_arguments():
parser_update.add_argument('--backend',
default='samba',
type=str,
choices=['local', 'samba'],
choices=['local', 'samba', 'freeipa'],
help='Backend (source of settings) name')
@@ -221,6 +222,8 @@ def enable_gp(policy_name, backend_type):
cmd_enable_gpupdate_user_timer = ['/bin/systemctl', '--global', 'enable', 'gpupdate-user.timer']
cmd_enable_gpupdate_scripts_service = ['/bin/systemctl', 'enable', 'gpupdate-scripts-run.service']
cmd_enable_gpupdate_user_scripts_service = ['/bin/systemctl', '--global', 'enable', 'gpupdate-scripts-run-user.service']
cmd_ipa_client_samba = ['/usr/sbin/ipa-client-samba', '--unattended']
config = GPConfig()
@@ -271,6 +274,28 @@ def enable_gp(policy_name, backend_type):
if not is_unit_enabled('gpupdate.timer'):
disable_gp()
return
if backend_type == 'freeipa':
result = runcmd(cmd_ipa_client_samba)
if result[0] != 0:
if "already configured" in str(result[1]) or "already exists" in str(result[1]):
print("FreeIPA is already configured")
else:
print(str(result))
return
else:
print(str(result))
ini_obj = type("ini", (), {})()
ini_obj.path = "/etc/samba/smb.conf"
ini_obj.section = "global"
ini_obj.action = "UPDATE"
ini_obj.property = "log level"
ini_obj.value = "0"
Ini_file(ini_obj)
# Enable gpupdate-setup.timer for all users
if not rollback_on_error(cmd_enable_gpupdate_user_timer):
return
@@ -342,18 +367,19 @@ def act_default_policy():
def main():
arguments = parse_arguments()
action = dict()
action['list'] = act_list
action['list-backends'] = act_list_backends
action['status'] = act_status
action['set-backend'] = act_set_backend
action['write'] = act_write
action['enable'] = act_enable
action['update'] = act_enable
action['disable'] = disable_gp
action['active-policy'] = act_active_policy
action['active-backend'] = act_active_backend
action['default-policy'] = act_default_policy
action = {
'list': act_list,
'list-backends': act_list_backends,
'status': act_status,
'set-backend': act_set_backend,
'write': act_write,
'enable': act_enable,
'update': act_enable,
'disable': disable_gp,
'active-policy': act_active_policy,
'active-backend': act_active_backend,
'default-policy': act_default_policy
}
if arguments.action == None:
action['status']()

127
gpoa/locale/ru_RU/LC_MESSAGES/gpoa.po
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -262,6 +262,18 @@ msgstr "Не удалось получить данные из базы dconf"
msgid "Autofs restart failed"
msgstr "Перезапуск Autofs не удался"
msgid "Failed to update LDAP with new password data"
msgstr "Не удалось обновить LDAP новыми данными пароля"
msgid "Failed to change local user password"
msgstr "Не удалось изменить пароль локального пользователя"
msgid "Unable to initialize Freeipa backend"
msgstr "Невозможно инициализировать бэкэнд Freeipa"
msgid "FreeIPA API Error"
msgstr "Ошибка API FreeIPA"
# Error_end
# Debug
@@ -901,6 +913,63 @@ msgstr "Очистка файла environment не удалась"
msgid "Failed to get dictionary"
msgstr "Не удалось получить словарь"
msgid "LAPS applier started"
msgstr "Запущен обработчик LAPS"
msgid "LAPS applier is disabled"
msgstr "Обработчик LAPS отключен"
msgid "Rebooting system after password change"
msgstr "Перезагрузка системы после смены пароля"
msgid "Password changed"
msgstr "Пароль изменён"
msgid "Writing password changes time"
msgstr "Запись времени изменения пароля"
msgid "Requirements not met"
msgstr "Требования не выполнены"
msgid "The number of hours from the moment of the last user entrance"
msgstr "Количество часов с момента последнего входа пользователя"
msgid "The number of hours since the password has last changed"
msgstr "Количество часов с момента последнего изменения пароля"
msgid "LDAP updated with new password data"
msgstr "LDAP обновлён новыми данными пароля"
msgid "No active sessions found"
msgstr "Активные сеансы не найдены"
msgid "Process terminated"
msgstr "Процесс завершён"
msgid "Password update not needed"
msgstr "Обновление пароля не требуется"
msgid "Password successfully updated"
msgstr "Пароль успешно обновлён"
msgid "Cleaning the autofs catalog"
msgstr "Очистка каталога autofs"
msgid "No user login records found"
msgstr "Не найдены записи о входе пользователя"
msgid "Calculating time since the first user login after their password change"
msgstr "Расчет времени с момента первого входа пользователя после изменения их пароля"
msgid "No logins found after password change"
msgstr "Не найдены входы после изменения пароля"
msgid "Unknown message type, no message assigned"
msgstr "Неизвестный тип сообщения"
msgid "Failed to load cached versions"
msgstr "Не удалось загрузить кешированные версии"
# Debug_end
# Warning
@@ -983,6 +1052,58 @@ msgstr "Не удалось загрузить контент с удаленн
msgid "Force mode activated"
msgstr "Режим force задействован"
msgid "Failed to change password"
msgstr "Не удалось изменить пароль"
msgid "Failed to write password modification time"
msgstr "Не удалось записать время изменения пароля"
msgid "LAPS requirements not met, module disabled"
msgstr "Требования LAPS не выполнены, модуль отключён"
msgid "Could not resolve encryption principal name. Return admin group SID"
msgstr "Не удалось определить имя шифрования. Возвращён SID группы администраторов"
msgid "Failed to get expiration time from LDAP"
msgstr "Не удалось получить время истечения срока действия из LDAP"
msgid "Failed to read password modification time from dconf"
msgstr "Не удалось прочитать время изменения пароля из dconf"
msgid "Failed to get last login time"
msgstr "Не удалось получить время последнего входа"
msgid "Failed to calculate password age"
msgstr "Не удалось вычислить возраст пароля"
msgid "Failed to terminate process"
msgstr "Не удалось завершить процесс"
msgid "The user was not found to change the password"
msgstr "Пользователь для изменения пароля не был найден"
msgid "Error while cleaning the autofs catalog"
msgstr "Ошибка при очистке каталога autofs"
msgid "Problem with timezone detection"
msgstr "Проблема с определением часового пояса"
msgid "Error executing last command"
msgstr "Ошибка выполнения команды last"
msgid "Last command not found"
msgstr "Команда last не найдена"
msgid "Error getting user login times"
msgstr "Ошибка получения времени входа пользователя"
msgid "Invalid timezone in reference datetime"
msgstr "Некорректный часовой пояс в reference datetime"
msgid "wbinfo SID lookup failed; will try as trusted domain user"
msgstr "Ошибка получения SID через wbinfo; будет предпринята попытка как для пользователя доверенного домена"
# Warning_end
# Fatal
msgid "Unable to refresh GPO list"
msgstr "Невозможно обновить список объектов групповых политик"
@@ -996,7 +1117,5 @@ msgstr "Не удалось получить GPT для пользователя
msgid "Unknown fatal code"
msgstr "Неизвестный код фатальной ошибки"
# get_message
msgid "Unknown message type, no message assigned"
msgstr "Неизвестный тип сообщения"

51
gpoa/messages/__init__.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,7 +20,7 @@
import gettext
def info_code(code):
info_ids = dict()
info_ids = {}
info_ids[1] = 'Got GPO list for username'
info_ids[2] = 'Got GPO'
info_ids[3] = 'Working with control'
@@ -36,7 +36,7 @@ def info_code(code):
return info_ids.get(code, 'Unknown info code')
def error_code(code):
error_ids = dict()
error_ids = {}
error_ids[1] = 'Insufficient permissions to run gpupdate'
error_ids[2] = 'gpupdate will not be started'
error_ids[3] = 'Backend execution error'
@@ -110,10 +110,14 @@ def error_code(code):
error_ids[72] = 'Exception occurred while updating dconf database'
error_ids[73] = 'Failed to retrieve data from dconf database'
error_ids[74] = 'Autofs restart failed'
error_ids[75] = 'Failed to update LDAP with new password data'
error_ids[76] = 'Failed to change local user password'
error_ids[77] = 'Unable to initialize Freeipa backend'
error_ids[78] = 'FreeIPA API error'
return error_ids.get(code, 'Unknown error code')
def debug_code(code):
debug_ids = dict()
debug_ids = {}
debug_ids[1] = 'The GPOA process was started for user'
debug_ids[2] = 'Username is not specified - will use username of the current process'
debug_ids[3] = 'Initializing plugin manager'
@@ -330,11 +334,29 @@ def debug_code(code):
debug_ids[215] = 'The environment file has been cleaned'
debug_ids[216] = 'Cleanup of file environment failed'
debug_ids[217] = 'Failed to get dictionary'
debug_ids[218] = 'LAPS applier started'
debug_ids[219] = 'LAPS applier is disabled'
debug_ids[220] = 'Rebooting system after password change'
debug_ids[221] = 'Password changed'
debug_ids[222] = 'Writing password changes time'
debug_ids[223] = 'Requirements not met'
debug_ids[224] = 'The number of hours from the moment of the last user entrance'
debug_ids[225] = 'The number of hours since the password has last changed'
debug_ids[226] = 'LDAP updated with new password data'
debug_ids[227] = 'No active sessions found'
debug_ids[228] = 'Process terminated'
debug_ids[229] = 'Password update not needed'
debug_ids[230] = 'Password successfully updated'
debug_ids[231] = 'Cleaning the autofs catalog'
debug_ids[232] = 'No user login records found'
debug_ids[233] = 'Calculating time since the first user login after their password change'
debug_ids[234] = 'No logins found after password change'
debug_ids[235] = 'Failed to load cached versions'
return debug_ids.get(code, 'Unknown debug code')
def warning_code(code):
warning_ids = dict()
warning_ids = {}
warning_ids[1] = (
'Unable to perform gpupdate for non-existent user, '
'will update machine settings'
@@ -367,11 +389,28 @@ def warning_code(code):
warning_ids[24] = 'Couldn\'t get the uid'
warning_ids[25] = 'Failed to load content from remote host'
warning_ids[26] = 'Force mode activated'
warning_ids[27] = 'Failed to change password'
warning_ids[28] = 'Failed to write password modification time'
warning_ids[29] = 'LAPS requirements not met, module disabled'
warning_ids[30] = 'Could not resolve encryption principal name. Return admin group SID'
warning_ids[31] = 'Failed to get expiration time from LDAP'
warning_ids[32] = 'Failed to read password modification time from dconf'
warning_ids[33] = 'Failed to get last login time'
warning_ids[34] = 'Failed to calculate password age'
warning_ids[35] = 'Failed to terminate process'
warning_ids[36] = 'The user was not found to change the password'
warning_ids[37] = 'Error while cleaning the autofs catalog'
warning_ids[38] = 'Problem with timezone detection'
warning_ids[39] = 'Error executing last command'
warning_ids[40] = 'Last command not found'
warning_ids[41] = 'Error getting user login times'
warning_ids[42] = 'Invalid timezone in reference datetime'
warning_ids[43] = 'wbinfo SID lookup failed; will try as trusted domain user'
return warning_ids.get(code, 'Unknown warning code')
def fatal_code(code):
fatal_ids = dict()
fatal_ids = {}
fatal_ids[1] = 'Unable to refresh GPO list'
fatal_ids[2] = 'Error getting GPTs for machine'
fatal_ids[3] = 'Error getting GPTs for user'

18
gpoa/pkcon_runner
View File

@@ -20,7 +20,6 @@
import rpm
import subprocess
from gpoa.storage import registry_factory
from util.gpoa_ini_parsing import GpoaConfigObj
from util.util import get_uid_by_username, string_to_literal_eval
import logging
from util.logging import log
@@ -62,9 +61,11 @@ class Pkcon_applier:
self.remove_packages_setting = string_to_literal_eval(dict_packages.get(remove_key_name,[]))
for package in self.install_packages_setting:
package = package.strip()
if not is_rpm_installed(package):
self.install_packages.add(package)
for package in self.remove_packages_setting:
package = package.strip()
if package in self.install_packages:
self.install_packages.remove(package)
if is_rpm_installed(package):
@@ -74,24 +75,20 @@ class Pkcon_applier:
log('D142')
self.update()
for package in self.remove_packages:
logdata = {'name': package}
try:
logdata = dict()
logdata['name'] = package
log('D149', logdata)
self.remove_pkg(package)
except Exception as exc:
logdata = dict()
logdata['exc'] = exc
log('E58', logdata)
for package in self.install_packages:
logdata = {'name': package}
try:
logdata = dict()
logdata['name'] = package
log('D148', logdata)
self.install_pkg(package)
except Exception as exc:
logdata = dict()
logdata['exc'] = exc
log('E57', logdata)
@@ -105,7 +102,7 @@ class Pkcon_applier:
pass
def remove_pkg(self, package_name):
fullcmd = self.__remove_command
fullcmd = list(self.__remove_command)
fullcmd.append(package_name)
return subprocess.check_output(fullcmd)
@@ -116,15 +113,14 @@ class Pkcon_applier:
try:
res = subprocess.check_output(['/usr/bin/apt-get', 'update'], encoding='utf-8')
msg = str(res).split('\n')
logdata = dict()
logdata = {}
for mslog in msg:
ms = str(mslog).split(' ')
if ms:
logdata = {ms[0]: ms[1:-1]}
log('D143', logdata)
except Exception as exc:
logdata = dict()
logdata['msg'] = exc
logdata = {'msg': exc}
log('E56',logdata)
if __name__ == '__main__':

2
gpoa/plugin/plugin_manager.py
View File

@@ -27,7 +27,7 @@ from messages import message_with_code
class plugin_manager:
def __init__(self):
self.plugins = dict()
self.plugins = {}
logging.debug(slogm(message_with_code('D3')))
try:
self.plugins['adp'] = adp()

8
gpoa/scripts_runner
View File

@@ -33,7 +33,7 @@ class Scripts_runner:
self.dir_scripts_machine = '/var/cache/gpupdate_scripts_cache/machine/'
self.dir_scripts_users = '/var/cache/gpupdate_scripts_cache/users/'
self.user_name = user_name
self.list_with_all_commands = list()
self.list_with_all_commands = []
stack_dir = None
if work_mode and work_mode.upper() == 'MACHINE':
stack_dir = self.machine_runner_fill()
@@ -59,7 +59,7 @@ class Scripts_runner:
return self.get_stack_dir(self.dir_scripts_machine)
def get_stack_dir(self, path_dir):
stack_dir = list()
stack_dir = []
try:
dir_script = Path(path_dir)
for it_dir in dir_script.iterdir():
@@ -72,7 +72,7 @@ class Scripts_runner:
def find_action(self, stack_dir):
if not stack_dir:
return
list_tmp = list()
list_tmp = []
while stack_dir:
path_turn = stack_dir.pop()
basename = os.path.basename(path_turn)
@@ -94,7 +94,7 @@ class Scripts_runner:
except Exception as exc:
print('Argument read for {}: {}'.format(self.list_with_all_commands.pop(), exc))
else:
cmd = list()
cmd = []
cmd.append(file_in_task_dir)
self.list_with_all_commands.append(cmd)

149
gpoa/storage/dconf_registry.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2023 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -64,37 +64,37 @@ class Dconf_registry():
'''
_GpoPriority = 'Software/BaseALT/Policies/GpoPriority'
_gpo_name = set()
global_registry_dict = dict({_GpoPriority:{}})
previous_global_registry_dict = dict()
global_registry_dict = {_GpoPriority:{}}
previous_global_registry_dict = {}
__template_file = '/usr/share/dconf/user_mandatory.template'
_policies_path = 'Software/'
_policies_win_path = 'SOFTWARE/'
_gpt_read_flag = False
_force = False
__dconf_dict_flag = False
__dconf_dict = dict()
_dconf_db = dict()
_dict_gpo_name_version_cache = dict()
__dconf_dict = {}
_dconf_db = {}
_dict_gpo_name_version_cache = {}
_username = None
_uid = None
_envprofile = None
_path_bin_system = "/etc/dconf/db/policy"
list_keys = list()
_info = dict()
list_keys = []
_info = {}
_counter_gpt = itertools.count(0)
shortcuts = list()
folders = list()
files = list()
drives = list()
scheduledtasks = list()
environmentvariables = list()
inifiles = list()
services = list()
printers = list()
scripts = list()
networkshares = list()
shortcuts = []
folders = []
files = []
drives = []
scheduledtasks = []
environmentvariables = []
inifiles = []
services = []
printers = []
scripts = []
networkshares = []
_true_strings = {
"True",
@@ -126,7 +126,7 @@ class Dconf_registry():
def get_matching_keys(path):
if path[0] != '/':
path = '/' + path
logdata = dict()
logdata = {}
envprofile = get_dconf_envprofile()
try:
process = subprocess.Popen(['dconf', 'list', path],
@@ -157,7 +157,7 @@ class Dconf_registry():
@staticmethod
def get_key_value(key):
logdata = dict()
logdata = {}
envprofile = get_dconf_envprofile()
try:
process = subprocess.Popen(['dconf', 'read', key],
@@ -176,7 +176,7 @@ class Dconf_registry():
@staticmethod
def dconf_update(uid=None):
logdata = dict()
logdata = {}
path_dconf_config = get_dconf_config_path(uid)
db_file = path_dconf_config[:-3]
try:
@@ -209,7 +209,7 @@ class Dconf_registry():
@classmethod
def apply_template(cls, uid):
logdata = dict()
logdata = {}
if uid and cls.check_profile_template():
with open(cls.__template_file, "r") as f:
template = f.read()
@@ -218,13 +218,15 @@ class Dconf_registry():
elif uid:
content = f"user-db:user\n" \
f"system-db:distr\n" \
f"system-db:policy\n" \
f"system-db:policy{uid}\n" \
f"system-db:local\n" \
f"system-db:default\n" \
f"system-db:local\n" \
f"system-db:policy{uid}\n" \
f"system-db:policy\n"
f"system-db:policy\n" \
f"system-db:distr\n"
else:
logdata['uid'] = uid
log('W24', logdata)
@@ -257,7 +259,7 @@ class Dconf_registry():
@classmethod
def get_dictionary_from_dconf_file_db(self, uid=None, path_bin=None, save_dconf_db=False):
logdata = dict()
logdata = {}
error_skip = None
if path_bin:
error_skip = True
@@ -329,7 +331,7 @@ class Dconf_registry():
@classmethod
def filter_hkcu_entries(cls, sid, startswith):
def filter_hkcu_entries(cls, startswith):
return cls.filter_hklm_entries(startswith)
@@ -356,7 +358,7 @@ class Dconf_registry():
@classmethod
def get_entry(cls, path, dictionary = None, preg = True):
logdata = dict()
logdata = {}
result = Dconf_registry.get_storage(dictionary)
keys = path.split("\\") if "\\" in path else path.split("/")
@@ -384,7 +386,7 @@ class Dconf_registry():
return False
@classmethod
def get_hkcu_entry(cls, sid, hive_key, dictionary = None):
def get_hkcu_entry(cls, hive_key, dictionary = None):
return cls.get_hklm_entry(hive_key, dictionary)
@@ -395,85 +397,85 @@ class Dconf_registry():
@classmethod
def add_shortcut(cls, sid, sc_obj, policy_name):
def add_shortcut(cls, sc_obj, policy_name):
sc_obj.policy_name = policy_name
cls.shortcuts.append(sc_obj)
@classmethod
def add_printer(cls, sid, pobj, policy_name):
def add_printer(cls, pobj, policy_name):
pobj.policy_name = policy_name
cls.printers.append(pobj)
@classmethod
def add_drive(cls, sid, dobj, policy_name):
def add_drive(cls, dobj, policy_name):
dobj.policy_name = policy_name
cls.drives.append(dobj)
@classmethod
def add_folder(cls, sid, fobj, policy_name):
def add_folder(cls, fobj, policy_name):
fobj.policy_name = policy_name
cls.folders.append(fobj)
@classmethod
def add_envvar(self, sid, evobj, policy_name):
def add_envvar(self, evobj, policy_name):
evobj.policy_name = policy_name
self.environmentvariables.append(evobj)
@classmethod
def add_script(cls, sid, scrobj, policy_name):
def add_script(cls, scrobj, policy_name):
scrobj.policy_name = policy_name
cls.scripts.append(scrobj)
@classmethod
def add_file(cls, sid, fileobj, policy_name):
def add_file(cls, fileobj, policy_name):
fileobj.policy_name = policy_name
cls.files.append(fileobj)
@classmethod
def add_ini(cls, sid, iniobj, policy_name):
def add_ini(cls, iniobj, policy_name):
iniobj.policy_name = policy_name
cls.inifiles.append(iniobj)
@classmethod
def add_networkshare(cls, sid, networkshareobj, policy_name):
def add_networkshare(cls, networkshareobj, policy_name):
networkshareobj.policy_name = policy_name
cls.networkshares.append(networkshareobj)
@classmethod
def get_shortcuts(cls, sid):
def get_shortcuts(cls):
return cls.shortcuts
@classmethod
def get_printers(cls, sid):
def get_printers(cls):
return cls.printers
@classmethod
def get_drives(cls, sid):
def get_drives(cls):
return cls.drives
@classmethod
def get_folders(cls, sid):
def get_folders(cls):
return cls.folders
@classmethod
def get_envvars(cls, sid):
def get_envvars(cls):
return cls.environmentvariables
@classmethod
def get_scripts(cls, sid, action):
def get_scripts(cls, action):
action_scripts = list()
for part in cls.scripts:
if action == 'LOGON' and part.action == 'LOGON':
@@ -488,22 +490,22 @@ class Dconf_registry():
@classmethod
def get_files(cls, sid):
def get_files(cls):
return cls.files
@classmethod
def get_networkshare(cls, sid):
def get_networkshare(cls):
return cls.networkshares
@classmethod
def get_ini(cls, sid):
def get_ini(cls):
return cls.inifiles
@classmethod
def wipe_user(cls, sid):
def wipe_user(cls):
cls.wipe_hklm()
@@ -695,12 +697,59 @@ def create_dconf_ini_file(filename, data, uid=None, nodomain=None):
else:
file.write(f'{key} = "{value}"\n')
file.write('\n')
logdata = dict()
logdata['path'] = filename
logdata = {'path': filename}
log('D209', logdata)
create_dconf_file_locks(filename, data)
Dconf_registry.dconf_update(uid)
def create_dconf_file_locks(filename_ini, data):
"""
Creates a dconf lock file based on the provided filename and data.
:param filename_ini: Path to the ini file (str)
:param data: Dictionary containing configuration data
"""
# Extract the path parts up to the directory of the ini file
tmp_lock = filename_ini.split('/')[:-1]
# Construct the path to the lock file
file_lock = '/'.join(tmp_lock + ['locks', tmp_lock[-1][:-1] + 'pol'])
# Create an empty lock file
touch_file(file_lock)
# Open the lock file for writing
with open(file_lock, 'w') as file:
# Iterate over all lock keys obtained from the data
for key_lock in get_keys_dconf_locks(data):
# Remove the "lock/" prefix from the key and split into parts
key = key_lock.split('/')[1:]
# Write the cleaned key to the lock file
file.write(f'{key}\n')
def get_keys_dconf_locks(data):
"""
Extracts keys from the provided data that start with "Locks/"
and have a value of 1.
:param data: Dictionary containing configuration data
:return: List of lock keys (str) without the "Locks/" prefix
"""
result = []
# Flatten the nested dictionary into a single-level dictionary
flatten_data = flatten_dictionary(data)
# Iterate through all keys in the flattened dictionary
for key in flatten_data:
# Check if the key starts with "Locks/" and its value is 1
if key.startswith('Locks/') and flatten_data[key] == 1:
# Remove the "Locks" prefix and append to the result
result.append(key.removeprefix('Locks'))
return result
def check_data(data, t_data):
if isinstance(data, bytes):
if t_data == 7:
@@ -795,7 +844,7 @@ def add_preferences_to_global_registry_dict(username, is_machine):
def extract_display_name_version(data, username):
policy_force = data.get('Software/BaseALT/Policies/GPUpdate', {}).get('Force', False)
if Dconf_registry._force or policy_force:
logdata = dict({'username': username})
logdata = {'username': username}
log('W26', logdata)
return {}
result = {}

16
gpoa/storage/fs_file_cache.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2021-2024 BaseALT Ltd. <org@basealt.ru>
# Copyright (C) 2021-2025 BaseALT Ltd. <org@basealt.ru>
# Copyright (C) 2021 Igor Chudov <nir@nir.org.ru>
#
# This program is free software: you can redistribute it and/or modify
@@ -42,7 +42,7 @@ class fs_file_cache:
self.storage_uri = file_cache_dir()
else:
self.storage_uri = file_cache_dir()
logdata = dict({'cache_file': self.storage_uri})
logdata = {'cache_file': self.storage_uri}
log('D20', logdata)
self.samba_context = smbc.Context(use_kerberos=1)
#, debug=10)
@@ -62,7 +62,7 @@ class fs_file_cache:
return None
except Exception as exc:
logdata = dict({'exception': str(exc)})
logdata = {'exception': str(exc)}
log('D144', logdata)
raise exc
@@ -87,7 +87,7 @@ class fs_file_cache:
os.rename(tmpfile, destfile)
os.chmod(destfile, 0o644)
except Exception as exc:
logdata = dict({'exception': str(exc)})
logdata = {'exception': str(exc)}
log('W25', logdata)
tmppath = Path(tmpfile)
if tmppath.exists():
@@ -103,13 +103,13 @@ class fs_file_cache:
uri_path.get_domain(),
uri_path.get_path()))
except NotUNCPathError as exc:
logdata = dict({'path': str(exc)})
logdata = {'path': str(exc)}
log('D62', logdata)
except Exception as exc:
logdata = dict({'exception': str(exc)})
logdata = {'exception': str(exc)}
log('E36', logdata)
raise exc
if destfile.exists():
if Path(destfile).exists():
return str(destfile)
else:
return None
@@ -125,6 +125,6 @@ class fs_file_cache:
except Exception as exc:
if Path(uri).exists():
return None
logdata = dict({'exception': str(exc)})
logdata = {'exception': str(exc)}
log('W12', logdata)
return None

6
gpoa/templates/autofs_mountpoints.j2
View File

@@ -19,9 +19,9 @@
{%- for drv in drives %}
{% if (drv.thisDrive != 'HIDE') %}
{% if drv.label %}
"{{ drv.label }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm,cifsacl :{{ drv.path }}
"{{ drv.label }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm{% if drv.username %}{% else %},multiuser{% endif %}{% if drv.cifsacl %},cifsacl{% endif %} :{{ drv.path }}
{% else %}
"{{ drv.dir }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm,cifsacl :{{ drv.path }}
"{{ drv.dir }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm{% if drv.username %}{% else %},multiuser{% endif %}{% if drv.cifsacl %},cifsacl{% endif %} :{{ drv.path }}
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}

4
gpoa/templates/autofs_mountpoints_hide.j2
View File

@@ -19,9 +19,9 @@
{%- for drv in drives %}
{% if (drv.thisDrive == 'HIDE') %}
{% if drv.label %}
"{{ drv.label }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm,cifsacl :{{ drv.path }}
"{{ drv.label }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm{% if drv.username %}{% else %},multiuser{% endif %}{% if drv.cifsacl %},cifsacl{% endif %} :{{ drv.path }}
{% else %}
"{{ drv.dir }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm,cifsacl :{{ drv.path }}
"{{ drv.dir }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm{% if drv.username %}{% else %},multiuser{% endif %}{% if drv.cifsacl %},cifsacl{% endif %} :{{ drv.path }}
{% endif %}
{% endif %}
{% endfor %}

2
gpoa/util/arguments.py
View File

@@ -68,7 +68,7 @@ def process_target(target_name=None):
if target_name:
target = target_name
logdata = dict({'target': target})
logdata = {'target': target}
log('D10', logdata)
return target.upper()

15
gpoa/util/dbus.py
View File

@@ -71,7 +71,7 @@ class dbus_runner:
def run(self):
if self.username:
logdata = dict({'username': self.username})
logdata = {'username': self.username}
log('D6', logdata)
gpupdate = 'gpupdate' if not Dconf_registry._force else 'gpupdate_force'
if is_root():
@@ -88,8 +88,7 @@ class dbus_runner:
timeout=self._synchronous_timeout)
print_dbus_result(result)
except dbus.exceptions.DBusException as exc:
logdata = dict()
logdata['username'] = self.username
logdata = {'username': self.username}
log('E23', logdata)
raise exc
else:
@@ -103,7 +102,7 @@ class dbus_runner:
timeout=self._synchronous_timeout)
print_dbus_result(result)
except dbus.exceptions.DBusException as exc:
logdata = dict({'error': str(exc)})
logdata = {'error': str(exc)}
log('E21', logdata)
raise exc
else:
@@ -121,7 +120,7 @@ class dbus_runner:
timeout=self._synchronous_timeout)
print_dbus_result(result)
except dbus.exceptions.DBusException as exc:
logdata = dict({'error': str(exc)})
logdata = {'error': str(exc)}
log('E22', logdata)
raise exc
@@ -194,7 +193,7 @@ def print_dbus_result(result):
'''
exitcode = result[0]
message = result[1:]
logdata = dict({'retcode': exitcode})
logdata = {'retcode': exitcode}
log('D12', logdata)
for line in message:
@@ -208,7 +207,7 @@ class dbus_session:
self.session_dbus = self.session_bus.get_object('org.freedesktop.DBus', '/org/freedesktop/DBus')
self.session_iface = dbus.Interface(self.session_dbus, 'org.freedesktop.DBus')
except dbus.exceptions.DBusException as exc:
logdata = dict({'error': str(exc)})
logdata = {'error': str(exc)}
log('E31', logdata)
raise exc
@@ -219,7 +218,7 @@ class dbus_session:
log('D57', {"pid": pid})
except dbus.exceptions.DBusException as exc:
if exc.get_dbus_name() != 'org.freedesktop.DBus.Error.NameHasNoOwner':
logdata = dict({'error': str(exc)})
logdata = {'error': str(exc)}
log('E32', logdata)
raise exc
log('D58', {'connection': connection})

4
gpoa/util/exceptions.py
View File

@@ -27,13 +27,13 @@ def geterr():
'''
etype, evalue, etrace = sys.exc_info()
traceinfo = dict({
traceinfo = {
'file': etrace.tb_frame.f_code.co_filename
, 'line': etrace.tb_lineno
, 'name': etrace.tb_frame.f_code.co_name
, 'type': etype.__name__
, 'message': evalue
})
}
del(etype, evalue, etrace)

68
gpoa/util/ipa.py Normal file
View File

@@ -0,0 +1,68 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import configparser
import os
from ipalib import api
class ipaopts:
def __init__(self):
"""Initialize the class and load the FreeIPA config file."""
self.config_file = "/etc/ipa/default.conf"
self.config = configparser.ConfigParser()
if not os.path.exists(self.config_file):
raise FileNotFoundError(f"Config file for Freeipa{self.config_file} not found.")
self.config.read(self.config_file)
def get_realm(self):
"""Return the Kerberos realm from the config."""
try:
return self.config.get('global', 'realm')
except (configparser.NoSectionError, configparser.NoOptionError):
raise ValueError("Realm not found in config file.")
def get_domain(self):
"""Return the domain from the config."""
try:
return self.config.get('global', 'domain')
except (configparser.NoSectionError, configparser.NoOptionError):
raise ValueError("Domain not found in config file.")
def get_server(self):
"""
Return the FreeIPA PDC Emulator server from API.
"""
try:
result = api.Command.gpmaster_show_pdc()
pdc_server = result['result']['pdc_emulator']
return pdc_server
except Exception as e:
pass
def get_machine_name(self):
"""Return the host from the config."""
try:
return self.config.get('global', 'host')
except (configparser.NoSectionError, configparser.NoOptionError):
raise ValueError("Host not found in config file.")
def get_cache_dir(self):
"""Return the cache directory path."""
return "/var/cache/freeipa/gpo_cache"

102
gpoa/util/ipacreds.py Normal file
View File

@@ -0,0 +1,102 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>
import smbc
import os
import re
from ipalib import api
from pathlib import Path
from storage.dconf_registry import Dconf_registry, extract_display_name_version
from util.util import get_uid_by_username
from .ipa import ipaopts
from util.logging import log
class ipacreds(ipaopts):
def __init__(self):
super().__init__()
self.smb_context = smbc.Context(use_kerberos=True)
self.gpo_list = []
def update_gpos(self, username):
gpos = []
try:
if not api.isdone('bootstrap'):
api.bootstrap(context='cli')
if not api.isdone('finalize'):
api.finalize()
api.Backend.rpcclient.connect()
try:
server = self.get_server()
is_machine = (username == self.get_machine_name())
if is_machine:
result = api.Command.chain_resolve_for_host(username)
else:
result = api.Command.chain_resolve_for_user(username)
policies_list = result["result"]
try:
if is_machine:
dconf_dict = Dconf_registry.get_dictionary_from_dconf_file_db(save_dconf_db=True)
else:
uid = get_uid_by_username(username)
dconf_dict = Dconf_registry.get_dictionary_from_dconf_file_db(uid, save_dconf_db=True)
dict_gpo_name_version = extract_display_name_version(dconf_dict, username)
except Exception as exc:
logdata = {'exc': str(exc)}
log('D235', logdata)
dict_gpo_name_version = {}
for policy in policies_list:
class SimpleGPO:
def __init__(self, policy_data):
self.display_name = policy_data.get('name', 'Unknown')
self.file_sys_path = policy_data.get('file_system_path', '')
self.version = int(policy_data.get('version', 0))
self.flags = int(policy_data.get('flags', 0))
self.link = policy_data.get('link', 'Unknown')
guid_match = re.search(r'\{[^}]+\}', self.file_sys_path)
self.name = guid_match.group(0) if guid_match else f"policy_{id(self)}"
gpo = SimpleGPO(policy)
if (gpo.display_name in dict_gpo_name_version.keys() and
dict_gpo_name_version.get(gpo.display_name, {}).get('version') == str(gpo.version)):
cached_path = dict_gpo_name_version.get(gpo.display_name, {}).get('correct_path')
if cached_path and Path(cached_path).exists():
gpo.file_sys_path = cached_path
ldata = {'gpo_name': gpo.display_name, 'gpo_uuid': gpo.name, 'file_sys_path_cache': True}
else:
ldata = {'gpo_name': gpo.display_name, 'gpo_uuid': gpo.name, 'file_sys_path': gpo.file_sys_path}
else:
ldata = {'gpo_name': gpo.display_name, 'gpo_uuid': gpo.name, 'file_sys_path': gpo.file_sys_path}
gpos.append(gpo)
finally:
api.Backend.rpcclient.disconnect()
except Exception as exc:
logdata = {'exc': str(exc)}
log('E78', logdata)
return gpos, server
def get_domain(self):
return super().get_domain()
def get_server(self):
return super().get_server()
def get_cache_dir(self):
return super().get_cache_dir()

33
gpoa/util/kerberos.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -22,20 +22,31 @@ import subprocess
from .util import get_machine_name
from .logging import log
from .samba import smbopts
from .ipa import ipaopts
def machine_kinit(cache_name=None):
def machine_kinit(cache_name=None, backend_type=None):
'''
Perform kinit with machine credentials
'''
opts = smbopts()
host = get_machine_name()
realm = opts.get_realm()
with_realm = '{}@{}'.format(host, realm)
os.environ['KRB5CCNAME'] = 'FILE:{}'.format(cache_name)
kinit_cmd = ['kinit', '-k', with_realm]
if backend_type == 'freeipa':
keytab_path = '/etc/samba/samba.keytab'
opts = ipaopts()
host = "cifs/" + opts.get_machine_name()
realm = opts.get_realm()
with_realm = '{}@{}'.format(host, realm)
kinit_cmd = ['kinit', '-kt', keytab_path, with_realm]
else:
opts = smbopts()
host = get_machine_name()
realm = opts.get_realm()
with_realm = '{}@{}'.format(host, realm)
kinit_cmd = ['kinit', '-k', with_realm]
if cache_name:
os.environ['KRB5CCNAME'] = 'FILE:{}'.format(cache_name)
kinit_cmd.extend(['-c', cache_name])
proc = subprocess.Popen(kinit_cmd)
proc.wait()
@@ -80,12 +91,10 @@ def check_krb_ticket():
subprocess.check_call(['klist', '-s'])
output = subprocess.check_output('klist', stderr=subprocess.STDOUT).decode()
result = True
logdata = dict()
logdata['output'] = output
logdata = {'output': output}
log('D17', logdata)
except Exception as exc:
logdata = dict()
logdata['krb-exc'] = exc
logdata = {'krb-exc': exc}
log('E14', logdata)
return result

6
gpoa/util/logging.py
View File

@@ -40,15 +40,15 @@ class slogm(object):
'''
Structured log message class
'''
def __init__(self, message, kwargs=dict()):
def __init__(self, message, kwargs={}):
self.message = message
self.kwargs = kwargs
if not self.kwargs:
self.kwargs = dict()
self.kwargs = {}
def __str__(self):
now = str(datetime.datetime.now().isoformat(sep=' ', timespec='milliseconds'))
args = dict()
args = {}
args.update(self.kwargs)
result = '{}|{}|{}'.format(now, self.message, args)

18
gpoa/util/preg.py
View File

@@ -39,7 +39,7 @@ def load_xml_preg(xml_path):
'''
Parse XML/PReg file and return its preg object
'''
logdata = dict({'polfile': xml_path})
logdata = {'polfile': xml_path}
log('D36', logdata)
gpparser = GPPolParser()
xml_root = ElementTree.parse(xml_path).getroot()
@@ -53,14 +53,14 @@ def load_pol_preg(polfile):
'''
Parse PReg file and return its preg object
'''
logdata = dict({'polfile': polfile})
logdata = {'polfile': polfile}
log('D31', logdata)
gpparser = GPPolParser()
data = None
with open(polfile, 'rb') as f:
data = f.read()
logdata = dict({'polfile': polfile, 'length': len(data)})
logdata = {'polfile': polfile, 'length': len(data)}
log('D33', logdata)
gpparser.parse(data)
@@ -71,7 +71,7 @@ def load_pol_preg(polfile):
def preg_keymap(preg):
pregfile = load_preg(preg)
keymap = dict()
keymap = {}
for entry in pregfile.entries:
hive_key = '{}\\{}'.format(entry.keyname, entry.valuename)
@@ -86,7 +86,7 @@ def merge_polfile(preg, sid=None, reg_name='registry', reg_path=None, policy_nam
load_preg_dconf(pregfile, preg, policy_name, None, gpo_info)
else:
load_preg_dconf(pregfile, preg, policy_name, username, gpo_info)
logdata = dict({'pregfile': preg})
logdata = {'pregfile': preg}
log('D32', logdata)
@@ -97,16 +97,12 @@ class entry:
self.valuename = e_valuename
self.type = e_type
self.data = e_data
logdata = dict()
logdata['keyname'] = self.keyname
logdata['valuename'] = self.valuename
logdata['type'] = self.type
logdata['data'] = self.data
logdata = {'keyname': self.keyname, 'valuename': self.valuename, 'type': self.type, 'data': self.data}
log('D22', logdata)
class pentries:
def __init__(self):
self.entries = list()
self.entries = []
def preg2entries(preg_obj):

14
gpoa/util/roles.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -28,7 +28,7 @@ def get_roles(role_dir):
'''
Return list of directories in /etc/role named after role plus '.d'
'''
directories = list()
directories = []
try:
for item in role_dir.iterdir():
if item.is_dir():
@@ -45,7 +45,7 @@ def read_groups(role_file_path):
'''
Read list of whitespace-separated groups from file
'''
groups = list()
groups = []
with open(role_file_path, 'r') as role_file:
lines = role_file.readlines()
@@ -54,7 +54,7 @@ def read_groups(role_file_path):
print(linegroups)
groups.extend(linegroups)
return set(groups)
return {*groups}
def get_rolegroups(roledir):
@@ -63,16 +63,16 @@ def get_rolegroups(roledir):
'''
roledir_path = pathlib.Path(roledir)
group_files = list()
group_files = []
for item in roledir_path.iterdir():
if item.is_file():
group_files.append(item)
groups = list()
groups = []
for item in group_files:
groups.extend(read_groups(item))
return set(groups)
return {*groups}
def create_role(role_name, privilege_list):
'''

6
gpoa/util/rpm.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -116,7 +116,7 @@ def install_rpms(rpm_names):
'''
Install set of RPMs sequentially
'''
result = list()
result = []
for package in rpm_names:
result.append(install_rpm(package))
@@ -127,7 +127,7 @@ def remove_rpms(rpm_names):
'''
Remove set of RPMs requentially
'''
result = list()
result = []
for package in rpm_names:
result.append(remove_rpm(package))

24
gpoa/util/sid.py
View File

@@ -22,6 +22,7 @@ from enum import Enum
import pwd
import subprocess
import pysss_nss_idmap
from storage.dconf_registry import Dconf_registry
from .logging import log
@@ -38,10 +39,19 @@ def wbinfo_getsid(domain, user):
# This part works only on DC
wbinfo_cmd = ['wbinfo', '-n', username]
output = subprocess.check_output(wbinfo_cmd)
sid = output.split()[0].decode('utf-8')
return sid
try:
output = subprocess.check_output(wbinfo_cmd, stderr=subprocess.STDOUT)
Dconf_registry.set_info('trust', False)
return output.split()[0].decode('utf-8')
except:
log('W43')
try:
wbinfo_cmd[-1] = user
output = subprocess.check_output(wbinfo_cmd)
Dconf_registry.set_info('trust', True)
except Exception as exc:
raise exc
return output.split()[0].decode('utf-8')
def get_local_sid_prefix():
@@ -65,10 +75,10 @@ def get_sid(domain, username, is_machine = False):
try:
sid = wbinfo_getsid(domain, username)
except:
logdata = dict({'sid': sid})
logdata = {'sid': sid}
log('E16', logdata)
logdata = dict({'sid': sid})
logdata = {'sid': sid}
log('D21', logdata)
return sid
@@ -203,7 +213,7 @@ def is_sid(sid):
pass
def sid2descr(sid):
sids = dict()
sids = {}
sids['S-1-0'] = 'Null Authority'
sids['S-1-0-0'] = 'Nobody'
sids['S-1-1'] = 'World Authority'

6
gpoa/util/system.py
View File

@@ -55,7 +55,7 @@ def set_privileges(username, uid, gid, groups, home):
os.chdir(home)
logdata = dict()
logdata = {}
logdata['uid'] = uid
logdata['gid'] = gid
logdata['username'] = username
@@ -123,12 +123,12 @@ def with_privileges(username, func):
pass
except Exception as exc:
logdata = dict()
logdata = {}
logdata['msg'] = str(exc)
log('E33', logdata)
result = 1;
finally:
logdata = dict()
logdata = {}
logdata['dbus_pid'] = dbus_pid
logdata['dconf_pid'] = dconf_pid
log('D56', logdata)

24
gpoa/util/util.py
View File

@@ -106,7 +106,7 @@ def get_backends():
'''
Get the list of backends supported by GPOA
'''
return ['local', 'samba']
return ['local', 'samba', 'freeipa']
def get_default_policy_name():
'''
@@ -138,7 +138,7 @@ def get_policy_entries(directory):
'''
Get list of directories representing "Local Policy" templates.
'''
filtered_entries = list()
filtered_entries = []
if os.path.isdir(directory):
entries = [os.path.join(directory, entry) for entry in os.listdir(directory)]
@@ -162,7 +162,7 @@ def get_policy_variants():
system_policies = get_policy_entries(policy_dir)
user_policies = get_policy_entries(etc_policy_dir)
general_listing = list()
general_listing = []
general_listing.extend(system_policies)
general_listing.extend(user_policies)
@@ -221,6 +221,13 @@ def remove_keys_with_prefix(dictionary: dict, prefix: tuple=('Previous/', 'Sourc
"""
return {key: value for key, value in dictionary.items() if not key.startswith(prefix)}
def remove_prefix_from_keys(dictionary: dict, prefix: str) -> dict:
"""
Removes the specified prefix from the keys of the dictionary.
If a key starts with the prefix, it is removed.
"""
return {key[len(prefix):] if key.startswith(prefix) else key: value for key, value in dictionary.items()}
def get_trans_table():
return str.maketrans({
@@ -236,3 +243,14 @@ def clean_data(data):
return cleaned_string
except:
return None
def check_local_user_exists(username):
"""
Checks if a local user with the given username exists on a Linux system.
"""
try:
# Try to get user information from the password database
pwd.getpwnam(username)
return True
except:
return False

41
gpoa/util/windows.py
View File

@@ -19,13 +19,13 @@
import os
from pathlib import Path
from samba import getopt as options
from samba.credentials import Credentials
from samba import NTSTATUSError
try:
from samba.gpclass import get_dc_hostname, check_refresh_gpo_list
except ImportError:
from samba.gp.gpclass import get_dc_hostname, check_refresh_gpo_list
from samba.gp.gpclass import get_dc_hostname, check_refresh_gpo_list, get_gpo_list
from samba.netcmd.common import netcmd_get_domain_infos_via_cldap
from storage.dconf_registry import Dconf_registry, extract_display_name_version
@@ -51,10 +51,13 @@ class smbcreds (smbopts):
def __init__(self, dc_fqdn=None):
smbopts.__init__(self, 'GPO Applier')
self.credopts = options.CredentialsOptions(self.parser)
self.creds = self.credopts.get_credentials(self.lp, fallback_machine=True)
self.creds = Credentials()
self.creds.guess(self.lp)
self.creds.set_machine_account()
self.set_dc(dc_fqdn)
self.sDomain = SiteDomainScanner(self.creds, self.lp, self.selected_dc)
self.sDomain = SiteDomainScanner(self.creds, self.lp, self.selected_dc)
self.dc_site_servers = self.sDomain.select_site_servers()
self.all_servers = self.sDomain.select_all_servers()
[self.all_servers.remove(element)
@@ -73,7 +76,7 @@ class smbcreds (smbopts):
try:
if dc_fqdn is not None:
logdata = dict()
logdata = {}
logdata['user_dc'] = dc_fqdn
log('D38', logdata)
@@ -81,7 +84,7 @@ class smbcreds (smbopts):
else:
self.selected_dc = get_dc_hostname(self.creds, self.lp)
except Exception as exc:
logdata = dict()
logdata = {}
logdata['msg'] = str(exc)
log('E10', logdata)
raise exc
@@ -96,7 +99,7 @@ class smbcreds (smbopts):
# Look and python/samba/netcmd/domain.py for more examples
res = netcmd_get_domain_infos_via_cldap(self.lp, None, self.selected_dc)
dns_domainname = res.dns_domain
logdata = dict({'domain': dns_domainname})
logdata = {'domain': dns_domainname}
log('D18', logdata)
except Exception as exc:
log('E15')
@@ -109,11 +112,18 @@ class smbcreds (smbopts):
Get GPO list for the specified username for the specified DC
hostname
'''
gpos = list()
gpos = []
if Dconf_registry.get_info('machine_name') == username:
dconf_dict = Dconf_registry.get_dictionary_from_dconf_file_db(save_dconf_db=True)
self.is_machine = True
else:
dconf_dict = Dconf_registry.get_dictionary_from_dconf_file_db(get_uid_by_username(username), save_dconf_db=True)
self.is_machine = False
if not self.is_machine and Dconf_registry.get_info('trust'):
# TODO: Always returning an empty list here.
# Need to implement fetching policies from the trusted domain.
return []
dict_gpo_name_version = extract_display_name_version(dconf_dict, username)
try:
log('D48')
@@ -121,7 +131,7 @@ class smbcreds (smbopts):
if ads.connect():
log('D47')
gpos = ads.get_gpo_list(username)
logdata = dict({'username': username})
logdata = {'username': username}
log('I1', logdata)
for gpo in gpos:
# These setters are taken from libgpo/pygpo.c
@@ -129,16 +139,16 @@ class smbcreds (smbopts):
if gpo.display_name in dict_gpo_name_version.keys() and dict_gpo_name_version.get(gpo.display_name, {}).get('version') == str(getattr(gpo, 'version', None)):
if Path(dict_gpo_name_version.get(gpo.display_name, {}).get('correct_path')).exists():
gpo.file_sys_path = ''
ldata = dict({'gpo_name': gpo.display_name, 'gpo_uuid': gpo.name, 'file_sys_path_cache': True})
ldata = {'gpo_name': gpo.display_name, 'gpo_uuid': gpo.name, 'file_sys_path_cache': True}
log('I11', ldata)
continue
ldata = dict({'gpo_name': gpo.display_name, 'gpo_uuid': gpo.name, 'file_sys_path': gpo.file_sys_path})
ldata = {'gpo_name': gpo.display_name, 'gpo_uuid': gpo.name, 'file_sys_path': gpo.file_sys_path}
log('I2', ldata)
except Exception as exc:
if self.selected_dc != self.pdc_emulator_server:
raise GetGPOListFail(exc)
logdata = dict({'username': username, 'dc': self.selected_dc, 'exc': exc})
logdata = {'username': username, 'dc': self.selected_dc, 'exc': exc}
log('E17', logdata)
return gpos
@@ -163,7 +173,7 @@ class smbcreds (smbopts):
gpos = self.get_gpos(username)
while list_selected_dc:
logdata = dict()
logdata = {}
logdata['username'] = username
logdata['dc'] = self.selected_dc
try:
@@ -209,6 +219,7 @@ class smbcreds (smbopts):
class SiteDomainScanner:
def __init__(self, smbcreds, lp, dc):
self.samdb = SamDB(url='ldap://{}'.format(dc), session_info=system_session(), credentials=smbcreds, lp=lp)
Dconf_registry.set_info('samdb', self.samdb)
self.pdc_emulator = self._search_pdc_emulator()
@staticmethod
@@ -307,7 +318,7 @@ def expand_windows_var(text, username=None):
'''
Scan the line for percent-encoded variables and expand them.
'''
variables = dict()
variables = {}
variables['HOME'] = '/etc/skel'
variables['HOMEPATH'] = '/etc/skel'
variables['HOMEDRIVE'] = '/'

3
gpoa/util/xdg.py
View File

@@ -27,8 +27,7 @@ def xdg_get_desktop(username, homedir = None):
homedir = get_homedir(username)
if not homedir:
msgtext = message_with_code('E18')
logdata = dict()
logdata['username'] = username
logdata = {}
log('E18', logdata)
raise Exception(msgtext)

55
gpupdate.spec
View File

@@ -34,9 +34,11 @@
%add_python3_req_skip util.windows
%add_python3_req_skip util.xml
%add_python3_req_skip util.gpoa_ini_parsing
%add_python3_req_skip util.ipacreds
%add_python3_req_skip frontend.appliers.ini_file
Name: gpupdate
Version: 0.12.0
Version: 0.13.4
Release: alt1
Summary: GPT applier
@@ -52,13 +54,18 @@ BuildRequires: gettext-tools
Requires: python3-module-rpm
Requires: python3-module-dbus
Requires: python3-module-configobj
Requires: python3-module-gssapi
Requires: python3-module-krb5
Requires: oddjob-%name >= 0.2.3
Requires: libnss-role >= 0.5.0
Requires: local-policy >= 0.4.9
Requires: pam-config >= 1.9.0
Requires: autofs
Requires: dconf-profile
Requires: packagekit
Requires: dconf
Requires: libgvdb-gir
Requires: freeipa-client-samba
# This is needed by shortcuts_applier
Requires: desktop-file-utils
# This is needed for smb file cache support
@@ -195,6 +202,52 @@ fi
%exclude %python3_sitelibdir/gpoa/test
%changelog
* Mon Aug 25 2025 Valery Sinelnikov <greh@altlinux.org> 0.13.4-alt1
- Added:
Production-ready modules: CUPS, file management, INI config (default),
package management, script modules
Fallback SID lookup for trusted domain users
Missing log translations (laps: timezone, login)
Added ownership handling for files within user home directory
- Changed:
Refactored to use literals ({}, []) instead of constructors
Final optimization passes and minor cleanups
Updated copyright year
Adjusted login time search and messages
- Fixed:
Skipped policy retrieval for trusted users to avoid GPO errors
Corrected login time tracking in laps
Fixed typos
Prevented subprocess errors from printing to console
Adjusted call order (save_dconf - start_frontend)
- Removed:
Legacy sid variable propagation and related helpers
* Sat Jul 26 2025 Evgeny Sinelnikov <sin@altlinux.org> 0.13.3-alt1
- Fixed machine account credentials initialization (closes: 55324)
* Thu Apr 03 2025 Valery Sinelnikov <greh@altlinux.org> 0.13.2-alt1
- Fixed: Check directory existence before cleanup to avoid errors(closes:53703)
* Fri Mar 14 2025 Valery Sinelnikov <greh@altlinux.org> 0.13.1-alt1
- Refined registry key handling: LAPS enablement and user presence check
* Thu Mar 06 2025 Valery Sinelnikov <greh@altlinux.org> 0.13.0-alt1
- Implemented Local Administrator Password Solution (LAPS) functionality,
including support for Group Policy Object (GPO) keys to
configure LAPS settings
- Added support for disabling cifsacl in autofs mounts (closes:52333)
- Implemented the ability to merge computer and user GPO shortcuts
- Added access restrictions to network directories of other users
- Added cleaning functionality for the autofs configuration catalog
- Added ability to configure KDE 6 files
* Tue Jan 14 2025 Valery Sinelnikov <greh@altlinux.org> 0.12.2-alt1
- Fixed interpretation of boolean values (closes:52683)
* Fri Jan 10 2025 Valery Sinelnikov <greh@altlinux.org> 0.12.1-alt1
- Fixed checking the path for existence (closes:52597)
* Tue Dec 10 2024 Valery Sinelnikov <greh@altlinux.org> 0.12.0-alt1
- Special thanks to Andrey Belgorodtsev (andrey@net55.su)
for valuable pre-release testing and feedback