public/gpupdate
1
0
Fork 1
mirror of https://github.com/altlinux/gpupdate.git synced 2025-11-09 00:23:51 +03:00
Code Releases Wiki Activity

Compare commits

base: public:plugin-system-development
Branches Tags
public:master public:plugin-system-development public:freeipa_backend public:cleanup_machine_account public:machine_account_creds public:fix_kde_version public:fix_kde_screen public:fix_cache public:fix_kde public:fix_oddjob public:fix_plasmaupdate public:fix_kde_applier public:fix_firefox public:fix_check_enable public:fix_dconf_update public:dconf_registry public:astra public:translation_for_several_logs public:ntp_applier_addition public:local_admin_policy_v3 public:local_admin_policy_v2 public:oddjob-gpupdate public:gsettings_fixed_error_unable_to_cache_specified_URI public:bugsFix public:logRu public:package_pkcon public:kdestroy_trouble public:fix_gsettings public:samba_registry_storage public:man_gpupdate_setup public:postinst_remove_cache public:quota_applier public:binary_modules
public:0.13.4-alt1 public:0.13.3-alt1 public:0.13.2-alt1 public:0.13.1-alt1 public:0.13.0-alt1 public:0.12.2-alt1 public:0.12.1-alt1 public:0.12.0-alt1 public:0.11.4-alt1 public:0.11.3-alt1 public:0.11.2-alt1 public:0.11.1-alt1 public:0.11.0-alt1 public:0.10.6-alt1 public:0.10.5-alt1 public:0.10.4-alt1 public:0.10.3-alt1 public:0.10.2-alt1 public:0.10.1-alt1 public:0.10.0-alt1 public:0.9.13.5-alt1 public:0.9.13.4-alt1 public:0.9.12.4-alt1 public:0.9.12.1-alt1 public:0.9.12-alt2 public:0.9.11.2-alt1 public:0.9.11.1-alt1 public:0.9.11-alt1 public:0.9.10-alt1 public:0.9.9.1-alt1 public:0.9.9-alt1 public:0.9.8-alt1 public:0.9.7-alt1 public:0.9.6-alt1 public:0.9.5-alt1 public:0.9.4-alt1 public:0.9.3-alt1 public:0.9.2-alt1 public:0.9.1-alt1 public:0.9.0-alt1 public:0.8.2-alt1 public:0.8.1-alt3 public:0.8.1-alt2 public:0.8.1-alt1 public:0.8.0-alt1 public:0.7.0-alt1 public:0.6.0-alt2 public:0.6.0-alt1 public:0.5.0-alt1 public:0.4.5-alt1 public:0.4.4-alt1 public:0.4.3-alt1 public:0.4.1-alt1 public:0.4.0-alt1 public:0.3.0-alt1
..
compare: public:fix_dconf_update
Branches Tags
public:plugin-system-development public:freeipa_backend public:master public:cleanup_machine_account public:machine_account_creds public:fix_kde_version public:fix_kde_screen public:fix_cache public:fix_kde public:fix_oddjob public:fix_plasmaupdate public:fix_kde_applier public:fix_firefox public:fix_check_enable public:fix_dconf_update public:dconf_registry public:astra public:translation_for_several_logs public:ntp_applier_addition public:local_admin_policy_v3 public:local_admin_policy_v2 public:oddjob-gpupdate public:gsettings_fixed_error_unable_to_cache_specified_URI public:bugsFix public:logRu public:package_pkcon public:kdestroy_trouble public:fix_gsettings public:samba_registry_storage public:man_gpupdate_setup public:postinst_remove_cache public:quota_applier public:binary_modules
public:0.13.4-alt1 public:0.13.3-alt1 public:0.13.2-alt1 public:0.13.1-alt1 public:0.13.0-alt1 public:0.12.2-alt1 public:0.12.1-alt1 public:0.12.0-alt1 public:0.11.4-alt1 public:0.11.3-alt1 public:0.11.2-alt1 public:0.11.1-alt1 public:0.11.0-alt1 public:0.10.6-alt1 public:0.10.5-alt1 public:0.10.4-alt1 public:0.10.3-alt1 public:0.10.2-alt1 public:0.10.1-alt1 public:0.10.0-alt1 public:0.9.13.5-alt1 public:0.9.13.4-alt1 public:0.9.12.4-alt1 public:0.9.12.1-alt1 public:0.9.12-alt2 public:0.9.11.2-alt1 public:0.9.11.1-alt1 public:0.9.11-alt1 public:0.9.10-alt1 public:0.9.9.1-alt1 public:0.9.9-alt1 public:0.9.8-alt1 public:0.9.7-alt1 public:0.9.6-alt1 public:0.9.5-alt1 public:0.9.4-alt1 public:0.9.3-alt1 public:0.9.2-alt1 public:0.9.1-alt1 public:0.9.0-alt1 public:0.8.2-alt1 public:0.8.1-alt3 public:0.8.1-alt2 public:0.8.1-alt1 public:0.8.0-alt1 public:0.7.0-alt1 public:0.6.0-alt2 public:0.6.0-alt1 public:0.5.0-alt1 public:0.4.5-alt1 public:0.4.4-alt1 public:0.4.3-alt1 public:0.4.1-alt1 public:0.4.0-alt1 public:0.3.0-alt1

2 Commits
plugin-sys ... fix_dconf_

Author SHA1 Message Date
Danila Skachedubov
c320613fda Changed macro processing method 2024-06-18 19:12:34 +04:00
Danila Skachedubov
a860419a67 Added dictionary with macros 2024-06-18 19:09:59 +04:00
118 changed files with 2677 additions and 6498 deletions
Expand all files Collapse all files

332
PLUGIN_DEVELOPMENT_GUIDE.md
View File

@@ -1,332 +0,0 @@
# GPOA Plugin Development Guide
## Introduction
GPOA (GPO Applier for Linux) supports a plugin system for extending group policy application functionality.
Plugins allow adding support for new policy types and system settings without modifying the core code.
## Plugin Architecture
### Base Classes
- **`plugin`** - Abstract base class with final methods `apply()` and `apply_user()`
- **`FrontendPlugin`** - Simplified class for plugins with logging support
### Plugin Manager
- **`plugin_manager`** - Loads and executes plugins from directories:
- `/usr/lib/gpupdate/plugins/` - system plugins
- `gpoa/frontend_plugins/` - development plugins
## Creating a Simple Plugin
### Example: Basic Plugin with Logging
```python
#!/usr/bin/env python3
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
from gpoa.plugin.plugin_base import FrontendPlugin
class ExampleApplier(FrontendPlugin):
"""
Example simple plugin with logging and registry access.
"""
# Domain for translations
domain = 'example_applier'
def __init__(self, dict_dconf_db, username=None, fs_file_cache=None):
"""
Initialize the plugin.
Args:
dict_dconf_db (dict): Dictionary with registry data
username (str): Username
fs_file_cache: File system cache
"""
super().__init__(dict_dconf_db, username, fs_file_cache)
# Initialize logging system
self._init_plugin_log(
message_dict={
'i': { # Informational messages
1: "Example Applier initialized",
2: "Configuration applied successfully"
},
'w': { # Warnings
10: "No configuration found in registry"
},
'e': { # Errors
20: "Failed to apply configuration"
}
},
domain="example_applier"
)
def run(self):
"""
Main plugin execution method.
Returns:
bool: True if successful, False on error
"""
try:
self.log("I1") # Plugin initialized
# Get data from registry
self.config = self.get_dict_registry('Software/BaseALT/Policies/Example')
if not self.config:
self.log("W10") # No configuration found in registry
return True
# Log registry data
self.log("I2") # Configuration applied successfully
return True
except Exception as e:
self.log("E20", {"error": str(e)})
return False
def create_machine_applier(dict_dconf_db, username=None, fs_file_cache=None):
"""
Factory function for creating plugin instance for machine context.
Args:
dict_dconf_db (dict): Dictionary with registry data
username (str): Username
fs_file_cache: File system cache
Returns:
ExampleApplier: Plugin instance
"""
return ExampleApplier(dict_dconf_db, username, fs_file_cache)
def create_user_applier(dict_dconf_db, username=None, fs_file_cache=None):
"""
Factory function for creating plugin instance for user context.
Args:
dict_dconf_db (dict): Dictionary with registry data
username (str): Username
fs_file_cache: File system cache
Returns:
ExampleApplier: Plugin instance
"""
return ExampleApplier(dict_dconf_db, username, fs_file_cache)
```
## Key Plugin Elements
### 1. Log Registration
Plugins use a logging system with message codes:
```python
self._init_plugin_log(
message_dict={
'i': { # Informational messages
1: "Example Applier initialized",
2: "Configuration applied successfully"
},
'w': { # Warnings
10: "No configuration found in registry"
},
'e': { # Errors
20: "Failed to apply configuration"
}
},
domain="example_applier"
)
```
### 2. Registry Access
Access registry data through `get_dict_registry()` method:
```python
self.config = self.get_dict_registry('Software/BaseALT/Policies/Example')
```
### 3. Logging in run Method
Using registered message codes:
```python
self.log("I1") # Simple message
self.log("E20", {"error": str(e)}) # Message with data
```
### 4. Factory Functions
Plugins must provide factory functions:
- `create_machine_applier()` - for machine context
- `create_user_applier()` - for user context
## Translation System
### Localization Support
GPOA supports automatic localization of plugin messages. The system uses standard GNU gettext.
### Translation File Structure
```
gpoa/locale/
├── ru/
│ └── LC_MESSAGES/
│ ├── gpoa.mo
│ └── gpoa.po
└── en/
└── LC_MESSAGES/
├── gpoa.mo
└── gpoa.po
```
### Setting Up Translations in Plugin
1. **Define translation domain**:
```python
class MyPlugin(FrontendPlugin):
domain = 'my_plugin' # Domain for translation files
```
2. **Initialize logger with translation support**:
```python
self._init_plugin_log(
message_dict={
'i': {
1: "Plugin initialized",
2: "Configuration applied successfully"
},
'e': {
10: "Configuration error"
}
},
domain="my_plugin" # Domain for translation file lookup
)
```
3. **Usage in code**:
```python
# Messages are automatically translated when logged
self.log("I1") # Will be displayed in system language
```
### Creating Translation Files
1. **Extract strings for translation**:
```bash
# Extract strings from plugin code
xgettext -d my_plugin -o my_plugin.po my_plugin.py
```
2. **Create translation file**:
```po
# my_plugin.po
msgid "Plugin initialized"
msgstr ""
msgid "Configuration applied successfully"
msgstr ""
```
3. **Compile translations**:
```bash
# Compile .po to .mo
msgfmt my_plugin.po -o my_plugin.mo
# Place in correct directory
mkdir -p /usr/share/locale/ru/LC_MESSAGES/
cp my_plugin.mo /usr/share/locale/ru/LC_MESSAGES/
```
### Best Practices for Translations
1. **Use complete sentences** - don't split strings into parts
2. **Avoid string concatenation** - this complicates translation
3. **Provide context** - add comments for translators
4. **Test translations** - verify display in different languages
5. **Update translations** - update .po files when messages change
### Example Plugin Structure with Translations
```
my_plugin/
├── my_plugin.py # Main plugin code
├── locale/
│ ├── ru/
│ │ └── LC_MESSAGES/
│ │ ├── my_plugin.mo
│ │ └── my_plugin.po
│ └── en/
│ └── LC_MESSAGES/
│ ├── my_plugin.mo
│ └── my_plugin.po
└── README.md
```
## Plugin API
### Core Methods
- **`__init__(dict_dconf_db, username=None, fs_file_cache=None)`** - initialization
- **`run()`** - main execution method (abstract)
- **`apply()`** - execute with current privileges (final)
- **`apply_user(username)`** - execute with user privileges (final)
- **`get_dict_registry(prefix='')`** - get registry data
- **`_init_plugin_log(message_dict=None, locale_dir=None, domain=None)`** - initialize logger
- **`log(message_code, data=None)`** - logging with message codes
### Logging System
Message codes:
- **I** - Informational messages
- **W** - Warnings
- **E** - Errors
- **D** - Debug messages
- **F** - Fatal errors
### Data Access
- **`dict_dconf_db`** - dictionary with registry data
- **`username`** - username (for user context)
- **`fs_file_cache`** - file system cache for file operations
## Execution Contexts
### Machine Context
- Executed with root privileges
- Applies system-wide settings
- Uses factory function `create_machine_applier()`
### User Context
- Executed with specified user privileges
- Applies user-specific settings
- Uses factory function `create_user_applier()`
## Best Practices
1. **Security**: Always validate input data
2. **Idempotence**: Repeated execution should produce the same result
3. **Logging**: Use message codes for all operations
4. **Error Handling**: Plugin should not crash on errors
5. **Transactional**: Changes should be atomic
6. **Translations**: Support message localization

332
PLUGIN_DEVELOPMENT_GUIDE_RU.md
View File

@@ -1,332 +0,0 @@
# Руководство по разработке плагинов GPOA
## Введение
GPOA (GPO Applier for Linux) поддерживает систему плагинов для расширения функциональности применения групповых политик.
Плагины позволяют добавлять поддержку новых типов политик и системных настроек без изменения основного кода.
## Архитектура плагинов
### Базовые классы
- **`plugin`** - Абстрактный базовый класс с финальными методами `apply()` и `apply_user()`
- **`FrontendPlugin`** - Упрощенный класс для плагинов с поддержкой логирования
### Менеджер плагинов
- **`plugin_manager`** - Загружает и выполняет плагины из директорий:
- `/usr/lib/gpupdate/plugins/` - системные плагины
- `gpoa/frontend_plugins/` - плагины разработки
## Создание простого плагина
### Пример: Базовый плагин с логированием
```python
#!/usr/bin/env python3
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
from gpoa.plugin.plugin_base import FrontendPlugin
class ExampleApplier(FrontendPlugin):
"""
Пример простого плагина с логированием и работой с реестром.
"""
# Домен для переводов
domain = 'example_applier'
def __init__(self, dict_dconf_db, username=None, fs_file_cache=None):
"""
Инициализация плагина.
Args:
dict_dconf_db (dict): Словарь с данными из реестра
username (str): Имя пользователя
fs_file_cache: Кэш файловой системы
"""
super().__init__(dict_dconf_db, username, fs_file_cache)
# Инициализация системы логирования
self._init_plugin_log(
message_dict={
'i': { # Информационные сообщения
1: "Example Applier initialized",
2: "Configuration applied successfully"
},
'w': { # Предупреждения
10: "No configuration found in registry"
},
'e': { # Ошибки
20: "Failed to apply configuration"
}
},
domain="example_applier"
)
def run(self):
"""
Основной метод выполнения плагина.
Returns:
bool: True если успешно, False при ошибке
"""
try:
self.log("I1") # Плагин инициализирован
# Получение данных из реестра
self.config = self.get_dict_registry('Software/BaseALT/Policies/Example')
if not self.config:
self.log("W10") # Конфигурация не найдена в реестре
return True
# Логирование данных из реестра
self.log("I2") # Конфигурация успешно применена
return True
except Exception as e:
self.log("E20", {"error": str(e)})
return False
def create_machine_applier(dict_dconf_db, username=None, fs_file_cache=None):
"""
Фабричная функция для создания экземпляра плагина для машинного контекста.
Args:
dict_dconf_db (dict): Словарь с данными из реестра
username (str): Имя пользователя
fs_file_cache: Кэш файловой системы
Returns:
ExampleApplier: Экземпляр плагина
"""
return ExampleApplier(dict_dconf_db, username, fs_file_cache)
def create_user_applier(dict_dconf_db, username=None, fs_file_cache=None):
"""
Фабричная функция для создания экземпляра плагина для пользовательского контекста.
Args:
dict_dconf_db (dict): Словарь с данными из реестра
username (str): Имя пользователя
fs_file_cache: Кэш файловой системы
Returns:
ExampleApplier: Экземпляр плагина
"""
return ExampleApplier(dict_dconf_db, username, fs_file_cache)
```
## Ключевые элементы плагина
### 1. Регистрация логов
Плагины используют систему логирования с кодами сообщений:
```python
self._init_plugin_log(
message_dict={
'i': { # Информационные сообщения
1: "Example Applier initialized",
2: "Configuration applied successfully"
},
'w': { # Предупреждения
10: "No configuration found in registry"
},
'e': { # Ошибки
20: "Failed to apply configuration"
}
},
domain="example_applier"
)
```
### 2. Работа с реестром
Доступ к данным из реестра через метод `get_dict_registry()`:
```python
self.config = self.get_dict_registry('Software/BaseALT/Policies/Example')
```
### 3. Вывод логов в методе run
Использование зарегистрированных кодов сообщений:
```python
self.log("I1") # Простое сообщение
self.log("E20", {"error": str(e)}) # Сообщение с данными
```
### 4. Фабричные функции
Плагины должны предоставлять фабричные функции:
- `create_machine_applier()` - для машинного контекста
- `create_user_applier()` - для пользовательского контекста
## Система переводов
### Поддержка локализации
GPOA поддерживает автоматическую локализацию сообщений плагинов. Система использует стандарт GNU gettext.
### Структура файлов переводов
```
gpoa/locale/
├── ru/
│ └── LC_MESSAGES/
│ ├── gpoa.mo
│ └── gpoa.po
└── en/
└── LC_MESSAGES/
├── gpoa.mo
└── gpoa.po
```
### Настройка переводов в плагине
1. **Определение домена переводов**:
```python
class MyPlugin(FrontendPlugin):
domain = 'my_plugin' # Домен для файлов перевода
```
2. **Инициализация логгера с поддержкой переводов**:
```python
self._init_plugin_log(
message_dict={
'i': {
1: "Plugin initialized",
2: "Configuration applied successfully"
},
'e': {
10: "Configuration error"
}
},
domain="my_plugin" # Домен для поиска файлов перевода
)
```
3. **Использование в коде**:
```python
# Сообщения автоматически переводятся при логировании
self.log("I1") # Будет показано на языке системы
```
### Создание файлов перевода
1. **Извлечение строк для перевода**:
```bash
# Извлечь строки из кода плагина
xgettext -d my_plugin -o my_plugin.po my_plugin.py
```
2. **Создание файла перевода**:
```po
# my_plugin.po
msgid "Plugin initialized"
msgstr "Плагин инициализирован"
msgid "Configuration applied successfully"
msgstr "Конфигурация успешно применена"
```
3. **Компиляция переводов**:
```bash
# Скомпилировать .po в .mo
msgfmt my_plugin.po -o my_plugin.mo
# Разместить в правильной директории
mkdir -p /usr/share/locale/ru/LC_MESSAGES/
cp my_plugin.mo /usr/share/locale/ru/LC_MESSAGES/
```
### Лучшие практики для переводов
1. **Используйте полные предложения** - не разбивайте строки на части
2. **Избегайте конкатенации строк** - это затрудняет перевод
3. **Указывайте контекст** - добавляйте комментарии для переводчиков
4. **Тестируйте переводы** - проверяйте отображение на разных языках
5. **Обновляйте переводы** - при изменении сообщений обновляйте файлы .po
### Пример структуры плагина с переводами
```
my_plugin/
├── my_plugin.py # Основной код плагина
├── locale/
│ ├── ru/
│ │ └── LC_MESSAGES/
│ │ ├── my_plugin.mo
│ │ └── my_plugin.po
│ └── en/
│ └── LC_MESSAGES/
│ ├── my_plugin.mo
│ └── my_plugin.po
└── README.md
```
## API плагинов
### Основные методы
- **`__init__(dict_dconf_db, username=None, fs_file_cache=None)`** - инициализация
- **`run()`** - основной метод выполнения (абстрактный)
- **`apply()`** - выполнение с текущими привилегиями (финальный)
- **`apply_user(username)`** - выполнение с привилегиями пользователя (финальный)
- **`get_dict_registry(prefix='')`** - получение данных из реестра
- **`_init_plugin_log(message_dict=None, locale_dir=None, domain=None)`** - инициализация логгера
- **`log(message_code, data=None)`** - логирование с кодами сообщений
### Система логирования
Коды сообщений:
- **I** - Информационные сообщения
- **W** - Предупреждения
- **E** - Ошибки
- **D** - Отладочные сообщения
- **F** - Фатальные ошибки
### Доступ к данным
- **`dict_dconf_db`** - словарь данных из реестра
- **`username`** - имя пользователя (для пользовательского контекста)
- **`fs_file_cache`** - кэш файловой системы для работы с файлами
## Контексты выполнения
### Машинный контекст
- Выполняется с правами root
- Применяет системные настройки
- Использует фабричную функцию `create_machine_applier()`
### Пользовательский контекст
- Выполняется с правами указанного пользователя
- Применяет пользовательские настройки
- Использует фабричную функцию `create_user_applier()`
## Лучшие практики
1. **Безопасность**: Всегда валидируйте входные данные
2. **Идемпотентность**: Повторное выполнение должно давать тот же результат
3. **Логирование**: Используйте коды сообщений для всех операций
4. **Обработка ошибок**: Плагин не должен "падать" при ошибках
5. **Транзакционность**: Изменения должны быть атомарными
6. **Переводы**: Поддерживайте локализацию сообщений

139
README.md
View File

@@ -1,13 +1,9 @@
# GPOA - GPO Applier for Linux
# GPOA - GPO Applier
## Contents
* [Introduction](#introduction)
* [Features](#features)
* [Architecture](#architecture)
* [Installation](#installation)
* [Usage](#usage)
* [Plugin Development](#plugin-development)
* [Development](#development)
* [Contributing](#contributing)
* [License](#license)
@@ -15,137 +11,38 @@
## Introduction
GPOA (GPO Applier for Linux) is a comprehensive facility to fetch, reinterpret and apply Group Policy Objects (GPOs) from Windows Active Directory domains in Linux environments. Developed by ALT Linux team, it enables seamless integration of Linux machines into corporate Windows infrastructure.
GPOA is a facility to fetch, reinterpret and apply GPOs from Windows
Active Directory domains in UNIX environments.
## Development
## Features
This project needs some additional dependencies for development
purposes (static analisys):
### Core Functionality
- **Multi-backend Support**: Samba, FreeIPA, and no-domain backends
- **Policy Types**: Registry settings, files, folders, environment variables, scripts, services, and more
- **Display Manager Integration**: LightDM, GDM with background and theme support
- **Plugin System**: Extensible architecture for custom policy types
- **Privilege Separation**: Secure execution with proper privilege contexts
* python3-module-setuptools
* python3-module-pip
* python3-module-pylint
### Supported Policy Areas
- **System Configuration**: Environment variables, services
- **Desktop Settings**: GSettings, KDE configuration, browser policies
- **Security**: Polkit policies
- **Network**: Network shares
- **Applications**: Firefox, Chrome, Thunderbird, Yandex Browser
- **Files and Folders**: File deployment, folder redirection
And then you may install prospector like:
## Architecture
### Backend System
- **Samba Backend**: Traditional Active Directory integration
- **FreeIPA Backend**: Enhanced FreeIPA/IdM integration
- **No-domain Backend**: Local policy application
### Frontend System
- **Policy Appliers**: Specialized modules for different policy types
- **Plugin Framework**: Extensible plugin system with logging and translations
### Plugin System
- **Machine Context**: Root-privileged system-wide changes
- **User Context**: User-specific configuration application
- **Message Codes**: Structured logging with translation support
- **Registry Access**: Secure access to policy registry data
## Installation
### From Source
```bash
# Clone the repository
git clone https://github.com/altlinux/gpupdate.git
cd gpupdate
# Build RPM package
rpmbuild -ba gpupdate.spec
# Install the package
rpm -ivh ~/rpmbuild/RPMS/noarch/gpupdate-*.rpm
```
### Dependencies
- Python 3.6+
- Samba client tools
- FreeIPA client (optional)
- Systemd
- D-Bus
## Usage
### Apply Policies for Machine
```bash
# Run as root for system-wide policies
sudo gpoa
```
### Apply Policies for User
```bash
# Run as root for user-specific policies
sudo gpoa username
```
### Force Policy Refresh
```bash
# Can be run as regular user
gpupdate --force
```
### Plugin Management
Plugins are automatically discovered from:
- `/usr/lib/gpupdate/plugins/` (system plugins)
- `gpoa/frontend_plugins/` (development plugins)
## Plugin Development
GPOA features a comprehensive plugin system. See documentation for detailed information:
- [PLUGIN_DEVELOPMENT_GUIDE.md](PLUGIN_DEVELOPMENT_GUIDE.md) - English version
- [PLUGIN_DEVELOPMENT_GUIDE_RU.md](PLUGIN_DEVELOPMENT_GUIDE_RU.md) - Russian version
Documentation covers:
- Plugin architecture and API
- Creating custom plugins
- Logging and message codes
- Translation support
- Best practices
### Quick Plugin Example
```python
from gpoa.plugin.plugin_base import FrontendPlugin
class MyPlugin(FrontendPlugin):
domain = 'my_plugin'
def __init__(self, dict_dconf_db, username=None, fs_file_cache=None):
super().__init__(dict_dconf_db, username, fs_file_cache)
self._init_plugin_log(message_dict={
'i': {1: "Plugin initialized"},
'e': {1: "Plugin failed"}
}, domain="my_plugin")
def run(self):
self.log("I1")
return True
def create_machine_applier(dict_dconf_db, username=None, fs_file_cache=None):
return MyPlugin(dict_dconf_db, username, fs_file_cache)
```sh
# pip install prospector[with_pyroma]
```
## Contributing
The main communication channel for GPOA is [Samba@ALT Linux mailing lists](https://lists.altlinux.org/mailman/listinfo/samba). The mailing list is in Russian but you may also send e-mail in English or German.
The main communication channel for GPOA is
[Samba@ALT Linux mailing lists](https://lists.altlinux.org/mailman/listinfo/samba).
The mailing list is in Russian but you may also send e-mail in English
or German.
## License
GPOA - GPO Applier for Linux
Copyright (C) 2019-2025 BaseALT Ltd.
Copyright (C) 2019-2020 BaseALT Ltd.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by

22
completions/gpoa
View File

@@ -1,22 +0,0 @@
_gpoa()
{
local cur prev words cword split
_init_completion -s || return
case $prev in
--dc)
_filedir
return
;;
--loglevel)
COMPREPLY=($(compgen -W '0 1 2 3 4 5' -- "$cur"))
return
;;
*)
COMPREPLY=($(compgen -W '--dc --nodomain --noupdate --noplugins --list-backends --loglevel --help --force' -- "$cur"))
return
;;
esac
}
complete -F _gpoa gpoa

27
completions/gpupdate
View File

@@ -1,27 +0,0 @@
_gpupdate()
{
local cur prev words cword split
_init_completion -s || return
case $prev in
-u|--user)
_filedir
return
;;
-t|--target)
COMPREPLY=($(compgen -W 'ALL USER COMPUTER' -- "$cur"))
return
;;
-l|--loglevel)
COMPREPLY=($(compgen -W '0 1 2 3 4 5' -- "$cur"))
return
;;
*)
COMPREPLY=($(compgen -W '--user --target --loglevel --system --help --force' -- "$cur"))
return
;;
esac
}
complete -F _gpupdate gpupdate

18
completions/gpupdate-setup
View File

@@ -1,18 +0,0 @@
_gpupdate-setup()
{
local cur prev words cword split
_init_completion -s || return
case $prev in
set-backend)
COMPREPLY=($(compgen -W 'local samba' -- "$cur"))
return
;;
*)
COMPREPLY=($(compgen -W 'list list-backends status enable disable update write set-backend default-policy active-policy active-backend' -- "$cur"))
return
;;
esac
}
complete -F _gpupdate-setup gpupdate-setup

1
dist/gpupdate.service vendored
View File

@@ -1,7 +1,6 @@
[Unit]
Description=Group policy update for machine
After=syslog.target network-online.target sssd.service
Before=systemd-logind.service
[Service]
Environment=PATH=/bin:/sbin:/usr/bin:/usr/sbin

20
doc/gpoa.1
View File

@@ -20,15 +20,12 @@
gpoa \- utility to update and apply group policy settings
.
.SH SYNOPSYS
.B gpoa [user][options]
.B gpoa
.
.SH DESCRIPTION
.B gpoa
Fetches GPT files for designated user from AD instance and transforms
them into UNIX system settings.
If no user argument is specified, gpoa applies machine policies.
If a user name is given, gpoa applies user policies for that domain account.
.SS Options
.TP
\fB-h\fP
@@ -38,11 +35,7 @@ Show help.
Specify domain controller hostname FQDN to replicate GPTs from. May be
useful in case of default DC problems.
.TP
\fB--list-backends\fP
Show a list of available backends for applying policies.
.TP
\fB--nodomain\fP
Operate without a domain controller. Apply only local policy.
\fB--target \fITARGET\fP
.TP
\fB--noupdate\fP
Don't update settings.
@@ -52,9 +45,6 @@ Don't run plugins.
.TP
\fB--loglevel \fILOGLEVEL\fP
Set logging verbosity from 0 to 5.
.TP
\fB--force\fP
Force GPT download.
.
.SH FILES
\fB/usr/sbin/gpoa\fR utility uses \fB/usr/share/local-policy/default\fR
@@ -65,10 +55,8 @@ All data is located in \fB/var/cache/gpupdate\fR. Also domain GPTs are
taken from Samba's \fB/var/cache/samba\fR.
.
The settings read from Samba are stored in
Dconf. Machine policies are stored in the \fB/etc/dconf/db/policy.d/policy.ini\fR file,
user policies are stored in the \fB/etc/dconf/db/policy<UID>.d/policy<UID>.ini\fR file
(where UID is the user ID in the system)."Local Policy" settings
read from \fB/usr/share/local-policy/\fR are converted
\fB/var/cache/gpupdate/registry.sqlite\fR and "Local Policy" settings
read from \fB/usr/local/share/local-policy/default\fR are converted
into GPT and stored as \fB/var/cache/gpupdate/local-policy\fR.
.SH "SEE ALSO"
gpupdate(1)

3
doc/gpupdate.1
View File

@@ -43,9 +43,6 @@ Show help.
.TP
\fB--user \fIusername\fR
Run \fBgpupdate\fP for \fIusername\fP.
.TP
\fB--force\fP
Force GPT download.
.
.SS "EXIT CODES"
.TP

41
gpoa/backend/__init__.py
View File

@@ -17,21 +17,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from storage.dconf_registry import (
Dconf_registry,
add_preferences_to_global_registry_dict,
create_dconf_ini_file,
)
from util.config import GPConfig
from util.logging import log
from util.paths import get_dconf_config_file
from util.util import get_uid_by_username, touch_file
from util.windows import smbcreds
from util.ipacreds import ipacreds
from .nodomain_backend import nodomain_backend
from .samba_backend import samba_backend
from .freeipa_backend import freeipa_backend
from .nodomain_backend import nodomain_backend
from util.logging import log
from util.config import GPConfig
from util.util import get_uid_by_username, touch_file
from util.paths import get_dconf_config_path
from storage.dconf_registry import Dconf_registry, create_dconf_ini_file
def backend_factory(dc, username, is_machine, no_domain = False):
'''
@@ -59,20 +52,6 @@ def backend_factory(dc, username, is_machine, no_domain = False):
logdata = dict({'error': str(exc)})
log('E7', logdata)
if config.get_backend() == 'freeipa' and not no_domain:
try:
if not dc:
dc = config.get_dc()
if dc:
ld = {'dc': dc}
log('D52', ld)
ipac = ipacreds()
domain = ipac.get_domain()
back = freeipa_backend(ipac, username, domain, is_machine)
except Exception as exc:
logdata = {'error': str(exc)}
log('E79', logdata)
if config.get_backend() == 'local' or no_domain:
log('D8')
try:
@@ -83,14 +62,12 @@ def backend_factory(dc, username, is_machine, no_domain = False):
return back
def save_dconf(username, is_machine, nodomain=None):
def save_dconf(username, is_machine):
if is_machine:
uid = None
else:
uid = get_uid_by_username(username) if not is_machine else None
target_file = get_dconf_config_file(uid)
target_file = get_dconf_config_path(uid)
touch_file(target_file)
Dconf_registry.apply_template(uid)
add_preferences_to_global_registry_dict(username, is_machine)
Dconf_registry.update_dict_to_previous()
create_dconf_ini_file(target_file,Dconf_registry.global_registry_dict, uid, nodomain)
create_dconf_ini_file(target_file,Dconf_registry.global_registry_dict)

1
gpoa/backend/applier_backend.py
View File

@@ -18,7 +18,6 @@
from abc import ABC
class applier_backend(ABC):
@classmethod
def __init__(self):

228
gpoa/backend/freeipa_backend.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,232 +16,10 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import smbc
import re
from .applier_backend import applier_backend
from pathlib import Path
from gpt.gpt import gpt, get_local_gpt
from gpt.gpo_dconf_mapping import GpoInfoDconf
from storage import registry_factory
from storage.dconf_registry import Dconf_registry, extract_display_name_version
from storage.fs_file_cache import fs_file_cache
from util.logging import log
from util.util import get_uid_by_username
from util.kerberos import (
machine_kinit
, machine_kdestroy
)
class freeipa_backend(applier_backend):
def __init__(self, ipacreds, username, domain, is_machine):
self.ipacreds = ipacreds
self.cache_path = '/var/cache/gpupdate/creds/krb5cc_{}'.format(os.getpid())
self.__kinit_successful = machine_kinit(self.cache_path, "freeipa")
if not self.__kinit_successful:
raise Exception('kinit is not successful')
self.storage = registry_factory()
self.storage.set_info('domain', domain)
machine_name = self.ipacreds.get_machine_name()
self.storage.set_info('machine_name', machine_name)
self.username = machine_name if is_machine else username
self._is_machine_username = is_machine
self.cache_dir = self.ipacreds.get_cache_dir()
self.gpo_cache_part = 'gpo_cache'
self.gpo_cache_dir = os.path.join(self.cache_dir, self.gpo_cache_part)
self.storage.set_info('cache_dir', self.gpo_cache_dir)
self.file_cache = fs_file_cache("freeipa_gpo", username)
logdata = {'cachedir': self.cache_dir}
log('D7', logdata)
def __del__(self):
if self.__kinit_successful:
machine_kdestroy()
def retrieve_and_store(self):
'''
Retrieve settings and store it in a database - FreeIPA version
'''
try:
if self._is_machine_username:
dconf_dict = Dconf_registry.get_dictionary_from_dconf_file_db(save_dconf_db=True)
else:
uid = get_uid_by_username(self.username)
dconf_dict = Dconf_registry.get_dictionary_from_dconf_file_db(uid, save_dconf_db=True)
except Exception as e:
logdata = {'msg': str(e)}
log('E72', logdata)
if self._is_machine_username:
machine_gpts = []
try:
machine_name = self.storage.get_info('machine_name')
machine_gpts = self._get_gpts(machine_name)
machine_gpts.reverse()
except Exception as exc:
logdata = {'msg': str(exc)}
log('E17', logdata)
for i, gptobj in enumerate(machine_gpts):
try:
gptobj.merge_machine()
except Exception as exc:
logdata = {'msg': str(exc)}
log('E26', logdata)
else:
user_gpts = []
try:
user_gpts = self._get_gpts(self.username)
user_gpts.reverse()
except Exception as exc:
logdata = {'msg': str(exc)}
log('E17', logdata)
for i, gptobj in enumerate(user_gpts):
try:
gptobj.merge_user()
except Exception as exc:
logdata = {'msg': str(exc)}
log('E27', logdata)
def _get_gpts(self, username):
gpts = []
gpos, server = self.ipacreds.update_gpos(username)
if not gpos:
return gpts
if not server:
return gpts
cached_gpos = []
download_gpos = []
for i, gpo in enumerate(gpos):
if gpo.file_sys_path.startswith('/'):
if os.path.exists(gpo.file_sys_path):
logdata = {'gpo_name': gpo.display_name, 'path': gpo.file_sys_path}
log('D11', logdata)
cached_gpos.append(gpo)
else:
download_gpos.append(gpo)
else:
if self._check_sysvol_present(gpo):
download_gpos.append(gpo)
else:
logdata = {'gpo_name': gpo.display_name}
log('W4', logdata)
if download_gpos:
try:
self._download_gpos(download_gpos, server)
logdata = {'count': len(download_gpos)}
log('D50', logdata)
except Exception as e:
logdata = {'msg': str(e), 'count': len(download_gpos)}
log('E35', logdata)
else:
log('D211', {})
all_gpos = cached_gpos + download_gpos
for gpo in all_gpos:
gpt_abspath = gpo.file_sys_path
if not os.path.exists(gpt_abspath):
logdata = {'path': gpt_abspath, 'gpo_name': gpo.display_name}
log('W12', logdata)
continue
if self._is_machine_username:
obj = gpt(gpt_abspath, None, GpoInfoDconf(gpo))
else:
obj = gpt(gpt_abspath, self.username, GpoInfoDconf(gpo))
obj.set_name(gpo.display_name)
gpts.append(obj)
local_gpt = get_local_gpt()
gpts.append(local_gpt)
logdata = {'total_count': len(gpts), 'downloaded_count': len(download_gpos)}
log('I2', logdata)
return gpts
def _check_sysvol_present(self, gpo):
if not gpo.file_sys_path:
if getattr(gpo, 'name', '') != 'Local Policy':
logdata = {'gponame': getattr(gpo, 'name', 'Unknown')}
log('W4', logdata)
return False
if gpo.file_sys_path.startswith('\\\\'):
return True
elif gpo.file_sys_path.startswith('/'):
if os.path.exists(gpo.file_sys_path):
return True
else:
return False
else:
return False
def _download_gpos(self, gpos, server):
cache_dir = self.ipacreds.get_cache_dir()
domain = self.ipacreds.get_domain().upper()
gpo_cache_dir = os.path.join(cache_dir, domain, 'POLICIES')
os.makedirs(gpo_cache_dir, exist_ok=True)
for gpo in gpos:
if not gpo.file_sys_path:
continue
smb_remote_path = None
try:
smb_remote_path = self._convert_to_smb_path(gpo.file_sys_path, server)
local_gpo_path = os.path.join(gpo_cache_dir, gpo.name)
self._download_gpo_directory(smb_remote_path, local_gpo_path)
gpo.file_sys_path = local_gpo_path
except Exception as e:
logdata = {
'msg': str(e),
'gpo_name': gpo.display_name,
'smb_path': smb_remote_path,
}
log('E38', logdata)
def _convert_to_smb_path(self, windows_path, server):
match = re.search(r'\\\\[^\\]+\\(.+)', windows_path)
if not match:
raise Exception(f"Invalid Windows path format: {windows_path}")
relative_path = match.group(1).replace('\\', '/').lower()
smb_url = f"smb://{server}/{relative_path}"
return smb_url
def _download_gpo_directory(self, remote_smb_path, local_path):
os.makedirs(local_path, exist_ok=True)
try:
entries = self.file_cache.samba_context.opendir(remote_smb_path).getdents()
for entry in entries:
if entry.name in [".", ".."]:
continue
remote_entry_path = f"{remote_smb_path}/{entry.name}"
local_entry_path = os.path.join(local_path, entry.name)
if entry.smbc_type == smbc.DIR:
self._download_gpo_directory(remote_entry_path, local_entry_path)
elif entry.smbc_type == smbc.FILE:
try:
os.makedirs(os.path.dirname(local_entry_path), exist_ok=True)
self.file_cache.store(remote_entry_path, Path(local_entry_path))
except Exception as e:
logdata = {'exception': str(e), 'file': entry.name}
log('W30', logdata)
except Exception as e:
logdata = {'exception': str(e), 'remote_folder_path': remote_smb_path}
log('W31', logdata)
def __init__(self):
pass

28
gpoa/backend/nodomain_backend.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,18 +16,33 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from gpt.gpt import get_local_gpt
from storage import registry_factory
import logging
import os
from .applier_backend import applier_backend
from storage import registry_factory
from gpt.gpt import gpt, get_local_gpt
from util.util import (
get_machine_name
)
from util.sid import get_sid
import util.preg
from util.logging import slogm
class nodomain_backend(applier_backend):
def __init__(self):
domain = None
machine_name = get_machine_name()
machine_sid = get_sid(domain, machine_name, True)
self.storage = registry_factory()
self.storage.set_info('domain', domain)
self.storage.set_info('machine_name', machine_name)
self.storage.set_info('machine_sid', machine_sid)
# User SID to work with HKCU hive
self.username = machine_name
self.sid = machine_sid
def retrieve_and_store(self):
'''
@@ -35,7 +50,8 @@ class nodomain_backend(applier_backend):
'''
# Get policies for machine at first.
self.storage.wipe_hklm()
local_policy = get_local_gpt()
self.storage.wipe_user(self.storage.get_info('machine_sid'))
local_policy = get_local_gpt(self.sid)
local_policy.merge_machine()
local_policy.merge_user()

105
gpoa/backend/samba_backend.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -17,23 +17,26 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
# Facility to determine GPTs for user
try:
from samba.gpclass import check_safe_path
except ImportError:
from samba.gp.gpclass import check_safe_path
from gpt.gpo_dconf_mapping import GpoInfoDconf
from gpt.gpt import get_local_gpt, gpt
from storage import registry_factory
from util.kerberos import machine_kdestroy, machine_kinit
from util.logging import log
from util.sid import get_sid
from util.util import get_machine_name
from .applier_backend import applier_backend
from storage import registry_factory
from gpt.gpt import gpt, get_local_gpt
from util.util import (
get_machine_name,
is_machine_name
)
from util.kerberos import (
machine_kinit
, machine_kdestroy
)
from util.sid import get_sid
import util.preg
from util.logging import log
class samba_backend(applier_backend):
__user_policy_mode_key = '/SOFTWARE/Policies/Microsoft/Windows/System/UserPolicyMode'
@@ -53,7 +56,7 @@ class samba_backend(applier_backend):
# User SID to work with HKCU hive
self.username = username
self._is_machine = is_machine
self._is_machine_username = is_machine
if is_machine:
self.sid = machine_sid
else:
@@ -63,10 +66,7 @@ class samba_backend(applier_backend):
self.sambacreds = sambacreds
self.cache_dir = self.sambacreds.get_cache_dir()
self.gpo_cache_part ='gpo_cache'
self._cached = False
self.storage.set_info('cache_dir', os.path.join(self.cache_dir, self.gpo_cache_part))
logdata = {'cachedir': self.cache_dir}
logdata = dict({'cachedir': self.cache_dir})
log('D7', logdata)
def __del__(self):
@@ -96,56 +96,57 @@ class samba_backend(applier_backend):
Retrieve settings and strore it in a database
'''
# Get policies for machine at first.
machine_gpts = []
machine_gpts = list()
try:
machine_gpts = self._get_gpts()
machine_gpts = self._get_gpts(get_machine_name(), self.storage.get_info('machine_sid'))
except Exception as exc:
log('F2')
raise exc
if self._is_machine:
if self._is_machine_username:
self.storage.wipe_hklm()
self.storage.wipe_user(self.storage.get_info('machine_sid'))
for gptobj in machine_gpts:
try:
gptobj.merge_machine()
except Exception as exc:
logdata = {}
logdata = dict()
logdata['msg'] = str(exc)
log('E26', logdata)
# Load user GPT values in case user's name specified
# This is a buggy implementation and should be tested more
else:
user_gpts = []
user_path_gpts = set()
user_gpts = list()
try:
user_gpts = self._get_gpts(self.username)
user_gpts = self._get_gpts(self.username, self.sid)
except Exception as exc:
log('F3')
raise exc
self.storage.wipe_user(self.sid)
# Merge user settings if UserPolicyMode set accordingly
# and user settings (for HKCU) are exist.
policy_mode = self.get_policy_mode()
logdata = {'mode': upm2str(policy_mode)}
logdata = dict({'mode': upm2str(policy_mode), 'sid': self.sid})
log('D152', logdata)
if policy_mode < 2:
for gptobj in user_gpts:
try:
gptobj.merge_user()
user_path_gpts.add(gptobj.path)
except Exception as exc:
logdata = {}
logdata = dict()
logdata['msg'] = str(exc)
log('E27', logdata)
filtered_machine_gpts = [gpt for gpt in machine_gpts
if gpt.path not in user_path_gpts]
if policy_mode > 0:
for gptobj in filtered_machine_gpts:
for gptobj in machine_gpts:
try:
gptobj.sid = self.sid
gptobj.merge_user()
except Exception as exc:
logdata = {}
logdata = dict()
logdata['msg'] = str(exc)
log('E63', logdata)
@@ -153,47 +154,43 @@ class samba_backend(applier_backend):
'''
Check if there is SYSVOL path for GPO assigned
'''
self._cached = False
if not gpo.file_sys_path:
# GPO named "Local Policy" has no entry by its nature so
# no reason to print warning.
if gpo.display_name in self.storage._dict_gpo_name_version_cache.keys():
gpo.file_sys_path = self.storage._dict_gpo_name_version_cache.get(gpo.display_name, {}).get('correct_path')
self._cached = True
return True
elif 'Local Policy' != gpo.name:
logdata = {'gponame': gpo.name}
if 'Local Policy' != gpo.name:
logdata = dict({'gponame': gpo.name})
log('W4', logdata)
return False
return True
def _get_gpts(self, username=None):
gpts = []
if not username:
username = get_machine_name()
log('D45', {'username': username})
def _get_gpts(self, username, sid):
gpts = list()
log('D45', {'username': username, 'sid': sid})
# util.windows.smbcreds
gpos = self.sambacreds.update_gpos(username)
log('D46')
for gpo in gpos:
if self._check_sysvol_present(gpo):
if not self._cached:
path = check_safe_path(gpo.file_sys_path).upper()
slogdata = {'sysvol_path': gpo.file_sys_path, 'gpo_name': gpo.display_name, 'gpo_path': path}
log('D30', slogdata)
gpt_abspath = os.path.join(self.cache_dir, self.gpo_cache_part, path)
path = check_safe_path(gpo.file_sys_path).upper()
slogdata = dict({'sysvol_path': gpo.file_sys_path, 'gpo_name': gpo.display_name, 'gpo_path': path})
log('D30', slogdata)
gpt_abspath = os.path.join(self.cache_dir, 'gpo_cache', path)
gpo_version=None
try:
gpo_version=gpo.version
except:
log('D210')
if self._is_machine_username:
obj = gpt(gpt_abspath, sid, None, version=gpo_version)
else:
gpt_abspath = gpo.file_sys_path
log('D211', {'sysvol_path': gpo.file_sys_path, 'gpo_name': gpo.display_name})
if self._is_machine:
obj = gpt(gpt_abspath, None, GpoInfoDconf(gpo))
else:
obj = gpt(gpt_abspath, self.username, GpoInfoDconf(gpo))
obj = gpt(gpt_abspath, sid, self.username, version=gpo_version)
obj.set_name(gpo.display_name)
gpts.append(obj)
else:
if 'Local Policy' == gpo.name:
gpts.append(get_local_gpt())
gpts.append(get_local_gpt(sid))
return gpts

5
gpoa/frontend/__init__.py
View File

@@ -16,4 +16,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from .frontend_manager import frontend_manager as applier
from .frontend_manager import (
frontend_manager as applier
)

13
gpoa/frontend/applier_frontend.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -18,6 +18,7 @@
from abc import ABC
from util.logging import log
def check_experimental_enabled(storage):
experimental_enable_flag = '/Software/BaseALT/Policies/GPUpdate/GlobalExperimental'
@@ -35,8 +36,8 @@ def check_windows_mapping_enabled(storage):
flag = storage.get_key_value(windows_mapping_enable_flag)
result = True
flag = str(flag)
if flag and '0' == flag:
if flag and '0' == str(flag):
result = False
return result
@@ -47,9 +48,9 @@ def check_module_enabled(storage, module_name):
flag = storage.get_key_value(gpupdate_module_flag)
result = None
flag = str(flag)
if flag and flag!='None':
if '1' == flag:
if flag:
if '1' == str(flag):
result = True
else:
result = False

22
gpoa/frontend/appliers/control.py
View File

@@ -17,14 +17,16 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import subprocess
from util.logging import log
import threading
import logging
from util.logging import slogm, log
def control_subst(preg_name):
'''
This is a workaround for control names which can't be used in
PReg/ADMX files.
'''
control_triggers = {}
control_triggers = dict()
control_triggers['dvd_rw-format'] = 'dvd+rw-format'
control_triggers['dvd_rw-mediainfo'] = 'dvd+rw-mediainfo'
control_triggers['dvd_rw-booktype'] = 'dvd+rw-booktype'
@@ -50,7 +52,7 @@ class control:
Query possible values from control in order to perform check of
parameter passed to constructor.
'''
values = []
values = list()
popen_call = ['/usr/sbin/control', self.control_name, 'list']
with subprocess.Popen(popen_call, stdout=subprocess.PIPE, stderr=subprocess.PIPE) as proc:
@@ -68,7 +70,7 @@ class control:
try:
str_status = self.possible_values[int_status]
except IndexError as exc:
logdata = {}
logdata = dict()
logdata['control'] = self.control_name
logdata['value from'] = self.possible_values
logdata['by index'] = int_status
@@ -97,20 +99,20 @@ class control:
if type(self.control_value) == int:
status = self._map_control_status(self.control_value)
if status == None:
logdata = {}
logdata = dict()
logdata['control'] = self.control_name
logdata['inpossible values'] = self.control_value
logdata['inpossible values'] = self.self.control_value
log('E42', logdata)
return
elif type(self.control_value) == str:
if self.control_value not in self.possible_values:
logdata = {}
logdata = dict()
logdata['control'] = self.control_name
logdata['inpossible values'] = self.control_value
logdata['inpossible values'] = self.self.control_value
log('E59', logdata)
return
status = self.control_value
logdata = {}
logdata = dict()
logdata['control'] = self.control_name
logdata['status'] = status
log('D68', logdata)
@@ -120,7 +122,7 @@ class control:
with subprocess.Popen(popen_call, stdout=subprocess.PIPE) as proc:
proc.wait()
except:
logdata = {}
logdata = dict()
logdata['control'] = self.control_name
logdata['status'] = status
log('E43', logdata)

37
gpoa/frontend/appliers/envvar.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -17,40 +17,27 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from os.path import isfile
from util.logging import slogm
import logging
from util.arguments import (
from gpt.envvars import (
FileAction
, action_letter2enum
)
from util.windows import expand_windows_var
from util.util import get_homedir
from util.logging import log
from util.util import (
get_homedir,
homedir_exists
)
class Envvar:
__envvar_file_path = '/etc/gpupdate/environment'
__envvar_file_path_user = '/.gpupdate_environment'
def __init__(self, envvars, username=''):
self.username = username
self.envvars = envvars
if self.username == 'root':
self.envvar_file_path = Envvar.__envvar_file_path
self.envvar_file_path = '/etc/gpupdate/environment'
else:
self.envvar_file_path = get_homedir(self.username) + Envvar.__envvar_file_path_user
@staticmethod
def clear_envvar_file(username = False):
if username:
file_path = get_homedir(username) + Envvar.__envvar_file_path_user
else:
file_path = Envvar.__envvar_file_path
try:
with open(file_path, 'w') as file:
file.write('')
log('D215', {'path':file_path})
except Exception as exc:
log('D216', {'path': file_path, 'exc': exc})
self.envvar_file_path = get_homedir(self.username) + '/.gpupdate_environment'
def _open_envvar_file(self):
fd = None
@@ -64,7 +51,7 @@ class Envvar:
def _create_action(self, create_dict, envvar_file):
lines_old = envvar_file.readlines()
lines_new = []
lines_new = list()
for name in create_dict:
exist = False
for line in lines_old:
@@ -93,7 +80,7 @@ class Envvar:
with open(self.envvar_file_path, 'r') as f:
lines = f.readlines()
else:
lines = []
lines = list()
file_changed = False
for envvar_object in self.envvars:

61
gpoa/frontend/appliers/file_cp.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2022 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -17,7 +17,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from util.arguments import (
from gpt.folders import (
FileAction
, action_letter2enum
)
@@ -26,12 +26,10 @@ from util.logging import log
import shutil
from pathlib import Path
from util.windows import expand_windows_var
from util.util import get_homedir, get_user_info
from util.util import get_homedir
from util.exceptions import NotUNCPathError
from util.paths import UNCPath
import fnmatch
import pwd
import grp
class Files_cp:
def __init__(self, file_obj, file_cache, exe_check, username=None):
@@ -51,8 +49,7 @@ class Files_cp:
self.suppress = str2bool(file_obj.suppress)
self.executable = str2bool(file_obj.executable)
self.username = username
self.pw = get_user_info(username) if username else None
self.fromPathFiles = []
self.fromPathFiles = list()
if self.fromPath:
if targetPath[-1] == '/' or self.is_pattern(Path(self.fromPath).name):
self.isTargetPathDirectory = True
@@ -80,7 +77,7 @@ class Files_cp:
else:
return targetPath.parent.joinpath('.' + targetPath.name)
except Exception as exc:
logdata = {}
logdata = dict()
logdata['targetPath'] = targetPath
logdata['fromFile'] = fromFile
logdata['exc'] = exc
@@ -97,7 +94,7 @@ class Files_cp:
if fromFilePath.exists():
targetFile.write_bytes(fromFilePath.read_bytes())
except Exception as exc:
logdata = {}
logdata = dict()
logdata['targetFile'] = targetFile
logdata['fromFile'] = fromFile
logdata['exc'] = exc
@@ -128,7 +125,7 @@ class Files_cp:
shutil.os.chmod(targetFile, 0o644)
def _create_action(self):
logdata = {}
logdata = dict()
for fromFile in self.fromPathFiles:
targetFile = None
@@ -137,8 +134,7 @@ class Files_cp:
if targetFile and not targetFile.exists():
self.copy_target_file(targetFile, fromFile)
if self.username:
group_name = grp.getgrgid(self.pw.pw_gid).gr_name
chown_home_path(targetFile, username=self.username, group=group_name)
shutil.chown(targetFile, self.username)
self.set_mod_file(targetFile, fromFile)
logdata['File'] = targetFile
log('D191', logdata)
@@ -153,7 +149,7 @@ class Files_cp:
list_target = [self.targetPath.name]
if self.is_pattern(self.targetPath.name) and self.targetPath.parent.exists() and self.targetPath.parent.is_dir():
list_target = fnmatch.filter([str(x.name) for x in self.targetPath.parent.iterdir() if x.is_file()], self.targetPath.name)
logdata = {}
logdata = dict()
for targetFile in list_target:
targetFile = self.targetPath.parent.joinpath(targetFile)
try:
@@ -169,15 +165,13 @@ class Files_cp:
log('D165', logdata)
def _update_action(self):
logdata = {}
logdata = dict()
for fromFile in self.fromPathFiles:
targetFile = self.get_target_file(self.targetPath, fromFile)
try:
self.copy_target_file(targetFile, fromFile)
if self.username:
shutil.chown(self.targetPath, self.username)
group_name = grp.getgrgid(self.pw.pw_gid).gr_name
chown_home_path(targetFile, username=self.username, group=group_name)
self.set_mod_file(targetFile, fromFile)
logdata['File'] = targetFile
log('D192', logdata)
@@ -206,7 +200,7 @@ class Files_cp:
return False
def get_list_files(self):
logdata = {}
logdata = dict()
logdata['targetPath'] = str(self.targetPath)
fromFilePath = Path(self.fromPath)
if not self.is_pattern(fromFilePath.name):
@@ -260,8 +254,8 @@ class Execution_check():
marker_usage_path_branch = '{}\\{}%'.format(self.__hklm_branch, self.__marker_usage_path_key_name)
self.etension_marker = storage.filter_hklm_entries(etension_marker_branch)
self.marker_usage_path = storage.filter_hklm_entries(marker_usage_path_branch)
self.list_paths = []
self.list_markers = []
self.list_paths = list()
self.list_markers = list()
for marker in self.etension_marker:
self.list_markers.append(marker.data)
for usage_path in self.marker_usage_path:
@@ -272,32 +266,3 @@ class Execution_check():
def get_list_markers(self):
return self.list_markers
def chown_home_path(path: Path, username: str, group: str) -> None:
"""
Change ownership (user and group) of the given path and all its parent
directories up to (but NOT including) the user's home directory.
If the path is not inside the user's home directory, do nothing.
:param path: Path to a file or directory.
:param user: Username to set as owner.
:param group: Group name to set as group.
"""
path = path.resolve()
home_root = Path(get_homedir(username))
# Check if the path is inside user's home directory
if home_root not in path.parents:
return # Not inside user's home - do nothing
# Walk upwards from the given path until just above home_root
current = path
while True:
if current == home_root:
break # do not change ownership of the home directory itself
shutil.chown(current, user=username, group=group)
if current.parent == current: # Safety check: reached root (/)
break
current = current.parent

4
gpoa/frontend/appliers/firewall_rule.py
View File

@@ -20,7 +20,7 @@ from enum import Enum
import subprocess
def getprops(param_list):
props = {}
props = dict()
for entry in param_list:
lentry = entry.lower()
@@ -35,7 +35,7 @@ def getprops(param_list):
def get_ports(param_list):
portlist = []
portlist = list()
for entry in param_list:
lentry = entry.lower()

7
gpoa/frontend/appliers/folder.py
View File

@@ -20,7 +20,7 @@
from pathlib import Path
from util.arguments import (
from gpt.folders import (
FileAction
, action_letter2enum
)
@@ -28,7 +28,7 @@ from util.windows import expand_windows_var
from util.util import get_homedir
def remove_dir_tree(path, delete_files=False, delete_folder=False, delete_sub_folders=False):
content = []
content = list()
for entry in path.iterdir():
content.append(entry)
if entry.is_file() and delete_files:
@@ -77,10 +77,9 @@ class Folder:
self.delete_folder,
self.delete_sub_folders)
def act(self):
if self.hidden_folder == True and str(self.folder_path.name)[0] != '.':
path_components = [*self.folder_path.parts]
path_components = list(self.folder_path.parts)
path_components[-1] = '.' + path_components[-1]
new_folder_path = Path(*path_components)
self.folder_path = new_folder_path

19
gpoa/frontend/appliers/gsettings.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2021 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -18,9 +18,10 @@
import configparser
import os
import logging
from gi.repository import Gio, GLib
from util.logging import log
from util.logging import slogm, log
class system_gsetting:
def __init__(self, schema, path, value, lock, helper_function=None):
@@ -53,15 +54,15 @@ class system_gsettings:
__profile_data = 'user-db:user\nsystem-db:policy\nsystem-db:local\n'
def __init__(self, override_file_path):
self.gsettings = []
self.locks = []
self.gsettings = list()
self.locks = list()
self.override_file_path = override_file_path
def append(self, schema, path, data, lock, helper):
if check_existing_gsettings(schema, path):
self.gsettings.append(system_gsetting(schema, path, data, lock, helper))
else:
logdata = {}
logdata = dict()
logdata['schema'] = schema
logdata['path'] = path
logdata['data'] = data
@@ -72,7 +73,7 @@ class system_gsettings:
config = configparser.ConfigParser()
for gsetting in self.gsettings:
logdata = {}
logdata = dict()
logdata['gsetting.schema'] = gsetting.schema
logdata['gsetting.path'] = gsetting.path
logdata['gsetting.value'] = gsetting.value
@@ -132,13 +133,13 @@ def check_existing_gsettings (schema, path):
class user_gsettings:
def __init__(self):
self.gsettings = []
self.gsettings = list()
def append(self, schema, path, value, helper=None):
if check_existing_gsettings(schema, path):
self.gsettings.append(user_gsetting(schema, path, value, helper))
else:
logdata = {}
logdata = dict()
logdata['schema'] = schema
logdata['path'] = path
logdata['data'] = value
@@ -146,7 +147,7 @@ class user_gsettings:
def apply(self):
for gsetting in self.gsettings:
logdata = {}
logdata = dict()
logdata['gsetting.schema'] = gsetting.schema
logdata['gsetting.path'] = gsetting.path
logdata['gsetting.value'] = gsetting.value

6
gpoa/frontend/appliers/ini_file.py
View File

@@ -18,7 +18,7 @@
from util.arguments import (
from gpt.folders import (
FileAction
, action_letter2enum
)
@@ -54,7 +54,7 @@ class Ini_file:
if self.path.is_dir():
return
if self.section not in self.config:
self.config[self.section] = {}
self.config[self.section] = dict()
self.config[self.section][self.key] = self.value
self.config.write()
@@ -85,7 +85,7 @@ class Ini_file:
if self.action == FileAction.REPLACE:
self._create_action()
except Exception as exc:
logdata = {}
logdata = dict()
logdata['action'] = self.action
logdata['exc'] = exc
log('W23', logdata)

6
gpoa/frontend/appliers/netshare.py
View File

@@ -18,7 +18,7 @@
import subprocess
from util.arguments import (
from gpt.folders import (
FileAction
, action_letter2enum
)
@@ -31,7 +31,7 @@ class Networkshare:
def __init__(self, networkshare_obj, username = None):
self.net_full_cmd = ['/usr/bin/net', 'usershare']
self.net_cmd_check = ['/usr/bin/net', 'usershare', 'list']
self.cmd = []
self.cmd = list()
self.name = networkshare_obj.name
self.path = expand_windows_var(networkshare_obj.path, username).replace('\\', '/') if networkshare_obj.path else None
@@ -52,7 +52,7 @@ class Networkshare:
return exc
def _run_net_full_cmd(self):
logdata = {}
logdata = dict()
try:
res = subprocess.check_output(self.net_full_cmd, stderr=subprocess.DEVNULL, encoding='utf-8')
if res:

5
gpoa/frontend/appliers/polkit.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -50,7 +50,6 @@ class polkit:
if os.path.isfile(self.outfile):
os.remove(self.outfile)
return
logdata = {}
try:
template = self.__template_environment.get_template(self.infilename)
text = template.render(**self.args)
@@ -58,10 +57,12 @@ class polkit:
with open(self.outfile, 'w') as f:
f.write(text)
logdata = dict()
logdata['file'] = self.outfile
logdata['arguments'] = self.args
log('D77', logdata)
except Exception as exc:
logdata = dict()
logdata['file'] = self.outfile
logdata['arguments'] = self.args
log('E44', logdata)

39
gpoa/frontend/appliers/systemd.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -17,8 +17,9 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import dbus
import logging
from util.logging import log
from util.logging import slogm, log
class systemd_unit:
def __init__(self, unit_name, state):
@@ -34,14 +35,12 @@ class systemd_unit:
self.unit_properties = dbus.Interface(self.unit_proxy, dbus_interface='org.freedesktop.DBus.Properties')
def apply(self):
logdata = {'unit': self.unit_name}
if self.desired_state == 1:
self.manager.UnmaskUnitFiles([self.unit_name], dbus.Boolean(False))
self.manager.EnableUnitFiles([self.unit_name], dbus.Boolean(False), dbus.Boolean(True))
if self.unit_name == 'gpupdate.service':
if self.manager.GetUnitFileState(dbus.String(self.unit_name)) == 'enabled':
return
self.manager.StartUnit(self.unit_name, 'replace')
logdata = dict()
logdata['unit'] = self.unit_name
log('I6', logdata)
# In case the service has 'RestartSec' property set it
@@ -49,21 +48,27 @@ class systemd_unit:
# 'active' so we consider 'activating' a valid state too.
service_state = self._get_state()
if service_state not in ('active', 'activating'):
if not service_state in ['active', 'activating']:
service_timer_name = self.unit_name.replace(".service", ".timer")
self.unit = self.manager.LoadUnit(dbus.String(service_timer_name))
service_state = self._get_state()
if service_state not in ('active', 'activating'):
if not service_state in ['active', 'activating']:
logdata = dict()
logdata['unit'] = self.unit_name
log('E46', logdata)
else:
self.manager.StopUnit(self.unit_name, 'replace')
self.manager.DisableUnitFiles([self.unit_name], dbus.Boolean(False))
self.manager.MaskUnitFiles([self.unit_name], dbus.Boolean(False), dbus.Boolean(True))
logdata = dict()
logdata['unit'] = self.unit_name
log('I6', logdata)
service_state = self._get_state()
if service_state not in ('stopped', 'deactivating', 'inactive'):
if not service_state in ['stopped', 'deactivating', 'inactive']:
logdata = dict()
logdata['unit'] = self.unit_name
log('E46', logdata)
def _get_state(self):
@@ -72,19 +77,3 @@ class systemd_unit:
'''
return self.unit_properties.Get('org.freedesktop.systemd1.Unit', 'ActiveState')
def restart(self):
"""
Restarts the specified unit, if available
"""
logdata = {'unit': self.unit_name, 'action': 'restart'}
try:
self.unit = self.manager.LoadUnit(dbus.String(self.unit_name))
self.manager.RestartUnit(self.unit_name, 'replace')
log('I13', logdata)
service_state = self._get_state()
if service_state not in ('active', 'activating'):
log('E77', logdata)
except dbus.DBusException as exc:
log('E77', {**logdata, 'error': str(exc)})

36
gpoa/frontend/chromium_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,15 +16,16 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from .applier_frontend import (
applier_frontend
, check_enabled
)
import json
import os
from util.logging import log
from util.util import is_machine_name, string_to_literal_eval
from .applier_frontend import applier_frontend, check_enabled
class chromium_applier(applier_frontend):
__module_name = 'ChromiumApplier'
__module_enabled = True
@@ -33,13 +34,15 @@ class chromium_applier(applier_frontend):
__managed_policies_path = '/etc/chromium/policies/managed'
__recommended_policies_path = '/etc/chromium/policies/recommended'
def __init__(self, storage, username):
def __init__(self, storage, sid, username):
self.storage = storage
self.sid = sid
self.username = username
self._is_machine_name = is_machine_name(self.username)
self.chromium_keys = self.storage.filter_hklm_entries(self.__registry_branch)
chromium_filter = '{}%'.format(self.__registry_branch)
self.chromium_keys = self.storage.filter_hklm_entries(chromium_filter)
self.policies_json = {}
self.policies_json = dict()
self.__module_enabled = check_enabled(
self.storage
@@ -67,7 +70,7 @@ class chromium_applier(applier_frontend):
os.makedirs(self.__managed_policies_path, exist_ok=True)
with open(destfile, 'w') as f:
json.dump(dict_item_to_list(self.policies_json), f)
logdata = {}
logdata = dict()
logdata['destfile'] = destfile
log('D97', logdata)
@@ -75,7 +78,7 @@ class chromium_applier(applier_frontend):
os.makedirs(self.__recommended_policies_path, exist_ok=True)
with open(destfilerec, 'w') as f:
json.dump(dict_item_to_list(recommended__json), f)
logdata = {}
logdata = dict()
logdata['destfilerec'] = destfilerec
log('D97', logdata)
@@ -119,11 +122,6 @@ class chromium_applier(applier_frontend):
'ProxyServerMode',
'ExtensionManifestV2Availability',
'ExtensionUnpublishedAvailability',
'CreateThemesSettings',
'DevToolsGenAiSettings',
'GenAILocalFoundationalModelSettings',
'HelpMeWriteSettings',
'TabOrganizerSettings',
'BrowserSwitcherParsingMode',
'CloudAPAuthEnabled',
'AdsSettingForIntrusiveAdsSites',
@@ -137,14 +135,10 @@ class chromium_applier(applier_frontend):
'HeadlessMode',
'IncognitoModeAvailability',
'IntranetRedirectBehavior',
'LensOverlaySettings',
'MemorySaverModeSavings',
'NetworkPredictionOptions',
'ProfilePickerOnStartupAvailability',
'ProfileReauthPrompt',
'RelaunchNotification',
'SafeSitesFilterBehavior',
'ToolbarAvatarLabelSettings',
'UserAgentReduction',
'BatterySaverModeAvailability_recommended',
'DownloadRestrictions_recommended',
@@ -182,7 +176,7 @@ class chromium_applier(applier_frontend):
'''
Collect dictionaries from registry keys into a general dictionary
'''
counts = {}
counts = dict()
#getting the list of keys to read as an integer
valuename_typeint = self.get_valuename_typeint()
for it_data in chromium_keys:
@@ -210,7 +204,7 @@ class chromium_applier(applier_frontend):
branch[parts[-1]] = str(it_data.data).replace('\\', '/')
except Exception as exc:
logdata = {}
logdata = dict()
logdata['Exception'] = exc
logdata['keyname'] = it_data.keyname
log('D178', logdata)

241
gpoa/frontend/cifs_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2022 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,22 +16,22 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
from pathlib import Path
import pwd
import string
import subprocess
import jinja2
import os
import subprocess
from pathlib import Path
import string
from .applier_frontend import (
applier_frontend
, check_enabled
)
from util.util import get_homedir
from util.logging import log
from util.util import get_homedir, get_machine_name, get_uid_by_username, get_user_info
from .applier_frontend import applier_frontend, check_enabled
def storage_get_drives(storage):
drives = storage.get_drives()
drive_list = []
def storage_get_drives(storage, sid):
drives = storage.get_drives(sid)
drive_list = list()
for drv_obj in drives:
drive_list.append(drv_obj)
@@ -64,7 +64,7 @@ def remove_escaped_quotes(input_string):
class Drive_list:
__alphabet = string.ascii_uppercase
def __init__(self):
self.dict_drives = {}
self.dict_drives = dict()
def __get_letter(self, letter):
slice_letters = set(self.__alphabet[self.__alphabet.find(letter) + 1:]) - set(self.dict_drives.keys())
@@ -124,28 +124,14 @@ class cifs_applier(applier_frontend):
__module_name = 'CIFSApplier'
__module_enabled = True
__module_experimental = False
__dir4clean = '/etc/auto.master.gpupdate.d'
def __init__(self, storage):
self.clear_directory_auto_dir()
self.applier_cifs = cifs_applier_user(storage, None)
def __init__(self, storage, sid):
self.applier_cifs = cifs_applier_user(storage, sid, None)
self.__module_enabled = check_enabled(
storage
, self.__module_name
, self.__module_experimental
)
def clear_directory_auto_dir(self):
path = Path(self.__dir4clean)
if not path.exists():
return
for item in path.iterdir():
try:
if item.is_file() or item.is_symlink():
item.unlink()
except Exception as exc:
log('W37', {'exc': exc})
log('D231')
def apply(self):
if self.__module_enabled:
@@ -166,75 +152,32 @@ class cifs_applier_user(applier_frontend):
__template_auto = 'autofs_auto.j2'
__template_mountpoints_hide = 'autofs_mountpoints_hide.j2'
__template_auto_hide = 'autofs_auto_hide.j2'
__enable_home_link = '/Software/BaseALT/Policies/GPUpdate/DriveMapsHome'
__enable_home_link_user = '/Software/BaseALT/Policies/GPUpdate/DriveMapsHomeUser'
__name_dir = '/Software/BaseALT/Policies/GPUpdate'
__name_link_prefix = '/Software/BaseALT/Policies/GPUpdate/DriveMapsHomeDisableNet'
__name_link_prefix_user = '/Software/BaseALT/Policies/GPUpdate/DriveMapsHomeDisableNetUser'
__key_link_prefix = 'DriveMapsHomeDisableNet'
__key_link_prefix_user = 'DriveMapsHomeDisableNetUser'
__timeout_user_key = '/Software/BaseALT/Policies/GPUpdate/TimeoutAutofsUser'
__timeout_key = '/Software/BaseALT/Policies/GPUpdate/TimeoutAutofs'
__cifsacl_key = '/Software/BaseALT/Policies/GPUpdate/CifsaclDisable'
__enable_home_link = 'Software\\BaseALT\\Policies\\GPUpdate\\DriveMapsHome'
__enable_home_link_user = 'Software\\BaseALT\\Policies\\GPUpdate\\DriveMapsHomeUser'
__target_mountpoint = '/media/gpupdate'
__target_mountpoint_user = '/run/media'
__mountpoint_dirname = 'drives.system'
__mountpoint_dirname_user = 'drives'
__key_cifs_previous_value = 'Previous/Software/BaseALT/Policies/GPUpdate'
__key_preferences = 'Software/BaseALT/Policies/Preferences/'
__key_preferences_previous = 'Previous/Software/BaseALT/Policies/Preferences/'
__name_value = 'DriveMapsName'
__name_value_user = 'DriveMapsNameUser'
def __init__(self, storage, username):
def __init__(self, storage, sid, username):
self.storage = storage
self.sid = sid
self.username = username
self.state_home_link = False
self.state_home_link_user = False
self.dict_registry_machine = self.storage.get_dictionary_from_dconf_file_db()
self.homedir = ''
name_dir = self.__name_dir[1:]
if username:
self.dict_registry_user = self.storage.get_dictionary_from_dconf_file_db(get_uid_by_username(username))
self.home = self.__target_mountpoint_user + '/' + username
self.state_home_link = self.storage.check_enable_key(self.__enable_home_link)
self.state_home_link_disable_net = self.storage.check_enable_key(self.__name_link_prefix)
self.state_home_link_disable_net_user = self.storage.check_enable_key(self.__name_link_prefix_user)
self.state_home_link_user = self.storage.check_enable_key(self.__enable_home_link_user)
self.timeout = self.storage.get_entry(self.__timeout_user_key)
dirname = self.storage.get_entry(self.__name_dir + '/' + self.__name_value_user)
dirname_system_from_machine = self.dict_registry_machine.get(name_dir, dict()).get(self.__name_value, None)
self.__mountpoint_dirname_user = dirname.data if dirname and dirname.data else self.__mountpoint_dirname_user
self.__mountpoint_dirname = dirname_system_from_machine if dirname_system_from_machine else self.__mountpoint_dirname
mntTarget = self.__mountpoint_dirname_user
self.keys_cifs_previous_values_user = self.dict_registry_user.get(self.__key_cifs_previous_value,{})
self.keys_cifs_values_user = self.dict_registry_user.get(name_dir,{})
self.keys_the_preferences_previous_values_user = self.dict_registry_user.get((self.__key_preferences_previous+self.username),{}).get('Drives', {})
self.keys_the_preferences_values_user = self.dict_registry_user.get((self.__key_preferences+self.username),{}).get('Drives', {})
self.state_home_link = self.check_enable_home_link(self.__enable_home_link)
self.state_home_link_user = self.check_enable_home_link(self.__enable_home_link_user)
else:
self.home = self.__target_mountpoint
self.timeout = self.storage.get_entry(self.__timeout_key)
dirname_system = self.storage.get_entry(self.__name_dir + '/' + self.__name_value)
self.__mountpoint_dirname = dirname_system.data if dirname_system and dirname_system.data else self.__mountpoint_dirname
mntTarget = self.__mountpoint_dirname
self.keys_cifs_previous_values_machine = self.dict_registry_machine.get(self.__key_cifs_previous_value,{})
self.keys_cifs_values_machine = self.dict_registry_machine.get(name_dir,{})
self.keys_the_preferences_previous_values = self.dict_registry_machine.get((self.__key_preferences_previous+'Machine'),{}).get('Drives', {})
self.keys_the_preferences_values = self.dict_registry_machine.get((self.__key_preferences+'Machine'),{}).get('Drives', {})
self.cifsacl_disable = self.storage.get_entry(self.__cifsacl_key, preg=False)
self.mntTarget = mntTarget.translate(str.maketrans({" ": r"\ "}))
file_name = username if username else get_machine_name()
conf_file = '{}.conf'.format(file_name)
conf_hide_file = '{}_hide.conf'.format(file_name)
autofs_file = '{}.autofs'.format(file_name)
autofs_hide_file = '{}_hide.autofs'.format(file_name)
cred_file = '{}.creds'.format(file_name)
conf_file = '{}.conf'.format(sid)
conf_hide_file = '{}_hide.conf'.format(sid)
autofs_file = '{}.autofs'.format(sid)
autofs_hide_file = '{}_hide.autofs'.format(sid)
cred_file = '{}.creds'.format(sid)
self.auto_master_d = Path(self.__auto_dir)
@@ -252,9 +195,13 @@ class cifs_applier_user(applier_frontend):
self.user_autofs_hide.unlink()
self.user_creds = self.auto_master_d / cred_file
if username:
self.mntTarget = self.__mountpoint_dirname_user
else:
self.mntTarget = self.__mountpoint_dirname
self.mount_dir = Path(os.path.join(self.home))
self.drives = storage_get_drives(self.storage)
self.drives = storage_get_drives(self.storage, self.sid)
self.template_loader = jinja2.FileSystemLoader(searchpath=self.__template_path)
self.template_env = jinja2.Environment(loader=self.template_loader)
@@ -272,20 +219,12 @@ class cifs_applier_user(applier_frontend):
, self.__module_experimental
)
def is_mount_point_dirname(self):
if self.username:
return self.mount_dir.joinpath(self.__mountpoint_dirname_user).is_mount()
def check_enable_home_link(self, enable_home_link):
if self.storage.get_hkcu_entry(self.sid, enable_home_link):
data = self.storage.get_hkcu_entry(self.sid, enable_home_link).data
return bool(int(data)) if data else None
else:
return self.mount_dir.joinpath(self.__mountpoint_dirname).is_mount()
def is_changed_keys(self):
if self.username:
return (self.keys_cifs_previous_values_user.get(self.__name_value_user) != self.keys_cifs_values_user.get(self.__name_value_user) or
self.keys_the_preferences_previous_values_user != self.keys_the_preferences_values_user)
else:
return (self.keys_cifs_previous_values_machine.get(self.__name_value) != self.keys_cifs_values_machine.get(self.__name_value) or
self.keys_the_preferences_previous_values != self.keys_the_preferences_values)
return False
def user_context_apply(self):
'''
@@ -298,10 +237,6 @@ class cifs_applier_user(applier_frontend):
self.auto_master_d.mkdir(parents=True, exist_ok=True)
# Create user's destination mount directory
self.mount_dir.mkdir(parents=True, exist_ok=True)
uid = get_user_info(self.username).pw_uid if self.username else None
if uid:
os.chown(self.mount_dir, uid=uid, gid=-1)
self.mount_dir.chmod(0o700)
# Add pointer to /etc/auto.master.gpiupdate.d in /etc/auto.master
auto_destdir = '+dir:{}'.format(self.__auto_dir)
@@ -310,7 +245,7 @@ class cifs_applier_user(applier_frontend):
# Collect data for drive settings
drive_list = Drive_list()
for drv in self.drives:
drive_settings = {}
drive_settings = dict()
drive_settings['dir'] = drv.dir
drive_settings['login'] = drv.login
drive_settings['password'] = drv.password
@@ -318,16 +253,14 @@ class cifs_applier_user(applier_frontend):
drive_settings['action'] = drv.action
drive_settings['thisDrive'] = drv.thisDrive
drive_settings['allDrives'] = drv.allDrives
drive_settings['label'] = remove_escaped_quotes(drv.label) if drv.persistent == '1' else None
drive_settings['label'] = remove_escaped_quotes(drv.label)
drive_settings['persistent'] = drv.persistent
drive_settings['useLetter'] = drv.useLetter
drive_settings['username'] = self.username
drive_settings['cifsacl'] = False if self.cifsacl_disable else True
drive_list.append(drive_settings)
if drive_list.len() > 0:
mount_settings = {}
mount_settings = dict()
mount_settings['drives'] = drive_list()
mount_text = self.template_mountpoints.render(**mount_settings)
@@ -343,12 +276,10 @@ class cifs_applier_user(applier_frontend):
f.write(mount_text_hide)
f.flush()
autofs_settings = {}
autofs_settings = dict()
autofs_settings['home_dir'] = self.home
autofs_settings['mntTarget'] = self.mntTarget
autofs_settings['mount_file'] = self.user_config.resolve()
autofs_settings['timeout'] = self.timeout.data if self.timeout and self.timeout.data else 120
autofs_text = self.template_auto.render(**autofs_settings)
with open(self.user_autofs.resolve(), 'w') as f:
@@ -363,109 +294,59 @@ class cifs_applier_user(applier_frontend):
f.write(autofs_text)
f.flush()
if self.is_changed_keys() or (self.drives and not self.is_mount_point_dirname()):
self.restart_autofs()
if self.username:
self.update_drivemaps_home_links()
if self.username:
self.update_drivemaps_home_links()
def restart_autofs(self):
try:
subprocess.check_call(['/bin/systemctl', 'restart', 'autofs'])
except Exception as exc:
log('E74', {'exc': exc})
def unlink_symlink(self, symlink:Path, previous=None):
try:
if symlink.exists() and symlink.is_symlink() and symlink.owner() == 'root':
symlink.unlink()
elif symlink.is_symlink() and not symlink.exists():
symlink.unlink()
elif previous:
symlink.unlink()
except:
pass
def del_previous_link(self, previous_value_link , mountpoint_dirname, prefix):
d_previous = Path(self.homedir + ('/' if prefix else '/net.') + previous_value_link)
if d_previous.name != mountpoint_dirname:
dHide_previous = Path(self.homedir + ('/.' if prefix else '/.net.') + previous_value_link)
self.unlink_symlink(d_previous, True)
self.unlink_symlink(dHide_previous, True)
def update_drivemaps_home_links(self):
if self.state_home_link_disable_net:
prefix = ''
else:
prefix = 'net.'
if self.state_home_link_disable_net_user:
prefix_user = ''
else:
prefix_user = 'net.'
previous_value_link = self.keys_cifs_previous_values_machine.get(self.__name_value, self.__mountpoint_dirname)
previous_state_home_link_disable_net_user = self.keys_cifs_previous_values_user.get(self.__key_link_prefix_user)
previous_state_home_link_disable_net = self.keys_cifs_previous_values_user.get(self.__key_link_prefix)
previous_value_link_user = self.keys_cifs_previous_values_user.get(self.__name_value_user, self.__mountpoint_dirname_user)
self.homedir = get_homedir(self.username)
dUser = Path(self.homedir + '/' + prefix_user + self.__mountpoint_dirname_user)
dUserHide = Path(self.homedir + '/.' + prefix_user + self.__mountpoint_dirname_user)
dMachine = Path(self.homedir+'/' + prefix + self.__mountpoint_dirname)
dMachineHide = Path(self.homedir+'/.' + prefix + self.__mountpoint_dirname)
dUser = Path(get_homedir(self.username)+'/net.' + self.__mountpoint_dirname_user)
dUserHide = Path(get_homedir(self.username)+'/.net.' + self.__mountpoint_dirname_user)
if self.state_home_link_user:
dUserMountpoint = Path(self.home).joinpath(self.__mountpoint_dirname_user)
dUserMountpointHide = Path(self.home).joinpath('.' + self.__mountpoint_dirname_user)
self.del_previous_link(previous_value_link_user, dUser.name, previous_state_home_link_disable_net_user)
if not dUser.exists() and dUserMountpoint.exists():
if not dUser.exists():
try:
os.symlink(dUserMountpoint, dUser, True)
except Exception as exc:
log('D194', {'exc': exc})
elif dUser.is_symlink() and not dUserMountpoint.exists():
self.unlink_symlink(dUser)
if not dUserHide.exists() and dUserMountpointHide.exists():
if not dUserHide.exists():
try:
os.symlink(dUserMountpointHide, dUserHide, True)
except Exception as exc:
log('D196', {'exc': exc})
elif dUserHide.is_symlink() and not dUserMountpointHide.exists():
self.unlink_symlink(dUserHide)
else:
self.del_previous_link(previous_value_link_user, dUser.name, previous_state_home_link_disable_net_user)
self.unlink_symlink(dUser)
self.unlink_symlink(dUserHide)
if dUser.is_symlink() and dUser.owner() == 'root':
dUser.unlink()
if dUserHide.is_symlink() and dUserHide.owner() == 'root':
dUserHide.unlink()
dMachine = Path(get_homedir(self.username)+'/net.' + self.__mountpoint_dirname)
dMachineHide = Path(get_homedir(self.username)+'/.net.' + self.__mountpoint_dirname)
if self.state_home_link:
dMachineMountpoint = Path(self.__target_mountpoint).joinpath(self.__mountpoint_dirname)
dMachineMountpointHide = Path(self.__target_mountpoint).joinpath('.' + self.__mountpoint_dirname)
self.del_previous_link(previous_value_link, dMachine.name, previous_state_home_link_disable_net)
if not dMachine.exists() and dMachineMountpoint.exists():
if not dMachine.exists():
try:
os.symlink(dMachineMountpoint, dMachine, True)
except Exception as exc:
log('D195', {'exc': exc})
elif dMachine.is_symlink() and not dMachineMountpoint.exists():
self.unlink_symlink(dMachine)
if not dMachineHide.exists() and dMachineMountpointHide.exists():
if not dMachineHide.exists():
try:
os.symlink(dMachineMountpointHide, dMachineHide, True)
except Exception as exc:
log('D197', {'exc': exc})
elif dMachineHide.is_symlink() and not dMachineMountpointHide.exists():
self.unlink_symlink(dMachineHide)
else:
self.del_previous_link(previous_value_link, dMachine.name, previous_state_home_link_disable_net)
self.unlink_symlink(dMachine)
self.unlink_symlink(dMachineHide)
if dMachine.is_symlink() and dMachine.owner() == 'root':
dMachine.unlink()
if dMachineHide.is_symlink() and dMachineHide.owner() == 'root':
dMachineHide.unlink()
def admin_context_apply(self):
if self.__module_enabled:

25
gpoa/frontend/control_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,11 +16,14 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from util.logging import log
from .applier_frontend import applier_frontend, check_enabled
from .applier_frontend import (
applier_frontend
, check_enabled
)
from .appliers.control import control
from util.logging import slogm, log
import logging
class control_applier(applier_frontend):
__module_name = 'ControlApplier'
@@ -31,7 +34,7 @@ class control_applier(applier_frontend):
def __init__(self, storage):
self.storage = storage
self.control_settings = self.storage.filter_hklm_entries(self._registry_branch)
self.controls = []
self.controls = list()
self.__module_enabled = check_enabled(
self.storage
, self.__module_name
@@ -43,7 +46,9 @@ class control_applier(applier_frontend):
valuename = setting.hive_key.rpartition('/')[2]
try:
self.controls.append(control(valuename, int(setting.data)))
logdata = {'control': valuename, 'value': setting.data}
logdata = dict()
logdata['control'] = valuename
logdata['value'] = setting.data
log('I3', logdata)
except ValueError as exc:
try:
@@ -53,10 +58,14 @@ class control_applier(applier_frontend):
log('I3', logdata)
continue
self.controls.append(ctl)
logdata = {'control': valuename, 'with string value': setting.data}
logdata = dict()
logdata['control'] = valuename
logdata['with string value'] = setting.data
log('I3', logdata)
except Exception as exc:
logdata = {'control': valuename, 'exc': exc}
logdata = dict()
logdata['control'] = valuename
logdata['exc'] = exc
log('E39', logdata)
#for e in polfile.pol_file.entries:
# print('{}:{}:{}:{}:{}'.format(e.type, e.data, e.valuename, e.keyname))

40
gpoa/frontend/cups_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,22 +16,26 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import logging
import os
import json
import cups
from .applier_frontend import (
applier_frontend
, check_enabled
)
from gpt.printers import json2printer
from util.logging import log
from util.rpm import is_rpm_installed
from util.logging import slogm, log
from .applier_frontend import applier_frontend, check_enabled
def storage_get_printers(storage):
def storage_get_printers(storage, sid):
'''
Query printers configuration from storage
'''
printer_objs = storage.get_printers()
printers = []
printer_objs = storage.get_printers(sid)
printers = list()
for prnj in printer_objs:
printers.append(prnj)
@@ -62,8 +66,8 @@ def connect_printer(connection, prn):
class cups_applier(applier_frontend):
__module_name = 'CUPSApplier'
__module_experimental = False
__module_enabled = True
__module_experimental = True
__module_enabled = False
def __init__(self, storage):
self.storage = storage
@@ -80,9 +84,10 @@ class cups_applier(applier_frontend):
try:
self.cups_connection = cups.Connection()
except Exception as exc:
logdata = {'exc': exc}
logdata = dict()
logdata['exc', exc]
log('W20', logdata)
self.printers = storage_get_printers(self.storage)
self.printers = storage_get_printers(self.storage, self.storage.get_info('machine_sid'))
if self.printers:
for prn in self.printers:
@@ -100,16 +105,17 @@ class cups_applier(applier_frontend):
class cups_applier_user(applier_frontend):
__module_name = 'CUPSApplierUser'
__module_experimental = False
__module_enabled = True
__module_experimental = True
__module_enabled = False
def __init__(self, storage, username):
def __init__(self, storage, sid, username):
self.storage = storage
self.sid = sid
self.username = username
self.__module_enabled = check_enabled(
self.storage
, self.__module_name
, self.__module_experimental
, self.__module_enabled
)
def user_context_apply(self):
@@ -125,7 +131,7 @@ class cups_applier_user(applier_frontend):
return
self.cups_connection = cups.Connection()
self.printers = storage_get_printers(self.storage)
self.printers = storage_get_printers(self.storage, self.sid)
if self.printers:
for prn in self.printers:

33
gpoa/frontend/envvar_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,22 +16,25 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from util.logging import log
from .applier_frontend import applier_frontend, check_enabled
from .applier_frontend import (
applier_frontend
, check_enabled
)
from .appliers.envvar import Envvar
from util.logging import slogm, log
import logging
class envvar_applier(applier_frontend):
__module_name = 'EnvvarsApplier'
__module_experimental = False
__module_enabled = True
def __init__(self, storage):
def __init__(self, storage, sid):
self.storage = storage
self.envvars = self.storage.get_envvars()
Envvar.clear_envvar_file()
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
self.sid = sid
self.envvars = self.storage.get_envvars(self.sid)
#self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_enabled)
def apply(self):
if self.__module_enabled:
@@ -46,14 +49,17 @@ class envvar_applier_user(applier_frontend):
__module_experimental = False
__module_enabled = True
def __init__(self, storage, username):
def __init__(self, storage, sid, username):
self.storage = storage
self.sid = sid
self.username = username
self.envvars = self.storage.get_envvars()
Envvar.clear_envvar_file(username)
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
self.envvars = self.storage.get_envvars(self.sid)
#self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
def admin_context_apply(self):
pass
def user_context_apply(self):
if self.__module_enabled:
log('D136')
ev = Envvar(self.envvars, self.username)
@@ -61,6 +67,3 @@ class envvar_applier_user(applier_frontend):
else:
log('D137')
def user_context_apply(self):
pass

27
gpoa/frontend/file_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2022 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -17,22 +17,26 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from .appliers.file_cp import Files_cp, Execution_check
from .applier_frontend import (
applier_frontend
, check_enabled
)
from util.logging import log
from .applier_frontend import applier_frontend, check_enabled
from .appliers.file_cp import Execution_check, Files_cp
class file_applier(applier_frontend):
__module_name = 'FilesApplier'
__module_experimental = False
__module_enabled = True
__module_experimental = True
__module_enabled = False
def __init__(self, storage, file_cache):
def __init__(self, storage, file_cache, sid):
self.storage = storage
self.exe_check = Execution_check(storage)
self.sid = sid
self.file_cache = file_cache
self.files = self.storage.get_files()
self.files = self.storage.get_files(self.sid)
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
def run(self):
@@ -48,15 +52,16 @@ class file_applier(applier_frontend):
class file_applier_user(applier_frontend):
__module_name = 'FilesApplierUser'
__module_experimental = False
__module_enabled = True
__module_experimental = True
__module_enabled = False
def __init__(self, storage, file_cache, username):
def __init__(self, storage, file_cache, sid, username):
self.storage = storage
self.file_cache = file_cache
self.sid = sid
self.username = username
self.exe_check = Execution_check(storage)
self.files = self.storage.get_files()
self.files = self.storage.get_files(self.sid)
self.__module_enabled = check_enabled(
self.storage
, self.__module_name

165
gpoa/frontend/firefox_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -28,46 +28,117 @@
import json
import os
from .applier_frontend import (
applier_frontend
, check_enabled
)
from util.logging import log
from util.util import is_machine_name, try_dict_to_literal_eval
from .applier_frontend import applier_frontend, check_enabled
from util.util import is_machine_name
class firefox_applier(applier_frontend):
__module_name = 'FirefoxApplier'
__module_experimental = False
__module_enabled = True
__registry_branch = 'Software/Policies/Mozilla/Firefox'
__firefox_policies = '/etc/firefox/policies'
__firefox_installdir1 = '/usr/lib64/firefox/distribution'
__firefox_installdir2 = '/etc/firefox/policies'
def __init__(self, storage, username):
def __init__(self, storage, sid, username):
self.storage = storage
self.sid = sid
self.username = username
self._is_machine_name = is_machine_name(self.username)
self.policies = {}
self.policies_json = {'policies': self.policies}
self.firefox_keys = self.storage.filter_hklm_entries(self.__registry_branch)
self.policies_gen = {}
self.policies = dict()
self.policies_json = dict({ 'policies': self.policies })
firefox_filter = '{}%'.format(self.__registry_branch)
self.firefox_keys = self.storage.filter_hklm_entries(firefox_filter)
self.policies_gen = dict()
self.__module_enabled = check_enabled(
self.storage
, self.__module_name
, self.__module_experimental
)
def get_boolean(self,data):
if data in ['0', 'false', None, 'none', 0]:
return False
if data in ['1', 'true', 1]:
return True
def get_parts(self, hivekeyname):
'''
Parse registry path string and leave key parameters
'''
parts = hivekeyname.replace(self.__registry_branch, '').split('/')
return parts
def create_dict(self, firefox_keys):
'''
Collect dictionaries from registry keys into a general dictionary
'''
excp = ['SOCKSVersion']
counts = dict()
for it_data in firefox_keys:
branch = counts
try:
if type(it_data.data) is bytes:
it_data.data = it_data.data.decode(encoding='utf-16').replace('\x00','')
#Cases when it is necessary to create nested dictionaries
if it_data.valuename != it_data.data:
parts = self.get_parts(it_data.hive_key)
#creating a nested dictionary from elements
for part in parts[:-1]:
branch = branch.setdefault(part, {})
#dictionary key value initialization
if it_data.type == 4:
if it_data.valuename in excp:
branch[parts[-1]] = int(it_data.data)
else:
branch[parts[-1]] = self.get_boolean(it_data.data)
else:
branch[parts[-1]] = str(it_data.data).replace('\\', '/')
#Cases when it is necessary to create lists in a dictionary
else:
parts = self.get_parts(it_data.keyname)
for part in parts[:-1]:
branch = branch.setdefault(part, {})
if branch.get(parts[-1]) is None:
branch[parts[-1]] = list()
if it_data.type == 4:
branch[parts[-1]].append(self.get_boolean(it_data.data))
else:
if os.path.isdir(str(it_data.data).replace('\\', '/')):
branch[parts[-1]].append(str(it_data.data).replace('\\', '/'))
else:
branch[parts[-1]].append(str(it_data.data))
except Exception as exc:
logdata = dict()
logdata['Exception'] = exc
logdata['keyname'] = it_data.keyname
log('W14', logdata)
self.policies_json = {'policies': dict_item_to_list(counts)}
def machine_apply(self):
'''
Write policies.json to Firefox.
Write policies.json to Firefox installdir.
'''
excp = ['SOCKSVersion']
self.policies_json = create_dict(self.firefox_keys, self.__registry_branch, excp)
self.create_dict(self.firefox_keys)
destfile = os.path.join(self.__firefox_installdir1, 'policies.json')
destfile = os.path.join(self.__firefox_policies, 'policies.json')
os.makedirs(self.__firefox_policies, exist_ok=True)
os.makedirs(self.__firefox_installdir1, exist_ok=True)
with open(destfile, 'w') as f:
json.dump(self.policies_json, f)
logdata = {'destfile': destfile}
logdata = dict()
logdata['destfile'] = destfile
log('D91', logdata)
destfile = os.path.join(self.__firefox_installdir2, 'policies.json')
os.makedirs(self.__firefox_installdir2, exist_ok=True)
with open(destfile, 'w') as f:
json.dump(self.policies_json, f)
logdata = dict()
logdata['destfile'] = destfile
log('D91', logdata)
def apply(self):
@@ -103,63 +174,3 @@ def dict_item_to_list(dictionary:dict) -> dict:
else:
dict_item_to_list(dictionary[key])
return dictionary
def clean_data_firefox(data):
return data.replace("'", '\"')
def create_dict(firefox_keys, registry_branch, excp=[]):
'''
Collect dictionaries from registry keys into a general dictionary
'''
get_boolean = lambda data: data in ['1', 'true', 'True', True, 1] if isinstance(data, (str, int)) else False
get_parts = lambda hivekey, registry: hivekey.replace(registry, '').split('/')
counts = {}
for it_data in firefox_keys:
branch = counts
try:
if type(it_data.data) is bytes:
it_data.data = it_data.data.decode(encoding='utf-16').replace('\x00','')
json_data = try_dict_to_literal_eval(it_data.data)
if json_data:
it_data.data = json_data
it_data.type = 7
else:
if it_data.type == 1:
it_data.data = clean_data_firefox(it_data.data)
#Cases when it is necessary to create nested dictionaries
if it_data.valuename != it_data.data:
parts = get_parts(it_data.hive_key, registry_branch)
#creating a nested dictionary from elements
for part in parts[:-1]:
branch = branch.setdefault(part, {})
#dictionary key value initialization
if it_data.type == 4:
if it_data.valuename in excp:
branch[parts[-1]] = int(it_data.data)
else:
branch[parts[-1]] = get_boolean(it_data.data)
elif it_data.type == 7:
branch[parts[-1]] = it_data.data
else:
branch[parts[-1]] = str(it_data.data).replace('\\', '/')
#Cases when it is necessary to create lists in a dictionary
else:
parts = get_parts(it_data.keyname, registry_branch)
for part in parts[:-1]:
branch = branch.setdefault(part, {})
if branch.get(parts[-1]) is None:
branch[parts[-1]] = []
if it_data.type == 4:
branch[parts[-1]].append(get_boolean(it_data.data))
else:
if os.path.isdir(str(it_data.data).replace('\\', '/')):
branch[parts[-1]].append(str(it_data.data).replace('\\', '/'))
else:
branch[parts[-1]].append(str(it_data.data))
except Exception as exc:
logdata = {'Exception': exc, 'keyname': it_data.keyname}
log('W14', logdata)
return {'policies': dict_item_to_list(counts)}

17
gpoa/frontend/firewall_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -17,15 +17,16 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import logging
import subprocess
from util.logging import log
from .applier_frontend import applier_frontend, check_enabled
from util.logging import slogm, log
from .applier_frontend import (
applier_frontend
, check_enabled
)
from .appliers.firewall_rule import FirewallRule
class firewall_applier(applier_frontend):
__module_name = 'FirewallApplier'
__module_experimental = True
@@ -33,7 +34,6 @@ class firewall_applier(applier_frontend):
__firewall_branch = 'SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\FirewallRules'
__firewall_switch = 'SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\EnableFirewall'
__firewall_reset_cmd = ['/usr/bin/alterator-net-iptables', 'reset']
__firewall_reset_cmd_path = '/usr/bin/alterator-net-iptables'
def __init__(self, storage):
self.storage = storage
@@ -51,9 +51,6 @@ class firewall_applier(applier_frontend):
rule.apply()
def apply(self):
if not os.path.exists(self.__firewall_reset_cmd_path):
log('D120', {'not_found_cmd': self.__firewall_reset_cmd_path})
return
if self.__module_enabled:
log('D117')
if '1' == self.firewall_enabled:

25
gpoa/frontend/folder_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,24 +16,26 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from pathlib import Path
import re
from .applier_frontend import (
applier_frontend
, check_enabled
)
from .appliers.folder import Folder
from util.logging import log
from util.windows import expand_windows_var
from .applier_frontend import applier_frontend, check_enabled
from .appliers.folder import Folder
import re
class folder_applier(applier_frontend):
__module_name = 'FoldersApplier'
__module_experimental = False
__module_enabled = True
def __init__(self, storage):
def __init__(self, storage, sid):
self.storage = storage
self.folders = self.storage.get_folders()
self.sid = sid
self.folders = self.storage.get_folders(self.sid)
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
def apply(self):
@@ -56,10 +58,11 @@ class folder_applier_user(applier_frontend):
__module_experimental = False
__module_enabled = True
def __init__(self, storage, username):
def __init__(self, storage, sid, username):
self.storage = storage
self.sid = sid
self.username = username
self.folders = self.storage.get_folders()
self.folders = self.storage.get_folders(self.sid)
self.__module_enabled = check_enabled(
self.storage
, self.__module_name

170
gpoa/frontend/frontend_manager.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -18,37 +18,73 @@
from storage import registry_factory
from storage.fs_file_cache import fs_file_cache
from util.logging import log
from util.system import with_privileges
from util.users import (
get_process_user,
is_root,
username_match_uid,
from .control_applier import control_applier
from .polkit_applier import (
polkit_applier
, polkit_applier_user
)
from .systemd_applier import systemd_applier
from .firefox_applier import firefox_applier
from .chromium_applier import chromium_applier
from .cups_applier import cups_applier
from .package_applier import (
package_applier
, package_applier_user
)
from .shortcut_applier import (
shortcut_applier,
shortcut_applier_user
)
from .gsettings_applier import (
gsettings_applier,
gsettings_applier_user
)
from .firewall_applier import firewall_applier
from .folder_applier import (
folder_applier
, folder_applier_user
)
from .cifs_applier import (
cifs_applier_user
, cifs_applier)
from .ntp_applier import ntp_applier
from .envvar_applier import (
envvar_applier
, envvar_applier_user
)
from .scripts_applier import (
scripts_applier
, scripts_applier_user
)
from .file_applier import (
file_applier
, file_applier_user
)
from .ini_applier import (
ini_applier
, ini_applier_user
)
from .kde_applier import (
kde_applier
, kde_applier_user
)
from .chromium_applier import chromium_applier
from .cifs_applier import cifs_applier, cifs_applier_user
from .control_applier import control_applier
from .cups_applier import cups_applier
from .envvar_applier import envvar_applier, envvar_applier_user
from .file_applier import file_applier, file_applier_user
from .firefox_applier import firefox_applier
from .firewall_applier import firewall_applier
from .folder_applier import folder_applier, folder_applier_user
from .gsettings_applier import gsettings_applier, gsettings_applier_user
from .ini_applier import ini_applier, ini_applier_user
from .kde_applier import kde_applier, kde_applier_user
from .laps_applier import laps_applier
from .networkshare_applier import networkshare_applier
from .ntp_applier import ntp_applier
from .package_applier import package_applier, package_applier_user
from .polkit_applier import polkit_applier, polkit_applier_user
from .scripts_applier import scripts_applier, scripts_applier_user
from .shortcut_applier import shortcut_applier, shortcut_applier_user
from .systemd_applier import systemd_applier
from .thunderbird_applier import thunderbird_applier
from .yandex_browser_applier import yandex_browser_applier
from util.sid import get_sid
from util.users import (
is_root,
get_process_user,
username_match_uid,
)
from util.logging import log
from util.system import with_privileges
def determine_username(username=None):
'''
@@ -59,15 +95,16 @@ def determine_username(username=None):
# If username is not set then it will be the name
# of process owner.
logdata = {'username': name}
if not username:
name = get_process_user()
logdata = dict({'username': name})
log('D2', logdata)
if not username_match_uid(name):
if not is_root():
raise Exception('Current process UID does not match specified username')
logdata = dict({'username': name})
log('D15', logdata)
return name
@@ -79,7 +116,9 @@ def apply_user_context(user_appliers):
try:
applier_object.user_context_apply()
except Exception as exc:
logdata = {'applier': applier_name, 'exception': str(exc)}
logdata = dict()
logdata['applier'] = applier_name
logdata['exception'] = str(exc)
log('E20', logdata)
class frontend_manager:
@@ -93,6 +132,7 @@ class frontend_manager:
self.storage = registry_factory('dconf', username=self.username)
self.is_machine = is_machine
self.process_uname = get_process_user()
self.sid = get_sid(self.storage.get_info('domain'), self.username, is_machine)
self.file_cache = fs_file_cache('file_cache', self.username)
self.machine_appliers = dict()
@@ -103,52 +143,54 @@ class frontend_manager:
self._init_user_appliers()
def _init_machine_appliers(self):
self.machine_appliers['laps_applier'] = laps_applier(self.storage)
self.machine_appliers['control'] = control_applier(self.storage)
self.machine_appliers['polkit'] = polkit_applier(self.storage)
self.machine_appliers['systemd'] = systemd_applier(self.storage)
self.machine_appliers['firefox'] = firefox_applier(self.storage, self.username)
self.machine_appliers['thunderbird'] = thunderbird_applier(self.storage, self.username)
self.machine_appliers['chromium'] = chromium_applier(self.storage, self.username)
self.machine_appliers['yandex_browser'] = yandex_browser_applier(self.storage, self.username)
self.machine_appliers['firefox'] = firefox_applier(self.storage, self.sid, self.username)
self.machine_appliers['chromium'] = chromium_applier(self.storage, self.sid, self.username)
self.machine_appliers['yandex_browser'] = yandex_browser_applier(self.storage, self.sid, self.username)
self.machine_appliers['shortcuts'] = shortcut_applier(self.storage)
self.machine_appliers['gsettings'] = gsettings_applier(self.storage, self.file_cache)
try:
self.machine_appliers['cifs'] = cifs_applier(self.storage)
self.machine_appliers['cifs'] = cifs_applier(self.storage, self.sid)
except Exception as exc:
logdata = {'applier_name': 'cifs', 'msg': str(exc)}
logdata = dict()
logdata['applier_name'] = 'cifs'
logdata['msg'] = str(exc)
log('E24', logdata)
self.machine_appliers['cups'] = cups_applier(self.storage)
self.machine_appliers['firewall'] = firewall_applier(self.storage)
self.machine_appliers['folders'] = folder_applier(self.storage)
self.machine_appliers['ntp'] = ntp_applier(self.storage)
self.machine_appliers['envvar'] = envvar_applier(self.storage)
self.machine_appliers['networkshare'] = networkshare_applier(self.storage)
self.machine_appliers['scripts'] = scripts_applier(self.storage)
self.machine_appliers['files'] = file_applier(self.storage, self.file_cache)
self.machine_appliers['ini'] = ini_applier(self.storage)
self.machine_appliers['kde'] = kde_applier(self.storage)
self.machine_appliers['folders'] = folder_applier(self.storage, self.sid)
self.machine_appliers['package'] = package_applier(self.storage)
self.machine_appliers['ntp'] = ntp_applier(self.storage)
self.machine_appliers['envvar'] = envvar_applier(self.storage, self.sid)
self.machine_appliers['networkshare'] = networkshare_applier(self.storage, self.sid)
self.machine_appliers['scripts'] = scripts_applier(self.storage, self.sid)
self.machine_appliers['files'] = file_applier(self.storage, self.file_cache, self.sid)
self.machine_appliers['ini'] = ini_applier(self.storage, self.sid)
self.machine_appliers['kde'] = kde_applier(self.storage)
def _init_user_appliers(self):
# User appliers are expected to work with user-writable
# files and settings, mostly in $HOME.
self.user_appliers['shortcuts'] = shortcut_applier_user(self.storage, self.username)
self.user_appliers['folders'] = folder_applier_user(self.storage, self.username)
self.user_appliers['gsettings'] = gsettings_applier_user(self.storage, self.file_cache, self.username)
self.user_appliers['shortcuts'] = shortcut_applier_user(self.storage, self.sid, self.username)
self.user_appliers['folders'] = folder_applier_user(self.storage, self.sid, self.username)
self.user_appliers['gsettings'] = gsettings_applier_user(self.storage, self.file_cache, self.sid, self.username)
try:
self.user_appliers['cifs'] = cifs_applier_user(self.storage, self.username)
self.user_appliers['cifs'] = cifs_applier_user(self.storage, self.sid, self.username)
except Exception as exc:
logdata = {'applier_name': 'cifs', 'msg': str(exc)}
logdata = dict()
logdata['applier_name'] = 'cifs'
logdata['msg'] = str(exc)
log('E25', logdata)
self.user_appliers['polkit'] = polkit_applier_user(self.storage, self.username)
self.user_appliers['envvar'] = envvar_applier_user(self.storage, self.username)
self.user_appliers['networkshare'] = networkshare_applier(self.storage, self.username)
self.user_appliers['scripts'] = scripts_applier_user(self.storage, self.username)
self.user_appliers['files'] = file_applier_user(self.storage, self.file_cache, self.username)
self.user_appliers['ini'] = ini_applier_user(self.storage, self.username)
self.user_appliers['kde'] = kde_applier_user(self.storage, self.username, self.file_cache)
self.user_appliers['package'] = package_applier_user(self.storage, self.username)
self.user_appliers['package'] = package_applier_user(self.storage, self.sid, self.username)
self.user_appliers['polkit'] = polkit_applier_user(self.storage, self.sid, self.username)
self.user_appliers['envvar'] = envvar_applier_user(self.storage, self.sid, self.username)
self.user_appliers['networkshare'] = networkshare_applier(self.storage, self.sid, self.username)
self.user_appliers['scripts'] = scripts_applier_user(self.storage, self.sid, self.username)
self.user_appliers['files'] = file_applier_user(self.storage, self.file_cache, self.sid, self.username)
self.user_appliers['ini'] = ini_applier_user(self.storage, self.sid, self.username)
self.user_appliers['kde'] = kde_applier_user(self.storage, self.sid, self.username, self.file_cache)
def machine_apply(self):
'''
@@ -163,7 +205,9 @@ class frontend_manager:
try:
applier_object.apply()
except Exception as exc:
logdata = {'applier_name': applier_name, 'msg': str(exc)}
logdata = dict()
logdata['applier_name'] = applier_name
logdata['msg'] = str(exc)
log('E24', logdata)
def user_apply(self):
@@ -175,20 +219,24 @@ class frontend_manager:
try:
applier_object.admin_context_apply()
except Exception as exc:
logdata = {'applier': applier_name, 'exception': str(exc)}
logdata = dict()
logdata['applier'] = applier_name
logdata['exception'] = str(exc)
log('E19', logdata)
try:
with_privileges(self.username, lambda: apply_user_context(self.user_appliers))
except Exception as exc:
logdata = {'username': self.username, 'exception': str(exc)}
logdata = dict()
logdata['username'] = self.username
logdata['exception'] = str(exc)
log('E30', logdata)
else:
for applier_name, applier_object in self.user_appliers.items():
try:
applier_object.user_context_apply()
except Exception as exc:
logdata = {'applier_name': applier_name, 'message': str(exc)}
logdata = dict({'applier_name': applier_name, 'message': str(exc)})
log('E11', logdata)
def apply_parameters(self):

68
gpoa/frontend/gsettings_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2021 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,33 +16,38 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from util.exceptions import NotUNCPathError
import os
import pwd
import subprocess
from gi.repository import Gio
from storage.dconf_registry import Dconf_registry
from util.exceptions import NotUNCPathError
from util.logging import log
from gi.repository import (
Gio
, GLib
)
from .applier_frontend import (
applier_frontend,
check_enabled,
check_windows_mapping_enabled,
applier_frontend
, check_enabled
, check_windows_mapping_enabled
)
from .appliers.gsettings import system_gsettings, user_gsettings
from .appliers.gsettings import (
system_gsettings,
user_gsettings
)
from util.logging import slogm ,log
def uri_fetch(schema, path, value, cache):
'''
Function to fetch and cache uri
'''
retval = value
logdata = {'schema': schema, 'path': path, 'src': value}
logdata = dict()
logdata['schema'] = schema
logdata['path'] = path
logdata['src'] = value
try:
retval = cache.get(value)
if not retval:
retval = ''
logdata['dst'] = retval
log('D90', logdata)
except Exception as exc:
@@ -73,7 +78,7 @@ class gsettings_applier(applier_frontend):
self.override_file = os.path.join(self.__global_schema, self.__override_priority_file)
self.override_old_file = os.path.join(self.__global_schema, self.__override_old_file)
self.gsettings = system_gsettings(self.override_file)
self.locks = {}
self.locks = dict()
self.__module_enabled = check_enabled(
self.storage
, self.__module_name
@@ -84,7 +89,8 @@ class gsettings_applier(applier_frontend):
try:
self.file_cache.store(data)
except Exception as exc:
logdata = {'exception': str(exc)}
logdata = dict()
logdata['exception'] = str(exc)
log('D145', logdata)
def uri_fetch_helper(self, schema, path, value):
@@ -131,7 +137,10 @@ class gsettings_applier(applier_frontend):
log('E48')
# Update desktop configuration system backend
Dconf_registry.dconf_update()
try:
proc = subprocess.run(args=['/usr/bin/dconf', "update"], capture_output=True, check=True)
except Exception as exc:
log('E49')
def apply(self):
if self.__module_enabled:
@@ -152,9 +161,10 @@ class GSettingsMapping:
self.gsettings_schema_key = self.schema.get_key(self.gsettings_key)
self.gsettings_type = self.gsettings_schema_key.get_value_type()
except Exception as exc:
logdata = {'hive_key': self.hive_key,
'gsettings_schema': self.gsettings_schema,
'gsettings_key': self.gsettings_key}
logdata = dict()
logdata['hive_key'] = self.hive_key
logdata['gsettings_schema'] = self.gsettings_schema
logdata['gsettings_key'] = self.gsettings_key
log('W6', logdata)
def preg2gsettings(self):
@@ -178,18 +188,19 @@ class gsettings_applier_user(applier_frontend):
__wallpaper_entry = 'Software/BaseALT/Policies/gsettings/org.mate.background.picture-filename'
__vino_authentication_methods_entry = 'Software/BaseALT/Policies/gsettings/org.gnome.Vino.authentication-methods'
def __init__(self, storage, file_cache, username):
def __init__(self, storage, file_cache, sid, username):
self.storage = storage
self.file_cache = file_cache
self.sid = sid
self.username = username
gsettings_filter = '{}%'.format(self.__registry_branch)
self.gsettings_keys = self.storage.filter_hkcu_entries(gsettings_filter)
self.gsettings_keys = self.storage.filter_hkcu_entries(self.sid, gsettings_filter)
self.gsettings = user_gsettings()
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
self.__windows_mapping_enabled = check_windows_mapping_enabled(self.storage)
self.__windows_settings = {}
self.windows_settings = []
self.__windows_settings = dict()
self.windows_settings = list()
mapping = [
# Disable or enable screen saver
GSettingsMapping(
@@ -224,9 +235,11 @@ class gsettings_applier_user(applier_frontend):
def windows_mapping_append(self):
for setting_key in self.__windows_settings.keys():
value = self.storage.get_hkcu_entry(setting_key)
value = self.storage.get_hkcu_entry(self.sid, setting_key)
if value:
logdata = {'setting_key': setting_key, 'value.data': value.data}
logdata = dict()
logdata['setting_key'] = setting_key
logdata['value.data'] = value.data
log('D86', logdata)
mapping = self.__windows_settings[setting_key]
try:
@@ -270,13 +283,14 @@ class gsettings_applier_user(applier_frontend):
# Cache files on remote locations
try:
entry = self.__wallpaper_entry
filter_result = self.storage.get_hkcu_entry(entry)
filter_result = self.storage.get_hkcu_entry(self.sid, entry)
if filter_result and filter_result.data:
self.file_cache.store(filter_result.data)
except NotUNCPathError:
...
except Exception as exc:
logdata = {'exception': str(exc)}
logdata = dict()
logdata['exception'] = str(exc)
log('E50', logdata)

30
gpoa/frontend/ini_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2022 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,21 +16,24 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from pathlib import Path
from util.logging import log
from .applier_frontend import applier_frontend, check_enabled
from .appliers.ini_file import Ini_file
from .applier_frontend import (
applier_frontend
, check_enabled
)
from util.logging import log
class ini_applier(applier_frontend):
__module_name = 'InifilesApplier'
__module_experimental = False
__module_enabled = True
__module_experimental = True
__module_enabled = False
def __init__(self, storage):
def __init__(self, storage, sid):
self.storage = storage
self.inifiles_info = self.storage.get_ini()
self.sid = sid
self.inifiles_info = self.storage.get_ini(self.sid)
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
def run(self):
@@ -46,13 +49,14 @@ class ini_applier(applier_frontend):
class ini_applier_user(applier_frontend):
__module_name = 'InifilesApplierUser'
__module_experimental = False
__module_enabled = True
__module_experimental = True
__module_enabled = False
def __init__(self, storage, username):
def __init__(self, storage, sid, username):
self.sid = sid
self.username = username
self.storage = storage
self.inifiles_info = self.storage.get_ini()
self.inifiles_info = self.storage.get_ini(self.sid)
self.__module_enabled = check_enabled(
self.storage
, self.__module_name

252
gpoa/frontend/kde_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2023 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,25 +16,21 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import re
import shutil
import subprocess
import dbus
from util.exceptions import NotUNCPathError
from .applier_frontend import applier_frontend, check_enabled
from util.logging import log
from util.util import get_homedir
from .applier_frontend import applier_frontend, check_enabled
from util.exceptions import NotUNCPathError
import os
import subprocess
import re
import dbus
class kde_applier(applier_frontend):
__module_name = 'KdeApplier'
__module_experimental = True
__module_enabled = False
__hklm_branch = 'Software/BaseALT/Policies/KDE/'
__hklm_lock_branch = 'Software/BaseALT/Policies/KDELocks/'
__hklm_branch = 'Software\\BaseALT\\Policies\\KDE\\'
__hklm_lock_branch = 'Software\\BaseALT\\Policies\\KDELocks\\'
def __init__(self, storage):
self.storage = storage
@@ -65,25 +61,21 @@ class kde_applier_user(applier_frontend):
__module_name = 'KdeApplierUser'
__module_experimental = True
__module_enabled = False
kde_version = None
__hkcu_branch = 'Software/BaseALT/Policies/KDE'
__hkcu_lock_branch = 'Software/BaseALT/Policies/KDELocks'
__plasma_update_entry = 'Software/BaseALT/Policies/KDE/Plasma/Update'
__hkcu_branch = 'Software\\BaseALT\\Policies\\KDE\\'
__hkcu_lock_branch = 'Software\\BaseALT\\Policies\\KDELocks\\'
def __init__(self, storage, username=None, file_cache = None):
def __init__(self, storage, sid=None, username=None, file_cache = None):
self.storage = storage
self.username = username
self.sid = sid
self.file_cache = file_cache
self.locks_dict = {}
self.locks_data_dict = {}
self.all_kde_settings = {}
kde_applier_user.kde_version = get_kde_version()
kde_filter = '{}%'.format(self.__hkcu_branch)
locks_filter = '{}%'.format(self.__hkcu_lock_branch)
self.locks_settings = self.storage.filter_hkcu_entries(locks_filter)
self.plasma_update = self.storage.get_entry(self.__plasma_update_entry)
self.plasma_update_flag = self.plasma_update.data if self.plasma_update is not None else 0
self.kde_settings = self.storage.filter_hkcu_entries(kde_filter)
self.locks_settings = self.storage.filter_hkcu_entries(self.sid, locks_filter)
self.kde_settings = self.storage.filter_hkcu_entries(self.sid, kde_filter)
self.__module_enabled = check_enabled(
self.storage,
self.__module_name,
@@ -91,15 +83,7 @@ class kde_applier_user(applier_frontend):
)
def admin_context_apply(self):
try:
for setting in self.kde_settings:
file_name = setting.keyname.split("/")[-2]
if file_name == 'wallpaper':
data = setting.data
break
self.file_cache.store(data)
except Exception as exc:
logdata = {'exc': exc}
pass
def user_context_apply(self):
'''
@@ -107,43 +91,12 @@ class kde_applier_user(applier_frontend):
'''
if self.__module_enabled:
log('D200')
create_dict(self.kde_settings, self.all_kde_settings, self.locks_settings, self.locks_dict, self.file_cache, self.username, self.plasma_update_flag)
create_dict(self.kde_settings, self.all_kde_settings, self.locks_settings, self.locks_dict, self.file_cache, self.username)
apply(self.all_kde_settings, self.locks_dict, self.username)
else:
log('D201')
dbus_methods_mapping = {
'kscreenlockerrc': {
'dbus_service': 'org.kde.screensaver',
'dbus_path': '/ScreenSaver',
'dbus_interface': 'org.kde.screensaver',
'dbus_method': 'configure'
},
'wallpaper': {
'dbus_service': 'org.freedesktop.systemd1',
'dbus_path': '/org/freedesktop/systemd1',
'dbus_interface': 'org.freedesktop.systemd1.Manager',
'dbus_method': 'RestartUnit',
'dbus_args': ['plasma-plasmashell.service', 'replace']
}
}
def get_kde_version():
try:
kinfo_path = shutil.which("kinfo", path="/usr/lib/kf5/bin:/usr/bin")
if not kinfo_path:
raise FileNotFoundError("Unable to find kinfo")
output = subprocess.check_output([kinfo_path], text=True, env={'LANG':'C'})
for line in output.splitlines():
if "KDE Frameworks Version" in line:
frameworks_version = line.split(":", 1)[1].strip()
major_frameworks_version = int(frameworks_version.split(".")[0])
return major_frameworks_version
except:
return None
def create_dict(kde_settings, all_kde_settings, locks_settings, locks_dict, file_cache = None, username = None, plasmaupdate = False):
def create_dict(kde_settings, all_kde_settings, locks_settings, locks_dict, file_cache = None, username = None):
for locks in locks_settings:
locks_dict[locks.valuename] = locks.data
for setting in kde_settings:
@@ -151,51 +104,41 @@ def create_dict(kde_settings, all_kde_settings, locks_settings, locks_dict, file
file_name, section, value = setting.keyname.split("/")[-2], setting.keyname.split("/")[-1], setting.valuename
data = setting.data
if file_name == 'wallpaper':
apply_for_wallpaper(data, file_cache, username, plasmaupdate)
apply_for_wallpaper(data, file_cache, username)
else:
all_kde_settings.setdefault(file_name, {}).setdefault(section, {})[value] = data
if file_name not in all_kde_settings:
all_kde_settings[file_name] = {}
if section not in all_kde_settings[file_name]:
all_kde_settings[file_name][section] = {}
all_kde_settings[file_name][section][value] = data
except Exception as exc:
logdata = {'file_name': file_name,
'section': section,
'value': value,
'data': data,
'exc': exc}
logdata = dict()
logdata['file_name'] = file_name
logdata['section'] = section
logdata['value'] = value
logdata['data'] = data
logdata['exc'] = exc
log('W16', logdata)
def apply(all_kde_settings, locks_dict, username = None):
logdata = {}
modified_files = set()
logdata = dict()
if username is None:
system_path_settings = '/etc/xdg/'
system_files = [
"baloofilerc",
"kcminputrc",
"kded_device_automounterrc",
"kdeglobals",
"ksplashrc",
"kwinrc",
"plasma-localerc",
"plasmarc",
"powermanagementprofilesrc"
]
for file in system_files:
file_to_remove = f'{system_path_settings}{file}'
if os.path.exists(file_to_remove):
os.remove(file_to_remove)
for file_name, sections in all_kde_settings.items():
file_path = f'{system_path_settings}{file_name}'
file_path = f'/etc/xdg/{file_name}'
if os.path.exists(file_path):
os.remove(file_path)
with open(file_path, 'w') as file:
for section, keys in sections.items():
section = section.replace(')(', '][')
file.write(f'[{section}]\n')
for key, value in keys.items():
lock = f"{file_name}.{section}.{key}".replace('][', ')(')
if locks_dict.get(lock) == 1:
if lock in locks_dict and locks_dict[lock] == 1:
file.write(f'{key}[$i]={value}\n')
else:
file.write(f'{key}={value}\n')
file.write('\n')
modified_files.add(file_name)
else:
for file_name, sections in all_kde_settings.items():
path = f'{get_homedir(username)}/.config/{file_name}'
@@ -205,11 +148,10 @@ def apply(all_kde_settings, locks_dict, username = None):
pass
for section, keys in sections.items():
for key, value in keys.items():
value = str(value)
lock = f"{file_name}.{section}.{key}"
if lock in locks_dict and locks_dict[lock] == 1:
command = [
f'kwriteconfig{kde_applier_user.kde_version}',
'kwriteconfig5',
'--file', file_name,
'--group', section,
'--key', key +'/$i/',
@@ -218,7 +160,7 @@ def apply(all_kde_settings, locks_dict, username = None):
]
else:
command = [
f'kwriteconfig{kde_applier_user.kde_version}',
'kwriteconfig5',
'--file', file_name,
'--group', section,
'--key', key,
@@ -227,11 +169,9 @@ def apply(all_kde_settings, locks_dict, username = None):
]
try:
clear_locks_settings(username, file_name, key)
env_path = dict(os.environ)
env_path["PATH"] = "/usr/lib/kf5/bin:/usr/bin"
subprocess.run(command, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env_path)
subprocess.run(command, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
except:
logdata = {'command': command}
logdata['command'] = command
log('W22', logdata)
new_content = []
file_path = f'{get_homedir(username)}/.config/{file_name}'
@@ -247,9 +187,6 @@ def apply(all_kde_settings, locks_dict, username = None):
except Exception as exc:
logdata['exc'] = exc
log('W19', logdata)
modified_files.add(file_name)
for file_name in modified_files:
call_dbus_method(file_name)
def clear_locks_settings(username, file_name, key):
'''
@@ -264,71 +201,64 @@ def clear_locks_settings(username, file_name, key):
file.write(line)
for line in lines:
if f'{key}[$i]=' in line:
logdata = {'line': line.strip()}
logdata = dict()
logdata['line'] = line.strip()
log('I10', logdata)
def apply_for_wallpaper(data, file_cache, username, plasmaupdate):
def apply_for_wallpaper(data, file_cache, username):
'''
Method to change wallpaper
'''
logdata = {}
logdata = dict()
path_to_wallpaper = f'{get_homedir(username)}/.config/plasma-org.kde.plasma.desktop-appletsrc'
id_desktop = get_id_desktop(path_to_wallpaper)
try:
try:
data = str(file_cache.get(data))
file_cache.store(data)
data = file_cache.get(data)
except NotUNCPathError:
data = str(data)
with open(path_to_wallpaper, 'r') as file:
current_wallpaper = file.read()
match = re.search(rf'\[Containments\]\[{id_desktop}\]\[Wallpaper\]\[org\.kde\.image\]\[General\]\s+Image=(.*)', current_wallpaper)
if match:
current_wallpaper_path = match.group(1)
flag = (current_wallpaper_path == data)
else:
flag = False
os.environ["LANGUAGE"] = os.environ["LANG"].split(".")[0]
data = data
os.environ["XDG_DATA_DIRS"] = "/usr/share/kf5:"
#Variable for system detection of directories before files with .colors extension
os.environ["DISPLAY"] = ":0"
#Variable for command execution plasma-apply-colorscheme
os.environ["XDG_RUNTIME_DIR"] = f"/run/user/{os.getuid()}"
os.environ["PATH"] = "/usr/lib/kf5/bin:"
os.environ["DBUS_SESSION_BUS_ADDRESS"] = f"unix:path=/run/user/{os.getuid()}/bus"#plasma-apply-wallpaperimage
env_path = dict(os.environ)
env_path["PATH"] = "/usr/lib/kf5/bin:/usr/bin"
os.environ["PATH"] = "/usr/lib/kf5/bin:"
#environment variable for accessing binary files without hard links
if not flag:
if os.path.isfile(path_to_wallpaper):
command = [
f'kwriteconfig{kde_applier_user.kde_version}',
'--file', 'plasma-org.kde.plasma.desktop-appletsrc',
'--group', 'Containments',
'--group', id_desktop,
'--group', 'Wallpaper',
'--group', 'org.kde.image',
'--group', 'General',
'--key', 'Image',
'--type', 'string',
data
]
try:
subprocess.run(command, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env_path)
except:
logdata = {'command': command}
log('E68', logdata)
if plasmaupdate == 1:
call_dbus_method("wallpaper")
if os.path.isfile(path_to_wallpaper):
id_desktop = get_id_desktop(path_to_wallpaper)
command = [
'kwriteconfig5',
'--file', 'plasma-org.kde.plasma.desktop-appletsrc',
'--group', 'Containments',
'--group', id_desktop,
'--group', 'Wallpaper',
'--group', 'org.kde.image',
'--group', 'General',
'--key', 'Image',
'--type', 'string',
data
]
try:
subprocess.run(command, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
except:
logdata['command'] = command
log('E68', logdata)
try:
session_bus = dbus.SessionBus()
plasma_shell = session_bus.get_object('org.kde.plasmashell', '/PlasmaShell', introspect='org.kde.PlasmaShell')
plasma_shell_iface = dbus.Interface(plasma_shell, 'org.kde.PlasmaShell')
plasma_shell_iface.refreshCurrentShell()
except:
pass
else:
logdata = {'file': path_to_wallpaper}
logdata['file'] = path_to_wallpaper
log('W21', logdata)
except OSError as exc:
logdata = {'exc': exc}
logdata['exc'] = exc
log('W17', logdata)
except Exception as exc:
logdata = {'exc': exc}
logdata['exc'] = exc
log('E67', logdata)
def get_id_desktop(path_to_wallpaper):
@@ -340,27 +270,9 @@ def get_id_desktop(path_to_wallpaper):
with open(path_to_wallpaper, 'r') as file:
file_content = file.read()
match = re.search(pattern, file_content)
return match.group(1) if match else None
if match:
return match.group(1)
else:
return None
except:
return None
def call_dbus_method(file_name):
'''
Method to call D-Bus method based on the file name
'''
os.environ["DBUS_SESSION_BUS_ADDRESS"] = f"unix:path=/run/user/{os.getuid()}/bus"
if file_name in dbus_methods_mapping:
config = dbus_methods_mapping[file_name]
try:
session_bus = dbus.SessionBus()
dbus_object = session_bus.get_object(config['dbus_service'], config['dbus_path'])
dbus_iface = dbus.Interface(dbus_object, config['dbus_interface'])
if 'dbus_args' in config:
getattr(dbus_iface, config['dbus_method'])(*config['dbus_args'])
else:
getattr(dbus_iface, config['dbus_method'])()
except dbus.exceptions.DBusException as exc:
logdata = {'error': str(exc)}
log('E31', logdata)
else:
pass
return None

816
gpoa/frontend/laps_applier.py
View File

@@ -1,816 +0,0 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from datetime import datetime, timedelta, timezone
import logging
import os
import re
import secrets
import string
import struct
import subprocess
from dateutil import tz
import ldb
import psutil
from util.logging import log
from util.sid import WellKnown21RID
from util.util import check_local_user_exists, remove_prefix_from_keys, get_machine_name
from util.windows import get_kerberos_domain_info
from .applier_frontend import applier_frontend, check_enabled
from libcng_dpapi import (
create_protection_descriptor,
protect_secret,
unprotect_secret,
NcryptError
)
_DATEUTIL_AVAILABLE = False
try:
from dateutil import tz
_DATEUTIL_AVAILABLE = True
except ImportError:
pass
class laps_applier(applier_frontend):
"""
LAPS (Local Administrator Password Solution) implementation for managing
and automatically rotating administrator passwords.
"""
# Time calculation constants
# Number of seconds between the Windows epoch (1601-01-01 00:00:00 UTC)
# and the Unix epoch (1970-01-01 00:00:00 UTC).
# Used to convert between Unix timestamps and Windows FileTime.
_EPOCH_TIMESTAMP = 11644473600
# Number of 100-nanosecond intervals per second.
# Used to convert seconds to Windows FileTime format.
_HUNDREDS_OF_NANOSECONDS = 10000000
# Number of 100-nanosecond intervals in one day
_DAY_FLOAT = 8.64e11
# Module configuration
__module_name = 'LapsApplier'
__module_experimental = True
__module_enabled = False
# Registry paths
_WINDOWS_REGISTRY_PATH = 'SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/LAPS/'
_ALT_REGISTRY_PATH = 'Software/BaseALT/Policies/Laps/'
# LDAP attributes
_ATTR_ENCRYPTED_PASSWORD = 'msLAPS-EncryptedPassword'
_ATTR_PASSWORD_EXPIRATION_TIME = 'msLAPS-PasswordExpirationTime'
# dconf key for password modification time
_KEY_PASSWORD_LAST_MODIFIED = '/Software/BaseALT/Policies/Laps/PasswordLastModified/'
# Password complexity levels
_PASSWORD_COMPLEXITY = {
1: string.ascii_uppercase,
2: string.ascii_letters,
3: string.ascii_letters + string.digits,
4: string.ascii_letters + string.digits + string.punctuation
}
# Post-authentication actions
_ACTION_NONE = 0
_ACTION_CHANGE_PASSWORD = 1
_ACTION_TERMINATE_SESSIONS = 3
_ACTION_REBOOT = 5
def __init__(self, storage):
"""
Initialize the LAPS applier with configuration from registry.
Args:
storage: Storage object containing registry entries and system information
"""
self.storage = storage
# Load registry configuration
if not self._load_configuration():
self.__module_enabled = False
return
if not self._check_requirements():
log('W29')
self.__module_enabled = False
return
# Initialize system connections and parameters
self._initialize_system_parameters()
# Check if module is enabled in configuration
self.__module_enabled = check_enabled(
self.storage,
self.__module_name,
self.__module_experimental
)
def _load_configuration(self):
"""Load configuration settings from registry."""
alt_keys = remove_prefix_from_keys(
self.storage.filter_entries(self._ALT_REGISTRY_PATH),
self._ALT_REGISTRY_PATH
)
windows_keys = remove_prefix_from_keys(
self.storage.filter_entries(self._WINDOWS_REGISTRY_PATH),
self._WINDOWS_REGISTRY_PATH
)
# Combine configurations with BaseALT taking precedence
self.config = windows_keys
self.config.update(alt_keys)
# Extract commonly used configuration parameters
self.backup_directory = self.config.get('BackupDirectory', None)
self.encryption_enabled = self.config.get('ADPasswordEncryptionEnabled', 1)
self.password_expiration_protection = self.config.get('PasswordExpirationProtectionEnabled', 1)
self.password_age_days = self.config.get('PasswordAgeDays', 30)
self.post_authentication_actions = self.config.get('PostAuthenticationActions', 3)
self.post_authentication_reset_delay = self.config.get('PostAuthenticationResetDelay', 24)
name = self.config.get('AdministratorAccountName', 'root')
if name and check_local_user_exists(name):
self.target_user = name
else:
log('W36')
return False
return True
def _check_requirements(self):
"""
Check if the necessary requirements are met for the module to operate.
Returns:
bool: True if requirements are met, False otherwise
"""
if self.backup_directory != 2 or not self.encryption_enabled:
logdata = {}
logdata['backup_directory'] = self.backup_directory
logdata['encryption_enabled'] = self.encryption_enabled
log('D223', logdata)
return False
return True
def _initialize_system_parameters(self):
"""Initialize system parameters and connections."""
# Set up LDAP connections
self.samdb = self.storage.get_info('samdb')
self.domain_sid = self.samdb.get_domain_sid()
self.domain_dn = self.samdb.domain_dn()
self.computer_dn = self._get_computer_dn()
self.admin_group_sid = f'{self.domain_sid}-{WellKnown21RID.DOMAIN_ADMINS.value}'
# Set up time parameters
self.expiration_date = self._get_expiration_date()
self.expiration_date_int = self._convert_to_filetime(self.expiration_date)
self.current_time_int = self._convert_to_filetime(datetime.now())
# Get current system state
self.expiration_time_attr = self._get_expiration_time_attr()
self.pass_last_mod_int = self._read_dconf_pass_last_mod()
self.encryption_principal = self._get_encryption_principal()
self.last_login_hours_ago = self._get_admin_login_hours_ago_after_timestamp()
def _get_computer_dn(self):
"""
Get the Distinguished Name of the computer account.
Returns:
str: Computer's distinguished name in LDAP
"""
machine_name = self.storage.get_info('machine_name')
search_filter = f'(sAMAccountName={machine_name})'
results = self.samdb.search(base=self.domain_dn, expression=search_filter, attrs=['dn'])
return results[0]['dn']
def _get_encryption_principal(self):
"""
Get the encryption principal for password encryption.
Returns:
str: SID of the encryption principal
"""
encryption_principal = self.config.get('ADPasswordEncryptionPrincipal', None)
if not encryption_principal:
return self.admin_group_sid
return self._verify_encryption_principal(encryption_principal)
def _verify_encryption_principal(self, principal_name):
"""
Verify the encryption principal exists and get its SID.
Args:
principal_name: Principal name to verify
Returns:
str: SID of the encryption principal if found, or admin group SID as fallback
"""
try:
# Try to resolve as domain\\user format
domain = self.storage.get_info('domain')
username = f'{domain}\\{principal_name}'
output = subprocess.check_output(['wbinfo', '-n', username])
sid = output.split()[0].decode('utf-8')
return sid
except subprocess.CalledProcessError:
# Try to resolve directly as SID
try:
output = subprocess.check_output(['wbinfo', '-s', principal_name])
return principal_name
except subprocess.CalledProcessError:
# Fallback to admin group SID
logdata = {}
logdata['principal_name'] = principal_name
log('W30', logdata)
return self.admin_group_sid
def _get_expiration_date(self, base_time=None):
"""
Calculate the password expiration date.
Args:
base_time: Optional datetime to base calculation on, defaults to now
Returns:
datetime: Password expiration date
"""
base = base_time or datetime.now()
# Set to beginning of day and add password age
return (base.replace(hour=0, minute=0, second=0, microsecond=0) +
timedelta(days=int(self.password_age_days)))
def _convert_to_filetime(self, dt):
"""
Convert datetime to Windows filetime format (100ns intervals since 1601-01-01).
Args:
dt: Datetime to convert
Returns:
int: Windows filetime integer
"""
epoch_timedelta = timedelta(seconds=self._EPOCH_TIMESTAMP)
new_dt = dt + epoch_timedelta
return int(new_dt.timestamp() * self._HUNDREDS_OF_NANOSECONDS)
def _get_expiration_time_attr(self):
"""
Get the current password expiration time from LDAP.
Returns:
int: Password expiration time as integer, or 0 if not found
"""
try:
res = self.samdb.search(
base=self.computer_dn,
scope=ldb.SCOPE_BASE,
expression="(objectClass=*)",
attrs=[self._ATTR_PASSWORD_EXPIRATION_TIME]
)
return int(res[0].get(self._ATTR_PASSWORD_EXPIRATION_TIME, 0)[0])
except Exception as exc:
logdata = {'exc': exc}
log('W31', logdata)
return 0
def _read_dconf_pass_last_mod(self):
"""
Read the password last modified time from dconf.
Returns:
int: Timestamp of last password modification or current time if not found
"""
try:
key_path = self._KEY_PASSWORD_LAST_MODIFIED + self.target_user
last_modified = subprocess.check_output(
['dconf', 'read', key_path],
text=True
).strip().strip("'\"")
return int(last_modified)
except Exception as exc:
logdata = {'exc': exc}
log('W32', logdata)
return self.current_time_int
def _write_dconf_pass_last_mod(self):
"""
Write the password last modified time to dconf.
"""
try:
# Ensure dbus session is available
self._ensure_dbus_session()
# Write current time to dconf
key_path = self._KEY_PASSWORD_LAST_MODIFIED + self.target_user
last_modified = f'"{self.current_time_int}"'
subprocess.check_output(['dconf', 'write', key_path, last_modified])
log('D222')
except Exception as exc:
logdata = {'exc': exc}
log('W28', logdata)
def _ensure_dbus_session(self):
"""Ensure a D-Bus session is available for dconf operations."""
dbus_address = os.getenv("DBUS_SESSION_BUS_ADDRESS")
if not dbus_address:
result = subprocess.run(
["dbus-daemon", "--fork", "--session", "--print-address"],
capture_output=True,
text=True
)
dbus_address = result.stdout.strip()
os.environ["DBUS_SESSION_BUS_ADDRESS"] = dbus_address
def _get_changed_password_hours_ago(self):
"""
Calculate how many hours ago the password was last changed.
Returns:
int: Hours since password was last changed, or 0 if error
"""
logdata = {}
logdata['target_user'] = self.target_user
try:
diff_time = self.current_time_int - self.pass_last_mod_int
hours_difference = diff_time // 3.6e10
hours_ago = int(hours_difference)
logdata['hours_ago'] = hours_ago
log('D225', logdata)
return hours_ago
except Exception as exc:
logdata = {'exc': exc}
log('W34', logdata)
return 0
def _generate_password(self):
"""
Generate a secure password based on policy settings.
Returns:
str: Generated password meeting complexity requirements
"""
# Get password length from config
password_length = self.config.get('PasswordLength', 14)
if not isinstance(password_length, int) or not (8 <= password_length <= 64):
password_length = 14
# Get password complexity from config
password_complexity = self.config.get('PasswordComplexity', 4)
if not isinstance(password_complexity, int) or not (1 <= password_complexity <= 4):
password_complexity = 4
# Get character set based on complexity
char_set = self._PASSWORD_COMPLEXITY.get(password_complexity, self._PASSWORD_COMPLEXITY[4])
# Generate initial password
password = ''.join(secrets.choice(char_set) for _ in range(password_length))
# Ensure password meets complexity requirements
if password_complexity >= 3 and not any(c.isdigit() for c in password):
# Add a digit if required but missing
digit = secrets.choice(string.digits)
position = secrets.randbelow(len(password))
password = password[:position] + digit + password[position:]
if password_complexity == 4 and not any(c in string.punctuation for c in password):
# Add a special character if required but missing
special_char = secrets.choice(string.punctuation)
position = secrets.randbelow(len(password))
password = password[:position] + special_char + password[position:]
return password
def _get_json_password_data(self, password):
"""
Format password information as JSON.
Args:
password: The password
Returns:
str: JSON formatted password information
"""
return f'{{"n":"{self.target_user}","t":"{self.expiration_date_int}","p":"{password}"}}'
def _create_password_blob(self, password):
"""
Create encrypted password blob for LDAP storage.
Args:
password: Password to encrypt
Returns:
bytes: Encrypted password blob
"""
# Create JSON data and encode as UTF-16LE with null terminator
json_data = self._get_json_password_data(password)
password_bytes = json_data.encode("utf-16-le") + b"\x00\x00"
# Save and change loglevel
logger = logging.getLogger()
old_level = logger.level
logger.setLevel(logging.ERROR)
# Encrypt the password
descriptor_string = f"SID={self.encryption_principal}"
descriptor_handle = create_protection_descriptor(descriptor_string)
secret_message = password_bytes
# Resolve DPAPI-NG parameters dynamically using single Kerberos info fetch
info = get_kerberos_domain_info()
domain_realm = self._get_windows_realm(info)
dc_fqdn = self._get_domain_controller_fqdn(info)
machine_username = self._get_machine_account_username()
if not domain_realm or not dc_fqdn or not machine_username:
logdata = {
'realm': bool(domain_realm),
'dc_fqdn': bool(dc_fqdn),
'machine_username': bool(machine_username)
}
log('E78', logdata)
return None
dpapi_blob = protect_secret(
descriptor_handle,
secret_message,
domain=domain_realm,
server=dc_fqdn,
username=machine_username
)
# Restoreloglevel
logger.setLevel(old_level)
# Create full blob with metadata
return self._add_blob_metadata(dpapi_blob)
def _add_blob_metadata(self, dpapi_blob):
"""
Add metadata to the encrypted password blob.
Args:
dpapi_blob: Encrypted password blob
Returns:
bytes: Complete blob with metadata
"""
# Convert timestamp to correct format
left, right = struct.unpack('<LL', struct.pack('Q', self.current_time_int))
packed = struct.pack('<LL', right, left)
# Add blob length and padding
prefix = packed + struct.pack('<i', len(dpapi_blob)) + b'\x00\x00\x00\x00'
# Combine metadata and encrypted blob
return prefix + dpapi_blob
def _get_windows_realm(self, info):
"""Return Kerberos/Windows realm in FQDN upper-case form (e.g., EXAMPLE.COM)."""
try:
realm = info.get('principal')
# If principal like 'HOST/NAME@REALM', extract realm
if isinstance(realm, str) and '@' in realm:
realm = realm.rsplit('@', 1)[-1]
if isinstance(realm, str) and realm:
return realm.upper()
except Exception:
pass
return None
def _get_domain_controller_fqdn(self, info):
"""Determine a domain controller FQDN using Kerberos info only."""
try:
pdc = info.get('pdc_dns_name')
if isinstance(pdc, str) and pdc:
return pdc
except Exception:
pass
return None
def _get_machine_account_username(self):
"""Return machine account username with trailing '$' (e.g., HOSTNAME$)."""
try:
name = get_machine_name()
if not isinstance(name, str):
name = str(name)
if not name:
return None
return name if name.endswith('$') else f'{name}$'
except Exception:
return None
def _change_user_password(self, new_password):
"""
Change the password for the target user.
Args:
new_password: New password to set
Returns:
bool: True if password was changed successfully, False otherwise
"""
logdata = {'target_user': self.target_user}
try:
# Use chpasswd to change the password
process = subprocess.Popen(
["chpasswd"],
stdin=subprocess.PIPE,
text=True
)
process.communicate(f"{self.target_user}:{new_password}")
# Record the time of change
self._write_dconf_pass_last_mod()
log('D221', logdata)
return True
except Exception as exc:
logdata = {'exc': exc}
log('W27', logdata)
return False
def _update_ldap_password(self, encrypted_blob):
"""
Update the encrypted password and expiration time in LDAP.
Args:
encrypted_blob: Encrypted password blob
Returns:
bool: True if LDAP was updated successfully, False otherwise
"""
logdata = {'computer_dn': self.computer_dn}
try:
# Create LDAP modification message
mod_msg = ldb.Message()
mod_msg.dn = self.computer_dn
# Update password blob
mod_msg[self._ATTR_ENCRYPTED_PASSWORD] = ldb.MessageElement(
encrypted_blob,
ldb.FLAG_MOD_REPLACE,
self._ATTR_ENCRYPTED_PASSWORD
)
# Update expiration time
mod_msg[self._ATTR_PASSWORD_EXPIRATION_TIME] = ldb.MessageElement(
str(self.expiration_date_int),
ldb.FLAG_MOD_REPLACE,
self._ATTR_PASSWORD_EXPIRATION_TIME
)
# Perform the LDAP modification
self.samdb.modify(mod_msg)
log('D226', logdata)
return True
except Exception as exc:
logdata = {'exc': exc}
log('E75', logdata)
return False
def _should_update_password(self):
"""
Determine if the password should be updated based on policy.
Returns:
tuple: (bool: update needed, bool: perform post-action)
"""
# Check if password has expired
if not self._is_password_expired():
# Password not expired, check if post-login action needed
return self._check_post_login_action()
# Password has expired, update needed
return True, False
def _is_password_expired(self):
"""
Check if the password has expired according to policy.
Returns:
bool: True if password has expired, False otherwise
"""
# Case 1: No expiration protection, check LDAP attribute
if not self.password_expiration_protection:
if self.expiration_time_attr > self.current_time_int:
return False
# Case 2: With expiration protection, check both policy and LDAP
elif self.password_expiration_protection:
policy_expiry = self.pass_last_mod_int + (self.password_age_days * int(self._DAY_FLOAT))
if policy_expiry > self.current_time_int and self.expiration_time_attr > self.current_time_int:
return False
return True
def _check_post_login_action(self):
"""
Check if a post-login password change action should be performed.
Returns:
tuple: (bool: update needed, bool: perform post-action)
"""
# Check if password was changed after last login
if self._get_changed_password_hours_ago() < self.last_login_hours_ago:
return False, False
# Check if enough time has passed since login
if self.last_login_hours_ago < self.post_authentication_reset_delay:
return False, False
# Check if action is configured
if self.post_authentication_actions == self._ACTION_NONE:
return False, False
# Update needed, determine if post-action required
return True, self.post_authentication_actions > self._ACTION_CHANGE_PASSWORD
def _perform_post_action(self):
"""
Perform post-password-change action based on configuration.
"""
if self.post_authentication_actions == self._ACTION_TERMINATE_SESSIONS:
self._terminate_user_sessions()
elif self.post_authentication_actions == self._ACTION_REBOOT:
log('D220')
subprocess.run(["reboot"])
def _terminate_user_sessions(self):
"""
Terminates all processes associated with the active sessions of the target user.
"""
# Get active sessions for the target user
user_sessions = [user for user in psutil.users() if user.name == self.target_user]
logdata = {'target_user': self.target_user}
if not user_sessions:
log('D227', logdata)
return
# Terminate each session
for session in user_sessions:
try:
# Get the process and terminate it
proc = psutil.Process(session.pid)
proc.kill() # Send SIGKILL
logdata['pid'] = session.pid
log('D228')
except (psutil.NoSuchProcess, psutil.AccessDenied) as exc:
logdata['pid'] = session.pid
logdata['exc'] = exc
log('W35', logdata)
def update_laps_password(self):
"""
Update the LAPS password if needed based on policy.
Checks expiration and login times to determine if update is needed.
"""
# Check if password update is needed
update_needed, perform_post_action = self._should_update_password()
if not update_needed:
log('D229')
return False
# Generate new password
password = self._generate_password()
# Create encrypted password blob
encrypted_blob = self._create_password_blob(password)
if not encrypted_blob:
log('E78')
return False
# Update password in LDAP
ldap_success = self._update_ldap_password(encrypted_blob)
if not ldap_success:
return False
# Change local user password
local_success = self._change_user_password(password)
if not local_success:
log('E76')
return False
log('D230')
# Perform post-action if configured
if perform_post_action:
self._perform_post_action()
def apply(self):
"""
Main entry point for the LAPS applier.
"""
if self.__module_enabled:
log('D218')
self.update_laps_password()
else:
log('D219')
def _parse_login_time_from_last_line(self, line: str) -> datetime:
match_login_dt = re.search(
r"((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})",
line
)
if not match_login_dt:
return None
login_dt_str = match_login_dt.group(1)
try:
dt_naive = datetime.strptime(login_dt_str, "%a %b %d %H:%M:%S %Y")
login_dt_utc: datetime
if _DATEUTIL_AVAILABLE:
local_tz = tz.tzlocal()
dt_local = dt_naive.replace(tzinfo=local_tz)
login_dt_utc = dt_local.astimezone(timezone.utc)
else:
system_local_tz = datetime.now().astimezone().tzinfo
if system_local_tz:
dt_local = dt_naive.replace(tzinfo=system_local_tz)
login_dt_utc = dt_local.astimezone(timezone.utc)
else:
login_dt_utc = dt_naive.replace(tzinfo=timezone.utc)
log('W38')
return login_dt_utc
except ValueError:
return None
def _get_user_login_datetimes_utc(self) -> list[datetime]:
command = ["last", "-F", "-w", self.target_user]
env = os.environ.copy()
env["LC_TIME"] = "C"
login_datetimes = []
try:
process = subprocess.run(command, capture_output=True, text=True, check=False, env=env)
if process.returncode != 0 and not ("no login record" in process.stderr.lower() or "no users logged in" in process.stdout.lower()):
log('W39')
return []
output_lines = process.stdout.splitlines()
except FileNotFoundError:
log('W40')
return []
except Exception as e:
log('W41')
return []
for line in output_lines:
if not line.strip() or "wtmp begins" in line or "btmp begins" in line:
continue
if not line.startswith(self.target_user):
continue
login_dt_utc = self._parse_login_time_from_last_line(line)
if login_dt_utc:
login_datetimes.append(login_dt_utc)
return login_datetimes
def _get_admin_login_hours_ago_after_timestamp(self) -> int:
# Convert Windows FileTime to datetime
reference_dt_utc = datetime.fromtimestamp(
(self.pass_last_mod_int / self._HUNDREDS_OF_NANOSECONDS) - self._EPOCH_TIMESTAMP,
tz=timezone.utc
)
if not (reference_dt_utc.tzinfo is timezone.utc or
(reference_dt_utc.tzinfo is not None and reference_dt_utc.tzinfo.utcoffset(reference_dt_utc) == timedelta(0))):
log('W42')
return 0
user_login_times_utc = self._get_user_login_datetimes_utc()
if not user_login_times_utc:
log('D232')
return 0
most_recent_login_after_reference_utc = None
for login_time_utc in user_login_times_utc[::-1]:
if login_time_utc >= reference_dt_utc:
most_recent_login_after_reference_utc = login_time_utc
break
if most_recent_login_after_reference_utc:
now_utc = datetime.now(timezone.utc)
time_delta_seconds = (now_utc - most_recent_login_after_reference_utc).total_seconds()
hours_ago = int(time_delta_seconds / 3600.0)
log('D233')
return hours_ago
else:
log('D234')
return 0

16
gpoa/frontend/networkshare_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2022 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,11 +16,12 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from util.logging import log
from .applier_frontend import applier_frontend, check_enabled
from .appliers.netshare import Networkshare
from .applier_frontend import (
applier_frontend
, check_enabled
)
from util.logging import log
class networkshare_applier(applier_frontend):
__module_name = 'NetworksharesApplier'
@@ -28,10 +29,11 @@ class networkshare_applier(applier_frontend):
__module_experimental = True
__module_enabled = False
def __init__(self, storage, username = None):
def __init__(self, storage, sid, username = None):
self.storage = storage
self.sid = sid
self.username = username
self.networkshare_info = self.storage.get_networkshare()
self.networkshare_info = self.storage.get_networkshare(self.sid)
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
self.__module_enabled_user = check_enabled(self.storage, self.__module_name_user, self.__module_experimental)

18
gpoa/frontend/ntp_applier.py
View File

@@ -18,13 +18,16 @@
from enum import Enum
import subprocess
from enum import Enum
from .applier_frontend import (
applier_frontend
, check_enabled
)
from util.logging import log
from .applier_frontend import applier_frontend, check_enabled
class NTPServerType(Enum):
NTP = 'NTP'
@@ -74,7 +77,8 @@ class ntp_applier(applier_frontend):
srv = None
if server:
srv = server.data.rpartition(',')[0]
logdata = {'srv': srv}
logdata = dict()
logdata['srv'] = srv
log('D122', logdata)
start_command = ['/usr/bin/systemctl', 'start', 'chronyd']
@@ -88,7 +92,8 @@ class ntp_applier(applier_frontend):
proc.wait()
if srv:
logdata = {'srv': srv}
logdata = dict()
logdata['srv'] = srv
log('D124', logdata)
proc = subprocess.Popen(chrony_disconnect_all)
@@ -114,7 +119,8 @@ class ntp_applier(applier_frontend):
if server_type and server_type.data:
if NTPServerType.NTP.value != server_type.data:
logdata = {'server_type': server_type}
logdata = dict()
logdata['server_type'] = server_type
log('W10', logdata)
else:
log('D126')

52
gpoa/frontend/package_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -18,16 +18,22 @@
import logging
import subprocess
from util.logging import slogm, log
from util.rpm import (
update
, install_rpm
, remove_rpm
)
from util.logging import log
from .applier_frontend import applier_frontend, check_enabled
from .applier_frontend import (
applier_frontend
, check_enabled
)
class package_applier(applier_frontend):
__module_name = 'PackagesApplier'
__module_experimental = False
__module_enabled = True
__module_experimental = True
__module_enabled = False
__install_key_name = 'Install'
__remove_key_name = 'Remove'
__sync_key_name = 'Sync'
@@ -39,7 +45,7 @@ class package_applier(applier_frontend):
install_branch = '{}\\{}%'.format(self.__hklm_branch, self.__install_key_name)
remove_branch = '{}\\{}%'.format(self.__hklm_branch, self.__remove_key_name)
sync_branch = '{}\\{}%'.format(self.__hklm_branch, self.__sync_key_name)
self.fulcmd = []
self.fulcmd = list()
self.fulcmd.append('/usr/libexec/gpupdate/pkcon_runner')
self.fulcmd.append('--loglevel')
logger = logging.getLogger()
@@ -56,20 +62,23 @@ class package_applier(applier_frontend):
)
def run(self):
for flag in self.sync_packages_setting:
self.flagSync = bool(flag.data)
if flag.data:
self.flagSync = bool(int(flag.data))
if 0 < self.install_packages_setting.count() or 0 < self.remove_packages_setting.count():
if self.flagSync:
try:
subprocess.check_call(self.fulcmd)
except Exception as exc:
logdata = {'msg': str(exc)}
logdata = dict()
logdata['msg'] = str(exc)
log('E55', logdata)
else:
try:
subprocess.Popen(self.fulcmd,close_fds=False)
except Exception as exc:
logdata = {'msg': str(exc)}
logdata = dict()
logdata['msg'] = str(exc)
log('E61', logdata)
def apply(self):
@@ -82,17 +91,18 @@ class package_applier(applier_frontend):
class package_applier_user(applier_frontend):
__module_name = 'PackagesApplierUser'
__module_experimental = False
__module_enabled = True
__module_experimental = True
__module_enabled = False
__install_key_name = 'Install'
__remove_key_name = 'Remove'
__sync_key_name = 'Sync'
__hkcu_branch = 'Software\\BaseALT\\Policies\\Packages'
def __init__(self, storage, username):
def __init__(self, storage, sid, username):
self.storage = storage
self.sid = sid
self.username = username
self.fulcmd = []
self.fulcmd = list()
self.fulcmd.append('/usr/libexec/gpupdate/pkcon_runner')
self.fulcmd.append('--user')
self.fulcmd.append(self.username)
@@ -104,9 +114,9 @@ class package_applier_user(applier_frontend):
remove_branch = '{}\\{}%'.format(self.__hkcu_branch, self.__remove_key_name)
sync_branch = '{}\\{}%'.format(self.__hkcu_branch, self.__sync_key_name)
self.install_packages_setting = self.storage.filter_hkcu_entries(install_branch)
self.remove_packages_setting = self.storage.filter_hkcu_entries(remove_branch)
self.sync_packages_setting = self.storage.filter_hkcu_entries(sync_branch)
self.install_packages_setting = self.storage.filter_hkcu_entries(self.sid, install_branch)
self.remove_packages_setting = self.storage.filter_hkcu_entries(self.sid, remove_branch)
self.sync_packages_setting = self.storage.filter_hkcu_entries(self.sid, sync_branch)
self.flagSync = False
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
@@ -127,13 +137,15 @@ class package_applier_user(applier_frontend):
try:
subprocess.check_call(self.fulcmd)
except Exception as exc:
logdata = {'msg': str(exc)}
logdata = dict()
logdata['msg'] = str(exc)
log('E60', logdata)
else:
try:
subprocess.Popen(self.fulcmd,close_fds=False)
except Exception as exc:
logdata = {'msg': str(exc)}
logdata = dict()
logdata['msg'] = str(exc)
log('E62', logdata)
def admin_context_apply(self):

31
gpoa/frontend/polkit_applier.py
View File

@@ -16,20 +16,18 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from util.logging import log
from .applier_frontend import (
applier_frontend,
check_enabled,
check_windows_mapping_enabled,
applier_frontend
, check_enabled
, check_windows_mapping_enabled
)
from .appliers.polkit import polkit
from util.logging import log
class polkit_applier(applier_frontend):
__module_name = 'PolkitApplier'
__module_experimental = False
__module_enabled = True
__module_experimental = True
__module_enabled = False
__deny_all_win = 'Software\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\Deny_All'
__registry_branch = 'Software\\BaseALT\\Policies\\Polkit\\'
__registry_locks_branch = 'Software\\BaseALT\\Policies\\PolkitLocks\\'
@@ -55,7 +53,7 @@ class polkit_applier(applier_frontend):
template_vars_all = self.__polkit_map[self.__registry_branch][1]
template_file_all_lock = self.__polkit_map[self.__registry_locks_branch][0]
template_vars_all_lock = self.__polkit_map[self.__registry_locks_branch][1]
locks = []
locks = list()
for lock in self.polkit_locks:
if bool(int(lock.data)):
locks.append(lock.valuename)
@@ -79,7 +77,7 @@ class polkit_applier(applier_frontend):
self.__polkit_map[self.__registry_locks_branch][1][key] = item[1]
if deny_all_win:
logdata = {}
logdata = dict()
logdata['Deny_All_win'] = deny_all_win.data
log('D69', logdata)
self.__polkit_map[self.__deny_all_win][1]['Deny_All'] = deny_all_win.data
@@ -108,8 +106,8 @@ class polkit_applier(applier_frontend):
class polkit_applier_user(applier_frontend):
__module_name = 'PolkitApplierUser'
__module_experimental = False
__module_enabled = True
__module_experimental = True
__module_enabled = False
__deny_all_win = 'Software\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\Deny_All'
__registry_branch = 'Software\\BaseALT\\Policies\\Polkit\\'
__polkit_map = {
@@ -117,14 +115,15 @@ class polkit_applier_user(applier_frontend):
__registry_branch : ['48-alt_group_policy_permissions_user', {'User': ''}]
}
def __init__(self, storage, username):
def __init__(self, storage, sid, username):
self.storage = storage
self.sid = sid
self.username = username
deny_all_win = None
if check_windows_mapping_enabled(self.storage):
deny_all_win = storage.filter_hkcu_entries(self.__deny_all_win).first()
deny_all_win = storage.filter_hkcu_entries(self.sid, self.__deny_all_win).first()
polkit_filter = '{}%'.format(self.__registry_branch)
self.polkit_keys = self.storage.filter_hkcu_entries(polkit_filter)
self.polkit_keys = self.storage.filter_hkcu_entries(self.sid, polkit_filter)
# Deny_All hook: initialize defaults
template_file = self.__polkit_map[self.__deny_all_win][0]
template_vars = self.__polkit_map[self.__deny_all_win][1]
@@ -147,7 +146,7 @@ class polkit_applier_user(applier_frontend):
self.__polkit_map[self.__registry_branch][1][key] = item
if deny_all_win:
logdata = {}
logdata = dict()
logdata['user'] = self.username
logdata['Deny_All_win'] = deny_all_win.data
log('D70', logdata)

44
gpoa/frontend/scripts_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2022 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -17,25 +17,27 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
from pathlib import Path
import shutil
from pathlib import Path
from util.logging import log
from .applier_frontend import applier_frontend, check_enabled
from .appliers.folder import remove_dir_tree
from .applier_frontend import (
applier_frontend
, check_enabled
)
class scripts_applier(applier_frontend):
__module_name = 'ScriptsApplier'
__module_experimental = False
__module_enabled = True
__module_experimental = True
__module_enabled = False
__cache_scripts = '/var/cache/gpupdate_scripts_cache/machine/'
def __init__(self, storage):
def __init__(self, storage, sid):
self.storage = storage
self.startup_scripts = self.storage.get_scripts('STARTUP')
self.shutdown_scripts = self.storage.get_scripts('SHUTDOWN')
self.sid = sid
self.startup_scripts = self.storage.get_scripts(self.sid, 'STARTUP')
self.shutdown_scripts = self.storage.get_scripts(self.sid, 'SHUTDOWN')
self.folder_path = Path(self.__cache_scripts)
self.__module_enabled = check_enabled(self.storage
, self.__module_name
@@ -49,7 +51,8 @@ class scripts_applier(applier_frontend):
except FileNotFoundError as exc:
log('D154')
except Exception as exc:
logdata = {'exc': exc}
logdata = dict()
logdata['exc'] = exc
log('E64', logdata)
def filling_cache(self):
@@ -77,20 +80,22 @@ class scripts_applier(applier_frontend):
class scripts_applier_user(applier_frontend):
__module_name = 'ScriptsApplierUser'
__module_experimental = False
__module_enabled = True
__module_experimental = True
__module_enabled = False
__cache_scripts = '/var/cache/gpupdate_scripts_cache/users/'
def __init__(self, storage, username):
def __init__(self, storage, sid, username):
self.storage = storage
self.logon_scripts = self.storage.get_scripts('LOGON')
self.logoff_scripts = self.storage.get_scripts('LOGOFF')
self.sid = sid
self.logon_scripts = self.storage.get_scripts(self.sid, 'LOGON')
self.logoff_scripts = self.storage.get_scripts(self.sid, 'LOGOFF')
self.username = username
self.folder_path = Path(self.__cache_scripts + self.username)
self.__module_enabled = check_enabled(self.storage
, self.__module_name
, self.__module_experimental
)
self.filling_cache()
def cleaning_cache(self):
log('D161')
@@ -99,7 +104,8 @@ class scripts_applier_user(applier_frontend):
except FileNotFoundError as exc:
log('D155')
except Exception as exc:
logdata = {'exc': exc}
logdata = dict()
logdata['exc'] = exc
log('E65', logdata)
def filling_cache(self):
@@ -137,9 +143,7 @@ def install_script(storage_script_entry, script_dir, access_permissions):
'''
dir_cr = Path(script_dir)
dir_cr.mkdir(parents=True, exist_ok=True)
if storage_script_entry.number is None:
return
script_name = str(storage_script_entry.number).zfill(5) + '_' + os.path.basename(storage_script_entry.path)
script_name = str(int(storage_script_entry.number)).zfill(5) + '_' + os.path.basename(storage_script_entry.path)
script_file = os.path.join(script_dir, script_name)
shutil.copyfile(storage_script_entry.path, script_file)

96
gpoa/frontend/shortcut_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,24 +16,27 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import logging
import subprocess
from gpt.shortcuts import get_ttype, shortcut
from util.logging import log
from util.util import get_homedir, homedir_exists, string_to_literal_eval
from .applier_frontend import (
applier_frontend
, check_enabled
)
from gpt.shortcuts import json2sc
from util.windows import expand_windows_var
from util.logging import slogm, log
from util.util import (
get_homedir,
homedir_exists
)
from .applier_frontend import applier_frontend, check_enabled
def storage_get_shortcuts(storage, username=None, shortcuts_machine=None):
def storage_get_shortcuts(storage, sid, username=None):
'''
Query storage for shortcuts' rows for username.
Query storage for shortcuts' rows for specified SID.
'''
shortcut_objs = storage.get_shortcuts()
shortcuts = []
if username and shortcuts_machine:
shortcut_objs += shortcuts_machine
shortcut_objs = storage.get_shortcuts(sid)
shortcuts = list()
for sc in shortcut_objs:
if username:
@@ -51,7 +54,9 @@ def apply_shortcut(shortcut, username=None):
dest_abspath = shortcut.dest
if not dest_abspath.startswith('/') and not dest_abspath.startswith('%'):
dest_abspath = '%HOME%/' + dest_abspath
logdata = {'shortcut': dest_abspath, 'for': username}
logdata = dict()
logdata['shortcut'] = dest_abspath
logdata['for'] = username
log('D105', logdata)
dest_abspath = expand_windows_var(dest_abspath, username).replace('\\', '/') + '.desktop'
@@ -62,24 +67,31 @@ def apply_shortcut(shortcut, username=None):
if dest_abspath.startswith(get_homedir(username)):
# Don't try to operate on non-existent directory
if not homedir_exists(username):
logdata = {'user': username, 'dest_abspath': dest_abspath}
logdata = dict()
logdata['user'] = username
logdata['dest_abspath'] = dest_abspath
log('W7', logdata)
return None
else:
logdata = {'user': username, 'bad path': dest_abspath}
logdata = dict()
logdata['user'] = username
logdata['bad path'] = dest_abspath
log('W8', logdata)
return None
if '%' in dest_abspath:
logdata = {'dest_abspath': dest_abspath}
logdata = dict()
logdata['dest_abspath'] = dest_abspath
log('E53', logdata)
return None
if not dest_abspath.startswith('/'):
logdata = {'dest_abspath': dest_abspath}
logdata = dict()
logdata['dest_abspath'] = dest_abspath
log('E54', logdata)
return None
logdata = {'file': dest_abspath}
logdata = dict()
logdata['file'] = dest_abspath
logdata['with_action'] = shortcut.action
log('D106', logdata)
shortcut.apply_desktop(dest_abspath)
@@ -98,7 +110,7 @@ class shortcut_applier(applier_frontend):
)
def run(self):
shortcuts = storage_get_shortcuts(self.storage)
shortcuts = storage_get_shortcuts(self.storage, self.storage.get_info('machine_sid'))
if shortcuts:
for sc in shortcuts:
apply_shortcut(sc)
@@ -109,7 +121,9 @@ class shortcut_applier(applier_frontend):
# /usr/local/share/applications
subprocess.check_call(['/usr/bin/update-desktop-database'])
else:
log('D100')
logdata = dict()
logdata['machine_sid'] = self.storage.get_info('machine_sid')
log('D100', logdata)
def apply(self):
if self.__module_enabled:
@@ -122,45 +136,14 @@ class shortcut_applier_user(applier_frontend):
__module_name = 'ShortcutsApplierUser'
__module_experimental = False
__module_enabled = True
__REGISTRY_PATH_SHORTCATSMERGE= '/Software/BaseALT/Policies/GPUpdate/ShortcutsMerge'
__DCONF_REGISTRY_PATH_PREFERENCES_MACHINE = 'Software/BaseALT/Policies/Preferences/Machine'
def __init__(self, storage, username):
def __init__(self, storage, sid, username):
self.storage = storage
self.sid = sid
self.username = username
self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
def get_machine_shortcuts(self):
result = []
try:
storage_machine_dict = self.storage.get_dictionary_from_dconf_file_db()
machine_shortcuts = storage_machine_dict.get(
self.__DCONF_REGISTRY_PATH_PREFERENCES_MACHINE, dict()).get('Shortcuts')
shortcut_objs = string_to_literal_eval(machine_shortcuts)
for obj in shortcut_objs:
shortcut_machine =shortcut(
obj.get('dest'),
obj.get('path'),
obj.get('arguments'),
obj.get('name'),
obj.get('action'),
get_ttype(obj.get('target_type')))
shortcut_machine.set_usercontext(1)
result.append(shortcut_machine)
except:
return None
return result
def check_enabled_shortcuts_merge(self):
return self.storage.get_key_value(self.__REGISTRY_PATH_SHORTCATSMERGE)
def run(self, in_usercontext):
shortcuts_machine = None
if self.check_enabled_shortcuts_merge():
shortcuts_machine = self.get_machine_shortcuts()
shortcuts = storage_get_shortcuts(self.storage, self.username, shortcuts_machine)
shortcuts = storage_get_shortcuts(self.storage, self.sid, self.username)
if shortcuts:
for sc in shortcuts:
@@ -169,7 +152,8 @@ class shortcut_applier_user(applier_frontend):
if not in_usercontext and not sc.is_usercontext():
apply_shortcut(sc, self.username)
else:
logdata = {'username': self.username}
logdata = dict()
logdata['sid'] = self.sid
log('D100', logdata)
def user_context_apply(self):

26
gpoa/frontend/systemd_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,11 +16,14 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from util.logging import log
from .applier_frontend import applier_frontend, check_enabled
from .applier_frontend import (
applier_frontend
, check_enabled
)
from .appliers.systemd import systemd_unit
from util.logging import slogm, log
import logging
class systemd_applier(applier_frontend):
__module_name = 'SystemdApplier'
@@ -40,18 +43,23 @@ class systemd_applier(applier_frontend):
def run(self):
for setting in self.systemd_unit_settings:
valuename = setting.hive_key.rpartition('/')[2]
try:
self.units.append(systemd_unit(setting.valuename, int(setting.data)))
logdata = {'unit': format(setting.valuename)}
self.units.append(systemd_unit(valuename, int(setting.data)))
logdata = dict()
logdata['unit'] = format(valuename)
log('I4', logdata)
except Exception as exc:
logdata = {'unit': format(setting.valuename), 'exc': exc}
logdata = dict()
logdata['unit'] = format(valuename)
logdata['exc'] = exc
log('I5', logdata)
for unit in self.units:
try:
unit.apply()
except:
logdata = {'unit': unit.unit_name}
logdata = dict()
logdata['unit'] = unit.unit_name
log('E45', logdata)
def apply(self):
@@ -70,7 +78,7 @@ class systemd_applier_user(applier_frontend):
__module_enabled = True
__registry_branch = 'Software/BaseALT/Policies/SystemdUnits'
def __init__(self, storage, username):
def __init__(self, storage, sid, username):
self.storage = storage
def user_context_apply(self):

67
gpoa/frontend/thunderbird_applier.py
View File

@@ -1,67 +0,0 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2024-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
import json
import os
from util.logging import log
from util.util import is_machine_name
from .applier_frontend import applier_frontend, check_enabled
from .firefox_applier import create_dict
class thunderbird_applier(applier_frontend):
__module_name = 'ThunderbirdApplier'
__module_experimental = False
__module_enabled = True
__registry_branch = 'Software/Policies/Mozilla/Thunderbird'
__thunderbird_policies = '/etc/thunderbird/policies'
def __init__(self, storage, username):
self.storage = storage
self.username = username
self._is_machine_name = is_machine_name(self.username)
self.policies = {}
self.policies_json = {'policies': self.policies}
self.thunderbird_keys = self.storage.filter_hklm_entries(self.__registry_branch)
self.policies_gen = {}
self.__module_enabled = check_enabled(
self.storage
, self.__module_name
, self.__module_experimental
)
def machine_apply(self):
'''
Write policies.json to Thunderbird.
'''
self.policies_json = create_dict(self.thunderbird_keys, self.__registry_branch)
destfile = os.path.join(self.__thunderbird_policies, 'policies.json')
os.makedirs(self.__thunderbird_policies, exist_ok=True)
with open(destfile, 'w') as f:
json.dump(self.policies_json, f)
logdata = {'destfile': destfile}
log('D212', logdata)
def apply(self):
if self.__module_enabled:
log('D213')
self.machine_apply()
else:
log('D214')

31
gpoa/frontend/yandex_browser_applier.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2022 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,15 +16,16 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from .applier_frontend import (
applier_frontend
, check_enabled
)
import json
import os
from util.logging import log
from util.util import is_machine_name, string_to_literal_eval
from .applier_frontend import applier_frontend, check_enabled
class yandex_browser_applier(applier_frontend):
__module_name = 'YandexBrowserApplier'
__module_enabled = True
@@ -33,13 +34,15 @@ class yandex_browser_applier(applier_frontend):
__managed_policies_path = '/etc/opt/yandex/browser/policies/managed'
__recommended_policies_path = '/etc/opt/yandex/browser/policies/recommended'
def __init__(self, storage, username):
def __init__(self, storage, sid, username):
self.storage = storage
self.sid = sid
self.username = username
self._is_machine_name = is_machine_name(self.username)
self.yandex_keys = self.storage.filter_hklm_entries(self.__registry_branch)
yandex_filter = '{}%'.format(self.__registry_branch)
self.yandex_keys = self.storage.filter_hklm_entries(yandex_filter)
self.policies_json = {}
self.policies_json = dict()
self.__module_enabled = check_enabled(
self.storage
@@ -67,14 +70,16 @@ class yandex_browser_applier(applier_frontend):
os.makedirs(self.__managed_policies_path, exist_ok=True)
with open(destfile, 'w') as f:
json.dump(dict_item_to_list(self.policies_json), f)
logdata = {'destfile': destfile}
logdata = dict()
logdata['destfile'] = destfile
log('D185', logdata)
destfilerec = os.path.join(self.__recommended_policies_path, 'policies.json')
os.makedirs(self.__recommended_policies_path, exist_ok=True)
with open(destfilerec, 'w') as f:
json.dump(dict_item_to_list(recommended__json), f)
logdata = {'destfilerec': destfilerec}
logdata = dict()
logdata['destfilerec'] = destfilerec
log('D185', logdata)
@@ -155,7 +160,7 @@ class yandex_browser_applier(applier_frontend):
'''
Collect dictionaries from registry keys into a general dictionary
'''
counts = {}
counts = dict()
#getting the list of keys to read as an integer
valuename_typeint = self.get_valuename_typeint()
for it_data in yandex_keys:
@@ -183,7 +188,9 @@ class yandex_browser_applier(applier_frontend):
branch[parts[-1]] = str(it_data.data).replace('\\', '/')
except Exception as exc:
logdata = {'Exception': exc, 'keyname': it_data.keyname}
logdata = dict()
logdata['Exception'] = exc
logdata['keyname'] = it_data.keyname
log('D178', logdata)
try:
self.policies_json = counts['']

24
gpoa/frontend_plugins/__init__.py
View File

@@ -1,24 +0,0 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Frontend plugins package for GPOA.
This package contains display policy and other frontend-related plugins
that can be dynamically loaded by the plugin manager.
"""

747
gpoa/frontend_plugins/dm_applier.py
View File

@@ -1,747 +0,0 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import shutil
import subprocess
import re
# Import only what's absolutely necessary
try:
from gpoa.frontend.appliers.systemd import systemd_unit
except ImportError:
# Fallback for testing
systemd_unit = None
try:
from gpoa.util.gpoa_ini_parsing import GpoaConfigObj
except ImportError:
# Fallback for testing
GpoaConfigObj = None
from gpoa.plugin.plugin_base import FrontendPlugin
class DMApplier(FrontendPlugin):
"""
Display Manager Applier - handles loading of display manager policy keys
from registry (machine/user) and user preferences.
Also includes DMConfigGenerator functionality for display manager configuration.
"""
__registry_path = 'Software/BaseALT/Policies/DisplayManager'
domain = 'dm_applier'
def __init__(self, dict_dconf_db, username=None, fs_file_cache=None):
super().__init__(dict_dconf_db, username, fs_file_cache)
# Initialize plugin-specific logger - locale_dir will be set by plugin_manager
self._init_plugin_log(
message_dict={
'i': {
1: "Display Manager Applier initialized",
2: "Display manager configuration generated successfully",
3: "Display Manager Applier execution started",
4: "Display manager configuration completed successfully",
5: "LightDM greeter configuration generated successfully",
6: "GDM theme modified successfully",
7: "GDM backup restored successfully"
},
'w': {
10: "No display managers detected",
11: "No background configuration to apply",
12: "GDM backup file not found",
13: "Backup mode only supported for GDM"
},
'e': {
20: "Configuration file path is invalid or inaccessible",
21: "Failed to generate display manager configuration",
22: "Unknown display manager config directory",
23: "Failed to generate display manager configuration",
24: "Display Manager Applier execution failed",
25: "GDM theme gresource not found",
26: "Failed to extract GDM gresource",
27: "Failed to modify GDM background",
28: "Failed to recompile GDM gresource",
29: "Failed to restore GDM backup"
},
'd': {
30: "Display manager detection details",
31: "Display manager configuration details",
32: "Removed empty configuration value",
33: "GDM background modification details",
34: "GDM backup operation details"
}
},
# locale_dir will be set by plugin_manager during plugin loading
domain="dm_applier"
)
self.config = self.get_dict_registry(self.__registry_path)
# DMConfigGenerator configuration - only background settings
background_path = self.config.get("Greeter.Background", None)
self.backup = background_path == 'backup'
if background_path and not self.backup:
normalized_path = background_path.replace('\\', '/')
fs_file_cache.store(normalized_path)
self.dm_config = {
"Greeter.Background": fs_file_cache.get(normalized_path)
}
else:
self.dm_config = {
"Greeter.Background": ''
}
self.log("I1") # Display Manager Applier initialized
@classmethod
def _get_plugin_prefix(cls):
"""Return plugin prefix for translation lookup."""
return "dm_applier"
def _prepare_conf(self, path):
"""
Load existing file or create new, preserving all comments and structure.
"""
try:
conf = GpoaConfigObj(path, encoding="utf-8", create_empty=True)
return conf
except Exception as exc:
self.log("E20", {"path": path, "error": str(exc)})
return None
def _clean_empty_values(self, section):
"""
Remove keys with empty values from configuration section.
Avoids writing empty values to config files.
"""
if not section:
return
# Create list of keys to remove (can't modify dict during iteration)
keys_to_remove = []
for key, value in section.items():
# Remove keys with empty strings, None, or whitespace-only values
if value is None or (isinstance(value, str) and not value.strip()):
keys_to_remove.append(key)
# Remove the identified keys
for key in keys_to_remove:
del section[key]
self.log("D32", {"key": key, "section": str(section)})
def generate_lightdm(self, path):
if not path or not os.path.isabs(path):
self.log("E20", {"path": path}) # Configuration file path is invalid or inaccessible
return None
conf = self._prepare_conf(path)
if conf is None:
return None
section = conf.setdefault("Seat:*", {})
# Set values only if they have meaningful content (avoid writing empty values)
if self.dm_config["Greeter.Background"]:
section["greeter-background"] = self.dm_config["Greeter.Background"]
# Remove any existing empty values that might have been set previously
self._clean_empty_values(section)
# Comments example:
conf.initial_comment = ["# LightDM custom config"]
try:
conf.write()
self.log("I2", {"path": path, "dm": "lightdm"})
return conf
except Exception as exc:
self.log("E21", {"path": path, "error": str(exc)})
return None
def generate_gdm(self, path):
"""Generate GDM configuration by modifying gnome-shell-theme.gresource"""
# Check if we need to restore from backup
if self.backup:
return self._restore_gdm_backup()
if not self.dm_config["Greeter.Background"]:
return None
background_path = self.dm_config["Greeter.Background"]
try:
# Find gnome-shell-theme.gresource
gresource_path = self._find_gnome_shell_gresource()
if not gresource_path:
self.log("E25", {"path": "gnome-shell-theme.gresource"})
return None
# Create backup if it doesn't exist
backup_path = gresource_path + '.backup'
if not os.path.exists(backup_path):
shutil.copy2(gresource_path, backup_path)
self.log("D34", {"action": "backup_created", "backup": backup_path})
# Extract gresource to temporary directory
temp_dir = self._extract_gresource(gresource_path)
if not temp_dir:
return None
# Modify background in theme files
modified = self._modify_gdm_background(temp_dir, background_path)
if not modified:
shutil.rmtree(temp_dir)
return None
# Recompile gresource
success = self._recompile_gresource(temp_dir, gresource_path)
# Clean up temporary directory
shutil.rmtree(temp_dir)
if success:
self.log("I6", {"path": gresource_path, "background": background_path})
return True
else:
self.log("E28", {"path": gresource_path})
return None
except Exception as exc:
self.log("E21", {"path": "gnome-shell-theme.gresource", "error": str(exc), "dm": "gdm"})
return None
def _find_gnome_shell_gresource(self):
"""Find gnome-shell-theme.gresource file"""
possible_paths = [
"/usr/share/gnome-shell/gnome-shell-theme.gresource",
"/usr/share/gnome-shell/theme/gnome-shell-theme.gresource",
"/usr/share/gdm/gnome-shell-theme.gresource",
"/usr/local/share/gnome-shell/gnome-shell-theme.gresource"
]
for path in possible_paths:
if os.path.exists(path):
return path
return None
def _restore_gdm_backup(self):
"""Restore GDM gresource from backup if available"""
try:
# Find gnome-shell-theme.gresource
gresource_path = self._find_gnome_shell_gresource()
if not gresource_path:
self.log("E25", {"path": "gnome-shell-theme.gresource"})
return None
backup_path = gresource_path + '.backup'
if not os.path.exists(backup_path):
self.log("W12", {"backup": backup_path})
return None
# Restore from backup
shutil.copy2(backup_path, gresource_path)
self.log("I7", {"path": gresource_path})
return True
except Exception as exc:
self.log("E29", {"path": "gnome-shell-theme.gresource", "error": str(exc)})
return None
def _extract_gresource(self, gresource_path):
"""Extract gresource file to temporary directory by creating XML from gresource list"""
try:
temp_dir = "/tmp/gdm_theme_" + str(os.getpid())
os.makedirs(temp_dir, exist_ok=True)
# Get list of resources from gresource file
cmd_list = ["gresource", "list", gresource_path]
result_list = subprocess.run(cmd_list, capture_output=True, text=True)
if result_list.returncode != 0:
self.log("E26", {"path": gresource_path, "error": result_list.stderr})
shutil.rmtree(temp_dir)
return None
resource_paths = result_list.stdout.strip().split('\n')
if not resource_paths or not resource_paths[0]:
self.log("E26", {"path": gresource_path, "error": "No resources found in gresource file"})
shutil.rmtree(temp_dir)
return None
# Extract prefix from resource paths (remove filename from first path)
first_resource = resource_paths[0]
prefix = os.path.dirname(first_resource)
# Create temporary XML file using proper XML generation
import xml.etree.ElementTree as ET
# Create root element
gresources = ET.Element('gresources')
gresource = ET.SubElement(gresources, 'gresource', prefix=prefix)
for resource_path in resource_paths:
# Extract filename from resource path
filename = os.path.basename(resource_path)
ET.SubElement(gresource, 'file').text = filename
# Extract the resource to temporary directory
cmd_extract = ["gresource", "extract", gresource_path, resource_path]
result_extract = subprocess.run(cmd_extract, capture_output=True, text=True)
if result_extract.returncode == 0:
# Write extracted content to file
output_path = os.path.join(temp_dir, filename)
with open(output_path, 'w') as f:
f.write(result_extract.stdout)
else:
self.log("E26", {"path": gresource_path, "error": f"Failed to extract {resource_path}: {result_extract.stderr}"})
# Write XML file with proper formatting
xml_file = os.path.join(temp_dir, "gnome-shell-theme.gresource.xml")
tree = ET.ElementTree(gresources)
tree.write(xml_file, encoding='utf-8', xml_declaration=True)
return temp_dir
except Exception as exc:
self.log("E26", {"path": gresource_path, "error": str(exc)})
return None
def _modify_gdm_background(self, temp_dir, background_path):
"""Modify background in GDM theme files - specifically target gnome-shell-dark.css and gnome-shell-light.css"""
try:
# Target specific CSS files that contain GDM background definitions
target_css_files = ["gnome-shell-dark.css", "gnome-shell-light.css"]
modified = False
for css_filename in target_css_files:
css_file = os.path.join(temp_dir, css_filename)
if not os.path.exists(css_file):
continue
with open(css_file, 'r') as f:
content = f.read()
# Look for background-related CSS rules
patterns = [
# Handle only #lockDialogGroup background with file://// (4 slashes)
r'(#lockDialogGroup\s*{[^}]*background:\s*[^;]*)url\(file:////[^)]+\)',
# Handle only #lockDialogGroup background with file:/// (3 slashes)
r'(#lockDialogGroup\s*{[^}]*background:\s*[^;]*)url\(file:///[^)]+\)'
]
for pattern in patterns:
# Use lambda function to handle optional groups gracefully
def replace_url(match):
groups = match.groups()
return f'{groups[0]}url(file:///{background_path})'
new_content = re.sub(pattern, replace_url, content)
if new_content != content:
with open(css_file, 'w') as f:
f.write(new_content)
modified = True
self.log("D33", {"file": css_filename, "background": background_path})
break
return modified
except Exception as exc:
self.log("E27", {"path": temp_dir, "error": str(exc)})
return False
def _recompile_gresource(self, temp_dir, gresource_path):
"""Recompile gresource from modified files using temporary XML"""
try:
# Use the temporary XML file created during extraction
xml_file = os.path.join(temp_dir, "gnome-shell-theme.gresource.xml")
if not os.path.exists(xml_file):
self.log("E28", {"path": gresource_path, "error": "Temporary XML file not found"})
return False
# Recompile gresource - run from temp directory where files are located
original_cwd = os.getcwd()
try:
os.chdir(temp_dir)
cmd = ["glib-compile-resources", "--target", gresource_path, "gnome-shell-theme.gresource.xml"]
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode == 0:
return True
else:
self.log("E28", {"path": gresource_path, "error": result.stderr})
return False
finally:
os.chdir(original_cwd)
except Exception as exc:
self.log("E28", {"path": gresource_path, "error": str(exc)})
return False
def generate_sddm(self, path):
conf = self._prepare_conf(path)
if conf is None:
return None
# Set values only if they have meaningful content
if self.dm_config["Greeter.Background"]:
theme = conf.setdefault("Theme", {})
theme["Background"] = self.dm_config["Greeter.Background"]
# Clean up empty values from all sections
self._clean_empty_values(theme)
conf.write()
return conf
def write_config(self, dm_name, directory):
if self.backup and dm_name!='gdm':
self.log("W13", {"dm": dm_name})
return
os.makedirs(directory, exist_ok=True)
filename = os.path.join(directory, "50-custom.conf")
gen = {
"lightdm": self.generate_lightdm,
"gdm": self.generate_gdm,
"sddm": self.generate_sddm
}.get(dm_name)
if not gen:
raise ValueError("Unknown DM: {}".format(dm_name))
result = gen(filename)
# For LightDM, always generate greeter configuration if needed
if dm_name == "lightdm":
self._generate_lightdm_greeter_config()
# Return True if configuration was created or if we have background settings
return result is not None or self.dm_config["Greeter.Background"]
def _detect_lightdm_greeter(self):
"""Detect which LightDM greeter is being used"""
# Check main lightdm.conf
lightdm_conf_path = "/etc/lightdm/lightdm.conf"
if os.path.exists(lightdm_conf_path):
with open(lightdm_conf_path, 'r') as f:
for line in f:
if line.strip().startswith("greeter-session") and not line.strip().startswith('#'):
greeter = line.split('=')[1].strip()
self.log("D30", {"greeter": greeter, "source": "lightdm.conf"}) # Greeter detection details
return greeter
# Check lightdm.conf.d directory
lightdm_conf_d = "/etc/lightdm/lightdm.conf.d"
if os.path.exists(lightdm_conf_d):
for file in sorted(os.listdir(lightdm_conf_d)):
if file.endswith('.conf'):
file_path = os.path.join(lightdm_conf_d, file)
with open(file_path, 'r') as f:
for line in f:
if line.strip().startswith("greeter-session") and not line.strip().startswith('#'):
greeter = line.split('=')[1].strip()
self.log("D30", {"greeter": greeter, "source": file}) # Greeter detection details
return greeter
# Check default greeter
default_greeter_path = "/usr/share/xgreeters/lightdm-default-greeter.desktop"
if os.path.exists(default_greeter_path):
with open(default_greeter_path, 'r') as f:
for line in f:
if line.strip().startswith("Exec=") and not line.strip().startswith('#'):
greeter_exec = line.split('=')[1].strip()
# Extract greeter name from exec path
greeter_name = os.path.basename(greeter_exec)
self.log("D30", {"greeter": greeter_name, "source": "default-greeter"}) # Greeter detection details
return greeter_name
# Fallback to gtk-greeter (most common)
self.log("D30", {"greeter": "lightdm-gtk-greeter", "source": "fallback"}) # Greeter detection details
return "lightdm-gtk-greeter"
def _generate_lightdm_greeter_config(self):
"""Generate configuration for the detected LightDM greeter"""
# Only generate if we have background settings
if not self.dm_config["Greeter.Background"]:
return
greeter_name = self._detect_lightdm_greeter()
# Map greeter names to configuration files and settings
greeter_configs = {
"lightdm-gtk-greeter": {
"config_path": "/etc/lightdm/lightdm-gtk-greeter.conf",
"section": "greeter",
"background_key": "background",
"theme_key": "theme-name"
},
"lightdm-webkit2-greeter": {
"config_path": "/etc/lightdm/lightdm-webkit2-greeter.conf",
"section": "greeter",
"background_key": "background",
"theme_key": "theme"
},
"lightdm-unity-greeter": {
"config_path": "/etc/lightdm/lightdm-unity-greeter.conf",
"section": "greeter",
"background_key": "background",
"theme_key": "theme-name"
},
"lightdm-slick-greeter": {
"config_path": "/etc/lightdm/lightdm-slick-greeter.conf",
"section": "greeter",
"background_key": "background",
"theme_key": "theme-name"
},
"lightdm-kde-greeter": {
"config_path": "/etc/lightdm/lightdm-kde-greeter.conf",
"section": "greeter",
"background_key": "background",
"theme_key": "theme"
}
}
config_info = greeter_configs.get(greeter_name)
if not config_info:
self.log("E22", {"greeter": greeter_name}) # Unknown greeter type
return
conf = self._prepare_conf(config_info["config_path"])
# Get or create the greeter section
greeter_section = conf.setdefault(config_info["section"], {})
# Apply background setting only if it has meaningful content
if self.dm_config["Greeter.Background"]:
greeter_section[config_info["background_key"]] = self.dm_config["Greeter.Background"]
# Clean up any empty values in the greeter section
self._clean_empty_values(greeter_section)
conf.initial_comment = [f"# {greeter_name} custom config"]
try:
conf.write()
self.log("I5", {"path": config_info["config_path"], "greeter": greeter_name})
except Exception as exc:
self.log("E21", {"path": config_info["config_path"], "error": str(exc)})
def detect_dm(self):
"""Detect available and active display managers with fallback methods"""
result = {"available": [], "active": None}
# Check for available DMs using multiple methods
available_dms = self._detect_available_dms()
result["available"] = available_dms
# Check active DM with fallbacks
active_dm = self._detect_active_dm_with_fallback(available_dms)
if active_dm:
result["active"] = active_dm
return result
def _detect_available_dms(self):
"""Detect available display managers using multiple reliable methods"""
available = []
# Method 1: Check systemd unit files
systemd_units = [
("lightdm", "lightdm.service"),
("gdm", "gdm.service"),
("gdm", "gdm3.service"),
("sddm", "sddm.service")
]
for dm_name, unit_name in systemd_units:
if self._check_systemd_unit_exists(unit_name):
if dm_name not in available:
available.append(dm_name)
# Method 2: Check binary availability as fallback
binary_checks = [
("lightdm", ["lightdm"]),
("gdm", ["gdm", "gdm3"]),
("sddm", ["sddm"])
]
for dm_name, binaries in binary_checks:
if dm_name not in available:
if any(shutil.which(binary) for binary in binaries):
available.append(dm_name)
return available
def _detect_active_dm_with_fallback(self, available_dms):
"""Detect active DM with multiple fallback methods"""
# Primary method: systemd D-Bus
active_dm = self._check_systemd_dm()
if active_dm:
return active_dm
# Fallback 1: Check running processes
active_dm = self._check_running_processes(available_dms)
if active_dm:
return active_dm
# Fallback 2: Check display manager symlink
active_dm = self._check_display_manager_symlink()
if active_dm:
return active_dm
return None
def _check_systemd_unit_exists(self, unit_name):
"""Check if systemd unit exists without requiring D-Bus"""
unit_paths = [
f"/etc/systemd/system/{unit_name}",
f"/usr/lib/systemd/system/{unit_name}",
f"/lib/systemd/system/{unit_name}"
]
return any(os.path.exists(path) for path in unit_paths)
def _check_running_processes(self, available_dms):
"""Check running processes for display manager indicators"""
try:
import psutil
for proc in psutil.process_iter(['name']):
proc_name = proc.info['name'].lower()
for dm in available_dms:
if dm in proc_name:
return dm
except (ImportError, psutil.NoSuchProcess):
pass
return None
def _check_display_manager_symlink(self):
"""Check /etc/systemd/system/display-manager.service symlink"""
symlink_path = "/etc/systemd/system/display-manager.service"
if os.path.islink(symlink_path):
target = os.readlink(symlink_path)
for dm in ["lightdm", "gdm", "sddm"]:
if dm in target:
return dm
return None
def _check_systemd_dm(self):
"""
Check active display manager via systemd D-Bus API with improved error handling.
Returns dm name (lightdm/gdm/sddm) or None if not active.
"""
try:
dm_unit = systemd_unit("display-manager.service", 1)
state = dm_unit._get_state()
if state in ("active", "activating"):
unit_path = str(dm_unit.unit) # D-Bus object path, e.g. /org/.../lightdm_2eservice
# More robust DM name extraction
dm_mapping = {
"lightdm": "lightdm",
"gdm": "gdm",
"sddm": "sddm"
}
for key, dm_name in dm_mapping.items():
if key in unit_path.lower():
return dm_name
except Exception as exc:
self.log("D30", {"unit": "display-manager.service", "error": str(exc)})
return None
def run(self):
"""
Main plugin execution method with improved error handling and validation.
Detects active display manager and applies configuration.
"""
self.log("I3")
try:
# Validate configuration before proceeding
if not self._validate_configuration():
self.log("W11")
if not self.backup:
return False
# Detect available and active display managers
dm_info = self.detect_dm()
self.log("D30", {"dm_info": dm_info})
if not dm_info["available"]:
self.log("W10")
return False
# Use active DM or first available
target_dm = dm_info["active"] or (dm_info["available"][0] if dm_info["available"] else None)
if not target_dm:
self.log("W10")
return False
# Determine config directory based on DM
config_dir = self._get_config_directory(target_dm)
if not config_dir:
self.log("E22", {"dm": target_dm})
return False
# Generate configuration
result = self.write_config(target_dm, config_dir)
if result:
self.log("I4", {"dm": target_dm, "config_dir": config_dir})
return True
else:
self.log("E23", {"dm": target_dm, "config_dir": config_dir})
return False
except Exception as exc:
self.log("E24", {"error": str(exc)})
return False
def _validate_configuration(self):
"""Validate DM configuration before applying"""
# Check if we have background configuration to apply
return bool(self.dm_config["Greeter.Background"])
def _get_config_directory(self, dm_name):
"""Get configuration directory for display manager with fallbacks"""
config_dirs = {
"lightdm": ["/etc/lightdm/lightdm.conf.d", "/etc/lightdm"],
"gdm": ["/etc/gdm/custom.conf.d", "/etc/gdm"],
"sddm": ["/etc/sddm.conf.d", "/etc/sddm"]
}
dirs = config_dirs.get(dm_name, [])
for config_dir in dirs:
if os.path.exists(config_dir):
return config_dir
# If no existing directory, use the primary one
return dirs[0] if dirs else None
def create_machine_applier(dict_dconf_db, username=None, fs_file_cache=None):
"""Factory function to create DMApplier instance"""
return DMApplier(dict_dconf_db, username, fs_file_cache)
def create_user_applier(dict_dconf_db, username=None, fs_file_cache=None):
"""Factory function to create DMApplier instance"""
pass

93
gpoa/frontend_plugins/locale/ru_RU/LC_MESSAGES/dm_applier.po
View File

@@ -1,93 +0,0 @@
# Russian translations for dm_applier plugin.
# Copyright (C) 2025 BaseALT Ltd.
# This file is distributed under the same license as the dm_applier plugin.
#
msgid ""
msgstr ""
"Project-Id-Version: dm_applier\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2025-01-18 12:00+0000\n"
"PO-Revision-Date: 2025-01-18 12:00+0000\n"
"Last-Translator: Automatically generated\n"
"Language-Team: Russian\n"
"Language: ru_RU\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
# DM Applier messages
msgid "Display Manager Applier initialized"
msgstr "Инициализирован апплаер дисплей менеджера"
msgid "Display manager configuration generated successfully"
msgstr "Конфигурация дисплей менеджера успешно сгенерирована"
msgid "Display Manager Applier execution started"
msgstr "Запущено выполнение апплаера дисплей менеджера"
msgid "Display manager configuration completed successfully"
msgstr "Конфигурация дисплей менеджера успешно завершена"
msgid "LightDM greeter configuration generated successfully"
msgstr "Конфигурация LightDM greeter успешно сгенерирована"
msgid "GDM theme modified successfully"
msgstr "Тема GDM успешно изменена"
msgid "GDM backup restored successfully"
msgstr "Резервная копия GDM успешно восстановлена"
msgid "No display managers detected"
msgstr "Дисплей менеджеры не обнаружены"
msgid "No background configuration to apply"
msgstr "Нет конфигурации фона для применения"
msgid "GDM backup file not found"
msgstr "Резервная копия GDM не найдена"
msgid "Backup mode only supported for GDM"
msgstr "Режим восстановления поддерживается только для GDM"
msgid "Configuration file path is invalid or inaccessible"
msgstr "Путь к файлу конфигурации недействителен или недоступен"
msgid "Failed to generate display manager configuration"
msgstr "Не удалось сгенерировать конфигурацию дисплей менеджера"
msgid "Unknown display manager config directory"
msgstr "Неизвестный каталог конфигурации дисплей менеджера"
msgid "Display Manager Applier execution failed"
msgstr "Выполнение апплаера дисплей менеджера завершилось ошибкой"
msgid "GDM theme gresource not found"
msgstr "GDM тема gresource не найдена"
msgid "Failed to extract GDM gresource"
msgstr "Не удалось извлечь GDM gresource"
msgid "Failed to modify GDM background"
msgstr "Не удалось изменить фон GDM"
msgid "Failed to recompile GDM gresource"
msgstr "Не удалось перекомпилировать GDM gresource"
msgid "Failed to restore GDM backup"
msgstr "Не удалось восстановить резервную копию GDM"
msgid "Display manager detection details"
msgstr "Детали обнаружения дисплей менеджера"
msgid "Display manager configuration details"
msgstr "Детали конфигурации дисплей менеджера"
msgid "Removed empty configuration value"
msgstr "Удалено пустое значение конфигурации"
msgid "GDM background modification details"
msgstr "Детали изменения фона GDM"
msgid "GDM backup operation details"
msgstr "Детали операции резервного копирования GDM"

15
gpoa/gpoa
View File

@@ -25,9 +25,8 @@ import locale
from backend import backend_factory, save_dconf
from frontend.frontend_manager import frontend_manager, determine_username
from gpoa.plugin import plugin_manager
from plugin import plugin_manager
from messages import message_with_code
from storage import Dconf_registry
from util.util import get_machine_name
from util.users import (
@@ -62,9 +61,6 @@ def parse_arguments():
arguments.add_argument('--list-backends',
action='store_true',
help='Show list of available backends')
arguments.add_argument('--force',
action='store_true',
help='Force GPT download')
arguments.add_argument('--loglevel',
type=int,
default=4,
@@ -124,7 +120,7 @@ class gpoa_controller:
print('local')
print('samba')
return
Dconf_registry._force = self.__args.force
self.start_plugins()
self.start_backend()
def start_backend(self):
@@ -152,7 +148,6 @@ class gpoa_controller:
try:
back.retrieve_and_store()
# Start frontend only on successful backend finish
save_dconf(self.username, self.is_machine, nodomain)
self.start_frontend()
except Exception as exc:
logdata = dict({'message': str(exc)})
@@ -164,7 +159,7 @@ class gpoa_controller:
einfo = geterr()
logdata.update(einfo)
log('E3', logdata)
self.start_plugins(self.is_machine, self.username)
save_dconf(self.username, self.is_machine)
def start_frontend(self):
'''
@@ -180,12 +175,12 @@ class gpoa_controller:
logdata.update(einfo)
log('E4', logdata)
def start_plugins(self, is_machine, username):
def start_plugins(self):
'''
Function to start supplementary facilities
'''
if not self.__args.noplugins:
pm = plugin_manager(is_machine, username)
pm = plugin_manager()
pm.run()
def main():

23
gpoa/gpt/drives.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,15 +16,12 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from base64 import b64decode
import json
from base64 import b64decode
from Crypto.Cipher import AES
from util.xml import get_xml_root
from .dynamic_attributes import DynamicAttributes
def decrypt_pass(cpassword):
'''
AES key for cpassword decryption: http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2
@@ -50,7 +47,7 @@ def decrypt_pass(cpassword):
# decrypt() returns byte array which is immutable and we need to
# strip padding, then convert UTF-16LE to UTF-8
binstr = decrypter.decrypt(password)
by = []
by = list()
for item in binstr:
if item != 16:
by.append(item)
@@ -60,7 +57,7 @@ def decrypt_pass(cpassword):
return utf8str.decode()
def read_drives(drives_file):
drives = []
drives = list()
for drive in get_xml_root(drives_file):
drive_obj = drivemap()
@@ -81,9 +78,9 @@ def read_drives(drives_file):
return drives
def merge_drives(storage, drive_objects, policy_name):
def merge_drives(storage, sid, drive_objects, policy_name):
for drive in drive_objects:
storage.add_drive(drive, policy_name)
storage.add_drive(sid, drive, policy_name)
def json2drive(json_str):
json_obj = json.loads(json_str)
@@ -96,7 +93,7 @@ def json2drive(json_str):
return drive_obj
class drivemap(DynamicAttributes):
class drivemap:
def __init__(self):
self.login = None
self.password = None
@@ -144,13 +141,13 @@ class drivemap(DynamicAttributes):
self.useLetter = useLetter
def to_json(self):
drive = {}
drive = dict()
drive['login'] = self.login
drive['password'] = self.password
drive['dir'] = self.dir
drive['path'] = self.path
contents = {}
contents = dict()
contents['drive'] = drive
return json.dumps(contents)

57
gpoa/gpt/dynamic_attributes.py
View File

@@ -1,57 +0,0 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from enum import Enum
class DynamicAttributes:
def __init__(self, **kwargs):
self.policy_name = None
for key, value in kwargs.items():
self.__setattr__(key, value)
def __setattr__(self, key, value):
if isinstance(value, Enum):
value = str(value)
if isinstance(value, str):
for q in ["'", "\""]:
if any(q in ch for ch in value):
value = value.replace(q, "")
self.__dict__[key] = value
def items(self):
return self.__dict__.items()
def __iter__(self):
return iter(self.__dict__.items())
def get_original_value(self, key):
value = self.__dict__.get(key)
if isinstance(value, str):
value = value.replace("", "'")
return value
class RegistryKeyMetadata(DynamicAttributes):
def __init__(self, policy_name, type, is_list=None, mod_previous_value=None):
self.policy_name = policy_name
self.type = type
self.reloaded_with_policy_key = None
self.is_list = is_list
self.mod_previous_value = mod_previous_value
def __repr__(self):
return str(dict(self))

36
gpoa/gpt/envvars.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -18,30 +18,48 @@
from util.xml import get_xml_root
from .dynamic_attributes import DynamicAttributes
from enum import Enum
class FileAction(Enum):
CREATE = 'C'
REPLACE = 'R'
UPDATE = 'U'
DELETE = 'D'
def action_letter2enum(letter):
if letter in ['C', 'R', 'U', 'D']:
if letter == 'C': return FileAction.CREATE
if letter == 'R': return FileAction.REPLACE
if letter == 'U': return FileAction.UPDATE
if letter == 'D': return FileAction.DELETE
return FileAction.CREATE
def read_envvars(envvars_file):
variables = []
variables = list()
for var in get_xml_root(envvars_file):
props = var.find('Properties')
name = props.get('name')
value = props.get('value')
action = props.get('action', default='C')
var_obj = envvar(name, value, action)
var_obj = envvar(name, value)
var_obj.set_action(action_letter2enum(props.get('action', default='C')))
variables.append(var_obj)
return variables
def merge_envvars(storage, envvar_objects, policy_name):
def merge_envvars(storage, sid, envvar_objects, policy_name):
for envv in envvar_objects:
storage.add_envvar(envv, policy_name)
storage.add_envvar(sid, envv, policy_name)
class envvar(DynamicAttributes):
def __init__(self, name, value, action):
class envvar:
def __init__(self, name, value):
self.name = name
self.value = value
self.action = FileAction.CREATE
def set_action(self, action):
self.action = action

13
gpoa/gpt/files.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -18,11 +18,8 @@
from util.xml import get_xml_root
from .dynamic_attributes import DynamicAttributes
def read_files(filesxml):
files = []
files = list()
for fil in get_xml_root(filesxml):
props = fil.find('Properties')
@@ -38,11 +35,11 @@ def read_files(filesxml):
return files
def merge_files(storage, file_objects, policy_name):
def merge_files(storage, sid, file_objects, policy_name):
for fileobj in file_objects:
storage.add_file(fileobj, policy_name)
storage.add_file(sid, fileobj, policy_name)
class fileentry(DynamicAttributes):
class fileentry:
def __init__(self, fromPath):
self.fromPath = fromPath

39
gpoa/gpt/folders.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -17,9 +17,27 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from enum import Enum
from util.xml import get_xml_root
from .dynamic_attributes import DynamicAttributes
class FileAction(Enum):
CREATE = 'C'
REPLACE = 'R'
UPDATE = 'U'
DELETE = 'D'
def action_letter2enum(letter):
if letter in ['C', 'R', 'U', 'D']:
if letter == 'C': return FileAction.CREATE
if letter == 'R': return FileAction.REPLACE
if letter == 'U': return FileAction.UPDATE
if letter == 'D': return FileAction.DELETE
return FileAction.CREATE
def action_enum2letter(enumitem):
@@ -39,13 +57,12 @@ def folder_int2bool(val):
def read_folders(folders_file):
folders = []
folders = list()
for fld in get_xml_root(folders_file):
props = fld.find('Properties')
path = props.get('path')
action = props.get('action', default='C')
fld_obj = folderentry(path, action)
fld_obj = folderentry(props.get('path'))
fld_obj.set_action(action_letter2enum(props.get('action', default='C')))
fld_obj.set_delete_folder(folder_int2bool(props.get('deleteFolder', default=1)))
fld_obj.set_delete_sub_folders(folder_int2bool(props.get('deleteSubFolders', default=1)))
fld_obj.set_delete_files(folder_int2bool(props.get('deleteFiles', default=1)))
@@ -56,15 +73,15 @@ def read_folders(folders_file):
return folders
def merge_folders(storage, folder_objects, policy_name):
def merge_folders(storage, sid, folder_objects, policy_name):
for folder in folder_objects:
storage.add_folder(folder, policy_name)
storage.add_folder(sid, folder, policy_name)
class folderentry(DynamicAttributes):
def __init__(self, path, action):
class folderentry:
def __init__(self, path):
self.path = path
self.action = action
self.action = FileAction.CREATE
self.delete_folder = False
self.delete_sub_folders = False
self.delete_files = False

49
gpoa/gpt/gpo_dconf_mapping.py
View File

@@ -1,49 +0,0 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from .dynamic_attributes import DynamicAttributes
class GpoInfoDconf(DynamicAttributes):
_counter = 0
def __init__(self, gpo) -> None:
GpoInfoDconf._counter += 1
self.counter = GpoInfoDconf._counter
self.display_name = None
self.name = None
self.version = None
self.link = None
self._fill_attributes(gpo)
def _fill_attributes(self, gpo):
try:
self.display_name = gpo.display_name
except:
self.display_name = "Unknown"
try:
self.name = gpo.name
except:
self.name = "Unknown"
try:
self.version = gpo.version
except:
self.version = "Unknown"
try:
self.link = gpo.link
except:
self.link = "Unknown"

125
gpoa/gpt/gpt.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,30 +16,70 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from enum import Enum, unique
import os
from pathlib import Path
from enum import Enum, unique
from samba.gp_parse.gp_pol import GPPolParser
from storage import registry_factory
from storage.dconf_registry import add_to_dict
import util
from util.logging import log
from util.paths import cache_dir, local_policy_cache, local_policy_path
import util.preg
from .drives import merge_drives, read_drives
from .envvars import merge_envvars, read_envvars
from .files import merge_files, read_files
from .folders import merge_folders, read_folders
from .inifiles import merge_inifiles, read_inifiles
from .networkshares import merge_networkshares, read_networkshares
from .polfile import merge_polfile, read_polfile
from .printers import merge_printers, read_printers
from .scriptsini import merge_scripts, read_scripts
from .services import merge_services, read_services
from .shortcuts import merge_shortcuts, read_shortcuts
from .tasks import merge_tasks, read_tasks
from storage import registry_factory
from .polfile import (
read_polfile
, merge_polfile
)
from .shortcuts import (
read_shortcuts
, merge_shortcuts
)
from .services import (
read_services
, merge_services
)
from .printers import (
read_printers
, merge_printers
)
from .inifiles import (
read_inifiles
, merge_inifiles
)
from .folders import (
read_folders
, merge_folders
)
from .files import (
read_files
, merge_files
)
from .envvars import (
read_envvars
, merge_envvars
)
from .drives import (
read_drives
, merge_drives
)
from .tasks import (
read_tasks
, merge_tasks
)
from .scriptsini import (
read_scripts
, merge_scripts
)
from .networkshares import (
read_networkshares
, merge_networkshares
)
import util
import util.preg
from util.paths import (
local_policy_path,
cache_dir,
local_policy_cache
)
from util.logging import log
@unique
@@ -69,7 +109,7 @@ def get_preftype(path_to_file):
return None
def pref_parsers():
parsers = {}
parsers = dict()
parsers[FileType.PREG] = read_polfile
parsers[FileType.SHORTCUTS] = read_shortcuts
@@ -91,7 +131,7 @@ def get_parser(preference_type):
return parsers[preference_type]
def pref_mergers():
mergers = {}
mergers = dict()
mergers[FileType.PREG] = merge_polfile
mergers[FileType.SHORTCUTS] = merge_shortcuts
@@ -113,13 +153,13 @@ def get_merger(preference_type):
return mergers[preference_type]
class gpt:
def __init__(self, gpt_path, username='Machine', gpo_info=None):
add_to_dict(gpt_path, username, gpo_info)
def __init__(self, gpt_path, sid, username='Machine', version=None):
self.path = gpt_path
self.username = username
self.sid = sid
self.storage = registry_factory()
self.storage._gpt_read_flag = True
self.gpo_info = gpo_info
self.version = version
self.name = ''
self.guid = self.path.rpartition('/')[2]
if 'default' == self.guid:
@@ -143,18 +183,18 @@ class gpt:
, 'scripts'
, 'networkshares'
]
self.settings = {}
self.settings['machine'] = {}
self.settings['user'] = {}
self.settings = dict()
self.settings['machine'] = dict()
self.settings['user'] = dict()
self.settings['machine']['regpol'] = find_file(self._machine_path, 'registry.pol')
self.settings['user']['regpol'] = find_file(self._user_path, 'registry.pol')
for setting in self.settings_list:
machine_preffile = find_preffile(self._machine_path, setting)
user_preffile = find_preffile(self._user_path, setting)
mlogdata = {'setting': setting, 'prefpath': machine_preffile}
mlogdata = dict({'setting': setting, 'prefpath': machine_preffile})
log('D24', mlogdata)
self.settings['machine'][setting] = machine_preffile
ulogdata = {'setting': setting, 'prefpath': user_preffile}
ulogdata = dict({'setting': setting, 'prefpath': user_preffile})
log('D23', ulogdata)
self.settings['user'][setting] = user_preffile
@@ -175,21 +215,21 @@ class gpt:
try:
# Merge machine policies to registry if possible
if self.settings['machine']['regpol']:
mlogdata = {'polfile': self.settings['machine']['regpol']}
mlogdata = dict({'polfile': self.settings['machine']['regpol']})
log('D34', mlogdata)
util.preg.merge_polfile(self.settings['machine']['regpol'], policy_name=self.name, gpo_info=self.gpo_info)
util.preg.merge_polfile(self.settings['machine']['regpol'], policy_name=self.name, version=self.version)
# Merge machine preferences to registry if possible
for preference_name, preference_path in self.settings['machine'].items():
if preference_path:
preference_type = get_preftype(preference_path)
logdata = {'pref': preference_type.value}
logdata = dict({'pref': preference_type.value, 'sid': self.sid})
log('D28', logdata)
preference_parser = get_parser(preference_type)
preference_merger = get_merger(preference_type)
preference_objects = preference_parser(preference_path)
preference_merger(self.storage, preference_objects, self.name)
preference_merger(self.storage, self.sid, preference_objects, self.name)
except Exception as exc:
logdata = {}
logdata = dict()
logdata['gpt'] = self.name
logdata['msg'] = str(exc)
log('E28', logdata)
@@ -201,24 +241,25 @@ class gpt:
try:
# Merge user policies to registry if possible
if self.settings['user']['regpol']:
mulogdata = {'polfile': self.settings['user']['regpol']}
mulogdata = dict({'polfile': self.settings['user']['regpol']})
log('D35', mulogdata)
util.preg.merge_polfile(self.settings['user']['regpol'],
sid=self.sid,
policy_name=self.name,
username=self.username,
gpo_info=self.gpo_info)
version=self.version)
# Merge user preferences to registry if possible
for preference_name, preference_path in self.settings['user'].items():
if preference_path:
preference_type = get_preftype(preference_path)
logdata = {'pref': preference_type.value}
logdata = dict({'pref': preference_type.value, 'sid': self.sid})
log('D29', logdata)
preference_parser = get_parser(preference_type)
preference_merger = get_merger(preference_type)
preference_objects = preference_parser(preference_path)
preference_merger(self.storage, preference_objects, self.name)
preference_merger(self.storage, self.sid, preference_objects, self.name)
except Exception as exc:
logdata = {}
logdata = dict()
logdata['gpt'] = self.name
logdata['msg'] = str(exc)
log('E29', logdata)
@@ -311,13 +352,13 @@ def lp2gpt():
# Write PReg
polparser.write_binary(os.path.join(destdir, 'Registry.pol'))
def get_local_gpt():
def get_local_gpt(sid):
'''
Convert default policy to GPT and create object out of it.
'''
log('D25')
lp2gpt()
local_policy = gpt(str(local_policy_cache()))
local_policy = gpt(str(local_policy_cache()), sid)
local_policy.set_name('Local Policy')
return local_policy

15
gpoa/gpt/inifiles.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2022 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -18,11 +18,8 @@
from util.xml import get_xml_root
from .dynamic_attributes import DynamicAttributes
def read_inifiles(inifiles_file):
inifiles = []
inifiles = list()
for ini in get_xml_root(inifiles_file):
prors = ini.find('Properties')
@@ -30,17 +27,17 @@ def read_inifiles(inifiles_file):
ini_obj.set_section(prors.get('section', default=None))
ini_obj.set_property(prors.get('property', default=None))
ini_obj.set_value(prors.get('value', default=None))
ini_obj.set_action(prors.get('action', default='C'))
ini_obj.set_action(prors.get('action'))
inifiles.append(ini_obj)
return inifiles
def merge_inifiles(storage, inifile_objects, policy_name):
def merge_inifiles(storage, sid, inifile_objects, policy_name):
for iniobj in inifile_objects:
storage.add_ini(iniobj, policy_name)
storage.add_ini(sid, iniobj, policy_name)
class inifile(DynamicAttributes):
class inifile:
def __init__(self, path):
self.path = path

14
gpoa/gpt/networkshares.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2022 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -17,12 +17,10 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from util.xml import get_xml_root
from .dynamic_attributes import DynamicAttributes
from storage.dconf_registry import Dconf_registry
def read_networkshares(networksharesxml):
networkshares = []
networkshares = list()
for share in get_xml_root(networksharesxml):
props = share.find('Properties')
@@ -37,11 +35,11 @@ def read_networkshares(networksharesxml):
return networkshares
def merge_networkshares(storage, networkshares_objects, policy_name):
def merge_networkshares(storage, sid, networkshares_objects, policy_name):
for networkshareobj in networkshares_objects:
storage.add_networkshare(networkshareobj, policy_name)
storage.add_networkshare(sid, networkshareobj, policy_name)
class networkshare(DynamicAttributes):
class networkshare:
def __init__(self, name):
self.name = name

15
gpoa/gpt/polfile.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,13 +16,18 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from util.preg import load_preg
from util.preg import (
load_preg
)
def read_polfile(filename):
return load_preg(filename).entries
def merge_polfile(storage, policy_objects, policy_name):
def merge_polfile(storage, sid, policy_objects, policy_name):
pass
# for entry in policy_objects:
# if not sid:
# storage.add_hklm_entry(entry, policy_name)
# else:
# storage.add_hkcu_entry(entry, sid, policy_name)

17
gpoa/gpt/printers.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,14 +20,11 @@ import json
from util.xml import get_xml_root
from .dynamic_attributes import DynamicAttributes
def read_printers(printers_file):
'''
Read printer configurations from Printer.xml
'''
printers = []
printers = list()
for prn in get_xml_root(printers_file):
prn_obj = printer(prn.tag, prn.get('name'), prn.get('status'))
@@ -44,9 +41,9 @@ def read_printers(printers_file):
return printers
def merge_printers(storage, printer_objects, policy_name):
def merge_printers(storage, sid, printer_objects, policy_name):
for device in printer_objects:
storage.add_printer(device, policy_name)
storage.add_printer(sid, device, policy_name)
def json2printer(json_str):
'''
@@ -63,7 +60,7 @@ def json2printer(json_str):
return prn
class printer(DynamicAttributes):
class printer:
def __init__(self, ptype, name, status):
'''
ptype may be one of:
@@ -103,7 +100,7 @@ class printer(DynamicAttributes):
'''
Return string-serialized JSON representation of the object.
'''
printer = {}
printer = dict()
printer['type'] = self.printer_type
printer['name'] = self.name
printer['status'] = self.status
@@ -115,7 +112,7 @@ class printer(DynamicAttributes):
# Nesting JSON object into JSON object makes it easier to add
# metadata if needed.
config = {}
config = dict()
config['printer'] = printer
return json.dumps(config)

33
gpoa/gpt/scriptsini.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -19,16 +19,14 @@
import configparser
import os
from .dynamic_attributes import DynamicAttributes
def read_scripts(scripts_file):
scripts = Scripts_lists()
logon_scripts = {}
logoff_scripts = {}
startup_scripts = {}
shutdown_scripts = {}
logon_scripts = dict()
logoff_scripts = dict()
startup_scripts = dict()
shutdown_scripts = dict()
config = configparser.ConfigParser()
config.read(scripts_file, encoding = 'utf-16')
@@ -80,22 +78,22 @@ def read_scripts(scripts_file):
return scripts
def merge_scripts(storage, scripts_objects, policy_name):
def merge_scripts(storage, sid, scripts_objects, policy_name):
for script in scripts_objects.get_logon_scripts():
storage.add_script(script, policy_name)
storage.add_script(sid, script, policy_name)
for script in scripts_objects.get_logoff_scripts():
storage.add_script(script, policy_name)
storage.add_script(sid, script, policy_name)
for script in scripts_objects.get_startup_scripts():
storage.add_script(script, policy_name)
storage.add_script(sid, script, policy_name)
for script in scripts_objects.get_shutdown_scripts():
storage.add_script(script, policy_name)
storage.add_script(sid, script, policy_name)
class Scripts_lists:
def __init__ (self):
self.__logon_scripts = []
self.__logoff_scripts = []
self.__startup_scripts = []
self.__shutdown_scripts = []
self.__logon_scripts = list()
self.__logoff_scripts = list()
self.__startup_scripts = list()
self.__shutdown_scripts = list()
def get_logon_scripts(self):
return self.__logon_scripts
@@ -117,7 +115,7 @@ class Scripts_lists:
self.get_shutdown_scripts().append(script)
class Script(DynamicAttributes):
class Script:
__logon_counter = 0
__logoff_counter = 0
__startup_counter = 0
@@ -128,7 +126,6 @@ class Script(DynamicAttributes):
self.action = action_upper
self.path = os.path.join(script_dir, action_upper, script_filename.upper())
if not os.path.isfile(self.path):
self.number = None
return None
self.args = None

11
gpoa/gpt/services.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -18,14 +18,11 @@
from util.xml import get_xml_root
from .dynamic_attributes import DynamicAttributes
def read_services(service_file):
'''
Read Services.xml from GPT.
'''
services = []
services = list()
for srv in get_xml_root(service_file):
srv_obj = service(srv.get('name'))
@@ -42,11 +39,11 @@ def read_services(service_file):
return services
def merge_services(storage, service_objects, policy_name):
def merge_services(storage, sid, service_objects, policy_name):
for srv in service_objects:
pass
class service(DynamicAttributes):
class service:
def __init__(self, name):
self.unit = name
self.servname = None

87
gpoa/gpt/shortcuts.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,26 +16,23 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from enum import Enum
import json
from pathlib import Path
import stat
import logging
from enum import Enum
from xml.etree import ElementTree
from xdg.DesktopEntry import DesktopEntry
import json
from util.paths import get_desktop_files_directory
from util.windows import transform_windows_path
from util.xml import get_xml_root
from xdg.DesktopEntry import DesktopEntry
from .dynamic_attributes import DynamicAttributes
from util.paths import get_desktop_files_directory
class TargetType(Enum):
FILESYSTEM = 'FILESYSTEM'
URL = 'URL'
def __str__(self):
return self.value
def get_ttype(targetstr):
'''
Validation function for targetType property
@@ -46,7 +43,7 @@ def get_ttype(targetstr):
'''
ttype = TargetType.FILESYSTEM
if targetstr == 'URL'or targetstr == TargetType.URL:
if targetstr == 'URL':
ttype = TargetType.URL
return ttype
@@ -70,7 +67,7 @@ def read_shortcuts(shortcuts_file):
:shortcuts_file: Location of Shortcuts.xml
'''
shortcuts = []
shortcuts = list()
for link in get_xml_root(shortcuts_file):
props = link.find('Properties')
@@ -96,10 +93,28 @@ def read_shortcuts(shortcuts_file):
return shortcuts
def merge_shortcuts(storage, shortcut_objects, policy_name):
def merge_shortcuts(storage, sid, shortcut_objects, policy_name):
for shortcut in shortcut_objects:
storage.add_shortcut(shortcut, policy_name)
storage.add_shortcut(sid, shortcut, policy_name)
def json2sc(json_str):
'''
Build shortcut out of string-serialized JSON
'''
json_obj = json.loads(json_str)
link_type = get_ttype(json_obj['type'])
sc = shortcut(json_obj['dest'], json_obj['path'], json_obj['arguments'], json_obj['name'], json_obj['action'], link_type)
sc.set_changed(json_obj['changed'])
sc.set_clsid(json_obj['clsid'])
sc.set_guid(json_obj['guid'])
sc.set_usercontext(json_obj['is_in_user_context'])
if 'comment' in json_obj:
sc.set_comment(json_obj['comment'])
if 'icon' in json_obj:
sc.set_icon(json_obj['icon'])
return sc
def find_desktop_entry(binary_path):
desktop_dir = get_desktop_files_directory()
@@ -114,9 +129,7 @@ def find_desktop_entry(binary_path):
return None
class shortcut(DynamicAttributes):
_ignore_fields = {"desktop_file_template", "desktop_file"}
class shortcut:
def __init__(self, dest, path, arguments, name=None, action=None, ttype=TargetType.FILESYSTEM):
'''
:param dest: Path to resulting file on file system
@@ -138,14 +151,6 @@ class shortcut(DynamicAttributes):
self.type = ttype
self.desktop_file_template = None
def items(self):
return ((k, v) for k, v in super().items() if k not in self._ignore_fields)
def __iter__(self):
return iter(self.items())
def replace_slashes(self, input_path):
if input_path.startswith('%'):
index = input_path.find('%', 1)
@@ -212,6 +217,30 @@ class shortcut(DynamicAttributes):
def is_usercontext(self):
return self.is_in_user_context
def to_json(self):
'''
Return shortcut's JSON for further serialization.
'''
content = dict()
content['dest'] = self.dest
content['path'] = self.path
content['name'] = self.name
content['arguments'] = self.arguments
content['clsid'] = self.clsid
content['guid'] = self.guid
content['changed'] = self.changed
content['action'] = self.action
content['is_in_user_context'] = self.is_in_user_context
content['type'] = ttype2str(self.type)
if self.icon:
content['icon'] = self.icon
if self.comment:
content['comment'] = self.comment
result = self.desktop()
result.content.update(content)
return json.dumps(result.content)
def desktop(self, dest=None):
'''
Returns desktop file object which may be written to disk.
@@ -231,7 +260,7 @@ class shortcut(DynamicAttributes):
'''
Update desktop file object from internal data.
'''
if get_ttype(self.type) == TargetType.URL:
if self.type == TargetType.URL:
self.desktop_file.set('Type', 'Link')
else:
self.desktop_file.set('Type', 'Application')
@@ -241,7 +270,7 @@ class shortcut(DynamicAttributes):
desktop_path = self.path
if self.expanded_path:
desktop_path = self.expanded_path
if get_ttype(self.type) == TargetType.URL:
if self.type == TargetType.URL:
self.desktop_file.set('URL', desktop_path)
else:
str2bool_lambda = (lambda boolstr: boolstr if isinstance(boolstr, bool)
@@ -249,7 +278,7 @@ class shortcut(DynamicAttributes):
if self.desktop_file_template:
terminal_state = str2bool_lambda(self.desktop_file_template.get('Terminal'))
self.desktop_file.set('Terminal', 'true' if terminal_state else 'false')
self.desktop_file.set('Exec', '{} {}'.format(desktop_path, self.get_original_value('arguments')))
self.desktop_file.set('Exec', '{} {}'.format(desktop_path, self.arguments))
self.desktop_file.set('Comment', self.comment)
if self.icon:

4
gpoa/gpt/tasks.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -19,7 +19,7 @@
def read_tasks(filename):
pass
def merge_tasks(storage, task_objects, policy_name):
def merge_tasks(storage, sid, task_objects, policy_name):
for task in task_objects:
pass

27
gpoa/gpupdate
View File

@@ -2,7 +2,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -25,7 +25,6 @@ import os
import sys
import pwd
import signal
from storage import Dconf_registry
from util.users import (
is_root
@@ -84,11 +83,6 @@ def parse_cli_arguments():
type=int,
default=5,
help='Set logging verbosity level')
argparser.add_argument('-f',
'--force',
action='store_true',
default=False,
help='Force GPT download')
argparser.add_argument('-s',
'--system',
action='store_true',
@@ -113,14 +107,14 @@ def runner_factory(args, target):
target = 'COMPUTER'
except:
username = None
logdata = {'username': args.user}
logdata = dict({'username': args.user})
log('W1', logdata)
else:
# User may only perform gpupdate for machine (None) or
# itself (os.getusername()).
username = pwd.getpwuid(os.getuid()).pw_name
if args.user != username:
logdata = {'username': username}
logdata = dict({'username': username})
log('W2', logdata)
if args.system:
@@ -167,17 +161,10 @@ def try_directly(username, target, loglevel):
def main():
args = parse_cli_arguments()
# Set up locale for main application
import os
base_dir = os.path.dirname(os.path.abspath(__file__))
main_locale_path = os.path.join(base_dir, 'locale')
locale.bindtextdomain('gpoa', main_locale_path)
gettext.bindtextdomain('gpoa', main_locale_path)
locale.bindtextdomain('gpoa', '/usr/lib/python3/site-packages/gpoa/locale')
gettext.bindtextdomain('gpoa', '/usr/lib/python3/site-packages/gpoa/locale')
gettext.textdomain('gpoa')
set_loglevel(args.loglevel)
Dconf_registry._force = args.force
gpo_appliers = runner_factory(args, process_target(args.target))
if gpo_appliers:
@@ -185,7 +172,7 @@ def main():
try:
gpo_appliers[0].run()
except Exception as exc:
logdata = {'error': str(exc)}
logdata = dict({'error': str(exc)})
log('E5')
return int(ExitCodeUpdater.FAIL_GPUPDATE_COMPUTER_NOREPLY)
@@ -193,7 +180,7 @@ def main():
try:
gpo_appliers[1].run()
except Exception as exc:
logdata = {'error': str(exc)}
logdata = dict({'error': str(exc)})
log('E6', logdata)
return int(ExitCodeUpdater.FAIL_GPUPDATE_USER_NOREPLY)
else:

62
gpoa/gpupdate-setup
View File

@@ -2,7 +2,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -19,7 +19,9 @@
import os
import sys
import argparse
import subprocess
from util.util import (
runcmd
@@ -30,7 +32,6 @@ from util.util import (
)
from util.config import GPConfig
from util.paths import get_custom_policy_dir
from frontend.appliers.ini_file import Ini_file
class Runner:
@@ -78,7 +79,7 @@ def parse_arguments():
type=str,
nargs='?',
const='backend',
choices=['local', 'samba', 'freeipa'],
choices=['local', 'samba'],
help='Backend (source of settings) name')
parser_write.add_argument('status',
@@ -93,7 +94,7 @@ def parse_arguments():
type=str,
nargs='?',
const='backend',
choices=['local', 'samba', 'freeipa'],
choices=['local', 'samba'],
help='Backend (source of settings) name')
parser_enable.add_argument('--local-policy',
@@ -102,7 +103,7 @@ def parse_arguments():
parser_enable.add_argument('--backend',
default='samba',
type=str,
choices=['local', 'samba', 'freeipa'],
choices=['local', 'samba'],
help='Backend (source of settings) name')
parser_update.add_argument('--local-policy',
@@ -111,7 +112,7 @@ def parse_arguments():
parser_update.add_argument('--backend',
default='samba',
type=str,
choices=['local', 'samba', 'freeipa'],
choices=['local', 'samba'],
help='Backend (source of settings) name')
@@ -222,8 +223,6 @@ def enable_gp(policy_name, backend_type):
cmd_enable_gpupdate_user_timer = ['/bin/systemctl', '--global', 'enable', 'gpupdate-user.timer']
cmd_enable_gpupdate_scripts_service = ['/bin/systemctl', 'enable', 'gpupdate-scripts-run.service']
cmd_enable_gpupdate_user_scripts_service = ['/bin/systemctl', '--global', 'enable', 'gpupdate-scripts-run-user.service']
cmd_ipa_client_samba = ['/usr/sbin/ipa-client-samba', '--unattended']
config = GPConfig()
@@ -274,28 +273,6 @@ def enable_gp(policy_name, backend_type):
if not is_unit_enabled('gpupdate.timer'):
disable_gp()
return
if backend_type == 'freeipa':
result = runcmd(cmd_ipa_client_samba)
if result[0] != 0:
if "already configured" in str(result[1]) or "already exists" in str(result[1]):
print("FreeIPA is already configured")
else:
print(str(result))
return
else:
print(str(result))
ini_obj = type("ini", (), {})()
ini_obj.path = "/etc/samba/smb.conf"
ini_obj.section = "global"
ini_obj.action = "UPDATE"
ini_obj.property = "log level"
ini_obj.value = "0"
Ini_file(ini_obj)
# Enable gpupdate-setup.timer for all users
if not rollback_on_error(cmd_enable_gpupdate_user_timer):
return
@@ -367,19 +344,18 @@ def act_default_policy():
def main():
arguments = parse_arguments()
action = {
'list': act_list,
'list-backends': act_list_backends,
'status': act_status,
'set-backend': act_set_backend,
'write': act_write,
'enable': act_enable,
'update': act_enable,
'disable': disable_gp,
'active-policy': act_active_policy,
'active-backend': act_active_backend,
'default-policy': act_default_policy
}
action = dict()
action['list'] = act_list
action['list-backends'] = act_list_backends
action['status'] = act_status
action['set-backend'] = act_set_backend
action['write'] = act_write
action['enable'] = act_enable
action['update'] = act_enable
action['disable'] = disable_gp
action['active-policy'] = act_active_policy
action['active-backend'] = act_active_backend
action['default-policy'] = act_default_policy
if arguments.action == None:
action['status']()

212
gpoa/locale/ru_RU/LC_MESSAGES/gpoa.po
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -65,15 +65,6 @@ msgstr "Установка свойств для пользователя"
msgid "The line in the configuration file was cleared"
msgstr "В конфигурационном файле была очищена строка"
msgid "Found GPT in cache"
msgstr "Найден GPT в кеше"
msgid "Got GPO list for trusted user"
msgstr "Получен список GPO для доверенного пользователя"
msgid "Restarting systemd unit"
msgstr "Перезапуск unit systemd"
# Error
msgid "Insufficient permissions to run gpupdate"
msgstr "Недостаточно прав для запуска gpupdate"
@@ -261,30 +252,6 @@ msgstr "Не удалось обновить базу данных dconf"
msgid "Exception occurred while updating dconf database"
msgstr "Возникло исключение при обновлении базы данных dconf"
msgid "Failed to retrieve data from dconf database"
msgstr "Не удалось получить данные из базы dconf"
msgid "Autofs restart failed"
msgstr "Перезапуск Autofs не удался"
msgid "Failed to update LDAP with new password data"
msgstr "Не удалось обновить LDAP новыми данными пароля"
msgid "Failed to change local user password"
msgstr "Не удалось изменить пароль локального пользователя"
msgid "Unable to restart systemd unit"
msgstr "Не удалось перезапустить unit systemd"
msgid "Kerberos info unavailable; cannot construct DPAPI parameters"
msgstr "Информация Kerberos недоступна; невозможно сформировать параметры DPAPI"
msgid "Unable to initialize Freeipa backend"
msgstr "Невозможно инициализировать бэкэнд Freeipa"
msgid "FreeIPA API Error"
msgstr "Ошибка API FreeIPA"
# Error_end
# Debug
@@ -297,6 +264,12 @@ msgstr "Имя пользователя не указано - будет исп
msgid "Initializing plugin manager"
msgstr "Инициализация плагинов"
msgid "ADP plugin initialized"
msgstr "Инициализирован плагин ADP"
msgid "Running ADP plugin"
msgstr "Запущен плагин ADP"
msgid "Starting GPOA for user via D-Bus"
msgstr "Запускается GPOA для пользователя обращением к oddjobd через D-Bus"
@@ -654,11 +627,11 @@ msgstr "Запуск применение настроек Envvar для маш
msgid "Envvar applier for machine will not be started"
msgstr "Применение настроек Envvar для машины не запускается"
msgid "Running Envvar applier for user in admin context"
msgstr "Запуск применение настроек Envvar для пользователя в контексте администратора"
msgid "Running Envvar applier for user in user context"
msgstr "Запуск применение настроек Envvar для пользователя в контексте пользователя"
msgid "Envvar applier for user in admin context will not be started"
msgstr "Применение настроек Envvar для пользователя в контексте администратора не запускается"
msgid "Envvar applier for user in user context will not be started"
msgstr "Применение настроек Envvar для пользователя в контексте пользователя не запускается"
msgid "Running Package applier for machine"
msgstr "Запуск установки пакетов для машины"
@@ -897,93 +870,6 @@ msgstr "Создание ini-файла с политиками для dconf"
msgid "GPO version was not found"
msgstr "Версия GPO не найдена"
msgid "SYSVOL entry found in cache"
msgstr "Запись SYSVOL найдена в кеше"
msgid "Wrote Thunderbird preferences to"
msgstr "Настройки Thunderbird записаны в"
msgid "Running Thunderbird applier for machine"
msgstr "Запуск применение настроек Thunderbird для машины"
msgid "Thunderbird applier for machine will not be started"
msgstr "Применение настроек Thunderbird для компьютера не запускается"
msgid "The environment file has been cleaned"
msgstr "Файл environment очищен"
msgid "Cleanup of file environment failed"
msgstr "Очистка файла environment не удалась"
msgid "Failed to get dictionary"
msgstr "Не удалось получить словарь"
msgid "LAPS applier started"
msgstr "Запущен обработчик LAPS"
msgid "LAPS applier is disabled"
msgstr "Обработчик LAPS отключен"
msgid "Rebooting system after password change"
msgstr "Перезагрузка системы после смены пароля"
msgid "Password changed"
msgstr "Пароль изменён"
msgid "Writing password changes time"
msgstr "Запись времени изменения пароля"
msgid "Requirements not met"
msgstr "Требования не выполнены"
msgid "The number of hours from the moment of the last user entrance"
msgstr "Количество часов с момента последнего входа пользователя"
msgid "The number of hours since the password has last changed"
msgstr "Количество часов с момента последнего изменения пароля"
msgid "LDAP updated with new password data"
msgstr "LDAP обновлён новыми данными пароля"
msgid "No active sessions found"
msgstr "Активные сеансы не найдены"
msgid "Process terminated"
msgstr "Процесс завершён"
msgid "Password update not needed"
msgstr "Обновление пароля не требуется"
msgid "Password successfully updated"
msgstr "Пароль успешно обновлён"
msgid "Cleaning the autofs catalog"
msgstr "Очистка каталога autofs"
msgid "No user login records found"
msgstr "Не найдены записи о входе пользователя"
msgid "Calculating time since the first user login after their password change"
msgstr "Расчет времени с момента первого входа пользователя после изменения их пароля"
msgid "No logins found after password change"
msgstr "Не найдены входы после изменения пароля"
msgid "User not found in passwd database"
msgstr "Пользователь не найден в базе данных паролей"
msgid "Unknown message type, no message assigned"
msgstr "Неизвестный тип сообщения"
msgid "Plugin is disabled"
msgstr "Плагин отключен"
msgid "Running plugin"
msgstr "Запуск плагина"
msgid "Failed to load cached versions"
msgstr "Не удалось загрузить кешированные версии"
# Debug_end
# Warning
@@ -1036,8 +922,8 @@ msgstr "Не удалось скопировать файл"
msgid "Failed to create KDE settings list"
msgstr "Не удалось создать список настроек KDE"
msgid "Could not find tools to configure KDE"
msgstr "Не удалось найти инструменты для настройки KDE"
msgid "Could not find application tools"
msgstr "Не удалось найти инструменты применения"
msgid "Failed to open KDE settings"
msgstr "Не удалось открыть настройки KDE"
@@ -1060,74 +946,6 @@ msgstr "Не удалось выполнить действие для INI-фа
msgid "Couldn't get the uid"
msgstr "Не удалось получить uid"
msgid "Failed to load content from remote host"
msgstr "Не удалось загрузить контент с удаленного узла"
msgid "Force mode activated"
msgstr "Режим force задействован"
msgid "Failed to change password"
msgstr "Не удалось изменить пароль"
msgid "Failed to write password modification time"
msgstr "Не удалось записать время изменения пароля"
msgid "LAPS requirements not met, module disabled"
msgstr "Требования LAPS не выполнены, модуль отключён"
msgid "Could not resolve encryption principal name. Return admin group SID"
msgstr "Не удалось определить имя шифрования. Возвращён SID группы администраторов"
msgid "Failed to get expiration time from LDAP"
msgstr "Не удалось получить время истечения срока действия из LDAP"
msgid "Failed to read password modification time from dconf"
msgstr "Не удалось прочитать время изменения пароля из dconf"
msgid "Failed to get last login time"
msgstr "Не удалось получить время последнего входа"
msgid "Failed to calculate password age"
msgstr "Не удалось вычислить возраст пароля"
msgid "Failed to terminate process"
msgstr "Не удалось завершить процесс"
msgid "The user was not found to change the password"
msgstr "Пользователь для изменения пароля не был найден"
msgid "Error while cleaning the autofs catalog"
msgstr "Ошибка при очистке каталога autofs"
msgid "Problem with timezone detection"
msgstr "Проблема с определением часового пояса"
msgid "Error executing last command"
msgstr "Ошибка выполнения команды last"
msgid "Last command not found"
msgstr "Команда last не найдена"
msgid "Error getting user login times"
msgstr "Ошибка получения времени входа пользователя"
msgid "Invalid timezone in reference datetime"
msgstr "Некорректный часовой пояс в reference datetime"
msgid "wbinfo SID lookup failed; will try as trusted domain user"
msgstr "Ошибка получения SID через wbinfo; будет предпринята попытка как для пользователя доверенного домена"
msgid "Plugin is not valid API object"
msgstr "Плагин не является допустимым объектом API"
msgid "Error loading plugin from file"
msgstr "Ошибка загрузки плагина из файла"
msgid "Plugin failed to apply with user privileges"
msgstr "Плагин не смог примениться с правами пользователя"
# Warning_end
# Fatal
msgid "Unable to refresh GPO list"
msgstr "Невозможно обновить список объектов групповых политик"
@@ -1141,5 +959,7 @@ msgstr "Не удалось получить GPT для пользователя
msgid "Unknown fatal code"
msgstr "Неизвестный код фатальной ошибки"
# get_message
msgid "Unknown message type, no message assigned"
msgstr "Неизвестный тип сообщения"

89
gpoa/messages/__init__.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -19,9 +19,8 @@
import gettext
def info_code(code):
info_ids = {}
info_ids = dict()
info_ids[1] = 'Got GPO list for username'
info_ids[2] = 'Got GPO'
info_ids[3] = 'Working with control'
@@ -32,14 +31,11 @@ def info_code(code):
info_ids[8] = 'Chromium policy'
info_ids[9] = 'Set user property to'
info_ids[10] = 'The line in the configuration file was cleared'
info_ids[11] = 'Found GPT in cache'
info_ids[12] = 'Got GPO list for trusted user'
info_ids[13] = 'Restarting systemd unit'
return info_ids.get(code, 'Unknown info code')
def error_code(code):
error_ids = {}
error_ids = dict()
error_ids[1] = 'Insufficient permissions to run gpupdate'
error_ids[2] = 'gpupdate will not be started'
error_ids[3] = 'Backend execution error'
@@ -48,7 +44,7 @@ def error_code(code):
error_ids[6] = 'Error running GPOA for user'
error_ids[7] = 'Unable to initialize Samba backend'
error_ids[8] = 'Unable to initialize no-domain backend'
error_ids[9] = 'Error running plugin'
error_ids[9] = 'Error running ADP'
error_ids[10] = 'Unable to determine DC hostname'
error_ids[11] = 'Error occured while running applier with user privileges'
error_ids[12] = 'Unable to initialize backend'
@@ -111,23 +107,15 @@ def error_code(code):
error_ids[70] = 'Error getting key value'
error_ids[71] = 'Failed to update dconf database'
error_ids[72] = 'Exception occurred while updating dconf database'
error_ids[73] = 'Failed to retrieve data from dconf database'
error_ids[74] = 'Autofs restart failed'
error_ids[75] = 'Failed to update LDAP with new password data'
error_ids[76] = 'Failed to change local user password'
error_ids[77] = 'Unable to restart systemd unit'
error_ids[78] = 'Kerberos info unavailable; cannot construct DPAPI parameters'
error_ids[79] = 'Unable to initialize Freeipa backend'
error_ids[80] = 'FreeIPA API error'
return error_ids.get(code, 'Unknown error code')
def debug_code(code):
debug_ids = {}
debug_ids = dict()
debug_ids[1] = 'The GPOA process was started for user'
debug_ids[2] = 'Username is not specified - will use username of the current process'
debug_ids[3] = 'Initializing plugin manager'
debug_ids[4] = 'Running plugin'
#debug_ids[5] = ''
debug_ids[4] = 'ADP plugin initialized'
debug_ids[5] = 'Running ADP plugin'
debug_ids[6] = 'Starting GPOA for user via D-Bus'
debug_ids[7] = 'Cache directory determined'
debug_ids[8] = 'Initializing local backend without domain'
@@ -258,8 +246,8 @@ def debug_code(code):
debug_ids[133] = 'NTP applier for machine will not be started'
debug_ids[134] = 'Running Envvar applier for machine'
debug_ids[135] = 'Envvar applier for machine will not be started'
debug_ids[136] = 'Running Envvar applier for user in admin context'
debug_ids[137] = 'Envvar applier for user in admin context will not be started'
debug_ids[136] = 'Running Envvar applier for user in user context'
debug_ids[137] = 'Envvar applier for user in user context will not be started'
debug_ids[138] = 'Running Package applier for machine'
debug_ids[139] = 'Package applier for machine will not be started'
debug_ids[140] = 'Running Package applier for user in administrator context'
@@ -332,38 +320,12 @@ def debug_code(code):
debug_ids[207] = 'Creating a dictionary with keys and values from the dconf database'
debug_ids[208] = 'No entry found for the specified path'
debug_ids[209] = 'Creating an ini file with policies for dconf'
debug_ids[211] = 'SYSVOL entry found in cache'
debug_ids[212] = 'Wrote Thunderbird preferences to'
debug_ids[213] = 'Running Thunderbird applier for machine'
debug_ids[214] = 'Thunderbird applier for machine will not be started'
debug_ids[215] = 'The environment file has been cleaned'
debug_ids[216] = 'Cleanup of file environment failed'
debug_ids[217] = 'Failed to get dictionary'
debug_ids[218] = 'LAPS applier started'
debug_ids[219] = 'LAPS applier is disabled'
debug_ids[220] = 'Rebooting system after password change'
debug_ids[221] = 'Password changed'
debug_ids[222] = 'Writing password changes time'
debug_ids[223] = 'Requirements not met'
debug_ids[224] = 'The number of hours from the moment of the last user entrance'
debug_ids[225] = 'The number of hours since the password has last changed'
debug_ids[226] = 'LDAP updated with new password data'
debug_ids[227] = 'No active sessions found'
debug_ids[228] = 'Process terminated'
debug_ids[229] = 'Password update not needed'
debug_ids[230] = 'Password successfully updated'
debug_ids[231] = 'Cleaning the autofs catalog'
debug_ids[232] = 'No user login records found'
debug_ids[233] = 'Calculating time since the first user login after their password change'
debug_ids[234] = 'No logins found after password change'
debug_ids[235] = 'User not found in passwd database'
debug_ids[236] = 'Plugin is disabled'
debug_ids[237] = 'Failed to load cached versions'
debug_ids[210] = 'GPO version was not found'
return debug_ids.get(code, 'Unknown debug code')
def warning_code(code):
warning_ids = {}
warning_ids = dict()
warning_ids[1] = (
'Unable to perform gpupdate for non-existent user, '
'will update machine settings'
@@ -386,7 +348,7 @@ def warning_code(code):
warning_ids[14] = 'Could not create a valid list of keys'
warning_ids[15] = 'Failed to copy file'
warning_ids[16] = 'Failed to create KDE settings list'
warning_ids[17] = 'Could not find tools to configure KDE'
warning_ids[17] = 'Could not find application tools'
warning_ids[18] = 'Failed to open KDE settings'
warning_ids[19] = 'Failed to change KDE configuration file'
warning_ids[20] = 'Error connecting to server'
@@ -394,33 +356,12 @@ def warning_code(code):
warning_ids[22] = 'The user setting was not installed, conflict with computer setting'
warning_ids[23] = 'Action for ini file failed'
warning_ids[24] = 'Couldn\'t get the uid'
warning_ids[25] = 'Failed to load content from remote host'
warning_ids[26] = 'Force mode activated'
warning_ids[27] = 'Failed to change password'
warning_ids[28] = 'Failed to write password modification time'
warning_ids[29] = 'LAPS requirements not met, module disabled'
warning_ids[30] = 'Could not resolve encryption principal name. Return admin group SID'
warning_ids[31] = 'Failed to get expiration time from LDAP'
warning_ids[32] = 'Failed to read password modification time from dconf'
warning_ids[33] = 'Failed to get last login time'
warning_ids[34] = 'Failed to calculate password age'
warning_ids[35] = 'Failed to terminate process'
warning_ids[36] = 'The user was not found to change the password'
warning_ids[37] = 'Error while cleaning the autofs catalog'
warning_ids[38] = 'Problem with timezone detection'
warning_ids[39] = 'Error executing last command'
warning_ids[40] = 'Last command not found'
warning_ids[41] = 'Error getting user login times'
warning_ids[42] = 'Invalid timezone in reference datetime'
warning_ids[43] = 'wbinfo SID lookup failed; will try as trusted domain user'
warning_ids[44] = 'Plugin is not valid API object'
warning_ids[45] = 'Error loading plugin from file'
warning_ids[46] = 'Plugin failed to apply with user privileges'
return warning_ids.get(code, 'Unknown warning code')
def fatal_code(code):
fatal_ids = {}
fatal_ids = dict()
fatal_ids[1] = 'Unable to refresh GPO list'
fatal_ids[2] = 'Error getting GPTs for machine'
fatal_ids[3] = 'Error getting GPTs for user'
@@ -444,7 +385,7 @@ def get_message(code):
return retstr
def message_with_code(code):
retstr = 'core' + '[' + code[0:1] + code[1:].rjust(7, '0') + ']| ' + gettext.gettext(get_message(code))
retstr = '[' + code[0:1] + code[1:].rjust(5, '0') + ']| ' + gettext.gettext(get_message(code))
return retstr

56
gpoa/pkcon_runner
View File

@@ -20,12 +20,15 @@
import rpm
import subprocess
from gpoa.storage import registry_factory
from util.util import get_uid_by_username, string_to_literal_eval
import logging
from util.logging import log
import argparse
import gettext
import locale
from messages import message_with_code
from util.arguments import (
set_loglevel
)
def is_rpm_installed(rpm_name):
@@ -42,53 +45,51 @@ def is_rpm_installed(rpm_name):
class Pkcon_applier:
def __init__(self, user = None):
install_key_name = 'Install'
remove_key_name = 'Remove'
hklm_branch = 'Software/BaseALT/Policies/Packages'
self.__install_key_name = 'Install'
self.__remove_key_name = 'Remove'
self.__hklm_branch = '/Software/BaseALT/Policies/Packages'
self.__install_command = ['/usr/bin/pkcon', '-y', 'install']
self.__remove_command = ['/usr/bin/pkcon', '-y', 'remove']
self.__reinstall_command = ['/usr/bin/pkcon', '-y', 'reinstall']
self.install_packages = set()
self.remove_packages = set()
self.storage = registry_factory()
if user:
uid = get_uid_by_username(user)
dict_dconf_db = self.storage.get_dictionary_from_dconf_file_db(uid)
else:
dict_dconf_db = self.storage.get_dictionary_from_dconf_file_db()
dict_packages = dict_dconf_db.get(hklm_branch,{})
self.install_packages_setting = string_to_literal_eval(dict_packages.get(install_key_name,[]))
self.remove_packages_setting = string_to_literal_eval(dict_packages.get(remove_key_name,[]))
self.storage = registry_factory(username=user)
self.storage.filling_storage_from_dconf()
install_branch = '{}/{}'.format(self.__hklm_branch, self.__install_key_name)
remove_branch = '{}/{}'.format(self.__hklm_branch, self.__remove_key_name)
self.install_packages_setting = self.storage.filter_hklm_entries(install_branch)
self.remove_packages_setting = self.storage.filter_hklm_entries(remove_branch)
for package in self.install_packages_setting:
package = package.strip()
if not is_rpm_installed(package):
self.install_packages.add(package)
if not is_rpm_installed(package.data):
self.install_packages.add(package.data)
for package in self.remove_packages_setting:
package = package.strip()
if package in self.install_packages:
self.install_packages.remove(package)
if is_rpm_installed(package):
self.remove_packages.add(package)
if package.data in self.install_packages:
self.install_packages.remove(package.data)
if is_rpm_installed(package.data):
self.remove_packages.add(package.data)
def apply(self):
log('D142')
self.update()
for package in self.remove_packages:
logdata = {'name': package}
try:
logdata = dict()
logdata['name'] = package
log('D149', logdata)
self.remove_pkg(package)
except Exception as exc:
logdata = dict()
logdata['exc'] = exc
log('E58', logdata)
for package in self.install_packages:
logdata = {'name': package}
try:
logdata = dict()
logdata['name'] = package
log('D148', logdata)
self.install_pkg(package)
except Exception as exc:
logdata = dict()
logdata['exc'] = exc
log('E57', logdata)
@@ -102,7 +103,7 @@ class Pkcon_applier:
pass
def remove_pkg(self, package_name):
fullcmd = list(self.__remove_command)
fullcmd = self.__remove_command
fullcmd.append(package_name)
return subprocess.check_output(fullcmd)
@@ -113,14 +114,15 @@ class Pkcon_applier:
try:
res = subprocess.check_output(['/usr/bin/apt-get', 'update'], encoding='utf-8')
msg = str(res).split('\n')
logdata = {}
logdata = dict()
for mslog in msg:
ms = str(mslog).split(' ')
if ms:
logdata = {ms[0]: ms[1:-1]}
log('D143', logdata)
except Exception as exc:
logdata = {'msg': exc}
logdata = dict()
logdata['msg'] = exc
log('E56',logdata)
if __name__ == '__main__':

1
gpoa/plugin/__init__.py
View File

@@ -17,5 +17,4 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from .plugin_manager import plugin_manager
from .messages import register_plugin_messages, get_plugin_message, get_all_plugin_messages

41
gpoa/plugin/adp.py Normal file
View File

@@ -0,0 +1,41 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import logging
import subprocess
from util.rpm import is_rpm_installed
from .exceptions import PluginInitError
from util.logging import slogm
from messages import message_with_code
class adp:
def __init__(self):
if not is_rpm_installed('adp'):
raise PluginInitError(message_with_code('W5'))
logging.info(slogm(message_with_code('D4')))
def run(self):
try:
logging.info(slogm(message_with_code('D5')))
subprocess.call(['/usr/bin/adp', 'fetch'])
subprocess.call(['/usr/bin/adp', 'apply'])
except Exception as exc:
logging.error(slogm(message_with_code('E9')))
raise exc

180
gpoa/plugin/messages.py
View File

@@ -1,180 +0,0 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Plugin message registry for GPOA plugins.
This module allows plugins to register their message codes and descriptions
without modifying the main messages.py file.
"""
import os
import sys
import inspect
import gettext
import importlib.util
from pathlib import Path
_plugin_messages = {}
_plugin_translations = {}
def _load_plugin_translations(domain):
"""
Load translations for a specific plugin from its locale directory.
Dynamically searches for plugin modules across the entire project.
Args:
domain (str): Plugin domain/prefix
"""
try:
# Try to find the plugin module that registered these messages
for prefix, msgs in _plugin_messages.items():
if prefix == domain:
# Search through all loaded modules to find the plugin class
for module_name, module in list(sys.modules.items()):
if module and hasattr(module, '__dict__'):
for name, obj in module.__dict__.items():
# Check if this is a class with the domain attribute
if (isinstance(obj, type) and
hasattr(obj, 'domain') and
obj.domain == domain):
# Found the plugin class, now find its file
try:
plugin_file = Path(inspect.getfile(obj))
plugin_dir = plugin_file.parent
# Look for locale directory in plugin directory
locale_dir = plugin_dir / 'locale'
if locale_dir.exists():
# Try to load translations
lang = 'ru_RU' # Default to Russian
lc_messages_dir = locale_dir / lang / 'LC_MESSAGES'
if lc_messages_dir.exists():
# Look for .po files
po_files = list(lc_messages_dir.glob('*.po'))
for po_file in po_files:
try:
translation = gettext.translation(
po_file.stem,
localedir=str(locale_dir),
languages=[lang]
)
_plugin_translations[domain] = translation
return # Successfully loaded translations
except FileNotFoundError:
continue
# If not found in plugin directory, check parent directories
# (for plugins that are in subdirectories)
parent_dirs_to_check = [
plugin_dir.parent / 'locale', # Parent directory
plugin_dir.parent.parent / 'locale' # Grandparent directory
]
for parent_locale_dir in parent_dirs_to_check:
if parent_locale_dir.exists():
lang = 'ru_RU'
lc_messages_dir = parent_locale_dir / lang / 'LC_MESSAGES'
if lc_messages_dir.exists():
po_files = list(lc_messages_dir.glob('*.po'))
for po_file in po_files:
try:
translation = gettext.translation(
po_file.stem,
localedir=str(parent_locale_dir),
languages=[lang]
)
_plugin_translations[domain] = translation
return # Successfully loaded translations
except FileNotFoundError:
continue
except (TypeError, OSError):
# Could not get file path for the class
continue
break
# If not found through module inspection, try system-wide gpupdate plugins directory
gpupdate_plugins_locale = Path('/usr/lib/gpupdate/plugins/locale')
if gpupdate_plugins_locale.exists():
lang = 'ru_RU'
lc_messages_dir = gpupdate_plugins_locale / lang / 'LC_MESSAGES'
if lc_messages_dir.exists():
# Look for .po files matching the plugin prefix
po_files = list(lc_messages_dir.glob(f'*{domain.lower()}*.po'))
if not po_files:
# Try any .po file if no specific match
po_files = list(lc_messages_dir.glob('*.po'))
for po_file in po_files:
try:
translation = gettext.translation(
po_file.stem,
localedir=str(gpupdate_plugins_locale),
languages=[lang]
)
_plugin_translations[domain] = translation
return # Successfully loaded translations
except FileNotFoundError:
continue
except Exception:
# Silently fail if translations cannot be loaded
pass
def register_plugin_messages(domain, messages_dict):
"""
Register message codes for a plugin.
Args:
domain (str): Plugin domain/prefix
messages_dict (dict): Dictionary mapping message codes to descriptions
"""
_plugin_messages[domain] = messages_dict
# Try to load plugin-specific translations
_load_plugin_translations(domain)
def get_plugin_message(domain, code):
"""
Get message description for a plugin-specific code.
Args:
domain (str): Plugin domain/prefix
code (int): Message code
Returns:
str: Message description or generic message if not found
"""
plugin_msgs = _plugin_messages.get(domain, {})
message_text = plugin_msgs.get(code, f"Plugin {domain} message {code}")
# Try to translate the message if translations are available
translation = _plugin_translations.get(domain)
if translation:
try:
return translation.gettext(message_text)
except:
pass
return message_text
def get_all_plugin_messages():
"""
Get all registered plugin messages.
Returns:
dict: Dictionary of all registered plugin messages
"""
return _plugin_messages.copy()

73
gpoa/plugin/plugin.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,75 +16,12 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from abc import ABC, abstractmethod
from typing import final
from gpoa.util.util import string_to_literal_eval
from gpoa.util.logging import log
from gpoa.plugin.plugin_log import PluginLog
from gpoa.storage.dconf_registry import Dconf_registry
from abc import ABC
class plugin(ABC):
def __init__(self, dict_dconf_db={}, username=None, fs_file_cache=None):
self.dict_dconf_db = dict_dconf_db
self.file_cache = fs_file_cache
self.username = username
self._log = None
self.plugin_name = self.__class__.__name__
class plugin():
def __init__(self, plugin_name):
self.plugin_name = plugin_name
@final
def apply(self):
"""Apply the plugin with current privileges"""
self.run()
@final
def apply_user(self, username):
"""Apply the plugin with user privileges"""
from util.system import with_privileges
def run_with_user():
try:
result = self.run()
# Ensure result is JSON-serializable
return {"success": True, "result": result}
except Exception as exc:
# Return error information in JSON-serializable format
return {"success": False, "error": str(exc)}
try:
execution_result = with_privileges(username, run_with_user)
if execution_result and execution_result.get("success"):
result = execution_result.get("result", True)
return result
else:
return False
except:
return False
@final
def get_dict_registry(self, prefix=''):
"""Get the dictionary from the registry"""
return string_to_literal_eval(self.dict_dconf_db.get(prefix,{}))
def _init_plugin_log(self, message_dict=None, locale_dir=None, domain=None):
"""Initialize plugin-specific logger with message codes."""
self._log = PluginLog(message_dict, locale_dir, domain, self.plugin_name)
def log(self, message_code, data=None):
"""
Log message using plugin-specific logger with message codes.
Args:
message_code (str): Message code in format 'W1', 'E2', etc.
data (dict): Additional data for message formatting
"""
if self._log:
self._log(message_code, data)
else:
# Fallback to basic logging
level_char = message_code[0] if message_code else 'E'
log(level_char, {"plugin": self.__class__.__name__, "message": f"Message {message_code}", "data": data})
@abstractmethod
def run(self):
pass

44
gpoa/plugin/plugin_base.py
View File

@@ -1,44 +0,0 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from abc import abstractmethod
from gpoa.plugin.plugin import plugin
class FrontendPlugin(plugin):
"""
Base class for frontend plugins with simplified logging support.
"""
def __init__(self, dict_dconf_db={}, username=None, fs_file_cache=None):
super().__init__(dict_dconf_db, username, fs_file_cache)
@abstractmethod
def run(self):
"""
Abstract method that must be implemented by concrete plugins.
This method should contain the main plugin execution logic.
"""
pass

276
gpoa/plugin/plugin_log.py
View File

@@ -1,276 +0,0 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import gettext
import locale
import logging
import inspect
from pathlib import Path
from gpoa.util.logging import slogm
from gpoa.plugin.messages import register_plugin_messages
class PluginLog:
"""
Plugin logging class with message codes and translations support.
Usage:
log = PluginLog({
'w': {1: 'Warning message template {param}'},
'e': {1: 'Error message template {param}'},
'i': {1: 'Info message template {param}'},
'd': {1: 'Debug message template {param}'}
}, domain='dm_applier')
log('W1', {'param': 'value'})
"""
def __init__(self, message_dict=None, locale_dir=None, domain=None, plugin_name=None):
"""
Initialize plugin logger.
Args:
message_dict (dict): Dictionary with message templates
locale_dir (str): Path to locale directory for translations
domain (str): Translation domain name (required for translations)
"""
self.message_dict = message_dict or {}
self.locale_dir = locale_dir
self.domain = domain or 'plugin'
self._translation = None
self.plugin_name = plugin_name
# Register plugin messages
if message_dict:
# Convert to flat dictionary for registration
flat_messages = {}
for level, level_dict in message_dict.items():
for code, message in level_dict.items():
flat_messages[code] = message
register_plugin_messages(self.domain, flat_messages)
# Auto-detect locale directory only if explicitly None (not provided)
# If locale_dir is an empty string or other falsy value, don't auto-detect
if self.locale_dir is None:
self._auto_detect_locale_dir()
# Load translations
self._load_translations()
def _auto_detect_locale_dir(self):
"""Auto-detect locale directory based on plugin file location."""
try:
# Try to find the calling plugin module
frame = inspect.currentframe()
while frame:
module = frame.f_globals.get('__name__', '')
if module and 'plugin' in module:
module_file = frame.f_globals.get('__file__', '')
if module_file:
plugin_dir = Path(module_file).parent
# First try: locale directory in plugin's own directory
locale_candidate = plugin_dir / 'locale'
if locale_candidate.exists():
self.locale_dir = str(locale_candidate)
return
# Second try: common locale directory for frontend plugins
if 'frontend_plugins' in str(plugin_dir):
frontend_plugins_dir = plugin_dir.parent
common_locale_dir = frontend_plugins_dir / 'locale'
if common_locale_dir.exists():
self.locale_dir = str(common_locale_dir)
return
frame = frame.f_back
# Third try: relative to current working directory
cwd_locale = Path.cwd() / 'gpoa' / 'frontend_plugins' / 'locale'
if cwd_locale.exists():
self.locale_dir = str(cwd_locale)
return
# Fourth try: relative to script location
script_dir = Path(__file__).parent.parent.parent / 'frontend_plugins' / 'locale'
if script_dir.exists():
self.locale_dir = str(script_dir)
return
# Fifth try: system installation path for frontend plugins
system_paths = [
'/usr/lib/python3/site-packages/gpoa/frontend_plugins/locale',
'/usr/local/lib/python3/site-packages/gpoa/frontend_plugins/locale'
]
for path in system_paths:
if os.path.exists(path):
self.locale_dir = path
return
# Sixth try: system-wide gpupdate package locale directory
gpupdate_package_locale = Path('/usr/lib/python3/site-packages/gpoa/locale')
if gpupdate_package_locale.exists():
self.locale_dir = str(gpupdate_package_locale)
return
# Seventh try: system-wide locale directory (fallback)
system_locale_dir = Path('/usr/share/locale')
if system_locale_dir.exists():
self.locale_dir = str(system_locale_dir)
return
except:
pass
def _load_translations(self):
"""Load translations for the plugin using system locale."""
if self.locale_dir:
# Use only self.domain as the translation file name
# This aligns with the convention that plugin translation files
# are always named according to the domain
domain = self.domain
try:
# Get system locale
system_locale = locale.getdefaultlocale()[0]
languages = [system_locale] if system_locale else ['ru_RU']
# First try: load from the detected locale_dir without fallback
try:
self._translation = gettext.translation(
domain,
localedir=self.locale_dir,
languages=languages,
fallback=False
)
except FileNotFoundError:
# File not found, try with fallback
self._translation = gettext.translation(
domain,
localedir=self.locale_dir,
languages=languages,
fallback=True
)
# Check if we got real translations or NullTranslations
if isinstance(self._translation, gettext.NullTranslations):
# Try loading from system locale directory as fallback
try:
self._translation = gettext.translation(
domain,
localedir='/usr/share/locale',
languages=languages,
fallback=False
)
except FileNotFoundError:
# File not found in system directory, use fallback
self._translation = gettext.translation(
domain,
localedir='/usr/share/locale',
languages=languages,
fallback=True
)
except Exception:
# If any exception occurs, fall back to NullTranslations
self._translation = gettext.NullTranslations()
# Ensure _translation is set even if all attempts failed
if not hasattr(self, '_translation'):
self._translation = gettext.NullTranslations()
else:
self._translation = gettext.NullTranslations()
def _get_message_template(self, level, code):
"""Get message template for given level and code."""
level_dict = self.message_dict.get(level, {})
return level_dict.get(code, 'Unknown message {code}')
def _format_message(self, level, code, data=None):
"""Format message with data and apply translation."""
template = self._get_message_template(level, code)
# Apply translation
translated_template = self._translation.gettext(template)
# Format with data if provided
if data and isinstance(data, dict):
try:
return translated_template.format(**data)
except:
return "{} | {}".format(translated_template, data)
return translated_template
def _get_full_code(self, level_char, code):
"""Get full message code without plugin prefix."""
return f"{level_char}{code:05d}"
def __call__(self, message_code, data=None):
"""
Log a message with the given code and data.
Args:
message_code (str): Message code in format 'W1', 'E2', etc.
data (dict): Additional data for message formatting
"""
if not message_code or len(message_code) < 2:
logging.error(slogm("Invalid message code format", {"code": message_code}))
return
level_char = message_code[0].lower()
try:
code_num = int(message_code[1:])
except ValueError:
logging.error(slogm("Invalid message code number", {"code": message_code}))
return
# Get the formatted message
message = self._format_message(level_char, code_num, data)
# Create full message code for logging
full_code = self._get_full_code(level_char.upper(), code_num)
# Format the log message like main code: [Code]| Message | data
full_code = self._get_full_code(level_char.upper(), code_num)
log_message = f"{self.plugin_name}[{full_code}]| {message}"
if data:
log_message += f"|{data}"
# Log with appropriate level - no kwargs needed
if level_char == 'i':
logging.info(slogm(log_message))
elif level_char == 'w':
logging.warning(slogm(log_message))
elif level_char == 'e':
logging.error(slogm(log_message))
elif level_char == 'd':
logging.debug(slogm(log_message))
elif level_char == 'f':
logging.fatal(slogm(log_message))
else:
logging.info(slogm(log_message))
def info(self, code, data=None):
"""Log info message."""
self(f"I{code}", data)
def warning(self, code, data=None):
"""Log warning message."""
self(f"W{code}", data)
def error(self, code, data=None):
"""Log error message."""
self(f"E{code}", data)
def debug(self, code, data=None):
"""Log debug message."""
self(f"D{code}", data)
def fatal(self, code, data=None):
"""Log fatal message."""
self(f"F{code}", data)

210
gpoa/plugin/plugin_manager.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,203 +16,25 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import importlib.util
import inspect
from pathlib import Path
from gpoa.util.logging import log
from gpoa.util.paths import gpupdate_plugins_path
from gpoa.util.util import string_to_literal_eval
import logging
from .adp import adp
from .roles import roles
from .exceptions import PluginInitError
from .plugin import plugin
from gpoa.storage import registry_factory
from gpoa.storage.fs_file_cache import fs_file_cache
from gpoa.util.util import get_uid_by_username
from util.logging import slogm
from messages import message_with_code
class plugin_manager:
def __init__(self, is_machine, username):
self.is_machine = is_machine
self.username = username
self.file_cache = fs_file_cache('file_cache', self.username)
self.list_plugins = []
self.dict_dconf_db = self.get_dict_dconf_db()
self.filling_settings()
self.plugins = self.load_plugins()
log('D3')
def get_dict_dconf_db(self):
dconf_storage = registry_factory()
if self.username and not self.is_machine:
uid = get_uid_by_username(self.username)
dict_dconf_db = dconf_storage.get_dictionary_from_dconf_file_db(uid)
else:
dict_dconf_db = dconf_storage.get_dictionary_from_dconf_file_db()
return dict_dconf_db
def filling_settings(self):
"""Filling in settings"""
dict_gpupdate_key = string_to_literal_eval(
self.dict_dconf_db.get('Software/BaseALT/Policies/GPUpdate',{}))
self.plugins_enable = dict_gpupdate_key.get('Plugins')
self.plugins_list = dict_gpupdate_key.get('PluginsList')
def check_enabled_plugin(self, plugin_name):
"""Check if the plugin is enabled"""
if not self.plugins_enable:
return False
if isinstance(self.plugins_list, list):
return plugin_name in self.plugins_list
# if the list is missing or not a list, consider the plugin enabled
return True
def __init__(self):
self.plugins = dict()
logging.debug(slogm(message_with_code('D3')))
try:
self.plugins['adp'] = adp()
except PluginInitError as exc:
logging.warning(slogm(str(exc)))
def run(self):
"""Run the plugins with appropriate privileges"""
for plugin_obj in self.plugins:
if self.is_valid_api_object(plugin_obj):
# Set execution context for plugins that support it
if hasattr(plugin_obj, 'set_context'):
plugin_obj.set_context(self.is_machine, self.username)
if self.check_enabled_plugin(plugin_obj.plugin_name):
log('D4', {'plugin_name': plugin_obj.plugin_name})
self.plugins.get('adp', plugin('adp')).run()
self.plugins.get('roles', plugin('roles')).run()
# Use apply_user for user context, apply for machine context
if not self.is_machine and self.username:
result = plugin_obj.apply_user(self.username)
if result is False:
log('W46', {'plugin_name': plugin_obj.plugin_name, 'username': self.username})
else:
plugin_obj.apply()
else:
log('D236', {'plugin_name': plugin_obj.plugin_name})
else:
log('W44', {'plugin_name': getattr(plugin_obj, 'plugin_name', 'unknown')})
def load_plugins(self):
"""Load plugins from multiple directories"""
plugins = []
# Default plugin directories
plugin_dirs = [
# Frontend plugins
Path(gpupdate_plugins_path()).absolute(),
# System-wide plugins
Path("/usr/lib/gpupdate/plugins")
]
for plugin_dir in plugin_dirs:
if plugin_dir.exists() and plugin_dir.is_dir():
plugins.extend(self._load_plugins_from_directory(plugin_dir))
return plugins
def _load_plugins_from_directory(self, directory):
"""Load plugins from a specific directory"""
plugins = []
for file_path in directory.glob("*.py"):
if file_path.name == "__init__.py":
continue
try:
plugin_obj = self._load_plugin_from_file(file_path)
if plugin_obj:
plugins.append(plugin_obj)
except Exception as exc:
log('W45', {'plugin_file': file_path.name, 'error': str(exc)})
return plugins
def _load_plugin_from_file(self, file_path):
"""Load a single plugin from a Python file"""
module_name = file_path.stem
# Load the module
spec = importlib.util.spec_from_file_location(module_name, file_path)
if not spec or not spec.loader or module_name in self.list_plugins:
return None
# Save the list of names to prevent repetition
self.list_plugins.append(module_name)
module = importlib.util.module_from_spec(spec)
spec.loader.exec_module(module)
# Find factory functions based on context
factory_funcs = []
target_factory_names = []
if self.is_machine:
target_factory_names = ['create_machine_applier', 'create_plugin']
else:
target_factory_names = ['create_user_applier', 'create_plugin']
for name, obj in inspect.getmembers(module):
if (inspect.isfunction(obj) and
name.lower() in target_factory_names and
callable(obj)):
factory_funcs.append(obj)
# Create plugin instance
if factory_funcs:
# Use factory function if available
plugin_instance = factory_funcs[0](self.dict_dconf_db, self.username, self.file_cache)
else:
# No suitable factory function found for this context
return None
# Auto-detect locale directory for this plugin and initialize/update logger
if hasattr(plugin_instance, '_init_plugin_log'):
plugin_file = file_path
plugin_dir = plugin_file.parent
# First try: locale directory in plugin's own directory
locale_candidate = plugin_dir / 'locale'
# Second try: common locale directory for frontend plugins
if not locale_candidate.exists() and 'frontend_plugins' in str(plugin_dir):
frontend_plugins_dir = plugin_dir.parent
common_locale_dir = frontend_plugins_dir / 'locale'
if common_locale_dir.exists():
locale_candidate = common_locale_dir
# Third try: system-wide gpupdate plugins locale directory
if not locale_candidate.exists():
gpupdate_plugins_locale = Path('/usr/lib/gpupdate/plugins/locale')
if gpupdate_plugins_locale.exists():
locale_candidate = gpupdate_plugins_locale
if locale_candidate.exists():
# If logger already exists, reinitialize it with the correct locale directory
if hasattr(plugin_instance, '_log') and plugin_instance._log is not None:
# Save message_dict and domain from existing logger
message_dict = getattr(plugin_instance._log, 'message_dict', None)
domain = getattr(plugin_instance._log, 'domain', None)
# Reinitialize logger with proper locale directory
plugin_instance._log = None
else:
message_dict = None
domain = None
# Get domain from plugin instance or use class name
if not domain:
domain = getattr(plugin_instance, 'domain', plugin_instance.__class__.__name__.lower())
# Initialize plugin logger with the found locale directory
plugin_instance._init_plugin_log(
message_dict=message_dict,
locale_dir=str(locale_candidate),
domain=domain
)
return plugin_instance
return None
def is_valid_api_object(self, obj):
"""Check if the object is a valid plugin API object"""
return isinstance(obj, plugin)

17
gpoa/plugin/roles.py
View File

@@ -16,17 +16,12 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from gpoa.util.roles import fill_roles
from .plugin import plugin
from util.roles import fill_roles
class roles(plugin):
def __init__(self, user=None):
super().__init__(user)
self.plugin_name = "roles"
def run(self):
# Roles plugin logic would go here
# For now, just pass as the original was doing nothing
class roles:
def __init__(self):
pass
def run(self):
fill_roles()

40
gpoa/scripts_runner
View File

@@ -21,8 +21,6 @@ import subprocess
import argparse
import os
from pathlib import Path
import psutil
import time
class Scripts_runner:
'''
@@ -33,7 +31,7 @@ class Scripts_runner:
self.dir_scripts_machine = '/var/cache/gpupdate_scripts_cache/machine/'
self.dir_scripts_users = '/var/cache/gpupdate_scripts_cache/users/'
self.user_name = user_name
self.list_with_all_commands = []
self.list_with_all_commands = list()
stack_dir = None
if work_mode and work_mode.upper() == 'MACHINE':
stack_dir = self.machine_runner_fill()
@@ -59,7 +57,7 @@ class Scripts_runner:
return self.get_stack_dir(self.dir_scripts_machine)
def get_stack_dir(self, path_dir):
stack_dir = []
stack_dir = list()
try:
dir_script = Path(path_dir)
for it_dir in dir_script.iterdir():
@@ -72,7 +70,7 @@ class Scripts_runner:
def find_action(self, stack_dir):
if not stack_dir:
return
list_tmp = []
list_tmp = list()
while stack_dir:
path_turn = stack_dir.pop()
basename = os.path.basename(path_turn)
@@ -94,7 +92,7 @@ class Scripts_runner:
except Exception as exc:
print('Argument read for {}: {}'.format(self.list_with_all_commands.pop(), exc))
else:
cmd = []
cmd = list()
cmd.append(file_in_task_dir)
self.list_with_all_commands.append(cmd)
@@ -111,34 +109,7 @@ class Scripts_runner:
except Exception as exc:
return exc
def find_process_by_name_and_script(name, script_path):
for proc in psutil.process_iter(['pid', 'name', 'cmdline']):
try:
# Check if the process name matches and the script path is in the command line arguments
if proc.info['name'] == name and script_path in proc.info['cmdline']:
return proc
except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
continue
return None
def wait_for_process(name, script_path, check_interval=1):
process = find_process_by_name_and_script(name, script_path)
if not process:
print(f"Process with name {name} and script path {script_path} not found.")
return
try:
# Loop to wait for the process to finish
while process.is_running():
print(f"Waiting for process {name} with PID {process.pid} to finish...")
time.sleep(check_interval)
print(f"Process {name} with PID {process.pid} has finished.")
return
except (psutil.NoSuchProcess, psutil.AccessDenied):
print(f"Process {name} with PID {process.pid} is no longer accessible.")
return
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Scripts runner')
@@ -146,9 +117,6 @@ if __name__ == '__main__':
parser.add_argument('--user', type = str, help = 'User name ', nargs = '?', default = None)
parser.add_argument('--action', type = str, help = 'MACHINE : [STARTUP or SHUTDOWN], USER : [LOGON or LOGOFF]', nargs = '?', default = None)
process_name = "python3"
script_path = "/usr/sbin/gpoa"
wait_for_process(process_name, script_path)
args = parser.parse_args()
try:
Scripts_runner(args.mode, args.user, args.action)

3
gpoa/storage/__init__.py
View File

@@ -17,8 +17,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from .dconf_registry import Dconf_registry
from storage.dconf_registry import Dconf_registry
def registry_factory(registry_name='', envprofile=None , username=None):
if username:

1
gpoa/storage/cache.py
View File

@@ -18,7 +18,6 @@
from abc import ABC
class cache(ABC):
def __init__(self):
pass

471
gpoa/storage/dconf_registry.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2025 BaseALT Ltd.
# Copyright (C) 2019-2023 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,29 +16,11 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from collections import OrderedDict
import itertools
from pathlib import Path
import re
import subprocess
import gi
from gpoa.gpt.dynamic_attributes import RegistryKeyMetadata
from gpoa.util.logging import log
from gpoa.util.paths import get_dconf_config_path
from gpoa.util.util import (
add_prefix_to_keys,
clean_data,
get_uid_by_username,
remove_keys_with_prefix,
string_to_literal_eval,
touch_file,
try_dict_to_literal_eval,
)
gi.require_version("Gvdb", "1.0")
gi.require_version("GLib", "2.0")
from gi.repository import GLib, Gvdb
from pathlib import Path
from util.util import string_to_literal_eval, touch_file, get_uid_by_username
from util.logging import log
import re
class PregDconf():
@@ -67,52 +49,33 @@ class Dconf_registry():
'''
A class variable that represents a global registry dictionary shared among instances of the class
'''
_GpoPriority = 'Software/BaseALT/Policies/GpoPriority'
_gpo_name = set()
global_registry_dict = {_GpoPriority:{}}
previous_global_registry_dict = {}
_ReadQueue = 'Software/BaseALT/Policies/ReadQueue'
global_registry_dict = dict({_ReadQueue:{}})
__template_file = '/usr/share/dconf/user_mandatory.template'
_policies_path = 'Software/'
_policies_win_path = 'SOFTWARE/'
_gpt_read_flag = False
_force = False
__dconf_dict_flag = False
__dconf_dict = {}
_dconf_db = {}
_dict_gpo_name_version_cache = {}
__dconf_dict = dict()
_username = None
_uid = None
_envprofile = None
_path_bin_system = "/etc/dconf/db/policy"
list_keys = []
_info = {}
_counter_gpt = itertools.count(0)
list_keys = list()
_info = dict()
shortcuts = list()
folders = list()
files = list()
drives = list()
scheduledtasks = list()
environmentvariables = list()
inifiles = list()
services = list()
printers = list()
scripts = list()
networkshares = list()
shortcuts = []
folders = []
files = []
drives = []
scheduledtasks = []
environmentvariables = []
inifiles = []
services = []
printers = []
scripts = []
networkshares = []
_true_strings = {
"True",
"true",
"TRUE",
"yes",
"Yes",
"enabled",
"enable",
"Enabled",
"Enable",
'1'
}
@classmethod
def set_info(cls, key , data):
@@ -123,15 +86,12 @@ class Dconf_registry():
def get_info(cls, key):
return cls._info.setdefault(key, None)
@staticmethod
def get_next_number():
return next(Dconf_registry._counter_gpt)
@staticmethod
def get_matching_keys(path):
if path[0] != '/':
path = '/' + path
logdata = {}
logdata = dict()
envprofile = get_dconf_envprofile()
try:
process = subprocess.Popen(['dconf', 'list', path],
@@ -162,7 +122,7 @@ class Dconf_registry():
@staticmethod
def get_key_value(key):
logdata = {}
logdata = dict()
envprofile = get_dconf_envprofile()
try:
process = subprocess.Popen(['dconf', 'read', key],
@@ -180,12 +140,10 @@ class Dconf_registry():
return None
@staticmethod
def dconf_update(uid=None):
logdata = {}
path_dconf_config = get_dconf_config_path(uid)
db_file = path_dconf_config[:-3]
def dconf_update():
logdata = dict()
try:
process = subprocess.Popen(['dconf', 'compile', db_file, path_dconf_config],
process = subprocess.Popen(['dconf', 'update'],
stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
output, error = process.communicate()
@@ -206,15 +164,9 @@ class Dconf_registry():
else:
return None
@classmethod
def update_dict_to_previous(cls):
dict_clean_previous = remove_keys_with_prefix(cls._dconf_db)
dict_with_previous = add_prefix_to_keys(dict_clean_previous)
cls.global_registry_dict.update(dict_with_previous)
@classmethod
def apply_template(cls, uid):
logdata = {}
logdata = dict()
if uid and cls.check_profile_template():
with open(cls.__template_file, "r") as f:
template = f.read()
@@ -223,15 +175,13 @@ class Dconf_registry():
elif uid:
content = f"user-db:user\n" \
f"system-db:distr\n" \
f"system-db:policy\n" \
f"system-db:policy{uid}\n" \
f"system-db:local\n" \
f"system-db:default\n" \
f"system-db:local\n" \
f"system-db:policy{uid}\n" \
f"system-db:policy\n" \
f"system-db:distr\n"
f"system-db:policy\n"
else:
logdata['uid'] = uid
log('W24', logdata)
@@ -256,62 +206,20 @@ class Dconf_registry():
dconf_dict = self.get_key_values(self.get_matching_keys(startswith))
for key, value in dconf_dict.items():
keys_tmp = key.split('/')
update_dict(output_dict.setdefault('/'.join(keys_tmp[:-1])[1:], {}), {keys_tmp[-1]: str(value)})
update_dict(output_dict.setdefault('/'.join(keys_tmp[:-1])[1:], {}), {keys_tmp[-1]: value})
log('D207')
return output_dict
@classmethod
def get_dictionary_from_dconf_file_db(self, uid=None, path_bin=None, save_dconf_db=False):
logdata = {}
error_skip = None
if path_bin:
error_skip = True
elif not uid:
path_bin = self._path_bin_system
else:
path_bin = self._path_bin_system + str(uid)
output_dict = {}
try:
if (GLib.file_get_contents(path_bin)[0]):
bytes1 = GLib.Bytes.new(GLib.file_get_contents(path_bin)[1])
table = Gvdb.Table.new_from_bytes(bytes1, True)
name_list = Gvdb.Table.get_names(table)
for name in name_list:
value = Gvdb.Table.get_value(table, name)
if value is None:
continue
list_path = name.split('/')
if value.is_of_type(GLib.VariantType('s')):
part = output_dict.setdefault('/'.join(list_path[1:-1]), {})
part[list_path[-1]] = value.get_string()
elif value.is_of_type(GLib.VariantType('i')):
part = output_dict.setdefault('/'.join(list_path[1:-1]), {})
part[list_path[-1]] = value.get_int32()
except Exception as exc:
logdata['exc'] = exc
logdata['path_bin'] = path_bin
if not error_skip:
log('E73', logdata)
else:
log('D217', logdata)
if save_dconf_db:
Dconf_registry._dconf_db = output_dict
return output_dict
@classmethod
def filter_entries(cls, startswith, registry_dict = None):
if not registry_dict:
registry_dict = cls.global_registry_dict
def filter_entries(cls, startswith):
if startswith[-1] == '%':
startswith = startswith[:-1]
if startswith[-1] == '/' or startswith[-1] == '\\':
startswith = startswith[:-1]
return filter_dict_keys(startswith, flatten_dictionary(registry_dict))
return filter_dict_keys(startswith, flatten_dictionary(registry_dict))
return filter_dict_keys(startswith, flatten_dictionary(cls.global_registry_dict))
return filter_dict_keys(startswith, flatten_dictionary(cls.global_registry_dict))
@classmethod
@@ -326,7 +234,7 @@ class Dconf_registry():
elif isinstance(value, list):
for data in value:
list_entiers.append(PregDconf(
keyname, data, find_preg_type(data), data))
keyname, convert_string_dconf(data), find_preg_type(data), data))
else:
list_entiers.append(PregDconf(
'/'.join(keyname.split('/')[:-1]), convert_string_dconf(keyname.split('/')[-1]), find_preg_type(value), value))
@@ -336,7 +244,7 @@ class Dconf_registry():
@classmethod
def filter_hkcu_entries(cls, startswith):
def filter_hkcu_entries(cls, sid, startswith):
return cls.filter_hklm_entries(startswith)
@@ -362,8 +270,8 @@ class Dconf_registry():
@classmethod
def get_entry(cls, path, dictionary = None, preg = True):
logdata = {}
def get_entry(cls, path, dictionary = None):
logdata = dict()
result = Dconf_registry.get_storage(dictionary)
keys = path.split("\\") if "\\" in path else path.split("/")
@@ -372,26 +280,15 @@ class Dconf_registry():
if isinstance(result, dict) and key in result.keys():
data = result.get(key).get(keys[-1])
return PregDconf(
key, convert_string_dconf(keys[-1]), find_preg_type(data), data) if preg else data
key, convert_string_dconf(keys[-1]), find_preg_type(data), data)
else:
logdata['path'] = path
log('D208', logdata)
return None
@classmethod
def check_enable_key(cls ,key):
data = cls.get_entry(key, preg = False)
if data:
if isinstance(data, str):
return True if data in cls._true_strings else False
elif isinstance(data, int):
return bool(data)
else:
return False
return False
@classmethod
def get_hkcu_entry(cls, hive_key, dictionary = None):
def get_hkcu_entry(cls, sid, hive_key, dictionary = None):
return cls.get_hklm_entry(hive_key, dictionary)
@@ -402,121 +299,112 @@ class Dconf_registry():
@classmethod
def add_shortcut(cls, sc_obj, policy_name):
sc_obj.policy_name = policy_name
def add_shortcut(cls, sid, sc_obj, policy_name):
cls.shortcuts.append(sc_obj)
@classmethod
def add_printer(cls, pobj, policy_name):
pobj.policy_name = policy_name
def add_printer(cls, sid, pobj, policy_name):
cls.printers.append(pobj)
@classmethod
def add_drive(cls, dobj, policy_name):
dobj.policy_name = policy_name
def add_drive(cls, sid, dobj, policy_name):
cls.drives.append(dobj)
@classmethod
def add_folder(cls, fobj, policy_name):
fobj.policy_name = policy_name
def add_folder(cls, sid, fobj, policy_name):
cls.folders.append(fobj)
@classmethod
def add_envvar(self, evobj, policy_name):
evobj.policy_name = policy_name
def add_envvar(self, sid, evobj, policy_name):
self.environmentvariables.append(evobj)
@classmethod
def add_script(cls, scrobj, policy_name):
scrobj.policy_name = policy_name
def add_script(cls, sid, scrobj, policy_name):
cls.scripts.append(scrobj)
@classmethod
def add_file(cls, fileobj, policy_name):
fileobj.policy_name = policy_name
def add_file(cls, sid, fileobj, policy_name):
cls.files.append(fileobj)
@classmethod
def add_ini(cls, iniobj, policy_name):
iniobj.policy_name = policy_name
def add_ini(cls, sid, iniobj, policy_name):
cls.inifiles.append(iniobj)
@classmethod
def add_networkshare(cls, networkshareobj, policy_name):
networkshareobj.policy_name = policy_name
def add_networkshare(cls, sid, networkshareobj, policy_name):
cls.networkshares.append(networkshareobj)
@classmethod
def get_shortcuts(cls):
def get_shortcuts(cls, sid):
return cls.shortcuts
@classmethod
def get_printers(cls):
def get_printers(cls, sid):
return cls.printers
@classmethod
def get_drives(cls):
def get_drives(cls, sid):
return cls.drives
@classmethod
def get_folders(cls):
def get_folders(cls, sid):
return cls.folders
@classmethod
def get_envvars(cls):
def get_envvars(cls, sid):
return cls.environmentvariables
@classmethod
def get_scripts(cls, action):
def get_scripts(cls, sid, action):
action_scripts = list()
for part in cls.scripts:
if action == 'LOGON' and part.action == 'LOGON':
if action == 'LOGON':
action_scripts.append(part)
elif action == 'LOGOFF' and part.action == 'LOGOFF':
elif action == 'LOGOFF':
action_scripts.append(part)
elif action == 'STARTUP' and part.action == 'STARTUP':
elif action == 'STARTUP':
action_scripts.append(part)
elif action == 'SHUTDOWN' and part.action == 'SHUTDOWN':
elif action == 'SHUTDOWN':
action_scripts.append(part)
return action_scripts
@classmethod
def get_files(cls):
def get_files(cls, sid):
return cls.files
@classmethod
def get_networkshare(cls):
def get_networkshare(cls, sid):
return cls.networkshares
@classmethod
def get_ini(cls):
def get_ini(cls, sid):
return cls.inifiles
@classmethod
def wipe_user(cls):
def wipe_user(cls, sid):
cls.wipe_hklm()
@classmethod
def wipe_hklm(cls):
cls.global_registry_dict = dict({cls._GpoPriority:{}})
cls.global_registry_dict = dict({cls._ReadQueue:{}})
def filter_dict_keys(starting_string, input_dict):
@@ -537,7 +425,7 @@ def find_preg_type(argument):
return 1
def update_dict(dict1, dict2, save_key=None):
def update_dict(dict1, dict2):
'''
Updates dict1 with the key-value pairs from dict2
'''
@@ -545,144 +433,74 @@ def update_dict(dict1, dict2, save_key=None):
if key in dict1:
# If both values are dictionaries, recursively call the update_dict function
if isinstance(dict1[key], dict) and isinstance(value, dict):
save_key = key
update_dict(dict1[key], value, save_key)
update_dict(dict1[key], value)
# If the value in dict1 is a list, extend it with unique values from value
elif isinstance(dict1[key], list):
dict1[key].extend(set(value) - set(dict1[key]))
else:
# If the value in dict1 is not a dictionary or the value in dict2 is not a dictionary,
# replace the value in dict1 with the value from dict2
if save_key and save_key.startswith('Source'):
value.reloaded_with_policy_key = [dict1[key].policy_name]
if dict1[key].reloaded_with_policy_key:
value.reloaded_with_policy_key += dict1[key].reloaded_with_policy_key
dict1[key] = value
else:
dict1[key] = value
dict1[key] = value
else:
# If the key does not exist in dict1, add the key-value pair from dict2 to dict1
dict1[key] = value
def add_to_dict(string, username, gpo_info):
if gpo_info:
counter = gpo_info.counter
display_name = gpo_info.display_name
name = gpo_info.name
version = gpo_info.version
else:
counter = 0
display_name = 'Local Policy'
name = None
version = None
if username is None or username == 'Machine':
machine= '{}/Machine/{}'.format(Dconf_registry._GpoPriority, counter)
def add_to_dict(string, policy_name, username, version):
if username is None:
correct_path = '/'.join(string.split('/')[:-2])
machine= '{}/Machine'.format(Dconf_registry._ReadQueue)
dictionary = Dconf_registry.global_registry_dict.setdefault(machine, dict())
else:
if name in Dconf_registry._gpo_name:
return
user = '{}/User/{}'.format(Dconf_registry._GpoPriority, counter)
correct_path = '/'.join(string.split('/')[:-2])
user = '{}/User'.format(Dconf_registry._ReadQueue)
dictionary = Dconf_registry.global_registry_dict.setdefault(user, dict())
Dconf_registry._gpo_name.add(name)
dictionary['display_name'] = display_name
dictionary['name'] = name
dictionary['version'] = str(version)
dictionary['correct_path'] = string
dictionary[len(dictionary)] = (policy_name, correct_path, version)
def get_mod_previous_value(key_source, key_valuename):
previous_sourc = try_dict_to_literal_eval(Dconf_registry._dconf_db
.get(key_source, {})
.get(key_valuename, {}))
return previous_sourc.get('mod_previous_value') if previous_sourc else None
def get_previous_value(key_source, key_valuename):
previous = key_source.replace('Source', 'Previous')
return (Dconf_registry._dconf_db
.get(previous, {})
.get(key_valuename, None))
def load_preg_dconf(pregfile, pathfile, policy_name, username, gpo_info):
def load_preg_dconf(pregfile, pathfile, policy_name, username, version=None):
'''
Loads the configuration from preg registry into a dictionary
'''
# Prefix for storing key data
source_pre = "Source"
dd = dict()
for i in pregfile.entries:
# Skip this entry if the valuename starts with '**del'
if i.valuename.lower().startswith('**del'):
if i.valuename.startswith('**del'):
continue
valuename = convert_string_dconf(i.valuename)
data = check_data(i.data, i.type)
if i.valuename != i.data and i.valuename:
key_registry_source = f"{source_pre}/{i.keyname}".replace('\\', '/')
key_registry = f"{i.keyname}".replace('\\', '/')
key_valuename = valuename.replace('\\', '/')
if i.keyname.replace('\\', '/') in dd:
# If the key exists in dd, update its value with the new key-value pair
dd[i.keyname.replace('\\', '/')].update({key_valuename:data})
mod_previous_value = get_mod_previous_value(key_registry_source, key_valuename)
previous_value = get_previous_value(key_registry, key_valuename)
if previous_value != data:
(dd[key_registry_source]
.update({key_valuename:RegistryKeyMetadata(policy_name, i.type, mod_previous_value=previous_value)}))
else:
(dd[key_registry_source]
.update({key_valuename:RegistryKeyMetadata(policy_name, i.type, mod_previous_value=mod_previous_value)}))
dd[i.keyname.replace('\\', '/')].update({valuename.replace('\\', '/'):data})
else:
# If the key does not exist in dd, create a new key-value pair
dd[i.keyname.replace('\\', '/')] = {key_valuename:data}
mod_previous_value = get_mod_previous_value(key_registry_source, key_valuename)
previous_value = get_previous_value(key_registry, key_valuename)
if previous_value != data:
dd[key_registry_source] = {key_valuename:RegistryKeyMetadata(policy_name, i.type, mod_previous_value=previous_value)}
else:
dd[key_registry_source] = {key_valuename:RegistryKeyMetadata(policy_name, i.type, mod_previous_value=mod_previous_value)}
dd[i.keyname.replace('\\', '/')] = {valuename.replace('\\', '/'):data}
elif not i.valuename:
keyname_tmp = i.keyname.replace('\\', '/').split('/')
keyname = '/'.join(keyname_tmp[:-1])
mod_previous_value = get_mod_previous_value(f"{source_pre}/{keyname}", keyname_tmp[-1])
previous_value = get_previous_value(f"{keyname}", keyname_tmp[-1])
if keyname in dd:
# If the key exists in dd, update its value with the new key-value pair
dd[keyname].update({keyname_tmp[-1]:data})
if previous_value != data:
dd[f"{source_pre}/{keyname}"].update({keyname_tmp[-1]:RegistryKeyMetadata(policy_name, i.type, mod_previous_value=previous_value)})
else:
dd[f"{source_pre}/{keyname}"].update({keyname_tmp[-1]:RegistryKeyMetadata(policy_name, i.type, mod_previous_value=mod_previous_value)})
else:
# If the key does not exist in dd, create a new key-value pair
dd[keyname] = {keyname_tmp[-1]:data}
if previous_value != data:
dd[f"{source_pre}/{keyname}"] = {keyname_tmp[-1]:RegistryKeyMetadata(policy_name, i.type, mod_previous_value=previous_value)}
else:
dd[f"{source_pre}/{keyname}"] = {keyname_tmp[-1]:RegistryKeyMetadata(policy_name, i.type, mod_previous_value=mod_previous_value)}
else:
# If the value name is the same as the data,
# split the keyname and add the data to the appropriate location in dd.
all_list_key = i.keyname.split('\\')
key_d ='/'.join(all_list_key[:-1])
dd_target = dd.setdefault(key_d,{})
key_source = f"Source/{key_d}"
dd_target_source = dd.setdefault(key_source, {})
data_list = dd_target.setdefault(all_list_key[-1], []).append(data)
mod_previous_value = get_mod_previous_value(key_source, all_list_key[-1])
previous_value = get_previous_value(key_d, all_list_key[-1])
if previous_value != str(data_list):
dd_target_source[all_list_key[-1]] = RegistryKeyMetadata(policy_name, i.type, is_list=True, mod_previous_value=previous_value)
else:
dd_target_source[all_list_key[-1]] = RegistryKeyMetadata(policy_name, i.type, is_list=True, mod_previous_value=mod_previous_value)
dd_target = dd.setdefault('/'.join(all_list_key[:-1]),{})
dd_target.setdefault(all_list_key[-1], []).append(data)
# Update the global registry dictionary with the contents of dd
add_to_dict(pathfile, policy_name, username, version)
update_dict(Dconf_registry.global_registry_dict, dd)
def create_dconf_ini_file(filename, data, uid=None, nodomain=None):
def create_dconf_ini_file(filename, data):
'''
Create an ini-file based on a dictionary of dictionaries.
Args:
@@ -693,78 +511,31 @@ def create_dconf_ini_file(filename, data, uid=None, nodomain=None):
Raises:
None
'''
with open(filename, 'a' if nodomain else 'w') as file:
with open(filename, 'w') as file:
for section, section_data in data.items():
if not section:
continue
file.write(f'[{section}]\n')
for key, value in section_data.items():
if not key:
continue
if isinstance(value, int):
file.write(f'{key} = {value}\n')
else:
file.write(f'{key} = "{value}"\n')
file.write('\n')
logdata = {'path': filename}
logdata = dict()
logdata['path'] = filename
log('D209', logdata)
create_dconf_file_locks(filename, data)
Dconf_registry.dconf_update(uid)
def create_dconf_file_locks(filename_ini, data):
"""
Creates a dconf lock file based on the provided filename and data.
:param filename_ini: Path to the ini file (str)
:param data: Dictionary containing configuration data
"""
# Extract the path parts up to the directory of the ini file
tmp_lock = filename_ini.split('/')[:-1]
# Construct the path to the lock file
file_lock = '/'.join(tmp_lock + ['locks', tmp_lock[-1][:-1] + 'pol'])
# Create an empty lock file
touch_file(file_lock)
# Open the lock file for writing
with open(file_lock, 'w') as file:
# Iterate over all lock keys obtained from the data
for key_lock in get_keys_dconf_locks(data):
# Remove the "lock/" prefix from the key and split into parts
key = key_lock.split('/')[1:]
# Write the cleaned key to the lock file
file.write(f'{key}\n')
def get_keys_dconf_locks(data):
"""
Extracts keys from the provided data that start with "Locks/"
and have a value of 1.
:param data: Dictionary containing configuration data
:return: List of lock keys (str) without the "Locks/" prefix
"""
result = []
# Flatten the nested dictionary into a single-level dictionary
flatten_data = flatten_dictionary(data)
# Iterate through all keys in the flattened dictionary
for key in flatten_data:
# Check if the key starts with "Locks/" and its value is 1
if key.startswith('Locks/') and flatten_data[key] == 1:
# Remove the "Locks" prefix and append to the result
result.append(key.removeprefix('Locks'))
return result
Dconf_registry.dconf_update()
def clean_data(data):
try:
cleaned_string = data.replace('\n', '').replace('\r', '')
cleaned_string = cleaned_string.replace('"', "'")
return cleaned_string
except:
return None
def check_data(data, t_data):
if isinstance(data, bytes):
if t_data == 7:
return clean_data(data.decode('utf-16').replace('\x00',''))
else:
return None
return None
elif t_data == 4:
return data
return clean_data(data)
@@ -773,10 +544,9 @@ def convert_string_dconf(input_string):
macros = {
'#': '%sharp%',
';': '%semicolon%',
'//': '%doubleslash%',
'/': '%oneslash%'
'//': '%doubleslash%'
}
output_string = input_string
for key, value in macros.items():
if key in input_string:
output_string = input_string.replace(key, value)
@@ -816,54 +586,3 @@ def get_dconf_envprofile():
profile = '/run/dconf/user/{}'.format(get_uid_by_username(Dconf_registry._username))
return {'DCONF_PROFILE': profile}
def convert_elements_to_list_dicts(elements):
return list(map(lambda x: dict(x), elements))
def remove_duplicate_dicts_in_list(list_dict):
return convert_elements_to_list_dicts(list(OrderedDict((tuple(sorted(d.items())), d) for d in list_dict).values()))
def add_preferences_to_global_registry_dict(username, is_machine):
if is_machine:
prefix = 'Software/BaseALT/Policies/Preferences/Machine'
else:
prefix = f'Software/BaseALT/Policies/Preferences/{username}'
preferences_global = [('Shortcuts',remove_duplicate_dicts_in_list(Dconf_registry.shortcuts)),
('Folders',remove_duplicate_dicts_in_list(Dconf_registry.folders)),
('Files',remove_duplicate_dicts_in_list(Dconf_registry.files)),
('Drives',remove_duplicate_dicts_in_list(Dconf_registry.drives)),
('Scheduledtasks',remove_duplicate_dicts_in_list(Dconf_registry.scheduledtasks)),
('Environmentvariables',remove_duplicate_dicts_in_list(Dconf_registry.environmentvariables)),
('Inifiles',remove_duplicate_dicts_in_list(Dconf_registry.inifiles)),
('Services',remove_duplicate_dicts_in_list(Dconf_registry.services)),
('Printers',remove_duplicate_dicts_in_list(Dconf_registry.printers)),
('Scripts',remove_duplicate_dicts_in_list(Dconf_registry.scripts)),
('Networkshares',remove_duplicate_dicts_in_list(Dconf_registry.networkshares))]
preferences_global_dict = dict()
preferences_global_dict[prefix] = dict()
for key, val in preferences_global:
preferences_global_dict[prefix].update({key:clean_data(str(val))})
update_dict(Dconf_registry.global_registry_dict, preferences_global_dict)
def extract_display_name_version(data, username):
policy_force = data.get('Software/BaseALT/Policies/GPUpdate', {}).get('Force', False)
if Dconf_registry._force or policy_force:
logdata = {'username': username}
log('W26', logdata)
return {}
result = {}
tmp = {}
if isinstance(data, dict):
for key in data.keys():
if key.startswith(Dconf_registry._GpoPriority+'/'):
tmp[key] = data[key]
for value in tmp.values():
if isinstance(value, dict) and value.get('version', 'None')!='None' and value.get('display_name'):
result[value['display_name']] = {'version': value['version'], 'correct_path': value['correct_path']}
Dconf_registry._dict_gpo_name_version_cache = result
return result

35
gpoa/storage/fs_file_cache.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2021-2025 BaseALT Ltd. <org@basealt.ru>
# Copyright (C) 2021 BaseALT Ltd. <org@basealt.ru>
# Copyright (C) 2021 Igor Chudov <nir@nir.org.ru>
#
# This program is free software: you can redistribute it and/or modify
@@ -19,14 +19,14 @@
import os
import os.path
from pathlib import Path
import tempfile
from pathlib import Path
import smbc
from util.exceptions import NotUNCPathError
from util.logging import log
from util.paths import UNCPath, file_cache_dir, file_cache_path_home
from util.util import get_machine_name
from util.paths import file_cache_dir, file_cache_path_home, UNCPath
from util.exceptions import NotUNCPathError
class fs_file_cache:
@@ -34,15 +34,14 @@ class fs_file_cache:
def __init__(self, cache_name, username = None):
self.cache_name = cache_name
self.username = username
if username and username != get_machine_name():
if username:
try:
self.storage_uri = file_cache_path_home(username)
except:
self.storage_uri = file_cache_dir()
else:
self.storage_uri = file_cache_dir()
logdata = {'cache_file': self.storage_uri}
logdata = dict({'cache_file': self.storage_uri})
log('D20', logdata)
self.samba_context = smbc.Context(use_kerberos=1)
#, debug=10)
@@ -62,7 +61,7 @@ class fs_file_cache:
return None
except Exception as exc:
logdata = {'exception': str(exc)}
logdata = dict({'exception': str(exc)})
log('D144', logdata)
raise exc
@@ -86,9 +85,7 @@ class fs_file_cache:
df.close()
os.rename(tmpfile, destfile)
os.chmod(destfile, 0o644)
except Exception as exc:
logdata = {'exception': str(exc)}
log('W25', logdata)
except:
tmppath = Path(tmpfile)
if tmppath.exists():
tmppath.unlink()
@@ -103,16 +100,14 @@ class fs_file_cache:
uri_path.get_domain(),
uri_path.get_path()))
except NotUNCPathError as exc:
logdata = {'path': str(exc)}
logdata = dict({'path': str(exc)})
log('D62', logdata)
except Exception as exc:
logdata = {'exception': str(exc)}
logdata = dict({'exception': str(exc)})
log('E36', logdata)
raise exc
if Path(destfile).exists():
return str(destfile)
else:
return None
return str(destfile)
def get_ls_smbdir(self, uri):
type_file_smb = 8
@@ -125,6 +120,6 @@ class fs_file_cache:
except Exception as exc:
if Path(uri).exists():
return None
logdata = {'exception': str(exc)}
logdata = dict({'exception': str(exc)})
log('W12', logdata)
return None

309
gpoa/storage/record_types.py Normal file
View File

@@ -0,0 +1,309 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
class samba_preg(object):
'''
Object mapping representing HKLM entry (registry key without SID)
'''
def __init__(self, preg_obj, policy_name):
self.policy_name = policy_name
self.keyname = preg_obj.keyname
self.valuename = preg_obj.valuename
self.hive_key = '{}\\{}'.format(self.keyname, self.valuename)
self.type = preg_obj.type
self.data = preg_obj.data
def update_fields(self):
fields = dict()
fields['policy_name'] = self.policy_name
fields['type'] = self.type
fields['data'] = self.data
return fields
class samba_hkcu_preg(object):
'''
Object mapping representing HKCU entry (registry key with SID)
'''
def __init__(self, sid, preg_obj, policy_name):
self.sid = sid
self.policy_name = policy_name
self.keyname = preg_obj.keyname
self.valuename = preg_obj.valuename
self.hive_key = '{}\\{}'.format(self.keyname, self.valuename)
self.type = preg_obj.type
self.data = preg_obj.data
def update_fields(self):
fields = dict()
fields['policy_name'] = self.policy_name
fields['type'] = self.type
fields['data'] = self.data
return fields
class ad_shortcut(object):
'''
Object mapping representing Windows shortcut.
'''
def __init__(self, sid, sc, policy_name):
self.sid = sid
self.policy_name = policy_name
self.path = sc.dest
self.shortcut = sc.to_json()
def update_fields(self):
fields = dict()
fields['policy_name'] = self.policy_name
fields['path'] = self.path
fields['shortcut'] = self.shortcut
return fields
class info_entry(object):
def __init__(self, name, value):
self.name = name
self.value = value
def update_fields(self):
fields = dict()
fields['value'] = self.value
return fields
class printer_entry(object):
'''
Object mapping representing Windows printer of some type.
'''
def __init__(self, sid, pobj, policy_name):
self.sid = sid
self.policy_name = policy_name
self.name = pobj.name
self.printer = pobj.to_json()
def update_fields(self):
fields = dict()
fields['policy_name'] = self.policy_name
fields['name'] = self.name
fields['printer'] = self.printer.to_json()
return fields
class drive_entry(object):
'''
Object mapping representing Samba share bound to drive letter
'''
def __init__(self, sid, dobj, policy_name):
self.sid = sid
self.policy_name = policy_name
self.login = dobj.login
self.password = dobj.password
self.dir = dobj.dir
self.path = dobj.path
self.action = dobj.action
self.thisDrive = dobj.thisDrive
self.allDrives = dobj.allDrives
self.label = dobj.label
self.persistent = dobj.persistent
self.useLetter = dobj.useLetter
def update_fields(self):
fields = dict()
fields['policy_name'] = self.policy_name
fields['login'] = self.login
fields['password'] = self.password
fields['dir'] = self.dir
fields['path'] = self.path
fields['action'] = self.action
fields['thisDrive'] = self.thisDrive
fields['allDrives'] = self.allDrives
fields['label'] = self.label
fields['persistent'] = self.persistent
fields['useLetter'] = self.useLetter
return fields
class folder_entry(object):
'''
Object mapping representing file system directory
'''
def __init__(self, sid, fobj, policy_name):
self.sid = sid
self.policy_name = policy_name
self.path = fobj.path
self.action = fobj.action.value
self.delete_folder = str(fobj.delete_folder)
self.delete_sub_folders = str(fobj.delete_sub_folders)
self.delete_files = str(fobj.delete_files)
self.hidden_folder = str(fobj.hidden_folder)
def update_fields(self):
'''
Return list of fields to update
'''
fields = dict()
fields['policy_name'] = self.policy_name
fields['action'] = self.action
fields['delete_folder'] = self.delete_folder
fields['delete_sub_folders'] = self.delete_sub_folders
fields['delete_files'] = self.delete_files
fields['hidden_folder'] = self.hidden_folder
return fields
class envvar_entry(object):
'''
Object mapping representing environment variables
'''
def __init__(self, sid, evobj, policy_name):
self.sid = sid
self.policy_name = policy_name
self.name = evobj.name
self.value = evobj.value
self.action = evobj.action.value
def update_fields(self):
'''
Return list of fields to update
'''
fields = dict()
fields['policy_name'] = self.policy_name
fields['action'] = self.action
fields['value'] = self.value
return fields
class script_entry(object):
'''
Object mapping representing scripts.ini
'''
def __init__(self, sid, scrobj, policy_name):
self.sid = sid
self.policy_name = policy_name
self.action = scrobj.action
self.number = scrobj.number
self.path = scrobj.path
self.arg = scrobj.args
def update_fields(self):
'''
Return list of fields to update
'''
fields = dict()
fields['policy_name'] = self.policy_name
fields['action'] = self.action
fields['number'] = self.number
fields['path'] = self.path
fields['arg'] = self.arg
return fields
class file_entry(object):
'''
Object mapping representing FILES.XML
'''
def __init__(self, sid, fileobj, policy_name):
self.sid = sid
self.policy_name = policy_name
self.action = fileobj.action
self.fromPath = fileobj.fromPath
self.targetPath = fileobj.targetPath
self.readOnly = fileobj.readOnly
self.archive = fileobj.archive
self.hidden = fileobj.hidden
self.suppress = fileobj.suppress
self.executable = fileobj.executable
def update_fields(self):
'''
Return list of fields to update
'''
fields = dict()
fields['policy_name'] = self.policy_name
fields['action'] = self.action
fields['fromPath'] = self.fromPath
fields['targetPath'] = self.targetPath
fields['readOnly'] = self.readOnly
fields['archive'] = self.archive
fields['hidden'] = self.hidden
fields['suppress'] = self.suppress
fields['executable'] = self.executable
return fields
class ini_entry(object):
'''
Object mapping representing INIFILES.XML
'''
def __init__(self, sid, iniobj, policy_name):
self.sid = sid
self.policy_name = policy_name
self.action = iniobj.action
self.path = iniobj.path
self.section = iniobj.section
self.property = iniobj.property
self.value = iniobj.value
def update_fields(self):
'''
Return list of fields to update
'''
fields = dict()
fields['policy_name'] = self.policy_name
fields['action'] = self.action
fields['path'] = self.path
fields['section'] = self.section
fields['property'] = self.property
fields['value'] = self.value
return fields
class networkshare_entry(object):
'''
Object mapping representing NETWORKSHARES.XML
'''
def __init__(self, sid, networkshareobj, policy_name):
self.sid = sid
self.policy_name = policy_name
self.name = networkshareobj.name
self.action = networkshareobj.action
self.path = networkshareobj.path
self.allRegular = networkshareobj.allRegular
self.comment = networkshareobj.comment
self.limitUsers = networkshareobj.limitUsers
self.abe = networkshareobj.abe
def update_fields(self):
'''
Return list of fields to update
'''
fields = dict()
fields['policy_name'] = self.policy_name
fields['name'] = self.name
fields['action'] = self.action
fields['path'] = self.path
fields['allRegular'] = self.allRegular
fields['comment'] = self.comment
fields['limitUsers'] = self.limitUsers
fields['abe'] = self.abe
return fields

1
gpoa/storage/registry.py
View File

@@ -18,7 +18,6 @@
from abc import ABC
class registry(ABC):
def __init__(self, db_name):
pass

101
gpoa/storage/sqlite_cache.py Normal file
View File

@@ -0,0 +1,101 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from .cache import cache
import os
from sqlalchemy import (
create_engine,
Table,
Column,
Integer,
String,
)
from sqlalchemy.orm import sessionmaker
from .sqlite_registry_compat import sqlite_registry_compat
from util.logging import log
from util.paths import cache_dir
def mapping_factory(mapper_suffix):
exec(
'''
class mapped_id_{}(object):
def __init__(self, str_id, value):
self.str_id = str_id
self.value = str(value)
'''.format(mapper_suffix)
)
return eval('mapped_id_{}'.format(mapper_suffix))
class sqlite_cache(cache):
def __init__(self, cache_name):
self.cache_name = cache_name
self.mapper_obj = mapping_factory(self.cache_name)
self.storage_uri = os.path.join('sqlite:///{}/{}.sqlite'.format(cache_dir(), self.cache_name))
logdata = dict({'cache_file': self.storage_uri})
log('D20', logdata)
self.db_cnt = create_engine(self.storage_uri, echo=False)
self.__compat = sqlite_registry_compat(self.db_cnt)
self.__metadata = self.__compat.metadata()
self.cache_table = Table(
self.cache_name,
self.__metadata,
Column('id', Integer, primary_key=True),
Column('str_id', String(65536), unique=True),
Column('value', String)
)
self.__metadata.create_all(self.db_cnt)
Session = sessionmaker(bind=self.db_cnt)
self.db_session = Session()
mapper_reg = self.__compat
mapper_reg.map_imperatively(self.mapper_obj, self.cache_table)
def store(self, str_id, value):
obj = self.mapper_obj(str_id, value)
self._upsert(obj)
def get(self, obj_id):
result = self.db_session.query(self.mapper_obj).filter(self.mapper_obj.str_id == obj_id).first()
return result
def get_default(self, obj_id, default_value):
result = self.get(obj_id)
if result == None:
logdata = dict()
logdata['object'] = obj_id
log('D43', logdata)
self.store(obj_id, default_value)
return str(default_value)
return result.value
def _upsert(self, obj):
try:
self.db_session.add(obj)
self.db_session.commit()
except Exception as exc:
self.db_session.rollback()
logdata = dict()
logdata['msg'] = str(exc)
log('D44', logdata)
self.db_session.query(self.mapper_obj).filter(self.mapper_obj.str_id == obj.str_id).update({ 'value': obj.value })
self.db_session.commit()

621
gpoa/storage/sqlite_registry.py Normal file
View File

@@ -0,0 +1,621 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
from sqlalchemy import (
create_engine,
Table,
Column,
Integer,
String,
UniqueConstraint
)
from sqlalchemy.orm import sessionmaker
from .sqlite_registry_compat import sqlite_registry_compat
from util.logging import log
from util.paths import cache_dir
from .registry import registry
from .record_types import (
samba_preg
, samba_hkcu_preg
, ad_shortcut
, info_entry
, printer_entry
, drive_entry
, folder_entry
, envvar_entry
, script_entry
, file_entry
, ini_entry
, networkshare_entry
)
class sqlite_registry(registry):
def __init__(self, db_name, registry_cache_dir=None):
self.db_name = db_name
cdir = registry_cache_dir
if cdir == None:
cdir = cache_dir()
self.db_path = os.path.join('sqlite:///{}/{}.sqlite'.format(cdir, self.db_name))
self.db_cnt = create_engine(self.db_path, echo=False)
self.__compat = sqlite_registry_compat(self.db_cnt)
self.__metadata = self.__compat.metadata()
self.__info = Table(
'info',
self.__metadata,
Column('id', Integer, primary_key=True),
Column('name', String(65536), unique=True),
Column('value', String(65536))
)
self.__hklm = Table(
'HKLM'
, self.__metadata
, Column('id', Integer, primary_key=True)
, Column('hive_key', String(65536, collation='NOCASE'),
unique=True)
, Column('keyname', String(collation='NOCASE'))
, Column('valuename', String(collation='NOCASE'))
, Column('policy_name', String)
, Column('type', Integer)
, Column('data', String)
)
self.__hkcu = Table(
'HKCU'
, self.__metadata
, Column('id', Integer, primary_key=True)
, Column('sid', String)
, Column('hive_key', String(65536, collation='NOCASE'))
, Column('keyname', String(collation='NOCASE'))
, Column('valuename', String(collation='NOCASE'))
, Column('policy_name', String)
, Column('type', Integer)
, Column('data', String)
, UniqueConstraint('sid', 'hive_key')
)
self.__shortcuts = Table(
'Shortcuts'
, self.__metadata
, Column('id', Integer, primary_key=True)
, Column('sid', String)
, Column('path', String)
, Column('policy_name', String)
, Column('shortcut', String)
, UniqueConstraint('sid', 'path')
)
self.__printers = Table(
'Printers'
, self.__metadata
, Column('id', Integer, primary_key=True)
, Column('sid', String)
, Column('name', String)
, Column('policy_name', String)
, Column('printer', String)
, UniqueConstraint('sid', 'name')
)
self.__drives = Table(
'Drives'
, self.__metadata
, Column('id', Integer, primary_key=True)
, Column('sid', String)
, Column('login', String)
, Column('password', String)
, Column('dir', String)
, Column('policy_name', String)
, Column('path', String)
, Column('action', String)
, Column('thisDrive', String)
, Column('allDrives', String)
, Column('label', String)
, Column('persistent', String)
, Column('useLetter', String)
, UniqueConstraint('sid', 'dir')
)
self.__folders = Table(
'Folders'
, self.__metadata
, Column('id', Integer, primary_key=True)
, Column('sid', String)
, Column('path', String)
, Column('policy_name', String)
, Column('action', String)
, Column('delete_folder', String)
, Column('delete_sub_folders', String)
, Column('delete_files', String)
, Column('hidden_folder', String)
, UniqueConstraint('sid', 'path')
)
self.__envvars = Table(
'Envvars'
, self.__metadata
, Column('id', Integer, primary_key=True)
, Column('sid', String)
, Column('name', String)
, Column('policy_name', String)
, Column('action', String)
, Column('value', String)
, UniqueConstraint('sid', 'name')
)
self.__scripts = Table(
'Scripts'
, self.__metadata
, Column('id', Integer, primary_key=True)
, Column('sid', String)
, Column('policy_name', String)
, Column('number', String)
, Column('action', String)
, Column('path', String)
, Column('arg', String)
, UniqueConstraint('sid', 'path', 'arg')
)
self.__files = Table(
'Files'
, self.__metadata
, Column('id', Integer, primary_key=True)
, Column('sid', String)
, Column('policy_name', String)
, Column('action', String)
, Column('fromPath', String)
, Column('targetPath', String)
, Column('readOnly', String)
, Column('archive', String)
, Column('hidden', String)
, Column('suppress', String)
, Column('executable', String)
, UniqueConstraint('sid', 'policy_name', 'targetPath', 'fromPath')
)
self.__ini = Table(
'Ini'
, self.__metadata
, Column('id', Integer, primary_key=True)
, Column('sid', String)
, Column('policy_name', String)
, Column('action', String)
, Column('path', String)
, Column('section', String)
, Column('property', String)
, Column('value', String)
, UniqueConstraint('sid', 'action', 'path', 'section', 'property', 'value')
)
self.__networkshare = Table(
'Networkshare'
, self.__metadata
, Column('id', Integer, primary_key=True)
, Column('sid', String)
, Column('policy_name', String)
, Column('name', String)
, Column('action', String)
, Column('path', String)
, Column('allRegular', String)
, Column('comment', String)
, Column('limitUsers', String)
, Column('abe', String)
, UniqueConstraint('sid', 'name', 'path')
)
self.__metadata.create_all(self.db_cnt)
Session = sessionmaker(bind=self.db_cnt)
self.db_session = Session()
mapper_reg = self.__compat
try:
mapper_reg.map_imperatively(info_entry, self.__info)
mapper_reg.map_imperatively(samba_preg, self.__hklm)
mapper_reg.map_imperatively(samba_hkcu_preg, self.__hkcu)
mapper_reg.map_imperatively(ad_shortcut, self.__shortcuts)
mapper_reg.map_imperatively(printer_entry, self.__printers)
mapper_reg.map_imperatively(drive_entry, self.__drives)
mapper_reg.map_imperatively(folder_entry, self.__folders)
mapper_reg.map_imperatively(envvar_entry, self.__envvars)
mapper_reg.map_imperatively(script_entry, self.__scripts)
mapper_reg.map_imperatively(file_entry, self.__files)
mapper_reg.map_imperatively(ini_entry, self.__ini)
mapper_reg.map_imperatively(networkshare_entry, self.__networkshare)
except:
pass
#logging.error('Error creating mapper')
def _add(self, row):
try:
self.db_session.add(row)
self.db_session.commit()
except Exception as exc:
self.db_session.rollback()
raise exc
def _info_upsert(self, row):
try:
self._add(row)
except:
(self
.db_session.query(info_entry)
.filter(info_entry.name == row.name)
.update(row.update_fields()))
self.db_session.commit()
def _hklm_upsert(self, row):
try:
self._add(row)
except:
(self
.db_session
.query(samba_preg)
.filter(samba_preg.hive_key == row.hive_key)
.update(row.update_fields()))
self.db_session.commit()
def _hkcu_upsert(self, row):
try:
self._add(row)
except Exception as exc:
(self
.db_session
.query(samba_hkcu_preg)
.filter(samba_hkcu_preg.sid == row.sid)
.filter(samba_hkcu_preg.hive_key == row.hive_key)
.update(row.update_fields()))
self.db_session.commit()
def _shortcut_upsert(self, row):
try:
self._add(row)
except:
(self
.db_session
.query(ad_shortcut)
.filter(ad_shortcut.sid == row.sid)
.filter(ad_shortcut.path == row.path)
.update(row.update_fields()))
self.db_session.commit()
def _printer_upsert(self, row):
try:
self._add(row)
except:
(self
.db_session
.query(printer_entry)
.filter(printer_entry.sid == row.sid)
.filter(printer_entry.name == row.name)
.update(row.update_fields()))
self.db_session.commit()
def _drive_upsert(self, row):
try:
self._add(row)
except:
(self
.db_session
.query(drive_entry)
.filter(drive_entry.sid == row.sid)
.filter(drive_entry.dir == row.dir)
.update(row.update_fields()))
self.db_session.commit()
def set_info(self, name, value):
ientry = info_entry(name, value)
logdata = dict()
logdata['varname'] = name
logdata['value'] = value
log('D19', logdata)
self._info_upsert(ientry)
def _delete_hklm_keyname(self, keyname):
'''
Delete PReg hive_key from HKEY_LOCAL_MACHINE
'''
logdata = dict({'keyname': keyname})
try:
(self
.db_session
.query(samba_preg)
.filter(samba_preg.keyname == keyname)
.delete(synchronize_session=False))
self.db_session.commit()
log('D65', logdata)
except Exception as exc:
log('D63', logdata)
def add_hklm_entry(self, preg_entry, policy_name):
'''
Write PReg entry to HKEY_LOCAL_MACHINE
'''
pentry = samba_preg(preg_entry, policy_name)
if not pentry.valuename.startswith('**'):
self._hklm_upsert(pentry)
else:
logdata = dict({'key': pentry.hive_key})
if pentry.valuename.lower() == '**delvals.':
self._delete_hklm_keyname(pentry.keyname)
else:
log('D27', logdata)
def _delete_hkcu_keyname(self, keyname, sid):
'''
Delete PReg hive_key from HKEY_CURRENT_USER
'''
logdata = dict({'sid': sid, 'keyname': keyname})
try:
(self
.db_session
.query(samba_hkcu_preg)
.filter(samba_hkcu_preg.sid == sid)
.filter(samba_hkcu_preg.keyname == keyname)
.delete(synchronize_session=False))
self.db_session.commit()
log('D66', logdata)
except:
log('D64', logdata)
def add_hkcu_entry(self, preg_entry, sid, policy_name):
'''
Write PReg entry to HKEY_CURRENT_USER
'''
hkcu_pentry = samba_hkcu_preg(sid, preg_entry, policy_name)
logdata = dict({'sid': sid, 'policy': policy_name, 'key': hkcu_pentry.hive_key})
if not hkcu_pentry.valuename.startswith('**'):
log('D26', logdata)
self._hkcu_upsert(hkcu_pentry)
else:
if hkcu_pentry.valuename.lower() == '**delvals.':
self._delete_hkcu_keyname(hkcu_pentry.keyname, sid)
else:
log('D51', logdata)
def add_shortcut(self, sid, sc_obj, policy_name):
'''
Store shortcut information in the database
'''
sc_entry = ad_shortcut(sid, sc_obj, policy_name)
logdata = dict()
logdata['link'] = sc_entry.path
logdata['sid'] = sid
log('D41', logdata)
self._shortcut_upsert(sc_entry)
def add_printer(self, sid, pobj, policy_name):
'''
Store printer configuration in the database
'''
prn_entry = printer_entry(sid, pobj, policy_name)
logdata = dict()
logdata['printer'] = prn_entry.name
logdata['sid'] = sid
log('D40', logdata)
self._printer_upsert(prn_entry)
def add_drive(self, sid, dobj, policy_name):
drv_entry = drive_entry(sid, dobj, policy_name)
logdata = dict()
logdata['uri'] = drv_entry.path
logdata['sid'] = sid
log('D39', logdata)
self._drive_upsert(drv_entry)
def add_folder(self, sid, fobj, policy_name):
fld_entry = folder_entry(sid, fobj, policy_name)
logdata = dict()
logdata['folder'] = fld_entry.path
logdata['sid'] = sid
log('D42', logdata)
try:
self._add(fld_entry)
except Exception as exc:
(self
._filter_sid_obj(folder_entry, sid)
.filter(folder_entry.path == fld_entry.path)
.update(fld_entry.update_fields()))
self.db_session.commit()
def add_envvar(self, sid, evobj, policy_name):
ev_entry = envvar_entry(sid, evobj, policy_name)
logdata = dict()
logdata['envvar'] = ev_entry.name
logdata['sid'] = sid
log('D53', logdata)
try:
self._add(ev_entry)
except Exception as exc:
(self
._filter_sid_obj(envvar_entry, sid)
.filter(envvar_entry.name == ev_entry.name)
.update(ev_entry.update_fields()))
self.db_session.commit()
def add_script(self, sid, scrobj, policy_name):
scr_entry = script_entry(sid, scrobj, policy_name)
logdata = dict()
logdata['script path'] = scrobj.path
logdata['sid'] = sid
log('D153', logdata)
try:
self._add(scr_entry)
except Exception as exc:
(self
._filter_sid_obj(script_entry, sid)
.filter(script_entry.path == scr_entry.path)
.update(scr_entry.update_fields()))
self.db_session.commit()
def add_file(self, sid, fileobj, policy_name):
f_entry = file_entry(sid, fileobj, policy_name)
logdata = dict()
logdata['targetPath'] = f_entry.targetPath
logdata['fromPath'] = f_entry.fromPath
log('D162', logdata)
try:
self._add(f_entry)
except Exception as exc:
(self
._filter_sid_obj(file_entry, sid)
.filter(file_entry.targetPath == f_entry.targetPath)
.update(f_entry.update_fields()))
self.db_session.commit()
def add_ini(self, sid, iniobj, policy_name):
inientry = ini_entry(sid, iniobj, policy_name)
logdata = dict()
logdata['path'] = inientry.path
logdata['action'] = inientry.action
log('D177', logdata)
try:
self._add(inientry)
except Exception as exc:
(self
._filter_sid_obj(ini_entry, sid)
.filter(ini_entry.path == inientry.path)
.update(inientry.update_fields()))
self.db_session.commit()
def add_networkshare(self, sid, networkshareobj, policy_name):
networkshareentry = networkshare_entry(sid, networkshareobj, policy_name)
logdata = dict()
logdata['name'] = networkshareentry.name
logdata['path'] = networkshareentry.path
logdata['action'] = networkshareentry.action
log('D186', logdata)
try:
self._add(networkshareentry)
except Exception as exc:
(self
._filter_sid_obj(networkshare_entry, sid)
.filter(networkshare_entry.path == networkshareentry.path)
.update(networkshareentry.update_fields()))
self.db_session.commit()
def _filter_sid_obj(self, row_object, sid):
res = (self
.db_session
.query(row_object)
.filter(row_object.sid == sid))
return res
def _filter_sid_list(self, row_object, sid):
res = (self
.db_session
.query(row_object)
.filter(row_object.sid == sid)
.order_by(row_object.id)
.all())
return res
def get_shortcuts(self, sid):
return self._filter_sid_list(ad_shortcut, sid)
def get_printers(self, sid):
return self._filter_sid_list(printer_entry, sid)
def get_drives(self, sid):
return self._filter_sid_list(drive_entry, sid)
def get_folders(self, sid):
return self._filter_sid_list(folder_entry, sid)
def get_envvars(self, sid):
return self._filter_sid_list(envvar_entry, sid)
def _filter_scripts_list(self, row_object, sid, action):
res = (self
.db_session
.query(row_object)
.filter(row_object.sid == sid)
.filter(row_object.action == action)
.order_by(row_object.id)
.all())
return res
def get_scripts(self, sid, action):
return self._filter_scripts_list(script_entry, sid, action)
def get_files(self, sid):
return self._filter_sid_list(file_entry, sid)
def get_networkshare(self, sid):
return self._filter_sid_list(networkshare_entry, sid)
def get_ini(self, sid):
return self._filter_sid_list(ini_entry, sid)
def get_hkcu_entry(self, sid, hive_key):
res = (self
.db_session
.query(samba_hkcu_preg)
.filter(samba_hkcu_preg.sid == sid)
.filter(samba_hkcu_preg.hive_key == hive_key)
.first())
# Try to get the value from machine SID as a default if no option is set.
if not res:
machine_sid = self.get_info('machine_sid')
res = self.db_session.query(samba_hkcu_preg).filter(samba_hkcu_preg.sid == machine_sid).filter(samba_hkcu_preg.hive_key == hive_key).first()
return res
def filter_hkcu_entries(self, sid, startswith):
res = (self
.db_session
.query(samba_hkcu_preg)
.filter(samba_hkcu_preg.sid == sid)
.filter(samba_hkcu_preg.hive_key.like(startswith)))
return res
def get_info(self, name):
res = (self
.db_session
.query(info_entry)
.filter(info_entry.name == name)
.first())
return res.value
def get_hklm_entry(self, hive_key):
res = (self
.db_session
.query(samba_preg)
.filter(samba_preg.hive_key == hive_key)
.first())
return res
def filter_hklm_entries(self, startswith):
res = (self
.db_session
.query(samba_preg)
.filter(samba_preg.hive_key.like(startswith)))
return res
def wipe_user(self, sid):
self._wipe_sid(samba_hkcu_preg, sid)
self._wipe_sid(ad_shortcut, sid)
self._wipe_sid(printer_entry, sid)
self._wipe_sid(drive_entry, sid)
self._wipe_sid(script_entry, sid)
self._wipe_sid(file_entry, sid)
self._wipe_sid(ini_entry, sid)
self._wipe_sid(networkshare_entry, sid)
def _wipe_sid(self, row_object, sid):
(self
.db_session
.query(row_object)
.filter(row_object.sid == sid)
.delete())
self.db_session.commit()
def wipe_hklm(self):
self.db_session.query(samba_preg).delete()
self.db_session.commit()

45
gpoa/storage/sqlite_registry_compat.py Normal file
View File

@@ -0,0 +1,45 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2024 BaseALT Ltd.
# Copyright (C) 2024 Evgeny SInelnikov <sin@altlinux.org>.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
__compat__ = False
from sqlalchemy import MetaData
try:
from sqlalchemy.orm import registry
except:
from sqlalchemy.orm import mapper
__compat__ = True
class sqlite_registry_compat:
def __init__(self, db_cnt):
if not __compat__:
self.__registry = registry()
self.__metadata = MetaData()
else:
self.__metadata = MetaData(db_cnt)
def metadata(self):
return self.__metadata
def map_imperatively(self, obj, table):
if __compat__:
mapper(obj, table)
else:
self.__registry.map_imperatively(obj, table)

2
gpoa/templates/autofs_auto.j2
View File

@@ -16,5 +16,5 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#}
{{ home_dir }}/{{mntTarget}} {{ mount_file }} -t {{timeout}} --browse
{{ home_dir }}/{{mntTarget}} {{ mount_file }} -t 120 --browse

2
gpoa/templates/autofs_auto_hide.j2
View File

@@ -16,5 +16,5 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#}
{{ home_dir }}/.{{mntTarget}} {{ mount_file }} -t {{timeout}}
{{ home_dir }}/.{{mntTarget}} {{ mount_file }} -t 120

6
gpoa/templates/autofs_mountpoints.j2
View File

@@ -19,9 +19,9 @@
{%- for drv in drives %}
{% if (drv.thisDrive != 'HIDE') %}
{% if drv.label %}
"{{ drv.label }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm{% if drv.username %}{% else %},multiuser{% endif %}{% if drv.cifsacl %},cifsacl{% endif %} :{{ drv.path }}
"{{ drv.label }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm,cifsacl :{{ drv.path }}
{% else %}
"{{ drv.dir }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm{% if drv.username %}{% else %},multiuser{% endif %}{% if drv.cifsacl %},cifsacl{% endif %} :{{ drv.path }}
"{{ drv.dir }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm,cifsacl :{{ drv.path }}
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}

4
gpoa/templates/autofs_mountpoints_hide.j2
View File

@@ -19,9 +19,9 @@
{%- for drv in drives %}
{% if (drv.thisDrive == 'HIDE') %}
{% if drv.label %}
"{{ drv.label }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm{% if drv.username %}{% else %},multiuser{% endif %}{% if drv.cifsacl %},cifsacl{% endif %} :{{ drv.path }}
"{{ drv.label }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm,cifsacl :{{ drv.path }}
{% else %}
"{{ drv.dir }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm{% if drv.username %}{% else %},multiuser{% endif %}{% if drv.cifsacl %},cifsacl{% endif %} :{{ drv.path }}
"{{ drv.dir }}" -fstype=cifs,cruid=$USER,sec=krb5,noperm,cifsacl :{{ drv.path }}
{% endif %}
{% endif %}
{% endfor %}

28
gpoa/util/arguments.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,11 +16,12 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from enum import Enum, IntEnum
import logging
import logging.handlers
from enum import IntEnum
from .logging import log
from messages import message_with_code
from .logging import slogm
def set_loglevel(loglevel_num=None):
@@ -68,8 +69,8 @@ def process_target(target_name=None):
if target_name:
target = target_name
logdata = {'target': target}
log('D10', logdata)
logdata = dict({'target': target})
logging.debug(slogm(message_with_code('D10'), logdata))
return target.upper()
@@ -83,20 +84,3 @@ class ExitCodeUpdater(IntEnum):
FAIL_GPUPDATE_USER_NOREPLY = 3
EXIT_SIGINT = 130
class FileAction(Enum):
CREATE = 'C'
REPLACE = 'R'
UPDATE = 'U'
DELETE = 'D'
def __str__(self):
return self.value
def action_letter2enum(letter):
if letter in ['C', 'R', 'U', 'D']:
if letter == 'C': return FileAction.CREATE
if letter == 'R': return FileAction.REPLACE
if letter == 'U': return FileAction.UPDATE
if letter == 'D': return FileAction.DELETE
return FileAction.CREATE

6
gpoa/util/config.py
View File

@@ -19,8 +19,10 @@
from configparser import ConfigParser
from .util import get_backends, get_default_policy_name
from .util import (
get_backends
, get_default_policy_name
)
class GPConfig:
__config_path = '/etc/gpupdate/gpupdate.ini'

25
gpoa/util/dbus.py
View File

@@ -1,7 +1,7 @@
#
# GPOA - GPO Applier for Linux
#
# Copyright (C) 2019-2024 BaseALT Ltd.
# Copyright (C) 2019-2020 BaseALT Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -17,7 +17,6 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import dbus
from storage import Dconf_registry
from .logging import log
from .users import is_root
@@ -71,9 +70,8 @@ class dbus_runner:
def run(self):
if self.username:
logdata = {'username': self.username}
logdata = dict({'username': self.username})
log('D6', logdata)
gpupdate = 'gpupdate' if not Dconf_registry._force else 'gpupdate_force'
if is_root():
# oddjobd-gpupdate's ACL allows access to this method
# only for superuser. This method is called via PAM
@@ -88,7 +86,8 @@ class dbus_runner:
timeout=self._synchronous_timeout)
print_dbus_result(result)
except dbus.exceptions.DBusException as exc:
logdata = {'username': self.username}
logdata = dict()
logdata['username'] = self.username
log('E23', logdata)
raise exc
else:
@@ -96,23 +95,22 @@ class dbus_runner:
result = self.system_bus.call_blocking(self.bus_name,
self._object_path,
self.interface_name,
gpupdate,
'gpupdate',
None,
[],
timeout=self._synchronous_timeout)
print_dbus_result(result)
except dbus.exceptions.DBusException as exc:
logdata = {'error': str(exc)}
logdata = dict({'error': str(exc)})
log('E21', logdata)
raise exc
else:
log('D11')
gpupdate_computer = 'gpupdate_computer' if not Dconf_registry._force else 'gpupdate_computer_force'
try:
result = self.system_bus.call_blocking(self.bus_name,
self._object_path,
self.interface_name,
gpupdate_computer,
'gpupdate_computer',
None,
# The following positional parameter is called "args".
# There is no official documentation for it.
@@ -120,7 +118,8 @@ class dbus_runner:
timeout=self._synchronous_timeout)
print_dbus_result(result)
except dbus.exceptions.DBusException as exc:
logdata = {'error': str(exc)}
print(exc)
logdata = dict({'error': str(exc)})
log('E22', logdata)
raise exc
@@ -193,7 +192,7 @@ def print_dbus_result(result):
'''
exitcode = result[0]
message = result[1:]
logdata = {'retcode': exitcode}
logdata = dict({'retcode': exitcode})
log('D12', logdata)
for line in message:
@@ -207,7 +206,7 @@ class dbus_session:
self.session_dbus = self.session_bus.get_object('org.freedesktop.DBus', '/org/freedesktop/DBus')
self.session_iface = dbus.Interface(self.session_dbus, 'org.freedesktop.DBus')
except dbus.exceptions.DBusException as exc:
logdata = {'error': str(exc)}
logdata = dict({'error': str(exc)})
log('E31', logdata)
raise exc
@@ -218,7 +217,7 @@ class dbus_session:
log('D57', {"pid": pid})
except dbus.exceptions.DBusException as exc:
if exc.get_dbus_name() != 'org.freedesktop.DBus.Error.NameHasNoOwner':
logdata = {'error': str(exc)}
logdata = dict({'error': str(exc)})
log('E32', logdata)
raise exc
log('D58', {'connection': connection})

4
gpoa/util/exceptions.py
View File

@@ -27,13 +27,13 @@ def geterr():
'''
etype, evalue, etrace = sys.exc_info()
traceinfo = {
traceinfo = dict({
'file': etrace.tb_frame.f_code.co_filename
, 'line': etrace.tb_lineno
, 'name': etrace.tb_frame.f_code.co_name
, 'type': etype.__name__
, 'message': evalue
}
})
del(etype, evalue, etrace)

24
gpoa/util/gpoa_ini_parsing.py
View File

@@ -16,25 +16,15 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
from configobj import (ConfigObj, NestingError, Section,
DuplicateError, ParseError, UnreprError,
UnknownType,UnreprError,
BOM_UTF8, DEFAULT_INDENT_TYPE, BOM_LIST,
match_utf8, unrepr)
import six
import re
import sys
from configobj import (
BOM_LIST,
BOM_UTF8,
DEFAULT_INDENT_TYPE,
ConfigObj,
DuplicateError,
NestingError,
ParseError,
Section,
UnknownType,
UnreprError,
match_utf8,
unrepr,
)
import six
import os
# Michael Foord: fuzzyman AT voidspace DOT org DOT uk
# Nicola Larosa: nico AT tekNico DOT net

Some files were not shown because too many files have changed in this diff Show More