gpo: Apply Group Policy Sudo Rights

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

python/samba/gp_sudoers_ext.py

@@ -14,9 +14,72 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import os
 from samba.gpclass import gp_pol_ext
+from base64 import b64encode
+from tempfile import NamedTemporaryFile
+from subprocess import Popen, PIPE
+from distutils.spawn import find_executable
+
+intro = '''
+### autogenerated by samba
+#
+# This file is generated by the gp_sudoers_ext Group Policy
+# Client Side Extension. To modify the contents of this file,
+# modify the appropriate Group Policy objects which apply
+# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
+#
+
+'''
+visudo = find_executable('visudo',
+        path='%s:%s' % (os.environ['PATH'], '/usr/sbin'))
 
 class gp_sudoers_ext(gp_pol_ext):
+    def __str__(self):
+        return 'Unix Settings/Sudo Rights'
+
     def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
             sdir='/etc/sudoers.d'):
-        pass
+        for gpo in deleted_gpo_list:
+            self.gp_db.set_guid(gpo[0])
+            if str(self) in gpo[1]:
+                for attribute, sudoers in gpo[1][str(self)].items():
+                    os.unlink(sudoers)
+                    self.gp_db.delete(str(self), attribute)
+            self.gp_db.commit()
+
+        for gpo in changed_gpo_list:
+            if gpo.file_sys_path:
+                section = 'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
+                self.gp_db.set_guid(gpo.name)
+                pol_file = 'MACHINE/Registry.pol'
+                path = os.path.join(gpo.file_sys_path, pol_file)
+                pol_conf = self.parse(path)
+                if not pol_conf:
+                    continue
+                for e in pol_conf.entries:
+                    if e.keyname == section and e.data.strip():
+                        attribute = b64encode(e.data.encode()).decode()
+                        old_val = self.gp_db.retrieve(str(self), attribute)
+                        if not old_val:
+                            contents = intro
+                            contents += '%s\n' % e.data
+                            with NamedTemporaryFile() as f:
+                                with open(f.name, 'w') as w:
+                                    w.write(contents)
+                                sudo_validation = \
+                                        Popen([visudo, '-c', '-f', f.name],
+                                            stdout=PIPE, stderr=PIPE).wait()
+                            if sudo_validation == 0:
+                                with NamedTemporaryFile(prefix='gp_',
+                                                        delete=False,
+                                                        dir=sdir) as f:
+                                    with open(f.name, 'w') as w:
+                                        w.write(contents)
+                                    self.gp_db.store(str(self),
+                                                     attribute,
+                                                     f.name)
+                            else:
+                                self.logger.warn('Sudoers apply "%s" failed'
+                                        % e.data)
+                        self.gp_db.commit()