
gpo: Add Chromium Group Policy

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep  9 20:42:35 UTC 2021 on sn-devel-184
This commit is contained in:
David Mulder 2021-09-08 07:46:26 -06:00 committed by Jeremy Allison
parent 1047acce9d
commit efba2c445c
3 changed files with 470 additions and 3 deletions


@ -14,16 +14,481 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import json
from samba.gpclass import gp_pol_ext from samba.gpclass import gp_pol_ext
from samba.dcerpc import misc
from samba.common import get_string
def parse_entry_data(name, e):
dict_entries = ['VirtualKeyboardFeatures',
'DeviceArcDataSnapshotHours',
'RequiredClientCertificateForDevice',
'RequiredClientCertificateForUser',
'RegisteredProtocolHandlers',
'WebUsbAllowDevicesForUrls',
'DeviceAutoUpdateTimeRestrictions',
'DeviceUpdateStagingSchedule',
'DeviceMinimumVersion',
'DeviceDisplayResolution',
'ExtensionSettings',
'KerberosAccounts',
'NetworkFileSharesPreconfiguredShares',
'NetworkThrottlingEnabled',
'TPMFirmwareUpdateSettings',
'DeviceOffHours',
'ParentAccessCodeConfig',
'PerAppTimeLimits',
'PerAppTimeLimitsWhitelist',
'PerAppTimeLimitsAllowlist',
'UsageTimeLimit',
'PluginVmImage',
'DeviceLoginScreenPowerManagement',
'PowerManagementIdleSettings',
'ScreenLockDelays',
'ScreenBrightnessPercent',
'DevicePowerPeakShiftDayConfig',
'DeviceAdvancedBatteryChargeModeDayConfig',
'PrintingPaperSizeDefault',
'AutoLaunchProtocolsFromOrigins',
'BrowsingDataLifetime',
'DataLeakPreventionRulesList',
'DeviceLoginScreenWebUsbAllowDevicesForUrls',
'DeviceScheduledUpdateCheck',
'KeyPermissions',
'ManagedBookmarks',
'ManagedConfigurationPerOrigin',
'ProxySettings',
'SystemProxySettings',
'WebAppInstallForceList']
bools = ['ShowAccessibilityOptionsInSystemTrayMenu',
'LargeCursorEnabled',
'SpokenFeedbackEnabled',
'HighContrastEnabled',
'VirtualKeyboardEnabled',
'StickyKeysEnabled',
'KeyboardDefaultToFunctionKeys',
'DictationEnabled',
'SelectToSpeakEnabled',
'KeyboardFocusHighlightEnabled',
'CursorHighlightEnabled',
'CaretHighlightEnabled',
'MonoAudioEnabled',
'AccessibilityShortcutsEnabled',
'AutoclickEnabled',
'DeviceLoginScreenDefaultLargeCursorEnabled',
'DeviceLoginScreenDefaultSpokenFeedbackEnabled',
'DeviceLoginScreenDefaultHighContrastEnabled',
'DeviceLoginScreenDefaultVirtualKeyboardEnabled',
'DeviceLoginScreenLargeCursorEnabled',
'DeviceLoginScreenSpokenFeedbackEnabled',
'DeviceLoginScreenHighContrastEnabled',
'DeviceLoginScreenVirtualKeyboardEnabled',
'DeviceLoginScreenDictationEnabled',
'DeviceLoginScreenSelectToSpeakEnabled',
'DeviceLoginScreenCursorHighlightEnabled',
'DeviceLoginScreenCaretHighlightEnabled',
'DeviceLoginScreenMonoAudioEnabled',
'DeviceLoginScreenAutoclickEnabled',
'DeviceLoginScreenStickyKeysEnabled',
'DeviceLoginScreenKeyboardFocusHighlightEnabled',
'DeviceLoginScreenShowOptionsInSystemTrayMenu',
'DeviceLoginScreenAccessibilityShortcutsEnabled',
'FloatingAccessibilityMenuEnabled',
'ArcEnabled',
'UnaffiliatedArcAllowed',
'AppRecommendationZeroStateEnabled',
'DeviceBorealisAllowed',
'UserBorealisAllowed',
'SystemUse24HourClock',
'DefaultSearchProviderEnabled',
'ChromeOsReleaseChannelDelegated',
'DeviceAutoUpdateDisabled',
'DeviceAutoUpdateP2PEnabled',
'DeviceUpdateHttpDownloadsEnabled',
'RebootAfterUpdate',
'BlockExternalExtensions',
'VoiceInteractionContextEnabled',
'VoiceInteractionHotwordEnabled',
'EnableMediaRouter',
'ShowCastIconInToolbar',
'DriveDisabled',
'DriveDisabledOverCellular',
'DisableAuthNegotiateCnameLookup',
'EnableAuthNegotiatePort',
'BasicAuthOverHttpEnabled',
'AuthNegotiateDelegateByKdcPolicy',
'AllowCrossOriginAuthPrompt',
'NtlmV2Enabled',
'IntegratedWebAuthenticationAllowed',
'BrowserSwitcherEnabled',
'BrowserSwitcherKeepLastChromeTab',
'BrowserSwitcherUseIeSitelist',
'VirtualMachinesAllowed',
'CrostiniAllowed',
'DeviceUnaffiliatedCrostiniAllowed',
'CrostiniExportImportUIAllowed',
'CrostiniPortForwardingAllowed',
'NativeMessagingUserLevelHosts',
'NetworkFileSharesAllowed',
'NetBiosShareDiscoveryEnabled',
'NTLMShareAuthenticationEnabled',
'DeviceDataRoamingEnabled',
'DeviceWiFiFastTransitionEnabled',
'DeviceWiFiAllowed',
'DeviceAllowBluetooth',
'DeviceAllowRedeemChromeOsRegistrationOffers',
'DeviceQuirksDownloadEnabled',
'SuggestedContentEnabled',
'DeviceShowLowDiskSpaceNotification',
'PasswordManagerEnabled',
'PasswordLeakDetectionEnabled',
'PluginVmAllowed',
'PluginVmDataCollectionAllowed',
'UserPluginVmAllowed',
'DeviceRebootOnShutdown',
'PowerManagementUsesAudioActivity',
'PowerManagementUsesVideoActivity',
'AllowWakeLocks',
'AllowScreenWakeLocks',
'WaitForInitialUserActivity',
'PowerSmartDimEnabled',
'DevicePowerPeakShiftEnabled',
'DeviceBootOnAcEnabled',
'DeviceAdvancedBatteryChargeModeEnabled',
'DeviceUsbPowerShareEnabled',
'PrintingEnabled',
'CloudPrintProxyEnabled',
'PrintingSendUsernameAndFilenameEnabled',
'CloudPrintSubmitEnabled',
'DisablePrintPreview',
'PrintHeaderFooter',
'PrintPreviewUseSystemDefaultPrinter',
'UserNativePrintersAllowed',
'UserPrintersAllowed',
'DeletePrintJobHistoryAllowed',
'DeviceLoginScreenPrivacyScreenEnabled',
'PrivacyScreenEnabled',
'PinUnlockWeakPinsAllowed',
'PinUnlockAutosubmitEnabled',
'RemoteAccessHostFirewallTraversal',
'RemoteAccessHostRequireCurtain',
'RemoteAccessHostAllowClientPairing',
'RemoteAccessHostAllowRelayedConnection',
'RemoteAccessHostAllowUiAccessForRemoteAssistance',
'RemoteAccessHostAllowFileTransfer',
'RemoteAccessHostAllowRemoteAccessConnections',
'AttestationEnabledForUser',
'SafeBrowsingEnabled',
'SafeBrowsingExtendedReportingEnabled',
'DeviceGuestModeEnabled',
'DeviceAllowNewUsers',
'DeviceShowUserNamesOnSignin',
'DeviceEphemeralUsersEnabled',
'DeviceShowNumericKeyboardForPassword',
'DeviceFamilyLinkAccountsAllowed',
'ShowHomeButton',
'HomepageIsNewTabPage',
'DeviceMetricsReportingEnabled',
'DeviceWilcoDtcAllowed',
'AbusiveExperienceInterventionEnforce',
'AccessibilityImageLabelsEnabled',
'AdditionalDnsQueryTypesEnabled',
'AdvancedProtectionAllowed',
'AllowDeletingBrowserHistory',
'AllowDinosaurEasterEgg',
'AllowFileSelectionDialogs',
'AllowScreenLock',
'AllowSyncXHRInPageDismissal',
'AlternateErrorPagesEnabled',
'AlwaysOpenPdfExternally',
'AppCacheForceEnabled',
'AudioCaptureAllowed',
'AudioOutputAllowed',
'AudioProcessHighPriorityEnabled',
'AudioSandboxEnabled',
'AutoFillEnabled',
'AutofillAddressEnabled',
'AutofillCreditCardEnabled',
'AutoplayAllowed',
'BackgroundModeEnabled',
'BlockThirdPartyCookies',
'BookmarkBarEnabled',
'BrowserAddPersonEnabled',
'BrowserGuestModeEnabled',
'BrowserGuestModeEnforced',
'BrowserLabsEnabled',
'BrowserNetworkTimeQueriesEnabled',
'BuiltInDnsClientEnabled',
'CECPQ2Enabled',
'CaptivePortalAuthenticationIgnoresProxy',
'ChromeCleanupEnabled',
'ChromeCleanupReportingEnabled',
'ChromeOsLockOnIdleSuspend',
'ClickToCallEnabled',
'CloudManagementEnrollmentMandatory',
'CloudPolicyOverridesPlatformPolicy',
'CloudUserPolicyMerge',
'CommandLineFlagSecurityWarningsEnabled',
'ComponentUpdatesEnabled',
'DNSInterceptionChecksEnabled',
'DataLeakPreventionReportingEnabled',
'DefaultBrowserSettingEnabled',
'DefaultSearchProviderContextMenuAccessAllowed',
'DeveloperToolsDisabled',
'DeviceAllowMGSToStoreDisplayProperties',
'DeviceDebugPacketCaptureAllowed',
'DeviceLocalAccountManagedSessionEnabled',
'DeviceLoginScreenPrimaryMouseButtonSwitch',
'DevicePciPeripheralDataAccessEnabled',
'DevicePowerwashAllowed',
'DeviceSystemWideTracingEnabled',
'Disable3DAPIs',
'DisableSafeBrowsingProceedAnyway',
'DisableScreenshots',
'EasyUnlockAllowed',
'EditBookmarksEnabled',
'EmojiSuggestionEnabled',
'EnableDeprecatedPrivetPrinting',
'EnableOnlineRevocationChecks',
'EnableSyncConsent',
'EnterpriseHardwarePlatformAPIEnabled',
'ExternalProtocolDialogShowAlwaysOpenCheckbox',
'ExternalStorageDisabled',
'ExternalStorageReadOnly',
'ForceBrowserSignin',
'ForceEphemeralProfiles',
'ForceGoogleSafeSearch',
'ForceMaximizeOnFirstRun',
'ForceSafeSearch',
'ForceYouTubeSafetyMode',
'FullscreenAlertEnabled',
'FullscreenAllowed',
'GloballyScopeHTTPAuthCacheEnabled',
'HardwareAccelerationModeEnabled',
'HideWebStoreIcon',
'ImportAutofillFormData',
'ImportBookmarks',
'ImportHistory',
'ImportHomepage',
'ImportSavedPasswords',
'ImportSearchEngine',
'IncognitoEnabled',
'InsecureFormsWarningsEnabled',
'InsecurePrivateNetworkRequestsAllowed',
'InstantTetheringAllowed',
'IntensiveWakeUpThrottlingEnabled',
'JavascriptEnabled',
'LacrosAllowed',
'LacrosSecondaryProfilesAllowed',
'LockScreenMediaPlaybackEnabled',
'LoginDisplayPasswordButtonEnabled',
'ManagedGuestSessionPrivacyWarningsEnabled',
'MediaRecommendationsEnabled',
'MediaRouterCastAllowAllIPs',
'MetricsReportingEnabled',
'NTPCardsVisible',
'NTPCustomBackgroundEnabled',
'NativeWindowOcclusionEnabled',
'NearbyShareAllowed',
'PaymentMethodQueryEnabled',
'PdfAnnotationsEnabled',
'PhoneHubAllowed',
'PhoneHubNotificationsAllowed',
'PhoneHubTaskContinuationAllowed',
'PolicyAtomicGroupsEnabled',
'PrimaryMouseButtonSwitch',
'PromotionalTabsEnabled',
'PromptForDownloadLocation',
'QuicAllowed',
'RendererCodeIntegrityEnabled',
'RequireOnlineRevocationChecksForLocalAnchors',
'RoamingProfileSupportEnabled',
'SSLErrorOverrideAllowed',
'SafeBrowsingForTrustedSourcesEnabled',
'SavingBrowserHistoryDisabled',
'ScreenCaptureAllowed',
'ScrollToTextFragmentEnabled',
'SearchSuggestEnabled',
'SecondaryGoogleAccountSigninAllowed',
'SharedArrayBufferUnrestrictedAccessAllowed',
'SharedClipboardEnabled',
'ShowAppsShortcutInBookmarkBar',
'ShowFullUrlsInAddressBar',
'ShowLogoutButtonInTray',
'SignedHTTPExchangeEnabled',
'SigninAllowed',
'SigninInterceptionEnabled',
'SitePerProcess',
'SmartLockSigninAllowed',
'SmsMessagesAllowed',
'SpellCheckServiceEnabled',
'SpellcheckEnabled',
'StartupBrowserWindowLaunchSuppressed',
'StricterMixedContentTreatmentEnabled',
'SuggestLogoutAfterClosingLastWindow',
'SuppressDifferentOriginSubframeDialogs',
'SuppressUnsupportedOSWarning',
'SyncDisabled',
'TargetBlankImpliesNoOpener',
'TaskManagerEndProcessEnabled',
'ThirdPartyBlockingEnabled',
'TouchVirtualKeyboardEnabled',
'TranslateEnabled',
'TripleDESEnabled',
'UnifiedDesktopEnabledByDefault',
'UrlKeyedAnonymizedDataCollectionEnabled',
'UserAgentClientHintsEnabled',
'UserFeedbackAllowed',
'VideoCaptureAllowed',
'VmManagementCliAllowed',
'VpnConfigAllowed',
'WPADQuickCheckEnabled',
'WebRtcAllowLegacyTLSProtocols',
'WebRtcEventLogCollectionAllowed',
'WifiSyncAndroidAllowed',
'WindowOcclusionEnabled']
if name in dict_entries:
return json.loads(get_string(e.data))
elif e.type == misc.REG_DWORD and name in bools:
return e.data == 1
return e.data
def assign_entry(policies, e):
if e.valuename.isnumeric():
name = e.keyname.split('\\')[-1]
if name not in policies:
policies[name] = []
policies[name].append(parse_entry_data(name, e))
else:
name = e.valuename
policies[name] = parse_entry_data(name, e)
def convert_pol_to_json(managed, recommended, section, entries):
recommended_section = '\\'.join([section, 'Recommended'])
for e in entries:
if '**delvals.' in e.valuename:
continue
if e.keyname.startswith(recommended_section):
assign_entry(recommended, e)
elif e.keyname.startswith(section):
assign_entry(managed, e)
return managed, recommended
class gp_chromium_ext(gp_pol_ext): class gp_chromium_ext(gp_pol_ext):
__managed_policies_path = '/etc/chromium/policies/managed'
__recommended_policies_path = '/etc/chromium/policies/recommended'
def __str__(self):
return 'Google/Chromium'
def set_managed_machine_policy(self, managed):
try:
managed_policies = os.path.join(self.__managed_policies_path,
'policies.json')
os.makedirs(self.__managed_policies_path, exist_ok=True)
with open(managed_policies, 'w') as f:
json.dump(managed, f)
self.logger.debug('Wrote Chromium preferences to %s' % \
managed_policies)
except PermissionError:
self.logger.debug('Failed to write Chromium preferences to %s' % \
managed_policies)
def set_recommended_machine_policy(self, recommended):
try:
recommended_policies = os.path.join(self.__recommended_policies_path,
'policies.json')
os.makedirs(self.__recommended_policies_path, exist_ok=True)
with open(recommended_policies, 'w') as f:
json.dump(recommended, f)
self.logger.debug('Wrote Chromium preferences to %s' % \
recommended_policies)
except PermissionError:
self.logger.debug('Failed to write Chromium preferences to %s' % \
recommended_policies)
def get_managed_machine_policy(self):
managed_policies = os.path.join(self.__managed_policies_path,
'policies.json')
if os.path.exists(managed_policies):
with open(managed_policies, 'r') as r:
managed = json.load(r)
self.logger.debug('Read Chromium preferences from %s' % \
managed_policies)
else:
managed = {}
return managed
def get_recommended_machine_policy(self):
recommended_policies = os.path.join(self.__recommended_policies_path,
'policies.json')
if os.path.exists(recommended_policies):
with open(recommended_policies, 'r') as r:
recommended = json.load(r)
self.logger.debug('Read Chromium preferences from %s' % \
recommended_policies)
else:
recommended = {}
return recommended
def process_group_policy(self, deleted_gpo_list, changed_gpo_list, def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
policy_dir=None): policy_dir=None):
pass if policy_dir is not None:
self.__recommended_policies_path = os.path.join(policy_dir,
'recommended')
self.__managed_policies_path = os.path.join(policy_dir, 'managed')
for guid, settings in deleted_gpo_list:
self.gp_db.set_guid(guid)
if str(self) in settings:
for attribute, policies in settings[str(self)].items():
if attribute == 'managed':
self.set_managed_machine_policy(json.loads(policies))
elif attribute == 'recommended':
self.set_recommended_machine_policy(json.loads(policies))
self.gp_db.delete(str(self), attribute)
self.gp_db.commit()
for gpo in changed_gpo_list:
if gpo.file_sys_path:
section = 'Software\\Policies\\Google\\Chrome'
self.gp_db.set_guid(gpo.name)
pol_file = 'MACHINE/Registry.pol'
path = os.path.join(gpo.file_sys_path, pol_file)
pol_conf = self.parse(path)
if not pol_conf:
continue
managed = self.get_managed_machine_policy()
recommended = self.get_recommended_machine_policy()
self.gp_db.store(str(self), 'managed', json.dumps(managed))
self.gp_db.store(str(self), 'recommended',
json.dumps(recommended))
managed, recommended = convert_pol_to_json(managed,
recommended, section,
pol_conf.entries)
self.set_managed_machine_policy(managed)
self.set_recommended_machine_policy(recommended)
self.gp_db.commit()
def rsop(self, gpo): def rsop(self, gpo):
output = {} output = {}
pol_file = 'MACHINE/Registry.pol'
section = 'Software\\Policies\\Google\\Chrome'
if gpo.file_sys_path:
path = os.path.join(gpo.file_sys_path, pol_file)
pol_conf = self.parse(path)
if not pol_conf:
return output
for e in pol_conf.entries:
if e.keyname.startswith(section):
output['%s\\%s' % (e.keyname, e.valuename)] = e.data
return output return output
class gp_chrome_ext(gp_chromium_ext): class gp_chrome_ext(gp_chromium_ext):
pass __managed_policies_path = '/etc/opt/chrome/policies/managed'
__recommended_policies_path = '/etc/opt/chrome/policies/recommended'
def __str__(self):
return 'Google/Chrome'
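Review bot: The `__managed_policies_path` / `__recommended_policies_path` overrides in `gp_chrome_ext` never take effect, because Python name-mangles double-underscore class attributes per defining class: the methods in `gp_chromium_ext` read `self._gp_chromium_ext__managed_policies_path`, while the subclass defines `_gp_chrome_ext__managed_policies_path`, so a `gp_chrome_ext` run without `policy_dir` writes Chrome's policies under `/etc/chromium/policies/...` instead of `/etc/opt/chrome/policies/...`. Dropping the leading underscores (e.g. `managed_policies_path = '/etc/chromium/policies/managed'` in both classes, with matching `self.managed_policies_path` reads in `set_*_machine_policy`, `get_*_machine_policy` and the `policy_dir` branch of `process_group_policy`) lets the subclass override be honoured; the `policy_dir` override itself works for both classes because it sets an instance attribute under the base-class mangled name, which is presumably why the test does not notice. Separately, `parse_entry_data` calls `json.loads(get_string(e.data))` on policy data read straight from the Registry.pol without handling `json.JSONDecodeError`, so a single malformed value in SYSVOL aborts the whole `process_group_policy` run rather than being logged and skipped. A test that instantiates `gp_chrome_ext` and asserts the target path without passing `policy_dir` would cover the first point; the deleted knownfail entry only names `test_gp_chromium_ext`.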


@ -1 +0,0 @@
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_chromium_ext


@ -47,6 +47,7 @@ from samba.vgp_access_ext import vgp_access_ext
from samba.gp_gnome_settings_ext import gp_gnome_settings_ext from samba.gp_gnome_settings_ext import gp_gnome_settings_ext
from samba.gp_cert_auto_enroll_ext import gp_cert_auto_enroll_ext from samba.gp_cert_auto_enroll_ext import gp_cert_auto_enroll_ext
from samba.gp_firefox_ext import gp_firefox_ext from samba.gp_firefox_ext import gp_firefox_ext
from samba.gp_chromium_ext import gp_chromium_ext, gp_chrome_ext
from samba.credentials import Credentials from samba.credentials import Credentials
import logging import logging
@ -123,6 +124,8 @@ if __name__ == "__main__":
gp_extensions.append(gp_gnome_settings_ext) gp_extensions.append(gp_gnome_settings_ext)
gp_extensions.append(gp_cert_auto_enroll_ext) gp_extensions.append(gp_cert_auto_enroll_ext)
gp_extensions.append(gp_firefox_ext) gp_extensions.append(gp_firefox_ext)
gp_extensions.append(gp_chromium_ext)
gp_extensions.append(gp_chrome_ext)
gp_extensions.extend(machine_exts) gp_extensions.extend(machine_exts)
elif opts.target == 'User': elif opts.target == 'User':
gp_extensions.append(gp_user_scripts_ext) gp_extensions.append(gp_user_scripts_ext)