From: David Mulder Date: Wed, 8 Sep 2021 13:46:26 +0000 (-0600) Subject: gpo: Add Chromium Group Policy X-Git-Tag: ldb-2.5.0~730 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=efba2c445c511f27e220c2c92d507a772ee82bc1;p=thirdparty%2Fsamba.git gpo: Add Chromium Group Policy Signed-off-by: David Mulder Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Sep 9 20:42:35 UTC 2021 on sn-devel-184 --- diff --git a/python/samba/gp_chromium_ext.py b/python/samba/gp_chromium_ext.py index 05a1065ce33..c3193d04433 100644 --- a/python/samba/gp_chromium_ext.py +++ b/python/samba/gp_chromium_ext.py @@ -14,16 +14,481 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import os +import json from samba.gpclass import gp_pol_ext +from samba.dcerpc import misc +from samba.common import get_string + +def parse_entry_data(name, e): + dict_entries = ['VirtualKeyboardFeatures', + 'DeviceArcDataSnapshotHours', + 'RequiredClientCertificateForDevice', + 'RequiredClientCertificateForUser', + 'RegisteredProtocolHandlers', + 'WebUsbAllowDevicesForUrls', + 'DeviceAutoUpdateTimeRestrictions', + 'DeviceUpdateStagingSchedule', + 'DeviceMinimumVersion', + 'DeviceDisplayResolution', + 'ExtensionSettings', + 'KerberosAccounts', + 'NetworkFileSharesPreconfiguredShares', + 'NetworkThrottlingEnabled', + 'TPMFirmwareUpdateSettings', + 'DeviceOffHours', + 'ParentAccessCodeConfig', + 'PerAppTimeLimits', + 'PerAppTimeLimitsWhitelist', + 'PerAppTimeLimitsAllowlist', + 'UsageTimeLimit', + 'PluginVmImage', + 'DeviceLoginScreenPowerManagement', + 'PowerManagementIdleSettings', + 'ScreenLockDelays', + 'ScreenBrightnessPercent', + 'DevicePowerPeakShiftDayConfig', + 'DeviceAdvancedBatteryChargeModeDayConfig', + 'PrintingPaperSizeDefault', + 'AutoLaunchProtocolsFromOrigins', + 'BrowsingDataLifetime', + 'DataLeakPreventionRulesList', + 'DeviceLoginScreenWebUsbAllowDevicesForUrls', + 'DeviceScheduledUpdateCheck', + 'KeyPermissions', + 'ManagedBookmarks', + 'ManagedConfigurationPerOrigin', + 'ProxySettings', + 'SystemProxySettings', + 'WebAppInstallForceList'] + bools = ['ShowAccessibilityOptionsInSystemTrayMenu', + 'LargeCursorEnabled', + 'SpokenFeedbackEnabled', + 'HighContrastEnabled', + 'VirtualKeyboardEnabled', + 'StickyKeysEnabled', + 'KeyboardDefaultToFunctionKeys', + 'DictationEnabled', + 'SelectToSpeakEnabled', + 'KeyboardFocusHighlightEnabled', + 'CursorHighlightEnabled', + 'CaretHighlightEnabled', + 'MonoAudioEnabled', + 'AccessibilityShortcutsEnabled', + 'AutoclickEnabled', + 'DeviceLoginScreenDefaultLargeCursorEnabled', + 'DeviceLoginScreenDefaultSpokenFeedbackEnabled', + 'DeviceLoginScreenDefaultHighContrastEnabled', + 'DeviceLoginScreenDefaultVirtualKeyboardEnabled', + 'DeviceLoginScreenLargeCursorEnabled', + 'DeviceLoginScreenSpokenFeedbackEnabled', + 'DeviceLoginScreenHighContrastEnabled', + 'DeviceLoginScreenVirtualKeyboardEnabled', + 'DeviceLoginScreenDictationEnabled', + 'DeviceLoginScreenSelectToSpeakEnabled', + 'DeviceLoginScreenCursorHighlightEnabled', + 'DeviceLoginScreenCaretHighlightEnabled', + 'DeviceLoginScreenMonoAudioEnabled', + 'DeviceLoginScreenAutoclickEnabled', + 'DeviceLoginScreenStickyKeysEnabled', + 'DeviceLoginScreenKeyboardFocusHighlightEnabled', + 'DeviceLoginScreenShowOptionsInSystemTrayMenu', + 'DeviceLoginScreenAccessibilityShortcutsEnabled', + 'FloatingAccessibilityMenuEnabled', + 'ArcEnabled', + 'UnaffiliatedArcAllowed', + 'AppRecommendationZeroStateEnabled', + 'DeviceBorealisAllowed', + 'UserBorealisAllowed', + 'SystemUse24HourClock', + 'DefaultSearchProviderEnabled', + 'ChromeOsReleaseChannelDelegated', + 'DeviceAutoUpdateDisabled', + 'DeviceAutoUpdateP2PEnabled', + 'DeviceUpdateHttpDownloadsEnabled', + 'RebootAfterUpdate', + 'BlockExternalExtensions', + 'VoiceInteractionContextEnabled', + 'VoiceInteractionHotwordEnabled', + 'EnableMediaRouter', + 'ShowCastIconInToolbar', + 'DriveDisabled', + 'DriveDisabledOverCellular', + 'DisableAuthNegotiateCnameLookup', + 'EnableAuthNegotiatePort', + 'BasicAuthOverHttpEnabled', + 'AuthNegotiateDelegateByKdcPolicy', + 'AllowCrossOriginAuthPrompt', + 'NtlmV2Enabled', + 'IntegratedWebAuthenticationAllowed', + 'BrowserSwitcherEnabled', + 'BrowserSwitcherKeepLastChromeTab', + 'BrowserSwitcherUseIeSitelist', + 'VirtualMachinesAllowed', + 'CrostiniAllowed', + 'DeviceUnaffiliatedCrostiniAllowed', + 'CrostiniExportImportUIAllowed', + 'CrostiniPortForwardingAllowed', + 'NativeMessagingUserLevelHosts', + 'NetworkFileSharesAllowed', + 'NetBiosShareDiscoveryEnabled', + 'NTLMShareAuthenticationEnabled', + 'DeviceDataRoamingEnabled', + 'DeviceWiFiFastTransitionEnabled', + 'DeviceWiFiAllowed', + 'DeviceAllowBluetooth', + 'DeviceAllowRedeemChromeOsRegistrationOffers', + 'DeviceQuirksDownloadEnabled', + 'SuggestedContentEnabled', + 'DeviceShowLowDiskSpaceNotification', + 'PasswordManagerEnabled', + 'PasswordLeakDetectionEnabled', + 'PluginVmAllowed', + 'PluginVmDataCollectionAllowed', + 'UserPluginVmAllowed', + 'DeviceRebootOnShutdown', + 'PowerManagementUsesAudioActivity', + 'PowerManagementUsesVideoActivity', + 'AllowWakeLocks', + 'AllowScreenWakeLocks', + 'WaitForInitialUserActivity', + 'PowerSmartDimEnabled', + 'DevicePowerPeakShiftEnabled', + 'DeviceBootOnAcEnabled', + 'DeviceAdvancedBatteryChargeModeEnabled', + 'DeviceUsbPowerShareEnabled', + 'PrintingEnabled', + 'CloudPrintProxyEnabled', + 'PrintingSendUsernameAndFilenameEnabled', + 'CloudPrintSubmitEnabled', + 'DisablePrintPreview', + 'PrintHeaderFooter', + 'PrintPreviewUseSystemDefaultPrinter', + 'UserNativePrintersAllowed', + 'UserPrintersAllowed', + 'DeletePrintJobHistoryAllowed', + 'DeviceLoginScreenPrivacyScreenEnabled', + 'PrivacyScreenEnabled', + 'PinUnlockWeakPinsAllowed', + 'PinUnlockAutosubmitEnabled', + 'RemoteAccessHostFirewallTraversal', + 'RemoteAccessHostRequireCurtain', + 'RemoteAccessHostAllowClientPairing', + 'RemoteAccessHostAllowRelayedConnection', + 'RemoteAccessHostAllowUiAccessForRemoteAssistance', + 'RemoteAccessHostAllowFileTransfer', + 'RemoteAccessHostAllowRemoteAccessConnections', + 'AttestationEnabledForUser', + 'SafeBrowsingEnabled', + 'SafeBrowsingExtendedReportingEnabled', + 'DeviceGuestModeEnabled', + 'DeviceAllowNewUsers', + 'DeviceShowUserNamesOnSignin', + 'DeviceEphemeralUsersEnabled', + 'DeviceShowNumericKeyboardForPassword', + 'DeviceFamilyLinkAccountsAllowed', + 'ShowHomeButton', + 'HomepageIsNewTabPage', + 'DeviceMetricsReportingEnabled', + 'DeviceWilcoDtcAllowed', + 'AbusiveExperienceInterventionEnforce', + 'AccessibilityImageLabelsEnabled', + 'AdditionalDnsQueryTypesEnabled', + 'AdvancedProtectionAllowed', + 'AllowDeletingBrowserHistory', + 'AllowDinosaurEasterEgg', + 'AllowFileSelectionDialogs', + 'AllowScreenLock', + 'AllowSyncXHRInPageDismissal', + 'AlternateErrorPagesEnabled', + 'AlwaysOpenPdfExternally', + 'AppCacheForceEnabled', + 'AudioCaptureAllowed', + 'AudioOutputAllowed', + 'AudioProcessHighPriorityEnabled', + 'AudioSandboxEnabled', + 'AutoFillEnabled', + 'AutofillAddressEnabled', + 'AutofillCreditCardEnabled', + 'AutoplayAllowed', + 'BackgroundModeEnabled', + 'BlockThirdPartyCookies', + 'BookmarkBarEnabled', + 'BrowserAddPersonEnabled', + 'BrowserGuestModeEnabled', + 'BrowserGuestModeEnforced', + 'BrowserLabsEnabled', + 'BrowserNetworkTimeQueriesEnabled', + 'BuiltInDnsClientEnabled', + 'CECPQ2Enabled', + 'CaptivePortalAuthenticationIgnoresProxy', + 'ChromeCleanupEnabled', + 'ChromeCleanupReportingEnabled', + 'ChromeOsLockOnIdleSuspend', + 'ClickToCallEnabled', + 'CloudManagementEnrollmentMandatory', + 'CloudPolicyOverridesPlatformPolicy', + 'CloudUserPolicyMerge', + 'CommandLineFlagSecurityWarningsEnabled', + 'ComponentUpdatesEnabled', + 'DNSInterceptionChecksEnabled', + 'DataLeakPreventionReportingEnabled', + 'DefaultBrowserSettingEnabled', + 'DefaultSearchProviderContextMenuAccessAllowed', + 'DeveloperToolsDisabled', + 'DeviceAllowMGSToStoreDisplayProperties', + 'DeviceDebugPacketCaptureAllowed', + 'DeviceLocalAccountManagedSessionEnabled', + 'DeviceLoginScreenPrimaryMouseButtonSwitch', + 'DevicePciPeripheralDataAccessEnabled', + 'DevicePowerwashAllowed', + 'DeviceSystemWideTracingEnabled', + 'Disable3DAPIs', + 'DisableSafeBrowsingProceedAnyway', + 'DisableScreenshots', + 'EasyUnlockAllowed', + 'EditBookmarksEnabled', + 'EmojiSuggestionEnabled', + 'EnableDeprecatedPrivetPrinting', + 'EnableOnlineRevocationChecks', + 'EnableSyncConsent', + 'EnterpriseHardwarePlatformAPIEnabled', + 'ExternalProtocolDialogShowAlwaysOpenCheckbox', + 'ExternalStorageDisabled', + 'ExternalStorageReadOnly', + 'ForceBrowserSignin', + 'ForceEphemeralProfiles', + 'ForceGoogleSafeSearch', + 'ForceMaximizeOnFirstRun', + 'ForceSafeSearch', + 'ForceYouTubeSafetyMode', + 'FullscreenAlertEnabled', + 'FullscreenAllowed', + 'GloballyScopeHTTPAuthCacheEnabled', + 'HardwareAccelerationModeEnabled', + 'HideWebStoreIcon', + 'ImportAutofillFormData', + 'ImportBookmarks', + 'ImportHistory', + 'ImportHomepage', + 'ImportSavedPasswords', + 'ImportSearchEngine', + 'IncognitoEnabled', + 'InsecureFormsWarningsEnabled', + 'InsecurePrivateNetworkRequestsAllowed', + 'InstantTetheringAllowed', + 'IntensiveWakeUpThrottlingEnabled', + 'JavascriptEnabled', + 'LacrosAllowed', + 'LacrosSecondaryProfilesAllowed', + 'LockScreenMediaPlaybackEnabled', + 'LoginDisplayPasswordButtonEnabled', + 'ManagedGuestSessionPrivacyWarningsEnabled', + 'MediaRecommendationsEnabled', + 'MediaRouterCastAllowAllIPs', + 'MetricsReportingEnabled', + 'NTPCardsVisible', + 'NTPCustomBackgroundEnabled', + 'NativeWindowOcclusionEnabled', + 'NearbyShareAllowed', + 'PaymentMethodQueryEnabled', + 'PdfAnnotationsEnabled', + 'PhoneHubAllowed', + 'PhoneHubNotificationsAllowed', + 'PhoneHubTaskContinuationAllowed', + 'PolicyAtomicGroupsEnabled', + 'PrimaryMouseButtonSwitch', + 'PromotionalTabsEnabled', + 'PromptForDownloadLocation', + 'QuicAllowed', + 'RendererCodeIntegrityEnabled', + 'RequireOnlineRevocationChecksForLocalAnchors', + 'RoamingProfileSupportEnabled', + 'SSLErrorOverrideAllowed', + 'SafeBrowsingForTrustedSourcesEnabled', + 'SavingBrowserHistoryDisabled', + 'ScreenCaptureAllowed', + 'ScrollToTextFragmentEnabled', + 'SearchSuggestEnabled', + 'SecondaryGoogleAccountSigninAllowed', + 'SharedArrayBufferUnrestrictedAccessAllowed', + 'SharedClipboardEnabled', + 'ShowAppsShortcutInBookmarkBar', + 'ShowFullUrlsInAddressBar', + 'ShowLogoutButtonInTray', + 'SignedHTTPExchangeEnabled', + 'SigninAllowed', + 'SigninInterceptionEnabled', + 'SitePerProcess', + 'SmartLockSigninAllowed', + 'SmsMessagesAllowed', + 'SpellCheckServiceEnabled', + 'SpellcheckEnabled', + 'StartupBrowserWindowLaunchSuppressed', + 'StricterMixedContentTreatmentEnabled', + 'SuggestLogoutAfterClosingLastWindow', + 'SuppressDifferentOriginSubframeDialogs', + 'SuppressUnsupportedOSWarning', + 'SyncDisabled', + 'TargetBlankImpliesNoOpener', + 'TaskManagerEndProcessEnabled', + 'ThirdPartyBlockingEnabled', + 'TouchVirtualKeyboardEnabled', + 'TranslateEnabled', + 'TripleDESEnabled', + 'UnifiedDesktopEnabledByDefault', + 'UrlKeyedAnonymizedDataCollectionEnabled', + 'UserAgentClientHintsEnabled', + 'UserFeedbackAllowed', + 'VideoCaptureAllowed', + 'VmManagementCliAllowed', + 'VpnConfigAllowed', + 'WPADQuickCheckEnabled', + 'WebRtcAllowLegacyTLSProtocols', + 'WebRtcEventLogCollectionAllowed', + 'WifiSyncAndroidAllowed', + 'WindowOcclusionEnabled'] + if name in dict_entries: + return json.loads(get_string(e.data)) + elif e.type == misc.REG_DWORD and name in bools: + return e.data == 1 + return e.data + +def assign_entry(policies, e): + if e.valuename.isnumeric(): + name = e.keyname.split('\\')[-1] + if name not in policies: + policies[name] = [] + policies[name].append(parse_entry_data(name, e)) + else: + name = e.valuename + policies[name] = parse_entry_data(name, e) + +def convert_pol_to_json(managed, recommended, section, entries): + recommended_section = '\\'.join([section, 'Recommended']) + for e in entries: + if '**delvals.' in e.valuename: + continue + if e.keyname.startswith(recommended_section): + assign_entry(recommended, e) + elif e.keyname.startswith(section): + assign_entry(managed, e) + return managed, recommended class gp_chromium_ext(gp_pol_ext): + __managed_policies_path = '/etc/chromium/policies/managed' + __recommended_policies_path = '/etc/chromium/policies/recommended' + + def __str__(self): + return 'Google/Chromium' + + def set_managed_machine_policy(self, managed): + try: + managed_policies = os.path.join(self.__managed_policies_path, + 'policies.json') + os.makedirs(self.__managed_policies_path, exist_ok=True) + with open(managed_policies, 'w') as f: + json.dump(managed, f) + self.logger.debug('Wrote Chromium preferences to %s' % \ + managed_policies) + except PermissionError: + self.logger.debug('Failed to write Chromium preferences to %s' % \ + managed_policies) + + + def set_recommended_machine_policy(self, recommended): + try: + recommended_policies = os.path.join(self.__recommended_policies_path, + 'policies.json') + os.makedirs(self.__recommended_policies_path, exist_ok=True) + with open(recommended_policies, 'w') as f: + json.dump(recommended, f) + self.logger.debug('Wrote Chromium preferences to %s' % \ + recommended_policies) + except PermissionError: + self.logger.debug('Failed to write Chromium preferences to %s' % \ + recommended_policies) + + def get_managed_machine_policy(self): + managed_policies = os.path.join(self.__managed_policies_path, + 'policies.json') + if os.path.exists(managed_policies): + with open(managed_policies, 'r') as r: + managed = json.load(r) + self.logger.debug('Read Chromium preferences from %s' % \ + managed_policies) + else: + managed = {} + return managed + + def get_recommended_machine_policy(self): + recommended_policies = os.path.join(self.__recommended_policies_path, + 'policies.json') + if os.path.exists(recommended_policies): + with open(recommended_policies, 'r') as r: + recommended = json.load(r) + self.logger.debug('Read Chromium preferences from %s' % \ + recommended_policies) + else: + recommended = {} + return recommended + def process_group_policy(self, deleted_gpo_list, changed_gpo_list, policy_dir=None): - pass + if policy_dir is not None: + self.__recommended_policies_path = os.path.join(policy_dir, + 'recommended') + self.__managed_policies_path = os.path.join(policy_dir, 'managed') + for guid, settings in deleted_gpo_list: + self.gp_db.set_guid(guid) + if str(self) in settings: + for attribute, policies in settings[str(self)].items(): + if attribute == 'managed': + self.set_managed_machine_policy(json.loads(policies)) + elif attribute == 'recommended': + self.set_recommended_machine_policy(json.loads(policies)) + self.gp_db.delete(str(self), attribute) + self.gp_db.commit() + + for gpo in changed_gpo_list: + if gpo.file_sys_path: + section = 'Software\\Policies\\Google\\Chrome' + self.gp_db.set_guid(gpo.name) + pol_file = 'MACHINE/Registry.pol' + path = os.path.join(gpo.file_sys_path, pol_file) + pol_conf = self.parse(path) + if not pol_conf: + continue + + managed = self.get_managed_machine_policy() + recommended = self.get_recommended_machine_policy() + self.gp_db.store(str(self), 'managed', json.dumps(managed)) + self.gp_db.store(str(self), 'recommended', + json.dumps(recommended)) + managed, recommended = convert_pol_to_json(managed, + recommended, section, + pol_conf.entries) + self.set_managed_machine_policy(managed) + self.set_recommended_machine_policy(recommended) + self.gp_db.commit() def rsop(self, gpo): output = {} + pol_file = 'MACHINE/Registry.pol' + section = 'Software\\Policies\\Google\\Chrome' + if gpo.file_sys_path: + path = os.path.join(gpo.file_sys_path, pol_file) + pol_conf = self.parse(path) + if not pol_conf: + return output + for e in pol_conf.entries: + if e.keyname.startswith(section): + output['%s\\%s' % (e.keyname, e.valuename)] = e.data return output class gp_chrome_ext(gp_chromium_ext): - pass + __managed_policies_path = '/etc/opt/chrome/policies/managed' + __recommended_policies_path = '/etc/opt/chrome/policies/recommended' + + def __str__(self): + return 'Google/Chrome' diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo deleted file mode 100644 index 9be3c7d2eb1..00000000000 --- a/selftest/knownfail.d/gpo +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_chromium_ext diff --git a/source4/scripting/bin/samba-gpupdate b/source4/scripting/bin/samba-gpupdate index 7480777e988..0c1c2015287 100755 --- a/source4/scripting/bin/samba-gpupdate +++ b/source4/scripting/bin/samba-gpupdate @@ -47,6 +47,7 @@ from samba.vgp_access_ext import vgp_access_ext from samba.gp_gnome_settings_ext import gp_gnome_settings_ext from samba.gp_cert_auto_enroll_ext import gp_cert_auto_enroll_ext from samba.gp_firefox_ext import gp_firefox_ext +from samba.gp_chromium_ext import gp_chromium_ext, gp_chrome_ext from samba.credentials import Credentials import logging @@ -123,6 +124,8 @@ if __name__ == "__main__": gp_extensions.append(gp_gnome_settings_ext) gp_extensions.append(gp_cert_auto_enroll_ext) gp_extensions.append(gp_firefox_ext) + gp_extensions.append(gp_chromium_ext) + gp_extensions.append(gp_chrome_ext) gp_extensions.extend(machine_exts) elif opts.target == 'User': gp_extensions.append(gp_user_scripts_ext)