gpo: Add Centrify Compatible Sudoers Extension
authorDavid Mulder <dmulder@suse.com>
Fri, 29 Apr 2022 16:29:01 +0000 (10:29 -0600)
committerJeremy Allison <jra@samba.org>
Tue, 10 May 2022 19:13:29 +0000 (19:13 +0000)
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
python/samba/gp_centrify_sudoers_ext.py
selftest/knownfail.d/gpo [deleted file]
source4/scripting/bin/samba-gpupdate

index 181d74138d6d7f0283a7637fa4f05275f3a07908..4af5140605084130c4f5f00753ce1584ee5165c2 100644 (file)
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import os
 from samba.gpclass import gp_pol_ext
+from base64 import b64encode
+from tempfile import NamedTemporaryFile
+from subprocess import Popen, PIPE
+from samba.gp_sudoers_ext import visudo, intro
+from samba.gp.util.logging import log
+
+def ext_enabled(entries):
+    section = 'Software\\Policies\\Centrify\\UnixSettings'
+    for e in entries:
+        if e.keyname == section and e.valuename == 'sudo.enabled':
+            return e.data == 1
+    return False
 
 class gp_centrify_sudoers_ext(gp_pol_ext):
+    def __str__(self):
+        return 'Centrify/Sudo Rights'
+
     def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
             sdir='/etc/sudoers.d'):
-        pass
+        for guid, settings in deleted_gpo_list:
+            self.gp_db.set_guid(guid)
+            if str(self) in settings:
+                for attribute, sudoers in settings[str(self)].items():
+                    if os.path.exists(sudoers):
+                        os.unlink(sudoers)
+                    self.gp_db.delete(str(self), attribute)
+            self.gp_db.commit()
+
+        for gpo in changed_gpo_list:
+            if gpo.file_sys_path:
+                section = 'Software\\Policies\\Centrify\\UnixSettings\\SuDo'
+                self.gp_db.set_guid(gpo.name)
+                pol_file = 'MACHINE/Registry.pol'
+                path = os.path.join(gpo.file_sys_path, pol_file)
+                pol_conf = self.parse(path)
+                if not pol_conf or not ext_enabled(pol_conf.entries):
+                    continue
+                for e in pol_conf.entries:
+                    if e.keyname == section and e.data.strip():
+                        if '**delvals.' in e.valuename:
+                            continue
+                        attribute = b64encode(e.data.encode()).decode()
+                        old_val = self.gp_db.retrieve(str(self), attribute)
+                        if not old_val:
+                            contents = intro
+                            contents += '%s\n' % e.data
+                            with NamedTemporaryFile() as f:
+                                with open(f.name, 'w') as w:
+                                    w.write(contents)
+                                sudo_validation = \
+                                        Popen([visudo, '-c', '-f', f.name],
+                                            stdout=PIPE, stderr=PIPE).wait()
+                            if sudo_validation == 0:
+                                with NamedTemporaryFile(prefix='gp_',
+                                                        delete=False,
+                                                        dir=sdir) as f:
+                                    with open(f.name, 'w') as w:
+                                        w.write(contents)
+                                    self.gp_db.store(str(self),
+                                                     attribute,
+                                                     f.name)
+                            else:
+                                log.error('Sudoers apply failed', e.data)
+                        self.gp_db.commit()
 
     def rsop(self, gpo):
         output = {}
+        section = 'Software\\Policies\\Centrify\\UnixSettings\\SuDo'
+        pol_file = 'MACHINE/Registry.pol'
+        if gpo.file_sys_path:
+            path = os.path.join(gpo.file_sys_path, pol_file)
+            pol_conf = self.parse(path)
+            if not pol_conf:
+                return output
+            for e in pol_conf.entries:
+                if e.keyname == section and e.data.strip():
+                    if '**delvals.' in e.valuename:
+                        continue
+                    if str(self) not in output.keys():
+                        output[str(self)] = []
+                    output[str(self)].append(e.data)
         return output
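Review bot: The visudo failure branch near the end of process_group_policy logs only the rule text, because the Popen a few lines above opens stdout/stderr pipes and then just wait()s on the child, so visudo's diagnostic is never read — and a long diagnostic could fill the pipe and stall wait(). Reading the output with communicate() fixes both and lets the log say why a rule was rejected, which matters for a change that installs root-granting rules from the domain. Separately, and hedged since gp_db lives outside this hunk: the apply loop keys on a b64 of the rule text and only the deleted_gpo_list path unlinks files, so a rule removed from a GPO that stays linked appears to persist in sdir until the GPO itself is unlinked — worth confirming the framework covers that, since a revoked sudo grant lingering is a privilege issue. The file written into sdir also keeps NamedTemporaryFile's 0600 mode; sudo's checks are on ownership and group/world writability, but 0440 is the convention for sudoers.d, so an explicit `os.chmod(f.name, 0o440)` may be wanted.
```python
                            with NamedTemporaryFile() as f:
                                with open(f.name, 'w') as w:
                                    w.write(contents)
                                proc = Popen([visudo, '-c', '-f', f.name],
                                             stdout=PIPE, stderr=PIPE)
                                _, err = proc.communicate()
                                sudo_validation = proc.returncode
                            if sudo_validation == 0:
                                # … unchanged: write the validated rule into sdir and store it …
                            else:
                                log.error('Sudoers apply failed',
                                          err.decode(errors='replace'))
```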
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
deleted file mode 100644 (file)
index 4566e56..0000000
+++ /dev/null
@@ -1 +0,0 @@
-samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_centrify_sudoers_ext
index 0d0e9271a14302846bb4bc3d09b700fe197b71ec..b4c2ca9b4451294918da981ae30b0da176cc5cf1 100755 (executable)
@@ -49,6 +49,7 @@ from samba.gp_cert_auto_enroll_ext import gp_cert_auto_enroll_ext
 from samba.gp_firefox_ext import gp_firefox_ext
 from samba.gp_chromium_ext import gp_chromium_ext, gp_chrome_ext
 from samba.gp_firewalld_ext import gp_firewalld_ext
+from samba.gp_centrify_sudoers_ext import gp_centrify_sudoers_ext
 from samba.credentials import Credentials
 from samba.gp.util.logging import logger_init
 
@@ -101,6 +102,7 @@ if __name__ == "__main__":
         gp_extensions.append(gp_scripts_ext)
         gp_extensions.append(gp_sudoers_ext)
         gp_extensions.append(vgp_sudoers_ext)
+        gp_extensions.append(gp_centrify_sudoers_ext)
         gp_extensions.append(gp_smb_conf_ext)
         gp_extensions.append(gp_msgs_ext)
         gp_extensions.append(vgp_symlink_ext)