The branch, master has been updated via d5118eb68ad gpo: Add Group Policy Firefox Extension via c5bbb1777ec gpo: Test Group Policy Firefox Extension from fead05a4555 vfs_gpfs: deal with pathrefs fsps in smbd_gpfs_set_times()
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit d5118eb68adc82bede5391821e1db624d119eaec Author: David Mulder <dmul...@suse.com> Date: Wed Aug 25 13:05:28 2021 -0600 gpo: Add Group Policy Firefox Extension Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Mon Aug 30 21:57:09 UTC 2021 on sn-devel-184 commit c5bbb1777ecd595d8472380302949f45bf50dcf8 Author: David Mulder <dmul...@suse.com> Date: Wed Aug 25 13:04:47 2021 -0600 gpo: Test Group Policy Firefox Extension Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Jeremy Allison <j...@samba.org> ----------------------------------------------------------------------- Summary of changes: python/samba/gp_firefox_ext.py | 173 ++++ python/samba/tests/gpo.py | 1715 ++++++++++++++++++++++++++++++++++ source4/scripting/bin/samba-gpupdate | 2 + 3 files changed, 1890 insertions(+) create mode 100644 python/samba/gp_firefox_ext.py Changeset truncated at 500 lines: diff --git a/python/samba/gp_firefox_ext.py b/python/samba/gp_firefox_ext.py new file mode 100644 index 00000000000..afe582502b1 --- /dev/null +++ b/python/samba/gp_firefox_ext.py 
@@ -0,0 +1,173 @@
+# gp_firefox_ext samba gpo policy
+# Copyright (C) David Mulder <dmul...@suse.com> 2021
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import json
+from samba.gpclass import gp_pol_ext
+from samba.dcerpc import misc
+from samba.common import get_string
+
+def parse_entry_data(e):
+ if e.type == misc.REG_MULTI_SZ:
+ data = get_string(e.data).replace('\x00', '')
+ return json.loads(data)
+ elif e.type == misc.REG_DWORD and e.data in [0, 1]:
+ return e.data == 1
+ return e.data
+
+def convert_pol_to_json(policies, section, entries):
+ result = policies['policies']
+ index_map = {}
+ for e in entries:
+ if not e.keyname.startswith(section):
+ continue
+ if '**delvals.' in e.valuename:
+ continue
+ sub_keys = e.keyname.replace(section, '').strip('\\')
+ if sub_keys:
+ sub_keys = sub_keys.split('\\')
+ current = result
+ index = -1
+ if sub_keys[-1].isnumeric():
+ name = '\\'.join(sub_keys[:-1])
+ elif e.valuename.isnumeric():
+ name = e.keyname
+ else:
+ name = '\\'.join([e.keyname, e.valuename])
+ for i in range(len(sub_keys)):
+ if sub_keys[i] == 'PDFjs':
+ sub_keys[i] = 'PSFjs'
+ ctype = dict
+ if i == len(sub_keys)-1 and e.valuename.isnumeric():
+ ctype = list
+ index = int(e.valuename)
+ if i < len(sub_keys)-1 and sub_keys[i+1].isnumeric():
+ ctype = list
+ index = int(sub_keys[i+1])
+ if type(current) == dict:
+ if sub_keys[i] not in current:
+ if ctype == dict:
+ current[sub_keys[i]] = {}
+ else:
+ current[sub_keys[i]] = []
+ current = current[sub_keys[i]]
+ else:
+ if name not in index_map:
+ index_map[name] = {}
+ if index not in index_map[name].keys():
+ if ctype == dict:
+ current.append({})
+ else:
+ current.append([])
+ index_map[name][index] = len(current)-1
+ current = current[index_map[name][index]]
+ if type(current) == list:
+ current.append(parse_entry_data(e))
+ else:
+ current[e.valuename] = parse_entry_data(e)
+ else:
+ result[e.valuename] = parse_entry_data(e)
+ return {'policies': result}
+
+class gp_firefox_ext(gp_pol_ext):
+ __firefox_installdir1 = '/usr/lib64/firefox/distribution'
+ __firefox_installdir2 = '/etc/firefox/policies'
+ __destfile1 = os.path.join(__firefox_installdir1, 'policies.json')
+ __destfile2 = os.path.join(__firefox_installdir2, 'policies.json')
+
+ def __str__(self):
+ return 'Mozilla/Firefox'
+
+ def set_machine_policy(self, policies):
+ try:
+ os.makedirs(self.__firefox_installdir1, exist_ok=True)
+ with open(self.__destfile1, 'w') as f:
+ json.dump(policies, f)
+ self.logger.debug('Wrote Firefox preferences to %s' % \
+ self.__destfile1)
+ except PermissionError:
+ self.logger.debug('Failed to write Firefox preferences to %s' % \
+ self.__destfile1)
+
+ try:
+ os.makedirs(self.__firefox_installdir2, exist_ok=True)
+ with open(self.__destfile2, 'w') as f:
+ json.dump(policies, f)
+ self.logger.debug('Wrote Firefox preferences to %s' % \
+ self.__destfile2)
+ except PermissionError:
+ self.logger.debug('Failed to write Firefox preferences to %s' % \
+ self.__destfile2)
+
+ def get_machine_policy(self):
+ if os.path.exists(self.__destfile2):
+ with open(self.__destfile2, 'r') as r:
+ policies = json.load(r)
+ self.logger.debug('Read Firefox preferences from %s' % \
+ self.__destfile2)
+ elif os.path.exists(self.__destfile1):
+ with open(self.__destfile1, 'r') as r:
+ policies = json.load(r)
+ self.logger.debug('Read Firefox preferences from %s' % \
+ self.__destfile1)
+ else:
+ policies = {'policies': {}}
+ return policies
+
+ def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
+ policy_dir=None):
+ if policy_dir is not None:
+ self.__firefox_installdir2 = policy_dir
+ self.__destfile2 = os.path.join(policy_dir, 'policies.json')
+ for guid, settings in deleted_gpo_list:
+ self.gp_db.set_guid(guid)
+ if str(self) in settings:
+ for attribute, policies in settings[str(self)].items():
+ self.set_machine_policy(json.loads(policies))
+ self.gp_db.delete(str(self), attribute)
+ self.gp_db.commit()
+
+ for gpo in changed_gpo_list:
+ if gpo.file_sys_path:
+ section = 'Software\\Policies\\Mozilla\\Firefox'
+ self.gp_db.set_guid(gpo.name)
+ pol_file = 'MACHINE/Registry.pol'
+ path = os.path.join(gpo.file_sys_path, pol_file)
+ pol_conf = self.parse(path)
+ if not pol_conf:
+ continue
+
+ policies = self.get_machine_policy()
+ self.gp_db.store(str(self), 'policies.json',
+ json.dumps(policies))
+ policies = convert_pol_to_json(policies, section,
+ pol_conf.entries)
+ self.set_machine_policy(policies)
+ self.gp_db.commit()
+
+ def rsop(self, gpo):
+ output = {}
+ pol_file = 'MACHINE/Registry.pol'
+ section = 'Software\\Policies\\Mozilla\\Firefox'
+ if gpo.file_sys_path:
+ path = os.path.join(gpo.file_sys_path, pol_file)
+ pol_conf = self.parse(path)
+ if not pol_conf:
+ return output
+ for e in pol_conf.entries:
+ if e.keyname.startswith(section):
+ output['%s\\%s' % (e.keyname, e.valuename)] = e.data
+ return output
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 6fdf9664f48..4efa50d1a35 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -42,6 +42,7 @@ from samba.vgp_issue_ext import vgp_issue_ext from samba.vgp_access_ext import vgp_access_ext from samba.gp_gnome_settings_ext import gp_gnome_settings_ext from samba.gp_cert_auto_enroll_ext import gp_cert_auto_enroll_ext +from samba.gp_firefox_ext import gp_firefox_ext import logging from samba.credentials import Credentials from samba.gp_msgs_ext import gp_msgs_ext
@@ -58,6 +59,7 @@ from configparser import ConfigParser from samba.gpclass import get_dc_hostname from samba import Ldb from samba.auth import system_session +import json realm = os.environ.get('REALM') policies = realm + '/POLICIES'
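Review bot: In python/samba/gp_firefox_ext.py, `set_machine_policy` handles only `PermissionError` and reports it through `self.logger.debug`, while `process_group_policy` goes on to `self.gp_db.commit()` after the call, so a host where neither `policies.json` was written appears to be recorded as processed with nothing louder than a debug line. Because the file carries browser security settings, I would widen the handler to `except OSError as e:`, log it above debug level, and skip the commit when both writes fail (indentation is lost on this page, so confirm where the commit sits relative to the loop). `parse_entry_data` also hands REG_MULTI_SZ data from `Registry.pol` to `json.loads` with no handler, so a single malformed value raises out of `convert_pol_to_json` and stops the apply for that GPO; catching `json.JSONDecodeError` per entry and logging the key name would contain it. Finally, the rename of the `'PDFjs'` sub-key to `'PSFjs'` in `convert_pol_to_json` looks like a typo; if Firefox expects `PDFjs` the setting would be silently ignored, so it needs either a comment explaining the spelling or a check against the policy names Firefox accepts.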
@@ -227,6 +229,1661 @@ b""" </PolFile> """ +firefox_reg_pol = \ +b""" +<?xml version="1.0" encoding="utf-8"?> +<PolFile num_entries="241" signature="PReg" version="1"> + <Entry type="7" type_name="REG_MULTI_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>ExtensionSettings</ValueName> + <Value>{ "*": { "blocked_install_message": "Custom error message.", "install_sources": ["about:addons","https://addons.mozilla.org/"], "installation_mode": "blocked", "allowed_types": ["extension"] }, "ublo...@raymondhill.net": { "installation_mode": "force_installed", "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi" }, "https-everywh...@eff.org": { "installation_mode": "allowed" } }</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>ExtensionUpdate</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>SearchSuggestEnabled</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>AppAutoUpdate</ValueName> + <Value>1</Value> + </Entry> + <Entry type="1" type_name="REG_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>AppUpdateURL</ValueName> + <Value>https://yoursite.com</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>BlockAboutAddons</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>BlockAboutConfig</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>BlockAboutProfiles</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + 
<Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>BlockAboutSupport</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>CaptivePortal</ValueName> + <Value>1</Value> + </Entry> + <Entry type="2" type_name="REG_EXPAND_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DefaultDownloadDirectory</ValueName> + <Value>${home}/Downloads</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableAppUpdate</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableBuiltinPDFViewer</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableDefaultBrowserAgent</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableDeveloperTools</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableFeedbackCommands</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableFirefoxAccounts</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableFirefoxScreenshots</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableFirefoxStudies</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableForgetButton</ValueName> + <Value>1</Value> + </Entry> + <Entry 
type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableFormHistory</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableMasterPasswordCreation</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisablePasswordReveal</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisablePocket</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisablePrivateBrowsing</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableProfileImport</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableProfileRefresh</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableSafeMode</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableSetDesktopBackground</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableSystemAddonUpdate</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisableTelemetry</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisplayBookmarksToolbar</ValueName> + <Value>1</Value> + 
</Entry> + <Entry type="1" type_name="REG_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DisplayMenuBar</ValueName> + <Value>default-on</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DontCheckDefaultBrowser</ValueName> + <Value>1</Value> + </Entry> + <Entry type="2" type_name="REG_EXPAND_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>DownloadDirectory</ValueName> + <Value>${home}/Downloads</Value> + </Entry> + <Entry type="7" type_name="REG_MULTI_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>Handlers</ValueName> + <Value>{ "mimeTypes": { "application/msword": { "action": "useSystemDefault", "ask": true } }, "schemes": { "mailto": { "action": "useHelperApp", "ask": true, "handlers": [{ "name": "Gmail", "uriTemplate": "https://mail.google.com/mail/?extsrc=mailto&url=%s" }] } }, "extensions": { "pdf": { "action": "useHelperApp", "ask": true, "handlers": [{ "name": "Adobe Acrobat", "path": "/usr/bin/acroread" }] } } }</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>HardwareAcceleration</ValueName> + <Value>1</Value> + </Entry> + <Entry type="7" type_name="REG_MULTI_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>ManagedBookmarks</ValueName> + <Value>[ { "toplevel_name": "My managed bookmarks folder" }, { "url": "example.com", "name": "Example" }, { "name": "Mozilla links", "children": [ { "url": "https://mozilla.org", "name": "Mozilla.org" }, { "url": "https://support.mozilla.org/", "name": "SUMO" } ] } ]</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>NetworkPrediction</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>NewTabPage</ValueName> + <Value>1</Value> + </Entry> 
+ <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>NoDefaultBookmarks</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>OfferToSaveLogins</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>OfferToSaveLoginsDefault</ValueName> + <Value>1</Value> + </Entry> + <Entry type="1" type_name="REG_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>OverrideFirstRunPage</ValueName> + <Value>http://example.org</Value> + </Entry> + <Entry type="1" type_name="REG_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>OverridePostUpdatePage</ValueName> + <Value>http://example.org</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>PasswordManagerEnabled</ValueName> + <Value>1</Value> + </Entry> + <Entry type="7" type_name="REG_MULTI_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>Preferences</ValueName> + <Value>{ "accessibility.force_disabled": { "Value": 1, "Status": "default" }, "browser.cache.disk.parent_directory": { "Value": "SOME_NATIVE_PATH", "Status": "user" }, "browser.tabs.warnOnClose": { "Value": false, "Status": "locked" } }</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>PrimaryPassword</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>PromptForDownloadLocation</ValueName> + <Value>1</Value> + </Entry> + <Entry type="1" type_name="REG_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox\\RequestedLocales</Key> + <ValueName>**delvals.</ValueName> + <Value> </Value> + </Entry> + <Entry type="1" type_name="REG_SZ"> + 
<Key>Software\\Policies\\Mozilla\\Firefox\\RequestedLocales</Key> + <ValueName>1</ValueName> + <Value>de</Value> + </Entry> + <Entry type="1" type_name="REG_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox\\RequestedLocales</Key> + <ValueName>2</ValueName> + <Value>en-US</Value> + </Entry> + <Entry type="1" type_name="REG_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>SSLVersionMax</ValueName> + <Value>tls1.3</Value> + </Entry> + <Entry type="1" type_name="REG_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>SSLVersionMin</ValueName> + <Value>tls1.3</Value> + </Entry> + <Entry type="1" type_name="REG_SZ"> + <Key>Software\\Policies\\Mozilla\\Firefox</Key> + <ValueName>SearchBar</ValueName> + <Value>unified</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox\\Authentication</Key> + <ValueName>Locked</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox\\Authentication</Key> + <ValueName>PrivateBrowsing</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox\\Authentication\\AllowNonFQDN</Key> + <ValueName>NTLM</ValueName> + <Value>1</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\\Policies\\Mozilla\\Firefox\\Authentication\\AllowNonFQDN</Key> + <ValueName>SPNEGO</ValueName> -- Samba Shared Repository