a W×aíNã@s.ddlZddlZddlZddlZej dd¡ddlmZddlm Z ddlm Z ddlm Z ddl m Z mZddlmmZddlZddlmZdd lmZdd lmZdd lmZddlmZdd lmZdd l m!Z!ddl"m#Z#ddlm$Z$ddlm%Z%ddl&m'Z'm(Z(zddl)m*Z*e*ddƒZ+Wn"e,yLGdd„dƒZ+Yn0Gdd„dƒZ-Gdd„dƒZ.Gdd„de/ƒZ0Gdd„de/ƒZ1Gdd„de0ƒZ2Gd d!„d!e0ƒZ3d"d#„Z4d$d%„Z5d&d'„Z6d(d)„Z7d*d+„Z8d,d-„Z9d.d/„Z:dBd1d2„Z;d3d4„Zd9d:„Z?dCdd?„ZAdEd@dA„ZBdS)FéNz bin/python)Ú NTSTATUSError)Ú ConfigParser)ÚStringIO)Ú get_bytes)ÚABCMetaÚabstractmethod)ÚNet)Únbt)Úlibsmb_samba_internal)Úparam)ÚLoadParm)ÚUUID)ÚNamedTemporaryFile)Úpreg)Úmisc)Úndr_packÚ ndr_unpack)ÚEnumÚGPOSTATEzAPPLY ENFORCE UNAPPLYc@seZdZdZdZdZdS)réééN)Ú__name__Ú __module__Ú __qualname__ÚAPPLYÚENFORCEÚUNAPPLY©rrú//usr/lib/python3/dist-packages/samba/gpclass.pyr.sc@sZeZdZdZddd„Zdd„Zdd„Zd d „Zd d „Zd d„Z dd„Z dd„Z dd„Z dS)Úgp_loga[ Log settings overwritten by gpo apply The gp_log is an xml file that stores a history of gpo changes (and the original setting value). The log is organized like so: -864000000000 -36288000000000 7 1 1d 300 Each guid value contains a list of extensions, which contain a list of attributes. The guid value represents a GPO. The attributes are the values of those settings prior to the application of the GPO. The list of guids is enclosed within a user name, which represents the user the settings were applied to. This user may be the samaccountname of the local computer, which implies that these are machine policies. The applylog keeps track of the order in which the GPOs were applied, so that they can be rolled back in reverse, returning the machine to the state prior to policy application. NcCsltj|_||_||_|r&t |¡|_n t d¡|_||_ |j  d|¡}|durht  |jd¡}||j d<dS)ag Initialize the gp_log param user - the username (or machine name) that policies are being applied to param gpostore - the GPOStorage obj which references the tdb which contains gp_logs param db_log - (optional) a string to initialize the gp_log Zgpúuser[@name="%s"]NÚuserÚname) rrÚ_stateÚgpostoreÚusernameÚetreeZ fromstringÚgpdbZElementr"ÚfindÚ SubElementÚattrib)Úselfr"r%Zdb_logÚuser_objrrrÚ__init__Zs zgp_log.__init__cCsV|tjkrL|j d|j¡}| d¡}|dus:t|ƒdkrDtj|_qR||_n||_dS)a( Policy application state param value - APPLY, ENFORCE, or UNAPPLY The behavior of the gp_log depends on whether we are applying policy, enforcing policy, or unapplying policy. During an apply, old settings are recorded in the log. During an enforce, settings are being applied but the gp_log does not change. During an unapply, additions to the log should be ignored (since function calls to apply settings are actually reverting policy), but removals from the log are allowed. r!ÚapplylogNr)rrr(r)r"Úlenrr$)r,Úvaluer-Ú apply_logrrrÚstateos   z gp_log.statecCs´||_|j d|j¡}| d|¡}|durDt |d¡}||jd<|jtj kr°| d¡}|durnt |d¡}| d|¡}|dur°t |d¡}dt |ƒd|jd <||jd<dS) z˜ Log to a different GPO guid param guid - guid value of the GPO from which we're applying policy r!úguid[@value="%s"]NÚguidr1r/z%drÚcount) r5r(r)r"r'r*r+r$rrr0)r,r5r-Úobjr2ÚprevÚitemrrrÚset_guid…s      zgp_log.set_guidcCs°|jtjks|jtjkrdS|j d|j¡}| d|j¡}|dusNJdƒ‚| d|¡}|durzt  |d¡}||j d<| d|¡}|dur¬t  |d ¡}||j d<||_ dS) a Store an attribute in the gp_log param gp_ext_name - Name of the extension applying policy param attribute - The attribute being modified param old_val - The value of the attribute prior to policy application Nr!r4úgpo guid was not setúgp_ext[@name="%s"]Úgp_extr#úattribute[@name="%s"]Ú attribute) r$rrrr(r)r"r5r'r*r+Útext)r,Ú gp_ext_namer?Zold_valr-Úguid_objÚextÚattrrrrÚstorešs    z gp_log.storecCsh|j d|j¡}| d|j¡}|dus2Jdƒ‚| d|¡}|durd| d|¡}|durd|jSdS)a- Retrieve a stored attribute from the gp_log param gp_ext_name - Name of the extension which applied policy param attribute - The attribute being retrieved return - The value of the attribute prior to policy application r!r4Nr;r<r>)r(r)r"r5r@©r,rAr?r-rBrCrDrrrÚretrieve°szgp_log.retrievecCslg}|j d|j¡}|durh| d¡}|durh| d¡}dd„|Dƒ}|jdd| d d „|Dƒ¡|S) z© Return a list of applied ext guids return - List of guids for gpos that have applied settings to the system. r!Nr/z guid[@count]cSs g|]}| d¡| d¡f‘qS)r6r1)Úget)Ú.0ÚgrrrÚ Ìsÿz,gp_log.get_applied_guids..T)Úreversecss|]\}}|VqdS©Nr)rIr6r5rrrÚ Ïóz+gp_log.get_applied_guids..)r(r)r"ÚfindallÚsortÚextend)r,Úguidsr-r2Z guid_objsZguids_by_countrrrÚget_applied_guidsÁs  ÿ zgp_log.get_applied_guidsc CsŽg}|j d|j¡}|D]n}| d|¡}| d¡}i}|D]:}i} | d¡} | D]} | j| | jd<qT| ||jd<q>| ||f¡q|S)ai Return a list of applied ext guids return - List of tuples containing the guid of a gpo, then a dictionary of policies and their values prior policy application. These are sorted so that the most recently applied settings are removed first. r!r4r=r?r#)r(r)r"rPr@r+Úappend) r,rSZretr-r5Z guid_settingsZextsZsettingsrCZ attr_dictÚattrsrDrrrÚget_applied_settingsÒs  zgp_log.get_applied_settingscCs‚|j d|j¡}| d|j¡}|dus2Jdƒ‚| d|¡}|dur~| d|¡}|dur~| |¡t|ƒdkr~| |¡dS)zÐ Remove an attribute from the gp_log param gp_ext_name - name of extension from which to remove the attribute param attribute - attribute to remove r!r4Nr;r<r>r)r(r)r"r5Úremover0rFrrrÚdeleteès  z gp_log.deletecCs|j |jt |jd¡¡dS)z Write gp_log changes to disk zutf-8N)r%rEr&r'Ztostringr(©r,rrrÚcommitùsz gp_log.commit)N) rrrÚ__doc__r.r3r:rErGrTrWrYr[rrrrr 4s% r c@s\eZdZdd„Zdd„Zdd„Zdd„Zd d „Zd d „Zd d„Z dd„Z dd„Z dd„Z dS)Ú GPOStoragecCs:tj |¡rt |¡|_nt |dtjtjtj B¡|_dS)Nr) ÚosÚpathÚisfileÚtdbÚopenÚlogZTdbZDEFAULTÚO_CREATÚO_RDWR)r,Zlog_filerrrr.ÿs zGPOStorage.__init__cCs|j ¡dSrM)rcZtransaction_startrZrrrÚstartszGPOStorage.startcCs0zt|j t|ƒ¡ƒWSty*YdS0dSrM)ÚintrcrHrÚ TypeError©r,ÚkeyrrrÚget_ints zGPOStorage.get_intcCs|j t|ƒ¡SrM)rcrHrrirrrrHszGPOStorage.getcCst|||j t|ƒ¡ƒSrM)r rcrHr)r,r"rrrÚ get_gplogszGPOStorage.get_gplogcCs|j t|ƒt|ƒ¡dSrM)rcrEr)r,rjÚvalrrrrEszGPOStorage.storecCs|j ¡dSrM)rcZtransaction_cancelrZrrrÚcancelszGPOStorage.cancelcCs|j t|ƒ¡dSrM)rcrYrrirrrrYszGPOStorage.deletecCs|j ¡dSrM)rcZtransaction_commitrZrrrr[szGPOStorage.commitcCs|j ¡dSrM)rcÚcloserZrrrÚ__del__ szGPOStorage.__del__N) rrrr.rfrkrHrlrErnrYr[rprrrrr]þsr]c@sDeZdZeZdd„Zedd„ƒZedd„ƒZdd„Z ed d „ƒZ d S) r=cCs&||_||_||_| | ¡¡|_dSrM)ÚloggerÚlpÚcredsrlÚ get_usernameÚgp_db)r,rqrrrsrErrrr.'szgp_ext.__init__cCsdSrMr)r,Zdeleted_gpo_listZchanged_gpo_listrrrÚprocess_group_policy-szgp_ext.process_group_policycCsdSrMr)r,ÚpolicyrrrÚread1sz gp_ext.readcCs<|j d¡}tj |t|ƒ ¡¡}tj |¡r8| |¡SdS)NÚ gpo_cache) rrÚ cache_pathr^r_ÚjoinÚcheck_safe_pathÚupperÚexistsrx)r,ZafileZ local_pathÚ data_filerrrÚparse5s    z gp_ext.parsecCsdSrMrrZrrrÚ__str__<szgp_ext.__str__N) rrrrÚ __metaclass__r.rrvrxr€rrrrrr=$s  r=c@sHeZdZeZdd„Zdd„Zdd„Zedd„ƒZ d d „Z ed d „ƒZ d S)Ú gp_ext_settercCs(||_||_||_||_||_||_dSrM)rqr?rmrrrsru)r,rqrurrrsr?rmrrrr.Ds zgp_ext_setter.__init__cCs|jSrM)rmrZrrrÚexplicitLszgp_ext_setter.explicitcCs"| ¡ |j¡\}}||ƒƒdSrM)ÚmapperrHr?)r,Úupd_samr1rrrÚ update_sambaOszgp_ext_setter.update_sambacCsdSrMrrZrrrr…Sszgp_ext_setter.mappercCs"| ¡ |j¡\}}||jƒdSrM)r…rHr?rm)r,r†Ú_rrrrYWszgp_ext_setter.deletecCsdSrMrrZrrrr[szgp_ext_setter.__str__N) rrrrr‚r.r„r‡rr…rYrrrrrrƒAs rƒc@seZdZdd„ZdS)Ú gp_inf_extc CsRt|dƒ ¡}tƒ}t|_z| t|ƒ¡Wn | t| d¡ƒ¡Yn0|S)NÚrzutf-16)rbrxrÚstrZ optionxformZreadfprÚdecode)r,rrwZinf_confrrrrxaszgp_inf_ext.readN©rrrrxrrrrr‰`sr‰c@seZdZdd„ZdS)Ú gp_pol_extcCst|dƒ ¡}ttj|ƒS)NÚrb)rbrxrrÚfile)r,rÚrawrrrrxmszgp_pol_ext.readNrrrrrrŽlsrŽcCs.t||d}|j| d¡tjtjBd}|jS)N)rsrrZrealm)ZdomainÚflags)rZfinddcrHr ZNBT_SERVER_LDAPZ NBT_SERVER_DSZ pdc_dns_name)rsrrZnetZ cldap_retrrrÚget_dc_hostnameus  ÿr“cCs,g}t |||¡}| ¡r(| | ¡¡}|SrM)ÚgpoZ ADS_STRUCTZconnectÚ get_gpo_listrt)Ú dc_hostnamersrrÚgposZadsrrrr•s r•c Csü| ¡}tj ||¡}ztj|ddWn2tyZ}z|jtjkrF‚WYd}~n d}~00| |¡D]}|dt j @r”t ||tj ||d¡ƒqf|d ¡}t d|d}tj ||d¡  dd¡} | | | ¡¡| ¡t |jtj ||¡¡qfdS) Nií)Úmoder+r#F)rYÚdirú/ú\)r}r^r_r{ÚmakedirsÚOSErrorÚerrnoZEEXISTÚlistÚlibsmbÚFILE_ATTRIBUTE_DIRECTORYÚ cache_gpo_dirrÚreplaceÚwriteZloadfileroÚrenamer#) ÚconnÚcacheZsub_dirZ loc_sub_dirZ local_dirÚeZfdataZ local_nameÚfÚfnamerrrr¢‡s    r¢cCsJt d|¡}d|vr*|| d¡dd…}d|vr>tjj|ŽSt|ƒ‚dS)Nz/|\\Úsysvolrz..)ÚreÚsplitÚindexr^r_r{r)r_Údirsrrrr|›s   r|cCsZt ¡}| |j¡tj|d||dd}| d¡}|D]}|jsBq6t||t |jƒƒq6dS)Nr«T)rrrsZsignry) Ús3paramZ get_contextÚloadZ configfiler ZConnrzÚ file_sys_pathr¢r|)r–rrrsr—Zs3_lpr¦rzr”rrrÚcheck_refresh_gpo_list¤s  r³cs6| ¡}tdd„|Dƒƒ‰‡fdd„|Dƒ}| |¡S)NcSsg|] }|j‘qSr)r#)rIÚprrrrK²rOz)get_deleted_gpos_list..csg|]}|ˆvr|‘qSrr)rIr5©Z current_guidsrrrK³rO)rTÚsetrW)rur—Z applied_gposZ deleted_gposrrµrÚget_deleted_gpos_list°sr·cCs&| tj d|¡¡}tt |¡dƒS)Nryr)rzr^r_r{rgr”Zgpo_get_sysvol_gpt_version)rrr_Zgpt_pathrrrÚ gpo_version¶sr¸Fc Cs¦| | ¡¡}t||ƒ}t|||ƒ}t||ƒ} zt||||ƒWn| d|¡YdS0|rt|} | tj ¡nfg} |D]P} | j sˆq|| j } t | j ƒ  ¡} t|| ƒ}|| | ¡kr|| d| ¡|  | ¡q|| tj¡| ¡|D]l}z| | | ¡WqætyP}z<| dt|ƒ¡| dt|ƒ¡WYd}~qæWYd}~qæd}~00qæ|D]@} | j shqX| j } t | j ƒ  ¡} t|| ƒ}| | d|¡qX| ¡dS)Nz0Failed downloading gpt cache from '%s' using SMBzGPO %s has changedzFailed to apply extension %sú Message was: z%i)rlrtr“r•r·r³Úerrorr3rrr²r#r|r}r¸rkÚinforUrrfrvÚ Exceptionr‹rEr[)rrrsrqrEÚ gp_extensionsZforcerur–r—Údel_gposZ changed_gposZgpo_objr5r_ÚversionrCr¨rrrÚapply_gp½sR   ÿ   $ rÀc Cs¬| | ¡¡}| tj¡| | ¡¡}| ¡|D]j}z| |g¡Wq4t yœ}z<|  dt |ƒ¡|  dt |ƒ¡WYd}~q4WYd}~q4d}~00q4|  ¡dS)NzFailed to unapply extension %sr¹) rlrtr3rrrWrTrfrvr¼rºr‹r[) rrrsrqrEr½rur¾rCr¨rrrÚ unapply_gpës $rÁcCsDtƒ}|dur| |¡n| ¡| d¡}tƒ}| |¡||fS)Nú gpext.conf)r r±Z load_defaultÚ state_pathrrx)Úsmb_confrrÚext_confÚparserrrrÚparse_gpext_confûs   rÇcCs\| d¡}tddtj |¡d(}| |¡t |j|¡Wdƒn1sN0YdS)NrÂzw+F)r˜rYr™)rÃrr^r_Údirnamer¤r¥r#)rrrÆrÅr©rrrÚatomic_write_confs  rÉcCsR|ddks$|ddks$t|ƒdkr(dSzt|ddWntyLYdS0d S) Nrú{éÿÿÿÿú}é&Fé)r¿T)r0r Ú ValueError)r5rrrÚ check_guids$ rÐTcCs”tj |¡sdSt|ƒsdSt|ƒ\}}|| ¡vr>| |¡| |d|¡| |d|¡| |d|rjdnd¡| |d|r€dnd¡t||ƒdS) NFÚDllNameÚProcessGroupPolicyÚNoMachinePolicyÚ0Ú1Ú NoUserPolicyT) r^r_r~rÐrÇÚsectionsZ add_sectionr¶rÉ)r5r#r_rÄÚmachiner"rrrÆrrrÚregister_gp_extensions     rÙcCs†t|ƒ\}}i}| ¡D]h}i||<| |d¡||d<| |d¡||d<t| |d¡ƒ ||d<t| |d¡ƒ ||d<q|S)NrÑrÒrÓZ MachinePolicyrÖZ UserPolicy)rÇr×rHrg)rÄrˆrÆZresultsr5rrrÚlist_gp_extensions.s   ÿ ÿ rÚcCs<t|ƒs dSt|ƒ\}}|| ¡vr.| |¡t||ƒdS)NFT)rÐrÇr×Zremove_sectionrÉ)r5rÄrrrÆrrrÚunregister_gp_extension<s    rÛ)F)NTT)N)N)CÚsysr^ržrar_ÚinsertZsambarZ samba.compatrrrÚabcrrZxml.etree.ElementTreer'Z ElementTreer¬Z samba.netrZ samba.dcerpcr Z samba.samba3r r r r°Z samba.gpor”Z samba.paramr Zuuidr ZtempfilerrrZ samba.ndrrrÚenumrrÚ ImportErrorr r]Úobjectr=rƒr‰rŽr“r•r¢r|r³r·r¸rÀrÁrÇrÉrÐrÙrÚrÛrrrrÚsd               K&      .  ÿ