1 files changed, 115 insertions, 0 deletions

diff --git a/python/samba/gp/vgp_openssh_ext.py b/python/samba/gp/vgp_openssh_ext.py
new file mode 100644
index 0000000..6e0ab77
--- /dev/null
+++ b/python/samba/gp/vgp_openssh_ext.py
@@ -0,0 +1,115 @@
+# vgp_openssh_ext samba group policy
+# Copyright (C) David Mulder <dmulder@suse.com> 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import re
+from io import BytesIO
+from samba.gp.gpclass import gp_xml_ext, gp_file_applier
+from samba.common import get_bytes
+
+intro = b'''
+### autogenerated by samba
+#
+# This file is generated by the vgp_openssh_ext Group Policy
+# Client Side Extension. To modify the contents of this file,
+# modify the appropriate Group Policy objects which apply
+# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
+#
+
+'''
+
+# For each key value pair in sshd_config, the first obtained value will be
+# used. We must insert config files in reverse, so that the last applied policy
+# takes precedence.
+def select_next_conf(directory):
+    configs = [re.match(r'(\d+)', f) for f in os.listdir(directory)]
+    conf_ids = [int(m.group(1)) for m in configs if m]
+    conf_ids.append(9000000000) # The starting node
+    conf_id = min(conf_ids)-1
+    return os.path.join(directory, '%010d_gp.conf' % conf_id)
+
+class vgp_openssh_ext(gp_xml_ext, gp_file_applier):
+    def __str__(self):
+        return 'VGP/Unix Settings/OpenSSH'
+
+    def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
+            cfg_dir='/etc/ssh/sshd_config.d'):
+        for guid, settings in deleted_gpo_list:
+            if str(self) in settings:
+                for attribute, sshd_config in settings[str(self)].items():
+                    self.unapply(guid, attribute, sshd_config)
+
+        for gpo in changed_gpo_list:
+            if gpo.file_sys_path:
+                xml = 'MACHINE/VGP/VTLA/SshCfg/SshD/manifest.xml'
+                path = os.path.join(gpo.file_sys_path, xml)
+                xml_conf = self.parse(path)
+                if not xml_conf:
+                    continue
+                policy = xml_conf.find('policysetting')
+                data = policy.find('data')
+                configfile = data.find('configfile')
+                for configsection in configfile.findall('configsection'):
+                    if configsection.find('sectionname').text:
+                        continue
+                    settings = {}
+                    for kv in configsection.findall('keyvaluepair'):
+                        settings[kv.find('key')] = kv.find('value')
+                    raw = BytesIO()
+                    for k, v in settings.items():
+                        raw.write(b'%s %s\n' %
+                                  (get_bytes(k.text), get_bytes(v.text)))
+                    # Each GPO applies only one set of OpenSSH settings, in a
+                    # single file, so the attribute does not need uniqueness.
+                    attribute = self.generate_attribute(gpo.name)
+                    # The value hash is generated from the raw data we will
+                    # write to the OpenSSH settings file, ensuring any changes
+                    # to this GPO will cause the file to be rewritten.
+                    value_hash = self.generate_value_hash(raw.getvalue())
+                    if not os.path.isdir(cfg_dir):
+                        os.mkdir(cfg_dir, 0o640)
+                    def applier_func(cfg_dir, raw):
+                        filename = select_next_conf(cfg_dir)
+                        f = open(filename, 'wb')
+                        f.write(intro)
+                        f.write(raw.getvalue())
+                        os.chmod(filename, 0o640)
+                        f.close()
+                        return [filename]
+                    self.apply(gpo.name, attribute, value_hash, applier_func,
+                               cfg_dir, raw)
+                    raw.close()
+
+    def rsop(self, gpo):
+        output = {}
+        if gpo.file_sys_path:
+            xml = 'MACHINE/VGP/VTLA/SshCfg/SshD/manifest.xml'
+            path = os.path.join(gpo.file_sys_path, xml)
+            xml_conf = self.parse(path)
+            if not xml_conf:
+                return output
+            policy = xml_conf.find('policysetting')
+            data = policy.find('data')
+            configfile = data.find('configfile')
+            for configsection in configfile.findall('configsection'):
+                if configsection.find('sectionname').text:
+                    continue
+                for kv in configsection.findall('keyvaluepair'):
+                    if str(self) not in output.keys():
+                        output[str(self)] = {}
+                    output[str(self)][kv.find('key').text] = \
+                        kv.find('value').text
+        return output