Implement certificate policy manager for machines #745
Commits on Jul 31, 2023
Commit 61d1100: Hack to allow propagation of Microsoft GPO entries

The certificate policy manager is configured via the Windows GPO entries instead of our custom ADMX/ADML counterpart. We were already able to parse these entries but we were excluding them as they didn't start with our Ubuntu-specific prefix. The easiest way to make this work is to add the Ubuntu prefix to the keys that we want to use in our certificate policy manager.
Commit c5f50a6: Pass backend object to policies.NewManager

We will need to know both the domain and online status of the backend for the certificate policy manager. Since the backend object contains both of these, pass it along when creating the policy manager object.
Commit 0f4d632: Add certificate policy manager

This manager leverages the Samba implementation of certificate autoenrollment. It contains a few patches and fixes on top of the samba#master version of the `gp_cert_auto_enroll_ext.py` file, which will ultimately be upstreamed.

Autoenrollment is performed via a separate policy manager that runs a helper Python script (`cert-autoenroll`) which communicates with the Windows CEP/CES services through Samba. For better control and to avoid unexpected behavior we vendor the required Samba files, which are confirmed to work on all Ubuntu versions starting with (and including) Jammy (22.04).

Samba has its own cache mechanism which stores information concerning the applied GPOs, which we use in order to ensure idempotency. By default, Samba would parse the .reg file itself (see the process_group_policy method from the vendored code). However, it is better to have this functionality entirely within adsys so we can provide Samba with the pre-parsed list of GPO entries and override the entry point of the extension. This ensures we don't operate on disk files which can change at any time (even during adsys policy application). By doing this we also have better knowledge of the enabled/disabled state of the GPO entry used to configure the policy.

The advanced configuration entries are passed via JSON to the external script, which then takes care of creating the proper PReg entries that can be used by Samba to apply additional logic when determining the policy servers to use.

Fixes UDENG-1056
Commit 4ff12e1
Commit 170bcfd: Add CLI command to dump certificate enroll script

Similar to the adsys-gpolist, provide a way for users to dump the certificate autoenrollment script for debugging purposes.
Commit af7aca4: Match Samba permissions when creating directories

The Samba implementation creates the private directory with 0700 permissions and uses 0755 for the rest. We should honor that in our implementation as well. Additionally, create the global trust dir on the off chance it doesn't already exist.
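The permission rule in that commit message (private directory 0700, everything else 0755, and creating a directory that may already exist) is easy to get subtly wrong with `os.MkdirAll` alone, because it honours the process umask and leaves a pre-existing directory's mode untouched. The Go program below is an added example written for this page, not adsys's own code; the directory names `private`, `certs` and `global-trust` are assumptions for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Permissions matching the Samba autoenrollment implementation described in
// the commit above: the private directory is 0700, every other directory 0755.
const (
	privateDirMode os.FileMode = 0o700
	publicDirMode  os.FileMode = 0o755
)

// ensureDir creates dir (and any parents) if missing and then enforces mode
// explicitly. os.MkdirAll alone is not enough: it applies the process umask
// and silently keeps whatever mode a pre-existing directory already had.
func ensureDir(dir string, mode os.FileMode) error {
	if err := os.MkdirAll(dir, mode); err != nil {
		return fmt.Errorf("creating %s: %w", dir, err)
	}
	if err := os.Chmod(dir, mode); err != nil {
		return fmt.Errorf("setting mode on %s: %w", dir, err)
	}
	return nil
}

// certDirs lists the directories an enrollment needs under root. The names
// are assumptions for this example, not adsys's real on-disk layout.
func certDirs(root string) map[string]os.FileMode {
	return map[string]os.FileMode{
		filepath.Join(root, "private"):      privateDirMode, // private keys: owner only
		filepath.Join(root, "certs"):        publicDirMode,
		filepath.Join(root, "global-trust"): publicDirMode, // may already exist; harmless
	}
}

// ensureCertDirs creates every directory with its expected mode. It is
// idempotent: running it twice, or against a directory that already exists
// with looser permissions, yields the same final state.
func ensureCertDirs(root string) error {
	for dir, mode := range certDirs(root) {
		if err := ensureDir(dir, mode); err != nil {
			return err
		}
	}
	return nil
}

// dirMode returns the permission bits of dir so the result can be verified.
func dirMode(dir string) (os.FileMode, error) {
	fi, err := os.Stat(dir)
	if err != nil {
		return 0, err
	}
	if !fi.IsDir() {
		return 0, fmt.Errorf("%s is not a directory", dir)
	}
	return fi.Mode().Perm(), nil
}

func main() {
	root, err := os.MkdirTemp("", "certdirs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := ensureCertDirs(root); err != nil {
		panic(err)
	}
	for dir := range certDirs(root) {
		m, _ := dirMode(dir)
		fmt.Printf("%s %o\n", dir, m)
	}
}
```

The explicit `os.Chmod` after `os.MkdirAll` is the point: it tightens a private directory that someone created earlier with 0755, and it makes the result independent of whatever umask the policy-apply process inherited.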
Commit 2c1cfcc
Commit b49fcd0: Write Samba cache file to a specific directory

And change the naming from stateDir to sambaCacheDir to better reflect what the path is used for.
Commit 7c810ff: Unenroll machine if cert policy is not configured

Similar to our other policy manager behaviors, if the certificate policy is either disabled or not configured, unenroll the machine if applicable. To avoid running the helper Python script on every policy apply, determine if we actually need to unenroll by checking the existence of the Samba cache directory. Additionally, update the Python script to remove the directory after unenrollment is successful.
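The decision logic in that commit (run the helper only when the policy is enabled, or when it is disabled/not configured and the Samba cache directory still exists) is shown below as an added Go example written for this page; it is not adsys's code. The `PolicyState` type, the `Helper` function type and `fakeHelper` are assumptions standing in for the real GPO entry state and the `cert-autoenroll` script.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// PolicyState mirrors the three states a GPO entry can be in.
type PolicyState int

const (
	PolicyNotConfigured PolicyState = iota
	PolicyDisabled
	PolicyEnabled
)

// Helper abstracts the external cert-autoenroll script. The real helper is a
// Python script; here it is a function so the decision logic can be run alone.
type Helper func(action string) error

// isEnrolled reports whether the Samba cache directory exists, the cheap
// signal the commit above uses to tell that a previous enrollment happened.
func isEnrolled(sambaCacheDir string) (bool, error) {
	fi, err := os.Stat(sambaCacheDir)
	if errors.Is(err, os.ErrNotExist) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	if !fi.IsDir() {
		return false, fmt.Errorf("%s exists but is not a directory", sambaCacheDir)
	}
	return true, nil
}

// applyCertPolicy decides whether the helper needs to run at all. It returns
// the action taken ("enroll", "unenroll" or "" for nothing) so callers can
// check it.
func applyCertPolicy(state PolicyState, sambaCacheDir string, run Helper) (string, error) {
	if state == PolicyEnabled {
		if err := run("enroll"); err != nil {
			return "", err
		}
		return "enroll", nil
	}
	// Disabled or not configured: only pay for the helper if there is
	// something to undo.
	enrolled, err := isEnrolled(sambaCacheDir)
	if err != nil {
		return "", err
	}
	if !enrolled {
		return "", nil
	}
	if err := run("unenroll"); err != nil {
		return "", err
	}
	return "unenroll", nil
}

// fakeHelper stands in for cert-autoenroll: enroll creates the cache
// directory, unenroll removes it, as the commit says the script does after a
// successful unenrollment. calls records every invocation.
func fakeHelper(sambaCacheDir string, calls *[]string) Helper {
	return func(action string) error {
		*calls = append(*calls, action)
		switch action {
		case "enroll":
			return os.MkdirAll(sambaCacheDir, 0o700)
		case "unenroll":
			return os.RemoveAll(sambaCacheDir)
		}
		return fmt.Errorf("unknown action %q", action)
	}
}

func main() {
	cache := filepath.Join(os.TempDir(), "example-samba-cache")
	defer os.RemoveAll(cache)
	var calls []string
	h := fakeHelper(cache, &calls)
	for _, st := range []PolicyState{PolicyEnabled, PolicyDisabled, PolicyNotConfigured} {
		action, err := applyCertPolicy(st, cache, h)
		fmt.Printf("state=%d action=%q err=%v\n", st, action, err)
	}
	fmt.Println("helper invocations:", calls)
}
```

Because the script deletes the cache directory on successful unenrollment, the second disabled/not-configured apply finds nothing to undo and never spawns the helper, which is what keeps repeated policy applications cheap.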
Commit 7857337
Commit 3eb2769: Disable parallel testing for autoenroll script

Because Python coverage can't be parallelized, avoid running these tests in parallel.
Commit 9b0f22c
Commit 1a7be22