win_lgpo - additional delvals fixes and string value fix #56569

Merged
merged 8 commits into from
Oct 7, 2020
Merged
46 changes: 39 additions & 7 deletions salt/modules/win_lgpo.py
@@ -92,11 +92,13 @@
TEXT_ELEMENT_XPATH = None

try:
import struct

import lxml
import win32net
import win32security
import lxml
import struct
from lxml import etree

from salt.utils.win_reg import Registry

HAS_WINDOWS_MODULES = True
@@ -5658,7 +5660,7 @@ def _getDataFromRegPolData(search_string, policy_data, return_value_name=False):
match.start() : (
policy_data.index("]".encode("utf-16-le"), match.end())
)
].split(encoded_semicolon)
].split(encoded_semicolon, 4)
if len(pol_entry) >= 2:
valueName = pol_entry[1].decode("utf-16-le").rstrip(chr(0))
if len(pol_entry) >= 5:
@@ -6790,6 +6792,23 @@ def _checkAllAdmxPolicies(
"explicitValue list, we will return value names"
)
return_value_name = True
regex_str = [
r"(?!\*",
r"\*",
"D",
"e",
"l",
"V",
"a",
"l",
"s",
r"\.",
")",
]
delvals_regex = "\x00".join(regex_str)
delvals_regex = salt.utils.stringutils.to_bytes(
delvals_regex
)
if _regexSearchRegPolData(
re.escape(
_processValueItem(
@@ -6801,9 +6820,7 @@ def _checkAllAdmxPolicies(
check_deleted=False,
)
)
+ salt.utils.stringutils.to_bytes(
r"(?!\*\*delvals\.)"
),
+ delvals_regex,
policy_file_data,
):
configured_value = _getDataFromRegPolData(
@@ -9100,6 +9117,21 @@ def _get_policy_adm_setting(
):
log.trace("explicitValue list, we will return value names")
return_value_name = True
regex_str = [
r"(?!\*",
r"\*",
"D",
"e",
"l",
"V",
"a",
"l",
"s",
r"\.",
")",
]
delvals_regex = "\x00".join(regex_str)
delvals_regex = salt.utils.stringutils.to_bytes(delvals_regex)
if _regexSearchRegPolData(
re.escape(
_processValueItem(
@@ -9111,7 +9143,7 @@ def _get_policy_adm_setting(
check_deleted=False,
)
)
+ salt.utils.stringutils.to_bytes(r"(?!\*\*delvals\.)"),
+ delvals_regex,
policy_data=policy_file_data,
):
configured_value = _getDataFromRegPolData(
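Review bot: In `_getDataFromRegPolData` the entry slice still ends at the first UTF-16-LE `]` found after the match (`policy_data.index("]".encode("utf-16-le"), match.end())`), so the new `split(encoded_semicolon, 4)` only protects data that contains a semicolon; data that contains the bytes of `]` would, as far as these lines show, be cut short before the split and come back truncated or empty for a policy that is actually set. Because this function feeds the reported policy state, a misread here can hide a configured setting from whatever audits the output. If the fourth field is the data length, as the five-field check suggests, slicing the data by that length would be more robust than searching for a delimiter; until then I would add a comment above the slice such as `# entry end is located by searching for "]"; data containing that byte pair is truncated`. The function body starts and ends outside the hunk.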
144 changes: 142 additions & 2 deletions tests/integration/modules/test_win_lgpo.py
@@ -157,10 +157,12 @@ def _testAdmxPolicy(
lgpo_function = "set_computer_policy"
lgpo_class = "/m"
lgpo_folder = "Machine"
lgpo_top_level = "Computer Configuration"
if policy_class.lower() == "user":
lgpo_function = "set_user_policy"
lgpo_class = "/u"
lgpo_folder = "User"
lgpo_top_level = "User Configuration"

ret = self.run_function(
"lgpo.{}".format(lgpo_function), (policy_name, policy_config)
@@ -189,6 +191,90 @@ def _testAdmxPolicy(
'"{}" not found in lgpo output:\n{}'
"".format(policy_name, expected_regex, lgpo_output),
)
# validate the lgpo also sees the right setting
this_policy_info = self.run_function(
"lgpo.get_policy_info",
(),
policy_name=policy_name,
policy_class=policy_class,
)
ret = self.run_function(
"lgpo.get", (), policy_class=policy_class, return_not_configured=True
)
self.assertTrue(
lgpo_top_level in ret, msg="lgpo did not return the expected entries"
)
found_policy = False
output_policy_name = None
if "policy_aliases" in this_policy_info:
for policy_alias in this_policy_info["policy_aliases"]:
if policy_alias in ret[lgpo_top_level]:
found_policy = True
output_policy_name = policy_alias
break
else:
found_policy = policy_name in ret[lgpo_top_level]
self.assertTrue(
found_policy, msg="The configured policy is not in the lgpo.get output"
)
if isinstance(policy_config, list):
for this_item in policy_config:
self.assertTrue(
this_item in ret[lgpo_top_level][output_policy_name],
msg="Item {} not found in policy configuration".format(
this_item
),
)
elif isinstance(policy_config, dict):
for this_item, this_val in policy_config.items():
item_correct = False
actual_val = None
if (
"policy_elements" in this_policy_info
and this_policy_info["policy_elements"]
):
for policy_element in this_policy_info["policy_elements"]:
if item_correct:
break
if (
"element_aliases" in policy_element
and policy_element["element_aliases"]
):
if this_item in policy_element["element_aliases"]:
for element_alias in policy_element[
"element_aliases"
]:
if (
element_alias
in ret[lgpo_top_level][output_policy_name]
):
actual_val = ret[lgpo_top_level][
output_policy_name
][element_alias]
if (
ret[lgpo_top_level][output_policy_name][
element_alias
]
== this_val
):
item_correct = True
break
self.assertTrue(
item_correct,
msg='Item "{}" does not have the expected value of "{}"{}'.format(
this_item,
this_val,
' value found: "{}"'.format(actual_val)
if actual_val
else "",
),
)
else:
self.assertEqual(
ret[lgpo_top_level][output_policy_name],
policy_config,
msg="lgpo did not return the expected value for the policy",
)
else:
# expecting it to fail
self.assertNotEqual(ret, True)
@@ -347,7 +433,6 @@ def test_set_computer_policy_RA_Unsolicit(self):
self._testAdmxPolicy(
"RA_Unsolicit",
{
"Configure Offer Remote Access": "Enabled",
"Permit remote control of this computer": "Allow helpers to remotely control the computer",
"Helpers": ["administrators", "user1"],
},
@@ -669,7 +754,6 @@ def test_set_computer_policy_multipleAdmxPolicies(self):
self._testAdmxPolicy(
"RA_Unsolicit",
{
"Configure Offer Remote Access": "Enabled",
"Permit remote control of this computer": "Allow helpers to remotely control the computer",
"Helpers": ["administrators", "user1"],
},
@@ -979,6 +1063,62 @@ def test_set_computer_policy_ScRemoveOption(self):
False,
)

@destructiveTest
def test_set_sxs_servicing_policy(self):
"""
Test setting/unsetting/changing sxs-servicing policy
"""

# Disable sxs-servicing
log.debug("Attempting to disable sxs-servicing")
self._testAdmxPolicy(
"Specify settings for optional component installation and component repair",
"Disabled",
[
r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*LocalSourcePath[\s]*DELETE",
r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*UseWindowsUpdate[\s]*DELETE",
r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*RepairContentServerSource[\s]*DELETE",
],
)
# configure sxs-servicing
log.debug("Attempting to enable sxs-servicing")
self._testAdmxPolicy(
"Specify settings for optional component installation and component repair",
{
"Alternate source file path": "",
"Never attempt to download payload from Windows Update": True,
"CheckBox_SidestepWSUS": False,
},
[
r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*LocalSourcePath[\s]*EXSZ:",
r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*UseWindowsUpdate[\s]*DWORD:2",
r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*RepairContentServerSource[\s]*DELETE",
],
)
log.debug("Attempting to set different values on sxs-servicing")
self._testAdmxPolicy(
"Specify settings for optional component installation and component repair",
{
"Alternate source file path": r"\\some\fake\server",
"Never attempt to download payload from Windows Update": True,
"CheckBox_SidestepWSUS": False,
},
[
r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*LocalSourcePath[\s]*EXSZ:\\\\\\\\some\\\\fake\\\\server",
r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*UseWindowsUpdate[\s]*DWORD:2",
r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*RepairContentServerSource[\s]*DELETE",
],
)
# Not Configure sxs-servicing
log.debug("Attempting to set sxs-servicing to Not Configured")
self._testAdmxPolicy(
"Specify settings for optional component installation and component repair",
"Not Configured",
[
r"; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
],
)

def tearDown(self):
"""
tearDown method, runs after each test
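Review bot: In the new validation block of `_testAdmxPolicy`, the `else:` after the alias loop sets `found_policy` from `policy_name in ret[lgpo_top_level]` but leaves `output_policy_name` as `None`, so the later `ret[lgpo_top_level][output_policy_name]` lookups would raise `KeyError` instead of failing an assertion whenever that path is taken. Adding `output_policy_name = policy_name` next to the `found_policy = ...` line in that branch would fix it (indentation is lost in this rendering, so which statement the `else:` pairs with is inferred; the name stays unset either way). Separately, `if actual_val` drops the "value found" text for falsy values such as `False` or `""`, and `if actual_val is not None` would keep it. `_testAdmxPolicy` starts outside the hunk.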