
Issue 796186

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug




authpolicy: Implement loopback processing

Project Member Reported by ljusten@chromium.org, Dec 19 2017

Issue description

Basically read user policy from machine GPOs. Also move preg_parser and registry_dict into authpolicy and out of libchrome while we're at it; that will make it easier to iterate.

https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/
 
EstimatedDays: ----
Status: Started (was: Assigned)
Labels: M-66
Project Member

Comment 4 by bugdroid1@chromium.org, Jan 25 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/system_api/+/9ea924a2ea937f9cd5fd3cdef952017ff4dbb794

commit 9ea924a2ea937f9cd5fd3cdef952017ff4dbb794
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Jan 25 04:24:21 2018

authpolicy: Add ERROR_NO_WINDOWS_POLICY

CL:876124 adds user policy loopback processing, which now requires the
availability of Windows policy during user policy fetch. If this is
missing (user policy fetched before device policy, disk file
corruption), user policy fetch errors out for security reasons and
returns ERROR_NO_WINDOWS_POLICY.

CQ-DEPEND=CL:876124

BUG= chromium:796186 
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy
      Tested by setting loopback_processing on AD server and verified
      policies get merged as expected.

Change-Id: I3ea484127560784b8639eac9f8cf7f33e1a6b4c2
Reviewed-on: https://chromium-review.googlesource.com/877939
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/9ea924a2ea937f9cd5fd3cdef952017ff4dbb794/dbus/authpolicy/active_directory_info.proto

Project Member

Comment 5 by bugdroid1@chromium.org, Jan 25 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/dd04d7ecea979e18bf99bd11f90e70756cb3d426

commit dd04d7ecea979e18bf99bd11f90e70756cb3d426
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Jan 25 04:24:20 2018

authpolicy: Implement loopback processing

Implements loopback processing, which allows Windows admins to specify
user policy in device GPOs to be merged with or to replace the normal
user policy in user GPOs. This feature emulates Windows behavior. Thus,
it is not controlled by a Chrome OS policy, but by the Windows policy
'UserPolicyMode' at registry key
  Software\\Policies\\Microsoft\\Windows\\System.
Therefore, this CL adds infrastructure to parse Windows policy into
a protobuf and store it locally in /var/lib/authpolicyd. In the future,
more Windows policies are likely to be added here, e.g. maximum machine
account password age for device password rotation (see chromium:777979).

Windows policy is fetched along with device policy right now
(UserPolicyMode is a device policy). This might change in the future if
Windows user policy is required. Also, since the user policy fetch now
depends on availability of Windows policy, device policy has to be
fetched before user policy. This happens during normal operation.
However, in case the Windows policy disk file is corrupted, user policy
fetch errors out until device policy is fetched. In this case, cached
user policy is used. This is done for security reasons since corrupted
Windows policy could otherwise cause wrong user policy.

CQ-DEPEND=CL:877939

BUG= chromium:796186 
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy
     Tested by setting loopback_processing on AD server and verified
     policies get merged as expected.

Change-Id: I25f0837acce27bdb6a2096e217e1eb78bfa8aca8
Reviewed-on: https://chromium-review.googlesource.com/876124
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/windows_policy_encoder.cc
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/windows_policy_manager_unittest.cc
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/windows_policy_manager.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/preg_policy_encoder.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/process_executor_unittest.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/path_service.cc
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/windows_policy_encoder.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/policy_encoder_helper.cc
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/windows_policy_encoder_unittest.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/policy_encoder_helper.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/preg_policy_writer.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/stub_common.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/samba_interface.cc
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/windows_policy_keys.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/authpolicy_parser_main.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/constants.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/authpolicy_flags_unittest.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/path_service.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/authpolicy.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/preg_policy_encoder.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/stub_net_main.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/proto/authpolicy_containers.proto
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/authpolicy.gyp
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/anonymizer_unittest.cc
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/windows_policy_keys.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/samba_interface.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/stub_common.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/preg_policy_writer.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/authpolicy.h
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/windows_policy_manager.h
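
The fail-closed loopback decision described in the two commit messages above, as an added C++ example that is not code from the authpolicy CLs. Only ERROR_NO_WINDOWS_POLICY and UserPolicyMode are names from the page; all other identifiers, the string-map policy representation and the sample values are constructed for illustration. The mode values (1 = merge, 2 = replace) and machine-wins precedence in merge mode follow Windows' loopback behavior, and treating an unknown mode as corrupt is an assumption of this example.

```cpp
#include <map>
#include <string>

// Only ERROR_NO_WINDOWS_POLICY and UserPolicyMode are names from the commit
// messages; every other identifier here is hypothetical.
enum ErrorType { ERROR_NONE, ERROR_NO_WINDOWS_POLICY };
// UserPolicyMode values as Windows defines them (0 or unset: loopback off).
enum { kLoopbackOff = 0, kLoopbackMerge = 1, kLoopbackReplace = 2 };
struct WindowsPolicy { int user_policy_mode; };
typedef std::map<std::string, std::string> PolicyMap;

// Computes effective user policy. |windows_policy| is nullptr when the stored
// Windows policy is missing or failed to parse. On error |out| is untouched,
// so the caller keeps whatever cached user policy it already holds.
ErrorType BuildUserPolicy(const WindowsPolicy* windows_policy,
                          const PolicyMap& user_gpo,
                          const PolicyMap& machine_gpo_user_part,
                          PolicyMap* out) {
  if (!windows_policy) return ERROR_NO_WINDOWS_POLICY;  // fail closed
  PolicyMap result;
  switch (windows_policy->user_policy_mode) {
    case kLoopbackOff: result = user_gpo; break;
    case kLoopbackReplace: result = machine_gpo_user_part; break;
    case kLoopbackMerge:
      // Windows merge mode: machine GPO values win on conflict.
      result = user_gpo;
      for (const auto& kv : machine_gpo_user_part) result[kv.first] = kv.second;
      break;
    default:
      // Assumption of this example: an unknown mode is treated as corrupt.
      return ERROR_NO_WINDOWS_POLICY;
  }
  *out = result;
  return ERROR_NONE;
}

// Runs BuildUserPolicy over constructed sample policy and returns one value.
std::string Demo(bool have_windows_policy, int mode, const std::string& key) {
  PolicyMap user = {{"HomepageLocation", "https://user.example"},
                    {"ShowHomeButton", "true"}};
  PolicyMap machine = {{"HomepageLocation", "https://kiosk.example"}};
  PolicyMap out = {{"HomepageLocation", "cached"}};  // stale cached policy
  WindowsPolicy wp = {mode};
  BuildUserPolicy(have_windows_policy ? &wp : nullptr, user, machine, &out);
  PolicyMap::const_iterator it = out.find(key);
  return it == out.end() ? "<unset>" : it->second;
}
```
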

Status: Fixed (was: Started)
Status: Verified (was: Fixed)
Marked verified based on the test results. Briefly tested in M66.0.3359.94 10452.52.0 beta pain for policies fetch with AD server without any issue.
