Basically read user policy from machine GPOs. Also move preg_parser and registry_dict into authpolicy and out of libchrome while we're at it, which will make it easier to iterate.

https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/system_api/+/9ea924a2ea937f9cd5fd3cdef952017ff4dbb794

commit 9ea924a2ea937f9cd5fd3cdef952017ff4dbb794
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Jan 25 04:24:21 2018

authpolicy: Add ERROR_NO_WINDOWS_POLICY

CL:876124 adds user policy loopback processing, which now requires the availability of Windows policy during user policy fetch. If this is missing (user policy fetched before device policy, disk file corruption), user policy fetch errors out for security reasons and returns ERROR_NO_WINDOWS_POLICY.

CQ-DEPEND=CL:876124
BUG= chromium:796186
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy
     Tested by setting loopback_processing on AD server and verified policies get merged as expected.

Change-Id: I3ea484127560784b8639eac9f8cf7f33e1a6b4c2
Reviewed-on: https://chromium-review.googlesource.com/877939
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/9ea924a2ea937f9cd5fd3cdef952017ff4dbb794/dbus/authpolicy/active_directory_info.proto
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/dd04d7ecea979e18bf99bd11f90e70756cb3d426

commit dd04d7ecea979e18bf99bd11f90e70756cb3d426
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Jan 25 04:24:20 2018

authpolicy: Implement loopback processing

Implements loopback processing, which allows Windows admins to specify user policy in device GPOs to be merged with or to replace the normal user policy in user GPOs. This feature emulates Windows behavior. Thus, it is not controlled by a Chrome OS policy, but by the Windows policy 'UserPolicyMode' at registry key Software\\Policies\\Microsoft\\Windows\\System.

Therefore, this CL adds infrastructure to parse Windows policy into a protobuf and store it locally in /var/lib/authpolicyd. In the future, more Windows policies are likely added here, e.g. maximum machine account password age for device password rotation (see chromium:777979).

Windows policy is fetched along with device policy right now (UserPolicyMode is a device policy). This might change in the future if Windows user policy is required.

Also, since the user policy fetch now depends on availability of Windows policy, device policy has to be fetched before user policy. This happens during normal operation. However, in case the Windows policy disk file is corrupted, user policy fetch errors out until device policy is fetched. In this case, cached user policy is used. This is done for security reasons since corrupted Windows policy could otherwise cause wrong user policy.

CQ-DEPEND=CL:877939
BUG= chromium:796186
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy
     Tested by setting loopback_processing on AD server and verified policies get merged as expected.

Change-Id: I25f0837acce27bdb6a2096e217e1eb78bfa8aca8
Reviewed-on: https://chromium-review.googlesource.com/876124
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/windows_policy_encoder.cc
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/windows_policy_manager_unittest.cc
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/windows_policy_manager.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/preg_policy_encoder.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/process_executor_unittest.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/path_service.cc
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/windows_policy_encoder.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/policy_encoder_helper.cc
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/windows_policy_encoder_unittest.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/policy_encoder_helper.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/preg_policy_writer.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/stub_common.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/samba_interface.cc
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/windows_policy_keys.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/authpolicy_parser_main.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/constants.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/authpolicy_flags_unittest.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/path_service.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/authpolicy.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/preg_policy_encoder.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/stub_net_main.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/proto/authpolicy_containers.proto
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/authpolicy.gyp
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/anonymizer_unittest.cc
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/windows_policy_keys.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/samba_interface.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/stub_common.cc
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/policy/preg_policy_writer.h
[modify] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/authpolicy.h
[add] https://crrev.com/dd04d7ecea979e18bf99bd11f90e70756cb3d426/authpolicy/windows_policy_manager.h
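The loopback behavior described in the commit message above, sketched as an added example that is not taken from the authpolicy sources. All type and function names are hypothetical, the numeric UserPolicyMode values follow the Windows setting (1 = merge, 2 = replace), and rejecting out-of-range values is an assumption of this example.

```cpp
#include <map>
#include <string>

// Hypothetical names throughout; this is not authpolicy's own code.
using PolicyMap = std::map<std::string, std::string>;

// Stored Windows policy. Only 'UserPolicyMode' is modelled here:
// 0 = loopback off, 1 = merge, 2 = replace.
struct WindowsPolicy {
  int user_policy_mode;
};

// kNoWindowsPolicy plays the role of ERROR_NO_WINDOWS_POLICY.
enum class FetchError { kNone, kNoWindowsPolicy };

struct FetchResult {
  FetchError error;
  PolicyMap policy;  // Empty on error; the caller keeps its cached policy.
};

// Computes effective user policy. |windows_policy| is nullptr when the
// stored Windows policy is missing or its disk file could not be read.
FetchResult ComputeUserPolicy(const WindowsPolicy* windows_policy,
                              const PolicyMap& user_gpo_policy,
                              const PolicyMap& device_gpo_user_policy) {
  // Fail closed: without trustworthy Windows policy we cannot know whether
  // device GPOs must override user GPOs, so no new user policy is produced.
  if (!windows_policy) return {FetchError::kNoWindowsPolicy, {}};

  const int mode = windows_policy->user_policy_mode;
  // Assumption of this example: an unknown mode is treated like corruption.
  if (mode < 0 || mode > 2) return {FetchError::kNoWindowsPolicy, {}};

  PolicyMap result;
  // Replace mode (2) ignores user GPOs entirely.
  if (mode != 2) result = user_gpo_policy;
  // Merge (1) and replace (2) apply user policy found in device GPOs last,
  // so the device GPO value wins wherever both sources set the same policy.
  if (mode != 0) {
    for (const auto& entry : device_gpo_user_policy)
      result[entry.first] = entry.second;
  }
  return {FetchError::kNone, result};
}
```

The error path returns an empty map on purpose: silently falling back to plain user GPOs when the mode is unknown would drop the admin's device-level overrides.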
Marked verified based on the test results. Briefly tested in M66.0.3359.94 10452.52.0 beta pain for policies fetch with AD server without any issue.
Comment 1 by rsorokin@chromium.org, Dec 19 2017