From 80e9fcd0f53aa1af2c97af1429ba91bb5ad6ec5d Mon Sep 17 00:00:00 2001 From: David Mulder Date: Fri, 7 Feb 2025 14:21:55 -0700 Subject: [PATCH 1/3] Re-enable Intune policy and add scripts and compliance policies Signed-off-by: David Mulder --- Cargo.lock | 19 ++ Cargo.toml | 2 + man/man5/himmelblau.conf.5 | 12 + src/common/src/unix_proto.rs | 4 + src/config/himmelblau.conf.example | 7 + src/daemon/Cargo.toml | 1 + src/daemon/src/daemon.rs | 74 ++++++ src/daemon/src/tasks_daemon.rs | 18 ++ src/policies/Cargo.toml | 5 + src/policies/src/chromium_ext.rs | 47 +--- src/policies/src/compliance_ext.rs | 268 +++++++++++++++++++ src/policies/src/cse.rs | 11 +- src/policies/src/lib.rs | 6 + src/policies/src/policies.rs | 407 ++++++++++++++++++++--------- src/policies/src/scripts_ext.rs | 269 +++++++++++++++++++ 15 files changed, 971 insertions(+), 179 deletions(-) create mode 100644 src/policies/src/compliance_ext.rs create mode 100644 src/policies/src/scripts_ext.rs diff --git a/Cargo.lock b/Cargo.lock index be9f9769..0ef69429 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1927,6 +1927,24 @@ dependencies = [ "thiserror", ] +[[package]] +name = "himmelblau_policies" +version = "1.0.0" +dependencies = [ + "anyhow", + "async-trait", + "base64 0.22.1", + "himmelblau_unix_common", + "os-release", + "regex", + "reqwest", + "semver", + "serde", + "serde_json", + "tokio", + "tracing", +] + [[package]] name = "himmelblau_red_asn1" version = "0.3.7" @@ -1994,6 +2012,7 @@ dependencies = [ "clap 4.5.31", "csv", "futures", + "himmelblau_policies", "himmelblau_unix_common", "identity_dbus_broker", "kanidm-hsm-crypto", diff --git a/Cargo.toml b/Cargo.toml index cdbbda31..722adbd7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -5,6 +5,7 @@ members = [ "src/common", "src/pam", "src/nss", + "src/policies", "src/sketching", "src/proto", "src/crypto", @@ -47,6 +48,7 @@ anyhow = "^1.0.96" tokio = { version = "^1.28.1", features = ["rt", "macros", "sync", "time", "net", "io-util", "signal", "rt-multi-thread"] } tokio-util = { version = "^0.7.8", features = ["codec"] } async-trait = "^0.1.87" +himmelblau_policies = { path = "src/policies" } pem = "^3.0.5" chrono = "^0.4.40" os-release = "^0.1.0" diff --git a/man/man5/himmelblau.conf.5 b/man/man5/himmelblau.conf.5 index e69b350c..c36f7a43 100644 --- a/man/man5/himmelblau.conf.5 +++ b/man/man5/himmelblau.conf.5 @@ -221,6 +221,18 @@ fi .fi .RE +.TP +.B apply_policy +.RE +A boolean option that enables the experimental application of Intune policies to the authenticated user. This setting does not mark the device as compliant in Entra ID, nor does it register the device as managed in Intune. Instead, it attempts to apply any assigned Intune policies to the user session. + +For this feature to function correctly, an `app_id` must be defined for the corresponding domain, and the "DeviceManagementConfiguration.Read.All" API permission must be granted to it. + +By default, this option is disabled. + +.EXAMPLES +apply_policy = false + .TP .B authority_host .RE diff --git a/src/common/src/unix_proto.rs b/src/common/src/unix_proto.rs index a9d1a2cf..73de6cd7 100644 --- a/src/common/src/unix_proto.rs +++ b/src/common/src/unix_proto.rs @@ -153,6 +153,7 @@ pub enum TaskRequest { LogonScript(String, String), KerberosCCache(uid_t, uid_t, Vec, Vec), LoadProfilePhoto(String, String), + ApplyPolicy(String, String, String), } impl TaskRequest { @@ -168,6 +169,9 @@ impl TaskRequest { TaskRequest::LoadProfilePhoto(account_id, _) => { format!("LoadProfilePhoto({}, ...)", account_id) } + TaskRequest::ApplyPolicy(account_id, object_id, _) => { + format!("ApplyPolicy({}, {}, ...)", account_id, object_id) + } } } } diff --git a/src/config/himmelblau.conf.example b/src/config/himmelblau.conf.example index 1ca012c8..4661fa45 100644 --- a/src/config/himmelblau.conf.example +++ b/src/config/himmelblau.conf.example @@ -92,6 +92,13 @@ # provides flexibility for environments requiring custom name transformations. # name_mapping_script = # +# Whether to apply Intune policies (experimental). This will not mark the device +# compliant in Entra Id, nor create an Intune managed device in the portal. It +# will only attempt to apply the policies assigned in Intune to the user. An +# app_id MUST be defined for this domain for policy application to succeed, and +# the "DeviceManagementConfiguration.Read.All" API permission MUST be granted. +# apply_policy = false ; {true|false} +# # authority_host = login.microsoftonline.com # # The location of the cache database diff --git a/src/daemon/Cargo.toml b/src/daemon/Cargo.toml index e6d8da88..c8709ee5 100644 --- a/src/daemon/Cargo.toml +++ b/src/daemon/Cargo.toml @@ -30,6 +30,7 @@ serde = { workspace = true } serde_json.workspace = true futures = "^0.3.28" systemd-journal-logger = "^2.1.1" +himmelblau_policies = { workspace = true } users = "^0.11.0" sketching = { workspace = true } walkdir = { workspace = true } diff --git a/src/daemon/src/daemon.rs b/src/daemon/src/daemon.rs index a13b4708..b9e3098d 100644 --- a/src/daemon/src/daemon.rs +++ b/src/daemon/src/daemon.rs @@ -513,6 +513,80 @@ async fn handle_client( } } + // Apply Intune policies + let domain = split_username(account_id) + .map(|(_, domain)| domain) + .unwrap_or(""); + if cfg.get_apply_policy() + && cfg.get_app_id(domain).is_some() + { + if let Some(token) = cachelayer + .get_user_accesstoken( + Id::Name(account_id.to_string()), + vec!["DeviceManagementConfiguration.Read.All".to_string()], + None, + ) + .await { + if let Ok(uuid) = token.uuid() { + if let Some(access_token) = + token.access_token.clone() + { + let (tx, rx) = oneshot::channel(); + + match task_channel_tx + .send_timeout( + ( + TaskRequest::ApplyPolicy( + account_id.to_string(), + uuid.to_string(), + access_token + .to_string(), + ), + tx, + ), + Duration::from_millis(100), + ) + .await + { + Ok(()) => { + // Now wait for the other end OR timeout. + match time::timeout_at( + time::Instant::now() + + Duration::from_millis( + 1000, + ), + rx, + ) + .await + { + Ok(Ok(status)) => { + if status == 0 { + debug!("Successfully applied Intune policies"); + } else { + debug!("Authentication was explicitly denied due to Intune failure"); + resp = PamAuthResponse::Denied; + } + } + Ok(Err(e)) => { + debug!("Authentication was explicitly denied due to Intune failure: {}", e); + resp = PamAuthResponse::Denied; + } + Err(e) => { + debug!("Authentication was explicitly denied due to Intune failure: {}", e); + resp = PamAuthResponse::Denied; + } + } + } + Err(e) => { + debug!("Authentication was explicitly denied due to Intune failure: {}", e); + resp = PamAuthResponse::Denied; + } + } + } + } + } + } + ClientResponse::PamAuthenticateStepResponse(resp) } _ => ClientResponse::PamAuthenticateStepResponse(resp), diff --git a/src/daemon/src/tasks_daemon.rs b/src/daemon/src/tasks_daemon.rs index 7f504b21..cbcf6e53 100644 --- a/src/daemon/src/tasks_daemon.rs +++ b/src/daemon/src/tasks_daemon.rs @@ -32,6 +32,7 @@ use std::{fs, io}; use bytes::{BufMut, BytesMut}; use futures::{SinkExt, StreamExt}; use himmelblau::graph::Graph; +use himmelblau_policies::policies::apply_group_policy; use himmelblau_unix_common::config::{split_username, HimmelblauConfig}; use himmelblau_unix_common::constants::{DEFAULT_CCACHE_DIR, DEFAULT_CONFIG_PATH}; use himmelblau_unix_common::unix_proto::{HomeDirectoryInfo, TaskRequest, TaskResponse}; @@ -491,6 +492,23 @@ async fn handle_tasks(stream: UnixStream, cfg: &HimmelblauConfig) { return; } } + Some(Ok(TaskRequest::ApplyPolicy(account_id, object_id, access_token))) => { + let res = apply_group_policy(cfg, &access_token, &account_id, &object_id) + .await + .unwrap_or_else(|e| { + error!("Failed to apply Intune policies: {:?}", e); + false + }); + + // Indicate the status response + if let Err(e) = reqs + .send(TaskResponse::Success(if res { 0 } else { 1 })) + .await + { + error!("Error -> {:?}", e); + return; + } + } Some(Err(e)) => { error!("Error -> {:?}", e); return; diff --git a/src/policies/Cargo.toml b/src/policies/Cargo.toml index 9e38b560..f159c312 100644 --- a/src/policies/Cargo.toml +++ b/src/policies/Cargo.toml @@ -21,3 +21,8 @@ serde_json = { workspace = true } anyhow = { workspace = true } async-trait = { workspace = true } regex = "^1.9.1" +base64.workspace = true +tokio.workspace = true +himmelblau_unix_common = { workspace = true } +os-release = "0.1.0" +semver = "1.0.25" diff --git a/src/policies/src/chromium_ext.rs b/src/policies/src/chromium_ext.rs index ba9aee90..0933cb5f 100644 --- a/src/policies/src/chromium_ext.rs +++ b/src/policies/src/chromium_ext.rs @@ -19,6 +19,7 @@ use crate::cse::CSE; use crate::policies::{Policy, PolicyType, ValueType}; use anyhow::{anyhow, Result}; use async_trait::async_trait; +use himmelblau_unix_common::config::HimmelblauConfig; use regex::Regex; use serde_json; use std::collections::HashMap; @@ -32,11 +33,7 @@ static CHROME_MANAGED_POLICIES_PATH: &str = "/etc/opt/chrome/policies/managed"; static RECOMMENDED_POLICIES_PATH: &str = "/etc/chromium/policies/recommended"; static CHROME_RECOMMENDED_POLICIES_PATH: &str = "/etc/opt/chrome/policies/recommended"; -pub struct ChromiumUserCSE { - pub graph_url: String, - pub access_token: String, - pub id: String, -} +pub struct ChromiumUserCSE {} fn write_policy_to_file(dirname: &str, key: &str, val: &ValueType) -> Result<()> { let mut file = File::create(format!("{}/{}.json", dirname, key))?; @@ -48,23 +45,11 @@ fn write_policy_to_file(dirname: &str, key: &str, val: &ValueType) -> Result<()> #[async_trait] impl CSE for ChromiumUserCSE { - fn new(graph_url: &str, access_token: &str, id: &str) -> Self { - ChromiumUserCSE { - graph_url: graph_url.to_string(), - access_token: access_token.to_string(), - id: id.to_string(), - } + fn new(_config: &HimmelblauConfig, _username: &str) -> Self { + ChromiumUserCSE {} } - async fn process_group_policy( - &self, - deleted_gpo_list: Vec>, - changed_gpo_list: Vec>, - ) -> Result { - debug!("Applying Chromium policy to user with id {}", self.id); - - for _gpo in deleted_gpo_list { /* TODO: Unapply policies that have been removed */ } - + async fn process_group_policy(&self, changed_gpo_list: Vec>) -> Result { for gpo in changed_gpo_list { let pattern = Regex::new(r"^\\Google\\Google Chrome")?; let defs = gpo.list_policy_settings(pattern)?; @@ -97,28 +82,6 @@ impl CSE for ChromiumUserCSE { } Ok(true) } - - async fn rsop(&self, gpo: Arc) -> Result> { - let pattern = Regex::new(r"^\\Google\\Google Chrome")?; - let defs = gpo.list_policy_settings(pattern)?; - let mut res: HashMap = HashMap::new(); - for def in defs { - if def.enabled() && def.class_type() == PolicyType::User { - let key = match convert_display_name_to_name( - &def.key(), - key_is_recommended(&def.get_compare_pattern()), - ) { - Ok(key) => key, - Err(e) => { - error!("{}", e); - continue; - } - }; - res.insert(key, serde_json::to_string(&def.value())?); - } - } - Ok(res) - } } fn key_is_recommended(key: &str) -> bool { diff --git a/src/policies/src/compliance_ext.rs b/src/policies/src/compliance_ext.rs new file mode 100644 index 00000000..0a2f3a78 --- /dev/null +++ b/src/policies/src/compliance_ext.rs @@ -0,0 +1,268 @@ +/* + Unix Azure Entra ID implementation + Copyright (C) David Mulder 2024 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +use crate::cse::CSE; +use crate::policies::{Policy, ValueType}; +use anyhow::{anyhow, Result}; +use async_trait::async_trait; +use himmelblau_unix_common::config::HimmelblauConfig; +use os_release::OsRelease; +use regex::Regex; +use std::sync::Arc; +use tokio::fs; +use tokio::process::Command; + +pub async fn is_disk_encrypted() -> bool { + // Check for LUKS encryption using `lsblk` + if let Ok(output) = Command::new("lsblk") + .arg("-o") + .arg("NAME,FSTYPE") + .output() + .await + { + if let Ok(output_str) = String::from_utf8(output.stdout) { + if output_str.contains("crypt") { + return true; + } + } + } + + // Check for entries in `/etc/crypttab` + if let Ok(crypttab) = fs::read_to_string("/etc/crypttab").await { + if !crypttab.trim().is_empty() { + return true; + } + } + + // Check for mapped encrypted volumes in `/dev/mapper` + if let Ok(entries) = fs::read_dir("/dev/mapper").await { + let mut entries = entries; + while let Some(entry) = entries.next_entry().await.unwrap_or(None) { + if let Some(name_str) = entry.file_name().to_str() { + if name_str.contains("crypt") { + return true; + } + } + } + } + + // Check for `dm-crypt` devices using `lsblk` + if let Ok(output) = Command::new("lsblk") + .arg("-o") + .arg("NAME,TYPE,MOUNTPOINT") + .output() + .await + { + if let Ok(output_str) = String::from_utf8(output.stdout) { + if output_str.contains("dm-crypt") { + return true; + } + } + } + + // No disk encryption detected + false +} + +fn normalize_version(version: &str) -> String { + let parts: Vec<&str> = version.split('.').collect(); + match parts.len() { + 0 => version.to_string(), // Shouldn't happen. + 1 => format!("{}.0.0", version), + 2 => format!("{}.0", version), + _ => version.to_string(), + } +} + +pub struct ComplianceCSE { + config: HimmelblauConfig, +} + +#[async_trait] +impl CSE for ComplianceCSE { + fn new(config: &HimmelblauConfig, _username: &str) -> Self { + ComplianceCSE { + config: config.clone(), + } + } + + /// Process a group of policies. For deleted policies, no action is taken. + /// For changed policies, run compliance checks and return an error if any check fails. + async fn process_group_policy(&self, changed_gpo_list: Vec>) -> Result { + for policy in changed_gpo_list.iter() { + self.apply_compliance(policy.clone()).await?; + } + Ok(true) + } +} + +impl ComplianceCSE { + /// Applies the compliance checks for a given policy. + /// + /// If any check fails, an error is returned with details on the failure. + async fn apply_compliance(&self, policy: Arc) -> Result<()> { + let mut errors: Vec = Vec::new(); + + let pattern = Regex::new("linux_*")?; + let settings = policy.list_policy_settings(pattern)?; + + for setting in settings.iter() { + match setting.key().as_str() { + "linux_distribution_alloweddistros" => { + if let Some(ValueType::Collection(children)) = setting.value() { + let mut allowed_distro = String::new(); + let mut min_version: Option = None; + let mut max_version: Option = None; + + for child in children.iter() { + let child_key = child.key(); + match child_key.as_str() { + "linux_distribution_alloweddistros_item_$type" => { + if let Some(ValueType::Text(val)) = child.value() { + allowed_distro = val; + } else { + errors.push( + "Failed to read allowed distribution policy" + .to_string(), + ); + } + } + "linux_distribution_alloweddistros_item_minimumversion" => { + if let Some(ValueType::Decimal(val)) = child.value() { + min_version = Some(normalize_version(&val.to_string())); + } else if let Some(ValueType::Text(val)) = child.value() { + if !val.is_empty() { + min_version = Some(normalize_version(&val)); + } + } else { + errors.push( + "Failed to read allowed distribution minimum version policy" + .to_string(), + ); + } + } + "linux_distribution_alloweddistros_item_maximumversion" => { + if let Some(ValueType::Decimal(val)) = child.value() { + max_version = Some(normalize_version(&val.to_string())); + } else if let Some(ValueType::Text(val)) = child.value() { + if !val.is_empty() { + max_version = Some(normalize_version(&val)); + } + } else { + errors.push( + "Failed to read allowed distribution maximum version policy" + .to_string(), + ); + } + } + unknown => { + errors.push(format!( + "Unrecognized compliance option '{}'", + unknown, + )); + } + } + } + + let os_release = OsRelease::new()?; + + let system_distro = os_release.id; + let system_version_str = normalize_version(&os_release.version_id); + + if !allowed_distro.is_empty() && system_distro != allowed_distro { + errors.push(format!( + "Distribution compliance failed: system distro '{}' is not '{}'", + system_distro, allowed_distro + )); + } + + use semver::Version; + let system_version = Version::parse(&system_version_str).map_err(|e| { + anyhow!( + "Failed to parse system version '{}' as semver: {}", + system_version_str, + e + ) + })?; + + if let Some(ref min) = min_version { + let min_semver = Version::parse(min).map_err(|e| { + anyhow!( + "Failed to parse minimum version '{}' as semver: {}", + min, + e + ) + })?; + if system_version < min_semver { + errors.push(format!( + "Version compliance failed: system version '{}' is less than minimum '{}'", + system_version, min_semver + )); + } + } + if let Some(ref max) = max_version { + let max_semver = Version::parse(max).map_err(|e| { + anyhow!( + "Failed to parse maximum version '{}' as semver: {}", + max, + e + ) + })?; + if system_version > max_semver { + errors.push(format!( + "Version compliance failed: system version '{}' is greater than maximum '{}'", + system_version, max_semver + )); + } + } + } + } + "linux_deviceencryption_required" => { + if let Some(ValueType::Boolean(required)) = setting.value() { + if required && !is_disk_encrypted().await { + errors.push("Device encryption compliance failed: encryption likely not enabled".to_string()); + } + } else { + errors.push("Failed to read device encryption policy".to_string()); + } + } + "linux_passwordpolicy_minimumlength" => { + if let Some(ValueType::Decimal(min_length)) = setting.value() { + let system_min_length = self.config.get_hello_pin_min_length(); + if system_min_length < min_length as usize { + errors.push(format!( + "Password policy compliance failed: system minimum length {} is less than required {}", + system_min_length, min_length + )); + } + } else { + errors.push("Failed to read minimum password length policy".to_string()); + } + } + unknown => { + errors.push(format!("Unrecognized compliance option '{}'", unknown)); + } + } + } + + if errors.is_empty() { + Ok(()) + } else { + Err(anyhow!("Compliance check failures: {}", errors.join("; "))) + } + } +} diff --git a/src/policies/src/cse.rs b/src/policies/src/cse.rs index b9d4b462..19083001 100644 --- a/src/policies/src/cse.rs +++ b/src/policies/src/cse.rs @@ -22,18 +22,13 @@ use crate::policies::Policy; use anyhow::Result; use async_trait::async_trait; -use std::collections::HashMap; +use himmelblau_unix_common::config::HimmelblauConfig; use std::sync::Arc; #[async_trait] pub trait CSE: Send + Sync { - fn new(graph_url: &str, access_token: &str, id: &str) -> Self + fn new(config: &HimmelblauConfig, username: &str) -> Self where Self: Sized; - async fn process_group_policy( - &self, - deleted_gpo_list: Vec>, - changed_gpo_list: Vec>, - ) -> Result; - async fn rsop(&self, gpo: Arc) -> Result>; + async fn process_group_policy(&self, changed_gpo_list: Vec>) -> Result; } diff --git a/src/policies/src/lib.rs b/src/policies/src/lib.rs index ec26444e..64b8ae88 100644 --- a/src/policies/src/lib.rs +++ b/src/policies/src/lib.rs @@ -39,3 +39,9 @@ pub mod cse; #[cfg(target_family = "unix")] pub mod chromium_ext; + +#[cfg(target_family = "unix")] +pub mod scripts_ext; + +#[cfg(target_family = "unix")] +pub mod compliance_ext; diff --git a/src/policies/src/policies.rs b/src/policies/src/policies.rs index 1fbe75a2..8f53cadc 100644 --- a/src/policies/src/policies.rs +++ b/src/policies/src/policies.rs @@ -16,11 +16,14 @@ along with this program. If not, see . */ use crate::chromium_ext::ChromiumUserCSE; +use crate::compliance_ext::ComplianceCSE; use crate::cse::CSE; +use crate::scripts_ext::ScriptsCSE; use anyhow::{anyhow, Result}; use async_trait::async_trait; +use himmelblau_unix_common::config::{split_username, HimmelblauConfig}; use regex::Regex; -use reqwest::header; +use reqwest::{header, Url}; use serde::{Deserialize, Serialize}; use std::sync::Arc; use tracing::error; @@ -104,9 +107,39 @@ async fn list_configuration_policies( graph_url: &str, access_token: &str, ) -> Result> { + let url = Url::parse_with_params( + &format!("{}/beta/deviceManagement/configurationPolicies", graph_url), + &[ + ("$select", "name,id"), + ( + "$filter", + "(platforms eq 'linux') and (technologies has 'linuxMdm')", + ), + ], + ) + .map_err(|e| anyhow!("{:?}", e))?; + let client = reqwest::Client::new(); + let resp = client + .get(url) + .header(header::AUTHORIZATION, format!("Bearer {}", access_token)) + .send() + .await?; + if resp.status().is_success() { + Ok(resp.json::().await?.value) + } else { + Err(anyhow!(resp.status())) + } +} + +async fn get_compliance_policy_assigned( + graph_url: &str, + access_token: &str, + id: &str, + policy_id: &str, +) -> Result { let url = &format!( - "{}/beta/deviceManagement/configurationPolicies?$select=name,id", - graph_url + "{}/beta/deviceManagement/compliancePolicies/{}/assignments", + graph_url, policy_id ); let client = reqwest::Client::new(); let resp = client @@ -115,7 +148,116 @@ async fn list_configuration_policies( .send() .await?; if resp.status().is_success() { - Ok(resp.json::().await?.value) + let assignments = resp.json::().await?.value; + parse_assignments(graph_url, access_token, id, policy_id, assignments).await + } else { + Err(anyhow!(resp.status())) + } +} + +async fn list_compliance_policy_settings( + graph_url: &str, + access_token: &str, + policy_id: &str, +) -> Result> { + let url = &format!( + "{}/beta/deviceManagement/compliancePolicies/{}/settings", + graph_url, policy_id + ); + let client = reqwest::Client::new(); + let resp = client + .get(url) + .header(header::AUTHORIZATION, format!("Bearer {}", access_token)) + .send() + .await?; + if resp.status().is_success() { + Ok(resp.json::().await?.value) + } else { + Err(anyhow!(resp.status())) + } +} + +#[derive(Deserialize)] +struct CompliancePolicy { + id: String, + name: String, + #[serde(skip)] + policy_definitions: Option>>, +} + +#[async_trait] +impl Policy for CompliancePolicy { + fn get_id(&self) -> String { + self.id.clone() + } + + fn get_name(&self) -> String { + self.name.clone() + } + + async fn load_policy_settings(&mut self, graph_url: &str, access_token: &str) -> Result { + let settings: Vec = + list_compliance_policy_settings(graph_url, access_token, &self.id).await?; + let mut res: Vec> = vec![]; + for setting in settings { + res.push(Arc::new(setting)); + } + self.policy_definitions = Some(res); + Ok(true) + } + + fn list_policy_settings(&self, pattern: Regex) -> Result>> { + match &self.policy_definitions { + Some(policy_definitions) => { + let mut res: Vec> = vec![]; + for policy_definition in policy_definitions { + if pattern.is_match(&policy_definition.get_compare_pattern()) { + res.push(policy_definition.clone()); + } + } + Ok(res) + } + None => Err(anyhow!("Policy Definitions were not loaded")), + } + } + + fn clone(&self) -> Arc { + Arc::new(CompliancePolicy { + id: self.id.clone(), + name: self.name.clone(), + policy_definitions: self.policy_definitions.clone(), + }) + } +} + +#[derive(Deserialize)] +struct CompliancePolicies { + value: Vec, +} + +async fn list_compliance_policies( + graph_url: &str, + access_token: &str, +) -> Result> { + let url = Url::parse_with_params( + &format!("{}/beta/deviceManagement/compliancePolicies", graph_url), + &[ + ("$select", "name,id"), + ( + "$filter", + "(platforms eq 'linux') and (technologies has 'linuxMdm')", + ), + ], + ) + .map_err(|e| anyhow!("{:?}", e))?; + let client = reqwest::Client::new(); + let resp = client + .get(url) + .header(header::AUTHORIZATION, format!("Bearer {}", access_token)) + .send() + .await?; + if resp.status().is_success() { + Ok(resp.json::().await?.value) } else { Err(anyhow!(resp.status())) } @@ -154,7 +296,7 @@ async fn list_group_policy_configurations( } } -#[derive(Debug, Deserialize, Clone)] +#[derive(Deserialize, Clone)] struct GroupPolicyDefinition { #[serde(skip)] enabled: bool, @@ -222,7 +364,7 @@ async fn get_group_policy_definition( } } -#[derive(Debug, Deserialize, Serialize, Clone)] +#[derive(Deserialize, Serialize, Clone)] #[serde(untagged)] pub enum ValueType { Text(String), @@ -230,6 +372,8 @@ pub enum ValueType { Boolean(bool), MultiText(Vec), List(Vec), + #[serde(skip)] + Collection(Vec>), } #[derive(Debug, Deserialize, Serialize, Clone)] @@ -238,13 +382,13 @@ pub struct PresentationValueList { value: Option, } -#[derive(Default, Debug, Deserialize, Clone)] +#[derive(Default, Deserialize, Clone)] struct PresentationValue { value: Option, values: Option, } -#[derive(Debug, Deserialize)] +#[derive(Deserialize)] struct PresentationValues { value: Option>, } @@ -360,10 +504,14 @@ struct GroupPolicies { } async fn list_group_policies(graph_url: &str, access_token: &str) -> Result> { - let url = &format!( - "{}/beta/deviceManagement/groupPolicyConfigurations?$select=displayName,id", - graph_url - ); + let url = Url::parse_with_params( + &format!( + "{}/beta/deviceManagement/groupPolicyConfigurations", + graph_url + ), + &[("$select", "displayName,id")], + ) + .map_err(|e| anyhow!("{:?}", e))?; let client = reqwest::Client::new(); let resp = client .get(url) @@ -377,13 +525,6 @@ async fn list_group_policies(graph_url: &str, access_token: &str) -> Result, -} - #[derive(Serialize, Deserialize)] struct DirectoryObjectsRequest { ids: Vec, types: Vec, } -async fn get_object_type_by_id( - graph_url: &str, - access_token: &str, - id: &str, -) -> Result { - let url = &format!("{}/v1.0/directoryObjects/getByIds", graph_url); - let client = reqwest::Client::new(); - - let json_payload = serde_json::to_string(&DirectoryObjectsRequest { - ids: vec![id.to_string()], - types: vec![ - "user".to_string(), - "group".to_string(), - "device".to_string(), - ], - })?; - - let resp = client - .post(url) - .header(header::AUTHORIZATION, format!("Bearer {}", access_token)) - .header(header::CONTENT_TYPE, "application/json") - .body(json_payload) - .send() - .await?; - if resp.status().is_success() { - let objs = resp.json::().await?.value; - if objs.len() == 1 { - if objs[0].odata_type == "#microsoft.graph.user" { - Ok(ObjectType::User) - } else if objs[0].odata_type == "#microsoft.graph.group" { - Ok(ObjectType::Group) - } else if objs[0].odata_type == "#microsoft.graph.device" { - Ok(ObjectType::Device) - } else { - Err(anyhow!("Unrecognized object type {}", objs[0].odata_type)) - } - } else { - Err(anyhow!("Failed finding exactly one object with id {}", id)) - } - } else { - Err(anyhow!(resp.status())) - } -} - #[derive(Serialize, Deserialize)] struct MemberGroupsRequest { #[serde(rename = "groupIds")] @@ -528,7 +614,6 @@ async fn parse_assignments( ) -> Result { let mut assigned = false; let mut excluded = false; - let id_typ = get_object_type_by_id(graph_url, access_token, id).await?; for rule in assignments { if rule.target.filter_id.is_some() { error!( @@ -539,43 +624,31 @@ async fn parse_assignments( } match rule.target.odata_type.as_str() { "#microsoft.graph.allLicensedUsersAssignmentTarget" => { - if id_typ == ObjectType::User { - assigned = true; - } + assigned = true; } "#microsoft.graph.allDevicesAssignmentTarget" => { - if id_typ == ObjectType::Device { - assigned = true; - } + assigned = true; } - "#microsoft.graph.groupAssignmentTarget" => { - if id_typ != ObjectType::Device { - match rule.target.group_id { - Some(group_id) => { - let member_of = - id_memberof_group(graph_url, access_token, id, &group_id).await?; - if member_of { - assigned = true; - } - } - None => error!("GPO {}: groupAssignmentTarget missing group id", policy_id), + "#microsoft.graph.groupAssignmentTarget" => match rule.target.group_id { + Some(group_id) => { + let member_of = + id_memberof_group(graph_url, access_token, id, &group_id).await?; + if member_of { + assigned = true; } } - } - "#microsoft.graph.exclusionGroupAssignmentTarget" => { - if id_typ != ObjectType::Device { - match rule.target.group_id { - Some(group_id) => { - let member_of = - id_memberof_group(graph_url, access_token, id, &group_id).await?; - if member_of { - excluded = true; - } - } - None => error!("GPO {}: groupAssignmentTarget missing group id", policy_id), + None => error!("GPO {}: groupAssignmentTarget missing group id", policy_id), + }, + "#microsoft.graph.exclusionGroupAssignmentTarget" => match rule.target.group_id { + Some(group_id) => { + let member_of = + id_memberof_group(graph_url, access_token, id, &group_id).await?; + if member_of { + excluded = true; } } - } + None => error!("GPO {}: groupAssignmentTarget missing group id", policy_id), + }, target => { error!("GPO {}: unrecognized rule target \"{}\"", policy_id, target); } @@ -636,24 +709,33 @@ async fn get_config_policy_assigned( } } -#[derive(Debug, Deserialize)] +#[derive(Debug, Deserialize, Clone)] struct SimpleSettingValue { value: String, } -#[derive(Debug, Deserialize)] +#[derive(Debug, Deserialize, Clone)] struct ChoiceSettingValue { value: String, } -#[derive(Debug, Deserialize)] +#[derive(Debug, Deserialize, Clone)] +struct GroupSettingCollectionValue { + children: Vec, +} + +#[derive(Debug, Deserialize, Clone)] struct SettingInstance { + #[serde(rename = "@odata.type")] + odata_type: String, #[serde(rename = "settingDefinitionId")] setting_definition_id: String, #[serde(rename = "simpleSettingValue", default)] simple_value: Option, #[serde(rename = "choiceSettingValue", default)] choice_value: Option, + #[serde(rename = "groupSettingCollectionValue", default)] + group_value: Option>, } #[derive(Debug, Deserialize)] @@ -662,6 +744,23 @@ struct ConfigurationPolicySetting { setting_instance: SettingInstance, } +pub fn parse_input_value(input: &str) -> ValueType { + // Attempt to parse the input as a decimal (i64) + if let Ok(decimal) = input.parse::() { + return ValueType::Decimal(decimal); + } + + // Attempt to parse the input as a boolean + if input.eq_ignore_ascii_case("true") { + return ValueType::Boolean(true); + } else if input.eq_ignore_ascii_case("false") { + return ValueType::Boolean(false); + } + + // If neither, treat it as plain text + ValueType::Text(input.to_string()) +} + impl PolicySetting for ConfigurationPolicySetting { fn enabled(&self) -> bool { // Configuration Policies can't be disabled, so this is always true @@ -691,13 +790,44 @@ impl PolicySetting for ConfigurationPolicySetting { } fn value(&self) -> Option { - match &self.setting_instance.simple_value { - Some(val) => Some(ValueType::Text(val.value.to_string())), - None => self + match self.setting_instance.odata_type.as_str() { + "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance" => self .setting_instance - .choice_value - .as_ref() - .map(|val| ValueType::Text(val.value.to_string())), + .simple_value + .clone() + .map(|val| parse_input_value(&val.value)), + "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance" => { + let def_id = format!("{}_", self.setting_instance.setting_definition_id); + self.setting_instance + .choice_value + .as_ref() + .and_then(|val| val.value.strip_prefix(&def_id).map(|s| s.to_string())) + .as_deref() + .map(parse_input_value) + } + "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance" => { + self.setting_instance.group_value.clone().map(|collection| { + ValueType::Collection( + collection + .into_iter() + .flat_map(|sub_collection| { + sub_collection.children.into_iter().map(|child| { + Arc::new(ConfigurationPolicySetting { + setting_instance: child.clone(), + }) as Arc + }) + }) + .collect(), + ) + }) + } + unknown => { + error!( + "Unrecognized device management configuration setting instance: {}", + unknown + ); + None + } } } @@ -766,27 +896,46 @@ async fn get_gpo_list( res.push(Arc::new(gpo)); } } + let compliance_policy_list = list_compliance_policies(graph_url, access_token).await?; + for mut policy in compliance_policy_list { + // Check assignments and whether this policy applies + let assigned = + get_compliance_policy_assigned(graph_url, access_token, id, &policy.id).await?; + if assigned { + // Only load policy defs if we know we'll be using them + policy.load_policy_settings(graph_url, access_token).await?; + res.push(Arc::new(policy)); + } + } Ok(res) } -pub async fn apply_group_policy(graph_url: &str, access_token: &str, id: &str) -> Result { - let changed_gpos = get_gpo_list(graph_url, access_token, id).await?; - - /* TODO: Keep track of applied gpos, then unapply them when they disappear */ - let del_gpos: Vec> = vec![]; - - let obj_type = get_object_type_by_id(graph_url, access_token, id).await?; - let mut gp_extensions: Vec> = vec![]; - if obj_type == ObjectType::User { - gp_extensions.push(Arc::new(ChromiumUserCSE::new(graph_url, access_token, id))); - } else if obj_type == ObjectType::Device { - /* TODO: Machine policy extensions go here */ - } +pub async fn apply_group_policy( + config: &HimmelblauConfig, + access_token: &str, + account_id: &str, + id: &str, +) -> Result { + let domain = split_username(account_id) + .map(|(_, domain)| domain) + .ok_or(anyhow!( + "Failed to parse domain name from account id '{}'", + account_id + ))?; + let graph_url = config + .get_graph_url(domain) + .ok_or(anyhow!("Failed to find graph url for domain {}", domain))?; + let changed_gpos = get_gpo_list(&graph_url, access_token, id).await?; + + let gp_extensions: Vec> = vec![ + Arc::new(ChromiumUserCSE::new(config, account_id)), + Arc::new(ScriptsCSE::new(config, account_id)), + Arc::new(ComplianceCSE::new(config, account_id)), + ]; for ext in gp_extensions { - let cdel_gpos: Vec> = del_gpos.to_vec(); let cchanged_gpos: Vec> = changed_gpos.to_vec(); - ext.process_group_policy(cdel_gpos, cchanged_gpos).await?; + ext.process_group_policy(cchanged_gpos).await?; } Ok(true) diff --git a/src/policies/src/scripts_ext.rs b/src/policies/src/scripts_ext.rs new file mode 100644 index 00000000..87dc0fdc --- /dev/null +++ b/src/policies/src/scripts_ext.rs @@ -0,0 +1,269 @@ +/* + Unix Azure Entra ID implementation + Copyright (C) David Mulder 2024 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +use crate::cse::CSE; +use crate::policies::{Policy, ValueType}; +use anyhow::{anyhow, Result}; +use async_trait::async_trait; +use base64::engine::general_purpose::STANDARD; +use base64::Engine; +use himmelblau_unix_common::config::HimmelblauConfig; +use regex::Regex; +use serde::{Deserialize, Serialize}; +use std::collections::{HashMap, HashSet}; +use std::path::PathBuf; +use std::sync::Arc; +use tokio::fs; +use tokio::io::AsyncWriteExt; +use tokio::process::Command; + +/// A simple persistent cache mapping usernames to the set of applied policy IDs. +#[derive(Serialize, Deserialize, Default)] +pub struct PolicyCache { + pub user_policies: HashMap>, +} + +impl PolicyCache { + /// Loads the cache from the given file path. If the file does not exist, returns an empty cache. + pub async fn load(path: &PathBuf) -> Result { + if let Ok(data) = fs::read_to_string(path).await { + let cache = serde_json::from_str(&data)?; + Ok(cache) + } else { + Ok(PolicyCache::default()) + } + } + + /// Saves the cache to the given file path. + pub async fn save(&self, path: &PathBuf) -> Result<()> { + let data = serde_json::to_string_pretty(self)?; + fs::write(path, data).await?; + Ok(()) + } + + /// Returns the set of applied policy IDs for the specified user. + pub fn get_for_user(&self, username: &str) -> HashSet { + self.user_policies + .get(username) + .cloned() + .unwrap_or_default() + } + + /// Updates the cache for the given user. + pub fn update_for_user(&mut self, username: &str, applied_policy_ids: HashSet) { + self.user_policies + .insert(username.to_string(), applied_policy_ids); + } +} + +pub struct ScriptsCSE { + username: String, + config: HimmelblauConfig, +} + +#[async_trait] +impl CSE for ScriptsCSE { + fn new(config: &HimmelblauConfig, username: &str) -> Self { + ScriptsCSE { + username: username.to_string(), + config: config.clone(), + } + } + + async fn process_group_policy(&self, changed_gpo_list: Vec>) -> Result { + // Generate the persistent cache path. + let cache_path_str = self.cache_path().await?; + let cache_path = PathBuf::from(cache_path_str); + // Load the existing cache. + let mut cache = PolicyCache::load(&cache_path).await?; + let cached_policy_ids = cache.get_for_user(&self.username); + // Collect new policy IDs from the changed policies. + let new_policy_ids: HashSet = changed_gpo_list.iter().map(|p| p.get_id()).collect(); + + // Remove policies that were applied before but are not in the new set. + for old_policy in cached_policy_ids.difference(&new_policy_ids) { + let script_path = self.script_path().await?; + let cron_file = format!("/etc/cron.d/policy_{}", old_policy); + let script_file = format!("{}/policy_{}_script.sh", script_path, old_policy); + let wrapper_file = format!("{}/policy_{}_wrapper.sh", script_path, old_policy); + let _ = fs::remove_file(&cron_file).await; + let _ = fs::remove_file(&script_file).await; + let _ = fs::remove_file(&wrapper_file).await; + } + + // Process and apply the changed policies. + for policy in changed_gpo_list.iter() { + self.apply_policy(policy.clone()).await?; + } + + // Update and save the cache. + cache.update_for_user(&self.username, new_policy_ids); + cache.save(&cache_path).await?; + + Ok(true) + } +} + +impl ScriptsCSE { + async fn script_path(&self) -> Result { + let db_path = self.config.get_db_path(); + let mut cache_path = PathBuf::from(db_path); + cache_path.pop(); + cache_path.push("bin"); + let script_path = cache_path + .to_str() + .ok_or(anyhow!("Failed to convert to string")) + .map(|val| val.to_string())?; + let _ = fs::create_dir_all(script_path.clone()).await; + Ok(script_path) + } + + async fn cache_path(&self) -> Result { + let db_path = self.config.get_db_path(); + let mut path = PathBuf::from(db_path); + path.pop(); + // Append a filename, e.g., "cache__scripts.json" + path.push(format!("cache_{}_scripts.json", self.username)); + path.to_str() + .map(|s| s.to_string()) + .ok_or(anyhow!("Failed to convert cache path to string")) + } + + async fn apply_policy(&self, policy: Arc) -> Result<()> { + let pattern = Regex::new(r"linux_customconfig_.*")?; + let settings = policy.list_policy_settings(pattern)?; + + let mut execution_context = "root".to_string(); + let mut frequency = "1hour".to_string(); + let mut retries = 0; + let mut script_b64: Option = None; + + // Process each setting. + for setting in settings.iter() { + match setting.key().as_str() { + "linux_customconfig_executioncontext" => { + if let Some(ValueType::Text(val)) = setting.value() { + match val.as_str() { + "root" => execution_context = val.to_string(), + "user" => execution_context = self.username.to_string(), + _ => return Err(anyhow!("Unrecognized execution context '{}'", val)), + } + } else { + return Err(anyhow!("Failed to parse script execution context")); + } + } + "linux_customconfig_executionfrequency" => { + if let Some(ValueType::Text(val)) = setting.value() { + frequency = val.to_string(); + } else { + return Err(anyhow!("Failed to parse script execution frequency")); + } + } + "linux_customconfig_executionretries" => { + if let Some(ValueType::Decimal(val)) = setting.value() { + retries = val; + } else { + return Err(anyhow!("Failed to parse script execution retries")); + } + } + "linux_customconfig_script" => { + if let Some(ValueType::Text(val)) = setting.value() { + script_b64 = Some(val.to_string()); + } else { + return Err(anyhow!("Failed to parse script")); + } + } + _ => {} + } + } + + let script_path = self.script_path().await?; + + let script_b64 = + script_b64.ok_or(anyhow!("Policy setting missing: script not provided"))?; + let script_bytes = STANDARD.decode(script_b64)?; + let script_content = String::from_utf8(script_bytes)?; + + let script_path = format!("{}/policy_{}_script.sh", script_path, policy.get_id()); + let mut script_file = fs::File::create(&script_path).await?; + script_file.write_all(script_content.as_bytes()).await?; + Command::new("chmod") + .arg("+x") + .arg(&script_path) + .output() + .await?; + + let wrapper_path = format!("{}/policy_{}_wrapper.sh", script_path, policy.get_id()); + let wrapper_script = format!( + r#"#!/bin/bash +# Wrapper script for policy execution with retry logic. +retries={} +attempts=0 +while [ $attempts -le $retries ]; do + {} + exit_code=$? + if [ $exit_code -eq 0 ]; then + exit 0 + fi + attempts=$((attempts+1)) +done +exit $exit_code +"#, + retries, script_path + ); + let mut wrapper_file = fs::File::create(&wrapper_path).await?; + wrapper_file.write_all(wrapper_script.as_bytes()).await?; + Command::new("chmod") + .arg("+x") + .arg(&wrapper_path) + .output() + .await?; + + let cron_schedule = match frequency.as_str() { + "15minutes" => "*/15 * * * *", // Every 15 minutes + "30minutes" => "*/30 * * * *", // Every 30 minutes + "1hour" => "0 * * * *", // At the top of every hour + "2hours" => "0 */2 * * *", // Every 2 hours at minute 0 + "3hours" => "0 */3 * * *", // Every 3 hours at minute 0 + "6hours" => "0 */6 * * *", // Every 6 hours at minute 0 + "12hours" => "0 */12 * * *", // Every 12 hours at minute 0 + "1day" => "0 0 * * *", // Every day at midnight + "1week" => "0 0 * * 0", // Every week on Sunday at midnight + _ => { + return Err(anyhow!( + "Unknown script application frequency '{}' for policy {}.", + frequency, + policy.get_id() + )) + } + }; + + let cron_job_line = format!("{} {} {}\n", cron_schedule, execution_context, wrapper_path); + + let cron_file_path = format!("/etc/cron.d/policy_{}", policy.get_id()); + let mut cron_file = fs::File::create(&cron_file_path).await?; + cron_file.write_all(cron_job_line.as_bytes()).await?; + + Command::new("chmod") + .arg("644") + .arg(&cron_file_path) + .output() + .await?; + + Ok(()) + } +} From d0e41c40b10f719b9a360ea1cb9ef8cddae64980 Mon Sep 17 00:00:00 2001 From: David Mulder Date: Tue, 11 Feb 2025 13:13:09 -0700 Subject: [PATCH 2/3] Disable Chromium policy This is technically applying `Windows` Chrome/ Chromium policy. Disabling until MS provides admx policy for Linux. Signed-off-by: David Mulder --- src/policies/src/lib.rs | 3 --- src/policies/src/policies.rs | 2 -- 2 files changed, 5 deletions(-) diff --git a/src/policies/src/lib.rs b/src/policies/src/lib.rs index 64b8ae88..34977675 100644 --- a/src/policies/src/lib.rs +++ b/src/policies/src/lib.rs @@ -37,9 +37,6 @@ pub mod cse; * Make sure these are added to policies::apply_group_policy(). */ -#[cfg(target_family = "unix")] -pub mod chromium_ext; - #[cfg(target_family = "unix")] pub mod scripts_ext; diff --git a/src/policies/src/policies.rs b/src/policies/src/policies.rs index 8f53cadc..83468419 100644 --- a/src/policies/src/policies.rs +++ b/src/policies/src/policies.rs @@ -15,7 +15,6 @@ You should have received a copy of the GNU General Public License along with this program. If not, see . */ -use crate::chromium_ext::ChromiumUserCSE; use crate::compliance_ext::ComplianceCSE; use crate::cse::CSE; use crate::scripts_ext::ScriptsCSE; @@ -928,7 +927,6 @@ pub async fn apply_group_policy( let changed_gpos = get_gpo_list(&graph_url, access_token, id).await?; let gp_extensions: Vec> = vec![ - Arc::new(ChromiumUserCSE::new(config, account_id)), Arc::new(ScriptsCSE::new(config, account_id)), Arc::new(ComplianceCSE::new(config, account_id)), ]; From b0edf21be0c5ad19ba01bedc423f36ab6076d310 Mon Sep 17 00:00:00 2001 From: David Mulder Date: Wed, 12 Feb 2025 13:13:52 -0700 Subject: [PATCH 3/3] Correct the README regarding Intune policy compliance Signed-off-by: David Mulder --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b6e07188..e5cf626b 100644 --- a/README.md +++ b/README.md @@ -7,8 +7,8 @@ Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. The name of the project comes from a German word for Azure (sky blue). Himmelblau supports Linux authentication to Microsoft Azure Entra ID via PAM and NSS modules. -The PAM and NSS modules communicate with Entra ID via the himmelblaud daemon. Himmelblau plans to -enforce Intune MDM policies, but this work isn't completed yet. +The PAM and NSS modules communicate with Entra ID via the himmelblaud daemon. Himmelblau is capable +of enforcing Intune MDM polices, but is not yet able to mark the device compliant in Entra Id. [![sambaXP 2024: Bridging Worlds – Linux and Azure AD](img/sambaxp.png)](https://www.youtube.com/watch?v=G07FTKoNTRA "sambaXP 2024: Bridging Worlds – Linux and Azure AD")