-
Notifications
You must be signed in to change notification settings - Fork 116
/
Copy pathcpe_chrome_win.rb
executable file
·318 lines (299 loc) · 11.3 KB
/
cpe_chrome_win.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
# Copyright (c) Facebook, Inc. and its affiliates.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Cookbook Name:: cpe_chrome
# Resources:: cpe_chrome_win
resource_name :cpe_chrome_win
provides :cpe_chrome, :os => 'windows'
default_action :config
action :config do
# check file path for Chrome since osquery doesn't detect
# chrome is installed on all machines
chrome_installed = ::File.file?(
"#{ENV['ProgramFiles(x86)']}\\Google\\Chrome\\Application\\chrome.exe",
) || ::File.file?(
"#{ENV['ProgramFiles']}\\Google\\Chrome\\Application\\chrome.exe",
)
return unless chrome_installed || node.installed?('Google Chrome')
return unless node['cpe_chrome']['profile'].values.any?
if node['cpe_chrome']['_use_new_windows_provider']
reg_settings = []
node['cpe_chrome']['profile'].each do |setting_key, setting_value|
next if setting_value.nil?
setting = CPE::ChromeManagement::KnownSettings::GENERATED.fetch(
setting_key,
nil,
)
unless setting
Chef::Log.warn("#{setting_key} is not a known setting, skipping")
next
end
if setting_value.is_a?(Hash)
next if setting_value.empty?
setting.value = setting_value.to_json
else
setting.value = setting_value
end
reg_settings << setting
end
# Set all the keys we care about. If there's any mismatch of data, just
# delete the entire key and re-establish it, because we can't atomically
# change individual subkeys in one single registry_key resource invocation
CPE::ChromeManagement::KnownSettings::GENERATED.each do |name, obj|
if obj.is_a?(WindowsChromeFlatSetting)
begin
current_values = registry_get_values(obj.registry_location).
select { |k, _| name == k[:name] }
rescue Chef::Exceptions::Win32RegKeyMissing
next
end
next unless current_values.any?
next unless obj.value.nil?
next if current_values == obj.to_chef_reg_provider
registry_key obj.registry_location do
values current_values
action :delete
end
elsif obj.is_a?(WindowsChromeIterableSetting)
if registry_key_exists?(obj.registry_location) && obj.value.nil?
registry_key obj.registry_location do
recursive true
action :delete_key
end
end
end
end
reg_settings.each do |setting|
registry_key setting.registry_location do
values setting.to_chef_reg_provider
recursive true
action :create
end
end
# Manage Extension Settings
extprefs = node['cpe_chrome']['extension_profile']
if extprefs.empty? || extprefs.nil?
registry_key CPE::ChromeManagement.chrome_reg_3rd_party_ext_root do
recursive true
action :delete_key
end
else
# Loop through the extensions and create registry entries
# Key path is HKLM\Software\Policies\Google\Chrome\3rdparty\extensions\EXT_ID\policy
# https://www.chromium.org/administrators/configuring-policy-for-extensions
extprefs.each do |k, v|
ext_values = []
v['profile'].each do |k_ext, v_ext|
ext_values << {
'name' => k_ext,
'type' => v_ext['windows_value_type'],
'data' => v_ext['value'],
}
end
registry_key "#{CPE::ChromeManagement.chrome_reg_3rd_party_ext_root}\\#{k}\\policy" do
values ext_values
recursive true
action :create
end
end
end
else
# ExtensionSettings has a "dictionary" format and each key must be stored
# as a separate sub key inside the ExtensionSettings registry setting
# Ref: https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings
extension_settings_key = 'ExtensionSettings'.freeze
reg_settings = []
node['cpe_chrome']['profile'].each do |setting_key, setting_value|
next if setting_value.nil?
if setting_value.is_a?(Hash)
next if setting_value.empty?
end
# ExtensionSettings must have a different registry structure
if (setting_value.is_a? Hash) && (setting_key == extension_settings_key)
setting_value.each do |extension_key, extension_value|
if extension_value.is_a? Hash
extension_value.each do |inner_key, inner_value|
reg_settings <<
WindowsChromeSetting.new(
{ inner_key => inner_value },
"#{setting_key}\\#{extension_key}",
)
end
else
reg_settings <<
WindowsChromeSetting.new(
{ extension_key => extension_value },
setting_key.to_s,
)
end
end
else
reconstruct_setting = { setting_key => setting_value }
reg_settings << WindowsChromeSetting.new(reconstruct_setting)
end
end
# Set all the keys we care about. If there's any mismatch of data, just
# delete the entire key and re-establish it, because we can't atomically
# change individual subkeys in one single registry_key resource invocation
reg_settings.uniq.each do |setting|
next if setting.fullpath.empty?
new_values = setting.to_chef_reg_provider
current_values = nil
if registry_key_exists?(setting.fullpath)
current_values = registry_get_values(setting.fullpath)
end
# Make sure we're comparing apples to apples, as registry_get_values()
# always returns an array, even if the data itself only contains one value
unless new_values.is_a?(Array)
new_values = [new_values]
end
if new_values.empty? || new_values != current_values
Chef::Log.debug(
"cpe_chrome: Deleting #{setting.fullpath} because of mismatch",
)
Chef::Log.debug("cpe_chrome: Old values: #{current_values}")
Chef::Log.debug("cpe_chrome: New values: #{new_values}")
registry_key setting.fullpath do
recursive true
action :delete_key
end
end
registry_key setting.fullpath do
not_if { new_values.empty? }
values new_values
recursive true
action :create
end
end
extprefs = node['cpe_chrome']['extension_profile']
unless extprefs.empty? || extprefs.nil?
# Loop through the extensions and create registry entries
# Key path is HKLM\Software\Policies\Google\Chrome\3rdparty\extensions\EXT_ID\policy
# https://www.chromium.org/administrators/configuring-policy-for-extensions
extprefs.each do |k, v|
ext_values = []
v['profile'].each do |k_ext, v_ext|
ext_values << {
'name' => k_ext,
'type' => v_ext['windows_value_type'],
'data' => v_ext['value'],
}
end
registry_key "#{CPE::ChromeManagement.chrome_reg_3rd_party_ext_root}\\#{k}\\policy" do
values ext_values
recursive true
action :create
end
end
end
# Look at all the subkeys total of the root Chrome extension key.
all_chrome_ext_keys = []
extension_profile = node['cpe_chrome']['extension_profile']
if registry_key_exists?(CPE::ChromeManagement.chrome_reg_3rd_party_ext_root) &&
registry_has_subkeys?(CPE::ChromeManagement.chrome_reg_3rd_party_ext_root)
all_chrome_ext_keys =
registry_get_subkeys(CPE::ChromeManagement.chrome_reg_3rd_party_ext_root)
end
# This variable should be a superset (or a match) to the list of keys
# in the node attribute.
extra_chrome_ext_keys = all_chrome_ext_keys - extension_profile.keys
Chef::Log.debug("#{cookbook_name}: Extra keys: #{extra_chrome_ext_keys}")
extra_chrome_ext_keys.each do |rip_key|
registry_key "#{CPE::ChromeManagement.chrome_reg_3rd_party_ext_root}\\#{rip_key}" do
action :delete_key
recursive true
end
end
# Hack - if any extension profile configs, don't delete the root key
chrome_profile = node['cpe_chrome']['profile'].to_h
if extension_profile.values.any?
chrome_profile['3rdparty'] = nil
end
# Look at all the subkeys total of the root Chrome key.
all_chrome_keys = []
if registry_key_exists?(CPE::ChromeManagement.chrome_reg_root) &&
registry_has_subkeys?(CPE::ChromeManagement.chrome_reg_root)
all_chrome_keys =
registry_get_subkeys(CPE::ChromeManagement.chrome_reg_root)
end
# This variable should be a superset (or a match) to the list of keys
# in the node attribute.
extra_chrome_keys = all_chrome_keys - chrome_profile.keys
extra_chrome_keys.each do |rip_key|
registry_key "#{CPE::ChromeManagement.chrome_reg_root}\\#{rip_key}" do
action :delete_key
recursive true
end
end
end
# There are two migrations going on here. From the legacy x86
# program files to the x86_64 one, and from master_preferences to
# initial_preferences. At time of writing, we have Chrome instances
# installed in both locations. While we probably do not have any
# chromes old enough to be unaware of the new initial_preferences
# file name, we might, and the current files use that name. It's
# safer to just keep creating it until we're sure everything is on
# the new name.
['initial_preferences', 'master_preferences'].each do |basename|
[
'C:\\Program Files (x86)\\',
'C:\\Program Files\\',
].each do |prefix|
pref_path = "#{prefix}\\Google\\Chrome\\Application\\#{basename}"
file "delete-#{pref_path}" do
only_if do
node['cpe_chrome']['mp']['FileContents'].
to_hash.
reject { |_k, v| v.nil? }.
empty?
end
path pref_path
action :delete
end
[
"#{prefix}\\Google",
"#{prefix}\\Google\\Chrome",
"#{prefix}\\Google\\Chrome\\Application",
].each do |dir|
directory dir do # ~FB024
rights :read, 'Everyone', :applies_to_children => true
rights :read_execute, 'Users', :applies_to_children => true
rights :full_control, ['Administrators', 'SYSTEM'],
:applies_to_children => true
action :create
end
end
file "create-#{pref_path}" do # ~FB023
not_if do
node['cpe_chrome']['mp']['FileContents'].
to_hash.
reject { |_k, v| v.nil? }.
empty?
end
content lazy {
Chef::JSONCompat.to_json_pretty(
node['cpe_chrome']['mp']['FileContents'].
to_hash.
reject { |_k, v| v.nil? },
)
}
path pref_path
rights :read, 'Everyone', :applies_to_children => true
rights :read_execute, 'Users', :applies_to_children => true
rights :full_control, ['Administrators', 'SYSTEM'],
:applies_to_children => true
action :create
end
end
end
end