Hook up certificate policy manager to parent manager

internal/policies/manager.go

@@ -38,6 +38,7 @@ import (
 	log "github.com/ubuntu/adsys/internal/grpc/logstreamer"
 	"github.com/ubuntu/adsys/internal/i18n"
 	"github.com/ubuntu/adsys/internal/policies/apparmor"
+	"github.com/ubuntu/adsys/internal/policies/certificate"
 	"github.com/ubuntu/adsys/internal/policies/dconf"
 	"github.com/ubuntu/adsys/internal/policies/entry"
 	"github.com/ubuntu/adsys/internal/policies/gdm"
@@ -60,15 +61,16 @@ type Manager struct {
 	policiesCacheDir string
 	hostname         string
 
-	dconf     *dconf.Manager
-	privilege *privilege.Manager
-	scripts   *scripts.Manager
-	mount     *mount.Manager
-	gdm       *gdm.Manager
-	apparmor  *apparmor.Manager
-	proxy     *proxy.Manager
 	backend backends.Backend
 
+	dconf       *dconf.Manager
+	privilege   *privilege.Manager
+	scripts     *scripts.Manager
+	mount       *mount.Manager
+	gdm         *gdm.Manager
+	apparmor    *apparmor.Manager
+	proxy       *proxy.Manager
+	certificate *certificate.Manager
 
 	subscriptionDbus dbus.BusObject
 
@@ -91,10 +93,12 @@ type systemdCaller interface {
 
 type options struct {
 	cacheDir      string
+	stateDir      string
 	dconfDir      string
 	sudoersDir    string
 	policyKitDir  string
 	runDir        string
+	shareDir      string
 	apparmorDir   string
 	apparmorFsDir string
 	systemUnitDir string
@@ -209,7 +213,9 @@ func NewManager(bus *dbus.Conn, hostname string, backend backends.Backend, opts
 	// defaults
 	args := options{
 		cacheDir:      consts.DefaultCacheDir,
+		stateDir:      consts.DefaultStateDir,
 		runDir:        consts.DefaultRunDir,
+		shareDir:      consts.DefaultShareDir,
 		apparmorDir:   consts.DefaultApparmorDir,
 		systemUnitDir: consts.DefaultSystemUnitDir,
 		systemdCaller: defaultSystemdCaller,
@@ -259,6 +265,13 @@ func NewManager(bus *dbus.Conn, hostname string, backend backends.Backend, opts
 	}
 	proxyManager := proxy.New(bus, proxyOptions...)
 
+	// certificate manager
+	certificateManager := certificate.New(backend.Domain(),
+		certificate.WithRunDir(args.runDir),
+		certificate.WithStateDir(args.stateDir),
+		certificate.WithCacheDir(args.cacheDir),
+	)
+
 	// inject applied dconf mangager if we need to build a gdm manager
 	if args.gdm == nil {
 		if args.gdm, err = gdm.New(gdm.WithDconf(dconfManager)); err != nil {
@@ -284,6 +297,7 @@ func NewManager(bus *dbus.Conn, hostname string, backend backends.Backend, opts
 		mount:            mountManager,
 		apparmor:         apparmorManager,
 		proxy:            proxyManager,
+		certificate:      certificateManager,
 		gdm:              args.gdm,
 
 		subscriptionDbus: subscriptionDbus,
@@ -341,6 +355,11 @@ func (m *Manager) ApplyPolicies(ctx context.Context, objectName string, isComput
 	g.Go(func() error {
 		return m.proxy.ApplyPolicy(ctx, objectName, isComputer, rules["proxy"])
 	})
+	g.Go(func() error {
+		// Ignore error as we don't want to fail because of online status this late in the process
+		isOnline, _ := m.backend.IsOnline()
+		return m.certificate.ApplyPolicy(ctx, objectName, isComputer, isOnline, rules["certificate"])
+	})
 	if err := g.Wait(); err != nil {
 		return err
 	}

internal/policies/manager_test.go

@@ -41,10 +41,12 @@ func TestApplyPolicies(t *testing.T) {
 		isNotSubscribed                 bool
 		secondCallWithNoSubscription    bool
 		noUbuntuProxyManager            bool
+		backendOfflineError             bool
 
 		wantErr bool
 	}{
 		"Succeed": {policiesDir: "all_entry_types"},
+		"Succeed if checking for backend online status returns an error":         {backendOfflineError: true, policiesDir: "all_entry_types"},
 		"Second call with no rules deletes everything":                           {policiesDir: "all_entry_types", secondCallWithNoRules: true, scriptSessionEndedForSecondCall: true},
 		"Second call with no rules don't remove scripts if session hasn’t ended": {policiesDir: "all_entry_types", secondCallWithNoRules: true, scriptSessionEndedForSecondCall: false},
 

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/apparmor.d/adsys/machine/nested/usr.bin.baz

@@ -0,0 +1 @@
+/usr/bin/baz {}

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/apparmor.d/adsys/machine/usr.bin.bar

@@ -0,0 +1 @@
+/usr/bin/bar {}

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/apparmor.d/adsys/machine/usr.bin.foo

@@ -0,0 +1 @@
+/usr/bin/foo {}

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/dconf/db/machine.d/adsys

@@ -0,0 +1,5 @@
+[path/to]
+key1='ValueOfKey1'
+key2='ValueOfKey2
+On
+Multilines'

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/dconf/db/machine.d/locks/adsys

@@ -0,0 +1,2 @@
+/path/to/key1
+/path/to/key2

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf

@@ -0,0 +1,6 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+[Configuration]
+AdminIdentities=unix-user:alice@domain;unix-user:bob@domain2;unix-group:mygroup@domain;unix-user:cosmic carole@domain

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/sudoers.d/99-adsys-privilege-enforcement

@@ -0,0 +1,9 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+"alice@domain"	ALL=(ALL:ALL) ALL
+"bob@domain2"	ALL=(ALL:ALL) ALL
+"%mygroup@domain"	ALL=(ALL:ALL) ALL
+"cosmic carole@domain"	ALL=(ALL:ALL) ALL
+

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/systemd/system/adsys-cifs-example.com-smb_share.mount

@@ -0,0 +1,17 @@
+# This template defines the basic structure of a mount unit generated by ADSys for system mounts.
+[Unit]
+Description=ADSys mount for smb://example.com/smb_share
+After=network-online.target
+Requires=network-online.target
+
+[Mount]
+What=//example.com/smb_share
+Where=/adsys/cifs/example.com/smb_share
+Type=cifs
+Options=defaults
+# This option prevents hangs on shutdown due to an unreachable network share.
+LazyUnmount=true
+TimeoutSec=30
+
+[Install]
+WantedBy=default.target

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/systemd/system/adsys-fuse-example.com-ftp_share.mount

@@ -0,0 +1,17 @@
+# This template defines the basic structure of a mount unit generated by ADSys for system mounts.
+[Unit]
+Description=ADSys mount for ftp://example.com/ftp_share
+After=network-online.target
+Requires=network-online.target
+
+[Mount]
+What=curlftpfs#example.com
+Where=/adsys/fuse/example.com/ftp_share
+Type=fuse
+Options=defaults
+# This option prevents hangs on shutdown due to an unreachable network share.
+LazyUnmount=true
+TimeoutSec=30
+
+[Install]
+WantedBy=default.target

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/systemd/system/adsys-nfs-example.com-nfs_share.mount

@@ -0,0 +1,17 @@
+# This template defines the basic structure of a mount unit generated by ADSys for system mounts.
+[Unit]
+Description=ADSys mount for nfs://example.com/nfs_share
+After=network-online.target
+Requires=network-online.target
+
+[Mount]
+What=example.com:/nfs_share
+Where=/adsys/nfs/example.com/nfs_share
+Type=nfs
+Options=defaults
+# This option prevents hangs on shutdown due to an unreachable network share.
+LazyUnmount=true
+TimeoutSec=30
+
+[Install]
+WantedBy=default.target

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/run/adsys/machine/scripts/logoff

@@ -0,0 +1 @@
+scripts/otherfolder/script-user-logoff

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/run/adsys/machine/scripts/logon

@@ -0,0 +1 @@
+scripts/script-user-logon

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/run/adsys/machine/scripts/scripts/final-machine-script.sh

@@ -0,0 +1 @@
+final machine script

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/run/adsys/machine/scripts/scripts/otherfolder/script-user-logoff

@@ -0,0 +1 @@
+script user logoff

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/run/adsys/machine/scripts/scripts/script-machine-shutdown

@@ -0,0 +1 @@
+script machine shutdown

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/run/adsys/machine/scripts/scripts/script-machine-startup

@@ -0,0 +1 @@
+script machine startup

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/run/adsys/machine/scripts/scripts/script-user-logon

@@ -0,0 +1 @@
+script user logon

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/run/adsys/machine/scripts/scripts/subfolder/other-script

@@ -0,0 +1 @@
+subfolder other script

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/run/adsys/machine/scripts/scripts/unreferenced-data

@@ -0,0 +1 @@
+unreferenced data

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/run/adsys/machine/scripts/scripts/unreferenced-script

@@ -0,0 +1 @@
+unreferenced script

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/run/adsys/machine/scripts/shutdown

@@ -0,0 +1 @@
+scripts/script-machine-shutdown

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/run/adsys/machine/scripts/startup

@@ -0,0 +1,3 @@
+scripts/script-machine-startup
+scripts/subfolder/other-script
+scripts/final-machine-script.sh

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/sys/kernel/security/apparmor/profiles

@@ -0,0 +1 @@
+someprofile (enforce)

internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/var/cache/adsys/policies/hostname/policies

@@ -0,0 +1,70 @@
+gpos:
+    - id: '{GPOId}'
+      name: GPOName
+      rules:
+        apparmor:
+            - key: apparmor-machine
+              value: |
+                usr.bin.foo
+                usr.bin.bar
+                nested/usr.bin.baz
+              disabled: false
+        dconf:
+            - key: path/to/key1
+              value: ValueOfKey1
+              disabled: false
+              meta: s
+            - key: path/to/key2
+              value: |
+                ValueOfKey2
+                On
+                Multilines
+              disabled: false
+              meta: s
+        mount:
+            - key: system-mounts
+              value: |
+                nfs://example.com/nfs_share
+                smb://example.com/smb_share
+                ftp://example.com/ftp_share
+              disabled: false
+        privilege:
+            - key: allow-local-admins
+              value: ""
+              disabled: false
+            - key: client-admins
+              value: |
+                alice@domain
+                bob@domain2
+                %mygroup@domain
+                cosmic carole@domain
+              disabled: false
+        proxy:
+            - key: proxy/auto
+              value: http://example.com/proxy.pac
+              disabled: false
+            - key: proxy/http
+              value: ""
+              disabled: true
+            - key: proxy/no-proxy
+              value: localhost,127.0.0.1,::1
+              disabled: false
+        scripts:
+            - key: startup
+              value: |
+                script-machine-startup
+                subfolder/other-script
+                final-machine-script.sh
+              disabled: false
+            - key: shutdown
+              value: |
+                script-machine-shutdown
+              disabled: false
+            - key: logon
+              value: |
+                script-user-logon
+              disabled: false
+            - key: logoff
+              value: |
+                otherfolder/script-user-logoff
+              disabled: false