Show GPO settings, raise error if trying to set gpo managed settings

2025-04-17 10:10:20 +00:00 · 2018-05-08 18:47:24 -06:00 · 2018-05-08 18:47:24 -06:00 · f1f1bfc5c1
commit f1f1bfc5c1
parent 990ece5cd5
1 changed files with 82 additions and 17 deletions
--- a/salt/modules/win_snmp.py
+++ b/salt/modules/win_snmp.py
@ -9,17 +9,21 @@ from __future__ import absolute_import
 import logging

 # Import salt libs
-from salt.exceptions import SaltInvocationError
+from salt.exceptions import SaltInvocationError, CommandExecutionError
 import salt.utils

 # Import 3rd party libs
 from salt.ext import six

 _HKEY = 'HKLM'
+
 _SNMP_KEY = r'SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
 _AGENT_KEY = r'{0}\RFC1156Agent'.format(_SNMP_KEY)
 _COMMUNITIES_KEY = r'{0}\ValidCommunities'.format(_SNMP_KEY)

+_SNMP_GPO_KEY = r'SOFTWARE\Policies\SNMP\Parameters'
+_COMMUNITIES_GPO_KEY = r'{0}\ValidCommunities'.format(_SNMP_GPO_KEY)
+
 _PERMISSION_TYPES = {'None': 1,
                     'Notify': 2,
                     'Read Only': 4,
@ -285,6 +289,21 @@ def get_community_names():
    '''
    Get the current accepted SNMP community names and their permissions.

+    If community names are being managed by Group Policy, those values will be
+    returned instead like this:
+
+    .. code-block:: bash
+
+        TestCommunity:
+            Managed by GPO
+
+    Community names managed normally will denote the permission instead:
+
+    .. code-block:: bash
+
+        TestCommunity:
+            Read Only
+
    Returns:
        dict: A dictionary of community names and permissions.

@ -295,25 +314,57 @@ def get_community_names():
        salt '*' win_snmp.get_community_names
    '''
    ret = dict()
-    current_values = __salt__['reg.list_values'](
-        _HKEY, _COMMUNITIES_KEY, include_default=False)

-    # The communities are stored as the community name with a numeric permission
-    # value. Convert the numeric value to the text equivalent, as present in the
-    # Windows SNMP service GUI.
-    if isinstance(current_values, list):
-        for current_value in current_values:
+    # Look in GPO settings first
+    if __salt__['reg.key_exists'](_HKEY, _COMMUNITIES_GPO_KEY):

-            # Ignore error values
-            if not isinstance(current_value, dict):
-                continue
+        _LOG.debug('Loading communities from Group Policy settings')

-            permissions = str()
-            for permission_name in _PERMISSION_TYPES:
-                if current_value['vdata'] == _PERMISSION_TYPES[permission_name]:
-                    permissions = permission_name
-                    break
-            ret[current_value['vname']] = permissions
+        current_values = __salt__['reg.list_values'](
+            _HKEY, _COMMUNITIES_GPO_KEY, include_default=False)
+
+        # GPO settings are different in that they do not designate permissions
+        # They are a numbered list of communities like so:
+        #
+        # {1: "community 1",
+        #  2: "community 2"}
+        if isinstance(current_values, list):
+            for current_value in current_values:
+
+                # Ignore error values
+                if not isinstance(current_value, dict):
+                    continue
+
+                ret[current_value['vdata']] = 'Managed by GPO'
+
+    if not ret:
+
+        _LOG.debug('Loading communities from SNMP settings')
+
+        current_values = __salt__['reg.list_values'](
+            _HKEY, _COMMUNITIES_KEY, include_default=False)
+
+        # The communities are stored as the community name with a numeric
+        # permission value. Like this (4 = Read Only):
+        #
+        # {"community 1": 4,
+        #  "community 2": 4}
+        #
+        # Convert the numeric value to the text equivalent, as present in the
+        # Windows SNMP service GUI.
+        if isinstance(current_values, list):
+            for current_value in current_values:
+
+                # Ignore error values
+                if not isinstance(current_value, dict):
+                    continue
+
+                permissions = str()
+                for permission_name in _PERMISSION_TYPES:
+                    if current_value['vdata'] == _PERMISSION_TYPES[permission_name]:
+                        permissions = permission_name
+                        break
+                ret[current_value['vname']] = permissions

    if not ret:
        _LOG.debug('Unable to find existing communities.')
@ -324,6 +375,11 @@ def set_community_names(communities):
    '''
    Manage the SNMP accepted community names and their permissions.

+    .. note::
+        Settings managed by Group Policy will always take precedence over those
+        set using the SNMP interface. Therefore if this function finds Group
+        Policy settings it will raise a CommandExecutionError
+
    Args:
        communities (dict): A dictionary of SNMP community names and
            permissions. The possible permissions can be found via
@ -332,6 +388,10 @@ def set_community_names(communities):
    Returns:
        bool: True if successful, otherwise False

+    Raises:
+        CommandExecutionError:
+            If SNMP settings are being managed by Group Policy
+
    CLI Example:

    .. code-block:: bash
@ -340,6 +400,11 @@ def set_community_names(communities):
    '''
    values = dict()

+    if __salt__['reg.key_exists'](_HKEY, _COMMUNITIES_GPO_KEY):
+        _LOG.debug('Communities on this system are managed by Group Policy')
+        raise CommandExecutionError(
+            'Communities on this system are managed by Group Policy')
+
    current_communities = get_community_names()

    if communities == current_communities: