Commit e37e1c6d authored by Manfred Kutas's avatar Manfred Kutas

ZP-77 Move default policies to utils. Join the default policies with the

loaded policies and build the hash on the joined policies. Comment the
policies.

Released under the Affero GNU General Public License (AGPL) version 3.
parent 01649ac6
......@@ -49,6 +49,7 @@ class ASDevice extends StateObject {
const FOLDERTYPE = 2;
const FOLDERSUPPORTEDFIELDS = 3;
const FOLDERSYNCSTATUS = 4;
const DEFAULTPOLICYNAME = 'default';
// expected values for not set member variables
protected $unsetdata = array(
......@@ -61,7 +62,8 @@ class ASDevice extends StateObject {
'wipeactionon' => false,
'lastupdatetime' => 0,
'conversationmode' => false,
'policies' => false,
'policyhash' => false,
'policyname' > self::DEFAULTPOLICYNAME,
'policykey' => self::UNDEFINED,
'forcesave' => false,
'asversion' => false,
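Review bot: The new `$unsetdata` entry for the policy name is written as `'policyname' > self::DEFAULTPOLICYNAME,` — a comparison, not a key/value pair — so as rendered it stores a boolean under an integer key and `policyname` never receives its `'default'` fallback, which `DeviceManager::getPolicyName()` presumably relies on through `HasPolicyname()`. It should read `'policyname' => self::DEFAULTPOLICYNAME,`. The `$unsetdata` array continues past the hunk, so the remaining entries are worth a look for the same slip.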
......@@ -229,9 +229,17 @@ class DeviceManager {
return true;
}
$policyHash = SyncProvisioning::GetInstance()->GetPolicyHash();
if (empty($policyHash)) {
$policies = $this->getProvisioningPolicies();
SyncProvisioning::GetInstance()->Load($policies);
$policyHash = SyncProvisioning::GetInstance()->GetPolicyHash();
}
$p = ( ($this->device->GetWipeStatus() != SYNC_PROVISION_RWSTATUS_NA && $policykey != $this->device->GetPolicyKey()) ||
(Request::WasPolicyKeySent() && $this->device->GetPolicyKey() == ASDevice::UNDEFINED) ||
$this->device->getPolicies() != md5(serialize($this->getProvisioningPolicies())));
$this->device->getPolicyhash() != $policyHash);
if (!$noDebug || $p)
ZLog::Write(LOGLEVEL_DEBUG, sprintf("DeviceManager->ProvisioningRequired('%s') saved device key '%s': %s", $policykey, $this->device->GetPolicyKey(), Utils::PrintAsString($p)));
......@@ -268,13 +276,16 @@ class DeviceManager {
* @return SyncProvisioning
*/
public function GetProvisioningObject() {
$p = new SyncProvisioning();
$p = SyncProvisioning::GetInstance();
$policies = $this->getProvisioningPolicies();
$p->Load($policies);
// save policies' hash
$this->device->SetPolicies(md5(serialize($policies)));
unset($policies);
// save policies' hash and name
$this->device->SetPolicyname($this->getPolicyName());
$this->device->SetPolicyhash($p->GetPolicyHash());
ZLog::Write(LOGLEVEL_DEBUG, sprintf("Set policy: %s with hash: %s", $this->device->GetPolicyname(), $this->device->GetPolicyhash()));
return $p;
}
......@@ -939,21 +950,38 @@ class DeviceManager {
* @return array
*/
private function getProvisioningPolicies() {
$policyName = ZPush::GetBackend()->GetUserPolicyName();
if ($policyName === false) {
// get the policy name from device data
$policyName = $this->device->GetPolicies();
}
// TODO load systemwide Policies
$policyName = $this->getPolicyName();
$policies = parse_ini_file(PROVISIONING_POLICYFILE, true);
if ($policyName !== false && isset($policies[$policyName])) {
$policies = $policies[$policyName];
ZLog::Write(LOGLEVEL_DEBUG, sprintf("DeviceManager->GetProvisioningObject(): load %s policy.", $policyName));
if ($policyName !== false) {
if (isset($policies[$policyName])) {
ZLog::Write(LOGLEVEL_DEBUG, sprintf("DeviceManager->GetProvisioningObject(): load %s policy.", $policyName));
return $policies[$policyName];
}
else {
ZLog::Write(LOGLEVEL_WARN, sprintf("The '%s' policy is configured, but it is not available in the policies' file. Please check %s file. Loading default policy.", $policyName, PROVISIONING_POLICYFILE));
return $policies[ASDevice::DEFAULTPOLICYNAME];
}
}
else {
$policies = $policies['default'];
ZLog::Write(LOGLEVEL_DEBUG, "DeviceManager->GetProvisioningObject(): load default policy.");
ZLog::Write(LOGLEVEL_DEBUG, "DeviceManager->GetProvisioningObject(): load default policy.");
return $policies[ASDevice::DEFAULTPOLICYNAME];
}
/**
* Gets the policy name set in the backend or in device data.
*
* @access private
* @return string|boolean
*/
private function getPolicyName() {
$policyName = ZPush::GetBackend()->GetUserPolicyName();
ZLog::Write(LOGLEVEL_DEBUG, sprintf("The backend returned '%s' policy.", Utils::PrintAsString($policyName)));
if ($policyName === false && $this->device->HasPolicyname()) {
// get the policy name from device data
$policyName = $this->device->GetPolicyname();
ZLog::Write(LOGLEVEL_DEBUG, sprintf("The device data returned '%s' policy %s.", Utils::PrintAsString($policyName), gettype($policyName)));
}
return $policies;
return (!empty($policyName) ? $policyName : ASDevice::DEFAULTPOLICYNAME);
}
}
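Review bot: `getProvisioningPolicies()` still uses the result of `parse_ini_file(PROVISIONING_POLICYFILE, true)` without checking for `false`, and the new fallback `return $policies[ASDevice::DEFAULTPOLICYNAME];` assumes a `[default]` section exists; a missing or unreadable policies file therefore hands `null` to `SyncProvisioning::Load()`, where `$policies + $defaultPolicies` is a fatal error. Because `getPolicyName()` returns `ASDevice::DEFAULTPOLICYNAME` whenever the backend and the device data give nothing, the `$policyName !== false` test is always true and the trailing `else` branch is unreachable, and the `@return string|boolean` on `getPolicyName()` should likewise become `@return string`. The version below checks the parse result and the default section and returns an empty array in both failure cases, which makes `Load()` fall back to the built-in defaults; it also corrects the log prefix, which still names `GetProvisioningObject()` although the messages are emitted from `getProvisioningPolicies()`. Separately, the hash test in `ProvisioningRequired()` should be strict — `$this->device->getPolicyhash() !== $policyHash` — since loose `!=` compares numeric-looking hex strings as numbers.
```php
private function getProvisioningPolicies() {
    $policyName = $this->getPolicyName();
    $policies = parse_ini_file(PROVISIONING_POLICYFILE, true);
    if ($policies === false) {
        ZLog::Write(LOGLEVEL_WARN, sprintf("DeviceManager->getProvisioningPolicies(): unable to parse %s. Loading built-in default policies.", PROVISIONING_POLICYFILE));
        return array();
    }
    if (isset($policies[$policyName])) {
        ZLog::Write(LOGLEVEL_DEBUG, sprintf("DeviceManager->getProvisioningPolicies(): load %s policy.", $policyName));
        return $policies[$policyName];
    }
    if ($policyName !== ASDevice::DEFAULTPOLICYNAME) {
        ZLog::Write(LOGLEVEL_WARN, sprintf("The '%s' policy is configured, but it is not available in the policies' file. Please check %s file. Loading default policy.", $policyName, PROVISIONING_POLICYFILE));
    }
    if (!isset($policies[ASDevice::DEFAULTPOLICYNAME])) {
        ZLog::Write(LOGLEVEL_WARN, sprintf("DeviceManager->getProvisioningPolicies(): no '%s' section in %s. Loading built-in default policies.", ASDevice::DEFAULTPOLICYNAME, PROVISIONING_POLICYFILE));
        return array();
    }
    ZLog::Write(LOGLEVEL_DEBUG, "DeviceManager->getProvisioningPolicies(): load default policy.");
    return $policies[ASDevice::DEFAULTPOLICYNAME];
}
```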
......@@ -94,6 +94,9 @@ class SyncProvisioning extends SyncObject {
public $unapprovedinromapplist;
public $approvedapplist;
private static $instace;
private $policyHash;
function SyncProvisioning() {
$mapping = array (
SYNC_PROVISION_DEVPWENABLED => array ( self::STREAMER_VAR => "devpwenabled",
......@@ -237,18 +240,22 @@ class SyncProvisioning extends SyncObject {
public function Load($policies = array()) {
// always load default policies because there might be some policy missing in the policies.ini
$this->LoadDefaultPolicies();
if (!empty($policies)) {
$objectsVars = get_object_vars($this);
foreach ($policies as $p=>$v) {
if (!in_array($p, $objectsVars)) {
ZLog::Write(LOGLEVEL_INFO, sprintf("Policy '%s' not supported by the device, ignoring", $p));
continue;
}
ZLog::Write(LOGLEVEL_DEBUG, sprintf("Policy '%s' enforced with: %s (%s)", $p, (is_array($v)) ? Utils::PrintAsString(implode(',', $v)) : Utils::PrintAsString($v), gettype($v)));
$this->$p = (is_array($v) && empty($v)) ? array() : $v;
$defaultPolicies = Utils::GetDefaultPolices();
// Join the policies. Loaded policies have precedence over default policies.
$finalPolicies = $policies + $defaultPolicies;
$objectsVars = get_object_vars($this);
foreach ($finalPolicies as $p=>$v) {
if (!array_key_exists($p, $objectsVars)) {
ZLog::Write(LOGLEVEL_INFO, sprintf("Policy '%s' not supported by the device, ignoring", $p));
unset($finalPolicies[$p]);
continue;
}
ZLog::Write(LOGLEVEL_DEBUG, sprintf("Policy '%s' enforced with: %s (%s)", $p, (is_array($v)) ? Utils::PrintAsString(implode(',', $v)) : Utils::PrintAsString($v), gettype($v)));
$this->$p = (is_array($v) && empty($v)) ? array() : $v;
}
self::GetInstance()->SetPolicyHash(md5(serialize($finalPolicies)));
}
public function LoadDefaultPolicies() {
......@@ -299,4 +306,40 @@ class SyncProvisioning extends SyncObject {
$this->unapprovedinromapplist = array();
$this->approvedapplist = array();
}
/**
* Sets the policy hash.
*
* @param string $hash
*
* @access public
* @return void
*/
public function SetPolicyHash($hash) {
$this->policyHash = $hash;
}
/**
* Returns the policy hash.
*
* @access public
* @return string
*/
public function GetPolicyHash() {
return $this->policyHash;
}
/**
* Returns the SyncProvisioning instance.
*
* @access public
* @return SyncProvisioning
*/
public static function GetInstance() {
if (!self::$instace)
{
self::$instace = new SyncProvisioning();
}
return self::$instace;
}
}
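Review bot: `Load()` records the hash on the singleton, `self::GetInstance()->SetPolicyHash(md5(serialize($finalPolicies)));`, rather than on the object it has just populated; the constructor is public, so an instance created with `new SyncProvisioning()` would be loaded while its own `GetPolicyHash()` stays null and the singleton carries a hash for policies it never received. `$this->SetPolicyHash(md5(serialize($finalPolicies)));` ties the hash to the loaded instance. The join `$finalPolicies = $policies + $defaultPolicies;` also assumes `$policies` is an array; `null` or `false` from a caller turns `+` into a fatal "Unsupported operand types" error, so `(array) $policies + $defaultPolicies` (or a guard before the join) keeps the defaults-only path working. With the defaults now merged here, the `LoadDefaultPolicies()` call at the top of `Load()` looks redundant, assuming the `Utils` default list covers the same properties; either drop it or add a comment explaining why both are kept.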
......@@ -971,6 +971,63 @@ class Utils {
$pow = pow(1024, $base - $fBase);
return sprintf ("%.{$precision}f %s", $pow, $units[$fBase]);
}
/**
* Returns the default policies.
*
* @access public
* @return array
*/
public static function GetDefaultPolices() {
return array(
//AS 12.0 and above properties
'devpwenabled' => 0,
'alphanumpwreq' => 0,
'devencenabled' => 0,
'pwrecoveryenabled' => 0,
'docbrowseenabled' => null,
'attenabled' => 1,
'mindevpwlenngth' => 4,
'maxinacttimedevlock' => 900,
'maxdevpwfailedattempts' => 8,
'maxattsize' => '',
'allowsimpledevpw' => 1,
'devpwexpiration' => 0,
'devpwhistory' => 0,
//AS 12.1 and above properties
'allostoragecard' => 1,
'allowcam' => 1,
'reqdevenc' => 0,
'allowunsignedapps' => 1,
'allowunsigninstallpacks' => 1,
'mindevcomplexchars' => 3,
'allowwifi' => 1,
'allowtextmessaging' => 1,
'allowpopimapemail' => 1,
'allowbluetooth' => 2,
'allowirda' => 1,
'reqmansyncroam' => 0,
'allowdesktopsync' => 1,
'maxcalagefilter' => 0,
'allowhtmlemail' => 1,
'maxemailagefilter' => 0,
'maxemailbodytruncsize' => -1,
'maxemailhtmlbodytruncsize' => -1,
'reqsignedsmimemessages' => 0,
'reqencsmimemessages' => 0,
'reqsignedsmimealgorithm' => 0,
'reqencsmimealgorithm' => 0,
'allowsmimeencalgneg' => 2,
'allowsmimesoftcerts' => 1,
'allowbrowser' => 1,
'allowconsumeremail' => 1,
'allowremotedesk' => 1,
'allowinternetsharing' => 1,
'unapprovedinromapplist' => array(),
'approvedapplist' => array(),
);
}
}
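Review bot: `GetDefaultPolices()` is misspelled, as is its call site in `SyncProvisioning::Load()`; renaming both to `GetDefaultPolicies()` in this commit is cheap now and awkward later. The docblock should also state that these values feed the policy hash: `SyncProvisioning::Load()` hashes the joined array and `DeviceManager::ProvisioningRequired()` compares that with the hash stored on the device, so editing any entry here will, as far as I can tell, make every device report provisioning as required on its next request. Suggested docblock line: `Changing a value here changes the policy hash computed in SyncProvisioning::Load() and forces re-provisioning of all devices.`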
......@@ -4,63 +4,227 @@
; Z-Push policies' file holds the configuration to be applied
; during the provisioning of a mobile device.
; For more information see the ActiveSync documentation at:
; https://msdn.microsoft.com/en-us/library/dd299443.aspx
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; The default ActiveSync policy. Do not change its name.
[default]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; AS 12.0, 12.1 and 14.0 props
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Policies for ActiveSync version 12.0 and higher
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Specifies if a device requires a password to unlock it.
; 0 - Password not required.
; 1 - Password is required.
devpwenabled = 0
; Specifies if a device requires an alphanumeric password to unlock it.
; 0 - Alphanumeric password not required.
; 1 - Alphanumeric password required.
alphanumpwreq = 0
; Deprecated. Specifies if the device encrypts the content of the storage card.
; 0 - Storage card encryption not enabled.
; 1 - Storage card encryption enabled.
devencenabled = 0
; Specifies if the server supports storing a recovery password which could be
; sent by the client using the Settings command.
; 0 - Password recovery not enabled on the server.
; 1 - Password recovery enabled on the server.
pwrecoveryenabled = 0
; Deprecated.
docbrowseenabled =
; Specifies if email attachments are enabled for download.
; 0 - Attachments not allowed for download.
; 1 - Attachments allowed for download.
attenabled = 1
; Specifies the minimum client password length to unlock it.
; The mindevpwlenngth can be empty or have a value between 1 and 16.
; If the value is empty or 1, there is no minimum length for the device password.
mindevpwlenngth = 4
; The maximum number of seconds of inactivity before the device locks itself.
; If this value is greater than or equal to 9999, the client interprets it as unlimited.
maxinacttimedevlock = 900
; The maximum number of failed password attempts to unlock the device.
; The client SHOULD perform a local wipe or enter a timed lock out mode if the maximum
; number of failed password attempts is reached.
; The maxdevpwfailedattempts can be empty or have a value between 4 and 16.
; If the value is empty, the client interprets this as no maximum number of
; failed password attempts has been set by the security policy.
maxdevpwfailedattempts = 8
; The maximum attachment size in bytes as determined by security policy.
maxattsize = ''
; Specifies if the device allows simple passwords. A simple password contains
; repeated ("0000") or sequential ("xyz") characters only.
allowsimpledevpw = 1
; The maximum number of days until a password expires.
; Empty or 0 devpwexpiration value indicates that the password will not expire.
devpwexpiration = 0
; The minimum number of previously used passwords stored to prevent reuse by the device.
; 0 - Do not store previously used passwords.
; >0 - Store the minimum number of previously used passwords.
devpwhistory = 0
; AS 12.1 and 14.0 props
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Policies for ActiveSync version 12.1 and higher
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; The device allows to use a storage card.
; 0 - SD card not allowed.
; 1 - SD card allowed.
allostoragecard = 1
; The device allows to use the built-in camera.
; 0 - Usage of the built-in camera not allowed.
; 1 - Usage of built-in the camera allowed.
allowcam = 1
; Specifies if the client uses encryption.
; 0 - Encryption not required.
; 1 - Encryption required.
reqdevenc = 0
; Specifies if the device allows unsigned applications to execute.
; 0 - Unsigned applications not allowed to execute.
; 1 - Unsigned applications allowed to execute.
allowunsignedapps = 1
allowunsigninstallpacks = 1
; The required complexity level of the device password.
; Valid values for mindevcomplexchars are between 1 and 4. The value specifies
; the number of character groups to be contained in the password.
; The character groups are:
; - Lower case alphabetical characters
; - Upper case alphabetical characters
; - Numbers
; - Non-alphanumeric characters
; For example, if the value of mindevcomplexchars is 2, a password may contain
; lower case and upper case characters. A password with numbers and non-alphanumeric
; characters would be also valid.
mindevcomplexchars = 3
; The device allows the use of Wi-Fi connections.
; 0 - The use of Wi-Fi connections not allowed.
; 1 - The use of Wi-Fi connections allowed.
allowwifi = 1
; The device allows the use of SMS or text messaging.
; 0 - SMS or text messaging not allowed.
; 1 - SMS or text messaging allowed.
allowtextmessaging = 1
; The device allows access to POP or IMAP email.
; 0 - POP or IMAP email access not allowed.
; 1 - POP or IMAP email access allowed.
allowpopimapemail = 1
; The use of Bluetooth on the device.
; 0 - Disable Bluetooth.
; 1 - Disable Bluetooth, but allow the configuration of hands-free profiles.
; 2 - Allow Bluetooth.
allowbluetooth = 2
; The device allows the use of IrDA (infrared) connections.
; 0 - Disable IrDA.
; 1 - Allow IrDA.
allowirda = 1
; The device requires manual synchronization when the device is roaming.
; 0 - Do not require manual sync; allow direct push when roaming.
; 1 - Require manual sync when roaming.
reqmansyncroam = 0
allowdesktopsync = 1
; The maximum number of calendar days that can be synchronized.
; 0 - All days
; 4 - 2 weeks
; 5 - 1 month
; 6 - 3 months
; 7 - 6 months
maxcalagefilter = 0
; Specifies if the client uses HTML-formatted email.
; 0 - HTML-formatted email not allowed.
; 1 - HTML-formatted email allowed.
allowhtmlemail = 1
; The email age limit for synchronization.
; 0 - Sync all
; 1 - 1 day
; 2 - 3 days
; 3 - 1 week
; 4 - 2 weeks
; 5 - 1 month
maxemailagefilter = 0
; The maximum truncation size for plain text–formatted email.
; -1 - No truncation.
; 0 - Truncate only the header.
; >0 - Truncate the email body to the specified size.
maxemailbodytruncsize = -1
; The maximum truncation size for HTML-formatted email.
; -1 - No truncation.
; 0 - Truncate only the header.
; >0 - Truncate the email body to the specified size.
maxemailhtmlbodytruncsize = -1
; Specifies if the client sends signed S/MIME messages.
; 0 - Signed S/MIME messages not required.
; 1 - Signed S/MIME messages required.
reqsignedsmimemessages = 0
; Specifies if the client sends encrypted email messages.
; 0 - Encrypted email messages not required.
; 1 - Email messages required to be encrypted.
reqencsmimemessages = 0
; The algorithm used to sign S/MIME messages.
; 0 - Use SHA1.
; 1 - Use MD5.
reqsignedsmimealgorithm = 0
; The algorithm used to encrypt S/MIME messages.
; 0 - TripleDES algorithm
; 1 - DES algorithm
; 2 - RC2128bit
; 3 - RC264bit
; 4 - RC240bit
reqencsmimealgorithm = 0
; Controls negotiation of the encryption algorithm.
; 0 - Do not negotiate.
; 1 - Negotiate a strong algorithm.
; 2 - Negotiate any algorithm.
allowsmimeencalgneg = 2
; Specifies if the client can use soft certificates to sign outgoing messages.
; 0 - Soft certificates are not allowed.
; 1 - Soft certificates are allowed.
allowsmimesoftcerts = 1
; Specifies if the device allows the use of a web browser.
; 0 - Do not allow the use of a web browser.
; 1 - Allow the use of a web browser.
allowbrowser = 1
; Specifies if the device allows the user to configure a personal email account.
; 0 - Do not allow the user to configure a personal email account.
; 1 - Allow the user to configure a personal email account.
allowconsumeremail = 1
allowremotedesk = 1
allowinternetsharing = 1
; in order to have a multivalue policies, add a line for
; every app you want to enable or disable, e.g.
; unapprovedinromapplist[] = app1
; unapprovedinromapplist[] = app2
; unapprovedinromapplist[] = app3
; in order to have a multivalue policies, add a line for
; every app you want to enable or disable, e.g.
; approvedapplist[] = hash1
; approvedapplist[] = hash2
; approvedapplist[] = hash3
; Specifies if the device allows the use of Internet Sharing.
; 0 - Do not allow the use of Internet Sharing.
; 1 - Allow the use of Internet Sharing.
allowinternetsharing = 1
\ No newline at end of file