public void Object_PolicyObjectListSigned_Test() { PolicyObjectListSigned pol = new PolicyObjectListSigned(); pol.Items = new List <PolicyObjectSigned>(); pol.Signature = new byte[] { 0, 1, 2, 3, 4 }; pol.TimeStampCheck = new DateTime(2016, 1, 1, 0, 0, 0, 0); string JSON = JsonConvert.SerializeObject(pol); Assert.AreEqual("{\"TimeStampCheck\":\"2016-01-01T00:00:00\",\"Signature\":\"AAECAwQ=\",\"Items\":[]}", JSON); }
public static bool DoSyncPolicy() { RequestCertPolicyID = 0; RequestCertPolicyMessageID = 0; RequestCertPolicyCERData = null; List <Int64> ProcessedPolicies = new List <long>(); Network net; net = Utilities.ConnectNetwork(9); if (net == null) { return(false); } Status.UpdateMessage(9, "Downloading client settings"); FoxEventLog.VerboseWriteEventLog("Downloading client settings", System.Diagnostics.EventLogEntryType.Information); ClientSettings settings = net.GetClientSettings(); if (settings != null) { RegistryData.AdministratorName = settings.AdministratorName; RegistryData.MessageDisclaimer = settings.MessageDisclaimer; } Status.UpdateMessage(9, "Downloading policies"); FoxEventLog.VerboseWriteEventLog("Downloading policies", System.Diagnostics.EventLogEntryType.Information); PolicyObjectListSigned policieslistsigned = net.GetPoliciesForComputer(); List <PolicyObjectSigned> policies = policieslistsigned == null ? null : policieslistsigned.Items; if (policies == null) { FoxEventLog.VerboseWriteEventLog("Downloading policies - nix", System.Diagnostics.EventLogEntryType.Information); Status.UpdateMessage(9); net.CloseConnection(); return(true); } if (FilesystemData.LoadedCertificates.Count > 0) { bool SignatureOK = false; foreach (FilesystemCertificateData cer in FilesystemData.LoadedCertificates) { if (Certificates.Verify(policieslistsigned, cer.Certificate) == true) { SignatureOK = true; break; } } if (SignatureOK == false) { FoxEventLog.WriteEventLog("Invalid signature for PolicyList - no policies will be processed.", System.Diagnostics.EventLogEntryType.Error); net.CloseConnection(); return(true); } } if (RegistryData.Verbose == 1) { string data = "Got policy:\r\n"; foreach (PolicyObjectSigned obj in policies) { data += obj.Policy.Name + " [ID: " + obj.Policy.ID + " VER: " + obj.Policy.Version + "]\r\n"; } FoxEventLog.VerboseWriteEventLog("Downloading policies " + data, System.Diagnostics.EventLogEntryType.Information); } if (FilesystemData.LoadedCertificates.Count > 0) { foreach (PolicyObjectSigned obj in policies) { if (ApplicationCertificate.Verify(obj) == false) { FoxEventLog.WriteEventLog("One or more policies were tampered - no policies will be processed.", System.Diagnostics.EventLogEntryType.Error); net.CloseConnection(); return(true); } } } #region Certificate Checks foreach (PolicyObjectSigned obj in policies) { if (obj.Policy.Type == PolicyIDs.SignCertificate) { if (FilesystemData.ContainsPolicy(obj.Policy, false, false) == true) { continue; } PolicyObjectSigned objj = net.GetPolicyObjectSigned(obj.Policy.ID); //do not verify signing here - that won't work! - Fox PolicySigningCertificates Cert = JsonConvert.DeserializeObject <PolicySigningCertificates>(objj.Policy.Data); if (FilesystemData.ContainsLoadedCert(Convert.FromBase64String(Cert.UUCerFile)) == true) { continue; } bool sig = Certificates.Verify(Convert.FromBase64String(Cert.UUCerFile), Convert.FromBase64String(Cert.UUSignFile), InternalCertificate.Main); if (sig == false) { RequestCertPolicyID = objj.Policy.ID; RequestCertPolicyCERData = Convert.FromBase64String(Cert.UUCerFile); string CN = Certificates.GetCN(Convert.FromBase64String(Cert.UUCerFile)); if (CN == null) { FoxEventLog.WriteEventLog("Invalid certificate from server (Policy ID=" + objj.Policy.ID.ToString() + " Name=" + objj.Policy.Name + ")", System.Diagnostics.EventLogEntryType.Error); continue; } Status.RequestCertificateConfirm("The certificate with " + CN + " is not signed by Vulpes. This may that someone tampered the connection, or a false certificate is installed on the server.\nDo you want to continue, and trust this certificate?", RequestCertPolicyID); RequestCertPolicyMessageID = Status.MessageID; FoxEventLog.WriteEventLog("Got unsinged certificate (Policy ID=" + objj.Policy.ID.ToString() + " Name=" + objj.Policy.Name + " " + CN + ")", System.Diagnostics.EventLogEntryType.Warning); } else { string CN = Certificates.GetCN(Convert.FromBase64String(Cert.UUCerFile)); if (CN == null) { FoxEventLog.WriteEventLog("Invalid (Vulpes signed) certificate from server (Policy ID=" + objj.Policy.ID.ToString() + " Name=" + objj.Policy.Name + ")", System.Diagnostics.EventLogEntryType.Error); continue; } FilesystemData.InstallCertificate(Convert.FromBase64String(Cert.UUCerFile)); } } } #endregion if (FilesystemData.LoadedCertificates.Count > 0) { foreach (PolicyObjectSigned obj in policies) { if (FilesystemData.ContainsPolicy(obj.Policy, false, false) == true) { if (ProcessedPolicies.Contains(obj.Policy.ID) == false) { ProcessedPolicies.Add(obj.Policy.ID); } FilesystemData.UpdatePolicyOrder(obj.Policy, obj.Policy.Order); continue; } PolicyObjectSigned objj = net.GetPolicyObjectSigned(obj.Policy.ID); if (objj == null) { FoxEventLog.WriteEventLog("No data for policy - not applying (Policy ID=" + obj.Policy.ID.ToString() + " Name=" + obj.Policy.Name + ")", System.Diagnostics.EventLogEntryType.Error); continue; } if (ApplicationCertificate.Verify(objj) == false) { FoxEventLog.WriteEventLog("Policy was tampered - not applying (Policy ID=" + objj.Policy.ID.ToString() + " Name=" + objj.Policy.Name + ")", System.Diagnostics.EventLogEntryType.Error); continue; } if (FilesystemData.InstallPolicy(objj.Policy, obj.Policy.Order) == false) { continue; } if (ProcessedPolicies.Contains(obj.Policy.ID) == false) { ProcessedPolicies.Add(obj.Policy.ID); } } List <LoadedPolicyObject> RemovePol = new List <LoadedPolicyObject>(); foreach (LoadedPolicyObject lobj in FilesystemData.LoadedPolicyObjects) { if (ProcessedPolicies.Contains(lobj.PolicyObject.ID) == false) { RemovePol.Add(lobj); } } foreach (LoadedPolicyObject lobj in RemovePol) { FilesystemData.DeletePolicy(lobj); } } net.CloseConnection(); if (RequestCertPolicyID == 0) { Status.UpdateMessage(9); } FoxEventLog.VerboseWriteEventLog("Downloading policies - DONE", System.Diagnostics.EventLogEntryType.Information); return(true); }
public RESTStatus GetPolicyForComputer(SQLLib sql, object dummy, NetworkConnectionInfo ni) { if (ni.HasAcl(ACLFlags.ComputerLogin) == false) { ni.Error = "Access denied"; ni.ErrorID = ErrorFlags.AccessDenied; return(RESTStatus.Denied); } PolicyListSigned = new PolicyObjectListSigned(); PolicyListSigned.Items = new List <PolicyObjectSigned>(); string MachineID = ni.Username; lock (ni.sqllock) { SqlDataReader dr = sql.ExecSQLReader("SELECT * FROM Policies WHERE MachineID=@m AND Enabled=1 AND Type not in (" + PolicyIDs.HiddenPoliciesSQLINClause + ")", new SQLParam("@m", MachineID)); while (dr.Read()) { PolicyObject obj = LoadPolicyDB(dr, false, true); PolicyObjectSigned objs = new PolicyObjectSigned(); objs.Policy = obj; if (Certificates.Sign(objs, SettingsManager.Settings.UseCertificate) == false) { FoxEventLog.WriteEventLog("Cannot sign policy with Certificate " + SettingsManager.Settings.UseCertificate, System.Diagnostics.EventLogEntryType.Warning); ni.Error = "Cannot sign policy with Certificate " + SettingsManager.Settings.UseCertificate; ni.ErrorID = ErrorFlags.CannotSign; dr.Close(); return(RESTStatus.ServerError); } PolicyListSigned.Items.Add(objs); } dr.Close(); } Int64? GroupID = null; object sqlo = sql.ExecSQLScalar("select Grouping from ComputerAccounts where MachineID=@m", new SQLParam("@m", MachineID)); if (sqlo is DBNull || sqlo == null) { GroupID = null; } else { GroupID = Convert.ToInt64(sqlo); } do { lock (ni.sqllock) { SqlDataReader dr = sql.ExecSQLReader("SELECT * FROM Policies WHERE " + (GroupID == null ? "Grouping is NULL" : "Grouping=@g") + " AND Enabled=1 AND Type NOT IN (" + PolicyIDs.HiddenPoliciesSQLINClause + ") AND MachineID is NULL", new SQLParam("@g", GroupID)); while (dr.Read()) { PolicyObject obj = LoadPolicyDB(dr, false, true); PolicyObjectSigned objs = new PolicyObjectSigned(); objs.Policy = obj; PolicyListSigned.Items.Add(objs); } dr.Close(); } if (GroupID != null) { lock (ni.sqllock) { sqlo = sql.ExecSQLScalar("select ParentID FROM Grouping WHERE ID=@g", new SQLParam("@g", GroupID)); } if (sqlo is DBNull || sqlo == null) { GroupID = null; } else { GroupID = Convert.ToInt64(sqlo); } } else { break; } } while (true); PolicyListSigned.Items.Reverse(); Int64 Count = 1; foreach (PolicyObjectSigned p in PolicyListSigned.Items) { p.Policy.Order = Count; Count++; if (Certificates.Sign(p, SettingsManager.Settings.UseCertificate) == false) { FoxEventLog.WriteEventLog("Cannot sign policy with Certificate " + SettingsManager.Settings.UseCertificate, System.Diagnostics.EventLogEntryType.Warning); ni.Error = "Cannot sign policy with Certificate " + SettingsManager.Settings.UseCertificate; ni.ErrorID = ErrorFlags.CannotSign; return(RESTStatus.ServerError); } } List <PolicyObjectSigned> RemoveFromList = new List <PolicyObjectSigned>(); #region Resolve Linked Policies for client for (int i = 0; i < PolicyListSigned.Items.Count; i++) { PolicyObjectSigned pol = PolicyListSigned.Items[i]; if (pol.Policy.Type == PolicyIDs.LinkedPolicy) { List <Int64> RunningIDs = new List <Int64>(); PolicyObject po = pol.Policy; while (true) { if (RunningIDs.Contains(po.ID) == true) { FoxEventLog.WriteEventLog("Policy ID " + pol.Policy.ID.ToString() + " (" + pol.Policy.Name + ") creates a loop!", System.Diagnostics.EventLogEntryType.Warning); break; } RunningIDs.Add(po.ID); lock (ni.sqllock) { po.Data = Convert.ToString(sql.ExecSQLScalar("SELECT DataBlob FROM Policies WHERE ID=@id", new SQLParam("@id", po.ID))); } Int64 PolID; if (Int64.TryParse(po.Data, out PolID) == false) { FoxEventLog.WriteEventLog("Cannot read data of policy ID " + po.ID.ToString() + " (" + po.Name + ") for linking.", System.Diagnostics.EventLogEntryType.Warning); break; } lock (ni.sqllock) { if (Policies.PolicyExsits(sql, PolID) == false) { FoxEventLog.WriteEventLog("Policy ID " + PolID.ToString() + " referencing from " + po.ID.ToString() + " (" + po.Name + ") does not exist.", System.Diagnostics.EventLogEntryType.Warning); break; } } lock (ni.sqllock) { if (Convert.ToInt32(sql.ExecSQLScalar("SELECT Enabled FROM Policies WHERE ID=@id", new SQLParam("@id", PolID))) != 1) { break; } } lock (ni.sqllock) { SqlDataReader dr = sql.ExecSQLReader("SELECT * FROM Policies WHERE ID=@id", new SQLParam("@id", PolID)); dr.Read(); po = LoadPolicyDB(dr, false, true); dr.Close(); } if (po == null) { FoxEventLog.WriteEventLog("Cannot read policy ID for linking " + PolID.ToString(), System.Diagnostics.EventLogEntryType.Warning); break; } if (po.Type != PolicyIDs.LinkedPolicy) { if (PolicyIDs.HiddenPolicies.Contains(po.Type) == true) { pol.Policy = null; pol.Signature = null; break; } else { pol.Policy = po; pol.Signature = null; break; } } } if (pol.Policy != null) { if (Certificates.Sign(pol, SettingsManager.Settings.UseCertificate) == false) { FoxEventLog.WriteEventLog("Cannot sign policy with Certificate " + SettingsManager.Settings.UseCertificate, System.Diagnostics.EventLogEntryType.Warning); ni.Error = "Cannot sign policy with Certificate " + SettingsManager.Settings.UseCertificate; ni.ErrorID = ErrorFlags.CannotSign; return(RESTStatus.ServerError); } } else { RemoveFromList.Add(pol); } } } foreach (PolicyObjectSigned pos in RemoveFromList) { PolicyListSigned.Items.Remove(pos); } #endregion if (Certificates.Sign(PolicyListSigned, SettingsManager.Settings.UseCertificate) == false) { FoxEventLog.WriteEventLog("Cannot sign policy list with Certificate " + SettingsManager.Settings.UseCertificate, System.Diagnostics.EventLogEntryType.Warning); ni.Error = "Cannot sign policy list with Certificate " + SettingsManager.Settings.UseCertificate; ni.ErrorID = ErrorFlags.CannotSign; return(RESTStatus.ServerError); } return(RESTStatus.Success); }