Commit d6f958a6 authored by Joel Rennich's avatar Joel Rennich

JC-79, JC-80

parent 77c19baa
Pipeline #44562593 failed with stage
in 28 seconds
......@@ -37,6 +37,8 @@ enum Preferences: String {
case EnableFDERecoveryKey
// Specify a custom path for the recovery key
case EnableFDERecoveryKeyPath
// Should we rotate the PRK
case EnableFDERekey
/// Path for where the EULA acceptance info goes
case EULAPath
/// Text for EULA as a `String`.
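Review bot: The new `EnableFDERekey` case is described with a plain `//` comment while the surrounding cases (`EULAPath`, the EULA text) carry `///` doc comments, so it will not appear in Quick Help or generated docs. `/// Should the PRK be rotated when FileVault is already enabled.` keeps the enum's doc style consistent and says when the rotation happens rather than only what the flag is. The `//` on `EnableFDERecoveryKeyPath` just above reads as pre-existing context and is not part of this change.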
......
<?xml version="1.0" encoding="UTF-8"?>
<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="14313.18" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES" customObjectInstantitationMethod="direct">
<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="14460.31" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES" customObjectInstantitationMethod="direct">
<dependencies>
<deployment identifier="macosx"/>
<plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="14313.18"/>
<plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="14460.31"/>
<capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
</dependencies>
<objects>
......
......@@ -24,7 +24,15 @@ class EnableFDE : NoLoMechanism {
// check to see if we're already FileVaulted
if isFdeEnabled() {
os_log("Checking to see if we should rekey", log: enableFDELog, type: .default)
if getManagedPreference(key: .EnableFDERekey) as? Bool ?? false {
}
os_log("FileVault is already enabled, skipping mechanism.", log: enableFDELog, type: .debug)
} else {
enableFDE()
}
......@@ -35,6 +43,89 @@ class EnableFDE : NoLoMechanism {
let _ = allowLogin()
}
fileprivate func rekey() {
os_log("Rekeying FileVault", log: enableFDELog, type: .default)
let userArgs = [
"Username" : nomadUser ?? "",
"Password" : nomadPass ?? "",
]
var userInfo : Data
do {
userInfo = try PropertyListSerialization.data(fromPropertyList: userArgs,
format: PropertyListSerialization.PropertyListFormat.xml,
options: 0)
} catch {
os_log("Unable to create fdesetup arguments.", log: enableFDELog, type: .error)
return
}
let inPipe = Pipe.init()
let outPipe = Pipe.init()
let errorPipe = Pipe.init()
let task = Process.init()
task.launchPath = "/usr/bin/fdesetup"
task.arguments = ["changerecovery", "-outputplist", "-inputplist"]
task.standardInput = inPipe
task.standardOutput = outPipe
task.standardError = errorPipe
task.launch()
inPipe.fileHandleForWriting.write(userInfo)
inPipe.fileHandleForWriting.closeFile()
task.waitUntilExit()
let outputData = outPipe.fileHandleForReading.readDataToEndOfFile()
outPipe.fileHandleForReading.closeFile()
let errorData = errorPipe.fileHandleForReading.readDataToEndOfFile()
let errorMessage = String(data: errorData, encoding: .utf8)
errorPipe.fileHandleForReading.closeFile()
let output = NSString(data: outputData, encoding: String.Encoding.utf8.rawValue)! as String
// write out the PRK if asked to
if getManagedPreference(key: .EnableFDERecoveryKey) as? Bool == true {
var recoveryPath = "/var/db/NoMADFDE"
if let newPath = getManagedPreference(key: .EnableFDERecoveryKeyPath) as? String {
recoveryPath = newPath
}
let fm = FileManager.default
if !fm.fileExists(atPath: recoveryPath, isDirectory: nil) {
do {
os_log("Creating folder for recovery key storage.", log: enableFDELog)
try fm.createDirectory(atPath: recoveryPath, withIntermediateDirectories: true, attributes: [FileAttributeKey.posixPermissions : 0o750])
} catch {
os_log("Unable to create file path for PRK, defaulting to /var/db/", log: enableFDELog)
// reset recovery path to something we know will exist
recoveryPath = "/var/db/"
}
}
recoveryPath += "/NoMADFDESetup.plist"
do {
os_log("Attempting to write key to: %{public}@", log: enableFDELog, type: .default, recoveryPath)
try output.write(toFile: recoveryPath, atomically: true, encoding: String.Encoding.ascii)
} catch {
os_log("Unable to finish fdesetup: %{public}@", log: enableFDELog, type: .error, errorMessage ?? "Unkown error")
}
}
}
fileprivate func enableFDE() {
// check to see if boot volume is AFPS, otherwise do nothing
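Review bot: `rekey()` never checks `task.terminationStatus` after `waitUntilExit()`, so when `fdesetup changerecovery` fails (bad credentials, non-admin user) whatever landed on stdout is still written to `NoMADFDESetup.plist` as if it were the new recovery key, and the stderr text is only logged if the file write itself throws. The force unwrap of `NSString(data:encoding:)` on the output line will also crash the mechanism on non-UTF-8 output, and `write(toFile:atomically:encoding:)` creates the PRK file with umask-default permissions, which on the `/var/db/` fallback path leaves a plaintext recovery key potentially readable by other local users. I would guard on exit status and a successful `String(data:encoding:)` before touching the file, and create the plist with `posixPermissions: 0o600` explicitly; the `.ascii` write encoding can go at the same time. The `EnableFDERekey` branch in the first hunk (`if getManagedPreference(key: .EnableFDERekey) as? Bool ?? false {`) appears empty as rendered, so it is unclear whether `rekey()` is actually called from `run()` — worth confirming that line survived.
```swift
    task.waitUntilExit()
    let outputData = outPipe.fileHandleForReading.readDataToEndOfFile()
    outPipe.fileHandleForReading.closeFile()
    let errorData = errorPipe.fileHandleForReading.readDataToEndOfFile()
    let errorMessage = String(data: errorData, encoding: .utf8)
    errorPipe.fileHandleForReading.closeFile()
    // Bail before touching the recovery-key file if fdesetup did not succeed;
    // stdout is not a PRK plist in that case.
    guard task.terminationStatus == 0, let output = String(data: outputData, encoding: .utf8) else {
        os_log("fdesetup changerecovery failed: %{public}@", log: enableFDELog, type: .error, errorMessage ?? "Unknown error")
        return
    }
    // … unchanged: EnableFDERecoveryKey check, recovery path resolution and directory creation …
    recoveryPath += "/NoMADFDESetup.plist"
    os_log("Attempting to write key to: %{public}@", log: enableFDELog, type: .default, recoveryPath)
    // The plist holds the new PRK; create it owner-read/write only rather than
    // relying on the process umask.
    guard let plistData = output.data(using: .utf8),
          fm.createFile(atPath: recoveryPath, contents: plistData, attributes: [.posixPermissions: 0o600]) else {
        os_log("Unable to write recovery key to %{public}@", log: enableFDELog, type: .error, recoveryPath)
        return
    }
```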
......
......@@ -17,7 +17,7 @@
<key>CFBundleShortVersionString</key>
<string>1.2.2b1</string>
<key>CFBundleVersion</key>
<string>313</string>
<string>314</string>
<key>NSHumanReadableCopyright</key>
<string>Copyright © 2018 Orchard &amp; Grove. All rights reserved.</string>
<key>NSPrincipalClass</key>
......
<?xml version="1.0" encoding="UTF-8"?>
<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="14313.18" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES" customObjectInstantitationMethod="direct">
<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="14460.31" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES" customObjectInstantitationMethod="direct">
<dependencies>
<deployment identifier="macosx"/>
<plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="14313.18"/>
<plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="14460.31"/>
<capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
</dependencies>
<objects>
<customObject id="-2" userLabel="File's Owner" customClass="UserInputUI" customModule="NoMADLoginOkta" customModuleProvider="target">
<customObject id="-2" userLabel="File's Owner" customClass="UserInputUI" customModule="NoMADLoginAD" customModuleProvider="target">
<connections>
<outlet property="button" destination="rsi-bE-pic" id="mdC-FL-1Ez"/>
<outlet property="itemFour" destination="dTe-Me-dbn" id="GRa-ok-JNM"/>
......