...
 
Commits (3)
......@@ -20,3 +20,4 @@ let enableFDELog = OSLog(subsystem: "menu.nomad.login.ad", category: "EnableFDEL
let sierraFixesLog = OSLog(subsystem: "menu.nomad.login.ad", category: "SierraFixesLog")
let keychainAddLog = OSLog(subsystem: "menu.nomad.login.ad", category: "KeychainAdd")
let eulaLog = OSLog(subsystem: "menu.nomad.login.ad", category: "EULA")
let runScriptLog = OSLog(subsystem: "menu.nomad.login.ad", category: "RunScript")
......@@ -46,6 +46,7 @@ struct MechanismRecord {
Boolean fEnableFDE;
Boolean fSierraFixes;
Boolean fEULA;
Boolean fRunScript;
};
typedef struct MechanismRecord MechanismRecord;
......
......@@ -100,6 +100,7 @@ extern OSStatus AuthorizationPluginCreate(const AuthorizationCallbacks *callback
mechanism->fEnableFDE = (strcmp(mechanismId, "EnableFDE") == 0);
mechanism->fSierraFixes = (strcmp(mechanismId, "SierraFixes") == 0);
mechanism->fEULA = (strcmp(mechanismId, "EULA") == 0);
mechanism->fRunScript = (strcmp(mechanismId, "RunScript") == 0);
*outMechanism = mechanism;
os_log_debug(pluginLog, "NoLoPlugin:MechanismCreate: inPlugin=%p, inEngine=%p, mechanismId='%{public}s'", inPlugin, inEngine, mechanismId);
return errSecSuccess;
......@@ -152,6 +153,11 @@ extern OSStatus AuthorizationPluginCreate(const AuthorizationCallbacks *callback
EULA * eula = [[EULA alloc] initWithMechanism:mechanism];
[eula run];
NSLog(@"EULA done");
} else if (mechanism->fRunScript) {
NSLog(@"Calling RunScript");
RunScript * runScript = [[RunScript alloc] initWithMechanism:mechanism];
[runScript run];
NSLog(@"RunScript done");
}
return noErr;
}
......
......@@ -51,6 +51,10 @@ enum Preferences: String {
case LoginLogoData
/// Should NoLo display a macOS-style login screen instead of a window? Set as a `Bool`,
case LoginScreen
/// Arguments for the script that will run
case ScriptArgs
/// Path to the script
case ScriptPath
/// A string to show as the placeholder in the Username textfield
case UsernameFieldPlaceholder
/// A filesystem path to an image to set the user profile image to as a `String`
......
......@@ -55,7 +55,7 @@ class DeMobilize : NoLoMechanism {
}
os_log("DeMobilize mech starting", log: demobilizeLog, type: .debug)
guard let shortName = nomadUser else {
guard let shortName = usernameContext else {
os_log("Something went wrong, there is no user here at all", log: demobilizeLog, type: .error)
_ = allowLogin()
return
......@@ -63,7 +63,7 @@ class DeMobilize : NoLoMechanism {
// sanity check to ensure we have valid information and a local user
os_log("Checking for password", log: demobilizeLog, type: .debug)
if nomadPass == nil {
if passwordContext == nil {
os_log("Something went wrong, there is no password in user data", log: demobilizeLog, type: .error)
// nothing to see here, most likely auth failed earlier on
// we're just here for auditing purposes
......@@ -79,7 +79,7 @@ class DeMobilize : NoLoMechanism {
}
// Is the local account cached from AD?
if !isCachedAD(userRecord) {
if !isCachedUser(userRecord) {
os_log("Account wasn't a cached account, but just a local one. Allow login.", log: demobilizeLog, type: .debug)
_ = allowLogin()
return
......@@ -141,16 +141,16 @@ class DeMobilize : NoLoMechanism {
}
/// Search in a given ODRecord for an Active Directory cached Authentication Authority.
/// Search in a given ODRecord for an LocalCachedUser cached Authentication Authority.
///
/// - Parameter userRecord: `ODRecord` to search in
/// - Returns: `true` if the user is a mobile account cached from Active Directory. `false` if the user is not cached from Active Directory or an error occurs.
func isCachedAD(_ userRecord: ODRecord) -> Bool {
/// - Returns: `true` if the user is a mobile account. `false` if the user is not cached or an error occurs.
func isCachedUser(_ userRecord: ODRecord) -> Bool {
do {
let authAuthority = try userRecord.values(forAttribute: kAuthAuthority) as! [String]
os_log("Found user AuthAuthority: %{public}@", log: demobilizeLog, type: .debug, authAuthority.debugDescription)
os_log("Looking for an Active Directory attribute on the account", log: demobilizeLog, type: .debug)
return authAuthority.contains(where: {$0.contains(";LocalCachedUser;/Active Directory")})
os_log("Looking for an LocalCachedUser attribute on the account", log: demobilizeLog, type: .debug)
return authAuthority.contains(where: {$0.contains(";LocalCachedUser;")})
} catch {
// No Auth Authorities, strange place, but we'll let other mechs decide
os_log("No Auth Authorities, strange place, but we'll let other mechs decide. Allow login. Error: %{public}@", log: demobilizeLog, type: .error, error.localizedDescription)
......@@ -186,8 +186,8 @@ class DeMobilize : NoLoMechanism {
var authAuthority = try userRecord.values(forAttribute: kAuthAuthority) as! [String]
os_log("Found user AuthAuthority: %{public}@", log: demobilizeLog, type: .debug, authAuthority.debugDescription)
os_log("Looking for an Active Directory attribute on the account", log: demobilizeLog, type: .debug)
if let adAuthority = authAuthority.index(where: {$0.contains(";LocalCachedUser;/Active Directory")}) {
authAuthority.remove(at: adAuthority)
if let cacheAuthority = authAuthority.index(where: {$0.contains(";LocalCachedUser;")}) {
authAuthority.remove(at: cacheAuthority)
} else {
os_log("Could not remove AD from the AuthAuthority. Bail out and allow login.", log: demobilizeLog, type: .error)
return false
......
//
// RunScript.swift
// NoMADLoginAD
//
// Created by Joel Rennich on 3/30/18.
// Copyright © 2018 Orchard & Grove. All rights reserved.
//
import Foundation
class RunScript : NoLoMechanism {
let kArgError = "ERROR"
@objc func run() {
os_log("RunScript mech starting", log: runScriptLog, type: .default)
if let scriptPath = getManagedPreference(key: .ScriptPath) as? String {
let task = Process.init()
// check to make sure the path is there
let fm = FileManager.default
if fm.isExecutableFile(atPath: scriptPath) {
task.launchPath = scriptPath
if let args = getManagedPreference(key: .ScriptArgs) as? [String] {
var cleanArgs = [String]()
for arg in args {
if arg == "<<username>>" {
cleanArgs.append(usernameContext ?? "")
} else {
cleanArgs.append(arg)
}
}
task.arguments = cleanArgs
}
do {
if #available(OSX 10.13, *) {
try task.run()
} else {
task.launch()
}
// snooze for a second before we hit the next mechanism to let things start
sleep(1)
} catch {
os_log("Unable to run script.", log: runScriptLog, type: .default)
}
} else {
// ScriptPath isn't executable
os_log("Script path is not executable.", log: runScriptLog, type: .default)
}
} else {
os_log("Unable to get path to script, allowing login.", log: runScriptLog, type: .default)
}
// always let login proceed
_ = allowLogin()
}
}
......@@ -7,13 +7,12 @@
objects = {
/* Begin PBXBuildFile section */
1AB14F7E217656A000199C1F /* NoMAD_ADAuth.framework in CopyFiles */ = {isa = PBXBuildFile; fileRef = 1AB14F7D217656A000199C1F /* NoMAD_ADAuth.framework */; settings = {ATTRIBUTES = (CodeSignOnCopy, RemoveHeadersOnCopy, ); }; };
9C0A3EA41FF2CCD70030A04F /* LoggingDefinitions.swift in Sources */ = {isa = PBXBuildFile; fileRef = 9C0A3EA31FF2CCD70030A04F /* LoggingDefinitions.swift */; };
9C468F812006A95400A475FC /* Preferences.swift in Sources */ = {isa = PBXBuildFile; fileRef = 9C468F802006A95400A475FC /* Preferences.swift */; };
9C573A8920FE6EA20013E141 /* NoMAD_ADAuth.framework.dSYM in CopyFiles */ = {isa = PBXBuildFile; fileRef = 9C7FA0BA20336A1500E7D67B /* NoMAD_ADAuth.framework.dSYM */; };
9C6027461FE8224000B99B51 /* ContextAndHintHandling.swift in Sources */ = {isa = PBXBuildFile; fileRef = 9C6027451FE8224000B99B51 /* ContextAndHintHandling.swift */; };
9C63B74B203DE22300516AF7 /* SierraFixes.swift in Sources */ = {isa = PBXBuildFile; fileRef = 9C63B74A203DE22300516AF7 /* SierraFixes.swift */; };
9C7FA0B7203369DA00E7D67B /* NoMAD_ADAuth.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 9C7FA0B6203369DA00E7D67B /* NoMAD_ADAuth.framework */; };
9C7FA0B8203369EB00E7D67B /* NoMAD_ADAuth.framework in CopyFiles */ = {isa = PBXBuildFile; fileRef = 9C7FA0B6203369DA00E7D67B /* NoMAD_ADAuth.framework */; settings = {ATTRIBUTES = (CodeSignOnCopy, RemoveHeadersOnCopy, ); }; };
9C8A2609207D917900204336 /* DataExtension.swift in Sources */ = {isa = PBXBuildFile; fileRef = 9C8A2608207D917900204336 /* DataExtension.swift */; };
9C9740191FC5DD6A00D9EAE6 /* Media.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 9C9740181FC5DD6A00D9EAE6 /* Media.xcassets */; };
9C9E3F5B207D8BDD001C7BB8 /* KeychainAdd.swift in Sources */ = {isa = PBXBuildFile; fileRef = 9C9E3F5A207D8BDC001C7BB8 /* KeychainAdd.swift */; };
......@@ -39,7 +38,6 @@
dstPath = "";
dstSubfolderSpec = 16;
files = (
9C573A8920FE6EA20013E141 /* NoMAD_ADAuth.framework.dSYM in CopyFiles */,
);
runOnlyForDeploymentPostprocessing = 0;
};
......@@ -49,13 +47,15 @@
dstPath = "";
dstSubfolderSpec = 10;
files = (
9C7FA0B8203369EB00E7D67B /* NoMAD_ADAuth.framework in CopyFiles */,
1AB14F7E217656A000199C1F /* NoMAD_ADAuth.framework in CopyFiles */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXCopyFilesBuildPhase section */
/* Begin PBXFileReference section */
1AB14F7B2176569B00199C1F /* libcommonCrypto.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libcommonCrypto.tbd; path = usr/lib/system/libcommonCrypto.tbd; sourceTree = SDKROOT; };
1AB14F7D217656A000199C1F /* NoMAD_ADAuth.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = NoMAD_ADAuth.framework; path = "../../../../Library/Developer/Xcode/DerivedData/NoMAD_Login_AD-affjjsmcgjrmovcvmlyszkzwkxge/Build/Products/Debug/NoMAD_ADAuth.framework"; sourceTree = "<group>"; };
9C0A3EA31FF2CCD70030A04F /* LoggingDefinitions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LoggingDefinitions.swift; sourceTree = "<group>"; };
9C2F03601FEB0B9A0036C08C /* README.md */ = {isa = PBXFileReference; lastKnownFileType = net.daringfireball.markdown; path = README.md; sourceTree = "<group>"; };
9C468F802006A95400A475FC /* Preferences.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Preferences.swift; sourceTree = "<group>"; };
......@@ -64,7 +64,6 @@
9C709EED1FE07D91006C74D1 /* loadAD.bash */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = loadAD.bash; sourceTree = "<group>"; };
9C709EEE1FE07D91006C74D1 /* resetDB.bash */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = resetDB.bash; sourceTree = "<group>"; };
9C7FA0B6203369DA00E7D67B /* NoMAD_ADAuth.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = NoMAD_ADAuth.framework; path = Carthage/Build/Mac/NoMAD_ADAuth.framework; sourceTree = "<group>"; };
9C7FA0BA20336A1500E7D67B /* NoMAD_ADAuth.framework.dSYM */ = {isa = PBXFileReference; lastKnownFileType = wrapper.dsym; name = NoMAD_ADAuth.framework.dSYM; path = Carthage/Build/Mac/NoMAD_ADAuth.framework.dSYM; sourceTree = "<group>"; };
9C8A2608207D917900204336 /* DataExtension.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = DataExtension.swift; sourceTree = "<group>"; };
9C9740181FC5DD6A00D9EAE6 /* Media.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Media.xcassets; sourceTree = "<group>"; };
9C97401F1FC5DE4500D9EAE6 /* console-ad */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; path = "console-ad"; sourceTree = "<group>"; };
......@@ -115,7 +114,8 @@
9CBDCF921FC4CEE300CF73F4 = {
isa = PBXGroup;
children = (
9C7FA0BA20336A1500E7D67B /* NoMAD_ADAuth.framework.dSYM */,
1AB14F7D217656A000199C1F /* NoMAD_ADAuth.framework */,
1AB14F7B2176569B00199C1F /* libcommonCrypto.tbd */,
9C2F03601FEB0B9A0036C08C /* README.md */,
9CBDCFB61FC5CE2900CF73F4 /* Base */,
9CBDCFB21FC5CE0000CF73F4 /* Mechs */,
......
......@@ -15,9 +15,9 @@
<key>CFBundlePackageType</key>
<string>BNDL</string>
<key>CFBundleShortVersionString</key>
<string>1.2.0-Beta</string>
<string>1.2.2-demobilze</string>
<key>CFBundleVersion</key>
<string>300</string>
<string>307</string>
<key>NSHumanReadableCopyright</key>
<string>Copyright © 2018 Orchard &amp; Grove. All rights reserved.</string>
<key>NSPrincipalClass</key>
......