added check for group membership in oidc claim

twocanoes · May 27, 2023 · 2c03586 · 2c03586
1 parent 91ee8dc
commit 2c03586
Show file tree

Hide file tree

Showing 8 changed files with 57 additions and 13 deletions.
diff --git a/NomadLogin/UI/SignInWindowController.swift b/NomadLogin/UI/SignInWindowController.swift
@@ -994,7 +994,7 @@ extension SignInWindowController: NoMADUserSessionDelegate {
         delegate?.setHint(type: .firstName, hint: user.firstName)
         delegate?.setHint(type: .lastName, hint: user.lastName)
         delegate?.setHint(type: .noMADDomain, hint: domainName)
-        delegate?.setHint(type: .noMADGroups, hint: user.groups)
+        delegate?.setHint(type: .adGroups, hint: user.groups)
         delegate?.setHint(type: .fullName, hint: user.cn)
         delegate?.setHint(type: .kerberos_principal, hint: user.userPrincipal)
         delegate?.setHint(type: .ntName, hint: user.ntName)

diff --git a/Profile Manifest/com.twocanoes.xcreds.plist b/Profile Manifest/com.twocanoes.xcreds.plist
@@ -177,6 +177,25 @@ A profile can consist of payloads with different version numbers. For example, c
 			<key>pfm_type</key>
 			<string>boolean</string>
 		</dict>
+		<dict>
+			<key>pfm_description</key>
+			<string>List of groups that should have its members created as local administrators. Set as an Array of Strings of the group name.</string>
+			<key>pfm_name</key>
+			<string>CreateAdminIfGroupMember</string>
+			<key>pfm_subkeys</key>
+			<array>
+				<dict>
+					<key>pfm_name</key>
+					<string>group</string>
+					<key>pfm_type</key>
+					<string>string</string>
+				</dict>
+			</array>
+			<key>pfm_title</key>
+			<string>Create Admin If Group Member</string>
+			<key>pfm_type</key>
+			<string>array</string>
+		</dict>
 		<dict>
 			<key>pfm_default</key>
 			<false/>

diff --git a/XCredsLoginPlugIn/ContextAndHintHandling.swift b/XCredsLoginPlugIn/ContextAndHintHandling.swift
@@ -30,7 +30,7 @@ enum HintType: String {
 //    case noMADFirst
 //    case noMADLast
 //    case noMADFull
-    case noMADGroups
+    case adGroups
 
 
 }

diff --git a/XCredsLoginPlugIn/LoginWindow/LoginWebViewWindowController.swift b/XCredsLoginPlugIn/LoginWindow/LoginWebViewWindowController.swift
@@ -212,7 +212,6 @@ class LoginWebViewWindowController: WebViewWindowController {
             username = defaultsUsername
         }
         else if let idTokenInfo = idTokenInfo, let mapKey = DefaultsOverride.standardOverride.object(forKey: "map_username")  as? String, mapKey.count>0, let mapValue = idTokenInfo[mapKey] as? String {
-//we have a mapping for username, so use that.
 
             username = mapValue
             TCSLogWithMark("mapped username found: \(username)")
@@ -260,6 +259,15 @@ class LoginWebViewWindowController: WebViewWindowController {
             delegate.setHint(type: .fullName, hint: "\(firstName) \(lastName)")
 
         }
+//groups
+        if let idTokenInfo = idTokenInfo,let mapValue = idTokenInfo["groups"] as? Array<String> {
+            TCSLogWithMark("setting groups: \(mapValue)")
+            delegate.setHint(type: .groups, hint:mapValue)
+        }
+        else {
+
+            TCSLogWithMark("No groups found")
+        }
 
         //first name
         if let idTokenInfo = idTokenInfo, let mapKey = DefaultsOverride.standardOverride.object(forKey: "map_firstname")  as? String, mapKey.count>0, let mapValue = idTokenInfo[mapKey] as? String {

diff --git a/XCredsLoginPlugIn/Mechanisms/XCredsBaseMechanism.swift b/XCredsLoginPlugIn/Mechanisms/XCredsBaseMechanism.swift
@@ -45,6 +45,8 @@ protocol XCredsMechanismProtocol {
 
 
     }
+
+
     var xcredsPass: String? {
         get {
             guard let userPass = getHint(type: .pass) as? String else {
@@ -160,13 +162,13 @@ protocol XCredsMechanismProtocol {
             return
         }
     }
-    var nomadGroups: [String]? {
+    var groups: [String]? {
         get {
             guard let userGroups = getHint(type: .groups) as? [String] else {
-                os_log("noMADGroups value is empty", log: noLoMechlog, type: .debug)
+                os_log("groups value is empty", log: noLoMechlog, type: .debug)
                 return nil
             }
-            os_log("Computed nomadgroups accessed: %{public}@", log: noLoMechlog, type: .debug)
+
             return userGroups
         }
     }

diff --git a/XCredsLoginPlugIn/Mechanisms/XCredsCreateUser.swift b/XCredsLoginPlugIn/Mechanisms/XCredsCreateUser.swift
@@ -35,6 +35,11 @@ class XCredsCreateUser: XCredsBaseMechanism {
     @objc override   func run() {
         TCSLogWithMark("CreateUser mech starting")
 
+        if let xcredsGroups = groups {
+
+            TCSLogWithMark("group: \(xcredsGroups)")
+        }
+
         // check if we are a guest account
         // if so, remove any existing user/home for the guest
         // then allow the mech to create a new user/home
@@ -87,7 +92,17 @@ class XCredsCreateUser: XCredsBaseMechanism {
                 isAdmin = createAdmin
                 TCSLog("Found a createLocalAdmin key value: \(isAdmin.description)")
             }
-
+            os_log("Checking for CreateAdminIfGroupMember groups", log: uiLog, type: .debug)
+            if let adminGroups = getManagedPreference(key: .CreateAdminIfGroupMember) as? [String] {
+                TCSLogWithMark("Found a CreateAdminIfGroupMember key value: \(String(describing: groups))")
+                groups?.forEach { group in
+                    if adminGroups.contains(group) {
+                        isAdmin = true
+                        TCSLogWithMark("User is a member of \(group) group. Setting isAdmin = true ")
+                    }
+                }
+            }
+
             var customAttributes = [String: String]()
 
             let metaPrefix = "_xcreds"

diff --git a/xCreds.xcodeproj/project.pbxproj b/xCreds.xcodeproj/project.pbxproj
@@ -1091,7 +1091,7 @@
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 4067;
+				CURRENT_PROJECT_VERSION = 4080;
 				DEFINES_MODULE = YES;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				FRAMEWORK_SEARCH_PATHS = (
@@ -1128,7 +1128,7 @@
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 4067;
+				CURRENT_PROJECT_VERSION = 4080;
 				DEFINES_MODULE = YES;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				FRAMEWORK_SEARCH_PATHS = (
@@ -1193,7 +1193,7 @@
 				CODE_SIGN_ENTITLEMENTS = "XCreds Login Overlay/XCreds_Login_Overlay.entitlements";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 4067;
+				CURRENT_PROJECT_VERSION = 4080;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				ENABLE_HARDENED_RUNTIME = YES;
 				FRAMEWORK_SEARCH_PATHS = (
@@ -1229,7 +1229,7 @@
 				CODE_SIGN_ENTITLEMENTS = "XCreds Login Overlay/XCreds_Login_Overlay.entitlements";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 4067;
+				CURRENT_PROJECT_VERSION = 4080;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				ENABLE_HARDENED_RUNTIME = YES;
 				FRAMEWORK_SEARCH_PATHS = (
@@ -1378,7 +1378,7 @@
 				CODE_SIGN_ENTITLEMENTS = XCreds/xCreds.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 4067;
+				CURRENT_PROJECT_VERSION = 4080;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				ENABLE_HARDENED_RUNTIME = YES;
 				FRAMEWORK_SEARCH_PATHS = (
@@ -1413,7 +1413,7 @@
 				CODE_SIGN_ENTITLEMENTS = XCreds/xCreds.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 4067;
+				CURRENT_PROJECT_VERSION = 4080;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				ENABLE_HARDENED_RUNTIME = YES;
 				FRAMEWORK_SEARCH_PATHS = (

diff --git a/...deproj/project.xcworkspace/xcuserdata/tperfitt.xcuserdatad/UserInterfaceState.xcuserstate b/...deproj/project.xcworkspace/xcuserdata/tperfitt.xcuserdatad/UserInterfaceState.xcuserstate