checkpoint

Cartfile

@@ -1,2 +1,3 @@
 binary "https://bitbucket.org/twocanoes/productlicense-public/downloads/productlicense.json"
 github "PaddleHQ/Mac-Framework-V4"
+git "https://bitbucket.org/twocanoes/nomad-adauth" "fixes"

DefaultsOverride.swift

@@ -0,0 +1,95 @@
+//
+//  DefaultsOverride.swift
+//  XCreds
+//
+//  Created by Timothy Perfitt on 5/21/23.
+//
+
+import Cocoa
+
+class DefaultsOverride: UserDefaults {
+
+    var cachedPrefs=Dictionary<String,Any>()
+    func refreshCachedPrefs()  {
+        cachedPrefs=Dictionary()
+        let prefScriptPath = super.string(forKey: PrefKeys.settingsOverrideScriptPath.rawValue)
+        if let prefScriptPath = prefScriptPath {
+            TCSLogErrorWithMark("Pref script defined at \(prefScriptPath)")
+            if FileManager.default.fileExists(atPath:prefScriptPath)==false{
+                TCSLogErrorWithMark("Pref script defined but does not exist")
+                return
+            }
+
+            if let attributes = try? FileManager.default.attributesOfFileSystem(forPath: prefScriptPath), let ownerID=attributes[.ownerAccountID] as? NSNumber,
+               let permission = attributes[.posixPermissions] as? NSNumber
+            {
+
+                if ownerID.uintValue != 0 {
+                    TCSLogErrorWithMark("override script is not owned by root. not running")
+                    return
+                }
+
+                let unixPermissions = permission.int16Value
+
+                if unixPermissions & 0x15 != 0 {
+                    TCSLogErrorWithMark("override script cannot be writable by anyone besides root. not running.")
+                    return
+
+                }
+                let scriptRes=cliTask(prefScriptPath)
+
+                if scriptRes.count>0{
+                    let rawData = scriptRes.data(using: .utf8)
+                    var format: PropertyListSerialization.PropertyListFormat = .xml
+
+
+                    var propertyListObject = [ String: [String]]()
+
+                    do {
+                        propertyListObject = try PropertyListSerialization.propertyList(from: rawData!, options: [], format: &format) as! [ String: [String]]
+                    } catch {
+                        TCSLogErrorWithMark("Error converting script to property list: \(scriptRes)")
+                        return
+                    }
+                    cachedPrefs=propertyListObject
+
+                }
+
+            }
+
+        }
+
+
+    }
+    override func string(forKey defaultName: String) -> String? {
+        return super.string(forKey: defaultName)
+    }
+    override func object(forKey defaultName: String) -> Any? {
+        return super.object(forKey: defaultName)
+    }
+
+    override func array(forKey defaultName: String) -> [Any]? {
+        return super.array(forKey: defaultName)
+    }
+    override func data(forKey defaultName: String) -> Data? {
+        return super.data(forKey: defaultName)
+    }
+    override func integer(forKey defaultName: String) -> Int {
+        return super.integer(forKey: defaultName)
+    }
+    override func float(forKey defaultName: String) -> Float {
+        return super.float(forKey: defaultName)
+    }
+    override func double(forKey defaultName: String) -> Double {
+        return super.double(forKey: defaultName)
+    }
+    override func bool(forKey defaultName: String) -> Bool {
+        return super.bool(forKey: defaultName)
+    }
+    override func url(forKey defaultName: String) -> URL? {
+        return super.url(forKey: defaultName)
+    }
+
+
+
+}

NomadLogin/CheckAD.swift

@@ -0,0 +1,92 @@
+//
+//  CheckAD.swift
+//  NoMADLogin
+//
+//  Created by Joel Rennich on 9/20/17.
+//  Copyright © 2017 Joel Rennich. All rights reserved.
+//
+
+import Cocoa
+import os.log
+
+class CheckAD: NoLoMechanism {
+    @objc var signIn: SignIn!
+
+    @objc func run() {
+        os_log("CheckAD mech starting", log: checkADLog, type: .debug)
+
+        if useAutologin() {
+            os_log("Using autologin", log: checkADLog, type: .debug)
+            os_log("CheckAD mech complete", log: checkADLog, type: .debug)
+            allowLogin()
+            return
+        }
+        os_log("Activating app", log: checkADLog, type: .debug)
+        NSApp.activate(ignoringOtherApps: true)
+        os_log("Loading XIB", log: checkADLog, type: .debug)
+        signIn = SignIn(windowNibName: NSNib.Name("SignIn"))
+        os_log("Set mech for loginwindow", log: checkADLog, type: .debug)
+        signIn.mech = mech
+        if let domain = self.managedDomain {
+            os_log("Set managed domain for loginwindow", log: checkADLog, type: .debug)
+            signIn.domainName = domain.uppercased()
+        }
+        if let isSSLRequired = self.isSSLRequired {
+            os_log("Set SSL required", log: checkADLog, type: .debug)
+            signIn.isSSLRequired = isSSLRequired
+        }
+        guard signIn.window != nil else {
+            os_log("Could not create login window UI", log: checkADLog, type: .default)
+            return
+        }
+        os_log("Displaying window", log: checkADLog, type: .debug)
+        if getManagedPreference(key: .NormalWindowLevel) as? Bool == false  {
+            NSApp.runModal(for: signIn.window!)
+        }
+
+        os_log("CheckAD mech complete", log: checkADLog, type: .debug)
+    }
+
+    @objc func tearDown() {
+        os_log("Got teardown request", log: checkADLog, type: .debug)
+        signIn.loginTransition()
+    }
+
+    func useAutologin() -> Bool {
+
+        if UserDefaults(suiteName: "com.apple.loginwindow")?.bool(forKey: "DisableFDEAutoLogin") ?? false {
+            os_log("FDE AutoLogin Disabled per loginwindow preference key", log: checkADLog, type: .debug)
+            return false
+        }
+
+        os_log("Checking for autologin.", log: checkADLog, type: .default)
+        if FileManager.default.fileExists(atPath: "/tmp/nolorun") {
+            os_log("NoLo has run once already. Load regular window as this isn't a reboot", log: checkADLog, type: .debug)
+            return false
+        }
+
+        os_log("NoLo hasn't run, trying autologin", log: checkADLog, type: .debug)
+        try? "Run Once".write(to: URL.init(fileURLWithPath: "/tmp/nolorun"), atomically: true, encoding: String.Encoding.utf8)
+
+        if let uuid = getEFIUUID() {
+            if let name = NoLoMechanism.getShortname(uuid: uuid) {
+                setContextString(type: kAuthorizationEnvironmentUsername, value: name)
+            }
+        }
+        return true
+    }
+
+    fileprivate func getEFIUUID() -> String? {
+        let chosen = IORegistryEntryFromPath(kIOMasterPortDefault, "IODeviceTree:/chosen")
+        var properties : Unmanaged<CFMutableDictionary>?
+        let err = IORegistryEntryCreateCFProperties(chosen, &properties, kCFAllocatorDefault, IOOptionBits.init(bitPattern: 0))
+
+        if err != 0 {
+            return nil
+        }
+
+        guard let props = properties!.takeRetainedValue() as? [ String : AnyHashable ] else { return nil }
+        guard let uuid = props["efilogin-unlock-ident"] as? Data else { return nil }
+        return String.init(data: uuid, encoding: String.Encoding.utf8)
+    }
+}

NomadLogin/DS+AD.swift

@@ -0,0 +1,72 @@
+//
+//  DS+AD.swift
+//  NoMADLoginAD
+//
+//  Created by Josh Wisenbaker on 9/20/18.
+//  Copyright © 2018 Orchard & Grove. All rights reserved.
+//
+import OpenDirectory
+
+enum NoMADQueryErrors: Error {
+    case noMigrationCandidates
+}
+
+// MARK: - NoMAD extensions for the DSQueryable Protocol.
+extension DSQueryable {
+    /// Check to see if a given local user has the `kODAttributeOktaUser` set on their account.
+    ///
+    /// - Parameter shortName: The shortname of the user to check as a `String`.
+    /// - Returns: `true` if the user has an Okta attribute. Otherwise `false`.
+    /// - Throws: A `ODFrameworkErrors` or a `DSQueryableErrors` if there is an error.
+    public func checkForNoMADUser(_ shortName: String) throws -> Bool {
+        os_log("Checking for AD username", type: .default)
+        do {
+            let userRecord = try getLocalRecord(shortName)
+
+            let names = try userRecord.values(forAttribute: kODAttributeADUser)
+            if names.isEmpty {
+                return false
+            }
+            return true
+        } catch DSQueryableErrors.notLocalUser {
+            return false
+        } catch {
+            throw error
+        }
+    }
+
+    /// Search in DSLocal and find any potential migration users.
+    ///
+    /// - Parameter excludeList: An optional `Array` of `String` values to exclude from the candidate list. These are typically set in the `.MigrateUsersHide` preference key.
+    /// - Returns: The shortnames of the users to offer for Okta migration in an `Array` of `String` values.
+    /// - Throws: A `ODFrameworkErrors` or a `DSQueryableErrors` if there is an error. Throws `NoMADQueryErrors.noMigrationCandidates` if no results are found.
+    public func findNoMADMigrationCandidates(excludeList: [String] = [String]()) throws -> [String] {
+        do {
+            os_log("Checking for NoMAD migration users.", type: .default)
+            var candidates = [String]()
+            os_log("Getting all user records.", type: .default)
+            let records = try getAllNonSystemUsers()
+            os_log("Filtering records", type: .default)
+            let filtered = try records.filter({ (record) -> Bool in
+                if excludeList.contains(record.recordName) {
+                    os_log("User is exluded", type: .default)
+                    return false
+                }
+                if try checkForNoMADUser(record.recordName) {
+                    os_log("User has a NoMAD Attribute", type: .default)
+                    return false
+                }
+                return true
+            })
+            for record in filtered {
+                candidates.append(record.recordName)
+            }
+            if candidates.isEmpty {
+                throw NoMADQueryErrors.noMigrationCandidates
+            }
+            return candidates
+        } catch {
+            throw error
+        }
+    }
+}