fixed install scripts
twocanoes committed Jul 17, 2022
1 parent aa79457 commit ad2152c
Showing 5 changed files with 90 additions and 19 deletions.
75 changes: 64 additions & 11 deletions README.md
@@ -1,7 +1,19 @@
# XCreds: Sync Your Cloud Password to your Mac

## Overview
XCreds works by keeping your local Mac password in sync with your Identity Provider password. If you use Azure or Google or other identity provider, XCreds will make sure the password is the same. XCreds runs in the background and checks if the cloud password has been changed. If it detects the password has changed, it prompts to login to the cloud provider and updates the local password and the keychain password automatically.
## How It Works
XCreds has 2 components: the XCreds app that runs in user space and XCreds Login Window that is a security agent that runs when the user is logging in to their mac. Both the security agent and the app share keychain items in the user's keychain to key track of the current local password and the tokens from the cloud provider. Both items prompt the user withe a web view to authenticate to their cloud provider, verify log in was successful and then updates the local password and user keychain passwords as needed.

## Requirements
XCreds currently works with Azure and Google cloud as an OIDC identity provider. It has been testing on macOS Monterey but should support earlier version of macOS.

## Components
XCreds consists of XCreds Login and XCreds app. They do similar tasks but run at different times.

### XCreds Login
XCreds Login is a Security Agent that replaces the login window on macOS to provide authentication to the cloud provider. It presents a web view at the login window and fully supports multi-factor authentication. When authentication completes, the web view receives Open Id Connect (OIDC) tokens and stores those tokens in the login keychain. If the local password and the cloud password are different, the local password is updated to match the cloud password and the login keychain password is updated a well. The local password is then stored in the user keychain so that any password changes in the future can be updated silently. Only the security agent and the XCreds app are given permission to access the password and tokens.

### XCreds App
The XCreds app runs when the user logs in. On first launch, it checks to see if xcreds tokens as available in the login keychain. If they are, the refresh token is used to see if it is still valid. If it is invalid (due to a remote password change), the user is prompted with a web view to authenticate with their cloud credentials. If they authenticate successfully, the tokens are updated in the login keychain and the password is check to see if it has been changed. If it changed, the local account and login keychain is updated to match the cloud password.

## Configuration
Configuration and setting is handled from a config profile. See the Preferences section below for details on each key. The discovery URL and client ID values are required. All others are optional.
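Review bot: the added Overview and Components text has several typos that will ship in the README as the first thing an admin reads: "key track" (keep track), "withe a web view" (with a web view), "has been testing on macOS Monterey" (tested), "login keychain password is updated a well" (as well), "xcreds tokens as available" (are available), "the password is check" (checked) and "the local account and login keychain is updated" (are updated). One proofreading pass over this hunk before it lands would fix all of them.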
Expand All @@ -11,30 +23,65 @@ We recommend you use a preference manifest and use [Profile Creator](https://git
A sample configuration profile is [available to download](https://github.com/twocanoes/xcreds/releases) as well.



## Azure Setup
See the [wiki](https://github.com/twocanoes/xcreds/wiki) for Azure instructions

## Google Cloud Setup
See the [wiki](https://github.com/twocanoes/xcreds/wiki) for Azure instructions


# Download
Download XCreds from the [github release page](https://github.com/twocanoes/xcreds/releases)

# Setup
To get started with XCreds, follow the instructions below. All resources are within the app itself and setup is configured using command line tools inside the app bundle. Preferences are handled by configuration profiles (see below).

1. Install the XCreds package. This will install XCreds.app into your application folder and does not install any other items.

1. Install a configuration profile by follow the instructions below under the Preferences section.

1. Launch the app by double clicking on it. A new menu item will appear with chasing arrows. A web view will also appear since there are no xcreds tokens in the keychain. Authenticate with your cloud password. You will be prompted for your local password and your local password and keychain password will be updated if it is different from your cloud password.

## How it works
XCreds is a menu item macOS application that works like this:
1. In order to activate XCreds Login, open terminal and run:

1. On first launch, it prompts the user for their local macOS password and saves it to the keychain where the app can retrieve it later. The password is verified to be correct against local directory services.
`sudo /Applications/XCreds.app/Contents/Resources/xcreds_login.sh -i`

This will install a XCreds security agent called "XCredsLoginPlugin.bundle" in /Library/Security/SecurityAgentPlugins and a launch daemon called "com.twocanoes.xcreds-overlay.plist" in /Library/LaunchDaemons. The launch daemon shows an overlay on the standard login window to return back to XCreds Login. The authorizationdb is also updated to activate the Security Agent and you can see the new rules by running:

`security authorizationdb read system.login.console`

A backup copy of the replaced rules is stored in /Library/Application Support/xcreds/rights.bak.

1. Log out of the mac. The XCreds login window will be presented. Log in with your cloud credentials.

1. The user is prompted via a webview to log into their cloud provider.
1. XCreds.app will not launch automatically. You can use Login Items in System Preferences to automatically launch XCreds.app or use a MDM policy.

1. Once authenticated, OAuth tokens are returned verifying the authentication succeeded. These tokens are saved to the keychain.
## Uninstall
1. To remove XCreds Login, restore the backup security agent rules and remove the launch agent, run:

`sudo /Applications/XCreds.app/Contents/Resources/xcreds_login.sh -r`

1. Drag the XCreds app to the trash.

1. The cloud password entered is then used to set the local password and change the login keychain password.

## Preferences
The easiest way configure is to use [Profile Creator](https://github.com/ProfileCreator/ProfileCreator) using the [supplied manifest](https://github.com/twocanoes/xcreds/releases). The following keys can then be set and managed:

*redirectURI* (string): the URI passed back to the webview after successful authentication. Default value: "xcreds://auth/"
*discoveryURL* (string): The discovery URL provided by your OIDC / Cloud provider. For google it is typically "https://accounts.google.com/.well-known/openid-configuration" and for Azure it is typically "https://login.microsoftonline.com/common/.well-known/openid-configuration"

*scopes* (string): Scopes tell the identify provider what information to return. Note that the values are provided with a single space between then.

Provide the following values the follow IdPs:

Google: profile openid email
Azure: profile openid offline_access

Note that Google does not support the offline_access scope and instead the preference "shouldSetGoogleAccessTypeToOffline" preference. Azure provides "unique_name" which is mapped to the local user account by using the prefix before "@" in unique_name and matching to the short name of a user account. Google provides "email" and is matched in the same way.



*redirectURI* (string): the URI passed back to the webview after successful authentication. Default value: "xcreds://auth/"

*refreshRateHours* (string): The number of hours between checks. Default value: "3".

*showDebug* (bool): Show push notifications for authentication progress. Default value: false
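Review bot: the Setup step text contradicts the install script changed in this same commit. It says a launch daemon "com.twocanoes.xcreds-overlay.plist" is installed in /Library/LaunchDaemons, while xcreds_login.sh copies it to /Library/LaunchAgents (launch_agent_destination_path), and the Uninstall step then calls it a "launch agent". A launch agent runs inside the logged-in user's session, a launch daemon runs as root, so an admin auditing what the installer changes on the system gets the wrong location and the wrong privilege level from this paragraph; suggest "a launch agent called ... in /Library/LaunchAgents". Smaller points in the same hunk: the Google Cloud Setup section reads "See the wiki for Azure instructions" (copy/paste), *redirectURI* is documented twice with the same text, and *username* is typed (bool) although the description asks for a short name, which reads like a string.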
Expand All @@ -43,10 +90,16 @@ The easiest way configure is to use [Profile Creator](https://github.com/Profile

*LogFileName* (string): The name of the log file in ~/Library/Logs/. Default value: "xcreds.log"

*shouldShowQuit* (bool): Show Quit in the menu item menu. Default value: true
*shouldShowQuitMenu* (bool): Show Quit in the menu item menu. Default value: true

*shouldShowAboutMenu* (bool): Show the About Menu item menu. Default value: true

*shouldShowPreferencesOnStart* (bool): Show Settings on start if none are defined. Default value: false

*username* (bool): When a user uses cloud login, XCreds will try and figure out the local username based on the email or other data returned for the IdP. Use this value to force the local username for any cloud login. Provide only the shortname.

*passwordChangeURL* (string): Add a menu item for changing the password that will open this URL when the menu item is selected.


## Video
See the [video on youtube](https://youtu.be/6V5MCQNWVTE)
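Review bot: renaming the preference key from *shouldShowQuit* to *shouldShowQuitMenu* is a breaking change for configuration profiles already deployed with the old key; unless the app still honours the old name, the README or the release notes should say the key changed. On *LogFileName*, it would help to document whether only a bare file name is accepted, since the value arrives from a managed profile and is joined onto ~/Library/Logs/.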
2 changes: 1 addition & 1 deletion XCreds Login Overlay/com.twocanoes.xcreds-overlay.plist
Expand Up @@ -12,7 +12,7 @@
<false/>
<key>ProgramArguments</key>
<array>
<string>/Applications/XCreds.app/Contents/MacOS/XCreds</string>
<string>/Applications/XCreds.app/Contents/Resources/XCreds Login Overlay.app/Contents/MacOS/XCreds Login Overlay</string>
</array>
</dict>
</plist>
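Review bot: the new ProgramArguments path contains spaces ("XCreds Login Overlay.app", "XCreds Login Overlay"); that is fine inside a single <string> element of the array, but any shell command or documentation that reproduces this path has to quote it. Because xcreds_login.sh now drops this plist into /Library/LaunchAgents, it is started in every user's login session; please confirm the overlay binary exits cleanly when /Applications/XCreds.app is missing or relocated, otherwise launchd logs a spawn failure at every login.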
30 changes: 24 additions & 6 deletions XCredsLoginPlugIn/LoginWindow/xcreds_login.sh
@@ -1,5 +1,18 @@
#!/bin/bash

script_path="$0"
script_folder=$(dirname "${script_path}")
authrights_path="${script_folder}"/authrights
plugin_path="${script_folder}"/XCredsLoginPlugin.bundle
plugin_resources_path="${plugin_path}"/Contents/Resources
overlay_path="${script_folder}"/"XCreds Login Overlay.app"
overlay_resources_path="${overlay_path}"/Contents/Resources
auth_backup_folder=/Library/"Application Support"/xcreds
rights_backup_path="${auth_backup_folder}"/rights.bak
launch_agent_config_name="com.twocanoes.xcreds-overlay.plist"
launch_agent_destination_path="/Library/LaunchAgents/"
launch_agent_source_path="${overlay_resources_path}"/"${launch_agent_config_name}"

f_install=0
f_remove=0

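Review bot: launch_agent_destination_path is hard-coded to /Library/LaunchAgents/ while the plugin install honours "${target_volume}" (see the chown -R root:wheel "${target_volume}"/Library/Security/SecurityAgentPlugins/... line in the install hunk), so an install onto a non-boot target volume would write the agent plist onto the running system instead; suggest "${target_volume}"/Library/LaunchAgents/. Moving the path variables above the root check is otherwise a good change, since the remove branch needs them too.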
Expand All @@ -21,12 +34,6 @@ if [ $(id -u) -ne 0 ]; then
exit -1
fi

script_path="$0"
script_folder=$(dirname "${script_path}")
authrights_path="${script_folder}"/authrights
plugin_path="${script_folder}"/XCredsLoginPlugin.bundle
auth_backup_folder=/Library/"Application Support"/xcreds
rights_backup_path="${auth_backup_folder}"/rights.bak

if [ $f_install -eq 1 ] && [ $f_remove -eq 1 ]; then
echo "you can't specify both -i and -r"
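Review bot: dropping the second copy of the path variables is correct now that they are defined before the root check, so this hunk is fine as is. While here, the `exit -1` on the root check in the context lines produces exit status 255, which callers see as a generic failure; `exit 1` is the conventional and portable value.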
Expand All @@ -50,6 +57,11 @@ if [ $f_install -eq 1 ]; then
chown -R root:wheel "${target_volume}"/Library/Security/SecurityAgentPlugins/XCredsLoginPlugin.bundle
fi

if [ ! -e "${launch_agent_destination_path}"/"${launch_agent_config_name}" ]; then

cp "${launch_agent_source_path}" "${launch_agent_destination_path}"
# /bin/launchctl load "${launch_agent_destination_path}"/"${launch_agent_config_name}"
fi
if [ -e ${authrights_path} ]; then
"${authrights_path}" -r "loginwindow:login" "XCredsLoginPlugin:LoginWindow"
"${authrights_path}" -a "XCredsLoginPlugin:LoginWindow" "XCredsLoginPlugin:PowerControl,privileged"
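Review bot: the copied launch agent plist gets no owner or mode, unlike the plugin bundle a few lines above which gets chown -R root:wheel. launchd refuses to load items from /Library/LaunchAgents that are not owned by root or are group/world-writable, and the file inherits whatever ownership the copy inside the app bundle carries; add `chown root:wheel` and `chmod 644` on the destination after the cp. The `! -e` guard also means a newer plist shipped in a later build is never copied over an old one, so consider always overwriting. Leaving the launchctl load commented out is reasonable (run as root it would not load into the console user's session), but the README should then say the overlay only appears from the next login.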
Expand All @@ -72,6 +84,12 @@ elif [ $f_remove -eq 1 ]; then

fi

if [ -e "${launch_agent_destination_path}"/"${launch_agent_config_name}" ]; then
# /bin/launchctl unload "${launch_agent_destination_path}"/"${launch_agent_config_name}"
rm "${launch_agent_destination_path}"/"${launch_agent_config_name}"
fi



else
echo "you must specify -i or -r to install or remove xcreds login"
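Review bot: removing the plist while the launchctl unload stays commented out leaves an already loaded overlay agent running in the current user's session until that user logs out; the README's uninstall step should mention that a logout (or reboot) is needed for the overlay to disappear. The three blank lines left before `else` are leftover whitespace.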
2 changes: 1 addition & 1 deletion app_to_test.sh
Expand Up @@ -8,4 +8,4 @@ ssh -J tcadmin@simac.local root@test001.local rm -rf "/Applications/XCreds.app"

scp -r -J tcadmin@simac.local "${BUILD_ROOT}"/Release/XCreds.app root@test001.local:/Applications/

ssh -J tcadmin@simac.local root@test001.local reboot || exit 0
#ssh -J tcadmin@simac.local root@test001.local reboot || exit 0
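Review bot: commenting out the reboot means the test host keeps running whatever login plugin and overlay were loaded before the app bundle was replaced; if that is intentional now that xcreds_login.sh handles install and removal, a one-line comment saying so would stop the next reader from re-enabling it. This helper also carries internal hostnames and a root@ login through a jump host, which is fine for a developer script but should stay out of the shipped package.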
Binary file not shown.
