added autologin when fv enabled

twocanoes · Sep 15, 2022 · c8b394e · c8b394e
1 parent 1158698
commit c8b394e
Show file tree

Hide file tree

Showing 9 changed files with 181 additions and 115 deletions.
diff --git a/XCreds/WebView.swift b/XCreds/WebView.swift
@@ -82,11 +82,15 @@ extension WebViewController: WKNavigationDelegate {
         if navigationAction.request.httpMethod == "POST" {
             TCSLogWithMark("POST")
             if let idpHostName = idpHostName as? String, navigationAction.request.url?.host == idpHostName {
+                TCSLogWithMark("host matches custom idpHostName")
+
                 TCSLogWithMark(idpHostName.sanitized())
+                TCSLogWithMark("inserting javascript to get password")
 
                 let javaScript = "document.getElementById('\(passwordElementID.sanitized())').value"
                 webView.evaluateJavaScript(javaScript, completionHandler: { response, error in
                     if let rawPass = response as? String {
+                        TCSLogWithMark("password set.")
                         self.password=rawPass
                     }
                     else {
@@ -186,12 +190,17 @@ extension WebViewController: WKNavigationDelegate {
             TCSLogWithMark("redirectURI: \(redirectURI)")
             TCSLogWithMark("URL: \(webView.url?.absoluteString ?? "NONE")")
             if (webView.url?.absoluteString.starts(with: (redirectURI))) ?? false {
+                TCSLogWithMark("got redirect URI match. separating URL")
                 var code = ""
                 let fullCommand = webView.url?.absoluteString ?? ""
                 let pathParts = fullCommand.components(separatedBy: "&")
                 for part in pathParts {
                     if part.contains("code=") {
+                        TCSLogWithMark("found code=. cleaning up.")
+
                         code = part.replacingOccurrences(of: redirectURI + "?" , with: "").replacingOccurrences(of: "code=", with: "")
+                        TCSLogWithMark("getting tokens")
+
                         TokenManager.shared.oidc().getToken(code: code)
                         return
                     }

diff --git a/XCredsLoginPlugIn/Mechanisms/XCredsBaseMechanism.swift b/XCredsLoginPlugIn/Mechanisms/XCredsBaseMechanism.swift
@@ -297,19 +297,13 @@ protocol XCredsMechanismProtocol {
     func getContextString(type: String) -> String? {
         var value: UnsafePointer<AuthorizationValue>?
         var flags = AuthorizationContextFlags()
-        let err = mechCallbacks.GetContextValue((mech?.fEngine)!, type, &flags, &value)
+        let err = mech?.fPlugin.pointee.fCallbacks.pointee.GetContextValue((mech?.fEngine)!, type, &flags, &value)
         if err != errSecSuccess {
-            TCSLogWithMark("Couldn't retrieve context value: %{public}@")
+            TCSLogWithMark("Couldn't retrieve context value \(type)")
             return nil
         }
-        if type == "longname" {
-            return String.init(bytesNoCopy: value!.pointee.data!, length: value!.pointee.length, encoding: .utf8, freeWhenDone: false)
-        } else {
-            let item = Data.init(bytes: value!.pointee.data!, count: value!.pointee.length)
-            TCSLogWithMark("get context error: %{public}@")
-        }
 
-        return nil
+        return String(bytesNoCopy: value!.pointee.data!, length: value!.pointee.length, encoding: .utf8, freeWhenDone: false)
     }
     //MARK: - Directory Service Utilities
 

diff --git a/XCredsLoginPlugIn/Mechanisms/XCredsLoginMechanism.swift b/XCredsLoginPlugIn/Mechanisms/XCredsLoginMechanism.swift
@@ -5,6 +5,7 @@ import Cocoa
     @objc var loginWindow: XCredsLoginMechanism!
     @objc var webViewController: LoginWebViewController!
     @objc var loginWindowControlsWindowController:LoginWindowControlsWindowController!
+    let checkADLog = "checkADLog"
 
     override init(mechanism: UnsafePointer<MechanismRecord>) {
         super.init(mechanism: mechanism)
@@ -14,9 +15,89 @@ import Cocoa
         TCSLogWithMark("reload in controller")
         webViewController.loadPage()
     }
+    func useAutologin() -> Bool {
 
+        if UserDefaults(suiteName: "com.apple.loginwindow")?.bool(forKey: "DisableFDEAutoLogin") ?? false {
+            os_log("FDE AutoLogin Disabled per loginwindow preference key", log: checkADLog, type: .debug)
+            return false
+        }
+
+        os_log("Checking for autologin.", log: checkADLog, type: .default)
+        if FileManager.default.fileExists(atPath: "/tmp/nolorun") {
+            os_log("NoLo has run once already. Load regular window as this isn't a reboot", log: checkADLog, type: .debug)
+            return false
+        }
+
+        os_log("XCreds, trying autologin", log: checkADLog, type: .debug)
+        try? "Run Once".write(to: URL.init(fileURLWithPath: "/tmp/nolorun"), atomically: true, encoding: String.Encoding.utf8)
+
+        if let username = getContextString(type: "fvusername") {
+            TCSLogWithMark("got username = \(username)")
+        }
+        else {
+            TCSLogWithMark("no username found")
+
+        }
+       if let password = getContextString(type: "fvpassword") {
+           TCSLogWithMark("got password ")
+       }
+        else {
+            TCSLogWithMark("no password found")
+        }
+
+        if let username = getContextString(type: "fvusername"), let password = getContextString(type: "fvpassword") {
+            os_log("Found username in context, doing autologin", log: checkADLog, type: .debug)
+            setContextString(type: kAuthorizationEnvironmentUsername, value: username)
+            setContextString(type: kAuthorizationEnvironmentPassword, value: password)
+            return true
+        } else {
+            if let uuid = getEFIUUID() {
+                if let name = XCredsBaseMechanism.getShortname(uuid: uuid) {
+                    os_log("Found username in EFI, doing autologin", log: checkADLog, type: .debug)
+
+                    setContextString(type: kAuthorizationEnvironmentUsername, value: name)
+                    return true
+                }
+            }
+        }
+        return true
+    }
+    fileprivate func getEFIUUID() -> String? {
+        TCSLogWithMark("getEFIUUID")
+        let chosen = IORegistryEntryFromPath(kIOMasterPortDefault, "IODeviceTree:/chosen")
+        var properties : Unmanaged<CFMutableDictionary>?
+        let err = IORegistryEntryCreateCFProperties(chosen, &properties, kCFAllocatorDefault, IOOptionBits.init(bitPattern: 0))
+
+        if err != 0 {
+            TCSLogWithMark("getEFIUUID error")
+            return nil
+        }
+
+        guard let props = properties!.takeRetainedValue() as? [ String : AnyHashable ] else {
+            TCSLogWithMark("getEFIUUID error props")
+            return nil
+
+        }
+        guard let uuid = props["efilogin-unlock-ident"] as? Data else {
+
+            TCSLogWithMark("getEFIUUID error uuid")
+
+            return nil
+
+        }
+        TCSLogWithMark("uuid=\(uuid.hexEncodedString())")
+
+        return String.init(data: uuid, encoding: String.Encoding.utf8)
+    }
     @objc override func run() {
         TCSLogWithMark("\(#function) \(#file):\(#line)")
+        if useAutologin() {
+            os_log("Using autologin", log: checkADLog, type: .debug)
+            os_log("Check autologin complete", log: checkADLog, type: .debug)
+            allowLogin()
+            return
+        }
+
         NSApp.activate(ignoringOtherApps: true)
 
         webViewController = LoginWebViewController(windowNibName: NSNib.Name("LoginWebView"))
@@ -37,8 +118,13 @@ import Cocoa
 
     }
     override func allowLogin() {
+        TCSLogWithMark("Allowing Login")
+        if loginWindowControlsWindowController != nil {
+            TCSLogWithMark("Dismissing controller")
 
-        loginWindowControlsWindowController.dismiss()
+            loginWindowControlsWindowController.dismiss()
+        }
+        TCSLogWithMark("calling super allowLogin")
         super.allowLogin()
     }
     override func denyLogin() {

diff --git a/XCredsLoginPlugIn/XCredsLoginPlugin.m b/XCredsLoginPlugIn/XCredsLoginPlugin.m
@@ -102,6 +102,7 @@ - (OSStatus)MechanismCreate:(AuthorizationPluginRef)inPlugin
 
     MechanismRecord *mechanism = (MechanismRecord *)malloc(sizeof(MechanismRecord));
     if (mechanism == NULL) return errSecMemoryError;
+    TCSLog([NSString stringWithFormat:@"mech is %s\n",mechanismId]);
     mechanism->fMagic = kMechanismMagic;
     mechanism->fEngine = inEngine;
     mechanism->fPlugin = (PluginRecord *)inPlugin;

diff --git a/app_to_test.sh b/app_to_test.sh
@@ -22,4 +22,4 @@ ssh root@"${REMOTE_MAC}" /Applications/XCreds.app/Contents/Resources/xcreds_logi
 ssh  root@"${REMOTE_MAC}" /Applications/XCreds.app/Contents/Resources/xcreds_login.sh -i
 
 #ssh  root@"${REMOTE_MAC}" killall -9 SecurityAgent || echo "unable to kill"
-#ssh root@"${REMOTE_MAC}" reboot
+ssh root@"${REMOTE_MAC}" reboot
diff --git a/build_resources/Packages/XCreds/XCreds_template.pkgproj b/build_resources/Packages/XCreds/XCreds_template.pkgproj
@@ -1000,7 +1000,31 @@
 		<key>PROJECT_REQUIREMENTS</key>
 		<dict>
 			<key>LIST</key>
-			<array/>
+			<array>
+				<dict>
+					<key>BEHAVIOR</key>
+					<integer>3</integer>
+					<key>DICTIONARY</key>
+					<dict>
+						<key>IC_REQUIREMENT_OS_DISK_TYPE</key>
+						<integer>0</integer>
+						<key>IC_REQUIREMENT_OS_DISTRIBUTION_TYPE</key>
+						<integer>0</integer>
+						<key>IC_REQUIREMENT_OS_MINIMUM_VERSION</key>
+						<integer>110000</integer>
+					</dict>
+					<key>IC_REQUIREMENT_CHECK_TYPE</key>
+					<integer>1</integer>
+					<key>IDENTIFIER</key>
+					<string>fr.whitebox.Packages.requirement.os</string>
+					<key>MESSAGE</key>
+					<array/>
+					<key>NAME</key>
+					<string>Operating System</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+			</array>
 			<key>RESOURCES</key>
 			<array/>
 			<key>ROOT_VOLUME_ONLY</key>

diff --git a/xCreds.xcodeproj/project.pbxproj b/xCreds.xcodeproj/project.pbxproj
@@ -887,7 +887,7 @@
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 3265;
+				CURRENT_PROJECT_VERSION = 3285;
 				DEFINES_MODULE = YES;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				GENERATE_INFOPLIST_FILE = YES;
@@ -918,7 +918,7 @@
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 3265;
+				CURRENT_PROJECT_VERSION = 3285;
 				DEFINES_MODULE = YES;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				GENERATE_INFOPLIST_FILE = YES;
@@ -977,7 +977,7 @@
 				CODE_SIGN_ENTITLEMENTS = "XCreds Login Overlay/XCreds_Login_Overlay.entitlements";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 3265;
+				CURRENT_PROJECT_VERSION = 3285;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				ENABLE_HARDENED_RUNTIME = YES;
 				GENERATE_INFOPLIST_FILE = YES;
@@ -1007,7 +1007,7 @@
 				CODE_SIGN_ENTITLEMENTS = "XCreds Login Overlay/XCreds_Login_Overlay.entitlements";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 3265;
+				CURRENT_PROJECT_VERSION = 3285;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				ENABLE_HARDENED_RUNTIME = YES;
 				GENERATE_INFOPLIST_FILE = YES;
@@ -1150,7 +1150,7 @@
 				CODE_SIGN_ENTITLEMENTS = XCreds/xCreds.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 3265;
+				CURRENT_PROJECT_VERSION = 3285;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				ENABLE_HARDENED_RUNTIME = YES;
 				GENERATE_INFOPLIST_FILE = YES;
@@ -1179,7 +1179,7 @@
 				CODE_SIGN_ENTITLEMENTS = XCreds/xCreds.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 3265;
+				CURRENT_PROJECT_VERSION = 3285;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				ENABLE_HARDENED_RUNTIME = YES;
 				GENERATE_INFOPLIST_FILE = YES;

diff --git a/...deproj/project.xcworkspace/xcuserdata/tperfitt.xcuserdatad/UserInterfaceState.xcuserstate b/...deproj/project.xcworkspace/xcuserdata/tperfitt.xcuserdatad/UserInterfaceState.xcuserstate