added removeadmin function but not used since it can cause local admi…

…ns to unadmin

NomadLogin/DSQueryable.swift

@@ -281,6 +281,32 @@ public extension DSQueryable {
         }
         return true
     }
+    func removeAdmin(_ user:ODRecord) -> Bool {
+        if isAdmin(user)==false { //user is not an admin already
+            return true
+        }
+        do {
+            os_log("Find the administrators group",  type: .debug)
+            let query = try ODQuery.init(node: localNode,
+                                         forRecordTypes: kODRecordTypeGroups,
+                                         attribute: kODAttributeTypeRecordName,
+                                         matchType: ODMatchType(kODMatchEqualTo),
+                                         queryValues: "admin",
+                                         returnAttributes: kODAttributeTypeNativeOnly,
+                                         maximumResults: 1)
+            let results = try query.resultsAllowingPartial(false) as! [ODRecord]
+            let adminGroup = results.first
+
+            os_log("Remove user to administrators group", type: .debug)
+            try adminGroup?.removeMemberRecord(user)
+
+        } catch {
+            let errorText = error.localizedDescription
+            os_log("Unable to add user to administrators group: %{public}@", type: .error, errorText)
+            return false
+        }
+        return true
+    }
     func getAllStandardUsers() throws -> [ODRecord] {
             let allRecords = try getAllNonSystemUsers()
             let nonSystem = allRecords.filter { (record) -> Bool in

XCredsLoginPlugIn/Mechanisms/XCredsCreateUser.swift

@@ -70,12 +70,14 @@ class XCredsCreateUser: XCredsBaseMechanism, DSQueryable {
             }
         }
         var isAdmin = false
+//        var shouldRemoveAdmin = false
         if let createAdmin = getManagedPreference(key: .CreateAdminUser) as? Bool {
             isAdmin = createAdmin
             TCSLog("Found a createLocalAdmin key value: \(isAdmin.description)")
         }
         os_log("Checking for CreateAdminIfGroupMember groups", log: uiLog, type: .debug)
         if let adminGroups = getManagedPreference(key: .CreateAdminIfGroupMember) as? [String] {
+
             TCSLogWithMark("Found a CreateAdminIfGroupMember key value: \(String(describing: groups))")
 
             groups?.forEach { group in
@@ -84,6 +86,10 @@ class XCredsCreateUser: XCredsBaseMechanism, DSQueryable {
                     TCSLogWithMark("User is a member of \(group) group. Setting isAdmin = true ")
                 }
             }
+//            if isAdmin == false {
+//                shouldRemoveAdmin = true
+//            }
+
         }
 
 
@@ -94,13 +100,6 @@ class XCredsCreateUser: XCredsBaseMechanism, DSQueryable {
                 secureTokenCreds = creds
             }
 
-            //            if getManagedPreference(key: .ManageSecureTokens) as? Bool ?? false {
-            //                if let creds = PasswordUtils.GetSecureTokenCreds() {
-            //
-            //                    secureTokenCreds = creds
-            //                }
-            //            }
-
             guard let uid = findFirstAvaliableUID() else {
                 TCSLogErrorWithMark("Could not find an available UID")
                 return
@@ -158,7 +157,7 @@ class XCredsCreateUser: XCredsBaseMechanism, DSQueryable {
 
 
         } else {
-            
+
             // Checking to see if we are doing a silent overwrite
             if getHint(type: .passwordOverwrite) as? Bool ?? false && !(getManagedPreference(key: .GuestUserAccounts) as? [String] ?? ["Guest", "guest"]).contains(xcredsUser!){
                 TCSLogWithMark("Password Overwrite enabled and triggered, starting evaluation")
@@ -206,22 +205,36 @@ class XCredsCreateUser: XCredsBaseMechanism, DSQueryable {
             }
         }
         TCSLogWithMark("Checking if user should be made admin")
-        if isAdmin==true, let xcredsUser = xcredsUser {
+        if let xcredsUser = xcredsUser {
             do {
-                TCSLogWithMark("Making admin user")
                 let record = try getLocalRecord(xcredsUser)
-                if makeAdmin(record)==false {
-                    os_log("failed to make user an admin", log: createUserLog, type: .error)
+
+                if isAdmin == true {
+
+                    TCSLogWithMark("Making admin user")
+                    if makeAdmin(record)==false {
+                        os_log("failed to make user an admin", log: createUserLog, type: .error)
+
+                    }
                 }
+//                else if shouldRemoveAdmin == true {
+//                    if removeAdmin(record)==false {
+//                        os_log("failed to remove user an admin", log: createUserLog, type: .error)
+//
+//                    }
+//                }
             }
+
             catch {
                 os_log("error finding user to make admin", log: createUserLog, type: .error)
             }
 
+
         }
 
 
 
+
         os_log("Allowing login", log: createUserLog, type: .debug)
         let _ = allowLogin()
         os_log("CreateUser mech complete", log: createUserLog, type: .debug)

xCreds.xcodeproj/project.pbxproj

@@ -1432,7 +1432,7 @@
 			buildSettings = {
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 6199;
+				CURRENT_PROJECT_VERSION = 6201;
 				DEFINES_MODULE = YES;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				FRAMEWORK_SEARCH_PATHS = (
@@ -1469,7 +1469,7 @@
 			buildSettings = {
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 6199;
+				CURRENT_PROJECT_VERSION = 6201;
 				DEFINES_MODULE = YES;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				FRAMEWORK_SEARCH_PATHS = (
@@ -1590,7 +1590,7 @@
 				CODE_SIGN_ENTITLEMENTS = "XCreds Login Overlay/XCreds_Login_Overlay.entitlements";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 6199;
+				CURRENT_PROJECT_VERSION = 6201;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				ENABLE_HARDENED_RUNTIME = YES;
 				FRAMEWORK_SEARCH_PATHS = (
@@ -1627,7 +1627,7 @@
 				CODE_SIGN_ENTITLEMENTS = "XCreds Login Overlay/XCreds_Login_Overlay.entitlements";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 6199;
+				CURRENT_PROJECT_VERSION = 6201;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				ENABLE_HARDENED_RUNTIME = YES;
 				FRAMEWORK_SEARCH_PATHS = (
@@ -1777,7 +1777,7 @@
 				CODE_SIGN_ENTITLEMENTS = XCreds/xCreds.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 6199;
+				CURRENT_PROJECT_VERSION = 6201;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				ENABLE_HARDENED_RUNTIME = YES;
 				FRAMEWORK_SEARCH_PATHS = (
@@ -1819,7 +1819,7 @@
 				CODE_SIGN_ENTITLEMENTS = XCreds/xCreds.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 6199;
+				CURRENT_PROJECT_VERSION = 6201;
 				DEVELOPMENT_TEAM = UXP6YEHSPW;
 				ENABLE_HARDENED_RUNTIME = YES;
 				FRAMEWORK_SEARCH_PATHS = (

xCreds.xcodeproj/xcuserdata/tperfitt.xcuserdatad/xcschemes/xcschememanagement.plist

@@ -32,7 +32,7 @@
 		<key>auth_mech_fixup.xcscheme_^#shared#^_</key>
 		<dict>
 			<key>orderHint</key>
-			<integer>8</integer>
+			<integer>7</integer>
 		</dict>
 		<key>authrights.xcscheme_^#shared#^_</key>
 		<dict>
@@ -42,7 +42,7 @@
 		<key>test.xcscheme_^#shared#^_</key>
 		<dict>
 			<key>orderHint</key>
-			<integer>7</integer>
+			<integer>8</integer>
 		</dict>
 	</dict>
 	<key>SuppressBuildableAutocreation</key>