runtime dylib loading

AuthorizationPlugin.h

@@ -16,10 +16,6 @@
 
 #pragma mark ***** Define External FDE fuctions
 
-extern CFStringRef CSFDEStorePassphrase(const char* password);
-extern BOOL ODFDEAddUser(CFStringRef authuser, CFStringRef authpass, CFStringRef username, CFStringRef password);
-
-
 @interface AuthorizationPlugin : NSObject
 
 #pragma mark ***** Core Data Structures

AuthorizationPlugin.m

@@ -58,6 +58,7 @@ extern OSStatus AuthorizationPluginCreate(const AuthorizationCallbacks *callback
 @implementation AuthorizationPlugin
 
 - (OSStatus) MechanismInvoke:(AuthorizationMechanismRef)inMechanism {
+
     OSStatus                    err;
     MechanismRecord *           mechanism;
 

FV2AuthPlugin-Installer/FV2AuthPlugin-Installer.pkgproj

@@ -316,7 +316,7 @@
 												<key>GID</key>
 												<integer>0</integer>
 												<key>PATH</key>
-												<string>build/FV2AuthPlugin.bundle</string>
+												<string>FV2AuthPlugin.bundle</string>
 												<key>PATH_TYPE</key>
 												<integer>1</integer>
 												<key>PERMISSIONS</key>
@@ -527,7 +527,7 @@
 			<key>OVERWRITE_PERMISSIONS</key>
 			<false/>
 			<key>VERSION</key>
-			<string>0.1</string>
+			<string>0.2.1</string>
 		</dict>
 		<key>PROJECT_COMMENTS</key>
 		<dict>
@@ -541,7 +541,7 @@
 			ZW50LVN0eWxlLVR5cGUiIGNvbnRlbnQ9InRleHQvY3NzIj4KPHRp
 			dGxlPjwvdGl0bGU+CjxtZXRhIG5hbWU9IkdlbmVyYXRvciIgY29u
 			dGVudD0iQ29jb2EgSFRNTCBXcml0ZXIiPgo8bWV0YSBuYW1lPSJD
-			b2NvYVZlcnNpb24iIGNvbnRlbnQ9IjEyNjUuMjEiPgo8c3R5bGUg
+			b2NvYVZlcnNpb24iIGNvbnRlbnQ9IjEzNDguMTciPgo8c3R5bGUg
 			dHlwZT0idGV4dC9jc3MiPgo8L3N0eWxlPgo8L2hlYWQ+Cjxib2R5
 			Pgo8L2JvZHk+CjwvaHRtbD4K
 			</data>

FV2AuthPlugin-Installer/build/FV2AuthPlugin.bundle/Contents/Info.plist → FV2AuthPlugin-Installer/FV2AuthPlugin.bundle/Contents/Info.plist

@@ -3,7 +3,7 @@
 <plist version="1.0">
 <dict>
 	<key>BuildMachineOSBuild</key>
-	<string>13F34</string>
+	<string>14E46</string>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>en</string>
 	<key>CFBundleExecutable</key>
@@ -17,25 +17,25 @@
 	<key>CFBundlePackageType</key>
 	<string>BNDL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>0.1</string>
+	<string>0.2.1</string>
 	<key>CFBundleSignature</key>
 	<string>????</string>
 	<key>CFBundleVersion</key>
-	<string>1</string>
+	<string>0.2.1</string>
 	<key>DTCompiler</key>
 	<string>com.apple.compilers.llvm.clang.1_0</string>
 	<key>DTPlatformBuild</key>
-	<string>6A313</string>
+	<string>6D2105</string>
 	<key>DTPlatformVersion</key>
 	<string>GM</string>
 	<key>DTSDKBuild</key>
-	<string>13F26</string>
+	<string>12F37</string>
 	<key>DTSDKName</key>
-	<string>macosx10.9</string>
+	<string>macosx10.8</string>
 	<key>DTXcode</key>
-	<string>0600</string>
+	<string>0632</string>
 	<key>DTXcodeBuild</key>
-	<string>6A313</string>
+	<string>6D2105</string>
 	<key>NSHumanReadableCopyright</key>
 	<string>Copyright © 2015 NIH. All rights reserved.</string>
 </dict>

FV2AuthPlugin-Installer/postinstall

@@ -1,4 +1,4 @@
-#!/usr/bin/env python2.6
+#!/usr/bin/python
 
 # Copyright 2015 Thomas Burgin.
 #
@@ -23,23 +23,6 @@ import sys
 
 mechs_to_add = ["FV2AuthPlugin:add-users,privileged"]
 
-if "check_output" not in dir(subprocess):
-    def f(*popenargs, **kwargs):
-        if 'stdout' in kwargs:
-            raise ValueError('stdout argument not allowed, it will be overridden.')
-        process = subprocess.Popen(stdout=subprocess.PIPE, *popenargs, **kwargs)
-        output, unused_err = process.communicate()
-        retcode = process.poll()
-        if retcode:
-            cmd = kwargs.get("args")
-            if cmd is None:
-                cmd = popenargs[0]
-            raise subprocess.CalledProcessError(retcode, cmd)
-        return output
-
-    subprocess.check_output = f
-
-
 def bash_command(script):
     try:
         return subprocess.check_output(script)

FV2AuthPlugin-Uninstaller/postinstall

@@ -24,23 +24,6 @@ import shutil
 
 mechs_to_remove = ["FV2AuthPlugin:add-users,privileged"]
 
-if "check_output" not in dir(subprocess):
-    def f(*popenargs, **kwargs):
-        if 'stdout' in kwargs:
-            raise ValueError('stdout argument not allowed, it will be overridden.')
-        process = subprocess.Popen(stdout=subprocess.PIPE, *popenargs, **kwargs)
-        output, unused_err = process.communicate()
-        retcode = process.poll()
-        if retcode:
-            cmd = kwargs.get("args")
-            if cmd is None:
-                cmd = popenargs[0]
-            raise subprocess.CalledProcessError(retcode, cmd)
-        return output
-
-    subprocess.check_output = f
-
-
 def bash_command(script):
     try:
         return subprocess.check_output(script)

FV2AuthPlugin.xcodeproj/project.pbxproj

@@ -10,19 +10,29 @@
 		D247C39D1AFBC47F00DECC5E /* FV2AuthPluginMechanism.m in Sources */ = {isa = PBXBuildFile; fileRef = D247C39C1AFBC47F00DECC5E /* FV2AuthPluginMechanism.m */; };
 		D257FDEF1AF95F99008A75C8 /* OpenDirectory.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = D257FDEE1AF95F99008A75C8 /* OpenDirectory.framework */; };
 		D2772B261AF934D000B390A0 /* AuthorizationPlugin.m in Sources */ = {isa = PBXBuildFile; fileRef = D2772B251AF934D000B390A0 /* AuthorizationPlugin.m */; };
-		D28055361A8AD195006880C9 /* libodfde.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = D28055351A8AD195006880C9 /* libodfde.dylib */; };
-		D28055381A8AD19B006880C9 /* libcsfde.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = D28055371A8AD19B006880C9 /* libcsfde.dylib */; };
 		D29783991A8AD90500A42A81 /* CreateLocalAdminUser.m in Sources */ = {isa = PBXBuildFile; fileRef = D29783981A8AD90500A42A81 /* CreateLocalAdminUser.m */; };
+		D2D5CE381B55AD4F00D5FBEC /* FV2AuthPlugin.bundle in CopyFiles */ = {isa = PBXBuildFile; fileRef = D28735C71A8A82DE0071A420 /* FV2AuthPlugin.bundle */; settings = {ATTRIBUTES = (CodeSignOnCopy, ); }; };
 /* End PBXBuildFile section */
 
+/* Begin PBXCopyFilesBuildPhase section */
+		D2D5CE351B55A55300D5FBEC /* CopyFiles */ = {
+			isa = PBXCopyFilesBuildPhase;
+			buildActionMask = 12;
+			dstPath = "$SRCROOT/FV2AuthPlugin-Installer";
+			dstSubfolderSpec = 0;
+			files = (
+				D2D5CE381B55AD4F00D5FBEC /* FV2AuthPlugin.bundle in CopyFiles */,
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
+/* End PBXCopyFilesBuildPhase section */
+
 /* Begin PBXFileReference section */
 		D247C39B1AFBC47F00DECC5E /* FV2AuthPluginMechanism.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = FV2AuthPluginMechanism.h; sourceTree = "<group>"; };
 		D247C39C1AFBC47F00DECC5E /* FV2AuthPluginMechanism.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = FV2AuthPluginMechanism.m; sourceTree = "<group>"; };
 		D257FDEE1AF95F99008A75C8 /* OpenDirectory.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = OpenDirectory.framework; path = System/Library/Frameworks/OpenDirectory.framework; sourceTree = SDKROOT; };
 		D2772B241AF934D000B390A0 /* AuthorizationPlugin.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AuthorizationPlugin.h; path = ../AuthorizationPlugin.h; sourceTree = "<group>"; };
 		D2772B251AF934D000B390A0 /* AuthorizationPlugin.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = AuthorizationPlugin.m; path = ../AuthorizationPlugin.m; sourceTree = "<group>"; };
-		D28055351A8AD195006880C9 /* libodfde.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libodfde.dylib; path = usr/lib/libodfde.dylib; sourceTree = SDKROOT; };
-		D28055371A8AD19B006880C9 /* libcsfde.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libcsfde.dylib; path = usr/lib/libcsfde.dylib; sourceTree = SDKROOT; };
 		D28735C71A8A82DE0071A420 /* FV2AuthPlugin.bundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = FV2AuthPlugin.bundle; sourceTree = BUILT_PRODUCTS_DIR; };
 		D28735CB1A8A82DE0071A420 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 		D29783971A8AD90500A42A81 /* CreateLocalAdminUser.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CreateLocalAdminUser.h; path = "Open Directory/CreateLocalAdminUser.h"; sourceTree = "<group>"; };
@@ -35,8 +45,6 @@
 			buildActionMask = 2147483647;
 			files = (
 				D257FDEF1AF95F99008A75C8 /* OpenDirectory.framework in Frameworks */,
-				D28055381A8AD19B006880C9 /* libcsfde.dylib in Frameworks */,
-				D28055361A8AD195006880C9 /* libodfde.dylib in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -56,8 +64,6 @@
 			isa = PBXGroup;
 			children = (
 				D257FDEE1AF95F99008A75C8 /* OpenDirectory.framework */,
-				D28055371A8AD19B006880C9 /* libcsfde.dylib */,
-				D28055351A8AD195006880C9 /* libodfde.dylib */,
 			);
 			name = libs;
 			sourceTree = "<group>";
@@ -118,6 +124,8 @@
 				D28735C31A8A82DE0071A420 /* Sources */,
 				D28735C41A8A82DE0071A420 /* Frameworks */,
 				D28735C51A8A82DE0071A420 /* Resources */,
+				D2D5CE351B55A55300D5FBEC /* CopyFiles */,
+				D2D5CE371B55A56600D5FBEC /* ShellScript */,
 			);
 			buildRules = (
 			);
@@ -169,6 +177,22 @@
 		};
 /* End PBXResourcesBuildPhase section */
 
+/* Begin PBXShellScriptBuildPhase section */
+		D2D5CE371B55A56600D5FBEC /* ShellScript */ = {
+			isa = PBXShellScriptBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+			);
+			inputPaths = (
+			);
+			outputPaths = (
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+			shellPath = /bin/sh;
+			shellScript = "## Clean the build folder\n/bin/rm -r \"$SRCROOT/build\"\n\n## Build the Installer\n/usr/local/bin/packagesbuild -v \"$SRCROOT/FV2AuthPlugin-Installer/FV2AuthPlugin-Installer.pkgproj\"\n\n## Build the UnInstaller\n/usr/local/bin/packagesbuild -v \"$SRCROOT/FV2AuthPlugin-Uninstaller/FV2AuthPlugin-Uninstaller.pkgproj\"\n\n## Create a build folder\nversion=`/usr/libexec/PlistBuddy -c \"Print :CFBundleVersion\" \"$SRCROOT/FV2AuthPlugin-Installer/FV2AuthPlugin.bundle/Contents/Info.plist\"`\n/bin/mkdir \"$SRCROOT/build\"\n/bin/mkdir \"$SRCROOT/build/FV2AuthPlugin-$version\"\n\n## Sign the installers and copy to the build folder\n/usr/bin/productsign --sign \"Developer ID Installer:\" \"$SRCROOT/FV2AuthPlugin-Installer/build/FV2AuthPlugin-Installer.pkg\" \"$SRCROOT/build/FV2AuthPlugin-$version/FV2AuthPlugin-Installer-$version.pkg\"\n/usr/bin/productsign --sign \"Developer ID Installer:\" \"$SRCROOT/FV2AuthPlugin-Uninstaller/build/FV2AuthPlugin-Uninstaller.pkg\" \"$SRCROOT/build/FV2AuthPlugin-$version/FV2AuthPlugin-Uninstaller-$version.pkg\"\n\n## Create the DMG\n/usr/bin/hdiutil create -volname \"FV2AuthPlugin-$version\" -srcfolder \"$SRCROOT/build/FV2AuthPlugin-$version\" -ov -format UDZO build/\"FV2AuthPlugin-Installer-$version\".dmg\n/bin/rm -r \"$SRCROOT/build/FV2AuthPlugin-$version\"\n";
+		};
+/* End PBXShellScriptBuildPhase section */
+
 /* Begin PBXSourcesBuildPhase section */
 		D28735C31A8A82DE0071A420 /* Sources */ = {
 			isa = PBXSourcesBuildPhase;

FV2AuthPlugin/Info.plist

@@ -15,13 +15,13 @@
 	<key>CFBundlePackageType</key>
 	<string>BNDL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>0.1</string>
+	<string>0.2.1</string>
 	<key>CFBundleSignature</key>
 	<string>????</string>
-	<key>CFBundleVersion</key>
-	<string>1</string>
 	<key>NSHumanReadableCopyright</key>
 	<string>Copyright © 2015 NIH. All rights reserved.</string>
+	<key>CFBundleVersion</key>
+	<string>0.2.1</string>
 	<key>NSPrincipalClass</key>
 	<string></string>
 </dict>

Mechanisms/FV2AuthPluginMechanism.h

@@ -8,6 +8,7 @@
 
 #import <Foundation/Foundation.h>
 #import "AuthorizationPlugin.h"
+#include <dlfcn.h>
 
 @interface FV2AuthPluginMechanism : NSObject
 /**

Mechanisms/FV2AuthPluginMechanism.m

@@ -13,55 +13,100 @@ @implementation FV2AuthPluginMechanism
 + (OSStatus) runMechanism:(MechanismRecord*)mechanism {
 
     NSLog(@"FV2AuthPlugin:MechanismInvoke:AddUsers *************************************");
+
     OSStatus err;
     const AuthorizationValue *value;
     AuthorizationContextFlags   flags;
     CFStringRef username;
     CFStringRef password;
 
-    // Get auth user username
+    // Open libcsfde.dylib.
+    void *libcsfde_handle = dlopen("libcsfde.dylib", RTLD_LOCAL | RTLD_LAZY);
+    if (!libcsfde_handle) {
+        NSLog(@"FV2AuthPlugin:[!] [%s] Unable to load library: %s\n", __FILE__, dlerror());
+        err = mechanism->fPlugin->fCallbacks->SetResult(mechanism->fEngine, kAuthorizationResultAllow);
+        return err;
+    }
+
+    // Open libodfde.dylib.
+    void *libodfde_handle = dlopen("libodfde.dylib", RTLD_LOCAL | RTLD_LAZY);
+    if (!libodfde_handle) {
+        NSLog(@"FV2AuthPlugin:[!] [%s] Unable to load library: %s\n", __FILE__, dlerror());
+        err = mechanism->fPlugin->fCallbacks->SetResult(mechanism->fEngine, kAuthorizationResultAllow);
+        return err;
+    }
+
+    // Grab the CSFDEStorePassphrase symbol
+    CFStringRef (*CSFDEStorePassphrase)(const char *password) = dlsym(libcsfde_handle, "CSFDEStorePassphrase");
+    if (!CSFDEStorePassphrase) {
+        NSLog(@"FV2AuthPlugin:[!] [%s] Unable to get symbol: %s\n", __FILE__, dlerror());
+        err = mechanism->fPlugin->fCallbacks->SetResult(mechanism->fEngine, kAuthorizationResultAllow);
+        return err;
+    }
+
+    // Grab the ODFDEAddUser symbol
+    BOOL (*ODFDEAddUser)(CFStringRef authuser, CFStringRef authpass, CFStringRef username, CFStringRef password) = dlsym(libodfde_handle, "ODFDEAddUser");
+    if (!ODFDEAddUser) {
+        NSLog(@"FV2AuthPlugin:[!] [%s] Unable to get symbol: %s\n", __FILE__, dlerror());
+        err = mechanism->fPlugin->fCallbacks->SetResult(mechanism->fEngine, kAuthorizationResultAllow);
+        return err;
+    }
+
+    // Get the AuthorizationEnvironmentUsername
     err = noErr;
+    NSLog(@"FV2AuthPlugin:[+] Attempting to receive kAuthorizationEnvironmentUsername");
     err = mechanism->fPlugin->fCallbacks->GetContextValue(mechanism->fEngine, kAuthorizationEnvironmentUsername, &flags, &value);
-    if (err == noErr) {
+    if (err == noErr && (value->length > 0) && (((const char *) value->data)[value->length - 1] == 0)) {
         username = CFStringCreateWithCString(NULL, (const char *) value->data, kCFStringEncodingUTF8);
+        NSLog(@"FV2AuthPlugin:[+] kAuthorizationEnvironmentUsername [%@] was used.", username);
     } else {
+        NSLog(@"FV2AuthPlugin:[!] kAuthorizationEnvironmentUsername was unreadable.");
         err = mechanism->fPlugin->fCallbacks->SetResult(mechanism->fEngine, kAuthorizationResultAllow);
         return err;
     }
 
-    // Get auth user password
+    // Get the kAuthorizationEnvironmentPassword
     err = noErr;
+    NSLog(@"FV2AuthPlugin:[+] Attempting to receive kAuthorizationEnvironmentPassword");
     err = mechanism->fPlugin->fCallbacks->GetContextValue(mechanism->fEngine, kAuthorizationEnvironmentPassword, &flags, &value);
-    if (err == noErr) {
+    if (err == noErr && (value->length > 0) && (((const char *) value->data)[value->length - 1] == 0)) {
         password = CSFDEStorePassphrase((const char *) value->data);
+        NSLog(@"FV2AuthPlugin:[+] kAuthorizationEnvironmentPassword received");
     } else {
+        NSLog(@"FV2AuthPlugin:[!] kAuthorizationEnvironmentPassword was unreadable.");
         err = mechanism->fPlugin->fCallbacks->SetResult(mechanism->fEngine, kAuthorizationResultAllow);
         return err;
     }
 
     // Define temp's username and password
-    NSString *temp_admin_username = @"fv2authplugin";
-    NSString *temp_password = @"password123";
+    NSString *temp_admin_username = [[NSUUID UUID] UUIDString];
+    NSString *temp_password = [[NSUUID UUID] UUIDString];
 
     // Create a temp admin account
     CreateLocalAdminUser *createLocalAdminUser = [[CreateLocalAdminUser alloc] init];
     BOOL ret = [createLocalAdminUser createRecord:temp_admin_username tempPassword:temp_password];
 
     if (ret == 0) {
-        NSLog(@"Failed to create authenticating admin account. Exiting");
+        NSLog(@"FV2AuthPlugin:[!] Failed to create authenticating admin account. Exiting");
         err = mechanism->fPlugin->fCallbacks->SetResult(mechanism->fEngine, kAuthorizationResultAllow);
         return err;
     }
 
     CFStringRef user_auth = CFStringCreateWithCString(NULL, (const char *)[temp_admin_username UTF8String], kCFStringEncodingUTF8);
     CFStringRef pass_auth = CSFDEStorePassphrase((const char *)[temp_password UTF8String]);
 
-    NSLog(@"ODFDEAddUser [%hhd]", ODFDEAddUser(user_auth, pass_auth, username, password));
+    // Try and add the user
+    ret = ODFDEAddUser(user_auth, pass_auth, username, password);
+    if (ret) {
+        NSLog(@"FV2AuthPlugin:User:[+] Success [%@] added to FV2", (__bridge NSString*)username);
+    } else {
+        NSLog(@"FV2AuthPlugin:User:[!] FAIL. User [%@] NOT added to FV2", (__bridge NSString*)username);
+    }
 
     // Delete the temp admin user
     [createLocalAdminUser destoryCreatedRecord];
 
-    NSLog(@"Done. Exiting");
+    NSLog(@"FV2AuthPlugin:[+] Done. Thanks and have a lovely day.");
     err = mechanism->fPlugin->fCallbacks->SetResult(mechanism->fEngine, kAuthorizationResultAllow);
     return err;