Merge branch 'master' of https://github.com/grahamgilbert/crypt

Author: grahamgilbert

Crypt.xcodeproj/project.pbxproj

@@ -338,7 +338,7 @@
 				SWIFT_COMPILATION_MODE = singlefile;
 				SWIFT_OBJC_BRIDGING_HEADER = "Crypt/Crypt-Bridging-Header.h";
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
-				SWIFT_SWIFT3_OBJC_INFERENCE = On;
+				SWIFT_SWIFT3_OBJC_INFERENCE = Default;
 				SWIFT_VERSION = 4.0;
 				WRAPPER_EXTENSION = bundle;
 			};
@@ -367,7 +367,7 @@
 				PROVISIONING_PROFILE_SPECIFIER = "";
 				SKIP_INSTALL = YES;
 				SWIFT_OBJC_BRIDGING_HEADER = "Crypt/Crypt-Bridging-Header.h";
-				SWIFT_SWIFT3_OBJC_INFERENCE = On;
+				SWIFT_SWIFT3_OBJC_INFERENCE = Default;
 				SWIFT_VERSION = 4.0;
 				WRAPPER_EXTENSION = bundle;
 			};

Crypt/Info.plist

@@ -19,7 +19,7 @@
 	<key>CFBundleSignature</key>
 	<string>????</string>
 	<key>CFBundleVersion</key>
-	<string>3.1.2</string>
+	<string>3.2.0</string>
 	<key>NSHumanReadableCopyright</key>
 	<string>Copyright © 2018 The Crypt Project. All rights reserved.</string>
 	<key>NSPrincipalClass</key>

Crypt/Mechanisms/Check.swift

@@ -28,7 +28,7 @@ class Check: CryptMechanism {
   // Preference bundle id
   fileprivate let bundleid = "com.grahamgilbert.crypt"
 
-  func run() {
+  @objc func run() {
     os_log("Starting run of Crypt.Check...", log: Check.log, type: .default)
 
     // check for ServerUrl
@@ -72,15 +72,32 @@ class Check: CryptMechanism {
 
       // Check to see if our recovery key exists at the OutputPath Preference.
       let recoveryKeyExists: Bool = checkFileExists(path: filepath)
+      let genKey = getGenerateNewKey()
+      let generateKey : Bool = genKey.generateKey
+      let forcedKey : Bool = genKey.forcedKey
 
-      if !recoveryKeyExists && !removePlist && rotateKey {
+      if (!recoveryKeyExists && !removePlist && rotateKey) || generateKey {
+        if forcedKey {
+          os_log("WARNING!!!!!! GenerateNewKey is set to True, but it's a Managed Preference, you probably don't want to do this. Please change to a non Managed value.", log: Check.log, type: .error)
+          self.needsEncryption = false
+          _ = allowLogin()
+          return;
+        }
         // If key is missing from disk and we aren't supposed to remove it we should generate a new key...
-        os_log("Key is missing at %{public}@, and RemovePlist is False. And RotateKey is True, Attempting to generate a new key...", log: Check.log, type: .error, String(describing: filepath))
+        os_log("Conditions for making a new key have been met. Attempting to generate a new key...", log: Check.log, type: .default)
         do {
           try _ = rotateRecoveryKey(the_settings, filepath: filepath)
         } catch let error as NSError {
           os_log("Caught error trying to rotate recovery key: %{public}@", log: Check.log, type: .error, error.localizedDescription)
         }
+        
+        if generateKey {
+          os_log("We've rotated the key and GenerateNewKey was True, setting to False to avoid multiple generations", log: Check.log, type: .default)
+          // set to false for house keeping
+          _ = CFPreferencesSetValue("GenerateNewKey" as CFString, false as CFPropertyList, bundleid as CFString, kCFPreferencesAnyUser, kCFPreferencesAnyHost)
+          // delete from root if set there.
+          _ = CFPreferencesSetAppValue("GenerateNewKey" as CFString, nil, bundleid as CFString)
+        }
         self.needsEncryption = false
         _ = allowLogin()
         return;
@@ -228,6 +245,13 @@ class Check: CryptMechanism {
     return removeplist
   }
 
+  fileprivate func getGenerateNewKey() -> (generateKey: Bool, forcedKey: Bool) {
+    let forcedKey : Bool = CFPreferencesAppValueIsForced("GenerateNewKey" as CFString, bundleid as CFString)
+    guard let genkey : Bool = CFPreferencesCopyAppValue("GenerateNewKey" as CFString, bundleid as CFString) as? Bool
+      else {return (false, forcedKey)}
+    return (genkey, forcedKey)
+  }
+
   func rotateRecoveryKey(_ theSettings : NSDictionary, filepath : String) throws -> Bool {
     os_log("Attempting to Rotate Recovery Key...", log: Check.log, type: .default)
     let inputPlist = try PropertyListSerialization.data(fromPropertyList: theSettings,

Crypt/Mechanisms/CryptGUI.swift

@@ -19,7 +19,7 @@
 import Foundation
 
 class CryptGUI: CryptMechanism {
-  func run() {
+  @objc func run() {
     if (self.needsEncryption) {
       let promptWindowController = PromptWindowController.init()
       promptWindowController.mechanism = self.mechanism

Crypt/Mechanisms/CryptMechanism.swift

@@ -34,7 +34,7 @@ class CryptMechanism: NSObject {
   var mechanism:UnsafePointer<MechanismRecord>
 
   // init the class with a MechanismRecord
-  init(mechanism:UnsafePointer<MechanismRecord>) {
+  @objc init(mechanism:UnsafePointer<MechanismRecord>) {
     os_log("initWithMechanismRecord", log: CryptMechanism.log, type: .default)
     self.mechanism = mechanism
   }

Crypt/Mechanisms/Enablement.swift

@@ -29,7 +29,7 @@ class Enablement: CryptMechanism {
   private static let log = OSLog(subsystem: "com.grahamgilbert.crypt", category: "Enablement")
   // This is the only public function. It will be called from the
   // ObjC AuthorizationPlugin class
-  func run() {
+  @objc func run() {
 
     if self.needsEncryption {
 

Example Crypt Profile.mobileconfig

@@ -41,6 +41,11 @@
                 <true/>
                 <key>OutputPath</key>
                 <string>/var/root/crypt_output.plist</string>
+                <key>PostRunCommand</key>
+                <array>
+                    <string>/usr/local/munki/managedsoftwareupdate</string>
+                    <string>--auto</string>
+                </array>
                 <key>KeyEscrowInterval</key>
                 <integer>1</integer>
                 <key>PayloadEnabled</key>

Package/checkin

@@ -8,6 +8,7 @@ import sys
 import datetime
 import syslog
 import platform
+import json
 from distutils.version import LooseVersion
 
 import FoundationPlist
@@ -133,14 +134,42 @@ def escrow_key(plist):
     task = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                             stderr=subprocess.PIPE)
     (output, error) = task.communicate()
+
     if task.returncode == 0:
         logging.info('Key escrow successful.')
+        server_initiated_rotation(output)
         return True
     else:
         logging.error('Key escrow unsuccessful.')
         return False
 
 
+def server_initiated_rotation(output):
+    """
+    Rotate the key if the server tells us to.
+    We need the old key to be present on disk and RotateUsedKey to be True
+    """
+    try:
+        json_output = json.loads(output)
+    except ValueError:
+        return ''
+
+    if not pref('RotateUsedKey') or pref('RemovePlist'):
+        # Don't do anything if we don't care about the good stuff
+        return ''
+
+    output_plist = pref('OutputPath')
+    if not os.path.isfile(output_plist):
+        # Need this to be here too (which it should, but you never know..)
+        return ''
+
+    if json_output.get('rotation_required', False):
+        logging.info('Removing output plist for rotation at next login.')
+        os.remove(output_plist)
+
+    post_run_command()
+
+
 def using_recovery_key():
     """Check if FileVault is currently unlocked using
     the recovery key.
@@ -158,6 +187,18 @@ def using_recovery_key():
         return False
 
 
+def post_run_command():
+    run_command = pref('PostRunCommand')
+    output_plist = pref('OutputPath')
+    if run_command and not os.path.isfile(output_plist):
+        logging.info('Running {}'.format(run_command))
+        try:
+            output = subprocess.check_output(run_command)
+            logging.info(output)
+        except subprocess.CalledProcessError as e:
+            logging.error('Failed to run PostRunCommand: {}'.format(e))
+
+
 def get_recovery_key(key_location):
     """Returns recovery key as a string... If we failed
     to get the proper information, returns an empty string"""
@@ -194,7 +235,7 @@ def rotate_invalid_key(plist_path):
         logging.warning('macOS version is too old to run reliably')
         return False
 
-    if os.path.exists(plist_path):
+    if os.path.isfile(plist_path):
         recovery_key = get_recovery_key(plist_path)
     else:
         logging.warning('Recovery key is not present on disk')
@@ -299,6 +340,7 @@ def main():
     if pref('RotateUsedKey') and pref('ValidateKey') and \
     not pref('RemovePlist'):
         rotate_invalid_key(plist_path)
+        post_run_command()
 
     if os.path.isfile(plist_path):
         plist = FoundationPlist.readPlist(plist_path)
@@ -326,14 +368,17 @@ def main():
                         escrow_interval))
                 sys.exit(0)
         escrow_result = escrow_key(plist=plist)
-        if escrow_result:
+        if escrow_result and os.path.isfile(plist_path):
             remove_plist = pref('RemovePlist')
             plist['escrow_success'] = True
             plist['last_run'] = datetime.datetime.now()
             FoundationPlist.writePlist(plist, plist_path)
             if remove_plist is True:
                 os.remove(plist_path)
                 logging.info('Removing plist due to configuration.')
+            else:
+                os.chmod(plist_path, 0600)
+                logging.info('Ensuring permissions on plist.')
 
 
 if __name__ == '__main__':

README.md

@@ -81,6 +81,10 @@ As of version 3.0.0 you can now define the time interval in Hours for how often
 $ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt KeyEscrowInterval -int 2
 ```
 
+### PostRunCommand
+
+(Introduced in version 3.2.0) This is a command that is run after Crypt has detected an error condition with a stored key that cannot be resolved silently - either it has failed validation or the server has instructed the client to rotate the key. These cannot be resolved silently on APFS volumes, so the user will need to log in again. If you have a tool that can enforce a logout or a reboot, you can run it here. This preference can either be a string if your command has no spaces, or an array if there are spaces in the command.
+
 
 ## Uninstalling