feat(mechanisms): add standard user support and network check (#12)

## Types of changes
<!-- What types of changes does your code introduce? Put an `x` in all
the boxes that apply: -->
- [ ] Bug fix / Chore (PATCH) (non-breaking change which fixes an issue
or does not add functionality)
- [x] New feature (MINOR) (non-breaking change which adds functionality)
- [ ] Breaking change (MAJOR) (fix or feature that would cause existing
functionality to not work as expected)


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **New Features**
- Released version 1.1.0 with enhanced security settings and streamlined
login flows.
- Introduced proactive server connectivity checks and automatic
management of user privileges for smoother operation.
  - Added automated cleanup tasks that run on system startup.
- New methods for retrieving MDM server details and managing user
privileges.
  - Added a launch agent for executing cleanup scripts.

- **Chores**
- Updated system configurations to support the latest macOS
compatibility improvements.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: bsojka

Bootstrap Buddy/Bootstrap Buddy.xcodeproj/project.pbxproj

@@ -191,6 +191,7 @@
 				ENABLE_HARDENED_RUNTIME = NO;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
 				ENABLE_TESTABILITY = YES;
+				ENABLE_USER_SCRIPT_SANDBOXING = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu11;
 				GCC_DYNAMIC_NO_PIC = NO;
 				GCC_NO_COMMON_BLOCKS = YES;
@@ -205,7 +206,7 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
-				MACOSX_DEPLOYMENT_TARGET = 10.14;
+				MACOSX_DEPLOYMENT_TARGET = 13.5;
 				MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
 				MTL_FAST_MATH = YES;
 				ONLY_ACTIVE_ARCH = YES;
@@ -252,6 +253,7 @@
 				ENABLE_HARDENED_RUNTIME = NO;
 				ENABLE_NS_ASSERTIONS = NO;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
+				ENABLE_USER_SCRIPT_SANDBOXING = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu11;
 				GCC_NO_COMMON_BLOCKS = YES;
 				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
@@ -260,7 +262,7 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
-				MACOSX_DEPLOYMENT_TARGET = 10.14;
+				MACOSX_DEPLOYMENT_TARGET = 13.5;
 				MTL_ENABLE_DEBUG_INFO = NO;
 				MTL_FAST_MATH = YES;
 				"OTHER_CODE_SIGN_FLAGS[sdk=*]" = "--timestamp";
@@ -285,8 +287,8 @@
 				INFOPLIST_KEY_NSHumanReadableCopyright = "@ 2024 Inetum Polska Sp. z o.o";
 				INFOPLIST_KEY_NSPrincipalClass = "";
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Security/SecurityAgentPlugins";
-				MACOSX_DEPLOYMENT_TARGET = "$(RECOMMENDED_MACOSX_DEPLOYMENT_TARGET)";
-				MARKETING_VERSION = 1.0.0;
+				MACOSX_DEPLOYMENT_TARGET = 13.5;
+				MARKETING_VERSION = 1.1.0;
 				OTHER_CODE_SIGN_FLAGS = "--timestamp";
 				PRODUCT_BUNDLE_IDENTIFIER = "com.inetum.Bootstrap-Buddy";
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -316,8 +318,8 @@
 				INFOPLIST_KEY_NSHumanReadableCopyright = "@ 2024 Inetum Polska Sp. z o.o";
 				INFOPLIST_KEY_NSPrincipalClass = "";
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Security/SecurityAgentPlugins";
-				MACOSX_DEPLOYMENT_TARGET = "$(RECOMMENDED_MACOSX_DEPLOYMENT_TARGET)";
-				MARKETING_VERSION = 1.0.0;
+				MACOSX_DEPLOYMENT_TARGET = 13.5;
+				MARKETING_VERSION = 1.1.0;
 				OTHER_CODE_SIGN_FLAGS = "--timestamp";
 				PRODUCT_BUNDLE_IDENTIFIER = "com.inetum.Bootstrap-Buddy";
 				PRODUCT_NAME = "$(TARGET_NAME)";

Bootstrap Buddy/Mechanisms/BBMechanism.swift

@@ -24,6 +24,7 @@
 //  https://github.com/grahamgilbert/crypt/
 
 import Foundation
+import Network
 import Security
 import os.log
 
@@ -105,11 +106,104 @@ class BBMechanism: NSObject {
         return s.replacingOccurrences(of: "\0", with: "") as NSString
     }
 
-    // profiles Errors
-    private enum ProfilesError: Error {
-        case profilesFailed(retCode: Int32)
-        case outputPlistNull
-        case outputPlistMalformed
+    // Get MDM Server FQDN and port:
+    func getMDMServerDetails() -> (fqdn: String, port: UInt16)? {
+        os_log("Getting MDM server details…", log: BBMechanism.log, type: .default)
+        let task = Process()
+        task.launchPath = "/usr/libexec/mdmclient"
+        task.arguments = ["DumpManagementStatus"]
+        let pipe = Pipe()
+        task.standardOutput = pipe
+        task.standardError = Pipe()
+        do {
+            try task.run()
+            task.waitUntilExit()
+
+            let exitStatus = task.terminationStatus
+            if exitStatus != 0 {
+                os_log("ERROR: mdmclient failed with non-zero exit status: %d", log: BBMechanism.log, type: .error, exitStatus)
+                return nil
+            }
+
+            let data = pipe.fileHandleForReading.readDataToEndOfFile()
+
+            guard let output: String = String(data: data, encoding: String.Encoding.utf8) else {
+                os_log("Unable to decode output.", log: BBMechanism.log, type: .error)
+                return nil
+            }
+
+            let regex = try NSRegularExpression(pattern: #"ServerURL = "(https?://[^"]+)""#, options: [])
+            guard let match = regex.firstMatch(in: output, options: [], range: NSRange(output.startIndex..., in: output)) else {
+                os_log("ServerURL not found.", log: BBMechanism.log, type: .error)
+                return nil
+            }
+
+            guard let matchRange = Range(match.range(at: 1), in: output) else {
+                os_log("Invalid regex match, crashing prevented.", log: BBMechanism.log, type: .error)
+                return nil
+            }
+
+            let urlString = String(output[matchRange])
+            os_log("Extracted ServerURL: %{public}@", log: BBMechanism.log, type: .debug, urlString)
+
+            if let urlComponents = URLComponents(string: urlString), let host = urlComponents.host {
+                let port = urlComponents.port ?? 443
+                os_log("Parsed FQDN: %{public}@, Port: %d", log: BBMechanism.log, type: .debug, host, port)
+                return (fqdn: host, port: UInt16(port))
+            } else {
+                os_log("Failed to parse URL components.", log: BBMechanism.log, type: .error)
+            }
+        } catch {
+            os_log("ERROR: %{public}@", log: BBMechanism.log, type: .error, error.localizedDescription)
+        }
+        return nil
+    }
+
+    // Function to check if the FQDN is reachable on the given port with detailed logging
+    func checkMDMReachability(fqdn: String, port: UInt16) -> (Bool) {
+        os_log("Checking reachability of %{public}@ on port %{public}@…", log: BBMechanism.log,
+               type: .default, String(fqdn), String(port))
+        guard let nwPort = NWEndpoint.Port(rawValue: port) else {
+            os_log("Invalid port number: %{public}@", log: BBMechanism.log, type: .error, String(port))
+            return false
+        }
+        let connection = NWConnection(host: NWEndpoint.Host(fqdn), port: nwPort, using: .tcp)
+        let semaphore = DispatchSemaphore(value: 0)
+        let queue = DispatchQueue(label: "com.inetum.Bootstrap-Buddy.checkMDM")
+        var isReachable = false
+        connection.stateUpdateHandler = { state in
+            queue.sync {
+                switch state {
+                case .setup:
+                    os_log("Connection setup initiated…", log: BBMechanism.log, type: .debug)
+                case .waiting(let reason):
+                    os_log("Connection waiting: %{public}@", log: BBMechanism.log, type: .debug, reason.localizedDescription)
+                case .preparing:
+                    os_log("Preparing connection…", log: BBMechanism.log, type: .debug)
+                case .ready:
+                    os_log("Connection successful!", log: BBMechanism.log, type: .default)
+                    isReachable = true
+                    semaphore.signal()
+                case .failed(let error):
+                    os_log("Connection failed: %{public}@", log: BBMechanism.log, type: .error, error.localizedDescription)
+                    semaphore.signal()
+                case .cancelled:
+                    os_log("Connection was cancelled.", log: BBMechanism.log, type: .debug)
+                default:
+                    os_log("Unexpected connection state: %{public}@", log: BBMechanism.log, type: .error, String(describing: state))
+                }
+            }
+        }
+        connection.start(queue: .global())
+        // Wait up to 5 seconds for a response:
+        let timeout = DispatchTime.now() + 5
+        if semaphore.wait(timeout: timeout) == .timedOut {
+            os_log("Timeout: No response received in 5 seconds.", log: BBMechanism.log, type: .error)
+            connection.cancel()
+            return false
+        }
+        connection.cancel()
+        return isReachable
     }
 
     // Check Bootstrap Token status, whether it's supported and escrowed:
@@ -121,6 +215,7 @@ class BBMechanism: NSObject {
         let pipe = Pipe()
         task.standardOutput = pipe
         task.launch()
+        task.waitUntilExit()
         let data = pipe.fileHandleForReading.readDataToEndOfFile()
         guard let output: String = String(data: data, encoding: String.Encoding.utf8)
         else { return (false, false) }
@@ -147,6 +242,7 @@ class BBMechanism: NSObject {
         let pipe = Pipe()
         task.standardOutput = pipe
         task.launch()
+        task.waitUntilExit()
         let data = pipe.fileHandleForReading.readDataToEndOfFile()
         guard let output: String = String(data: data, encoding: String.Encoding.utf8)
         else { return false }
@@ -158,4 +254,57 @@ class BBMechanism: NSObject {
             return false
         }
     }
+
+    // Check if user at login window is and admin:
+    func checkAdminStatus(username: String) -> (Bool) {
+        os_log("Checking if user \"%{public}@\" is an admin…", log: BBMechanism.log, type: .default, username)
+        let task = Process()
+        task.launchPath = "/usr/bin/dscl"
+        task.arguments = [".", "read", "/Groups/admin", "GroupMembership"]
+        let pipe = Pipe()
+        task.standardOutput = pipe
+        task.launch()
+        task.waitUntilExit()
+        let data = pipe.fileHandleForReading.readDataToEndOfFile()
+        guard let output: String = String(data: data, encoding: String.Encoding.utf8)
+        else { return false }
+        // Check if the username is in the output:
+        os_log("dscl output: %{public}@", log: BBMechanism.log, type: .debug, output)
+        os_log("Admin Status: %{public}@", log: BBMechanism.log, type: .debug, output.contains(username).description)
+        return output.contains(username)
+    }
+
+    // Elevate user to admin
+    func elevateUser(username: String) throws {
+        os_log("Temporarily adding user \"%{public}@\" to admin group…", log: BBMechanism.log, type: .default, username)
+        let task = Process()
+        task.launchPath = "/usr/bin/dscl"
+        task.arguments = [".", "append", "/Groups/admin", "GroupMembership", username]
+        task.launch()
+        task.waitUntilExit()
+        if task.terminationStatus != 0 {
+            let termstatus = String(describing: task.terminationStatus)
+            os_log(
+                "User elevation failed with a non-zero exit status: %{public}@",
+                log: BBMechanism.log, type: .error, termstatus)
+        }
+        os_log("User \"%{public}@\" elevated to admin.", log: BBMechanism.log, type: .default, username)
+    }
+
+    // Demote user to standard
+    func demoteUser(username: String) throws {
+        os_log("Removing user \"%{public}@\" from admin group…", log: BBMechanism.log, type: .default, username)
+        let task = Process()
+        task.launchPath = "/usr/bin/dscl"
+        task.arguments = [".", "delete", "/Groups/admin", "GroupMembership", username]
+        task.launch()
+        task.waitUntilExit()
+        if task.terminationStatus != 0 {
+            let termstatus = String(describing: task.terminationStatus)
+            os_log(
+                "User demotion failed with a non-zero exit status: %{public}@",
+                log: BBMechanism.log, type: .error, termstatus)
+        }
+        os_log("User \"%{public}@\" demoted to standard.", log: BBMechanism.log, type: .default, username)
+    }
 }

Bootstrap Buddy/Mechanisms/Invoke.swift

@@ -38,6 +38,23 @@ class Invoke: BBMechanism {
     @objc func run() {
         os_log("Starting Bootstrap Buddy:Invoke", log: Invoke.log, type: .default)
 
+        // Check MDM reachability
+        if let mdm = getMDMServerDetails() {
+            let fqdn: String = mdm.fqdn
+            let port: UInt16 = mdm.port
+
+            let reachable: Bool = checkMDMReachability(fqdn: fqdn, port: port)
+            if !reachable {
+                os_log("MDM server unreachable.", log: Invoke.log, type: .error)
+                allowLogin()
+                return
+            }
+        } else {
+            os_log("Unable to retrieve MDM server details.", log: Invoke.log, type: .error)
+            allowLogin()
+            return
+        }
+
         // Get Bootstrap Token status
         let bootstrapstatus = getBootstrapStatus()
         let btSupported: Bool = bootstrapstatus.supported
@@ -75,6 +92,22 @@ class Invoke: BBMechanism {
             return
         }
 
+        // Check if the user at login window is an admin
+        let adminUser: Bool = checkAdminStatus(username: username as String)
+
+        // Elevate if not an admin
+        if !adminUser {
+            do {
+                try elevateUser(username: username as String)
+            } catch {
+                os_log(
+                    "Failed to add user to admin group: %{public}@", log: Invoke.log,
+                    type: .error, error.localizedDescription)
+                allowLogin()
+                return
+            }
+        }
+
         // EscrowBootstrapToken is True, call profiles to escrow Bootstrap Token
         os_log("Escrowing Bootstrap Token…", log: Invoke.log, type: .default)
         do {
@@ -86,6 +119,17 @@ class Invoke: BBMechanism {
                 error.localizedDescription)
         }
 
+        // Demote previously elevated user
+        if !adminUser {
+            do {
+                try demoteUser(username: username as String)
+            } catch {
+                os_log(
+                    "ERROR: Failed to remove user from admin group: %{public}@", log: Invoke.log,
+                    type: .error, error.localizedDescription)
+            }
+        }
+
         allowLogin()
         return
     }

CHANGELOG.md

@@ -30,6 +30,18 @@ Nothing yet.
 - First removal.
 - Second removal. -->
 
+## [1.1.0] - 2025-03-20
+
+### Added
+
+- Temporary user account privileges elevation for successful Bootstrap Token escrow on standard accounts.
+- Vendor–agnostic MDM server reachability check.
+- Additional LaunchDaemon in scripts to facilitate frequent plugin testing.
+
+### Changed
+
+- Refactored code and updated project settings.
+
 ## [1.0.0] - 2024-10-19
 
 ### Added
@@ -57,7 +69,8 @@ Nothing yet.
 
 - Initial DevOps setup.
 
-[unreleased]: https://github.com/Inetum-Poland/bootstrap-buddy/compare/v1.0.0...HEAD
+[unreleased]: https://github.com/Inetum-Poland/bootstrap-buddy/compare/v1.1.0...HEAD
+[1.1.0]: https://github.com/Inetum-Poland/bootstrap-buddy/compare/v1.0.0...v1.1.0
 [1.0.0]: https://github.com/Inetum-Poland/bootstrap-buddy/compare/v0.0.3...v1.0.0
 [0.0.3]: https://github.com/Inetum-Poland/bootstrap-buddy/compare/v0.0.1...v0.0.3
 [0.0.1]: https://github.com/Inetum-Poland/bootstrap-buddy/releases/tag/v0.0.1

scripts/com.inetum.Bootstrap-Buddy.AuthDBTeardown.plist

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>KeepAlive</key>
+	<dict>
+		<key>SuccessfulExit</key>
+		<false/>
+	</dict>
+	<key>Label</key>
+	<string>com.inetum.Bootstrap-Buddy.AuthDBTeardown</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/bin/bash</string>
+		<string>-c</string>
+		<string>/Library/Security/SecurityAgentPlugins/Bootstrap\ Buddy.bundle/Contents/Resources/AuthDBTeardown.sh</string>
+	</array>
+	<key>RunAtLoad</key>
+	<true/>
+</dict>
+</plist>