SFAuthorizationPluginView without UI - macos

I have been crawling through various forums and blogs for an AuthorizationPlugin example or understanding which can show me how to create a mac authorization plugin that do not affect any UI components. I want to use it for a remote access kind of solution. I have been able to get NameAndPasswordPlugin example work. But I am not able to achieve below requirements:
Do not change the default UI. i.e not have any custom UI components
Ability to read and write into default UI fields, especially username (if any) and password
Work on need basis. i.e. I need the mechanism to pass through when remote access session is not ON. In that case I want it to fall back to loginwindow:login mechanism
Also how would it communicate with outside world ? I was not able to read or write into files from plugin. I saw an example where some pipes where used. not sure what the recommended method

You don't need a SFAuthorizationPluginView, you just need an authorization plugin. You insert your plugin into the list of plugins and it can read from contexts set by previous plugins and write to or create contexts for later plugins.
For example, if you are working with console login this bash command shows you what mechanisms are configured (mechanisms are instances of a plugin)
security authorizationdb read system.login.console
If you add your plugin after builtin:authenticate,privileged then you can use this code in your mechanismInvoke function to read the values.
err = mechanism->fPlugin->fCallbacks->GetHintValue(mechanism->fEngine, "username", &value);
if (err == noErr) {
//Log the event
os_log(OS_LOG_DEBUG, "Login for user '%{public}s'.",(const char *)value->data);
}
where mechanism->fPlugin->fCallbacks->GetHintValue and mechanism->fEngine are the callback and engineref you setup as part of your plugin. There is also a "SetContextValue" function for writing the username or password.

You will need to write an authorization plugin which will set the context values "username" (kAuthorizationEnvironmentUsername) and "password" (kAuthorizationEnvironmentPassword). Then set result as kAuthorizationResultAllow. You would also need to place your plugin just before loginwindow:login.

Related

OS X custom login authentication

My Requirement
I need to authenticate the users at login with my own logic like, For eg: calling an external authentication server and using OpenDirectory in case if the server is not reachable.
What I know
I know that i need to create an authorization plugin like the apple's sample NullAuthPlugin and add an entry in authorizationdb at 'system.login.console' right to invoke my plugin to achieve this.
What I need
Can I able to achieve my requirement without replacing the loginwindow GUI ie the mechanism <string>loginwindow:login</string>??
ie,Can i able to achieve this by keeping the existing mac's login screen as such and obtain the credentials to perform my own authentication ?? If possbile where should i place my mechanism at 'system.login.console' ?
My idea
I think of replacing the <string>builtin:authenticate,privileged</string> with my own plugin to achieve my requirement ? Is it OK to replace the buitin login mechanism ?
Is my approach correct ? Can anyone help me to clarify regarding this ?
From what I understood you can create an authorizationplugin and put it after <string> loginwindow: login </ string>.
It will not replace the macOS auth but it will add a layer, I'm not sure what it will look like if you remove <string> builtin: authenticate, privileged </ string>, but I think I remember that I tried something like that and it was crashing.
Otherwise you can also write a PAM module, the PAM stack is just invoked on it: <string> builtin: authenticate, privileged </ string>
If you add a module with sufficient control flag on /etc/pam.d/authorization file it will do the job.

Flash message require session

I'm trying to use express-flash in a standard web express js app. I don't want to use session, because I want to do the app as stateless as possible, but when I try to use without session, the app show me this error:
req.flash() requires sessions
Can I use express-flash without session? Can I use other alternatives for this kind of messages?
Thanks.
Note: A flash message is a variable stored within a session that is only available once, for the next request. That is if we put a flash variable and renders a page, the flash variable is available but if we render the same (or other) page again the flash variable is not present (it is destroyed).
-- acanimal
Based on this premise, you need to have sessions to use message flashing.
One way I think you can accomplish what you want is to add an item to the request (req) object in your middleware, and then in your controller, check if the key exists. You can then pass a specific message to your template, assuming you're using a template engine or pass it as part of your response.
Hope this helps.

Microsoft Edge browser how to read Clipboard data

I am unable to read clipboard data in Microsoft Edge browser. i am using the below javascript.
if (window.clipboardData && window.clipboardData.getData) { // IE
pastedText = window.clipboardData.getData('Text');
} else if (e.clipboardData && e.clipboardData.getData) { //non-IE
pastedText = e.clipboardData.getData('text/plain');
}
Non of the if/elseif block is executed in Edge. I tried using
e.originalEvent.clipboardData.getData('text/plain');
But I am getting 'Access is denied.' error.
Let me know, if anybody know how to fix this issue.
Edge does not currently support the clipboard api, but it is under consideration and likely to be added in near future.
I do not have edge, but it seems that you are not authorized to access the clipboard data. Is this on a website or are you calling this from within a JavaScript script executed locally?
Make sure the website is in the trusted sites.
See https://w3c.github.io/clipboard-apis/#clipboard-event-interfaces, or more precisely:
12.1 Privacy concerns
Untrusted scripts should not get uncontrolled access to a user's clipboard data. This specification assumes that granting access to the current clipboard data when a user explicitly initiates a paste operation from the user agent's trusted chrome is acceptable. However, implementors must proceed carefully, and as a minimum implement the precautions below:
Objects implementing the DataTransfer interface to return clipboard data must not be available outside the ClipboardEvent event handler.
If a script stores a reference to an object implementing the DataTransfer interface to use from outside the ClipboardEvent event handler, all methods must be no-ops when called outside the expected context.
Implementations must not let scripts create synthetic clipboard events to get access to real clipboard data except if configured to do so.
Implementations should not let scripts call document.execCommand('paste') unless the user has explicitly allowed it.
Implementations may choose to further limit the functionality provided by the DataTransfer interface. For example, an implementation may allow the user to disable this API, or configure which web sites should be granted access to it.

How do I run/call/kickoff an external program (custom code) whenever certain attributes or objects are added or modified in OpenDJ’s database?

How do I run/call/kickoff an external program (custom code) whenever certain attributes or objects are added or modified in OpenDJ’s database?
Here is my real world need. (Feel free to change my thought direction entirely).
Whenever a new email address gets created or changed in the OpenDJ database I want to initiate some java code that does some email verification/validation (send the “click here” link with a token to prove the user owns the email they just signed up with).
I know, I could use OpenIDM/AM to accomplish this but to take this a step further I need to validate other information and other credentials (custom) which users supply that are not supported by OpenIDM/AM suites.
Initiating/calling custom code upon ADD or MODIFY of specific objects and attributes is what I want and would like to know how to accomplish this. Preferably without having to scrape logs.
Please Help.
Chad
OpenDJ has a plugin interface where you can plug Java calls on Add or Modify. A sample of this kind of plugin is the attribute uniqueness which verifies that some attributes have a unique value in the directory.
The plugin interface javadoc can be found here : http://docs.forgerock.org/en/opendj/2.6.0/javadoc/org/opends/server/api/plugin/DirectoryServerPlugin.html

Is it possible to get parameters of an unpublished plugin without querying the database directly?

Is there a Joomla 2.5.x API that would allow for retrieval of a plugin information(i.e. parameters) if the desired plugin is unpublished?
Why: We have a few plugins that are only enabled in production and I'm looking for a way to get at some of the parameters programmatically and without querying the database directly.
Try something like
$userPlugin = JPluginHelper::getPlugin('user', 'joomla'); // group, specific - optional
$userPluginParams = new JRegistry();
$userPluginParams->loadString($userPlugin->params); //get the string as a jregistry
$useStrongEncryption = $userPluginParams->get('strong_passwords', 0); // get the one you want.
Here's a workaround to make it not run but still able to get:
Okay how about this for a trick/workaround. Did you realize plugins have access levels? Why don't you create an access level with no one in it and assign to the plugin as the only level it runs for. Then you can publish it but it won't run.

Resources