Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature Request] Ability to get XCreds state via CLI #162

Open
bryanheinz opened this issue Jan 31, 2024 · 10 comments
Open

[Feature Request] Ability to get XCreds state via CLI #162

bryanheinz opened this issue Jan 31, 2024 · 10 comments
Assignees
Milestone

Comments

@bryanheinz
Copy link

As I roll out XCreds it would be nice to be able to check on the state of the rollout programmatically by polling my endpoints.

A "simple" solution could be for XCreds to write it's state to disk when it does a password check. A more complex, but long term (in my opinion) more useful solution could be an XCreds CLI tool that has a flag for getting the current state.

@bryanheinz
Copy link
Author

I was thinking through potential states that I would like to know about. I'm sure that I'll come up with more as I roll out XCreds 😅 For context, my usage is syncing existing macOS account passwords with an IdP and not utilizing the login window/account creation features – I'm sure using the login window feature would generate other states that would be useful to know about.

  • 'Initializing' – on first launch, the user hasn't entered their password and synchronized with the IdP. I want to know who's putting off syncing.
  • 'Synchronized' – Local and IdP passwords are synchronized.
  • 'Out of Sync' – Password differs between local and IdP and has had at least one successful initial synchronization.
  • 'Error' – Any sort of catch-all error state. Ability to get the error message via CLI would be excellent. More specific error states might be useful, but I won't know what those are until I run into them.

A related, but not necessarily a "state", info item would be the connection method/IdP – i.e. Active Directory, Azure IdP, Google IdP, Okta IdP, etc. This would help anyone who is in-between/switching methods/IdP's poll what endpoints are using what system.

@twocanoes twocanoes added this to the XCreds Future milestone Jun 17, 2024
@twocanoes
Copy link
Owner

Is this still wanted? waiting for more upvotes / feedback.

@bryanheinz
Copy link
Author

I'd still love to have this feature. While I’ve already rolled out XCreds, I'd still like to be able to output its status via CLI. I could then write a MunkiReports module, for instance, to get a birds eye view of my fleet and proactively reach out to users to resolve XCreds issues we might catch.

@twocanoes
Copy link
Owner

OK, i could implement it this way:

Initializing: no xcred entries in the keychain means no syncing happened.

Synchronized: I can only go by the last sync date. Not sure how I can tell if the current login password is the same as the IdP given that the IdP could have changed since the user last logged in. Perhaps not if they cancelled when prompted?

Out of Sync: I can only go by the last sync date. Not sure how I can tell if the current login password is the same as the IdP given that the IdP could have changed since the user last logged in. Perhaps not if they cancelled when prompted?

Error: Other?

Another option is to provide a "last synced" date for the user account and leave it up to you to determine what that means.

@bryanheinz
Copy link
Author

Sorry for the delayed response. First, I wouldn't hold back v5 for this. I'd rather see v5 released and collaborate on this than rush this out the door or hold v5 back for this.

The goal with my XCreds CLI request is to know the state that XCreds is in. The thought spawned from looking at the XCreds menu app "Credentials Status: " and wondering if that data was exposed anywhere for me to run reports on.

Reviewing your notes, it sounds like reporting the last successful sync status might be best and to nix the 'Synchronized' and 'Out of Sync' states I mentioned.

Would there be a way to report if there were any sync errors?

What about reporting the "Credentials Status" that I see in the menu bar?

I quickly browsed through the XCreds code and saw a few enum's that might be interesting to check via CLI. I'm curious if it'd be possible or even make sense to securely expose them:

  • PasswordUtils : PasswordError
  • PasswordUtils : PasswordVerificationResult
  • KeychainUtil : KeychainError

I'm greedily looking for any data that I can get my grubby little hands on to build out status dashboards or probe endpoints for issues without having to take over a user's computer.

I appreciate you looking into this with me ✌️

-bryan

@twocanoes twocanoes modified the milestones: XCreds Future, XCreds 5.1 Oct 17, 2024
@twocanoes twocanoes self-assigned this Oct 17, 2024
@davelebbing davelebbing modified the milestones: XCreds 5.1, XCreds Future Oct 22, 2024
@twocanoes
Copy link
Owner

I added a CLI interface to 5.2 (as of build 7289). I only have a few commands for status so far:

Mac:~ tperfitt$ /Applications/XCreds.app/Contents/MacOS/XCreds -h
OVERVIEW: Command line interface for XCreds.

USAGE: xcreds

OPTIONS:
-h, --help Show help information.

SUBCOMMANDS:
status Get status of XCreds
import-users Import users from a CSV for RFID login. Format:Full
Name,Username,Password,UID,RFID-UID. All imported
user data is encrypted with a ECC stored in the
system keychain and the encrypted data is stored in a
file located in /usr/local/var/twocanoes. The file is
only readable by root.
import-user Import an RFID user.
show-user Show RFID user.
show-users Show RFID users.
update-admin-user Set the current admin user used for resetting
keychain.
show-admin-user Show currently set admin user. Used for resetting
keychain.
clear-admin-user Clear the current admin user used for resetting
keychain.
clear-all-users Clear all users. Does not clear the admin user.
list-readers Listen and print the RFID of scanned cards.
rfid-listener Listen and print the RFID of scanned cards.
run-app (default) Start app normally.

See 'xcreds help ' for detailed help.

status shows:

Password:
----- CONSOLE RIGHTS -----
builtin:prelogin
builtin:policy-banner
loginwindow:login
builtin:login-begin
builtin:reset-password,privileged
loginwindow:FDESupport,privileged
builtin:forward-login,privileged
builtin:auto-login,privileged
builtin:authenticate,privileged
PKINITMechanism:auth,privileged
builtin:login-success
loginwindow:success
HomeDirMechanism:login,privileged
HomeDirMechanism:status
MCXMechanism:login
CryptoTokenKit:login
loginwindow:done
----- OIDC User Info -----
test
localUsername:test
oidcUsername: test
mblackwell
localUsername:mblackwell
oidcUsername: mblackwell

You said you wanted "The goal with my XCreds CLI request is to know the state that XCreds is in".

Do you mean of the current logged in user? So add a section with "current user", give the username, say what the token state is, etc?

Also, you can get the output as JSON with the --json flag.

tim

@bryanheinz
Copy link
Author

Hey Tim, thanks for the update! --json output is ::chef kiss::

Personally, I don't need the current logged in user, but I could see other people finding that useful.

My orgs usage of XCreds is "make your macOS password your IdP password". I'm looking for information like:

  • Did the user ever initialize XCreds? (I.e. go through the initial XCreds flow to set their Mac password to their IdP password? We're not using the XCreds LoginWindow.)
  • Is their Mac password currently in sync with their IdP password? (it sounds like this might not be possible)
  • A general Healthy/Unhealthy status ("XCreds is working as expected, things are in sync and tip-top" or "here be dragons, you should investigate")
  • Token state would be great

A couple of extras that I think could be useful:

  • License state (Trial/Valid/Expired/[Other?])
  • Version (just a simple output of the installed version)

An example usage of this using MunkiReport widgets:

  • Display a count of endpoints with incomplete setup (status: unhealthy; errors: incomplete setup)
  • Display a count of unhealthy endpoints (status: unhealthy)
  • Display a count of endpoints with expired license (license: expired — whoops, did we forget to renew? or maybe some endpoints need the license redeployed?)
  • Display a count of healthy endpoints (yay, look boss — happy green numbers! 🎉 )

Click into any of those widgets to see the list of computers with the status, click on the computer to see the error details.

This is the future state that I'd love to be in.


Here's some rough example output I through together:

Status: Healthy
Errors: None
Tokens: Valid
Password: Matched
License: Valid
Version: 5.2.0.7289

Status: Unhealthy
Errors: Invalid IdP tokens.
Tokens: Invalid
Password: Unknown
License: Valid
Version: 5.2.0.7289

Status: Unhealthy
Errors: Passwords do not match.
Tokens: Valid
Password: Mismatch
License: Valid
Version: 5.2.0.7289

Status: Unhealthy
Errors: Setup incomplete.
Tokens: Invalid
Password: Unknown
License: Valid
Version: 5.2.0.7289

Status: Unhealthy
Errors: Setup incomplete. Mismatched passwords.
Tokens: Invalid
Password: Unknown
License: Valid
Version: 5.2.0.7289

Status: Unhealthy
Errors: License/trial expired.
Tokens: Valid
Password: Matched
License: Expired
Version: 5.2.0.7289

@twocanoes
Copy link
Owner

  1. See if xcreds password is set in the keychain, which means the password was synced to the IdP.
  2. write to preferences with the result of the last refresh token and print that state and the date updated.
  3. print if tokens are in the keychain and information inside the ID token
  4. License state
  5. Version
  6. Determine health by looking for when XCreds logs an error status message and determine the state/print error message.

@twocanoes
Copy link
Owner

@bryanheinz doesn't your output presume a single user using xcreds? i could add the user but that may be too much info. I can update a shared pref file for success and then parse that via the command line

@twocanoes
Copy link
Owner

OK, implemented. Here is the output in both text and json:

test:~ root# /Applications/XCreds.app/Contents/MacOS/XCreds status
----- XCreds Info -----
XCreds Version:5.2
XCreds Build number:8187
License Status:Valid
Days Remaining:40
----- Last User Info -----
lastSuccessfulLoginDate: 2025-01-21 22:53:14 +0000
refreshTokenUpdateSuccess: true
lastSuccessfulLoginUser: freddy
refreshTokenUpdateDate: 2025-01-21 22:53:14 +0000
----- CONSOLE RIGHTS -----
builtin:prelogin
builtin:policy-banner
XCredsLoginPlugin:UserSetup,privileged
XCredsLoginPlugin:LoginWindow
XCredsLoginPlugin:PowerControl,privileged
builtin:login-begin
XCredsLoginPlugin:CreateUser,privileged
builtin:reset-password,privileged
loginwindow:FDESupport,privileged
builtin:forward-login,privileged
builtin:auto-login,privileged
builtin:authenticate,privileged
PKINITMechanism:auth,privileged
builtin:login-success
loginwindow:success
HomeDirMechanism:login,privileged
HomeDirMechanism:status
MCXMechanism:login
CryptoTokenKit:login
loginwindow:done
XCredsLoginPlugin:LoginDone
XCredsLoginPlugin:EnableFDE,privileged
XCredsLoginPlugin:KeychainAdd,privileged
----- OIDC User Info -----
fred
localUsername:fred
oidcUsername: fred
identityTokenUpdateDate: 2025-01-21 22:53:16 +0000
identityToken: {"aud":"5487c4cd-949a-402d-9eee-ae8fb696b415","iss":"https://sts.windows.net/e64a2b5d-3eb1-436e-9e8a-521f0c5cd489/","iat":1737499694,"nbf":1737499694,"exp":1737503594,"amr":["pwd"],"email":"[email protected]","family_name":"Flintstone","given_name":"Fred","groups":["47b36644-8477-4194-b42d-9e519e9193e7"],"ipaddr":"73.22.203.24","name":"Fred Flintstone","nonce":"78F66B5E-213D-4DBC-8D4F-CFD588BE3611","oid":"b8e1c482-b4e9-4e11-8f98-a1cce2eda96e","rh":"1.AVkAXStK5rE-bkOeilIfDFzUic3Eh1SalC1Anu6uj7aWtBVZAGdZAA.","sid":"00127e79-028b-db8f-6735-7fd964293b63","sub":"u0oepf8o5q1YjWIJMntF5cM5fxHSAAU52AZBzPexCoA","tid":"e64a2b5d-3eb1-436e-9e8a-521f0c5cd489","unique_name":"[email protected]","upn":"[email protected]","uti":"hctf12eCdUeqrMwtsFciAA","ver":"1.0","wids":["b79fbf4d-3ef9-4689-8143-76b194e85509"],"user-department":"300000"}
freddy
localUsername:freddy
oidcUsername: freddy
tcadmin
localUsername:tcadmin
oidcUsername: tcadmin
test:~ root#

test:~ root# /Applications/XCreds.app/Contents/MacOS/XCreds status --json
{
"oidcUsers" : [
{
"localUsername" : "fred",
"oidcUsername" : "fred"
},
{
"oidcUsername" : "freddy",
"localUsername" : "freddy"
},
{
"localUsername" : "tcadmin",
"oidcUsername" : "tcadmin"
}
],
"consoleRights" : [
"builtin:prelogin",
"builtin:policy-banner",
"XCredsLoginPlugin:UserSetup,privileged",
"XCredsLoginPlugin:LoginWindow",
"XCredsLoginPlugin:PowerControl,privileged",
"builtin:login-begin",
"XCredsLoginPlugin:CreateUser,privileged",
"builtin:reset-password,privileged",
"loginwindow:FDESupport,privileged",
"builtin:forward-login,privileged",
"builtin:auto-login,privileged",
"builtin:authenticate,privileged",
"PKINITMechanism:auth,privileged",
"builtin:login-success",
"loginwindow:success",
"HomeDirMechanism:login,privileged",
"HomeDirMechanism:status",
"MCXMechanism:login",
"CryptoTokenKit:login",
"loginwindow:done",
"XCredsLoginPlugin:LoginDone",
"XCredsLoginPlugin:EnableFDE,privileged",
"XCredsLoginPlugin:KeychainAdd,privileged"
],
"xcredsVersion" : "5.2",
"xcredsBuild" : "8187",
"xcredLicenseStatus" : "Valid",
"xcredsLicenseDaysRemaining" : "40",
"userInfo" : {
"fred" : {
"dsAttrTypeStandard:UniqueID" : "501",
"dsAttrTypeStandard:NFSHomeDirectory" : "/Users/fred",
"dsAttrTypeStandard:UserShell" : "/bin/zsh",
"dsAttrTypeStandard:RealName" : "fred",
"dsAttrTypeStandard:RecordName" : "fred",
"dsAttrTypeNative:_xcreds_oidc_username" : "fred",
"dsAttrTypeStandard:AuthenticationAuthority" : ";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>;Kerberosv5;;fred@LKDC:SHA1.32D9B0203D44E4A71CE85ECA850280230A08C3F1;LKDC:SHA1.32D9B0203D44E4A71CE85ECA850280230A08C3F1;",
"dsAttrTypeStandard:PrimaryGroupID" : "20"
},
"tcadmin" : {
"dsAttrTypeStandard:UniqueID" : "601",
"dsAttrTypeStandard:NFSHomeDirectory" : "/Users/tcadmin",
"identityToken" : "{"aud":"5487c4cd-949a-402d-9eee-ae8fb696b415","iss":"https://sts.windows.net/e64a2b5d-3eb1-436e-9e8a-521f0c5cd489/","iat":1737499694,"nbf":1737499694,"exp":1737503594,"amr":["pwd"],"email":"[email protected]","family_name":"Flintstone","given_name":"Fred","groups":["47b36644-8477-4194-b42d-9e519e9193e7"],"ipaddr":"73.22.203.24","name":"Fred Flintstone","nonce":"78F66B5E-213D-4DBC-8D4F-CFD588BE3611","oid":"b8e1c482-b4e9-4e11-8f98-a1cce2eda96e","rh":"1.AVkAXStK5rE-bkOeilIfDFzUic3Eh1SalC1Anu6uj7aWtBVZAGdZAA.","sid":"00127e79-028b-db8f-6735-7fd964293b63","sub":"u0oepf8o5q1YjWIJMntF5cM5fxHSAAU52AZBzPexCoA","tid":"e64a2b5d-3eb1-436e-9e8a-521f0c5cd489","unique_name":"[email protected]","upn":"[email protected]","uti":"hctf12eCdUeqrMwtsFciAA","ver":"1.0","wids":["b79fbf4d-3ef9-4689-8143-76b194e85509"],"user-department":"300000"}",
"dsAttrTypeStandard:RecordName" : "tcadmin",
"dsAttrTypeStandard:PrimaryGroupID" : "20",
"dsAttrTypeStandard:RealName" : "tcadmin",
"dsAttrTypeStandard:AuthenticationAuthority" : ";SecureToken;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>;Kerberosv5;;tcadmin@LKDC:SHA1.32D9B0203D44E4A71CE85ECA850280230A08C3F1;LKDC:SHA1.32D9B0203D44E4A71CE85ECA850280230A08C3F1;",
"dsAttrTypeStandard:UserShell" : "/bin/bash",
"dsAttrTypeNative:_xcreds_oidc_username" : "tcadmin",
"identityTokenUpdateDate" : "2025-01-21 22:53:16 +0000"
},
"freddy" : {
"dsAttrTypeStandard:RecordName" : "freddy",
"dsAttrTypeNative:_xcreds_oidc_username" : "freddy",
"dsAttrTypeStandard:PrimaryGroupID" : "20",
"dsAttrTypeStandard:NFSHomeDirectory" : "/Users/freddy",
"identityTokenUpdateDate" : "2025-01-21 22:53:16 +0000",
"dsAttrTypeStandard:RealName" : "Fred Flintstone",
"dsAttrTypeStandard:AuthenticationAuthority" : ";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>;Kerberosv5;;freddy@LKDC:SHA1.32D9B0203D44E4A71CE85ECA850280230A08C3F1;LKDC:SHA1.32D9B0203D44E4A71CE85ECA850280230A08C3F1;",
"dsAttrTypeStandard:UserShell" : "/bin/zsh",
"dsAttrTypeStandard:UniqueID" : "502",
"identityToken" : "{"aud":"5487c4cd-949a-402d-9eee-ae8fb696b415","iss":"https://sts.windows.net/e64a2b5d-3eb1-436e-9e8a-521f0c5cd489/","iat":1737499694,"nbf":1737499694,"exp":1737503594,"amr":["pwd"],"email":"[email protected]","family_name":"Flintstone","given_name":"Fred","groups":["47b36644-8477-4194-b42d-9e519e9193e7"],"ipaddr":"73.22.203.24","name":"Fred Flintstone","nonce":"78F66B5E-213D-4DBC-8D4F-CFD588BE3611","oid":"b8e1c482-b4e9-4e11-8f98-a1cce2eda96e","rh":"1.AVkAXStK5rE-bkOeilIfDFzUic3Eh1SalC1Anu6uj7aWtBVZAGdZAA.","sid":"00127e79-028b-db8f-6735-7fd964293b63","sub":"u0oepf8o5q1YjWIJMntF5cM5fxHSAAU52AZBzPexCoA","tid":"e64a2b5d-3eb1-436e-9e8a-521f0c5cd489","unique_name":"[email protected]","upn":"[email protected]","uti":"hctf12eCdUeqrMwtsFciAA","ver":"1.0","wids":["b79fbf4d-3ef9-4689-8143-76b194e85509"],"user-department":"300000"}"
}
}
}
test:~ root#

@twocanoes twocanoes assigned davelebbing and unassigned twocanoes Jan 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants