Add support for local user account caching of authtoken.secret as in old UI -- this is now pretty much working.

2025-08-14 02:27:38 -07:00 · 2015-05-06 21:02:59 -07:00 · 2015-05-06 21:02:59 -07:00 · 4426899e8c
commit 4426899e8c
parent d56e9fce41
5 changed files with 97 additions and 172 deletions
--- a/ext/mac-ui-macgap1-wrapper/MacGap/AppDelegate.m
+++ b/ext/mac-ui-macgap1-wrapper/MacGap/AppDelegate.m
@ -7,6 +7,8 @@
 //

 #import "AppDelegate.h"
+#include <sys/stat.h>
+#include <sys/types.h>

@implementation AppDelegate

@ -29,75 +31,108 @@
 }

 - (void) applicationDidFinishLaunching:(NSNotification *)aNotification { 
-    // Create authorization reference
-    OSStatus status;
-    AuthorizationRef authorizationRef;
-    
-    // AuthorizationCreate and pass NULL as the initial
-    // AuthorizationRights set so that the AuthorizationRef gets created
-    // successfully, and then later call AuthorizationCopyRights to
-    // determine or extend the allowable rights.
-    // http://developer.apple.com/qa/qa2001/qa1172.html
-    status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &authorizationRef);
-    if (status != errAuthorizationSuccess)
-    {
-        NSLog(@"Error Creating Initial Authorization: %d", status);
-        return;
-    }
-    
-    // kAuthorizationRightExecute == "system.privilege.admin"
-    AuthorizationItem right = {kAuthorizationRightExecute, 0, NULL, 0};
-    AuthorizationRights rights = {1, &right};
-    AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed |
-    kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights;
-    
-    // Call AuthorizationCopyRights to determine or extend the allowable rights.
-    status = AuthorizationCopyRights(authorizationRef, &rights, NULL, flags, NULL);
-    if (status != errAuthorizationSuccess)
-    {
-        NSLog(@"Copy Rights Unsuccessful: %d", status);
-        return;
-    }
-    
-    // use rm tool with -rf
-    char *tool = "/bin/cat";
-    char *args[] = {"/Library/Application Support/ZeroTier/One/authtoken.secret", NULL};
-    FILE *pipe = NULL;
-    
-    status = AuthorizationExecuteWithPrivileges(authorizationRef, tool, kAuthorizationFlagDefaults, args, &pipe);
-    if (status != errAuthorizationSuccess)
-    {
-        NSLog(@"Error: %d", status);
-    }
-    
-    char url[16384];
-    memset(url,0,sizeof(url));
-    if (pipe) {
-        char buf[16384];
+    char buf[16384],userAuthTokenPath[4096];

-        FILE *pf = fopen("/Library/Application Support/ZeroTier/One/zerotier-one.port","r");
+    FILE *pf = fopen("/Library/Application Support/ZeroTier/One/zerotier-one.port","r");
+    long port = 9993; // default
+    if (pf) {
        long n = fread(buf,1,sizeof(buf)-1,pf);
-        long port = 9993; // default
        if (n > 0) {
            buf[n] = (char)0;
            port = strtol(buf,(char **)0,10);
        }
        fclose(pf);
-
-        n = (long)fread(buf,1,sizeof(buf)-1,pipe);
-        if (n > 0) {
-            buf[n] = (char)0;
-            snprintf(url,sizeof(url),"http://127.0.0.1:%ld/index.html?authToken=%s",port,buf);
-        }
-        fclose(pipe);
    }
-    
-    // The only way to guarantee that a credential acquired when you
-    // request a right is not shared with other authorization instances is
-    // to destroy the credential.  To do so, call the AuthorizationFree
-    // function with the flag kAuthorizationFlagDestroyRights.
-    // http://developer.apple.com/documentation/Security/Conceptual/authorization_concepts/02authconcepts/chapter_2_section_7.html
-    status = AuthorizationFree(authorizationRef, kAuthorizationFlagDestroyRights);
+
+    char url[16384];
+    memset(url,0,sizeof(url));
+
+    const char *homeDir = getenv("HOME");
+    if (homeDir) {
+        snprintf(userAuthTokenPath,sizeof(userAuthTokenPath),"%s/Library/Application Support/ZeroTier/One/authtoken.secret",homeDir);
+        pf = fopen(userAuthTokenPath,"r");
+        if (pf) {
+            long n = fread(buf,1,sizeof(buf)-1,pf);
+            if (n > 0) {
+                buf[n] = (char)0;
+                snprintf(url,sizeof(url),"http://127.0.0.1:%ld/index.html?authToken=%s",port,buf);
+            }
+            fclose(pf);
+        }
+    }
+
+    if (!url[0]) {
+        // Create authorization reference
+        OSStatus status;
+        AuthorizationRef authorizationRef;
+        
+        // AuthorizationCreate and pass NULL as the initial
+        // AuthorizationRights set so that the AuthorizationRef gets created
+        // successfully, and then later call AuthorizationCopyRights to
+        // determine or extend the allowable rights.
+        // http://developer.apple.com/qa/qa2001/qa1172.html
+        status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &authorizationRef);
+        if (status != errAuthorizationSuccess)
+        {
+            NSLog(@"Error Creating Initial Authorization: %d", status);
+            return;
+        }
+        
+        // kAuthorizationRightExecute == "system.privilege.admin"
+        AuthorizationItem right = {kAuthorizationRightExecute, 0, NULL, 0};
+        AuthorizationRights rights = {1, &right};
+        AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed |
+        kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights;
+        
+        // Call AuthorizationCopyRights to determine or extend the allowable rights.
+        status = AuthorizationCopyRights(authorizationRef, &rights, NULL, flags, NULL);
+        if (status != errAuthorizationSuccess)
+        {
+            NSLog(@"Copy Rights Unsuccessful: %d", status);
+            return;
+        }
+        
+        // use rm tool with -rf
+        char *tool = "/bin/cat";
+        char *args[] = {"/Library/Application Support/ZeroTier/One/authtoken.secret", NULL};
+        FILE *pipe = NULL;
+        
+        status = AuthorizationExecuteWithPrivileges(authorizationRef, tool, kAuthorizationFlagDefaults, args, &pipe);
+        if (status != errAuthorizationSuccess)
+        {
+            NSLog(@"Error: %d", status);
+        }
+        
+        if (pipe) {
+            long n = (long)fread(buf,1,sizeof(buf)-1,pipe);
+            if (n > 0) {
+                buf[n] = (char)0;
+                snprintf(url,sizeof(url),"http://127.0.0.1:%ld/index.html?authToken=%s",port,buf);
+
+                if (homeDir) {
+                    snprintf(userAuthTokenPath,sizeof(userAuthTokenPath),"%s/Library/Application Support/ZeroTier",homeDir);
+                    mkdir(userAuthTokenPath,0755);
+                    snprintf(userAuthTokenPath,sizeof(userAuthTokenPath),"%s/Library/Application Support/ZeroTier/One",homeDir);
+                    mkdir(userAuthTokenPath,0755);
+                    snprintf(userAuthTokenPath,sizeof(userAuthTokenPath),"%s/Library/Application Support/ZeroTier/One/authtoken.secret",homeDir);
+                    pf = fopen(userAuthTokenPath,"w");
+                    if (pf) {
+                        fwrite(buf,1,strlen(buf),pf);
+                        fclose(pf);
+                        chmod(userAuthTokenPath,0600);
+                    }
+                }
+            }
+            fclose(pipe);
+        }
+
+        // The only way to guarantee that a credential acquired when you
+        // request a right is not shared with other authorization instances is
+        // to destroy the credential.  To do so, call the AuthorizationFree
+        // function with the flag kAuthorizationFlagDestroyRights.
+        // http://developer.apple.com/documentation/Security/Conceptual/authorization_concepts/02authconcepts/chapter_2_section_7.html
+        status = AuthorizationFree(authorizationRef, kAuthorizationFlagDestroyRights);
+    }

    NSString *urlStr = [[NSString alloc] initWithCString:url];
    self.windowController = [[WindowController alloc] initWithURL: urlStr];