some OS X Authentication Services wizardry to get /Library/Application Support/ZeroTier/One/authtoken.secret and copy it to ~/Library/Application Support/ZeroTier/One/authtoken.secret

2025-08-21 05:43:59 -07:00 · 2016-05-31 17:19:22 -07:00 · 2016-05-31 17:19:22 -07:00 · 975bcb8aff
commit 975bcb8aff
parent 51e74f8d4f
5 changed files with 151 additions and 1 deletions
--- a/One/AuthtokenCopy.h
+++ b/One/AuthtokenCopy.h
@ -0,0 +1,16 @@
+//
+//  AuthtokenCopy.h
+//  ZeroTier One
+//
+//  Created by Grant Limberg on 5/31/16.
+//  Copyright © 2016 ZeroTier, Inc. All rights reserved.
+//
+
+#ifndef AuthtokenCopy_h
+#define AuthtokenCopy_h
+
+#import <Foundation/Foundation.h>
+
+NSString* getAdminAuthToken(AuthorizationRef authRef);
+
+#endif /* AuthtokenCopy_h */
--- a/One/AuthtokenCopy.m
+++ b/One/AuthtokenCopy.m
@ -0,0 +1,87 @@
+//
+//  AuthtokenCopy.m
+//  ZeroTier One
+//
+//  Created by Grant Limberg on 5/31/16.
+//  Copyright © 2016 ZeroTier, Inc. All rights reserved.
+//
+
+#import <Foundation/Foundation.h>
+
+#import "AuthtokenCopy.h"
+
+
+NSString* getAdminAuthToken(AuthorizationRef authRef) {
+    char *tool = "/bin/cat";
+    char *args[] = { "/Library/Application Support/ZeroTier/One/authtoken.secret", NULL};
+    FILE *pipe = nil;
+    char token[25];
+    memset(token, 0, sizeof(char)*25);
+
+
+    OSStatus status = AuthorizationExecuteWithPrivileges(authRef, tool, kAuthorizationFlagDefaults, args, &pipe);
+
+    if (status != errAuthorizationSuccess) {
+        NSLog(@"Reading authtoken failed!");
+
+
+        switch(status) {
+            case errAuthorizationDenied:
+                NSLog(@"Autorization Denied");
+                break;
+            case errAuthorizationCanceled:
+                NSLog(@"Authorization Canceled");
+                break;
+            case errAuthorizationInternal:
+                NSLog(@"Authorization Internal");
+                break;
+            case errAuthorizationBadAddress:
+                NSLog(@"Bad Address");
+                break;
+            case errAuthorizationInvalidRef:
+                NSLog(@"Invalid Ref");
+                break;
+            case errAuthorizationInvalidSet:
+                NSLog(@"Invalid Set");
+                break;
+            case errAuthorizationInvalidTag:
+                NSLog(@"Invalid Tag");
+                break;
+            case errAuthorizationInvalidFlags:
+                NSLog(@"Invalid Flags");
+                break;
+            case errAuthorizationInvalidPointer:
+                NSLog(@"Invalid Pointer");
+                break;
+            case errAuthorizationToolExecuteFailure:
+                NSLog(@"Tool Execute Failure");
+                break;
+            case errAuthorizationToolEnvironmentError:
+                NSLog(@"Tool Environment Failure");
+                break;
+            case errAuthorizationExternalizeNotAllowed:
+                NSLog(@"Externalize Not Allowed");
+                break;
+            case errAuthorizationInteractionNotAllowed:
+                NSLog(@"Interaction Not Allowed");
+                break;
+            case errAuthorizationInternalizeNotAllowed:
+                NSLog(@"Internalize Not Allowed");
+                break;
+            default:
+                NSLog(@"Unknown Error");
+                break;
+        }
+
+        return @"";
+    }
+
+    if(pipe != nil) {
+        fread(&token, sizeof(char), 24, pipe);
+        fclose(pipe);
+
+        return [NSString stringWithUTF8String:token];
+    }
+
+    return @"";
+}
--- a/One/ServiceCom.swift
+++ b/One/ServiceCom.swift
@ -30,7 +30,36 @@ class ServiceCom: NSObject {
                    Holder.key = try String(contentsOfURL: authtokenURL)
                }
                else {
-                    // TODO: Elevate priviledge to copy /Library/Application Support/ZeroTier/One/authtoken.secret to the user's local AppSupport directory
+                    try NSFileManager.defaultManager().createDirectoryAtURL(appSupportDir, withIntermediateDirectories: true, attributes: nil)
+
+                    var authRef: AuthorizationRef = nil
+                    var status = AuthorizationCreate(nil, nil, .Defaults, &authRef)
+
+                    if status != errAuthorizationSuccess {
+                        NSLog("Authorization Failed! \(status)")
+                        return ""
+                    }
+
+                    var authItem = AuthorizationItem(name: kAuthorizationRightExecute, valueLength: 0, value: nil, flags: 0)
+                    var authRights = AuthorizationRights(count: 1, items: &authItem)
+                    let authFlags: AuthorizationFlags = [.Defaults, .InteractionAllowed, .PreAuthorize, .ExtendRights]
+
+                    status = AuthorizationCopyRights(authRef, &authRights, nil, authFlags, nil)
+
+                    if status != errAuthorizationSuccess {
+                        NSLog("Authorization Failed! \(status)")
+                        return ""
+                    }
+
+                    let localKey = getAdminAuthToken(authRef)
+                    AuthorizationFree(authRef, .DestroyRights)
+
+                    if localKey != nil && localKey.lengthOfBytesUsingEncoding(NSUTF8StringEncoding) > 0 {
+                        NSLog("\(localKey)")
+                        Holder.key = localKey
+
+                        try localKey.writeToURL(authtokenURL, atomically: true, encoding: NSUTF8StringEncoding)
+                    }
                }
            }
            catch {
--- a/One-Bridging-Header.h
+++ b/One-Bridging-Header.h
@ -0,0 +1,5 @@
+//
+//  Use this file to import your target's public headers that you would like to expose to Swift.
+//
+
+#import "AuthtokenCopy.h"