base/enterprise_util_mac.mm - cobalt - Git at Google

 // Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "base/enterprise_util.h"

 #import <OpenDirectory/OpenDirectory.h>

 #include <string>
 #include <vector>

 #include "base/logging.h"
 #include "base/mac/foundation_util.h"
 #include "base/process/launch.h"
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
 #include "base/strings/sys_string_conversions.h"

 namespace base {

 bool IsManagedDevice() {
   // MDM enrollment indicates the device is actively being managed. Simply being
   // joined to a domain, however, does not.

   // IsDeviceRegisteredWithManagementNew is only available after 10.13.4.
   // Eventually switch to it when that is the minimum OS required by Chromium.
   if (@available(macOS 10.13.4, *)) {
     base::MacDeviceManagementStateNew mdm_state =
         base::IsDeviceRegisteredWithManagementNew();
     return mdm_state ==
                base::MacDeviceManagementStateNew::kLimitedMDMEnrollment ||
            mdm_state == base::MacDeviceManagementStateNew::kFullMDMEnrollment ||
            mdm_state == base::MacDeviceManagementStateNew::kDEPMDMEnrollment;
   }

   base::MacDeviceManagementStateOld mdm_state =
       base::IsDeviceRegisteredWithManagementOld();
   return mdm_state == base::MacDeviceManagementStateOld::kMDMEnrollment;
 }

 bool IsEnterpriseDevice() {
   // Domain join is a basic indicator of being an enterprise device.
   DeviceUserDomainJoinState join_state = AreDeviceAndUserJoinedToDomain();
   return join_state.device_joined || join_state.user_joined;
 }

 MacDeviceManagementStateOld IsDeviceRegisteredWithManagementOld() {
   static MacDeviceManagementStateOld state = [] {
     @autoreleasepool {
       std::vector<std::string> profiler_argv{"/usr/sbin/system_profiler",
                                              "SPConfigurationProfileDataType",
                                              "-detailLevel",
                                              "mini",
                                              "-timeout",
                                              "15",
                                              "-xml"};

       std::string profiler_stdout;
       if (!GetAppOutput(profiler_argv, &profiler_stdout)) {
         LOG(WARNING) << "Could not get system_profiler output.";
         return MacDeviceManagementStateOld::kFailureAPIUnavailable;
       };

       NSArray* root = base::mac::ObjCCast<NSArray>([NSPropertyListSerialization
           propertyListWithData:[SysUTF8ToNSString(profiler_stdout)
                                    dataUsingEncoding:NSUTF8StringEncoding]
                        options:NSPropertyListImmutable
                         format:nil
                          error:nil]);
       if (!root) {
         LOG(WARNING) << "Could not parse system_profiler output.";
         return MacDeviceManagementStateOld::kFailureUnableToParseResult;
       };

       for (NSDictionary* results in root) {
         for (NSDictionary* dict in results[@"_items"]) {
           for (NSDictionary* device_config_profiles in dict[@"_items"]) {
             for (NSDictionary* profile_item in
                      device_config_profiles[@"_items"]) {
               if (![profile_item[@"_name"] isEqual:@"com.apple.mdm"])
                 continue;

               NSString* payload_data =
                   profile_item[@"spconfigprofile_payload_data"];
               NSDictionary* payload_data_dict =
                   base::mac::ObjCCast<NSDictionary>([NSPropertyListSerialization
                       propertyListWithData:
                           [payload_data dataUsingEncoding:NSUTF8StringEncoding]
                                    options:NSPropertyListImmutable
                                     format:nil
                                      error:nil]);

               if (!payload_data_dict)
                 continue;

               // Verify that the URL validates.
               if ([NSURL URLWithString:payload_data_dict[@"CheckInURL"]])
                 return MacDeviceManagementStateOld::kMDMEnrollment;
             }
           }
         }
       }

       return MacDeviceManagementStateOld::kNoEnrollment;
     }
   }();

   return state;
 }

 MacDeviceManagementStateNew IsDeviceRegisteredWithManagementNew() {
   static MacDeviceManagementStateNew state = [] {
     if (@available(macOS 10.13.4, *)) {
       std::vector<std::string> profiles_argv{"/usr/bin/profiles", "status",
                                              "-type", "enrollment"};

       std::string profiles_stdout;
       if (!GetAppOutput(profiles_argv, &profiles_stdout)) {
         LOG(WARNING) << "Could not get profiles output.";
         return MacDeviceManagementStateNew::kFailureAPIUnavailable;
       }

       // Sample output of `profiles` with full MDM enrollment:
       // Enrolled via DEP: Yes
       // MDM enrollment: Yes (User Approved)
       // MDM server: https://applemdm.example.com/some/path?foo=bar
       StringPairs property_states;
       if (!SplitStringIntoKeyValuePairs(profiles_stdout, ':', '\n',
                                         &property_states)) {
         return MacDeviceManagementStateNew::kFailureUnableToParseResult;
       }

       bool enrolled_via_dep = false;
       bool mdm_enrollment_not_approved = false;
       bool mdm_enrollment_user_approved = false;

       for (const auto& property_state : property_states) {
         StringPiece property =
             TrimString(property_state.first, kWhitespaceASCII, TRIM_ALL);
         StringPiece state =
             TrimString(property_state.second, kWhitespaceASCII, TRIM_ALL);

         if (property == "Enrolled via DEP") {
           if (state == "Yes")
             enrolled_via_dep = true;
           else if (state != "No")
             return MacDeviceManagementStateNew::kFailureUnableToParseResult;
         } else if (property == "MDM enrollment") {
           if (state == "Yes")
             mdm_enrollment_not_approved = true;
           else if (state == "Yes (User Approved)")
             mdm_enrollment_user_approved = true;
           else if (state != "No")
             return MacDeviceManagementStateNew::kFailureUnableToParseResult;
         } else {
           // Ignore any other output lines, for future extensibility.
         }
       }

       if (!enrolled_via_dep && !mdm_enrollment_not_approved &&
           !mdm_enrollment_user_approved) {
         return MacDeviceManagementStateNew::kNoEnrollment;
       }

       if (!enrolled_via_dep && mdm_enrollment_not_approved &&
           !mdm_enrollment_user_approved) {
         return MacDeviceManagementStateNew::kLimitedMDMEnrollment;
       }

       if (!enrolled_via_dep && !mdm_enrollment_not_approved &&
           mdm_enrollment_user_approved) {
         return MacDeviceManagementStateNew::kFullMDMEnrollment;
       }

       if (enrolled_via_dep && !mdm_enrollment_not_approved &&
           mdm_enrollment_user_approved) {
         return MacDeviceManagementStateNew::kDEPMDMEnrollment;
       }

       return MacDeviceManagementStateNew::kFailureUnableToParseResult;
     } else {
       return MacDeviceManagementStateNew::kFailureAPIUnavailable;
     }
   }();

   return state;
 }

 DeviceUserDomainJoinState AreDeviceAndUserJoinedToDomain() {
   static DeviceUserDomainJoinState state = [] {
     DeviceUserDomainJoinState state{false, false};

     @autoreleasepool {
       ODSession* session = [ODSession defaultSession];
       if (session == nil) {
         DLOG(WARNING) << "ODSession default session is nil.";
         return state;
       }

       NSError* error = nil;

       NSArray<NSString*>* all_node_names =
           [session nodeNamesAndReturnError:&error];
       if (!all_node_names) {
         DLOG(WARNING) << "ODSession failed to give node names: "
                       << error.localizedDescription.UTF8String;
         return state;
       }

       NSUInteger num_nodes = all_node_names.count;
       if (num_nodes < 3) {
         DLOG(WARNING) << "ODSession returned too few node names: "
                       << all_node_names.description.UTF8String;
         return state;
       }

       if (num_nodes > 3) {
         // Non-enterprise machines have:"/Search", "/Search/Contacts",
         // "/Local/Default". Everything else would be enterprise management.
         state.device_joined = true;
       }

       ODNode* node = [ODNode nodeWithSession:session
                                         type:kODNodeTypeAuthentication
                                        error:&error];
       if (node == nil) {
         DLOG(WARNING) << "ODSession cannot obtain the authentication node: "
                       << error.localizedDescription.UTF8String;
         return state;
       }

       // Now check the currently logged on user.
       ODQuery* query = [ODQuery queryWithNode:node
                                forRecordTypes:kODRecordTypeUsers
                                     attribute:kODAttributeTypeRecordName
                                     matchType:kODMatchEqualTo
                                   queryValues:NSUserName()
                              returnAttributes:kODAttributeTypeAllAttributes
                                maximumResults:0
                                         error:&error];
       if (query == nil) {
         DLOG(WARNING) << "ODSession cannot create user query: "
                       << mac::NSToCFCast(error);
         return state;
       }

       NSArray* results = [query resultsAllowingPartial:NO error:&error];
       if (!results) {
         DLOG(WARNING) << "ODSession cannot obtain current user node: "
                       << error.localizedDescription.UTF8String;
         return state;
       }

       if (results.count != 1) {
         DLOG(WARNING) << @"ODSession unexpected number of user nodes: "
                       << results.count;
       }

       for (id element in results) {
         ODRecord* record = mac::ObjCCastStrict<ODRecord>(element);
         NSArray* attributes =
             [record valuesForAttribute:kODAttributeTypeMetaRecordName
                                  error:nil];
         for (id attribute in attributes) {
           NSString* attribute_value = mac::ObjCCastStrict<NSString>(attribute);
           // Example: "uid=johnsmith,ou=People,dc=chromium,dc=org
           NSRange domain_controller =
               [attribute_value rangeOfString:@"(^|,)\\s*dc="
                                      options:NSRegularExpressionSearch];
           if (domain_controller.length > 0) {
             state.user_joined = true;
           }
         }

         // Scan alternative identities.
         attributes =
             [record valuesForAttribute:kODAttributeTypeAltSecurityIdentities
                                  error:nil];
         for (id attribute in attributes) {
           NSString* attribute_value = mac::ObjCCastStrict<NSString>(attribute);
           NSRange icloud =
               [attribute_value rangeOfString:@"CN=com.apple.idms.appleid.prd"
                                      options:NSCaseInsensitiveSearch];
           if (!icloud.length) {
             // Any alternative identity that is not iCloud is likely enterprise
             // management.
             state.user_joined = true;
           }
         }
       }
     }

     return state;
   }();

   return state;
 }

 }  // namespace base
	// Copyright 2019 The Chromium Authors
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "base/enterprise_util.h"

	#import <OpenDirectory/OpenDirectory.h>

	#include <string>
	#include <vector>

	#include "base/logging.h"
	#include "base/mac/foundation_util.h"
	#include "base/process/launch.h"
	#include "base/strings/string_split.h"
	#include "base/strings/string_util.h"
	#include "base/strings/sys_string_conversions.h"

	namespace base {

	bool IsManagedDevice() {
	// MDM enrollment indicates the device is actively being managed. Simply being
	// joined to a domain, however, does not.

	// IsDeviceRegisteredWithManagementNew is only available after 10.13.4.
	// Eventually switch to it when that is the minimum OS required by Chromium.
	if (@available(macOS 10.13.4, *)) {
	base::MacDeviceManagementStateNew mdm_state =
	base::IsDeviceRegisteredWithManagementNew();
	return mdm_state ==
	base::MacDeviceManagementStateNew::kLimitedMDMEnrollment \|\|
	mdm_state == base::MacDeviceManagementStateNew::kFullMDMEnrollment \|\|
	mdm_state == base::MacDeviceManagementStateNew::kDEPMDMEnrollment;
	}

	base::MacDeviceManagementStateOld mdm_state =
	base::IsDeviceRegisteredWithManagementOld();
	return mdm_state == base::MacDeviceManagementStateOld::kMDMEnrollment;
	}

	bool IsEnterpriseDevice() {
	// Domain join is a basic indicator of being an enterprise device.
	DeviceUserDomainJoinState join_state = AreDeviceAndUserJoinedToDomain();
	return join_state.device_joined \|\| join_state.user_joined;
	}

	MacDeviceManagementStateOld IsDeviceRegisteredWithManagementOld() {
	static MacDeviceManagementStateOld state = [] {
	@autoreleasepool {
	std::vector<std::string> profiler_argv{"/usr/sbin/system_profiler",
	"SPConfigurationProfileDataType",
	"-detailLevel",
	"mini",
	"-timeout",
	"15",
	"-xml"};

	std::string profiler_stdout;
	if (!GetAppOutput(profiler_argv, &profiler_stdout)) {
	LOG(WARNING) << "Could not get system_profiler output.";
	return MacDeviceManagementStateOld::kFailureAPIUnavailable;
	};

	NSArray* root = base::mac::ObjCCast<NSArray>([NSPropertyListSerialization
	propertyListWithData:[SysUTF8ToNSString(profiler_stdout)
	dataUsingEncoding:NSUTF8StringEncoding]
	options:NSPropertyListImmutable
	format:nil
	error:nil]);
	if (!root) {
	LOG(WARNING) << "Could not parse system_profiler output.";
	return MacDeviceManagementStateOld::kFailureUnableToParseResult;
	};

	for (NSDictionary* results in root) {
	for (NSDictionary* dict in results[@"_items"]) {
	for (NSDictionary* device_config_profiles in dict[@"_items"]) {
	for (NSDictionary* profile_item in
	device_config_profiles[@"_items"]) {
	if (![profile_item[@"_name"] isEqual:@"com.apple.mdm"])
	continue;

	NSString* payload_data =
	profile_item[@"spconfigprofile_payload_data"];
	NSDictionary* payload_data_dict =
	base::mac::ObjCCast<NSDictionary>([NSPropertyListSerialization
	propertyListWithData:
	[payload_data dataUsingEncoding:NSUTF8StringEncoding]
	options:NSPropertyListImmutable
	format:nil
	error:nil]);

	if (!payload_data_dict)
	continue;

	// Verify that the URL validates.
	if ([NSURL URLWithString:payload_data_dict[@"CheckInURL"]])
	return MacDeviceManagementStateOld::kMDMEnrollment;
	}
	}
	}
	}

	return MacDeviceManagementStateOld::kNoEnrollment;
	}
	}();

	return state;
	}

	MacDeviceManagementStateNew IsDeviceRegisteredWithManagementNew() {
	static MacDeviceManagementStateNew state = [] {
	if (@available(macOS 10.13.4, *)) {
	std::vector<std::string> profiles_argv{"/usr/bin/profiles", "status",
	"-type", "enrollment"};

	std::string profiles_stdout;
	if (!GetAppOutput(profiles_argv, &profiles_stdout)) {
	LOG(WARNING) << "Could not get profiles output.";
	return MacDeviceManagementStateNew::kFailureAPIUnavailable;
	}

	// Sample output of `profiles` with full MDM enrollment:
	// Enrolled via DEP: Yes
	// MDM enrollment: Yes (User Approved)
	// MDM server: https://applemdm.example.com/some/path?foo=bar
	StringPairs property_states;
	if (!SplitStringIntoKeyValuePairs(profiles_stdout, ':', '\n',
	&property_states)) {
	return MacDeviceManagementStateNew::kFailureUnableToParseResult;
	}

	bool enrolled_via_dep = false;
	bool mdm_enrollment_not_approved = false;
	bool mdm_enrollment_user_approved = false;

	for (const auto& property_state : property_states) {
	StringPiece property =
	TrimString(property_state.first, kWhitespaceASCII, TRIM_ALL);
	StringPiece state =
	TrimString(property_state.second, kWhitespaceASCII, TRIM_ALL);

	if (property == "Enrolled via DEP") {
	if (state == "Yes")
	enrolled_via_dep = true;
	else if (state != "No")
	return MacDeviceManagementStateNew::kFailureUnableToParseResult;
	} else if (property == "MDM enrollment") {
	if (state == "Yes")
	mdm_enrollment_not_approved = true;
	else if (state == "Yes (User Approved)")
	mdm_enrollment_user_approved = true;
	else if (state != "No")
	return MacDeviceManagementStateNew::kFailureUnableToParseResult;
	} else {
	// Ignore any other output lines, for future extensibility.
	}
	}

	if (!enrolled_via_dep && !mdm_enrollment_not_approved &&
	!mdm_enrollment_user_approved) {
	return MacDeviceManagementStateNew::kNoEnrollment;
	}

	if (!enrolled_via_dep && mdm_enrollment_not_approved &&
	!mdm_enrollment_user_approved) {
	return MacDeviceManagementStateNew::kLimitedMDMEnrollment;
	}

	if (!enrolled_via_dep && !mdm_enrollment_not_approved &&
	mdm_enrollment_user_approved) {
	return MacDeviceManagementStateNew::kFullMDMEnrollment;
	}

	if (enrolled_via_dep && !mdm_enrollment_not_approved &&
	mdm_enrollment_user_approved) {
	return MacDeviceManagementStateNew::kDEPMDMEnrollment;
	}

	return MacDeviceManagementStateNew::kFailureUnableToParseResult;
	} else {
	return MacDeviceManagementStateNew::kFailureAPIUnavailable;
	}
	}();

	return state;
	}

	DeviceUserDomainJoinState AreDeviceAndUserJoinedToDomain() {
	static DeviceUserDomainJoinState state = [] {
	DeviceUserDomainJoinState state{false, false};

	@autoreleasepool {
	ODSession* session = [ODSession defaultSession];
	if (session == nil) {
	DLOG(WARNING) << "ODSession default session is nil.";
	return state;
	}

	NSError* error = nil;

	NSArray<NSString> all_node_names =
	[session nodeNamesAndReturnError:&error];
	if (!all_node_names) {
	DLOG(WARNING) << "ODSession failed to give node names: "
	<< error.localizedDescription.UTF8String;
	return state;
	}

	NSUInteger num_nodes = all_node_names.count;
	if (num_nodes < 3) {
	DLOG(WARNING) << "ODSession returned too few node names: "
	<< all_node_names.description.UTF8String;
	return state;
	}

	if (num_nodes > 3) {
	// Non-enterprise machines have:"/Search", "/Search/Contacts",
	// "/Local/Default". Everything else would be enterprise management.
	state.device_joined = true;
	}

	ODNode* node = [ODNode nodeWithSession:session
	type:kODNodeTypeAuthentication
	error:&error];
	if (node == nil) {
	DLOG(WARNING) << "ODSession cannot obtain the authentication node: "
	<< error.localizedDescription.UTF8String;
	return state;
	}

	// Now check the currently logged on user.
	ODQuery* query = [ODQuery queryWithNode:node
	forRecordTypes:kODRecordTypeUsers
	attribute:kODAttributeTypeRecordName
	matchType:kODMatchEqualTo
	queryValues:NSUserName()
	returnAttributes:kODAttributeTypeAllAttributes
	maximumResults:0
	error:&error];
	if (query == nil) {
	DLOG(WARNING) << "ODSession cannot create user query: "
	<< mac::NSToCFCast(error);
	return state;
	}

	NSArray* results = [query resultsAllowingPartial:NO error:&error];
	if (!results) {
	DLOG(WARNING) << "ODSession cannot obtain current user node: "
	<< error.localizedDescription.UTF8String;
	return state;
	}

	if (results.count != 1) {
	DLOG(WARNING) << @"ODSession unexpected number of user nodes: "
	<< results.count;
	}

	for (id element in results) {
	ODRecord* record = mac::ObjCCastStrict<ODRecord>(element);
	NSArray* attributes =
	[record valuesForAttribute:kODAttributeTypeMetaRecordName
	error:nil];
	for (id attribute in attributes) {
	NSString* attribute_value = mac::ObjCCastStrict<NSString>(attribute);
	// Example: "uid=johnsmith,ou=People,dc=chromium,dc=org
	NSRange domain_controller =
	[attribute_value rangeOfString:@"(^\|,)\\s*dc="
	options:NSRegularExpressionSearch];
	if (domain_controller.length > 0) {
	state.user_joined = true;
	}
	}

	// Scan alternative identities.
	attributes =
	[record valuesForAttribute:kODAttributeTypeAltSecurityIdentities
	error:nil];
	for (id attribute in attributes) {
	NSString* attribute_value = mac::ObjCCastStrict<NSString>(attribute);
	NSRange icloud =
	[attribute_value rangeOfString:@"CN=com.apple.idms.appleid.prd"
	options:NSCaseInsensitiveSearch];
	if (!icloud.length) {
	// Any alternative identity that is not iCloud is likely enterprise
	// management.
	state.user_joined = true;
	}
	}
	}
	}

	return state;
	}();

	return state;
	}

	} // namespace base