SFAuthorizationPluginView without UI


I have been crawling through various forums and blogs for an AuthorizationPlugin example or explanation that can show me how to create a Mac authorization plugin that does not affect any UI components. I want to use it for a remote access kind of solution. I have been able to get the NameAndPasswordPlugin example to work, but I am not able to achieve the requirements below:

  1. Do not change the default UI, i.e. do not have any custom UI components
  2. Ability to read and write into default UI fields, especially username (if any) and password
  3. Work on a need basis, i.e. I need the mechanism to pass through when a remote access session is not ON. In that case I want it to fall back to the loginwindow:login mechanism

Also, how would it communicate with the outside world? I was not able to read or write into files from the plugin. I saw an example where some pipes were used. Not sure what the recommended method is.


There are 2 best solutions below

0

You will need to write an authorization plugin which will set the context values "username" (kAuthorizationEnvironmentUsername) and "password" (kAuthorizationEnvironmentPassword). Then set the result to kAuthorizationResultAllow. You would also need to place your plugin just before loginwindow:login.

0

You don't need an SFAuthorizationPluginView, you just need an authorization plugin. You insert your plugin into the list of plugins and it can read from contexts set by previous plugins and write to or create contexts for later plugins.

For example, if you are working with console login, this bash command shows you what mechanisms are configured (mechanisms are instances of a plugin):

    security authorizationdb read system.login.console

If you add your plugin after builtin:authenticate,privileged then you can use this code in your mechanismInvoke function to read the values:

    const AuthorizationValue *value = NULL;
    OSStatus err;

    err = mechanism->fPlugin->fCallbacks->GetHintValue(mechanism->fEngine, "username", &value);
    if (err == noErr) {
        // Log the event (treats value->data as a NUL-terminated C string)
        os_log(OS_LOG_DEFAULT, "Login for user '%{public}s'.", (const char *)value->data);
    }

where mechanism->fPlugin->fCallbacks->GetHintValue and mechanism->fEngine are the callback and engine ref you set up as part of your plugin. There is also a "SetContextValue" function for writing the username or password.
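
Both answers depend on where the plugin's mechanism sits in the system.login.console list (just before loginwindow:login in the first, after builtin:authenticate,privileged in the second). The following is an added example, not code from either answer: it edits the plist that `security authorizationdb read system.login.console` prints and places a mechanism relative to an anchor entry. The mechanism name `RemoteAccessPlugin:login` is hypothetical and the sample right is constructed and shortened.

```python
import plistlib

# Hypothetical mechanism name in "plugin:mechanism" form (assumption, not from the page).
HYPOTHETICAL_MECH = "RemoteAccessPlugin:login"

# Constructed sample shaped like the output of
# `security authorizationdb read system.login.console` (mechanism list shortened).
SAMPLE_RIGHT = plistlib.dumps({
    "class": "evaluate-mechanisms",
    "mechanisms": [
        "builtin:policy-banner",
        "loginwindow:login",
        "builtin:login-begin",
        "builtin:authenticate,privileged",
        "loginwindow:done",
    ],
})


def mechanisms(right_plist: bytes) -> list:
    """Return the ordered mechanism list of a right definition."""
    return list(plistlib.loads(right_plist)["mechanisms"])


def insert_mechanism(right_plist: bytes, new_mech: str, anchor: str,
                     before: bool = True) -> bytes:
    """Insert new_mech directly before (or after) anchor and return the new plist.

    Idempotent: if new_mech is already listed, the input is returned unchanged,
    so repeated runs never stack duplicate entries into the login chain.
    """
    right = plistlib.loads(right_plist)
    if right.get("class") != "evaluate-mechanisms":
        raise ValueError("right is not evaluated through a mechanism list")
    mechs = list(right.get("mechanisms", []))
    if new_mech in mechs:
        return right_plist
    if anchor not in mechs:
        # Refuse to guess a position: a misplaced mechanism can break console login.
        raise ValueError(f"anchor mechanism {anchor!r} not found")
    mechs.insert(mechs.index(anchor) + (0 if before else 1), new_mech)
    right["mechanisms"] = mechs
    return plistlib.dumps(right)


if __name__ == "__main__":
    updated = insert_mechanism(SAMPLE_RIGHT, HYPOTHETICAL_MECH, "loginwindow:login")
    print("\n".join(mechanisms(updated)))
```

The resulting plist is what `security authorizationdb write system.login.console` reads from standard input when run as root. Keep a copy of the original `read` output so the default mechanism list can be restored if login stops working.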