#!/usr/local/bin/python3 # -*- coding: utf-8 -*- """ This should not be blank. """ # Copyright (c) 2020 University of Utah Student Computing Labs. ################ # All Rights Reserved. # # Permission to use, copy, modify, and distribute this software and # its documentation for any purpose and without fee is hereby granted, # provided that the above copyright notice appears in all copies and # that both that copyright notice and this permission notice appear # in supporting documentation, and that the name of The University # of Utah not be used in advertising or publicity pertaining to # distribution of the software without specific, written prior # permission. This software is supplied as is without expressed or # implied warranties of any kind. ################################################################################ # firmware_password_manager.py ################################################# # # A Python script to help Macintosh administrators manage the firmware passwords # of their computers. # # # 2.0.0 2015.11.05 Initial python rewrite. tjm # # 2.1.0 2016.03.07 "Now with spinning rims" # bug fixes, obfuscation features, # additional tools and examples. tjm # # 2.1.1 2016.03.16 slack identifier customization, # logic clarifications. tjm # # 2.1.2 2016.03.16 cleaned up argparse. tjm # # 2.1.3 2016.04.04 remove obsolete flag logic. tjm # # 2.1.4 2017.10.23 using rm -P for secure delete, # added additional alerting, additional pylint cleanup. tjm # # 2.5.0 2017.11.14 removed flags, uses configuration file, # reintroduced setregproptool functionality, # removed management_tools, ported to # python3, added testing fuctionality. tjm # # 2.5.0 2020.01.23 2.5 actually finished and committed. tjm # # # # keyfile format: # # | comment:passwords <-- comments are ignored, except for new. # | new:newpassword <-- the new password to be installed. # ################################################################################ # notes: ####################################################################### # # ./firmware_password_manager_cfg_v2.5b3.py -c private.INI -t # # # sudo pyinstaller --onefile firmware_password_manager.py # # # ################################################################################ # external tool documentation ################################################## # # firmwarepasswd v 1.0 # Copyright (C) 2014 Apple Inc. All Rights Reserved. # # # Usage: firmwarepasswd [OPTION] # # ? Show usage # -h Show usage # -setpasswd Set a firmware password. You will be promted for passwords as needed. # NOTE: if this is the first password set, and no mode is # in place, the mode will automatically be set to "command" # -setmode [mode] Set mode to: # "command" - password required to change boot disk # "full" - password required on all startups # NOTE: cannot set a mode without having set a password # -mode Prints out the current mode setting # -check Prints out whether there is / isn't a firmware password is set # -delete Delete current firmware password and mode setting # -verify Verify current firmware password # -unlockseed Generates a firmware password recovery key # NOTE: Machine must be stable for this command to generate # a valid seed. No pending changes that need a restart. # NOTE: Seed is only valid until the next time a firmware password # command occurs. # # # # setregproptool v 2.0 (9) Aug 24 2013 # Copyright (C) 2001-2010 Apple Inc. # All Rights Reserved. # # Usage: setregproptool [-c] [-d [-o <old password>]] [[-m <mode> -p <password>] -o <old password>] # # -c Check whether password is enabled. # Sets return status of 0 if set, 1 otherwise. # -d Delete current password/mode. # Requires current password on some machines. # -p Set password. # Requires current password on some machines. # -m Set security mode. # Requires current password on some machines. # Mode can be either "full" or "command". # Full mode requires entry of the password on # every boot, command mode only requires entry # of the password if the boot picker is invoked # to select a different boot device. # # When enabling the Firmware Password for the first # time, both the password and mode must be provided. # Once the firmware password has been enabled, providing # the mode or password alone will change that parameter # only. # # -o Old password. # Only required on certain machines to disable # or change password or mode. Optional, if not # provided the tool will prompt for the password. # ################################################################################ # # imports from argparse import RawTextHelpFormatter import argparse import base64 import configparser import hashlib import inspect import json import logging import os import platform import plistlib import re import socket import subprocess import sys import pexpect import requests class FWPM_Object(object): """ This should not be blank. """ def __init__(self, args, logger, master_version): """ This should not be blank. """ self.args = args self.logger = logger self.master_version = master_version self.srp_path = None self.fwpwd_path = None self.config_options = {} self.local_identifier = None self.passwords_raw = None self.fwpw_managed_string = None self.new_password = None self.other_password_list = [] self.current_fwpw_state = False self.current_fwpm_hash = None self.clean_exit = False self.read_config = False self.read_keyfile = False self.modify_fwpw = False self.modify_nvram = False self.matching_hashes = False self.matching_passwords = False self.configuration_path = None self.system_version = platform.mac_ver()[0].split(".") self.srp_check() self.fwpwd_check() if self.fwpwd_path: self.current_fwpw_state = self.fwpwd_current_state() elif self.srp_path: self.current_fwpw_state = self.srp_current_state() self.injest_config() if self.config_options["slack"]["use_slack"]: self.slack_optionator() self.injest_keyfile() self.hash_current_state() self.hash_incoming() # # What if the string isn't a hash?!? if (self.current_fwpm_hash == self.fwpw_managed_string) and self.config_options["flags"]["management_string_type"] == 'hash': self.matching_hashes = True self.master_control() def master_control(self): """ This should not be blank. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) if self.current_fwpm_hash == self.fwpw_managed_string: if self.logger: self.logger.info("Hashes match. No change required.") else: if self.logger: self.logger.info("Hashes DO NOT match. Change required.") if self.fwpwd_path: self.fwpwd_change() self.secure_delete() elif self.srp_path: self.srp_change() self.secure_delete() else: print("No FW tool found.") quit() # # nvram maintenance # self.nvram_manager() # # some kind of post action reporting. # handle reboot flag here? # self.exit_manager() def hash_current_state(self): """ This should not be blank. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) existing_keyfile_hash = None if self.logger: self.logger.info("Checking existing hash.") try: existing_keyfile_hash_raw = subprocess.check_output(["/usr/sbin/nvram", "-p"]).decode('utf-8') existing_keyfile_hash_raw = existing_keyfile_hash_raw.split('\n') for item in existing_keyfile_hash_raw: if "fwpw-hash" in item: existing_keyfile_hash = item else: self.current_fwpm_hash = None self.current_fwpm_hash = existing_keyfile_hash.split("\t")[1] if self.args.testmode: print("Existing hash: %s" % self.current_fwpm_hash) except: pass def hash_incoming(self): """ This should not be blank. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) if self.logger: self.logger.info("Checking incoming hash.") if self.config_options["flags"]["management_string_type"] == "custom": # # ?!?!?!?!?!?!? # self.fwpw_managed_string = self.config_options["flags"]["management_string_type"] elif self.config_options["flags"]["management_string_type"] == "hash": hashed_key = hashlib.new('sha256') # hashed_key.update(self.passwords_raw.encode('utf-8')) hashed_key.update(self.new_password.encode('utf-8')) for entry in sorted(self.other_password_list): hashed_key.update(entry.encode('utf-8')) self.fwpw_managed_string = hashed_key.hexdigest() # prepend '2:' to denote hash created with v2 of script, will force a password change from v1 self.fwpw_managed_string = '2:' + self.fwpw_managed_string else: self.fwpw_managed_string = None if self.args.testmode: print("Incoming hash: %s" % self.fwpw_managed_string) def secure_delete(self): """ attempts to securely delete the keyfile with medium overwrite and zeroing settings """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) if self.logger: self.logger.info("Deleting keyfile") use_srm = bool(os.path.exists("/usr/bin/srm")) if self.args.testmode: if self.logger: self.logger.info("Test mode, keyfile not deleted.") return if use_srm: try: subprocess.call(["/usr/bin/srm", "-mz", self.config_options["keyfile"]["path"]]) if self.logger: self.logger.info("keyfile deleted successfuly.") except Exception as exception_message: if self.logger: self.logger.critical("Issue with attempt to remove keyfile. %s" % exception_message) else: try: deleted_keyfile = subprocess.call(["/bin/rm", "-Pf", self.config_options["keyfile"]["path"]]) print("return: %r" % deleted_keyfile) if self.logger: self.logger.info("keyfile deleted successfuly.") except Exception as exception_message: if self.logger: self.logger.critical("Issue with attempt to remove keyfile. %s" % exception_message) # is this really needed? if os.path.exists(self.config_options["keyfile"]["path"]): if self.logger: self.logger.critical("Failure to remove keyfile.") else: if self.logger: self.logger.info("Keyfile removed.") return def injest_config(self): """ attempts to consume and format configuration file """ # handle parsing errors in cfg?!? # where to handle looking for cfg in specific locations?!? if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) try: if os.path.exists(self.args.configfile): # firmware_password_manager_cfg_v2.5b8.py:434: DeprecationWarning: The SafeConfigParser class has been renamed to ConfigParser in Python 3.2. This alias will be removed in future versions. Use ConfigParser directly instead. config = configparser.ConfigParser(allow_no_value=True) config.read(self.args.configfile) self.config_options["flags"] = {} self.config_options["keyfile"] = {} self.config_options["logging"] = {} self.config_options["slack"] = {} self.config_options["os"] = {} self.config_options["fwpm"] = {} for section in ["flags", "keyfile", "logging", "slack"]: for item in config.options(section): if "use_" in item: try: self.config_options[section][item] = config.getboolean(section, item) except: self.config_options[section][item] = False elif "path" in item: self.config_options[section][item] = config.get(section, item) else: self.config_options[section][item] = config.get(section, item) if self.args.testmode: print("Configuration file variables:") for key, value in self.config_options.items(): print(key) for sub_key, sub_value in value.items(): print("\t%s %r" % (sub_key, sub_value)) else: if self.logger: self.logger.critical("Issue locating configuration file, exiting.") sys.exit() except Exception as exception_message: if self.logger: self.logger.critical("Issue reading configuration file, exiting. %s" % exception_message) sys.exit() self.read_config = True def sanity_check(self): """ This should not be blank. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) def srp_check(self): """ full setregproptool support later, if ever. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) if os.path.exists('/usr/local/bin/setregproptool'): self.srp_path = '/usr/local/bin/setregproptool' elif os.path.exists(os.path.dirname(os.path.abspath(__file__)) + '/setregproptool'): self.srp_path = os.path.dirname(os.path.abspath(__file__)) + '/setregproptool' else: print("SRP #3a") if self.logger: self.logger.info("SRP path: %s" % self.srp_path) def srp_current_state(self): """ full setregproptool support later, if ever. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) try: existing_fw_pw = subprocess.call([self.srp_path, "-c"]) if self.logger: self.logger.info("srp says %r" % existing_fw_pw) if existing_fw_pw: return False # it's weird, I know. Blame Apple. else: return True except: if self.logger: self.logger.info("ERROR srp says %r" % existing_fw_pw) return False # # # E:451,15: Undefined variable 'CalledProcessError' (undefined-variable) # except CalledProcessError: # if self.logger: # self.logger.info("ERROR srp says %r" % existing_fw_pw) # return False def srp_change(self): """ full setregproptool support later, if ever. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) print("Using srp tool!") print("%r" % self.current_fwpw_state) def fwpwd_check(self): """ This should not be blank. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) if os.path.exists('/usr/sbin/firmwarepasswd'): self.fwpwd_path = '/usr/sbin/firmwarepasswd' else: print("FWPWD #2b") if self.logger: self.logger.info("FWPWD path: %s" % self.fwpwd_path) def fwpwd_current_state(self): """ This should not be blank. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) existing_fw_pw = subprocess.check_output([self.fwpwd_path, "-check"]) # R:484, 8: The if statement can be replaced with 'return bool(test)' (simplifiable-if-statement) # return bool('Yes' in existing_fw_pw) if b'Yes' in existing_fw_pw: return True else: return False def fwpwd_change(self): """ This should not be blank. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) known_current_password = False current_password = '' # is this really needed?!? new_fw_tool_cmd = [self.fwpwd_path, '-verify'] if self.current_fwpw_state: if self.logger: self.logger.info("Verifying current FW password") for index in reversed(range(len(self.other_password_list))): child = pexpect.spawn(' '.join(new_fw_tool_cmd)) child.expect('Enter password:') child.sendline(self.other_password_list[index]) result = child.expect(['Correct', 'Incorrect']) if result == 0: # # correct password, exit loop current_password = self.other_password_list[index] known_current_password = True break else: # # wrong password, keep going continue # # We've discovered the currently set firmware password if known_current_password: # # Deleting firmware password if not self.config_options["flags"]["use_fwpw"]: if self.logger: self.logger.info("Deleting FW password") new_fw_tool_cmd = [self.fwpwd_path, '-delete'] if self.logger: self.logger.info(' '.join(new_fw_tool_cmd)) child = pexpect.spawn(' '.join(new_fw_tool_cmd)) child.expect('Enter password:') child.sendline(current_password) result = child.expect(['removed', 'incorrect']) if result == 0: # # password accepted, log result and exit if self.logger: self.logger.info("Finished. Password should be removed. Restart required. [%i]" % (index + 1)) self.clean_exit = True else: if self.logger: self.logger.critical("Asked to delete, current password not accepted. Exiting.") # secure_delete_keyfile(logger, args, config_options) if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Asked to delete, current password not accepted.", '', 'error') # self.error_bot.send_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Asked to delete, current password not accepted.") sys.exit(1) # # Current and new password are identical # # # WAIT. How (is/would) this possible, clearly the hashes don't match!!! What if they aren't using hashes? # # elif current_password == self.new_password: self.matching_passwords = True self.clean_exit = True # # Change current firmware password to new password else: if self.logger: self.logger.info("Updating FW password") new_fw_tool_cmd = [self.fwpwd_path, '-setpasswd'] if self.logger: self.logger.info(' '.join(new_fw_tool_cmd)) child = pexpect.spawn(' '.join(new_fw_tool_cmd)) result = child.expect('Enter password:') if result == 0: pass else: if self.logger: self.logger.error("bad response from firmwarepasswd. Exiting.") self.secure_delete() if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Bad response from firmwarepasswd.", '', 'error') sys.exit(1) child.sendline(current_password) result = child.expect('Enter new password:') if result == 0: pass else: if self.logger: self.logger.error("bad response from firmwarepasswd. Exiting.") self.secure_delete() if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Bad response from firmwarepasswd.", '', 'error') sys.exit(1) child.sendline(self.new_password) result = child.expect('Re-enter new password:') if result == 0: pass else: if self.logger: self.logger.error("bad response from firmwarepasswd. Exiting.") self.secure_delete() if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Bad response from firmwarepasswd.", '', 'error') sys.exit(1) child.sendline(self.new_password) child.expect(pexpect.EOF) child.close() if self.logger: self.logger.info("Updated FW Password.") self.clean_exit = True # # Unable to match current password with contents of keyfile else: if self.logger: self.logger.critical("Current FW password not in keyfile. Quitting.") if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Current FW password not in keyfile.", '', 'error') self.secure_delete() sys.exit(1) # # No current firmware password, setting it else: new_fw_tool_cmd = [self.fwpwd_path, '-setpasswd'] if self.logger: self.logger.info(' '.join(new_fw_tool_cmd)) child = pexpect.spawn(' '.join(new_fw_tool_cmd)) result = child.expect('Enter new password:') print(child.before) if result == 0: pass else: if self.logger: self.logger.error("bad response from firmwarepasswd. Exiting.") self.secure_delete() if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Bad response from firmwarepasswd.", '', 'error') sys.exit(1) child.sendline(self.new_password) result = child.expect('Re-enter new password:') if result == 0: pass else: if self.logger: self.logger.error("bad response from firmwarepasswd. Exiting.") self.secure_delete() if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Bad response from firmwarepasswd.", '', 'error') sys.exit(1) child.sendline(self.new_password) child.expect(pexpect.EOF) child.close() if self.logger: self.logger.info("Added FW Password.") self.clean_exit = True def slack_optionator(self): """ ip, mac, hostname computername serial """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) if self.verify_network(): try: full_ioreg = subprocess.check_output(['ioreg', '-l']).decode('utf-8') serial_number_raw = re.findall('\"IOPlatformSerialNumber\" = \"(.*)\"', full_ioreg) serial_number = serial_number_raw[0] if self.args.testmode: print("Serial number: %r" % serial_number) if self.config_options["slack"]["slack_identifier"].lower() == 'ip' or self.config_options["slack"]["slack_identifier"].lower() == 'mac' or self.config_options["slack"]["slack_identifier"].lower() == 'hostname': processed_device_list = [] # Get ordered list of network devices base_network_list = subprocess.check_output(["/usr/sbin/networksetup", "-listnetworkserviceorder"]).decode('utf-8') network_device_list = re.findall(r'\) (.*)\n\(.*Device: (.*)\)', base_network_list) ether_up_list = subprocess.check_output(["/sbin/ifconfig", "-au", "ether"]).decode('utf-8') for device in network_device_list: device_name = device[0] port_name = device[1] try: if self.args.testmode: print(device_name, port_name) if port_name in ether_up_list: device_info_raw = subprocess.check_output(["/sbin/ifconfig", port_name]).decode('utf-8') mac_address = re.findall('ether (.*) \n', device_info_raw) if self.args.testmode: print("%r" % mac_address) ether_address = re.findall('inet (.*) netmask', device_info_raw) if self.args.testmode: print("%r" % ether_address) if len(ether_address) and len(mac_address): processed_device_list.append([device_name, port_name, ether_address[0], mac_address[0]]) except Exception as this_exception: print(this_exception) if processed_device_list: if self.logger: self.logger.info("1 or more active IP addresses. Choosing primary.") if self.args.testmode: print("Processed devices: ", processed_device_list) if self.config_options["slack"]["slack_identifier"].lower() == 'ip': self.local_identifier = processed_device_list[0][2] + " (" + processed_device_list[0][0] + ":" + processed_device_list[0][1] + ")" elif self.config_options["slack"]["slack_identifier"].lower() == 'mac': self.local_identifier = processed_device_list[0][3] + " (" + processed_device_list[0][0] + ":" + processed_device_list[0][1] + ")" elif self.config_options["slack"]["slack_identifier"].lower() == 'hostname': try: self.local_identifier = socket.getfqdn() except: if self.logger: self.logger.error("error discovering hostname info.") self.local_identifier = serial_number else: if self.logger: self.logger.error("error discovering IP info.") self.local_identifier = serial_number elif self.config_options["slack"]["slack_identifier"].lower() == 'computername': try: cname_identifier_raw = subprocess.check_output(['/usr/sbin/scutil', '--get', 'ComputerName']) self.local_identifier = cname_identifier_raw.split('\n')[0] if self.logger: self.logger.info("Computername: %r" % self.local_identifier) except: if self.logger: self.logger.info("error discovering computername.") self.local_identifier = serial_number elif self.config_options["slack"]["slack_identifier"].lower() == 'serial': self.local_identifier = serial_number if self.logger: self.logger.info("Serial number: %r" % self.local_identifier) else: if self.logger: self.logger.info("bad or no identifier flag, defaulting to serial number.") self.local_identifier = serial_number if self.args.testmode: print("Local identifier: %r" % self.local_identifier) except Exception as this_exception: print(this_exception) self.config_options["slack"]["use_slack"] = False else: self.config_options["slack"]["use_slack"] = False if self.logger: self.logger.info("No network detected.") def slack_message(self, message, icon, type): """ This should not be blank. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) slack_info_channel = False slack_error_channel = False if self.config_options["slack"]["use_slack"] and self.config_options["slack"]["slack_info_url"]: slack_info_channel = True if self.config_options["slack"]["use_slack"] and self.config_options["slack"]["slack_error_url"]: slack_error_channel = True if slack_error_channel and type == 'error': slack_url = self.config_options["slack"]["slack_error_url"] elif slack_info_channel: slack_url = self.config_options["slack"]["slack_info_url"] else: return payload = {'text': message, 'username': 'FWPM ' + self.master_version, 'icon_emoji': ':key:'} response = requests.post(slack_url, data=json.dumps(payload), headers={'Content-Type': 'application/json'}) self.logger.info('Response: ' + str(response.text)) self.logger.info('Response code: ' + str(response.status_code)) def reboot_exit(self): """ This should not be blank. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) def injest_keyfile(self): """ This should not be blank. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) path_to_keyfile_exists = os.path.exists(self.config_options["keyfile"]["path"]) if not path_to_keyfile_exists: if self.logger: self.logger.critical("%r does not exist. Exiting." % self.config_options["keyfile"]["path"]) if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Keyfile does not exist.", '', 'error') sys.exit(2) if self.logger: self.logger.info("Reading password file") if self.config_options["keyfile"]["use_obfuscation"]: # # unobfuscate plist if self.logger: self.logger.info("Reading plist") passwords = [] if "plist" in self.config_options["keyfile"]["path"]: try: keyfile_plist = plistlib.readPlist(self.config_options["keyfile"]["path"]) content_raw = keyfile_plist["data"] except: if self.logger: self.logger.critical("Error reading plist. Exiting.") if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Error reading plist.", '', 'error') sys.exit(1) else: try: with open(self.config_options["keyfile"]["path"], 'r') as reader: content_raw = reader.read() except: if self.logger: self.logger.critical("Error reading plist. Exiting.") if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Error reading plist.", '', 'error') sys.exit(1) content_raw = base64.b64decode(content_raw) content_raw = content_raw.decode('utf-8').split(",") content_raw = [x for x in content_raw if x] output_string = "" for item in content_raw: label, pword = item.split(':') pword = base64.b64decode(pword) try: commented = label.split('#')[1] commented = base64.b64decode(commented) is_commented = True except: is_commented = False if is_commented: output_string = "#" + commented.decode('utf-8') + ":" + pword.decode('utf-8') passwords.append(output_string) else: uncommented = base64.b64decode(label) output_string = uncommented.decode('utf-8') + ":" + pword.decode('utf-8') passwords.append(output_string) else: # # read keyfile if self.logger: self.logger.info("Reading plain text") try: with open(self.config_options["keyfile"]["path"], "r") as keyfile: self.passwords_raw = keyfile.read() passwords = self.passwords_raw.splitlines() except: if self.logger: self.logger.critical("Error reading keyfile. Exiting.") if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Error reading keyfile.", '', 'error') sys.exit(1) if self.logger: self.logger.info("Closed password file") # new_password = None # other_password_list = [] # # parse data from keyfile and build list of passwords for entry in passwords: try: key, value = entry.split(":", 1) except Exception as this_exception: if self.logger: self.logger.critical("Malformed keyfile, key:value format required. %r. Quitting." % this_exception) self.secure_delete() if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Malformed keyfile.", '', 'error') sys.exit(1) if key.lower() == 'new': if self.new_password is not None: if self.logger: self.logger.critical("Malformed keyfile, multiple new keys. Quitting.") self.secure_delete() if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Malformed keyfile.", '', 'error') sys.exit(1) else: self.new_password = value self.other_password_list.append(value) else: self.other_password_list.append(value) if self.logger: self.logger.info("Sanity checking password file contents") if self.new_password is None and self.config_options["flags"]["use_fwpw"]: if self.logger: self.logger.critical("Malformed keyfile, no \'new\' key. Quitting.") self.secure_delete() if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "Malformed keyfile.", '', 'error') sys.exit(1) self.read_keyfile = True try: self.other_password_list.remove(self.new_password) except: pass def nvram_manager(self): """ This should not be blank. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) if self.clean_exit: if not self.config_options["flags"]["use_fwpw"]: try: subprocess.call(["/usr/sbin/nvram", "-d", "fwpw-hash"]) if self.logger: self.logger.info("nvram entry pruned.") if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :unlock:\n" + "FWPW and nvram entry removed.", '', 'info') # # Should we return here? # except Exception as exception_message: if self.logger: self.logger.warning("nvram reported error attempting to remove hash. Exiting. %s" % exception_message) # # Slack? # sys.exit(1) if self.config_options["flags"]["management_string_type"] == "None": try: # ? # existing_keyfile_hash = subprocess.check_output(["/usr/sbin/nvram", "fwpw-hash"]) try: subprocess.call(["/usr/sbin/nvram", "-d", "fwpw-hash"]) if self.logger: self.logger.info("nvram entry pruned.") if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :closed_lock_with_key:\n" + "FWPW updated.", '', 'info') except Exception as exception_message: if self.logger: self.logger.warning("nvram reported error attempting to remove hash. Exiting. %s" % exception_message) sys.exit(1) except: # assuming hash doesn't exist. if self.logger: self.logger.info("Assuming nvram entry doesn't exist.") if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :closed_lock_with_key:\n" + "FWPW updated.", '', 'info') elif self.config_options["flags"]["management_string_type"] == "custom" or self.config_options["flags"]["management_string_type"] == "hash": if self.matching_hashes: if self.matching_passwords: if self.logger: self.logger.info("Hashes and Passwords match. No changes needed.") if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :white_check_mark::white_check_mark:\n" + "FWPM hashes and FW passwords match.", '', 'info') else: if self.logger: self.logger.info("Hashes match, password modified.") if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :white_check_mark::heavy_exclamation_mark:\n" + "FWPM hashes and FW passwords match.", '', 'info') else: try: subprocess.call(["/usr/sbin/nvram", "fwpw-hash=" + self.fwpw_managed_string]) if self.logger: self.logger.info("nvram modified.") except Exception as exception_message: if self.logger: self.logger.warning("nvram modification failed. nvram reported error. %s" % exception_message) # # slack error message? # sys.exit(1) if self.matching_passwords: if self.logger: self.logger.info("Hash mismatch, Passwords match. Correcting hash.") if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :heavy_exclamation_mark: :white_check_mark:\n" + "Hash mismatch, Passwords match. Correcting hash.", '', 'info') else: if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :closed_lock_with_key:\n" + "FWPW and hash updated.", '', 'info') else: if self.logger: self.logger.critical("An error occured. Failed to modify firmware password.") if self.config_options["slack"]["use_slack"]: self.slack_message("_*" + self.local_identifier + "*_ :no_entry:\n" + "An error occured. Failed to modify firmware password.", '', 'error') sys.exit(1) def exit_manager(self): """ This should not be blank. """ if self.logger: self.logger.info("%s: activated" % inspect.stack()[0][3]) # # check the new booleans, etc to find out what we accomplished... # # self.clean_exit = False # # self.read_config = False # self.read_keyfile = False # self.modify_fwpw = False # self.modify_nvram = False # if self.config_options["flags"]["use_reboot_on_exit"]: if self.args.testmode: if self.logger: self.logger.info("Test mode, cancelling reboot.") else: if self.logger: self.logger.warning("Normal completion. Rebooting.") os.system('reboot') else: if self.logger: self.logger.info("FWPM exiting normally.") sys.exit(0) def verify_network(self): """ Host: 8.8.8.8 (google-public-dns-a.google.com) OpenPort: 53/tcp Service: domain (DNS/TCP) """ try: _ = requests.get("https://8.8.8.8", timeout=3) return True except requests.ConnectionError as exception_message: print(exception_message) return False def main(): """ This should not be blank. """ master_version = "2.5" logo = """ /_ _/ /_ _/ University of Utah _/ _/ Marriott Library _/ _/ Mac Group _/ _/ https://apple.lib.utah.edu/ _/_/ https://github.com/univ-of-utah-marriott-library-apple """ desc = "Manages the firmware password on Apple Macintosh computers." # # require root to run. if os.geteuid(): print("Must be root to run script.") sys.exit(2) # # parse option definitions parser = argparse.ArgumentParser(description=logo+desc, formatter_class=RawTextHelpFormatter) # # required, mutually exclusive commands prime_group = parser.add_argument_group('Required management settings', 'Choosing one of these options is required to run FWPM. They tell FWPM how you want to manage the firmware password.') subprime = prime_group.add_mutually_exclusive_group(required=True) subprime.add_argument('-c', '--configfile', help='Read configuration file') parser.add_argument('-b', '--reboot', action="store_true", default=False, help='Reboots the computer after the script completes successfully.') parser.add_argument('-t', '--testmode', action="store_true", default=False, help='Test mode. Verbose logging, will not delete keyfile.') parser.add_argument('-v', '--version', action='version', version='%(prog)s ' + master_version) args = parser.parse_args() if args.testmode: print(args) # # Open log file try: log_path = '/var/log/' + 'FWPW_Manager_' + master_version logging.basicConfig(filename=log_path, level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s') logger = logging.getLogger(__name__) logger.info("Running Firmware Password Manager " + master_version) except: logger = None FWPM_Object(args, logger, master_version) if __name__ == '__main__': main()