MacOS

Adding Verbal Warnings and Time Quotas Configurable by Account for Forced Logouts in Programmatic MacOS Parental Controls

john

Building upon the original Restoring Forced Logouts Removed from MacOS Parental Controls, the original refinements, and the New Year updates to them, I have since added code to add the following features.

  1. Give two verbal warnings about (approximate) time remaining before forced logout; and
  2. Make the minutes allowed per day a configurable property which can be customized for individual accounts.

The first was added as a courtesy to our boys. The second was added to allow cutting back or eliminating hours for each boy individually if they didn’t complete their list of basic daily tasks to be done to be allowed the full amount of computer time for the following day, or to increase it for sick days and the like. Making it a property also allows changing it on the fly, without having to alter the code, and also eliminates some very inconvenient hard-coded values.

The properties were added to the end of the application.properties file. At the same time, I added a missing JPA hibernate dialect property that was needed to get the application to work properly with my MariaDB instance.

spring.jpa.properties.hibernate.dialect = org.hibernate.dialect.MySQLDialect
# Map properties
users.minutes.[kid-login-1]=60
users.minutes.[kid-login-2]=60

Here, [kid-login-1] and [kid-login-2] are the login ID’s for our boys. The default (for us) values of 60 minutes are set for both accounts.

These properties are mapped to a new ConfigProperties.java class in the model package for the application, which looks like the following.

package biz.noip.johnwatne.logtimer.model;

import java.util.Map;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;

@Configuration
@ConfigurationProperties(prefix = "users")
public class ConfigProperties {
    private Map<String, Long> minutes;

    public Map<String, Long> getMinutes() {
        return minutes;
    }

    public void setMinutes(Map<String, Long> minutes) {
        this.minutes = minutes;
    }
}

We see that the “users” prefix in the “ConfigurationProperties” annotation for the class indicates that those properties in the application.properties file that start with “users.” specify values to use within this configuration class. The configuration class contains a single attribute, “minutes” which maps String values for login IDs to Long values for minutes per day allowed. This ties to the users.minutes.[username]=[minutes] properties in the file. The username part of the property is added as a key to the Map, and the value assigned to the property is set to the corresponding value in the Map.

With the new ConfigProperties class and corresponding properties added, the remaining changes were made to the LogtimerRunner class.

First, the ConfigProperties bean needed to be added as an attribute in LogtimerRunner as follows:

    @Autowired
    private ConfigProperties configProperties;

Then, the logoutIfKidLoggedInTooLong method was modified to

  1. replace the switch statement with hard-coded cases for each child’s name with an iteration of all properties defined in ConfigProperties.getMinutes(), and
  2. Add a new call to the standard MacOS “say” command to notify of time left when there are 10 or fewer minutes left until the forced logout.

The updated method is as follows.

    /**
     * Logs out the specified user if
     * <ol>
     * <li>they are a named child within the family, and</li>
     * <li>the number of minutes they have been logged in exceeds the maximum
     * limit.</li>
     * </ol>
     *
     * @param user
     *            the user whose login time is being checked.
     * @param minutes
     *            the number of minutes the user has been logged in.
     * @throws IOException
     *             if an I/O error occurs.
     * @throws InterruptedException
     *             if an thread is interrupted.
     */
    public void logoutIfKidLoggedInTooLong(final String user,
            final long minutes) throws IOException, InterruptedException {
        if (configProperties != null) {
            final Map<String, Long> map = configProperties.getMinutes();

            if (map != null) {
                Long maxMinutes = map.getOrDefault(user, null);

                if (maxMinutes != null) {
                    LOGGER.debug("maxMinutes for " + user + ": " + maxMinutes
                            + "; minutes: " + minutes);

                    if (minutes > Math.max(maxMinutes - 1, 0)) {
                        LOGGER.info("Logging out user " + user);
                        ProcessBuilder processBuilder = new ProcessBuilder(
                                "/bin/sh", "-c", "./logout-user.sh " + user);
                        processBuilder.directory(new File("/Users/John"));
                        Process process = processBuilder.start();

                        try (final BufferedReader reader =
                                new BufferedReader(new InputStreamReader(
                                        process.getInputStream()))) {
                            String line;

                            while ((line = reader.readLine()) != null) {
                                LOGGER.info(line);
                            }

                            LOGGER.debug(Integer.toString(process.waitFor()));
                        }
                    } else if (minutes > Math.max(maxMinutes - 11, 0)) {
                        final long minutesToGo = maxMinutes - minutes;
                        final String notification = "Logging out user " + user
                                + " in about " + minutesToGo + " minutes";
                        LOGGER.info(notification);
                        ProcessBuilder processBuilder = new ProcessBuilder(
                                "/bin/sh", "-c", "say '" + notification + "'");
                        Process process = processBuilder.start();
                        LOGGER.debug(Integer.toString(process.waitFor()));
                    }
                } else {
                    LOGGER.debug("Time limits not enforced for user " + user);
                }
            }
        } else {
            LOGGER.error("ERROR!! UNABLE TO READ CONFIGURATION PROPERTIES");
        }
    }

I also fixed an off-by-one error in checking the count of login processes for each user in the following method. The value of getCountOfLoginProcessesForUser(persistedLogin.getUsername()) is now checked if < 1, rather than < 2.

    /**
     * Sets the logout time for users no longer logged in, if not already set,
     * to the specified logout time.
     *
     * @throws IOException
     *             if an I/O error occurs.
     */
    private void setLogoutTimesForUsersNotLoggedIn() throws IOException {
        // Do final pass, setting logout times for users no longer logged in.
        for (Logins persistedLogin : loginsRepository.findAll()) {
            if ((persistedLogin.getLogout() == null)
                    && (getCountOfLoginProcessesForUser(
                            persistedLogin.getUsername()) < 1)) {
                // User logged out but not yet indicated as such, so set logout
                // time to now.
                LOGGER.info("*** " + persistedLogin.getUsername()
                        + " logged out; setting logout to now");
                persistedLogin.setLogout(LocalDateTime.now());
                loginsRepository.save(persistedLogin);
                LOGGER.info("*** Record updated: " + persistedLogin);
            }
        }
    }

Finally, to reduce the amount of logging by eliminating info-level logging I had used during initial development, I changed the calculation of lines read from the BufferedReader for the results of the call to get the count of login processes for user in the method getCountOfLoginProcessesForUser(final String user). I removed the logging of each line of output by simplifying

lines = reader.lines().peek(e -> LOGGER.info(e)).count();

to

lines = reader.lines().count();

I hope there might be others who might find these changes to add flexibility to the program helpful. I may consider adding this to GitHub at some point.

Further New Year Updates for Forced Logouts in Programmatic MacOS Parental Controls

john

Early this January, 2022, Sara and I noticed that it seemed like the boys could stay on the computer much longer than what the forced time quotas my refined program enforced. Investigating the code revealed something I should have anticipated, having been part of a “Y2K readiness team” earlier in my career.

The problem was that my “UserLoginTime” objects were obtained given the output from the bash shell’s “who” command, which only shows the login time for users using a two-digit month and two-digit day, but no year. When I constructed UserLoginTimes that were holdovers from old logins at the end of December 2021, the code was assuming that it was December of the current year – nearly a year in  the future. So, when checking whether the total time online for the boys was greater than the specified value, the code was subtracting a future date and time from the current date and time, resulting in a negative “elapsed time”, thus never timing out.

The original code for the constructor, with the error of always assuming the login date was in the current year, was as follows.

 

    /**
     * Constructs a UserLoginTime for the information in the passed line from
     * &quot;who&quot; output.
     *
     * @param line
     *            a line of output from the MacOS / BSD &quot;who&quot; command.
     */
    public UserLoginTime(final String line) {
        final LocalDateTime now = LocalDateTime.now();
        final int year = now.getYear();
        final String[] split = line.split("[\\s]+");
        this.setUser(split[0]);
        this.setTty(split[1]);
        final StringBuilder builder = new StringBuilder();
        builder.append(year);

        for (int i = 2; (i < Math.min(split.length, 5)); i++) {
            builder.append(" ");
            builder.append(split[i]);
        }

        this.setLoginTime(
                LocalDateTime.parse(builder.toString(), DATE_TIME_FORMATTER));
    }

To fix the problem, I simply subtract a year from the originally calculated login date, by adding the following to the end of the constructor, after the initial call to setLoginTime(…) that previously ended the constructor code, as follows:

        // Check for change of year.
        final LocalDateTime originalLoginTime = this.getLoginTime();

        if (originalLoginTime.isAfter(now)) {
            LOGGER.warn("originalLoginTime: "
                    + originalLoginTime.format(DATE_TIME_FORMATTER));
            this.setLoginTime(originalLoginTime.minusYears(1L));
            LOGGER.warn("adjusted login time: "
                    + this.getLoginTime().format(DATE_TIME_FORMATTER));
        }

I suppose that, if I wanted to cover all possibilities, I would use a while loop and keep subtracting a year from the login time until the result of calling it’s “isAfter(now)” method was false. However, the kids’ login accounts would never be logged in for a span covering more than two calendar years. With power outages, OS updates, and reboots either to clear problems or to boot up an older version of MacOS to allow the boys to play an old 32-bit game, the computer wouldn’t stay online that long anyway.

One final refinement I needed to make was to handle the case where my program was unable to connect to the database, in which case it was throwing Exceptions upon startup, and never doing any kind of check. I added some code to the main application to call an alternate method if an Exception was thrown when starting up the application, by adding the Exception handling block shown below, added to the LogtimerApp’s main method.

    public static void main(final String[] args) {
        try {
            SpringApplication.run(LogtimerApp.class, args);
        } catch (final Exception e) {
            LOGGER.error(
                    "Unable to run LogtimerApp application; attempt to check logins without using database.",
                    e);
            LogtimerRunner.checkCurrentLoginsOnly();
        }
    }

I then added the following code to LogtimerRunner, recycling code I had used on the early version of the program that did not store history in the database, requiring the first refinement.

    /**
     * Fallback method to check only the currently logged in sessions, to be
     * called when unable to obtain a database connection on startup.
     */
    public static void checkCurrentLoginsOnly() {
        LOGGER.info("*** checkCurrentLoginsOnly ***");
        LogtimerRunner runner = new LogtimerRunner();

        try {
            Map<String, List<UserLoginTime>> userLogins;
            userLogins = runner.getUserLogins();

            if (userLogins != null) {
                LogtimerRunner.checkCurrentLogins(userLogins);
            }
        } catch (final Exception e) {
            LOGGER.error("Error checking current logins", e);
        }
    }

    /**
     * Check the given Map of users to Lists of user login times and log out
     * those who have exceeded their quota.
     *
     * @param userLogins
     *            a Map of Lists of login times for each user.
     */
    public static void checkCurrentLogins(
            final Map<String, List<UserLoginTime>> userLogins) {
        LOGGER.debug("*** User login lists ****");
        final LocalDateTime now = LocalDateTime.now();

        for (final Entry<String, List<UserLoginTime>> entry : userLogins
                .entrySet()) {
            final String user = entry.getKey();
            final List<UserLoginTime> loginsForUser = entry.getValue();
            final UserLoginTime lastLoginForUser =
                    Collections.max(loginsForUser);
            LOGGER.info("*** Maximum login: " + lastLoginForUser);
            final LocalDateTime fromTemp =
                    LocalDateTime.from(lastLoginForUser.getLoginTime());
            final long minutes = fromTemp.until(now, ChronoUnit.MINUTES);
            LOGGER.debug("Elapsed time: " + minutes + " minutes");

            try {
                (new LogtimerRunner()).logoutIfKidLoggedInTooLong(user,
                        minutes);
            } catch (final IOException e) {
                LOGGER.error("I/O error", e);
            } catch (final InterruptedException e) {
                LOGGER.warn("Thread interrupted", e);
            }
        }
    }

I hope readers may find this information helpful, either if using this program, or to offer some ideas if they find themselves running into similar problems with other programs they maintain.

Refining Forced Logouts in Programmatic MacOS Parental Controls

john

It did not take long for the more math- and computer-oriented of our twin sons to figure out the loophole I mentioned at the end of my original post, “Restoring Forced Logouts Removed from MacOS Parental Controls“:

Crafty minds can probably already spot one loophole with how this works. The kids will only get logged out from their current session if the current session has been an hour or more. There is nothing checking their usage for the day. So, if they want to get the most time, they could log in for, say, 50 minutes, and then log in a few minutes later for another 50 minutes or so, and so forth. The fix will involve a more complex refinement. I think I will need to create a small database of total minutes logged in per day and user (for the monitored kids, not the adults), and add 5 minutes for every time they show up as being logged in by the every-5-minute-run of LogTimerApp. Then, if the total time for the day hits the hour limit, then do the logout.

So, I went ahead and put together the more complex refinement. First, I made a new database, creatively named “logintimes”, on my home MariaDB database server. It now contains a single table, with the similarly creative name “logins”, structured as follows.

CREATE TABLE `logins` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(15) NOT NULL,
  `login` timestamp NOT NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(),
  `logout` timestamp NULL DEFAULT NULL,
  PRIMARY KEY (`id`)
)

[Hint: on MySQL and MariaDB, you can recreate this statement by using this command.]

SHOW CREATE TABLE <table-name>

Having created the database to be used, I added the following dependency to the pom.xml file needed to work with it. Note that this is MariaDB-specific; similar dependencies can be found for different DataBase Management Systems (DBMS).

        <dependency>
            <groupId>org.mariadb.jdbc</groupId>
            <artifactId>mariadb-java-client</artifactId>
            <version>2.7.3</version>
        </dependency>

Having created a database table to keep track of logins, I needed to create a corresponding model Object to map to it. I created a new “model” package and added the following code to it:

package biz.noip.johnwatne.logtimer.model;

import java.io.Serializable;
import java.time.LocalDateTime;
import java.util.Objects;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;

/**
 * A representation of the login and, if applicable, logout time for a computer
 * user.
 *
 */
@Entity
@Table(name = "logins")
public class Logins implements Serializable {
    private static final long serialVersionUID = 1L;
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    private String username;
    private LocalDateTime login;
    private LocalDateTime logout;

    public Logins(final String username, final LocalDateTime login) {
        this.username = username;
        this.login = login;
    }

    /**
     * Default constructor - not used.
     */
    protected Logins() {

    }

    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public LocalDateTime getLogin() {
        return login;
    }

    public void setLogin(LocalDateTime login) {
        this.login = login;
    }

    public LocalDateTime getLogout() {
        return logout;
    }

    public void setLogout(LocalDateTime logout) {
        this.logout = logout;
    }

    @Override
    public int hashCode() {
        return Objects.hash(id, login, username);
    }

    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null) {
            return false;
        }
        if (getClass() != obj.getClass()) {
            return false;
        }
        Logins other = (Logins) obj;
        return Objects.equals(id, other.id)
                && Objects.equals(login, other.login)
                && Objects.equals(username, other.username);
    }

    @Override
    public String toString() {
        return "Logins [getId()=" + getId() + ", getUsername()=" + getUsername()
                + ", getLogin()=" + getLogin() + ", getLogout()=" + getLogout()
                + "]";
    }

}

With the model object created, I then needed to create an object containing the queries to get information I needed. I have worked extensively with Hibernate-specific and JPA / JPQL style queries in the past, but thought I would take this opportunity to familiarize myself a tiny bit with Spring Data. I found that it is possible to create just an interface that extends Spring Data’s CrudRepository<T, ID extends Serializable> interface, with the methods annotated with the appropriate JPA query, using far fewer lines of code than either the Hibernate or JPA DAOs I have written in the past. I created a new “repository” package and added my “LoginsRepository” class to it, consisting of the following for the four queries it needed to implement.

package biz.noip.johnwatne.logtimer.repository;

import java.time.LocalDateTime;
import java.util.List;

import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.repository.query.Param;

import biz.noip.johnwatne.logtimer.model.Logins;

public interface LoginsRepository extends CrudRepository<Logins, Long> {
    List<Logins> findByUsername(final String username);

    @Query("select l from Logins l where l.username = :username and l.login = :login")
    List<Logins> findByUsernameAndLogin(@Param("username") String username,
            @Param("login") LocalDateTime login);

    @Query("select l from Logins l where l.username = :username and l.login between :start and :end")
    List<Logins> findByUsernameAndLoginDay(@Param("username") String username,
            @Param("start") LocalDateTime start,
            @Param("end") LocalDateTime end);

    @Query("select l from Logins l where l.login < CURRENT_DATE")
    List<Logins> findLoggedInBeforeToday();

}

The one method not annotated with an “@Query(…)” annotation, findByUsername(String username), did not require it because, since Logins only contains one String attribute named login, Spring Data is smart enough to recognize the single attribute of the given type, matching the parameter name specified, and generate the query automatically. I found that very impressive.

Next, I replaced the last line of code within the LogtimerApp.checkLoginTimes(userLogins) method with the following, so that a logout would be attempted only if at least one process is found for the user.

            // Get number of lines in list returned from "ps -u username" call.
            final ProcessBuilder processBuilder =
                    new ProcessBuilder("/bin/sh", "-c", "ps -u " + user);
            final Process process = processBuilder.start();
            int lines = 0;

            try (final BufferedReader reader = new BufferedReader(
                    new InputStreamReader(process.getInputStream()))) {
                while ((reader.readLine()) != null) {
                    lines++; // Another line read from file.
                }
            }

            if (lines > 1) {
                // More than header line, so actually running process.
                logoutIfKidLoggedInTooLong(user, minutes);
            } else {
                LOGGER.debug("No processes for user " + user
                        + "; already logged out.");
            }

Next, I worked on persisting the user history of logins, and counting the minutes of usage for the current day. I moved most of the code from LogTimerApp to a new service, LogtimerRunner, which implements Spring’s CommandLineRunner interface, which means that it is

a bean [that] should run when it is contained within a SpringApplication

Spring Boot Javadocs

The code is as follows.

package biz.noip.johnwatne.logtimer.service;

import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.stereotype.Service;

import biz.noip.johnwatne.logtimer.UserLoginTime;
import biz.noip.johnwatne.logtimer.model.Logins;
import biz.noip.johnwatne.logtimer.repository.LoginsRepository;

/**
 * Service that does the work for the LogtimerApp.
 *
 * @author John Watne
 *
 */
@Service
public class LogtimerRunner implements CommandLineRunner {
    private static final String [KID1] = "[kid1]";
    private static final String [KID2] = "[kid2]";
    private static final Logger LOGGER =
            LogManager.getLogger(LogtimerRunner.class);
    private static final DateTimeFormatter DATE_TIME_FORMATTER =
            DateTimeFormatter.ofPattern("yyyy MMM d HH:mm");

    @Autowired
    private LoginsRepository loginsRepository;

    @Override
    public void run(String... args) throws Exception {
        try {
            final Map<String, List<UserLoginTime>> userLogins =
                    this.getUserLogins();

            if (userLogins != null) {
                this.checkLoginTimes(userLogins);
            }
        } catch (final Exception e) {
            LOGGER.error("Error checking logout times or logging out user", e);
        }
    }

    /**
     * Checks the time logged in for the most recent login for each user.
     *
     * @param userLogins
     *            Lists of login times for each user.
     * @throws IOException
     *             if an I/O error occurs.
     * @throws InterruptedException
     *             if a thread is interrupted.
     */
    private void
            checkLoginTimes(final Map<String, List<UserLoginTime>> userLogins)
                    throws IOException, InterruptedException {
        LOGGER.debug("*** User login lists ****");
        final LocalDateTime now = LocalDateTime.now();
        LOGGER.info("*** now: " + now.format(DATE_TIME_FORMATTER));
        final LocalDateTime startOfDay = LocalDateTime.of(now.getYear(),
                now.getMonthValue(), now.getDayOfMonth(), 0, 0);
        LOGGER.info(
                "*** startOfDay: " + startOfDay.format(DATE_TIME_FORMATTER));
        final LocalDateTime endOfDay = startOfDay.plusDays(1);
        LOGGER.info("*** endOfDay: " + endOfDay.format(DATE_TIME_FORMATTER));
        deleteDataFromBeforeToday();

        for (final Entry<String, List<UserLoginTime>> entry : userLogins
                .entrySet()) {
            final String user = entry.getKey();
            LOGGER.info("*** user: " + user);

            for (Logins login : loginsRepository.findByUsername(user)) {
                LOGGER.info(login);
            }

            LocalDateTime lastLoginTime =
                    checkPersistedLogins(startOfDay, entry);
            // Get number of lines in list returned from system call to get
            // number of "login" processes for user.
            long lines = getCountOfLoginProcessesForUser(user);

            if (lines < 1) {
                setLogoutForUserWithNoProcesses(user, lastLoginTime);
            } else {
                countMinutesOfUseForDayAndLogoutIfChildExceededMax(now,
                        startOfDay, endOfDay, user);
            }
        }

        setLogoutTimesForUsersNotLoggedIn();
    }

    /**
     * Checks current list of users against persisted information, updating
     * persisted information as needed.
     *
     * @param startOfDay
     *            midnight of the current day.
     * @param entry
     *            the List of UserLoginTimes for the specified username.
     * @return the most recent login time for the user.
     */
    private LocalDateTime checkPersistedLogins(final LocalDateTime startOfDay,
            final Entry<String, List<UserLoginTime>> entry) {
        final String user = entry.getKey();
        final List<UserLoginTime> loginsForUser = entry.getValue();
        final UserLoginTime lastLoginForUser = Collections.max(loginsForUser);
        LOGGER.info("*** Maximum login: " + lastLoginForUser);

        // Check for persisted logins for user.
        LocalDateTime lastLoginTime = lastLoginForUser.getLoginTime();

        for (UserLoginTime loginTime : loginsForUser) {
            final LocalDateTime time = loginTime.getLoginTime();
            List<Logins> usernameAndLogin =
                    loginsRepository.findByUsernameAndLogin(user, time);

            if ((time.isAfter(startOfDay)) && ((usernameAndLogin == null)
                    || usernameAndLogin.isEmpty())) {
                // Need to create new entry.
                Logins newLogin = new Logins(user, time);
                newLogin = loginsRepository.save(newLogin);
                usernameAndLogin.add(newLogin);
            }

            for (Logins logins : usernameAndLogin) {
                // Check if the logout is null and, if the login is not the
                // lastLoginForUser, set logout to now.
                if ((logins.getLogout() == null)
                        && (logins.getLogin().isBefore(lastLoginTime))) {
                    LOGGER.info("*** Setting logout to now");
                    logins.setLogout(LocalDateTime.now());
                    loginsRepository.save(logins);
                }

                LOGGER.info(logins);
            }
        }

        return lastLoginTime;
    }

    /**
     * Sets logout time to now for the specified user, who has no processes
     * running.
     *
     * @param user
     *            a user who has no running processes.
     * @param lastLoginTime
     *            the last time the user logged in.
     */
    private void setLogoutForUserWithNoProcesses(final String user,
            LocalDateTime lastLoginTime) {
        // Only header line, so not running any process.
        final LocalDateTime fromTemp = LocalDateTime.from(lastLoginTime);
        LOGGER.debug("No processes for user " + user + "; already logged out.");
        for (Logins logins : loginsRepository.findByUsernameAndLogin(user,
                fromTemp)) {
            if (logins.getLogout() == null) {
                // Set logout to current time.
                logins.setLogout(LocalDateTime.now());
            }
        }
    }

    /**
     * Counts the minutes the specified user has been logged in today and, if
     * the user is one of the tracked children and they have exceeded their max
     * for the day, logs them out.
     *
     * @param now
     *            Current date/time; used to calculate minutes of usage.
     * @param startOfDay
     *            midnight of the current day.
     * @param endOfDay
     *            midnight at the end of the current day.
     * @param user
     *            the user whose minutes of usage are being calculated.
     * @throws IOException
     *             if an I/O error occurs.
     * @throws InterruptedException
     *             if a thread is interrupted.
     */
    private void countMinutesOfUseForDayAndLogoutIfChildExceededMax(
            final LocalDateTime now, final LocalDateTime startOfDay,
            final LocalDateTime endOfDay, final String user)
            throws IOException, InterruptedException {
        LOGGER.info("*** Counting minutes");
        long minutes = 0;

        for (Logins logins : this.loginsRepository
                .findByUsernameAndLoginDay(user, startOfDay, endOfDay)) {
            LOGGER.info(logins);
            final LocalDateTime logout = logins.getLogout();

            if (logout == null) {
                // Not yet logged out; current session.
                minutes += logins.getLogin().until(now, ChronoUnit.MINUTES);
            } else {
                minutes += logins.getLogin().until(logout, ChronoUnit.MINUTES);
            }

            LOGGER.info("*** updated minutes: " + minutes);
        }

        LOGGER.info("*** Total minutes for user " + user + ": " + minutes);
        logoutIfKidLoggedInTooLong(user, minutes);
    }

    /**
     * Sets the logout time for users no longer logged in, if not already set,
     * to the specified logout time.
     *
     * @throws IOException
     *             if an I/O error occurs.
     */
    private void setLogoutTimesForUsersNotLoggedIn() throws IOException {
        // Do final pass, setting logout times for users no longer logged in.
        for (Logins persistedLogin : loginsRepository.findAll()) {
            if ((persistedLogin.getLogout() == null)
                    && (getCountOfLoginProcessesForUser(
                            persistedLogin.getUsername()) < 2)) {
                // User logged out but not yet indicated as such, so set logout
                // time to now.
                LOGGER.info("*** " + persistedLogin.getUsername()
                        + " logged out; setting logout to now");
                persistedLogin.setLogout(LocalDateTime.now());
                loginsRepository.save(persistedLogin);
                LOGGER.info("*** Record updated: " + persistedLogin);
            }
        }
    }

    /**
     * Deletes database records for logins before today. Assumes kids not
     * allowed to be logged in over midnight hour.
     */
    private void deleteDataFromBeforeToday() {
        LOGGER.info("*** old logins: ");
        List<Logins> oldLogins = loginsRepository.findLoggedInBeforeToday();

        for (Logins oldLogin : oldLogins) {
            LOGGER.info(oldLogin);
        }

        if (!oldLogins.isEmpty()) {
            reEnableLoginsForKidsAccountsDisabledBeforeToday(oldLogins);
            LOGGER.info("*** deleting old logins");
            loginsRepository.deleteAll(oldLogins);
            List<Logins> updatedList =
                    loginsRepository.findLoggedInBeforeToday();
            LOGGER.info("*** All deleted? "
                    + ((updatedList == null) || (updatedList.isEmpty())));
        }
    }

    /**
     * Re-enables login accounts for kids whose accounts may have been disabled
     * by a call to the script forcing a logout before today's date.
     *
     * @param oldLogins
     *            a List of Logins for users logged in before today.
     */
    private void reEnableLoginsForKidsAccountsDisabledBeforeToday(
            final List<Logins> oldLogins) {
        oldLogins.stream().map(Logins::getUsername).distinct()
                .filter(p -> (KID2.equals(p) || KID1.equals(p)))
                .forEach(u -> {
                    try {
                        reEnableLoginForUser(u);
                    } catch (IOException e) {
                        LOGGER.error("IOException thrown", e);
                    } catch (InterruptedException e) {
                        LOGGER.error("InterruptedException thrown", e);
                    }
                });
    }

    /**
     * Re-enables the login account for the specified username.
     *
     * @param username
     *            the username for the account to be re-enabled.
     * @throws IOException
     *             if an I/O error occurs.
     * @throws InterruptedException
     *             if a thread is interrupted.
     */
    private void reEnableLoginForUser(final String username)
            throws IOException, InterruptedException {
        LOGGER.info("Restoring login for user " + username);
        ProcessBuilder processBuilder = new ProcessBuilder("/bin/sh", "-c",
                "./restore-login.sh " + username);
        processBuilder.directory(new File("/Users/John"));
        Process process = processBuilder.start();

        try (final BufferedReader reader = new BufferedReader(
                new InputStreamReader(process.getInputStream()))) {
            String line;

            while ((line = reader.readLine()) != null) {
                LOGGER.info(line);
            }

            LOGGER.debug(process.waitFor());
        }
    }

    /**
     * Returns the number of processes containing the word &quot;login&quot; for
     * the specified user.
     *
     * @param user
     *            the unique username for the user whose process count is
     *            sought.
     * @return the number of processes containing the word &quot;login&quot; for
     *         the specified user.
     * @throws IOException
     *             if an I/O error occurs.
     */
    private long getCountOfLoginProcessesForUser(final String user)
            throws IOException {
        long lines = 0;
        final ProcessBuilder processBuilder = new ProcessBuilder("/bin/sh",
                "-c", "ps aux | grep login | grep -v grep | grep -i ^" + user);
        Process loginCountProcess = processBuilder.start();

        try (final BufferedReader reader = new BufferedReader(
                new InputStreamReader(loginCountProcess.getInputStream()))) {
            lines = reader.lines().peek(e -> LOGGER.info(e)).count();
        }

        LOGGER.info("*** countOfLoginProcessesForUser: " + lines);
        return lines;
    }

    /**
     * Logs out the specified user if
     * <ol>
     * <li>they are a named child within the family, and</li>
     * <li>the number of minutes they have been logged in exceeds the maximum
     * limit.</li>
     * </ol>
     *
     * @param user
     *            the user whose login time is being checked.
     * @param minutes
     *            the number of minutes the user has been logged in.
     * @throws IOException
     *             if an I/O error occurs.
     * @throws InterruptedException
     *             if an thread is interrupted.
     */
    private void logoutIfKidLoggedInTooLong(final String user,
            final long minutes) throws IOException, InterruptedException {
        switch (user) {
        case KID2:
        case KID1:
            if (minutes > 59) {
                LOGGER.info("Logging out user " + user);
                ProcessBuilder processBuilder = new ProcessBuilder("/bin/sh",
                        "-c", "./logout-user.sh " + user);
                processBuilder.directory(new File("/Users/John"));
                Process process = processBuilder.start();

                try (final BufferedReader reader = new BufferedReader(
                        new InputStreamReader(process.getInputStream()))) {
                    String line;

                    while ((line = reader.readLine()) != null) {
                        LOGGER.info(line);
                    }

                    LOGGER.debug(process.waitFor());
                }
            }
            // Consider adding warning when 5-10 minutes left, based on
            // osascript -e 'tell app "System Events" to display dialog "Hello
            // World"'

            break;
        default:
            LOGGER.debug("Time limits not enforced for user " + user);
        }
    }

    /**
     * Returns a Map of Lists of login times for each user.
     *
     * @return a Map of Lists of login times for each user.
     * @throws IOException
     *             if an I/O error occurs.
     * @throws InterruptedException
     *             if a thread is interrupted.
     */
    private Map<String, List<UserLoginTime>> getUserLogins()
            throws IOException, InterruptedException {
        final Map<String, List<UserLoginTime>> userLogins = new HashMap<>();
        ProcessBuilder processBuilder = new ProcessBuilder("bash", "-c", "who");
        Process process = processBuilder.start();

        try (final BufferedReader reader = new BufferedReader(
                new InputStreamReader(process.getInputStream()))) {
            String line;

            while ((line = reader.readLine()) != null) {
                final UserLoginTime userLoginTime = new UserLoginTime(line);
                LOGGER.debug(userLoginTime);
                final String user = userLoginTime.getUser();
                List<UserLoginTime> list = userLogins.get(user);

                if (list == null) {
                    list = new ArrayList<>();
                    userLogins.put(user, list);
                }

                list.add(userLoginTime);
            }
        }

        LOGGER.debug(process.waitFor());
        return userLogins;
    }

}

With most of the code moved out of it, I converted LogtimerApp to a properly annotated Spring Boot application to make use of the new service. The revised, much simpler application class is as follows.

package biz.noip.johnwatne.logtimer;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

/**
 * Application that checks operating system for logged in users and determines
 * how long they've been logged in for the day. If longer than allowed amount,
 * logs them out. This is designed specifically for a Mac, so no provision is
 * made for Windows commands.
 *
 * @author John Watne
 *
 */
@SpringBootApplication
public class LogtimerApp {
    /**
     * Main method.
     *
     * @param args
     *            command-line arguments; not used.
     */
    public static void main(final String[] args) {
        SpringApplication.run(LogtimerApp.class, args);
    }
}

I added the needed Spring Data database connection information into src/main/resources/application.properties.

spring.datasource.url=jdbc:mariadb://[hostname]:[port]/logintimes
spring.datasource.username=[username]
spring.datasource.password=[password]
spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
hibernate.id.new_generator_mappings=false

I added to the pom.xml file the dependencies I needed and removed some no longer used, and made some fixes to use slf4j logging, implemented by log4j 2. The latter change also involved renaming src/main/resources/log4j2.xml to log4j2-spring.xml, to let Spring find it automatically. The revised pom.xml file is as follows.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.5.2</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>
    <groupId>johnwatne</groupId>
    <artifactId>logtimer</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>logtimer</name>
    <description>Kid's computer usage monitor and logout tool</description>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-logging</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-log4j2</artifactId>
        </dependency>
        <dependency>
            <groupId>org.mariadb.jdbc</groupId>
            <artifactId>mariadb-java-client</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>versions-maven-plugin</artifactId>
                <configuration>
                    <generateBackupPoms>false</generateBackupPoms>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <configuration>
                    <release>11</release>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-resources-plugin</artifactId>
                <version>3.1.0</version><!--$NO-MVN-MAN-VER$ -->
            </plugin>
        </plugins>
    </build>
</project>

In case you were wondering about the “reEnableLoginForUser(…)” method added to the LogtimerRunner class, that was a slightly later addition to the code. The same son who spotted the first loophole, thinking as I likely would have in his position, spotted the loophole that the check of login times was done every 5 minutes. So, after being kicked off, he would log right back in and play until the next scheduled check of times. So, after researching a bit on how temporarily to hide user logins from the login window, I added the following to the end of the original logout-user.sh script:

# Temporarily remove login from login window.
echo "$PASS" | sudo -S dscl . create /Users/$1 IsHidden 1

The “IsHidden” flag needs to be reset to 0 [false] by the new script, restore-login.sh, called by the previously mentioned reEnableLoginForUser method. It’s code is as follows.

#!/bin/bash

# See https://brettterpstra.com/2021/04/06/scripting-with-sudo-on-mac/ for technique
# of "Scripting with sudo on Mac".

PASS=$(security find-generic-password -l "[keychain password alias]" -a [sudo username] -w|tr -d '\n')
echo "$PASS" | sudo -S dscl . create /Users/$1 IsHidden 0

The completed code seems to be working quite well. The one glitch remaining is that, even after their accounts are restored, our boys’ accounts don’t show up in the quick user switch menu drop-down. I did attempt to add a five minute warning message, but have yet to figure out a way to get it to work when executed by a call from my program.

I hope readers may find some useful things in this experiment of mine, perhaps just ideas for things to research on your own.