Class: Chef::Provider::User::Dscl
- Inherits:
-
Chef::Provider::User
- Object
- Chef::Provider
- Chef::Provider::User
- Chef::Provider::User::Dscl
- Defined in:
- lib/chef/provider/user/dscl.rb
Overview
The most tricky bit of this provider is the way it deals with user passwords. Mac OS X has different password shadow calculations based on the version. < 10.7 => password shadow calculation format SALTED-SHA1
=> stored in: /var/db/shadow/hash/#{guid}
=> shadow binary length 68 bytes
=> First 4 bytes salt / Next 64 bytes shadow value
10.7 => password shadow calculation format SALTED-SHA512
=> stored in: /var/db/dslocal/nodes/Default/users/#{name}.plist
=> shadow binary length 68 bytes
=> First 4 bytes salt / Next 64 bytes shadow value
> 10.7 => password shadow calculation format SALTED-SHA512-PBKDF2
=> stored in: /var/db/dslocal/nodes/Default/users/#{name}.plist
=> shadow binary length 128 bytes
=> Salt / Iterations are stored separately in the same file
This provider only supports Mac OSX versions 10.7 and above
Constant Summary collapse
- DSCL_PROPERTY_MAP =
A simple map of Chef’s terms to DSCL’s terms.
{ :uid => "uid", :gid => "gid", :home => "home", :shell => "shell", :comment => "realname", :password => "passwd", :auth_authority => "authentication_authority", :shadow_hash => "ShadowHashData", }.freeze
- USER_PLIST_DIRECTORY =
Directory where the user plist files are stored for versions 10.7 and above
"/var/db/dslocal/nodes/Default/users".freeze
Constants included from Mixin::ShellOut
Mixin::ShellOut::DEPRECATED_OPTIONS
Instance Attribute Summary collapse
-
#authentication_authority ⇒ Object
Returns the value of attribute authentication_authority.
-
#password_shadow_conversion_algorithm ⇒ Object
Returns the value of attribute password_shadow_conversion_algorithm.
-
#user_info ⇒ Object
Returns the value of attribute user_info.
Attributes inherited from Chef::Provider::User
Attributes inherited from Chef::Provider
#action, #cookbook_name, #current_resource, #new_resource, #recipe_name, #run_context
Instance Method Summary collapse
-
#check_lock ⇒ Object
This is the interface base User provider requires to provide idempotency.
- #convert_binary_plist_to_xml(binary_plist_string) ⇒ Object
- #convert_to_binary(string) ⇒ Object
-
#create_user ⇒ Object
Provider Actions.
- #current_home_exists? ⇒ Boolean
- #define_resource_requirements ⇒ Object
- #ditto_home ⇒ Object
-
#diverged?(parameter) ⇒ Boolean
Returns true if the system state and desired state is different for given attribute.
-
#diverged_password? ⇒ Boolean
We need a special check function for password since we support both plain text and shadow hash data.
-
#dscl_create_comment ⇒ Object
Saves the specified Chef user ‘comment` into RealName attribute of Mac user.
-
#dscl_create_user ⇒ Object
Create a user using dscl.
-
#dscl_get(user_hash, key) ⇒ Object
Gets a value from user information hash using Chef attributes as keys.
-
#dscl_set(user_hash, key, value) ⇒ Object
Sets a value in user information hash using Chef attributes as keys.
-
#dscl_set_gid ⇒ Object
Sets the group id for the user using dscl.
-
#dscl_set_home ⇒ Object
Sets the home directory for the user.
-
#dscl_set_shell ⇒ Object
Sets the shell for the user using dscl.
-
#dscl_set_uid ⇒ Object
Sets the user id for the user using dscl.
-
#get_free_uid(search_limit = 1000) ⇒ Object
Find the next available uid on the system.
- #load_current_resource ⇒ Object
-
#lock_user ⇒ Object
Locks the user.
-
#locked? ⇒ Boolean
Returns true if the user is locked, false otherwise.
-
#mac_osx_version ⇒ Object
System Helpets.
- #mac_osx_version_10_7? ⇒ Boolean
- #mac_osx_version_greater_than_10_7? ⇒ Boolean
- #mac_osx_version_less_than_10_7? ⇒ Boolean
- #manage_user ⇒ Object
-
#member_of_group?(group_name) ⇒ Boolean
Returns true if user is member of the specified group, false otherwise.
- #move_home ⇒ Object
- #new_home_exists? ⇒ Boolean
- #parameter_updated?(parameter) ⇒ Boolean
-
#prepare_password_shadow_info ⇒ Object
Prepares the password shadow info based on the platform version.
-
#read_user_info ⇒ Object
Reads the user plist and returns a hash keyed with DSCL properties specified in DSCL_PROPERTY_MAP.
-
#remove_user ⇒ Object
Removes the user from the system after removing user from his groups and deleting home directory if needed.
- #run_dscl(*args) ⇒ Object
- #run_plutil(*args) ⇒ Object
- #salted_sha512?(string) ⇒ Boolean
- #salted_sha512_password_match? ⇒ Boolean
- #salted_sha512_pbkdf2?(string) ⇒ Boolean
- #salted_sha512_pbkdf2_password_match? ⇒ Boolean
-
#save_user_info(user_info) ⇒ Object
Saves the given hash keyed with DSCL properties specified in DSCL_PROPERTY_MAP to the disk.
-
#set_password ⇒ Object
Sets the password for the user based on given password parameters.
-
#uid_used?(uid) ⇒ Boolean
Returns true if uid is in use by a different account, false otherwise.
-
#unlock_user ⇒ Object
Unlocks the user.
- #validate_home_dir_specification! ⇒ Object
Methods inherited from Chef::Provider::User
#action_create, #action_lock, #action_manage, #action_modify, #action_remove, #action_unlock, #compare_user, #convert_group_name, #initialize, #whyrun_supported?
Methods included from Mixin::Command
#chdir_or_tmpdir, #handle_command_failures, #output_of_command, #run_command, #run_command_and_return_stdout_stderr, #run_command_with_systems_locale
Methods included from Mixin::Command::Windows
Methods included from Mixin::Command::Unix
Methods inherited from Chef::Provider
#action_nothing, #check_resource_semantics!, #cleanup_after_converge, #converge_by, #converge_if_changed, #events, include_resource_dsl, include_resource_dsl_module, #initialize, #node, #process_resource_requirements, provides, provides?, #requirements, #resource_collection, #resource_updated?, #run_action, #set_updated_status, supports?, use_inline_resources, #whyrun_mode?, #whyrun_supported?
Methods included from Mixin::Provides
#provided_as, #provides, #provides?
Methods included from Mixin::DescendantsTracker
#descendants, descendants, direct_descendants, #direct_descendants, find_descendants_by_name, #find_descendants_by_name, #inherited, store_inherited
Methods included from DeprecatedLWRPClass
#const_missing, #deprecated_constants, #register_deprecated_lwrp_class
Methods included from Mixin::LazyModuleInclude
#descendants, #include, #included
Methods included from Mixin::NotifyingBlock
#notifying_block, #subcontext_block
Methods included from DSL::DeclareResource
#build_resource, #declare_resource, #delete_resource, #delete_resource!, #edit_resource, #edit_resource!, #find_resource, #find_resource!, #with_run_context
Methods included from Mixin::ShellOut
#run_command_compatible_options, #shell_out, #shell_out!, #shell_out_with_systems_locale, #shell_out_with_systems_locale!
Methods included from Mixin::PowershellOut
#powershell_out, #powershell_out!
Methods included from Mixin::WindowsArchitectureHelper
#assert_valid_windows_architecture!, #disable_wow64_file_redirection, #forced_32bit_override_required?, #is_i386_process_on_x86_64_windows?, #node_supports_windows_architecture?, #node_windows_architecture, #restore_wow64_file_redirection, #valid_windows_architecture?, #with_os_architecture, #wow64_architecture_override_required?, #wow64_directory
Methods included from DSL::PlatformIntrospection
#docker?, #platform?, #platform_family?, #value_for_platform, #value_for_platform_family
Constructor Details
This class inherits a constructor from Chef::Provider::User
Instance Attribute Details
#authentication_authority ⇒ Object
Returns the value of attribute authentication_authority.
48 49 50 |
# File 'lib/chef/provider/user/dscl.rb', line 48 def @authentication_authority end |
#password_shadow_conversion_algorithm ⇒ Object
Returns the value of attribute password_shadow_conversion_algorithm.
49 50 51 |
# File 'lib/chef/provider/user/dscl.rb', line 49 def password_shadow_conversion_algorithm @password_shadow_conversion_algorithm end |
#user_info ⇒ Object
Returns the value of attribute user_info.
47 48 49 |
# File 'lib/chef/provider/user/dscl.rb', line 47 def user_info @user_info end |
Instance Method Details
#check_lock ⇒ Object
This is the interface base User provider requires to provide idempotency.
485 486 487 |
# File 'lib/chef/provider/user/dscl.rb', line 485 def check_lock return @locked = locked? end |
#convert_binary_plist_to_xml(binary_plist_string) ⇒ Object
672 673 674 |
# File 'lib/chef/provider/user/dscl.rb', line 672 def convert_binary_plist_to_xml(binary_plist_string) Mixlib::ShellOut.new("plutil -convert xml1 -o - -", :input => binary_plist_string).run_command.stdout end |
#convert_to_binary(string) ⇒ Object
676 677 678 |
# File 'lib/chef/provider/user/dscl.rb', line 676 def convert_to_binary(string) string.unpack("a2" * (string.size / 2)).collect { |i| i.hex.chr }.join end |
#create_user ⇒ Object
Provider Actions
164 165 166 167 168 169 170 171 172 173 174 |
# File 'lib/chef/provider/user/dscl.rb', line 164 def create_user dscl_create_user # set_password modifies the plist file of the user directly. So update # the password first before making any modifications to the user. set_password dscl_create_comment dscl_set_uid dscl_set_gid dscl_set_home dscl_set_shell end |
#current_home_exists? ⇒ Boolean
314 315 316 |
# File 'lib/chef/provider/user/dscl.rb', line 314 def current_home_exists? ::File.exist?("#{current_resource.home}") end |
#define_resource_requirements ⇒ Object
53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 |
# File 'lib/chef/provider/user/dscl.rb', line 53 def define_resource_requirements super requirements.assert(:all_actions) do |a| a.assertion { mac_osx_version_less_than_10_7? == false } a.(Chef::Exceptions::User, "Chef::Provider::User::Dscl only supports Mac OS X versions 10.7 and above.") end requirements.assert(:all_actions) do |a| a.assertion { ::File.exists?("/usr/bin/dscl") } a.(Chef::Exceptions::User, "Cannot find binary '/usr/bin/dscl' on the system for #{new_resource}!") end requirements.assert(:all_actions) do |a| a.assertion { ::File.exists?("/usr/bin/plutil") } a.(Chef::Exceptions::User, "Cannot find binary '/usr/bin/plutil' on the system for #{new_resource}!") end requirements.assert(:create, :modify, :manage) do |a| a.assertion do if new_resource.password && mac_osx_version_greater_than_10_7? # SALTED-SHA512 password shadow hashes are not supported on 10.8 and above. !salted_sha512?(new_resource.password) else true end end a.(Chef::Exceptions::User, "SALTED-SHA512 passwords are not supported on Mac 10.8 and above. \ If you want to set the user password using shadow info make sure you specify a SALTED-SHA512-PBKDF2 shadow hash \ in 'password', with the associated 'salt' and 'iterations'.") end requirements.assert(:create, :modify, :manage) do |a| a.assertion do if new_resource.password && mac_osx_version_greater_than_10_7? && salted_sha512_pbkdf2?(new_resource.password) # salt and iterations should be specified when # SALTED-SHA512-PBKDF2 password shadow hash is given !new_resource.salt.nil? && !new_resource.iterations.nil? else true end end a.(Chef::Exceptions::User, "SALTED-SHA512-PBKDF2 shadow hash is given without associated \ 'salt' and 'iterations'. Please specify 'salt' and 'iterations' in order to set the user password using shadow hash.") end requirements.assert(:create, :modify, :manage) do |a| a.assertion do if new_resource.password && !mac_osx_version_greater_than_10_7? # On 10.7 SALTED-SHA512-PBKDF2 is not supported !salted_sha512_pbkdf2?(new_resource.password) else true end end a.(Chef::Exceptions::User, "SALTED-SHA512-PBKDF2 shadow hashes are not supported on \ Mac OS X version 10.7. Please specify a SALTED-SHA512 shadow hash in 'password' attribute to set the \ user password using shadow hash.") end end |
#ditto_home ⇒ Object
322 323 324 325 326 327 |
# File 'lib/chef/provider/user/dscl.rb', line 322 def ditto_home skel = "/System/Library/User Template/English.lproj" raise(Chef::Exceptions::User, "can't find skel at: #{skel}") unless ::File.exists?(skel) shell_out! "ditto '#{skel}' '#{new_resource.home}'" ::FileUtils.chown_R(new_resource.username, new_resource.gid.to_s, new_resource.home) end |
#diverged?(parameter) ⇒ Boolean
Returns true if the system state and desired state is different for given attribute.
497 498 499 |
# File 'lib/chef/provider/user/dscl.rb', line 497 def diverged?(parameter) parameter_updated?(parameter) && (not new_resource.send(parameter).nil?) end |
#diverged_password? ⇒ Boolean
We need a special check function for password since we support both plain text and shadow hash data.
Checks if password needs update based on platform version and the type of the password specified.
512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 |
# File 'lib/chef/provider/user/dscl.rb', line 512 def diverged_password? return false if new_resource.password.nil? # Dscl provider supports both plain text passwords and shadow hashes. if mac_osx_version_10_7? if salted_sha512?(new_resource.password) diverged?(:password) else !salted_sha512_password_match? end else # When a system is upgraded to a version 10.7+ shadow hashes of the users # will be updated when the user logs in. So it's possible that we will have # SALTED-SHA512 password in the current_resource. In that case we will force # password to be updated. return true if salted_sha512?(current_resource.password) # Some system users don't have salts; this can happen if the system is # upgraded and the user hasn't logged in yet. In this case, we will force # the password to be updated. return true if current_resource.salt.nil? if salted_sha512_pbkdf2?(new_resource.password) diverged?(:password) || diverged?(:salt) || diverged?(:iterations) else !salted_sha512_pbkdf2_password_match? end end end |
#dscl_create_comment ⇒ Object
Saves the specified Chef user ‘comment` into RealName attribute of Mac user. If `comment` is not specified, it takes `username` value.
203 204 205 206 |
# File 'lib/chef/provider/user/dscl.rb', line 203 def dscl_create_comment comment = new_resource.comment || new_resource.username run_dscl("create /Users/#{new_resource.username} RealName '#{comment}'") end |
#dscl_create_user ⇒ Object
Create a user using dscl
195 196 197 |
# File 'lib/chef/provider/user/dscl.rb', line 195 def dscl_create_user run_dscl("create /Users/#{new_resource.username}") end |
#dscl_get(user_hash, key) ⇒ Object
Gets a value from user information hash using Chef attributes as keys.
621 622 623 624 625 626 |
# File 'lib/chef/provider/user/dscl.rb', line 621 def dscl_get(user_hash, key) raise "Unknown dscl key #{key}" unless DSCL_PROPERTY_MAP.keys.include?(key) # DSCL values are set as arrays value = user_hash[DSCL_PROPERTY_MAP[key]] value.nil? ? value : value.first end |
#dscl_set(user_hash, key, value) ⇒ Object
Sets a value in user information hash using Chef attributes as keys.
612 613 614 615 616 |
# File 'lib/chef/provider/user/dscl.rb', line 612 def dscl_set(user_hash, key, value) raise "Unknown dscl key #{key}" unless DSCL_PROPERTY_MAP.keys.include?(key) user_hash[DSCL_PROPERTY_MAP[key]] = [ value ] user_hash end |
#dscl_set_gid ⇒ Object
Sets the group id for the user using dscl. Fails if a group doesn’t exist on the system with given group id. If ‘gid` is not specified, it sets a default Mac user group “staff”, with id 20.
268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 |
# File 'lib/chef/provider/user/dscl.rb', line 268 def dscl_set_gid if new_resource.gid.nil? # XXX: mutates the new resource new_resource.gid(20) elsif !new_resource.gid.to_s.match(/^\d+$/) begin possible_gid = run_dscl("read /Groups/#{new_resource.gid} PrimaryGroupID").split(" ").last rescue Chef::Exceptions::DsclCommandFailed => e raise Chef::Exceptions::GroupIDNotFound.new("Group not found for #{new_resource.gid} when creating user #{new_resource.username}") end # XXX: mutates the new resource new_resource.gid(possible_gid) if possible_gid && possible_gid.match(/^\d+$/) end run_dscl("create /Users/#{new_resource.username} PrimaryGroupID '#{new_resource.gid}'") end |
#dscl_set_home ⇒ Object
Sets the home directory for the user. If ‘:manage_home` is set home directory is managed (moved / created) for the user.
288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 |
# File 'lib/chef/provider/user/dscl.rb', line 288 def dscl_set_home if new_resource.home.nil? || new_resource.home.empty? run_dscl("delete /Users/#{new_resource.username} NFSHomeDirectory") return end if new_resource.supports[:manage_home] validate_home_dir_specification! if (current_resource.home == new_resource.home) && !new_home_exists? ditto_home elsif !current_home_exists? && !new_home_exists? ditto_home elsif current_home_exists? move_home end end run_dscl("create /Users/#{new_resource.username} NFSHomeDirectory '#{new_resource.home}'") end |
#dscl_set_shell ⇒ Object
Sets the shell for the user using dscl.
343 344 345 346 347 348 349 |
# File 'lib/chef/provider/user/dscl.rb', line 343 def dscl_set_shell if new_resource.shell || ::File.exists?("#{new_resource.shell}") run_dscl("create /Users/#{new_resource.username} UserShell '#{new_resource.shell}'") else run_dscl("create /Users/#{new_resource.username} UserShell '/usr/bin/false'") end end |
#dscl_set_uid ⇒ Object
Sets the user id for the user using dscl. If a ‘uid` is not specified, it finds the next available one starting from 200 if `system` is set, 500 otherwise.
213 214 215 216 217 218 219 220 221 222 |
# File 'lib/chef/provider/user/dscl.rb', line 213 def dscl_set_uid # XXX: mutates the new resource new_resource.uid(get_free_uid) if new_resource.uid.nil? || new_resource.uid == "" if uid_used?(new_resource.uid) raise(Chef::Exceptions::RequestedUIDUnavailable, "uid #{new_resource.uid} is already in use") end run_dscl("create /Users/#{new_resource.username} UniqueID #{new_resource.uid}") end |
#get_free_uid(search_limit = 1000) ⇒ Object
Find the next available uid on the system. starting with 200 if ‘system` is set, 500 otherwise.
228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 |
# File 'lib/chef/provider/user/dscl.rb', line 228 def get_free_uid(search_limit = 1000) uid = nil base_uid = new_resource.system ? 200 : 500 next_uid_guess = base_uid users_uids = run_dscl("list /Users uid") while next_uid_guess < search_limit + base_uid if users_uids =~ Regexp.new("#{Regexp.escape(next_uid_guess.to_s)}\n") next_uid_guess += 1 else uid = next_uid_guess break end end return uid || raise("uid not found. Exhausted. Searched #{search_limit} times") end |
#load_current_resource ⇒ Object
114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 |
# File 'lib/chef/provider/user/dscl.rb', line 114 def load_current_resource @current_resource = Chef::Resource::User.new(new_resource.username) current_resource.username(new_resource.username) @user_info = read_user_info if user_info current_resource.uid(dscl_get(user_info, :uid)) current_resource.gid(dscl_get(user_info, :gid)) current_resource.home(dscl_get(user_info, :home)) current_resource.shell(dscl_get(user_info, :shell)) current_resource.comment(dscl_get(user_info, :comment)) @authentication_authority = dscl_get(user_info, :auth_authority) if new_resource.password && dscl_get(user_info, :password) == "********" # A password is set. Let's get the password information from shadow file shadow_hash_binary = dscl_get(user_info, :shadow_hash) # Calling shell_out directly since we want to give an input stream shadow_hash_xml = convert_binary_plist_to_xml(shadow_hash_binary.string) shadow_hash = Plist.parse_xml(shadow_hash_xml) if shadow_hash["SALTED-SHA512"] # Convert the shadow value from Base64 encoding to hex before consuming them @password_shadow_conversion_algorithm = "SALTED-SHA512" current_resource.password(shadow_hash["SALTED-SHA512"].string.unpack("H*").first) elsif shadow_hash["SALTED-SHA512-PBKDF2"] @password_shadow_conversion_algorithm = "SALTED-SHA512-PBKDF2" # Convert the entropy from Base64 encoding to hex before consuming them current_resource.password(shadow_hash["SALTED-SHA512-PBKDF2"]["entropy"].string.unpack("H*").first) current_resource.iterations(shadow_hash["SALTED-SHA512-PBKDF2"]["iterations"]) # Convert the salt from Base64 encoding to hex before consuming them current_resource.salt(shadow_hash["SALTED-SHA512-PBKDF2"]["salt"].string.unpack("H*").first) else raise(Chef::Exceptions::User, "Unknown shadow_hash format: #{shadow_hash.keys.join(' ')}") end end convert_group_name if new_resource.gid else @user_exists = false Chef::Log.debug("#{new_resource} user does not exist") end current_resource end |
#lock_user ⇒ Object
Locks the user.
459 460 461 |
# File 'lib/chef/provider/user/dscl.rb', line 459 def lock_user run_dscl("append /Users/#{new_resource.username} AuthenticationAuthority ';DisabledUser;'") end |
#locked? ⇒ Boolean
Returns true if the user is locked, false otherwise.
474 475 476 477 478 479 480 |
# File 'lib/chef/provider/user/dscl.rb', line 474 def locked? if !!( =~ /DisabledUser/ ) else false end end |
#mac_osx_version ⇒ Object
System Helpets
632 633 634 635 636 |
# File 'lib/chef/provider/user/dscl.rb', line 632 def mac_osx_version # This provider will only be invoked on node[:platform] == "mac_os_x" # We do not check or assert that here. node[:platform_version] end |
#mac_osx_version_10_7? ⇒ Boolean
638 639 640 |
# File 'lib/chef/provider/user/dscl.rb', line 638 def mac_osx_version_10_7? mac_osx_version.start_with?("10.7.") end |
#mac_osx_version_greater_than_10_7? ⇒ Boolean
648 649 650 651 652 |
# File 'lib/chef/provider/user/dscl.rb', line 648 def mac_osx_version_greater_than_10_7? versions = mac_osx_version.split(".") # Make integer comparison in order not to report 10.10 less than 10.7 (versions[0].to_i >= 10 && versions[1].to_i > 7) end |
#mac_osx_version_less_than_10_7? ⇒ Boolean
642 643 644 645 646 |
# File 'lib/chef/provider/user/dscl.rb', line 642 def mac_osx_version_less_than_10_7? versions = mac_osx_version.split(".") # Make integer comparison in order not to report 10.10 less than 10.7 (versions[0].to_i <= 10 && versions[1].to_i < 7) end |
#manage_user ⇒ Object
176 177 178 179 180 181 182 183 184 185 186 |
# File 'lib/chef/provider/user/dscl.rb', line 176 def manage_user # set_password modifies the plist file of the user directly. So update # the password first before making any modifications to the user. set_password if diverged_password? dscl_create_user if diverged?(:username) dscl_create_comment if diverged?(:comment) dscl_set_uid if diverged?(:uid) dscl_set_gid if diverged?(:gid) dscl_set_home if diverged?(:home) dscl_set_shell if diverged?(:shell) end |
#member_of_group?(group_name) ⇒ Boolean
Returns true if user is member of the specified group, false otherwise.
545 546 547 548 549 550 551 552 553 554 555 556 557 |
# File 'lib/chef/provider/user/dscl.rb', line 545 def member_of_group?(group_name) membership_info = "" begin membership_info = run_dscl("read /Groups/#{group_name}") rescue Chef::Exceptions::DsclCommandFailed # Raised if the group doesn't contain any members end # Output is something like: # GroupMembership: root admin etc members = membership_info.split(" ") members.shift # Get rid of GroupMembership: string members.include?(new_resource.username) end |
#move_home ⇒ Object
329 330 331 332 333 334 335 336 337 338 |
# File 'lib/chef/provider/user/dscl.rb', line 329 def move_home Chef::Log.debug("#{new_resource} moving #{self} home from #{current_resource.home} to #{new_resource.home}") src = current_resource.home FileUtils.mkdir_p(new_resource.home) files = ::Dir.glob("#{Chef::Util::PathHelper.escape_glob_dir(src)}/*", ::File::FNM_DOTMATCH) - ["#{src}/.", "#{src}/.."] ::FileUtils.mv(files, new_resource.home, :force => true) ::FileUtils.rmdir(src) ::FileUtils.chown_R(new_resource.username, new_resource.gid.to_s, new_resource.home) end |
#new_home_exists? ⇒ Boolean
318 319 320 |
# File 'lib/chef/provider/user/dscl.rb', line 318 def new_home_exists? ::File.exist?("#{new_resource.home}") end |
#parameter_updated?(parameter) ⇒ Boolean
501 502 503 |
# File 'lib/chef/provider/user/dscl.rb', line 501 def parameter_updated?(parameter) not (new_resource.send(parameter) == current_resource.send(parameter)) end |
#prepare_password_shadow_info ⇒ Object
Prepares the password shadow info based on the platform version.
385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 |
# File 'lib/chef/provider/user/dscl.rb', line 385 def prepare_password_shadow_info shadow_info = {} entropy = nil salt = nil iterations = nil if mac_osx_version_10_7? hash_value = if salted_sha512?(new_resource.password) new_resource.password else # Create a random 4 byte salt salt = OpenSSL::Random.random_bytes(4) encoded_password = OpenSSL::Digest::SHA512.hexdigest(salt + new_resource.password) hash_value = salt.unpack("H*").first + encoded_password end shadow_info["SALTED-SHA512"] = StringIO.new shadow_info["SALTED-SHA512"].string = convert_to_binary(hash_value) shadow_info else if salted_sha512_pbkdf2?(new_resource.password) entropy = convert_to_binary(new_resource.password) salt = convert_to_binary(new_resource.salt) iterations = new_resource.iterations else salt = OpenSSL::Random.random_bytes(32) iterations = new_resource.iterations # Use the default if not specified by the user entropy = OpenSSL::PKCS5.pbkdf2_hmac( new_resource.password, salt, iterations, 128, OpenSSL::Digest::SHA512.new ) end pbkdf_info = {} pbkdf_info["entropy"] = StringIO.new pbkdf_info["entropy"].string = entropy pbkdf_info["salt"] = StringIO.new pbkdf_info["salt"].string = salt pbkdf_info["iterations"] = iterations shadow_info["SALTED-SHA512-PBKDF2"] = pbkdf_info end shadow_info end |
#read_user_info ⇒ Object
Reads the user plist and returns a hash keyed with DSCL properties specified in DSCL_PROPERTY_MAP. Return nil if the user is not found.
582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 |
# File 'lib/chef/provider/user/dscl.rb', line 582 def read_user_info user_info = nil # We flush the cache here in order to make sure that we read fresh information # for the user. shell_out("dscacheutil '-flushcache'") begin user_plist_file = "#{USER_PLIST_DIRECTORY}/#{new_resource.username}.plist" user_plist_info = run_plutil("convert xml1 -o - #{user_plist_file}") user_info = Plist.parse_xml(user_plist_info) rescue Chef::Exceptions::PlistUtilCommandFailed end user_info end |
#remove_user ⇒ Object
Removes the user from the system after removing user from his groups and deleting home directory if needed.
439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 |
# File 'lib/chef/provider/user/dscl.rb', line 439 def remove_user if new_resource.supports[:manage_home] # Remove home directory FileUtils.rm_rf(current_resource.home) end # Remove the user from its groups run_dscl("list /Groups").each_line do |group| if member_of_group?(group.chomp) run_dscl("delete /Groups/#{group.chomp} GroupMembership '#{new_resource.username}'") end end # Remove user account run_dscl("delete /Users/#{new_resource.username}") end |
#run_dscl(*args) ⇒ Object
654 655 656 657 658 659 660 |
# File 'lib/chef/provider/user/dscl.rb', line 654 def run_dscl(*args) result = shell_out("dscl . -#{args.join(' ')}") return "" if ( args.first =~ /^delete/ ) && ( result.exitstatus != 0 ) raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") unless result.exitstatus == 0 raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") if result.stdout =~ /No such key: / result.stdout end |
#run_plutil(*args) ⇒ Object
662 663 664 665 666 667 668 669 670 |
# File 'lib/chef/provider/user/dscl.rb', line 662 def run_plutil(*args) result = shell_out("plutil -#{args.join(' ')}") raise(Chef::Exceptions::PlistUtilCommandFailed, "plutil error: #{result.inspect}") unless result.exitstatus == 0 if result.stdout.encoding == Encoding::ASCII_8BIT result.stdout.encode("utf-8", "binary", :undef => :replace, :invalid => :replace, :replace => "?") else result.stdout end end |
#salted_sha512?(string) ⇒ Boolean
680 681 682 |
# File 'lib/chef/provider/user/dscl.rb', line 680 def salted_sha512?(string) !!(string =~ /^[[:xdigit:]]{136}$/) end |
#salted_sha512_password_match? ⇒ Boolean
684 685 686 687 688 689 |
# File 'lib/chef/provider/user/dscl.rb', line 684 def salted_sha512_password_match? # Salt is included in the first 4 bytes of shadow data salt = current_resource.password.slice(0, 8) shadow = OpenSSL::Digest::SHA512.hexdigest(convert_to_binary(salt) + new_resource.password) current_resource.password == salt + shadow end |
#salted_sha512_pbkdf2?(string) ⇒ Boolean
691 692 693 |
# File 'lib/chef/provider/user/dscl.rb', line 691 def salted_sha512_pbkdf2?(string) !!(string =~ /^[[:xdigit:]]{256}$/) end |
#salted_sha512_pbkdf2_password_match? ⇒ Boolean
695 696 697 698 699 700 701 702 703 704 705 |
# File 'lib/chef/provider/user/dscl.rb', line 695 def salted_sha512_pbkdf2_password_match? salt = convert_to_binary(current_resource.salt) OpenSSL::PKCS5.pbkdf2_hmac( new_resource.password, salt, current_resource.iterations, 128, OpenSSL::Digest::SHA512.new ).unpack("H*").first == current_resource.password end |
#save_user_info(user_info) ⇒ Object
Saves the given hash keyed with DSCL properties specified in DSCL_PROPERTY_MAP to the disk.
603 604 605 606 607 |
# File 'lib/chef/provider/user/dscl.rb', line 603 def save_user_info(user_info) user_plist_file = "#{USER_PLIST_DIRECTORY}/#{new_resource.username}.plist" Plist::Emit.save_plist(user_info, user_plist_file) run_plutil("convert binary1 #{user_plist_file}") end |
#set_password ⇒ Object
Sets the password for the user based on given password parameters. Chef supports specifying plain-text passwords and password shadow hash data.
356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 |
# File 'lib/chef/provider/user/dscl.rb', line 356 def set_password # Return if there is no password to set return if new_resource.password.nil? shadow_info = prepare_password_shadow_info # Shadow info is saved as binary plist. Convert the info to binary plist. shadow_info_binary = StringIO.new command = Mixlib::ShellOut.new("plutil -convert binary1 -o - -", :input => shadow_info.to_plist, :live_stream => shadow_info_binary) command.run_command if user_info.nil? # User is just created. read_user_info() will read the fresh information # for the user with a cache flush. However with experimentation we've seen # that dscl cache is not immediately updated after the creation of the user # This is odd and needs to be investigated further. sleep 3 @user_info = read_user_info end # Replace the shadow info in user's plist dscl_set(user_info, :shadow_hash, shadow_info_binary) save_user_info(user_info) end |
#uid_used?(uid) ⇒ Boolean
Returns true if uid is in use by a different account, false otherwise.
247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 |
# File 'lib/chef/provider/user/dscl.rb', line 247 def uid_used?(uid) return false unless uid users_uids = run_dscl("list /Users uid").split("\n") uid_map = users_uids.inject({}) do |tmap, tuid| x = tuid.split tmap[x[1]] = x[0] tmap end if uid_map[uid.to_s] unless uid_map[uid.to_s] == new_resource.username.to_s return true end end return false end |
#unlock_user ⇒ Object
Unlocks the user
466 467 468 469 |
# File 'lib/chef/provider/user/dscl.rb', line 466 def unlock_user auth_string = .gsub(/AuthenticationAuthority: /, "").gsub(/;DisabledUser;/, "").strip run_dscl("create /Users/#{new_resource.username} AuthenticationAuthority '#{auth_string}'") end |
#validate_home_dir_specification! ⇒ Object
308 309 310 311 312 |
# File 'lib/chef/provider/user/dscl.rb', line 308 def validate_home_dir_specification! unless new_resource.home =~ /^\// raise(Chef::Exceptions::InvalidHomeDirectory, "invalid path spec for User: '#{new_resource.username}', home directory: '#{new_resource.home}'") end end |