Class: Chef::Provider::User::MacUser

Inherits:
Chef::Provider::User show all
Includes:
Mixin::Which
Defined in:
lib/chef/provider/user/mac.rb

Overview

A macOS user provider that is compatible with default TCC restrictions in macOS 10.14. See resource/user/mac_user.rb for complete description of the mac_user resource and how it differs from the dscl resource used on previous platforms.

Defined Under Namespace

Classes: Plist

Instance Attribute Summary collapse

Attributes inherited from Chef::Provider::User

#locked, #user_exists

Attributes inherited from Chef::Provider

#action, #current_resource, #logger, #new_resource, #recipe_name, #run_context

Instance Method Summary collapse

Methods inherited from Chef::Provider::User

#action_create, #action_lock, #action_manage, #action_modify, #action_remove, #action_unlock, #convert_group_name, #define_resource_requirements, #initialize

Methods inherited from Chef::Provider

action, #action_nothing, #check_resource_semantics!, #cleanup_after_converge, #compile_and_converge_action, #converge_by, #converge_if_changed, #cookbook_name, #define_resource_requirements, #description, #events, include_resource_dsl?, include_resource_dsl_module, #initialize, #introduced, #node, #process_resource_requirements, provides, provides?, #requirements, #resource_collection, #resource_updated?, #run_action, #set_updated_status, supports?, use_inline_resources, #whyrun_mode?, #whyrun_supported?

Methods included from Mixin::Provides

#provided_as, #provides, #provides?

Methods included from Mixin::DescendantsTracker

#descendants, descendants, direct_descendants, #direct_descendants, find_descendants_by_name, #find_descendants_by_name, #inherited, store_inherited

Methods included from Mixin::LazyModuleInclude

#descendants, #include, #included

Methods included from Mixin::ShellOut

apply_default_env, maybe_add_timeout, #shell_out, #shell_out!

Methods included from Mixin::PowershellOut

#powershell_out, #powershell_out!

Methods included from Mixin::WindowsArchitectureHelper

#assert_valid_windows_architecture!, #disable_wow64_file_redirection, #forced_32bit_override_required?, #is_i386_process_on_x86_64_windows?, #node_supports_windows_architecture?, #node_windows_architecture, #restore_wow64_file_redirection, #valid_windows_architecture?, #with_os_architecture, #wow64_architecture_override_required?, #wow64_directory

Methods included from Mixin::PowershellExec

#powershell_exec

Methods included from DSL::Powershell

#ps_credential

Methods included from DSL::RegistryHelper

#registry_data_exists?, #registry_get_subkeys, #registry_get_values, #registry_has_subkeys?, #registry_key_exists?, #registry_value_exists?

Methods included from DSL::DataQuery

#data_bag, #data_bag_item, #search, #tagged?

Methods included from EncryptedDataBagItem::CheckEncrypted

#encrypted?

Methods included from DSL::PlatformIntrospection

#older_than_win_2012_or_8?, #platform?, #platform_family?, #value_for_platform, #value_for_platform_family

Methods included from Mixin::NotifyingBlock

#notifying_block, #subcontext_block

Methods included from DSL::DeclareResource

#build_resource, #declare_resource, #delete_resource, #delete_resource!, #edit_resource, #edit_resource!, #find_resource, #find_resource!, #resources, #with_run_context

Constructor Details

This class inherits a constructor from Chef::Provider::User

Instance Attribute Details

#admin_group_plistObject (readonly)

Returns the value of attribute admin_group_plist.



39
40
41
# File 'lib/chef/provider/user/mac.rb', line 39

def admin_group_plist
  @admin_group_plist
end

#user_plistObject (readonly)

Returns the value of attribute user_plist.



39
40
41
# File 'lib/chef/provider/user/mac.rb', line 39

def user_plist
  @user_plist
end

Instance Method Details

#admin_user?Boolean

Returns:

  • (Boolean)


459
460
461
462
463
# File 'lib/chef/provider/user/mac.rb', line 459

def admin_user?
  admin_group_plist[:group_members].any? { |mem| mem == user_plist[:guid][0] }
rescue
  false
end

#check_lockObject



326
327
328
# File 'lib/chef/provider/user/mac.rb', line 326

def check_lock
  @locked = locked?
end

#compare_userObject



210
211
212
# File 'lib/chef/provider/user/mac.rb', line 210

def compare_user
  %i{comment shell uid gid salt password admin secure_token}.any? { |m| diverged?(m) }
end

#convert_to_binary(string) ⇒ Object



465
466
467
# File 'lib/chef/provider/user/mac.rb', line 465

def convert_to_binary(string)
  string.unpack("a2" * (string.size / 2)).collect { |i| i.hex.chr }.join
end

#create_userObject

User Provider Callbacks



135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
# File 'lib/chef/provider/user/mac.rb', line 135

def create_user
  cmd = [-"-addUser", new_resource.username]
  cmd += ["-fullName", new_resource.comment] if prop_is_set?(:comment)
  cmd += ["-UID", new_resource.uid]          if prop_is_set?(:uid)
  cmd += ["-shell", new_resource.shell]
  cmd += ["-home", new_resource.home]
  cmd += ["-admin"] if new_resource.admin

  # We can technically create a new user without the admin credentials
  # but without them the user cannot enable SecureToken, thus they cannot
  # create other secure users or enable FileVault full disk encryption.
  if prop_is_set?(:admin_username) && prop_is_set?(:admin_password)
    cmd += ["-adminUser", new_resource.admin_username]
    cmd += ["-adminPassword", new_resource.admin_password]
  end

  converge_by "create user" do
    # sysadminctl doesn't exit with a non-zero exit code if it encounters
    # a problem. We'll check stderr and make sure we see that it finished
    # correctly.
    res = run_sysadminctl(cmd)
    unless res.downcase =~ /creating user/
      raise Chef::Exceptions::User, "error when creating user: #{res}"
    end
  end

  # Wait for the user to show up in the ds cache
  wait_for_user

  # Reload with up-to-date user information
  reload_user_plist
  reload_admin_group_plist

  if prop_is_set?(:password)
    converge_by("set password") { set_password }
  end

  if new_resource.manage_home
    # "sydadminctl -addUser" will create the home directory if it's
    # the default /Users/<username>, otherwise it sets it in plist
    # but does not create it. Here we'll ensure that it gets created
    # if we've been given a directory that is not the default.
    unless ::File.directory?(new_resource.home) && ::File.exist?(new_resource.home)
      converge_by("create home directory") do
        shell_out!("createhomedir -c -u #{new_resource.username}")
      end
    end
  end

  if prop_is_set?(:gid)
    # NOTE: Here we're managing the primary group of the user which is
    # a departure from previous behavior. We could just set the
    # PrimaryGroupID for the user and move on if we decide that actual
    # group magement should be done outside of the core resource.
    group_name, group_id, group_action = user_group_info

    declare_resource(:group, group_name) do
      members new_resource.username
      gid group_id if group_id
      action :nothing
      append true
    end.run_action(group_action)

    converge_by("create primary group ID") do
      run_dscl("create", "/Users/#{new_resource.username}", "PrimaryGroupID", new_resource.gid)
    end
  end

  if diverged?(:secure_token)
    converge_by("alter SecureToken") { toggle_secure_token }
  end

  reload_user_plist
end

#diverged?(prop) ⇒ Boolean

Methods

Returns:

  • (Boolean)


334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
# File 'lib/chef/provider/user/mac.rb', line 334

def diverged?(prop)
  prop = prop.to_sym

  case prop
  when :password
    password_diverged?
  when :gid
    user_group_diverged?
  when :secure_token
    secure_token_diverged?
  else
    # Other fields are have been set on current resource so just compare
    # them.
    !new_resource.send(prop).nil? && (new_resource.send(prop) != current_resource.send(prop))
  end
end

#load_current_resourceObject



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# File 'lib/chef/provider/user/mac.rb', line 41

def load_current_resource
  @current_resource = Chef::Resource::User::MacUser.new(new_resource.username)
  current_resource.username(new_resource.username)

  reload_admin_group_plist
  reload_user_plist

  if user_plist
    current_resource.uid(user_plist[:uid][0])
    current_resource.gid(user_plist[:gid][0])
    current_resource.home(user_plist[:home][0])
    current_resource.shell(user_plist[:shell][0])
    current_resource.comment(user_plist[:comment][0])

    shadow_hash = user_plist[:shadow_hash]
    if shadow_hash
      current_resource.password(shadow_hash[0]["SALTED-SHA512-PBKDF2"]["entropy"].string.unpack("H*")[0])
      current_resource.salt(shadow_hash[0]["SALTED-SHA512-PBKDF2"]["salt"].string.unpack("H*")[0])
      current_resource.iterations(shadow_hash[0]["SALTED-SHA512-PBKDF2"]["iterations"].to_i)
    end

    current_resource.secure_token(secure_token_enabled?)
    current_resource.admin(admin_user?)
  else
    @user_exists = false
    logger.trace("#{new_resource} user does not exist")
  end

  current_resource
end

#lock_userObject



303
304
305
306
307
308
309
# File 'lib/chef/provider/user/mac.rb', line 303

def lock_user
  converge_by "lock user" do
    run_dscl("append", "/Users/#{new_resource.username}", "AuthenticationAuthority", ";DisabledUser;")
  end

  reload_user_plist
end

#locked?Boolean

Returns:

  • (Boolean)


320
321
322
323
324
# File 'lib/chef/provider/user/mac.rb', line 320

def locked?
  user_plist[:auth_authority].any? { |tag| tag == ";DisabledUser;" }
rescue
  false
end

#manage_userObject



214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
# File 'lib/chef/provider/user/mac.rb', line 214

def manage_user
  %i{uid home}.each do |prop|
    raise Chef::Exceptions::User, "cannot modify #{prop} on macOS >= 10.14" if diverged?(prop)
  end

  if diverged?(:password)
    converge_by("alter password") { set_password }
  end

  if diverged?(:comment)
    converge_by("alter comment") do
      run_dscl("create", "/Users/#{new_resource.username}", "RealName", new_resource.comment)
    end
  end

  if diverged?(:shell)
    converge_by("alter shell") do
      run_dscl("create", "/Users/#{new_resource.username}", "UserShell", new_resource.shell)
    end
  end

  if diverged?(:secure_token)
    converge_by("alter SecureToken") { toggle_secure_token }
  end

  if diverged?(:admin)
    converge_by("alter admin group membership") do
      declare_resource(:group, "admin") do
        if new_resource.admin
          members new_resource.username
        else
          excluded_members new_resource.username
        end

        action :nothing
        append true
      end.run_action(:create)

      admins = admin_group_plist[:group_members]
      if new_resource.admin
        admins << user_plist[:guid][0]
      else
        admins.reject! { |m| m == user_plist[:guid][0] }
      end

      run_dscl("create", "/Groups/admin", "GroupMembers", admins)
    end

    reload_admin_group_plist
  end

  group_name, group_id, group_action = user_group_info
  declare_resource(:group, group_name) do
    gid group_id if group_id
    members new_resource.username
    action :nothing
    append true
  end.run_action(group_action)

  if diverged?(:gid)
    converge_by("alter group membership") do
      run_dscl("create", "/Users/#{new_resource.username}", "PrimaryGroupID", new_resource.gid)
    end
  end

  reload_user_plist
end

#password_diverged?Boolean

Returns:

  • (Boolean)


426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
# File 'lib/chef/provider/user/mac.rb', line 426

def password_diverged?
  # There are three options for configuring the password:
  #   * ShadowHashData which includes the hash data as:
  #     * hashed entropy as the "password"
  #     * salt
  #     * iterations
  #   * Plaintext password
  #   * Not configuring it

  # Check for no desired password configuration
  return false unless prop_is_set?(:password)

  # Check for ShadowHashData divergence by comparing the entropy,
  # salt, and iterations.
  if prop_is_set?(:salt)
    return true if %i{salt iterations}.any? { |prop| diverged?(prop) }

    return new_resource.password != current_resource.password
  end

  # Check for plaintext password divergence. We don't actually know
  # what the stored password is but we can hash the given password with
  # stored salt and iterations, and compare the resulting entropy with
  # the saved entropy.
  OpenSSL::PKCS5.pbkdf2_hmac(
    new_resource.password,
    convert_to_binary(current_resource.salt),
    current_resource.iterations.to_i,
    128,
    OpenSSL::Digest::SHA512.new
  ).unpack("H*")[0] != current_resource.password
end

#prop_is_set?(prop) ⇒ Boolean

Returns:

  • (Boolean)


583
584
585
586
587
# File 'lib/chef/provider/user/mac.rb', line 583

def prop_is_set?(prop)
  v = new_resource.send(prop.to_sym)

  !v.nil? && v != ""
end

#reload_admin_group_plistObject



72
73
74
75
76
77
78
79
# File 'lib/chef/provider/user/mac.rb', line 72

def reload_admin_group_plist
  @admin_group_plist = nil

  admin_group_xml = run_dscl("read", "/Groups/admin")
  return nil unless admin_group_xml && admin_group_xml != ""

  @admin_group_plist = Plist.new(::Plist.parse_xml(admin_group_xml))
end

#reload_user_plistObject



81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
# File 'lib/chef/provider/user/mac.rb', line 81

def reload_user_plist
  @user_plist = nil

  # Load the user information.
  begin
    user_xml = run_dscl("read", "/Users/#{new_resource.username}")
  rescue Chef::Exceptions::DsclCommandFailed
    return nil
  end

  return nil if user_xml.nil? || user_xml == ""

  @user_plist = Plist.new(::Plist.parse_xml(user_xml))

  shadow_hash_hex = user_plist[:shadow_hash][0]
  return unless shadow_hash_hex && shadow_hash_hex != ""

  # The password infomation is stored in the ShadowHashData key in the
  # plist. However, parsing it is a bit tricky as the value is itself
  # another encoded binary plist. We have to extract the encoded plist,
  # decode it from hex to a binary plist and then convert the binary
  # into XML plist. From there we can extract the hash data.
  #
  # NOTE: `dscl -read` and `plutil -convert` return different values for
  # ShadowHashData.
  #
  # `dscl` returns the value encoded as a hex string and stored as a <string>
  # `plutil` returns the value encoded as a base64 string stored as <data>
  #
  #  eg:
  #
  # <array>
  #   <string>77687920 63616e27 74206170 706c6520 6275696c 6420636f 6e736973 74656e74 20746f6f 6c696e67</string>
  # </array>
  #
  # vs
  #
  # <array>
  #   <data>AADKAAAKAA4LAA0MAAAAAAAAAAA=</data>
  # </array>
  #
  begin
    shadow_binary_plist = [shadow_hash_hex.delete(" ")].pack("H*")
    shadow_xml_plist = shell_out("plutil", "-convert", "xml1", "-o", "-", "-", input: shadow_binary_plist).stdout
    user_plist[:shadow_hash] = ::Plist.parse_xml(shadow_xml_plist)
  rescue Chef::Exceptions::PlistUtilCommandFailed, Chef::Exceptions::DsclCommandFailed
    nil
  end
end

#remove_userObject



282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
# File 'lib/chef/provider/user/mac.rb', line 282

def remove_user
  cmd = ["-deleteUser", new_resource.username]
  cmd << new_resource.manage_home ? "-secure" : "-keepHome"
  if %i{admin_username admin_password}.all? { |p| prop_is_set?(p) }
    cmd += ["-adminUser", new_resource.admin_username]
    cmd += ["-adminPassword", new_resource.admin_password]
  end

  # sysadminctl doesn't exit with a non-zero exit code if it encounters
  # a problem. We'll check stderr and make sure we see that it finished
  converge_by "remove user" do
    res = run_sysadminctl(cmd)
    unless res.downcase =~ /deleting record|not found/
      raise Chef::Exceptions::User, "error deleting user: #{res}"
    end
  end

  reload_user_plist
  @user_exists = false
end

#run_dscl(*args) ⇒ Object



567
568
569
570
571
572
573
574
# File 'lib/chef/provider/user/mac.rb', line 567

def run_dscl(*args)
  result = shell_out("dscl", "-plist", ".", "-#{args[0]}", args[1..-1])
  return "" if ( args.first =~ /^delete/ ) && ( result.exitstatus != 0 )
  raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") unless result.exitstatus == 0
  raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") if result.stdout =~ /No such key: /

  result.stdout
end

#run_dsimport(*args) ⇒ Object



556
557
558
# File 'lib/chef/provider/user/mac.rb', line 556

def run_dsimport(*args)
  shell_out!("dsimport", args)
end

#run_plutil(*args) ⇒ Object



576
577
578
579
580
581
# File 'lib/chef/provider/user/mac.rb', line 576

def run_plutil(*args)
  result = shell_out("plutil", "-#{args[0]}", args[1..-1])
  raise(Chef::Exceptions::PlistUtilCommandFailed, "plutil error: #{result.inspect}") unless result.exitstatus == 0

  result.stdout
end

#run_sysadminctl(args) ⇒ Object



560
561
562
563
564
565
# File 'lib/chef/provider/user/mac.rb', line 560

def run_sysadminctl(args)
  # sysadminctl doesn't exit with a non-zero code when errors are encountered
  # and ouputs everything to STDERR instead of STDOUT and STDERR. Therefore we'll
  # return the STDERR and let the caller handle it.
  shell_out!("sysadminctl", args).stderr
end

#secure_token_diverged?Boolean

Returns:

  • (Boolean)


380
381
382
# File 'lib/chef/provider/user/mac.rb', line 380

def secure_token_diverged?
  new_resource.secure_token ? !secure_token_enabled? : secure_token_enabled?
end

#secure_token_enabled?Boolean

Returns:

  • (Boolean)


374
375
376
377
378
# File 'lib/chef/provider/user/mac.rb', line 374

def secure_token_enabled?
  user_plist[:auth_authority].any? { |tag| tag == ";SecureToken;" }
rescue
  false
end

#set_passwordObject



469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
# File 'lib/chef/provider/user/mac.rb', line 469

def set_password
  if prop_is_set?(:salt)
    entropy = StringIO.new(convert_to_binary(new_resource.password))
    salt = StringIO.new(convert_to_binary(new_resource.salt))
  else
    salt = StringIO.new(OpenSSL::Random.random_bytes(32))
    entropy = StringIO.new(
      OpenSSL::PKCS5.pbkdf2_hmac(
        new_resource.password,
        salt.string,
        new_resource.iterations,
        128,
        OpenSSL::Digest::SHA512.new
      )
    )
  end

  shadow_hash = user_plist[:shadow_hash][0]
  shadow_hash["SALTED-SHA512-PBKDF2"] = {
    "entropy" => entropy,
    "salt" => salt,
    "iterations" => new_resource.iterations,
  }

  shadow_hash_binary = StringIO.new
  shell_out("plutil", "-convert", "binary1", "-o", "-", "-",
    input: shadow_hash.to_plist,
    live_stream: shadow_hash_binary)

  # Apple seem to have killed their dsimport documentation about the
  # dsimport record format. Perhaps that means our days of being able to
  # use dsimport without an admin password or perhaps at all could be
  # numbered. Here is the record format for posterity:
  #
  # End of record character
  # Escape character
  # Field separator
  # Value separator
  # Record type (Users, Groups, Computers, ComputerGroups, ComputerLists)
  # Number of properties
  # Property 1
  # ...
  # Property N
  #
  # The user password shadow data format breaks down as:
  #
  # 0x0A                                    End of record denoted by \n
  # 0x5C                                    Escaping is denoted by \
  # 0x3A                                    Fields are separated by :
  # 0x2C                                    Values are seperated by ,
  # dsRecTypeStandard:Users                 The record type we're configuring
  # 2                                       How many properties we're going to set
  # dsAttrTypeStandard:RecordName           Property 1: our users record name
  # base64:dsAttrTypeNative:ShadowHashData  Property 2: our shadow hash data

  import_file = ::File.join(Chef::Config["file_cache_path"], "#{new_resource.username}_password_dsimport")
  ::File.open(import_file, "w+", 0600) do |f|
    f.write <<~DSIMPORT
      0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 2 dsAttrTypeStandard:RecordName base64:dsAttrTypeNative:ShadowHashData
      #{new_resource.username}:#{::Base64.strict_encode64(shadow_hash_binary.string)}
    DSIMPORT
  end

  run_dscl("delete", "/Users/#{new_resource.username}", "ShadowHashData")
  run_dsimport(import_file, "/Local/Default", "M")
  run_dscl("create", "/Users/#{new_resource.username}", "Password", "********")
ensure
  ::File.delete(import_file) if defined?(import_file) && ::File.exist?(import_file)
end

#toggle_secure_tokenObject



384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
# File 'lib/chef/provider/user/mac.rb', line 384

def toggle_secure_token
  # Check for this lazily as we only need to validate for these credentials
  # if we're toggling secure token.
  unless %i{admin_username admin_password secure_token_password}.all? { |p| prop_is_set?(p) }
    raise Chef::Exceptions::User, "secure_token_password, admin_username and admin_password properties are required to modify SecureToken"
  end

  cmd = (new_resource.secure_token ? %w{-secureTokenOn} : %w{-secureTokenOff})
  cmd += [new_resource.username, "-password", new_resource.secure_token_password]
  cmd += ["-adminUser", new_resource.admin_username]
  cmd += ["-adminPassword", new_resource.admin_password]

  # sysadminctl doesn't exit with a non-zero exit code if it encounters
  # a problem. We'll check stderr and make sure we see that it finished
  res = run_sysadminctl(cmd)
  unless res.downcase =~ /done/
    raise Chef::Exceptions::User, "error when modifying SecureToken: #{res}"
  end

  # HACK: When SecureToken is enabled or disabled it requires the user
  # password in plaintext, which it verifies and uses as a key. It also
  # takes the liberty of _rehashing_ the password with a random salt and
  # iterations count and saves it back into the user ShadowHashData.
  #
  # Therefore, if we're configuring a user based upon existing shadow
  # hash data we'll have to set the password again so that future runs
  # of the client don't show password drift.
  set_password if prop_is_set?(:salt)
end

#unlock_userObject



311
312
313
314
315
316
317
318
# File 'lib/chef/provider/user/mac.rb', line 311

def unlock_user
  auth_string = user_plist[:auth_authority].reject! { |tag| tag == ";DisabledUser;" }.join.strip
  converge_by "unlock user" do
    run_dscl("create", "/Users/#{new_resource.username}", "AuthenticationAuthority", auth_string)
  end

  reload_user_plist
end

#user_group_diverged?Boolean

Returns:

  • (Boolean)


414
415
416
417
418
419
420
421
422
423
424
# File 'lib/chef/provider/user/mac.rb', line 414

def user_group_diverged?
  return false unless prop_is_set?(:gid)

  group_name, group_id = user_group_info

  if current_resource.gid.is_a?(String)
    current_resource.gid != group_name
  else
    current_resource.gid != group_id.to_i
  end
end

#user_group_infoObject

Attempt to resolve the group name, gid, and the action required for associated group resource. If a group exists we’ll modify it, otherwise create it.



354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
# File 'lib/chef/provider/user/mac.rb', line 354

def user_group_info
  @user_group_info ||= begin
    if new_resource.gid.is_a?(String)
      begin
        g = Etc.getgrnam(new_resource.gid)
        [g.name, g.gid.to_s, :modify]
      rescue
        [new_resource.gid, nil, :create]
      end
    else
      begin
        g = Etc.getgrgid(new_resource.gid)
        [g.name, g.gid.to_s, :modify]
      rescue
        [g.username, nil, :create]
      end
    end
  end
end

#wait_for_userObject



539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
# File 'lib/chef/provider/user/mac.rb', line 539

def wait_for_user
  timeout = Time.now + 5

  loop do
    begin
      run_dscl("read", "/Users/#{new_resource.username}", "ShadowHashData")
      break
    rescue Chef::Exceptions::DsclCommandFailed => e
      if Time.now < timeout
        sleep 0.1
      else
        raise Chef::Exceptions::User, e.message
      end
    end
  end
end