Class: Chef::Provider::User::MacUser
- Inherits:
-
Chef::Provider::User
- Object
- Chef::Provider
- Chef::Provider::User
- Chef::Provider::User::MacUser
- Includes:
- Mixin::Which
- Defined in:
- lib/chef/provider/user/mac.rb
Overview
A macOS user provider that is compatible with default TCC restrictions in macOS 10.14+. See resource/user/mac_user.rb for complete description of the mac_user resource
Defined Under Namespace
Classes: Plist
Instance Attribute Summary collapse
-
#admin_group_plist ⇒ Object
readonly
Returns the value of attribute admin_group_plist.
-
#user_plist ⇒ Object
readonly
Returns the value of attribute user_plist.
Attributes inherited from Chef::Provider::User
#change_desc, #locked, #user_exists
Attributes inherited from Chef::Provider
#action, #after_resource, #current_resource, #logger, #new_resource, #run_context
Instance Method Summary collapse
- #admin_user? ⇒ Boolean
- #check_lock ⇒ Object
- #compare_user ⇒ Object
- #convert_to_binary(string) ⇒ Object
-
#create_user ⇒ Object
User Provider Callbacks.
-
#diverged?(prop) ⇒ Boolean
Methods.
-
#get_free_uid(search_limit = 1000) ⇒ Object
Find the next available uid on the system.
- #hidden_diverged? ⇒ Boolean
- #hidden_value ⇒ Object
- #load_current_resource ⇒ Object
- #lock_user ⇒ Object
- #locked? ⇒ Boolean
- #manage_user ⇒ Object
- #password_diverged? ⇒ Boolean
- #prop_is_set?(prop) ⇒ Boolean
- #reload_admin_group_plist ⇒ Object
- #reload_user_plist ⇒ Object
- #remove_user ⇒ Object
- #run_dscl(*args) ⇒ Object
- #run_dsimport(*args) ⇒ Object
- #run_plutil(*args) ⇒ Object
- #run_sysadminctl(args) ⇒ Object
- #secure_token_diverged? ⇒ Boolean
- #secure_token_enabled? ⇒ Boolean
- #set_hidden ⇒ Object
- #set_password ⇒ Object
- #toggle_secure_token ⇒ Object
- #unlock_user ⇒ Object
- #user_group_diverged? ⇒ Boolean
-
#user_group_info ⇒ Object
Attempt to resolve the group name, gid, and the action required for associated group resource.
- #wait_for_user ⇒ Object
Methods inherited from Chef::Provider::User
#convert_group_name, #define_resource_requirements, #initialize, #load_shadow_options, #supports_ruby_shadow?
Methods inherited from Chef::Provider
action, action_description, action_descriptions, #action_nothing, #check_resource_semantics!, #cleanup_after_converge, #compile_and_converge_action, #converge_by, #converge_if_changed, #cookbook_name, #define_resource_requirements, #description, #events, include_resource_dsl?, include_resource_dsl_module, #initialize, #introduced, #load_after_resource, #node, #process_resource_requirements, provides, provides?, #recipe_name, #requirements, #resource_collection, #resource_updated?, #run_action, #set_updated_status, supports?, use, use_inline_resources, #validate_required_properties!, #whyrun_mode?, #whyrun_supported?
Methods included from Mixin::Provides
#provided_as, #provides, #provides?
Methods included from Mixin::DescendantsTracker
#descendants, descendants, direct_descendants, #direct_descendants, find_descendants_by_name, #find_descendants_by_name, #inherited, store_inherited
Methods included from Mixin::LazyModuleInclude
#descendants, #include, #included
Methods included from Mixin::PowershellOut
#powershell_out, #powershell_out!
Methods included from Mixin::WindowsArchitectureHelper
#assert_valid_windows_architecture!, #disable_wow64_file_redirection, #forced_32bit_override_required?, #is_i386_process_on_x86_64_windows?, #node_supports_windows_architecture?, #node_windows_architecture, #restore_wow64_file_redirection, #valid_windows_architecture?, #with_os_architecture, #wow64_architecture_override_required?, #wow64_directory
Methods included from DSL::Secret
#default_secret_config, #default_secret_service, #secret, #with_secret_config, #with_secret_service
Methods included from DSL::RenderHelpers
#render_json, #render_toml, #render_yaml
Methods included from DSL::ReaderHelpers
#parse_file, #parse_json, #parse_toml, #parse_yaml
Methods included from DSL::Powershell
Methods included from DSL::RegistryHelper
#registry_data_exists?, #registry_get_subkeys, #registry_get_values, #registry_has_subkeys?, #registry_key_exists?, #registry_value_exists?
Methods included from DSL::ChefVault
#chef_vault, #chef_vault_item, #chef_vault_item_for_environment
Methods included from DSL::DataQuery
#data_bag, #data_bag_item, #search, #tagged?
Methods included from EncryptedDataBagItem::CheckEncrypted
Methods included from DSL::PlatformIntrospection
#older_than_win_2012_or_8?, #platform?, #platform_family?, #value_for_platform, #value_for_platform_family
Methods included from DSL::Recipe
#exec, #have_resource_class_for?, #resource_class_for
Methods included from DSL::Definitions
add_definition, #evaluate_resource_definition, #has_resource_definition?
Methods included from DSL::Resources
add_resource_dsl, remove_resource_dsl
Methods included from DSL::Cheffish
Methods included from DSL::RebootPending
Methods included from DSL::IncludeRecipe
Methods included from Mixin::NotifyingBlock
#notifying_block, #subcontext_block
Methods included from DSL::DeclareResource
#build_resource, #declare_resource, #delete_resource, #delete_resource!, #edit_resource, #edit_resource!, #find_resource, #find_resource!, #resources, #with_run_context
Methods included from DSL::Compliance
#include_input, #include_profile, #include_waiver
Constructor Details
This class inherits a constructor from Chef::Provider::User
Instance Attribute Details
#admin_group_plist ⇒ Object (readonly)
Returns the value of attribute admin_group_plist.
39 40 41 |
# File 'lib/chef/provider/user/mac.rb', line 39 def admin_group_plist @admin_group_plist end |
#user_plist ⇒ Object (readonly)
Returns the value of attribute user_plist.
39 40 41 |
# File 'lib/chef/provider/user/mac.rb', line 39 def user_plist @user_plist end |
Instance Method Details
#admin_user? ⇒ Boolean
507 508 509 510 511 |
# File 'lib/chef/provider/user/mac.rb', line 507 def admin_user? admin_group_plist[:group_members].any?(user_plist[:guid][0]) rescue false end |
#check_lock ⇒ Object
347 348 349 |
# File 'lib/chef/provider/user/mac.rb', line 347 def check_lock @locked = locked? end |
#compare_user ⇒ Object
222 223 224 225 226 227 228 229 230 231 232 233 234 |
# File 'lib/chef/provider/user/mac.rb', line 222 def compare_user @change_desc = [] %i{comment shell uid gid salt password admin secure_token hidden}.each do |attr| if diverged?(attr) desc = "Update #{attr}" unless %i{password gid secure_token hidden}.include?(attr) desc << " from #{current_resource.send(attr)} to #{new_resource.send(attr)}" end @change_desc << desc end end !@change_desc.empty? end |
#convert_to_binary(string) ⇒ Object
513 514 515 |
# File 'lib/chef/provider/user/mac.rb', line 513 def convert_to_binary(string) string.unpack("a2" * (string.size / 2)).collect { |i| i.hex.chr }.join end |
#create_user ⇒ Object
User Provider Callbacks
145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 |
# File 'lib/chef/provider/user/mac.rb', line 145 def create_user cmd = [-"-addUser", new_resource.username] cmd += ["-fullName", new_resource.comment] if prop_is_set?(:comment) cmd += ["-UID", prop_is_set?(:uid) ? new_resource.uid : get_free_uid] cmd += ["-shell", new_resource.shell] cmd += ["-home", new_resource.home] cmd += ["-admin"] if new_resource.admin # We can technically create a new user without the admin credentials # but without them the user cannot enable SecureToken, thus they cannot # create other secure users or enable FileVault full disk encryption. if prop_is_set?(:admin_username) && prop_is_set?(:admin_password) cmd += ["-adminUser", new_resource.admin_username] cmd += ["-adminPassword", new_resource.admin_password] end # sysadminctl doesn't exit with a non-zero exit code if it encounters # a problem. We'll check stderr and make sure we see that it finished # correctly. res = run_sysadminctl(cmd) unless /creating user/.match?(res.downcase) raise Chef::Exceptions::User, "error when creating user: #{res}" end # Wait for the user to show up in the ds cache wait_for_user # Reload with up-to-date user information reload_user_plist reload_admin_group_plist if prop_is_set?(:hidden) set_hidden end if prop_is_set?(:password) converge_by("set password") { set_password } end if new_resource.manage_home # "sysadminctl -addUser" will create the home directory if it's # the default /Users/<username>, otherwise it sets it in plist # but does not create it. Here we'll ensure that it gets created # if we've been given a directory that is not the default. unless ::File.directory?(new_resource.home) && ::File.exist?(new_resource.home) converge_by("create home directory") do shell_out!("createhomedir -c -u #{new_resource.username}") end end end if prop_is_set?(:gid) # NOTE: Here we're managing the primary group of the user which is # a departure from previous behavior. We could just set the # PrimaryGroupID for the user and move on if we decide that actual # group management should be done outside of the core resource. group_name, group_id, group_action = user_group_info group group_name do members new_resource.username gid group_id if group_id action group_action append true end converge_by("create primary group ID") do run_dscl("create", "/Users/#{new_resource.username}", "PrimaryGroupID", group_id) end end if diverged?(:secure_token) converge_by("alter SecureToken") { toggle_secure_token } end reload_user_plist end |
#diverged?(prop) ⇒ Boolean
Methods
355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 |
# File 'lib/chef/provider/user/mac.rb', line 355 def diverged?(prop) prop = prop.to_sym case prop when :password password_diverged? when :gid user_group_diverged? when :secure_token secure_token_diverged? when :hidden hidden_diverged? else # Other fields are have been set on current resource so just compare # them. !new_resource.send(prop).nil? && (new_resource.send(prop) != current_resource.send(prop)) end end |
#get_free_uid(search_limit = 1000) ⇒ Object
Find the next available uid on the system. Starting with 200 if ‘system` is set, 501 otherwise.
376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 |
# File 'lib/chef/provider/user/mac.rb', line 376 def get_free_uid(search_limit = 1000) uid = nil base_uid = new_resource.system ? 200 : 501 next_uid_guess = base_uid users_uids = run_dscl("list", "/Users", "uid") while next_uid_guess < search_limit + base_uid if users_uids&.match?(Regexp.new("#{Regexp.escape(next_uid_guess.to_s)}\n")) next_uid_guess += 1 else uid = next_uid_guess break end end uid || raise("uid not found. Exhausted. Searched #{search_limit} times") end |
#hidden_diverged? ⇒ Boolean
460 461 462 463 464 |
# File 'lib/chef/provider/user/mac.rb', line 460 def hidden_diverged? return false unless prop_is_set?(:hidden) (current_resource.hidden ? 1 : 0) != hidden_value.to_i end |
#hidden_value ⇒ Object
470 471 472 |
# File 'lib/chef/provider/user/mac.rb', line 470 def hidden_value new_resource.hidden ? 1 : 0 end |
#load_current_resource ⇒ Object
41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 |
# File 'lib/chef/provider/user/mac.rb', line 41 def load_current_resource @current_resource = Chef::Resource::User::MacUser.new(new_resource.username) current_resource.username(new_resource.username) reload_admin_group_plist reload_user_plist if user_plist current_resource.uid(user_plist[:uid][0]) current_resource.gid(user_plist[:gid][0]) current_resource.home(user_plist[:home]&.first) # use &.first since home can be nil current_resource.shell(user_plist[:shell]&.first) # use &.first since shell can be nil current_resource.comment(user_plist[:comment][0]) if user_plist[:is_hidden] current_resource.hidden(user_plist[:is_hidden]&.first == "1" ? true : false) # when not hidden the value seems to be nil so &.first to handle that end shadow_hash = user_plist[:shadow_hash] if shadow_hash current_resource.password(shadow_hash[0]["SALTED-SHA512-PBKDF2"]["entropy"].string.unpack("H*")[0]) current_resource.salt(shadow_hash[0]["SALTED-SHA512-PBKDF2"]["salt"].string.unpack("H*")[0]) current_resource.iterations(shadow_hash[0]["SALTED-SHA512-PBKDF2"]["iterations"].to_i) end current_resource.secure_token(secure_token_enabled?) current_resource.admin(admin_user?) else @user_exists = false logger.trace("#{new_resource} user does not exist") end current_resource end |
#lock_user ⇒ Object
327 328 329 330 331 |
# File 'lib/chef/provider/user/mac.rb', line 327 def lock_user run_dscl("append", "/Users/#{new_resource.username}", "AuthenticationAuthority", ";DisabledUser;") reload_user_plist end |
#locked? ⇒ Boolean
341 342 343 344 345 |
# File 'lib/chef/provider/user/mac.rb', line 341 def locked? user_plist[:auth_authority].any?(";DisabledUser;") rescue false end |
#manage_user ⇒ Object
236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 |
# File 'lib/chef/provider/user/mac.rb', line 236 def manage_user %i{uid home}.each do |prop| raise Chef::Exceptions::User, "cannot modify #{prop} on macOS >= 10.14" if diverged?(prop) end if diverged?(:password) converge_by("alter password") { set_password } end if diverged?(:comment) converge_by("alter comment") do run_dscl("create", "/Users/#{new_resource.username}", "RealName", new_resource.comment) end end if diverged?(:shell) converge_by("alter shell") do run_dscl("create", "/Users/#{new_resource.username}", "UserShell", new_resource.shell) end end if diverged?(:secure_token) converge_by("alter SecureToken") { toggle_secure_token } end if diverged?(:admin) converge_by("alter admin group membership") do group "admin" do if new_resource.admin members new_resource.username else excluded_members new_resource.username end action :create append true end admins = admin_group_plist[:group_members] if new_resource.admin admins << user_plist[:guid][0] else admins.reject! { |m| m == user_plist[:guid][0] } end run_dscl("create", "/Groups/admin", "GroupMembers", admins) end reload_admin_group_plist end group_name, group_id, group_action = user_group_info group group_name do gid group_id if group_id members new_resource.username action group_action append true end if diverged?(:gid) converge_by("alter group membership") do run_dscl("create", "/Users/#{new_resource.username}", "PrimaryGroupID", group_id) end end if diverged?(:hidden) converge_by("alter hidden") { set_hidden } end reload_user_plist end |
#password_diverged? ⇒ Boolean
474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 |
# File 'lib/chef/provider/user/mac.rb', line 474 def password_diverged? # There are three options for configuring the password: # * ShadowHashData which includes the hash data as: # * hashed entropy as the "password" # * salt # * iterations # * Plaintext password # * Not configuring it # Check for no desired password configuration return false unless prop_is_set?(:password) # Check for ShadowHashData divergence by comparing the entropy, # salt, and iterations. if prop_is_set?(:salt) return true if %i{salt iterations}.any? { |prop| diverged?(prop) } return new_resource.password != current_resource.password end # Check for plaintext password divergence. We don't actually know # what the stored password is but we can hash the given password with # stored salt and iterations, and compare the resulting entropy with # the saved entropy. OpenSSL::PKCS5.pbkdf2_hmac( new_resource.password, convert_to_binary(current_resource.salt), current_resource.iterations.to_i, 128, OpenSSL::Digest.new("SHA512") ).unpack("H*")[0] != current_resource.password end |
#prop_is_set?(prop) ⇒ Boolean
631 632 633 634 635 |
# File 'lib/chef/provider/user/mac.rb', line 631 def prop_is_set?(prop) v = new_resource.send(prop.to_sym) !v.nil? && v != "" end |
#reload_admin_group_plist ⇒ Object
76 77 78 79 80 81 82 83 |
# File 'lib/chef/provider/user/mac.rb', line 76 def reload_admin_group_plist @admin_group_plist = nil admin_group_xml = run_dscl("read", "/Groups/admin") return nil unless admin_group_xml && admin_group_xml != "" @admin_group_plist = Plist.new(::Plist.parse_xml(admin_group_xml)) end |
#reload_user_plist ⇒ Object
85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 |
# File 'lib/chef/provider/user/mac.rb', line 85 def reload_user_plist @user_plist = nil # Load the user information. begin user_xml = run_dscl("read", "/Users/#{new_resource.username}") rescue Chef::Exceptions::DsclCommandFailed return nil end return nil if user_xml.nil? || user_xml == "" @user_plist = Plist.new(::Plist.parse_xml(user_xml)) return unless user_plist[:shadow_hash] shadow_hash_hex = user_plist[:shadow_hash][0] return unless shadow_hash_hex && shadow_hash_hex != "" # The password information is stored in the ShadowHashData key in the # plist. However, parsing it is a bit tricky as the value is itself # another encoded binary plist. We have to extract the encoded plist, # decode it from hex to a binary plist and then convert the binary # into XML plist. From there we can extract the hash data. # # NOTE: `dscl -read` and `plutil -convert` return different values for # ShadowHashData. # # `dscl` returns the value encoded as a hex string and stored as a <string> # `plutil` returns the value encoded as a base64 string stored as <data> # # eg: # # spellchecker: disable # # <array> # <string>77687920 63616e27 74206170 706c6520 6275696c 6420636f 6e736973 74656e74 20746f6f 6c696e67</string> # </array> # # vs # # <array> # <data>AADKAAAKAA4LAA0MAAAAAAAAAAA=</data> # </array> # # spellchecker: disable # begin shadow_binary_plist = [shadow_hash_hex.delete(" ")].pack("H*") shadow_xml_plist = shell_out("plutil", "-convert", "xml1", "-o", "-", "-", input: shadow_binary_plist).stdout user_plist[:shadow_hash] = ::Plist.parse_xml(shadow_xml_plist) rescue Chef::Exceptions::PlistUtilCommandFailed, Chef::Exceptions::DsclCommandFailed nil end end |
#remove_user ⇒ Object
308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 |
# File 'lib/chef/provider/user/mac.rb', line 308 def remove_user cmd = ["-deleteUser", new_resource.username] cmd << new_resource.manage_home ? "-secure" : "-keepHome" if %i{admin_username admin_password}.all? { |p| prop_is_set?(p) } cmd += ["-adminUser", new_resource.admin_username] cmd += ["-adminPassword", new_resource.admin_password] end # sysadminctl doesn't exit with a non-zero exit code if it encounters # a problem. We'll check stderr and make sure we see that it finished res = run_sysadminctl(cmd) unless /deleting record|not found/.match?(res.downcase) raise Chef::Exceptions::User, "error deleting user: #{res}" end reload_user_plist @user_exists = false end |
#run_dscl(*args) ⇒ Object
615 616 617 618 619 620 621 622 |
# File 'lib/chef/provider/user/mac.rb', line 615 def run_dscl(*args) result = shell_out("dscl", "-plist", ".", "-#{args[0]}", args[1..]) return "" if ( args.first =~ /^delete/ ) && ( result.exitstatus != 0 ) raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") unless result.exitstatus == 0 raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") if /No such key: /.match?(result.stdout) result.stdout end |
#run_dsimport(*args) ⇒ Object
604 605 606 |
# File 'lib/chef/provider/user/mac.rb', line 604 def run_dsimport(*args) shell_out!("dsimport", args) end |
#run_plutil(*args) ⇒ Object
624 625 626 627 628 629 |
# File 'lib/chef/provider/user/mac.rb', line 624 def run_plutil(*args) result = shell_out("plutil", "-#{args[0]}", args[1..]) raise(Chef::Exceptions::PlistUtilCommandFailed, "plutil error: #{result.inspect}") unless result.exitstatus == 0 result.stdout end |
#run_sysadminctl(args) ⇒ Object
608 609 610 611 612 613 |
# File 'lib/chef/provider/user/mac.rb', line 608 def run_sysadminctl(args) # sysadminctl doesn't exit with a non-zero code when errors are encountered # and outputs everything to STDERR instead of STDOUT and STDERR. Therefore we'll # return the STDERR and let the caller handle it. shell_out!("sysadminctl", args).stderr end |
#secure_token_diverged? ⇒ Boolean
419 420 421 |
# File 'lib/chef/provider/user/mac.rb', line 419 def secure_token_diverged? new_resource.secure_token ? !secure_token_enabled? : secure_token_enabled? end |
#secure_token_enabled? ⇒ Boolean
413 414 415 416 417 |
# File 'lib/chef/provider/user/mac.rb', line 413 def secure_token_enabled? user_plist[:auth_authority].any?(";SecureToken;") rescue false end |
#set_hidden ⇒ Object
466 467 468 |
# File 'lib/chef/provider/user/mac.rb', line 466 def set_hidden run_dscl("create", "/Users/#{new_resource.username}", "IsHidden", hidden_value.to_i) end |
#set_password ⇒ Object
517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 |
# File 'lib/chef/provider/user/mac.rb', line 517 def set_password if prop_is_set?(:salt) entropy = StringIO.new(convert_to_binary(new_resource.password)) salt = StringIO.new(convert_to_binary(new_resource.salt)) else salt = StringIO.new(OpenSSL::Random.random_bytes(32)) entropy = StringIO.new( OpenSSL::PKCS5.pbkdf2_hmac( new_resource.password, salt.string, new_resource.iterations, 128, OpenSSL::Digest.new("SHA512") ) ) end shadow_hash = user_plist[:shadow_hash] ? user_plist[:shadow_hash][0] : {} shadow_hash["SALTED-SHA512-PBKDF2"] = { "entropy" => entropy, "salt" => salt, "iterations" => new_resource.iterations, } shadow_hash_binary = StringIO.new shell_out("plutil", "-convert", "binary1", "-o", "-", "-", input: shadow_hash.to_plist, live_stream: shadow_hash_binary) # Apple seem to have killed their dsimport documentation about the # dsimport record format. Perhaps that means our days of being able to # use dsimport without an admin password or perhaps at all could be # numbered. Here is the record format for posterity: # # End of record character # Escape character # Field separator # Value separator # Record type (Users, Groups, Computers, ComputerGroups, ComputerLists) # Number of properties # Property 1 # ... # Property N # # The user password shadow data format breaks down as: # # 0x0A End of record denoted by \n # 0x5C Escaping is denoted by \ # 0x3A Fields are separated by : # 0x2C Values are separated by , # dsRecTypeStandard:Users The record type we're configuring # 2 How many properties we're going to set # dsAttrTypeStandard:RecordName Property 1: our users record name # base64:dsAttrTypeNative:ShadowHashData Property 2: our shadow hash data import_file = ::File.join(Chef::Config["file_cache_path"], "#{new_resource.username}_password_dsimport") ::File.open(import_file, "w+", 0600) do |f| f.write <<~DSIMPORT 0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 2 dsAttrTypeStandard:RecordName base64:dsAttrTypeNative:ShadowHashData #{new_resource.username}:#{::Base64.strict_encode64(shadow_hash_binary.string)} DSIMPORT end run_dscl("delete", "/Users/#{new_resource.username}", "ShadowHashData") run_dsimport(import_file, "/Local/Default", "M") run_dscl("create", "/Users/#{new_resource.username}", "Password", "********") ensure ::File.delete(import_file) if import_file && ::File.exist?(import_file) end |
#toggle_secure_token ⇒ Object
423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 |
# File 'lib/chef/provider/user/mac.rb', line 423 def toggle_secure_token # Check for this lazily as we only need to validate for these credentials # if we're toggling secure token. unless %i{admin_username admin_password secure_token_password}.all? { |p| prop_is_set?(p) } raise Chef::Exceptions::User, "secure_token_password, admin_username and admin_password properties are required to modify SecureToken" end cmd = (new_resource.secure_token ? %w{-secureTokenOn} : %w{-secureTokenOff}) cmd += [new_resource.username, "-password", new_resource.secure_token_password] cmd += ["-adminUser", new_resource.admin_username] cmd += ["-adminPassword", new_resource.admin_password] # sysadminctl doesn't exit with a non-zero exit code if it encounters # a problem. We'll check stderr and make sure we see that it finished res = run_sysadminctl(cmd) unless /done/.match?(res.downcase) raise Chef::Exceptions::User, "error when modifying SecureToken: #{res}" end # HACK: When SecureToken is enabled or disabled it requires the user # password in plaintext, which it verifies and uses as a key. It also # takes the liberty of _rehashing_ the password with a random salt and # iterations count and saves it back into the user ShadowHashData. # # Therefore, if we're configuring a user based upon existing shadow # hash data we'll have to set the password again so that future runs # of the client don't show password drift. set_password if prop_is_set?(:salt) end |
#unlock_user ⇒ Object
333 334 335 336 337 338 339 |
# File 'lib/chef/provider/user/mac.rb', line 333 def unlock_user auth_string = user_plist[:auth_authority].reject! { |tag| tag == ";DisabledUser;" }.join.strip run_dscl("create", "/Users/#{new_resource.username}", "AuthenticationAuthority", auth_string) reload_user_plist end |
#user_group_diverged? ⇒ Boolean
453 454 455 456 457 458 |
# File 'lib/chef/provider/user/mac.rb', line 453 def user_group_diverged? return false unless prop_is_set?(:gid) group_name, group_id = user_group_info current_resource.gid != group_id.to_i end |
#user_group_info ⇒ Object
Attempt to resolve the group name, gid, and the action required for associated group resource. If a group exists we’ll modify it, otherwise create it.
395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 |
# File 'lib/chef/provider/user/mac.rb', line 395 def user_group_info @user_group_info ||= if new_resource.gid.is_a?(String) begin g = Etc.getgrnam(new_resource.gid) [g.name, g.gid.to_s, :modify] rescue [new_resource.gid, nil, :create] end else begin g = Etc.getgrgid(new_resource.gid) [g.name, g.gid.to_s, :modify] rescue [g.username, nil, :create] end end end |
#wait_for_user ⇒ Object
587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 |
# File 'lib/chef/provider/user/mac.rb', line 587 def wait_for_user timeout = Time.now + 5 loop do run_dscl("read", "/Users/#{new_resource.username}", "ShadowHashData") break rescue Chef::Exceptions::DsclCommandFailed => e if Time.now < timeout sleep 0.1 else raise Chef::Exceptions::User, e. end end end |