add code comment, add unit test for case when no salt is found

2 files changed, 12 insertions, 0 deletions

diff --git a/lib/chef/provider/user/dscl.rb b/lib/chef/provider/user/dscl.rb
index 4be7150145..4ad541c2ac 100644
--- a/lib/chef/provider/user/dscl.rb
+++ b/lib/chef/provider/user/dscl.rb
@@ -504,7 +504,11 @@ user password using shadow hash.")
             # password to be updated.
             return true if salted_sha512?(@current_resource.password)
 
+            # Some system users don't have salts; this can happen if the system is
+            # upgraded and the user hasn't logged in yet. In this case, we will force
+            # the password to be updated.
             return true if @current_resource.salt.nil?
+
             if salted_sha512_pbkdf2?(@new_resource.password)
               diverged?(:password) || diverged?(:salt) || diverged?(:iterations)
             else
diff --git a/spec/unit/provider/user/dscl_spec.rb b/spec/unit/provider/user/dscl_spec.rb
index 24691cce33..a6f7449458 100644
--- a/spec/unit/provider/user/dscl_spec.rb
+++ b/spec/unit/provider/user/dscl_spec.rb
@@ -610,6 +610,14 @@ ea18e18b720e358e7fbe3cfbeaa561456f6ba008937a30")
             expect(provider.diverged_password?).to be_truthy
           end
         end
+
+        describe "when salt isn't found" do
+          it "diverged_password? should report true" do
+            provider.load_current_resource
+            provider.current_resource.salt(nil)
+            expect(provider.diverged_password?).to be_truthy
+          end
+        end
       end
     end
   end