authorMarc A. Paradise <marc.paradise@gmail.com>2022-09-27 16:20:46 -0400
committerMarc A. Paradise <marc.paradise@gmail.com>2022-09-28 10:04:36 -0400
commit423b31e5731cf8ffa068b4ce13c753efbafdc310 (patch)
treee0d9831ef43be6d3eccd9145fec903fdd7f3900c
parentdd982bc5014498fe21b03de5d41f881f7a2bbcdb (diff)
downloadchef-423b31e5731cf8ffa068b4ce13c753efbafdc310.tar.gz
Allow user providers to declare no support for ruby-shadow
The AIX platform does not support ruby-shadow, but we always attempt to load it. The load fails on the AIX platform, which later causes our requirement assertion that `@shadow_lib_ok` be true to fail. Instead we allow user resource providers to override `supports_ruby_shadow?` if they do not support it, so that we don't assert that it is required in those cases. We default the return value to `true` because most platforms are supported by this gem. Signed-off-by: Marc A. Paradise <marc.paradise@gmail.com>
-rw-r--r--lib/chef/provider/user.rb22
-rw-r--r--lib/chef/provider/user/aix.rb5
-rw-r--r--spec/unit/provider/user_spec.rb30
3 files changed, 49 insertions, 8 deletions
diff --git a/lib/chef/provider/user.rb b/lib/chef/provider/user.rb
index 2abd7f5f3c..3d18c0df82 100644
--- a/lib/chef/provider/user.rb
+++ b/lib/chef/provider/user.rb
@@ -72,7 +72,18 @@ class Chef
@shadow_lib_ok = false
else
@shadow_info = Shadow::Passwd.getspnam(new_resource.username)
- current_resource.password(@shadow_info.sp_pwdp) if new_resource.password && current_resource.password == "x"
+ # This conditional remains in place until we can sort out whether we need it.
+ # Currently removing it causes tests to fail, but that /seems/ to be mocking/setup issues.
+ # Some notes for context:
+ # 1. Ruby's ETC.getpwnam makes use of /etc/passwd file (https://github.com/ruby/etc/blob/master/ext/etc/etc.c),
+ # which returns "x" for a nil password. on AIX it returns a "*"
+ # (https://www.ibm.com/docs/bg/aix/7.2?topic=passwords-using-etcpasswd-file)
+ # 2. On AIX platforms ruby_shadow does not work as it does not
+ # store encrypted passwords in the /etc/passwd file but in /etc/security/passwd file.
+ # The AIX provider for user currently declares it does not support ruby-shadow.
+ if new_resource.password && current_resource.password == "x"
+ current_resource.password(@shadow_info.sp_pwdp)
+ end
end
convert_group_name if new_resource.gid
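Review bot: `@shadow_info.sp_pwdp` is dereferenced without checking that `Shadow::Passwd.getspnam` returned an entry, although `load_shadow_options` in the next hunk guards the same variable with `unless @shadow_info.nil?`. If the lookup can come back nil (presumably when the user has no shadow entry or the file cannot be read), this line raises NoMethodError in the middle of `load_current_resource` instead of leaving the password unresolved. The condition could carry the guard itself: `if @shadow_info && new_resource.password && current_resource.password == "x"`. The added comment should also spell the module `Etc.getpwnam`, not `ETC.getpwnam`. The surrounding `begin`/`rescue LoadError` starts above the hunk.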
@@ -81,6 +92,13 @@ class Chef
current_resource
end
+ # An overridable for platforms that do not support ruby shadow. This way we
+ # can verify that the platform supports ruby shadow before requiring that
+ # it be available.
+ def supports_ruby_shadow?
+ true
+ end
+
def load_shadow_options
unless @shadow_info.nil?
current_resource.inactive(@shadow_info.sp_inact&.to_i)
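Review bot: The comment on `supports_ruby_shadow?` does not say how little the predicate controls. It is only read by the assertion in `define_resource_requirements`, while `load_current_resource` still tries to `require "shadow"` on every platform (the not-supported spec case still expects that call). A provider author overriding it should be told so, for example: `# Returning false only skips the MissingLibrary assertion; the gem load is still attempted, and the provider is responsible for reading the current password hash by its own means.` A `# @return [Boolean]` line would match the predicate naming.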
@@ -102,7 +120,7 @@ class Chef
a.whyrun "group name #{new_resource.gid} does not exist. This will cause group assignment to fail. Assuming this group will have been created previously."
end
requirements.assert(:all_actions) do |a|
- a.assertion { @shadow_lib_ok }
+ a.assertion { !supports_ruby_shadow? || @shadow_lib_ok }
a.failure_message Chef::Exceptions::MissingLibrary, "You must have ruby-shadow installed for password support!"
a.whyrun "ruby-shadow is not installed. Attempts to set user password will cause failure. Assuming that this gem will have been previously installed." \
"Note that user update converge may report false-positive on the basis of mismatched password. "
diff --git a/lib/chef/provider/user/aix.rb b/lib/chef/provider/user/aix.rb
index 740f9943d3..997bd6bac5 100644
--- a/lib/chef/provider/user/aix.rb
+++ b/lib/chef/provider/user/aix.rb
@@ -23,6 +23,11 @@ class Chef
provides :user, os: "aix"
provides :aix_user
+ # The ruby-shadow gem is not supported on aix.
+ def supports_ruby_shadow?
+ false
+ end
+
def create_user
shell_out!("useradd", universal_options, useradd_options, new_resource.username)
add_password
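Review bot: The comment on the AIX override says the gem is unsupported but not why, and the reason currently lives only in the base provider's comment block. Repeating it here keeps the override understandable on its own: `# AIX keeps password hashes in /etc/security/passwd rather than a shadow file, so ruby-shadow cannot be used and must not be required by the base provider's assertions.` It would also help to note which method in this provider supplies the current password for comparison, since that is not visible from this hunk.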
diff --git a/spec/unit/provider/user_spec.rb b/spec/unit/provider/user_spec.rb
index c8ad656f06..67cb2debf8 100644
--- a/spec/unit/provider/user_spec.rb
+++ b/spec/unit/provider/user_spec.rb
@@ -178,12 +178,30 @@ describe Chef::Provider::User do
end
end
- it "should fail assertions when ruby-shadow cannot be loaded" do
- expect(@provider).to receive(:require).with("shadow") { raise LoadError }
- @provider.load_current_resource
- @provider.action = :create
- @provider.define_resource_requirements
- expect { @provider.process_resource_requirements }.to raise_error Chef::Exceptions::MissingLibrary
+ context "when ruby-shadow is supported on the platform" do
+ before do
+ allow(@provider).to receive(:supports_ruby_shadow?).and_return true
+ end
+ it "should fail assertions when ruby-shadow cannot be loaded" do
+ expect(@provider).to receive(:require).with("shadow") { raise LoadError }
+ @provider.load_current_resource
+ @provider.action = :create
+ @provider.define_resource_requirements
+ expect { @provider.process_resource_requirements }.to raise_error Chef::Exceptions::MissingLibrary
+ end
+ end
+
+ context "when ruby-shadow is not supported on the platform" do
+ before do
+ allow(@provider).to receive(:supports_ruby_shadow?).and_return false
+ end
+ it "should not fail any assertions when ruby-shadow cannot be loaded" do
+ expect(@provider).to receive(:require).with("shadow") { raise LoadError }
+ @provider.load_current_resource
+ @provider.action = :create
+ @provider.define_resource_requirements
+ @provider.process_resource_requirements
+ end
end
end
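Review bot: The "should not fail any assertions" example has no explicit expectation on the outcome, so it passes only because nothing raises and does not state the intent. Wrapping the last call makes the contract visible: `expect { @provider.process_resource_requirements }.not_to raise_error`. Both contexts also stub `supports_ruby_shadow?`, so the base default of `true` and the AIX override of `false` are never exercised directly. A pair of one-line examples asserting those return values would catch an accidental flip.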