authorSerdar Sutay <serdar@opscode.com>2014-08-12 10:24:49 -0700
committerSerdar Sutay <serdar@opscode.com>2014-08-12 16:18:18 -0700
commitde00321eb72952f87494d90677e1ada1638d0bcd (patch)
tree575cc621e6d439f6de103dd9bc9bc9fde73d7b01
parentebe9a7f262f23ff7bd9f94afa9b0c1a07cbd2a73 (diff)
downloadchef-de00321eb72952f87494d90677e1ada1638d0bcd.tar.gz
Updates based on PR comments.
-rw-r--r--lib/chef/exceptions.rb2
-rw-r--r--lib/chef/provider/user/dscl.rb58
-rw-r--r--spec/unit/provider/user/dscl_spec.rb3
3 files changed, 38 insertions, 25 deletions
diff --git a/lib/chef/exceptions.rb b/lib/chef/exceptions.rb
index 0d86b08558..f6db5dbe56 100644
--- a/lib/chef/exceptions.rb
+++ b/lib/chef/exceptions.rb
@@ -83,7 +83,7 @@ class Chef
class RequestedUIDUnavailable < RuntimeError; end
class InvalidHomeDirectory < ArgumentError; end
class DsclCommandFailed < RuntimeError; end
- class PlutilCommandFailed < RuntimeError; end
+ class PlistUtilCommandFailed < RuntimeError; end
class UserIDNotFound < ArgumentError; end
class GroupIDNotFound < ArgumentError; end
class ConflictingMembersInGroup < ArgumentError; end
diff --git a/lib/chef/provider/user/dscl.rb b/lib/chef/provider/user/dscl.rb
index 0c4ac27377..8f56859fe4 100644
--- a/lib/chef/provider/user/dscl.rb
+++ b/lib/chef/provider/user/dscl.rb
@@ -62,31 +62,47 @@ class Chef
end
requirements.assert(:create, :modify, :manage) do |a|
- # Password Requirements
a.assertion do
- if @new_resource.password
- if mac_osx_version_greater_than_10_7?
- if salted_sha512?(@new_resource.password)
- # SALTED-SHA512 password shadow hashes are not supported
- false
- elsif salted_sha512_pbkdf2?(@new_resource.password)
- # salt and iterations should be specified when
- # SALTED-SHA512-PBKDF2 password shadow hash is given
- @new_resource.salt && @new_resource.iterations
- else
- true
- end
- else
- # On 10.7 SALTED-SHA512-PBKDF2 is not supported
- !salted_sha512_pbkdf2?(@new_resource.password)
- end
+ if @new_resource.password && mac_osx_version_greater_than_10_7?
+ # SALTED-SHA512 password shadow hashes are not supported on 10.8 and above.
+ !salted_sha512?(@new_resource.password)
else
true
end
end
- a.failure_message(Chef::Exceptions::User, "Requirements for password is not achieved. Check \
- http://docs.getchef.com/resource_user.html#attributes for more information!")
+ a.failure_message(Chef::Exceptions::User, "SALTED-SHA512 passwords are not supported on Mac 10.8 and above. \
+If you want to set the user password using shadow info make sure you specify a SALTED-SHA512-PBKDF2 shadow hash \
+in 'password', with the associated 'salt' and 'iterations'.")
end
+
+ requirements.assert(:create, :modify, :manage) do |a|
+ a.assertion do
+ if @new_resource.password && mac_osx_version_greater_than_10_7? && salted_sha512_pbkdf2?(@new_resource.password)
+ # salt and iterations should be specified when
+ # SALTED-SHA512-PBKDF2 password shadow hash is given
+ !@new_resource.salt.nil? && !@new_resource.iterations.nil?
+ else
+ true
+ end
+ end
+ a.failure_message(Chef::Exceptions::User, "SALTED-SHA512-PBKDF2 shadow hash is given without associated \
+'salt' and 'iterations'. Please specify 'salt' and 'iterations' in order to set the user password using shadow hash.")
+ end
+
+ requirements.assert(:create, :modify, :manage) do |a|
+ a.assertion do
+ if @new_resource.password && !mac_osx_version_greater_than_10_7?
+ # On 10.7 SALTED-SHA512-PBKDF2 is not supported
+ !salted_sha512_pbkdf2?(@new_resource.password)
+ else
+ true
+ end
+ end
+ a.failure_message(Chef::Exceptions::User, "SALTED-SHA512-PBKDF2 shadow hashes are not supported on \
+Mac OS X version 10.7. Please specify a SALTED-SHA512 shadow hash in 'password' attribute to set the \
+user password using shadow hash.")
+ end
+
end
def load_current_resource
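Review bot: The second assertion (the `salted_sha512_pbkdf2?` branch) only checks that `salt` and `iterations` are non-nil, so an empty salt or a zero or non-numeric iteration count still satisfies the requirement and would presumably surface only later, when the shadow hash entry is built. Because the PBKDF2 iteration count and salt are part of what makes the stored credential both verifiable and costly to brute-force, I would tighten that line to `!@new_resource.salt.to_s.empty? && @new_resource.iterations.to_i > 0`, unless the resource definition already validates these attributes, which is not visible here. The three failure messages also name the platform inconsistently ("Mac 10.8 and above" versus "Mac OS X version 10.7"); using one form would make the errors easier to search for. The enclosing method starts above this hunk, so any earlier requirements are not visible.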
@@ -542,7 +558,7 @@ class Chef
user_plist_file = "#{USER_PLIST_DIRECTORY}/#{@new_resource.username}.plist"
user_plist_info = run_plutil("convert xml1 -o - #{user_plist_file}")
user_info = Plist::parse_xml(user_plist_info)
- rescue Chef::Exceptions::PlutilCommandFailed
+ rescue Chef::Exceptions::PlistUtilCommandFailed
end
user_info
@@ -613,7 +629,7 @@ class Chef
def run_plutil(*args)
result = shell_out("plutil -#{args.join(' ')}")
- raise(Chef::Exceptions::PlutilCommandFailed,"plutil error: #{result.inspect}") unless result.exitstatus == 0
+ raise(Chef::Exceptions::PlistUtilCommandFailed,"plutil error: #{result.inspect}") unless result.exitstatus == 0
result.stdout
end
diff --git a/spec/unit/provider/user/dscl_spec.rb b/spec/unit/provider/user/dscl_spec.rb
index 0ff5a26ea6..3cb18f1979 100644
--- a/spec/unit/provider/user/dscl_spec.rb
+++ b/spec/unit/provider/user/dscl_spec.rb
@@ -430,7 +430,6 @@ ea18e18b720e358e7fbe3cfbeaa561456f6ba008937a30"
it "diverged_password? should report false" do
provider.load_current_resource
- pending
provider.diverged_password?.should be_false
end
end
@@ -440,7 +439,6 @@ ea18e18b720e358e7fbe3cfbeaa561456f6ba008937a30"
it "diverged_password? should report true" do
provider.load_current_resource
- pending
provider.diverged_password?.should be_true
end
end
@@ -644,7 +642,6 @@ ea18e18b720e358e7fbe3cfbeaa561456f6ba008937a30")
let(:password) { "vagrant" }
it "password_shadow_info should have salted-sha-512 format" do
- pending
shadow_info = provider.prepare_password_shadow_info
shadow_info.should have_key("SALTED-SHA512")
info = shadow_info["SALTED-SHA512"].string.unpack('H*').first