Merge pull request #8775 from chef/ryancragun/mac_user

Add mac_user resource that is compatible with macOS >= 10.14

12 files changed, 991 insertions, 3 deletions

diff --git a/lib/chef/provider/user/dscl.rb b/lib/chef/provider/user/dscl.rb
index b8f85618da..027f9eba38 100644
--- a/lib/chef/provider/user/dscl.rb
+++ b/lib/chef/provider/user/dscl.rb
@@ -42,7 +42,7 @@ class Chef
       #         => shadow binary length 128 bytes
       #         => Salt / Iterations are stored separately in the same file
       #
-      # This provider only supports Mac OSX versions 10.7 and above
+      # This provider only supports macOS versions 10.7 to 10.13
       class Dscl < Chef::Provider::User
 
         attr_accessor :user_info
@@ -50,7 +50,7 @@ class Chef
         attr_accessor :password_shadow_conversion_algorithm
 
         provides :dscl_user
-        provides :user, os: "darwin"
+        provides :user, os: "darwin", platform_version: "<= 10.13"
 
         # Just-in-case a recipe calls the user dscl provider without specifying
         # a gid property. Avoids chown issues in move_home when the manage_home
diff --git a/lib/chef/provider/user/mac.rb b/lib/chef/provider/user/mac.rb
new file mode 100644
index 0000000000..414445cfa1
--- /dev/null
+++ b/lib/chef/provider/user/mac.rb
@@ -0,0 +1,628 @@
+#
+# Author:: Ryan Cragun (<ryan@chef.io>)
+# Copyright:: Copyright (c) 2019, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../../resource"
+require_relative "../../dsl/declare_resource"
+require_relative "../../mixin/shell_out"
+require_relative "../../mixin/which"
+require_relative "../user"
+require_relative "../../resource/user/mac_user"
+
+class Chef
+  class Provider
+    class User
+      # A macOS user provider that is compatible with default TCC restrictions
+      # in macOS 10.14. See resource/user/mac_user.rb for complete description
+      # of the mac_user resource and how it differs from the dscl resource used
+      # on previous platforms.
+      class MacUser < Chef::Provider::User
+        include Chef::Mixin::Which
+
+        provides :mac_user
+        provides :user, os: "darwin", platform_version: ">= 10.14"
+
+        attr_reader :user_plist, :admin_group_plist
+
+        def load_current_resource
+          @current_resource = Chef::Resource::User::MacUser.new(new_resource.username)
+          current_resource.username(new_resource.username)
+
+          reload_admin_group_plist
+          reload_user_plist
+
+          if user_plist
+            current_resource.uid(user_plist[:uid][0])
+            current_resource.gid(user_plist[:gid][0])
+            current_resource.home(user_plist[:home][0])
+            current_resource.shell(user_plist[:shell][0])
+            current_resource.comment(user_plist[:comment][0])
+
+            shadow_hash = user_plist[:shadow_hash]
+            if shadow_hash
+              current_resource.password(shadow_hash[0]["SALTED-SHA512-PBKDF2"]["entropy"].string.unpack("H*")[0])
+              current_resource.salt(shadow_hash[0]["SALTED-SHA512-PBKDF2"]["salt"].string.unpack("H*")[0])
+              current_resource.iterations(shadow_hash[0]["SALTED-SHA512-PBKDF2"]["iterations"].to_i)
+            end
+
+            current_resource.secure_token(secure_token_enabled?)
+            current_resource.admin(admin_user?)
+          else
+            @user_exists = false
+            logger.trace("#{new_resource} user does not exist")
+          end
+
+          current_resource
+        end
+
+        def reload_admin_group_plist
+          @admin_group_plist = nil
+
+          admin_group_xml = run_dscl("read", "/Groups/admin")
+          return nil unless admin_group_xml && admin_group_xml != ""
+
+          @admin_group_plist = Plist.new(::Plist.parse_xml(admin_group_xml))
+        end
+
+        def reload_user_plist
+          @user_plist = nil
+
+          # Load the user information.
+          begin
+            user_xml = run_dscl("read", "/Users/#{new_resource.username}")
+          rescue Chef::Exceptions::DsclCommandFailed
+            return nil
+          end
+
+          return nil if user_xml.nil? || user_xml == ""
+
+          @user_plist = Plist.new(::Plist.parse_xml(user_xml))
+
+          shadow_hash_hex = user_plist[:shadow_hash][0]
+          return unless shadow_hash_hex && shadow_hash_hex != ""
+
+          # The password infomation is stored in the ShadowHashData key in the
+          # plist. However, parsing it is a bit tricky as the value is itself
+          # another encoded binary plist. We have to extract the encoded plist,
+          # decode it from hex to a binary plist and then convert the binary
+          # into XML plist. From there we can extract the hash data.
+          #
+          # NOTE: `dscl -read` and `plutil -convert` return different values for
+          # ShadowHashData.
+          #
+          # `dscl` returns the value encoded as a hex string and stored as a <string>
+          # `plutil` returns the value encoded as a base64 string stored as <data>
+          #
+          #  eg:
+          #
+          # <array>
+          #   <string>77687920 63616e27 74206170 706c6520 6275696c 6420636f 6e736973 74656e74 20746f6f 6c696e67</string>
+          # </array>
+          #
+          # vs
+          #
+          # <array>
+          #   <data>AADKAAAKAA4LAA0MAAAAAAAAAAA=</data>
+          # </array>
+          #
+          begin
+            shadow_binary_plist = [shadow_hash_hex.delete(" ")].pack("H*")
+            shadow_xml_plist = shell_out("plutil", "-convert", "xml1", "-o", "-", "-", input: shadow_binary_plist).stdout
+            user_plist[:shadow_hash] = ::Plist.parse_xml(shadow_xml_plist)
+          rescue Chef::Exceptions::PlistUtilCommandFailed, Chef::Exceptions::DsclCommandFailed
+            nil
+          end
+        end
+
+        #
+        # User Provider Callbacks
+        #
+
+        def create_user
+          cmd = [-"-addUser", new_resource.username]
+          cmd += ["-fullName", new_resource.comment] if new_resource.property_is_set?(:comment)
+          cmd += ["-UID", new_resource.uid]          if new_resource.property_is_set?(:uid)
+          cmd += ["-shell", new_resource.shell]
+          cmd += ["-home", new_resource.home]
+          cmd += ["-admin"] if new_resource.admin
+
+          # We can technically create a new user without the admin credentials
+          # but without them the user cannot enable SecureToken, thus they cannot
+          # create other secure users or enable FileVault full disk encryption.
+          if new_resource.property_is_set?(:admin_username) && new_resource.property_is_set?(:admin_password)
+            cmd += ["-adminUser", new_resource.admin_username]
+            cmd += ["-adminPassword", new_resource.admin_password]
+          end
+
+          converge_by "create user" do
+            # sysadminctl doesn't exit with a non-zero exit code if it encounters
+            # a problem. We'll check stderr and make sure we see that it finished
+            # correctly.
+            res = run_sysadminctl(cmd)
+            unless res.downcase =~ /creating user/
+              raise Chef::Exceptions::User, "error when creating user: #{res}"
+            end
+          end
+
+          # Wait for the user to show up in the ds cache
+          wait_for_user
+
+          # Reload with up-to-date user information
+          reload_user_plist
+          reload_admin_group_plist
+
+          if new_resource.property_is_set?(:password)
+            converge_by("set password") { set_password }
+          end
+
+          if new_resource.manage_home
+            # "sydadminctl -addUser" will create the home directory if it's
+            # the default /Users/<username>, otherwise it sets it in plist
+            # but does not create it. Here we'll ensure that it gets created
+            # if we've been given a directory that is not the default.
+            unless ::File.directory?(new_resource.home) && ::File.exist?(new_resource.home)
+              converge_by("create home directory") do
+                shell_out!("createhomedir -c -u #{new_resource.username}")
+              end
+            end
+          end
+
+          if new_resource.property_is_set?(:gid)
+            # NOTE: Here we're managing the primary group of the user which is
+            # a departure from previous behavior. We could just set the
+            # PrimaryGroupID for the user and move on if we decide that actual
+            # group magement should be done outside of the core resource.
+            group_name, group_id, group_action = user_group_info
+
+            declare_resource(:group, group_name) do
+              members new_resource.username
+              gid group_id if group_id
+              action :nothing
+              append true
+            end.run_action(group_action)
+
+            converge_by("create primary group ID") do
+              run_dscl("create", "/Users/#{new_resource.username}", "PrimaryGroupID", new_resource.gid)
+            end
+          end
+
+          if diverged?(:secure_token)
+            converge_by("alter SecureToken") { toggle_secure_token }
+          end
+
+          reload_user_plist
+        end
+
+        def compare_user
+          %i{comment shell uid gid salt password admin secure_token}.any? { |m| diverged?(m) }
+        end
+
+        def manage_user
+          %i{uid home}.each do |prop|
+            raise Chef::Exceptions::User, "cannot modify #{prop} on macOS >= 10.14" if diverged?(prop)
+          end
+
+          if diverged?(:password)
+            converge_by("alter password") { set_password }
+          end
+
+          if diverged?(:comment)
+            converge_by("alter comment") do
+              run_dscl("create", "/Users/#{new_resource.username}", "RealName", new_resource.comment)
+            end
+          end
+
+          if diverged?(:shell)
+            converge_by("alter shell") do
+              run_dscl("create", "/Users/#{new_resource.username}", "UserShell", new_resource.shell)
+            end
+          end
+
+          if diverged?(:secure_token)
+            converge_by("alter SecureToken") { toggle_secure_token }
+          end
+
+          if diverged?(:admin)
+            converge_by("alter admin group membership") do
+              declare_resource(:group, "admin") do
+                if new_resource.admin
+                  members new_resource.username
+                else
+                  excluded_members new_resource.username
+                end
+
+                action :nothing
+                append true
+              end.run_action(:create)
+
+              admins = admin_group_plist[:group_members]
+              if new_resource.admin
+                admins << user_plist[:guid][0]
+              else
+                admins.reject! { |m| m == user_plist[:guid][0] }
+              end
+
+              run_dscl("create", "/Groups/admin", "GroupMembers", admins)
+            end
+
+            reload_admin_group_plist
+          end
+
+          group_name, group_id, group_action = user_group_info
+          declare_resource(:group, group_name) do
+            gid group_id if group_id
+            members new_resource.username
+            action :nothing
+            append true
+          end.run_action(group_action)
+
+          if diverged?(:gid)
+            converge_by("alter group membership") do
+              run_dscl("create", "/Users/#{new_resource.username}", "PrimaryGroupID", new_resource.gid)
+            end
+          end
+
+          reload_user_plist
+        end
+
+        def remove_user
+          cmd = ["-deleteUser", new_resource.username]
+          cmd << new_resource.manage_home ? "-secure" : "-keepHome"
+          if new_resource.property_is_set?(:admin_username) && new_resource.property_is_set?(:admin_password)
+            cmd += ["-adminUser", new_resource.admin_username]
+            cmd += ["-adminPassword", new_resource.admin_password]
+          end
+
+          # sysadminctl doesn't exit with a non-zero exit code if it encounters
+          # a problem. We'll check stderr and make sure we see that it finished
+          converge_by "remove user" do
+            res = run_sysadminctl(cmd)
+            unless res.downcase =~ /deleting record|not found/
+              raise Chef::Exceptions::User, "error deleting user: #{res}"
+            end
+          end
+
+          reload_user_plist
+          @user_exists = false
+        end
+
+        def lock_user
+          converge_by "lock user" do
+            run_dscl("append", "/Users/#{new_resource.username}", "AuthenticationAuthority", ";DisabledUser;")
+          end
+
+          reload_user_plist
+        end
+
+        def unlock_user
+          auth_string = user_plist[:auth_authority].reject! { |tag| tag == ";DisabledUser;" }.join.strip
+          converge_by "unlock user" do
+            run_dscl("create", "/Users/#{new_resource.username}", "AuthenticationAuthority", auth_string)
+          end
+
+          reload_user_plist
+        end
+
+        def locked?
+          user_plist[:auth_authority].any? { |tag| tag == ";DisabledUser;" }
+        rescue
+          false
+        end
+
+        def check_lock
+          @locked = locked?
+        end
+
+        #
+        # Methods
+        #
+
+        def diverged?(prop)
+          prop = prop.to_sym
+
+          case prop
+          when :password
+            password_diverged?
+          when :gid
+            user_group_diverged?
+          when :secure_token
+            secure_token_diverged?
+          else
+            # Other fields are have been set on current resource so just compare
+            # them.
+            new_resource.property_is_set?(prop) && (new_resource.send(prop) != current_resource.send(prop))
+          end
+        end
+
+        # Attempt to resolve the group name, gid, and the action required for
+        # associated group resource. If a group exists we'll modify it, otherwise
+        # create it.
+        def user_group_info
+          @user_group_info ||= begin
+            if new_resource.gid.is_a?(String)
+              begin
+                g = Etc.getgrnam(new_resource.gid)
+                [g.name, g.gid.to_s, :modify]
+              rescue
+                [new_resource.gid, nil, :create]
+              end
+            else
+              begin
+                g = Etc.getgrgid(new_resource.gid)
+                [g.name, g.gid.to_s, :modify]
+              rescue
+                [g.username, nil, :create]
+              end
+            end
+          end
+        end
+
+        def secure_token_enabled?
+          user_plist[:auth_authority].any? { |tag| tag == ";SecureToken;" }
+        rescue
+          false
+        end
+
+        def secure_token_diverged?
+          new_resource.secure_token ? !secure_token_enabled? : secure_token_enabled?
+        end
+
+        def toggle_secure_token
+          # Check for this lazily as we only need to validate for these credentials
+          # if we're toggling secure token.
+          unless new_resource.property_is_set?(:admin_username) &&
+              new_resource.property_is_set?(:admin_password) &&
+              # property_is_set? can't handle a default inherited from password
+              # when not using shadow hash data. Hence, we'll just have to
+              # make sure some valid string is there.
+              new_resource.secure_token_password &&
+              new_resource.secure_token_password != ""
+            raise Chef::Exceptions::User, "secure_token_password, admin_user and admin_password properties are required to modify SecureToken"
+          end
+
+          cmd = (new_resource.secure_token ? %w{-secureTokenOn} : %w{-secureTokenOff})
+          cmd += [new_resource.username, "-password", new_resource.secure_token_password]
+          cmd += ["-adminUser", new_resource.admin_username]
+          cmd += ["-adminPassword", new_resource.admin_password]
+
+          # sysadminctl doesn't exit with a non-zero exit code if it encounters
+          # a problem. We'll check stderr and make sure we see that it finished
+          res = run_sysadminctl(cmd)
+          unless res.downcase =~ /done/
+            raise Chef::Exceptions::User, "error when modifying SecureToken: #{res}"
+          end
+
+          # HACK: When SecureToken is enabled or disabled it requires the user
+          # password in plaintext, which it verifies and uses as a key. It also
+          # takes the liberty of _rehashing_ the password with a random salt and
+          # iterations count and saves it back into the user ShadowHashData.
+          #
+          # Therefore, if we're configuring a user based upon existing shadow
+          # hash data we'll have to set the password again so that future runs
+          # of the client don't show password drift.
+          set_password if new_resource.property_is_set?(:salt)
+        end
+
+        def user_group_diverged?
+          return false unless new_resource.property_is_set?(:gid)
+
+          group_name, group_id = user_group_info
+
+          if current_resource.gid.is_a?(String)
+            current_resource.gid != group_name
+          else
+            current_resource.gid != group_id.to_i
+          end
+        end
+
+        def password_diverged?
+          # There are three options for configuring the password:
+          #   * ShadowHashData which includes the hash data as:
+          #     * hashed entropy as the "password"
+          #     * salt
+          #     * iterations
+          #   * Plaintext password
+          #   * Not configuring it
+
+          # Check for no desired password configuration
+          return false unless new_resource.property_is_set?(:password)
+
+          # Check for ShadowHashData divergence by comparing the entropy,
+          # salt, and iterations.
+          if new_resource.property_is_set?(:salt)
+            return true if %i{salt iterations}.any? { |prop| diverged?(prop) }
+
+            return new_resource.password != current_resource.password
+          end
+
+          # Check for plaintext password divergence. We don't actually know
+          # what the stored password is but we can hash the given password with
+          # stored salt and iterations, and compare the resulting entropy with
+          # the saved entropy.
+          OpenSSL::PKCS5.pbkdf2_hmac(
+            new_resource.password,
+            convert_to_binary(current_resource.salt),
+            current_resource.iterations.to_i,
+            128,
+            OpenSSL::Digest::SHA512.new
+          ).unpack("H*")[0] != current_resource.password
+        end
+
+        def admin_user?
+          admin_group_plist[:group_members].any? { |mem| mem == user_plist[:guid][0] }
+        rescue
+          false
+        end
+
+        def convert_to_binary(string)
+          string.unpack("a2" * (string.size / 2)).collect { |i| i.hex.chr }.join
+        end
+
+        def set_password
+          if new_resource.property_is_set?(:salt)
+            entropy = StringIO.new(convert_to_binary(new_resource.password))
+            salt = StringIO.new(convert_to_binary(new_resource.salt))
+          else
+            salt = StringIO.new(OpenSSL::Random.random_bytes(32))
+            entropy = StringIO.new(
+              OpenSSL::PKCS5.pbkdf2_hmac(
+                new_resource.password,
+                salt.string,
+                new_resource.iterations,
+                128,
+                OpenSSL::Digest::SHA512.new
+              )
+            )
+          end
+
+          shadow_hash = user_plist[:shadow_hash][0]
+          shadow_hash["SALTED-SHA512-PBKDF2"] = {
+            "entropy" => entropy,
+            "salt" => salt,
+            "iterations" => new_resource.iterations,
+          }
+
+          shadow_hash_binary = StringIO.new
+          shell_out("plutil", "-convert", "binary1", "-o", "-", "-",
+            input: shadow_hash.to_plist,
+            live_stream: shadow_hash_binary)
+
+          # Apple seem to have killed their dsimport documentation about the
+          # dsimport record format. Perhaps that means our days of being able to
+          # use dsimport without an admin password or perhaps at all could be
+          # numbered. Here is the record format for posterity:
+          #
+          # End of record character
+          # Escape character
+          # Field separator
+          # Value separator
+          # Record type (Users, Groups, Computers, ComputerGroups, ComputerLists)
+          # Number of properties
+          # Property 1
+          # ...
+          # Property N
+          #
+          # The user password shadow data format breaks down as:
+          #
+          # 0x0A                                    End of record denoted by \n
+          # 0x5C                                    Escaping is denoted by \
+          # 0x3A                                    Fields are separated by :
+          # 0x2C                                    Values are seperated by ,
+          # dsRecTypeStandard:Users                 The record type we're configuring
+          # 2                                       How many properties we're going to set
+          # dsAttrTypeStandard:RecordName           Property 1: our users record name
+          # base64:dsAttrTypeNative:ShadowHashData  Property 2: our shadow hash data
+
+          import_file = ::File.join(Chef::Config["file_cache_path"], "#{new_resource.username}_password_dsimport")
+          ::File.open(import_file, "w+", 0600) do |f|
+            f.write <<~DSIMPORT
+              0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 2 dsAttrTypeStandard:RecordName base64:dsAttrTypeNative:ShadowHashData
+              #{new_resource.username}:#{::Base64.strict_encode64(shadow_hash_binary.string)}
+            DSIMPORT
+          end
+
+          run_dscl("delete", "/Users/#{new_resource.username}", "ShadowHashData")
+          run_dsimport(import_file, "/Local/Default", "M")
+          run_dscl("create", "/Users/#{new_resource.username}", "Password", "********")
+        ensure
+          ::File.delete(import_file) if defined?(import_file) && ::File.exist?(import_file)
+        end
+
+        def wait_for_user
+          timeout = Time.now + 5
+
+          loop do
+            begin
+              run_dscl("read", "/Users/#{new_resource.username}", "ShadowHashData")
+              break
+            rescue Chef::Exceptions::DsclCommandFailed => e
+              if Time.now < timeout
+                sleep 0.1
+              else
+                raise Chef::Exceptions::User, e.message
+              end
+            end
+          end
+        end
+
+        def run_dsimport(*args)
+          shell_out!("dsimport", args)
+        end
+
+        def run_sysadminctl(args)
+          # sysadminctl doesn't exit with a non-zero code when errors are encountered
+          # and ouputs everything to STDERR instead of STDOUT and STDERR. Therefore we'll
+          # return the STDERR and let the caller handle it.
+          shell_out!("sysadminctl", args).stderr
+        end
+
+        def run_dscl(*args)
+          result = shell_out("dscl", "-plist", ".", "-#{args[0]}", args[1..-1])
+          return "" if ( args.first =~ /^delete/ ) && ( result.exitstatus != 0 )
+          raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") unless result.exitstatus == 0
+          raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") if result.stdout =~ /No such key: /
+
+          result.stdout
+        end
+
+        def run_plutil(*args)
+          result = shell_out("plutil", "-#{args[0]}", args[1..-1])
+          raise(Chef::Exceptions::PlistUtilCommandFailed, "plutil error: #{result.inspect}") unless result.exitstatus == 0
+
+          result.stdout
+        end
+
+        class Plist
+          DSCL_PROPERTY_MAP = {
+              uid: "dsAttrTypeStandard:UniqueID",
+              guid: "dsAttrTypeStandard:GeneratedUID",
+              gid: "dsAttrTypeStandard:PrimaryGroupID",
+              home: "dsAttrTypeStandard:NFSHomeDirectory",
+              shell: "dsAttrTypeStandard:UserShell",
+              comment: "dsAttrTypeStandard:RealName",
+              password: "dsAttrTypeStandard:Password",
+              auth_authority: "dsAttrTypeStandard:AuthenticationAuthority",
+              shadow_hash: "dsAttrTypeNative:ShadowHashData",
+              group_members: "dsAttrTypeStandard:GroupMembers",
+          }.freeze
+
+          attr_accessor :plist_hash, :property_map
+
+          def initialize(plist_hash = {}, property_map = DSCL_PROPERTY_MAP)
+            @plist_hash = plist_hash
+            @property_map = property_map
+          end
+
+          def get(key)
+            return nil unless property_map.key?(key)
+
+            plist_hash[property_map[key]]
+          end
+          alias_method :[], :get
+
+          def set(key, value)
+            return nil unless property_map.key?(key)
+
+            plist_hash[property_map[key]] = [ value ]
+          end
+          alias_method :[]=, :set
+
+        end
+      end
+    end
+  end
+end
diff --git a/lib/chef/providers.rb b/lib/chef/providers.rb
index 85f2cddaf9..1e45ca13ed 100644
--- a/lib/chef/providers.rb
+++ b/lib/chef/providers.rb
@@ -107,6 +107,7 @@ require_relative "provider/service/aix"
 require_relative "provider/user/aix"
 require_relative "provider/user/dscl"
 require_relative "provider/user/linux"
+require_relative "provider/user/mac"
 require_relative "provider/user/pw"
 require_relative "provider/user/solaris"
 require_relative "provider/user/windows"
diff --git a/lib/chef/resource/user.rb b/lib/chef/resource/user.rb
index 19ae2d8dc8..6ade20082f 100644
--- a/lib/chef/resource/user.rb
+++ b/lib/chef/resource/user.rb
@@ -47,6 +47,7 @@ class Chef
 
       property :password, String,
         description: "The password shadow hash",
+        sensitive: true,
         desired_state: false
 
       property :non_unique, [ TrueClass, FalseClass ],
diff --git a/lib/chef/resource/user/dscl_user.rb b/lib/chef/resource/user/dscl_user.rb
index 54d78d20a0..a3f6661c22 100644
--- a/lib/chef/resource/user/dscl_user.rb
+++ b/lib/chef/resource/user/dscl_user.rb
@@ -24,7 +24,7 @@ class Chef
         resource_name :dscl_user
 
         provides :dscl_user
-        provides :user, os: "darwin"
+        provides :user, os: "darwin", platform_version: "<= 10.13"
 
         property :iterations, Integer,
           description: "macOS platform only. The number of iterations for a password with a SALTED-SHA512-PBKDF2 shadow hash.",
diff --git a/lib/chef/resource/user/mac_user.rb b/lib/chef/resource/user/mac_user.rb
new file mode 100644
index 0000000000..ab5cc12947
--- /dev/null
+++ b/lib/chef/resource/user/mac_user.rb
@@ -0,0 +1,119 @@
+#
+# Author:: Ryan Cragun (<ryan@chef.io>)
+# Copyright:: Copyright 2019, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../user"
+
+class Chef
+  class Resource
+    class User
+      # Provide a user resource that is compatible with default TCC restrictions
+      # that were introduced in macOS 10.14.
+      #
+      # Changes:
+      #
+      # * This resource and the corresponding provider have been modified to
+      #   work with default macOS TCC policies. Direct access to user binary
+      #   plists are no longer permitted by default, thus we've chosen to use
+      #   a combination of newer utilities for managing user lifecycles and older
+      #   utilities for managing passwords.
+      #
+      # * Due to tooling changes that were necessitated by the new policy
+      #   restrictions the mac_user resource is only suitable for use on macOS
+      #   >= 10.14. Support for older platforms has been removed.
+      #
+      # New Features:
+      #
+      # * Primary group management is now included.
+      #
+      # * 'admin' is now a boolean property that configures a user to an admin.
+      #
+      # * 'admin_username' and 'admin_password' are new properties that define the
+      #   admin user credentials required for toggling SecureToken for a user.
+      #
+      #   The value of 'admin_username' must correspond to a system user that
+      #   is part of the 'admin' with SecureToken enabled in order to toggle
+      #   SecureToken.
+      #
+      # * 'secure_token' is a boolean property that sets the desired state
+      #   for SecureToken. SecureToken token is required for FileVault full
+      #   disk encryption.
+      #
+      # * 'secure_token_password' is the plaintext password required to enable
+      #   or disable secure_token for a user. If no salt is specified we assume
+      #   the 'password' property corresponds to a plaintext password and will
+      #   attempt to use it in place of secure_token_password if it not set.
+      class MacUser < Chef::Resource::User
+        resource_name :mac_user
+
+        provides :mac_user
+        provides :user, os: "darwin", platform_version: ">= 10.14"
+
+        introduced "15.3"
+
+        property :iterations, Integer,
+          description: "The number of iterations for a password with a SALTED-SHA512-PBKDF2 shadow hash.",
+          default: 57803, desired_state: false
+
+        # Overload gid to set our default gid to 20, the macOS "staff" group.
+        # We also allow a string group name here which we'll attempt to resolve
+        # or create in the provider.
+        property :gid, [Integer, String], description: "The numeric group identifier.", default: 20, coerce: ->(gid) do
+          begin
+            Integer(gid) # Try and coerce a group id string into an integer
+          rescue
+            gid # assume we have a group name
+          end
+        end
+
+        # Overload the password so we can set a length requirements and update the
+        # description.
+        property :password, String, description: "The plain text user password", sensitive: true, coerce: ->(password) {
+          # It would be nice if this could be in callbacks but we need the context
+          # of the resource to get the salt property so we have to do it in coerce.
+          if salt && password !~ /^[[:xdigit:]]{256}$/
+            raise Chef::Exceptions::User, "Password must be a SALTED-SHA512-PBKDF2 shadow hash entropy when a shadow hash salt is given"
+          end
+
+          password
+        },
+        callbacks: {
+          "Password length must be >= 4" => ->(password) { password.size >= 4 },
+        }
+
+        # Overload home so we set our default.
+        property :home, String, description: "The user home directory", default: lazy { "/Users/#{name}" }
+
+        property :admin, [TrueClass, FalseClass], description: "Create the user as an admin", default: false
+
+        # TCC on macOS >= 10.14 requires admin credentials of an Admin user that
+        # has SecureToken enabled in order to toggle SecureToken.
+        property :admin_username, String, description: "Admin username for superuser actions"
+        property :admin_password, String, description: "Admin password for superuser actions", sensitive: true
+
+        property :secure_token, [TrueClass, FalseClass], description: "Enable SecureToken for the user", default: false
+        # In order to enable SecureToken for a user we require the plaintext password.
+        property :secure_token_password, String, description: "The plaintext password for enabling SecureToken", sensitive: true, default: lazy {
+          # In some cases the user can pass the plaintext value to "password" instead of
+          # SALTED-SHA512-PBKDF2 entropy. In those cases we'll default to the
+          # same value.
+          (salt.nil? && password) ? password : nil
+        }
+      end
+    end
+  end
+end
diff --git a/lib/chef/resources.rb b/lib/chef/resources.rb
index d76f1bbf06..235c1e41a1 100644
--- a/lib/chef/resources.rb
+++ b/lib/chef/resources.rb
@@ -116,6 +116,7 @@ require_relative "resource/user"
 require_relative "resource/user/aix_user"
 require_relative "resource/user/dscl_user"
 require_relative "resource/user/linux_user"
+require_relative "resource/user/mac_user"
 require_relative "resource/user/pw_user"
 require_relative "resource/user/solaris_user"
 require_relative "resource/user/windows_user"
diff --git a/spec/functional/resource/user/mac_user_spec.rb b/spec/functional/resource/user/mac_user_spec.rb
new file mode 100644
index 0000000000..d01b08616e
--- /dev/null
+++ b/spec/functional/resource/user/mac_user_spec.rb
@@ -0,0 +1,188 @@
+#
+# Copyright:: Copyright 2019, Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+require "chef/mixin/shell_out"
+
+metadata = {
+  macos_1014: true,
+  requires_root: true,
+}
+
+describe "Chef::Resource::User with Chef::Provider::User::MacUser provider", metadata do
+  include Chef::Mixin::ShellOut
+
+  def clean_user
+    shell_out!("/usr/bin/dscl . -delete '/Users/#{username}'")
+  rescue Mixlib::ShellOut::ShellCommandFailed
+      # Raised when the user is already cleaned
+  end
+
+  def user_should_exist
+    expect(shell_out("/usr/bin/dscl . -read /Users/#{username}").error?).to be(false)
+  end
+
+  def check_password(pass)
+    # In order to test the password we use dscl passwd command since
+    # that's the only command that gets the user password from CLI.
+    expect(shell_out("dscl . -passwd /Users/greatchef #{pass} new_password").exitstatus).to eq(0)
+    # Now reset the password back
+    expect(shell_out("dscl . -passwd /Users/greatchef new_password #{pass}").exitstatus).to eq(0)
+  end
+
+  let(:node) do
+    n = Chef::Node.new
+    n.consume_external_attrs(OHAI_SYSTEM.data.dup, {})
+    n
+  end
+
+  let(:events) do
+    Chef::EventDispatch::Dispatcher.new
+  end
+
+  let(:run_context) do
+    Chef::RunContext.new(node, {}, events)
+  end
+
+  let(:username) do
+    "greatchef"
+  end
+
+  let(:uid) { nil }
+  let(:gid) { 20 }
+  let(:home) { nil }
+  let(:manage_home) { false }
+  let(:password) { "XXXYYYZZZ" }
+  let(:comment) { "Great Chef" }
+  let(:shell) { "/bin/bash" }
+  let(:salt) { nil }
+  let(:iterations) { nil }
+
+  let(:user_resource) do
+    r = Chef::Resource::User::MacUser.new("TEST USER RESOURCE", run_context)
+    r.username(username)
+    r.uid(uid)
+    r.gid(gid)
+    r.home(home)
+    r.shell(shell)
+    r.comment(comment)
+    r.manage_home(manage_home)
+    r.password(password)
+    r.salt(salt)
+    r.iterations(iterations)
+    r
+  end
+
+  before do
+    clean_user
+  end
+
+  after(:each) do
+    clean_user
+  end
+
+  describe "action :create" do
+    it "should create the user" do
+      user_resource.run_action(:create)
+      user_should_exist
+      check_password(password)
+    end
+  end
+
+  describe "when user exists" do
+    before do
+      existing_resource = user_resource.dup
+      existing_resource.run_action(:create)
+      user_should_exist
+    end
+
+    describe "when password is updated" do
+      it "should update the password of the user" do
+        user_resource.password("mykitchen")
+        user_resource.run_action(:create)
+        check_password("mykitchen")
+      end
+    end
+  end
+
+  describe "when password is being set via shadow hash" do
+    let(:password) do
+      "c734b6e4787c3727bb35e29fdd92b97c\
+1de12df509577a045728255ec7c6c5f5\
+c18efa05ed02b682ffa7ebc05119900e\
+b1d4880833aa7a190afc13e2bf0936b8\
+20123e8c98f0f9bcac2a629d9163caac\
+9464a8c234f3919082400b4f939bb77b\
+c5adbbac718b7eb99463a7b679571e0f\
+1c9fef2ef08d0b9e9c2bcf644eed2ffc"
+    end
+
+    let(:iterations) { 25000 }
+    let(:salt) { "9e2e7d5ee473b496fd24cf0bbfcaedfcb291ee21740e570d1e917e874f8788ca" }
+
+    it "action :create should create the user" do
+      user_resource.run_action(:create)
+      user_should_exist
+      check_password("soawesome")
+    end
+
+    describe "when user exists" do
+      before do
+        existing_resource = user_resource.dup
+        existing_resource.run_action(:create)
+        user_should_exist
+      end
+
+      describe "when password is updated" do
+        it "should update the password of the user" do
+          user_resource.password("mykitchen")
+          user_resource.run_action(:create)
+          check_password("mykitchen")
+        end
+      end
+    end
+  end
+
+  describe "when a user is member of some groups" do
+    let(:groups) { %w{staff operator} }
+
+    before do
+      existing_resource = user_resource.dup
+      existing_resource.run_action(:create)
+
+      groups.each do |group|
+        shell_out!("/usr/bin/dscl . -append '/Groups/#{group}' GroupMembership #{username}")
+      end
+    end
+
+    after do
+      groups.each do |group|
+        # Do not raise an error when user is correctly removed
+        shell_out("/usr/bin/dscl . -delete '/Groups/#{group}' GroupMembership #{username}")
+      end
+    end
+
+    it ":remove action removes the user from the groups and deletes the user" do
+      user_resource.run_action(:remove)
+      groups.each do |group|
+        # Do not raise an error when group is empty
+        expect(shell_out("dscl . read /Groups/staff GroupMembership").stdout).not_to include(group)
+      end
+    end
+  end
+
+end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 5ab97a8320..e19a06f3d7 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -145,6 +145,7 @@ RSpec.configure do |config|
   config.filter_run_excluding not_supported_on_windows: true if windows?
   config.filter_run_excluding not_supported_on_macos: true if mac_osx?
   config.filter_run_excluding macos_only: true unless mac_osx?
+  config.filter_run_excluding macos_1014: true unless mac_osx_1014?
   config.filter_run_excluding not_supported_on_aix: true if aix?
   config.filter_run_excluding not_supported_on_solaris: true if solaris?
   config.filter_run_excluding not_supported_on_gce: true if gce?
diff --git a/spec/support/platform_helpers.rb b/spec/support/platform_helpers.rb
index 0b13169ac1..3ac657d84e 100644
--- a/spec/support/platform_helpers.rb
+++ b/spec/support/platform_helpers.rb
@@ -3,6 +3,7 @@ require "chef/mixin/shell_out"
 require "ohai/mixin/http_helper"
 require "ohai/mixin/gce_metadata"
 require "chef/mixin/powershell_out"
+require "chef/version_class"
 
 class ShellHelpers
   extend Chef::Mixin::ShellOut
@@ -110,6 +111,15 @@ def mac_osx_106?
   false
 end
 
+def mac_osx_1014?
+  if mac_osx?
+    ver = Chef::Version.new(ohai[:platform_version])
+    return ver.major == 10 && ver.minor == 14
+  end
+
+  false
+end
+
 def mac_osx?
   if File.exists? "/usr/bin/sw_vers"
     result = ShellHelpers.shell_out("/usr/bin/sw_vers")
diff --git a/spec/unit/provider/user/dscl_spec.rb b/spec/unit/provider/user/dscl_spec.rb
index b12ea78977..e20873dc92 100644
--- a/spec/unit/provider/user/dscl_spec.rb
+++ b/spec/unit/provider/user/dscl_spec.rb
@@ -35,6 +35,7 @@ describe Chef::Provider::User::Dscl do
   let(:node) do
     Chef::Node.new.tap do |node|
       node.automatic["os"] = "darwin"
+      node.automatic["platform_version"] = "10.13.0"
     end
   end
 
diff --git a/spec/unit/provider/user/mac_spec.rb b/spec/unit/provider/user/mac_spec.rb
new file mode 100644
index 0000000000..f7024f45c1
--- /dev/null
+++ b/spec/unit/provider/user/mac_spec.rb
@@ -0,0 +1,38 @@
+#
+# Author:: Ryan Cragun (<ryan@chef.io>)
+# Copyright:: Copyright (c) 2019 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Provider::User::MacUser do
+  before do
+    allow(ChefConfig).to receive(:windows?) { false }
+  end
+
+  let(:new_resource) { Chef::Resource::User::MacUser.new("jane") }
+
+  let(:provider) do
+    node = Chef::Node.new
+    events = Chef::EventDispatch::Dispatcher.new
+    run_context = Chef::RunContext.new(node, {}, events)
+    described_class.new(new_resource, run_context)
+  end
+
+  it "responds to load_current_resource" do
+    expect(provider).to respond_to(:load_current_resource)
+  end
+end