authorRyan Cragun <ryan@chef.io>2019-07-24 17:12:57 -0600
committerRyan Cragun <ryan@chef.io>2019-07-24 17:18:53 -0600
commitfae44333ff79f116c266507cd2377c211c4d1f8e (patch)
tree1b0f20addb8cf24dc3b60ed223135b6ccc8e5933 /lib/chef/resource/user/mac_user.rb
parent6bbf42b0ff11eabdb72067e78e4101ad93820b71 (diff)
Add mac_user resource that is compatible with macOS >= 10.14
Provide a user resource that is compatible with default TCC restrictions that were introduced in macOS 10.14. Changes: * This resource and the corresponding provider have been modified to work with default macOS TCC policies. Direct access to user binary plists is no longer permitted by default, thus we've chosen to use newer methods of creating, modifying and removing users. * Due to the tooling required by the provider, this provider is only suitable for use on macOS >= 10.14. Support for older platforms has been removed. New Features: * Primary group management is now included. * 'admin' is now a boolean property that configures a user as an admin. * 'admin_username' and 'admin_password' are new properties that define the admin user credentials required for toggling SecureToken for an existing user. The 'admin_username' must correspond to a system admin with SecureToken enabled in order to toggle SecureToken. * 'secure_token' is a boolean property that sets the desired state for SecureToken. SecureToken is required for FileVault full disk encryption. Signed-off-by: Ryan Cragun <ryan@chef.io>
Diffstat (limited to 'lib/chef/resource/user/mac_user.rb')
-rw-r--r--lib/chef/resource/user/mac_user.rb105
1 files changed, 105 insertions, 0 deletions
diff --git a/lib/chef/resource/user/mac_user.rb b/lib/chef/resource/user/mac_user.rb
new file mode 100644
index 0000000000..29f52b9ed2
--- /dev/null
+++ b/lib/chef/resource/user/mac_user.rb
@@ -0,0 +1,105 @@
+#
+# Author:: Ryan Cragun (<ryan@chef.io>)
+# Copyright:: Copyright 2019, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../user"
+
+class Chef
+ class Resource
+ class User
+ # Provide a user resource that is compatible with default TCC restrictions
+ # that were introduced in macOS 10.14.
+ #
+ # Changes:
+ #
+ # * This resource and the corresponding provider have been modified to
+ # work with default macOS TCC policies. Direct access to user binary
+ # plists are no longer permitted by default, thus we've chosen to use
+ # use newer methods of creating, modifying and removing users.
+ #
+ # * Due to the tooling required by the provider this provider is only
+ # suitable for use on macOS >= 10.14. Support for older platforms has
+ # been removed.
+ #
+ # New Features:
+ #
+ # * Primary group management is now included.
+ #
+ # * 'admin' is now a boolean property that configures a user to an admin.
+ #
+ # * 'admin_username' and 'admin_password' are new properties that define the
+ # admin user credentials required for toggling SecureToken for an
+ # exiting user.
+ #
+ # The 'admin_username' must correspond to a system admin with SecureToken
+ # enabled in order to toggle SecureToken.
+ #
+ # * 'secure_token' is a boolean property that sets the desired state
+ # for SecureToken. SecureToken token is required for FileVault full
+ # disk encryption.
+ class MacUser < Chef::Resource::User
+ resource_name :mac_user
+
+ provides :mac_user
+ provides :user, os: "darwin", platform_version: ">= 10.14"
+
+ property :iterations, Integer,
+ description: "macOS platform only. The number of iterations for a password with a SALTED-SHA512-PBKDF2 shadow hash.",
+ default: 57803, desired_state: false
+
+ # Overload gid so we can set our default. NilClass is for backwards compat
+ # and 20 is the macOS "staff" group.
+ property :gid, [String, Integer, NilClass], description: "The numeric group identifier.", default: 20, coerce: ->(gid) do
+ begin
+ return 20 if gid.nil?
+
+ return Etc.getgrnam(gid).gid if gid.is_a?(String)
+
+ Integer(gid)
+ rescue
+ gid
+ end
+ end
+
+ # Overload the password so we can set a length requirements and update the
+ # description.
+ property :password, String, description: "The plain text user password", sensitive: true, callbacks: {
+ "Password length must be >= 4" => ->(password) { password.size >= 4 },
+ }
+
+ # Overload home so we set our default.
+ property :home, String, description: "The user home directory", default: lazy { "/Users/#{name}" }
+
+ property :admin, [TrueClass, FalseClass], description: "Create the user as an admin", default: false
+
+ # TCC on macOS >= 10.14 requires admin credentials of an Admin user that
+ # has SecureToken enabled in order to toggle SecureToken.
+ property :admin_username, String, description: "Admin username for superuser actions"
+ property :admin_password, String, description: "Admin password for superuser actions", sensitive: true
+
+ property :secure_token, [TrueClass, FalseClass], description: "Enable SecureToken for the user", default: false
+ # In order to enable SecureToken for a user we require the plaintext password.
+ property :secure_token_password, String, description: "The plaintext password for enabling SecureToken", sensitive: true, default: lazy {
+ # In some cases the user can pass the plaintext value to "password" instead of
+ # SALTED-SHA512-PBKDF2 entropy. In those cases we'll default to the
+ # same value.
+ (salt.nil? && password) ? password : nil
+ }
+ end
+ end
+ end
+end
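Review bot: The bare `rescue` in the `gid` coerce lambda (the `rescue` / `gid` lines under `property :gid`) swallows every StandardError rather than only the `ArgumentError` that `Etc.getgrnam` raises for an unknown group, so a mistyped group name passes property validation as a plain String and is caught, if at all, only by the provider at converge time. A numeric String such as `"20"` is likewise sent to `Etc.getgrnam` and handed back unchanged on failure, so it never reaches `Integer(gid)` even though the property's description promises a numeric identifier. If the String passthrough is intentional so the provider can resolve or create the group later, narrowing the clause to `rescue ArgumentError` keeps that behavior while letting unexpected errors surface, and `return Integer(gid) if gid.to_s.match?(/\A\d+\z/)` placed ahead of the `getgrnam` call would coerce numeric strings. `Etc` is referenced without an explicit `require "etc"` in this file; presumably the parent `../user` loads it, but that is worth confirming.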