diff options
| -rw-r--r-- | lib/chef/provider/user/mac.rb | 64 |
1 files changed, 32 insertions, 32 deletions
diff --git a/lib/chef/provider/user/mac.rb b/lib/chef/provider/user/mac.rb index 864a93a256..94b0ce0b21 100644 --- a/lib/chef/provider/user/mac.rb +++ b/lib/chef/provider/user/mac.rb @@ -143,29 +143,27 @@ class Chef # def create_user - uid = prop_is_set?(:uid) ? new_resource.uid : get_free_uid - # 'sysadminctl' cannot create user with specified UID - # on Mac where Chef does not have full disk access - # But 'dscl' can - run_dscl('create', "/Users/#{new_resource.username}", - 'UniqueID', uid) - if prop_is_set?(:comment) - run_dscl('create', "/Users/#{new_resource.username}", - 'RealName', new_resource.comment) - else - # 'comment' field is optional for mac_user - # but 'load_current_resource' above needs it - # otherwise it will fail - run_dscl('create', "/Users/#{new_resource.username}", - 'RealName', new_resource.username) + cmd = [-"-addUser", new_resource.username] + cmd += ["-fullName", new_resource.comment] if prop_is_set?(:comment) + cmd += ["-UID", prop_is_set?(:uid) ? new_resource.uid : get_free_uid] + cmd += ["-shell", new_resource.shell] + cmd += ["-home", new_resource.home] + cmd += ["-admin"] if new_resource.admin + + # We can technically create a new user without the admin credentials + # but without them the user cannot enable SecureToken, thus they cannot + # create other secure users or enable FileVault full disk encryption. + if prop_is_set?(:admin_username) && prop_is_set?(:admin_password) + cmd += ["-adminUser", new_resource.admin_username] + cmd += ["-adminPassword", new_resource.admin_password] end - run_dscl('create', "/Users/#{new_resource.username}", - 'UserShell', new_resource.shell) - run_dscl('create', "/Users/#{new_resource.username}", - 'NFSHomeDirectory', new_resource.home) - if new_resource.admin - run_dscl('append', '/Groups/admin', 'GroupMembership', - new_resource.username) + + # sysadminctl doesn't exit with a non-zero exit code if it encounters + # a problem. We'll check stderr and make sure we see that it finished + # correctly. + res = run_sysadminctl(cmd) + unless /creating user/.match?(res.downcase) + raise Chef::Exceptions::User, "error when creating user: #{res}" end # Wait for the user to show up in the ds cache @@ -183,6 +181,18 @@ class Chef converge_by("set password") { set_password } end + if new_resource.manage_home + # "sysadminctl -addUser" will create the home directory if it's + # the default /Users/<username>, otherwise it sets it in plist + # but does not create it. Here we'll ensure that it gets created + # if we've been given a directory that is not the default. + unless ::File.directory?(new_resource.home) && ::File.exist?(new_resource.home) + converge_by("create home directory") do + shell_out!("createhomedir -c -u #{new_resource.username}") + end + end + end + if prop_is_set?(:gid) # NOTE: Here we're managing the primary group of the user which is # a departure from previous behavior. We could just set the @@ -202,16 +212,6 @@ class Chef end end - # createhomedir needs user GID set first - # otherwise createhomedir will do nothing - # Always create homedir for all users - # because 'sysadminctl' does but 'dscl' does not - unless ::File.directory?(new_resource.home) && ::File.exist?(new_resource.home) - converge_by('create home directory') do - shell_out!("createhomedir -c -u #{new_resource.username}") - end - end - if diverged?(:secure_token) converge_by("alter SecureToken") { toggle_secure_token } end |