1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
|
#
# Author:: Dreamcat4 (<dreamcat4@gmail.com>)
# Copyright:: Copyright (c) 2009 OpsCode, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require 'chef/mixin/shell_out'
require 'chef/provider/user'
require 'openssl'
class Chef
class Provider
class User
class Dscl < Chef::Provider::User
include Chef::Mixin::ShellOut
NFS_HOME_DIRECTORY = %r{^NFSHomeDirectory: (.*)$}
AUTHENTICATION_AUTHORITY = %r{^AuthenticationAuthority: (.*)$}
def dscl(*args)
shell_out("dscl . -#{args.join(' ')}")
end
def safe_dscl(*args)
result = dscl(*args)
return "" if ( args.first =~ /^delete/ ) && ( result.exitstatus != 0 )
raise(Chef::Exceptions::DsclCommandFailed,"dscl error: #{result.inspect}") unless result.exitstatus == 0
raise(Chef::Exceptions::DsclCommandFailed,"dscl error: #{result.inspect}") if result.stdout =~ /No such key: /
return result.stdout
end
# This is handled in providers/group.rb by Etc.getgrnam()
# def user_exists?(user)
# users = safe_dscl("list /Users")
# !! ( users =~ Regexp.new("\n#{user}\n") )
# end
# get a free UID greater than 200
def get_free_uid(search_limit=1000)
uid = nil; next_uid_guess = 200
users_uids = safe_dscl("list /Users uid")
while(next_uid_guess < search_limit + 200)
if users_uids =~ Regexp.new("#{Regexp.escape(next_uid_guess.to_s)}\n")
next_uid_guess += 1
else
uid = next_uid_guess
break
end
end
return uid || raise("uid not found. Exhausted. Searched #{search_limit} times")
end
def uid_used?(uid)
return false unless uid
users_uids = safe_dscl("list /Users uid")
!! ( users_uids =~ Regexp.new("#{Regexp.escape(uid.to_s)}\n") )
end
def set_uid
@new_resource.uid(get_free_uid) if (@new_resource.uid.nil? || @new_resource.uid == '')
if uid_used?(@new_resource.uid)
raise(Chef::Exceptions::RequestedUIDUnavailable, "uid #{@new_resource.uid} is already in use")
end
safe_dscl("create /Users/#{@new_resource.username} UniqueID #{@new_resource.uid}")
end
def modify_home
return safe_dscl("delete /Users/#{@new_resource.username} NFSHomeDirectory") if (@new_resource.home.nil? || @new_resource.home.empty?)
if @new_resource.supports[:manage_home]
validate_home_dir_specification!
if (@current_resource.home == @new_resource.home) && !new_home_exists?
ditto_home
elsif !current_home_exists? && !new_home_exists?
ditto_home
elsif current_home_exists?
move_home
end
end
safe_dscl("create /Users/#{@new_resource.username} NFSHomeDirectory '#{@new_resource.home}'")
end
def osx_shadow_hash?(string)
return !! ( string =~ /^[[:xdigit:]]{1240}$/ )
end
def osx_salted_sha1?(string)
return !! ( string =~ /^[[:xdigit:]]{48}$/ )
end
def guid
safe_dscl("read /Users/#{@new_resource.username} GeneratedUID").gsub(/GeneratedUID: /,"").strip
end
def shadow_hash_set?
user_data = safe_dscl("read /Users/#{@new_resource.username}")
if user_data =~ /AuthenticationAuthority: / && user_data =~ /ShadowHash/
true
else
false
end
end
def modify_password
if @new_resource.password
shadow_hash = nil
Chef::Log.debug("#{new_resource} updating password")
if osx_shadow_hash?(@new_resource.password)
shadow_hash = @new_resource.password.upcase
else
if osx_salted_sha1?(@new_resource.password)
salted_sha1 = @new_resource.password.upcase
else
hex_salt = ""
OpenSSL::Random.random_bytes(10).each_byte { |b| hex_salt << b.to_i.to_s(16) }
hex_salt = hex_salt.slice(0...8)
salt = [hex_salt].pack("H*")
sha1 = ::OpenSSL::Digest::SHA1.hexdigest(salt+@new_resource.password)
salted_sha1 = (hex_salt+sha1).upcase
end
shadow_hash = String.new("00000000"*155)
shadow_hash[168] = salted_sha1
end
::File.open("/var/db/shadow/hash/#{guid}",'w',0600) do |output|
output.puts shadow_hash
end
unless shadow_hash_set?
safe_dscl("append /Users/#{@new_resource.username} AuthenticationAuthority ';ShadowHash;'")
end
end
end
def load_current_resource
super
raise Chef::Exceptions::User, "Could not find binary /usr/bin/dscl for #{@new_resource}" unless ::File.exists?("/usr/bin/dscl")
end
def create_user
dscl_create_user
dscl_create_comment
set_uid
dscl_set_gid
modify_home
dscl_set_shell
modify_password
end
def manage_user
dscl_create_user if diverged?(:username)
dscl_create_comment if diverged?(:comment)
set_uid if diverged?(:uid)
dscl_set_gid if diverged?(:gid)
modify_home if diverged?(:home)
dscl_set_shell if diverged?(:shell)
modify_password if diverged?(:password)
end
def dscl_create_user
safe_dscl("create /Users/#{@new_resource.username}")
end
def dscl_create_comment
safe_dscl("create /Users/#{@new_resource.username} RealName '#{@new_resource.comment}'")
end
def dscl_set_gid
unless @new_resource.gid && @new_resource.gid.to_s.match(/^\d+$/)
begin
possible_gid = safe_dscl("read /Groups/#{@new_resource.gid} PrimaryGroupID").split(" ").last
rescue Chef::Exceptions::DsclCommandFailed => e
raise Chef::Exceptions::GroupIDNotFound.new("Group not found for #{@new_resource.gid} when creating user #{@new_resource.username}")
end
@new_resource.gid(possible_gid) if possible_gid && possible_gid.match(/^\d+$/)
end
safe_dscl("create /Users/#{@new_resource.username} PrimaryGroupID '#{@new_resource.gid}'")
end
def dscl_set_shell
if @new_resource.password || ::File.exists?("#{@new_resource.shell}")
safe_dscl("create /Users/#{@new_resource.username} UserShell '#{@new_resource.shell}'")
else
safe_dscl("create /Users/#{@new_resource.username} UserShell '/usr/bin/false'")
end
end
def remove_user
if @new_resource.supports[:manage_home]
user_info = safe_dscl("read /Users/#{@new_resource.username}")
if nfs_home_match = user_info.match(NFS_HOME_DIRECTORY)
#nfs_home = safe_dscl("read /Users/#{@new_resource.username} NFSHomeDirectory")
#nfs_home.gsub!(/NFSHomeDirectory: /,"").gsub!(/\n$/,"")
nfs_home = nfs_home_match[1]
FileUtils.rm_rf(nfs_home)
end
end
# remove the user from its groups
groups = []
Etc.group do |group|
groups << group.name if group.mem.include?(@new_resource.username)
end
groups.each do |group_name|
safe_dscl("delete /Groups/#{group_name} GroupMembership '#{@new_resource.username}'")
end
# remove user account
safe_dscl("delete /Users/#{@new_resource.username}")
end
def locked?
user_info = safe_dscl("read /Users/#{@new_resource.username}")
if auth_authority_md = AUTHENTICATION_AUTHORITY.match(user_info)
!!(auth_authority_md[1] =~ /DisabledUser/ )
else
false
end
end
def check_lock
return @locked = locked?
end
def lock_user
safe_dscl("append /Users/#{@new_resource.username} AuthenticationAuthority ';DisabledUser;'")
end
def unlock_user
auth_info = safe_dscl("read /Users/#{@new_resource.username} AuthenticationAuthority")
auth_string = auth_info.gsub(/AuthenticationAuthority: /,"").gsub(/;DisabledUser;/,"").strip#.gsub!(/[; ]*$/,"")
safe_dscl("create /Users/#{@new_resource.username} AuthenticationAuthority '#{auth_string}'")
end
def validate_home_dir_specification!
unless @new_resource.home =~ /^\//
raise(Chef::Exceptions::InvalidHomeDirectory,"invalid path spec for User: '#{@new_resource.username}', home directory: '#{@new_resource.home}'")
end
end
def current_home_exists?
::File.exist?("#{@current_resource.home}")
end
def new_home_exists?
::File.exist?("#{@new_resource.home}")
end
def ditto_home
skel = "/System/Library/User Template/English.lproj"
raise(Chef::Exceptions::User,"can't find skel at: #{skel}") unless ::File.exists?(skel)
shell_out! "ditto '#{skel}' '#{@new_resource.home}'"
::FileUtils.chown_R(@new_resource.username,@new_resource.gid.to_s,@new_resource.home)
end
def move_home
Chef::Log.debug("#{@new_resource} moving #{self} home from #{@current_resource.home} to #{@new_resource.home}")
src = @current_resource.home
FileUtils.mkdir_p(@new_resource.home)
files = ::Dir.glob("#{src}/*", ::File::FNM_DOTMATCH) - ["#{src}/.","#{src}/.."]
::FileUtils.mv(files,@new_resource.home, :force => true)
::FileUtils.rmdir(src)
::FileUtils.chown_R(@new_resource.username,@new_resource.gid.to_s,@new_resource.home)
end
def diverged?(parameter)
parameter_updated?(parameter) && (not @new_resource.send(parameter).nil?)
end
def parameter_updated?(parameter)
not (@new_resource.send(parameter) == @current_resource.send(parameter))
end
end
end
end
end
|
