1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
|
#
# Author:: Ryan Cragun (<ryan@chef.io>)
# Copyright:: Copyright (c) Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require_relative "../../resource"
require_relative "../../dsl/declare_resource"
require_relative "../../mixin/shell_out"
require_relative "../../mixin/which"
require_relative "../user"
require_relative "../../resource/user/mac_user"
autoload :Plist, "plist"
class Chef
class Provider
class User
# A macOS user provider that is compatible with default TCC restrictions
# in macOS 10.14. See resource/user/mac_user.rb for complete description
# of the mac_user resource
class MacUser < Chef::Provider::User
include Chef::Mixin::Which
provides :mac_user
provides :user, os: "darwin"
attr_reader :user_plist, :admin_group_plist
def load_current_resource
@current_resource = Chef::Resource::User::MacUser.new(new_resource.username)
current_resource.username(new_resource.username)
reload_admin_group_plist
reload_user_plist
if user_plist
current_resource.uid(user_plist[:uid][0])
current_resource.gid(user_plist[:gid][0])
current_resource.home(user_plist[:home][0])
current_resource.shell(user_plist[:shell][0])
current_resource.comment(user_plist[:comment][0])
if user_plist[:is_hidden]
current_resource.hidden(user_plist[:is_hidden][0] == "1" ? true : false)
end
shadow_hash = user_plist[:shadow_hash]
if shadow_hash
current_resource.password(shadow_hash[0]["SALTED-SHA512-PBKDF2"]["entropy"].string.unpack("H*")[0])
current_resource.salt(shadow_hash[0]["SALTED-SHA512-PBKDF2"]["salt"].string.unpack("H*")[0])
current_resource.iterations(shadow_hash[0]["SALTED-SHA512-PBKDF2"]["iterations"].to_i)
end
current_resource.secure_token(secure_token_enabled?)
current_resource.admin(admin_user?)
else
@user_exists = false
logger.trace("#{new_resource} user does not exist")
end
current_resource
end
def reload_admin_group_plist
@admin_group_plist = nil
admin_group_xml = run_dscl("read", "/Groups/admin")
return nil unless admin_group_xml && admin_group_xml != ""
@admin_group_plist = Plist.new(::Plist.parse_xml(admin_group_xml))
end
def reload_user_plist
@user_plist = nil
# Load the user information.
begin
user_xml = run_dscl("read", "/Users/#{new_resource.username}")
rescue Chef::Exceptions::DsclCommandFailed
return nil
end
return nil if user_xml.nil? || user_xml == ""
@user_plist = Plist.new(::Plist.parse_xml(user_xml))
return unless user_plist[:shadow_hash]
shadow_hash_hex = user_plist[:shadow_hash][0]
return unless shadow_hash_hex && shadow_hash_hex != ""
# The password information is stored in the ShadowHashData key in the
# plist. However, parsing it is a bit tricky as the value is itself
# another encoded binary plist. We have to extract the encoded plist,
# decode it from hex to a binary plist and then convert the binary
# into XML plist. From there we can extract the hash data.
#
# NOTE: `dscl -read` and `plutil -convert` return different values for
# ShadowHashData.
#
# `dscl` returns the value encoded as a hex string and stored as a <string>
# `plutil` returns the value encoded as a base64 string stored as <data>
#
# eg:
#
# spellchecker: disable
#
# <array>
# <string>77687920 63616e27 74206170 706c6520 6275696c 6420636f 6e736973 74656e74 20746f6f 6c696e67</string>
# </array>
#
# vs
#
# <array>
# <data>AADKAAAKAA4LAA0MAAAAAAAAAAA=</data>
# </array>
#
# spellchecker: disable
#
begin
shadow_binary_plist = [shadow_hash_hex.delete(" ")].pack("H*")
shadow_xml_plist = shell_out("plutil", "-convert", "xml1", "-o", "-", "-", input: shadow_binary_plist).stdout
user_plist[:shadow_hash] = ::Plist.parse_xml(shadow_xml_plist)
rescue Chef::Exceptions::PlistUtilCommandFailed, Chef::Exceptions::DsclCommandFailed
nil
end
end
#
# User Provider Callbacks
#
def create_user
cmd = [-"-addUser", new_resource.username]
cmd += ["-fullName", new_resource.comment] if prop_is_set?(:comment)
cmd += ["-UID", prop_is_set?(:uid) ? new_resource.uid : get_free_uid]
cmd += ["-shell", new_resource.shell]
cmd += ["-home", new_resource.home]
cmd += ["-admin"] if new_resource.admin
# We can technically create a new user without the admin credentials
# but without them the user cannot enable SecureToken, thus they cannot
# create other secure users or enable FileVault full disk encryption.
if prop_is_set?(:admin_username) && prop_is_set?(:admin_password)
cmd += ["-adminUser", new_resource.admin_username]
cmd += ["-adminPassword", new_resource.admin_password]
end
# sysadminctl doesn't exit with a non-zero exit code if it encounters
# a problem. We'll check stderr and make sure we see that it finished
# correctly.
res = run_sysadminctl(cmd)
unless /creating user/.match?(res.downcase)
raise Chef::Exceptions::User, "error when creating user: #{res}"
end
# Wait for the user to show up in the ds cache
wait_for_user
# Reload with up-to-date user information
reload_user_plist
reload_admin_group_plist
if prop_is_set?(:hidden)
set_hidden
end
if prop_is_set?(:password)
converge_by("set password") { set_password }
end
if new_resource.manage_home
# "sysadminctl -addUser" will create the home directory if it's
# the default /Users/<username>, otherwise it sets it in plist
# but does not create it. Here we'll ensure that it gets created
# if we've been given a directory that is not the default.
unless ::File.directory?(new_resource.home) && ::File.exist?(new_resource.home)
converge_by("create home directory") do
shell_out!("createhomedir -c -u #{new_resource.username}")
end
end
end
if prop_is_set?(:gid)
# NOTE: Here we're managing the primary group of the user which is
# a departure from previous behavior. We could just set the
# PrimaryGroupID for the user and move on if we decide that actual
# group management should be done outside of the core resource.
group_name, group_id, group_action = user_group_info
group group_name do
members new_resource.username
gid group_id if group_id
action group_action
append true
end
converge_by("create primary group ID") do
run_dscl("create", "/Users/#{new_resource.username}", "PrimaryGroupID", group_id)
end
end
if diverged?(:secure_token)
converge_by("alter SecureToken") { toggle_secure_token }
end
reload_user_plist
end
def compare_user
@change_desc = []
%i{comment shell uid gid salt password admin secure_token hidden}.each do |attr|
if diverged?(attr)
desc = "Update #{attr}"
unless %i{password gid secure_token hidden}.include?(attr)
desc << " from #{current_resource.send(attr)} to #{new_resource.send(attr)}"
end
@change_desc << desc
end
end
!@change_desc.empty?
end
def manage_user
%i{uid home}.each do |prop|
raise Chef::Exceptions::User, "cannot modify #{prop} on macOS >= 10.14" if diverged?(prop)
end
if diverged?(:password)
converge_by("alter password") { set_password }
end
if diverged?(:comment)
converge_by("alter comment") do
run_dscl("create", "/Users/#{new_resource.username}", "RealName", new_resource.comment)
end
end
if diverged?(:shell)
converge_by("alter shell") do
run_dscl("create", "/Users/#{new_resource.username}", "UserShell", new_resource.shell)
end
end
if diverged?(:secure_token)
converge_by("alter SecureToken") { toggle_secure_token }
end
if diverged?(:admin)
converge_by("alter admin group membership") do
group "admin" do
if new_resource.admin
members new_resource.username
else
excluded_members new_resource.username
end
action :create
append true
end
admins = admin_group_plist[:group_members]
if new_resource.admin
admins << user_plist[:guid][0]
else
admins.reject! { |m| m == user_plist[:guid][0] }
end
run_dscl("create", "/Groups/admin", "GroupMembers", admins)
end
reload_admin_group_plist
end
group_name, group_id, group_action = user_group_info
group group_name do
gid group_id if group_id
members new_resource.username
action group_action
append true
end
if diverged?(:gid)
converge_by("alter group membership") do
run_dscl("create", "/Users/#{new_resource.username}", "PrimaryGroupID", group_id)
end
end
if diverged?(:hidden)
converge_by("alter hidden") { set_hidden }
end
reload_user_plist
end
def remove_user
cmd = ["-deleteUser", new_resource.username]
cmd << new_resource.manage_home ? "-secure" : "-keepHome"
if %i{admin_username admin_password}.all? { |p| prop_is_set?(p) }
cmd += ["-adminUser", new_resource.admin_username]
cmd += ["-adminPassword", new_resource.admin_password]
end
# sysadminctl doesn't exit with a non-zero exit code if it encounters
# a problem. We'll check stderr and make sure we see that it finished
res = run_sysadminctl(cmd)
unless /deleting record|not found/.match?(res.downcase)
raise Chef::Exceptions::User, "error deleting user: #{res}"
end
reload_user_plist
@user_exists = false
end
def lock_user
run_dscl("append", "/Users/#{new_resource.username}", "AuthenticationAuthority", ";DisabledUser;")
reload_user_plist
end
def unlock_user
auth_string = user_plist[:auth_authority].reject! { |tag| tag == ";DisabledUser;" }.join.strip
run_dscl("create", "/Users/#{new_resource.username}", "AuthenticationAuthority", auth_string)
reload_user_plist
end
def locked?
user_plist[:auth_authority].any? { |tag| tag == ";DisabledUser;" }
rescue
false
end
def check_lock
@locked = locked?
end
#
# Methods
#
def diverged?(prop)
prop = prop.to_sym
case prop
when :password
password_diverged?
when :gid
user_group_diverged?
when :secure_token
secure_token_diverged?
when :hidden
hidden_diverged?
else
# Other fields are have been set on current resource so just compare
# them.
!new_resource.send(prop).nil? && (new_resource.send(prop) != current_resource.send(prop))
end
end
# Find the next available uid on the system.
# Starting with 200 if `system` is set, 501 otherwise.
def get_free_uid(search_limit = 1000)
uid = nil
base_uid = new_resource.system ? 200 : 501
next_uid_guess = base_uid
users_uids = run_dscl("list", "/Users", "uid")
while next_uid_guess < search_limit + base_uid
if users_uids&.match?(Regexp.new("#{Regexp.escape(next_uid_guess.to_s)}\n"))
next_uid_guess += 1
else
uid = next_uid_guess
break
end
end
uid || raise("uid not found. Exhausted. Searched #{search_limit} times")
end
# Attempt to resolve the group name, gid, and the action required for
# associated group resource. If a group exists we'll modify it, otherwise
# create it.
def user_group_info
@user_group_info ||= if new_resource.gid.is_a?(String)
begin
g = Etc.getgrnam(new_resource.gid)
[g.name, g.gid.to_s, :modify]
rescue
[new_resource.gid, nil, :create]
end
else
begin
g = Etc.getgrgid(new_resource.gid)
[g.name, g.gid.to_s, :modify]
rescue
[g.username, nil, :create]
end
end
end
def secure_token_enabled?
user_plist[:auth_authority].any? { |tag| tag == ";SecureToken;" }
rescue
false
end
def secure_token_diverged?
new_resource.secure_token ? !secure_token_enabled? : secure_token_enabled?
end
def toggle_secure_token
# Check for this lazily as we only need to validate for these credentials
# if we're toggling secure token.
unless %i{admin_username admin_password secure_token_password}.all? { |p| prop_is_set?(p) }
raise Chef::Exceptions::User, "secure_token_password, admin_username and admin_password properties are required to modify SecureToken"
end
cmd = (new_resource.secure_token ? %w{-secureTokenOn} : %w{-secureTokenOff})
cmd += [new_resource.username, "-password", new_resource.secure_token_password]
cmd += ["-adminUser", new_resource.admin_username]
cmd += ["-adminPassword", new_resource.admin_password]
# sysadminctl doesn't exit with a non-zero exit code if it encounters
# a problem. We'll check stderr and make sure we see that it finished
res = run_sysadminctl(cmd)
unless /done/.match?(res.downcase)
raise Chef::Exceptions::User, "error when modifying SecureToken: #{res}"
end
# HACK: When SecureToken is enabled or disabled it requires the user
# password in plaintext, which it verifies and uses as a key. It also
# takes the liberty of _rehashing_ the password with a random salt and
# iterations count and saves it back into the user ShadowHashData.
#
# Therefore, if we're configuring a user based upon existing shadow
# hash data we'll have to set the password again so that future runs
# of the client don't show password drift.
set_password if prop_is_set?(:salt)
end
def user_group_diverged?
return false unless prop_is_set?(:gid)
group_name, group_id = user_group_info
current_resource.gid != group_id.to_i
end
def hidden_diverged?
return false unless prop_is_set?(:hidden)
(current_resource.hidden ? 1 : 0) != hidden_value.to_i
end
def set_hidden
run_dscl("create", "/Users/#{new_resource.username}", "IsHidden", hidden_value.to_i)
end
def hidden_value
new_resource.hidden ? 1 : 0
end
def password_diverged?
# There are three options for configuring the password:
# * ShadowHashData which includes the hash data as:
# * hashed entropy as the "password"
# * salt
# * iterations
# * Plaintext password
# * Not configuring it
# Check for no desired password configuration
return false unless prop_is_set?(:password)
# Check for ShadowHashData divergence by comparing the entropy,
# salt, and iterations.
if prop_is_set?(:salt)
return true if %i{salt iterations}.any? { |prop| diverged?(prop) }
return new_resource.password != current_resource.password
end
# Check for plaintext password divergence. We don't actually know
# what the stored password is but we can hash the given password with
# stored salt and iterations, and compare the resulting entropy with
# the saved entropy.
OpenSSL::PKCS5.pbkdf2_hmac(
new_resource.password,
convert_to_binary(current_resource.salt),
current_resource.iterations.to_i,
128,
OpenSSL::Digest.new("SHA512")
).unpack("H*")[0] != current_resource.password
end
def admin_user?
admin_group_plist[:group_members].any? { |mem| mem == user_plist[:guid][0] }
rescue
false
end
def convert_to_binary(string)
string.unpack("a2" * (string.size / 2)).collect { |i| i.hex.chr }.join
end
def set_password
if prop_is_set?(:salt)
entropy = StringIO.new(convert_to_binary(new_resource.password))
salt = StringIO.new(convert_to_binary(new_resource.salt))
else
salt = StringIO.new(OpenSSL::Random.random_bytes(32))
entropy = StringIO.new(
OpenSSL::PKCS5.pbkdf2_hmac(
new_resource.password,
salt.string,
new_resource.iterations,
128,
OpenSSL::Digest.new("SHA512")
)
)
end
shadow_hash = user_plist[:shadow_hash] ? user_plist[:shadow_hash][0] : {}
shadow_hash["SALTED-SHA512-PBKDF2"] = {
"entropy" => entropy,
"salt" => salt,
"iterations" => new_resource.iterations,
}
shadow_hash_binary = StringIO.new
shell_out("plutil", "-convert", "binary1", "-o", "-", "-",
input: shadow_hash.to_plist,
live_stream: shadow_hash_binary)
# Apple seem to have killed their dsimport documentation about the
# dsimport record format. Perhaps that means our days of being able to
# use dsimport without an admin password or perhaps at all could be
# numbered. Here is the record format for posterity:
#
# End of record character
# Escape character
# Field separator
# Value separator
# Record type (Users, Groups, Computers, ComputerGroups, ComputerLists)
# Number of properties
# Property 1
# ...
# Property N
#
# The user password shadow data format breaks down as:
#
# 0x0A End of record denoted by \n
# 0x5C Escaping is denoted by \
# 0x3A Fields are separated by :
# 0x2C Values are separated by ,
# dsRecTypeStandard:Users The record type we're configuring
# 2 How many properties we're going to set
# dsAttrTypeStandard:RecordName Property 1: our users record name
# base64:dsAttrTypeNative:ShadowHashData Property 2: our shadow hash data
import_file = ::File.join(Chef::Config["file_cache_path"], "#{new_resource.username}_password_dsimport")
::File.open(import_file, "w+", 0600) do |f|
f.write <<~DSIMPORT
0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 2 dsAttrTypeStandard:RecordName base64:dsAttrTypeNative:ShadowHashData
#{new_resource.username}:#{::Base64.strict_encode64(shadow_hash_binary.string)}
DSIMPORT
end
run_dscl("delete", "/Users/#{new_resource.username}", "ShadowHashData")
run_dsimport(import_file, "/Local/Default", "M")
run_dscl("create", "/Users/#{new_resource.username}", "Password", "********")
ensure
::File.delete(import_file) if import_file && ::File.exist?(import_file)
end
def wait_for_user
timeout = Time.now + 5
loop do
run_dscl("read", "/Users/#{new_resource.username}", "ShadowHashData")
break
rescue Chef::Exceptions::DsclCommandFailed => e
if Time.now < timeout
sleep 0.1
else
raise Chef::Exceptions::User, e.message
end
end
end
def run_dsimport(*args)
shell_out!("dsimport", args)
end
def run_sysadminctl(args)
# sysadminctl doesn't exit with a non-zero code when errors are encountered
# and outputs everything to STDERR instead of STDOUT and STDERR. Therefore we'll
# return the STDERR and let the caller handle it.
shell_out!("sysadminctl", args).stderr
end
def run_dscl(*args)
result = shell_out("dscl", "-plist", ".", "-#{args[0]}", args[1..])
return "" if ( args.first =~ /^delete/ ) && ( result.exitstatus != 0 )
raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") unless result.exitstatus == 0
raise(Chef::Exceptions::DsclCommandFailed, "dscl error: #{result.inspect}") if /No such key: /.match?(result.stdout)
result.stdout
end
def run_plutil(*args)
result = shell_out("plutil", "-#{args[0]}", args[1..])
raise(Chef::Exceptions::PlistUtilCommandFailed, "plutil error: #{result.inspect}") unless result.exitstatus == 0
result.stdout
end
def prop_is_set?(prop)
v = new_resource.send(prop.to_sym)
!v.nil? && v != ""
end
class Plist
DSCL_PROPERTY_MAP = {
uid: "dsAttrTypeStandard:UniqueID",
guid: "dsAttrTypeStandard:GeneratedUID",
gid: "dsAttrTypeStandard:PrimaryGroupID",
home: "dsAttrTypeStandard:NFSHomeDirectory",
shell: "dsAttrTypeStandard:UserShell",
comment: "dsAttrTypeStandard:RealName",
password: "dsAttrTypeStandard:Password",
auth_authority: "dsAttrTypeStandard:AuthenticationAuthority",
shadow_hash: "dsAttrTypeNative:ShadowHashData",
group_members: "dsAttrTypeStandard:GroupMembers",
is_hidden: "dsAttrTypeNative:IsHidden",
}.freeze
attr_accessor :plist_hash, :property_map
def initialize(plist_hash = {}, property_map = DSCL_PROPERTY_MAP)
@plist_hash = plist_hash
@property_map = property_map
end
def get(key)
return nil unless property_map.key?(key)
plist_hash[property_map[key]]
end
alias_method :[], :get
def set(key, value)
return nil unless property_map.key?(key)
plist_hash[property_map[key]] = [ value ]
end
alias_method :[]=, :set
end
end
end
end
end
|
