Release/2.3 (#121)

* add new box names to kitchen.yml

* remove always install strategy since our boxes are clean now

* don't run APFS commands on new box

* make disk image volumes instead of partitions

* update base boxes (#119)

* add new box names to kitchen.yml

* remove always install strategy since our boxes are clean now

* don't run APFS commands on new box

* make disk image volumes instead of partitions

* Fix for Issue #107: User Deletion (#117)

* delete user fix. #{user} is never actually used. Also used an array for command

* add a seperate test suite for testing user deletion

* Add a seperate recipe for user deletion that does not use macos_user resource for user creation

* Use password to unlock keychain (#120)

* Fix for Issue #96: Hidden Users (#118)

* add functionality for hidden user support

* Add a new user called griffin to the new_user recipe for hidden user testing

* Add test suite for hidden user testing

* add some documentation

* Respond to code review comments

1. Update user hiding execute block to check for IsHidden as a guard
2. Don't use mv and instead use FileUtils
3. Change hidden property to accept false or true, right now we ignore false
4. Fix integration test to look for griffin's home in var

* bump version

* update latest stable version of Xcode

* update beta version of Xcode

* Use explicit box versions in kitchen.yml

* update smoke tests

.kitchen.yml

@@ -5,48 +5,56 @@ driver:
 
 provisioner:
   product_name: chef
-  install_strategy: always
 
 verifier:
   name: inspec
   sudo: true
+  format:
+  - cli
+  - junit:/tmp/inspec.xml
   inspec_tests:
   - test/integration/default
 
 platforms:
 - name: el-capitan-chef13
   driver:
-    box: apex/macos-10.11.6
+    box: microsoft/os-x-el-capitan
+    version: 10.11.6
   provisioner:
     product_version: 13
 
 - name: el-capitan-chef14
   driver:
-    box: apex/macos-10.11.6
+    box: microsoft/os-x-el-capitan
+    version: 10.11.6
   provisioner:
     product_version: 14
 
 - name: sierra-chef13
   driver:
-    box: apex/macos-10.12.6
+    box: microsoft/macos-sierra
+    version: 10.12.6
   provisioner:
     product_version: 13
 
 - name: sierra-chef14
   driver:
-    box: apex/macos-10.12.6
+    box: microsoft/macos-sierra
+    version: 10.12.6
   provisioner:
     product_version: 14
 
 - name: high-sierra-chef13
   driver:
-    box: apex/macos-10.13.4
+    box: microsoft/macos-high-sierra
+    version: 10.13.5
   provisioner:
     product_version: 13
 
 - name: high-sierra-chef14
   driver:
-    box: apex/macos-10.13.4
+    box: microsoft/macos-high-sierra
+    version: 10.13.5
   provisioner:
     product_version: 14
 
@@ -114,6 +122,14 @@ suites:
     controls:
     - admin-user
     - standard-user
+    - hidden-user
+
+- name: delete_users
+  run_list:
+  - recipe[macos_test::delete_users]
+  verifier:
+    controls:
+    - test-user
 
 - name: keychain
   run_list:

attributes/default.rb

@@ -1,7 +1,7 @@
 default['macos']['admin_user'] = 'vagrant'
 default['macos']['admin_password'] = 'vagrant'
 
-default['macos']['xcode']['version'] = '9.3'
+default['macos']['xcode']['version'] = '9.4.1'
 
 default['macos']['remote_login_enabled'] = true
 

documentation/resource_macos_user.md

@@ -17,6 +17,7 @@ macos_user 'user and action description' do
   password             String          # password for user, defaults to "password" if not specified
   autologin            TrueClass       # user autologin
   admin                TrueClass       # admin status of user
+  hidden               TrueClass       # hidden status of user
   fullname             String          # full name of user
   groups               Array, String   # list of groups the user is in
 end

metadata.rb

@@ -5,7 +5,7 @@ license 'MIT'
 description 'Resources for configuring and provisioning macOS'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 chef_version '>= 13.0' if respond_to?(:chef_version)
-version '2.2.0'
+version '2.3.0'
 
 source_url 'https://github.com/Microsoft/macos-cookbook'
 issues_url 'https://github.com/Microsoft/macos-cookbook/issues'

resources/certificate.rb

@@ -15,7 +15,7 @@ action :install do
   cert = SecurityCommand.new(new_resource.certfile, keychain)
 
   execute 'unlock keychain' do
-    command [*cert.unlock_keychain(node['macos']['admin_user'])]
+    command [*cert.unlock_keychain(node['macos']['admin_password'])]
   end
 
   execute 'install-certificate' do

resources/macos_user.rb

@@ -7,12 +7,21 @@ property :autologin, [TrueClass]
 property :admin, [TrueClass]
 property :fullname, String
 property :groups, [Array, String]
+property :hidden, [true, false], default: false
 
 action_class do
   def user_home
     ::File.join('/', 'Users', new_resource.username)
   end
 
+  def user_hidden_home
+    ::File.join('/', 'var', new_resource.username)
+  end
+
+  def user_sharepoints
+    ::File.join('/', 'SharePoints', new_resource.username)
+  end
+
   def setup_assistant_plist
     ::File.join(user_home, 'Library', 'Preferences', 'com.apple.SetupAssistant.plist')
   end
@@ -40,6 +49,10 @@ action_class do
     '/usr/sbin/sysadminctl'
   end
 
+  def dscl
+    '/usr/bin/dscl'
+  end
+
   def user_fullname
     new_resource.property_is_set?(:fullname) ? ['-fullName', new_resource.fullname] : ''
   end
@@ -70,6 +83,34 @@ action :create do
 
   sleep(0.5)
 
+  if new_resource.hidden == true
+    execute "hide user #{new_resource.username}" do
+      key = 'IsHidden'
+      desired_value = '1'
+      read_command = shell_out(dscl, '.', 'read', user_home, key)
+      current_value = read_command.stdout.empty? ? 0 : read_command.stdout.split(':').last.strip
+      command [dscl, '.', 'create', user_home, key, desired_value]
+      not_if { current_value.eql? desired_value }
+    end
+
+    ruby_block "hide user #{new_resource.username} home directory #{user_home}" do
+      block do
+        FileUtils.mkdir_p user_hidden_home
+        FileUtils.cp_r(Dir[user_home.to_s], Dir[user_hidden_home.to_s])
+      end
+    end
+
+    execute 'update user record' do
+      command [dscl, '.', 'create', user_home, 'NFSHomeDirectory', user_hidden_home]
+      only_if { ::File.exist?(user_hidden_home) && ::File.exist?(user_home) }
+    end
+
+    execute 'remove Public Folder share point' do
+      command [dscl, '.', 'delete', user_sharepoints]
+      only_if { ::File.exist?(user_sharepoints) }
+    end
+  end
+
   if new_resource.property_is_set?(:autologin)
     setup_assistant_keypair_values.each do |e, v|
       plist setup_assistant_plist do
@@ -119,8 +160,8 @@ action :delete do
     only_if { ::File.exist? user_home }
   end
 
-  execute "delete user: #{user}" do
-    command "#{sysadminctl} -deleteUser #{new_resource.username}"
+  execute "delete user: #{new_resource.username}" do
+    command [sysadminctl, '-deleteUser', new_resource.username]
     only_if { user_already_exists? }
   end
 end

test/cookbooks/macos_test/recipes/delete_users.rb

@@ -0,0 +1,17 @@
+user = 'test_user'
+user_home = File.join('/', 'Users', user)
+
+if Gem::Version.new(node['platform_version']) >= Gem::Version.new('10.13')
+  admin_credentials = ['-adminUser', node['macos']['admin_user'], '-adminPassword', node['macos']['admin_password']]
+else ''
+end
+
+execute "add user #{user}" do
+  command ['/usr/sbin/sysadminctl', *admin_credentials, '-addUser', user]
+  not_if { ::File.exist?(user_home) && user_already_exists? }
+end
+
+macos_user 'delete a given user' do
+  username user
+  action :delete
+end

test/cookbooks/macos_test/recipes/new_users.rb

@@ -17,3 +17,9 @@ macos_user 'create non-admin without groups' do
   username 'paul'
   password 'bacon-saffron-doormat-educe'
 end
+
+macos_user 'create test' do
+  username 'griffin'
+  password 'wells'
+  hidden true
+end

test/cookbooks/macos_test/recipes/spotlight.rb

@@ -1,23 +1,13 @@
-if node['platform_version'].match?(/10.13/)
-  execute 'create test disk collection on APFS' do
-    command ['diskutil', 'apfs', 'resizeContainer',
-             'disk0s2', '25g',
-             'jhfs+', 'test_disk1', '1G',
-             'jhfs+', 'TDD2', '1G',
-             'jhfs+', 'Macintosh TD', '1G',
-             'jhfs+', 'TDD-ROM', '700MB']
-    not_if ['ls', '/Volumes/test_disk1']
-  end
+test_file = 'test.txt'
+test_volumes = ['test_disk1', 'TDD2', 'Macintosh TD', 'TDD-ROM']
 
-else
+file test_file
+test_volumes.each do |volume|
   execute 'create test disk collection on HFS' do
-    command ['diskutil', 'resizeVolume',
-             'disk0s2', '25g',
-             'jhfs+', 'test_disk1', '1G',
-             'jhfs+', 'TDD2', '1G',
-             'jhfs+', 'Macintosh TD', '1G',
-             'jhfs+', 'TDD-ROM', '700MB']
-    not_if ['ls', '/Volumes/test_disk1']
+    command ['hdiutil', 'create', "#{volume}.dmg",
+             '-size', '1g', '-format', 'UDRW',
+             '-volname', volume, '-srcfolder', test_file,
+             '-ov', '-attach']
   end
 end
 

test/cookbooks/macos_test/recipes/xcode_beta.rb

@@ -2,4 +2,4 @@ execute 'Disable Gatekeeper' do
   command ['spctl', '--master-disable']
 end
 
-xcode '9.4' if node['platform_version'].match? Regexp.union '10.13'
+xcode '10.0' if node['platform_version'].match? Regexp.union '10.13'

test/integration/default/controls/users_and_groups_test.rb

@@ -85,3 +85,30 @@ control 'standard-user' do
     its('stdout.split') { should_not include '80' }
   end
 end
+
+control 'hidden-user' do
+  title 'added as a hidden user'
+  desc 'Verify that a standard user is hidden'
+
+  describe user('griffin') do
+    it { should exist }
+    its('home') { should eq '/var/griffin' }
+  end
+
+  describe command("/usr/libexec/Plistbuddy -c 'Print IsHidden' /var/db/dslocal/nodes/Default/users/griffin.plist") do
+    its('stdout') { should match(/1/) }
+  end
+
+  describe directory('/var/griffin') do
+    it { should exist }
+  end
+end
+
+control 'test-user' do
+  title 'Checks that a user does not exist'
+  desc 'Given a previously added user, check that its deletion results in user no longer being in existence.'
+
+  describe user('test_user').exists? do
+    it { should eq false }
+  end
+end

test/integration/default/controls/xcode_test.rb

@@ -15,7 +15,7 @@ control 'xcode-and-simulators' do
   end
 
   if macos_version.match? Regexp.union '10.13'
-    describe directory('/Applications/Xcode-9.3.app') do
+    describe directory('/Applications/Xcode-9.4.1.app') do
       it { should exist }
     end
 
@@ -51,7 +51,7 @@ control 'xcode-beta' do
   macos_version = command('/usr/bin/sw_vers -productVersion').stdout.strip
 
   if macos_version.match? Regexp.union '10.13'
-    describe directory('/Applications/Xcode-9.4.app') do
+    describe directory('/Applications/Xcode-10.app') do
       it { should exist }
     end
   end