Release/2.7 (#160)

* bump version

* Fix #63 (#152)

* refactor screensaver class disabled method

* fix indentation

* delete some unit tests

* don't smoke test UID when testing user resource (#153)

* remove uid testing

* remove multi-converge, added to idempotency branch

* Add multi-converge testing for all suites, idempotency for select suites (#155)

* remove uid testing

* add multi-converge for all test recipes

* remove sleep

* just see if multi-converges pass

* add idempotency testing for specific suites

* add guard in spotlight test recipe

* guard against last test disk

* add a case if the index is in an unknown state

* add a sleep to allow indexing server to chill out

* add a 3rd converge

* create volume object in guard

* 2 converges for now

* increase sleep to allow indexing state to settle down

* enforce idempotency for spotlight

* add guard to test recipe item

* fix bug

* remove idempotency testing for xcode

* set three times

* Enforce idempotency for default ARD resource actions (#157)

* remove uid testing

* add multi-converge for all test recipes

* remove sleep

* just see if multi-converges pass

* add idempotency testing for specific suites

* add guard in spotlight test recipe

* guard against last test disk

* add a case if the index is in an unknown state

* add a sleep to allow indexing server to chill out

* add a 3rd converge

* create volume object in guard

* 2 converges for now

* increase sleep to allow indexing state to settle down

* enforce idempotency for spotlight

* add guard to test recipe item

* fix bug

* remove idempotency testing for xcode

* set three times

* add guard for ARD activation

* implement very basic guards

* add some unit tests for the ARD module

* remove some whitespace

* fix stub

* demystify magic mask string

* Feature/fix doc links (#158)

* update ard resource documentation

* more updates to ard resource docuemntation

* update certificate resource doccumentation

* update keychain resource doc

* update plist doc

* update spotlight resource doc

* update xcode resource doc

* change link location and fix syntax mistake

* add 2.7 changes to changelog (#159)

* add 2.7 changes to changelog

* add link to broken links issue

* add more details to changelog

* update CL

* Update CHANGELOG.md

Co-Authored-By: jazaval <jazava@microsoft.com>

* Update CHANGELOG.md

Co-Authored-By: jazaval <jazava@microsoft.com>

* remove whitespace

* grammar fix

Co-Authored-By: jazaval <jazava@microsoft.com>

* grammar fix

Co-Authored-By: jazaval <jazava@microsoft.com>

* grammar fix

Co-Authored-By: jazaval <jazava@microsoft.com>

* grammar fix

Co-Authored-By: jazaval <jazava@microsoft.com>

.kitchen.yml

@@ -5,6 +5,7 @@ driver:
 
 provisioner:
   product_name: chef
+  multiple_converge: 2
 
 verifier:
   name: inspec
@@ -16,7 +17,6 @@ verifier:
   - test/integration/default
 
 platforms:
-
 - name: el-capitan-chef13
   driver:
     box: microsoft/os-x-el-capitan
@@ -75,6 +75,8 @@ platforms:
 
 suites:
 - name: default
+  provisioner:
+    enforce_idempotency: true
   run_list:
   - recipe[macos::disable_software_updates]
   - recipe[macos_test::preferences]
@@ -86,7 +88,7 @@ suites:
 
 - name: power-management
   provisioner:
-    multiple_converge: 2
+    enforce_idempotency: true
   run_list:
   - recipe[macos::keep_awake]
   verifier:
@@ -103,6 +105,8 @@ suites:
     - nonstandard-computer-name
 
 - name: spotlight
+  provisioner:
+    enforce_idempotency: true
   run_list:
   - recipe[macos_test::spotlight]
   verifier:
@@ -150,6 +154,8 @@ suites:
     - default-keychain-creation
 
 - name: remote-access
+  provisioner:
+    enforce_idempotency: true
   run_list:
   - recipe[macos_test::remote_access]
   verifier:

CHANGELOG.md

@@ -1,6 +1,19 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [2.7.0] - 2018-10-26
+### Added
+- Multi-converge testing added for all kitchen suites, idempotency enforced for select resources. Idempotency issues identified and resolved with the `keep_awake` recipe, the `spotlight` resource, and the `ard` resource
+as a result. More enforcing by the idempotence police to come in future releases.
+
+### Removed
+- Removal of dead links in documentation for resources to allow for more up to date and clear documentation. ([Issue #129](https://github.com/Microsoft/macos-cookbook/issues/129)).
+
+### Fixed
+- Resolved an issue with the `ard` resource where a Chef run sometimes fails due to an intermittent `kickstart` failure. Guards added to the default resource actions to prevent this issue. ([Issue #70](https://github.com/Microsoft/macos-cookbook/issues/70)).
+- Resolved an issue with the `spotlight` resource where `mdutil` output was improperly parsed and
+`mdutil` commands were re-ran when not needed.
+
 ## [2.6.1] - 2018-10-04
 ### Added
 - The desert took its toll, the README now declares support for Mojave!

documentation/resource_ard.md

@@ -2,16 +2,13 @@ ard
 ===
 
 Use the **ard** resource to manage the "Remote Management" settings, found in System
-Preferences > Sharing > Remote Management. Under the hood, an **ard** resource
+Preferences > Sharing > Remote Management. Under the hood, the [**ard**](https://github.com/Microsoft/macos-cookbook/blob/master/resources/ard.rb) resource
 executes the `kickstart` command, located in ARDAgent.app (one of macOS' "core services").
-It has some basic actions, which pertain to the simple `kickstart` subcommands.
-It also has the more complicated `:configure` action, which requires some familiarity
-with [`kickstart`](https://support.apple.com/en-us/HT201710).
 
 Syntax
 ------
 
-An **ard** resource block declares a basic description of the command configuration
+The **ard** resource block declares a basic description of the command configuration
 and a set of properties depending on the actions executed. For example:
 
 ```ruby
@@ -23,7 +20,7 @@ end
 where
 
 - `:activate` activates the ARD agent
-- `:configure` configures the agent using the `kickstart` defaut commandline arguments.
+- `:configure` configures the agent using the `kickstart` default commandline arguments.
 
 The default `:configure` action is equivalent to the following
 **System Preferences > Sharing** settings:

documentation/resource_certificate.md

@@ -2,13 +2,9 @@ certificate
 =========
 
 Use the **certificate** resource to manage certificates for keychains.
-Under the hood, a **certificate** resource executes the `security`
+Under the hood, the [**certificate**](https://github.com/Microsoft/macos-cookbook/blob/master/resources/certificate.rb) resource executes the `security`
 command in the `security_cmd` library.
 
-[Learn more about certificates](https://developer.apple.com/library/content/documentation/Security/Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html).
-
-[Learn more about `security`](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html).
-
 Syntax
 ------
 
@@ -79,4 +75,4 @@ certificate 'cert name' do
   cert_passwd 'teach'
   apps ['/Applications/Maps.app', '/Applications/Time Machine.app']
 end
-```
+```

documentation/resource_keychain.md

@@ -2,13 +2,9 @@ keychain
 =========
 
 Use the **keychain** resource to manage keychains.
-Under the hood, a **keychain** resource executes the `security`
+Under the hood, the [**keychain**](https://github.com/Microsoft/macos-cookbook/blob/master/resources/keychain.rb) resource executes the `security`
 command in the `security_cmd` library.
 
-[Learn more about keychains](https://support.apple.com/kb/PH20093?locale=en_US).
-
-[Learn more about `security`](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html).
-
 Syntax
 ------
 
@@ -33,19 +29,19 @@ the `keychain` property. This is the default action.
 `:delete`
 
       Delete a keychain as specified by
-the `keychain` property. 
+the `keychain` property.
 
 `:lock`
 
       Lock a keychain as specified by
-the `keychain` property. If no keychain is specified, the default keychain 
-will be locked instead. 
+the `keychain` property. If no keychain is specified, the default keychain
+will be locked instead.
 
 `:unlock`
 
-      Using the `kc_passwd` property, unlock a 
-keychain as specified by the `keychain` property. If no keychain is specified, 
-the default keychain will be unlocked instead. 
+      Using the `kc_passwd` property, unlock a
+keychain as specified by the `keychain` property. If no keychain is specified,
+the default keychain will be unlocked instead.
 
 
 
@@ -98,4 +94,4 @@ keychain 'test' do
   kc_passwd 'test'
   action :unlock
 end
-```
+```

documentation/resource_machine_name.md

@@ -1,7 +1,7 @@
 machine_name
 ============
 
-Use the **machine_name** resource to manage a machine's name. In theory, the
+Use the [**machine_name**](https://github.com/Microsoft/macos-cookbook/blob/master/resources/machine_name.rb) resource to manage a machine's name. In theory, the
 `machine_name` resource should yield the same results that setting the
 **Computer Name** field in System Preferences would.
 

documentation/resource_macos_user.md

@@ -2,7 +2,7 @@ macos_user
 =========
 
 Use the **macos_user** resource to manage user creation.
-Under the hood, a **macos_user** resource executes the `sysadminctl`
+Under the hood, the [**macos_user**](https://github.com/Microsoft/macos-cookbook/blob/master/resources/macos_user.rb) resource executes the `sysadminctl`
 command.
 
 Syntax
@@ -46,7 +46,7 @@ Actions
 `:delete`
 
       Delete a user specified by
-the `macos_user` username property. 
+the `macos_user` username property.
 
 
 Examples
@@ -82,4 +82,4 @@ macos_user 'create user' do
   password 'reason'
   groups   ['accounting']
 end
-```
+```

documentation/resource_plist.md

@@ -2,7 +2,7 @@ plist
 =====
 
 Use the **plist** resource to manage property list files (plists) and their content.
-A **plist** resource instance represents the state of a single key-value pair in
+The [**plist**](https://github.com/Microsoft/macos-cookbook/blob/master/resources/plist.rb) resource manages the state
 the delared plist `path`. Since each plist resource instance represents only one
 setting, you may end up with several plist resource calls in a given recipe. Although
 this may seem like overkill, it allows us to have a fully idempotent resource with
@@ -13,13 +13,11 @@ before changing any values. It also makes sure that the plist is in binary forma
 so that the settings can be interpreted correctly by the operating system.
 
 Prior knowledge of using commandline utilities such as
-[defaults](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html),
-[plutil](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/plutil.1.html),
-and [PlistBuddy](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man8/PlistBuddy.8.html)
+`defaults`,
+`plutil`,
+and `PlistBuddy`
 will be useful when implementing the **plist** resource.
 
-Want to learn more? See the [Property List Programming Guide](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/PropertyLists/QuickStartPlist/QuickStartPlist.html#//apple_ref/doc/uid/10000048i-CH4-SW5).
-
 Syntax
 ------
 

documentation/resource_spotlight.md

@@ -3,17 +3,13 @@ spotlight
 
 Use the **spotlight** resource to manage the metadata indexing state for disk volumes.
 This will primarily affect the ability to search volume contents with the macOS
-Spotlight feature. Under the hood, a **spotlight** resource executes the `mdutil`
+Spotlight feature. Under the hood, the [**spotlight**](https://github.com/Microsoft/macos-cookbook/blob/master/resources/spotlight.rb) resource executes the `mdutil`
 command in the `metadata_util` library.
 
-[Learn more about Spotlight](https://support.apple.com/en-us/HT204014).
-
-[Learn more about `mdutil`](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/mdutil.1.html).
-
 Syntax
 ------
 
-The most basic usage of a **spotlight** resource block declares a disk volume as
+The most basic usage of the **spotlight** resource declares a disk volume as
 the name property to **enable** metadata indexing:
 
 ```ruby

documentation/resource_xcode.md

@@ -2,7 +2,7 @@ xcode
 =====
 
 Use the **xcode** resource to manage a single installation of Apple's Xcode IDE.
-An **xcode** resource instance represents the state of a single Xcode installation
+The [**xcode**](https://github.com/Microsoft/macos-cookbook/blob/master/resources/xcode.rb) resource manages the state of a single Xcode installation
 and any additional iOS simulators that are declared using the `ios_simulators`
 property. The latest version of iOS simulators are always installed with Xcode.
 This resource supports beta and GM seeds from Apple if currently available via
@@ -15,7 +15,7 @@ path, overwriting an existing bundle if it is not the requested version.
 Syntax
 ------
 
-The simplest use of an **xcode** resource is:
+The simplest use of the **xcode** resource is:
 
 ```ruby
 xcode '9.4.1'

libraries/ard.rb

@@ -0,0 +1,39 @@
+include Chef::Mixin::ShellOut
+
+module MacOS
+  module ARD
+    def ard_already_activated?
+      ::File.exist?('/Library/Application Support/Apple/Remote Desktop/RemoteManagement.launchd')
+    end
+
+    def ard_already_configured?(configure_options)
+      return false unless configure_options == ['-allowAccessFor -allUsers', '-access -on', '-privs -all']
+      remote_management_plist.include?('ARD_AllLocalUsers = true') && remote_management_plist.include?(all_privileges)
+    end
+
+    def remote_management_plist
+      shell_out('/usr/libexec/PlistBuddy -c Print /Library/Preferences/com.apple.RemoteManagement.plist').stdout
+    end
+
+    def all_privileges
+      # user_has_access  = 1 << 31
+      text_messages    = 1 << 0
+      control_observe  = 1 << 1
+      send_files       = 1 << 2
+      delete_files     = 1 << 3
+      generate_reports = 1 << 4
+      open_quit_apps   = 1 << 5
+      change_settings  = 1 << 6
+      restart_shutdown = 1 << 7
+      # observe_only     = 1 << 8
+      show_observe     = 1 << 30
+
+      (text_messages | control_observe | send_files |
+        delete_files | generate_reports | open_quit_apps |
+        change_settings | restart_shutdown | show_observe).to_s
+    end
+  end
+end
+
+Chef::Recipe.include(MacOS::ARD)
+Chef::Resource.include(MacOS::ARD)

libraries/metadata_util.rb

@@ -8,16 +8,11 @@ module MacOS
     def initialize(volume)
       mdutil_possible_states = { 'Indexing enabled.' => ['on', ''],
                                  'Indexing disabled.' => ['off', ''],
-                                 'Indexing and searching disabled.' => ['off', '-d'] }
+                                 'Indexing and searching disabled.' => ['off', '-d'],
+                                 'Error' => ['', ''] }
 
       @mdutil_output = shell_out('/usr/bin/mdutil', '-s', volume).stdout
-      @status_flags = unless server_disabled?
-                        mdutil_possible_states[volume_current_state(volume)].insert(1, volume)
-                      end
-    end
-
-    def server_disabled?
-      mdutil_output.strip.include? 'disabled'
+      @status_flags = mdutil_possible_states[volume_current_state(volume)].insert(1, volume)
     end
 
     def volume_current_state(_volume)

libraries/system.rb

@@ -38,19 +38,8 @@ module MacOS
       end
 
       def disabled?
-        settings('read', '0') &&
-          settings('read-type', 'integer')
-      end
-
-      def settings(query_type, expected_value)
-        regex_value = query_type == 'read' ? "/^[#{expected_value}]+$/" : expected_value
-        expression_pattern = Regexp.new(regex_value)
-        query(query_type).stdout.chomp.match?(expression_pattern)
-      end
-
-      def query(query_type)
-        shell_out('defaults', '-currentHost', query_type, 'com.apple.screensaver', 'idleTime',
-        user: @user)
+        shell_out('defaults -currentHost read com.apple.screensaver idleTime', user: @user).stdout.chomp == '0' &&
+          shell_out('defaults -currentHost read-type com.apple.screensaver idleTime', user: @user).stdout.chomp == 'Type is integer'
       end
     end
   end

metadata.rb

@@ -5,7 +5,7 @@ license 'MIT'
 description 'Resources for configuring and provisioning macOS'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 chef_version '>= 13.0' if respond_to?(:chef_version)
-version '2.6.1'
+version '2.7.0'
 
 source_url 'https://github.com/Microsoft/macos-cookbook'
 issues_url 'https://github.com/Microsoft/macos-cookbook/issues'

resources/ard.rb

@@ -17,6 +17,7 @@ property :clientopts, Array
 action :activate do
   execute BASE_COMMAND do
     command "#{BASE_COMMAND} -activate"
+    not_if { ard_already_activated? }
   end
 end
 
@@ -72,5 +73,6 @@ action :configure do
   end
   execute BASE_COMMAND do
     command "#{BASE_COMMAND} -configure #{configure_options.join(' ')}"
+    not_if { ard_already_configured?(configure_options) }
   end
 end

resources/spotlight.rb

@@ -32,8 +32,6 @@ action_class do
 end
 
 action :set do
-  volume = MetadataUtil.new(target_volume)
-
   macosx_service 'metadata server' do
     service_name 'com.apple.metadata.mds'
     plist '/System/Library/LaunchDaemons/com.apple.metadata.mds.plist'
@@ -42,6 +40,6 @@ action :set do
 
   execute "turn Spotlight indexing #{state} for #{target_volume}" do
     command mdutil + desired_spotlight_state.insert(0, '-i')
-    not_if { volume.status_flags == desired_spotlight_state }
+    not_if { MetadataUtil.new(target_volume).status_flags == desired_spotlight_state }
   end
 end

resources/system_preference.rb

@@ -20,11 +20,8 @@ action :set do
     converge_by "set #{new_resource.preference} to #{new_resource.setting}" do
       set_pref = ['-set', new_resource.preference.to_s].join('')
       execute ['/usr/sbin/systemsetup', set_pref, new_resource.setting]
-      ruby_block 'sleep one second' do
-        block do
-          sleep 1
-        end
-      end
+      execute ['/usr/sbin/systemsetup', set_pref, new_resource.setting]
+      execute ['/usr/sbin/systemsetup', set_pref, new_resource.setting]
     end
   end
 end

spec/spec_helper.rb

@@ -11,6 +11,7 @@ require_relative '../libraries/xcversion'
 require_relative '../libraries/developer_account'
 require_relative '../libraries/command_line_tools'
 require_relative '../libraries/security_cmd'
+require_relative '../libraries/ard'
 
 RSpec.configure do |config|
   config.platform = 'mac_os_x'

spec/unit/libraries/ard_spec.rb

@@ -0,0 +1,29 @@
+require 'spec_helper'
+include MacOS::ARD
+
+describe MacOS::ARD, '#ard_already_activated?' do
+  context 'when remote management is already enabled' do
+    before do
+      allow(::File).to receive(:exist?)
+        .with('/Library/Application Support/Apple/Remote Desktop/RemoteManagement.launchd')
+        .and_return(true)
+    end
+    it 'returns true' do
+      expect(ard_already_activated?).to be true
+    end
+  end
+end
+
+describe MacOS::ARD, '#ard_already_configured?' do
+  context 'when remote management is already configured for the defaults' do
+    before do
+      allow_any_instance_of(ARD).to receive(:remote_management_plist)
+        .and_return 'Dict { ARD_AllLocalUsersPrivs = 1073742079
+                            allowInsecureDH = true
+                            ARD_AllLocalUsers = true }'
+    end
+    it 'returns true' do
+      expect(ard_already_configured?(['-allowAccessFor -allUsers', '-access -on', '-privs -all'])).to be true
+    end
+  end
+end

spec/unit/libraries/system_spec.rb

@@ -74,43 +74,3 @@ describe MacOS::System::Environment do
     end
   end
 end
-
-describe MacOS::System::ScreenSaver do
-  context 'querying a read for idleTime' do
-    it 'returns a defaults read command' do
-      screen = MacOS::System::ScreenSaver.new('vagrant')
-      expect(screen.query('read').command).to eq ['defaults', '-currentHost', 'read', 'com.apple.screensaver', 'idleTime']
-    end
-  end
-
-  context 'querying a read-type for idleTime' do
-    it 'returns a defaults read-type command' do
-      screen = MacOS::System::ScreenSaver.new('vagrant')
-      expect(screen.query('read-type').command).to eq ['defaults', '-currentHost', 'read-type', 'com.apple.screensaver', 'idleTime']
-    end
-  end
-
-  context 'when idleTime is 0 and its type is integer' do
-    before do
-      allow_any_instance_of(MacOS::System::ScreenSaver).to receive(:settings)
-        .and_return(true)
-    end
-
-    it 'screensaver is disabled' do
-      screen = MacOS::System::ScreenSaver.new('vagrant')
-      expect(screen.disabled?).to eq true
-    end
-  end
-
-  context 'when idleTime is not 0 or its type is not an integer' do
-    before do
-      allow_any_instance_of(MacOS::System::ScreenSaver).to receive(:settings)
-        .and_return(false)
-    end
-
-    it 'screensaver is not disabled' do
-      screen = MacOS::System::ScreenSaver.new('vagrant')
-      expect(screen.disabled?).to eq false
-    end
-  end
-end

test/cookbooks/macos_test/recipes/spotlight.rb

@@ -8,11 +8,13 @@ test_volumes.each do |volume|
              '-size', '1g', '-format', 'UDRW',
              '-volname', volume, '-srcfolder', test_file,
              '-ov', '-attach']
+    not_if 'diskutil info TDD-ROM'
   end
 end
 
 execute 'test' do
   command ['sudo', 'launchctl', 'unload', '-w', '/System/Library/LaunchDaemons/com.apple.metadata.mds.plist']
+  not_if 'diskutil info TDD-ROM'
 end
 
 spotlight '/'

test/integration/default/controls/users_and_groups_test.rb

@@ -6,7 +6,6 @@ control 'admin-user' do
 
   describe user('randall') do
     it { should exist }
-    its('uid') { should eq 503 }
     its('gid') { should eq 20 }
     its('home') { should eq '/Users/randall' }
     its('groups') { should include 'alpha' }
@@ -49,7 +48,6 @@ control 'standard-user' do
 
   describe user('johnny') do
     it { should exist }
-    its('uid') { should eq 504 }
     its('gid') { should eq 20 }
     its('home') { should eq '/Users/johnny' }
     its('groups') { should include 'staff' }
@@ -75,7 +73,6 @@ control 'standard-user' do
 
   describe user('paul') do
     it { should exist }
-    its('uid') { should eq 505 }
     its('groups') { should include 'staff' }
     its('groups') { should_not include  'admin' }
     its('home') { should eq '/Users/paul' }