diff --git a/resources/macos_user.rb b/resources/macos_user.rb index 2e54752..5030fbe 100644 --- a/resources/macos_user.rb +++ b/resources/macos_user.rb @@ -65,17 +65,23 @@ action_class do '' end end + + def validate_secure_token_modification + if !new_resource.property_is_set?(:existing_token_auth) || !new_resource.property_is_set?(:password) + raise "Both an existing_token_auth hash and the user password for #{new_resource.username} must be provided to modify secure token!" + end + end def token_credentials - if new_resource.property_is_set?(:secure_token) - ['-adminUser', new_resource.existing_token_auth['username'], '-adminPassword', new_resource.existing_token_auth['password']] + if new_resource.property_is_set?(:existing_token_auth) + ['-adminUser', new_resource.existing_token_auth[:username], '-adminPassword', new_resource.existing_token_auth[:password]] else '' end end def secure_token_enabled? - shell_out!([sysadminctl, '-secureTokenStatus', new_resource.username]).stdout.include?('ENABLED') + shell_out(sysadminctl, '-secureTokenStatus', new_resource.username).stderr.include?('ENABLED') end def admin_user @@ -93,27 +99,29 @@ action_class do end action :create do - if property_is_set?(:secure_token) && !property_is_set?(:existing_token_auth) + if new_resource.secure_token && !property_is_set?(:existing_token_auth) raise "You must provide a existing_token_auth hash for an existing secure token user if you want to enable one for #{new_resource.username}" end execute "add user #{new_resource.username}" do command [sysadminctl, *token_credentials, '-addUser', new_resource.username, *user_fullname, '-password', new_resource.password, admin_user] - sensitive true + live_stream true not_if { ::File.exist?(user_home) && user_already_exists? } end if new_resource.secure_token && !secure_token_enabled? + validate_secure_token_modification execute "enable secure token for #{new_resource.username}" do - command [sysadminctl, *token_credentials, '-secureTokenOn', new_resource.username] - sensitive true + command [sysadminctl, *token_credentials, '-secureTokenOn', new_resource.username, '-password', new_resource.password] + live_stream true end end if !new_resource.secure_token && secure_token_enabled? + validate_secure_token_modification execute "disable secure token for #{new_resource.username}" do - command [sysadminctl, *token_credentials, '-secureTokenOff', new_resource.username] - sensitive true + command [sysadminctl, *token_credentials, '-secureTokenOff', new_resource.username, '-password', new_resource.password] + live_stream true end end diff --git a/test/cookbooks/macos_test/recipes/users.rb b/test/cookbooks/macos_test/recipes/users.rb index b8d5450..16ab373 100644 --- a/test/cookbooks/macos_test/recipes/users.rb +++ b/test/cookbooks/macos_test/recipes/users.rb @@ -40,14 +40,7 @@ macos_user 'create user with secure token' do existing_token_auth({ username: 'vagrant', password: 'vagrant' }) end -macos_user 'create user with secure token' do - username 'jung' - password 'philemon' - secure_token true - existing_token_auth({ username: 'vagrant', password: 'vagrant' }) -end - -macos_user 'create user with secure token' do +macos_user 'create user initially with secure token' do username 'ray' password 'leah' secure_token true @@ -56,5 +49,7 @@ end macos_user "remove existing user's secure token" do username 'ray' + password 'leah' secure_token false + existing_token_auth({ username: 'vagrant', password: 'vagrant' }) end diff --git a/test/integration/default/controls/users_and_groups_test.rb b/test/integration/default/controls/users_and_groups_test.rb index cdaa2b6..3535fde 100644 --- a/test/integration/default/controls/users_and_groups_test.rb +++ b/test/integration/default/controls/users_and_groups_test.rb @@ -119,7 +119,7 @@ control 'secure-token-user' do end describe command('sysadminctl -secureTokenStatus jung') do - its('stdout') { should include 'ENABLED' } + its('stderr') { should include 'ENABLED' } end describe user('ray') do @@ -127,6 +127,6 @@ control 'secure-token-user' do end describe command('sysadminctl -secureTokenStatus ray') do - its('stdout') { should include 'DISABLED' } + its('stderr') { should include 'DISABLED' } end end