From cb0fd0f555d2621972742a52dfcab94c6b9849e8 Mon Sep 17 00:00:00 2001
From: Jacob Zaval
Date: Fri, 4 Mar 2022 16:09:14 -0800
Subject: [PATCH] fix securetoken modification

---
 resources/macos_user.rb | 26 ++++++++++++-------
 test/cookbooks/macos_test/recipes/users.rb | 11 +++-----
 .../default/controls/users_and_groups_test.rb | 4 +--
 3 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/resources/macos_user.rb b/resources/macos_user.rb
index 2e54752..5030fbe 100644
--- a/resources/macos_user.rb
+++ b/resources/macos_user.rb
@@ -65,17 +65,23 @@ action_class do
       ''
     end
   end
+
+  def validate_secure_token_modification
+    if !new_resource.property_is_set?(:existing_token_auth) || !new_resource.property_is_set?(:password)
+      raise "Both an existing_token_auth hash and the user password for #{new_resource.username} must be provided to modify secure token!"
+    end
+  end
 
   def token_credentials
-    if new_resource.property_is_set?(:secure_token)
-      ['-adminUser', new_resource.existing_token_auth['username'], '-adminPassword', new_resource.existing_token_auth['password']]
+    if new_resource.property_is_set?(:existing_token_auth)
+      ['-adminUser', new_resource.existing_token_auth[:username], '-adminPassword', new_resource.existing_token_auth[:password]]
     else
       ''
     end
   end
 
   def secure_token_enabled?
-    shell_out!([sysadminctl, '-secureTokenStatus', new_resource.username]).stdout.include?('ENABLED')
+    shell_out(sysadminctl, '-secureTokenStatus', new_resource.username).stderr.include?('ENABLED')
   end
 
   def admin_user
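Review bot: `token_credentials` still returns `''` on its else branch, and since every caller splats it (`*token_credentials`), `[*'']` evaluates to `['']`, so an empty-string argument lands in sysadminctl's argv whenever `existing_token_auth` is not set; returning `[]` there makes the splat contribute nothing. The new `validate_secure_token_modification` only checks that the properties are set, not that the hash carries the keys the symbol lookups expect, so a caller passing string keys (as the removed `['username']` lookups used) ends up with `nil` in the argv; `existing_token_auth.fetch(:username)` would fail loudly with a clear message instead. `secure_token_enabled?` now uses the non-bang `shell_out`, presumably so a not-yet-created user reads as "not enabled", but that also turns a missing or failing sysadminctl into "disabled" and triggers a `-secureTokenOn` attempt; a comment stating that trade-off would help, e.g. `# non-bang on purpose: a missing user exits non-zero and must read as 'not enabled'`.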
@@ -93,27 +99,29 @@ action_class do
 end
 
 action :create do
-  if property_is_set?(:secure_token) && !property_is_set?(:existing_token_auth)
+  if new_resource.secure_token && !property_is_set?(:existing_token_auth)
     raise "You must provide a existing_token_auth hash for an existing secure token user if you want to enable one for #{new_resource.username}"
   end
 
   execute "add user #{new_resource.username}" do
     command [sysadminctl, *token_credentials, '-addUser', new_resource.username, *user_fullname, '-password', new_resource.password, admin_user]
-    sensitive true
+    live_stream true
     not_if { ::File.exist?(user_home) && user_already_exists? }
   end
 
   if new_resource.secure_token && !secure_token_enabled?
+    validate_secure_token_modification
     execute "enable secure token for #{new_resource.username}" do
-      command [sysadminctl, *token_credentials, '-secureTokenOn', new_resource.username]
-      sensitive true
+      command [sysadminctl, *token_credentials, '-secureTokenOn', new_resource.username, '-password', new_resource.password]
+      live_stream true
     end
   end
 
   if !new_resource.secure_token && secure_token_enabled?
+    validate_secure_token_modification
     execute "disable secure token for #{new_resource.username}" do
-      command [sysadminctl, *token_credentials, '-secureTokenOff', new_resource.username]
-      sensitive true
+      command [sysadminctl, *token_credentials, '-secureTokenOff', new_resource.username, '-password', new_resource.password]
+      live_stream true
     end
   end
 
diff --git a/test/cookbooks/macos_test/recipes/users.rb b/test/cookbooks/macos_test/recipes/users.rb
index b8d5450..16ab373 100644
--- a/test/cookbooks/macos_test/recipes/users.rb
+++ b/test/cookbooks/macos_test/recipes/users.rb
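Review bot: Swapping `sensitive true` for `live_stream true` on all three execute resources removes the only thing keeping the admin and user passwords out of the Chef log: each command array carries `-adminPassword` and `-password` values in clear text, and without `sensitive` Chef prints the full command line in the failure message and debug output, while live_stream additionally echoes sysadminctl's output to the converge log. If the goal was to see sysadminctl's messages while debugging, keep `sensitive true` and surface stderr in the failure path instead, or at minimum restore `sensitive true` alongside `live_stream true` (in the Chef versions I know, sensitive suppresses live streaming, so that needs confirming). Independently of logging, the passwords are visible to local process listing for the lifetime of each sysadminctl call, and sysadminctl only offers an interactive `-` prompt as an alternative, which is worth stating above `execute "add user ..."`: `# NOTE: sysadminctl takes passwords on argv; sensitive true keeps them out of Chef logs but not out of ps(1)`. The `action :create do` block continues past the end of this hunk.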
@@ -40,14 +40,7 @@ macos_user 'create user with secure token' do
   existing_token_auth({ username: 'vagrant', password: 'vagrant' })
 end
 
-macos_user 'create user with secure token' do
-  username 'jung'
-  password 'philemon'
-  secure_token true
-  existing_token_auth({ username: 'vagrant', password: 'vagrant' })
-end
-
-macos_user 'create user with secure token' do
+macos_user 'create user initially with secure token' do
   username 'ray'
   password 'leah'
   secure_token true
@@ -56,5 +49,7 @@ end
 
 macos_user "remove existing user's secure token" do
   username 'ray'
+  password 'leah'
   secure_token false
+  existing_token_auth({ username: 'vagrant', password: 'vagrant' })
 end
diff --git a/test/integration/default/controls/users_and_groups_test.rb b/test/integration/default/controls/users_and_groups_test.rb
index cdaa2b6..3535fde 100644
--- a/test/integration/default/controls/users_and_groups_test.rb
+++ b/test/integration/default/controls/users_and_groups_test.rb
@@ -119,7 +119,7 @@ control 'secure-token-user' do
   end
 
   describe command('sysadminctl -secureTokenStatus jung') do
-    its('stdout') { should include 'ENABLED' }
+    its('stderr') { should include 'ENABLED' }
   end
 
   describe user('ray') do
@@ -127,6 +127,6 @@ control 'secure-token-user' do
   end
 
   describe command('sysadminctl -secureTokenStatus ray') do
-    its('stdout') { should include 'DISABLED' }
+    its('stderr') { should include 'DISABLED' }
   end
 end