chef 10.12.0 → 10.14.0.beta.1

data/spec/unit/provider/template_spec.rb

@@ -0,0 +1,186 @@
+#
+# Author:: Adam Jacob (<adam@opscode.com>)
+# Copyright:: Copyright (c) 2008 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+require 'stringio'
+require 'spec_helper'
+
+describe Chef::Provider::Template do
+  before(:each) do
+    @cookbook_repo = File.expand_path(File.join(CHEF_SPEC_DATA, "cookbooks"))
+    Chef::Cookbook::FileVendor.on_create { |manifest| Chef::Cookbook::FileSystemFileVendor.new(manifest, @cookbook_repo) }
+
+    @node = Chef::Node.new
+    @cookbook_collection = Chef::CookbookCollection.new(Chef::CookbookLoader.new(@cookbook_repo))
+    @events = Chef::EventDispatch::Dispatcher.new
+    @run_context = Chef::RunContext.new(@node, @cookbook_collection, @events)
+
+    @rendered_file_location = Dir.tmpdir + '/openldap_stuff.conf'
+
+    @resource = Chef::Resource::Template.new(@rendered_file_location)
+    @resource.cookbook_name = 'openldap'
+
+    @provider = Chef::Provider::Template.new(@resource, @run_context)
+    @current_resource = @resource.dup
+    @provider.current_resource = @current_resource
+    @access_controls = mock("access controls")
+    @provider.stub!(:access_controls).and_return(@access_controls)
+  end
+
+  describe "when creating the template" do
+
+    before do 
+
+    end
+    after do
+      FileUtils.rm(@rendered_file_location) if ::File.exist?(@rendered_file_location)
+    end
+
+    it "finds the template file in the coobook cache if it isn't local" do
+      @provider.template_location.should == CHEF_SPEC_DATA + '/cookbooks/openldap/templates/default/openldap_stuff.conf.erb'
+    end
+
+    it "finds the template file locally if it is local" do
+      @resource.local(true)
+      @resource.source('/tmp/its_on_disk.erb')
+      @provider.template_location.should == '/tmp/its_on_disk.erb'
+    end
+
+    it "stops executing when the local template source can't be found" do 
+      @access_controls.stub!(:requires_changes?).and_return(false)
+      @resource.source "invalid.erb" 
+      @resource.local true
+      lambda { @provider.run_action(:create) } .should raise_error Chef::Mixin::WhyRun::ResourceRequirements::Assertion::AssertionFailure
+    end
+
+    it "should use the cookbook name if defined in the template resource" do
+      @resource.cookbook_name = 'apache2'
+      @resource.cookbook('openldap')
+      @resource.source "test.erb"
+      @provider.template_location.should == CHEF_SPEC_DATA + '/cookbooks/openldap/templates/default/test.erb'
+    end
+
+    describe "when the target file does not exist" do
+      it "creates the template with the rendered content" do
+        @access_controls.stub!(:requires_changes?).and_return(true)
+        @access_controls.should_receive(:set_all!)
+        @node[:slappiness] = "a warm gun"
+        @provider.should_receive(:backup)
+        @provider.run_action(:create)
+        IO.read(@rendered_file_location).should == "slappiness is a warm gun"
+        @resource.should be_updated_by_last_action
+      end
+
+      it "should set the file access control as specified in the resource" do
+        @access_controls.stub!(:requires_changes?).and_return(false)
+        @access_controls.should_receive(:set_all!)
+        @resource.owner("adam")
+        @resource.group("wheel")
+        @resource.mode(00644)
+        @provider.run_action(:create)
+        @resource.should be_updated_by_last_action
+      end
+
+      it "creates the template with the rendered content for the create if missing action" do
+        @access_controls.stub!(:requires_changes?).and_return(true)
+        @access_controls.should_receive(:set_all!)
+        @node[:slappiness] = "happiness"
+        @provider.should_receive(:backup)
+        @provider.run_action(:create_if_missing)
+        IO.read(@rendered_file_location).should == "slappiness is happiness"
+        @resource.should be_updated_by_last_action
+      end
+    end
+
+    describe "when the target file has the wrong content" do
+      before do
+        File.open(@rendered_file_location, "w+") { |f| f.print "blargh" }
+      end
+
+      it "overwrites the file with the updated content when the create action is run" do
+        @node[:slappiness] = "a warm gun"
+        @access_controls.stub!(:requires_changes?).and_return(false)
+        @access_controls.should_receive(:set_all!)
+        @provider.should_receive(:backup)
+        @provider.run_action(:create)
+        IO.read(@rendered_file_location).should == "slappiness is a warm gun"
+        @resource.should be_updated_by_last_action
+      end
+
+      it "should set the file access control as specified in the resource" do
+        @access_controls.stub!(:requires_changes?).and_return(true)
+        @access_controls.should_receive(:set_all!)
+        @resource.owner("adam")
+        @resource.group("wheel")
+        @resource.mode(00644)
+        @provider.should_receive(:backup)
+        @provider.run_action(:create)
+        @resource.should be_updated_by_last_action
+      end
+
+      it "doesn't overwrite the file when the create if missing action is run" do
+        @access_controls.stub!(:requires_changes?).and_return(false)
+        @access_controls.should_not_receive(:set_all!)
+        @node[:slappiness] = "a warm gun"
+        @provider.should_not_receive(:backup)
+        @provider.run_action(:create_if_missing)
+        IO.read(@rendered_file_location).should == "blargh"
+        @resource.should_not be_updated_by_last_action
+      end
+    end
+
+    describe "when the target has the correct content" do
+      before do
+        Chef::ChecksumCache.instance.reset!
+        File.open(@rendered_file_location, "w") { |f| f.print "slappiness is a warm gun" }
+        @current_resource.checksum('4ff94a87794ed9aefe88e734df5a66fc8727a179e9496cbd88e3b5ec762a5ee9')
+        @access_controls = mock("access controls")
+        @provider.stub!(:access_controls).and_return(@access_controls)
+      end
+
+      it "does not backup the original or overwrite it" do
+        @node[:slappiness] = "a warm gun"
+        @access_controls.stub!(:requires_changes?).and_return(false)
+        @provider.should_not_receive(:backup)
+        FileUtils.should_not_receive(:mv)
+        @provider.run_action(:create)
+        @resource.should_not be_updated_by_last_action
+      end
+
+      it "does not backup the original or overwrite it on create if missing" do
+        @node[:slappiness] = "a warm gun"
+        @access_controls.stub!(:requires_changes?).and_return(false)
+        @provider.should_not_receive(:backup)
+        FileUtils.should_not_receive(:mv)
+        @provider.run_action(:create)
+        @resource.should_not be_updated_by_last_action
+      end
+
+      it "sets the file access controls if they have diverged" do
+        @provider.stub!(:backup).and_return(true)
+        @access_controls.stub!(:requires_changes?).and_return(true)
+        @access_controls.should_receive(:set_all!)
+        @resource.owner("adam")
+        @resource.group("wheel")
+        @resource.mode(00644)
+        @provider.should_receive(:backup)
+        @provider.run_action(:create)
+        @resource.should be_updated_by_last_action
+      end
+    end
+
+  end
+end

data/spec/unit/provider/user/dscl_spec.rb

@@ -0,0 +1,439 @@
+#
+# Author:: Dreamcat4 (<dreamcat4@gmail.com>)
+# Copyright:: Copyright (c) 2009 OpsCode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+ShellCmdResult = Struct.new(:stdout, :stderr, :exitstatus)
+
+require 'spec_helper'
+require 'ostruct'
+
+describe Chef::Provider::User::Dscl do
+  before do
+    @node = Chef::Node.new
+    @events = Chef::EventDispatch::Dispatcher.new
+    @run_context = Chef::RunContext.new(@node, {}, @events)
+    @new_resource = Chef::Resource::User.new("toor")
+    @provider = Chef::Provider::User::Dscl.new(@new_resource, @run_context)
+  end
+  
+  describe "when shelling out to dscl" do
+    it "should run dscl with the supplied cmd /Path args" do
+      shell_return = ShellCmdResult.new('stdout', 'err', 0)
+      @provider.should_receive(:shell_out).with("dscl . -cmd /Path args").and_return(shell_return)
+      @provider.safe_dscl("cmd /Path args").should == 'stdout'
+    end
+
+    it "returns an empty string from delete commands" do
+      shell_return = ShellCmdResult.new('out', 'err', 23)
+      @provider.should_receive(:shell_out).with("dscl . -delete /Path args").and_return(shell_return)
+      @provider.safe_dscl("delete /Path args").should == ""
+    end
+
+    it "should raise an exception for any other command" do
+      shell_return = ShellCmdResult.new('out', 'err', 23)
+      @provider.should_receive(:shell_out).with('dscl . -cmd /Path arguments').and_return(shell_return)
+      lambda { @provider.safe_dscl("cmd /Path arguments") }.should raise_error(Chef::Exceptions::DsclCommandFailed)
+    end
+
+    it "raises an exception when dscl reports 'no such key'" do
+      shell_return = ShellCmdResult.new("No such key: ", 'err', 23)
+      @provider.should_receive(:shell_out).with('dscl . -cmd /Path args').and_return(shell_return)
+      lambda { @provider.safe_dscl("cmd /Path args") }.should raise_error(Chef::Exceptions::DsclCommandFailed)
+    end
+  end
+
+  describe "get_free_uid" do
+    before do
+      @provider.stub!(:safe_dscl).and_return("\nwheel      200\nstaff      201\n")
+    end
+  
+    it "should run safe_dscl with list /Users uid" do
+      @provider.should_receive(:safe_dscl).with("list /Users uid")
+      @provider.get_free_uid
+    end
+
+    it "should return the first unused uid number on or above 200" do
+      @provider.get_free_uid.should == 202
+    end
+  
+    it "should raise an exception when the search limit is exhausted" do
+      search_limit = 1
+      lambda { @provider.get_free_uid(search_limit) }.should raise_error(RuntimeError)
+    end
+  end
+
+  describe "uid_used?" do
+    before do
+      @provider.stub!(:safe_dscl).and_return("\naj      500\n")
+    end
+
+    it "should run safe_dscl with list /Users uid" do
+      @provider.should_receive(:safe_dscl).with("list /Users uid")
+      @provider.uid_used?(500)
+    end
+  
+    it "should return true for a used uid number" do
+      @provider.uid_used?(500).should be_true
+    end
+
+    it "should return false for an unused uid number" do
+      @provider.uid_used?(501).should be_false
+    end
+
+    it "should return false if not given any valid uid number" do
+      @provider.uid_used?(nil).should be_false
+    end
+  end
+
+  describe "when determining the uid to set" do
+    it "raises RequestedUIDUnavailable if the requested uid is already in use" do
+      @provider.stub!(:uid_used?).and_return(true)
+      @provider.should_receive(:get_free_uid).and_return(501)
+      lambda { @provider.set_uid }.should raise_error(Chef::Exceptions::RequestedUIDUnavailable)
+    end
+  
+    it "finds a valid, unused uid when none is specified" do
+      @provider.should_receive(:safe_dscl).with("list /Users uid").and_return('')
+      @provider.should_receive(:safe_dscl).with("create /Users/toor UniqueID 501")
+      @provider.should_receive(:get_free_uid).and_return(501)
+      @provider.set_uid
+      @new_resource.uid.should == 501
+    end
+  
+    it "sets the uid specified in the resource" do
+      @new_resource.uid(1000)
+      @provider.should_receive(:safe_dscl).with("create /Users/toor UniqueID 1000").and_return(true)
+      @provider.should_receive(:safe_dscl).with("list /Users uid").and_return('')
+      @provider.set_uid
+    end
+  end
+
+  describe "when modifying the home directory" do
+    before do
+      @new_resource.supports({ :manage_home => true })
+      @new_resource.home('/Users/toor')
+      
+      @current_resource = @new_resource.dup
+      @provider.current_resource = @current_resource
+    end
+
+    it "deletes the home directory when resource#home is nil" do
+      @new_resource.instance_variable_set(:@home, nil)
+      @provider.should_receive(:safe_dscl).with("delete /Users/toor NFSHomeDirectory").and_return(true)
+      @provider.modify_home
+    end
+  
+
+    it "raises InvalidHomeDirectory when the resource's home directory doesn't look right" do
+      @new_resource.home('epic-fail')
+      lambda { @provider.modify_home }.should raise_error(Chef::Exceptions::InvalidHomeDirectory)
+    end
+
+    it "moves the users home to the new location if it exists and the target location is different" do
+      @new_resource.supports(:manage_home => true)
+      
+      current_home = CHEF_SPEC_DATA + '/old_home_dir'
+      current_home_files = [current_home + '/my-dot-emacs', current_home + '/my-dot-vim']
+      @current_resource.home(current_home)
+      @new_resource.gid(23)
+      ::File.stub!(:exists?).with('/old/home/toor').and_return(true)
+      ::File.stub!(:exists?).with('/Users/toor').and_return(true)
+    
+      FileUtils.should_receive(:mkdir_p).with('/Users/toor').and_return(true)
+      FileUtils.should_receive(:rmdir).with(current_home)
+      ::Dir.should_receive(:glob).with("#{CHEF_SPEC_DATA}/old_home_dir/*",::File::FNM_DOTMATCH).and_return(current_home_files)
+      FileUtils.should_receive(:mv).with(current_home_files, "/Users/toor", :force => true)
+      FileUtils.should_receive(:chown_R).with('toor','23','/Users/toor')
+      
+      @provider.should_receive(:safe_dscl).with("create /Users/toor NFSHomeDirectory '/Users/toor'")
+      @provider.modify_home
+    end
+
+    it "should raise an exception when the systems user template dir (skel) cannot be found" do
+      ::File.stub!(:exists?).and_return(false,false,false)
+      lambda { @provider.modify_home }.should raise_error(Chef::Exceptions::User)
+    end
+
+    it "should run ditto to copy any missing files from skel to the new home dir" do
+      ::File.should_receive(:exists?).with("/System/Library/User\ Template/English.lproj").and_return(true)
+      FileUtils.should_receive(:chown_R).with('toor', '', '/Users/toor')
+      @provider.should_receive(:shell_out!).with("ditto '/System/Library/User Template/English.lproj' '/Users/toor'")
+      @provider.ditto_home
+    end
+
+    it "creates the user's NFSHomeDirectory and home directory" do
+      @provider.should_receive(:safe_dscl).with("create /Users/toor NFSHomeDirectory '/Users/toor'").and_return(true)
+      @provider.should_receive(:ditto_home)
+      @provider.modify_home
+    end
+  end
+
+  describe "osx_shadow_hash?" do
+    it "should return true when the string is a shadow hash" do
+      @provider.osx_shadow_hash?("0"*8*155).should eql(true)
+    end
+
+    it "should return false otherwise" do
+      @provider.osx_shadow_hash?("any other string").should eql(false)
+    end
+  end
+
+  describe "when detecting the format of a password" do
+    it "detects a OS X salted sha1" do
+      @provider.osx_salted_sha1?("0"*48).should eql(true)
+      @provider.osx_salted_sha1?("any other string").should eql(false)
+    end
+  end
+
+  describe "guid" do
+    it "should run safe_dscl with read /Users/user GeneratedUID to get the users GUID" do
+      expected_uuid = "b398449e-cee0-45e0-80f8-b0b5b1bfdeaa"
+      @provider.should_receive(:safe_dscl).with("read /Users/toor GeneratedUID").and_return(expected_uuid + "\n")
+      @provider.guid.should == expected_uuid
+    end
+  end
+
+  describe "shadow_hash_set?" do
+
+    it "should run safe_dscl with read /Users/user to see if the AuthenticationAuthority key exists" do
+      @provider.should_receive(:safe_dscl).with("read /Users/toor")
+      @provider.shadow_hash_set?
+    end
+
+    describe "when the user account has an AuthenticationAuthority key" do
+      it "uses the shadow hash when there is a ShadowHash field in the AuthenticationAuthority key" do
+        @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority: ;ShadowHash;\n")
+        @provider.shadow_hash_set?.should be_true
+      end
+
+      it "does not use the shadow hash when there is no ShadowHash field in the AuthenticationAuthority key" do
+        @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority: \n")
+        @provider.shadow_hash_set?.should be_false
+      end
+
+    end
+
+    describe "with no AuthenticationAuthority key in the user account" do
+      it "does not use the shadow hash" do
+        @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("")
+        @provider.shadow_hash_set?.should eql(false)
+      end
+    end
+  end
+
+  describe "when setting or modifying the user password" do
+    before do
+      @new_resource.password("password")
+      @output = StringIO.new
+    end
+
+    describe "when using a salted sha1 for the password" do
+      before do
+        @new_resource.password("F"*48)
+      end
+    
+      it "should write a shadow hash file with the expected salted sha1" do
+        uuid = "B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA"
+        File.should_receive(:open).with('/var/db/shadow/hash/B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA', "w", 384).and_yield(@output)
+        @provider.should_receive(:safe_dscl).with("read /Users/toor GeneratedUID").and_return(uuid)
+        @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority: ;ShadowHash;\n")
+        expected_salted_sha1 = @new_resource.password
+        expected_shadow_hash = "00000000"*155
+        expected_shadow_hash[168] = expected_salted_sha1
+        @provider.modify_password
+        @output.string.strip.should == expected_shadow_hash
+      end    
+    end
+
+    describe "when given a shadow hash file for the password" do
+      it "should write the shadow hash file directly to /var/db/shadow/hash/GUID" do
+        shadow_hash = '0123456789ABCDE0123456789ABCDEF' * 40
+        raise 'oops' unless shadow_hash.size == 1240
+        @new_resource.password shadow_hash
+        uuid = "B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA"
+        File.should_receive(:open).with('/var/db/shadow/hash/B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA', "w", 384).and_yield(@output)
+        @provider.should_receive(:safe_dscl).with("read /Users/toor GeneratedUID").and_return(uuid)
+        @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority: ;ShadowHash;\n")
+        @provider.modify_password
+        @output.string.strip.should == shadow_hash
+      end
+    end
+
+    describe "when given a string for the password" do
+      it "should output a salted sha1 and shadow hash file from the specified password" do
+        uuid = "B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA"
+        File.should_receive(:open).with('/var/db/shadow/hash/B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA', "w", 384).and_yield(@output)
+        @new_resource.password("password")
+        OpenSSL::Random.stub!(:random_bytes).and_return("\377\377\377\377\377\377\377\377")
+        expected_salted_sha1 = "F"*8+"SHA1-"*8
+        expected_shadow_hash = "00000000"*155
+        expected_shadow_hash[168] = expected_salted_sha1
+        @provider.should_receive(:safe_dscl).with("read /Users/toor GeneratedUID").and_return(uuid)
+        @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority: ;ShadowHash;\n")
+        @provider.modify_password
+        @output.string.strip.should match(/^0{168}(FFFFFFFF1C1AA7935D4E1190AFEC92343F31F7671FBF126D)0{1071}$/)
+      end    
+    end
+
+    it "should write the output directly to the shadow hash file at /var/db/shadow/hash/GUID" do
+      shadow_file = StringIO.new
+      uuid = "B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA"
+      File.should_receive(:open).with("/var/db/shadow/hash/B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA",'w',0600).and_yield(shadow_file)
+      @provider.should_receive(:safe_dscl).with("read /Users/toor GeneratedUID").and_return(uuid)
+      @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority: ;ShadowHash;\n")
+      @provider.modify_password
+      shadow_file.string.should match(/^0{168}[0-9A-F]{48}0{1071}$/)
+    end
+
+    it "should run safe_dscl append /Users/user AuthenticationAuthority ;ShadowHash; when no shadow hash set" do
+      shadow_file = StringIO.new
+      uuid = "B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA"
+      File.should_receive(:open).with("/var/db/shadow/hash/B398449E-CEE0-45E0-80F8-B0B5B1BFDEAA",'w',0600).and_yield(shadow_file)
+      @provider.should_receive(:safe_dscl).with("read /Users/toor GeneratedUID").and_return(uuid)
+      @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("\nAuthenticationAuthority:\n")
+      @provider.should_receive(:safe_dscl).with("append /Users/toor AuthenticationAuthority ';ShadowHash;'")
+      @provider.modify_password
+      shadow_file.string.should match(/^0{168}[0-9A-F]{48}0{1071}$/)
+    end
+  end
+
+  describe "load_current_resource" do
+    it "should raise an error if the required binary /usr/bin/dscl doesn't exist" do
+      ::File.should_receive(:exists?).with("/usr/bin/dscl").and_return(false)
+      lambda { @provider.load_current_resource }.should raise_error(Chef::Exceptions::User)
+    end
+
+    it "shouldn't raise an error if /usr/bin/dscl exists" do
+      ::File.stub!(:exists?).and_return(true)
+      lambda { @provider.load_current_resource }.should_not raise_error(Chef::Exceptions::User)
+    end
+  end
+
+  describe "when the user does not yet exist and chef is creating it" do
+    before do
+      @new_resource.comment "#mockssuck"
+      @new_resource.gid 1001
+    end
+    
+    it "creates the user, comment field, sets uid, gid, configures the home directory, sets the shell, and sets the password" do
+      @provider.should_receive :dscl_create_user
+      @provider.should_receive :dscl_create_comment
+      @provider.should_receive :set_uid
+      @provider.should_receive :dscl_set_gid
+      @provider.should_receive :modify_home
+      @provider.should_receive :dscl_set_shell
+      @provider.should_receive :modify_password
+      @provider.create_user
+    end
+
+    it "creates the user and sets the comment field" do
+      @provider.should_receive(:safe_dscl).with("create /Users/toor").and_return(true)
+      @provider.dscl_create_user
+    end
+    
+    it "sets the comment field" do
+      @provider.should_receive(:safe_dscl).with("create /Users/toor RealName '#mockssuck'").and_return(true)
+      @provider.dscl_create_comment
+    end
+
+    it "should run safe_dscl with create /Users/user PrimaryGroupID to set the users primary group" do
+      @provider.should_receive(:safe_dscl).with("create /Users/toor PrimaryGroupID '1001'").and_return(true)
+      @provider.dscl_set_gid
+    end
+
+    it "should run safe_dscl with create /Users/user UserShell to set the users login shell" do
+      @provider.should_receive(:safe_dscl).with("create /Users/toor UserShell '/usr/bin/false'").and_return(true)
+      @provider.dscl_set_shell
+    end
+
+  end
+
+  describe "when the user exists and chef is managing it" do
+    before do
+      @current_resource = @new_resource.dup
+      @provider.current_resource = @current_resource
+      
+      # These are all different from @current_resource
+      @new_resource.username "mud"
+      @new_resource.uid 2342
+      @new_resource.gid 2342
+      @new_resource.home '/Users/death'
+      @new_resource.password 'goaway'
+    end
+    
+    it "sets the user, comment field, uid, gid, moves the home directory, sets the shell, and sets the password" do
+      @provider.should_receive :dscl_create_user
+      @provider.should_receive :dscl_create_comment
+      @provider.should_receive :set_uid
+      @provider.should_receive :dscl_set_gid
+      @provider.should_receive :modify_home
+      @provider.should_receive :dscl_set_shell
+      @provider.should_receive :modify_password
+      @provider.create_user
+    end
+  end
+
+  describe "when the user exists and chef is removing it" do
+    it "removes the user's home directory when the resource is configured to manage home" do
+      @new_resource.supports({ :manage_home => true })
+      @provider.should_receive(:safe_dscl).with("read /Users/toor").and_return("NFSHomeDirectory: /Users/fuuuuuuuuuuuuu")
+      @provider.should_receive(:safe_dscl).with("delete /Users/toor")
+      FileUtils.should_receive(:rm_rf).with("/Users/fuuuuuuuuuuuuu")
+      @provider.remove_user
+    end
+    
+    it "removes the user from any group memberships" do
+      Etc.stub(:group).and_yield(OpenStruct.new(:name => 'ragefisters', :mem => 'toor'))
+      @provider.should_receive(:safe_dscl).with("delete /Users/toor")
+      @provider.should_receive(:safe_dscl).with("delete /Groups/ragefisters GroupMembership 'toor'")
+      @provider.remove_user
+    end
+  end
+
+  describe "when discovering if a user is locked" do
+
+    it "determines the user is not locked when dscl shows an AuthenticationAuthority without a DisabledUser field" do
+      @provider.should_receive(:safe_dscl).with("read /Users/toor")
+      @provider.should_not be_locked
+    end
+
+    it "determines the user is locked when dscl shows an AuthenticationAuthority with a DisabledUser field" do
+      @provider.should_receive(:safe_dscl).with('read /Users/toor').and_return("\nAuthenticationAuthority: ;DisabledUser;\n")
+      @provider.should be_locked
+    end
+
+    it "determines the user is not locked when dscl shows no AuthenticationAuthority" do
+      @provider.should_receive(:safe_dscl).with('read /Users/toor').and_return("\n")
+      @provider.should_not be_locked
+    end
+  end
+
+  describe "when locking the user" do
+    it "should run safe_dscl with append /Users/user AuthenticationAuthority ;DisabledUser; to lock the user account" do
+      @provider.should_receive(:safe_dscl).with("append /Users/toor AuthenticationAuthority ';DisabledUser;'")
+      @provider.lock_user
+    end
+  end
+
+  describe "when unlocking the user" do
+    it "removes DisabledUser from the authentication string" do
+      @provider.should_receive(:safe_dscl).with("read /Users/toor AuthenticationAuthority").and_return("\nAuthenticationAuthority: ;ShadowHash; ;DisabledUser;\n")
+      @provider.should_receive(:safe_dscl).with("create /Users/toor AuthenticationAuthority ';ShadowHash;'")
+      @provider.unlock_user
+    end
+  end
+end