chef 11.18.12 → 12.0.0.alpha.0

data/lib/chef/provider/remote_directory.rb

@@ -40,7 +40,6 @@ class Chef
                                    name !~ /(?:^|#{Regexp.escape(::File::SEPARATOR)})\.\.?$/
                                  end)
 
-
         files_to_transfer.each do |cookbook_file_relative_path|
           create_cookbook_file(cookbook_file_relative_path)
           # the file is removed from the purge list

data/lib/chef/provider/remote_file.rb

@@ -50,4 +50,3 @@ class Chef
     end
   end
 end
-

data/lib/chef/provider/remote_file/cache_control_data.rb

@@ -140,7 +140,7 @@ class Chef
 
         def load_data
           Chef::JSONCompat.from_json(load_json_data)
-        rescue Chef::Exceptions::FileNotFound, FFI_Yajl::ParseError, Chef::Exceptions::JSON::ParseError
+        rescue Chef::Exceptions::FileNotFound, FFI_Yajl::ParseError, JSON::ParserError
           false
         end
 
@@ -161,5 +161,3 @@ class Chef
     end
   end
 end
-
-

data/lib/chef/provider/remote_file/content.rb

@@ -17,7 +17,6 @@
 # limitations under the License.
 #
 
-require 'rest_client'
 require 'uri'
 require 'tempfile'
 require 'chef/file_content_management/content_base'

data/lib/chef/provider/remote_file/fetcher.rb

@@ -17,7 +17,6 @@
 # limitations under the License.
 #
 
-
 class Chef
   class Provider
     class RemoteFile
@@ -40,4 +39,3 @@ class Chef
     end
   end
 end
-

data/lib/chef/provider/remote_file/ftp.rb

@@ -81,7 +81,6 @@ class Chef
           @filename
         end
 
-
         def fetch
           with_connection do
             get

data/lib/chef/provider/resource_update.rb

@@ -50,6 +50,3 @@ class Chef
     end
   end
 end
-
-
-

data/lib/chef/provider/service/freebsd.rb

@@ -16,7 +16,6 @@
 # limitations under the License.
 #
 
-require 'chef/mixin/shell_out'
 require 'chef/resource/service'
 require 'chef/provider/service/init'
 require 'chef/mixin/command'
@@ -26,8 +25,6 @@ class Chef
     class Service
       class Freebsd < Chef::Provider::Service::Init
 
-        include Chef::Mixin::ShellOut
-
         def load_current_resource
           @current_resource = Chef::Resource::Service.new(@new_resource.name)
           @current_resource.service_name(@new_resource.service_name)

data/lib/chef/provider/service/init.rb

@@ -16,7 +16,6 @@
 # limitations under the License.
 #
 
-require 'chef/mixin/shell_out'
 require 'chef/provider/service/simple'
 require 'chef/mixin/command'
 
@@ -25,8 +24,6 @@ class Chef
     class Service
       class Init < Chef::Provider::Service::Simple
 
-        include Chef::Mixin::ShellOut
-
         def initialize(new_resource, run_context)
           super
           @init_command = "/etc/init.d/#{@new_resource.service_name}"

data/lib/chef/provider/service/macosx.rb

@@ -24,7 +24,6 @@ class Chef
   class Provider
     class Service
       class Macosx < Chef::Provider::Service::Simple
-        include Chef::Mixin::ShellOut
 
         def self.gather_plist_dirs
           locations = %w{/Library/LaunchAgents

data/lib/chef/provider/service/redhat.rb

@@ -17,13 +17,11 @@
 #
 
 require 'chef/provider/service/init'
-require 'chef/mixin/shell_out'
 
 class Chef
   class Provider
     class Service
       class Redhat < Chef::Provider::Service::Init
-        include Chef::Mixin::ShellOut
 
         CHKCONFIG_ON = /\d:on/
         CHKCONFIG_MISSING = /No such/

data/lib/chef/provider/service/simple.rb

@@ -16,7 +16,6 @@
 # limitations under the License.
 #
 
-require 'chef/mixin/shell_out'
 require 'chef/provider/service'
 require 'chef/resource/service'
 require 'chef/mixin/command'
@@ -26,8 +25,6 @@ class Chef
     class Service
       class Simple < Chef::Provider::Service
 
-        include Chef::Mixin::ShellOut
-
         def load_current_resource
           @current_resource = Chef::Resource::Service.new(@new_resource.name)
           @current_resource.service_name(@new_resource.service_name)

data/lib/chef/provider/service/solaris.rb

@@ -16,7 +16,6 @@
 # limitations under the License.
 #
 
-require 'chef/mixin/shell_out'
 require 'chef/provider/service'
 require 'chef/resource/service'
 require 'chef/mixin/command'
@@ -25,7 +24,6 @@ class Chef
   class Provider
     class Service
       class Solaris < Chef::Provider::Service
-        include Chef::Mixin::ShellOut
         attr_reader :maintenance
 
         def initialize(new_resource, run_context=nil)
@@ -35,7 +33,6 @@ class Chef
           @maintenace     = false
         end
 
-
         def load_current_resource
           @current_resource = Chef::Resource::Service.new(@new_resource.name)
           @current_resource.service_name(@new_resource.service_name)

data/lib/chef/provider/service/systemd.rb

@@ -18,7 +18,6 @@
 
 require 'chef/resource/service'
 require 'chef/provider/service/simple'
-require 'chef/mixin/command'
 
 class Chef::Provider::Service::Systemd < Chef::Provider::Service::Simple
   def load_current_resource
@@ -29,11 +28,9 @@ class Chef::Provider::Service::Systemd < Chef::Provider::Service::Simple
     if @new_resource.status_command
       Chef::Log.debug("#{@new_resource} you have specified a status command, running..")
 
-      begin
-        if run_command_with_systems_locale(:command => @new_resource.status_command) == 0
-          @current_resource.running(true)
-        end
-      rescue Chef::Exceptions::Exec
+      unless shell_out_with_systems_locale(@new_resource.status_command).error?
+        @current_resource.running(true)
+      else
         @status_check_success = false
         @current_resource.running(false)
         @current_resource.enabled(false)
@@ -64,7 +61,7 @@ class Chef::Provider::Service::Systemd < Chef::Provider::Service::Simple
       if @new_resource.start_command
         super
       else
-        run_command_with_systems_locale(:command => "/bin/systemctl start #{@new_resource.service_name}")
+        shell_out_with_systems_locale("/bin/systemctl start #{@new_resource.service_name}")
       end
     end
   end
@@ -76,7 +73,7 @@ class Chef::Provider::Service::Systemd < Chef::Provider::Service::Simple
       if @new_resource.stop_command
         super
       else
-        run_command_with_systems_locale(:command => "/bin/systemctl stop #{@new_resource.service_name}")
+        shell_out_with_systems_locale("/bin/systemctl stop #{@new_resource.service_name}")
       end
     end
   end
@@ -85,7 +82,7 @@ class Chef::Provider::Service::Systemd < Chef::Provider::Service::Simple
     if @new_resource.restart_command
       super
     else
-      run_command_with_systems_locale(:command => "/bin/systemctl restart #{@new_resource.service_name}")
+      shell_out_with_systems_locale("/bin/systemctl restart #{@new_resource.service_name}")
     end
   end
 
@@ -93,23 +90,27 @@ class Chef::Provider::Service::Systemd < Chef::Provider::Service::Simple
     if @new_resource.reload_command
       super
     else
-      run_command_with_systems_locale(:command => "/bin/systemctl reload #{@new_resource.service_name}")
+      if @current_resource.running
+        shell_out_with_systems_locale("/bin/systemctl reload #{@new_resource.service_name}")
+      else
+        start_service
+      end
     end
   end
 
   def enable_service
-    run_command_with_systems_locale(:command => "/bin/systemctl enable #{@new_resource.service_name}")
+    shell_out_with_systems_locale("/bin/systemctl enable #{@new_resource.service_name}")
   end
 
   def disable_service
-    run_command_with_systems_locale(:command => "/bin/systemctl disable #{@new_resource.service_name}")
+    shell_out_with_systems_locale("/bin/systemctl disable #{@new_resource.service_name}")
   end
 
   def is_active?
-    run_command_with_systems_locale({:command => "/bin/systemctl is-active #{@new_resource.service_name}", :ignore_failure => true}) == 0
+    shell_out_with_systems_locale("/bin/systemctl is-active #{@new_resource.service_name} --quiet").exitstatus == 0
   end
 
   def is_enabled?
-    run_command_with_systems_locale({:command => "/bin/systemctl is-enabled #{@new_resource.service_name}", :ignore_failure => true}) == 0
+    shell_out_with_systems_locale("/bin/systemctl is-enabled #{@new_resource.service_name} --quiet").exitstatus == 0
   end
 end

data/lib/chef/provider/service/windows.rb

@@ -18,7 +18,6 @@
 # limitations under the License.
 #
 
-require 'chef/mixin/shell_out'
 require 'chef/provider/service/simple'
 if RUBY_PLATFORM =~ /mswin|mingw32|windows/
   require 'win32/service'
@@ -26,8 +25,6 @@ end
 
 class Chef::Provider::Service::Windows < Chef::Provider::Service
 
-  include Chef::Mixin::ShellOut
-
   #Win32::Service.get_start_type
   AUTO_START = 'auto start'
   DISABLED = 'disabled'

data/lib/chef/provider/subversion.rb

@@ -16,7 +16,6 @@
 # limitations under the License.
 #
 
-
 #TODO subversion and git should both extend from a base SCM provider.
 
 require 'chef/log'
@@ -199,7 +198,6 @@ class Chef
         ['svn', *args].compact.join(" ")
       end
 
-
       def target_dir_non_existent_or_empty?
         !::File.exist?(@new_resource.destination) || Dir.entries(@new_resource.destination).sort == ['.','..']
       end

data/lib/chef/provider/template.rb

@@ -22,7 +22,6 @@ require 'chef/provider/file'
 require 'chef/deprecation/provider/template'
 require 'chef/deprecation/warnings'
 
-
 class Chef
   class Provider
     class Template < Chef::Provider::File
@@ -63,4 +62,3 @@ class Chef
     end
   end
 end
-

data/lib/chef/provider/template/content.rb

@@ -58,4 +58,3 @@ class Chef
     end
   end
 end
-

data/lib/chef/provider/user/dscl.rb

@@ -16,214 +16,40 @@
 # limitations under the License.
 #
 
-require 'mixlib/shellout'
 require 'chef/provider/user'
 require 'openssl'
-require 'plist'
 
 class Chef
   class Provider
     class User
-      #
-      # The most tricky bit of this provider is the way it deals with user passwords.
-      # Mac OS X has different password shadow calculations based on the version.
-      # < 10.7  => password shadow calculation format SALTED-SHA1
-      #         => stored in: /var/db/shadow/hash/#{guid}
-      #         => shadow binary length 68 bytes
-      #         => First 4 bytes salt / Next 64 bytes shadow value
-      # = 10.7  => password shadow calculation format SALTED-SHA512
-      #         => stored in: /var/db/dslocal/nodes/Default/users/#{name}.plist
-      #         => shadow binary length 68 bytes
-      #         => First 4 bytes salt / Next 64 bytes shadow value
-      # > 10.7  => password shadow calculation format SALTED-SHA512-PBKDF2
-      #         => stored in: /var/db/dslocal/nodes/Default/users/#{name}.plist
-      #         => shadow binary length 128 bytes
-      #         => Salt / Iterations are stored seperately in the same file
-      #
-      # This provider only supports Mac OSX versions 10.7 and above
       class Dscl < Chef::Provider::User
-        include Chef::Mixin::ShellOut
 
-        def define_resource_requirements
-          super
-
-          requirements.assert(:all_actions) do |a|
-            a.assertion { mac_osx_version_less_than_10_7? == false }
-            a.failure_message(Chef::Exceptions::User, "Chef::Provider::User::Dscl only supports Mac OS X versions 10.7 and above.")
-          end
-
-          requirements.assert(:all_actions) do |a|
-            a.assertion { ::File.exists?("/usr/bin/dscl") }
-            a.failure_message(Chef::Exceptions::User, "Cannot find binary '/usr/bin/dscl' on the system for #{@new_resource}!")
-          end
-
-          requirements.assert(:all_actions) do |a|
-            a.assertion { ::File.exists?("/usr/bin/plutil") }
-            a.failure_message(Chef::Exceptions::User, "Cannot find binary '/usr/bin/plutil' on the system for #{@new_resource}!")
-          end
-
-          requirements.assert(:create, :modify, :manage) do |a|
-            a.assertion do
-              if @new_resource.password && mac_osx_version_greater_than_10_7?
-                # SALTED-SHA512 password shadow hashes are not supported on 10.8 and above.
-                !salted_sha512?(@new_resource.password)
-              else
-                true
-              end
-            end
-            a.failure_message(Chef::Exceptions::User, "SALTED-SHA512 passwords are not supported on Mac 10.8 and above. \
-If you want to set the user password using shadow info make sure you specify a SALTED-SHA512-PBKDF2 shadow hash \
-in 'password', with the associated 'salt' and 'iterations'.")
-          end
-
-          requirements.assert(:create, :modify, :manage) do |a|
-            a.assertion do
-              if @new_resource.password && mac_osx_version_greater_than_10_7? && salted_sha512_pbkdf2?(@new_resource.password)
-                # salt and iterations should be specified when
-                # SALTED-SHA512-PBKDF2 password shadow hash is given
-                !@new_resource.salt.nil? && !@new_resource.iterations.nil?
-              else
-                true
-              end
-            end
-            a.failure_message(Chef::Exceptions::User, "SALTED-SHA512-PBKDF2 shadow hash is given without associated \
-'salt' and 'iterations'. Please specify 'salt' and 'iterations' in order to set the user password using shadow hash.")
-          end
-
-          requirements.assert(:create, :modify, :manage) do |a|
-            a.assertion do
-              if @new_resource.password && !mac_osx_version_greater_than_10_7?
-                # On 10.7 SALTED-SHA512-PBKDF2 is not supported
-                !salted_sha512_pbkdf2?(@new_resource.password)
-              else
-                true
-              end
-            end
-            a.failure_message(Chef::Exceptions::User, "SALTED-SHA512-PBKDF2 shadow hashes are not supported on \
-Mac OS X version 10.7. Please specify a SALTED-SHA512 shadow hash in 'password' attribute to set the \
-user password using shadow hash.")
-          end
+        NFS_HOME_DIRECTORY        = %r{^NFSHomeDirectory: (.*)$}
+        AUTHENTICATION_AUTHORITY  = %r{^AuthenticationAuthority: (.*)$}
 
+        def dscl(*args)
+          shell_out("dscl . -#{args.join(' ')}")
         end
 
-        def load_current_resource
-          @current_resource = Chef::Resource::User.new(@new_resource.username)
-          @current_resource.username(@new_resource.username)
-
-          @user_info = read_user_info
-          if @user_info
-            @current_resource.uid(dscl_get(@user_info, :uid))
-            @current_resource.gid(dscl_get(@user_info, :gid))
-            @current_resource.home(dscl_get(@user_info, :home))
-            @current_resource.shell(dscl_get(@user_info, :shell))
-            @current_resource.comment(dscl_get(@user_info, :comment))
-            @authentication_authority = dscl_get(@user_info, :auth_authority)
-
-            if @new_resource.password && dscl_get(@user_info, :password) == "********"
-              # A password is set. Let's get the password information from shadow file
-              shadow_hash_binary = dscl_get(@user_info, :shadow_hash)
-
-              # Calling shell_out directly since we want to give an input stream
-              shadow_hash_xml = convert_binary_plist_to_xml(shadow_hash_binary.string)
-              shadow_hash = Plist::parse_xml(shadow_hash_xml)
-
-              if shadow_hash["SALTED-SHA512"]
-                # Convert the shadow value from Base64 encoding to hex before consuming them
-                @password_shadow_conversion_algorithm = "SALTED-SHA512"
-                @current_resource.password(shadow_hash["SALTED-SHA512"].string.unpack('H*').first)
-              elsif shadow_hash["SALTED-SHA512-PBKDF2"]
-                @password_shadow_conversion_algorithm = "SALTED-SHA512-PBKDF2"
-                # Convert the entropy from Base64 encoding to hex before consuming them
-                @current_resource.password(shadow_hash["SALTED-SHA512-PBKDF2"]["entropy"].string.unpack('H*').first)
-                @current_resource.iterations(shadow_hash["SALTED-SHA512-PBKDF2"]["iterations"])
-                # Convert the salt from Base64 encoding to hex before consuming them
-                @current_resource.salt(shadow_hash["SALTED-SHA512-PBKDF2"]["salt"].string.unpack('H*').first)
-              else
-                raise(Chef::Exceptions::User,"Unknown shadow_hash format: #{shadow_hash.keys.join(' ')}")
-              end
-            end
-
-            convert_group_name if @new_resource.gid
-          else
-            @user_exists = false
-            Chef::Log.debug("#{@new_resource} user does not exist")
-          end
-
-          @current_resource
-        end
-
-        #
-        # Provider Actions
-        #
-
-        def create_user
-          dscl_create_user
-          # set_password modifies the plist file of the user directly. So update
-          # the password first before making any modifications to the user.
-          set_password
-          dscl_create_comment
-          dscl_set_uid
-          dscl_set_gid
-          dscl_set_home
-          dscl_set_shell
-        end
-
-        def manage_user
-          # set_password modifies the plist file of the user directly. So update
-          # the password first before making any modifications to the user.
-          set_password        if diverged_password?
-          dscl_create_user    if diverged?(:username)
-          dscl_create_comment if diverged?(:comment)
-          dscl_set_uid        if diverged?(:uid)
-          dscl_set_gid        if diverged?(:gid)
-          dscl_set_home       if diverged?(:home)
-          dscl_set_shell      if diverged?(:shell)
-        end
-
-        #
-        # Action Helpers
-        #
-
-        #
-        # Create a user using dscl
-        #
-        def dscl_create_user
-          run_dscl("create /Users/#{@new_resource.username}")
-        end
-
-        #
-        # Saves the specified Chef user `comment` into RealName attribute
-        # of Mac user.
-        #
-        def dscl_create_comment
-          run_dscl("create /Users/#{@new_resource.username} RealName '#{@new_resource.comment}'")
+        def safe_dscl(*args)
+          result = dscl(*args)
+          return "" if ( args.first =~ /^delete/ ) && ( result.exitstatus != 0 )
+          raise(Chef::Exceptions::DsclCommandFailed,"dscl error: #{result.inspect}") unless result.exitstatus == 0
+          raise(Chef::Exceptions::DsclCommandFailed,"dscl error: #{result.inspect}") if result.stdout =~ /No such key: /
+          return result.stdout
         end
 
-        #
-        # Sets the user id for the user using dscl.
-        # If a `uid` is not specified, it finds the next available one starting
-        # from 200 if `system` is set, 500 otherwise.
-        #
-        def dscl_set_uid
-          @new_resource.uid(get_free_uid) if (@new_resource.uid.nil? || @new_resource.uid == '')
-
-          if uid_used?(@new_resource.uid)
-            raise(Chef::Exceptions::RequestedUIDUnavailable, "uid #{@new_resource.uid} is already in use")
-          end
-
-          run_dscl("create /Users/#{@new_resource.username} UniqueID #{@new_resource.uid}")
-        end
+        # This is handled in providers/group.rb by Etc.getgrnam()
+        # def user_exists?(user)
+        #   users = safe_dscl("list /Users")
+        #   !! ( users =~ Regexp.new("\n#{user}\n") )
+        # end
 
-        #
-        # Find the next available uid on the system. starting with 200 if `system` is set,
-        # 500 otherwise.
-        #
+        # get a free UID greater than 200
         def get_free_uid(search_limit=1000)
-          uid = nil
-          base_uid = @new_resource.system ? 200 : 500
-          next_uid_guess = base_uid
-          users_uids = run_dscl("list /Users uid")
-          while(next_uid_guess < search_limit + base_uid)
+          uid = nil; next_uid_guess = 200
+          users_uids = safe_dscl("list /Users uid")
+          while(next_uid_guess < search_limit + 200)
             if users_uids =~ Regexp.new("#{Regexp.escape(next_uid_guess.to_s)}\n")
               next_uid_guess += 1
             else
@@ -234,41 +60,22 @@ user password using shadow hash.")
           return uid || raise("uid not found. Exhausted. Searched #{search_limit} times")
         end
 
-        #
-        # Returns true if uid is in use by a different account, false otherwise.
-        #
         def uid_used?(uid)
           return false unless uid
-          users_uids = run_dscl("list /Users uid")
+          users_uids = safe_dscl("list /Users uid")
           !! ( users_uids =~ Regexp.new("#{Regexp.escape(uid.to_s)}\n") )
         end
 
-        #
-        # Sets the group id for the user using dscl. Fails if a group doesn't
-        # exist on the system with given group id.
-        #
-        def dscl_set_gid
-          unless @new_resource.gid && @new_resource.gid.to_s.match(/^\d+$/)
-            begin
-              possible_gid = run_dscl("read /Groups/#{@new_resource.gid} PrimaryGroupID").split(" ").last
-            rescue Chef::Exceptions::DsclCommandFailed => e
-              raise Chef::Exceptions::GroupIDNotFound.new("Group not found for #{@new_resource.gid} when creating user #{@new_resource.username}")
-            end
-            @new_resource.gid(possible_gid) if possible_gid && possible_gid.match(/^\d+$/)
+        def set_uid
+          @new_resource.uid(get_free_uid) if (@new_resource.uid.nil? || @new_resource.uid == '')
+          if uid_used?(@new_resource.uid)
+            raise(Chef::Exceptions::RequestedUIDUnavailable, "uid #{@new_resource.uid} is already in use")
           end
-          run_dscl("create /Users/#{@new_resource.username} PrimaryGroupID '#{@new_resource.gid}'")
+          safe_dscl("create /Users/#{@new_resource.username} UniqueID #{@new_resource.uid}")
         end
 
-        #
-        # Sets the home directory for the user. If `:manage_home` is set home
-        # directory is managed (moved / created) for the user.
-        #
-        def dscl_set_home
-          if @new_resource.home.nil? || @new_resource.home.empty?
-            run_dscl("delete /Users/#{@new_resource.username} NFSHomeDirectory")
-            return
-          end
-
+        def modify_home
+          return safe_dscl("delete /Users/#{@new_resource.username} NFSHomeDirectory") if (@new_resource.home.nil? || @new_resource.home.empty?)
           if @new_resource.supports[:manage_home]
             validate_home_dir_specification!
 
@@ -280,399 +87,199 @@ user password using shadow hash.")
               move_home
             end
           end
-          run_dscl("create /Users/#{@new_resource.username} NFSHomeDirectory '#{@new_resource.home}'")
+          safe_dscl("create /Users/#{@new_resource.username} NFSHomeDirectory '#{@new_resource.home}'")
         end
 
-        def validate_home_dir_specification!
-          unless @new_resource.home =~ /^\//
-            raise(Chef::Exceptions::InvalidHomeDirectory,"invalid path spec for User: '#{@new_resource.username}', home directory: '#{@new_resource.home}'")
-          end
+        def osx_shadow_hash?(string)
+          return !! ( string =~ /^[[:xdigit:]]{1240}$/ )
         end
 
-        def current_home_exists?
-          ::File.exist?("#{@current_resource.home}")
+        def osx_salted_sha1?(string)
+          return !! ( string =~ /^[[:xdigit:]]{48}$/ )
         end
 
-        def new_home_exists?
-          ::File.exist?("#{@new_resource.home}")
-        end
-
-        def ditto_home
-          skel = "/System/Library/User Template/English.lproj"
-          raise(Chef::Exceptions::User,"can't find skel at: #{skel}") unless ::File.exists?(skel)
-          shell_out! "ditto '#{skel}' '#{@new_resource.home}'"
-          ::FileUtils.chown_R(@new_resource.username,@new_resource.gid.to_s,@new_resource.home)
-        end
-
-        def move_home
-          Chef::Log.debug("#{@new_resource} moving #{self} home from #{@current_resource.home} to #{@new_resource.home}")
-
-          src = @current_resource.home
-          FileUtils.mkdir_p(@new_resource.home)
-          files = ::Dir.glob("#{src}/*", ::File::FNM_DOTMATCH) - ["#{src}/.","#{src}/.."]
-          ::FileUtils.mv(files,@new_resource.home, :force => true)
-          ::FileUtils.rmdir(src)
-          ::FileUtils.chown_R(@new_resource.username,@new_resource.gid.to_s,@new_resource.home)
+        def guid
+          safe_dscl("read /Users/#{@new_resource.username} GeneratedUID").gsub(/GeneratedUID: /,"").strip
         end
 
-        #
-        # Sets the shell for the user using dscl.
-        #
-        def dscl_set_shell
-          if @new_resource.shell || ::File.exists?("#{@new_resource.shell}")
-            run_dscl("create /Users/#{@new_resource.username} UserShell '#{@new_resource.shell}'")
+        def shadow_hash_set?
+          user_data = safe_dscl("read /Users/#{@new_resource.username}")
+          if user_data =~ /AuthenticationAuthority: / && user_data =~ /ShadowHash/
+            true
           else
-            run_dscl("create /Users/#{@new_resource.username} UserShell '/usr/bin/false'")
+            false
           end
         end
 
-        #
-        # Sets the password for the user based on given password parameters.
-        # Chef supports specifying plain-text passwords and password shadow
-        # hash data.
-        #
-        def set_password
-          # Return if there is no password to set
-          return if @new_resource.password.nil?
-
-          shadow_info = prepare_password_shadow_info
-
-          # Shadow info is saved as binary plist. Convert the info to binary plist.
-          shadow_info_binary = StringIO.new
-          command = Mixlib::ShellOut.new("plutil -convert binary1 -o - -",
-            :input => shadow_info.to_plist, :live_stream => shadow_info_binary)
-          command.run_command
-
-          if @user_info.nil?
-            # User is  just created. read_user_info() will read the fresh information
-            # for the user with a cache flush. However with experimentation we've seen
-            # that dscl cache is not immediately updated after the creation of the user
-            # This is odd and needs to be investigated further.
-            sleep 3
-            @user_info = read_user_info
-          end
-
-          # Replace the shadow info in user's plist
-          dscl_set(@user_info, :shadow_hash, shadow_info_binary)
-          save_user_info(@user_info)
-        end
+        def modify_password
+          if @new_resource.password
+            shadow_hash = nil
 
-        #
-        # Prepares the password shadow info based on the platform version.
-        #
-        def prepare_password_shadow_info
-          shadow_info = { }
-          entropy = nil
-          salt = nil
-          iterations = nil
-
-          if mac_osx_version_10_7?
-            hash_value = if salted_sha512?(@new_resource.password)
-              @new_resource.password
+            Chef::Log.debug("#{new_resource} updating password")
+            if osx_shadow_hash?(@new_resource.password)
+              shadow_hash = @new_resource.password.upcase
             else
-              # Create a random 4 byte salt
-              salt = OpenSSL::Random.random_bytes(4)
-              encoded_password = OpenSSL::Digest::SHA512.hexdigest(salt + @new_resource.password)
-              hash_value = salt.unpack('H*').first + encoded_password
+              if osx_salted_sha1?(@new_resource.password)
+                salted_sha1 = @new_resource.password.upcase
+              else
+                hex_salt = ""
+                OpenSSL::Random.random_bytes(10).each_byte { |b| hex_salt << b.to_i.to_s(16) }
+                hex_salt = hex_salt.slice(0...8)
+                salt = [hex_salt].pack("H*")
+                sha1 = ::OpenSSL::Digest::SHA1.hexdigest(salt+@new_resource.password)
+                salted_sha1 = (hex_salt+sha1).upcase
+              end
+              shadow_hash = String.new("00000000"*155)
+              shadow_hash[168] = salted_sha1
             end
 
-            shadow_info["SALTED-SHA512"] = StringIO.new
-            shadow_info["SALTED-SHA512"].string = convert_to_binary(hash_value)
-            shadow_info
-          else
-            if salted_sha512_pbkdf2?(@new_resource.password)
-              entropy = convert_to_binary(@new_resource.password)
-              salt = convert_to_binary(@new_resource.salt)
-              iterations = @new_resource.iterations
-            else
-              salt = OpenSSL::Random.random_bytes(32)
-              iterations = @new_resource.iterations # Use the default if not specified by the user
-
-              entropy = OpenSSL::PKCS5::pbkdf2_hmac(
-                @new_resource.password,
-                salt,
-                iterations,
-                128,
-                OpenSSL::Digest::SHA512.new
-              )
+            ::File.open("/var/db/shadow/hash/#{guid}",'w',0600) do |output|
+              output.puts shadow_hash
             end
 
-            pbkdf_info = { }
-            pbkdf_info["entropy"] = StringIO.new
-            pbkdf_info["entropy"].string = entropy
-            pbkdf_info["salt"] = StringIO.new
-            pbkdf_info["salt"].string = salt
-            pbkdf_info["iterations"] = iterations
-
-            shadow_info["SALTED-SHA512-PBKDF2"] = pbkdf_info
-          end
-
-          shadow_info
-        end
-
-        #
-        # Removes the user from the system after removing user from his groups
-        # and deleting home directory if needed.
-        #
-        def remove_user
-          if @new_resource.supports[:manage_home]
-            # Remove home directory
-            FileUtils.rm_rf(@current_resource.home)
-          end
-
-          # Remove the user from its groups
-          run_dscl("list /Groups").each_line do |group|
-            if member_of_group?(group.chomp)
-              run_dscl("delete /Groups/#{group.chomp} GroupMembership '#{@new_resource.username}'")
+            unless shadow_hash_set?
+              safe_dscl("append /Users/#{@new_resource.username} AuthenticationAuthority ';ShadowHash;'")
             end
           end
-
-          # Remove user account
-          run_dscl("delete /Users/#{@new_resource.username}")
         end
 
-        #
-        # Locks the user.
-        #
-        def lock_user
-          run_dscl("append /Users/#{@new_resource.username} AuthenticationAuthority ';DisabledUser;'")
-        end
-
-        #
-        # Unlocks the user
-        #
-        def unlock_user
-          auth_string = @authentication_authority.gsub(/AuthenticationAuthority: /,"").gsub(/;DisabledUser;/,"").strip
-          run_dscl("create /Users/#{@new_resource.username} AuthenticationAuthority '#{auth_string}'")
+        def load_current_resource
+          super
+          raise Chef::Exceptions::User, "Could not find binary /usr/bin/dscl for #{@new_resource}" unless ::File.exists?("/usr/bin/dscl")
         end
 
-        #
-        # Returns true if the user is locked, false otherwise.
-        #
-        def locked?
-          if @authentication_authority
-            !!(@authentication_authority =~ /DisabledUser/ )
-          else
-            false
-          end
+        def create_user
+          dscl_create_user
+          dscl_create_comment
+          set_uid
+          dscl_set_gid
+          modify_home
+          dscl_set_shell
+          modify_password
         end
 
-        #
-        # This is the interface base User provider requires to provide idempotency.
-        #
-        def check_lock
-          return @locked = locked?
+        def manage_user
+          dscl_create_user    if diverged?(:username)
+          dscl_create_comment if diverged?(:comment)
+          set_uid             if diverged?(:uid)
+          dscl_set_gid        if diverged?(:gid)
+          modify_home         if diverged?(:home)
+          dscl_set_shell      if diverged?(:shell)
+          modify_password     if diverged?(:password)
         end
 
-        #
-        # Helper functions
-        #
-
-        #
-        # Returns true if the system state and desired state is different for
-        # given attribute.
-        #
-        def diverged?(parameter)
-          parameter_updated?(parameter) && (not @new_resource.send(parameter).nil?)
+        def dscl_create_user
+          safe_dscl("create /Users/#{@new_resource.username}")
         end
 
-        def parameter_updated?(parameter)
-          not (@new_resource.send(parameter) == @current_resource.send(parameter))
+        def dscl_create_comment
+          safe_dscl("create /Users/#{@new_resource.username} RealName '#{@new_resource.comment}'")
         end
 
-        #
-        # We need a special check function for password since we support both
-        # plain text and shadow hash data.
-        #
-        # Checks if password needs update based on platform version and the
-        # type of the password specified.
-        #
-        def diverged_password?
-          return false if @new_resource.password.nil?
-
-          # Dscl provider supports both plain text passwords and shadow hashes.
-          if mac_osx_version_10_7?
-            if salted_sha512?(@new_resource.password)
-              diverged?(:password)
-            else
-              !salted_sha512_password_match?
-            end
-          else
-            # When a system is upgraded to a version 10.7+ shadow hashes of the users
-            # will be updated when the user logs in. So it's possible that we will have
-            # SALTED-SHA512 password in the current_resource. In that case we will force
-            # password to be updated.
-            return true if salted_sha512?(@current_resource.password)
-
-            if salted_sha512_pbkdf2?(@new_resource.password)
-              diverged?(:password) || diverged?(:salt) || diverged?(:iterations)
-            else
-              !salted_sha512_pbkdf2_password_match?
+        def dscl_set_gid
+          unless @new_resource.gid && @new_resource.gid.to_s.match(/^\d+$/)
+            begin
+              possible_gid = safe_dscl("read /Groups/#{@new_resource.gid} PrimaryGroupID").split(" ").last
+            rescue Chef::Exceptions::DsclCommandFailed => e
+              raise Chef::Exceptions::GroupIDNotFound.new("Group not found for #{@new_resource.gid} when creating user #{@new_resource.username}")
             end
+            @new_resource.gid(possible_gid) if possible_gid && possible_gid.match(/^\d+$/)
           end
+          safe_dscl("create /Users/#{@new_resource.username} PrimaryGroupID '#{@new_resource.gid}'")
         end
 
-        #
-        # Returns true if user is member of the specified group, false otherwise.
-        #
-        def member_of_group?(group_name)
-          membership_info = ""
-          begin
-            membership_info = run_dscl("read /Groups/#{group_name}")
-          rescue Chef::Exceptions::DsclCommandFailed
-            # Raised if the group doesn't contain any members
+        def dscl_set_shell
+          if @new_resource.password || ::File.exists?("#{@new_resource.shell}")
+            safe_dscl("create /Users/#{@new_resource.username} UserShell '#{@new_resource.shell}'")
+          else
+            safe_dscl("create /Users/#{@new_resource.username} UserShell '/usr/bin/false'")
           end
-          # Output is something like:
-          # GroupMembership: root admin etc
-          members = membership_info.split(" ")
-          members.shift # Get rid of GroupMembership: string
-          members.include?(@new_resource.username)
         end
 
-        #
-        # DSCL Helper functions
-        #
-
-        # A simple map of Chef's terms to DSCL's terms.
-        DSCL_PROPERTY_MAP = {
-          :uid => "generateduid",
-          :gid => "gid",
-          :home => "home",
-          :shell => "shell",
-          :comment => "realname",
-          :password => "passwd",
-          :auth_authority => "authentication_authority",
-          :shadow_hash => "ShadowHashData"
-        }.freeze
-
-        # Directory where the user plist files are stored for versions 10.7 and above
-        USER_PLIST_DIRECTORY = "/var/db/dslocal/nodes/Default/users".freeze
-
-        #
-        # Reads the user plist and returns a hash keyed with DSCL properties specified
-        # in DSCL_PROPERTY_MAP. Return nil if the user is not found.
-        #
-        def read_user_info
-          user_info = nil
-
-          # We flush the cache here in order to make sure that we read fresh information
-          # for the user. 
-          shell_out("dscacheutil '-flushcache'")
-
-          begin
-            user_plist_file = "#{USER_PLIST_DIRECTORY}/#{@new_resource.username}.plist"
-            user_plist_info = run_plutil("convert xml1 -o - #{user_plist_file}")
-            user_info = Plist::parse_xml(user_plist_info)
-          rescue Chef::Exceptions::PlistUtilCommandFailed
+        def remove_user
+          if @new_resource.supports[:manage_home]
+            user_info = safe_dscl("read /Users/#{@new_resource.username}")
+            if nfs_home_match = user_info.match(NFS_HOME_DIRECTORY)
+              #nfs_home = safe_dscl("read /Users/#{@new_resource.username} NFSHomeDirectory")
+              #nfs_home.gsub!(/NFSHomeDirectory: /,"").gsub!(/\n$/,"")
+              nfs_home = nfs_home_match[1]
+              FileUtils.rm_rf(nfs_home)
+            end
           end
-
-          user_info
-        end
-
-        #
-        # Saves the given hash keyed with DSCL properties specified
-        # in DSCL_PROPERTY_MAP to the disk.
-        #
-        def save_user_info(user_info)
-          user_plist_file = "#{USER_PLIST_DIRECTORY}/#{@new_resource.username}.plist"
-          Plist::Emit.save_plist(user_info, user_plist_file)
-          run_plutil("convert binary1 #{user_plist_file}")
-        end
-
-        #
-        # Sets a value in user information hash using Chef attributes as keys.
-        #
-        def dscl_set(user_hash, key, value)
-          raise "Unknown dscl key #{key}" unless DSCL_PROPERTY_MAP.keys.include?(key)
-          user_hash[DSCL_PROPERTY_MAP[key]] = [ value ]
-          user_hash
-        end
-
-        #
-        # Gets a value from user information hash using Chef attributes as keys.
-        #
-        def dscl_get(user_hash, key)
-          raise "Unknown dscl key #{key}" unless DSCL_PROPERTY_MAP.keys.include?(key)
-          # DSCL values are set as arrays
-          value = user_hash[DSCL_PROPERTY_MAP[key]]
-          value.nil? ? value : value.first
+          # remove the user from its groups
+          groups = []
+          Etc.group do |group|
+            groups << group.name if group.mem.include?(@new_resource.username)
+          end
+          groups.each do |group_name|
+            safe_dscl("delete /Groups/#{group_name} GroupMembership '#{@new_resource.username}'")
+          end
+          # remove user account
+          safe_dscl("delete /Users/#{@new_resource.username}")
         end
 
-        #
-        # System Helpets
-        #
-
-        def mac_osx_version
-          # This provider will only be invoked on node[:platform] == "mac_os_x"
-          # We do not check or assert that here.
-          node[:platform_version]
+        def locked?
+          user_info = safe_dscl("read /Users/#{@new_resource.username}")
+          if auth_authority_md = AUTHENTICATION_AUTHORITY.match(user_info)
+            !!(auth_authority_md[1] =~ /DisabledUser/ )
+          else
+            false
+          end
         end
 
-        def mac_osx_version_10_7?
-          mac_osx_version.start_with?("10.7.")
+        def check_lock
+          return @locked = locked?
         end
 
-        def mac_osx_version_less_than_10_7?
-          versions = mac_osx_version.split(".")
-          # Make integer comparison in order not to report 10.10 less than 10.7
-          (versions[0].to_i <= 10 && versions[1].to_i < 7)
+        def lock_user
+          safe_dscl("append /Users/#{@new_resource.username} AuthenticationAuthority ';DisabledUser;'")
         end
 
-        def mac_osx_version_greater_than_10_7?
-          versions = mac_osx_version.split(".")
-          # Make integer comparison in order not to report 10.10 less than 10.7
-          (versions[0].to_i >= 10 && versions[1].to_i > 7)
+        def unlock_user
+          auth_info = safe_dscl("read /Users/#{@new_resource.username} AuthenticationAuthority")
+          auth_string = auth_info.gsub(/AuthenticationAuthority: /,"").gsub(/;DisabledUser;/,"").strip#.gsub!(/[; ]*$/,"")
+          safe_dscl("create /Users/#{@new_resource.username} AuthenticationAuthority '#{auth_string}'")
         end
 
-        def run_dscl(*args)
-          result = shell_out("dscl . -#{args.join(' ')}")
-          return "" if ( args.first =~ /^delete/ ) && ( result.exitstatus != 0 )
-          raise(Chef::Exceptions::DsclCommandFailed,"dscl error: #{result.inspect}") unless result.exitstatus == 0
-          raise(Chef::Exceptions::DsclCommandFailed,"dscl error: #{result.inspect}") if result.stdout =~ /No such key: /
-          result.stdout
+        def validate_home_dir_specification!
+          unless @new_resource.home =~ /^\//
+            raise(Chef::Exceptions::InvalidHomeDirectory,"invalid path spec for User: '#{@new_resource.username}', home directory: '#{@new_resource.home}'")
+          end
         end
 
-        def run_plutil(*args)
-          result = shell_out("plutil -#{args.join(' ')}")
-          raise(Chef::Exceptions::PlistUtilCommandFailed,"plutil error: #{result.inspect}") unless result.exitstatus == 0
-          result.stdout
+        def current_home_exists?
+          ::File.exist?("#{@current_resource.home}")
         end
 
-        def convert_binary_plist_to_xml(binary_plist_string)
-          Mixlib::ShellOut.new("plutil -convert xml1 -o - -", :input => binary_plist_string).run_command.stdout
+        def new_home_exists?
+          ::File.exist?("#{@new_resource.home}")
         end
 
-        def convert_to_binary(string)
-          string.unpack('a2'*(string.size/2)).collect { |i| i.hex.chr }.join
+        def ditto_home
+          skel = "/System/Library/User Template/English.lproj"
+          raise(Chef::Exceptions::User,"can't find skel at: #{skel}") unless ::File.exists?(skel)
+          shell_out! "ditto '#{skel}' '#{@new_resource.home}'"
+          ::FileUtils.chown_R(@new_resource.username,@new_resource.gid.to_s,@new_resource.home)
         end
 
-        def salted_sha512?(string)
-          !!(string =~ /^[[:xdigit:]]{136}$/)
-        end
+        def move_home
+          Chef::Log.debug("#{@new_resource} moving #{self} home from #{@current_resource.home} to #{@new_resource.home}")
 
-        def salted_sha512_password_match?
-          # Salt is included in the first 4 bytes of shadow data
-          salt = @current_resource.password.slice(0,8)
-          shadow = OpenSSL::Digest::SHA512.hexdigest(convert_to_binary(salt) + @new_resource.password)
-          @current_resource.password == salt + shadow
+          src = @current_resource.home
+          FileUtils.mkdir_p(@new_resource.home)
+          files = ::Dir.glob("#{src}/*", ::File::FNM_DOTMATCH) - ["#{src}/.","#{src}/.."]
+          ::FileUtils.mv(files,@new_resource.home, :force => true)
+          ::FileUtils.rmdir(src)
+          ::FileUtils.chown_R(@new_resource.username,@new_resource.gid.to_s,@new_resource.home)
         end
 
-        def salted_sha512_pbkdf2?(string)
-          !!(string =~ /^[[:xdigit:]]{256}$/)
+        def diverged?(parameter)
+          parameter_updated?(parameter) && (not @new_resource.send(parameter).nil?)
         end
 
-        def salted_sha512_pbkdf2_password_match?
-          salt = convert_to_binary(@current_resource.salt)
-
-          OpenSSL::PKCS5::pbkdf2_hmac(
-            @new_resource.password,
-            salt,
-            @current_resource.iterations,
-            128,
-            OpenSSL::Digest::SHA512.new
-          ).unpack('H*').first == @current_resource.password
+        def parameter_updated?(parameter)
+          not (@new_resource.send(parameter) == @current_resource.send(parameter))
         end
-
       end
     end
   end