chef 11.4.4 → 11.6.0.hotfix.1

data/spec/functional/resource/registry_spec.rb

@@ -112,14 +112,18 @@ describe Chef::Resource::RegistryKey, :windows_only do
   #Reporting setup
   before do
     @node.name("windowsbox")
+
     @rest_client = mock("Chef::REST (mock)")
-    @rest_client.stub!(:create_url).and_return("reports/nodes/windowsbox/runs/ABC123");
+    @rest_client.stub!(:create_url).and_return("reports/nodes/windowsbox/runs/#{@run_id}");
     @rest_client.stub!(:raw_http_request).and_return({"result"=>"ok"});
-    @rest_client.stub!(:post_rest).and_return({"uri"=>"https://example.com/reports/nodes/windowsbox/runs/ABC123"});
+    @rest_client.stub!(:post_rest).and_return({"uri"=>"https://example.com/reports/nodes/windowsbox/runs/#{@run_id}"});
 
     @resource_reporter = Chef::ResourceReporter.new(@rest_client)
     @events.register(@resource_reporter)
-    @resource_reporter.node_load_completed(@node, :expanded_run_list, :config)
+    @run_id = @resource_reporter.run_id
+    @run_status = Chef::RunStatus.new(@node, @events)
+
+    @resource_reporter.run_started(@run_status)
 
     @new_resource.cookbook_name = "monkey"
     @cookbook_version = mock("Cookbook::Version", :version => "1.2.3")
@@ -537,7 +541,7 @@ describe Chef::Resource::RegistryKey, :windows_only do
       @report["resources"][0]["type"].should == "registry_key"
       @report["resources"][0]["name"].should == resource_name
       @report["resources"][0]["id"].should == reg_parent + '\ReportKey'
-      #Not testing for before or after values to match since 
+      #Not testing for before or after values to match since
       #after -> new_resource.values and
       #before -> current_resource.values
       @report["resources"][0]["result"].should == "delete_key"

data/spec/functional/resource/remote_directory_spec.rb

@@ -22,7 +22,7 @@ describe Chef::Resource::RemoteDirectory do
   include_context Chef::Resource::Directory
 
   let(:directory_base) { "directory_spec" }
-  let(:default_mode) { "755" }
+  let(:default_mode) { ((0100777 - File.umask) & 07777).to_s(8) }
 
   def create_resource
     cookbook_repo = File.expand_path(File.join(CHEF_SPEC_DATA, "cookbooks"))
@@ -48,7 +48,7 @@ describe Chef::Resource::RemoteDirectory do
     FileUtils.touch(@existing2)
   end
 
-  let!(:resource) do
+  let(:resource) do
     create_resource
   end
 

data/spec/functional/resource/remote_file_spec.rb

@@ -20,17 +20,22 @@ require 'spec_helper'
 require 'tiny_server'
 
 describe Chef::Resource::RemoteFile do
+
+  let(:file_cache_path) { Dir.mktmpdir }
+
+  before(:each) do
+    @old_file_cache = Chef::Config[:file_cache_path]
+    Chef::Config[:file_cache_path] = file_cache_path
+  end
+
+  after(:each) do
+    Chef::Config[:file_cache_path] = @old_file_cache
+    FileUtils.rm_rf(file_cache_path)
+  end
+
   include_context Chef::Resource::File
 
   let(:file_base) { "remote_file_spec" }
-  let(:source) { 'http://localhost:9000/nyan_cat.png' }
-  let(:expected_content) do
-    content = File.open(File.join(CHEF_SPEC_DATA, 'remote_file', 'nyan_cat.png'), "rb") do |f|
-      f.read
-    end
-    content.force_encoding(Encoding::BINARY) if content.respond_to?(:force_encoding)
-    content
-  end
 
   def create_resource
     node = Chef::Node.new
@@ -41,28 +46,14 @@ describe Chef::Resource::RemoteFile do
     resource
   end
 
-  let!(:resource) do
+  let(:resource) do
     create_resource
   end
 
-  let(:default_mode) do
-    # TODO: Lots of ugly here :(
-    # RemoteFile uses FileUtils.cp. FileUtils does a copy by opening the
-    # destination file and writing to it. Before 1.9.3, it does not preserve
-    # the mode of the copied file. In 1.9.3 and after, it does. So we have to
-    # figure out what the default mode ought to be via heuristic.
-
-    t = Tempfile.new("get-the-mode")
-    path = t.path
-    path_2 = t.path + "fileutils-mode-test"
-    FileUtils.cp(path, path_2)
-    t.close
-    m = File.stat(path_2).mode
-    (07777 & m).to_s(8)
-  end
+  let(:default_mode) { ((0100666 - File.umask) & 07777).to_s(8) }
 
-  before(:all) do
-    @server = TinyServer::Manager.new
+  def start_tiny_server(server_opts={})
+    @server = TinyServer::Manager.new(server_opts)
     @server.start
     @api = TinyServer::API.instance
     @api.clear
@@ -71,13 +62,90 @@ describe Chef::Resource::RemoteFile do
         f.read
       end
     }
+    @api.get("/nyan_cat.png.gz", 200, nil, { 'Content-Type' => 'application/gzip', 'Content-Encoding' => 'gzip' } ) {
+      File.open(File.join(CHEF_SPEC_DATA, 'remote_file', 'nyan_cat.png.gz'), "rb") do |f|
+        f.read
+      end
+    }
   end
 
-  after(:all) do
+  def stop_tiny_server
     @server.stop
+    @server = @api = nil
   end
 
-  it_behaves_like "a file resource"
+  context "when fetching files over HTTP" do
+    before(:all) do
+      start_tiny_server
+    end
+
+    after(:all) do
+      stop_tiny_server
+    end
+
+    context "when using normal encoding" do
+      let(:source) { 'http://localhost:9000/nyan_cat.png' }
+      let(:expected_content) do
+        content = File.open(File.join(CHEF_SPEC_DATA, 'remote_file', 'nyan_cat.png'), "rb") do |f|
+          f.read
+        end
+        content.force_encoding(Encoding::BINARY) if content.respond_to?(:force_encoding)
+        content
+      end
+
+      it_behaves_like "a file resource"
+
+      it_behaves_like "a securable resource with reporting"
+    end
+
+    context "when using gzip encoding" do
+      let(:source) { 'http://localhost:9000/nyan_cat.png.gz' }
+      let(:expected_content) do
+        content = File.open(File.join(CHEF_SPEC_DATA, 'remote_file', 'nyan_cat.png.gz'), "rb") do |f|
+          f.read
+        end
+        content.force_encoding(Encoding::BINARY) if content.respond_to?(:force_encoding)
+        content
+      end
+
+      it_behaves_like "a file resource"
+
+      it_behaves_like "a securable resource with reporting"
+    end
+  end
+
+  context "when fetching files over HTTPS" do
+
+    before(:all) do
+      cert_text = File.read(File.expand_path("ssl/chef-rspec.cert", CHEF_SPEC_DATA))
+      cert = OpenSSL::X509::Certificate.new(cert_text)
+      key_text = File.read(File.expand_path("ssl/chef-rspec.key", CHEF_SPEC_DATA))
+      key = OpenSSL::PKey::RSA.new(key_text)
+
+      server_opts = { :SSLEnable => true,
+                      :SSLVerifyClient => OpenSSL::SSL::VERIFY_NONE,
+                      :SSLCertificate => cert,
+                      :SSLPrivateKey => key }
+
+      start_tiny_server(server_opts)
+    end
+
+    after(:all) do
+      stop_tiny_server
+    end
+
+    let(:source) { 'https://localhost:9000/nyan_cat.png' }
+
+    let(:expected_content) do
+      content = File.open(File.join(CHEF_SPEC_DATA, 'remote_file', 'nyan_cat.png'), "rb") do |f|
+        f.read
+      end
+      content.force_encoding(Encoding::BINARY) if content.respond_to?(:force_encoding)
+      content
+    end
+
+    it_behaves_like "a file resource"
+
+  end
 
-  it_behaves_like "a securable resource with reporting"
 end

data/spec/functional/resource/template_spec.rb

@@ -20,6 +20,10 @@ require 'spec_helper'
 
 describe Chef::Resource::Template do
 
+  def binread(file)
+    File.open(file,"rb") {|f| f.read }
+  end
+
   include_context Chef::Resource::File
 
   let(:file_base) { "template_spec" }
@@ -42,29 +46,19 @@ describe Chef::Resource::Template do
     resource = Chef::Resource::Template.new(path, run_context)
     resource.source('openldap_stuff.conf.erb')
     resource.cookbook('openldap')
+
+    # NOTE: partials rely on `cookbook_name` getting set by chef internals and
+    # ignore the user-set `cookbook` attribute.
+    resource.cookbook_name = "openldap"
+
     resource
   end
 
-  let!(:resource) do
+  let(:resource) do
     create_resource
   end
 
-  let(:default_mode) do
-    # TODO: Lots of ugly here :(
-    # RemoteFile uses FileUtils.cp. FileUtils does a copy by opening the
-    # destination file and writing to it. Before 1.9.3, it does not preserve
-    # the mode of the copied file. In 1.9.3 and after, it does. So we have to
-    # figure out what the default mode ought to be via heuristic.
-
-    t = Tempfile.new("get-the-mode")
-    path = t.path
-    path_2 = t.path + "fileutils-mode-test"
-    FileUtils.cp(path, path_2)
-    t.close
-    m = File.stat(path_2).mode
-    (07777 & m).to_s(8)
-  end
-
+  let(:default_mode) { ((0100666 - File.umask) & 07777).to_s(8) }
 
   it_behaves_like "a file resource"
 
@@ -86,4 +80,166 @@ describe Chef::Resource::Template do
       IO.read(path).should == expected_content
     end
   end
+
+  describe "when the template resource defines helper methods" do
+
+    include_context "diff disabled"
+
+    let(:resource) do
+      r = create_resource
+      r.source "helper_test.erb"
+      r
+    end
+
+    let(:expected_content) { "value from helper method" }
+
+    shared_examples "a template with helpers" do
+      it "generates expected content by calling helper methods" do
+        resource.run_action(:create)
+        binread(path).strip.should == expected_content
+      end
+    end
+
+    context "using single helper syntax" do
+      before do
+        resource.helper(:helper_method) { "value from helper method" }
+      end
+
+      it_behaves_like "a template with helpers"
+    end
+
+    context "using single helper syntax referencing @node" do
+      before do
+        node.set[:helper_test_attr] = "value from helper method"
+        resource.helper(:helper_method) { "#{@node[:helper_test_attr]}" }
+      end
+
+      it_behaves_like "a template with helpers"
+    end
+
+    context "using an inline block to define helpers" do
+      before do
+        resource.helpers do
+          def helper_method
+            "value from helper method"
+          end
+        end
+      end
+
+      it_behaves_like "a template with helpers"
+    end
+
+    context "using an inline block referencing @node" do
+      before do
+        node.set[:helper_test_attr] = "value from helper method"
+
+        resource.helpers do
+          def helper_method
+            @node[:helper_test_attr]
+          end
+        end
+      end
+
+      it_behaves_like "a template with helpers"
+
+    end
+
+    context "using a module from a library" do
+
+      module ExampleModule
+        def helper_method
+          "value from helper method"
+        end
+      end
+
+      before do
+        resource.helpers(ExampleModule)
+      end
+
+      it_behaves_like "a template with helpers"
+
+    end
+    context "using a module from a library referencing @node" do
+
+      module ExampleModuleReferencingATNode
+        def helper_method
+          @node[:helper_test_attr]
+        end
+      end
+
+      before do
+        node.set[:helper_test_attr] = "value from helper method"
+
+        resource.helpers(ExampleModuleReferencingATNode)
+      end
+
+      it_behaves_like "a template with helpers"
+
+    end
+
+    context "using helpers with partial templates" do
+      before do
+        resource.source("helpers_via_partial_test.erb")
+        resource.helper(:helper_method) { "value from helper method" }
+      end
+
+      it_behaves_like "a template with helpers"
+
+    end
+  end
+
+  describe "when template source contains windows style line endings" do
+
+    include_context "diff disabled"
+
+    let(:expected_content) {
+      "Template rendering libraries\r\nshould support\r\ndifferent line endings\r\n\r\n"
+    }
+
+    context "for all lines" do
+      let(:resource) do
+        r = create_resource
+        r.source "all_windows_line_endings.erb"
+        r
+      end
+
+      it "output should contain windows line endings" do
+        resource.run_action(:create)
+        binread(path).each_line do |line|
+          line.should end_with("\r\n")
+        end
+      end
+    end
+
+    context "for some lines" do
+      let(:resource) do
+        r = create_resource
+        r.source "some_windows_line_endings.erb"
+        r
+      end
+
+      it "output should contain windows line endings" do
+        resource.run_action(:create)
+        binread(path).each_line do |line|
+          line.should end_with("\r\n")
+        end
+      end
+    end
+
+    context "for no lines" do
+      let(:resource) do
+        r = create_resource
+        r.source "no_windows_line_endings.erb"
+        r
+      end
+
+      it "output should not contain windows line endings" do
+        resource.run_action(:create)
+        IO.read(path).each_line do |line|
+          line.should_not end_with("\r\n")
+        end
+      end
+    end
+  end
+
 end

data/spec/functional/resource/user_spec.rb

@@ -0,0 +1,547 @@
+# encoding: UTF-8
+#
+# Author:: Daniel DeLeo (<dan@opscode.com>)
+# Copyright:: Copyright (c) 2013 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'spec_helper'
+require 'chef/mixin/shell_out'
+
+metadata = { :unix_only => true,
+  :requires_root => true,
+  :provider => {:user => Chef::Provider::User::Useradd}
+}
+
+describe Chef::Resource::User, metadata do
+
+  include Chef::Mixin::ShellOut
+
+
+  # Utility code for /etc/passwd interaction, avoid any caching of user records:
+  PwEntry = Struct.new(:name, :passwd, :uid, :gid, :gecos, :home, :shell)
+
+  class UserNotFound < StandardError; end
+
+  def pw_entry
+    passwd_file = File.open("/etc/passwd", "rb") {|f| f.read}
+    matcher = /^#{Regexp.escape(username)}.+$/
+    if passwd_entry = passwd_file.scan(matcher).first
+      PwEntry.new(*passwd_entry.split(':'))
+    else
+      raise UserNotFound, "no entry matching #{matcher.inspect} found in /etc/passwd"
+    end
+  end
+
+  def etc_shadow
+    File.open("/etc/shadow") {|f| f.read }
+  end
+
+  def supports_quote_in_username?
+    OHAI_SYSTEM["platform_family"] == "debian"
+  end
+
+  before do
+    # Silence shell_out live stream
+    Chef::Log.level = :warn
+  end
+
+  after do
+    begin
+      pw_entry # will raise if the user doesn't exist
+      shell_out!("userdel", "-f", "-r", username, :returns => [0,12])
+    rescue UserNotFound
+      # nothing to remove
+    end
+  end
+
+  let(:node) do
+    n = Chef::Node.new
+    n.consume_external_attrs(OHAI_SYSTEM.data.dup, {})
+    n
+  end
+
+  let(:events) do
+    Chef::EventDispatch::Dispatcher.new
+  end
+
+  let(:run_context) do
+    Chef::RunContext.new(node, {}, events)
+  end
+
+  let(:username) do
+    "chef-functional-test"
+  end
+
+  let(:uid) { nil }
+  let(:home) { nil }
+  let(:manage_home) { false }
+  let(:password) { nil }
+  let(:system) { false }
+  let(:comment) { nil }
+
+  let(:user_resource) do
+    r = Chef::Resource::User.new("TEST USER RESOURCE", run_context)
+    r.username(username)
+    r.uid(uid)
+    r.home(home)
+    r.comment(comment)
+    r.manage_home(manage_home)
+    r.password(password)
+    r.system(system)
+    r
+  end
+
+  let(:skip) { false }
+
+  describe "action :create" do
+
+    context "when the user does not exist beforehand" do
+      before do
+        if reason = skip
+          pending(reason)
+        end
+        user_resource.run_action(:create)
+        user_resource.should be_updated_by_last_action
+      end
+
+
+      it "ensures the user exists" do
+        pw_entry.name.should == username
+      end
+
+      #  On Debian, the only constraints are that usernames must neither start
+      #  with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a colon
+      #  (':'), a comma (','), or a whitespace (space: ' ', end of line: '\n',
+      #  tabulation: '\t', etc.). Note that using a slash ('/') may break the
+      #  default algorithm for the definition of the user's home directory.
+
+      context "and the username contains a single quote" do
+        let(:skip) do
+          if supports_quote_in_username?
+            false
+          else
+            "Platform #{OHAI_SYSTEM["platform"]} not expected to support username w/ quote"
+          end
+        end
+
+        let(:username) { "t'bilisi" }
+
+        it "ensures the user exists" do
+          pw_entry.name.should == username
+        end
+      end
+
+
+      context "when uid is set" do
+        # Should verify uid not in use...
+        let(:uid) { 1999 }
+
+        it "ensures the user has the given uid" do
+          pw_entry.uid.should == "1999"
+        end
+      end
+
+      context "when comment is set" do
+        let(:comment) { "hello this is dog" }
+
+        it "ensures the comment is set" do
+          pw_entry.gecos.should == "hello this is dog"
+        end
+
+        context "in standard gecos format" do
+          let(:comment) { "Bobo T. Clown,some building,555-555-5555,@boboclown" }
+
+          it "ensures the comment is set" do
+            pw_entry.gecos.should == comment
+          end
+        end
+
+        context "to a string containing multibyte characters" do
+          let(:comment) { "(╯°□°）╯︵ ┻━┻" }
+
+          it "ensures the comment is set" do
+            actual = pw_entry.gecos
+            actual.force_encoding(Encoding::UTF_8) if "".respond_to?(:force_encoding)
+            actual.should == comment
+          end
+        end
+
+        context "to a string containing an apostrophe `'`" do
+          let(:comment) { "don't go" }
+
+          it "ensures the comment is set" do
+            pw_entry.gecos.should == comment
+          end
+        end
+      end
+
+      context "when home is set" do
+        let(:home) { "/home/#{username}" }
+
+        it "ensures the user's home is set to the given path" do
+          pw_entry.home.should == "/home/#{username}"
+        end
+
+        if OHAI_SYSTEM["platform_family"] == "rhel"
+          # Inconsistent behavior. See: CHEF-2205
+          it "creates the home dir when not explicitly asked to on RHEL (XXX)" do
+            File.should exist("/home/#{username}")
+          end
+        else
+          it "does not create the home dir without `manage_home'" do
+            File.should_not exist("/home/#{username}")
+          end
+        end
+
+        context "and manage_home is enabled" do
+          let(:manage_home) { true }
+
+          it "ensures the user's home directory exists" do
+            File.should exist("/home/#{username}")
+          end
+        end
+      end
+
+      context "when a password is specified" do
+        # openssl passwd -1 "secretpassword"
+        let(:password) { "$1$RRa/wMM/$XltKfoX5ffnexVF4dHZZf/" }
+        it "sets the user's shadow password" do
+          pw_entry.passwd.should == "x"
+          expected_shadow = "chef-functional-test:$1$RRa/wMM/$XltKfoX5ffnexVF4dHZZf/"
+          etc_shadow.should include(expected_shadow)
+        end
+      end
+
+      context "when a system user is specified" do
+        let(:system) { true }
+        let(:uid_min) do
+          # from `man useradd`, login user means uid will be between
+          # UID_SYS_MIN and UID_SYS_MAX defined in /etc/login.defs. On my
+          # Ubuntu 13.04 system, these are commented out, so we'll look at
+          # UID_MIN to find the lower limit of the non-system-user range, and
+          # use that value in our assertions.
+          login_defs = File.open("/etc/login.defs", "rb") {|f| f.read }
+          uid_min_scan = /^UID_MIN\s+(\d+)/
+          login_defs.match(uid_min_scan)[1]
+        end
+
+        it "ensures the user has the properties of a system user" do
+          pw_entry.uid.to_i.should be < uid_min.to_i
+        end
+      end
+    end # when the user does not exist beforehand
+
+    context "when the user already exists" do
+
+      let(:expect_updated?) { true }
+
+      let(:existing_uid) { nil }
+      let(:existing_home) { nil }
+      let(:existing_manage_home) { false }
+      let(:existing_password) { nil }
+      let(:existing_system) { false }
+      let(:existing_comment) { nil }
+
+      let(:existing_user) do
+        r = Chef::Resource::User.new("TEST USER RESOURCE", run_context)
+        # username is identity attr, must match.
+        r.username(username)
+        r.uid(existing_uid)
+        r.home(existing_home)
+        r.comment(existing_comment)
+        r.manage_home(existing_manage_home)
+        r.password(existing_password)
+        r.system(existing_system)
+        r
+      end
+
+      before do
+        if reason = skip
+          pending(reason)
+        end
+        existing_user.run_action(:create)
+        existing_user.should be_updated_by_last_action
+        user_resource.run_action(:create)
+        user_resource.updated_by_last_action?.should == expect_updated?
+      end
+
+      context "and all properties are in the desired state" do
+        let(:uid) { 1999 }
+        let(:home) { "/home/bobo" }
+        let(:manage_home) { true }
+        # openssl passwd -1 "secretpassword"
+        let(:password) { "$1$RRa/wMM/$XltKfoX5ffnexVF4dHZZf/" }
+        let(:system) { false }
+        let(:comment) { "hello this is dog" }
+
+        let(:existing_uid) { uid }
+        let(:existing_home) { home }
+        let(:existing_manage_home) { manage_home }
+        let(:existing_password) { password }
+        let(:existing_system) { false }
+        let(:existing_comment) { comment }
+
+        let(:expect_updated?) { false }
+
+        it "does not update the user" do
+          user_resource.should_not be_updated
+        end
+      end
+
+      context "and the uid is updated" do
+        let(:uid) { 1999 }
+        let(:existing_uid) { 1998 }
+
+        it "ensures the uid is set to the desired value" do
+          pw_entry.uid.should == "1999"
+        end
+      end
+
+      context "and the comment is updated" do
+        let(:comment) { "hello this is dog" }
+        let(:existing_comment) { "woof" }
+
+        it "ensures the comment field is set to the desired value" do
+          pw_entry.gecos.should == "hello this is dog"
+        end
+      end
+
+      context "and home directory is updated" do
+        let(:existing_home) { "/home/foo" }
+        let(:home) { "/home/bar" }
+        it "ensures the home directory is set to the desired value" do
+          pw_entry.home.should == "/home/bar"
+        end
+
+        context "and manage_home is enabled" do
+          let(:existing_manage_home) { true }
+          let(:manage_home) { true }
+          it "moves the home directory to the new location" do
+            File.should_not exist("/home/foo")
+            File.should exist("/home/bar")
+          end
+        end
+
+        context "and manage_home wasn't enabled but is now" do
+          let(:existing_manage_home) { false }
+          let(:manage_home) { true }
+
+          if OHAI_SYSTEM["platform_family"] == "rhel"
+            # Inconsistent behavior. See: CHEF-2205
+            it "created the home dir b/c of CHEF-2205 so it still exists" do
+              # This behavior seems contrary to expectation and non-convergent.
+              File.should_not exist("/home/foo")
+              File.should exist("/home/bar")
+            end
+          else
+            it "does not create the home dir in the desired location (XXX)" do
+              # This behavior seems contrary to expectation and non-convergent.
+              File.should_not exist("/home/foo")
+              File.should_not exist("/home/bar")
+            end
+          end
+        end
+
+        context "and manage_home was enabled but is not now" do
+          let(:existing_manage_home) { true }
+          let(:manage_home) { false }
+
+          it "leaves the old home directory around (XXX)" do
+            # Would it be better to remove the old home?
+            File.should exist("/home/foo")
+            File.should_not exist("/home/bar")
+          end
+        end
+      end
+
+      context "and a password is added" do
+        # openssl passwd -1 "secretpassword"
+        let(:password) { "$1$RRa/wMM/$XltKfoX5ffnexVF4dHZZf/" }
+
+        it "ensures the password is set" do
+          pw_entry.passwd.should == "x"
+          expected_shadow = "chef-functional-test:$1$RRa/wMM/$XltKfoX5ffnexVF4dHZZf/"
+          etc_shadow.should include(expected_shadow)
+        end
+
+      end
+
+      context "and the password is updated" do
+        # openssl passwd -1 "OLDpassword"
+        let(:existing_password) { "$1$1dVmwm4z$CftsFn8eBDjDRUytYKkXB." }
+        # openssl passwd -1 "secretpassword"
+        let(:password) { "$1$RRa/wMM/$XltKfoX5ffnexVF4dHZZf/" }
+
+        it "ensures the password is set to the desired value" do
+          pw_entry.passwd.should == "x"
+          expected_shadow = "chef-functional-test:$1$RRa/wMM/$XltKfoX5ffnexVF4dHZZf/"
+          etc_shadow.should include(expected_shadow)
+        end
+      end
+
+      context "and the user is changed from not-system to system" do
+        let(:existing_system) { false }
+        let(:system) { true }
+
+        let(:expect_updated?) { false }
+
+        it "does not modify the user at all" do
+        end
+      end
+
+      context "and the user is changed from system to not-system" do
+        let(:existing_system) { true }
+        let(:system) { false }
+
+        let(:expect_updated?) { false }
+
+        it "does not modify the user at all" do
+        end
+      end
+
+    end # when the user already exists
+  end # action :create
+
+  shared_context "user exists for lock/unlock" do
+    let(:user_locked_context?) { false }
+
+    def shadow_entry
+      etc_shadow.lines.select {|l| l.include?(username) }.first
+    end
+
+    def shadow_password
+      shadow_entry.split(':')[1]
+    end
+
+    before do
+      # create user and setup locked/unlocked state
+      user_resource.dup.run_action(:create)
+
+      if user_locked_context?
+        shell_out!("usermod -L #{username}")
+        shadow_password.should include("!")
+      elsif password
+        shadow_password.should_not include("!")
+      end
+    end
+  end
+
+  describe "action :lock" do
+    context "when the user does not exist" do
+      it "raises a sensible error" do
+        expect { user_resource.run_action(:lock) }.to raise_error(Chef::Exceptions::User)
+      end
+    end
+
+    context "when the user exists" do
+
+      include_context "user exists for lock/unlock"
+
+      before do
+        user_resource.run_action(:lock)
+      end
+
+      context "and the user is not locked" do
+        # user will be locked if it has no password
+        let(:password) { "$1$RRa/wMM/$XltKfoX5ffnexVF4dHZZf/" }
+
+        it "locks the user's password" do
+          shadow_password.should include("!")
+        end
+      end
+
+      context "and the user is locked" do
+        # user will be locked if it has no password
+        let(:password) { "$1$RRa/wMM/$XltKfoX5ffnexVF4dHZZf/" }
+        let(:user_locked_context?) { true }
+        it "does not update the user" do
+          user_resource.should_not be_updated_by_last_action
+        end
+      end
+    end
+  end # action :lock
+
+  describe "action :unlock" do
+    context "when the user does not exist" do
+      it "raises a sensible error" do
+        expect { user_resource.run_action(:unlock) }.to raise_error(Chef::Exceptions::User)
+      end
+    end
+
+    context "when the user exists" do
+
+      include_context "user exists for lock/unlock"
+
+      before do
+        begin
+          user_resource.run_action(:unlock)
+          @error = nil
+        rescue Exception => e
+          @error = e
+        end
+      end
+
+      context "and has no password" do
+
+        # TODO: platform_family should be setup in spec_helper w/ tags
+        if OHAI_SYSTEM["platform_family"] == "suse"
+          # suse gets this right:
+          it "errors out trying to unlock the user" do
+            @error.should be_a(Mixlib::ShellOut::ShellCommandFailed)
+            @error.message.should include("Cannot unlock the password")
+          end
+        else
+
+          # borked on all other platforms:
+          it "is marked as updated but doesn't modify the user (XXX)" do
+            # This should be an error instead; note that usermod still exits 0
+            # (which is probably why this case silently fails):
+            #
+            # DEBUG: ---- Begin output of usermod -U chef-functional-test ----
+            # DEBUG: STDOUT:
+            # DEBUG: STDERR: usermod: unlocking the user's password would result in a passwordless account.
+            # You should set a password with usermod -p to unlock this user's password.
+            # DEBUG: ---- End output of usermod -U chef-functional-test ----
+            # DEBUG: Ran usermod -U chef-functional-test returned 0
+            @error.should be_nil
+            pw_entry.passwd.should == 'x'
+            shadow_password.should == "!"
+          end
+        end
+      end
+
+      context "and has a password" do
+        let(:password) { "$1$RRa/wMM/$XltKfoX5ffnexVF4dHZZf/" }
+        context "and the user is not locked" do
+          it "does not update the user" do
+            user_resource.should_not be_updated_by_last_action
+          end
+        end
+
+        context "and the user is locked" do
+          let(:user_locked_context?) { true }
+
+          it "unlocks the user's password" do
+            shadow_entry = etc_shadow.lines.select {|l| l.include?(username) }.first
+            shadow_password = shadow_entry.split(':')[1]
+            shadow_password.should_not include("!")
+          end
+        end
+      end
+    end
+  end # action :unlock
+
+end