puppet 6.21.0 → 6.24.0

data/spec/unit/provider/package/pip_spec.rb

@@ -266,6 +266,43 @@ describe Puppet::Type.type(:package).provider(:pip) do
       let(:pip_version) { '1.5.4' }
       let(:pip_path) { '/fake/bin/pip' }
 
+      context "with pip version >= 20.3 and < 21.1" do
+        let(:pip_version) { '20.3.1' }
+        let(:pip_path) { '/fake/bin/pip' }
+
+        it "should use legacy-resolver argument" do
+          p = StringIO.new(
+            <<-EOS
+            Collecting real-package==versionplease
+              Could not find a version that satisfies the requirement real-package==versionplease (from versions: 1.1.3, 1.0, 1.9b1)
+            No matching distribution found for real-package==versionplease
+            EOS
+          )
+          expect(Puppet::Util::Execution).to receive(:execpipe).with(["/fake/bin/pip", "install", "real_package==versionplease",
+            "--use-deprecated=legacy-resolver"]).and_yield(p).once
+          @resource[:name] = "real_package"
+          @provider.latest
+        end
+      end
+
+      context "with pip version >= 21.1" do
+        let(:pip_version) { '21.1' }
+        let(:pip_path) { '/fake/bin/pip' }
+
+        it "should not use legacy-resolver argument" do
+          p = StringIO.new(
+            <<-EOS
+            Collecting real-package==versionplease
+              Could not find a version that satisfies the requirement real-package==versionplease (from versions: 1.1.3, 1.0, 1.9b1)
+            No matching distribution found for real-package==versionplease
+            EOS
+          )
+          expect(Puppet::Util::Execution).to receive(:execpipe).with(["/fake/bin/pip", "install", "real_package==versionplease"]).and_yield(p).once
+          @resource[:name] = "real_package"
+          @provider.latest
+        end
+      end
+
       it "should find a version number for real_package" do
         p = StringIO.new(
           <<-EOS

data/spec/unit/provider/parsedfile_spec.rb

@@ -79,6 +79,16 @@ describe Puppet::Provider::ParsedFile do
 
       provider.instances
     end
+
+    it "should raise if parsing returns nil" do
+      expect(provider).to receive(:targets).and_return(%w{/one})
+      expect_any_instance_of(Puppet::Util::FileType::FileTypeFlat).to receive(:read).and_return('a=b')
+      expect(provider).to receive(:parse).and_return(nil)
+
+      expect {
+        provider.instances
+      }.to raise_error(Puppet::DevError, %r{Prefetching /one for provider parsedfile_provider returned nil})
+    end
   end
 
   describe "when matching resources to existing records" do

data/spec/unit/provider/service/init_spec.rb

@@ -83,6 +83,7 @@ describe 'Puppet::Type::Service::Provider::Init',
       allow(provider_class).to receive(:defpath).and_return('tmp')
 
       @services = ['one', 'two', 'three', 'four', 'umountfs']
+      allow(Dir).to receive(:entries).and_call_original
       allow(Dir).to receive(:entries).with('tmp').and_return(@services)
       expect(FileTest).to receive(:directory?).with('tmp').and_return(true)
       allow(FileTest).to receive(:executable?).and_return(true)

data/spec/unit/provider/service/openwrt_spec.rb

@@ -32,6 +32,7 @@ describe 'Puppet::Type::Service::Provider::Openwrt',
     allow(File).to receive(:directory?).with('/etc/init.d').and_return(true)
 
     allow(Puppet::FileSystem).to receive(:exist?).with('/etc/init.d/myservice').and_return(true)
+    allow(FileTest).to receive(:file?).and_call_original
     allow(FileTest).to receive(:file?).with('/etc/init.d/myservice').and_return(true)
     allow(FileTest).to receive(:executable?).with('/etc/init.d/myservice').and_return(true)
   end
@@ -47,7 +48,8 @@ describe 'Puppet::Type::Service::Provider::Openwrt',
     let(:services) {['dnsmasq', 'dropbear', 'firewall', 'led', 'puppet', 'uhttpd' ]}
 
     before :each do
-      allow(Dir).to receive(:entries).and_return(services)
+      allow(Dir).to receive(:entries).and_call_original
+      allow(Dir).to receive(:entries).with('/etc/init.d').and_return(services)
       allow(FileTest).to receive(:directory?).and_return(true)
       allow(FileTest).to receive(:executable?).and_return(true)
     end

data/spec/unit/provider/service/systemd_spec.rb

@@ -200,6 +200,17 @@ describe 'Puppet::Type::Service::Provider::Systemd',
       })
     end
 
+    it "correctly parses services when list-unit-files has an additional column" do
+      expect(provider_class).to receive(:systemctl).with('list-unit-files', '--type', 'service', '--full', '--all', '--no-pager').and_return(File.read(my_fixture('list_unit_files_services_vendor_preset')))
+      expect(provider_class.instances.map(&:name)).to match_array(%w{
+        arp-ethers.service
+        auditd.service
+        dbus.service
+        umountnfs.service
+        urandom.service
+      })
+    end
+
     it "should print a debug message when a service with the state `bad` is found" do
       expect(provider_class).to receive(:systemctl).with('list-unit-files', '--type', 'service', '--full', '--all', '--no-pager').and_return(File.read(my_fixture('list_unit_files_services')))
       expect(Puppet).to receive(:debug).with("apparmor.service marked as bad by `systemctl`. It is recommended to be further checked.")
@@ -346,6 +357,9 @@ Jun 14 21:43:23 foo.example.com systemd[1]: sshd.service lacks both ExecStart= a
   describe "#mask" do
     it "should run systemctl to disable and mask a service" do
       provider = provider_class.new(Puppet::Type.type(:service).new(:name => 'sshd.service'))
+      expect(provider).to receive(:execute).
+                            with(['/bin/systemctl','cat', '--', 'sshd.service'], :failonfail => false).
+                            and_return(Puppet::Util::Execution::ProcessOutput.new("# /lib/systemd/system/sshd.service\n...", 0))
       # :disable is the only call in the provider that uses a symbol instead of
       # a string.
       # This should be made consistent in the future and all tests updated.
@@ -353,6 +367,15 @@ Jun 14 21:43:23 foo.example.com systemd[1]: sshd.service lacks both ExecStart= a
       expect(provider).to receive(:systemctl).with(:mask, '--', 'sshd.service')
       provider.mask
     end
+
+    it "masks a service that doesn't exist" do
+      provider = provider_class.new(Puppet::Type.type(:service).new(:name => 'doesnotexist.service'))
+      expect(provider).to receive(:execute).
+                            with(['/bin/systemctl','cat', '--', 'doesnotexist.service'], :failonfail => false).
+                            and_return(Puppet::Util::Execution::ProcessOutput.new("No files found for doesnotexist.service.\n", 1))
+      expect(provider).to receive(:systemctl).with(:mask, '--', 'doesnotexist.service')
+      provider.mask
+    end
   end
 
   # Note: systemd provider does not care about hasstatus or a custom status
@@ -456,17 +479,39 @@ Jun 14 21:43:23 foo.example.com systemd[1]: sshd.service lacks both ExecStart= a
     context 'when service state is static' do
       let(:service_state) { 'static' }
 
-      it 'is always enabled_insync even if current value is the same as expected' do
-        expect(provider).to be_enabled_insync(:false)
-      end
+      context 'when enable is not mask' do
+        it 'is always enabled_insync even if current value is the same as expected' do
+          expect(provider).to be_enabled_insync(:false)
+        end
 
-      it 'is always enabled_insync even if current value is not the same as expected' do
-        expect(provider).to be_enabled_insync(:true)
+        it 'is always enabled_insync even if current value is not the same as expected' do
+          expect(provider).to be_enabled_insync(:true)
+        end
+
+        it 'logs a debug messsage' do
+          expect(Puppet).to receive(:debug).with("Unable to enable or disable static service sshd.service")
+          provider.enabled_insync?(:true)
+        end
       end
 
-      it 'logs a debug messsage' do
-        expect(Puppet).to receive(:debug).with("Unable to enable or disable static service sshd.service")
-        provider.enabled_insync?(:true)
+      context 'when enable is mask' do
+        let(:provider) do
+          provider_class.new(Puppet::Type.type(:service).new(:name => 'sshd.service',
+                                                             :enable => 'mask'))
+        end
+
+        it 'is enabled_insync if current value is the same as expected' do
+          expect(provider).to be_enabled_insync(:mask)
+        end
+
+        it 'is not enabled_insync if current value is not the same as expected' do
+          expect(provider).not_to be_enabled_insync(:true)
+        end
+
+        it 'logs no debug messsage' do
+          expect(Puppet).not_to receive(:debug)
+          provider.enabled_insync?(:true)
+        end
       end
     end
 

data/spec/unit/provider/service/windows_spec.rb

@@ -271,4 +271,206 @@ describe 'Puppet::Type::Service::Provider::Windows',
       }.to raise_error(Puppet::Error, /Cannot enable #{name}/)
     end
   end
+
+  describe "when managing logon credentials" do
+    before do
+      allow(Puppet::Util::Windows::ADSI).to receive(:computer_name).and_return(computer_name)
+      allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(principal)
+      allow(Puppet::Util::Windows::Service).to receive(:set_startup_configuration).and_return(nil)
+    end
+
+    let(:computer_name) { 'myPC' }
+
+    describe "#logonaccount=" do
+      before do
+        allow(Puppet::Util::Windows::User).to receive(:password_is?).and_return(true)
+        resource[:logonaccount] = user_input
+        provider.logonaccount_insync?(user_input)
+      end
+
+      let(:user_input) { principal.account }
+      let(:principal) do
+        Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, computer_name, :SidTypeUser)
+      end
+
+      context "when given user is 'myUser'" do
+        it "should fail when the `Log On As A Service` right is missing from given user" do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("")
+          expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /".\\#{principal.account}" is missing the 'Log On As A Service' right./)
+        end
+
+        it "should fail when the `Log On As A Service` right is set to denied for given user" do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeDenyServiceLogonRight")
+          expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /".\\#{principal.account}" has the 'Log On As A Service' right set to denied./)
+        end
+
+        it "should not fail when given user has the `Log On As A Service` right" do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeServiceLogonRight")
+          expect { provider.logonaccount=(user_input) }.not_to raise_error
+        end
+
+        ['myUser', 'myPC\\myUser', ".\\myUser", "MYPC\\mYuseR"].each do |user_input_variant|
+          let(:user_input) { user_input_variant }
+
+          it "should succesfully munge #{user_input_variant} to '.\\myUser'" do
+            allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeServiceLogonRight")
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq(".\\myUser")
+          end
+        end
+      end
+
+      context "when given user is a system account" do
+        before do
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).and_return(true)
+        end
+
+        let(:user_input) { principal.account }
+        let(:principal) do
+          Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser)
+        end
+
+        it "should not fail when given user is a default system account even if the `Log On As A Service` right is missing" do
+          expect(Puppet::Util::Windows::User).not_to receive(:get_rights)
+          expect { provider.logonaccount=(user_input) }.not_to raise_error
+        end
+
+        ['LocalSystem', '.\LocalSystem', 'myPC\LocalSystem', 'lOcALsysTem'].each do |user_input_variant|
+          let(:user_input) { user_input_variant }
+
+          it "should succesfully munge #{user_input_variant} to 'LocalSystem'" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('LocalSystem')
+          end
+        end
+      end
+
+      context "when domain is different from computer name" do
+        before do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return("SeServiceLogonRight")
+        end
+
+        context "when given user is from AD" do
+          let(:user_input) { 'myRemoteUser' }
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("myRemoteUser", nil, nil, "AD", :SidTypeUser)
+          end
+
+          it "should not raise any error" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+          end
+
+          it "should succesfully be munged" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('AD\myRemoteUser')
+          end
+        end
+
+        context "when given user is LocalService" do
+          let(:user_input) { 'LocalService' }
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeWellKnownGroup)
+          end
+
+          it "should succesfully munge well known user" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('NT AUTHORITY\LOCAL SERVICE')
+          end
+        end
+
+        context "when given user is in SID form" do
+          let(:user_input) { 'S-1-5-20' }
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("NETWORK SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser)
+          end
+
+          it "should succesfully munge" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('NT AUTHORITY\NETWORK SERVICE')
+          end
+        end
+
+        context "when given user is actually a group" do
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("Administrators", nil, nil, "BUILTIN", :SidTypeAlias)
+          end
+          let(:user_input) { 'Administrators' }
+
+          it "should fail when sid type is not user or well known user" do
+            expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /"BUILTIN\\#{user_input}" is not a valid account/)
+          end
+        end
+      end
+    end
+
+    describe "#logonpassword=" do
+      before do
+        allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return('SeServiceLogonRight')
+        resource[:logonaccount] = account
+        resource[:logonpassword] = user_input
+        provider.logonaccount_insync?(account)
+      end
+
+      let(:account) { 'LocalSystem' }
+
+      describe "when given logonaccount is a predefined_local_account" do
+        let(:user_input) { 'pass' }
+        let(:principal) { nil }
+
+        it "should pass validation when given account is 'LocalSystem'" do
+          allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('LocalSystem').and_return(true)
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('LocalSystem').and_return(true)
+
+          expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
+          expect { provider.logonpassword=(user_input) }.not_to raise_error
+        end
+
+        ['LOCAL SERVICE', 'NETWORK SERVICE', 'SYSTEM'].each do |predefined_local_account|
+          describe "when given account is #{predefined_local_account}" do
+            let(:account) { 'predefined_local_account' }
+            let(:principal) do
+              Puppet::Util::Windows::SID::Principal.new(account, nil, nil, "NT AUTHORITY", :SidTypeUser)
+            end
+
+            it "should pass validation" do
+              allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(principal.account).and_return(false)
+              allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(principal.domain_account).and_return(false)
+              expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with(principal.domain_account).and_return(true).twice
+
+              expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
+              expect { provider.logonpassword=(user_input) }.not_to raise_error
+            end
+          end
+        end
+      end
+
+      describe "when given logonaccount is not a predefined local account" do
+        before do
+          allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(".\\#{principal.account}").and_return(false)
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with(".\\#{principal.account}").and_return(false)
+        end
+
+        let(:account) { 'myUser' }
+        let(:principal) do
+          Puppet::Util::Windows::SID::Principal.new(account, nil, nil, computer_name, :SidTypeUser)
+        end
+
+        describe "when password is proven correct" do
+          let(:user_input) { 'myPass' }
+          it "should pass validation" do
+            allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myPass', '.').and_return(true)
+            expect { provider.logonpassword=(user_input) }.not_to raise_error
+          end
+        end
+
+        describe "when password is not proven correct" do
+          let(:user_input) { 'myWrongPass' }
+          it "should not pass validation" do
+            allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myWrongPass', '.').and_return(false)
+            expect { provider.logonpassword=(user_input) }.to raise_error(Puppet::Error, /The given password is invalid for user '.\\myUser'/)
+          end
+        end
+      end
+    end
+  end
 end

data/spec/unit/provider/user/directoryservice_spec.rb

@@ -925,28 +925,75 @@ end
       }
     end
 
-    it 'should call set_salted_sha512 on 10.7 when given a salted-SHA512 password hash' do
-      expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
-      expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
-      expect(provider.class).to receive(:get_os_version).and_return('10.7')
-      expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
-      provider.write_password_to_users_plist(sha512_password_hash)
+    before do
+      allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
     end
 
-    it 'should call set_salted_pbkdf2 on 10.8 when given a PBKDF2 password hash' do
-      expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
-      expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
-      expect(provider.class).to receive(:get_os_version).and_return('10.8')
-      expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
-      provider.write_password_to_users_plist(pbkdf2_password_hash)
+    describe 'when on macOS 11 (Big Sur) or greater' do
+      before do
+        allow(provider.class).to receive(:get_os_version).and_return('11.0.0')
+      end
+
+      it 'should add salted_sha512_pbkdf2 AuthenticationAuthority key if missing' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
+        expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
+        expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(true)
+
+        expect(Puppet).to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
+
+      it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority key if not missing' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
+        expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
+        expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
+
+        expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
     end
 
-    it "should delete the SALTED-SHA512 key in the shadow_hash_data hash if it exists on a 10.8 system and write_password_to_users_plist has been called to set the user's password" do
-      expect(provider).to receive(:get_users_plist).and_return('users_plist')
-      expect(provider).to receive(:get_shadow_hash_data).with('users_plist').and_return(sha512_shadowhashdata)
-      expect(provider.class).to receive(:get_os_version).and_return('10.8')
-      expect(provider).to receive(:set_salted_pbkdf2).with('users_plist', {}, 'entropy', pbkdf2_password_hash)
-      provider.write_password_to_users_plist(pbkdf2_password_hash)
+    describe 'when on macOS version lower than 11' do
+      before do
+        allow(provider.class).to receive(:get_os_version)
+        allow(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
+      end
+
+      it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
+        expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
+        expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
+
+        expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
+
+      it 'should call set_salted_sha512 on 10.7 when given a salted-SHA512 password hash' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
+        expect(provider.class).to receive(:get_os_version).and_return('10.7')
+        expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
+        provider.write_password_to_users_plist(sha512_password_hash)
+      end
+
+      it 'should call set_salted_pbkdf2 on 10.8 when given a PBKDF2 password hash' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
+        expect(provider.class).to receive(:get_os_version).and_return('10.8')
+        expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
+
+      it "should delete the SALTED-SHA512 key in the shadow_hash_data hash if it exists on a 10.8 system and write_password_to_users_plist has been called to set the user's password" do
+        expect(provider).to receive(:get_users_plist).and_return('users_plist')
+        expect(provider).to receive(:get_shadow_hash_data).with('users_plist').and_return(sha512_shadowhashdata)
+        expect(provider.class).to receive(:get_os_version).and_return('10.8')
+        expect(provider).to receive(:set_salted_pbkdf2).with('users_plist', {}, 'entropy', pbkdf2_password_hash)
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
     end
   end
 
@@ -974,16 +1021,7 @@ end
   describe '#set_shadow_hash_data' do
     let(:users_plist) { {'ShadowHashData' => ['string_data'] } }
 
-    it 'should flush the plist data to disk on OS X < 10.15' do
-      allow(provider.class).to receive(:get_os_version).and_return('10.12')
-
-      expect(provider).to receive(:write_users_plist_to_disk)
-      provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
-    end
-
-    it 'should flush the plist data a temporary file on OS X >= 10.15' do
-      allow(provider.class).to receive(:get_os_version).and_return('10.15')
-
+    it 'should flush the plist data to a temporary file' do
       expect(provider).to receive(:write_and_import_shadow_hash_data)
       provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
     end
@@ -1033,13 +1071,6 @@ end
     end
   end
 
-  describe '#write_users_plist_to_disk' do
-    it 'should save the passed plist to disk and convert it to a binary plist' do
-      expect(Puppet::Util::Plist).to receive(:write_plist_file).with(user_plist_xml, "#{users_plist_dir}/nonexistent_user.plist", :binary)
-      provider.write_users_plist_to_disk(user_plist_xml)
-    end
-  end
-
   describe '#write_and_import_shadow_hash_data' do
     it 'should save the passed plist to a temporary file and import it' do
       tmpfile = double('tempfile', :path => "/tmp/dsimport_#{username}", :flush => nil)
@@ -1203,6 +1234,7 @@ end
     before :each do
       allow(provider.class).to receive(:get_all_users).and_return(all_users_hash)
       allow(provider.class).to receive(:get_list_of_groups).and_return(group_plist_hash_guid)
+      allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
       provider.class.prefetch({})
     end