puppet 6.22.1-x86-mingw32 → 6.23.0-x86-mingw32

data/spec/unit/provider/user/directoryservice_spec.rb

@@ -925,28 +925,75 @@ end
       }
     end
 
-    it 'should call set_salted_sha512 on 10.7 when given a salted-SHA512 password hash' do
-      expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
-      expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
-      expect(provider.class).to receive(:get_os_version).and_return('10.7')
-      expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
-      provider.write_password_to_users_plist(sha512_password_hash)
+    before do
+      allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
     end
 
-    it 'should call set_salted_pbkdf2 on 10.8 when given a PBKDF2 password hash' do
-      expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
-      expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
-      expect(provider.class).to receive(:get_os_version).and_return('10.8')
-      expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
-      provider.write_password_to_users_plist(pbkdf2_password_hash)
+    describe 'when on macOS 11 (Big Sur) or greater' do
+      before do
+        allow(provider.class).to receive(:get_os_version).and_return('11.0.0')
+      end
+
+      it 'should add salted_sha512_pbkdf2 AuthenticationAuthority key if missing' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
+        expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
+        expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(true)
+
+        expect(Puppet).to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
+
+      it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority key if not missing' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
+        expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
+        expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
+
+        expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
     end
 
-    it "should delete the SALTED-SHA512 key in the shadow_hash_data hash if it exists on a 10.8 system and write_password_to_users_plist has been called to set the user's password" do
-      expect(provider).to receive(:get_users_plist).and_return('users_plist')
-      expect(provider).to receive(:get_shadow_hash_data).with('users_plist').and_return(sha512_shadowhashdata)
-      expect(provider.class).to receive(:get_os_version).and_return('10.8')
-      expect(provider).to receive(:set_salted_pbkdf2).with('users_plist', {}, 'entropy', pbkdf2_password_hash)
-      provider.write_password_to_users_plist(pbkdf2_password_hash)
+    describe 'when on macOS version lower than 11' do
+      before do
+        allow(provider.class).to receive(:get_os_version)
+        allow(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
+      end
+
+      it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
+        expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
+        expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
+
+        expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
+
+      it 'should call set_salted_sha512 on 10.7 when given a salted-SHA512 password hash' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
+        expect(provider.class).to receive(:get_os_version).and_return('10.7')
+        expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
+        provider.write_password_to_users_plist(sha512_password_hash)
+      end
+
+      it 'should call set_salted_pbkdf2 on 10.8 when given a PBKDF2 password hash' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
+        expect(provider.class).to receive(:get_os_version).and_return('10.8')
+        expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
+
+      it "should delete the SALTED-SHA512 key in the shadow_hash_data hash if it exists on a 10.8 system and write_password_to_users_plist has been called to set the user's password" do
+        expect(provider).to receive(:get_users_plist).and_return('users_plist')
+        expect(provider).to receive(:get_shadow_hash_data).with('users_plist').and_return(sha512_shadowhashdata)
+        expect(provider.class).to receive(:get_os_version).and_return('10.8')
+        expect(provider).to receive(:set_salted_pbkdf2).with('users_plist', {}, 'entropy', pbkdf2_password_hash)
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
     end
   end
 
@@ -974,16 +1021,7 @@ end
   describe '#set_shadow_hash_data' do
     let(:users_plist) { {'ShadowHashData' => ['string_data'] } }
 
-    it 'should flush the plist data to disk on OS X < 10.15' do
-      allow(provider.class).to receive(:get_os_version).and_return('10.12')
-
-      expect(provider).to receive(:write_users_plist_to_disk)
-      provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
-    end
-
-    it 'should flush the plist data a temporary file on OS X >= 10.15' do
-      allow(provider.class).to receive(:get_os_version).and_return('10.15')
-
+    it 'should flush the plist data to a temporary file' do
       expect(provider).to receive(:write_and_import_shadow_hash_data)
       provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
     end
@@ -1033,13 +1071,6 @@ end
     end
   end
 
-  describe '#write_users_plist_to_disk' do
-    it 'should save the passed plist to disk and convert it to a binary plist' do
-      expect(Puppet::Util::Plist).to receive(:write_plist_file).with(user_plist_xml, "#{users_plist_dir}/nonexistent_user.plist", :binary)
-      provider.write_users_plist_to_disk(user_plist_xml)
-    end
-  end
-
   describe '#write_and_import_shadow_hash_data' do
     it 'should save the passed plist to a temporary file and import it' do
       tmpfile = double('tempfile', :path => "/tmp/dsimport_#{username}", :flush => nil)
@@ -1203,6 +1234,7 @@ end
     before :each do
       allow(provider.class).to receive(:get_all_users).and_return(all_users_hash)
       allow(provider.class).to receive(:get_list_of_groups).and_return(group_plist_hash_guid)
+      allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
       provider.class.prefetch({})
     end
 

data/spec/unit/ssl/state_machine_spec.rb

@@ -31,6 +31,14 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
     allow(Kernel).to receive(:sleep)
   end
 
+  def expected_digest(name, content)
+    OpenSSL::Digest.new(name).hexdigest(content)
+  end
+
+  def to_fingerprint(digest)
+    digest.scan(/../).join(':').upcase
+  end
+
   context 'when passing keyword arguments' do
     it "accepts digest" do
       expect(described_class.new(digest: 'SHA512').digest).to eq('SHA512')
@@ -395,29 +403,35 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
 
       it 'verifies CA cert bundle if a ca_fingerprint is given case-insensitively' do
         Puppet[:log_level] = :info
-        machine = described_class.new(digest: 'SHA256', ca_fingerprint: 'caacf69bbbcdad9dbcda92dd2da3608b639d1aea4c314d6cc6823cdb32d8e0f8')
+
+        digest = expected_digest('SHA256', cacert_pem)
+        fingerprint = to_fingerprint(digest)
+        machine = described_class.new(digest: 'SHA256', ca_fingerprint: digest.downcase)
         state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
         state.next_state
 
-        expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA256) CA:AC:F6:9B:BB:CD:AD:9D:BC:DA:92:DD:2D:A3:60:8B:63:9D:1A:EA:4C:31:4D:6C:C6:82:3C:DB:32:D8:E0:F8"))
+        expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA256) #{fingerprint}"))
       end
 
       it 'verifies CA cert bundle using non-default fingerprint' do
         Puppet[:log_level] = :info
-        machine = described_class.new(digest: 'SHA512', ca_fingerprint: '3c9d1482b878913ad95c9631feac5090cb05c6eab9496178d6fd5c14a023da3b1a8650a3cbaac516d9a48caf0b0742e1ed7eebf55105c024c74834a45056a9d9')
+
+        digest = expected_digest('SHA512', cacert_pem)
+        machine = described_class.new(digest: 'SHA512', ca_fingerprint: digest)
         state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
         state.next_state
 
-        expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA512) 3C:9D:14:82:B8:78:91:3A:D9:5C:96:31:FE:AC:50:90:CB:05:C6:EA:B9:49:61:78:D6:FD:5C:14:A0:23:DA:3B:1A:86:50:A3:CB:AA:C5:16:D9:A4:8C:AF:0B:07:42:E1:ED:7E:EB:F5:51:05:C0:24:C7:48:34:A4:50:56:A9:D9"))
+        expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA512) #{to_fingerprint(digest)}"))
       end
 
       it 'returns an error if verification fails' do
         machine = described_class.new(digest: 'SHA256', ca_fingerprint: 'wrong!')
         state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
 
+        fingerprint = to_fingerprint(expected_digest('SHA256', cacert_pem))
         st = state.next_state
         expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
-        expect(st.message).to eq("CA bundle with digest (SHA256) CA:AC:F6:9B:BB:CD:AD:9D:BC:DA:92:DD:2D:A3:60:8B:63:9D:1A:EA:4C:31:4D:6C:C6:82:3C:DB:32:D8:E0:F8 did not match expected digest WR:ON:G!")
+        expect(st.message).to eq("CA bundle with digest (SHA256) #{fingerprint} did not match expected digest WR:ON:G!")
       end
     end
   end

data/spec/unit/transaction/additional_resource_generator_spec.rb

@@ -93,8 +93,6 @@ describe Puppet::Transaction::AdditionalResourceGenerator do
     end
   end
 
-
-
   after(:each) do
     Puppet::Type.rmtype(:gen_empty)
     Puppet::Type.rmtype(:eval_after)

data/spec/unit/transaction_spec.rb

@@ -5,13 +5,6 @@ require 'puppet_spec/compiler'
 require 'puppet/transaction'
 require 'fileutils'
 
-Puppet::Type.newtype(:generator) do
-  newparam(:name) { isnamevar }
-
-  def generate
-  end
-end
-
 describe Puppet::Transaction do
   include PuppetSpec::Files
   include PuppetSpec::Compiler
@@ -27,6 +20,19 @@ describe Puppet::Transaction do
     transaction
   end
 
+  before(:all) do
+    Puppet::Type.newtype(:transaction_generator) do
+      newparam(:name) { isnamevar }
+
+      def generate
+      end
+    end
+  end
+
+  after(:all) do
+    Puppet::Type.rmtype(:transaction_generator)
+  end
+
   before do
     @basepath = make_absolute("/what/ever")
     @transaction = Puppet::Transaction.new(Puppet::Resource::Catalog.new, nil, Puppet::Graph::SequentialPrioritizer.new)
@@ -330,9 +336,9 @@ describe Puppet::Transaction do
   describe "when generating resources before traversal" do
     let(:catalog) { Puppet::Resource::Catalog.new }
     let(:transaction) { Puppet::Transaction.new(catalog, nil, Puppet::Graph::SequentialPrioritizer.new) }
-    let(:generator) { Puppet::Type.type(:generator).new :title => "generator" }
+    let(:generator) { Puppet::Type.type(:transaction_generator).new :title => "generator" }
     let(:generated) do
-      %w[a b c].map { |name| Puppet::Type.type(:generator).new(:name => name) }
+      %w[a b c].map { |name| Puppet::Type.type(:transaction_generator).new(:name => name) }
     end
 
     before :each do
@@ -673,7 +679,7 @@ describe Puppet::Transaction do
         end
 
         describe "and new resources are generated" do
-          let(:generator) { Puppet::Type.type(:generator).new :title => "generator" }
+          let(:generator) { Puppet::Type.type(:transaction_generator).new :title => "generator" }
           let(:generated) do
             %w[a b c].map { |name| Puppet::Type.type(:package).new :title => "foo", :name => name, :provider => :apt }
           end
@@ -787,16 +793,8 @@ describe Puppet::Transaction do
     end
 
     it "should call Selinux.matchpathcon_fini in case Selinux is enabled ", :if => Puppet.features.posix? do
-      unless defined?(Selinux)
-        module Selinux
-          def self.is_selinux_enabled
-            true
-          end
-
-          def self.matchpathcon_fini
-          end
-        end
-      end
+      selinux = double('selinux', is_selinux_enabled: true, matchpathcon_fini: nil)
+      stub_const('Selinux', selinux)
 
       resource = Puppet::Type.type(:file).new(:path => make_absolute("/tmp/foo"))
       transaction = transaction_with_resource(resource)

data/spec/unit/type/file/selinux_spec.rb

@@ -7,7 +7,7 @@ require 'spec_helper'
 
     before do
       @path = make_absolute("/my/file")
-      @resource = Puppet::Type.type(:file).new :path => @path
+      @resource = Puppet::Type.type(:file).new(:path => @path, :ensure => :file)
       @sel = property.new :resource => @resource
     end
 
@@ -50,13 +50,13 @@ require 'spec_helper'
     end
 
     it "should handle no default gracefully" do
-      expect(@sel).to receive(:get_selinux_default_context).with(@path).and_return(nil)
+      expect(@sel).to receive(:get_selinux_default_context).with(@path, :file).and_return(nil)
       expect(@sel.default).to be_nil
     end
 
     it "should be able to detect matchpathcon defaults" do
       allow(@sel).to receive(:debug)
-      expect(@sel).to receive(:get_selinux_default_context).with(@path).and_return("user_u:role_r:type_t:s0")
+      expect(@sel).to receive(:get_selinux_default_context).with(@path, :file).and_return("user_u:role_r:type_t:s0")
       expectedresult = case param
         when :seluser; "user_u"
         when :selrole; "role_r"

data/spec/unit/type/service_spec.rb

@@ -72,50 +72,65 @@ describe test_title, "when validating attribute values" do
       allow(@provider.class).to receive(:supports_parameter?).and_return(true)
     end
 
-    it "should support :true as a value" do
-      srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :true)
-      expect(srv.should(:enable)).to eq(:true)
-    end
+    describe "for value without required features" do
+      before :each do
+        allow(@provider).to receive(:satisfies?)
+      end
 
-    it "should support :false as a value" do
-      srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :false)
-      expect(srv.should(:enable)).to eq(:false)
-    end
+      it "should not support :mask as a value" do
+        expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :mask) }.to raise_error(
+          Puppet::ResourceError,
+          /Provider .+ must have features 'maskable' to set 'enable' to 'mask'/
+        )
+      end
 
-    it "should support :mask as a value" do
-      srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :mask)
-      expect(srv.should(:enable)).to eq(:mask)
-    end
+      it "should not support :manual as a value" do
+        expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :manual) }.to raise_error(
+          Puppet::ResourceError,
+          /Provider .+ must have features 'manual_startable' to set 'enable' to 'manual'/
+        )
+      end
 
-    it "should support :manual as a value on Windows" do
-      allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
-      srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :manual)
-      expect(srv.should(:enable)).to eq(:manual)
+      it "should not support :mask as a value" do
+        expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed) }.to raise_error(
+          Puppet::ResourceError,
+          /Provider .+ must have features 'delayed_startable' to set 'enable' to 'delayed'/
+        )
+      end
     end
 
-    it "should support :delayed as a value on Windows" do
-      allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
+    describe "for value with required features" do
+      before :each do
+        allow(@provider).to receive(:satisfies?).and_return(:true)
+      end
 
-      srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed)
-      expect(srv.should(:enable)).to eq(:delayed)
-    end
+      it "should support :true as a value" do
+        srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :true)
+        expect(srv.should(:enable)).to eq(:true)
+      end
 
-    it "should not support :manual as a value when not on Windows" do
-      allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
+      it "should support :false as a value" do
+        srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :false)
+        expect(srv.should(:enable)).to eq(:false)
+      end
 
-      expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :manual) }.to raise_error(
-        Puppet::Error,
-        /Setting enable to manual is only supported on Microsoft Windows\./
-      )
-    end
+      it "should support :mask as a value" do
+        srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :mask)
+        expect(srv.should(:enable)).to eq(:mask)
+      end
 
-    it "should not support :delayed as a value when not on Windows" do
-      allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
+      it "should support :manual as a value on Windows" do
+        allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
+        srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :manual)
+        expect(srv.should(:enable)).to eq(:manual)
+      end
 
-      expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed) }.to raise_error(
-        Puppet::Error,
-        /Setting enable to delayed is only supported on Microsoft Windows\./
-      )
+      it "should support :delayed as a value on Windows" do
+        allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
+
+        srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed)
+        expect(srv.should(:enable)).to eq(:delayed)
+      end
     end
   end
 
@@ -150,105 +165,24 @@ describe test_title, "when validating attribute values" do
       provider_class_with_logon_credentials = Puppet::Type.type(:service).provide(:simple) do
         has_features :manages_logon_credentials
         def logonpassword=(value) end
+        def logonaccount_insync?(current) end
       end
       allow(Puppet::Type.type(:service)).to receive(:defaultprovider).and_return(provider_class_with_logon_credentials)
     end
 
     describe "the 'logonaccount' property" do
-      it "should not be munged nor checked when not on Windows" do
-        allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
-        service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'NonWindowsUser')
+      let(:service) {Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser')}
 
-        expect { service }.not_to raise_error
-        expect(service[:logonaccount]).to eq('NonWindowsUser')
+      it "should let superclass implementation resolve insyncness when provider does not respond to the 'logonaccount_insync?' method" do
+        allow(service.provider).to receive(:respond_to?).with(:logonaccount_insync?).and_return(false)
+        expect(service.property(:logonaccount).insync?('myUser')).to eq(true)
       end
 
-      context "when on Windows", :if => Puppet::Util::Platform.windows? do
-        before do
-          allow(Puppet::Util::Windows::User).to receive(:password_is?).and_return(true)
-          allow(Puppet::Util::Windows::ADSI).to receive(:computer_name).and_return("myPC")
-          allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return('SeServiceLogonRight')
-        end
-
-        it "should fail when the `Log On As A Service` right is missing from given user" do
-          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
-          allow(Puppet::Util::Windows::User).to receive(:get_rights).with('myPC\\myUser').and_return("")
-
-          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.to raise_error(Puppet::Error, /"myPC\\myUser" is missing the 'Log On As A Service' right./)
-        end
-
-        it "should fail when the `Log On As A Service` right is set to denied for given user" do
-          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
-          allow(Puppet::Util::Windows::User).to receive(:get_rights).with('myPC\\myUser').and_return("SeDenyServiceLogonRight")
-
-          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.to raise_error(Puppet::Error, /"myPC\\myUser" has the 'Log On As A Service' right set to denied./)
-        end
-
-        it "should not fail when given user has the `Log On As A Service` right" do
-          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
-          allow(Puppet::Util::Windows::User).to receive(:get_rights).with('myPC\\myUser').and_return("SeServiceLogonRight")
-
-          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.not_to raise_error
-        end
-
-        it "should not fail when given user is a default system account even if the `Log On As A Service` right is missing" do
-          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser))
-          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).and_return(true)
-
-          expect(Puppet::Util::Windows::User).not_to receive(:get_rights)
-          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.not_to raise_error
-        end
-
-        ['LocalSystem', '.\LocalSystem', 'myPC\LocalSystem', 'lOcALsysTem'].each do |user_input|
-          it "should succesfully munge #{user_input} to 'LocalSystem'" do
-            service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => user_input)
-
-            expect { service }.not_to raise_error
-            expect(service[:logonaccount]).to eq('LocalSystem')
-          end
-        end
-
-        it "should succesfully munge local account" do
-          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
-          service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser')
-
-          expect { service }.not_to raise_error
-          expect(service[:logonaccount]).to eq('.\myUser')
-        end
-
-        it "should succesfully munge domain account" do
-          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("DomainUser", nil, nil, "myDomain", :SidTypeUser))
-          service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'DomainUser')
-
-          expect { service }.not_to raise_error
-          expect(service[:logonaccount]).to eq('myDomain\DomainUser')
-        end
-
-        it "should succesfully munge well known user" do
-          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeWellKnownGroup))
-          service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'LocalService')
-
-          expect { service }.not_to raise_error
-          expect(service[:logonaccount]).to eq('NT AUTHORITY\LOCAL SERVICE')
-        end
-
-        it "should succesfully munge a SID" do
-          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("NETWORK SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser))
-          service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'S-1-5-20')
-
-          expect { service }.not_to raise_error
-          expect(service[:logonaccount]).to eq('NT AUTHORITY\NETWORK SERVICE')
-        end
-
-        it "should fail when account is invalid" do
-          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(nil)
-          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'InvalidUser') }.to raise_error(Puppet::Error, /"InvalidUser" is not a valid account/)
-        end
-
-        it "should fail when sid type is not user or well known user" do
-          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("Administrators", nil, nil, "BUILTIN", :SidTypeAlias))
-          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'Administrators') }.to raise_error(Puppet::Error, /"Administrators" is not a valid account/)
-        end
+      it "should let provider resolve insyncness when provider responds to the 'logonaccount_insync?' method" do
+        allow(service.provider).to receive(:respond_to?).with(:logonaccount_insync?, any_args).and_return(true)
+        allow(service.provider).to receive(:logonaccount_insync?).and_return(false)
+        
+        expect(service.property(:logonaccount).insync?('myUser')).to eq(false)
       end
     end
 
@@ -258,7 +192,6 @@ describe test_title, "when validating attribute values" do
       end
 
       it "should default to empty string when only logonaccount is being managed" do
-        allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
         service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser')
 
         expect { service }.not_to raise_error
@@ -271,70 +204,8 @@ describe test_title, "when validating attribute values" do
       end
 
       it "should fail when logonpassword includes the ':' character" do
-        allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
         expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'my:Pass') }.to raise_error(Puppet::Error, /Passwords cannot include ':'/)
       end
-
-      it "should not further check the password against given account when not on Windows" do
-        allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
-        expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'myPass') }.not_to raise_error
-      end
-
-      context "when on Windows", :if => Puppet::Util::Platform.windows? do
-        before do
-          allow(Puppet::Util::Windows::ADSI).to receive(:computer_name).and_return("myPC")
-          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(name_to_principal_result)
-          allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return('SeServiceLogonRight')
-        end
-
-        it "should pass validation when given account is 'LocalSystem'" do
-          allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('LocalSystem').and_return(true)
-          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('LocalSystem').and_return(false)
-
-          expect(Puppet::Util::Windows::SID).not_to receive(:name_to_principal)
-          expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
-          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'LocalSystem') }.not_to raise_error
-        end
-
-        ['LOCAL SERVICE', 'NETWORK SERVICE', 'SYSTEM'].each do |predefined_local_account|
-          describe "when given account is #{predefined_local_account}" do
-            let(:name_to_principal_result) do
-              Puppet::Util::Windows::SID::Principal.new(predefined_local_account, nil, nil, "NT AUTHORITY", :SidTypeUser)
-            end
-
-            it "should pass validation" do
-              allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(predefined_local_account).and_return(false)
-              expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with(predefined_local_account).and_return(true)
-              expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with("NT AUTHORITY\\#{predefined_local_account}").and_return(true)
-
-              expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
-              expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => predefined_local_account) }.not_to raise_error
-            end
-          end
-        end
-
-        let(:name_to_principal_result) do
-          Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser)
-        end
-
-        describe "when given logonaccount is not a predefined local account" do
-          before do
-            allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('myUser').and_return(false)
-            allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('myUser').and_return(false)
-            allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('.\\myUser').and_return(false)
-          end
-
-          it "should pass validation if password is proven correct" do
-            allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myPass', '.').and_return(true)
-            expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'myPass') }.not_to raise_error
-          end
-
-          it "should not pass validation if password check fails" do
-            allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myWrongPass', '.').and_return(false)
-            expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'myWrongPass') }.to raise_error(Puppet::Error, /The given password is invalid for user '.\\myUser'/)
-          end
-        end
-      end
     end
   end