(PUP-11454) Enforce salt requirements for macOS versions 10.15+

AriaXLi · AriaXLi · commit a58001af8a4c · 2022-04-18T16:16:54.000-07:00
For macOS versions 10.15 and higher, it is required that the salt is 32 bytes.
user.rb was modified so the salt requirements were included.
directoryservice.rb was modified so the salt requirements are enforced.
should_allow_managed_macos_users_to_login.rb was modified so it would test on macOS versions 10 and higher, not just 11.
diff --git a/acceptance/tests/resource/user/should_allow_managed_macos_users_to_login.rb b/acceptance/tests/resource/user/should_allow_managed_macos_users_to_login.rb
@@ -35,8 +35,8 @@
       on(agent, "dscl /Local/Default -authonly testuser helloworld", :acceptable_exit_codes => 0)
     end
 
-    unless agent['platform'] =~ /osx-11/
-      skip_test "AuthenticationAuthority field fix test is not valid for macOS older than Big Sur (11.0)"
+    unless agent['platform'] =~ /^osx-1[1-9]/
+      skip_test "AuthenticationAuthority field fix test is not valid for macOS before Big Sur (11.0)"
     end
 
     # Setting up environment to mimic situation on macOS 11 BigSur
diff --git a/lib/puppet/provider/user/directoryservice.rb b/lib/puppet/provider/user/directoryservice.rb
@@ -401,6 +401,11 @@ def iterations=(value)
   # we have to treat the ds cache just like you would in the password=
   # method.
   def salt=(value)
+    if (Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.15') >= 0)
+      if value.length != 64
+        self.fail "macOS versions 10.15 and higher require the salt to be 32-bytes. Since Puppet's user resource requires the value to be hex encoded, the length of the salt's string must be 64. Please check your salt and try again."
+      end
+    end
     if (Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.7') > 0)
       assert_full_pbkdf2_password
 
diff --git a/lib/puppet/type/user.rb b/lib/puppet/type/user.rb
@@ -227,6 +227,9 @@ def change_to_s(currentvalue, newvalue)
         * OS X 10.8 and higher use salted SHA512 PBKDF2 hashes. When managing passwords
           on these systems, the `salt` and `iterations` attributes need to be specified as
           well as the password.
+        * macOS 10.15 and higher require the salt to be 32-bytes. Since Puppet's user 
+          resource requires the value to be hex encoded, the length of the salt's
+          string must be 64. 
         * Windows passwords can be managed only in cleartext, because there is no Windows
           API for setting the password hash.
 
