Merge pull request #8900 from AriaXLi/PUP-11454

(PUP-11454) Enforce salt requirements for macOS versions 10.15+

Author: AriaXLi

acceptance/tests/resource/user/should_allow_managed_macos_users_to_login.rb

@@ -35,8 +35,8 @@
       on(agent, "dscl /Local/Default -authonly testuser helloworld", :acceptable_exit_codes => 0)
     end
 
-    unless agent['platform'] =~ /osx-11/
-      skip_test "AuthenticationAuthority field fix test is not valid for macOS older than Big Sur (11.0)"
+    unless agent['platform'] =~ /^osx-1[1-9]/
+      skip_test "AuthenticationAuthority field fix test is not valid for macOS before Big Sur (11.0)"
     end
 
     # Setting up environment to mimic situation on macOS 11 BigSur

lib/puppet/provider/user/directoryservice.rb

@@ -401,6 +401,11 @@ def iterations=(value)
   # we have to treat the ds cache just like you would in the password=
   # method.
   def salt=(value)
+    if (Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.15') >= 0)
+      if value.length != 64
+        self.fail "macOS versions 10.15 and higher require the salt to be 32-bytes. Since Puppet's user resource requires the value to be hex encoded, the length of the salt's string must be 64. Please check your salt and try again."
+      end
+    end
     if (Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.7') > 0)
       assert_full_pbkdf2_password
 

lib/puppet/type/user.rb

@@ -227,6 +227,9 @@ def change_to_s(currentvalue, newvalue)
         * OS X 10.8 and higher use salted SHA512 PBKDF2 hashes. When managing passwords
           on these systems, the `salt` and `iterations` attributes need to be specified as
           well as the password.
+        * macOS 10.15 and higher require the salt to be 32-bytes. Since Puppet's user 
+          resource requires the value to be hex encoded, the length of the salt's
+          string must be 64. 
         * Windows passwords can be managed only in cleartext, because there is no Windows
           API for setting the password hash.