First real commit

README.md

@@ -0,0 +1,20 @@
+This is a type and provider to manage mechanisms in the `system.login.console` section of macOS' authorization database. Why might you want to use this? Let's say you're deploying an authorization plugin, such as [Crypt](https://github.com/grahamgilbert/crypt2) and you upgrade to an unreleased version of macOS. You may find that your `system.login.console` right has been reset to it's default state and your authorization plugins won't run. This clearly is a bad thing.
+
+## Usage
+
+``` puppet
+authpluginmech { 'Crypt:Check,privileged':
+    ensure       => 'present',
+    insert_after => 'MCXMechanism:login'
+}
+```
+
+In this example, the namevar is the mechanism you wish to add in. We have told it to insert it after `MCXMechanism:login` (as the mechanisms are called in order, so this matters). You can also explicitly set the mechanism.
+
+``` puppet
+authpluginmech { 'My Awesome mech:
+    ensure       => 'present',
+    entry        => 'Crypt:Check,privileged',
+    insert_after => 'MCXMechanism:login'
+}
+```

lib/puppet/provider/authpluginmech/ruby.rb

@@ -0,0 +1,107 @@
+require 'puppet/util/package'
+require 'puppet/util/execution'
+require 'tempfile'
+Puppet::Type.type(:authpluginmech).provide(:ruby) do
+
+    commands :security => '/usr/bin/security'
+
+    def get_auth_plist
+        begin
+            output = security(['authorizationdb', 'read', 'system.login.console'])
+        rescue Puppet::ExecutionFailure => e
+            Puppet.debug "#get_auth_plist had an error -> #{e.inspect}"
+            return {}
+        end
+        return Puppet::Util::Plist.parse_plist(output)
+    end
+
+    def write_db(plist)
+        input_plist = Puppet::Util::Plist.dump_plist(plist, :xml)
+        file = Tempfile.new('input_plist')
+        file.write(input_plist)
+        file.close
+        Puppet::Util::Execution.execute(['/usr/bin/security', 'authorizationdb', 'write', 'system.login.console'], :stdinfile => file.path)
+        file.unlink
+    end
+
+    def in_plist(plist)
+        if plist['mechanisms'].include? resource[:entry]
+            Puppet.debug "#in_plist returning true"
+            return true
+        else
+            Puppet.debug "#in_plist returning true"
+            return false
+        end
+    end
+
+    def remove_mech
+        plist = get_auth_plist()
+        plist['mechanisms'].each {|mech|
+            if mech == resource[:entry]
+                Puppet.debug "#remove_mech removing #{mech}"
+                plist['mechanisms'].delete(resource[:entry])
+                break
+            end
+        }
+        write_db(plist)
+    end
+
+    def add_mech
+        plist = get_auth_plist()
+        if resource[:insert_after] == :none
+            plist['mechanisms'] = [resource[:entry]] + plist['mechanisms']
+        else
+            plist['mechanisms'].each_with_index {|mech, index|
+                if mech == resource[:insert_after]
+                    plist['mechanisms'].insert(index+1, resource[:entry])
+                    break
+                end
+            }
+        end
+        write_db(plist)
+    end
+
+    def set_value(value=nil)
+        # first make sure it's not in the list if it is already
+        plist = get_auth_plist()
+        if in_plist(plist)
+            remove_mech()
+        end
+
+        add_mech()
+    end
+
+    def exists?
+        plist = get_auth_plist()
+        return in_plist(plist)
+    end
+
+    def create
+        set_value()
+    end
+
+    def destroy
+        remove_mech()
+    end
+
+    def insert_after
+        plist = get_auth_plist()
+        if resource[:insert_after] == :none
+            if plist['mechanisms'][0] == resource[:entry]
+                return :none
+            else
+                return plist['mechanisms'][0]
+            end
+        else
+            plist['mechanisms'].each_with_index { |mech, index|
+                if mech == resource[:entry]
+                    return plist['mechanisms'][index-1]
+                end
+            }
+        end
+    end
+
+    def insert_after=(value)
+        set_value(value)
+    end
+end

lib/puppet/type/authpluginmech.rb

@@ -0,0 +1,23 @@
+Puppet::Type.newtype(:authpluginmech) do
+    @doc = %q{Creates an entry in
+    system.login.console
+
+    Example:
+
+        authpluginmech {'mymech':
+          ensure       => present,
+          entry        => 'Crypt:Check,privileged',
+          insert_after => 'CryptoTokenKit:login'
+        }
+    }
+    ensurable
+
+      newparam(:entry, :namevar => true) do
+        desc "The mechanism you want to apply."
+      end
+
+      newproperty(:insert_after) do
+        desc "The entry we want to insert our entry after. Entry will be first if undefined."
+        defaultto :none
+      end
+end

manifests/init.pp

@@ -0,0 +1,3 @@
+class authpluginmech {
+
+}

testing/site.pp

@@ -0,0 +1,22 @@
+node default {
+    # Going to have a bad time without crypt installed
+    package { 'crypt-2.0.0.28':
+        ensure   => 'installed',
+        provider => 'pkgdmg',
+        source   => 'https://github.com/grahamgilbert/crypt2/releases/download/2.0.0.28/Crypt-2.0.0.28.pkg'
+    }
+
+    authpluginmech { 'Crypt:Check,privileged':
+        ensure       => 'present',
+        insert_after => 'MCXMechanism:login'
+    } ->
+    authpluginmech { 'Crypt:CryptGUI':
+        ensure       => 'present',
+        insert_after => 'Crypt:Check,privileged'
+    } ->
+    authpluginmech { 'My awesome mech':
+        ensure       => 'present',
+        entry        => 'Crypt:Enablement,privileged',
+        insert_after => 'Crypt:CryptGUI'
+    }
+}