6 files changed, 84 insertions, 23 deletions

diff --git a/lib/puppet/provider/nameservice.rb b/lib/puppet/provider/nameservice.rb
index 7339b646e..9830fab54 100644
--- a/lib/puppet/provider/nameservice.rb
+++ b/lib/puppet/provider/nameservice.rb
@@ -165,6 +165,7 @@ class Puppet::Provider::NameService < Puppet::Provider
 
     begin
       execute(self.addcmd)
+      execute(self.passcmd) if self.feature? :manages_password_age
     rescue Puppet::ExecutionFailure => detail
       raise Puppet::Error, "Could not create #{@resource.class.name} #{@resource.name}: #{detail}"
     end
diff --git a/lib/puppet/provider/nameservice/objectadd.rb b/lib/puppet/provider/nameservice/objectadd.rb
index 80c142982..dbb9f306f 100644
--- a/lib/puppet/provider/nameservice/objectadd.rb
+++ b/lib/puppet/provider/nameservice/objectadd.rb
@@ -13,7 +13,8 @@ class ObjectAdd < Puppet::Provider::NameService
   end
 
   def modifycmd(param, value)
-    cmd = [command(:modify), flag(param), value]
+    cmd = [command(param.to_s =~ /password_.+_age/ ? :password : :modify)]
+    cmd << flag(param) << value
     if @resource.allowdupe? && ((param == :uid) || (param == :gid and self.class.name == :groupadd))
       cmd << "-o"
     end
diff --git a/lib/puppet/provider/service/launchd.rb b/lib/puppet/provider/service/launchd.rb
index 970359539..b296e0a38 100644
--- a/lib/puppet/provider/service/launchd.rb
+++ b/lib/puppet/provider/service/launchd.rb
@@ -38,6 +38,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
 
   commands :launchctl => "/bin/launchctl"
   commands :sw_vers => "/usr/bin/sw_vers"
+  commands :plutil => "/usr/bin/plutil"
 
   defaultfor :operatingsystem => :darwin
   confine :operatingsystem => :darwin
@@ -52,6 +53,12 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
   Launchd_Overrides = "/var/db/launchd.db/com.apple.launchd/overrides.plist"
 
 
+  # Read a plist, whether its format is XML or in Apple's "binary1"
+  # format.
+  def self.read_plist(path)
+    Plist::parse_xml(plutil('-convert', 'xml1', '-o', '-', path))
+  end
+
   # returns a label => path map for either all jobs, or just a single
   # job if the label is specified
   def self.jobsearch(label=nil)
@@ -62,8 +69,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
           next if f =~ /^\..*$/
           next if FileTest.directory?(f)
           fullpath = File.join(path, f)
-          job = Plist::parse_xml(fullpath)
-          if job and job.has_key?("Label")
+          if FileTest.file?(fullpath) and job = read_plist(fullpath) and job.has_key?("Label")
             if job["Label"] == label
               return { label => fullpath }
             else
@@ -118,8 +124,11 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
   def plist_from_label(label)
     job = self.class.jobsearch(label)
     job_path = job[label]
-    job_plist = Plist::parse_xml(job_path)
-    raise Puppet::Error.new("Unable to parse launchd plist at path: #{job_path}") if not job_plist
+    if FileTest.file?(job_path)
+      job_plist = self.class.read_plist(job_path)
+    else
+      raise Puppet::Error.new("Unable to parse launchd plist at path: #{job_path}")
+    end
     [job_path, job_plist]
   end
 
@@ -200,9 +209,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
     job_plist_disabled = job_plist["Disabled"] if job_plist.has_key?("Disabled")
 
     if self.class.get_macosx_version_major == "10.6":
-      overrides = Plist::parse_xml(Launchd_Overrides)
-
-      unless overrides.nil?
+      if FileTest.file?(Launchd_Overrides) and overrides = self.class.read_plist(Launchd_Overrides)
         if overrides.has_key?(resource[:name])
           overrides_disabled = overrides[resource[:name]]["Disabled"] if overrides[resource[:name]].has_key?("Disabled")
         end
@@ -227,7 +234,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
   # versions this is stored in the job plist itself.
   def enable
     if self.class.get_macosx_version_major == "10.6"
-      overrides = Plist::parse_xml(Launchd_Overrides)
+      overrides = self.class.read_plist(Launchd_Overrides)
       overrides[resource[:name]] = { "Disabled" => false }
       Plist::Emit.save_plist(overrides, Launchd_Overrides)
     else
@@ -242,7 +249,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
 
   def disable
     if self.class.get_macosx_version_major == "10.6"
-      overrides = Plist::parse_xml(Launchd_Overrides)
+      overrides = self.class.read_plist(Launchd_Overrides)
       overrides[resource[:name]] = { "Disabled" => true }
       Plist::Emit.save_plist(overrides, Launchd_Overrides)
     else
diff --git a/lib/puppet/provider/user/hpux.rb b/lib/puppet/provider/user/hpux.rb
index 50506c4cd..983970935 100644
--- a/lib/puppet/provider/user/hpux.rb
+++ b/lib/puppet/provider/user/hpux.rb
@@ -26,5 +26,4 @@ Puppet::Type.type(:user).provide :hpuxuseradd, :parent => :useradd do
   def modifycmd(param,value)
     super.insert(1,"-F")
   end
-
 end
diff --git a/lib/puppet/provider/user/user_role_add.rb b/lib/puppet/provider/user/user_role_add.rb
index c13125925..7e7ad78e5 100644
--- a/lib/puppet/provider/user/user_role_add.rb
+++ b/lib/puppet/provider/user/user_role_add.rb
@@ -6,13 +6,15 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
 
   defaultfor :operatingsystem => :solaris
 
-  commands :add => "useradd", :delete => "userdel", :modify => "usermod", :role_add => "roleadd", :role_delete => "roledel", :role_modify => "rolemod"
+  commands :add => "useradd", :delete => "userdel", :modify => "usermod", :password => "chage", :role_add => "roleadd", :role_delete => "roledel", :role_modify => "rolemod"
   options :home, :flag => "-d", :method => :dir
   options :comment, :method => :gecos
   options :groups, :flag => "-G"
   options :roles, :flag => "-R"
   options :auths, :flag => "-A"
   options :profiles, :flag => "-P"
+  options :password_min_age, :flag => "-m"
+  options :password_max_age, :flag => "-M"
 
   verify :gid, "GID must be an integer" do |value|
     value.is_a? Integer
@@ -22,14 +24,14 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
     value !~ /\s/
   end
 
-  has_features :manages_homedir, :allows_duplicates, :manages_solaris_rbac, :manages_passwords
+  has_features :manages_homedir, :allows_duplicates, :manages_solaris_rbac, :manages_passwords, :manages_password_age
 
   #must override this to hand the keyvalue pairs
   def add_properties
     cmd = []
     Puppet::Type.type(:user).validproperties.each do |property|
       #skip the password because we can't create it with the solaris useradd
-      next if [:ensure, :password].include?(property)
+      next if [:ensure, :password, :password_min_age, :password_max_age].include?(property)
       # 1680 Now you can set the hashed passwords on solaris:lib/puppet/provider/user/user_role_add.rb
       # the value needs to be quoted, mostly because -c might
       # have spaces in it
@@ -79,6 +81,7 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
       run(transition("normal"), "transition role to")
     else
       run(addcmd, "create")
+      run(passcmd, "change password policy for")
     end
     # added to handle case when password is specified
     self.password = @resource[:password] if @resource[:password]
@@ -140,14 +143,23 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
     run([command(:modify)] + build_keys_cmd(keys_hash) << @resource[:name], "modify attribute key pairs")
   end
 
-  #Read in /etc/shadow, find the line for this user (skipping comments, because who knows) and return the hashed pw (the second entry)
+  #Read in /etc/shadow, find the line for this user (skipping comments, because who knows) and return it
   #No abstraction, all esoteric knowledge of file formats, yay
+  def shadow_entry
+    return @shadow_entry if defined? @shadow_entry
+    @shadow_entry = File.readlines("/etc/shadow").reject { |r| r =~ /^[^\w]/ }.collect { |l| l.chomp.split(':') }.find { |user, _| user == @resource[:name] }
+  end
+
   def password
-    #got perl?
-    if ary = File.readlines("/etc/shadow").reject { |r| r =~ /^[^\w]/}.collect { |l| l.split(':')[0..1] }.find { |user, passwd| user == @resource[:name] }
-      pass = ary[1]
-    end
-    pass
+    shadow_entry[1] if shadow_entry
+  end
+
+  def min_age
+    shadow_entry ? shadow_entry[3] : :absent
+  end
+
+  def max_age
+    shadow_entry ? shadow_entry[4] : :absent
   end
 
   #Read in /etc/shadow, find the line for our used and rewrite it with the new pw
diff --git a/lib/puppet/provider/user/useradd.rb b/lib/puppet/provider/user/useradd.rb
index 7ef217d9e..9a62db464 100644
--- a/lib/puppet/provider/user/useradd.rb
+++ b/lib/puppet/provider/user/useradd.rb
@@ -3,11 +3,13 @@ require 'puppet/provider/nameservice/objectadd'
 Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameService::ObjectAdd do
   desc "User management via `useradd` and its ilk.  Note that you will need to install the `Shadow Password` Ruby library often known as ruby-libshadow to manage user passwords."
 
-  commands :add => "useradd", :delete => "userdel", :modify => "usermod"
+  commands :add => "useradd", :delete => "userdel", :modify => "usermod", :password => "chage"
 
   options :home, :flag => "-d", :method => :dir
   options :comment, :method => :gecos
   options :groups, :flag => "-G"
+  options :password_min_age, :flag => "-m"
+  options :password_max_age, :flag => "-M"
 
   verify :gid, "GID must be an integer" do |value|
     value.is_a? Integer
@@ -17,9 +19,9 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     value !~ /\s/
   end
 
-  has_features :manages_homedir, :allows_duplicates
+  has_features :manages_homedir, :allows_duplicates, :manages_expiry
 
-  has_feature :manages_passwords if Puppet.features.libshadow?
+  has_features :manages_passwords, :manages_password_age if Puppet.features.libshadow?
 
   def check_allow_dup
     @resource.allowdupe? ? ["-o"] : []
@@ -35,10 +37,20 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     cmd
   end
 
+  def check_manage_expiry
+    cmd = []
+    if @resource[:expiry]
+      cmd << "-e #{@resource[:expiry]}"
+    end
+
+    cmd
+  end
+
   def add_properties
     cmd = []
     Puppet::Type.type(:user).validproperties.each do |property|
       next if property == :ensure
+      next if property.to_s =~ /password_.+_age/
       # the value needs to be quoted, mostly because -c might
       # have spaces in it
       if value = @resource.should(property) and value != ""
@@ -53,9 +65,38 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     cmd += add_properties
     cmd += check_allow_dup
     cmd += check_manage_home
+    cmd += check_manage_expiry
     cmd << @resource[:name]
   end
 
+  def passcmd
+    cmd = [command(:password)]
+    [:password_min_age, :password_max_age].each do |property|
+      if value = @resource.should(property)
+        cmd << flag(property) << value
+      end
+    end
+    cmd << @resource[:name]
+  end
+
+  def min_age
+    if Puppet.features.libshadow?
+      if ent = Shadow::Passwd.getspnam(@resource.name)
+        return ent.sp_min
+      end
+    end
+    :absent
+  end
+
+  def max_age
+    if Puppet.features.libshadow?
+      if ent = Shadow::Passwd.getspnam(@resource.name)
+        return ent.sp_max
+      end
+    end
+    :absent
+  end
+
   # Retrieve the password using the Shadow Password library
   def password
     if Puppet.features.libshadow?