diff --git a/manifests/client/config.pp b/manifests/client/config.pp index 7f7cff4..5aa1f0f 100644 --- a/manifests/client/config.pp +++ b/manifests/client/config.pp @@ -1,20 +1,18 @@ class ssh::client::config { $options = $::ssh::client::merged_options $use_augeas = $::ssh::client::use_augeas if $use_augeas { - create_resources('ssh_config', $options) - } else { file { $ssh::params::ssh_config: ensure => present, owner => '0', group => '0', mode => '0644', content => template("${module_name}/ssh_config.erb"), require => Class['ssh::client::install'], } } } diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp index 6a2ef5e..04c1f81 100644 --- a/manifests/client/config/user.pp +++ b/manifests/client/config/user.pp 
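Review bot: Removing `create_resources('ssh_config', $options)` together with the `} else {` line leaves the `file { $ssh::params::ssh_config: ... }` resource inside `if $use_augeas { ... }`, so the client ssh_config is now managed only when augeas mode is selected and left unmanaged otherwise — the inverse of the previous branching, and inconsistent with `ssh::server::config` in this same commit, which still runs `create_resources('sshd_config', ...)` under `use_augeas` and the concat resource in the `else`. If augeas support is being dropped for the client, the `if $use_augeas {` guard and its closing brace should go too so the file resource is unconditional; if it is kept, the guard should read `unless $use_augeas {`. Separately, this file resource keeps `owner => '0'` / `group => '0'` as strings while `manifests/server/config.pp` and `manifests/server/host_key.pp` in this commit switch to bare `0`; using `owner => 0,` / `group => 0,` here would keep the module consistent.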
@@ -1,60 +1,56 @@ # # Copyright (c) IN2P3 Computing Centre, IN2P3, CNRS # Contributor: Remi Ferrand (2015) # Contributor: Tim Meusel (2017) # define ssh::client::config::user( Enum['present', 'absent'] $ensure = present, Optional[Stdlib::Absolutepath] $target = undef, Optional[Stdlib::Absolutepath] $user_home_dir = undef, Boolean $manage_user_ssh_dir = true, Hash $options = {}, String[1] $user = $name, -) -{ - +) { include ::ssh::params # If a specific target file was specified, # it must have higher priority than any # other parameter. if ($target != undef) { $_target = $target - } - else { + } else { if ($user_home_dir == undef) { $_user_home_dir = "/home/${user}" - } - else { + } else { $_user_home_dir = $user_home_dir } $user_ssh_dir = "${_user_home_dir}/.ssh" $_target = "${user_ssh_dir}/config" if ($manage_user_ssh_dir == true) { unless defined(File[$user_ssh_dir]) { file { $user_ssh_dir: ensure => directory, owner => $user, mode => $::ssh::params::user_ssh_directory_default_mode, before => Concat_file[$_target], } } } } unless defined(Concat_file[$_target]) { - concat_file{$_target: + concat_file { $_target: ensure => $ensure, owner => $user, mode => $::ssh::params::user_ssh_config_default_mode, tag => $name, } } - concat_fragment{$name: + concat_fragment { $name: tag => $name, content => template("${module_name}/ssh_config.erb"), target => $_target, } } diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp index 3ffdbe4..19c9213 100644 --- a/manifests/knownhosts.pp +++ b/manifests/knownhosts.pp @@ -1,12 +1,12 @@ class ssh::knownhosts( Boolean $collect_enabled = $ssh::params::collect_enabled, Optional[String] $storeconfigs_group = undef, ) inherits ssh::params { if ($collect_enabled) { if $storeconfigs_group { - Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>> + Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>> } else { Sshkey <<| |>> } } } diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 4be65ae..1236c2e 100644 
--- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -1,48 +1,48 @@ class ssh::server::config { $options = $::ssh::server::merged_options case $ssh::server::validate_sshd_file { true: { $sshd_validate_cmd = '/usr/sbin/sshd -tf %' } default: { $sshd_validate_cmd = undef } } if $::ssh::server::use_augeas { create_resources('sshd_config', $options) } else { concat { $ssh::params::sshd_config: ensure => present, - owner => '0', - group => '0', + owner => 0, + group => 0, mode => '0600', validate_cmd => $sshd_validate_cmd, notify => Service[$ssh::params::service_name], } concat::fragment { 'global config': target => $ssh::params::sshd_config, content => template("${module_name}/sshd_config.erb"), order => '00', } } if $::ssh::server::use_issue_net { file { $ssh::params::issue_net: ensure => present, owner => 0, group => 0, mode => '0644', content => template("${module_name}/issue.net.erb"), notify => Service[$ssh::params::service_name], } concat::fragment { 'banner file': target => $ssh::params::sshd_config, content => "Banner ${ssh::params::issue_net}\n", order => '01', } } } diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp index 217ede8..0f01acc 100644 --- a/manifests/server/host_key.pp +++ b/manifests/server/host_key.pp 
@@ -1,151 +1,151 @@ # == Define: ssh::server::host_key # # This module install a ssh host key in the server (basically, it is # a file resource but it also notifies to the ssh service) # # Important! This define does not modify any option in sshd_config, so # you have to manually define the HostKey option in the server options # if you haven't done yet. # # == Parameters # # [*ensure*] # Set to 'absent' to remove host_key files # # [*public_key_source*] # Sets the content of the source parameter for the public key file # Note public_key_source and public_key_content are mutually exclusive. # # [*public_key_content*] # Sets the content for the public key file. # Note public_key_source and public_key_content are mutually exclusive. # # [*private_key_source*] # Sets the content of the source parameter for the private key file # Note private_key_source and private_key_content are mutually exclusive. # # [*private_key_content*] # Sets the content for the private key file. # Note private_key_source and private_key_content are mutually exclusive. # # [*certificate_source*] # Sets the content of the source parameter for the host key certificate. # Note certificate_source and certificate_content are mutually exclusive. # # [*certificate_content*] # Sets the content for the host key certificate. # Note certificate_source and certificate_content are mutually exclusive. 
# define ssh::server::host_key ( $ensure = 'present', $public_key_source = '', $public_key_content = '', $private_key_source = '', $private_key_content = '', $certificate_source = '', $certificate_content = '', ) { # Ensure the ssh::server class is included in the manifest include ::ssh::server if $public_key_source == '' and $public_key_content == '' and $ensure == 'present' { fail('You must provide either public_key_source or public_key_content parameter') } if $private_key_source == '' and $private_key_content == '' and $ensure == 'present' { fail('You must provide either private_key_source or private_key_content parameter') } $manage_pub_key_content = $public_key_source ? { '' => $public_key_content, default => undef, } $manage_pub_key_source = $public_key_source ? { '' => undef, default => $public_key_source, } $manage_priv_key_content = $private_key_source ? { '' => $private_key_content, default => undef, } $manage_priv_key_source = $private_key_source ? { '' => undef, default => $private_key_source, } $manage_cert_content = $certificate_source ? { '' => $certificate_content, default => undef, } $manage_cert_source = $certificate_source ? 
{ '' => undef, default => $certificate_source, } if $ensure == 'present' { file {"${name}_pub": ensure => $ensure, - owner => 'root', - group => 'root', + owner => 0, + group => 0, mode => '0644', path => "${::ssh::params::sshd_dir}/${name}.pub", source => $manage_pub_key_source, content => $manage_pub_key_content, notify => Class['ssh::server::service'], } file {"${name}_priv": ensure => $ensure, - owner => 'root', + owner => 0, group => $::ssh::params::host_priv_key_group, mode => '0600', path => "${::ssh::params::sshd_dir}/${name}", source => $manage_priv_key_source, content => $manage_priv_key_content, notify => Class['ssh::server::service'], } } else { file {"${name}_pub": ensure => $ensure, - owner => 'root', - group => 'root', + owner => 0, + group => 0, mode => '0644', path => "${::ssh::params::sshd_dir}/${name}.pub", notify => Class['ssh::server::service'], } file {"${name}_priv": ensure => $ensure, - owner => 'root', + owner => 0, group => $::ssh::params::host_priv_key_group, mode => '0600', path => "${::ssh::params::sshd_dir}/${name}", notify => Class['ssh::server::service'], } } if !empty($certificate_source) or !empty($certificate_content) { if $ensure == 'present' { file {"${name}_cert": ensure => $ensure, - owner => 'root', - group => 'root', + owner => 0, + group => 0, mode => '0644', path => "${::ssh::params::sshd_dir}/${name}-cert.pub", source => $manage_cert_source, content => $manage_cert_content, notify => Class['ssh::server::service'], } } else { file {"${name}_cert": ensure => $ensure, - owner => 'root', - group => 'root', + owner => 0, + group => 0, mode => '0644', path => "${::ssh::params::sshd_dir}/${name}-cert.pub", notify => Class['ssh::server::service'], } } } } diff --git a/spec/defines/server/host_key_spec.rb b/spec/defines/server/host_key_spec.rb index 7cb50aa..108c701 100644 --- a/spec/defines/server/host_key_spec.rb +++ b/spec/defines/server/host_key_spec.rb 
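Review bot: The `${name}_priv` resource in the `$ensure == 'present'` branch now sets `owner => 0` but still relies on the file type's defaults for `show_diff` and `backup`, so a change to `private_key_content` makes the agent log a diff of the old and new key material (which can end up in agent output and reports) and copies the previous private key into the filebucket. Since this resource carries secret material, add `show_diff => false,` and `backup => false,` next to `mode => '0600',` in that resource; the `_pub` and `_cert` resources hold public data and can keep the defaults. The owner/group change itself is consistent with the `concat` resource in `ssh::server::config`; the private key's `group => $::ssh::params::host_priv_key_group` is intentionally left as is.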
@@ -1,175 +1,175 @@ require 'spec_helper' describe 'ssh::server::host_key', type: :define do let :title do 'something' end let(:pre_condition) { 'class {"::ssh::params": }' } let :facts do { osfamily: 'RedHat', operatingsystemmajrelease: '6', concat_basedir: '/tmp', puppetversion: '3.7.0', sshdsakey: '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', sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', sshed25519key: '', id: 'root', is_pe: false, path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' } end describe 'with public_key_content, private_key_content and certificate_content' do let :params do { public_key_content: 'abc', private_key_content: 'bcd', certificate_content: 'cde' } end it do is_expected.to contain_file('something_pub'). with_content('abc'). with_ensure('present'). - with_owner('root'). - with_group('root'). + with_owner(0). + with_group(0). with_mode('0644'). with_path('/etc/ssh/something.pub') is_expected.to contain_file('something_priv'). with_content('bcd'). with_ensure('present'). - with_owner('root'). + with_owner(0). with_group('root'). with_mode('0600'). with_path('/etc/ssh/something') is_expected.to contain_file('something_cert'). with_content('cde'). with_ensure('present'). - with_owner('root'). - with_group('root'). + with_owner(0). + with_group(0). with_mode('0644'). 
with_path('/etc/ssh/something-cert.pub') end end describe 'with public_key_content and private_key_content' do let :params do { public_key_content: 'abc', private_key_content: 'bcd' } end it do is_expected.to contain_file('something_pub'). with_content('abc'). with_ensure('present'). - with_owner('root'). - with_group('root'). + with_owner(0). + with_group(0). with_mode('0644'). with_path('/etc/ssh/something.pub') is_expected.to contain_file('something_priv'). with_content('bcd'). with_ensure('present'). - with_owner('root'). + with_owner(0). with_group('root'). with_mode('0600'). with_path('/etc/ssh/something') is_expected.not_to contain_file('something_cert') end end describe 'with *_key_content and *_key_source, *_key_source takes precedence' do let :params do { public_key_content: 'abc', public_key_source: 'a', private_key_content: 'bcd', private_key_source: 'b' } end it do is_expected.to contain_file('something_pub'). without_content. with_source('a'). with_ensure('present'). - with_owner('root'). - with_group('root'). + with_owner(0). + with_group(0). with_mode('0644'). with_path('/etc/ssh/something.pub') is_expected.to contain_file('something_priv'). without_content. with_source('b'). with_ensure('present'). - with_owner('root'). + with_owner(0). with_group('root'). with_mode('0600'). 
with_path('/etc/ssh/something') is_expected.not_to contain_file('something_cert') end end describe 'with private_key_content and no public_key_content' do let :params do { private_key_content: 'bcd' } end it 'fails' do expect do is_expected.to compile end.to raise_error(%r{You must provide either public_key_source or public_key_content parameter}) end end describe 'with public_key_content and no private_key_content' do let :params do { public_key_content: 'abc' } end it 'fails' do expect do is_expected.to compile end.to raise_error(%r{You must provide either private_key_source or private_key_content parameter}) end end describe 'with private_key_source and no public_key_source' do let :params do { private_key_source: 'bcd' } end it 'fails' do expect do is_expected.to compile end.to raise_error(%r{You must provide either public_key_source or public_key_content parameter}) end end describe 'with public_key_source and no private_key_source' do let :params do { public_key_source: 'abc' } end it 'fails' do expect do is_expected.to compile end.to raise_error(%r{You must provide either private_key_source or private_key_content parameter}) end end end # vim: tabstop=2 shiftwidth=2 softtabstop=2
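Review bot: The updated `with_owner(0)` / `with_group(0)` assertions only cover the `ensure => 'present'` resources, while the `ensure => 'absent'` branch of `ssh::server::host_key`, whose `_pub`, `_priv` and `_cert` resources received the same `'root'` to `0` change, has no example in this spec, so half of the change is untested. A describe block with `ensure: 'absent'` (no key content is required, since the `fail` checks only apply when `$ensure == 'present'`) that asserts `with_ensure('absent').with_owner(0)` on `something_pub` and `something_priv` would cover it; a sketch follows. The `something_priv` examples still expecting `with_group('root')` are correct, as that group comes from `$::ssh::params::host_priv_key_group`, not from this change.
```ruby
# … unchanged: existing describe blocks …
describe 'with ensure absent' do
  let :params do
    { ensure: 'absent' }
  end

  it do
    is_expected.to contain_file('something_pub').
      with_ensure('absent').
      with_owner(0).
      with_group(0).
      with_path('/etc/ssh/something.pub')
    is_expected.to contain_file('something_priv').
      with_ensure('absent').
      with_owner(0).
      with_path('/etc/ssh/something')
    is_expected.not_to contain_file('something_cert')
  end
end
```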