diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp
index 3bd2e90..f766281 100644
--- a/manifests/hostkeys.pp
+++ b/manifests/hostkeys.pp
@@ -1,44 +1,45 @@
 # Class ssh::hostkeys class ssh::hostkeys( Boolean $export_ipaddresses = true, Optional[String] $storeconfigs_group = undef, Array $extra_aliases = [], Array $exclude_interfaces = [], Array $exclude_ipaddresses = [], ) { if $export_ipaddresses == true {
- $ipaddresses_real = delete(ipaddresses($exclude_interfaces), $exclude_ipaddresses)
+ $ipaddresses = ipaddresses($exclude_interfaces)
+ $ipaddresses_real = $ipaddresses - $exclude_ipaddresses
 $host_aliases = unique(flatten([ $::fqdn, $::hostname, $extra_aliases, $ipaddresses_real ])) } else { $host_aliases = unique(flatten([ $::fqdn, $::hostname, $extra_aliases])) } if $storeconfigs_group { tag 'hostkey_all', "hostkey_${storeconfigs_group}" } ['dsa', 'rsa', 'ecdsa', 'ed25519'].each |String $key_type| { # can be removed as soon as we drop support for puppet 4 # see https://tickets.puppetlabs.com/browse/FACT-1377?jql=project%20%3D%20FACT%20AND%20fixVersion%20%3D%20%22FACT%203.12.0%22 if $key_type == 'ecdsa' { $key_type_real = 'ecdsa-sha2-nistp256' } else { $key_type_real = $key_type } if $key_type in $facts['ssh'] { @@sshkey { "${::fqdn}_${key_type}": ensure => present, host_aliases => $host_aliases, type => $key_type_real, key => $facts['ssh'][$key_type]['key'], } } else { @@sshkey { "${::fqdn}_${key_type}": ensure => absent, type => $key_type_real, } } } }
diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb
index 6852e48..6dd1433 100644
--- a/spec/classes/client_spec.rb
+++ b/spec/classes/client_spec.rb
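Review bot: The subtraction on the new `$ipaddresses_real = $ipaddresses - $exclude_ipaddresses` line removes only entries that equal an element of `$exclude_ipaddresses` as a whole value, so an address written in a different but equivalent form (a compressed versus expanded IPv6 address, or one carrying a prefix length) stays in `$host_aliases` and is exported with the `@@sshkey` resources without any error. `ipaddresses()` is defined outside this diff, so the format it returns cannot be confirmed from here. I would document the contract above the line, e.g. `# exact-match removal: list addresses exactly as ipaddresses() reports them`, and tighten the parameter to `Array[String] $exclude_ipaddresses = [],` so a nested array or non-string entry fails at compile time instead of being ignored.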
@@ -1,31 +1,31 @@
 require 'spec_helper' describe 'ssh::client', type: 'class' do context 'when on Debian with no other parameters' do let :facts do {
- osfamily: 'Debian',
+ osfamily: 'Debian'
 } end it do is_expected.to contain_package('openssh-client').with(ensure: 'present') end end context 'when on Debian with custom ensure' do let :facts do {
- osfamily: 'Debian',
+ osfamily: 'Debian'
 } end let :params do { ensure: 'latest' } end it do is_expected.to contain_package('openssh-client').with(ensure: 'latest') end end end
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 4f2b46b..e2a36b5 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -1,62 +1,62 @@
 require 'spec_helper' describe 'ssh', type: 'class' do context 'when on Debian with no other parameters' do let :facts do {
- osfamily: 'Debian',
+ osfamily: 'Debian'
 } end it do is_expected.to contain_class('ssh::client') end it do is_expected.to contain_class('ssh::server') end it do is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) end it do is_expected.to contain_resources('sshkey').with_purge(true) end context 'when on Debian with the validate_sshd_file setting' do let :facts do {
- osfamily: 'Debian',
+ osfamily: 'Debian'
 } end let :params do { validate_sshd_file: true } end it do is_expected.to contain_class('ssh::client') end it do is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd('/usr/sbin/sshd -tf %') end end end standard_facts = {
- osfamily: 'Debian',
+ osfamily: 'Debian'
 } context 'When on Debian without resource purging' do let :facts do standard_facts end let :params do { 'purge_unmanaged_sshkeys' => false } end it do is_expected.not_to contain_resources('sshkey') end end end
diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb
index 0e3c59c..09cae7b 100644
--- a/spec/classes/server_spec.rb
+++ b/spec/classes/server_spec.rb
@@ -1,145 +1,145 @@
 require 'spec_helper' describe 'ssh::server' do let :default_params do { ensure: 'present', storeconfigs_enabled: true } end describe 'providing options' do let :params do { options: { 'TestString' => '/usr/bin', 'TestBoolean' => true } } end let :facts do { osfamily: 'RedHat',
- operatingsystemmajrelease: '6',
+ operatingsystemmajrelease: '6'
 } end it do is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', content: '# File is managed by Puppet AcceptEnv LANG LC_* ChallengeResponseAuthentication no PrintMotd no Subsystem sftp /usr/libexec/openssh/sftp-server TestBoolean yes TestString /usr/bin UsePAM yes X11Forwarding yes ' # rubocop:enable EmptyLinesAroundArguments ) end end [{}, { ensure: 'latest', storeconfigs_enabled: true }, { ensure: 'present', storeconfigs_enabled: false }].each do |param_set| describe "when #{param_set == {} ? 'using default' : 'specifying'} class parameters" do let :param_hash do default_params.merge(param_set) end let :params do param_set end ['Debian'].each do |osfamily| let :facts do {
- osfamily: osfamily,
+ osfamily: osfamily
 } end describe "on supported osfamily: #{osfamily}" do it { is_expected.to contain_class('ssh::params') } it { is_expected.to contain_package('openssh-server').with_ensure(param_hash[:ensure]) } it do is_expected.to contain_service('ssh').with( 'ensure' => 'running', 'enable' => true, 'hasrestart' => true, 'hasstatus' => true ) end it { is_expected.to contain_concat('/etc/ssh/sshd_config') } it do is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', content: '# File is managed by Puppet AcceptEnv LANG LC_* ChallengeResponseAuthentication no PrintMotd no Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes X11Forwarding yes ' ) end end describe 'on Arch' do let :facts do { osfamily: 'Archlinux', lsbdistdescription: 'Arch Linux',
- lsbdistid: 'Arch',
+ lsbdistid: 'Arch'
 } end it { is_expected.to
contain_class('ssh::params') } it do is_expected.to contain_package('openssh').with( ensure: param_hash[:ensure], name: 'openssh' ) end it do is_expected.to contain_service('sshd.service').with( 'ensure' => 'running', 'enable' => true, 'hasrestart' => true, 'hasstatus' => true ) end it { is_expected.to contain_concat('/etc/ssh/sshd_config') } it do is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', content: '# File is managed by Puppet AcceptEnv LANG LC_* ChallengeResponseAuthentication no PrintMotd no Subsystem sftp /usr/lib/ssh/sftp-server UsePAM yes X11Forwarding yes ' ) end end end end end end
diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb
index ad49d69..47a2f8e 100644
--- a/spec/defines/client/config/user_spec.rb
+++ b/spec/defines/client/config/user_spec.rb
@@ -1,170 +1,170 @@
 require 'spec_helper' describe 'ssh::client::config::user', type: :define do let :title do 'riton' end let :ssh_options do { 'HashKnownHosts' => 'yes', 'Host *.in2p3.fr' => { 'User' => 'riton', 'GSSAPIAuthentication' => 'no' } } end let :facts do { osfamily: 'RedHat',
- operatingsystemmajrelease: '6',
+ operatingsystemmajrelease: '6'
 } end describe 'with invalid parameters' do params = { ensure: ['somestate', 'expects a match for Enum'], target: ['./somedir', 'Pattern'], user_home_dir: ['./somedir', 'Pattern'], manage_user_ssh_dir: ['maybe', 'expects a Boolean'], options: ['the_options', 'Hash value'] } params.each do |param, value| context "with invalid value for #{param}" do let :params do { param => value[0] } end it { is_expected.not_to compile } end end end # describe 'with invalid parameters' describe 'with correct values' do describe 'with a user provided target' do let :target do '/root/.ssh/config' end let :params do { target: target } end it do is_expected.to contain_concat_file(target).with( ensure: 'present', tag: title ) is_expected.to contain_concat_fragment(title).with( tag: title, target: target ) end end # describe 'with a user provided target' describe 'user_home_dir behavior' do context 'with a user provided user_home_dir' do let :user_home_dir do '/path/to/home' end context 'with manage_user_ssh_dir default value' do let :params do { user_home_dir: user_home_dir } end it 'contains ssh directory and ssh config' do is_expected.to contain_file("#{user_home_dir}/.ssh").with( ensure: 'directory', owner: title, mode: '0700' ).that_comes_before("Concat_file[#{user_home_dir}/.ssh/config]") is_expected.to contain_concat_file("#{user_home_dir}/.ssh/config").with( ensure: 'present', owner: title, mode: '0600' ) end end # context 'with manage_user_ssh_dir default value' context 'with manage_user_ssh_dir set to false' do let :params do { user_home_dir: user_home_dir, manage_user_ssh_dir: false } end it do is_expected.not_to
contain_file("#{user_home_dir}/.ssh") end end # context 'with manage_user_ssh_dir set to false' end # context 'with a user provided user_home_dir' context 'with no user provided user_home_dir' do it 'with manage_user_ssh_dir default value' do is_expected.to contain_file("/home/#{title}/.ssh").that_comes_before("Concat_file[/home/#{title}/.ssh/config]") is_expected.to contain_concat_file("/home/#{title}/.ssh/config") end context 'with manage_user_ssh_dir set to false' do let :params do { manage_user_ssh_dir: false } end it do is_expected.not_to contain_file("/home/#{title}/.ssh") end it do is_expected.to contain_concat_file("/home/#{title}/.ssh/config") end end # context 'with manage_user_ssh_dir set to false' end # context 'with no user provided user_home_dir' end # describe 'user_home_dir behavior' describe 'ssh configuration content' do let :params do { options: ssh_options } end it 'has single value' do is_expected.to contain_concat_fragment(title).with( content: %r{HashKnownHosts\s+yes}, target: "/home/#{title}/.ssh/config" ) end it 'has Hash value' do is_expected.to contain_concat_fragment(title).with( content: %r{Host \*\.in2p3\.fr\s*\n\s+GSSAPIAuthentication\s+no\s*\n\s+User\s+riton}, target: "/home/#{title}/.ssh/config" ) end end end # describe 'with correct values' end # vim: tabstop=2 shiftwidth=2 softtabstop=2
diff --git a/spec/defines/server/config/setting_spec.rb b/spec/defines/server/config/setting_spec.rb
index 8b4d167..4d95a29 100644
--- a/spec/defines/server/config/setting_spec.rb
+++ b/spec/defines/server/config/setting_spec.rb
@@ -1,72 +1,72 @@
 require 'spec_helper' describe 'ssh::server::config::setting', type: :define do let :title do 'something' end let :facts do { osfamily: 'RedHat',
- operatingsystemmajrelease: '6',
+ operatingsystemmajrelease: '6'
 } end describe 'with key => "AllowGroups", value => "group1 group2"' do let :params do { key: 'AllowGroups', value: 'group1 group2' } end it do is_expected.to contain_concat__fragment('ssh_setting_something_AllowGroups').with_content(%r{\nAllowGroups group1 group2\n}) end end describe 'with key => "Somesetting", value => true' do let :params do { key: 'Somesetting', value: true } end it do is_expected.to contain_concat__fragment('ssh_setting_something_Somesetting').with_content(%r{\nSomesetting yes\n}) end end describe 'with key => "Foo", value => [1, 2]' do let :params do { key: 'Foo', value: [1, 2] } end it do is_expected.to contain_concat__fragment('ssh_setting_something_Foo').with_content(%r{\nFoo 1 2\n}) end end describe 'with key => "Bar", value => {"a" => "b"}' do let :params do { key: 'Bar', value: { 'a' => 'b' } } end it 'fails' do expect do is_expected.to compile end.to raise_error(%r{Hash values are not supported}) end end end # vim: tabstop=2 shiftwidth=2 softtabstop=2
diff --git a/spec/defines/server/host_key_spec.rb b/spec/defines/server/host_key_spec.rb
index 1364c54..26a20e0 100644
--- a/spec/defines/server/host_key_spec.rb
+++ b/spec/defines/server/host_key_spec.rb
@@ -1,166 +1,166 @@
 require 'spec_helper' describe 'ssh::server::host_key', type: :define do let :title do 'something' end let(:pre_condition) { 'class {"::ssh::params": }' } let :facts do { osfamily: 'RedHat',
- operatingsystemmajrelease: '6',
+ operatingsystemmajrelease: '6'
 } end describe 'with public_key_content, private_key_content and certificate_content' do let :params do { public_key_content: 'abc', private_key_content: 'bcd', certificate_content: 'cde' } end it do is_expected.to contain_file('something_pub'). with_content('abc'). with_ensure('present'). with_owner(0). with_group(0). with_mode('0644'). with_path('/etc/ssh/something.pub') is_expected.to contain_file('something_priv'). with_content('bcd'). with_ensure('present'). with_owner(0). with_group('root'). with_mode('0600'). with_path('/etc/ssh/something') is_expected.to contain_file('something_cert'). with_content('cde'). with_ensure('present'). with_owner(0). with_group(0). with_mode('0644'). with_path('/etc/ssh/something-cert.pub') end end describe 'with public_key_content and private_key_content' do let :params do { public_key_content: 'abc', private_key_content: 'bcd' } end it do is_expected.to contain_file('something_pub'). with_content('abc'). with_ensure('present'). with_owner(0). with_group(0). with_mode('0644'). with_path('/etc/ssh/something.pub') is_expected.to contain_file('something_priv'). with_content('bcd'). with_ensure('present'). with_owner(0). with_group('root'). with_mode('0600'). with_path('/etc/ssh/something') is_expected.not_to contain_file('something_cert') end end describe 'with *_key_content and *_key_source, *_key_source takes precedence' do let :params do { public_key_content: 'abc', public_key_source: 'a', private_key_content: 'bcd', private_key_source: 'b' } end it do is_expected.to contain_file('something_pub'). without_content. with_source('a'). with_ensure('present'). with_owner(0). with_group(0). with_mode('0644').
with_path('/etc/ssh/something.pub') is_expected.to contain_file('something_priv'). without_content. with_source('b'). with_ensure('present'). with_owner(0). with_group('root'). with_mode('0600'). with_path('/etc/ssh/something') is_expected.not_to contain_file('something_cert') end end describe 'with private_key_content and no public_key_content' do let :params do { private_key_content: 'bcd' } end it 'fails' do expect do is_expected.to compile end.to raise_error(%r{You must provide either public_key_source or public_key_content parameter}) end end describe 'with public_key_content and no private_key_content' do let :params do { public_key_content: 'abc' } end it 'fails' do expect do is_expected.to compile end.to raise_error(%r{You must provide either private_key_source or private_key_content parameter}) end end describe 'with private_key_source and no public_key_source' do let :params do { private_key_source: 'bcd' } end it 'fails' do expect do is_expected.to compile end.to raise_error(%r{You must provide either public_key_source or public_key_content parameter}) end end describe 'with public_key_source and no private_key_source' do let :params do { public_key_source: 'abc' } end it 'fails' do expect do is_expected.to compile end.to raise_error(%r{You must provide either private_key_source or private_key_content parameter}) end end end # vim: tabstop=2 shiftwidth=2 softtabstop=2
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 627d352..fef3ee9 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,32 +1,32 @@
 require 'rspec-puppet' require 'puppetlabs_spec_helper/module_spec_helper' RSpec.configure do |c| c.default_facts = { 'networking' => { 'interfaces' => { 'eth0' => { 'bindings' => [ {
- 'address' => '192.168.1.1',
- },
- ],
+ 'address' => '192.168.1.1'
+ }
+ ],
 'bindings6' => [ {
- 'address' => '::1',
- },
- ],
- },
- },
+ 'address' => '::1'
+ }
+ ]
+ }
+ }
 }, concat_basedir: '/tmp', puppetversion: '3.7.0', sshdsakey: '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', sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', sshed25519key: '', id: 'root', is_pe: false, path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' } end