From e044e4c89fcfde808676aca35b5d322656958b20 Mon Sep 17 00:00:00 2001
From: Andrei Brezan
Date: Thu, 18 Aug 2016 11:26:43 +0200
Subject: [PATCH] Expose PermitTunnel from sshd_config

---
 README.md | 12 ++++++++++++
 manifests/init.pp | 4 ++++
 spec/classes/init_spec.rb | 22 ++++++++++++++++++++++
 spec/fixtures/sshd_config_debian | 1 +
 spec/fixtures/sshd_config_rhel | 1 +
 spec/fixtures/sshd_config_sles_12_x86_64 | 1 +
 spec/fixtures/sshd_config_solaris | 1 +
 spec/fixtures/sshd_config_suse_i386 | 1 +
 spec/fixtures/sshd_config_suse_x86_64 | 1 +
 spec/fixtures/sshd_config_ubuntu1604 | 1 +
 templates/sshd_config.erb | 1 +
 11 files changed, 46 insertions(+)

diff --git a/README.md b/README.md
index 0f5c667..93f9276 100644
--- a/README.md
+++ b/README.md
@@ -435,6 +435,18 @@ network goes down or the client host crashes. This avoids infinitely hanging se
 - *Default*: 'yes'
+sshd_config_permittunnel
+-----------------------
+PermitTunnel in sshd_config.
+Specifies whether tun(4) device forwarding is allowed. The argument must be
+'yes', 'point-to-point' (layer 3), 'ethernet' (layer 2), or 'no'.
+Specifying 'yes' permits both 'point-to-point' and 'ethernet'. The
+default is 'no'.
+Independent of this setting, the permissions of the selected tun(4) device must
+allow access to the user.
+
+- *Default*: 'no'
+
 sshd_config_ciphers
 -------------------
 Array of ciphers for the Ciphers setting in sshd_config.
diff --git a/manifests/init.pp b/manifests/init.pp
index 4716e4e..90d7774 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -106,6 +106,7 @@ class ssh (
 $manage_root_ssh_config = false,
 $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
 $sshd_config_tcp_keepalive = 'yes',
+ $sshd_config_permittunnel = 'no',
 ) {
 case $::osfamily {
@@ -764,6 +765,9 @@ class ssh (
 }
 validate_re($sshd_config_tcp_keepalive, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes' or 'no' and is set to <${sshd_config_tcp_keepalive}>.")
+
+ validate_re($sshd_config_permittunnel, '^(yes|no|point-to-point|ethernet)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet' or 'no' and is set to <${sshd_config_permittunnel}>.")
+
 package { $packages_real:
 ensure => installed,
 source => $ssh_package_source_real,
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index aa9a00d..475cd6f 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -430,6 +430,7 @@ describe 'ssh' do
 '2001:db8::dead:f00d',
 ],
 :sshd_config_tcp_keepalive => 'yes',
+ :sshd_config_permittunnel => 'no',
 }
 end
@@ -496,6 +497,7 @@ describe 'ssh' do
 it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) }
 it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1\nListenAddress 2001:db8::dead:f00d$/) }
 it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) }
+ it { should contain_file('sshd_config').with_content(/^PermitTunnel no$/) }
 it { should contain_file('sshd_banner').with({
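Review bot: The added `validate_re($sshd_config_permittunnel, '^(yes|no|point-to-point|ethernet)$', ...)` anchors with `^`/`$`, which stdlib's validate_re hands to a Ruby Regexp where they match at line boundaries, not string boundaries; a value that carries a newline after one of the allowed words therefore passes validation and is rendered verbatim by the template's `PermitTunnel <%= @sshd_config_permittunnel %>`, so anything after the newline lands in sshd_config as an extra directive. Because this parameter gates a privileged capability (tun(4) forwarding), bind the whole string instead: `validate_re($sshd_config_permittunnel, '\A(yes|no|point-to-point|ethernet)\z', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet' or 'no' and is set to <${sshd_config_permittunnel}>.")`. The `sshd_config_tcp_keepalive` check on the context line above has the same shape, though it is outside this change. The `ssh` class body continues on both sides of the hunk.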
@@ -908,6 +910,26 @@ describe 'ssh' do
 end
 end
+ describe 'sshd_config_permittunnel param' do
+ ['yes','point-to-point','ethernet','no'].each do |value|
+ context "set to #{value}" do
+ let (:params) { { :sshd_config_permittunnel => value } }
+
+ it { should contain_file('sshd_config').with_content(/^PermitTunnel #{value}$/) }
+ end
+ end
+
+ context 'when set to an invalid value' do
+ let (:params) { { :sshd_config_permittunnel => 'invalid' } }
+
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error,/ssh::sshd_config_permittunnel may be either \'yes\', \'point-to-point\', \'ethernet\' or \'no\' and is set to \./)
+ end
+ end
+ end
+
 context 'with manage_root_ssh_config set to invalid value on valid osfamily' do
 let(:params) { { :manage_root_ssh_config => 'invalid' } }
diff --git a/spec/fixtures/sshd_config_debian b/spec/fixtures/sshd_config_debian
index 5f6e587..bd28f49 100644
--- a/spec/fixtures/sshd_config_debian
+++ b/spec/fixtures/sshd_config_debian
@@ -127,6 +127,7 @@ UseDNS yes
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
diff --git a/spec/fixtures/sshd_config_rhel b/spec/fixtures/sshd_config_rhel
index 901b4e9..90f0f95 100644
--- a/spec/fixtures/sshd_config_rhel
+++ b/spec/fixtures/sshd_config_rhel
@@ -127,6 +127,7 @@ UseDNS yes
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
diff --git a/spec/fixtures/sshd_config_sles_12_x86_64 b/spec/fixtures/sshd_config_sles_12_x86_64
index bad554d..5f78015 100644
--- a/spec/fixtures/sshd_config_sles_12_x86_64
+++ b/spec/fixtures/sshd_config_sles_12_x86_64
@@ -127,6 +127,7 @@ UseDNS yes
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
diff --git a/spec/fixtures/sshd_config_solaris b/spec/fixtures/sshd_config_solaris
index 1b934c6..7414f19 100644
--- a/spec/fixtures/sshd_config_solaris
+++ b/spec/fixtures/sshd_config_solaris
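Review bot: The `raise_error` pattern in the 'when set to an invalid value' example ends in `and is set to \./`, which demands a literal period directly after `is set to `, but the manifest's message ends in `and is set to <${sshd_config_permittunnel}>.`, so the raised text reads `is set to <invalid>.` and this expectation does not match — the example would fail for the wrong reason rather than prove the guard. Change the tail to `and is set to <invalid>\./` so the test pins the actual message. As points of style, the `\'` escapes inside the regexp literal are unnecessary (a plain `'` matches), `let (:params)` has a space before the parentheses that the file's own `let(:params)` context line does not, and `['yes','point-to-point','ethernet','no']` reads more naturally as `%w[yes point-to-point ethernet no]`.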
@@ -114,6 +114,7 @@ ClientAliveCountMax 3
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
diff --git a/spec/fixtures/sshd_config_suse_i386 b/spec/fixtures/sshd_config_suse_i386
index bad554d..5f78015 100644
--- a/spec/fixtures/sshd_config_suse_i386
+++ b/spec/fixtures/sshd_config_suse_i386
@@ -127,6 +127,7 @@ UseDNS yes
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
diff --git a/spec/fixtures/sshd_config_suse_x86_64 b/spec/fixtures/sshd_config_suse_x86_64
index 4e47b68..9c6640a 100644
--- a/spec/fixtures/sshd_config_suse_x86_64
+++ b/spec/fixtures/sshd_config_suse_x86_64
@@ -127,6 +127,7 @@ UseDNS yes
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
diff --git a/spec/fixtures/sshd_config_ubuntu1604 b/spec/fixtures/sshd_config_ubuntu1604
index 85643c8..80c64e7 100644
--- a/spec/fixtures/sshd_config_ubuntu1604
+++ b/spec/fixtures/sshd_config_ubuntu1604
@@ -130,6 +130,7 @@ UseDNS yes
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 3a80b63..e056aee 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -194,6 +194,7 @@ MaxSessions <%= @sshd_config_maxsessions %>
 <% end -%>
 #PermitTunnel no
+PermitTunnel <%= @sshd_config_permittunnel %>
 <% if @sshd_config_chrootdirectory -%>
 ChrootDirectory <%= @sshd_config_chrootdirectory %>
 <% else -%>