From 4a6768424063f9bca527e202e597cb4f51828faa Mon Sep 17 00:00:00 2001
From: Martin Hagstrom <martin.hagstrom@ericsson.com>
Date: Wed, 25 Sep 2013 16:11:37 +0200
Subject: [PATCH 1/2] Add ssh authorized key management

---
 manifests/init.pp         | 28 ++++++++++++++++++++++++++++
 spec/classes/init_spec.rb | 26 ++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)

diff --git a/manifests/init.pp b/manifests/init.pp
index bf8f19a..eb3cfbb 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -130,6 +130,25 @@
 #
 # - *Default*: "# This file is being maintained by Puppet.\n# DO NOT EDIT\n"
 #
+# keys
+# ----
+# Keys for user's ~/.ssh/authorized_keys
+#
+# - *Default*: undefined
+#
+# Sample usage:
+# # Push authorized key "root_for_userX" and remove key "root_for_userY" with hiera
+#
+# ssh::keys:
+#   root_for_userX:
+#     ensure: present
+#     user: root
+#     type: dsa
+#     key: AAAA...==
+#   root_for_userY:
+#     ensure: absent
+#     user: root
+#
 class ssh (
   $packages                = ['openssh-server',
                               'openssh-server',
@@ -154,6 +173,7 @@ class ssh (
   $ssh_key_type            = 'ssh-rsa',
   $manage_root_ssh_config  = 'false',
   $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
+  $keys                    = undef,
 ) {
 
   case $permit_root_login {
@@ -276,4 +296,12 @@ class ssh (
   resources  { 'sshkey':
     purge => $purge_keys,
   }
+
+  # push ssh authorized keys
+  if $keys != undef {
+    $keytype = type($keys)
+    if $keytype == 'hash' {
+      create_resources(ssh_authorized_key, $keys)
+    }
+  }
 }
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 5cbdae8..eb7d7e6 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -247,4 +247,30 @@ describe 'ssh' do
       })
     }
   end
+  context 'with keys defined' do
+    let(:params) { { :keys => {
+      'root_for_userX' => {
+        'ensure' => 'present',
+        'user'   => 'root',
+        'type'   => 'dsa',
+        'key'    => 'AAAA==',
+      },
+      'root_for_userY' => {
+        'ensure' => 'absent',
+        'user'   => 'root',
+      }
+    } } }
+    it {
+      should contain_ssh_authorized_key('root_for_userX').with({
+        'ensure' => 'present',
+        'user'   => 'root',
+        'type'   => 'dsa',
+        'key'    => 'AAAA==',
+      })
+      should contain_ssh_authorized_key('root_for_userY').with({
+        'ensure' => 'absent',
+        'user'   => 'root',
+      })
+    }
+  end
 end

From cadc6472d38bb1fe898cd4c1664805eca7e6204c Mon Sep 17 00:00:00 2001
From: Garrett Honeycutt <code@garretthoneycutt.com>
Date: Wed, 25 Sep 2013 16:38:20 +0200
Subject: [PATCH 2/2] Remove duplicate documentation from manifest

---
 README.md         |  31 ++++++++++
 manifests/init.pp | 142 ++--------------------------------------------
 2 files changed, 35 insertions(+), 138 deletions(-)

diff --git a/README.md b/README.md
index ff5acbd..98fb2ba 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,8 @@ Manage ssh client and server.
 
 The module uses exported resources to manage ssh keys and removes ssh keys that are not managed by puppet. This behavior is managed by the parameters ssh_key_ensure and purge_keys.
 
+===
+
 # Compatability #
 
 This module has been tested to work on the following systems.
@@ -11,8 +13,16 @@ This module has been tested to work on the following systems.
  * EL 5
  * EL 6
 
+===
+
 # Parameters #
 
+keys
+----
+Hash of keys for user's ~/.ssh/authorized_keys
+
+- *Default*: undefined
+
 packages
 --------
 Array of package names used for installation.
@@ -138,3 +148,24 @@ root_ssh_config_content
 Content of root's ~/.ssh/config.
 
 - *Default*: "# This file is being maintained by Puppet.\n# DO NOT EDIT\n"
+
+===
+
+# Manage user's ssh_authorized_keys
+This works by passing the ssh::keys hash to the ssh_authorized_keys type with create_resources(). Because of this, you may specify any valid parameter for ssh_authorized_key. See the [Type Reference](http://docs.puppetlabs.com/references/stable/type.html#ssh_authorized_key) for a complete list.
+
+## Sample usage:
+Push authorized key "root_for_userX" and remove key "root_for_userY" through Hiera.
+
+<pre>
+ssh::keys:
+  root_for_userX:
+    ensure: present
+    user: root
+    type: dsa
+    key: AAAA...==
+  root_for_userY:
+    ensure: absent
+    user: root
+</pre>
+
diff --git a/manifests/init.pp b/manifests/init.pp
index eb3cfbb..eaf8f06 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,141 +1,7 @@
-#  ## Class: ssh ##
+# == Class: ssh
 #
 # Manage ssh client and server.
 #
-# ### Parameters ###
-#
-# packages
-# --------
-# Array of package names used for installation.
-#
-# - *Default*: 'openssh-server', 'openssh-server', 'openssh-clients'
-#
-# permit_root_login
-# -----------------
-# Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-only', 'no'.
-#
-# - *Default*: no
-#
-# purge_keys
-# ----------
-# Remove keys not managed by puppet.
-#
-# - *Default*: 'true'
-#
-# manage_firewall
-# ---------------
-# Open firewall for SSH service.
-#
-# - *Default*: false
-#
-# ssh_config_path
-# ---------------
-# Path to ssh_config.
-#
-# - *Default*: '/etc/ssh/ssh_config'
-#
-# ssh_config_owner
-# ----------------
-# ssh_config's owner.
-#
-# - *Default*: 'root'
-#
-# ssh_config_group
-# ----------------
-# ssh_config's group.
-#
-# - *Default*: 'root'
-#
-# ssh_config_mode
-# ---------------
-# ssh_config's mode.
-#
-# - *Default*: '0644'
-#
-# sshd_config_path
-# ----------------
-# Path to sshd_config.
-#
-# - *Default*: '/etc/ssh/sshd_config
-#
-# sshd_config_owner
-# -----------------
-# sshd_config's owner.
-#
-# - *Default*: 'root'
-#
-# sshd_config_group
-# ----------------
-# sshd_config's group.
-#
-# - *Default*: 'root'
-#
-# sshd_config_mode
-# ---------------
-# sshd_config's mode.
-#
-# - *Default*: '0600'
-#
-# service_ensure
-# --------------
-# Ensure SSH service is running. Valid values are 'stopped' and 'running'.
-#
-# - *Default*: 'running'
-#
-# service_name
-# ------------
-# Name of the SSH service.
-#
-# - *Default*: 'sshd'
-#
-# service_enable
-# --------------
-# Start SSH at boot. Valid values are 'true', 'false' and 'manual'.
-#
-# - *Default*: 'true'
-#
-# service_hasrestart
-# ------------------
-# Specify that the init script has a restart command. Valid values are 'true' and 'false'.
-#
-# - *Default*: 'true'
-#
-# service_hasstatus
-# -----------------
-# Declare whether the service's init script has a functional status command. Valid values are 'true' and 'false'
-#
-# - *Default*: 'true'
-#
-# ssh_key_ensure
-# --------------
-# Export node SSH key. Valid values are 'present' and 'absent'.
-#
-# - *Default*: 'present'
-#
-# ssh_key_type
-# ------------
-# Encryption type for SSH key. Valid values are 'rsa', 'dsa', 'ssh-dss' and 'ssh-rsa'
-#
-# - *Default*: 'ssh-rsa'
-#
-# manage_root_ssh_config
-# ----------------------
-# Manage SSH config of root. Valid values are 'true' and 'false'.
-#
-# - *Default*: 'false'
-#
-# root_ssh_config_content
-# -----------------------
-# Content of root's ~/.ssh/config.
-#
-# - *Default*: "# This file is being maintained by Puppet.\n# DO NOT EDIT\n"
-#
-# keys
-# ----
-# Keys for user's ~/.ssh/authorized_keys
-#
-# - *Default*: undefined
-#
 # Sample usage:
 # # Push authorized key "root_for_userX" and remove key "root_for_userY" with hiera
 #
@@ -297,10 +163,10 @@ class ssh (
     purge => $purge_keys,
   }
 
-  # push ssh authorized keys
+  # manage users' ssh authorized keys if present
   if $keys != undef {
-    $keytype = type($keys)
-    if $keytype == 'hash' {
+    $keys_type = type($keys)
+    if $keys_type == 'hash' {
       create_resources(ssh_authorized_key, $keys)
     }
   }