Merge pull request #11 from ghoneycutt/sshkeys

Sshkeys

README.md

@@ -4,6 +4,8 @@ Manage ssh client and server.
 
 The module uses exported resources to manage ssh keys and removes ssh keys that are not managed by puppet. This behavior is managed by the parameters ssh_key_ensure and purge_keys.
 
+===
+
 # Compatability #
 
 This module has been tested to work on the following systems.
@@ -11,8 +13,16 @@ This module has been tested to work on the following systems.
  * EL 5
  * EL 6
 
+===
+
 # Parameters #
 
+keys
+----
+Hash of keys for user's ~/.ssh/authorized_keys
+
+- *Default*: undefined
+
 packages
 --------
 Array of package names used for installation.
@@ -138,3 +148,24 @@ root_ssh_config_content
 Content of root's ~/.ssh/config.
 
 - *Default*: "# This file is being maintained by Puppet.\n# DO NOT EDIT\n"
+
+===
+
+# Manage user's ssh_authorized_keys
+This works by passing the ssh::keys hash to the ssh_authorized_keys type with create_resources(). Because of this, you may specify any valid parameter for ssh_authorized_key. See the [Type Reference](http://docs.puppetlabs.com/references/stable/type.html#ssh_authorized_key) for a complete list.
+
+## Sample usage:
+Push authorized key "root_for_userX" and remove key "root_for_userY" through Hiera.
+
+<pre>
+ssh::keys:
+  root_for_userX:
+    ensure: present
+    user: root
+    type: dsa
+    key: AAAA...==
+  root_for_userY:
+    ensure: absent
+    user: root
+</pre>
+

manifests/init.pp

@@ -1,134 +1,19 @@
-#  ## Class: ssh ##
+# == Class: ssh
 #
 # Manage ssh client and server.
 #
-# ### Parameters ###
+# Sample usage:
+# # Push authorized key "root_for_userX" and remove key "root_for_userY" with hiera
 #
-# packages
+# ssh::keys:
-# --------
+#   root_for_userX:
-# Array of package names used for installation.
+#     ensure: present
-#
+#     user: root
-# - *Default*: 'openssh-server', 'openssh-server', 'openssh-clients'
+#     type: dsa
-#
+#     key: AAAA...==
-# permit_root_login
+#   root_for_userY:
-# -----------------
+#     ensure: absent
-# Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-only', 'no'.
+#     user: root
-#
-# - *Default*: no
-#
-# purge_keys
-# ----------
-# Remove keys not managed by puppet.
-#
-# - *Default*: 'true'
-#
-# manage_firewall
-# ---------------
-# Open firewall for SSH service.
-#
-# - *Default*: false
-#
-# ssh_config_path
-# ---------------
-# Path to ssh_config.
-#
-# - *Default*: '/etc/ssh/ssh_config'
-#
-# ssh_config_owner
-# ----------------
-# ssh_config's owner.
-#
-# - *Default*: 'root'
-#
-# ssh_config_group
-# ----------------
-# ssh_config's group.
-#
-# - *Default*: 'root'
-#
-# ssh_config_mode
-# ---------------
-# ssh_config's mode.
-#
-# - *Default*: '0644'
-#
-# sshd_config_path
-# ----------------
-# Path to sshd_config.
-#
-# - *Default*: '/etc/ssh/sshd_config
-#
-# sshd_config_owner
-# -----------------
-# sshd_config's owner.
-#
-# - *Default*: 'root'
-#
-# sshd_config_group
-# ----------------
-# sshd_config's group.
-#
-# - *Default*: 'root'
-#
-# sshd_config_mode
-# ---------------
-# sshd_config's mode.
-#
-# - *Default*: '0600'
-#
-# service_ensure
-# --------------
-# Ensure SSH service is running. Valid values are 'stopped' and 'running'.
-#
-# - *Default*: 'running'
-#
-# service_name
-# ------------
-# Name of the SSH service.
-#
-# - *Default*: 'sshd'
-#
-# service_enable
-# --------------
-# Start SSH at boot. Valid values are 'true', 'false' and 'manual'.
-#
-# - *Default*: 'true'
-#
-# service_hasrestart
-# ------------------
-# Specify that the init script has a restart command. Valid values are 'true' and 'false'.
-#
-# - *Default*: 'true'
-#
-# service_hasstatus
-# -----------------
-# Declare whether the service's init script has a functional status command. Valid values are 'true' and 'false'
-#
-# - *Default*: 'true'
-#
-# ssh_key_ensure
-# --------------
-# Export node SSH key. Valid values are 'present' and 'absent'.
-#
-# - *Default*: 'present'
-#
-# ssh_key_type
-# ------------
-# Encryption type for SSH key. Valid values are 'rsa', 'dsa', 'ssh-dss' and 'ssh-rsa'
-#
-# - *Default*: 'ssh-rsa'
-#
-# manage_root_ssh_config
-# ----------------------
-# Manage SSH config of root. Valid values are 'true' and 'false'.
-#
-# - *Default*: 'false'
-#
-# root_ssh_config_content
-# -----------------------
-# Content of root's ~/.ssh/config.
-#
-# - *Default*: "# This file is being maintained by Puppet.\n# DO NOT EDIT\n"
 #
 class ssh (
   $packages                = ['openssh-server',
@@ -154,6 +39,7 @@ class ssh (
   $ssh_key_type            = 'ssh-rsa',
   $manage_root_ssh_config  = 'false',
   $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
+  $keys                    = undef,
 ) {
 
   case $permit_root_login {
@@ -276,4 +162,12 @@ class ssh (
   resources  { 'sshkey':
     purge => $purge_keys,
   }
+
+  # manage users' ssh authorized keys if present
+  if $keys != undef {
+    $keys_type = type($keys)
+    if $keys_type == 'hash' {
+      create_resources(ssh_authorized_key, $keys)
+    }
+  }
 }

spec/classes/init_spec.rb

@@ -247,4 +247,30 @@ describe 'ssh' do
       })
     }
   end
+  context 'with keys defined' do
+    let(:params) { { :keys => {
+      'root_for_userX' => {
+        'ensure' => 'present',
+        'user'   => 'root',
+        'type'   => 'dsa',
+        'key'    => 'AAAA==',
+      },
+      'root_for_userY' => {
+        'ensure' => 'absent',
+        'user'   => 'root',
+      }
+    } } }
+    it {
+      should contain_ssh_authorized_key('root_for_userX').with({
+        'ensure' => 'present',
+        'user'   => 'root',
+        'type'   => 'dsa',
+        'key'    => 'AAAA==',
+      })
+      should contain_ssh_authorized_key('root_for_userY').with({
+        'ensure' => 'absent',
+        'user'   => 'root',
+      })
+    }
+  end
 end