From 64008a427fa91e57277ed2fc79615098d552a580 Mon Sep 17 00:00:00 2001
From: Michael LoSapio
Date: Thu, 20 Oct 2016 06:42:39 -0700
Subject: [PATCH 1/2] Add support for ProxyCommand in ssh_config
---
 README.md | 5 +++++
 manifests/init.pp | 1 +
 spec/classes/init_spec.rb | 14 ++++++++++++++
 templates/ssh_config.erb | 3 +++
 4 files changed, 23 insertions(+)
diff --git a/README.md b/README.md
index 978f40a..aef2f57 100644
--- a/README.md
+++ b/README.md
@@ -163,6 +163,11 @@ String for HostbasedAuthentication option in ssh_config. Valid values are 'yes'
 - *Default*: undef
+ssh_config_proxy_command
+-------------------------
+String for ProxyCommand option in ssh_config.
+
+- *Default*: undef
 ssh_strict_host_key_checking
 -----------------------------
diff --git a/manifests/init.pp b/manifests/init.pp
index 830bb3d..605510f 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -21,6 +21,7 @@ class ssh (
 $ssh_config_server_alive_interval = undef,
 $ssh_config_sendenv_xmodifiers = false,
 $ssh_hostbasedauthentication = undef,
+ $ssh_config_proxy_command = undef,
 $ssh_strict_host_key_checking = undef,
 $ssh_config_ciphers = undef,
 $ssh_config_kexalgorithms = undef,
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 02db828..c71556c 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -332,6 +332,7 @@ describe 'ssh' do
 :ssh_config_macs => [ 'hmac-md5-etm@openssh.com', 'hmac-sha1-etm@openssh.com', ],
+ :ssh_config_proxy_command => 'ssh -W %h:%p firewall.example.org',
 :ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2',
 :ssh_config_global_known_hosts_list => [ '/etc/ssh/ssh_known_hosts3', '/etc/ssh/ssh_known_hosts4',
@@ -371,6 +372,7 @@ describe 'ssh' do
 it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
 it { should contain_file('ssh_config').with_content(/^\s*KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1$/) }
 it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*ProxyCommand ssh -W %h:%p firewall.example.org$/) }
 it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2 \/etc\/ssh\/ssh_known_hosts3 \/etc\/ssh\/ssh_known_hosts4$/) }
 it { should contain_file('ssh_config').with_content(/^\s*UserKnownHostsFile \.ssh\/known_hosts1 \.ssh\/known_hosts2$/) }
 it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication yes$/) }
@@ -790,6 +792,18 @@ describe 'ssh' do
 end
 end
+ [true,'invalid'].each do |proxycommand|
+ content "with ssh_config_proxy_command set to invalid value #{proxycommand}" do
+ let(:params) { { :ssh_config_proxy_command => proxycommand } }
+
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error)
+ end
+ end
+ end
+
 context 'with ssh_config_hash_known_hosts set to invalid value on valid osfamily' do
 let(:params) { { :ssh_config_hash_known_hosts => 'invalid' } }
diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb
index 7c58bab..04597cd 100644
--- a/templates/ssh_config.erb
+++ b/templates/ssh_config.erb
@@ -63,6 +63,9 @@
 <% if @ssh_config_global_known_hosts_list_real -%>
 GlobalKnownHostsFile <%= @ssh_config_global_known_hosts_list_real.join(' ') %>
 <% end -%>
+<% if @ssh_config_proxy_command -%>
+ ProxyCommand <%= @ssh_config_proxy_command %>
+ <% end -%>
 Host *
 # GSSAPIAuthentication yes
 GSSAPIAuthentication <%= @ssh_gssapiauthentication %>
From 6f34248977b5225883bd148397e0e48d71e2976f Mon Sep 17 00:00:00 2001
From: Garrett Honeycutt
Date: Thu, 20 Oct 2016 16:03:39 -0400
Subject: [PATCH 2/2] Fixup mlosapio's contribution
---
 manifests/init.pp | 4 ++++
 spec/classes/init_spec.rb | 10 +++++-----
 templates/ssh_config.erb | 2 +-
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 605510f..bf3fc6a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -558,6 +558,10 @@ class ssh (
 validate_re($ssh_strict_host_key_checking, '^(yes|no|ask)$', "ssh::ssh_strict_host_key_checking may be 'yes', 'no' or 'ask' and is set to <${ssh_strict_host_key_checking}>.")
 }
+ if $ssh_config_proxy_command != undef {
+ validate_string($ssh_config_proxy_command)
+ }
+
 if $ssh_enable_ssh_keysign != undef {
 validate_re($ssh_enable_ssh_keysign, '^(yes|no)$', "ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <${ssh_enable_ssh_keysign}>.")
 }
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index c71556c..5d1a66e 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
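Review bot: The new `ProxyCommand` line is rendered above `Host *`, outside any `Host` stanza, so it applies to every destination covered by the system-wide ssh_config — including the proxy host named inside the command itself (with the spec's sample value `ssh -W %h:%p firewall.example.org`, the hop to firewall.example.org would, as far as I can tell, also be routed through that same ProxyCommand unless a user config or an earlier `Host firewall.example.org` stanza with `ProxyCommand none` wins, since ssh keeps the first value obtained for each option). That is not obvious from the README entry added at @@ -163 in README.md, which only says "String for ProxyCommand option in ssh_config". I would add a template comment above the new `<% if -%>`, `# ProxyCommand is emitted globally: it also applies to the proxy host named in the command unless an earlier Host stanza overrides it`, and the same sentence to the README entry.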
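Review bot: `validate_string($ssh_config_proxy_command)` appears to accept the empty string, and the template guard `<% if @ssh_config_proxy_command -%>` is truthy for `''` in Ruby, so `ssh_config_proxy_command => ''` would render a bare `ProxyCommand` line with no command into the system-wide ssh_config. Rejecting the empty value at the same place keeps that out of the managed file: `validate_string($ssh_config_proxy_command)` followed by `if $ssh_config_proxy_command == '' { fail('ssh::ssh_config_proxy_command must not be empty.') }`. The invalid-value loop at @@ -792 in spec/classes/init_spec.rb could then list `''` next to `true` and the array. Since this value is written verbatim as the command every ssh client on the host will run, a one-line comment above the check stating that it is trusted catalog data and is not sanitised here would help the next maintainer decide where it may be sourced from.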
@@ -372,7 +372,7 @@ describe 'ssh' do
 it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
 it { should contain_file('ssh_config').with_content(/^\s*KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1$/) }
 it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
- it { should contain_file('ssh_config').with_content(/^\s*ProxyCommand ssh -W %h:%p firewall.example.org$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*ProxyCommand ssh -W %h:%p firewall\.example\.org$/) }
 it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2 \/etc\/ssh\/ssh_known_hosts3 \/etc\/ssh\/ssh_known_hosts4$/) }
 it { should contain_file('ssh_config').with_content(/^\s*UserKnownHostsFile \.ssh\/known_hosts1 \.ssh\/known_hosts2$/) }
 it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication yes$/) }
@@ -792,14 +792,14 @@ describe 'ssh' do
 end
 end
- [true,'invalid'].each do |proxycommand|
- content "with ssh_config_proxy_command set to invalid value #{proxycommand}" do
- let(:params) { { :ssh_config_proxy_command => proxycommand } }
+ [true, ['not','a','string']].each do |proxy_command|
+ context "with ssh_config_proxy_command set to invalid value #{proxy_command}" do
+ let(:params) { { :ssh_config_proxy_command => proxy_command } }
 it 'should fail' do
 expect {
 should contain_class('ssh')
- }.to raise_error(Puppet::Error)
+ }.to raise_error(Puppet::Error)
 end
 end
 end
diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb
index 04597cd..9cb65e3 100644
--- a/templates/ssh_config.erb
+++ b/templates/ssh_config.erb
@@ -65,7 +65,7 @@
 <% end -%>
 <% if @ssh_config_proxy_command -%>
 ProxyCommand <%= @ssh_config_proxy_command %>
- <% end -%>
+<% end -%>
 Host *
 # GSSAPIAuthentication yes
 GSSAPIAuthentication <%= @ssh_gssapiauthentication %>