From 0ba2548995da8573928f2947da161d2b588ab6a4 Mon Sep 17 00:00:00 2001
From: David Hollinger
Date: Mon, 15 May 2017 23:45:03 -0500
Subject: [PATCH 1/3] Add JetBrains and rbenv files to gitignore

---
 .gitignore | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.gitignore b/.gitignore
index 222e35e..29471a6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,3 +32,9 @@ coverage/
 spec/fixtures/manifests/*
 spec/fixtures/modules/*
 Gemfile.lock
+
+# JetBrains IDE
+.idea/
+
+# Rbenv
+.ruby-version

From b67aefd3c49529a6cc0d5a220b817c23f82a5b07 Mon Sep 17 00:00:00 2001
From: David Hollinger
Date: Mon, 15 May 2017 23:45:43 -0500
Subject: [PATCH 2/3] Add support for HostCertificate and TrustedUserCAKeys settings in sshd_config

---
 README.md | 12 ++++++++++
 manifests/init.pp | 20 ++++++++++++++++
 spec/classes/init_spec.rb | 48 +++++++++++++++++++++++++++++++++++++++
 templates/sshd_config.erb | 6 +++++
 4 files changed, 86 insertions(+)

diff --git a/README.md b/README.md
index 1d229dd..15112c0 100644
--- a/README.md
+++ b/README.md
@@ -570,6 +570,18 @@ ssh::sshd_config_match:
 - 'PasswordAuthentication no'
 ```
 
+sshd_config_hostcertificate
+---------------------------
+Absolute path to the OpenSSH Host CA Certificate (HostCertificate) for use with SSH CA validation for Host Certificates.
+
+- *Default*: undefined
+
+sshd_config_trustedusercakeys
+-----------------------------
+Absolute path to the OpenSSH User CA Certificate (TrustedUserCAKeys) for use with SSH CA Validation for Users.
+
+- *Default*: undefined
+
 keys
 ----
 Hash of keys for user's ~/.ssh/authorized_keys
diff --git a/manifests/init.pp b/manifests/init.pp
index 3e8667b..861b68b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -112,6 +112,8 @@ class ssh (
 $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
 $sshd_config_tcp_keepalive = undef,
 $sshd_config_permittunnel = undef,
+ $sshd_config_hostcertificate = undef,
+ $sshd_config_trustedusercakeys = undef,
 ) {
 
 case $::osfamily {
@@ -485,6 +487,16 @@ class ssh (
 default: { $sshd_config_permittunnel_real = $sshd_config_permittunnel }
 }
 
+ case $sshd_config_hostcertificate {
+ 'unset', undef: { $sshd_config_hostcertificate_real = undef }
+ default: { $sshd_config_hostcertificate_real = $sshd_config_hostcertificate }
+ }
+
+ case $sshd_config_trustedusercakeys {
+ 'unset', undef: { $sshd_config_trustedusercakeys_real = undef }
+ default: { $sshd_config_trustedusercakeys_real = $sshd_config_trustedusercakeys }
+ }
+
 # validate params
 if $ssh_config_ciphers != undef {
 validate_array($ssh_config_ciphers)
@@ -813,6 +825,14 @@ class ssh (
 validate_re($sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.")
 }
 
+ if $sshd_config_hostcertificate_real != undef {
+ validate_absolute_path($sshd_config_hostcertificate_real)
+ }
+
+ if $sshd_config_trustedusercakeys_real != undef {
+ validate_absolute_path($sshd_config_trustedusercakeys_real)
+ }
+
 package { $packages_real:
 ensure => installed,
 source => $ssh_package_source_real,
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 53b48b1..e421bbf 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
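Review bot: The two new validation blocks at the end of this hunk only confirm that the values are absolute paths; nothing in the hunk (or the template) manages or checks the file each path names, and sshd will trust every CA public key it finds in the TrustedUserCAKeys file, so a wrongly-owned or group/world-writable file at that path quietly widens who can mint accepted user certificates. Document that contract next to the check, e.g. `# only the path is validated here; the file it names must be root-owned and not writable by others, and is not managed by this class`, or offer an optional file resource that pins owner and mode. The same caveat applies to HostCertificate, where a tampered file breaks host authentication rather than granting access. The enclosing class ssh begins and ends outside this hunk.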
@@ -1015,6 +1015,54 @@ describe 'ssh' do
 end
 end
 
+ describe 'sshd_config_hostcertificate param' do
+ ['unset', '/etc/ssh/ssh_host_key-cert.pub'].each do |value|
+ context "set to #{value}" do
+ let (:params) { { :sshd_config_hostcertificate => value } }
+
+ if value == 'unset'
+ it { should contain_file('sshd_config').without_content(/^\s*HostCertificate/) }
+ else
+ it { should contain_file('sshd_config').with_content(/^HostCertificate #{value}/) }
+ end
+ end
+ end
+ end
+
+ context 'with sshd_config_hostcertificate set to invalid value on valid osfamily' do
+ let(:params) { { :sshd_config_hostcertificate => 'invalid' } }
+
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error,/"invalid" is not an absolute path/)
+ end
+ end
+
+ describe 'sshd_config_trustedusercakeys param' do
+ ['unset', '/etc/ssh/authorized_users_ca.pub'].each do |value|
+ context "set to #{value}" do
+ let (:params) { { :sshd_config_trustedusercakeys => value } }
+
+ if value == 'unset'
+ it { should contain_file('sshd_config').without_content(/^\s*TrustedUserCAKeys/) }
+ else
+ it { should contain_file('sshd_config').with_content(/^TrustedUserCAKeys #{value}/) }
+ end
+ end
+ end
+ end
+
+ context 'with sshd_config_trustedusercakeys set to invalid value on valid osfamily' do
+ let(:params) { { :sshd_config_trustedusercakeys => 'invalid' } }
+
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error,/"invalid" is not an absolute path/)
+ end
+ end
+
 context 'with manage_root_ssh_config set to invalid value on valid osfamily' do
 let(:params) { { :manage_root_ssh_config => 'invalid' } }
 
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 1a1c9fe..f65d97a 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
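Review bot: The positive assertions interpolate the raw path into a regex, `with_content(/^HostCertificate #{value}/)` and the matching TrustedUserCAKeys line, so the `.` and `-` in `/etc/ssh/ssh_host_key-cert.pub` act as regex metacharacters instead of literal text and the match is looser than it looks; `with_content(/^HostCertificate #{Regexp.escape(value)}$/)` pins the exact rendered line. Style: the new `context "set to #{value}"` blocks write `let (:params)` with a space before the paren while the `invalid value` contexts in the same hunk (and the existing `manage_root_ssh_config` context below) use `let(:params)`; use the latter consistently. None of these contexts set `sshd_config_match`, so how these directives render next to Match blocks is not exercised. The enclosing `describe 'ssh'` block starts and ends outside this hunk.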
@@ -254,3 +254,9 @@ Match <%= key %>
 <% end -%>
 <% end -%>
 <% end -%>
+<% if @sshd_config_hostcertificate_real -%>
+HostCertificate <%= @sshd_config_hostcertificate_real %>
+<% end -%>
+<% if @sshd_config_trustedusercakeys_real -%>
+TrustedUserCAKeys <%= @sshd_config_trustedusercakeys_real %>
+<% end -%>

From 84f0078a322feaa0106a0d4a2ad4295ddf0a6835 Mon Sep 17 00:00:00 2001
From: Garrett Honeycutt
Date: Wed, 17 May 2017 10:51:46 -0400
Subject: [PATCH 3/3] Allow sshd_config_trustedusercakeys to be 'none' as per the docs

---
 README.md | 2 +-
 manifests/init.pp | 5 ++++-
 spec/classes/init_spec.rb | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 15112c0..07797c2 100644
--- a/README.md
+++ b/README.md
@@ -578,7 +578,7 @@ Absolute path to the OpenSSH Host CA Certificate (HostCertificate) for use with
 
 sshd_config_trustedusercakeys
 -----------------------------
-Absolute path to the OpenSSH User CA Certificate (TrustedUserCAKeys) for use with SSH CA Validation for Users.
+Absolute path to the OpenSSH User CA Certificate (TrustedUserCAKeys) for use with SSH CA Validation for Users or the string 'none'.
 
 - *Default*: undefined
 
diff --git a/manifests/init.pp b/manifests/init.pp
index 861b68b..176a477 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -830,7 +830,10 @@ class ssh (
 }
 
 if $sshd_config_trustedusercakeys_real != undef {
- validate_absolute_path($sshd_config_trustedusercakeys_real)
+ # TrustedUserCAKeys may be a path to the keys or 'none'
+ if $sshd_config_trustedusercakeys_real != 'none' {
+ validate_absolute_path($sshd_config_trustedusercakeys_real)
+ }
 }
 
 package { $packages_real:
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index e421bbf..8522cf9 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
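Review bot: The six new lines are appended after the loop that renders Match blocks (the hunk's context is `Match <%= key %>` followed by the three closing `<% end -%>` lines), so whenever sshd_config_match produces at least one Match block these directives land inside the last one: per sshd_config(5) a Match section extends to the next Match line or end of file, HostCertificate is not a keyword permitted under Match so sshd would reject the whole configuration, and TrustedUserCAKeys would apply only to connections matching that block rather than globally. Move the two `<% if … -%>` blocks above the Match section, into the global part of the template where the other `@sshd_config_*_real` directives presumably live (outside this hunk). The spec hunk in this series only sets these parameters on their own, so it does not catch this; a context that sets sshd_config_match together with sshd_config_hostcertificate would.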
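Review bot: With the added `'none'` branch, `'unset'` and `'none'` now do different things but the inline comment and README only say that 'none' is accepted: `'unset'`/undef (handled by the case statement earlier in the class) omits the directive from sshd_config entirely, whereas `'none'` is rendered verbatim as `TrustedUserCAKeys none`, explicitly switching off CA-signed user authentication. Expand the comment to `# 'none' is passed through to sshd verbatim and disables CA trust; 'unset'/undef omits the directive` so a reader does not treat them as interchangeable. The enclosing class ssh begins and ends outside this hunk.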
@@ -1040,7 +1040,7 @@ describe 'ssh' do
 end
 
 describe 'sshd_config_trustedusercakeys param' do
- ['unset', '/etc/ssh/authorized_users_ca.pub'].each do |value|
+ ['unset', '/etc/ssh/authorized_users_ca.pub', 'none'].each do |value|
 context "set to #{value}" do
 let (:params) { { :sshd_config_trustedusercakeys => value } }