Merge pull request #224 from ghoneycutt/223_new_params

new params for HostCertificate and TrustedUserCAKeys
2017-05-17 18:47:34 -04:00 · 2017-05-17 18:47:34 -04:00 · 3e8c502a5b
commit 3e8c502a5b
parent c955ce804d 84f0078a32
5 changed files with 95 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -32,3 +32,9 @@ coverage/
 spec/fixtures/manifests/*
 spec/fixtures/modules/*
 Gemfile.lock
+
+# JetBrains IDE
+.idea/
+
+# Rbenv
+.ruby-version
--- a/README.md
+++ b/README.md
@ -570,6 +570,18 @@ ssh::sshd_config_match:
    - 'PasswordAuthentication no'
 ```

+sshd_config_hostcertificate
+---------------------------
+Absolute path to the OpenSSH Host CA Certificate (HostCertificate) for use with SSH CA validation for Host Certificates.
+
+- *Default*: undefined
+
+sshd_config_trustedusercakeys
+-----------------------------
+Absolute path to the OpenSSH User CA Certificate (TrustedUserCAKeys) for use with SSH CA Validation for Users or the string 'none'.
+
+- *Default*: undefined
+
 keys
 ----
 Hash of keys for user's ~/.ssh/authorized_keys
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -112,6 +112,8 @@ class ssh (
  $root_ssh_config_content             = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
  $sshd_config_tcp_keepalive           = undef,
  $sshd_config_permittunnel            = undef,
+  $sshd_config_hostcertificate         = undef,
+  $sshd_config_trustedusercakeys       = undef,
 ) {

  case $::osfamily {
@ -485,6 +487,16 @@ class ssh (
    default: { $sshd_config_permittunnel_real = $sshd_config_permittunnel }
  }

+  case $sshd_config_hostcertificate {
+    'unset', undef: { $sshd_config_hostcertificate_real = undef }
+    default: { $sshd_config_hostcertificate_real = $sshd_config_hostcertificate }
+  }
+
+  case $sshd_config_trustedusercakeys {
+    'unset', undef: { $sshd_config_trustedusercakeys_real = undef }
+    default: { $sshd_config_trustedusercakeys_real = $sshd_config_trustedusercakeys }
+  }
+
  # validate params
  if $ssh_config_ciphers != undef {
    validate_array($ssh_config_ciphers)
@ -813,6 +825,17 @@ class ssh (
    validate_re($sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.")
  }

+  if $sshd_config_hostcertificate_real != undef {
+    validate_absolute_path($sshd_config_hostcertificate_real)
+  }
+
+  if $sshd_config_trustedusercakeys_real != undef {
+    # TrustedUserCAKeys may be a path to the keys or 'none'
+    if $sshd_config_trustedusercakeys_real != 'none' {
+      validate_absolute_path($sshd_config_trustedusercakeys_real)
+    }
+  }
+
  package { $packages_real:
    ensure    => installed,
    source    => $ssh_package_source_real,
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@ -1015,6 +1015,54 @@ describe 'ssh' do
    end
  end

+  describe 'sshd_config_hostcertificate param' do
+    ['unset', '/etc/ssh/ssh_host_key-cert.pub'].each do |value|
+      context "set to #{value}" do
+        let (:params) { { :sshd_config_hostcertificate => value } }
+
+        if value == 'unset'
+          it { should contain_file('sshd_config').without_content(/^\s*HostCertificate/) }
+        else
+          it { should contain_file('sshd_config').with_content(/^HostCertificate #{value}/) }
+        end
+      end
+    end
+  end
+
+  context 'with sshd_config_hostcertificate set to invalid value on valid osfamily' do
+    let(:params) { { :sshd_config_hostcertificate => 'invalid' } }
+
+    it 'should fail' do
+      expect {
+        should contain_class('ssh')
+      }.to raise_error(Puppet::Error,/"invalid" is not an absolute path/)
+    end
+  end
+
+  describe 'sshd_config_trustedusercakeys param' do
+    ['unset', '/etc/ssh/authorized_users_ca.pub', 'none'].each do |value|
+      context "set to #{value}" do
+        let (:params) { { :sshd_config_trustedusercakeys => value } }
+
+        if value == 'unset'
+          it { should contain_file('sshd_config').without_content(/^\s*TrustedUserCAKeys/) }
+        else
+          it { should contain_file('sshd_config').with_content(/^TrustedUserCAKeys #{value}/) }
+        end
+      end
+    end
+  end
+
+  context 'with sshd_config_trustedusercakeys set to invalid value on valid osfamily' do
+    let(:params) { { :sshd_config_trustedusercakeys => 'invalid' } }
+
+    it 'should fail' do
+      expect {
+        should contain_class('ssh')
+      }.to raise_error(Puppet::Error,/"invalid" is not an absolute path/)
+    end
+  end
+
  context 'with manage_root_ssh_config set to invalid value on valid osfamily' do
    let(:params) { { :manage_root_ssh_config => 'invalid' } }

--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@ -254,3 +254,9 @@ Match <%= key %>
 <%     end -%>
 <%   end -%>
 <% end -%>
+<% if @sshd_config_hostcertificate_real -%>
+HostCertificate <%= @sshd_config_hostcertificate_real %>
+<% end -%>
+<% if @sshd_config_trustedusercakeys_real -%>
+TrustedUserCAKeys <%= @sshd_config_trustedusercakeys_real %>
+<% end -%>