From fbe72409ffb6e24f014ef9d6f26246b80f4bf604 Mon Sep 17 00:00:00 2001
From: Kyle Fu
Date: Mon, 4 May 2015 11:00:11 +0800
Subject: [PATCH 1/2] Make GSSAPIAuthentication in ssh_config modifiable. Fix corresponding Puppet::Error test code.
---
 README.md | 6 ++++++
 manifests/init.pp | 5 +++++
 spec/classes/init_spec.rb | 40 +++++++++++++++++++++++++++++++++++++++
 spec/spec_helper.rb | 1 +
 templates/ssh_config.erb | 3 ++-
 5 files changed, 54 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index b172eaa..c84be9d 100644
--- a/README.md
+++ b/README.md
@@ -120,6 +120,12 @@ Boolean to enable SendEnv options for specifying environment variables. Default
 - *Default*: 'USE_DEFAULTS'
+ssh_gssapiauthentication
+-------------------------
+GSSAPIAuthentication: Enables/disables GSS-API user authentication in ssh_config. Valid values are 'yes' and 'no'.
+
+- *Default*: 'yes'
+
 ssh_gssapidelegatecredentials
 -----------------------------
 *string* For GSSAPIDelegateCredentials setting in ssh_config. Valid values are
diff --git a/manifests/init.pp b/manifests/init.pp
index 45ebe3a..66b872e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -24,6 +24,7 @@ class ssh (
 $ssh_config_macs = undef,
 $ssh_config_template = 'ssh/ssh_config.erb',
 $ssh_sendenv = 'USE_DEFAULTS',
+ $ssh_gssapiauthentication = 'yes',
 $ssh_gssapidelegatecredentials = undef,
 $sshd_config_path = '/etc/ssh/sshd_config',
 $sshd_config_owner = 'root',
@@ -421,6 +422,10 @@ class ssh (
 fail('ssh::sshd_config_banner must be set to be able to use sshd_banner_content.')
 }
+ if $ssh_gssapiauthentication != undef {
+ validate_re($ssh_gssapiauthentication, '^(yes|no)$', "ssh::ssh_gssapiauthentication may be either 'yes' or 'no' and is set to <${ssh_gssapiauthentication}>.")
+ }
+
 if $ssh_gssapidelegatecredentials != undef {
 validate_re($ssh_gssapidelegatecredentials, '^(yes|no)$', "ssh::ssh_gssapidelegatecredentials may be either 'yes' or 'no' and is set to <${ssh_gssapidelegatecredentials}>.")
 }
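Review bot: The pattern `'^(yes|no)$'` given to `validate_re` in the second manifests/init.pp hunk uses line anchors, and since stdlib's `validate_re` evaluates it as a Ruby regular expression, `^` and `$` match at every line boundary, so a multi-line string that merely contains a line reading `yes` would pass and then be written as-is into ssh_config by the template. Anchoring the whole string closes that gap: `validate_re($ssh_gssapiauthentication, '\A(yes|no)\z', ...)`. The same pattern appears in the `ssh_gssapidelegatecredentials` check shown as context here and in the rewritten call in the manifests/init.pp hunk of [PATCH 2/2]. The enclosing `class ssh` body starts and ends outside the hunk.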
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index bdcc5a8..0d641f6 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -55,6 +55,7 @@ describe 'ssh' do
 it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
 it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
 it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@@ -194,6 +195,7 @@ describe 'ssh' do
 it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
 it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted/) }
@@ -312,6 +314,7 @@ describe 'ssh' do
 it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
 it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted/) }
@@ -548,6 +551,7 @@ describe 'ssh' do
 it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
 it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
 it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@@ -672,6 +676,7 @@ describe 'ssh' do
 it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
 it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
 it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@@ -796,6 +801,7 @@ describe 'ssh' do
 it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
 it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
 it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@@ -941,6 +947,7 @@ describe 'ssh' do
 it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
 it { should contain_file('ssh_config').with_content(/^ ForwardAgent yes$/) }
 it { should contain_file('ssh_config').with_content(/^ ForwardX11 yes$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
 it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) }
 it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) }
 it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
@@ -2254,6 +2261,39 @@ describe 'ssh' do
 end
 end
+ describe 'with parameter ssh_gssapiauthentication' do
+ let(:facts) do
+ { :fqdn => 'monkey.example.com',
+ :osfamily => 'RedHat',
+ :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+ }
+ end
+
+ ['yes','no'].each do |value|
+ context "specified as valid #{value} (as #{value.class})" do
+ let(:params) { { :ssh_gssapiauthentication => value } }
+
+ it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication #{value}$/) }
+ end
+ end
+
+ ['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
+ context "specified as invalid value #{value} (as #{value.class})" do
+ let(:params) { { :ssh_gssapiauthentication => value } }
+
+ if value.is_a?(Array)
+ value = value.join
+ end
+
+ it do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error,/^ssh::ssh_gssapiauthentication may be either 'yes' or 'no' and is set to <#{value.to_s}>./)
+ end
+ end
+ end
+ end
+
 describe 'with parameter sshd_gssapiauthentication' do
 ['yes','no'].each do |value|
 context "specified as #{value}" do
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 2c6f566..dc7e9f4 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1 +1,2 @@
+require 'rubygems'
 require 'puppetlabs_spec_helper/module_spec_helper'
diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb
index 1719661..cb8a086 100644
--- a/templates/ssh_config.erb
+++ b/templates/ssh_config.erb
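Review bot: The invalid-value list in the new `describe 'with parameter ssh_gssapiauthentication'` block has no multi-line case, so the suite would not notice if the manifest's `^(yes|no)$` check accepted a string such as `"yes\nno"`; adding one value with an embedded newline to the list covers that. The expected message interpolates `value.to_s` into the regex literal unescaped, which is fragile for the hash case; `<#{Regexp.escape(value.to_s)}>` makes the match literal, and the later spec hunk in [PATCH 2/2] only escapes the trailing dot. The `a =` inside the array literal (`a = { 'ha' => 'sh' }`) assigns a local that is never read in the hunk and can be dropped.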
@@ -55,7 +55,8 @@ GlobalKnownHostsFile <%= @ssh_config_global_known_hosts_file %>
 <% end -%>
 Host *
- GSSAPIAuthentication yes
+# GSSAPIAuthentication yes
+ GSSAPIAuthentication <%= @ssh_gssapiauthentication %>
 <% if @ssh_gssapidelegatecredentials != nil -%>
 GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
 <% end -%>
From 29c042a9608d57cd217306db36d5319e7d2a1697 Mon Sep 17 00:00:00 2001
From: Kyle Fu
Date: Thu, 7 May 2015 11:19:40 +0800
Subject: [PATCH 2/2] Remove if for ssh_gssapiauthentication. Remove unnecessary line in spec_helper.rb. Fix dot by backslash.
---
 manifests/init.pp | 4 +---
 spec/classes/init_spec.rb | 2 +-
 spec/spec_helper.rb | 1 -
 3 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 66b872e..738b6b5 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -422,9 +422,7 @@ class ssh (
 fail('ssh::sshd_config_banner must be set to be able to use sshd_banner_content.')
 }
- if $ssh_gssapiauthentication != undef {
- validate_re($ssh_gssapiauthentication, '^(yes|no)$', "ssh::ssh_gssapiauthentication may be either 'yes' or 'no' and is set to <${ssh_gssapiauthentication}>.")
- }
+ validate_re($ssh_gssapiauthentication, '^(yes|no)$', "ssh::ssh_gssapiauthentication may be either 'yes' or 'no' and is set to <${ssh_gssapiauthentication}>.")
 if $ssh_gssapidelegatecredentials != undef {
 validate_re($ssh_gssapidelegatecredentials, '^(yes|no)$', "ssh::ssh_gssapidelegatecredentials may be either 'yes' or 'no' and is set to <${ssh_gssapidelegatecredentials}>.")
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 0d641f6..962fd88 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
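Review bot: The templates/ssh_config.erb hunk leaves `# GSSAPIAuthentication yes` as a commented line directly above the rendered directive, so every managed ssh_config carries a stale-looking default even when the parameter is `no`; deleting that added comment line keeps the rendered file unambiguous. `<%= @ssh_gssapiauthentication %>` is written out with no guard of its own, so the directive is only as safe as the `validate_re` check in manifests/init.pp. A template comment such as `<%# validated as yes|no in manifests/init.pp -%>` would record that dependency for the next editor. The `Host *` block continues outside the hunk.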
@@ -2288,7 +2288,7 @@ describe 'ssh' do
 it do
 expect {
 should contain_class('ssh')
- }.to raise_error(Puppet::Error,/^ssh::ssh_gssapiauthentication may be either 'yes' or 'no' and is set to <#{value.to_s}>./)
+ }.to raise_error(Puppet::Error,/^ssh::ssh_gssapiauthentication may be either 'yes' or 'no' and is set to <#{value.to_s}>\./)
 end
 end
 end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index dc7e9f4..2c6f566 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,2 +1 @@
-require 'rubygems'
 require 'puppetlabs_spec_helper/module_spec_helper'