Add ssh authorized key management

manifests/init.pp

@@ -130,6 +130,25 @@
 #
 # - *Default*: "# This file is being maintained by Puppet.\n# DO NOT EDIT\n"
 #
+# keys
+# ----
+# Keys for user's ~/.ssh/authorized_keys
+#
+# - *Default*: undefined
+#
+# Sample usage:
+# # Push authorized key "root_for_userX" and remove key "root_for_userY" with hiera
+#
+# ssh::keys:
+#   root_for_userX:
+#     ensure: present
+#     user: root
+#     type: dsa
+#     key: AAAA...==
+#   root_for_userY:
+#     ensure: absent
+#     user: root
+#
 class ssh (
   $packages                = ['openssh-server',
                               'openssh-server',
@@ -154,6 +173,7 @@ class ssh (
   $ssh_key_type            = 'ssh-rsa',
   $manage_root_ssh_config  = 'false',
   $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
+  $keys                    = undef,
 ) {
 
   case $permit_root_login {
@@ -276,4 +296,12 @@ class ssh (
   resources  { 'sshkey':
     purge => $purge_keys,
   }
+
+  # push ssh authorized keys
+  if $keys != undef {
+    $keytype = type($keys)
+    if $keytype == 'hash' {
+      create_resources(ssh_authorized_key, $keys)
+    }
+  }
 }

spec/classes/init_spec.rb

@@ -247,4 +247,30 @@ describe 'ssh' do
       })
     }
   end
+  context 'with keys defined' do
+    let(:params) { { :keys => {
+      'root_for_userX' => {
+        'ensure' => 'present',
+        'user'   => 'root',
+        'type'   => 'dsa',
+        'key'    => 'AAAA==',
+      },
+      'root_for_userY' => {
+        'ensure' => 'absent',
+        'user'   => 'root',
+      }
+    } } }
+    it {
+      should contain_ssh_authorized_key('root_for_userX').with({
+        'ensure' => 'present',
+        'user'   => 'root',
+        'type'   => 'dsa',
+        'key'    => 'AAAA==',
+      })
+      should contain_ssh_authorized_key('root_for_userY').with({
+        'ensure' => 'absent',
+        'user'   => 'root',
+      })
+    }
+  end
 end