Merge pull request #240 from dhollinger/sshca

Add more SSH CA related fixes and paramaters

Gemfile

@@ -33,6 +33,6 @@ gem 'puppetlabs_spec_helper', '2.0.2',    :require => false if RUBY_VERSION >= '
 gem 'puppetlabs_spec_helper', '>= 2.0.0', :require => false if RUBY_VERSION >= '1.9'
 gem 'parallel_tests',         '<= 2.9.0', :require => false if RUBY_VERSION < '2.0.0'
 
-if puppetversion < '5.0'
+if puppetversion && puppetversion < '5.0'
   gem 'semantic_puppet', :require => false
 end

README.md

@@ -598,7 +598,7 @@ ssh::sshd_config_match:
 
 sshd_config_hostcertificate
 ---------------------------
-Absolute path to the OpenSSH Host CA Certificate (HostCertificate) for use with SSH CA validation for Host Certificates.
+An Absolute Path or Array of Absolute Paths to the Host CA Public Key. Each entry *MUST* be tied 1:1 to a Host CA Private Key (see [sshd_config_hostkey](#sshd_config_hostkey))
 
 - *Default*: undefined
 
@@ -608,6 +608,14 @@ Absolute path to the OpenSSH User CA Certificate (TrustedUserCAKeys) for use wit
 
 - *Default*: undefined
 
+sshd_config_authorized_principals_file
+--------------------------------------
+String path (relative or absolute) to the `authorized_principals` file. Sets the `AuthorizedPrincipalsFile` setting in `sshd_config`
+
+See `sshd_config(5)` for more details
+
+- *Default*: undefined
+
 keys
 ----
 Hash of keys for user's ~/.ssh/authorized_keys

manifests/init.pp

@@ -117,6 +117,7 @@ class ssh (
   $sshd_config_permittunnel               = undef,
   $sshd_config_hostcertificate            = undef,
   $sshd_config_trustedusercakeys          = undef,
+  $sshd_config_authorized_principals_file = undef,
 ) {
 
   case $::osfamily {
@@ -500,6 +501,11 @@ class ssh (
     default: { $sshd_config_trustedusercakeys_real = $sshd_config_trustedusercakeys }
   }
 
+  case $sshd_config_authorized_principals_file {
+    'unset', undef: { $sshd_config_authorized_principals_file_real = undef }
+    default: { $sshd_config_authorized_principals_file_real = $sshd_config_authorized_principals_file }
+  }
+
   # validate params
   if $ssh_config_ciphers != undef {
     validate_array($ssh_config_ciphers)
@@ -839,6 +845,9 @@ class ssh (
   }
 
   if $sshd_config_hostcertificate_real != undef {
+    if is_array($sshd_config_hostcertificate_real) {
+      validate_array($sshd_config_hostcertificate_real)
+    }
     validate_absolute_path($sshd_config_hostcertificate_real)
   }
 
@@ -849,6 +858,10 @@ class ssh (
     }
   }
 
+  if $sshd_config_authorized_principals_file_real != undef {
+    validate_string($sshd_config_authorized_principals_file_real)
+  }
+
   package { $packages_real:
     ensure    => installed,
     source    => $ssh_package_source_real,

spec/classes/init_spec.rb

@@ -1068,20 +1068,27 @@ describe 'sshd_config_print_last_log param' do
   end
 
   describe 'sshd_config_hostcertificate param' do
-    ['unset', '/etc/ssh/ssh_host_key-cert.pub'].each do |value|
-      context "set to #{value}" do
-        let (:params) { { :sshd_config_hostcertificate => value } }
+    context 'unset value' do
+      let(:params) { { :sshd_config_hostcertificate => 'unset' } }
 
-        if value == 'unset'
       it { should contain_file('sshd_config').without_content(/^\s*HostCertificate/) }
-        else
-          it { should contain_file('sshd_config').with_content(/^HostCertificate #{value}/) }
     end
+
+    context 'with a certificate' do
+      let(:params) { { :sshd_config_hostcertificate => '/etc/ssh/ssh_host_key-cert.pub' } }
+
+      it { should contain_file('sshd_config').with_content(/^HostCertificate \/etc\/ssh\/ssh_host_key-cert\.pub/) }
     end
+
+    context 'with multiple certs' do
+      let(:params) { { :sshd_config_hostcertificate => [ '/etc/ssh/ssh_host_key-cert.pub', '/etc/ssh/ssh_host_key-cert2.pub'] } }
+
+      it { should contain_file('sshd_config').with_content(/^HostCertificate \/etc\/ssh\/ssh_host_key-cert\.pub\nHostCertificate \/etc\/ssh\/ssh_host_key-cert2\.pub/)}
     end
   end
 
   context 'with sshd_config_hostcertificate set to invalid value on valid osfamily' do
+    context 'with string' do
       let(:params) { { :sshd_config_hostcertificate => 'invalid' } }
 
       it 'should fail' do
@@ -1090,6 +1097,21 @@ describe 'sshd_config_print_last_log param' do
         }.to raise_error(Puppet::Error,/"invalid" is not an absolute path/)
       end
     end
+  end
+
+  context 'with sshd_config_authorized_principals_file param' do
+    ['unset', '.ssh/authorized_principals'].each do |value|
+      context "set to #{value}" do
+        let (:params) { { :sshd_config_authorized_principals_file => value } }
+
+        if value == 'unset'
+          it { should contain_file('sshd_config').without_content(/^\s*AuthorizedPrincipalsFile/)}
+        else
+          it { should contain_file('sshd_config').with_content(/^AuthorizedPrincipalsFile \.ssh\/authorized_principals/)}
+        end
+      end
+    end
+  end
 
   describe 'sshd_config_trustedusercakeys param' do
     ['unset', '/etc/ssh/authorized_users_ca.pub', 'none'].each do |value|

templates/sshd_config.erb

@@ -263,9 +263,16 @@ Match <%= key %>
 <%     end -%>
 <%   end -%>
 <% end -%>
-<% if @sshd_config_hostcertificate_real -%>
+<% if @sshd_config_hostcertificate_real.class == Array -%>
+<%   @sshd_config_hostcertificate_real.each do |cert| -%>
+HostCertificate <%= cert %>
+<%   end -%>
+<% elsif @sshd_config_hostcertificate_real.class == String -%>
 HostCertificate <%= @sshd_config_hostcertificate_real %>
 <% end -%>
 <% if @sshd_config_trustedusercakeys_real -%>
 TrustedUserCAKeys <%= @sshd_config_trustedusercakeys_real %>
 <% end -%>
+<% if @sshd_config_authorized_principals_file_real -%>
+AuthorizedPrincipalsFile <%= @sshd_config_authorized_principals_file_real %>
+<% end -%>