From ab3737223065320fb6b07816e173c0faa51569b1 Mon Sep 17 00:00:00 2001
From: Roy Victor Williams
Date: Tue, 23 Sep 2014 09:43:10 -0400
Subject: [PATCH] Add support for GSSAPIDelegateCredentials in ssh_config.

By default this only applies to Solaris 11.
---
 manifests/init.pp | 66 +++++++++++++++++++++++++--------------
 spec/classes/init_spec.rb | 33 ++++++++++++++++++++
 templates/ssh_config.erb | 3 ++
 3 files changed, 79 insertions(+), 23 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index ddffa5c..d00bc14 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -24,6 +24,7 @@ class ssh (
   $ssh_config_macs = undef,
   $ssh_config_template = 'ssh/ssh_config.erb',
   $ssh_sendenv = 'USE_DEFAULTS',
+  $ssh_gssapidelegatecredentials = 'USE_DEFAULTS',
   $sshd_config_path = '/etc/ssh/sshd_config',
   $sshd_config_owner = 'root',
   $sshd_config_group = 'root',
@@ -86,6 +87,7 @@ class ssh (
   $default_ssh_package_source = undef
   $default_ssh_package_adminfile = undef
   $default_ssh_sendenv = true
+  $default_ssh_gssapidelegatecredentials = undef
   $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server'
   $default_sshd_config_mode = '0600'
   $default_sshd_config_use_dns = 'yes'
@@ -105,6 +107,7 @@ class ssh (
   $default_ssh_package_source = undef
   $default_ssh_package_adminfile = undef
   $default_ssh_sendenv = true
+  $default_ssh_gssapidelegatecredentials = undef
   $default_ssh_config_forward_x11_trusted = 'yes'
   $default_sshd_config_mode = '0600'
   $default_sshd_config_use_dns = 'yes'
@@ -137,6 +140,7 @@ class ssh (
   $default_ssh_package_source = undef
   $default_ssh_package_adminfile = undef
   $default_ssh_sendenv = true
+  $default_ssh_gssapidelegatecredentials = undef
   $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
   $default_sshd_config_mode = '0600'
   $default_sshd_config_use_dns = 'yes'
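Review bot: The new `ssh_gssapidelegatecredentials` parameter added in the `@@ -24,6 +24,7 @@` hunk is undocumented: the diffstat touches only init.pp, the spec and the template, so nothing tells a user which values are accepted or that `USE_DEFAULTS` resolves to `'yes'` only on Solaris 5.11. Setting this option to yes makes the client forward its Kerberos credentials to the server it connects to, which is the kind of consequence a parameter description should state. Suggest a comment on the parameter along the lines of `# ssh_gssapidelegatecredentials - 'yes', 'no' or undef; 'yes' forwards the client's Kerberos credentials to the remote host. Default: 'yes' on Solaris 5.11, otherwise not set.` The class parameter list continues outside the hunk.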
@@ -166,32 +170,35 @@ class ssh (
   $default_ssh_package_adminfile = undef
   case $::kernelrelease {
     '5.11': {
-      $default_packages = ['network/ssh',
-                           'network/ssh/ssh-key',
-                           'service/network/ssh']
-      $default_service_name = 'ssh'
-      $default_service_hasstatus = true
-      $default_ssh_package_source = undef
+      $default_packages = ['network/ssh',
+                           'network/ssh/ssh-key',
+                           'service/network/ssh']
+      $default_service_name = 'ssh'
+      $default_service_hasstatus = true
+      $default_ssh_package_source = undef
+      $default_ssh_gssapidelegatecredentials = 'yes'
     }
     '5.10': {
-      $default_packages = ['SUNWsshcu',
-                           'SUNWsshdr',
-                           'SUNWsshdu',
-                           'SUNWsshr',
-                           'SUNWsshu']
-      $default_service_name = 'ssh'
-      $default_service_hasstatus = true
-      $default_ssh_package_source = '/var/spool/pkg'
+      $default_packages = ['SUNWsshcu',
+                           'SUNWsshdr',
+                           'SUNWsshdu',
+                           'SUNWsshr',
+                           'SUNWsshu']
+      $default_service_name = 'ssh'
+      $default_service_hasstatus = true
+      $default_ssh_package_source = '/var/spool/pkg'
+      $default_ssh_gssapidelegatecredentials = undef
     }
     '5.9' : {
-      $default_packages = ['SUNWsshcu',
-                           'SUNWsshdr',
-                           'SUNWsshdu',
-                           'SUNWsshr',
-                           'SUNWsshu']
-      $default_service_name = 'sshd'
-      $default_service_hasstatus = false
-      $default_ssh_package_source = '/var/spool/pkg'
+      $default_packages = ['SUNWsshcu',
+                           'SUNWsshdr',
+                           'SUNWsshdu',
+                           'SUNWsshr',
+                           'SUNWsshu']
+      $default_service_name = 'sshd'
+      $default_service_hasstatus = false
+      $default_ssh_package_source = '/var/spool/pkg'
+      $default_ssh_gssapidelegatecredentials = undef
     }
     default: {
       fail('ssh module supports Solaris kernel release 5.9, 5.10 and 5.11.')
@@ -317,6 +324,13 @@ class ssh (
     }
   }

+  if $ssh_gssapidelegatecredentials == 'USE_DEFAULTS' {
+    $ssh_gssapidelegatecredentials_real = $default_ssh_gssapidelegateredentials
+  } else {
+    $ssh_gssapidelegatecredentials_real = $ssh_gssapidelegatecredentials
+  }
+
+
   if $sshd_acceptenv == 'USE_DEFAULTS' {
     $sshd_acceptenv_real = $default_sshd_acceptenv
   } else {
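Review bot: The `'5.11'` branch makes credential delegation opt-out on Solaris 11 (`$default_ssh_gssapidelegatecredentials = 'yes'`) while every other platform in this hunk leaves it unset, and neither the code nor the commit message says why that platform differs; a one-line comment at that assignment naming the reason would save the next reader from guessing. The hunk also re-aligns 22 unchanged lines across the three `case` branches, which turns three one-line additions into a 32/35-line hunk and hides the actual change; consider leaving the alignment as it was, or moving the re-indentation to a separate formatting commit.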
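Review bot: In the `@@ -317,6 +324,13 @@` hunk the `USE_DEFAULTS` branch reads `$default_ssh_gssapidelegateredentials` (the `c` of `credentials` is missing), which is not the variable the per-platform defaults assign, so the Solaris 5.11 `'yes'` default can never reach `$ssh_gssapidelegatecredentials_real`. In the Puppet versions this module appears to target an unknown variable evaluates to undef, so the template silently emits nothing and the only way to get the directive is to pass the parameter explicitly. Change the line to `$ssh_gssapidelegatecredentials_real = $default_ssh_gssapidelegatecredentials`. The two trailing `+` blank lines also leave a double blank before the `sshd_acceptenv` block where the surrounding code uses one.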
@@ -391,7 +405,13 @@ class ssh (
     fail('ssh::sshd_config_banner must be set to be able to use sshd_banner_content.')
   }

-  validate_re($sshd_gssapiauthentication, '^(yes|no)$', "ssh::sshd_gssapiauthentication may be either 'yes' or 'no' and is set to <${sshd_gssapiauthentication}>.")
+  if $ssh_gssapidelegatecredentials_real != undef {
+    validate_re($ssh_gssapidelegatecredentials_real, '^(yes|no)$', "ssh::ssh_gssapidelegatecredentials may be either 'yes' or 'no' and is set to <${ssh_gssapidelegatecredentials_real}>.")
+  }
+
+  if $sshd_gssapiauthentication != undef {
+    validate_re($sshd_gssapiauthentication, '^(yes|no)$', "ssh::sshd_gssapiauthentication may be either 'yes' or 'no' and is set to <${sshd_gssapiauthentication}>.")
+  }

   if $sshd_gssapikeyexchange_real != undef {
     validate_re($sshd_gssapikeyexchange_real, '^(yes|no)$', "ssh::sshd_gssapikeyexchange may be either 'yes' or 'no' and is set to <${sshd_gssapikeyexchange_real}>.")
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index e93a074..278f8c8 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
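Review bot: Wrapping the pre-existing `validate_re($sshd_gssapiauthentication, ...)` in `if $sshd_gssapiauthentication != undef` relaxes validation of a parameter this commit is not about: an undef `sshd_gssapiauthentication` was rejected before and is now accepted, and the commit message does not mention it. If the intent is only to add the new check, keep the original unconditional line; if the relaxation is intended, say so in the commit message and add a spec example for it. The new `ssh_gssapidelegatecredentials_real` check is consistent with the `sshd_gssapikeyexchange_real` block that follows, but note its message names `ssh::ssh_gssapidelegatecredentials`, which the spec hunk in this patch does not match.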
@@ -1851,6 +1851,39 @@ describe 'ssh' do
     end
   end

+  describe 'with parameter ssh_gssapidelegatecredentials' do
+    ['yes','no'].each do |value|
+      context "specified as #{value}" do
+        let(:params) { { :ssh_gssapidelegatecredentials => value } }
+        let(:facts) do
+          { :fqdn => 'monkey.example.com',
+            :osfamily => 'Solaris',
+            :kernelrelease => '5.11',
+            :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+          }
+        end
+
+        it { should contain_file('ssh_config').with_content(/^GSSAPIDelegateCredentials #{value}$/) }
+      end
+    end
+
+    ['YES',true].each do |value|
+      context "specified an invalid value #{value}" do
+        let(:params) { { :ssh_gssapidelegatecredentials => value } }
+        let(:facts) do
+          { :fqdn => 'monkey.example.com',
+            :osfamily => 'RedHat',
+            :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+          }
+        end
+
+        it 'should fail' do
+          expect { should raise_error(Puppet::Error,/^ssh::sshd_gssapidelegatecredentials may be either 'yes' or 'no' and is set to <#{value}>./) }
+        end
+      end
+    end
+  end
+
   describe 'with parameter sshd_gssapiauthentication' do
     ['yes','no'].each do |value|
       context "specified as #{value}" do
diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb
index ce69790..f0cd939 100644
--- a/templates/ssh_config.erb
+++ b/templates/ssh_config.erb
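Review bot: The invalid-value example under `it 'should fail' do` never compiles the catalogue: `expect { should raise_error(...) }` has no `.to`, so the block is created but never executed and the example passes whatever the manifest does. Write it as `expect { should contain_class('ssh') }.to raise_error(Puppet::Error, /.../)` so the catalogue is actually built inside the expectation. The expected message also says `ssh::sshd_gssapidelegatecredentials` while the manifest's `validate_re` message in this patch says `ssh::ssh_gssapidelegatecredentials`, so the example would fail as soon as it runs. The valid-value contexts set the parameter explicitly, so the Solaris 5.11 default of `'yes'` is never asserted; a context with no `params` on `:kernelrelease => '5.11'` expecting `/^GSSAPIDelegateCredentials yes$/` would cover it and would have caught the misspelled default variable in init.pp.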
@@ -53,6 +53,9 @@
 <% end -%>
 Host *
 GSSAPIAuthentication yes
+<% if @ssh_gssapidelegatecredentials_real != nil -%>
+GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials_real %>
+<% end -%>
 # If this option is set to yes then remote X11 clients will have full access
 # to the original X11 display. As virtually no X11 client supports the untrusted
 # mode correctly we set this to yes.
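Review bot: The new directive is emitted inside the `Host *` block, so when the value is `yes` the client delegates its Kerberos credentials to every host it connects to, not only to a chosen set; the template already explains the `ForwardX11Trusted` choice in a comment, and this option deserves the same treatment. Suggest a comment line above the `<% if ... -%>` guard such as `# GSSAPIDelegateCredentials yes forwards the client's Kerberos credentials to every host matched by this block.` The `!= nil` guard relies on an unset `$ssh_gssapidelegatecredentials_real` arriving in the template as nil; that presumably matches how the other `_real` variables in this template are guarded, which is not visible in the hunk.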