Make GSSAPIAuthentication in ssh_config modifiable. Fix corresponding Puppet::Error test code.

This commit is contained in:
Kyle Fu 2015-05-04 11:00:11 +08:00
parent de29fb46ca
commit fbe72409ff
5 changed files with 54 additions and 1 deletions

View File

@ -120,6 +120,12 @@ Boolean to enable SendEnv options for specifying environment variables. Default
- *Default*: 'USE_DEFAULTS' - *Default*: 'USE_DEFAULTS'
ssh_gssapiauthentication
-------------------------
GSSAPIAuthentication: Enables/disables GSS-API user authentication in ssh_config. Valid values are 'yes' and 'no'.
- *Default*: 'yes'
ssh_gssapidelegatecredentials ssh_gssapidelegatecredentials
----------------------------- -----------------------------
*string* For GSSAPIDelegateCredentials setting in ssh_config. Valid values are *string* For GSSAPIDelegateCredentials setting in ssh_config. Valid values are

View File

@ -24,6 +24,7 @@ class ssh (
$ssh_config_macs = undef, $ssh_config_macs = undef,
$ssh_config_template = 'ssh/ssh_config.erb', $ssh_config_template = 'ssh/ssh_config.erb',
$ssh_sendenv = 'USE_DEFAULTS', $ssh_sendenv = 'USE_DEFAULTS',
$ssh_gssapiauthentication = 'yes',
$ssh_gssapidelegatecredentials = undef, $ssh_gssapidelegatecredentials = undef,
$sshd_config_path = '/etc/ssh/sshd_config', $sshd_config_path = '/etc/ssh/sshd_config',
$sshd_config_owner = 'root', $sshd_config_owner = 'root',
@ -421,6 +422,10 @@ class ssh (
fail('ssh::sshd_config_banner must be set to be able to use sshd_banner_content.') fail('ssh::sshd_config_banner must be set to be able to use sshd_banner_content.')
} }
if $ssh_gssapiauthentication != undef {
validate_re($ssh_gssapiauthentication, '^(yes|no)$', "ssh::ssh_gssapiauthentication may be either 'yes' or 'no' and is set to <${ssh_gssapiauthentication}>.")
}
if $ssh_gssapidelegatecredentials != undef { if $ssh_gssapidelegatecredentials != undef {
validate_re($ssh_gssapidelegatecredentials, '^(yes|no)$', "ssh::ssh_gssapidelegatecredentials may be either 'yes' or 'no' and is set to <${ssh_gssapidelegatecredentials}>.") validate_re($ssh_gssapidelegatecredentials, '^(yes|no)$', "ssh::ssh_gssapidelegatecredentials may be either 'yes' or 'no' and is set to <${ssh_gssapidelegatecredentials}>.")
} }

View File

@ -55,6 +55,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts$/) } it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts$/) }
it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -194,6 +195,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted/) }
@ -312,6 +314,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted/) }
@ -548,6 +551,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) } it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) }
it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -672,6 +676,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) } it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) }
it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -796,6 +801,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) } it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) }
it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -941,6 +947,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should contain_file('ssh_config').with_content(/^ ForwardAgent yes$/) } it { should contain_file('ssh_config').with_content(/^ ForwardAgent yes$/) }
it { should contain_file('ssh_config').with_content(/^ ForwardX11 yes$/) } it { should contain_file('ssh_config').with_content(/^ ForwardX11 yes$/) }
it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) } it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) }
it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) } it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) }
it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
@ -2254,6 +2261,39 @@ describe 'ssh' do
end end
end end
describe 'with parameter ssh_gssapiauthentication' do
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
['yes','no'].each do |value|
context "specified as valid #{value} (as #{value.class})" do
let(:params) { { :ssh_gssapiauthentication => value } }
it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication #{value}$/) }
end
end
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
context "specified as invalid value #{value} (as #{value.class})" do
let(:params) { { :ssh_gssapiauthentication => value } }
if value.is_a?(Array)
value = value.join
end
it do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/^ssh::ssh_gssapiauthentication may be either 'yes' or 'no' and is set to <#{value.to_s}>./)
end
end
end
end
describe 'with parameter sshd_gssapiauthentication' do describe 'with parameter sshd_gssapiauthentication' do
['yes','no'].each do |value| ['yes','no'].each do |value|
context "specified as #{value}" do context "specified as #{value}" do

View File

@ -1 +1,2 @@
require 'rubygems'
require 'puppetlabs_spec_helper/module_spec_helper' require 'puppetlabs_spec_helper/module_spec_helper'

View File

@ -55,7 +55,8 @@
GlobalKnownHostsFile <%= @ssh_config_global_known_hosts_file %> GlobalKnownHostsFile <%= @ssh_config_global_known_hosts_file %>
<% end -%> <% end -%>
Host * Host *
GSSAPIAuthentication yes # GSSAPIAuthentication yes
GSSAPIAuthentication <%= @ssh_gssapiauthentication %>
<% if @ssh_gssapidelegatecredentials != nil -%> <% if @ssh_gssapidelegatecredentials != nil -%>
GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %> GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
<% end -%> <% end -%>